commit e1f2d7d1ac985df3c5330fe33479e77fff58cca6
author Gilles Peskine <Gilles.Peskine@arm.com> Tue Aug 21 14:54:54 2018 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Wed Oct 17 13:54:47 2018 +0200
tree 613e640a4b46b093d3b87b9de41e2a6100a47ed0
parent 3111981d94a41f74a561f65def0e40a278842e8d

Document and check the consistency of truncated MAC encodings

Add comments noting that the maximum length of a MAC must fit in
PSA_ALG_MAC_TRUNCATION_MASK. Add a unit test that verifies that the
maximum MAC size fits.

include/psa/crypto.h

diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index a646107..3d99933 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -756,6 +756,13 @@
     (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_MAC_SUBCATEGORY_MASK)) == \
      PSA_ALG_HMAC_BASE)
 
+/* In the encoding of a MAC algorithm, the bits corresponding to
+ * PSA_ALG_MAC_TRUNCATION_MASK encode the length to which the MAC is
+ * truncated. As an exception, the value 0 means the untruncated algorithm,
+ * whatever its length is. The length is encoded in 6 bits, so it can
+ * reach up to 63; the largest MAC is 64 bytes so its trivial truncation
+ * to full length is correctly encoded as 0 and any non-trivial truncation
+ * is correctly encoded as a value between 1 and 63. */
 #define PSA_ALG_MAC_TRUNCATION_MASK             ((psa_algorithm_t)0x00003f00)
 #define PSA_MAC_TRUNCATION_OFFSET 8
 
@@ -887,6 +894,10 @@
 #define PSA_ALG_CCM                             ((psa_algorithm_t)0x06001001)
 #define PSA_ALG_GCM                             ((psa_algorithm_t)0x06001002)
 
+/* In the encoding of a AEAD algorithm, the bits corresponding to
+ * PSA_ALG_AEAD_TAG_LENGTH_MASK encode the length of the AEAD tag.
+ * The constants for default lengths follow this encoding.
+ */
 #define PSA_ALG_AEAD_TAG_LENGTH_MASK            ((psa_algorithm_t)0x00003f00)
 #define PSA_AEAD_TAG_LENGTH_OFFSET 8
 

include/psa/crypto_sizes.h

diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h
index 169566e..b5ff2aa 100644
--- a/include/psa/crypto_sizes.h
+++ b/include/psa/crypto_sizes.h
@@ -79,6 +79,9 @@
  */
 /* All non-HMAC MACs have a maximum size that's smaller than the
  * minimum possible value of PSA_HASH_MAX_SIZE in this implementation. */
+/* Note that the encoding of truncated MAC algorithms limits this value
+ * to 64 bytes.
+ */
 #define PSA_MAC_MAX_SIZE PSA_HASH_MAX_SIZE
 
 /* The maximum size of an RSA key on this implementation, in bits.

tests/suites/test_suite_psa_crypto.data

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index d8a5924..e8b119e 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -1,3 +1,6 @@
+PSA compile-time sanity checks
+static_checks:
+
 PSA init/deinit
 init_deinit:
 

tests/suites/test_suite_psa_crypto.function

diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 5503c94..63d837f 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -794,6 +794,19 @@
  */
 
 /* BEGIN_CASE */
+void static_checks( )
+{
+    size_t max_truncated_mac_size =
+        PSA_ALG_MAC_TRUNCATION_MASK >> PSA_MAC_TRUNCATION_OFFSET;
+
+    /* Check that the length for a truncated MAC always fits in the algorithm
+     * encoding. The shifted mask is the maximum truncated value. The
+     * untruncated algorithm may be one byte larger. */
+    TEST_ASSERT( PSA_MAC_MAX_SIZE <= 1 + max_truncated_mac_size );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
 void init_deinit( )
 {
     psa_status_t status;