From b3ce8156ce141a66463ee6d34f4025762ee8ca02 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Thu, 18 Feb 2021 12:03:50 +0100 Subject: [PATCH 01/31] Add support for minimum-tag-length AEAD and MAC policies Includes tests. Signed-off-by: Steven Cooreman # Conflicts: # include/psa/crypto_values.h # tests/suites/test_suite_psa_crypto.function --- ChangeLog.d/psa-crypto-key-policies.txt | 8 + include/psa/crypto.h | 6 + include/psa/crypto_values.h | 89 ++++++++++- library/psa_crypto.c | 131 +++++++++++++-- tests/suites/test_suite_psa_crypto.data | 166 ++++++++++++++++++-- tests/suites/test_suite_psa_crypto.function | 49 ++++-- 6 files changed, 394 insertions(+), 55 deletions(-) create mode 100644 ChangeLog.d/psa-crypto-key-policies.txt diff --git a/ChangeLog.d/psa-crypto-key-policies.txt b/ChangeLog.d/psa-crypto-key-policies.txt new file mode 100644 index 000000000..6186d4642 --- /dev/null +++ b/ChangeLog.d/psa-crypto-key-policies.txt @@ -0,0 +1,8 @@ +Features + * Added PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG and + PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG as usage algorithms for declaring key + usage in PSA Crypto. These algorithm values describe that a key is allowed + to be used with any algorithm that matches the specified base algorithm + (e.g PSA_ALG_CCM for AEAD or PSA_ALG_CMAC for MAC) and has a tag length + which is at least as long as the one encoded in the MINIMUM_TAG_LENGTH + usage algorithm. diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 271fb99fa..a8fe59a12 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -264,6 +264,12 @@ static psa_key_usage_t psa_get_key_usage_flags( * - An algorithm value permits this particular algorithm. * - An algorithm wildcard built from #PSA_ALG_ANY_HASH allows the specified * signature scheme with any hash algorithm. + * - An algorithm value for which PSA_ALG_IS_WILDCARD() evaluates to true + * allows any algorithm specified by that usage algorithm definition. + * E.g. a usage algorithm built from PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG() + * allows using the key for any algorithm with the same base MAC algorithm as + * long as the used algorithm isn't truncated to less than the minimum tag + * length declared in the usage algorithm. * * This function overwrites any algorithm policy * previously set in \p attributes. diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 7002631a1..368581cd5 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -900,7 +900,7 @@ * too large for the specified MAC algorithm. */ #define PSA_ALG_TRUNCATED_MAC(mac_alg, mac_length) \ - (((mac_alg) & ~PSA_ALG_MAC_TRUNCATION_MASK) | \ + (((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | PSA_ALG_MAC_MINIMUM_LENGTH_FLAG)) | \ ((mac_length) << PSA_MAC_TRUNCATION_OFFSET & PSA_ALG_MAC_TRUNCATION_MASK)) /** Macro to build the base MAC algorithm corresponding to a truncated @@ -916,7 +916,7 @@ * MAC algorithm. */ #define PSA_ALG_FULL_LENGTH_MAC(mac_alg) \ - ((mac_alg) & ~PSA_ALG_MAC_TRUNCATION_MASK) + ((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | PSA_ALG_MAC_MINIMUM_LENGTH_FLAG)) /** Length to which a MAC algorithm is truncated. * @@ -932,6 +932,34 @@ #define PSA_MAC_TRUNCATED_LENGTH(mac_alg) \ (((mac_alg) & PSA_ALG_MAC_TRUNCATION_MASK) >> PSA_MAC_TRUNCATION_OFFSET) +/* In the encoding of a MAC algorithm, the bit corresponding to + * PSA_ALG_MAC_MINIMUM_LENGTH_FLAG encodes the fact that the algorithm is + * a usage algorithm, which allows any algorithm corresponding to the same + * base class and a tag length greater or equal than the one encoded in + * PSA_ALG_MAC_TRUNCATION_MASK. */ +#define PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ((psa_algorithm_t)0x00008000) + +/** Macro to build a MAC minimum-tag-length usage algorithm. + * + * A mininimum-tag-length MAC usage algorithm contains all MAC algorithms + * sharing the same base algorithm, and where the tag length of the specific + * algorithm is equal to or larger then the usage's minimum tag length. + * + * \param mac_alg A MAC algorithm identifier (value of type + * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p alg) + * is true). + * \param tag_length Desired minimum length of the authentication tag in + * bytes. + * + * \return The corresponding MAC usage algorithm with the + * specified minimum length. + * \return Unspecified if \p alg is not a supported + * MAC algorithm or if \p tag_length is not valid + * for the specified MAC algorithm. + */ +#define PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(mac_alg, tag_length) \ + ( PSA_ALG_TRUNCATED_MAC(mac_alg, tag_length) | PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) + #define PSA_ALG_CIPHER_MAC_BASE ((psa_algorithm_t)0x03c00000) /** The CBC-MAC construction over a block cipher * @@ -1111,10 +1139,25 @@ * for the specified AEAD algorithm. */ #define PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, tag_length) \ - (((aead_alg) & ~PSA_ALG_AEAD_TAG_LENGTH_MASK) | \ + (((aead_alg) & ~(PSA_ALG_AEAD_TAG_LENGTH_MASK | PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG)) | \ ((tag_length) << PSA_AEAD_TAG_LENGTH_OFFSET & \ PSA_ALG_AEAD_TAG_LENGTH_MASK)) +/** Retrieve the tag length of a specified AEAD algorithm + * + * \param aead_alg An AEAD algorithm identifier (value of type + * #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p alg) + * is true). + * + * \return The tag length specified by the input algorithm. + * \return Unspecified if \p alg is not a supported + * AEAD algorithm or if \p tag_length is not valid + * for the specified AEAD algorithm. + */ +#define PSA_ALG_AEAD_GET_TAG_LENGTH(aead_alg) \ + (((aead_alg) & PSA_ALG_AEAD_TAG_LENGTH_MASK) >> \ + PSA_AEAD_TAG_LENGTH_OFFSET ) + /** Calculate the corresponding AEAD algorithm with the default tag length. * * \param aead_alg An AEAD algorithm (\c PSA_ALG_XXX value such that @@ -1134,6 +1177,34 @@ PSA_ALG_AEAD_WITH_SHORTENED_TAG(ref, 0) ? \ ref : +/* In the encoding of an AEAD algorithm, the bit corresponding to + * PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG encodes the fact that the algorithm is + * a usage algorithm, which allows any algorithm corresponding to the same + * base class and a tag length greater or equal than the one encoded in + * PSA_ALG_AEAD_TAG_LENGTH_MASK. */ +#define PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ((psa_algorithm_t)0x00008000) + +/** Macro to build an AEAD minimum-tag-length usage algorithm. + * + * A mininimum-tag-length AEAD usage algorithm contains all AEAD algorithms + * sharing the same base algorithm, and where the tag length of the specific + * algorithm is equal to or larger then the usage's minimum tag length. + * + * \param aead_alg An AEAD algorithm identifier (value of type + * #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p alg) + * is true). + * \param tag_length Desired minimum length of the authentication tag in + * bytes. + * + * \return The corresponding AEAD usage algorithm with the + * specified minimum length. + * \return Unspecified if \p alg is not a supported + * AEAD algorithm or if \p tag_length is not valid + * for the specified AEAD algorithm. + */ +#define PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(aead_alg, tag_length) \ + ( PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, tag_length) | PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) + #define PSA_ALG_RSA_PKCS1V15_SIGN_BASE ((psa_algorithm_t)0x06000200) /** RSA PKCS#1 v1.5 signature with hashing. * @@ -1580,10 +1651,14 @@ * \return This macro may return either 0 or 1 if \c alg is not a supported * algorithm identifier. */ -#define PSA_ALG_IS_WILDCARD(alg) \ - (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \ - PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH : \ - (alg) == PSA_ALG_ANY_HASH) +#define PSA_ALG_IS_WILDCARD(alg) \ + (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \ + PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH : \ + (PSA_ALG_IS_MAC(alg) ? \ + (alg & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG) != 0 : \ + (PSA_ALG_IS_AEAD(alg) ? \ + (alg & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG) != 0 : \ + (alg) == PSA_ALG_ANY_HASH))) /**@}*/ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 8a51e9969..b6e26b3f0 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -663,16 +663,79 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( /* Common case: both sides actually specify the same policy. */ if( alg1 == alg2 ) return( alg1 ); - /* If the policies are from the same hash-and-sign family, check - * if one is a wildcard. If so the other has the specific algorithm. */ - if( PSA_ALG_IS_HASH_AND_SIGN( alg1 ) && - PSA_ALG_IS_HASH_AND_SIGN( alg2 ) && - ( alg1 & ~PSA_ALG_HASH_MASK ) == ( alg2 & ~PSA_ALG_HASH_MASK ) ) + /* Special case: one or both sides contain a wildcard. */ + if( PSA_ALG_IS_WILDCARD( alg1 ) || PSA_ALG_IS_WILDCARD( alg2 ) ) { - if( PSA_ALG_SIGN_GET_HASH( alg1 ) == PSA_ALG_ANY_HASH ) - return( alg2 ); - if( PSA_ALG_SIGN_GET_HASH( alg2 ) == PSA_ALG_ANY_HASH ) - return( alg1 ); + /* If the policies are from the same hash-and-sign family, check + * if one is a wildcard. If so the other has the specific algorithm. */ + if( PSA_ALG_IS_HASH_AND_SIGN( alg1 ) && + PSA_ALG_IS_HASH_AND_SIGN( alg2 ) && + ( alg1 & ~PSA_ALG_HASH_MASK ) == ( alg2 & ~PSA_ALG_HASH_MASK ) ) + { + if( PSA_ALG_SIGN_GET_HASH( alg1 ) == PSA_ALG_ANY_HASH ) + return( alg2 ); + if( PSA_ALG_SIGN_GET_HASH( alg2 ) == PSA_ALG_ANY_HASH ) + return( alg1 ); + } + /* If the policies are from the same AEAD family, then at least one + * of them is a minimum-tag-length policy. Calculate the most + * restrictive tag length. */ + if( PSA_ALG_IS_AEAD( alg1 ) && PSA_ALG_IS_AEAD( alg2 ) && + ( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg1, 0 ) == + PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg2, 0 ) ) ) + { + size_t alg1_len = PSA_ALG_AEAD_GET_TAG_LENGTH( alg1 ); + size_t alg2_len = PSA_ALG_AEAD_GET_TAG_LENGTH( alg2 ); + size_t max_len = alg1_len > alg2_len ? alg1_len : alg2_len; + + /* If both are wildcards, return most restricitve wildcard */ + if( PSA_ALG_IS_WILDCARD( alg1 ) && PSA_ALG_IS_WILDCARD( alg2 ) ) + { + return( PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG( alg1, max_len ) ); + } + /* If only one is a wildcard, return specific algorithm if compatible. */ + if( PSA_ALG_IS_WILDCARD( alg1 ) && (alg1_len <= alg2_len) ) + { + return( alg2 ); + } + if( PSA_ALG_IS_WILDCARD( alg2 ) && (alg2_len <= alg1_len) ) + { + return( alg1 ); + } + } + /* If the policies are from the same MAC family, then at least one + * of them is a minimum-tag-length policy. Calculate the most + * restrictive tag length. */ + if( PSA_ALG_IS_MAC( alg1 ) && PSA_ALG_IS_MAC( alg2 ) && + ( PSA_ALG_FULL_LENGTH_MAC( alg1 ) == + PSA_ALG_FULL_LENGTH_MAC( alg2 ) ) ) + { + size_t alg1_len = PSA_MAC_TRUNCATED_LENGTH( alg1 ); + size_t alg2_len = PSA_MAC_TRUNCATED_LENGTH( alg2 ); + size_t max_len = alg1_len > alg2_len ? alg1_len : alg2_len; + + /* If both are wildcards, return most restricitve wildcard */ + if( PSA_ALG_IS_WILDCARD( alg1 ) && PSA_ALG_IS_WILDCARD( alg2 ) ) + { + return( PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG( alg1, max_len ) ); + } + /* If only one is a wildcard, return specific algorithm if compatible. + * Special case: specific MAC algorithm with '0' as length means full- + * length MAC, which is always allowed by a wildcard with the same + * base algorithm. */ + if( PSA_ALG_IS_WILDCARD( alg1 ) && + ( ( alg1_len <= alg2_len) || + ( alg2 == PSA_ALG_FULL_LENGTH_MAC( alg1 ) ) ) ) + { + return( alg2 ); + } + if( PSA_ALG_IS_WILDCARD( alg2 ) && + ( (alg2_len <= alg1_len) || + ( alg1 == PSA_ALG_FULL_LENGTH_MAC( alg2 ) ) ) ) + { + return( alg1 ); + } + } } /* If the policies are incompatible, allow nothing. */ return( 0 ); @@ -681,17 +744,51 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( static int psa_key_algorithm_permits( psa_algorithm_t policy_alg, psa_algorithm_t requested_alg ) { + /* A requested algorithm cannot be a wildcard. */ + if( PSA_ALG_IS_WILDCARD( requested_alg ) ) + return( 0 ); /* Common case: the policy only allows requested_alg. */ if( requested_alg == policy_alg ) return( 1 ); - /* If policy_alg is a hash-and-sign with a wildcard for the hash, - * and requested_alg is the same hash-and-sign family with any hash, - * then requested_alg is compliant with policy_alg. */ - if( PSA_ALG_IS_HASH_AND_SIGN( requested_alg ) && - PSA_ALG_SIGN_GET_HASH( policy_alg ) == PSA_ALG_ANY_HASH ) + /* Special cases: the policy is an algorithm collection. */ + if( PSA_ALG_IS_WILDCARD( policy_alg ) ) { - return( ( policy_alg & ~PSA_ALG_HASH_MASK ) == - ( requested_alg & ~PSA_ALG_HASH_MASK ) ); + /* If policy_alg is a hash-and-sign with a wildcard for the hash, + * and requested_alg is the same hash-and-sign family with any hash, + * then requested_alg is compliant with policy_alg. */ + if( PSA_ALG_IS_HASH_AND_SIGN( requested_alg ) && + PSA_ALG_SIGN_GET_HASH( policy_alg ) == PSA_ALG_ANY_HASH ) + { + return( ( policy_alg & ~PSA_ALG_HASH_MASK ) == + ( requested_alg & ~PSA_ALG_HASH_MASK ) ); + } + /* If policy_alg is a wildcard AEAD algorithm of the same base as + * the requested algorithm, check the requested tag length to be + * equal-length or longer than the wildcard-specified length. */ + if( PSA_ALG_IS_AEAD( policy_alg ) && + PSA_ALG_IS_AEAD( requested_alg ) && + ( PSA_ALG_AEAD_WITH_SHORTENED_TAG( policy_alg, 0 ) == + PSA_ALG_AEAD_WITH_SHORTENED_TAG( requested_alg, 0 ) ) ) + { + return( PSA_ALG_AEAD_GET_TAG_LENGTH( policy_alg ) <= + PSA_ALG_AEAD_GET_TAG_LENGTH( requested_alg ) ); + } + /* If policy_alg is a wildcard MAC algorithm of the same base as + * the requested algorithm, check the requested tag length to be + * equal-length or longer than the wildcard-specified length. */ + if( PSA_ALG_IS_MAC( policy_alg ) && + PSA_ALG_IS_MAC( requested_alg ) && + ( PSA_ALG_FULL_LENGTH_MAC( policy_alg ) == + PSA_ALG_FULL_LENGTH_MAC( requested_alg ) ) ) + { + /* Special case: full-length MAC is encoded with 0-length. + * A minimum-length policy will always allow a full-length MAC. */ + if( PSA_ALG_FULL_LENGTH_MAC( requested_alg ) == requested_alg ) + return( 1 ); + + return( PSA_MAC_TRUNCATED_LENGTH( policy_alg ) <= + PSA_MAC_TRUNCATED_LENGTH( requested_alg ) ); + } } /* If policy_alg is a generic key agreement operation, then using it for * a key derivation with that key agreement should also be allowed. This @@ -702,7 +799,7 @@ static int psa_key_algorithm_permits( psa_algorithm_t policy_alg, return( PSA_ALG_KEY_AGREEMENT_GET_BASE( requested_alg ) == policy_alg ); } - /* If it isn't permitted, it's forbidden. */ + /* If it isn't explicitly permitted, it's forbidden. */ return( 0 ); } diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index ad34bad3d..cd68ae1f1 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -378,31 +378,63 @@ key_attributes_init: PSA key policy: MAC, sign | verify depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC -mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256) +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_SUCCESS PSA key policy: MAC, wrong algorithm depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_224:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC -mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_224) +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_224):PSA_ERROR_NOT_PERMITTED PSA key policy: MAC, alg=0 in policy depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC -mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256) +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_ERROR_NOT_PERMITTED PSA key policy: MAC, ANY_HASH in policy is not meaningful depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC -mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_HMAC(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256) +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_HMAC(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_ERROR_NOT_PERMITTED PSA key policy: MAC, sign but not verify depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC -mac_key_policy:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256) +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_SUCCESS PSA key policy: MAC, verify but not sign depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC -mac_key_policy:PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256) +mac_key_policy:PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_SUCCESS PSA key policy: MAC, neither sign nor verify depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC -mac_key_policy:0:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256) +mac_key_policy:0:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_ERROR_NOT_PERMITTED + +PSA key policy: MAC, sign-verify, tag length > min-length policy +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 30):PSA_SUCCESS + +PSA key policy: MAC, sign-verify, tag length = min-length policy +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_SUCCESS + +PSA key policy: MAC, sign-verify, tag length < min-length policy +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 10):PSA_ERROR_NOT_PERMITTED + +PSA key policy: MAC, sign-verify, min-length policy, unmatched base alg +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC:MBEDTLS_CMAC_C +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_CMAC, 20):PSA_ERROR_NOT_PERMITTED + +PSA key policy: MAC, sign-verify, min-length policy used as algorithm +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_ERROR_NOT_PERMITTED + +PSA key policy: MAC, sign-verify, tag length > exact-length policy +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 10):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_ERROR_NOT_PERMITTED + +PSA key policy: MAC, sign-verify, tag length = exact-length policy +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_SUCCESS + +PSA key policy: MAC, sign-verify, tag length < exact-length policy +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 10):PSA_ERROR_NOT_PERMITTED PSA key policy: cipher, encrypt | decrypt depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR @@ -430,27 +462,59 @@ cipher_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:PSA_KEY_TYPE_A PSA key policy: AEAD, encrypt | decrypt depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM:PSA_SUCCESS PSA key policy: AEAD, wrong algorithm depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_GCM_C -aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":16:16:PSA_ALG_GCM +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":16:16:PSA_ALG_GCM:PSA_ERROR_NOT_PERMITTED PSA key policy: AEAD, alg=0 in policy depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":16:16:PSA_ALG_CCM +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":16:16:PSA_ALG_CCM:PSA_ERROR_NOT_PERMITTED PSA key policy: AEAD, encrypt but not decrypt depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -aead_key_policy:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM +aead_key_policy:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM:PSA_SUCCESS PSA key policy: AEAD, decrypt but not encrypt depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -aead_key_policy:PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM +aead_key_policy:PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM:PSA_SUCCESS PSA key policy: AEAD, neither encrypt nor decrypt depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -aead_key_policy:0:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM +aead_key_policy:0:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM:PSA_ERROR_NOT_PERMITTED + +PSA key policy: AEAD, tag length > min-length policy +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:8:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):PSA_SUCCESS + +PSA key policy: AEAD, tag length = min-length policy +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):PSA_SUCCESS + +PSA key policy: AEAD, tag length < min-length policy +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):PSA_ERROR_NOT_PERMITTED + +PSA key policy: AEAD, min-length policy, unmatched base alg +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_GCM_C +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 4):PSA_ERROR_NOT_PERMITTED + +PSA key policy: AEAD, min-length policy used as algorithm +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:8:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):PSA_ERROR_NOT_PERMITTED + +PSA key policy: AEAD, tag length > exact-length policy +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:8:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):PSA_ERROR_NOT_PERMITTED + +PSA key policy: AEAD, tag length = exact-length policy +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):PSA_SUCCESS + +PSA key policy: AEAD, tag length < exact-length policy +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):PSA_ERROR_NOT_PERMITTED PSA key policy: asymmetric encryption, encrypt | decrypt depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR @@ -698,6 +762,78 @@ Copy fail: AES, incompatible target policy depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:MBEDTLS_CIPHER_MODE_CBC copy_fail:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:0:PSA_KEY_TYPE_AES:"404142434445464748494a4b4c4d4e4f":0:0:PSA_KEY_USAGE_EXPORT:PSA_ALG_CBC_NO_PADDING:0:PSA_ERROR_INVALID_ARGUMENT +Copy key: source=MAC min-length, target=MAC length > min-length +depends_on:MBEDTLS_SHA256_C +copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0 + +Copy key: source=MAC min-length, target=MAC length = min-length +depends_on:MBEDTLS_SHA256_C +copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 + +Copy fail: source=MAC min-length, target=MAC length < min-length +depends_on:MBEDTLS_SHA256_C +copy_fail:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_HMAC:256:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 16):0:PSA_ERROR_INVALID_ARGUMENT + +Copy key: source=MAC min-length, target=MAC min-length, src > tgt +depends_on:MBEDTLS_SHA256_C +copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0 + +Copy key: source=MAC min-length, target=MAC min-length, src = tgt +depends_on:MBEDTLS_SHA256_C +copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 + +Copy key: source=MAC min-length, target=MAC min-length, src < tgt +depends_on:MBEDTLS_SHA256_C +copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0 + +Copy fail: source=MAC, target=MAC min-length > length +depends_on:MBEDTLS_SHA256_C +copy_fail:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_HMAC:256:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_ERROR_INVALID_ARGUMENT + +Copy key: source=MAC, target=MAC min-length = length +depends_on:MBEDTLS_SHA256_C +copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 + +Copy key: source=MAC, target=MAC min-length < length +depends_on:MBEDTLS_SHA256_C +copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 16):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 + +Copy key: source=AEAD min-length, target=AEAD length > min-length +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):0 + +Copy key: source=AEAD min-length, target=AEAD length = min-length +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):0 + +Copy fail: source=AEAD min-length, target=AEAD length < min-length +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +copy_fail:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):0:PSA_ERROR_INVALID_ARGUMENT + +Copy key: source=AEAD min-length, target=AEAD min-length, src > tgt +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0 + +Copy key: source=AEAD min-length, target=AEAD min-length, src = tgt +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0 + +Copy key: source=AEAD min-length, target=AEAD min-length, src < tgt +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0 + +Copy fail: source=AEAD, target=AEAD min-length > length +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +copy_fail:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_ERROR_INVALID_ARGUMENT + +Copy key: source=AEAD, target=AEAD min-length = length +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):0 + +Copy key: source=AEAD, target=AEAD min-length < length +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 12):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 12):0 + Copy fail: RSA, incompatible target policy (source wildcard) depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C copy_fail:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):0:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":0:0:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):0:PSA_ERROR_INVALID_ARGUMENT @@ -1928,7 +2064,7 @@ PSA sign: RSA PKCS#1 v1.5, invalid hash (wildcard) depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_C:MBEDTLS_PKCS1_V15 # Arguably the error should be INVALID_ARGUMENT, but NOT_SUPPORTED is simpler # to implement. -sign_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":128:PSA_ERROR_NOT_SUPPORTED +sign_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":128:PSA_ERROR_NOT_PERMITTED PSA sign: RSA PKCS#1 v1.5 raw, input too large depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C @@ -1956,7 +2092,7 @@ sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bb PSA sign: deterministic ECDSA SECP256R1, invalid hash algorithm (wildcard) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_C -sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT +sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_NOT_PERMITTED PSA sign: invalid key type, signing with a public key depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 7ae672573..fca78cb5e 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -834,12 +834,14 @@ void mac_key_policy( int policy_usage, int policy_alg, int key_type, data_t *key_data, - int exercise_alg ) + int exercise_alg, + int expected_status_arg ) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; psa_status_t status; + psa_status_t expected_status = expected_status_arg; unsigned char mac[PSA_MAC_MAX_SIZE]; PSA_ASSERT( psa_crypto_init( ) ); @@ -852,20 +854,19 @@ void mac_key_policy( int policy_usage, &key ) ); status = psa_mac_sign_setup( &operation, key, exercise_alg ); - if( policy_alg == exercise_alg && - ( policy_usage & PSA_KEY_USAGE_SIGN_HASH ) != 0 ) - PSA_ASSERT( status ); - else + if( ( policy_usage & PSA_KEY_USAGE_SIGN_HASH ) == 0 ) TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); + else + TEST_EQUAL( status, expected_status ); + psa_mac_abort( &operation ); memset( mac, 0, sizeof( mac ) ); status = psa_mac_verify_setup( &operation, key, exercise_alg ); - if( policy_alg == exercise_alg && - ( policy_usage & PSA_KEY_USAGE_VERIFY_HASH ) != 0 ) - PSA_ASSERT( status ); - else + if( ( policy_usage & PSA_KEY_USAGE_VERIFY_HASH ) == 0 ) TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); + else + TEST_EQUAL( status, expected_status ); exit: psa_mac_abort( &operation ); @@ -924,11 +925,13 @@ void aead_key_policy( int policy_usage, data_t *key_data, int nonce_length_arg, int tag_length_arg, - int exercise_alg ) + int exercise_alg, + int expected_status_arg ) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_status_t status; + psa_status_t expected_status = expected_status_arg; unsigned char nonce[16] = {0}; size_t nonce_length = nonce_length_arg; unsigned char tag[16]; @@ -953,9 +956,8 @@ void aead_key_policy( int policy_usage, NULL, 0, tag, tag_length, &output_length ); - if( policy_alg == exercise_alg && - ( policy_usage & PSA_KEY_USAGE_ENCRYPT ) != 0 ) - PSA_ASSERT( status ); + if( ( policy_usage & PSA_KEY_USAGE_ENCRYPT ) != 0 ) + TEST_EQUAL( status, expected_status ); else TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); @@ -966,11 +968,12 @@ void aead_key_policy( int policy_usage, tag, tag_length, NULL, 0, &output_length ); - if( policy_alg == exercise_alg && - ( policy_usage & PSA_KEY_USAGE_DECRYPT ) != 0 ) + if( ( policy_usage & PSA_KEY_USAGE_DECRYPT ) == 0 ) + TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); + else if( expected_status == PSA_SUCCESS ) TEST_EQUAL( status, PSA_ERROR_INVALID_SIGNATURE ); else - TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); + TEST_EQUAL( status, expected_status ); exit: psa_destroy_key( key ); @@ -1334,6 +1337,20 @@ void copy_success( int source_usage_arg, ASSERT_COMPARE( material->x, material->len, export_buffer, length ); } + + /* Convert wildcard algorithm to exercisable algorithm */ + if( PSA_ALG_IS_WILDCARD( expected_alg ) ) + { + if( PSA_ALG_IS_MAC( expected_alg ) ) + expected_alg = PSA_ALG_TRUNCATED_MAC( + expected_alg, + PSA_MAC_TRUNCATED_LENGTH( expected_alg ) ); + if( PSA_ALG_IS_AEAD( expected_alg ) ) + expected_alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG( + expected_alg, + PSA_ALG_AEAD_GET_TAG_LENGTH( expected_alg ) ); + } + if( ! mbedtls_test_psa_exercise_key( target_key, expected_usage, expected_alg ) ) goto exit; if( ! mbedtls_test_psa_exercise_key( target_key, expected_usage, expected_alg2 ) ) From ee18b1f5a4332772a8b39e1f4992b4e962fb0cf8 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Mon, 8 Feb 2021 11:44:21 +0100 Subject: [PATCH 02/31] Style and language updates after review Signed-off-by: Steven Cooreman --- ChangeLog.d/psa-crypto-key-policies.txt | 8 -- .../psa-crypto-new-wildcard-policies.txt | 7 ++ include/psa/crypto.h | 14 ++-- include/psa/crypto_values.h | 73 ++++++++++--------- 4 files changed, 54 insertions(+), 48 deletions(-) delete mode 100644 ChangeLog.d/psa-crypto-key-policies.txt create mode 100644 ChangeLog.d/psa-crypto-new-wildcard-policies.txt diff --git a/ChangeLog.d/psa-crypto-key-policies.txt b/ChangeLog.d/psa-crypto-key-policies.txt deleted file mode 100644 index 6186d4642..000000000 --- a/ChangeLog.d/psa-crypto-key-policies.txt +++ /dev/null @@ -1,8 +0,0 @@ -Features - * Added PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG and - PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG as usage algorithms for declaring key - usage in PSA Crypto. These algorithm values describe that a key is allowed - to be used with any algorithm that matches the specified base algorithm - (e.g PSA_ALG_CCM for AEAD or PSA_ALG_CMAC for MAC) and has a tag length - which is at least as long as the one encoded in the MINIMUM_TAG_LENGTH - usage algorithm. diff --git a/ChangeLog.d/psa-crypto-new-wildcard-policies.txt b/ChangeLog.d/psa-crypto-new-wildcard-policies.txt new file mode 100644 index 000000000..f6aced99a --- /dev/null +++ b/ChangeLog.d/psa-crypto-new-wildcard-policies.txt @@ -0,0 +1,7 @@ +Features + * Added PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG and + PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG as wildcard algorithms in PSA Crypto. + These algorithm values describe that a key is allowed to be used with any + algorithm that matches the specified base algorithm (e.g PSA_ALG_CCM for + AEAD or PSA_ALG_CMAC for MAC) and has a tag/MAC length which is at least as + long as the one encoded in the MINIMUM_TAG_LENGTH wildcard algorithm. diff --git a/include/psa/crypto.h b/include/psa/crypto.h index a8fe59a12..4aad09452 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -264,12 +264,14 @@ static psa_key_usage_t psa_get_key_usage_flags( * - An algorithm value permits this particular algorithm. * - An algorithm wildcard built from #PSA_ALG_ANY_HASH allows the specified * signature scheme with any hash algorithm. - * - An algorithm value for which PSA_ALG_IS_WILDCARD() evaluates to true - * allows any algorithm specified by that usage algorithm definition. - * E.g. a usage algorithm built from PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG() - * allows using the key for any algorithm with the same base MAC algorithm as - * long as the used algorithm isn't truncated to less than the minimum tag - * length declared in the usage algorithm. + * - An algorithm built from #PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG allows + * any MAC algorithm from the same base class (e.g. CMAC) which + * generates/verifies a MAC length greater than or equal to the length + * encoded in the wildcard algorithm. + * - An algorithm built from #PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG allows + * any AEAD algorithm from the same base class (e.g. CCM) which + * generates/verifies a tag length greater than or equal to the length + * encoded in the wildcard algorithm. * * This function overwrites any algorithm policy * previously set in \p attributes. diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 368581cd5..e804dc4be 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -933,32 +933,36 @@ (((mac_alg) & PSA_ALG_MAC_TRUNCATION_MASK) >> PSA_MAC_TRUNCATION_OFFSET) /* In the encoding of a MAC algorithm, the bit corresponding to - * PSA_ALG_MAC_MINIMUM_LENGTH_FLAG encodes the fact that the algorithm is - * a usage algorithm, which allows any algorithm corresponding to the same - * base class and a tag length greater or equal than the one encoded in - * PSA_ALG_MAC_TRUNCATION_MASK. */ + * #PSA_ALG_MAC_MINIMUM_LENGTH_FLAG encodes the fact that the algorithm is + * a wildcard algorithm, which allows any algorithm corresponding to the same + * base class and having a (potentially truncated) MAC length greater or equal + * than the one encoded in #PSA_ALG_MAC_TRUNCATION_MASK. */ #define PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ((psa_algorithm_t)0x00008000) -/** Macro to build a MAC minimum-tag-length usage algorithm. +/** Macro to build a MAC minimum-MAC-length wildcard algorithm. * - * A mininimum-tag-length MAC usage algorithm contains all MAC algorithms - * sharing the same base algorithm, and where the tag length of the specific - * algorithm is equal to or larger then the usage's minimum tag length. + * A mininimum-MAC-length MAC wildcard algorithm contains all MAC algorithms + * sharing the same base algorithm, and where the (potentially truncated) MAC + * length of the specific algorithm is equal to or larger then the wildcard + * algorithm's minimum MAC length. * * \param mac_alg A MAC algorithm identifier (value of type - * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p alg) + * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg) * is true). - * \param tag_length Desired minimum length of the authentication tag in - * bytes. + * \param mac_length Desired minimum length of the message authentication + * code in bytes. This must be at most the full length of + * the MAC and must be at least an implementation-specified + * minimum. The implementation-specified minimum + * shall not be zero. * - * \return The corresponding MAC usage algorithm with the + * \return The corresponding MAC wildcard algorithm with the * specified minimum length. - * \return Unspecified if \p alg is not a supported - * MAC algorithm or if \p tag_length is not valid + * \return Unspecified if \p mac_alg is not a supported MAC + * algorithm or if \p mac_length is too small or too large * for the specified MAC algorithm. */ -#define PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(mac_alg, tag_length) \ - ( PSA_ALG_TRUNCATED_MAC(mac_alg, tag_length) | PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) +#define PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(mac_alg, mac_length) \ + ( PSA_ALG_TRUNCATED_MAC(mac_alg, mac_length) | PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) #define PSA_ALG_CIPHER_MAC_BASE ((psa_algorithm_t)0x03c00000) /** The CBC-MAC construction over a block cipher @@ -1178,27 +1182,28 @@ ref : /* In the encoding of an AEAD algorithm, the bit corresponding to - * PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG encodes the fact that the algorithm is - * a usage algorithm, which allows any algorithm corresponding to the same - * base class and a tag length greater or equal than the one encoded in - * PSA_ALG_AEAD_TAG_LENGTH_MASK. */ + * #PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG encodes the fact that the algorithm is + * a wildcard algorithm, which allows any algorithm corresponding to the same + * base class and having a tag length greater than or equal to the one encoded + * in #PSA_ALG_AEAD_TAG_LENGTH_MASK. */ #define PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ((psa_algorithm_t)0x00008000) -/** Macro to build an AEAD minimum-tag-length usage algorithm. +/** Macro to build an AEAD minimum-tag-length wildcard algorithm. * - * A mininimum-tag-length AEAD usage algorithm contains all AEAD algorithms + * A mininimum-tag-length AEAD wildcard algorithm contains all AEAD algorithms * sharing the same base algorithm, and where the tag length of the specific - * algorithm is equal to or larger then the usage's minimum tag length. + * algorithm is equal to or larger then the minimum tag length specified by the + * wildcard algorithm. * * \param aead_alg An AEAD algorithm identifier (value of type - * #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p alg) + * #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p aead_alg) * is true). * \param tag_length Desired minimum length of the authentication tag in * bytes. * - * \return The corresponding AEAD usage algorithm with the + * \return The corresponding AEAD wildcard algorithm with the * specified minimum length. - * \return Unspecified if \p alg is not a supported + * \return Unspecified if \p aead_alg is not a supported * AEAD algorithm or if \p tag_length is not valid * for the specified AEAD algorithm. */ @@ -1651,14 +1656,14 @@ * \return This macro may return either 0 or 1 if \c alg is not a supported * algorithm identifier. */ -#define PSA_ALG_IS_WILDCARD(alg) \ - (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \ - PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH : \ - (PSA_ALG_IS_MAC(alg) ? \ - (alg & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG) != 0 : \ - (PSA_ALG_IS_AEAD(alg) ? \ - (alg & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG) != 0 : \ - (alg) == PSA_ALG_ANY_HASH))) +#define PSA_ALG_IS_WILDCARD(alg) \ + (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \ + PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH : \ + PSA_ALG_IS_MAC(alg) ? \ + (alg & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG) != 0 : \ + PSA_ALG_IS_AEAD(alg) ? \ + (alg & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG) != 0 : \ + (alg) == PSA_ALG_ANY_HASH) /**@}*/ From 034880224756aa24cede25c49b1732a523c90dc1 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Thu, 18 Feb 2021 12:07:20 +0100 Subject: [PATCH 03/31] Remove generic wildcard checks after review feedback Applied specific wildcard checks instead. Signed-off-by: Steven Cooreman # Conflicts: # library/psa_crypto.c --- library/psa_crypto.c | 208 +++++++++++++++++++++---------------------- 1 file changed, 103 insertions(+), 105 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index b6e26b3f0..540d6594f 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -663,78 +663,78 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( /* Common case: both sides actually specify the same policy. */ if( alg1 == alg2 ) return( alg1 ); - /* Special case: one or both sides contain a wildcard. */ - if( PSA_ALG_IS_WILDCARD( alg1 ) || PSA_ALG_IS_WILDCARD( alg2 ) ) + /* If the policies are from the same hash-and-sign family, check + * if one is a wildcard. If so the other has the specific algorithm. */ + if( PSA_ALG_IS_HASH_AND_SIGN( alg1 ) && + PSA_ALG_IS_HASH_AND_SIGN( alg2 ) && + ( alg1 & ~PSA_ALG_HASH_MASK ) == ( alg2 & ~PSA_ALG_HASH_MASK ) ) { - /* If the policies are from the same hash-and-sign family, check - * if one is a wildcard. If so the other has the specific algorithm. */ - if( PSA_ALG_IS_HASH_AND_SIGN( alg1 ) && - PSA_ALG_IS_HASH_AND_SIGN( alg2 ) && - ( alg1 & ~PSA_ALG_HASH_MASK ) == ( alg2 & ~PSA_ALG_HASH_MASK ) ) - { - if( PSA_ALG_SIGN_GET_HASH( alg1 ) == PSA_ALG_ANY_HASH ) - return( alg2 ); - if( PSA_ALG_SIGN_GET_HASH( alg2 ) == PSA_ALG_ANY_HASH ) - return( alg1 ); - } - /* If the policies are from the same AEAD family, then at least one - * of them is a minimum-tag-length policy. Calculate the most - * restrictive tag length. */ - if( PSA_ALG_IS_AEAD( alg1 ) && PSA_ALG_IS_AEAD( alg2 ) && - ( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg1, 0 ) == - PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg2, 0 ) ) ) - { - size_t alg1_len = PSA_ALG_AEAD_GET_TAG_LENGTH( alg1 ); - size_t alg2_len = PSA_ALG_AEAD_GET_TAG_LENGTH( alg2 ); - size_t max_len = alg1_len > alg2_len ? alg1_len : alg2_len; + if( PSA_ALG_SIGN_GET_HASH( alg1 ) == PSA_ALG_ANY_HASH ) + return( alg2 ); + if( PSA_ALG_SIGN_GET_HASH( alg2 ) == PSA_ALG_ANY_HASH ) + return( alg1 ); + } + /* If the policies are from the same AEAD family, check whether + * one f them is a minimum-tag-length wildcard. Calculate the most + * restrictive tag length. */ + if( PSA_ALG_IS_AEAD( alg1 ) && PSA_ALG_IS_AEAD( alg2 ) && + ( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg1, 0 ) == + PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg2, 0 ) ) ) + { + size_t alg1_len = PSA_ALG_AEAD_GET_TAG_LENGTH( alg1 ); + size_t alg2_len = PSA_ALG_AEAD_GET_TAG_LENGTH( alg2 ); + size_t max_len = alg1_len > alg2_len ? alg1_len : alg2_len; - /* If both are wildcards, return most restricitve wildcard */ - if( PSA_ALG_IS_WILDCARD( alg1 ) && PSA_ALG_IS_WILDCARD( alg2 ) ) - { - return( PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG( alg1, max_len ) ); - } - /* If only one is a wildcard, return specific algorithm if compatible. */ - if( PSA_ALG_IS_WILDCARD( alg1 ) && (alg1_len <= alg2_len) ) - { - return( alg2 ); - } - if( PSA_ALG_IS_WILDCARD( alg2 ) && (alg2_len <= alg1_len) ) - { - return( alg1 ); - } - } - /* If the policies are from the same MAC family, then at least one - * of them is a minimum-tag-length policy. Calculate the most - * restrictive tag length. */ - if( PSA_ALG_IS_MAC( alg1 ) && PSA_ALG_IS_MAC( alg2 ) && - ( PSA_ALG_FULL_LENGTH_MAC( alg1 ) == - PSA_ALG_FULL_LENGTH_MAC( alg2 ) ) ) + /* If both are wildcards, return most restricitve wildcard */ + if( ( ( alg1 & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) != 0 ) && + ( ( alg2 & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) != 0 ) ) { - size_t alg1_len = PSA_MAC_TRUNCATED_LENGTH( alg1 ); - size_t alg2_len = PSA_MAC_TRUNCATED_LENGTH( alg2 ); - size_t max_len = alg1_len > alg2_len ? alg1_len : alg2_len; + return( PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG( alg1, max_len ) ); + } + /* If only one is a wildcard, return specific algorithm if compatible. */ + if( ( ( alg1 & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) != 0 ) && + ( alg1_len <= alg2_len ) ) + { + return( alg2 ); + } + if( ( ( alg2 & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) != 0 ) && + ( alg2_len <= alg1_len ) ) + { + return( alg1 ); + } + } + /* If the policies are from the same MAC family, check whether one + * of them is a minimum-MAC-length policy. Calculate the most + * restrictive tag length. */ + if( PSA_ALG_IS_MAC( alg1 ) && PSA_ALG_IS_MAC( alg2 ) && + ( PSA_ALG_FULL_LENGTH_MAC( alg1 ) == + PSA_ALG_FULL_LENGTH_MAC( alg2 ) ) ) + { + size_t alg1_len = PSA_MAC_TRUNCATED_LENGTH( alg1 ); + size_t alg2_len = PSA_MAC_TRUNCATED_LENGTH( alg2 ); + size_t max_len = alg1_len > alg2_len ? alg1_len : alg2_len; - /* If both are wildcards, return most restricitve wildcard */ - if( PSA_ALG_IS_WILDCARD( alg1 ) && PSA_ALG_IS_WILDCARD( alg2 ) ) - { - return( PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG( alg1, max_len ) ); - } - /* If only one is a wildcard, return specific algorithm if compatible. - * Special case: specific MAC algorithm with '0' as length means full- - * length MAC, which is always allowed by a wildcard with the same - * base algorithm. */ - if( PSA_ALG_IS_WILDCARD( alg1 ) && - ( ( alg1_len <= alg2_len) || - ( alg2 == PSA_ALG_FULL_LENGTH_MAC( alg1 ) ) ) ) - { - return( alg2 ); - } - if( PSA_ALG_IS_WILDCARD( alg2 ) && - ( (alg2_len <= alg1_len) || - ( alg1 == PSA_ALG_FULL_LENGTH_MAC( alg2 ) ) ) ) - { - return( alg1 ); - } + /* If both are wildcards, return most restricitve wildcard */ + if( ( ( alg1 & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) != 0 ) && + ( ( alg2 & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) != 0 ) ) + { + return( PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG( alg1, max_len ) ); + } + /* If only one is a wildcard, return specific algorithm if compatible. + * Special case: specific MAC algorithm with '0' as length means full- + * length MAC, which is always allowed by a wildcard with the same + * base algorithm. */ + if( ( ( alg1 & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) != 0 ) && + ( ( alg1_len <= alg2_len ) || + ( alg2 == PSA_ALG_FULL_LENGTH_MAC( alg1 ) ) ) ) + { + return( alg2 ); + } + if( ( ( alg2 & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) != 0 ) && + ( ( alg2_len <= alg1_len ) || + ( alg1 == PSA_ALG_FULL_LENGTH_MAC( alg2 ) ) ) ) + { + return( alg1 ); } } /* If the policies are incompatible, allow nothing. */ @@ -750,45 +750,43 @@ static int psa_key_algorithm_permits( psa_algorithm_t policy_alg, /* Common case: the policy only allows requested_alg. */ if( requested_alg == policy_alg ) return( 1 ); - /* Special cases: the policy is an algorithm collection. */ - if( PSA_ALG_IS_WILDCARD( policy_alg ) ) + /* If policy_alg is a hash-and-sign with a wildcard for the hash, + * and requested_alg is the same hash-and-sign family with any hash, + * then requested_alg is compliant with policy_alg. */ + if( PSA_ALG_IS_HASH_AND_SIGN( requested_alg ) && + PSA_ALG_SIGN_GET_HASH( policy_alg ) == PSA_ALG_ANY_HASH ) { - /* If policy_alg is a hash-and-sign with a wildcard for the hash, - * and requested_alg is the same hash-and-sign family with any hash, - * then requested_alg is compliant with policy_alg. */ - if( PSA_ALG_IS_HASH_AND_SIGN( requested_alg ) && - PSA_ALG_SIGN_GET_HASH( policy_alg ) == PSA_ALG_ANY_HASH ) - { - return( ( policy_alg & ~PSA_ALG_HASH_MASK ) == - ( requested_alg & ~PSA_ALG_HASH_MASK ) ); - } - /* If policy_alg is a wildcard AEAD algorithm of the same base as - * the requested algorithm, check the requested tag length to be - * equal-length or longer than the wildcard-specified length. */ - if( PSA_ALG_IS_AEAD( policy_alg ) && - PSA_ALG_IS_AEAD( requested_alg ) && - ( PSA_ALG_AEAD_WITH_SHORTENED_TAG( policy_alg, 0 ) == - PSA_ALG_AEAD_WITH_SHORTENED_TAG( requested_alg, 0 ) ) ) - { - return( PSA_ALG_AEAD_GET_TAG_LENGTH( policy_alg ) <= - PSA_ALG_AEAD_GET_TAG_LENGTH( requested_alg ) ); - } - /* If policy_alg is a wildcard MAC algorithm of the same base as - * the requested algorithm, check the requested tag length to be - * equal-length or longer than the wildcard-specified length. */ - if( PSA_ALG_IS_MAC( policy_alg ) && - PSA_ALG_IS_MAC( requested_alg ) && - ( PSA_ALG_FULL_LENGTH_MAC( policy_alg ) == - PSA_ALG_FULL_LENGTH_MAC( requested_alg ) ) ) - { - /* Special case: full-length MAC is encoded with 0-length. - * A minimum-length policy will always allow a full-length MAC. */ - if( PSA_ALG_FULL_LENGTH_MAC( requested_alg ) == requested_alg ) - return( 1 ); + return( ( policy_alg & ~PSA_ALG_HASH_MASK ) == + ( requested_alg & ~PSA_ALG_HASH_MASK ) ); + } + /* If policy_alg is a wildcard AEAD algorithm of the same base as + * the requested algorithm, check the requested tag length to be + * equal-length or longer than the wildcard-specified length. */ + if( PSA_ALG_IS_AEAD( policy_alg ) && + PSA_ALG_IS_AEAD( requested_alg ) && + ( PSA_ALG_AEAD_WITH_SHORTENED_TAG( policy_alg, 0 ) == + PSA_ALG_AEAD_WITH_SHORTENED_TAG( requested_alg, 0 ) ) && + ( ( policy_alg & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) != 0 ) ) + { + return( PSA_ALG_AEAD_GET_TAG_LENGTH( policy_alg ) <= + PSA_ALG_AEAD_GET_TAG_LENGTH( requested_alg ) ); + } + /* If policy_alg is a wildcard MAC algorithm of the same base as + * the requested algorithm, check the requested tag length to be + * equal-length or longer than the wildcard-specified length. */ + if( PSA_ALG_IS_MAC( policy_alg ) && + PSA_ALG_IS_MAC( requested_alg ) && + ( PSA_ALG_FULL_LENGTH_MAC( policy_alg ) == + PSA_ALG_FULL_LENGTH_MAC( requested_alg ) ) && + ( ( policy_alg & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) != 0 ) ) + { + /* Special case: full-length MAC is encoded with 0-length. + * A minimum-length policy will always allow a full-length MAC. */ + if( PSA_ALG_FULL_LENGTH_MAC( requested_alg ) == requested_alg ) + return( 1 ); - return( PSA_MAC_TRUNCATED_LENGTH( policy_alg ) <= - PSA_MAC_TRUNCATED_LENGTH( requested_alg ) ); - } + return( PSA_MAC_TRUNCATED_LENGTH( policy_alg ) <= + PSA_MAC_TRUNCATED_LENGTH( requested_alg ) ); } /* If policy_alg is a generic key agreement operation, then using it for * a key derivation with that key agreement should also be allowed. This From 37389c768d760c895e7137d7099e1ae8ed3fbf02 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Thu, 18 Feb 2021 12:08:41 +0100 Subject: [PATCH 04/31] Update validity domain of min_tag_length / min_mac_length Review indicated explicit validity domain should be [1, max_alg_length] Signed-off-by: Steven Cooreman # Conflicts: # include/psa/crypto_values.h --- include/psa/crypto_values.h | 65 ++++++++++++++++++++----------------- 1 file changed, 36 insertions(+), 29 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index e804dc4be..f3792c86e 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -941,28 +941,30 @@ /** Macro to build a MAC minimum-MAC-length wildcard algorithm. * - * A mininimum-MAC-length MAC wildcard algorithm contains all MAC algorithms + * A mininimum-MAC-length MAC wildcard algorithm permits all MAC algorithms * sharing the same base algorithm, and where the (potentially truncated) MAC * length of the specific algorithm is equal to or larger then the wildcard * algorithm's minimum MAC length. * - * \param mac_alg A MAC algorithm identifier (value of type - * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg) - * is true). - * \param mac_length Desired minimum length of the message authentication - * code in bytes. This must be at most the full length of - * the MAC and must be at least an implementation-specified - * minimum. The implementation-specified minimum - * shall not be zero. + * \note When setting the minimum required MAC length to less than the + * smallest MAC length allowed by the base algorithm, this effectively + * becomes an 'any-MAC-length-allowed' policy for that base algorithm. * - * \return The corresponding MAC wildcard algorithm with the - * specified minimum length. - * \return Unspecified if \p mac_alg is not a supported MAC - * algorithm or if \p mac_length is too small or too large - * for the specified MAC algorithm. + * \param mac_alg A MAC algorithm identifier (value of type + * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg) + * is true). + * \param min_mac_length Desired minimum length of the message authentication + * code in bytes. This must be at most the untruncated + * length of the MAC and must be at least 1. + * + * \return The corresponding MAC wildcard algorithm with the + * specified minimum length. + * \return Unspecified if \p mac_alg is not a supported MAC + * algorithm or if \p min_mac_length is less than 1 or + * too large for the specified MAC algorithm. */ -#define PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(mac_alg, mac_length) \ - ( PSA_ALG_TRUNCATED_MAC(mac_alg, mac_length) | PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) +#define PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(mac_alg, min_mac_length) \ + ( PSA_ALG_TRUNCATED_MAC(mac_alg, min_mac_length) | PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) #define PSA_ALG_CIPHER_MAC_BASE ((psa_algorithm_t)0x03c00000) /** The CBC-MAC construction over a block cipher @@ -1190,25 +1192,30 @@ /** Macro to build an AEAD minimum-tag-length wildcard algorithm. * - * A mininimum-tag-length AEAD wildcard algorithm contains all AEAD algorithms + * A mininimum-tag-length AEAD wildcard algorithm permits all AEAD algorithms * sharing the same base algorithm, and where the tag length of the specific * algorithm is equal to or larger then the minimum tag length specified by the * wildcard algorithm. * - * \param aead_alg An AEAD algorithm identifier (value of type - * #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p aead_alg) - * is true). - * \param tag_length Desired minimum length of the authentication tag in - * bytes. + * \note When setting the minimum required tag length to less than the + * smallest tag length allowed by the base algorithm, this effectively + * becomes an 'any-tag-length-allowed' policy for that base algorithm. * - * \return The corresponding AEAD wildcard algorithm with the - * specified minimum length. - * \return Unspecified if \p aead_alg is not a supported - * AEAD algorithm or if \p tag_length is not valid - * for the specified AEAD algorithm. + * \param aead_alg An AEAD algorithm identifier (value of type + * #psa_algorithm_t such that + * #PSA_ALG_IS_AEAD(\p aead_alg) is true). + * \param min_tag_length Desired minimum length of the authentication tag in + * bytes. This must be at least 1 and at most the largest + * allowed tag length of the algorithm. + * + * \return The corresponding AEAD wildcard algorithm with the + * specified minimum length. + * \return Unspecified if \p aead_alg is not a supported + * AEAD algorithm or if \p min_tag_length is less than 1 + * or too large for the specified AEAD algorithm. */ -#define PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(aead_alg, tag_length) \ - ( PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, tag_length) | PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) +#define PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(aead_alg, min_tag_length) \ + ( PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, min_tag_length) | PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) #define PSA_ALG_RSA_PKCS1V15_SIGN_BASE ((psa_algorithm_t)0x06000200) /** RSA PKCS#1 v1.5 signature with hashing. From caad49316b9b1a2b1f3fa779dd0277a3c925fc13 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Thu, 18 Feb 2021 11:28:17 +0100 Subject: [PATCH 05/31] rename MAC_WITH_MINIMUM_LENGTH_TAG to AT_LEAST_THIS_LENGTH_MAC Signed-off-by: Steven Cooreman --- .../psa-crypto-new-wildcard-policies.txt | 7 +++-- include/psa/crypto.h | 2 +- include/psa/crypto_values.h | 2 +- library/psa_crypto.c | 2 +- tests/suites/test_suite_psa_crypto.data | 28 +++++++++---------- 5 files changed, 21 insertions(+), 20 deletions(-) diff --git a/ChangeLog.d/psa-crypto-new-wildcard-policies.txt b/ChangeLog.d/psa-crypto-new-wildcard-policies.txt index f6aced99a..9530b4c94 100644 --- a/ChangeLog.d/psa-crypto-new-wildcard-policies.txt +++ b/ChangeLog.d/psa-crypto-new-wildcard-policies.txt @@ -1,7 +1,8 @@ Features * Added PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG and - PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG as wildcard algorithms in PSA Crypto. + PSA_ALG_AT_LEAST_THIS_LENGTH_MAC as wildcard algorithms in PSA Crypto. These algorithm values describe that a key is allowed to be used with any algorithm that matches the specified base algorithm (e.g PSA_ALG_CCM for - AEAD or PSA_ALG_CMAC for MAC) and has a tag/MAC length which is at least as - long as the one encoded in the MINIMUM_TAG_LENGTH wildcard algorithm. + AEAD or PSA_ALG_CMAC for MAC) and has a tag/MAC length which is at least + as long as the one encoded in the AT_LEAST_THIS_LENGTH_MAC/TAG wildcard + algorithm. diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 4aad09452..b28ec4974 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -264,7 +264,7 @@ static psa_key_usage_t psa_get_key_usage_flags( * - An algorithm value permits this particular algorithm. * - An algorithm wildcard built from #PSA_ALG_ANY_HASH allows the specified * signature scheme with any hash algorithm. - * - An algorithm built from #PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG allows + * - An algorithm built from #PSA_ALG_AT_LEAST_THIS_LENGTH_MAC allows * any MAC algorithm from the same base class (e.g. CMAC) which * generates/verifies a MAC length greater than or equal to the length * encoded in the wildcard algorithm. diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index f3792c86e..974a4db0a 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -963,7 +963,7 @@ * algorithm or if \p min_mac_length is less than 1 or * too large for the specified MAC algorithm. */ -#define PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(mac_alg, min_mac_length) \ +#define PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(mac_alg, min_mac_length) \ ( PSA_ALG_TRUNCATED_MAC(mac_alg, min_mac_length) | PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) #define PSA_ALG_CIPHER_MAC_BASE ((psa_algorithm_t)0x03c00000) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 540d6594f..853dcb118 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -718,7 +718,7 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( if( ( ( alg1 & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) != 0 ) && ( ( alg2 & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) != 0 ) ) { - return( PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG( alg1, max_len ) ); + return( PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg1, max_len ) ); } /* If only one is a wildcard, return specific algorithm if compatible. * Special case: specific MAC algorithm with '0' as length means full- diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index cd68ae1f1..3749885da 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -406,23 +406,23 @@ mac_key_policy:0:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaa PSA key policy: MAC, sign-verify, tag length > min-length policy depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC -mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 30):PSA_SUCCESS +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 30):PSA_SUCCESS PSA key policy: MAC, sign-verify, tag length = min-length policy depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC -mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_SUCCESS +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_SUCCESS PSA key policy: MAC, sign-verify, tag length < min-length policy depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC -mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 10):PSA_ERROR_NOT_PERMITTED +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 10):PSA_ERROR_NOT_PERMITTED PSA key policy: MAC, sign-verify, min-length policy, unmatched base alg depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC:MBEDTLS_CMAC_C -mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_CMAC, 20):PSA_ERROR_NOT_PERMITTED +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_CMAC, 20):PSA_ERROR_NOT_PERMITTED PSA key policy: MAC, sign-verify, min-length policy used as algorithm depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC -mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_ERROR_NOT_PERMITTED +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_ERROR_NOT_PERMITTED PSA key policy: MAC, sign-verify, tag length > exact-length policy depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC @@ -764,39 +764,39 @@ copy_fail:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:0:PSA_KEY_TYPE_A Copy key: source=MAC min-length, target=MAC length > min-length depends_on:MBEDTLS_SHA256_C -copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0 +copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0 Copy key: source=MAC min-length, target=MAC length = min-length depends_on:MBEDTLS_SHA256_C -copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 +copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 Copy fail: source=MAC min-length, target=MAC length < min-length depends_on:MBEDTLS_SHA256_C -copy_fail:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_HMAC:256:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 16):0:PSA_ERROR_INVALID_ARGUMENT +copy_fail:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_HMAC:256:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 16):0:PSA_ERROR_INVALID_ARGUMENT Copy key: source=MAC min-length, target=MAC min-length, src > tgt depends_on:MBEDTLS_SHA256_C -copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0 +copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0 Copy key: source=MAC min-length, target=MAC min-length, src = tgt depends_on:MBEDTLS_SHA256_C -copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 +copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 Copy key: source=MAC min-length, target=MAC min-length, src < tgt depends_on:MBEDTLS_SHA256_C -copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0 +copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0 Copy fail: source=MAC, target=MAC min-length > length depends_on:MBEDTLS_SHA256_C -copy_fail:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_HMAC:256:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_ERROR_INVALID_ARGUMENT +copy_fail:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_HMAC:256:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_ERROR_INVALID_ARGUMENT Copy key: source=MAC, target=MAC min-length = length depends_on:MBEDTLS_SHA256_C -copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 +copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 Copy key: source=MAC, target=MAC min-length < length depends_on:MBEDTLS_SHA256_C -copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_MAC_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_HMAC(PSA_ALG_SHA_256), 16):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 +copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 16):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 Copy key: source=AEAD min-length, target=AEAD length > min-length depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C From 5d81481a1cf12c95059c758f1874734436e77d9e Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Thu, 18 Feb 2021 12:11:39 +0100 Subject: [PATCH 06/31] Rename AEAD WITH_MINIMUM_LENGTH to AT_LEAST_THIS_LENGTH Signed-off-by: Steven Cooreman # Conflicts: # include/psa/crypto_values.h # tests/suites/test_suite_psa_crypto.data --- .../psa-crypto-new-wildcard-policies.txt | 2 +- include/psa/crypto.h | 4 +-- include/psa/crypto_values.h | 2 +- library/psa_crypto.c | 2 +- tests/suites/test_suite_psa_crypto.data | 28 +++++++++---------- 5 files changed, 19 insertions(+), 19 deletions(-) diff --git a/ChangeLog.d/psa-crypto-new-wildcard-policies.txt b/ChangeLog.d/psa-crypto-new-wildcard-policies.txt index 9530b4c94..d27f48096 100644 --- a/ChangeLog.d/psa-crypto-new-wildcard-policies.txt +++ b/ChangeLog.d/psa-crypto-new-wildcard-policies.txt @@ -1,5 +1,5 @@ Features - * Added PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG and + * Added PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG and PSA_ALG_AT_LEAST_THIS_LENGTH_MAC as wildcard algorithms in PSA Crypto. These algorithm values describe that a key is allowed to be used with any algorithm that matches the specified base algorithm (e.g PSA_ALG_CCM for diff --git a/include/psa/crypto.h b/include/psa/crypto.h index b28ec4974..78c6e3d1e 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -268,8 +268,8 @@ static psa_key_usage_t psa_get_key_usage_flags( * any MAC algorithm from the same base class (e.g. CMAC) which * generates/verifies a MAC length greater than or equal to the length * encoded in the wildcard algorithm. - * - An algorithm built from #PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG allows - * any AEAD algorithm from the same base class (e.g. CCM) which + * - An algorithm built from #PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG + * allows any AEAD algorithm from the same base class (e.g. CCM) which * generates/verifies a tag length greater than or equal to the length * encoded in the wildcard algorithm. * diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 974a4db0a..18ef3d7b1 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1214,7 +1214,7 @@ * AEAD algorithm or if \p min_tag_length is less than 1 * or too large for the specified AEAD algorithm. */ -#define PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(aead_alg, min_tag_length) \ +#define PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(aead_alg, min_tag_length) \ ( PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, min_tag_length) | PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) #define PSA_ALG_RSA_PKCS1V15_SIGN_BASE ((psa_algorithm_t)0x06000200) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 853dcb118..e04b43b98 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -689,7 +689,7 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( if( ( ( alg1 & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) != 0 ) && ( ( alg2 & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) != 0 ) ) { - return( PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG( alg1, max_len ) ); + return( PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( alg1, max_len ) ); } /* If only one is a wildcard, return specific algorithm if compatible. */ if( ( ( alg1 & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) != 0 ) && diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 3749885da..19c593849 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -486,23 +486,23 @@ aead_key_policy:0:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa PSA key policy: AEAD, tag length > min-length policy depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:8:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):PSA_SUCCESS +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:8:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):PSA_SUCCESS PSA key policy: AEAD, tag length = min-length policy depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):PSA_SUCCESS +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):PSA_SUCCESS PSA key policy: AEAD, tag length < min-length policy depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):PSA_ERROR_NOT_PERMITTED +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):PSA_ERROR_NOT_PERMITTED PSA key policy: AEAD, min-length policy, unmatched base alg depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_GCM_C -aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 4):PSA_ERROR_NOT_PERMITTED +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 4):PSA_ERROR_NOT_PERMITTED PSA key policy: AEAD, min-length policy used as algorithm depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:8:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):PSA_ERROR_NOT_PERMITTED +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:8:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):PSA_ERROR_NOT_PERMITTED PSA key policy: AEAD, tag length > exact-length policy depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C @@ -800,39 +800,39 @@ copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE Copy key: source=AEAD min-length, target=AEAD length > min-length depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):0 +copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):0 Copy key: source=AEAD min-length, target=AEAD length = min-length depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):0 +copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):0 Copy fail: source=AEAD min-length, target=AEAD length < min-length depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -copy_fail:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):0:PSA_ERROR_INVALID_ARGUMENT +copy_fail:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):0:PSA_ERROR_INVALID_ARGUMENT Copy key: source=AEAD min-length, target=AEAD min-length, src > tgt depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0 +copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):0 Copy key: source=AEAD min-length, target=AEAD min-length, src = tgt depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0 +copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):0 Copy key: source=AEAD min-length, target=AEAD min-length, src < tgt depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0 +copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):0 Copy fail: source=AEAD, target=AEAD min-length > length depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -copy_fail:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_ERROR_INVALID_ARGUMENT +copy_fail:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_ERROR_INVALID_ARGUMENT Copy key: source=AEAD, target=AEAD min-length = length depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):0 +copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):0 Copy key: source=AEAD, target=AEAD min-length < length depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 12):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_MINIMUM_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 12):0 +copy_success:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 12):0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):0:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 12):0 Copy fail: RSA, incompatible target policy (source wildcard) depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C From aaec341c9b5268a5f078f81dee27596c113e5d9a Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Thu, 18 Feb 2021 13:30:34 +0100 Subject: [PATCH 07/31] Exercise CCM with the right amount of IV bytes in test Signed-off-by: Steven Cooreman --- tests/src/psa_exercise_key.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c index 9f80d7b65..869da7df6 100644 --- a/tests/src/psa_exercise_key.c +++ b/tests/src/psa_exercise_key.c @@ -243,6 +243,13 @@ static int exercise_aead_key( mbedtls_svc_key_id_t key, nonce_length = 12; } + /* IV length for CCM needs to be between 7 and 13 bytes */ + if( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) == + PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ) ) + { + nonce_length = 12; + } + if( usage & PSA_KEY_USAGE_ENCRYPT ) { PSA_ASSERT( psa_aead_encrypt( key, alg, From 7de9e2db1fb4868a79444715bca72d228b7e5c9e Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Mon, 22 Feb 2021 17:05:56 +0100 Subject: [PATCH 08/31] Language / verbiage fixes Signed-off-by: Steven Cooreman --- ChangeLog.d/psa-crypto-new-wildcard-policies.txt | 11 ++++------- library/psa_crypto.c | 4 ++-- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/ChangeLog.d/psa-crypto-new-wildcard-policies.txt b/ChangeLog.d/psa-crypto-new-wildcard-policies.txt index d27f48096..56fbbc9b5 100644 --- a/ChangeLog.d/psa-crypto-new-wildcard-policies.txt +++ b/ChangeLog.d/psa-crypto-new-wildcard-policies.txt @@ -1,8 +1,5 @@ Features - * Added PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG and - PSA_ALG_AT_LEAST_THIS_LENGTH_MAC as wildcard algorithms in PSA Crypto. - These algorithm values describe that a key is allowed to be used with any - algorithm that matches the specified base algorithm (e.g PSA_ALG_CCM for - AEAD or PSA_ALG_CMAC for MAC) and has a tag/MAC length which is at least - as long as the one encoded in the AT_LEAST_THIS_LENGTH_MAC/TAG wildcard - algorithm. + * In the PSA API, the policy for a MAC or AEAD algorithm can specify a + minimum MAC or tag length thanks to the new wildcards + PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and + PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG. diff --git a/library/psa_crypto.c b/library/psa_crypto.c index e04b43b98..0375cca12 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -675,7 +675,7 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( return( alg1 ); } /* If the policies are from the same AEAD family, check whether - * one f them is a minimum-tag-length wildcard. Calculate the most + * one of them is a minimum-tag-length wildcard. Calculate the most * restrictive tag length. */ if( PSA_ALG_IS_AEAD( alg1 ) && PSA_ALG_IS_AEAD( alg2 ) && ( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg1, 0 ) == @@ -685,7 +685,7 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( size_t alg2_len = PSA_ALG_AEAD_GET_TAG_LENGTH( alg2 ); size_t max_len = alg1_len > alg2_len ? alg1_len : alg2_len; - /* If both are wildcards, return most restricitve wildcard */ + /* If both are wildcards, return most restrictive wildcard */ if( ( ( alg1 & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) != 0 ) && ( ( alg2 & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) != 0 ) ) { From 4400c3a44a1eaef53cb863cdc1800f502cf4b432 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Mon, 22 Feb 2021 18:53:07 +0100 Subject: [PATCH 09/31] Add _AT_LEAST_THIS_LENGTH_ macros to PSA constants test Signed-off-by: Steven Cooreman --- programs/psa/psa_constant_names_generated.c | 35 +++++++++++++++------ scripts/generate_psa_constants.py | 35 +++++++++++++++------ tests/scripts/test_psa_constant_names.py | 4 ++- 3 files changed, 55 insertions(+), 19 deletions(-) diff --git a/programs/psa/psa_constant_names_generated.c b/programs/psa/psa_constant_names_generated.c index 6b0c0b27a..b12ef0ae3 100644 --- a/programs/psa/psa_constant_names_generated.c +++ b/programs/psa/psa_constant_names_generated.c @@ -150,20 +150,37 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size, unsigned long length_modifier = NO_LENGTH_MODIFIER; if (PSA_ALG_IS_MAC(alg)) { core_alg = PSA_ALG_TRUNCATED_MAC(alg, 0); - if (core_alg != alg) { + if (alg & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG) { append(&buffer, buffer_size, &required_size, - "PSA_ALG_TRUNCATED_MAC(", 22); + "PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(", 33); length_modifier = PSA_MAC_TRUNCATED_LENGTH(alg); + } else { + if (core_alg != alg) { + append(&buffer, buffer_size, &required_size, + "PSA_ALG_TRUNCATED_MAC(", 22); + length_modifier = PSA_MAC_TRUNCATED_LENGTH(alg); + } } } else if (PSA_ALG_IS_AEAD(alg)) { core_alg = PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg); - if (core_alg == 0) { - /* For unknown AEAD algorithms, there is no "default tag length". */ - core_alg = alg; - } else if (core_alg != alg) { - append(&buffer, buffer_size, &required_size, - "PSA_ALG_AEAD_WITH_SHORTENED_TAG(", 32); - length_modifier = PSA_AEAD_TAG_LENGTH(alg); + if (alg & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG) { + if (core_alg == 0) { + /* For unknown AEAD algorithms, there is no "default tag length". */ + core_alg = alg; + } else { + append(&buffer, buffer_size, &required_size, + "PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(", 43); + length_modifier = PSA_AEAD_TAG_LENGTH(alg); + } + } else { + if (core_alg == 0) { + /* For unknown AEAD algorithms, there is no "default tag length". */ + core_alg = alg; + } else if (core_alg != alg) { + append(&buffer, buffer_size, &required_size, + "PSA_ALG_AEAD_WITH_SHORTENED_TAG(", 32); + length_modifier = PSA_AEAD_TAG_LENGTH(alg); + } } } else if (PSA_ALG_IS_KEY_AGREEMENT(alg) && !PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) { diff --git a/scripts/generate_psa_constants.py b/scripts/generate_psa_constants.py index 01c5a32a1..ddcf6253a 100755 --- a/scripts/generate_psa_constants.py +++ b/scripts/generate_psa_constants.py @@ -100,20 +100,37 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size, unsigned long length_modifier = NO_LENGTH_MODIFIER; if (PSA_ALG_IS_MAC(alg)) { core_alg = PSA_ALG_TRUNCATED_MAC(alg, 0); - if (core_alg != alg) { + if (alg & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG) { append(&buffer, buffer_size, &required_size, - "PSA_ALG_TRUNCATED_MAC(", 22); + "PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(", 33); length_modifier = PSA_MAC_TRUNCATED_LENGTH(alg); + } else { + if (core_alg != alg) { + append(&buffer, buffer_size, &required_size, + "PSA_ALG_TRUNCATED_MAC(", 22); + length_modifier = PSA_MAC_TRUNCATED_LENGTH(alg); + } } } else if (PSA_ALG_IS_AEAD(alg)) { core_alg = PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg); - if (core_alg == 0) { - /* For unknown AEAD algorithms, there is no "default tag length". */ - core_alg = alg; - } else if (core_alg != alg) { - append(&buffer, buffer_size, &required_size, - "PSA_ALG_AEAD_WITH_SHORTENED_TAG(", 32); - length_modifier = PSA_AEAD_TAG_LENGTH(alg); + if (alg & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG) { + if (core_alg == 0) { + /* For unknown AEAD algorithms, there is no "default tag length". */ + core_alg = alg; + } else { + append(&buffer, buffer_size, &required_size, + "PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(", 43); + length_modifier = PSA_AEAD_TAG_LENGTH(alg); + } + } else { + if (core_alg == 0) { + /* For unknown AEAD algorithms, there is no "default tag length". */ + core_alg = alg; + } else if (core_alg != alg) { + append(&buffer, buffer_size, &required_size, + "PSA_ALG_AEAD_WITH_SHORTENED_TAG(", 32); + length_modifier = PSA_AEAD_TAG_LENGTH(alg); + } } } else if (PSA_ALG_IS_KEY_AGREEMENT(alg) && !PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) { diff --git a/tests/scripts/test_psa_constant_names.py b/tests/scripts/test_psa_constant_names.py index 537f9e94e..9e8d7f8f4 100755 --- a/tests/scripts/test_psa_constant_names.py +++ b/tests/scripts/test_psa_constant_names.py @@ -101,7 +101,7 @@ class Inputs: # PSA_ALG_IS_xxx macros, but are also not currently assigned and are # not likely to be assigned in the near future. self.hash_algorithms = set(['0x020000fe']) # 0x020000ff is PSA_ALG_ANY_HASH - self.mac_algorithms = set(['0x0300ffff']) + self.mac_algorithms = set(['0x03007fff']) self.ka_algorithms = set(['0x09fc0000']) self.kdf_algorithms = set(['0x080000ff']) # For AEAD algorithms, the only variability is over the tag length, @@ -146,6 +146,8 @@ class Inputs: self.arguments_for = { 'mac_length': ['1', '63'], 'tag_length': ['1', '63'], + 'min_mac_length': ['1', '63'], + 'min_tag_length': ['1', '63'], } def get_names(self, type_word): From d927ed790169f1e378f3331cc140d2b610e091e5 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Mon, 22 Feb 2021 19:59:35 +0100 Subject: [PATCH 10/31] Rename _MINIMUM_LENGTH flags to _AT_LEAST_THIS_LENGTH Signed-off-by: Steven Cooreman --- include/psa/crypto_values.h | 52 ++++++++++----------- library/psa_crypto.c | 20 ++++---- programs/psa/psa_constant_names_generated.c | 4 +- scripts/generate_psa_constants.py | 4 +- 4 files changed, 40 insertions(+), 40 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 18ef3d7b1..7d16523a9 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -866,6 +866,13 @@ #define PSA_ALG_MAC_TRUNCATION_MASK ((psa_algorithm_t)0x003f0000) #define PSA_MAC_TRUNCATION_OFFSET 16 +/* In the encoding of a MAC algorithm, the bit corresponding to + * #PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG encodes the fact that the algorithm + * is a wildcard algorithm, which allows any algorithm corresponding to the + * same base class and having a (potentially truncated) MAC length greater or + * equal than the one encoded in #PSA_ALG_MAC_TRUNCATION_MASK. */ +#define PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ((psa_algorithm_t)0x00008000) + /** Macro to build a truncated MAC algorithm. * * A truncated MAC algorithm is identical to the corresponding MAC @@ -900,7 +907,7 @@ * too large for the specified MAC algorithm. */ #define PSA_ALG_TRUNCATED_MAC(mac_alg, mac_length) \ - (((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | PSA_ALG_MAC_MINIMUM_LENGTH_FLAG)) | \ + (((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG)) | \ ((mac_length) << PSA_MAC_TRUNCATION_OFFSET & PSA_ALG_MAC_TRUNCATION_MASK)) /** Macro to build the base MAC algorithm corresponding to a truncated @@ -916,7 +923,7 @@ * MAC algorithm. */ #define PSA_ALG_FULL_LENGTH_MAC(mac_alg) \ - ((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | PSA_ALG_MAC_MINIMUM_LENGTH_FLAG)) + ((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG)) /** Length to which a MAC algorithm is truncated. * @@ -932,13 +939,6 @@ #define PSA_MAC_TRUNCATED_LENGTH(mac_alg) \ (((mac_alg) & PSA_ALG_MAC_TRUNCATION_MASK) >> PSA_MAC_TRUNCATION_OFFSET) -/* In the encoding of a MAC algorithm, the bit corresponding to - * #PSA_ALG_MAC_MINIMUM_LENGTH_FLAG encodes the fact that the algorithm is - * a wildcard algorithm, which allows any algorithm corresponding to the same - * base class and having a (potentially truncated) MAC length greater or equal - * than the one encoded in #PSA_ALG_MAC_TRUNCATION_MASK. */ -#define PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ((psa_algorithm_t)0x00008000) - /** Macro to build a MAC minimum-MAC-length wildcard algorithm. * * A mininimum-MAC-length MAC wildcard algorithm permits all MAC algorithms @@ -964,7 +964,7 @@ * too large for the specified MAC algorithm. */ #define PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(mac_alg, min_mac_length) \ - ( PSA_ALG_TRUNCATED_MAC(mac_alg, min_mac_length) | PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) + ( PSA_ALG_TRUNCATED_MAC(mac_alg, min_mac_length) | PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) #define PSA_ALG_CIPHER_MAC_BASE ((psa_algorithm_t)0x03c00000) /** The CBC-MAC construction over a block cipher @@ -1126,6 +1126,13 @@ #define PSA_ALG_AEAD_TAG_LENGTH_MASK ((psa_algorithm_t)0x003f0000) #define PSA_AEAD_TAG_LENGTH_OFFSET 16 +/* In the encoding of an AEAD algorithm, the bit corresponding to + * #PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG encodes the fact that the algorithm + * is a wildcard algorithm, which allows any algorithm corresponding to the + * same base class and having a tag length greater than or equal to the one + * encoded in #PSA_ALG_AEAD_TAG_LENGTH_MASK. */ +#define PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ((psa_algorithm_t)0x00008000) + /** Macro to build a shortened AEAD algorithm. * * A shortened AEAD algorithm is similar to the corresponding AEAD @@ -1145,7 +1152,7 @@ * for the specified AEAD algorithm. */ #define PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, tag_length) \ - (((aead_alg) & ~(PSA_ALG_AEAD_TAG_LENGTH_MASK | PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG)) | \ + (((aead_alg) & ~(PSA_ALG_AEAD_TAG_LENGTH_MASK | PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG)) | \ ((tag_length) << PSA_AEAD_TAG_LENGTH_OFFSET & \ PSA_ALG_AEAD_TAG_LENGTH_MASK)) @@ -1183,13 +1190,6 @@ PSA_ALG_AEAD_WITH_SHORTENED_TAG(ref, 0) ? \ ref : -/* In the encoding of an AEAD algorithm, the bit corresponding to - * #PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG encodes the fact that the algorithm is - * a wildcard algorithm, which allows any algorithm corresponding to the same - * base class and having a tag length greater than or equal to the one encoded - * in #PSA_ALG_AEAD_TAG_LENGTH_MASK. */ -#define PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ((psa_algorithm_t)0x00008000) - /** Macro to build an AEAD minimum-tag-length wildcard algorithm. * * A mininimum-tag-length AEAD wildcard algorithm permits all AEAD algorithms @@ -1215,7 +1215,7 @@ * or too large for the specified AEAD algorithm. */ #define PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(aead_alg, min_tag_length) \ - ( PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, min_tag_length) | PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) + ( PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, min_tag_length) | PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ) #define PSA_ALG_RSA_PKCS1V15_SIGN_BASE ((psa_algorithm_t)0x06000200) /** RSA PKCS#1 v1.5 signature with hashing. @@ -1663,13 +1663,13 @@ * \return This macro may return either 0 or 1 if \c alg is not a supported * algorithm identifier. */ -#define PSA_ALG_IS_WILDCARD(alg) \ - (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \ - PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH : \ - PSA_ALG_IS_MAC(alg) ? \ - (alg & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG) != 0 : \ - PSA_ALG_IS_AEAD(alg) ? \ - (alg & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG) != 0 : \ +#define PSA_ALG_IS_WILDCARD(alg) \ + (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \ + PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH : \ + PSA_ALG_IS_MAC(alg) ? \ + (alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0 : \ + PSA_ALG_IS_AEAD(alg) ? \ + (alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0 : \ (alg) == PSA_ALG_ANY_HASH) /**@}*/ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 0375cca12..ffb6ef4b6 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -686,18 +686,18 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( size_t max_len = alg1_len > alg2_len ? alg1_len : alg2_len; /* If both are wildcards, return most restrictive wildcard */ - if( ( ( alg1 & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) != 0 ) && - ( ( alg2 & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) != 0 ) ) + if( ( ( alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) && + ( ( alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) ) { return( PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( alg1, max_len ) ); } /* If only one is a wildcard, return specific algorithm if compatible. */ - if( ( ( alg1 & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) != 0 ) && + if( ( ( alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) && ( alg1_len <= alg2_len ) ) { return( alg2 ); } - if( ( ( alg2 & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) != 0 ) && + if( ( ( alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) && ( alg2_len <= alg1_len ) ) { return( alg1 ); @@ -715,8 +715,8 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( size_t max_len = alg1_len > alg2_len ? alg1_len : alg2_len; /* If both are wildcards, return most restricitve wildcard */ - if( ( ( alg1 & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) != 0 ) && - ( ( alg2 & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) != 0 ) ) + if( ( ( alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) && + ( ( alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) ) { return( PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg1, max_len ) ); } @@ -724,13 +724,13 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( * Special case: specific MAC algorithm with '0' as length means full- * length MAC, which is always allowed by a wildcard with the same * base algorithm. */ - if( ( ( alg1 & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) != 0 ) && + if( ( ( alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) && ( ( alg1_len <= alg2_len ) || ( alg2 == PSA_ALG_FULL_LENGTH_MAC( alg1 ) ) ) ) { return( alg2 ); } - if( ( ( alg2 & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) != 0 ) && + if( ( ( alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) && ( ( alg2_len <= alg1_len ) || ( alg1 == PSA_ALG_FULL_LENGTH_MAC( alg2 ) ) ) ) { @@ -766,7 +766,7 @@ static int psa_key_algorithm_permits( psa_algorithm_t policy_alg, PSA_ALG_IS_AEAD( requested_alg ) && ( PSA_ALG_AEAD_WITH_SHORTENED_TAG( policy_alg, 0 ) == PSA_ALG_AEAD_WITH_SHORTENED_TAG( requested_alg, 0 ) ) && - ( ( policy_alg & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG ) != 0 ) ) + ( ( policy_alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) ) { return( PSA_ALG_AEAD_GET_TAG_LENGTH( policy_alg ) <= PSA_ALG_AEAD_GET_TAG_LENGTH( requested_alg ) ); @@ -778,7 +778,7 @@ static int psa_key_algorithm_permits( psa_algorithm_t policy_alg, PSA_ALG_IS_MAC( requested_alg ) && ( PSA_ALG_FULL_LENGTH_MAC( policy_alg ) == PSA_ALG_FULL_LENGTH_MAC( requested_alg ) ) && - ( ( policy_alg & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG ) != 0 ) ) + ( ( policy_alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) ) { /* Special case: full-length MAC is encoded with 0-length. * A minimum-length policy will always allow a full-length MAC. */ diff --git a/programs/psa/psa_constant_names_generated.c b/programs/psa/psa_constant_names_generated.c index b12ef0ae3..b1a801f74 100644 --- a/programs/psa/psa_constant_names_generated.c +++ b/programs/psa/psa_constant_names_generated.c @@ -150,7 +150,7 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size, unsigned long length_modifier = NO_LENGTH_MODIFIER; if (PSA_ALG_IS_MAC(alg)) { core_alg = PSA_ALG_TRUNCATED_MAC(alg, 0); - if (alg & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG) { + if (alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) { append(&buffer, buffer_size, &required_size, "PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(", 33); length_modifier = PSA_MAC_TRUNCATED_LENGTH(alg); @@ -163,7 +163,7 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size, } } else if (PSA_ALG_IS_AEAD(alg)) { core_alg = PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg); - if (alg & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG) { + if (alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) { if (core_alg == 0) { /* For unknown AEAD algorithms, there is no "default tag length". */ core_alg = alg; diff --git a/scripts/generate_psa_constants.py b/scripts/generate_psa_constants.py index ddcf6253a..644fbad5d 100755 --- a/scripts/generate_psa_constants.py +++ b/scripts/generate_psa_constants.py @@ -100,7 +100,7 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size, unsigned long length_modifier = NO_LENGTH_MODIFIER; if (PSA_ALG_IS_MAC(alg)) { core_alg = PSA_ALG_TRUNCATED_MAC(alg, 0); - if (alg & PSA_ALG_MAC_MINIMUM_LENGTH_FLAG) { + if (alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) { append(&buffer, buffer_size, &required_size, "PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(", 33); length_modifier = PSA_MAC_TRUNCATED_LENGTH(alg); @@ -113,7 +113,7 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size, } } else if (PSA_ALG_IS_AEAD(alg)) { core_alg = PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg); - if (alg & PSA_ALG_AEAD_MINIMUM_LENGTH_FLAG) { + if (alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) { if (core_alg == 0) { /* For unknown AEAD algorithms, there is no "default tag length". */ core_alg = alg; From 2c2efa488bb823ffaa0e7847d838a5f26becfa11 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 23 Feb 2021 09:36:42 +0100 Subject: [PATCH 11/31] Fix dependency-setting script and test dependencies for new tests Signed-off-by: Steven Cooreman --- tests/scripts/set_psa_test_dependencies.py | 2 ++ tests/suites/test_suite_psa_crypto.data | 18 +++++++++--------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/tests/scripts/set_psa_test_dependencies.py b/tests/scripts/set_psa_test_dependencies.py index 7a84cf4d8..e37ce3db5 100755 --- a/tests/scripts/set_psa_test_dependencies.py +++ b/tests/scripts/set_psa_test_dependencies.py @@ -115,6 +115,8 @@ WITHOUT_SYSTEMATIC_DEPENDENCIES = frozenset([ 'PSA_KEY_TYPE_NONE', # not a real key type 'PSA_KEY_TYPE_DERIVE', # always supported, don't list it to reduce noise 'PSA_KEY_TYPE_RAW_DATA', # always supported, don't list it to reduce noise + 'PSA_ALG_AT_LEAST_THIS_LENGTH_MAC', #only a modifier + 'PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG', #only a modifier # Not implemented yet: cipher-related key types and algorithms. # Manually extracted from crypto_values.h. diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 19c593849..ed4336591 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -763,39 +763,39 @@ depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:MBEDTLS_CIPHER_MODE_CBC copy_fail:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:0:PSA_KEY_TYPE_AES:"404142434445464748494a4b4c4d4e4f":0:0:PSA_KEY_USAGE_EXPORT:PSA_ALG_CBC_NO_PADDING:0:PSA_ERROR_INVALID_ARGUMENT Copy key: source=MAC min-length, target=MAC length > min-length -depends_on:MBEDTLS_SHA256_C +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0 Copy key: source=MAC min-length, target=MAC length = min-length -depends_on:MBEDTLS_SHA256_C +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 Copy fail: source=MAC min-length, target=MAC length < min-length -depends_on:MBEDTLS_SHA256_C +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC copy_fail:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_HMAC:256:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 16):0:PSA_ERROR_INVALID_ARGUMENT Copy key: source=MAC min-length, target=MAC min-length, src > tgt -depends_on:MBEDTLS_SHA256_C +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0 Copy key: source=MAC min-length, target=MAC min-length, src = tgt -depends_on:MBEDTLS_SHA256_C +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 Copy key: source=MAC min-length, target=MAC min-length, src < tgt -depends_on:MBEDTLS_SHA256_C +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0 Copy fail: source=MAC, target=MAC min-length > length -depends_on:MBEDTLS_SHA256_C +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC copy_fail:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_HMAC:256:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 24):0:PSA_ERROR_INVALID_ARGUMENT Copy key: source=MAC, target=MAC min-length = length -depends_on:MBEDTLS_SHA256_C +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 Copy key: source=MAC, target=MAC min-length < length -depends_on:MBEDTLS_SHA256_C +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC copy_success:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 16):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_EXPORT:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):0 Copy key: source=AEAD min-length, target=AEAD length > min-length From a96e2410e7e5604a85bce6f548c0e66b55c88d67 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 23 Feb 2021 10:21:58 +0100 Subject: [PATCH 12/31] Test _AT_LEAST_THIS_LENGTH macros in the PSA Crypto metadata test suite Signed-off-by: Steven Cooreman --- .../test_suite_psa_crypto_metadata.function | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_metadata.function b/tests/suites/test_suite_psa_crypto_metadata.function index 4b55da1ed..9379c5ed2 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.function +++ b/tests/suites/test_suite_psa_crypto_metadata.function @@ -264,6 +264,24 @@ void mac_algorithm( int alg_arg, int classification_flags, TEST_EQUAL( PSA_ALG_TRUNCATED_MAC( truncated_alg, length ), PSA_ALG_TRUNCATED_MAC( alg, length ) ); } + + /* At-leat-this-length versions */ + for( n = 1; n <= length; n++ ) + { + psa_algorithm_t policy_alg = PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg, n ); + mac_algorithm_core( policy_alg, classification_flags | ALG_IS_WILDCARD, + key_type, key_bits, n ); + TEST_EQUAL( PSA_ALG_FULL_LENGTH_MAC( policy_alg ), alg ); + /* Check that calling PSA_ALG_TRUNCATED_MAC twice gives the length + * of the outer truncation (even if the outer length is smaller than + * the inner length). */ + TEST_EQUAL( PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( policy_alg, 1 ), + PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg, 1 ) ); + TEST_EQUAL( PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( policy_alg, length - 1 ), + PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg, length - 1) ); + TEST_EQUAL( PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( policy_alg, length ), + PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg, length ) ); + } } /* END_CASE */ @@ -339,6 +357,24 @@ void aead_algorithm( int alg_arg, int classification_flags, TEST_EQUAL( PSA_ALG_AEAD_WITH_SHORTENED_TAG( truncated_alg, tag_length ), PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, tag_length ) ); } + + /* At-leat-this-length versions */ + for( n = 1; n <= tag_length; n++ ) + { + psa_algorithm_t policy_alg = PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( alg, n ); + aead_algorithm_core( policy_alg, classification_flags | ALG_IS_WILDCARD, n ); + TEST_EQUAL( PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG( policy_alg ), + alg ); + /* Check that calling PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG twice gives + * the length of the outer truncation (even if the outer length is + * smaller than the inner length). */ + TEST_EQUAL( PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( policy_alg, 1 ), + PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( alg, 1 ) ); + TEST_EQUAL( PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( policy_alg, tag_length - 1 ), + PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( alg, tag_length - 1) ); + TEST_EQUAL( PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( policy_alg, tag_length ), + PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( alg, tag_length ) ); + } } /* END_CASE */ From ae3f13bf5ecd02955556a1450294613bd0102f8c Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 23 Feb 2021 12:19:42 +0100 Subject: [PATCH 13/31] Add more test cases and fix AT_LEAST_THIS_LENGTH against base algorithm Signed-off-by: Steven Cooreman --- library/psa_crypto.c | 23 ++++++++- tests/suites/test_suite_psa_crypto.data | 68 ++++++++++++++++++++++--- 2 files changed, 84 insertions(+), 7 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index ffb6ef4b6..32be756a2 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -2913,7 +2913,28 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation, if( truncated == 0 ) { - /* The "normal" case: untruncated algorithm. Nothing to do. */ + /* The "normal" case: untruncated algorithm. Re-validate the + * key policy with explicit MAC length set in the algorithm + * when the algorithm policy is at-least-this-length to catch + * a corner case due to the default MAC length being unknown + * at key loading time. */ + if( PSA_ALG_IS_MAC( slot->attr.policy.alg ) && + ( PSA_ALG_FULL_LENGTH_MAC( slot->attr.policy.alg ) == full_length_alg ) && + ( slot->attr.policy.alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) ) + { + /* validate policy length */ + if( PSA_MAC_TRUNCATED_LENGTH( slot->attr.policy.alg ) > operation->mac_size ) + status = PSA_ERROR_NOT_PERMITTED; + } + + if( PSA_ALG_IS_MAC( slot->attr.policy.alg2 ) && + ( PSA_ALG_FULL_LENGTH_MAC( slot->attr.policy.alg2 ) == full_length_alg ) && + ( slot->attr.policy.alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) ) + { + /* validate policy length */ + if( PSA_MAC_TRUNCATED_LENGTH( slot->attr.policy.alg2 ) > operation->mac_size ) + status = PSA_ERROR_NOT_PERMITTED; + } } else if( truncated < 4 ) { diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index ed4336591..c4c340f79 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -404,22 +404,54 @@ PSA key policy: MAC, neither sign nor verify depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC mac_key_policy:0:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_ERROR_NOT_PERMITTED -PSA key policy: MAC, sign-verify, tag length > min-length policy +PSA key policy: HMAC, sign-verify, tag length > min-length policy depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 30):PSA_SUCCESS -PSA key policy: MAC, sign-verify, tag length = min-length policy +PSA key policy: HMAC, sign-verify, tag length = min-length policy depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_SUCCESS -PSA key policy: MAC, sign-verify, tag length < min-length policy +PSA key policy: HMAC, sign-verify, tag length < min-length policy depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 10):PSA_ERROR_NOT_PERMITTED +PSA key policy: CMAC, sign-verify, tag length > min-length policy +depends_on:MBEDTLS_AES_C:MBEDTLS_CMAC_C +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_CMAC, 10):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_CMAC, 16):PSA_SUCCESS + +PSA key policy: CMAC, sign-verify, tag length = min-length policy +depends_on:MBEDTLS_AES_C:MBEDTLS_CMAC_C +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_CMAC, 10):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_CMAC, 10):PSA_SUCCESS + +PSA key policy: CMAC, sign-verify, tag length < min-length policy +depends_on:MBEDTLS_AES_C:MBEDTLS_CMAC_C +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_CMAC, 10):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_CMAC, 8):PSA_ERROR_NOT_PERMITTED + +PSA key policy: MAC, sign-verify, default tag length > min-length policy +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 31):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_SUCCESS + +PSA key policy: MAC, sign-verify, default tag length = min-length policy +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 32):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_SUCCESS + +PSA key policy: MAC, sign-verify, default tag length < min-length policy +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 33):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_ERROR_NOT_PERMITTED + PSA key policy: MAC, sign-verify, min-length policy, unmatched base alg depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC:MBEDTLS_CMAC_C mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_CMAC, 20):PSA_ERROR_NOT_PERMITTED +PSA key policy: MAC, sign-verify, min-length policy, unmatched base alg (different hash base) +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_224:PSA_WANT_KEY_TYPE_HMAC +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_224), 20):PSA_ERROR_NOT_PERMITTED + +PSA key policy: MAC, sign-verify, min-length policy, unmatched base alg (different algorithm) +depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC:MBEDTLS_CMAC_C +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 10):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_CMAC:PSA_ERROR_NOT_PERMITTED + PSA key policy: MAC, sign-verify, min-length policy used as algorithm depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_ERROR_NOT_PERMITTED @@ -484,18 +516,42 @@ PSA key policy: AEAD, neither encrypt nor decrypt depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C aead_key_policy:0:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM:PSA_ERROR_NOT_PERMITTED -PSA key policy: AEAD, tag length > min-length policy +PSA key policy: AEAD, tag length > min-length policy, CCM depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:8:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8):PSA_SUCCESS -PSA key policy: AEAD, tag length = min-length policy +PSA key policy: AEAD, tag length = min-length policy, CCM depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):PSA_SUCCESS -PSA key policy: AEAD, tag length < min-length policy +PSA key policy: AEAD, tag length < min-length policy, CCM depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 4):PSA_ERROR_NOT_PERMITTED +PSA key policy: AEAD, tag length > min-length policy, GCM +depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_GCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":12:8:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 8):PSA_SUCCESS + +PSA key policy: AEAD, tag length = min-length policy, GCM +depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_GCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":12:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 4):PSA_SUCCESS + +PSA key policy: AEAD, tag length < min-length policy, GCM +depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_GCM, 8):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":12:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 4):PSA_ERROR_NOT_PERMITTED + +PSA key policy: AEAD, default tag length > min-length policy +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM:PSA_SUCCESS + +PSA key policy: AEAD, default tag length = min-length policy +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 16):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM:PSA_SUCCESS + +PSA key policy: AEAD, default tag length < min-length policy +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 17):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM:PSA_ERROR_NOT_PERMITTED + PSA key policy: AEAD, min-length policy, unmatched base alg depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_GCM_C aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 4):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:4:PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 4):PSA_ERROR_NOT_PERMITTED From 7e39f0592915caf1f1cebf4eeedc9f05f6fded8f Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 23 Feb 2021 14:18:32 +0100 Subject: [PATCH 14/31] Using a wildcard as a specific algorithm now reports invalid argument Signed-off-by: Steven Cooreman --- library/psa_crypto.c | 32 ++++++++++++++++++------- tests/suites/test_suite_psa_crypto.data | 10 ++++---- 2 files changed, 27 insertions(+), 15 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 32be756a2..40a0db373 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -744,9 +744,6 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( static int psa_key_algorithm_permits( psa_algorithm_t policy_alg, psa_algorithm_t requested_alg ) { - /* A requested algorithm cannot be a wildcard. */ - if( PSA_ALG_IS_WILDCARD( requested_alg ) ) - return( 0 ); /* Common case: the policy only allows requested_alg. */ if( requested_alg == policy_alg ) return( 1 ); @@ -804,12 +801,25 @@ static int psa_key_algorithm_permits( psa_algorithm_t policy_alg, /** Test whether a policy permits an algorithm. * * The caller must test usage flags separately. + * + * \retval PSA_SUCCESS When \p alg is a specific algorithm + * allowed by the \p policy. + * \retval PSA_ERROR_INVALID_ARGUMENT When \p alg is not a specific algorithm + * \retval PSA_ERROR_NOT_PERMITTED When \p alg is a specific algorithm, but + * the \p policy does not allow it. */ -static int psa_key_policy_permits( const psa_key_policy_t *policy, - psa_algorithm_t alg ) +static psa_status_t psa_key_policy_permits( const psa_key_policy_t *policy, + psa_algorithm_t alg ) { - return( psa_key_algorithm_permits( policy->alg, alg ) || - psa_key_algorithm_permits( policy->alg2, alg ) ); + /* A requested algorithm cannot be a wildcard. */ + if( PSA_ALG_IS_WILDCARD( alg ) ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + if( psa_key_algorithm_permits( policy->alg, alg ) || + psa_key_algorithm_permits( policy->alg2, alg ) ) + return( PSA_SUCCESS ); + else + return( PSA_ERROR_NOT_PERMITTED ); } /** Restrict a key policy based on a constraint. @@ -880,8 +890,12 @@ static psa_status_t psa_get_and_lock_key_slot_with_policy( goto error; /* Enforce that the usage policy permits the requested algortihm. */ - if( alg != 0 && ! psa_key_policy_permits( &slot->attr.policy, alg ) ) - goto error; + if( alg != 0 ) + { + status = psa_key_policy_permits( &slot->attr.policy, alg ); + if( status != PSA_SUCCESS ) + goto error; + } return( PSA_SUCCESS ); diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index c4c340f79..6e379a217 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -454,7 +454,7 @@ mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LE PSA key policy: MAC, sign-verify, min-length policy used as algorithm depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC -mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_ERROR_NOT_PERMITTED +mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_ERROR_INVALID_ARGUMENT PSA key policy: MAC, sign-verify, tag length > exact-length policy depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC @@ -558,7 +558,7 @@ aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_ PSA key policy: AEAD, min-length policy used as algorithm depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C -aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:8:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):PSA_ERROR_NOT_PERMITTED +aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:8:PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(PSA_ALG_CCM, 8):PSA_ERROR_INVALID_ARGUMENT PSA key policy: AEAD, tag length > exact-length policy depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C @@ -2118,9 +2118,7 @@ sign_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb PSA sign: RSA PKCS#1 v1.5, invalid hash (wildcard) depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_C:MBEDTLS_PKCS1_V15 -# Arguably the error should be INVALID_ARGUMENT, but NOT_SUPPORTED is simpler -# to implement. -sign_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":128:PSA_ERROR_NOT_PERMITTED +sign_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":128:PSA_ERROR_INVALID_ARGUMENT PSA sign: RSA PKCS#1 v1.5 raw, input too large depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C @@ -2148,7 +2146,7 @@ sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bb PSA sign: deterministic ECDSA SECP256R1, invalid hash algorithm (wildcard) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_C -sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_NOT_PERMITTED +sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT PSA sign: invalid key type, signing with a public key depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C From fb9cb920558fd462dcf6cb0ff30532e46db46313 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 23 Feb 2021 14:37:38 +0100 Subject: [PATCH 15/31] Move wildcard-to-exercisable conversion to exercise_key in test suite Signed-off-by: Steven Cooreman --- tests/src/psa_exercise_key.c | 12 ++++++++++++ tests/suites/test_suite_psa_crypto.function | 13 ------------- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c index 869da7df6..a4f87eb2c 100644 --- a/tests/src/psa_exercise_key.c +++ b/tests/src/psa_exercise_key.c @@ -122,6 +122,12 @@ static int exercise_mac_key( mbedtls_svc_key_id_t key, unsigned char mac[PSA_MAC_MAX_SIZE] = {0}; size_t mac_length = sizeof( mac ); + /* Convert wildcard algorithm to exercisable algorithm */ + if( alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) + { + alg = PSA_ALG_TRUNCATED_MAC( alg, PSA_MAC_TRUNCATED_LENGTH( alg ) ); + } + if( usage & PSA_KEY_USAGE_SIGN_HASH ) { PSA_ASSERT( psa_mac_sign_setup( &operation, key, alg ) ); @@ -236,6 +242,12 @@ static int exercise_aead_key( mbedtls_svc_key_id_t key, size_t ciphertext_length = sizeof( ciphertext ); size_t plaintext_length = sizeof( ciphertext ); + /* Convert wildcard algorithm to exercisable algorithm */ + if( alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ) + { + alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, PSA_ALG_AEAD_GET_TAG_LENGTH( alg ) ); + } + /* Default IV length for AES-GCM is 12 bytes */ if( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) == PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ) ) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index fca78cb5e..a6b0b84e8 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -1338,19 +1338,6 @@ void copy_success( int source_usage_arg, export_buffer, length ); } - /* Convert wildcard algorithm to exercisable algorithm */ - if( PSA_ALG_IS_WILDCARD( expected_alg ) ) - { - if( PSA_ALG_IS_MAC( expected_alg ) ) - expected_alg = PSA_ALG_TRUNCATED_MAC( - expected_alg, - PSA_MAC_TRUNCATED_LENGTH( expected_alg ) ); - if( PSA_ALG_IS_AEAD( expected_alg ) ) - expected_alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG( - expected_alg, - PSA_ALG_AEAD_GET_TAG_LENGTH( expected_alg ) ); - } - if( ! mbedtls_test_psa_exercise_key( target_key, expected_usage, expected_alg ) ) goto exit; if( ! mbedtls_test_psa_exercise_key( target_key, expected_usage, expected_alg2 ) ) From a1d8322f74d0df03c5acd8b42ca506dde2bd5c0d Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Thu, 25 Feb 2021 10:20:29 +0100 Subject: [PATCH 16/31] Fix typos & copy-paste errors Signed-off-by: Steven Cooreman --- include/psa/crypto_values.h | 4 ++-- library/psa_crypto.c | 2 +- tests/suites/test_suite_psa_crypto_metadata.function | 12 ++++++------ 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 7d16523a9..524cde1a0 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -941,7 +941,7 @@ /** Macro to build a MAC minimum-MAC-length wildcard algorithm. * - * A mininimum-MAC-length MAC wildcard algorithm permits all MAC algorithms + * A minimum-MAC-length MAC wildcard algorithm permits all MAC algorithms * sharing the same base algorithm, and where the (potentially truncated) MAC * length of the specific algorithm is equal to or larger then the wildcard * algorithm's minimum MAC length. @@ -1192,7 +1192,7 @@ /** Macro to build an AEAD minimum-tag-length wildcard algorithm. * - * A mininimum-tag-length AEAD wildcard algorithm permits all AEAD algorithms + * A minimum-tag-length AEAD wildcard algorithm permits all AEAD algorithms * sharing the same base algorithm, and where the tag length of the specific * algorithm is equal to or larger then the minimum tag length specified by the * wildcard algorithm. diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 40a0db373..c23d124f3 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -714,7 +714,7 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( size_t alg2_len = PSA_MAC_TRUNCATED_LENGTH( alg2 ); size_t max_len = alg1_len > alg2_len ? alg1_len : alg2_len; - /* If both are wildcards, return most restricitve wildcard */ + /* If both are wildcards, return most restrictive wildcard */ if( ( ( alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) && ( ( alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) ) { diff --git a/tests/suites/test_suite_psa_crypto_metadata.function b/tests/suites/test_suite_psa_crypto_metadata.function index 9379c5ed2..01ce47f2c 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.function +++ b/tests/suites/test_suite_psa_crypto_metadata.function @@ -272,9 +272,9 @@ void mac_algorithm( int alg_arg, int classification_flags, mac_algorithm_core( policy_alg, classification_flags | ALG_IS_WILDCARD, key_type, key_bits, n ); TEST_EQUAL( PSA_ALG_FULL_LENGTH_MAC( policy_alg ), alg ); - /* Check that calling PSA_ALG_TRUNCATED_MAC twice gives the length - * of the outer truncation (even if the outer length is smaller than - * the inner length). */ + /* Check that calling PSA_ALG_AT_LEAST_THIS_LENGTH_MAC twice gives the + * length of the outer truncation (even if the outer length is smaller + * than the inner length). */ TEST_EQUAL( PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( policy_alg, 1 ), PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg, 1 ) ); TEST_EQUAL( PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( policy_alg, length - 1 ), @@ -347,7 +347,7 @@ void aead_algorithm( int alg_arg, int classification_flags, aead_algorithm_core( truncated_alg, classification_flags, n ); TEST_EQUAL( PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG( truncated_alg ), alg ); - /* Check that calling PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG twice gives + /* Check that calling PSA_ALG_AEAD_WITH_SHORTENED_TAG twice gives * the length of the outer truncation (even if the outer length is * smaller than the inner length). */ TEST_EQUAL( PSA_ALG_AEAD_WITH_SHORTENED_TAG( truncated_alg, 1 ), @@ -365,8 +365,8 @@ void aead_algorithm( int alg_arg, int classification_flags, aead_algorithm_core( policy_alg, classification_flags | ALG_IS_WILDCARD, n ); TEST_EQUAL( PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG( policy_alg ), alg ); - /* Check that calling PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG twice gives - * the length of the outer truncation (even if the outer length is + /* Check that calling PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG twice + * gives the length of the outer truncation (even if the outer length is * smaller than the inner length). */ TEST_EQUAL( PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( policy_alg, 1 ), PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( alg, 1 ) ); From 947bb0b06fe631155c6f78ef175dbac96f6f7b70 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Thu, 25 Feb 2021 10:33:30 +0100 Subject: [PATCH 17/31] Code readability improvements Signed-off-by: Steven Cooreman --- programs/psa/psa_constant_names_generated.c | 39 ++++++++------------- scripts/generate_psa_constants.py | 39 ++++++++------------- 2 files changed, 30 insertions(+), 48 deletions(-) diff --git a/programs/psa/psa_constant_names_generated.c b/programs/psa/psa_constant_names_generated.c index b1a801f74..f797c027f 100644 --- a/programs/psa/psa_constant_names_generated.c +++ b/programs/psa/psa_constant_names_generated.c @@ -154,33 +154,24 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size, append(&buffer, buffer_size, &required_size, "PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(", 33); length_modifier = PSA_MAC_TRUNCATED_LENGTH(alg); - } else { - if (core_alg != alg) { - append(&buffer, buffer_size, &required_size, - "PSA_ALG_TRUNCATED_MAC(", 22); - length_modifier = PSA_MAC_TRUNCATED_LENGTH(alg); - } + } else if (core_alg != alg) { + append(&buffer, buffer_size, &required_size, + "PSA_ALG_TRUNCATED_MAC(", 22); + length_modifier = PSA_MAC_TRUNCATED_LENGTH(alg); } } else if (PSA_ALG_IS_AEAD(alg)) { core_alg = PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg); - if (alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) { - if (core_alg == 0) { - /* For unknown AEAD algorithms, there is no "default tag length". */ - core_alg = alg; - } else { - append(&buffer, buffer_size, &required_size, - "PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(", 43); - length_modifier = PSA_AEAD_TAG_LENGTH(alg); - } - } else { - if (core_alg == 0) { - /* For unknown AEAD algorithms, there is no "default tag length". */ - core_alg = alg; - } else if (core_alg != alg) { - append(&buffer, buffer_size, &required_size, - "PSA_ALG_AEAD_WITH_SHORTENED_TAG(", 32); - length_modifier = PSA_AEAD_TAG_LENGTH(alg); - } + if (core_alg == 0) { + /* For unknown AEAD algorithms, there is no "default tag length". */ + core_alg = alg; + } else if (alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) { + append(&buffer, buffer_size, &required_size, + "PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(", 43); + length_modifier = PSA_AEAD_TAG_LENGTH(alg); + } else if (core_alg != alg) { + append(&buffer, buffer_size, &required_size, + "PSA_ALG_AEAD_WITH_SHORTENED_TAG(", 32); + length_modifier = PSA_AEAD_TAG_LENGTH(alg); } } else if (PSA_ALG_IS_KEY_AGREEMENT(alg) && !PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) { diff --git a/scripts/generate_psa_constants.py b/scripts/generate_psa_constants.py index 644fbad5d..d0d1f3f49 100755 --- a/scripts/generate_psa_constants.py +++ b/scripts/generate_psa_constants.py @@ -104,33 +104,24 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size, append(&buffer, buffer_size, &required_size, "PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(", 33); length_modifier = PSA_MAC_TRUNCATED_LENGTH(alg); - } else { - if (core_alg != alg) { - append(&buffer, buffer_size, &required_size, - "PSA_ALG_TRUNCATED_MAC(", 22); - length_modifier = PSA_MAC_TRUNCATED_LENGTH(alg); - } + } else if (core_alg != alg) { + append(&buffer, buffer_size, &required_size, + "PSA_ALG_TRUNCATED_MAC(", 22); + length_modifier = PSA_MAC_TRUNCATED_LENGTH(alg); } } else if (PSA_ALG_IS_AEAD(alg)) { core_alg = PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg); - if (alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) { - if (core_alg == 0) { - /* For unknown AEAD algorithms, there is no "default tag length". */ - core_alg = alg; - } else { - append(&buffer, buffer_size, &required_size, - "PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(", 43); - length_modifier = PSA_AEAD_TAG_LENGTH(alg); - } - } else { - if (core_alg == 0) { - /* For unknown AEAD algorithms, there is no "default tag length". */ - core_alg = alg; - } else if (core_alg != alg) { - append(&buffer, buffer_size, &required_size, - "PSA_ALG_AEAD_WITH_SHORTENED_TAG(", 32); - length_modifier = PSA_AEAD_TAG_LENGTH(alg); - } + if (core_alg == 0) { + /* For unknown AEAD algorithms, there is no "default tag length". */ + core_alg = alg; + } else if (alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) { + append(&buffer, buffer_size, &required_size, + "PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(", 43); + length_modifier = PSA_AEAD_TAG_LENGTH(alg); + } else if (core_alg != alg) { + append(&buffer, buffer_size, &required_size, + "PSA_ALG_AEAD_WITH_SHORTENED_TAG(", 32); + length_modifier = PSA_AEAD_TAG_LENGTH(alg); } } else if (PSA_ALG_IS_KEY_AGREEMENT(alg) && !PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) { From 16a05f5881dcd7d68e188d7709df5a3890318762 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Thu, 25 Feb 2021 11:22:03 +0100 Subject: [PATCH 18/31] Add metadata tests intertwining truncated and at-least-length algos Signed-off-by: Steven Cooreman --- .../test_suite_psa_crypto_metadata.function | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_metadata.function b/tests/suites/test_suite_psa_crypto_metadata.function index 01ce47f2c..3b3e38053 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.function +++ b/tests/suites/test_suite_psa_crypto_metadata.function @@ -263,6 +263,20 @@ void mac_algorithm( int alg_arg, int classification_flags, PSA_ALG_TRUNCATED_MAC( alg, length - 1) ); TEST_EQUAL( PSA_ALG_TRUNCATED_MAC( truncated_alg, length ), PSA_ALG_TRUNCATED_MAC( alg, length ) ); + + /* Check that calling PSA_ALG_TRUNCATED_MAC on an algorithm + * earlier constructed with PSA_ALG_AT_LEAST_THIS_LENGTH_MAC gives the + * length of the outer truncation (even if the outer length is smaller + * than the inner length). */ + TEST_EQUAL( PSA_ALG_TRUNCATED_MAC( + PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( truncated_alg, n ), 1 ), + PSA_ALG_TRUNCATED_MAC( alg, 1 ) ); + TEST_EQUAL( PSA_ALG_TRUNCATED_MAC( + PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( truncated_alg, n ), length - 1 ), + PSA_ALG_TRUNCATED_MAC( alg, length - 1) ); + TEST_EQUAL( PSA_ALG_TRUNCATED_MAC( + PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( truncated_alg, n ), length ), + PSA_ALG_TRUNCATED_MAC( alg, length ) ); } /* At-leat-this-length versions */ @@ -281,6 +295,20 @@ void mac_algorithm( int alg_arg, int classification_flags, PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg, length - 1) ); TEST_EQUAL( PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( policy_alg, length ), PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg, length ) ); + + /* Check that calling PSA_ALG_AT_LEAST_THIS_LENGTH_MAC on an algorithm + * earlier constructed with PSA_ALG_TRUNCATED_MAC gives the length of + * the outer truncation (even if the outer length is smaller than the + * inner length). */ + TEST_EQUAL( PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( + PSA_ALG_TRUNCATED_MAC( policy_alg, n ), 1), + PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg, 1 ) ); + TEST_EQUAL( PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( + PSA_ALG_TRUNCATED_MAC( policy_alg, n ), length - 1 ), + PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg, length - 1) ); + TEST_EQUAL( PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( + PSA_ALG_TRUNCATED_MAC( policy_alg, n ), length ), + PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg, length ) ); } } /* END_CASE */ @@ -356,6 +384,20 @@ void aead_algorithm( int alg_arg, int classification_flags, PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, tag_length - 1) ); TEST_EQUAL( PSA_ALG_AEAD_WITH_SHORTENED_TAG( truncated_alg, tag_length ), PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, tag_length ) ); + + /* Check that calling PSA_ALG_AEAD_WITH_SHORTENED_TAG on an algorithm + * earlier constructed with PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG + * gives the length of the outer truncation (even if the outer length is + * smaller than the inner length). */ + TEST_EQUAL( PSA_ALG_AEAD_WITH_SHORTENED_TAG( + PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( truncated_alg, n ), 1 ), + PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 1 ) ); + TEST_EQUAL( PSA_ALG_AEAD_WITH_SHORTENED_TAG( + PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( truncated_alg, n ), tag_length - 1 ), + PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, tag_length - 1) ); + TEST_EQUAL( PSA_ALG_AEAD_WITH_SHORTENED_TAG( + PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( truncated_alg, n ), tag_length ), + PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, tag_length ) ); } /* At-leat-this-length versions */ @@ -374,6 +416,20 @@ void aead_algorithm( int alg_arg, int classification_flags, PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( alg, tag_length - 1) ); TEST_EQUAL( PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( policy_alg, tag_length ), PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( alg, tag_length ) ); + + /* Check that calling PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG on an + * algorithm earlier constructed with PSA_ALG_AEAD_WITH_SHORTENED_TAG + * gives the length of the outer truncation (even if the outer length is + * smaller than the inner length). */ + TEST_EQUAL( PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( + PSA_ALG_AEAD_WITH_SHORTENED_TAG( policy_alg, n ), 1), + PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( alg, 1 ) ); + TEST_EQUAL( PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( + PSA_ALG_AEAD_WITH_SHORTENED_TAG( policy_alg, n ), tag_length - 1 ), + PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( alg, tag_length - 1) ); + TEST_EQUAL( PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( + PSA_ALG_AEAD_WITH_SHORTENED_TAG( policy_alg, n ), tag_length ), + PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( alg, tag_length ) ); } } /* END_CASE */ From d788fab4ff8a7e14841c8c372591fc71333fde67 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Thu, 25 Feb 2021 11:29:17 +0100 Subject: [PATCH 19/31] Clarify usage of psa_key_policy_permits Signed-off-by: Steven Cooreman --- library/psa_crypto.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index c23d124f3..eff86bcf0 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -811,6 +811,10 @@ static int psa_key_algorithm_permits( psa_algorithm_t policy_alg, static psa_status_t psa_key_policy_permits( const psa_key_policy_t *policy, psa_algorithm_t alg ) { + /* '0' is not a valid algorithm */ + if( alg == 0 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + /* A requested algorithm cannot be a wildcard. */ if( PSA_ALG_IS_WILDCARD( alg ) ) return( PSA_ERROR_INVALID_ARGUMENT ); @@ -856,7 +860,8 @@ static psa_status_t psa_restrict_key_policy( * and lock it. * * The key must have allow all the usage flags set in \p usage. If \p alg is - * nonzero, the key must allow operations with this algorithm. + * nonzero, the key must allow operations with this algorithm. If \p alg is + * zero, the algorithm is not checked. * * In case of a persistent key, the function loads the description of the key * into a key slot if not already done. From 328f11c50ed3a540aefbc0fd9a159a92b4f093ac Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 2 Mar 2021 11:44:51 +0100 Subject: [PATCH 20/31] Language & readability touchups Signed-off-by: Steven Cooreman --- include/psa/crypto_values.h | 27 ++++++++++++++++--------- library/psa_crypto.c | 20 +++++++++++++----- tests/suites/test_suite_psa_crypto.data | 20 +++++++++--------- 3 files changed, 42 insertions(+), 25 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 524cde1a0..a17bfc2bf 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -868,7 +868,8 @@ /* In the encoding of a MAC algorithm, the bit corresponding to * #PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG encodes the fact that the algorithm - * is a wildcard algorithm, which allows any algorithm corresponding to the + * is a wildcard algorithm. A key with such wildcard algorithm as permitted + * algorithm policy can be used with any algorithm corresponding to the * same base class and having a (potentially truncated) MAC length greater or * equal than the one encoded in #PSA_ALG_MAC_TRUNCATION_MASK. */ #define PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ((psa_algorithm_t)0x00008000) @@ -906,8 +907,9 @@ * MAC algorithm or if \p mac_length is too small or * too large for the specified MAC algorithm. */ -#define PSA_ALG_TRUNCATED_MAC(mac_alg, mac_length) \ - (((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG)) | \ +#define PSA_ALG_TRUNCATED_MAC(mac_alg, mac_length) \ + (((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | \ + PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG)) | \ ((mac_length) << PSA_MAC_TRUNCATION_OFFSET & PSA_ALG_MAC_TRUNCATION_MASK)) /** Macro to build the base MAC algorithm corresponding to a truncated @@ -922,8 +924,9 @@ * \return Unspecified if \p alg is not a supported * MAC algorithm. */ -#define PSA_ALG_FULL_LENGTH_MAC(mac_alg) \ - ((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG)) +#define PSA_ALG_FULL_LENGTH_MAC(mac_alg) \ + ((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | \ + PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG)) /** Length to which a MAC algorithm is truncated. * @@ -963,8 +966,9 @@ * algorithm or if \p min_mac_length is less than 1 or * too large for the specified MAC algorithm. */ -#define PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(mac_alg, min_mac_length) \ - ( PSA_ALG_TRUNCATED_MAC(mac_alg, min_mac_length) | PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) +#define PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(mac_alg, min_mac_length) \ + ( PSA_ALG_TRUNCATED_MAC(mac_alg, min_mac_length) | \ + PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) #define PSA_ALG_CIPHER_MAC_BASE ((psa_algorithm_t)0x03c00000) /** The CBC-MAC construction over a block cipher @@ -1128,7 +1132,8 @@ /* In the encoding of an AEAD algorithm, the bit corresponding to * #PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG encodes the fact that the algorithm - * is a wildcard algorithm, which allows any algorithm corresponding to the + * is a wildcard algorithm. A key with such wildcard algorithm as permitted + * algorithm policy can be used with any algorithm corresponding to the * same base class and having a tag length greater than or equal to the one * encoded in #PSA_ALG_AEAD_TAG_LENGTH_MASK. */ #define PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ((psa_algorithm_t)0x00008000) @@ -1152,7 +1157,8 @@ * for the specified AEAD algorithm. */ #define PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, tag_length) \ - (((aead_alg) & ~(PSA_ALG_AEAD_TAG_LENGTH_MASK | PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG)) | \ + (((aead_alg) & ~(PSA_ALG_AEAD_TAG_LENGTH_MASK | \ + PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG)) | \ ((tag_length) << PSA_AEAD_TAG_LENGTH_OFFSET & \ PSA_ALG_AEAD_TAG_LENGTH_MASK)) @@ -1215,7 +1221,8 @@ * or too large for the specified AEAD algorithm. */ #define PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(aead_alg, min_tag_length) \ - ( PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, min_tag_length) | PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ) + ( PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, min_tag_length) | \ + PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ) #define PSA_ALG_RSA_PKCS1V15_SIGN_BASE ((psa_algorithm_t)0x06000200) /** RSA PKCS#1 v1.5 signature with hashing. diff --git a/library/psa_crypto.c b/library/psa_crypto.c index eff86bcf0..4f67ddf9c 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -890,9 +890,11 @@ static psa_status_t psa_get_and_lock_key_slot_with_policy( if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) ) usage &= ~PSA_KEY_USAGE_EXPORT; - status = PSA_ERROR_NOT_PERMITTED; if( ( slot->attr.policy.usage & usage ) != usage ) + { + status = PSA_ERROR_NOT_PERMITTED; goto error; + } /* Enforce that the usage policy permits the requested algortihm. */ if( alg != 0 ) @@ -2938,21 +2940,29 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation, * a corner case due to the default MAC length being unknown * at key loading time. */ if( PSA_ALG_IS_MAC( slot->attr.policy.alg ) && - ( PSA_ALG_FULL_LENGTH_MAC( slot->attr.policy.alg ) == full_length_alg ) && + ( PSA_ALG_FULL_LENGTH_MAC( slot->attr.policy.alg ) == + full_length_alg ) && ( slot->attr.policy.alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) ) { /* validate policy length */ - if( PSA_MAC_TRUNCATED_LENGTH( slot->attr.policy.alg ) > operation->mac_size ) + if( PSA_MAC_TRUNCATED_LENGTH( slot->attr.policy.alg ) > + operation->mac_size ) + { status = PSA_ERROR_NOT_PERMITTED; + } } if( PSA_ALG_IS_MAC( slot->attr.policy.alg2 ) && - ( PSA_ALG_FULL_LENGTH_MAC( slot->attr.policy.alg2 ) == full_length_alg ) && + ( PSA_ALG_FULL_LENGTH_MAC( slot->attr.policy.alg2 ) == + full_length_alg ) && ( slot->attr.policy.alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) ) { /* validate policy length */ - if( PSA_MAC_TRUNCATED_LENGTH( slot->attr.policy.alg2 ) > operation->mac_size ) + if( PSA_MAC_TRUNCATED_LENGTH( slot->attr.policy.alg2 ) > + operation->mac_size ) + { status = PSA_ERROR_NOT_PERMITTED; + } } } else if( truncated < 4 ) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 6e379a217..b542938ac 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -428,43 +428,43 @@ PSA key policy: CMAC, sign-verify, tag length < min-length policy depends_on:MBEDTLS_AES_C:MBEDTLS_CMAC_C mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_CMAC, 10):PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_CMAC, 8):PSA_ERROR_NOT_PERMITTED -PSA key policy: MAC, sign-verify, default tag length > min-length policy +PSA key policy: HMAC, sign-verify, default tag length > min-length policy depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 31):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_SUCCESS -PSA key policy: MAC, sign-verify, default tag length = min-length policy +PSA key policy: HMAC, sign-verify, default tag length = min-length policy depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 32):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_SUCCESS -PSA key policy: MAC, sign-verify, default tag length < min-length policy +PSA key policy: HMAC, sign-verify, default tag length < min-length policy depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 33):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_ERROR_NOT_PERMITTED -PSA key policy: MAC, sign-verify, min-length policy, unmatched base alg +PSA key policy: HMAC, sign-verify, min-length policy, unmatched base alg depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC:MBEDTLS_CMAC_C mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_CMAC, 20):PSA_ERROR_NOT_PERMITTED -PSA key policy: MAC, sign-verify, min-length policy, unmatched base alg (different hash base) +PSA key policy: HMAC, sign-verify, min-length policy, unmatched base alg (different hash base) depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_224:PSA_WANT_KEY_TYPE_HMAC mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_224), 20):PSA_ERROR_NOT_PERMITTED -PSA key policy: MAC, sign-verify, min-length policy, unmatched base alg (different algorithm) +PSA key policy: HMAC, sign-verify, min-length policy, unmatched base alg (different algorithm) depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC:MBEDTLS_CMAC_C mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 10):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_CMAC:PSA_ERROR_NOT_PERMITTED -PSA key policy: MAC, sign-verify, min-length policy used as algorithm +PSA key policy: HMAC, sign-verify, min-length policy used as algorithm depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_ERROR_INVALID_ARGUMENT -PSA key policy: MAC, sign-verify, tag length > exact-length policy +PSA key policy: HMAC, sign-verify, tag length > exact-length policy depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 10):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_ERROR_NOT_PERMITTED -PSA key policy: MAC, sign-verify, tag length = exact-length policy +PSA key policy: HMAC, sign-verify, tag length = exact-length policy depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_SUCCESS -PSA key policy: MAC, sign-verify, tag length < exact-length policy +PSA key policy: HMAC, sign-verify, tag length < exact-length policy depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC mac_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 20):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 10):PSA_ERROR_NOT_PERMITTED From 5ad4bf75e3fdd1470c37fd3c0617e1bc460ea012 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 2 Mar 2021 15:11:57 +0100 Subject: [PATCH 21/31] Move MAC default length checking into psa_key_policy_permits Signed-off-by: Steven Cooreman --- library/psa_crypto.c | 154 +++++++++++++++++------- tests/suites/test_suite_psa_crypto.data | 10 +- 2 files changed, 116 insertions(+), 48 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 4f67ddf9c..f843e6656 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -545,6 +545,68 @@ static inline size_t psa_get_key_slot_bits( const psa_key_slot_t *slot ) return( slot->attr.bits ); } +/** Return the output MAC length of a MAC algorithm, in bytes + * + * \param[in] algorithm The specific MAC algorithm + * \param[in] key_type The key type of the key to be used with the + * \p algorithm. + * \param[out] length The calculated output length of the given MAC + * \p algorithm when used with a key corresponding to + * the given \p key_type + * + * \retval #PSA_SUCCESS + * The \p length has been successfully calculated + * \retval #PSA_ERROR_NOT_SUPPORTED + * \p algorithm is a MAC algorithm, but ubsupported by this PSA core. + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p algorithm is not a valid, specific MAC algorithm or \p key_type + * describes a key incompatible with the specified \p algorithm. + */ +static psa_status_t psa_get_mac_output_length( psa_algorithm_t algorithm, + psa_key_type_t key_type, + size_t *length ) +{ + if( !PSA_ALG_IS_MAC( algorithm ) || PSA_ALG_IS_WILDCARD( algorithm ) ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + size_t default_length = 0; + + if( PSA_ALG_FULL_LENGTH_MAC( algorithm ) == PSA_ALG_CMAC || + PSA_ALG_FULL_LENGTH_MAC( algorithm ) == PSA_ALG_CBC_MAC ) + { + default_length = PSA_BLOCK_CIPHER_BLOCK_LENGTH( key_type ); + /* CMAC and CBC-MAC are only defined on block ciphers */ + if( default_length == 0 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + } + else if( PSA_ALG_IS_HMAC( algorithm ) ) + { + /* HMAC output length is dictated by the underlying hash operation */ + psa_algorithm_t hash_alg = PSA_ALG_HMAC_GET_HASH( algorithm ); + default_length = PSA_HASH_LENGTH( hash_alg ); + + if( hash_alg == 0 || default_length == 0 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + } + else + return( PSA_ERROR_NOT_SUPPORTED ); + + /* Output the expected (potentially truncated) length as long as it can + * actually be output by the algorithm */ + if( PSA_ALG_FULL_LENGTH_MAC( algorithm ) == algorithm ) + { + *length = default_length; + return( PSA_SUCCESS ); + } + else if( PSA_MAC_TRUNCATED_LENGTH( algorithm ) <= default_length ) + { + *length = PSA_MAC_TRUNCATED_LENGTH( algorithm ); + return( PSA_SUCCESS ); + } + else + return( PSA_ERROR_INVALID_ARGUMENT ); +} + /** Try to allocate a buffer to an empty key slot. * * \param[in,out] slot Key slot to attach buffer to. @@ -741,7 +803,8 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( return( 0 ); } -static int psa_key_algorithm_permits( psa_algorithm_t policy_alg, +static int psa_key_algorithm_permits( psa_key_type_t key_type, + psa_algorithm_t policy_alg, psa_algorithm_t requested_alg ) { /* Common case: the policy only allows requested_alg. */ @@ -768,22 +831,49 @@ static int psa_key_algorithm_permits( psa_algorithm_t policy_alg, return( PSA_ALG_AEAD_GET_TAG_LENGTH( policy_alg ) <= PSA_ALG_AEAD_GET_TAG_LENGTH( requested_alg ) ); } - /* If policy_alg is a wildcard MAC algorithm of the same base as - * the requested algorithm, check the requested tag length to be - * equal-length or longer than the wildcard-specified length. */ if( PSA_ALG_IS_MAC( policy_alg ) && PSA_ALG_IS_MAC( requested_alg ) && ( PSA_ALG_FULL_LENGTH_MAC( policy_alg ) == - PSA_ALG_FULL_LENGTH_MAC( requested_alg ) ) && - ( ( policy_alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) ) + PSA_ALG_FULL_LENGTH_MAC( requested_alg ) ) ) { - /* Special case: full-length MAC is encoded with 0-length. - * A minimum-length policy will always allow a full-length MAC. */ - if( PSA_ALG_FULL_LENGTH_MAC( requested_alg ) == requested_alg ) - return( 1 ); + size_t actual_output_length; + size_t default_output_length; + if( PSA_SUCCESS != psa_get_mac_output_length( + requested_alg, + key_type, + &actual_output_length ) ) + { + return( 0 ); + } + if( PSA_SUCCESS != psa_get_mac_output_length( + PSA_ALG_FULL_LENGTH_MAC( requested_alg ), + key_type, + &default_output_length ) ) + { + return( 0 ); + } - return( PSA_MAC_TRUNCATED_LENGTH( policy_alg ) <= - PSA_MAC_TRUNCATED_LENGTH( requested_alg ) ); + /* If the policy is default-length, only allow an algorithm with + * a declared exact-length matching the default. */ + if( PSA_MAC_TRUNCATED_LENGTH( policy_alg ) == 0 ) + return( actual_output_length == default_output_length ); + + /* If the requested algorithm is default-length, allow it if the policy + * is exactly the default length. */ + if( PSA_MAC_TRUNCATED_LENGTH( requested_alg ) == 0 && + PSA_MAC_TRUNCATED_LENGTH( policy_alg ) == default_output_length ) + { + return( 1 ); + } + + /* If policy_alg is a wildcard MAC algorithm of the same base as + * the requested algorithm, check the requested tag length to be + * equal-length or longer than the wildcard-specified length. */ + if( ( policy_alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) + { + return( PSA_MAC_TRUNCATED_LENGTH( policy_alg ) <= + actual_output_length ); + } } /* If policy_alg is a generic key agreement operation, then using it for * a key derivation with that key agreement should also be allowed. This @@ -809,6 +899,7 @@ static int psa_key_algorithm_permits( psa_algorithm_t policy_alg, * the \p policy does not allow it. */ static psa_status_t psa_key_policy_permits( const psa_key_policy_t *policy, + psa_key_type_t key_type, psa_algorithm_t alg ) { /* '0' is not a valid algorithm */ @@ -819,8 +910,8 @@ static psa_status_t psa_key_policy_permits( const psa_key_policy_t *policy, if( PSA_ALG_IS_WILDCARD( alg ) ) return( PSA_ERROR_INVALID_ARGUMENT ); - if( psa_key_algorithm_permits( policy->alg, alg ) || - psa_key_algorithm_permits( policy->alg2, alg ) ) + if( psa_key_algorithm_permits( key_type, policy->alg, alg ) || + psa_key_algorithm_permits( key_type, policy->alg2, alg ) ) return( PSA_SUCCESS ); else return( PSA_ERROR_NOT_PERMITTED ); @@ -899,7 +990,9 @@ static psa_status_t psa_get_and_lock_key_slot_with_policy( /* Enforce that the usage policy permits the requested algortihm. */ if( alg != 0 ) { - status = psa_key_policy_permits( &slot->attr.policy, alg ); + status = psa_key_policy_permits( &slot->attr.policy, + slot->attr.type, + alg ); if( status != PSA_SUCCESS ) goto error; } @@ -2934,36 +3027,7 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation, if( truncated == 0 ) { - /* The "normal" case: untruncated algorithm. Re-validate the - * key policy with explicit MAC length set in the algorithm - * when the algorithm policy is at-least-this-length to catch - * a corner case due to the default MAC length being unknown - * at key loading time. */ - if( PSA_ALG_IS_MAC( slot->attr.policy.alg ) && - ( PSA_ALG_FULL_LENGTH_MAC( slot->attr.policy.alg ) == - full_length_alg ) && - ( slot->attr.policy.alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) ) - { - /* validate policy length */ - if( PSA_MAC_TRUNCATED_LENGTH( slot->attr.policy.alg ) > - operation->mac_size ) - { - status = PSA_ERROR_NOT_PERMITTED; - } - } - - if( PSA_ALG_IS_MAC( slot->attr.policy.alg2 ) && - ( PSA_ALG_FULL_LENGTH_MAC( slot->attr.policy.alg2 ) == - full_length_alg ) && - ( slot->attr.policy.alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) ) - { - /* validate policy length */ - if( PSA_MAC_TRUNCATED_LENGTH( slot->attr.policy.alg2 ) > - operation->mac_size ) - { - status = PSA_ERROR_NOT_PERMITTED; - } - } + /* The "normal" case: untruncated algorithm. Nothing to do. */ } else if( truncated < 4 ) { diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index b542938ac..84267ad95 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -1085,8 +1085,12 @@ PSA MAC setup: good, AES-CMAC depends_on:MBEDTLS_AES_C:MBEDTLS_CMAC_C mac_setup:PSA_KEY_TYPE_AES:"000102030405060708090a0b0c0d0e0f":PSA_ALG_CMAC:PSA_SUCCESS -PSA MAC setup: bad algorithm (unknown MAC algorithm) -mac_setup:PSA_KEY_TYPE_HMAC:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f":PSA_ALG_HMAC(0):PSA_ERROR_NOT_SUPPORTED +PSA MAC setup: bad algorithm (HMAC without specified hash) +mac_setup:PSA_KEY_TYPE_HMAC:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f":PSA_ALG_HMAC(0):PSA_ERROR_INVALID_ARGUMENT + +PSA MAC setup: bad algorithm (unsupported HMAC hash algorithm) +depends_on:!PSA_WANT_ALG_MD2 +mac_setup:PSA_KEY_TYPE_HMAC:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f":PSA_ALG_HMAC(PSA_ALG_MD2):PSA_ERROR_NOT_SUPPORTED PSA MAC setup: bad algorithm (not a MAC algorithm) depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC @@ -1107,7 +1111,7 @@ mac_setup:PSA_KEY_TYPE_RAW_DATA:"000102030405060708090a0b0c0d0e0f101112131415161 PSA MAC setup: incompatible key HMAC for CMAC depends_on:MBEDTLS_CMAC_C # Either INVALID_ARGUMENT or NOT_SUPPORTED would be reasonable here -mac_setup:PSA_KEY_TYPE_HMAC:"000102030405060708090a0b0c0d0e0f":PSA_ALG_CMAC:PSA_ERROR_NOT_SUPPORTED +mac_setup:PSA_KEY_TYPE_HMAC:"000102030405060708090a0b0c0d0e0f":PSA_ALG_CMAC:PSA_ERROR_INVALID_ARGUMENT PSA MAC setup: algorithm known but not supported, long key depends_on:!MBEDTLS_MD5_C From 15472f8c70b1798abe4aebc255a2aaa1e07992f4 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 2 Mar 2021 16:16:22 +0100 Subject: [PATCH 22/31] Clean up psa_mac_setup now that we have an output length calculator Signed-off-by: Steven Cooreman --- library/psa_crypto.c | 97 +++++++++++++++++--------------------------- 1 file changed, 37 insertions(+), 60 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index f843e6656..fbde52bd3 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -2762,7 +2762,7 @@ static psa_status_t psa_mac_init( psa_mac_operation_t *operation, { psa_status_t status = PSA_ERROR_NOT_SUPPORTED; - operation->alg = alg; + operation->alg = PSA_ALG_FULL_LENGTH_MAC( alg ); operation->key_set = 0; operation->iv_set = 0; operation->iv_required = 0; @@ -2770,7 +2770,7 @@ static psa_status_t psa_mac_init( psa_mac_operation_t *operation, operation->is_sign = 0; #if defined(MBEDTLS_CMAC_C) - if( alg == PSA_ALG_CMAC ) + if( operation->alg == PSA_ALG_CMAC ) { operation->iv_required = 0; mbedtls_cipher_init( &operation->ctx.cmac ); @@ -2854,23 +2854,26 @@ bad_state: } #if defined(MBEDTLS_CMAC_C) -static int psa_cmac_setup( psa_mac_operation_t *operation, - size_t key_bits, - psa_key_slot_t *slot, - const mbedtls_cipher_info_t *cipher_info ) +static psa_status_t psa_cmac_setup( psa_mac_operation_t *operation, + psa_key_slot_t *slot ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - - operation->mac_size = cipher_info->block_size; + const mbedtls_cipher_info_t *cipher_info = + mbedtls_cipher_info_from_psa( PSA_ALG_CMAC, + slot->attr.type, slot->attr.bits, + NULL ); + if( cipher_info == NULL ) + return( PSA_ERROR_NOT_SUPPORTED ); ret = mbedtls_cipher_setup( &operation->ctx.cmac, cipher_info ); if( ret != 0 ) - return( ret ); + goto exit; ret = mbedtls_cipher_cmac_starts( &operation->ctx.cmac, slot->key.data, - key_bits ); - return( ret ); + slot->attr.bits ); +exit: + return( mbedtls_to_psa_error( ret ) ); } #endif /* MBEDTLS_CMAC_C */ @@ -2946,11 +2949,9 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation, psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot; - size_t key_bits; + size_t output_length = 0; psa_key_usage_t usage = is_sign ? PSA_KEY_USAGE_SIGN_HASH : PSA_KEY_USAGE_VERIFY_HASH; - uint8_t truncated = PSA_MAC_TRUNCATED_LENGTH( alg ); - psa_algorithm_t full_length_alg = PSA_ALG_FULL_LENGTH_MAC( alg ); /* A context must be freshly initialized before it can be set up. */ if( operation->alg != 0 ) @@ -2958,7 +2959,7 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation, return( PSA_ERROR_BAD_STATE ); } - status = psa_mac_init( operation, full_length_alg ); + status = psa_mac_init( operation, alg ); if( status != PSA_SUCCESS ) return( status ); if( is_sign ) @@ -2968,37 +2969,34 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation, key, &slot, usage, alg ); if( status != PSA_SUCCESS ) goto exit; - key_bits = psa_get_key_slot_bits( slot ); + + status = psa_get_mac_output_length( alg, slot->attr.type, + &output_length ); + if( status != PSA_SUCCESS ) + goto exit; + + operation->mac_size = (uint8_t) output_length; + + if( operation->mac_size < 4 ) + { + /* A very short MAC is too short for security since it can be + * brute-forced. Ancient protocols with 32-bit MACs do exist, + * so we make this our minimum, even though 32 bits is still + * too small for security. */ + status = PSA_ERROR_NOT_SUPPORTED; + goto exit; + } #if defined(MBEDTLS_CMAC_C) - if( full_length_alg == PSA_ALG_CMAC ) + if( PSA_ALG_FULL_LENGTH_MAC( alg ) == PSA_ALG_CMAC ) { - const mbedtls_cipher_info_t *cipher_info = - mbedtls_cipher_info_from_psa( full_length_alg, - slot->attr.type, key_bits, NULL ); - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if( cipher_info == NULL ) - { - status = PSA_ERROR_NOT_SUPPORTED; - goto exit; - } - operation->mac_size = cipher_info->block_size; - ret = psa_cmac_setup( operation, key_bits, slot, cipher_info ); - status = mbedtls_to_psa_error( ret ); + status = psa_cmac_setup( operation, slot ); } else #endif /* MBEDTLS_CMAC_C */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) - if( PSA_ALG_IS_HMAC( full_length_alg ) ) + if( PSA_ALG_IS_HMAC( alg ) ) { - psa_algorithm_t hash_alg = PSA_ALG_HMAC_GET_HASH( alg ); - if( hash_alg == 0 ) - { - status = PSA_ERROR_NOT_SUPPORTED; - goto exit; - } - - operation->mac_size = PSA_HASH_LENGTH( hash_alg ); /* Sanity check. This shouldn't fail on a valid configuration. */ if( operation->mac_size == 0 || operation->mac_size > sizeof( operation->ctx.hmac.opad ) ) @@ -3016,35 +3014,14 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation, status = psa_hmac_setup_internal( &operation->ctx.hmac, slot->key.data, slot->key.bytes, - hash_alg ); + PSA_ALG_HMAC_GET_HASH( alg ) ); } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { - (void) key_bits; status = PSA_ERROR_NOT_SUPPORTED; } - if( truncated == 0 ) - { - /* The "normal" case: untruncated algorithm. Nothing to do. */ - } - else if( truncated < 4 ) - { - /* A very short MAC is too short for security since it can be - * brute-forced. Ancient protocols with 32-bit MACs do exist, - * so we make this our minimum, even though 32 bits is still - * too small for security. */ - status = PSA_ERROR_NOT_SUPPORTED; - } - else if( truncated > operation->mac_size ) - { - /* It's impossible to "truncate" to a larger length. */ - status = PSA_ERROR_INVALID_ARGUMENT; - } - else - operation->mac_size = truncated; - exit: if( status != PSA_SUCCESS ) { From 1ac5ce3b91f2cbdd9a1ea65d55c83dfd0b9464ba Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 2 Mar 2021 16:34:49 +0100 Subject: [PATCH 23/31] Make psa_key_policy_algorithm_intersection MAC-length aware This makes it more in-line with how psa_key_policy_permits works. It also adds consistency: the intersection of MAC with default length and MAC with exact-length is now computed correctly in case the exact length equals the default length of the algorithm when used with the given key type. Signed-off-by: Steven Cooreman --- library/psa_crypto.c | 66 ++++++++++++++++++++++++++++++++------------ 1 file changed, 48 insertions(+), 18 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index fbde52bd3..5cbf99d92 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -719,6 +719,7 @@ psa_status_t psa_import_key_into_slot( * Return 0 (which allows no operation) on incompatibility. */ static psa_algorithm_t psa_key_policy_algorithm_intersection( + psa_key_type_t key_type, psa_algorithm_t alg1, psa_algorithm_t alg2 ) { @@ -772,8 +773,28 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( ( PSA_ALG_FULL_LENGTH_MAC( alg1 ) == PSA_ALG_FULL_LENGTH_MAC( alg2 ) ) ) { - size_t alg1_len = PSA_MAC_TRUNCATED_LENGTH( alg1 ); - size_t alg2_len = PSA_MAC_TRUNCATED_LENGTH( alg2 ); + /* Calculate the actual requested output length for both sides. In case + * of at-least-this-length wildcard algorithms, the requested output + * length is the shortest allowed length. */ + size_t alg1_len = 0; + size_t alg2_len = 0; + if( PSA_SUCCESS != psa_get_mac_output_length( + PSA_ALG_TRUNCATED_MAC( alg1, + PSA_MAC_TRUNCATED_LENGTH( alg1 ) ), + key_type, + &alg1_len ) ) + { + return( 0 ); + } + if( PSA_SUCCESS != psa_get_mac_output_length( + PSA_ALG_TRUNCATED_MAC( alg2, + PSA_MAC_TRUNCATED_LENGTH( alg2 ) ), + key_type, + &alg2_len ) ) + { + return( 0 ); + } + size_t max_len = alg1_len > alg2_len ? alg1_len : alg2_len; /* If both are wildcards, return most restrictive wildcard */ @@ -782,22 +803,26 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( { return( PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg1, max_len ) ); } - /* If only one is a wildcard, return specific algorithm if compatible. - * Special case: specific MAC algorithm with '0' as length means full- - * length MAC, which is always allowed by a wildcard with the same - * base algorithm. */ - if( ( ( alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) && - ( ( alg1_len <= alg2_len ) || - ( alg2 == PSA_ALG_FULL_LENGTH_MAC( alg1 ) ) ) ) + /* If only one is a wildcard, return specific algorithm if compatible. */ + if( ( alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) { - return( alg2 ); + if( alg1_len <= alg2_len ) + return( alg2 ); + else + return( 0 ); } - if( ( ( alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) && - ( ( alg2_len <= alg1_len ) || - ( alg1 == PSA_ALG_FULL_LENGTH_MAC( alg2 ) ) ) ) + if( ( alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) { - return( alg1 ); + if( alg2_len <= alg1_len ) + return( alg1 ); + else + return( 0 ); } + /* If none of them are wildcards, check whether we can match + * default-length with exact-length, and return exact-length in that + * case. */ + if( alg1_len == alg2_len ) + return( PSA_ALG_TRUNCATED_MAC( alg1, alg1_len ) ); } /* If the policies are incompatible, allow nothing. */ return( 0 ); @@ -919,6 +944,7 @@ static psa_status_t psa_key_policy_permits( const psa_key_policy_t *policy, /** Restrict a key policy based on a constraint. * + * \param[in] key_type The key type for which to restrict the policy * \param[in,out] policy The policy to restrict. * \param[in] constraint The policy constraint to apply. * @@ -926,17 +952,20 @@ static psa_status_t psa_key_policy_permits( const psa_key_policy_t *policy, * \c *policy contains the intersection of the original value of * \c *policy and \c *constraint. * \retval #PSA_ERROR_INVALID_ARGUMENT - * \c *policy and \c *constraint are incompatible. + * \c key_type, \c *policy and \c *constraint are incompatible. * \c *policy is unchanged. */ static psa_status_t psa_restrict_key_policy( + psa_key_type_t key_type, psa_key_policy_t *policy, const psa_key_policy_t *constraint ) { psa_algorithm_t intersection_alg = - psa_key_policy_algorithm_intersection( policy->alg, constraint->alg ); + psa_key_policy_algorithm_intersection( key_type, policy->alg, + constraint->alg ); psa_algorithm_t intersection_alg2 = - psa_key_policy_algorithm_intersection( policy->alg2, constraint->alg2 ); + psa_key_policy_algorithm_intersection( key_type, policy->alg2, + constraint->alg2 ); if( intersection_alg == 0 && policy->alg != 0 && constraint->alg != 0 ) return( PSA_ERROR_INVALID_ARGUMENT ); if( intersection_alg2 == 0 && policy->alg2 != 0 && constraint->alg2 != 0 ) @@ -2089,7 +2118,8 @@ psa_status_t psa_copy_key( mbedtls_svc_key_id_t source_key, if( status != PSA_SUCCESS ) goto exit; - status = psa_restrict_key_policy( &actual_attributes.core.policy, + status = psa_restrict_key_policy( source_slot->attr.type, + &actual_attributes.core.policy, &source_slot->attr.policy ); if( status != PSA_SUCCESS ) goto exit; From 5a1726744203371b89ac607bda2ec6d3debe57ae Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 2 Mar 2021 21:27:42 +0100 Subject: [PATCH 24/31] Add a note about why key_type is required Signed-off-by: Steven Cooreman --- library/psa_crypto.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 5cbf99d92..f466e6900 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -917,6 +917,11 @@ static int psa_key_algorithm_permits( psa_key_type_t key_type, * * The caller must test usage flags separately. * + * \note This function requires providing the key type for which the policy is + * being validated, since some algorithm policy definitions (e.g. MAC) + * have different properties depending on what kind of cipher it is + * combined with. + * * \retval PSA_SUCCESS When \p alg is a specific algorithm * allowed by the \p policy. * \retval PSA_ERROR_INVALID_ARGUMENT When \p alg is not a specific algorithm @@ -943,6 +948,11 @@ static psa_status_t psa_key_policy_permits( const psa_key_policy_t *policy, } /** Restrict a key policy based on a constraint. + * + * \note This function requires providing the key type for which the policy is + * being restricted, since some algorithm policy definitions (e.g. MAC) + * have different properties depending on what kind of cipher it is + * combined with. * * \param[in] key_type The key type for which to restrict the policy * \param[in,out] policy The policy to restrict. From 7d4b0d778f1daa8889a3b801ed0fce8dc2e49a7b Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 2 Mar 2021 21:29:45 +0100 Subject: [PATCH 25/31] Reuse PSA_MAC_LENGTH in psa_get_mac_output_length Avoid code duplication. Also update the guarantees made by the function doc to match the guarantees given by PSA_MAC_LENGTH. Signed-off-by: Steven Cooreman --- library/psa_crypto.c | 46 +++++++++++++++++--------------------------- 1 file changed, 18 insertions(+), 28 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index f466e6900..9f014d0bf 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -547,7 +547,7 @@ static inline size_t psa_get_key_slot_bits( const psa_key_slot_t *slot ) /** Return the output MAC length of a MAC algorithm, in bytes * - * \param[in] algorithm The specific MAC algorithm + * \param[in] algorithm The specific (non-wildcard) MAC algorithm. * \param[in] key_type The key type of the key to be used with the * \p algorithm. * \param[out] length The calculated output length of the given MAC @@ -556,41 +556,31 @@ static inline size_t psa_get_key_slot_bits( const psa_key_slot_t *slot ) * * \retval #PSA_SUCCESS * The \p length has been successfully calculated - * \retval #PSA_ERROR_NOT_SUPPORTED - * \p algorithm is a MAC algorithm, but ubsupported by this PSA core. * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p algorithm is not a valid, specific MAC algorithm or \p key_type - * describes a key incompatible with the specified \p algorithm. + * \p algorithm is not a valid, specific MAC algorithm recognized and + * supported by this core, or \p key_type describes a key which is + * inconsistent with the specified \p algorithm. + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p algorithm tries to truncate the MAC to a size which would be + * larger than the underlying algorithm's maximum output length. */ static psa_status_t psa_get_mac_output_length( psa_algorithm_t algorithm, psa_key_type_t key_type, size_t *length ) { - if( !PSA_ALG_IS_MAC( algorithm ) || PSA_ALG_IS_WILDCARD( algorithm ) ) + /* Get the default length for the algorithm and key combination. None of the + * currently supported algorithms have a default output length dependent on + * key size, so setting it to a bogus value is OK. */ + size_t default_length = PSA_MAC_LENGTH( key_type, 0, + PSA_ALG_FULL_LENGTH_MAC( algorithm ) ); + + /* PSA_MAC_LENGTH, when called on a full-length algorithm identifier, can + * currently return either 0 (unknown algorithm) or 1 (cipher-MAC with + * stream cipher) in cases where the key type / algorithm combination would + * be invalid. */ + if( default_length == 0 || default_length == 1 ) return( PSA_ERROR_INVALID_ARGUMENT ); - size_t default_length = 0; - - if( PSA_ALG_FULL_LENGTH_MAC( algorithm ) == PSA_ALG_CMAC || - PSA_ALG_FULL_LENGTH_MAC( algorithm ) == PSA_ALG_CBC_MAC ) - { - default_length = PSA_BLOCK_CIPHER_BLOCK_LENGTH( key_type ); - /* CMAC and CBC-MAC are only defined on block ciphers */ - if( default_length == 0 ) - return( PSA_ERROR_INVALID_ARGUMENT ); - } - else if( PSA_ALG_IS_HMAC( algorithm ) ) - { - /* HMAC output length is dictated by the underlying hash operation */ - psa_algorithm_t hash_alg = PSA_ALG_HMAC_GET_HASH( algorithm ); - default_length = PSA_HASH_LENGTH( hash_alg ); - - if( hash_alg == 0 || default_length == 0 ) - return( PSA_ERROR_INVALID_ARGUMENT ); - } - else - return( PSA_ERROR_NOT_SUPPORTED ); - /* Output the expected (potentially truncated) length as long as it can * actually be output by the algorithm */ if( PSA_ALG_FULL_LENGTH_MAC( algorithm ) == algorithm ) From 58c94d39ae164726d418268aab13d27bf93b2170 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 2 Mar 2021 21:31:17 +0100 Subject: [PATCH 26/31] Make psa_get_mac_output_length testable and test it Signed-off-by: Steven Cooreman --- library/psa_crypto.c | 7 ++++--- library/psa_crypto_invasive.h | 7 +++++++ tests/suites/test_suite_psa_crypto_metadata.function | 7 +++++++ 3 files changed, 18 insertions(+), 3 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 9f014d0bf..a112ff41b 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -564,9 +564,10 @@ static inline size_t psa_get_key_slot_bits( const psa_key_slot_t *slot ) * \p algorithm tries to truncate the MAC to a size which would be * larger than the underlying algorithm's maximum output length. */ -static psa_status_t psa_get_mac_output_length( psa_algorithm_t algorithm, - psa_key_type_t key_type, - size_t *length ) +MBEDTLS_STATIC_TESTABLE psa_status_t psa_get_mac_output_length( + psa_algorithm_t algorithm, + psa_key_type_t key_type, + size_t *length ) { /* Get the default length for the algorithm and key combination. None of the * currently supported algorithms have a default output length dependent on diff --git a/library/psa_crypto_invasive.h b/library/psa_crypto_invasive.h index be127d9f8..99156de6b 100644 --- a/library/psa_crypto_invasive.h +++ b/library/psa_crypto_invasive.h @@ -35,6 +35,7 @@ #endif #include "psa/crypto.h" +#include "common.h" #include "mbedtls/entropy.h" @@ -76,4 +77,10 @@ psa_status_t mbedtls_psa_crypto_configure_entropy_sources( void (* entropy_free )( mbedtls_entropy_context *ctx ) ); #endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */ +#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_CRYPTO_C) +psa_status_t psa_get_mac_output_length( psa_algorithm_t algorithm, + psa_key_type_t key_type, + size_t *length ); +#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_PSA_CRYPTO_C */ + #endif /* PSA_CRYPTO_INVASIVE_H */ diff --git a/tests/suites/test_suite_psa_crypto_metadata.function b/tests/suites/test_suite_psa_crypto_metadata.function index 3b3e38053..5839611a4 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.function +++ b/tests/suites/test_suite_psa_crypto_metadata.function @@ -9,6 +9,7 @@ #endif #include "psa/crypto.h" +#include "psa_crypto_invasive.h" /* Flags for algorithm classification macros. There is a flag for every * algorithm classification macro PSA_ALG_IS_xxx except for the @@ -158,6 +159,12 @@ void mac_algorithm_core( psa_algorithm_t alg, int classification_flags, /* Length */ TEST_EQUAL( length, PSA_MAC_LENGTH( key_type, key_bits, alg ) ); +#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_CRYPTO_C) + size_t output_length = 0; + PSA_ASSERT( psa_get_mac_output_length( alg, key_type, &output_length ) ); + TEST_EQUAL( length, output_length ); +#endif + exit: ; } From 4ff9a29686810c3cce3399ecde98264f7ebd7cca Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Wed, 3 Mar 2021 12:07:20 +0100 Subject: [PATCH 27/31] Check truncation length explicitly Comparing algorithm with its FULL_LENGTH_MAC version doesn't work in cases where algorithm is a wildcard. Wildcard input is not specified in the documentation of the function, but in order to test the function using the same test as PSA_MAC_LENGTH we're mimicking that behaviour here. Signed-off-by: Steven Cooreman --- library/psa_crypto.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a112ff41b..13a0835ff 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -583,8 +583,9 @@ MBEDTLS_STATIC_TESTABLE psa_status_t psa_get_mac_output_length( return( PSA_ERROR_INVALID_ARGUMENT ); /* Output the expected (potentially truncated) length as long as it can - * actually be output by the algorithm */ - if( PSA_ALG_FULL_LENGTH_MAC( algorithm ) == algorithm ) + * actually be output by the algorithm. Truncation length of '0' means + * default output length of the keytype-algorithm combination. */ + if( PSA_MAC_TRUNCATED_LENGTH( algorithm ) == 0 ) { *length = default_length; return( PSA_SUCCESS ); From f9f7fdfe49cc4f7e1ded553c02c71290bd3b9712 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Wed, 3 Mar 2021 19:04:05 +0100 Subject: [PATCH 28/31] Rework MAC algorithm / key type validation Reworked the validation of MAC algorithm with the used key type by introducing psa_mac_key_can_do, which guarantees that PSA_MAC_LENGTH can be called successfully after validation of the algorithm and key type. This means psa_get_mac_output_length is no longer required. Signed-off-by: Steven Cooreman --- library/psa_crypto.c | 155 ++++++++---------- library/psa_crypto_invasive.h | 6 +- tests/suites/test_suite_psa_crypto.data | 3 +- .../test_suite_psa_crypto_metadata.function | 4 +- 4 files changed, 77 insertions(+), 91 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 13a0835ff..db4b3876d 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -545,58 +545,44 @@ static inline size_t psa_get_key_slot_bits( const psa_key_slot_t *slot ) return( slot->attr.bits ); } -/** Return the output MAC length of a MAC algorithm, in bytes +/** Check whether a given key type is valid for use with a given MAC algorithm * - * \param[in] algorithm The specific (non-wildcard) MAC algorithm. + * Upon successful return of this function, the behavioud of #PSA_MAC_LENGTH + * will be defined when called with the validated \p algorithm and \p key_type + * + * \param[in] algorithm The specific MAC algorithm (can be wildcard). * \param[in] key_type The key type of the key to be used with the * \p algorithm. - * \param[out] length The calculated output length of the given MAC - * \p algorithm when used with a key corresponding to - * the given \p key_type * * \retval #PSA_SUCCESS - * The \p length has been successfully calculated + * The \p key_type is valid for use with the \p algorithm * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p algorithm is not a valid, specific MAC algorithm recognized and - * supported by this core, or \p key_type describes a key which is - * inconsistent with the specified \p algorithm. - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p algorithm tries to truncate the MAC to a size which would be - * larger than the underlying algorithm's maximum output length. + * The \p key_type is not valid for use with the \p algorithm */ -MBEDTLS_STATIC_TESTABLE psa_status_t psa_get_mac_output_length( +MBEDTLS_STATIC_TESTABLE psa_status_t psa_mac_key_can_do( psa_algorithm_t algorithm, - psa_key_type_t key_type, - size_t *length ) + psa_key_type_t key_type ) { - /* Get the default length for the algorithm and key combination. None of the - * currently supported algorithms have a default output length dependent on - * key size, so setting it to a bogus value is OK. */ - size_t default_length = PSA_MAC_LENGTH( key_type, 0, - PSA_ALG_FULL_LENGTH_MAC( algorithm ) ); - - /* PSA_MAC_LENGTH, when called on a full-length algorithm identifier, can - * currently return either 0 (unknown algorithm) or 1 (cipher-MAC with - * stream cipher) in cases where the key type / algorithm combination would - * be invalid. */ - if( default_length == 0 || default_length == 1 ) - return( PSA_ERROR_INVALID_ARGUMENT ); - - /* Output the expected (potentially truncated) length as long as it can - * actually be output by the algorithm. Truncation length of '0' means - * default output length of the keytype-algorithm combination. */ - if( PSA_MAC_TRUNCATED_LENGTH( algorithm ) == 0 ) - { - *length = default_length; - return( PSA_SUCCESS ); + if( PSA_ALG_IS_HMAC( algorithm ) ) { + if( key_type == PSA_KEY_TYPE_HMAC ) + return( PSA_SUCCESS ); } - else if( PSA_MAC_TRUNCATED_LENGTH( algorithm ) <= default_length ) + + if( PSA_ALG_IS_BLOCK_CIPHER_MAC( algorithm ) ) { - *length = PSA_MAC_TRUNCATED_LENGTH( algorithm ); - return( PSA_SUCCESS ); + /* Check that we're calling PSA_BLOCK_CIPHER_BLOCK_LENGTH with a cipher + * key. */ + if( ( key_type & PSA_KEY_TYPE_CATEGORY_MASK ) == + PSA_KEY_TYPE_CATEGORY_SYMMETRIC ) + { + /* PSA_BLOCK_CIPHER_BLOCK_LENGTH returns 1 for stream ciphers and + * the block length (larger than 1) for block ciphers. */ + if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( key_type ) > 1 ) + return( PSA_SUCCESS ); + } } - else - return( PSA_ERROR_INVALID_ARGUMENT ); + + return( PSA_ERROR_INVALID_ARGUMENT ); } /** Try to allocate a buffer to an empty key slot. @@ -765,28 +751,19 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( ( PSA_ALG_FULL_LENGTH_MAC( alg1 ) == PSA_ALG_FULL_LENGTH_MAC( alg2 ) ) ) { - /* Calculate the actual requested output length for both sides. In case - * of at-least-this-length wildcard algorithms, the requested output - * length is the shortest allowed length. */ - size_t alg1_len = 0; - size_t alg2_len = 0; - if( PSA_SUCCESS != psa_get_mac_output_length( - PSA_ALG_TRUNCATED_MAC( alg1, - PSA_MAC_TRUNCATED_LENGTH( alg1 ) ), - key_type, - &alg1_len ) ) - { + /* Validate the combination of key type and algorithm. Since the base + * algorithm of alg1 and alg2 are the same, we only need this once. */ + if( PSA_SUCCESS != psa_mac_key_can_do( alg1, key_type ) ) return( 0 ); - } - if( PSA_SUCCESS != psa_get_mac_output_length( - PSA_ALG_TRUNCATED_MAC( alg2, - PSA_MAC_TRUNCATED_LENGTH( alg2 ) ), - key_type, - &alg2_len ) ) - { - return( 0 ); - } + /* Get the output length for the algorithm and key combination. None of + * the currently supported algorithms have an output length dependent on + * actual key size, so setting it to a bogus value is currently OK. + * Note that for at-least-this-length wildcard algorithms, the output + * length is set to the shortest allowed length, which allows us to + * calculate the most restrictive tag length for the intersection. */ + size_t alg1_len = PSA_MAC_LENGTH( key_type, 0, alg1 ); + size_t alg2_len = PSA_MAC_LENGTH( key_type, 0, alg2 ); size_t max_len = alg1_len > alg2_len ? alg1_len : alg2_len; /* If both are wildcards, return most restrictive wildcard */ @@ -810,9 +787,10 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( else return( 0 ); } - /* If none of them are wildcards, check whether we can match - * default-length with exact-length, and return exact-length in that - * case. */ + /* If none of them are wildcards, check whether this is a case of one + * specifying the default length and the other a specific length. If the + * specific length equals the default length for this key type, the + * intersection would be the specific-length algorithm. */ if( alg1_len == alg2_len ) return( PSA_ALG_TRUNCATED_MAC( alg1, alg1_len ) ); } @@ -853,27 +831,25 @@ static int psa_key_algorithm_permits( psa_key_type_t key_type, ( PSA_ALG_FULL_LENGTH_MAC( policy_alg ) == PSA_ALG_FULL_LENGTH_MAC( requested_alg ) ) ) { - size_t actual_output_length; - size_t default_output_length; - if( PSA_SUCCESS != psa_get_mac_output_length( - requested_alg, - key_type, - &actual_output_length ) ) - { + /* Validate the combination of key type and algorithm. Since the policy + * and requested algorithms are the same, we only need this once. */ + if( PSA_SUCCESS != psa_mac_key_can_do( policy_alg, key_type ) ) return( 0 ); - } - if( PSA_SUCCESS != psa_get_mac_output_length( - PSA_ALG_FULL_LENGTH_MAC( requested_alg ), - key_type, - &default_output_length ) ) - { - return( 0 ); - } + + /* Get both the requested and the default output length for this + * algorithm and key combination. None of the currently supported + * algorithms have an output length dependent on actual key size, so + * setting it to a bogus value is currently OK. */ + size_t requested_output_length = PSA_MAC_LENGTH( + key_type, 0, requested_alg ); + size_t default_output_length = PSA_MAC_LENGTH( + key_type, 0, + PSA_ALG_FULL_LENGTH_MAC( requested_alg ) ); /* If the policy is default-length, only allow an algorithm with * a declared exact-length matching the default. */ if( PSA_MAC_TRUNCATED_LENGTH( policy_alg ) == 0 ) - return( actual_output_length == default_output_length ); + return( requested_output_length == default_output_length ); /* If the requested algorithm is default-length, allow it if the policy * is exactly the default length. */ @@ -889,7 +865,7 @@ static int psa_key_algorithm_permits( psa_key_type_t key_type, if( ( policy_alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) { return( PSA_MAC_TRUNCATED_LENGTH( policy_alg ) <= - actual_output_length ); + requested_output_length ); } } /* If policy_alg is a generic key agreement operation, then using it for @@ -2981,7 +2957,6 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation, psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot; - size_t output_length = 0; psa_key_usage_t usage = is_sign ? PSA_KEY_USAGE_SIGN_HASH : PSA_KEY_USAGE_VERIFY_HASH; @@ -3002,12 +2977,15 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation, if( status != PSA_SUCCESS ) goto exit; - status = psa_get_mac_output_length( alg, slot->attr.type, - &output_length ); + /* Validate the combination of key type and algorithm */ + status = psa_mac_key_can_do( alg, slot->attr.type ); if( status != PSA_SUCCESS ) goto exit; - operation->mac_size = (uint8_t) output_length; + /* Get the output length for the algorithm and key combination. None of the + * currently supported algorithms have an output length dependent on actual + * key size, so setting it to a bogus value is currently OK. */ + operation->mac_size = PSA_MAC_LENGTH( slot->attr.type, 0, alg ); if( operation->mac_size < 4 ) { @@ -3019,6 +2997,15 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation, goto exit; } + if( operation->mac_size > + PSA_MAC_LENGTH( slot->attr.type, 0, PSA_ALG_FULL_LENGTH_MAC( alg ) ) ) + { + /* It's impossible to "truncate" to a larger length than the full length + * of the algorithm. */ + status = PSA_ERROR_INVALID_ARGUMENT; + goto exit; + } + #if defined(MBEDTLS_CMAC_C) if( PSA_ALG_FULL_LENGTH_MAC( alg ) == PSA_ALG_CMAC ) { diff --git a/library/psa_crypto_invasive.h b/library/psa_crypto_invasive.h index 99156de6b..1e5a40711 100644 --- a/library/psa_crypto_invasive.h +++ b/library/psa_crypto_invasive.h @@ -78,9 +78,9 @@ psa_status_t mbedtls_psa_crypto_configure_entropy_sources( #endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */ #if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_CRYPTO_C) -psa_status_t psa_get_mac_output_length( psa_algorithm_t algorithm, - psa_key_type_t key_type, - size_t *length ); +psa_status_t psa_mac_key_can_do( + psa_algorithm_t algorithm, + psa_key_type_t key_type ); #endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_PSA_CRYPTO_C */ #endif /* PSA_CRYPTO_INVASIVE_H */ diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 84267ad95..3824fa09b 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -1086,7 +1086,8 @@ depends_on:MBEDTLS_AES_C:MBEDTLS_CMAC_C mac_setup:PSA_KEY_TYPE_AES:"000102030405060708090a0b0c0d0e0f":PSA_ALG_CMAC:PSA_SUCCESS PSA MAC setup: bad algorithm (HMAC without specified hash) -mac_setup:PSA_KEY_TYPE_HMAC:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f":PSA_ALG_HMAC(0):PSA_ERROR_INVALID_ARGUMENT +# Either INVALID_ARGUMENT or NOT_SUPPORTED would be reasonable here +mac_setup:PSA_KEY_TYPE_HMAC:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f":PSA_ALG_HMAC(0):PSA_ERROR_NOT_SUPPORTED PSA MAC setup: bad algorithm (unsupported HMAC hash algorithm) depends_on:!PSA_WANT_ALG_MD2 diff --git a/tests/suites/test_suite_psa_crypto_metadata.function b/tests/suites/test_suite_psa_crypto_metadata.function index 5839611a4..4bf56352b 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.function +++ b/tests/suites/test_suite_psa_crypto_metadata.function @@ -160,9 +160,7 @@ void mac_algorithm_core( psa_algorithm_t alg, int classification_flags, TEST_EQUAL( length, PSA_MAC_LENGTH( key_type, key_bits, alg ) ); #if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_CRYPTO_C) - size_t output_length = 0; - PSA_ASSERT( psa_get_mac_output_length( alg, key_type, &output_length ) ); - TEST_EQUAL( length, output_length ); + PSA_ASSERT( psa_mac_key_can_do( alg, key_type ) ); #endif exit: ; From 31a876da092954f670cb7cda74700250d4e1c455 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Wed, 3 Mar 2021 20:47:40 +0100 Subject: [PATCH 29/31] Clarify some policy-handling code comments Signed-off-by: Steven Cooreman --- library/psa_crypto.c | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index db4b3876d..6b0571512 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -756,9 +756,11 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( if( PSA_SUCCESS != psa_mac_key_can_do( alg1, key_type ) ) return( 0 ); - /* Get the output length for the algorithm and key combination. None of - * the currently supported algorithms have an output length dependent on - * actual key size, so setting it to a bogus value is currently OK. + /* Get the (exact or at-least) output lengths for both sides of the + * requested intersection. None of the currently supported algorithms + * have an output length dependent on the actual key size, so setting it + * to a bogus value of 0 is currently OK. + * * Note that for at-least-this-length wildcard algorithms, the output * length is set to the shortest allowed length, which allows us to * calculate the most restrictive tag length for the intersection. */ @@ -772,7 +774,10 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( { return( PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg1, max_len ) ); } - /* If only one is a wildcard, return specific algorithm if compatible. */ + + /* If only one is an at-least-this-length policy, the intersection would + * be the other (fixed-length) policy as long as said fixed length is + * equal to or larger than the shortest allowed length. */ if( ( alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) { if( alg1_len <= alg2_len ) @@ -787,6 +792,7 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( else return( 0 ); } + /* If none of them are wildcards, check whether this is a case of one * specifying the default length and the other a specific length. If the * specific length equals the default length for this key type, the @@ -836,10 +842,11 @@ static int psa_key_algorithm_permits( psa_key_type_t key_type, if( PSA_SUCCESS != psa_mac_key_can_do( policy_alg, key_type ) ) return( 0 ); - /* Get both the requested and the default output length for this - * algorithm and key combination. None of the currently supported - * algorithms have an output length dependent on actual key size, so - * setting it to a bogus value is currently OK. */ + /* Get both the requested output length for the algorithm which is to be + * verified, and the default output length for the base algorithm. + * Note that none of the currently supported algorithms have an output + * length dependent on actual key size, so setting it to a bogus value + * of 0 is currently OK. */ size_t requested_output_length = PSA_MAC_LENGTH( key_type, 0, requested_alg ); size_t default_output_length = PSA_MAC_LENGTH( @@ -859,9 +866,9 @@ static int psa_key_algorithm_permits( psa_key_type_t key_type, return( 1 ); } - /* If policy_alg is a wildcard MAC algorithm of the same base as - * the requested algorithm, check the requested tag length to be - * equal-length or longer than the wildcard-specified length. */ + /* If policy_alg is an at-least-this-length wildcard MAC algorithm of + * the same base as the requested algorithm, check for the requested MAC + * length to be equal to or longer than the minimum allowed length. */ if( ( policy_alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) { return( PSA_MAC_TRUNCATED_LENGTH( policy_alg ) <= From cd640932220d4f5c98b6b1686ce482ffb3953bba Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Mon, 8 Mar 2021 12:00:27 +0100 Subject: [PATCH 30/31] Language & code readability updates No functional/behavioral changes in this commit Signed-off-by: Steven Cooreman --- library/psa_crypto.c | 44 +++++++++++++++++++++----------------------- 1 file changed, 21 insertions(+), 23 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 6b0571512..a77209498 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -547,8 +547,8 @@ static inline size_t psa_get_key_slot_bits( const psa_key_slot_t *slot ) /** Check whether a given key type is valid for use with a given MAC algorithm * - * Upon successful return of this function, the behavioud of #PSA_MAC_LENGTH - * will be defined when called with the validated \p algorithm and \p key_type + * Upon successful return of this function, the behavior of #PSA_MAC_LENGTH + * when called with the validated \p algorithm and \p key_type is well-defined. * * \param[in] algorithm The specific MAC algorithm (can be wildcard). * \param[in] key_type The key type of the key to be used with the @@ -563,7 +563,8 @@ MBEDTLS_STATIC_TESTABLE psa_status_t psa_mac_key_can_do( psa_algorithm_t algorithm, psa_key_type_t key_type ) { - if( PSA_ALG_IS_HMAC( algorithm ) ) { + if( PSA_ALG_IS_HMAC( algorithm ) ) + { if( key_type == PSA_KEY_TYPE_HMAC ) return( PSA_SUCCESS ); } @@ -724,13 +725,14 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( { size_t alg1_len = PSA_ALG_AEAD_GET_TAG_LENGTH( alg1 ); size_t alg2_len = PSA_ALG_AEAD_GET_TAG_LENGTH( alg2 ); - size_t max_len = alg1_len > alg2_len ? alg1_len : alg2_len; + size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len; /* If both are wildcards, return most restrictive wildcard */ if( ( ( alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) && ( ( alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) ) { - return( PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( alg1, max_len ) ); + return( PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( + alg1, restricted_len ) ); } /* If only one is a wildcard, return specific algorithm if compatible. */ if( ( ( alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) && @@ -766,13 +768,13 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( * calculate the most restrictive tag length for the intersection. */ size_t alg1_len = PSA_MAC_LENGTH( key_type, 0, alg1 ); size_t alg2_len = PSA_MAC_LENGTH( key_type, 0, alg2 ); - size_t max_len = alg1_len > alg2_len ? alg1_len : alg2_len; + size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len; /* If both are wildcards, return most restrictive wildcard */ if( ( ( alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) && ( ( alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) ) { - return( PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg1, max_len ) ); + return( PSA_ALG_AT_LEAST_THIS_LENGTH_MAC( alg1, restricted_len ) ); } /* If only one is an at-least-this-length policy, the intersection would @@ -780,23 +782,17 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( * equal to or larger than the shortest allowed length. */ if( ( alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) { - if( alg1_len <= alg2_len ) - return( alg2 ); - else - return( 0 ); + return( ( alg1_len <= alg2_len ) ? alg2 : 0 ); } if( ( alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) { - if( alg2_len <= alg1_len ) - return( alg1 ); - else - return( 0 ); + return( ( alg2_len <= alg1_len ) ? alg1 : 0 ); } - /* If none of them are wildcards, check whether this is a case of one - * specifying the default length and the other a specific length. If the - * specific length equals the default length for this key type, the - * intersection would be the specific-length algorithm. */ + /* If none of them are wildcards, check whether they define the same tag + * length. This is still possible here when one is default-length and + * the other specific-length. Ensure to always return the + * specific-length version for the intersection. */ if( alg1_len == alg2_len ) return( PSA_ALG_TRUNCATED_MAC( alg1, alg1_len ) ); } @@ -832,6 +828,8 @@ static int psa_key_algorithm_permits( psa_key_type_t key_type, return( PSA_ALG_AEAD_GET_TAG_LENGTH( policy_alg ) <= PSA_ALG_AEAD_GET_TAG_LENGTH( requested_alg ) ); } + /* If policy_alg is a MAC algorithm of the same base as the requested + * algorithm, check whether their MAC lengths are compatible. */ if( PSA_ALG_IS_MAC( policy_alg ) && PSA_ALG_IS_MAC( requested_alg ) && ( PSA_ALG_FULL_LENGTH_MAC( policy_alg ) == @@ -859,16 +857,16 @@ static int psa_key_algorithm_permits( psa_key_type_t key_type, return( requested_output_length == default_output_length ); /* If the requested algorithm is default-length, allow it if the policy - * is exactly the default length. */ + * length exactly matches the default length. */ if( PSA_MAC_TRUNCATED_LENGTH( requested_alg ) == 0 && PSA_MAC_TRUNCATED_LENGTH( policy_alg ) == default_output_length ) { return( 1 ); } - /* If policy_alg is an at-least-this-length wildcard MAC algorithm of - * the same base as the requested algorithm, check for the requested MAC - * length to be equal to or longer than the minimum allowed length. */ + /* If policy_alg is an at-least-this-length wildcard MAC algorithm, + * check for the requested MAC length to be equal to or longer than the + * minimum allowed length. */ if( ( policy_alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ) != 0 ) { return( PSA_MAC_TRUNCATED_LENGTH( policy_alg ) <= From 1fb691aea95741dcc0f1a76e397b68f1690f31a6 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Mon, 8 Mar 2021 12:01:55 +0100 Subject: [PATCH 31/31] Remove superfluous check mac size is previously checked to not be less than 4, so it can't be zero anymore at this point. Signed-off-by: Steven Cooreman --- library/psa_crypto.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a77209498..57053efb0 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3022,8 +3022,7 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation, if( PSA_ALG_IS_HMAC( alg ) ) { /* Sanity check. This shouldn't fail on a valid configuration. */ - if( operation->mac_size == 0 || - operation->mac_size > sizeof( operation->ctx.hmac.opad ) ) + if( operation->mac_size > sizeof( operation->ctx.hmac.opad ) ) { status = PSA_ERROR_NOT_SUPPORTED; goto exit;