Commit graph

9063 commits

Author SHA1 Message Date
Gilles Peskine
b37af92eb9 Merge branch 'psa-hash_clone' into psa-api-1.0-beta
Add psa_hash_clone.
2019-01-19 12:07:27 +01:00
Gilles Peskine
ebb2c3e419 New function psa_hash_clone
Clone a hash operation.

Test good cases as part as multipart tests. Add new test functions for
the state machine.
2019-01-19 12:03:41 +01:00
Gilles Peskine
9dcc80e628 Merge branch 'psa-derive_input_steps-agreement_as_one_step' into psa-api-1.0-beta
Change the key derivation API to take inputs in multiple steps,
instead of a single one-site-fits-poorly function.

Conflicts:
* include/psa/crypto.h: merge independent changes in the documentation
  of psa_key_agreement (public_key from the work on public key formats
  vs general description and other parameters in the work on key derivation).
* tests/suites/test_suite_psa_crypto.data: update the key agreement
  tests from the work on key derivation to the format from the work on
  public key formats.
* tests/suites/test_suite_psa_crypto_metadata.function: reconcile the
  addition of unrelated ALG_IS_xxx macros
2019-01-18 18:54:15 +01:00
Gilles Peskine
6843c29713 Simplify the encoding of key agreement algorithms
Get rid of "key selection" algorithms (of which there was only one:
raw key selection).

Encode key agreement by combining a raw key agreement with a KDF,
rather than passing the KDF as an argument of a key agreement macro.
2019-01-18 18:38:08 +01:00
Gilles Peskine
769c7a66ac New function to get the raw shared secret from key agreement
The normal way is to pass the shared secret to a key derivation.
Having an ad hoc function will allow us to simplify the possible
behaviors of key agreement and get rid of "key selection" algorithms
which are a hard-to-understand invention of this API.
2019-01-18 18:38:08 +01:00
Gilles Peskine
5dcd3ce598 Remove psa_key_derivation from the official API
Keep it defined as an implementation-specific extension until the
tests are updated.
2019-01-18 18:38:08 +01:00
Gilles Peskine
969c5d61f7 Make key agreement the secret input for key derivation
* Documentation
* Proof-of-concept implementation
* Updates to the tests (work in progress)
2019-01-18 18:34:28 +01:00
Gilles Peskine
41ac513de8 Don't use key derivation multipart inputs for key agreement
It isn't a good fit. It's overly complex for what the API can do now,
which is Diffie-Hellman. Consider it again later for more complex use
cases such as authenticated key exchanges.
2019-01-18 18:33:12 +01:00
Gilles Peskine
6cdfdb75a9 Improve the rules on key derivation input types
Use separate step types for a KDF secret and for the private key in a
key agreement.

Determine which key type is allowed from the step type, independently
of the KDF.

Forbid raw inputs for certain steps. They definitely should be
forbidden for asymmetric keys, which are structured. Also forbid them
for KDF secrets: the secrets are supposed to be keys, even if they're
unstructured.
2019-01-18 18:33:12 +01:00
Gilles Peskine
b70a0fd1a5 Key derivation by small input steps: proof-of-concept
Document the new API. Keep the old one.

Implement for HKDF. Use it in a few test cases.

Key agreement is still unchanged.
2019-01-18 18:33:12 +01:00
Gilles Peskine
7666edbfe1 Merge branch 'psa-aead_multipart' into psa-api-1.0-beta
Add multipart AEAD API.

Add one-shot API for hash, MAC and cipher.
2019-01-18 17:59:30 +01:00
Gilles Peskine
1f9e58a1bb Merge branch 'psa-signature_policy_wildcard' into psa-api-1.0-beta
For hash-and-sign algorithms, allow a policy to specify a wildcard
instead of a specific hash algorithm.
2019-01-18 17:52:17 +01:00
Gilles Peskine
d71dbd888b Merge branch 'pubkey-format-dh-dsa-pass_type_to_set_domain_parameters' into psa-api-1.0-beta
Change the import/export format of DSA and DH public keys to use just
the key data, without a SubjectPublicKeyInfo wrapping.

Add an API to set and query domain parameters for DSA and DH keys.
2019-01-18 17:30:16 +01:00
Gilles Peskine
3a74e00429 Add type argument to psa_set_key_domain_parameters
psa_set_key_domain_parameters needs the type to parse the domain
parameters.
2019-01-18 17:24:20 +01:00
Jaeden Amero
8851c40d85 psa: Add DH key exchange keys
Add the ability to specify Diffie-Hellman key exchange keys. Specify the
import/export format as well, even though importing and exporting isn't
implemented yet.
2019-01-18 17:24:20 +01:00
Jaeden Amero
1308fb517f psa: Simplify DSA key formats
Remove front matter and DSS parameters from our DSA key formats, both
keypair and public key, to make it just a representation of the integer
private key, `x`, or the public key, `y`, respectively.
2019-01-18 17:24:20 +01:00
Jaeden Amero
283dfd1613 psa: Add get/set domain parameters
DSA and static DH need extra domain parameters. Instead of passing these
in with the keys themselves, add get and set functions to set and
retrieve this information about keys.
2019-01-18 17:19:54 +01:00
Gilles Peskine
2d22647ce3 Merge remote-tracking branch 'upstream-crypto/pr/13' into psa-api-1.0-beta
Change the import/export format of RSA and ECC public keys to use just
the key data, without a SubjectPublicKeyInfo wrapping.
2019-01-18 17:04:12 +01:00
Gilles Peskine
bc59c855c4 Doc only: Add psa_aead_set_lengths() for the sake of CCM 2019-01-17 15:26:08 +01:00
Gilles Peskine
a05602d100 Fix typos in recently-added documentation 2019-01-17 15:25:52 +01:00
Jaeden Amero
8afbff82dd psa: Expand documentation for psa_key_agreement()
Document `peer_key` parameter requirements, including an explanation of
how the peer key is used and an example for EC keys.
2019-01-15 11:29:19 +00:00
Jaeden Amero
08ad32721c psa: Remove extra status handling from import
Remove extra status handling code from psa_import_key_into_slot(). This
helps save a tiny amount of code space, but mainly serves to improve the
readability of the code.
2019-01-15 11:29:19 +00:00
Jaeden Amero
ec6ff863b5 psa: Refactor psa_import_rsa_key() pk-using code
Move pk-using code to inside psa_import_rsa_key(). This aligns the shape
of psa_import_rsa_key() to match that of psa_import_ec_private_key() and
psa_import_ec_public_key().
2019-01-15 11:29:19 +00:00
Jaeden Amero
0ae445f8fd psa: Simplify EC public key format
Remove front matter from our EC key format, to make it just the contents
of an ECPoint as defined by SEC1 section 2.3.3.

As a consequence of the simplification, remove the restriction on not
being able to use an ECDH key with ECDSA. There is no longer any OID
specified when importing a key, so we can't reject importing of an ECDH
key for the purpose of ECDSA based on the OID.
2019-01-15 11:29:18 +00:00
Jaeden Amero
1e5c2bd8e3 psa: Use psa_status_t in psa_key_agreement_ecdh()
Use the PSA-native status type in psa_key_agreement_ecdh() in
preparation for us calling PSA functions (and not just Mbed TLS
functions) and still being able to return a psa_status_t (without having
to translate it to a Mbed TLS error and then back again).
2019-01-15 10:40:54 +00:00
Gilles Peskine
69647a45a3 Declare one-shot hash, MAC and cipher functions
Declare and document one-shot hash, MAC and cipher functions.

This commit does not contain any implementation or tests.
2019-01-14 20:18:12 +01:00
Gilles Peskine
30f77cdfc1 Add a hash wildcard value for hash-and-sign algorithm
You can use PSA_ALG_ANY_HASH to build the algorithm value for a
hash-and-sign algorithm in a policy. Then the policy allows usage with
this hash-and-sign family with any hash.

Test that PSA_ALG_ANY_HASH-based policies allow a specific hash, but
not a different hash-and-sign family. Test that PSA_ALG_ANY_HASH is
not valid for operations, only in policies.
2019-01-14 19:38:56 +01:00
Gilles Peskine
30a9e41076 Declare multipart AEAD functions
Declare and document multipart AEAD functions.

This commit does not contain any implementation or tests.
2019-01-14 18:36:12 +01:00
Gilles Peskine
f45adda9ac Copyedit the documentation of multipart operation functions
Finish changing "start" to "set up".

Correct the way to set an IV for decryption: it's set_iv(), not
update().

When decrypting, the IV is given, not random.
2019-01-14 18:29:46 +01:00
Gilles Peskine
5f25dd00c0 Document that destroying a key aborts any ongoing operation
Document that psa_close_key() and psa_destroy_key() abort any ongoing
multipart operation that is using the key. This is not implemented
yet.
2019-01-14 18:29:46 +01:00
Gilles Peskine
d35b489ce5 New macro PSA_ALG_IS_HASH_AND_SIGN
Test for a subclass of public-key algorithm: those that perform
full-domain hashing, i.e. algorithms that can be broken down as
sign(key, hash(message)).
2019-01-14 16:02:15 +01:00
Jaeden Amero
8d4be19517
Merge pull request #7 from gilles-peskine-arm/all_sh-mbedcrypto
[mbedcrypto] all.sh: make it possible to run a subset of the components
2019-01-14 10:47:20 +00:00
Jaeden Amero
6b19600fba psa: Simplify RSA public key format
Remove pkcs-1 and rsaEncryption front matter from RSA public keys. Move
code that was shared between RSA and other key types (like EC keys) to
be used only with non-RSA keys.
2019-01-11 18:08:53 +00:00
Jaeden Amero
d3a0c2c779 psa: Document requirements for psa_export_public_key()
Copy the nice and clear documentation from psa_export_key() as to what
implementations are allowed to do regarding key export formats, as the
same applies to public keys.
2019-01-11 17:15:56 +00:00
Jaeden Amero
005401e6a7
Merge pull request #8 from NirSonnenschein/fix_check-names.sh
modify check-names.sh and list-macros.sh to work with PSA constants
2019-01-11 13:22:54 +00:00
Jaeden Amero
83d293951c psa: Call init when importing private EC keys
Previously we weren't initializing the freshly allocated ECP keypair
when importing private EC keys. This didn't seem to cause problems, at
least according to our current test coverage, but it's better to ensure
we don't have a partially initialized object by explicitly initializing
the keypair.
2019-01-10 20:25:55 +00:00
Gilles Peskine
e87898709c Rename test_memcheck to test_valgrind
Valgrind is what it does. `memcheck` is how it's implemented.
2019-01-10 18:36:20 +01:00
Gilles Peskine
a49b00f2ed Support wildcard patterns with a positive list of components to run
Wildcard patterns now work with command line COMPONENT arguments
without --except as well as with. You can now run e.g.
`all.sh "check_*` to run all the sanity checks.
2019-01-10 18:36:20 +01:00
Gilles Peskine
d692e11309 Delete $OUT_OF_SOURCE_DIR under --force
The deletion of "$OUT_OF_SOURCE_DIR" had mistakenly been lumped
together with Yotta and then removed when Yotta support was removed.
Bring it back.
2019-01-10 18:36:20 +01:00
Gilles Peskine
add1d23b26 Fix sometimes-spurious warning about changed config.h
After backing up and restoring config.h, `git diff-files` may report
it as potentially-changed because it isn't sure whether the index is
up to date. Use `git diff` instead: it actually reads the file.
2019-01-10 18:36:20 +01:00
Gilles Peskine
92bff7f9bf all.sh: Update the maintainer documentation 2019-01-10 18:36:16 +01:00
Gilles Peskine
2edf47c2c3 Merge the code to call output_env.sh into pre_check_tools
It's all about tool detection.
2019-01-10 18:35:33 +01:00
Gilles Peskine
657f59a520 all.sh: only check tools that are going to be used
Don't require openssl, mingw, etc. if we aren't going to run a
component that uses them.
2019-01-10 18:35:32 +01:00
Gilles Peskine
e26ab189cb all.sh: only look for armcc if it is used
Only look for armcc if component_build_armcc is to be executed,
instead of requiring the option --no-armcc.

You can still pass --no-armcc, but it's no longer required when
listing components to run. With no list of components or an exclude
list on the command line, --no-armcc is equivalent to having
build_armcc in the exclude list.
2019-01-10 18:35:32 +01:00
Gilles Peskine
1bcb1c8e28 all.sh: Always build the list of components to run
Build the list of components to run in $RUN_COMPONENTS as part of
command line parsing. After parsing the command line, it no longer
matters how this list was built.
2019-01-10 18:35:32 +01:00
Gilles Peskine
1072610e14 all.sh: list components automatically
Extract the list of available components by looking for definitions of
functions called component_xxx. The previous code explicitly listed
all components in run_all_components, which opened the risk of
forgetting to list a component there.

Add a conditional execution facility: if a function support_xxx exists
and returns false then component_xxx is not executed (except when the
command line lists an explicit set of components to execute).
2019-01-10 18:35:32 +01:00
Jaeden Amero
d6292ca57b
Merge pull request #6 from Patater/initializers
Add initializers for crypto structs
2019-01-10 09:50:33 +00:00
Gilles Peskine
55ae162559 all.sh: fix MAKEFLAGS setting
MAKEFLAGS was set to -j if it was already set, instead of being set if
not previously set as intended. So now all.sh will do parallel builds
if invoked without MAKEFLAGS in the environment.
2019-01-10 09:32:04 +01:00
Gilles Peskine
bdf3f52710 all.sh: don't insist on Linux; always run Valgrind
Don't bail out of all.sh if the OS isn't Linux. We only expect
everything to pass on a recent Linux x86_64, but it's useful to call
all.sh to run some components on any platform.

In all.sh, always run both MemorySanitizer and Valgrind. Valgrind is
slower than ASan and MSan but finds some things that they don't.

Run MSan unconditionally, not just on Linux/x86_64. MSan is supported
on some other OSes and CPUs these days.

Use `all.sh --except test_memsan` if you want to omit MSan because it
isn't supported on your platform. Use `all.sh --except test_memcheck`
if you want to omit Valgrind because it's too slow.

Make the test scripts more portable (tested on FreeBSD): don't insist
on GNU sed, and recognize amd64 as well as x86_64 for `uname -m`. The
`make` utility must still be GNU make.
2019-01-10 09:32:04 +01:00
Gilles Peskine
74851d8dd9 Gdb script: improve portability of ASLR disabling disabling
Call `set disable-randomization off` only if it seems to be supported.
The goal is to neither get an error about disable-randomization not
being supported (e.g. on FreeBSD), nor get an error if it is supported
but fails (e.g. on Ubuntu).

Only fiddle with disable-randomization from all.sh, which cares
because it reports the failure of ASLR disabling as an error. If a
developer invokes the Gdb script manually, a warning about ASLR
doesn't matter.
2019-01-10 09:32:04 +01:00