Merge development into API spec branch #92
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In multipart cipher tests, test that each step of psa_cipher_update produces output of the expected length. The length is hard-coded in the test data since it depends on the mode. The length of the output of psa_cipher_finish is effectively tested because it's the total output length minus the length produced by the update steps.
…itial Specification of how keys and the random seed are stored
Prepare support for 64 bit key ids under SPM
It is now required to initialize PSA Crypto operation contexts before calling psa_*_setup(). Otherwise, one gets a PSA_ERROR_BAD_STATE error.
Add missing initializers to PSA Crypto example. Operation contexts must be initialized before calling psa_*_setup().
It is now required to initialize PSA Crypto operation contexts before calling psa_*_setup(). Otherwise, one gets a PSA_ERROR_BAD_STATE error.
…er_update_test Improve multipart cipher tests: 2 blocks, CTR
PSA_MAX_PERSISTENT_KEY_IDENTIFIER was actually one plus the maximum key identifier. Change it to be the maximum value, and change the code that uses it accordingly. There is no semantic change here (the maximum value hasn't changed). This commit only makes the implementation clearer.
Differentiate between _key identifiers_, which are always `uint32_t`,
and _key file identifiers_, which are platform-dependent. Normally,
the two are the same.
In `psa/crypto_platform.h`, define `psa_app_key_id_t` (which is always
32 bits, the standard key identifier type) and
`psa_key_file_id_t` (which will be different in some service builds).
A subsequent commit will introduce a platform where the two are different.
It would make sense for the function declarations in `psa/crypto.h` to
use `psa_key_file_id_t`. However this file is currently part of the
PSA Crypto API specification, so it must stick to the standard type
`psa_key_id_t`. Hence, as long as the specification and Mbed Crypto
are not separate, use the implementation-specific file
`psa/crypto_platform.h` to define `psa_key_id_t` as `psa_key_file_id_t`.
In the library, systematically use `psa_key_file_id_t`.
perl -i -pe 's/psa_key_id_t/psa_key_file_id_t/g' library/*.[hc]
Declare the owner as psa_key_owner_id_t, of which an implementation must be provided separately. Make this a configuration option MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER, to make the conditional compilation flow easier to follow. Declare it in config.h to pacify check_names.sh. Support for a specific implementation of psa_key_owner_id_t in storage backends will come in a subsequent commit.
When building for the PSA crypto service (defined(PSA_CRYPTO_SECURE)), define psa_key_owner_id_t as int32_t, which is how a PSA platform encodes partition identity. Note that this only takes effect when the build option MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is active. Support this configuration in the ITS backend.
…internal_key_id Support key file IDs encoding the key owner
In case the new constants aren't available yet in Mbed TLS, continue to use the deprecated constants if they are available.
Switch to the terminology "key file identifier", as has been done in the code. The owner uid is now in the upper 32 bits of the key file identifier, which facilitates namespacing.
Ensure that when doing MAC operations out of order, PSA_ERROR_BAD_STATE is returned as documented in crypto.h and the PSA Crypto specification.
Ensure that when doing cipher operations out of order, PSA_ERROR_BAD_STATE is returned as documented in crypto.h and the PSA Crypto specification.
If a hash context has not been set up, fail with PSA_ERROR_BAD_STATE as documented in crypto.h and the PSA Crypto specification.
Extend hash bad order test in line with the new bad order tests for MAC and cipher, covering more cases and making comments and test layout consistent. Ensure that when doing hash operations out of order, PSA_ERROR_BAD_STATE is returned as documented in crypto.h and the PSA Crypto specification.
Calling psa_*_setup() twice on a MAC, cipher, or hash context should result in a PSA_ERROR_BAD_STATE error because the operation has already been set up. Fixes ARMmbed#10
psa: Be compatible with deprecated constants
…y_file_id Update the architecture document regarding key file identifiers
In places where we detect a context is in a bad state and there is no sensitive data to clear, simply return PSA_ERROR_BAD_STATE and don't abort on behalf of the application. The application will choose what to do when it gets a bad state error. The motivation for this change is that an application should decide what to do when it misuses the API and encounters a PSA_ERROR_BAD_STATE error. The library should not attempt to abort on behalf of the application, as that may not be the correct thing to do in all circumstances.
Add deprecated error codes to help transition between the previous version of the PSA Crypto specification and the current one.
psa: Add backwards compatible error codes
Disallow use of invalid contexts
Add a test case for doing an ECDH calculation by calling mbedtls_ecdh_get_params on both keys, then mbedtls_ecdh_calc_secret.
Add a test case for doing an ECDH calculation by calling mbedtls_ecdh_get_params on both keys, with keys belonging to different groups. This should fail, but currently passes.
|
I've completed my review. |
yanesca
previously approved these changes
Apr 17, 2019
library/psa_crypto.c
Outdated
| @@ -4665,6 +4684,38 @@ psa_status_t psa_key_agreement( psa_crypto_generator_t *generator, | |||
| return( status ); | |||
| } | |||
|
|
|||
| psa_status_t psa_key_agreement_raw_shared_secret(psa_algorithm_t alg, | |||
There was a problem hiding this comment.
style: missing space after/before parentheses.
There was a problem hiding this comment.
Fixed in rebase
gilles-peskine-arm
force-pushed
the
psa-api-beta2-merge-development
branch
from
5f2ff84 to
91824b5
Compare
|
Thanks for the reviews. I rebased some commits to address minor issues. For the driver model, there hadn't been any changes in the API branch, so the development branch had the latest version. |
Patater
reviewed
Apr 17, 2019
| /* If an error happens and is not handled properly, the output | ||
| * may be used as a key to protect sensitive data. Arrange for such | ||
| * a key to be random, which is likely to resist in decryption or | ||
| * verification errors. This is better than filling the buffer with |
There was a problem hiding this comment.
In commit "Implement psa_key_agreement_raw_shared_secret":
s/resist/result
- * a key to be random, which is likely to resist in decryption or
- * verification errors. This is better than filling the buffer with
+ * a key to be random, which is likely to result in decryption or
+ * verification errors. This is better than filling the buffer withThere was a problem hiding this comment.
Fixed in rebase
|
I've completed another round of review. Just one typo found. |
|
Note that Windows tests are failing until the latest development is again merged into the API branch. |
Refactor: split psa_key_agreement_raw_internal out of psa_key_agreement_internal, and call it from psa_key_agreement_raw_shared_secret as well.
Separate test functions for raw key agreement and key agreement with KDF.
Allow either the key derivation step or the key agreement step to fail. These tests should be split into three groups: key derivation setup tests with an algorithm that includes a key agreement step, and multipart key agreement failure tests, and raw key agreement failure tests.
Since the format change for EC public key import from SubjectPublicKeyInfo to the ECPoint content, it is no longer possible to import a key with metadata marking it as ECDH-only. This test was converted systematically but now no longer has any purpose since the public key is now like any other public key.
Change test cases with test data for raw agreement to this new test function.
Basic coverage with one algorithm only and a restricted choice of output lengths.
This gives a little more room to encode key agreement algorithms, while keeping enough space for key derivation algorithms. This doesn't affect any of the already-defined algorithms.
One was obsolete. Reword the other two to avoid the magic word that our CI rejects.
Fix logic error that clang helpfully points out
uintN_t is not a standard type for a bitfield, as armcc points out.
Simplify the logic inside a few case statements. This removes unreachable break statements.
gilles-peskine-arm
force-pushed
the
psa-api-beta2-merge-development
branch
from
91824b5 to
2b522db
Compare
…pi-beta2-merge-development
|
I added a new merge commit to update to current |
|
Looks like there are some build failures in CI, but these are expected as we haven't fixed |
|
Oh right, yes, |
yanesca
approved these changes
Apr 18, 2019
Patater
removed
the
needs: review
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
developmentbranch at c70a3c7 intopsa-api-1.0-beta.This makes some updates to the spec:
BAD_STATE.Driver model evolution.Out of scope:
MBEDTLS_USE_PSA_CRYPTOwork.Reviewers: please assume that the current tip of
psa-api-1.0-betaand the commit used fromdevelopmentare ok, and review only “Merge remote-tracking branch 'upstream-crypto/development' into psa-api-beta2-merge-development” and the subsequent commits.