Commit graph

2265 commits

Author SHA1 Message Date
Gilles Peskine
eae6eee24c Change ECDSA signature representation to r||s
Change the representation of an ECDSA signature from the ASN.1 DER
encoding used in TLS and X.509, to the concatenation of r and s
in big-endian order with a fixed size. A fixed size helps memory and
buffer management and this representation is generally easier to use
for anything that doesn't require the ASN.1 representation. This is
the same representation as PKCS#11 (Cryptoki) except that PKCS#11
allows r and s to be truncated (both to the same length), which
complicates the implementation and negates the advantage of a
fixed-size representation.
2018-09-12 16:41:11 +03:00
Gilles Peskine
ca45c35e65 Fix exercise_signature_key for ECDSA
mbedtls_ecdsa_verify fails when the input is all-bits-zero (mbedtls
issue #1792). Use a different input.
2018-09-12 16:41:11 +03:00
Gilles Peskine
a680c7a9fc Add import-and-exercise tests for some signature algorithms 2018-09-12 16:41:10 +03:00
Gilles Peskine
a81d85b732 Sort out ECDSA mechanisms
* Distinguish randomized ECDSA from deterministic ECDSA.
* Deterministic ECDSA needs to be parametrized by a hash.
* Randomized ECDSA only uses the hash for the initial hash step,
  but add ECDSA(hash) algorithms anyway so that all the signature
  algorithms encode the initial hashing step.
* Add brief documentation for the ECDSA signature mechanisms.
* Also define DSA signature mechanisms while I'm at it. There were
  already key types for DSA.
2018-09-12 16:24:51 +03:00
Gilles Peskine
55bf3d1171 Sort out RSA mechanisms
* PSS needs to be parametrized by a hash.
* Don't use `_MGF1` in the names of macros for OAEP and PSS. No one
  ever uses anything else.
* Add brief documentation for the RSA signature mechanisms.
2018-09-12 16:24:51 +03:00
Gilles Peskine
559d2f6d3e Add bad-type import tests with coinciding key sizes
Add a negative test for import where the expected key is an EC key
with the correct key size, but the wrong curve. Change the test that
tries to import an RSA key when an EC key is expected to have the
expected key size.
2018-09-12 16:24:50 +03:00
Gilles Peskine
a9a3c23ccd Fix a config dependency in a test case 2018-09-12 16:24:50 +03:00
Gilles Peskine
202d0793a2 Add import test cases with a key pair of the wrong type 2018-09-12 16:24:50 +03:00
Mohammad AboMokh
65fa0b8433 fix if condition to validate encrypt key usage 2018-09-12 16:24:50 +03:00
Mohammad AboMokh
adb9b2372b fix PSA_BLOCK_CIPHER_BLOCK_SIZE() argument in test code 2018-09-12 16:24:50 +03:00
Jaeden Amero
2a671e9031 psa: export_public_key: Check for all zero on error 2018-09-12 16:24:50 +03:00
Jaeden Amero
e7edf7bb20 psa: Expect zero-length exported-public symmetric keys
Because exporting-public a symmetric key fails, we have no reasonable
expectation that the exported key length has any value at all other than
something obviously incorrect or "empty", like a key with a length of 0.
Our current implementation explicitly sets the exported key length to 0
on errors, so test for this. Fix the "PSA import/export-public: cannot
export-public a symmetric key" test to expect a key length of 0 instead
of 162.
2018-09-12 16:24:50 +03:00
Jaeden Amero
f24c7f80a0 psa_export_key: Always set a valid data length
Make psa_export_key() always set a valid data_length when exporting,
even when there are errors. This makes the API easier to use for buggy
programs (like our test code).

Our test code previously used exported_length uninitialized when
checking to see that the buffer returned was all zero in import_export()
in the case where an error was returned from psa_export_key().
Initialize exported_length to an invalid length, and check that it gets
set properly by psa_export_key(), to avoid this using export_length
uninitialized. Note that the mem_is_zero() check is still valid when
psa_export_key() returns an error, e.g. where exported_length is 0, as
we want to check that nothing was written to the buffer on error.

Out test code also previous passed NULL for the data_length parameter of
psa_export_key() when it expected a failure (in key_policy_fail()).
However, data_length is not allowed to be NULL, especially now that we
write to data_length from psa_export_key() even when there are errors.
Update the test code to not pass in a NULL data_length.
2018-09-12 16:24:50 +03:00
Gilles Peskine
0c48c58721 Merge remote-tracking branch 'psa/pr/63' into feature-psa 2018-09-12 16:24:50 +03:00
Gilles Peskine
48c0ea14c6 Remove PSA_KEY_TYPE_IS_RAW_BYTES from crypto.h
It isn't used to define other macros and it doesn't seem that useful
for users. Remove it, we can reintroduce it if needed.

Define a similar function key_type_is_raw_bytes in the implementation
with a clear semantics: it's a key that's represented as a struct
raw_data.
2018-09-12 16:24:50 +03:00
Gilles Peskine
a50d7396f3 test of generate_random: focus on testing the output buffer size
In the test generate_random, focus on testing that psa_generate_random
is writing all the bytes of the output buffer and no more. Add a check
that it is writing to each byte of the output buffer. Do not try to
look for repeating output as the structure of a unit test isn't likely
to catch that sort of problem anyway.
2018-09-12 16:24:50 +03:00
Gilles Peskine
9ad29e2bee Add what little was missing to fully support DES
Also add what was missing in the test suite to support block ciphers
with a block size that isn't 16.

Fix some buggy test data that passed only due to problems with DES
support in the product.
2018-09-12 16:24:50 +03:00
Gilles Peskine
9a94480685 Convert ERR_ASN1 error codes to PSA
This fixes the error code when psa_export_key on an asymmetric key
reports that the output buffer is too small.
2018-09-12 16:24:50 +03:00
Gilles Peskine
775b8e97b1 export asymmetric key: more larger buffer cases
Test not only a buffer that's one byte larger than the minimum, but
also larger sizes that currently trigger a different code path.
2018-09-12 16:24:50 +03:00
Gilles Peskine
140855615f Fix copypasta in some test cases 2018-09-12 16:24:50 +03:00
Gilles Peskine
b866e2b4d2 Get rid of some casts in test_suite_psa_crypto
Use more auxiliary variables to unmarshall int values.
2018-09-12 16:24:49 +03:00
Gilles Peskine
3f669c374a Simplify mem_is_nonzero to mem_is_zero
This also fixes a bug that the value that mem_is_nonzero tried to
return could overflow int.
2018-09-12 16:23:54 +03:00
Gilles Peskine
818ca1283a generate_key tests: exercise the key
After generating a key, perform a smoke test: run one operation with
it and check that the operation has the expected status.
2018-09-12 16:23:54 +03:00
Gilles Peskine
c06e07128c Favor INVALID_ARGUMENT over NOT_SUPPORTED for bad algorithm types
In psa_hash_start, psa_mac_start and psa_cipher_setup, return
PSA_ERROR_INVALID_ARGUMENT rather than PSA_ERROR_NOT_SUPPORTED when
the algorithm parameter is not the right category.
2018-09-12 16:23:54 +03:00
Gilles Peskine
16c0f4f787 Fix potential memory corruption on MAC/cipher setup failure
When psa_mac_start(), psa_encrypt_setup() or psa_cipher_setup()
failed, depending on when the failure happened, it was possible that
psa_mac_abort() or psa_cipher_abort() would crash because it would try
to call a free() function uninitialized data in the operation
structure. Refactor the functions so that they initialize the
operation structure before doing anything else.

Add non-regression tests and a few more positive and negative unit
tests for psa_mac_start() and psa_cipher_setup() (the latter via
psa_encrypt_setip()).
2018-09-12 16:23:53 +03:00
Jaeden Amero
c939f6fcba fixup! New function mbedtls_rsa_get_bitlen
In some configurations (like config-mini-tls1_1.h), size is unused. This
leads to failures when building with CMake Asan, because that build
doesn't use "-Wno-unused-value".

Fixes: e01822299624 ("New function mbedtls_rsa_get_bitlen")
2018-09-12 16:22:51 +03:00
Gilles Peskine
12313cd84c Implement psa_generate_key: AES, DES, RSA, ECP
In the test cases, try exporting the generated key and perform sanity
checks on it.
2018-09-12 16:22:51 +03:00
Gilles Peskine
e66ca3bbf3 psa_export_key: zero out potential garbage in the output buffer
In psa_export_key, ensure that each byte of the output buffer either
contains its original value, is zero, or is part of the actual output.
Specifically, don't risk having partial output on error, and don't
leave extra data at the end of the buffer when exporting an asymmetric
key.

Test that exporting to a previously zeroed buffer leaves the buffer
zeroed outside the actual output if any.
2018-09-12 16:22:51 +03:00
Gilles Peskine
0e2315859f psa_export_key: fix asymmetric key in larger buffer
Exporting an asymmetric key only worked if the target buffer had
exactly the right size, because psa_export_key uses
mbedtls_pk_write_key_der or mbedtls_pk_write_pubkey_der and these
functions write to the end of the buffer, which psa_export_key did not
correct for. Fix this by moving the data to the beginning of the
buffer if necessary.

Add non-regression tests.
2018-09-12 16:22:51 +03:00
Gilles Peskine
9a9e19f3fb Switch default config back to the upstream one + PSA + CMAC
Switch the default config.h back to the upstream version, plus the new
feature from this branch MBEDTLS_PSA_CRYPTO_C, plus MBEDTLS_CMAC_C
because it's a features we're using to explore the API design but
that's off by default in Mbed TLS.

Having a crypto-only version saved a bit of developer time, and it's
something we want to ship, but we also need a full build with TLS to
work, and the CI scripts assume that the default build includes TLS.

As a consequence, list-macros.sh no longer needs a special case to
pass check-names.sh.
2018-09-12 16:22:51 +03:00
Gilles Peskine
05d69890ee Implement psa_generate_random 2018-09-12 16:22:51 +03:00
Gilles Peskine
0ff4b0f7f9 psa_import_key: validate symmetric key size
When importing a symmetric key, validate that the key size is valid
for the given key type.

Non-supported key types may no longer be imported.
2018-09-12 16:22:51 +03:00
Gilles Peskine
ca36a23bce Fix asymmetric encrypt/decrypt test with invalid key types
The key data was invalid on import. The import doesn't fail because it
doesn't check the data enough.
2018-09-12 16:22:51 +03:00
Gilles Peskine
2d9d6db60f check-names: also check PSA files
Allow both mbedtls and psa identifiers in either set of files for now.
2018-09-12 16:22:51 +03:00
Gilles Peskine
313b8af18e Improve the description of some test cases
Make the descriptions more consistent.
2018-09-12 16:22:51 +03:00
Gilles Peskine
d5b3322f72 Reorder PSA test cases to group them by topic
* init-deinit
* import-export
* policies
* lifetime
* hash
* MAC
* cipher
* AEAD
* asymmetric sign
* asymmetric verify
* asymmetric encrypt-decrypt

This commit only moves test functions and test cases around. It does
not modify, add or remove tests.
2018-09-12 16:22:49 +03:00
Gilles Peskine
34ef7f5a55 Check the curve of an elliptic curve key on import
psa_import_key must check that the imported key data matches the
expected key type. Implement the missing check for EC keys that the
curve is the expected one.
2018-09-12 16:19:04 +03:00
Gilles Peskine
e1fed0de18 Define elliptic curve identifiers from TLS
Instead of rolling our own list of elliptic curve identifiers, use one
from somewhere. Pick TLS because it's the right size (16 bits) and
it's as good as any.
2018-09-12 16:19:04 +03:00
Gilles Peskine
b3e6e5deeb Rename hash max sizes for consistency
Use "hash" throughout the library, not "md" as in Mbed TLS.
2018-09-12 16:19:04 +03:00
Gilles Peskine
dec7261df1 Remove redundant initialization of policies to {0}
Some compilers don't like initializing a structure to {0} (incomplete
initializer). It's redundant anyway since we always call
psa_key_policy_init.
2018-09-12 16:19:04 +03:00
Gilles Peskine
c0ec97222b mac_verify: remove unused IV argument
We aren't going to have MAC with IV in the API any time soon, if at
all, so remove the embryonic support for it in the tests.
2018-09-12 16:19:03 +03:00
Gilles Peskine
01b929c85b Fix key_lifetime_set_fail not cleaning up the right key slot 2018-09-12 16:18:04 +03:00
Gilles Peskine
4abf741e6a Hygiene improvements in PSA crypto test code
Get rid of many redundant casts. In particular, it is not useful to
cast uint32_t values to size_t before performing arithmetic or
comparisons on them.

Rewrap a number of function calls, many of which now have narrower
arguments thanks to the removed casts. When a function call doesn't
fit on a single line, avoid grouping unrelated parameters together,
but do try to group a buffer pointer and the associated size.

Define more auxiliary variables xxx of a particular integer
type (psa_algorithm_t, psa_key_usage_t, etc.) corresponding to a test
function xxx_arg which has the type int. This avoids the need to cast
xxx_arg to an unsigned type sometimes in the code.
2018-09-12 16:18:04 +03:00
Gilles Peskine
7bcfc0a9ae Be more consistent about blank lines 2018-09-12 16:18:04 +03:00
Gilles Peskine
c1bb6c8dcc Formatting improvements
Avoid lines longer than 80 columns.

Remove some redundant parentheses, e.g. change
    if( ( a == b ) && ( c == d ) )
to
    if( a == b && c == d )
which makes lines less long and makes the remaining parentheses more
relevant.

Add missing parentheses around return statements.

There should be no semantic change in this commit.
2018-09-12 16:18:02 +03:00
Gilles Peskine
2d2778650b Normalize whitespace
Normalize whitespace to Mbed TLS standards. There are only whitespace
changes in this commit.
2018-09-12 16:15:52 +03:00
Nir Sonnenschein
1e2b046026 adding more test cases for hmac 2018-09-12 16:13:49 +03:00
itayzafrir
27fbaf7781 Fixed test sign_deterministic, macro PSA_ASYMMETRIC_SIGN_OUTPUT_SIZE
Arguments in the wrong order
2018-09-12 16:13:49 +03:00
itayzafrir
3e02b3b280 On target testing tests adaptation
Updated all psa crypto tests to use the new test format
2018-09-12 16:13:39 +03:00
itayzafrir
423f219bb2 Fixed missing dependencies in psa crypto tests
PSA verify RSA PKCS#1 v1.5 SHA-256, wrong hash
    PSA Symmetric decryption: AES-CTR, 16 bytes, good
    PSA Symmetric encryption: AES-CTR, 15 bytes, good
    PSA Symmetric encryption: AES-CTR, 16 bytes, good
2018-09-05 12:46:20 +03:00