mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-24 06:02:44 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

A key agreement algorithm can contain a key derivation

Browse Source 
PSA_ALG_KEY_AGREEMENT(..., kdf) is a valid key derivation algorithm
when kdf is one.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2021-04-29 20:54:40 +02:00
parent d79e3b92fa
commit a401386f82
2 changed files with 23 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
scripts/mbedtls_dev/crypto_knowledge.py
View File

@ -366,3 +366,23 @@ class Algorithm:
self.head = self.determine_head(self.base_expression) self.head = self.determine_head(self.base_expression)
self.category = self.determine_category(self.base_expression, self.head) self.category = self.determine_category(self.base_expression, self.head)
self.is_wildcard = self.determine_wildcard(self.expression) self.is_wildcard = self.determine_wildcard(self.expression)
def is_key_agreement_with_derivation(self) -> bool:
"""Whether this is a combined key agreement and key derivation algorithm."""
if self.category != AlgorithmCategory.KEY_AGREEMENT:
return False
m = re.match(r'PSA_ALG_KEY_AGREEMENT\(\w+,\s*(.*)\)\Z', self.expression)
if not m:
return False
kdf_alg = m.group(1)
# Assume kdf_alg is either a valid KDF or 0.
return not re.match(r'(?:0[Xx])?0+\s*\Z', kdf_alg)
def can_do(self, category: AlgorithmCategory) -> bool:
"""Whether this algorithm fits the specified operation category."""
if category == self.category:
return True
if category == AlgorithmCategory.KEY_DERIVATION and \
self.is_key_agreement_with_derivation():
return True
return False

6
tests/scripts/generate_psa_tests.py
View File

@ -375,7 +375,7 @@ class OpFail:
category: crypto_knowledge.AlgorithmCategory, category: crypto_knowledge.AlgorithmCategory,
) -> Iterator[test_case.TestCase]: ) -> Iterator[test_case.TestCase]:
"""Generate failure test cases for keyless operations with the specified algorithm.""" """Generate failure test cases for keyless operations with the specified algorithm."""
if category == alg.category: if alg.can_do(category):
# Compatible operation, unsupported algorithm # Compatible operation, unsupported algorithm
for dep in automatic_dependencies(alg.base_expression): for dep in automatic_dependencies(alg.base_expression):
yield self.make_test_case(alg, category, yield self.make_test_case(alg, category,
@ -394,7 +394,7 @@ class OpFail:
for kt in self.key_types: for kt in self.key_types:
key_is_compatible = kt.can_do(alg) key_is_compatible = kt.can_do(alg)
# To do: public key for a private key operation # To do: public key for a private key operation
if key_is_compatible and category == alg.category: if key_is_compatible and alg.can_do(category):
# Compatible key and operation, unsupported algorithm # Compatible key and operation, unsupported algorithm
for dep in automatic_dependencies(alg.base_expression): for dep in automatic_dependencies(alg.base_expression):
yield self.make_test_case(alg, category, yield self.make_test_case(alg, category,
@ -405,7 +405,7 @@ class OpFail:
yield self.make_test_case(alg, category, yield self.make_test_case(alg, category,
self.Reason.INVALID, self.Reason.INVALID,
kt=kt) kt=kt)
elif category == alg.category: elif alg.can_do(category):
# Incompatible key, compatible operation, supported algorithm # Incompatible key, compatible operation, supported algorithm
yield self.make_test_case(alg, category, yield self.make_test_case(alg, category,
self.Reason.INCOMPATIBLE, self.Reason.INCOMPATIBLE,