From 56b8d23ca1f93be731b9211d541c877eb7e853dd Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 1 Jun 2022 18:05:57 +0200 Subject: [PATCH 01/75] Add mbedtls_ prefix to PSA PAKE over MbedTLS implementation Signed-off-by: Neil Armstrong --- library/psa_crypto_pake.c | 58 ++--- library/psa_crypto_pake.h | 475 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 505 insertions(+), 28 deletions(-) create mode 100644 library/psa_crypto_pake.h diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 1f9a8cb33..7171f7566 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -24,6 +24,7 @@ #include #include "psa_crypto_core.h" +#include "psa_crypto_pake.h" #include "psa_crypto_slot_management.h" #include @@ -190,8 +191,8 @@ static psa_status_t mbedtls_ecjpake_to_psa_error(int ret) #endif #if defined(MBEDTLS_PSA_BUILTIN_PAKE) -psa_status_t psa_pake_setup(psa_pake_operation_t *operation, - const psa_pake_cipher_suite_t *cipher_suite) +psa_status_t mbedtls_psa_pake_setup(psa_pake_operation_t *operation, + const psa_pake_cipher_suite_t *cipher_suite) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; @@ -243,8 +244,8 @@ error: return status; } -psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, - mbedtls_svc_key_id_t password) +psa_status_t mbedtls_psa_pake_set_password_key(psa_pake_operation_t *operation, + mbedtls_svc_key_id_t password) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_attributes_t attributes = psa_key_attributes_init(); @@ -310,9 +311,9 @@ error: return status; } -psa_status_t psa_pake_set_user(psa_pake_operation_t *operation, - const uint8_t *user_id, - size_t user_id_len) +psa_status_t mbedtls_psa_pake_set_user(psa_pake_operation_t *operation, + const uint8_t *user_id, + size_t user_id_len) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 
@@ -334,9 +335,9 @@ error: return status; } -psa_status_t psa_pake_set_peer(psa_pake_operation_t *operation, - const uint8_t *peer_id, - size_t peer_id_len) +psa_status_t mbedtls_psa_pake_set_peer(psa_pake_operation_t *operation, + const uint8_t *peer_id, + size_t peer_id_len) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; @@ -358,8 +359,8 @@ error: return status; } -psa_status_t psa_pake_set_role(psa_pake_operation_t *operation, - psa_pake_role_t role) +psa_status_t mbedtls_psa_pake_set_role(psa_pake_operation_t *operation, + psa_pake_role_t role) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; @@ -437,7 +438,7 @@ static psa_status_t psa_pake_ecjpake_setup(psa_pake_operation_t *operation) } #endif -static psa_status_t psa_pake_output_internal( +static psa_status_t mbedtls_psa_pake_output_internal( psa_pake_operation_t *operation, psa_pake_step_t step, uint8_t *output, @@ -626,13 +627,13 @@ static psa_status_t psa_pake_output_internal( return PSA_ERROR_NOT_SUPPORTED; } -psa_status_t psa_pake_output(psa_pake_operation_t *operation, - psa_pake_step_t step, - uint8_t *output, - size_t output_size, - size_t *output_length) +psa_status_t mbedtls_psa_pake_output(psa_pake_operation_t *operation, + psa_pake_step_t step, + uint8_t *output, + size_t output_size, + size_t *output_length) { - psa_status_t status = psa_pake_output_internal( + psa_status_t status = mbedtls_psa_pake_output_internal( operation, step, output, output_size, output_length); if (status != PSA_SUCCESS) { @@ -642,7 +643,7 @@ psa_status_t psa_pake_output(psa_pake_operation_t *operation, return status; } -static psa_status_t psa_pake_input_internal( +static psa_status_t mbedtls_psa_pake_input_internal( psa_pake_operation_t *operation, psa_pake_step_t step, const uint8_t *input, 
@@ -824,12 +825,12 @@ static psa_status_t psa_pake_input_internal( return PSA_ERROR_NOT_SUPPORTED; } -psa_status_t psa_pake_input(psa_pake_operation_t *operation, - psa_pake_step_t step, - const uint8_t *input, - size_t input_length) +psa_status_t mbedtls_psa_pake_input(psa_pake_operation_t *operation, + psa_pake_step_t step, + const uint8_t *input, + size_t input_length) { - psa_status_t status = psa_pake_input_internal( + psa_status_t status = mbedtls_psa_pake_input_internal( operation, step, input, input_length); if (status != PSA_SUCCESS) { @@ -839,8 +840,9 @@ psa_status_t psa_pake_input(psa_pake_operation_t *operation, return status; } -psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, - psa_key_derivation_operation_t *output) +psa_status_t mbedtls_psa_pake_get_implicit_key( + psa_pake_operation_t *operation, + psa_key_derivation_operation_t *output) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; @@ -887,7 +889,7 @@ error: return status; } -psa_status_t psa_pake_abort(psa_pake_operation_t *operation) +psa_status_t mbedtls_psa_pake_abort(psa_pake_operation_t *operation) { if (operation->alg == PSA_ALG_NONE) { return PSA_SUCCESS; diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h new file mode 100644 index 000000000..b61ddde10 --- /dev/null +++ b/library/psa_crypto_pake.h 
@@ -0,0 +1,475 @@
+/*
+ * PSA PAKE layer on top of Mbed TLS software crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_PAKE_H
+#define PSA_CRYPTO_PAKE_H
+
+#include
+
+/** Set the session information for a password-authenticated key exchange.
+ *
+ * The sequence of operations to set up a password-authenticated key exchange
+ * is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_pake_operation_t, e.g.
+ * #PSA_PAKE_OPERATION_INIT.
+ * -# Call psa_pake_setup() to specify the cipher suite.
+ * -# Call \c psa_pake_set_xxx() functions on the operation to complete the
+ * setup. The exact sequence of \c psa_pake_set_xxx() functions that needs
+ * to be called depends on the algorithm in use.
+ *
+ * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
+ * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
+ * for more information.
+ *
+ * A typical sequence of calls to perform a password-authenticated key
+ * exchange:
+ * -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the
+ * key share that needs to be sent to the peer.
+ * -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...)
to provide
+ * the key share that was received from the peer.
+ * -# Depending on the algorithm additional calls to psa_pake_output() and
+ * psa_pake_input() might be necessary.
+ * -# Call psa_pake_get_implicit_key() for accessing the shared secret.
+ *
+ * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
+ * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
+ * for more information.
+ *
+ * If an error occurs at any step after a call to psa_pake_setup(),
+ * the operation will need to be reset by a call to psa_pake_abort(). The
+ * application may call psa_pake_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_pake_setup(), the application must
+ * eventually terminate the operation. The following events terminate an
+ * operation:
+ * - A call to psa_pake_abort().
+ * - A successful call to psa_pake_get_implicit_key().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized but not set up yet.
+ * \param[in] cipher_suite The cipher suite to use. (A cipher suite fully
+ * characterizes a PAKE algorithm and determines
+ * the algorithm as well.)
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The algorithm in \p cipher_suite is not a PAKE algorithm, or the
+ * PAKE primitive in \p cipher_suite is not compatible with the
+ * PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid
+ * or not compatible with the PAKE algorithm and primitive.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The algorithm in \p cipher_suite is not a supported PAKE algorithm,
+ * or the PAKE primitive in \p cipher_suite is not supported or not
+ * compatible with the PAKE algorithm, or the hash algorithm in
+ * \p cipher_suite is not supported or not compatible with the PAKE
+ * algorithm and primitive.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid, or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t mbedtls_psa_pake_setup(psa_pake_operation_t *operation,
+ const psa_pake_cipher_suite_t *cipher_suite);
+
+/** Set the password for a password-authenticated key exchange from key ID.
+ *
+ * Call this function when the password, or a value derived from the password,
+ * is already present in the key store.
+ *
+ * \param[in,out] operation The operation object to set the password for. It
+ * must have been set up by psa_pake_setup() and
+ * not yet in use (neither psa_pake_output() nor
+ * psa_pake_input() has been called yet). It must
+ * be on operation for which the password hasn't
+ * been set yet (psa_pake_set_password_key()
+ * hasn't been called yet).
+ * \param password Identifier of the key holding the password or a
+ * value derived from the password (eg. by a
+ * memory-hard function). It must remain valid
+ * until the operation terminates. It must be of
+ * type #PSA_KEY_TYPE_PASSWORD or
+ * #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow
+ * the usage #PSA_KEY_USAGE_DERIVE.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \p password is not a valid key identifier.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not
+ * permit the \p operation's algorithm.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or
+ * #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with
+ * the \p operation's cipher suite.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The key type or key size of \p password is not supported with the
+ * \p operation's cipher suite.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must have been set up.), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t mbedtls_psa_pake_set_password_key(
+ psa_pake_operation_t *operation,
+ mbedtls_svc_key_id_t password);
+
+/** Set the user ID for a password-authenticated key exchange.
+ *
+ * Call this function to set the user ID. For PAKE algorithms that associate a
+ * user identifier with each side of the session you need to call
+ * psa_pake_set_peer() as well. For PAKE algorithms that associate a single
+ * user identifier with the session, call psa_pake_set_user() only.
+ *
+ * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
+ * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
+ * for more information.
+ *
+ * \param[in,out] operation The operation object to set the user ID for. It
+ * must have been set up by psa_pake_setup() and
+ * not yet in use (neither psa_pake_output() nor
+ * psa_pake_input() has been called yet). It must
+ * be on operation for which the user ID hasn't
+ * been set (psa_pake_set_user() hasn't been
+ * called yet).
+ * \param[in] user_id The user ID to authenticate with.
+ * \param user_id_len Size of the \p user_id buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p user_id is not valid for the \p operation's algorithm and cipher
+ * suite.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The value of \p user_id is not supported by the implementation.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid, or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t mbedtls_psa_pake_set_user(psa_pake_operation_t *operation,
+ const uint8_t *user_id,
+ size_t user_id_len);
+
+/** Set the peer ID for a password-authenticated key exchange.
+ *
+ * Call this function in addition to psa_pake_set_user() for PAKE algorithms
+ * that associate a user identifier with each side of the session. For PAKE
+ * algorithms that associate a single user identifier with the session, call
+ * psa_pake_set_user() only.
+ *
+ * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
+ * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
+ * for more information.
+ *
+ * \param[in,out] operation The operation object to set the peer ID for. It
+ * must have been set up by psa_pake_setup() and
+ * not yet in use (neither psa_pake_output() nor
+ * psa_pake_input() has been called yet). It must
+ * be on operation for which the peer ID hasn't
+ * been set (psa_pake_set_peer() hasn't been
+ * called yet).
+ * \param[in] peer_id The peer's ID to authenticate.
+ * \param peer_id_len Size of the \p peer_id buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p user_id is not valid for the \p operation's algorithm and cipher
+ * suite.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The algorithm doesn't associate a second identity with the session.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_BAD_STATE
+ * Calling psa_pake_set_peer() is invalid with the \p operation's
+ * algorithm, the operation state is not valid, or the library has not
+ * been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t mbedtls_psa_pake_set_peer(psa_pake_operation_t *operation,
+ const uint8_t *peer_id,
+ size_t peer_id_len);
+
+/** Set the application role for a password-authenticated key exchange.
+ *
+ * Not all PAKE algorithms need to differentiate the communicating entities.
+ * It is optional to call this function for PAKEs that don't require a role
+ * to be specified. For such PAKEs the application role parameter is ignored,
+ * or #PSA_PAKE_ROLE_NONE can be passed as \c role.
+ *
+ * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
+ * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
+ * for more information.
+ *
+ * \param[in,out] operation The operation object to specify the
+ * application's role for. It must have been set up
+ * by psa_pake_setup() and not yet in use (neither
+ * psa_pake_output() nor psa_pake_input() has been
+ * called yet). It must be on operation for which
+ * the application's role hasn't been specified
+ * (psa_pake_set_role() hasn't been called yet).
+ * \param role A value of type ::psa_pake_role_t indicating the
+ * application's role in the PAKE the algorithm
+ * that is being set up. For more information see
+ * the documentation of \c PSA_PAKE_ROLE_XXX
+ * constants.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The \p role is not a valid PAKE role in the \p operation’s algorithm.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The \p role for this algorithm is not supported or is not valid.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid, or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t mbedtls_psa_pake_set_role(psa_pake_operation_t *operation,
+ psa_pake_role_t role);
+
+/** Get output for a step of a password-authenticated key exchange.
+ *
+ * Depending on the algorithm being executed, you might need to call this
+ * function several times or you might not need to call this at all.
+ *
+ * The exact sequence of calls to perform a password-authenticated key
+ * exchange depends on the algorithm in use. Refer to the documentation of
+ * individual PAKE algorithm types (`PSA_ALG_XXX` values of type
+ * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more
+ * information.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_pake_abort().
+ *
+ * \param[in,out] operation Active PAKE operation.
+ * \param step The step of the algorithm for which the output is
+ * requested.
+ * \param[out] output Buffer where the output is to be written in the
+ * format appropriate for this \p step. Refer to
+ * the documentation of the individual
+ * \c PSA_PAKE_STEP_XXX constants for more
+ * information.
+ * \param output_size Size of the \p output buffer in bytes. This must
+ * be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \p
+ * primitive, \p step) where \p alg and
+ * \p primitive are the PAKE algorithm and primitive
+ * in the operation's cipher suite, and \p step is
+ * the output step.
+ *
+ * \param[out] output_length On success, the number of bytes of the returned
+ * output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p step is not compatible with the operation's algorithm.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p step is not supported with the operation's algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, and fully set
+ * up, and this call must conform to the algorithm's requirements
+ * for ordering of input and output steps), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t mbedtls_psa_pake_output(psa_pake_operation_t *operation,
+ psa_pake_step_t step,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Provide input for a step of a password-authenticated key exchange.
+ *
+ * Depending on the algorithm being executed, you might need to call this
+ * function several times or you might not need to call this at all.
+ *
+ * The exact sequence of calls to perform a password-authenticated key
+ * exchange depends on the algorithm in use. Refer to the documentation of
+ * individual PAKE algorithm types (`PSA_ALG_XXX` values of type
+ * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more
+ * information.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_pake_abort().
+ *
+ * \param[in,out] operation Active PAKE operation.
+ * \param step The step for which the input is provided.
+ * \param[in] input Buffer containing the input in the format
+ * appropriate for this \p step. Refer to the
+ * documentation of the individual
+ * \c PSA_PAKE_STEP_XXX constants for more
+ * information.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p is not compatible with the \p operation’s algorithm, or the
+ * \p input is not valid for the \p operation's algorithm, cipher suite
+ * or \p step.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p step p is not supported with the \p operation's algorithm, or the
+ * \p input is not supported for the \p operation's algorithm, cipher
+ * suite or \p step.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, and fully set
+ * up, and this call must conform to the algorithm's requirements
+ * for ordering of input and output steps), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t mbedtls_psa_pake_input(psa_pake_operation_t *operation,
+ psa_pake_step_t step,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Get implicitly confirmed shared secret from a PAKE.
+ *
+ * At this point there is a cryptographic guarantee that only the authenticated
+ * party who used the same password is able to compute the key. But there is no
+ * guarantee that the peer is the party it claims to be and was able to do so.
+ *
+ * That is, the authentication is only implicit.
Since the peer is not
+ * authenticated yet, no action should be taken yet that assumes that the peer
+ * is who it claims to be. For example, do not access restricted files on the
+ * peer's behalf until an explicit authentication has succeeded.
+ *
+ * This function can be called after the key exchange phase of the operation
+ * has completed. It imports the shared secret output of the PAKE into the
+ * provided derivation operation. The input step
+ * #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key
+ * material in the key derivation operation.
+ *
+ * The exact sequence of calls to perform a password-authenticated key
+ * exchange depends on the algorithm in use. Refer to the documentation of
+ * individual PAKE algorithm types (`PSA_ALG_XXX` values of type
+ * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more
+ * information.
+ *
+ * When this function returns successfully, \p operation becomes inactive.
+ * If this function returns an error status, both \p operation
+ * and \p key_derivation operations enter an error state and must be aborted by
+ * calling psa_pake_abort() and psa_key_derivation_abort() respectively.
+ *
+ * \param[in,out] operation Active PAKE operation.
+ * \param[out] output A key derivation operation that is ready
+ * for an input step of type
+ * #PSA_KEY_DERIVATION_INPUT_SECRET.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the
+ * algorithm in the \p output key derivation operation.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Input from a PAKE is not supported by the algorithm in the \p output
+ * key derivation operation.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_BAD_STATE
+ * The PAKE operation state is not valid (it must be active, but beyond
+ * that validity is specific to the algorithm), or
+ * the library has not been previously initialized by psa_crypto_init(),
+ * or the state of \p output is not valid for
+ * the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the
+ * step is out of order or the application has done this step already
+ * and it may not be repeated.
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t mbedtls_psa_pake_get_implicit_key(
+ psa_pake_operation_t *operation,
+ psa_key_derivation_operation_t *output);
+
+/** Abort a PAKE operation.
+ *
+ * Aborting an operation frees all associated resources except for the \c
+ * operation structure itself. Once aborted, the operation object can be reused
+ * for another operation by calling psa_pake_setup() again.
+ *
+ * This function may be called at any time after the operation
+ * object has been initialized as described in #psa_pake_operation_t.
+ *
+ * In particular, calling psa_pake_abort() after the operation has been
+ * terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key()
+ * is safe and has no effect.
+ *
+ * \param[in,out] operation The operation to abort.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */ +psa_status_t mbedtls_psa_pake_abort(psa_pake_operation_t *operation); + +#endif /* PSA_CRYPTO_PAKE_H */ From 7da8c56b8447ce46a161dfdf47fa3fb3fdb41b45 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 1 Jun 2022 18:17:22 +0200 Subject: [PATCH 02/75] Add PSA PAKE wrappers Signed-off-by: Neil Armstrong --- library/psa_crypto_driver_wrappers.h | 45 ++++++++++++ .../psa_crypto_driver_wrappers.c.jinja | 73 +++++++++++++++++++ 2 files changed, 118 insertions(+) diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index e3edec791..e011594be 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h 
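Review bot: In library/psa_crypto_pake.h the doc comments do not match the declarations they sit on: they appear to be carried over from the public API, and every block still tells the reader to call `psa_pake_setup()`, `psa_pake_abort()` and the other `psa_pake_*` names, although the functions declared here are the `mbedtls_psa_pake_*` built-in entry points. Several parameter references are also wrong: the `PSA_ERROR_INVALID_ARGUMENT` text on `mbedtls_psa_pake_set_peer()` names `\p user_id` where the parameter is `peer_id`, the `mbedtls_psa_pake_input()` text has a bare `\p is not compatible` and a stray `\p step p`, and `mbedtls_psa_pake_get_implicit_key()` refers to `\p key_derivation` where the parameter is `output`. I would shorten each block to a statement that this is the built-in implementation behind the corresponding `psa_pake_*` call, list which state and argument checks it expects its caller to have done, and fix the `\p` references.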
@@ -412,6 +412,51 @@ psa_status_t psa_driver_wrapper_key_agreement( size_t shared_secret_size, size_t *shared_secret_length); +/* + * PAKE functions. + */ +psa_status_t psa_driver_wrapper_pake_setup( + psa_pake_operation_t *operation, + const psa_pake_cipher_suite_t *cipher_suite); + +psa_status_t psa_driver_wrapper_pake_set_password_key( + psa_pake_operation_t *operation, + mbedtls_svc_key_id_t password); + +psa_status_t psa_driver_wrapper_pake_set_user( + psa_pake_operation_t *operation, + const uint8_t *user_id, + size_t user_id_len); + +psa_status_t psa_driver_wrapper_pake_set_peer( + psa_pake_operation_t *operation, + const uint8_t *peer_id, + size_t peer_id_len); + +psa_status_t psa_driver_wrapper_pake_set_role( + psa_pake_operation_t *operation, + psa_pake_role_t role); + +psa_status_t psa_driver_wrapper_pake_output( + psa_pake_operation_t *operation, + psa_pake_step_t step, + uint8_t *output, + size_t output_size, + size_t *output_length); + +psa_status_t psa_driver_wrapper_pake_input( + psa_pake_operation_t *operation, + psa_pake_step_t step, + const uint8_t *input, + size_t input_length); + +psa_status_t psa_driver_wrapper_pake_get_implicit_key( + psa_pake_operation_t *operation, + psa_key_derivation_operation_t *output); + +psa_status_t psa_driver_wrapper_pake_abort( + psa_pake_operation_t *operation); + #endif /* PSA_CRYPTO_DRIVER_WRAPPERS_H */ /* End of automatically generated file. */ diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index b35e726a0..8f9ff73b8 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -28,6 +28,7 @@ #include "psa_crypto_driver_wrappers.h" #include "psa_crypto_hash.h" #include "psa_crypto_mac.h" +#include "psa_crypto_pake.h" #include "psa_crypto_rsa.h" #include "mbedtls/platform.h" 
@@ -2808,4 +2809,76 @@ psa_status_t psa_driver_wrapper_key_agreement( } } +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) +psa_status_t psa_driver_wrapper_pake_setup( + psa_pake_operation_t *operation, + const psa_pake_cipher_suite_t *cipher_suite ) +{ + return( mbedtls_psa_pake_setup( operation, cipher_suite ) ); +} + +psa_status_t psa_driver_wrapper_pake_set_password_key( + psa_pake_operation_t *operation, + mbedtls_svc_key_id_t password ) +{ + return( mbedtls_psa_pake_set_password_key( operation, password ) ); +} + +psa_status_t psa_driver_wrapper_pake_set_user( + psa_pake_operation_t *operation, + const uint8_t *user_id, + size_t user_id_len ) +{ + return( mbedtls_psa_pake_set_user( operation, user_id, user_id_len ) ); +} + +psa_status_t psa_driver_wrapper_pake_set_peer( + psa_pake_operation_t *operation, + const uint8_t *peer_id, + size_t peer_id_len ) +{ + return( mbedtls_psa_pake_set_peer( operation, peer_id, peer_id_len ) ); +} + +psa_status_t psa_driver_wrapper_pake_set_role( + psa_pake_operation_t *operation, + psa_pake_role_t role ) +{ + return( mbedtls_psa_pake_set_role( operation, role ) ); +} + +psa_status_t psa_driver_wrapper_pake_output( + psa_pake_operation_t *operation, + psa_pake_step_t step, + uint8_t *output, + size_t output_size, + size_t *output_length ) +{ + return( mbedtls_psa_pake_output( operation, step, output, + output_size, output_length ) ); +} + +psa_status_t psa_driver_wrapper_pake_input( + psa_pake_operation_t *operation, + psa_pake_step_t step, + const uint8_t *input, + size_t input_length ) +{ + return( mbedtls_psa_pake_input( operation, step, input, input_length ) ); +} + +psa_status_t psa_driver_wrapper_pake_get_implicit_key( + psa_pake_operation_t *operation, + psa_key_derivation_operation_t *output ) +{ + return( mbedtls_psa_pake_get_implicit_key( operation, output ) ); +} + +psa_status_t psa_driver_wrapper_pake_abort( + psa_pake_operation_t * operation ) +{ + return( mbedtls_psa_pake_abort( operation ) ); +} +#endif /* 
MBEDTLS_PSA_BUILTIN_PAKE */ + #endif /* MBEDTLS_PSA_CRYPTO_C */ From a7d08c3009330f06d349fc151a77d75fb37338ff Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 1 Jun 2022 18:21:20 +0200 Subject: [PATCH 03/75] Add PSA PAKE api calling the PAKE wrappers Signed-off-by: Neil Armstrong --- library/psa_crypto.c | 75 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 3ec9273de..2cd4ee7ae 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
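Review bot: All nine `psa_driver_wrapper_pake_*` definitions sit inside `#if defined(MBEDTLS_PSA_BUILTIN_PAKE)`, while the prototypes added to library/psa_crypto_driver_wrappers.h in the same patch are unconditional, so a configuration without the built-in PAKE gets declarations with no definitions and fails at link time instead of reporting `PSA_ERROR_NOT_SUPPORTED`. The same guard wraps the public `psa_pake_*` functions added to library/psa_crypto.c in patch 03, which removes the public API itself in that configuration. Moving the guard inside each body with an explicit fallback keeps the symbols present and leaves a place for a later driver dispatch; the shape for one wrapper is below, and the others would follow it with a fallback status chosen per function. A one-line comment above the group saying that no driver dispatch happens yet would also help, since each call goes straight to the built-in.

```c
psa_status_t psa_driver_wrapper_pake_setup(
    psa_pake_operation_t *operation,
    const psa_pake_cipher_suite_t *cipher_suite )
{
#if defined(MBEDTLS_PSA_BUILTIN_PAKE)
    return( mbedtls_psa_pake_setup( operation, cipher_suite ) );
#else
    (void) operation;
    (void) cipher_suite;
    return( PSA_ERROR_NOT_SUPPORTED );
#endif /* MBEDTLS_PSA_BUILTIN_PAKE */
}
/* … the other eight wrappers: same #if/#else shape inside the body … */
```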
@@ -7163,4 +7163,79 @@ exit: return status; } +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) +psa_status_t psa_pake_setup( + psa_pake_operation_t *operation, + const psa_pake_cipher_suite_t *cipher_suite) +{ + return psa_driver_wrapper_pake_setup(operation, cipher_suite); +} + +psa_status_t psa_pake_set_password_key( + psa_pake_operation_t *operation, + mbedtls_svc_key_id_t password) +{ + return psa_driver_wrapper_pake_set_password_key(operation, password); +} + +psa_status_t psa_pake_set_user( + psa_pake_operation_t *operation, + const uint8_t *user_id, + size_t user_id_len) +{ + return psa_driver_wrapper_pake_set_user(operation, user_id, + user_id_len); +} + +psa_status_t psa_pake_set_peer( + psa_pake_operation_t *operation, + const uint8_t *peer_id, + size_t peer_id_len) +{ + return psa_driver_wrapper_pake_set_peer(operation, peer_id, + peer_id_len); +} + +psa_status_t psa_pake_set_role( + psa_pake_operation_t *operation, + psa_pake_role_t role) +{ + return psa_driver_wrapper_pake_set_role(operation, role); +} + +psa_status_t psa_pake_output( + psa_pake_operation_t *operation, + psa_pake_step_t step, + uint8_t *output, + size_t output_size, + size_t *output_length) +{ + return psa_driver_wrapper_pake_output(operation, step, output, + output_size, output_length); +} + +psa_status_t psa_pake_input( + psa_pake_operation_t *operation, + psa_pake_step_t step, + const uint8_t *input, + size_t input_length) +{ + return psa_driver_wrapper_pake_input(operation, step, input, + input_length); +} + +psa_status_t psa_pake_get_implicit_key( + psa_pake_operation_t *operation, + psa_key_derivation_operation_t *output) +{ + return psa_driver_wrapper_pake_get_implicit_key(operation, output); +} + +psa_status_t psa_pake_abort( + psa_pake_operation_t *operation) +{ + return psa_driver_wrapper_pake_abort(operation); +} +#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ + #endif /* MBEDTLS_PSA_CRYPTO_C */ From 5ae609631e768b1c229d7168c53b622016ae0f84 Mon Sep 17 00:00:00 2001 
From: Neil Armstrong Date: Thu, 15 Sep 2022 11:29:46 +0200 Subject: [PATCH 04/75] Move the common parameters check code out of the wrapper Signed-off-by: Neil Armstrong --- library/psa_crypto.c | 93 ++++++++++++++++++++++++++++++++ library/psa_crypto_pake.c | 110 +++++++++++++------------------------- 2 files changed, 129 insertions(+), 74 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 2cd4ee7ae..3494ae730 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7168,6 +7168,19 @@ psa_status_t psa_pake_setup( psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite) { + /* A context must be freshly initialized before it can be set up. */ + if (operation->alg != PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + + if (cipher_suite == NULL || + PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 || + (cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC && + cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_DH) || + PSA_ALG_IS_HASH(cipher_suite->hash) == 0) { + return PSA_ERROR_INVALID_ARGUMENT; + } + return psa_driver_wrapper_pake_setup(operation, cipher_suite); } 
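Review bot: The two early returns added to psa_pake_setup() skip the teardown that the checks they replace performed: in mbedtls_psa_pake_setup() both failures went to `error:` and aborted the operation, and the hunks for psa_pake_set_user(), psa_pake_set_peer() and psa_pake_set_role() later in this patch make the same change. After this patch a rejected call leaves the operation, and whatever state it already holds, live until the caller aborts it explicitly. If that is intended, it deserves a comment at each return; otherwise keep the old behaviour by calling the abort before returning, for example `psa_pake_abort(operation); return PSA_ERROR_INVALID_ARGUMENT;`.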
@@ -7175,6 +7188,34 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation, mbedtls_svc_key_id_t password) { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_key_attributes_t attributes = psa_key_attributes_init(); + psa_key_type_t type; + psa_key_usage_t usage; + + if (operation->alg == PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + + status = psa_get_key_attributes(password, &attributes); + if (status != PSA_SUCCESS) { + return status; + } + + type = psa_get_key_type(&attributes); + usage = psa_get_key_usage_flags(&attributes); + + psa_reset_key_attributes(&attributes); + + if (type != PSA_KEY_TYPE_PASSWORD && + type != PSA_KEY_TYPE_PASSWORD_HASH) { + return PSA_ERROR_INVALID_ARGUMENT; + } + + if ((usage & PSA_KEY_USAGE_DERIVE) == 0) { + return PSA_ERROR_NOT_PERMITTED; + } + return psa_driver_wrapper_pake_set_password_key(operation, password); } @@ -7183,6 +7224,14 @@ psa_status_t psa_pake_set_user( const uint8_t *user_id, size_t user_id_len) { + if (operation->alg == PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + + if (user_id_len == 0 || user_id == NULL) { + return PSA_ERROR_INVALID_ARGUMENT; + } + return psa_driver_wrapper_pake_set_user(operation, user_id, user_id_len); } @@ -7192,6 +7241,14 @@ psa_status_t psa_pake_set_peer( const uint8_t *peer_id, size_t peer_id_len) { + if (operation->alg == PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + + if (peer_id_len == 0 || peer_id == NULL) { + return PSA_ERROR_INVALID_ARGUMENT; + } + return psa_driver_wrapper_pake_set_peer(operation, peer_id, peer_id_len); } 
@@ -7200,6 +7257,18 @@ psa_status_t psa_pake_set_role( psa_pake_operation_t *operation, psa_pake_role_t role) { + if (operation->alg == PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + + if (role != PSA_PAKE_ROLE_NONE && + role != PSA_PAKE_ROLE_FIRST && + role != PSA_PAKE_ROLE_SECOND && + role != PSA_PAKE_ROLE_CLIENT && + role != PSA_PAKE_ROLE_SERVER) { + return PSA_ERROR_INVALID_ARGUMENT; + } + return psa_driver_wrapper_pake_set_role(operation, role); } @@ -7210,6 +7279,14 @@ psa_status_t psa_pake_output( size_t output_size, size_t *output_length) { + if (operation->alg == PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + + if (output == NULL || output_size == 0 || output_length == NULL) { + return PSA_ERROR_INVALID_ARGUMENT; + } + return psa_driver_wrapper_pake_output(operation, step, output, output_size, output_length); } @@ -7220,6 +7297,14 @@ psa_status_t psa_pake_input( const uint8_t *input, size_t input_length) { + if (operation->alg == PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + + if (input == NULL || input_length == 0) { + return PSA_ERROR_INVALID_ARGUMENT; + } + return psa_driver_wrapper_pake_input(operation, step, input, input_length); } @@ -7228,12 +7313,20 @@ psa_status_t psa_pake_get_implicit_key( psa_pake_operation_t *operation, psa_key_derivation_operation_t *output) { + if (operation->alg == PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + return psa_driver_wrapper_pake_get_implicit_key(operation, output); } psa_status_t psa_pake_abort( psa_pake_operation_t *operation) { + if (operation->alg == PSA_ALG_NONE) { + return PSA_SUCCESS; + } + return psa_driver_wrapper_pake_abort(operation); } #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 7171f7566..0dafe786d 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c 
@@ -194,23 +194,6 @@ static psa_status_t mbedtls_ecjpake_to_psa_error(int ret) psa_status_t mbedtls_psa_pake_setup(psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite) { - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - - /* A context must be freshly initialized before it can be set up. */ - if (operation->alg != PSA_ALG_NONE) { - status = PSA_ERROR_BAD_STATE; - goto error; - } - - if (cipher_suite == NULL || - PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 || - (cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC && - cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_DH) || - PSA_ALG_IS_HASH(cipher_suite->hash) == 0) { - status = PSA_ERROR_INVALID_ARGUMENT; - goto error; - } - #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (cipher_suite->algorithm == PSA_ALG_JPAKE) { if (cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC || @@ -236,11 +219,14 @@ psa_status_t mbedtls_psa_pake_setup(psa_pake_operation_t *operation, return PSA_SUCCESS; } else +#else + (void) operation; + (void) cipher_suite; #endif - status = PSA_ERROR_NOT_SUPPORTED; + { status = PSA_ERROR_NOT_SUPPORTED; } error: - psa_pake_abort(operation); + mbedtls_psa_pake_abort(operation); return status; } @@ -315,23 +301,18 @@ psa_status_t mbedtls_psa_pake_set_user(psa_pake_operation_t *operation, const uint8_t *user_id, size_t user_id_len) { - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + (void) user_id; + (void) user_id_len; - if (operation->alg == PSA_ALG_NONE || - operation->state != PSA_PAKE_STATE_SETUP) { + if (operation->state != PSA_PAKE_STATE_SETUP) { status = PSA_ERROR_BAD_STATE; goto error; } - if (user_id_len == 0 || user_id == NULL) { - status = PSA_ERROR_INVALID_ARGUMENT; - goto error; - } - status = PSA_ERROR_NOT_SUPPORTED; error: - psa_pake_abort(operation); + mbedtls_psa_pake_abort(operation); return status; } 
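Review bot: `status` is no longer declared in mbedtls_psa_pake_set_user(): the hunk removes `psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;`, but the body, which is fully visible here, still assigns `status` and returns it. As far as the hunks show, the first hunk of this file does the same to mbedtls_psa_pake_setup(), whose `error:` path in the second hunk still uses `status`, and the mbedtls_psa_pake_set_peer() and mbedtls_psa_pake_set_role() hunks that follow repeat it. Keep `psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;` as the first line of each of these functions, so that the file builds at this commit and a path that never sets the status still fails closed.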
@@ -339,46 +320,29 @@ psa_status_t mbedtls_psa_pake_set_peer(psa_pake_operation_t *operation, const uint8_t *peer_id, size_t peer_id_len) { - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + (void) peer_id; + (void) peer_id_len; - if (operation->alg == PSA_ALG_NONE || - operation->state != PSA_PAKE_STATE_SETUP) { + if (operation->state != PSA_PAKE_STATE_SETUP) { status = PSA_ERROR_BAD_STATE; goto error; } - if (peer_id_len == 0 || peer_id == NULL) { - status = PSA_ERROR_INVALID_ARGUMENT; - goto error; - } - status = PSA_ERROR_NOT_SUPPORTED; error: - psa_pake_abort(operation); + mbedtls_psa_pake_abort(operation); return status; } psa_status_t mbedtls_psa_pake_set_role(psa_pake_operation_t *operation, psa_pake_role_t role) { - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - - if (operation->alg == PSA_ALG_NONE || - operation->state != PSA_PAKE_STATE_SETUP) { + if (operation->state != PSA_PAKE_STATE_SETUP) { status = PSA_ERROR_BAD_STATE; goto error; } - if (role != PSA_PAKE_ROLE_NONE && - role != PSA_PAKE_ROLE_FIRST && - role != PSA_PAKE_ROLE_SECOND && - role != PSA_PAKE_ROLE_CLIENT && - role != PSA_PAKE_ROLE_SERVER) { - status = PSA_ERROR_INVALID_ARGUMENT; - goto error; - } - #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { if (role != PSA_PAKE_ROLE_CLIENT && @@ -390,11 +354,14 @@ psa_status_t mbedtls_psa_pake_set_role(psa_pake_operation_t *operation, return PSA_SUCCESS; } else +#else + (void) role; #endif - status = PSA_ERROR_NOT_SUPPORTED; + + { status = PSA_ERROR_NOT_SUPPORTED; } error: - psa_pake_abort(operation); + mbedtls_psa_pake_abort(operation); return status; } 
@@ -449,15 +416,10 @@ static psa_status_t mbedtls_psa_pake_output_internal( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; size_t length; - if (operation->alg == PSA_ALG_NONE || - operation->state == PSA_PAKE_STATE_INVALID) { + if (operation->state == PSA_PAKE_STATE_INVALID) { return PSA_ERROR_BAD_STATE; } - if (output == NULL || output_size == 0 || output_length == NULL) { - return PSA_ERROR_INVALID_ARGUMENT; - } - #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) /* * The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different @@ -623,8 +585,13 @@ static psa_status_t mbedtls_psa_pake_output_internal( return PSA_SUCCESS; } else +#else + (void) step; + (void) output; + (void) output_size; + (void) output_length; #endif - return PSA_ERROR_NOT_SUPPORTED; + { return PSA_ERROR_NOT_SUPPORTED; } } psa_status_t mbedtls_psa_pake_output(psa_pake_operation_t *operation, @@ -652,15 +619,10 @@ static psa_status_t mbedtls_psa_pake_input_internal( int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - if (operation->alg == PSA_ALG_NONE || - operation->state == PSA_PAKE_STATE_INVALID) { + if (operation->state == PSA_PAKE_STATE_INVALID) { return PSA_ERROR_BAD_STATE; } - if (input == NULL || input_length == 0) { - return PSA_ERROR_INVALID_ARGUMENT; - } - #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) /* * The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different @@ -821,8 +783,12 @@ static psa_status_t mbedtls_psa_pake_input_internal( return PSA_SUCCESS; } else +#else + (void) step; + (void) input; + (void) input_length; #endif - return PSA_ERROR_NOT_SUPPORTED; + { return PSA_ERROR_NOT_SUPPORTED; } } psa_status_t mbedtls_psa_pake_input(psa_pake_operation_t *operation, 
@@ -847,9 +813,7 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - if (operation->alg == PSA_ALG_NONE || - operation->state != PSA_PAKE_STATE_READY || - operation->input_step != PSA_PAKE_STEP_DERIVE || + if (operation->input_step != PSA_PAKE_STEP_DERIVE || operation->output_step != PSA_PAKE_STEP_DERIVE) { status = PSA_ERROR_BAD_STATE; goto error; @@ -879,8 +843,10 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( return status; } else +#else + (void) output; #endif - status = PSA_ERROR_NOT_SUPPORTED; + { status = PSA_ERROR_NOT_SUPPORTED; } error: psa_key_derivation_abort(output); @@ -891,10 +857,6 @@ error: psa_status_t mbedtls_psa_pake_abort(psa_pake_operation_t *operation) { - if (operation->alg == PSA_ALG_NONE) { - return PSA_SUCCESS; - } - #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { operation->input_step = PSA_PAKE_STEP_INVALID; From 2e73649f9c9bcbf1a6cfe39097f6fca2f27aba8b Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 22 Nov 2022 13:50:22 +0100 Subject: [PATCH 05/75] Add pake psa crypto driver wrappers implementation Signed-off-by: Przemek Stekiel --- library/psa_crypto_driver_wrappers.h | 4 +- .../psa_crypto_driver_wrappers.c.jinja | 270 +++++++++++++++++- 2 files changed, 261 insertions(+), 13 deletions(-) diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index e011594be..a3755d3a4 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -420,8 +420,10 @@ psa_status_t psa_driver_wrapper_pake_setup( const psa_pake_cipher_suite_t *cipher_suite); psa_status_t psa_driver_wrapper_pake_set_password_key( + const psa_key_attributes_t *attributes, psa_pake_operation_t *operation, - mbedtls_svc_key_id_t password); + uint8_t *key_buffer, + size_t key_size); psa_status_t psa_driver_wrapper_pake_set_user( psa_pake_operation_t *operation, 
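Review bot: The `operation->state != PSA_PAKE_STATE_READY` test removed from mbedtls_psa_pake_get_implicit_key() is not re-added anywhere; the psa_pake_get_implicit_key() hunk in psa_crypto.c only restores the `operation->alg == PSA_ALG_NONE` check. The function now relies on `input_step` and `output_step` both being `PSA_PAKE_STEP_DERIVE` to imply a ready operation, which may hold but cannot be confirmed from this hunk. Since this call hands the shared secret to the key derivation, keep the explicit guard as the first condition, `if (operation->state != PSA_PAKE_STATE_READY ||`, or add a comment stating why the step checks are sufficient. The function body starts and ends outside the hunk.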
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index 8f9ff73b8..802722f97 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja 
@@ -2814,14 +2814,100 @@ psa_status_t psa_driver_wrapper_pake_setup( psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite ) { - return( mbedtls_psa_pake_setup( operation, cipher_suite ) ); + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + /* Try setup on accelerators first */ +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + status = mbedtls_test_transparent_pake_setup( + &operation->ctx.transparent_test_driver_ctx, + (const psa_pake_cipher_suite_t*) cipher_suite ); + if( status == PSA_SUCCESS ) + operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID; + + if( status != PSA_ERROR_NOT_SUPPORTED ) + return( status ); +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + + /* If software fallback is compiled in, try fallback */ +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) + status = mbedtls_psa_pake_setup( &operation->ctx.mbedtls_ctx, cipher_suite ); + if( status == PSA_SUCCESS ) + operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID; + + if( status != PSA_ERROR_NOT_SUPPORTED ) + return( status ); +#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ + + /* Add cases for opaque driver here */ +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + status = mbedtls_test_opaque_pake_setup( + &operation->ctx.opaque_test_driver_ctx, + (const psa_pake_cipher_suite_t*) cipher_suite ); + if( status == PSA_SUCCESS ) + operation->id = MBEDTLS_TEST_OPAQUE_DRIVER_ID; + + if( status != PSA_ERROR_NOT_SUPPORTED ) + return( status ); +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + + /* Nothing left to try if we fall through here */ + (void) status; + (void) operation; + (void) cipher_suite; + return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t psa_driver_wrapper_pake_set_password_key( + const psa_key_attributes_t *attributes, psa_pake_operation_t *operation, - mbedtls_svc_key_id_t password ) + uint8_t *key_buffer, + size_t 
key_size ) { - return( mbedtls_psa_pake_set_password_key( operation, password ) ); + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_key_location_t location = + PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + + switch( location ) + { + case PSA_KEY_LOCATION_LOCAL_STORAGE: + /* Key is stored in the slot in export representation, so + * cycle through all known transparent accelerators */ +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + status = mbedtls_test_transparent_set_password_key( + attributes, + &operation->ctx.transparent_test_driver_ctx, + key_buffer, key_size ); + /* Declared with fallback == true */ + if( status != PSA_ERROR_NOT_SUPPORTED ) + return( status ); +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + return( mbedtls_psa_pake_set_password_key( + attributes, &operation->ctx.mbedtls_ctx, + key_buffer, key_size ) ); + /* Add cases for opaque driver here */ +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case PSA_CRYPTO_TEST_DRIVER_LOCATION: + return( mbedtls_test_opaque_set_password_key( + attributes, + &operation->ctx.opaque_test_driver_ctx, + key_buffer, key_size ) ); +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + + default: + /* Key is declared with a lifetime not known to us */ + (void)status; + (void)key_buffer; + (void)key_size; + return( PSA_ERROR_INVALID_ARGUMENT ); + } } psa_status_t psa_driver_wrapper_pake_set_user( 
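Review bot: psa_driver_wrapper_pake_set_password_key() chooses the driver from the key location and never consults `operation->id`, unlike every other wrapper in this patch. For a local-storage key it calls the transparent test driver on `ctx.transparent_test_driver_ctx` and then the built-in code on `ctx.mbedtls_ctx`, regardless of which driver psa_driver_wrapper_pake_setup() selected, so a context prepared by one driver can be handed to another (and reinterpreted, if `ctx` is a union as in other multipart operations). The built-in call is also the only one here not wrapped in `#if defined(MBEDTLS_PSA_BUILTIN_PAKE)`. Dispatch on `operation->id` as the other wrappers do, and return an error when the key location does not match the driver that owns the operation.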
@@ -2829,7 +2915,31 @@ psa_status_t psa_driver_wrapper_pake_set_user( const uint8_t *user_id, size_t user_id_len ) { - return( mbedtls_psa_pake_set_user( operation, user_id, user_id_len ) ); + switch( operation->id ) + { +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) + case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + return( mbedtls_psa_pake_set_user( &operation->ctx.mbedtls_ctx, + user_id, user_id_len ) ); +#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ + +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: + return( mbedtls_test_transparent_pake_set_user( + &operation->ctx.transparent_test_driver_ctx, + user_id, user_id_len ) ); + case MBEDTLS_TEST_OPAQUE_DRIVER_ID: + return( mbedtls_test_opaque_pake_set_user( + &operation->ctx.opaque_test_driver_ctx, + user_id, user_id_len ) ); +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + default: + (void) user_id; + (void) user_id_len; + return( PSA_ERROR_INVALID_ARGUMENT ); + } } psa_status_t psa_driver_wrapper_pake_set_peer( 
@@ -2837,14 +2947,60 @@ psa_status_t psa_driver_wrapper_pake_set_peer( const uint8_t *peer_id, size_t peer_id_len ) { - return( mbedtls_psa_pake_set_peer( operation, peer_id, peer_id_len ) ); + switch( operation->id ) + { +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) + case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + return( mbedtls_psa_pake_set_peer( &operation->ctx.mbedtls_ctx, + peer_id, peer_id_len ) ); +#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ + +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: + return( mbedtls_test_transparent_pake_set_peer( + &operation->ctx.transparent_test_driver_ctx, + peer_id, peer_id_len ) ); + case MBEDTLS_TEST_OPAQUE_DRIVER_ID: + return( mbedtls_test_opaque_pake_set_peer( + &operation->ctx.opaque_test_driver_ctx, + peer_id, peer_id_len ) ); +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + default: + (void) peer_id; + (void) peer_id_len; + return( PSA_ERROR_INVALID_ARGUMENT ); + } } psa_status_t psa_driver_wrapper_pake_set_role( psa_pake_operation_t *operation, psa_pake_role_t role ) { - return( mbedtls_psa_pake_set_role( operation, role ) ); + switch( operation->id ) + { +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) + case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + return( mbedtls_psa_pake_set_role( &operation->ctx.mbedtls_ctx, role ) ); +#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ + +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: + return( mbedtls_test_transparent_pake_set_role( + &operation->ctx.transparent_test_driver_ctx, + role ) ); + case MBEDTLS_TEST_OPAQUE_DRIVER_ID: + return( mbedtls_test_opaque_pake_set_role( + &operation->ctx.opaque_test_driver_ctx, + role ) ); +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + default: + (void) role; + return( PSA_ERROR_INVALID_ARGUMENT ); + } } psa_status_t 
psa_driver_wrapper_pake_output( @@ -2854,8 +3010,33 @@ psa_status_t psa_driver_wrapper_pake_output( size_t output_size, size_t *output_length ) { - return( mbedtls_psa_pake_output( operation, step, output, - output_size, output_length ) ); + switch( operation->id ) + { +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) + case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + return( mbedtls_psa_pake_output( &operation->ctx.mbedtls_ctx, step, output, + output_size, output_length ) ); +#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ + +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: + return( mbedtls_test_transparent_pake_output( + &operation->ctx.transparent_test_driver_ctx, + step, output, output_size, output_length ) ); + case MBEDTLS_TEST_OPAQUE_DRIVER_ID: + return( mbedtls_test_opaque_pake_output( + &operation->ctx.opaque_test_driver_ctx, + step, output, output_size, output_length ) ); +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + default: + (void) step; + (void) output; + (void) output_size; + (void) output_length; + return( PSA_ERROR_INVALID_ARGUMENT ); + } } psa_status_t psa_driver_wrapper_pake_input( 
@@ -2864,21 +3045,86 @@ psa_status_t psa_driver_wrapper_pake_input( const uint8_t *input, size_t input_length ) { - return( mbedtls_psa_pake_input( operation, step, input, input_length ) ); + switch( operation->id ) + { +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) + case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + return( mbedtls_psa_pake_input( &operation->ctx.mbedtls_ctx, + step, input, input_length ) ); +#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ + +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: + return( mbedtls_test_transparent_pake_input( + &operation->ctx.transparent_test_driver_ctx, + step, input, input_length ) ); + case MBEDTLS_TEST_OPAQUE_DRIVER_ID: + return( mbedtls_test_opaque_pake_input( + &operation->ctx.opaque_test_driver_ctx, + step, input, input_length ) ); +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + default: + (void) step; + (void) input; + (void) input_length; + return( PSA_ERROR_INVALID_ARGUMENT ); + } } psa_status_t psa_driver_wrapper_pake_get_implicit_key( psa_pake_operation_t *operation, psa_key_derivation_operation_t *output ) { - return( mbedtls_psa_pake_get_implicit_key( operation, output ) ); + switch( operation->id ) + { +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) + case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + return( mbedtls_psa_pake_get_implicit_key( &operation->ctx.mbedtls_ctx, output ) ); +#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ + +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: + return( mbedtls_test_transparent_pake_get_implicit_key( + &operation->ctx.transparent_test_driver_ctx, + (psa_key_derivation_operation_t*) output ) ); + case MBEDTLS_TEST_OPAQUE_DRIVER_ID: + return( mbedtls_test_opaque_pake_get_implicit_key( + &operation->ctx.opaque_test_driver_ctx, + (psa_key_derivation_operation_t*) output ) ); +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* 
PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + default: + (void) output; + return( PSA_ERROR_INVALID_ARGUMENT ); + } } psa_status_t psa_driver_wrapper_pake_abort( psa_pake_operation_t * operation ) { - return( mbedtls_psa_pake_abort( operation ) ); -} + switch( operation->id ) + { +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) + case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + return( mbedtls_psa_pake_abort( &operation->ctx.mbedtls_ctx ) ); #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: + return( mbedtls_test_transparent_pake_abort( + &operation->ctx.transparent_test_driver_ctx ) ); + case MBEDTLS_TEST_OPAQUE_DRIVER_ID: + return( mbedtls_test_opaque_pake_abort( + &operation->ctx.opaque_test_driver_ctx ) ); +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + default: + return( PSA_ERROR_INVALID_ARGUMENT ); + } +} + #endif /* MBEDTLS_PSA_CRYPTO_C */ From d3da040f34c0a0107e30edc372804768ff7284dd Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 22 Nov 2022 13:53:26 +0100 Subject: [PATCH 06/75] Add test driver impl for pake Signed-off-by: Przemek Stekiel --- tests/include/test/drivers/pake.h | 140 +++++++++ tests/src/drivers/test_driver_pake.c | 428 +++++++++++++++++++++++++++ 2 files changed, 568 insertions(+) create mode 100644 tests/include/test/drivers/pake.h create mode 100644 tests/src/drivers/test_driver_pake.c diff --git a/tests/include/test/drivers/pake.h b/tests/include/test/drivers/pake.h new file mode 100644 index 000000000..81e87113b --- /dev/null +++ b/tests/include/test/drivers/pake.h 
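Review bot: The `#endif /* MBEDTLS_PSA_BUILTIN_PAKE */` kept as context in psa_driver_wrapper_pake_abort() now closes the `#if` added inside the switch, and no hunk of this patch removes the `#if defined(MBEDTLS_PSA_BUILTIN_PAKE)` that an earlier patch in the series appears to have placed just above psa_driver_wrapper_pake_setup(). If that opening line is still in the template, the conditionals no longer balance. Even once balanced, it would compile every PAKE wrapper out when the built-in implementation is disabled, which defeats the accelerator paths added here. Remove the outer `#if defined(MBEDTLS_PSA_BUILTIN_PAKE)` line so that only the `case PSA_CRYPTO_MBED_TLS_DRIVER_ID:` branches depend on it.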
@@ -0,0 +1,140 @@ +/* + * Test driver for PAKE driver entry points. + */ +/* Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef PSA_CRYPTO_TEST_DRIVERS_PAKE_H +#define PSA_CRYPTO_TEST_DRIVERS_PAKE_H + +#include "mbedtls/build_info.h" + +#if defined(PSA_CRYPTO_DRIVER_TEST) +#include + +typedef struct { + /* If not PSA_SUCCESS, return this error code instead of processing the + * function call. */ + psa_status_t forced_status; + /* Count the amount of times PAKE driver functions are called. */ + unsigned long hits; + /* Status returned by the last PAKE driver function call. 
*/ + psa_status_t driver_status; + /* Output returned by pake_output */ + void *forced_output; + size_t forced_output_length; +} mbedtls_test_driver_pake_hooks_t; + +#define MBEDTLS_TEST_DRIVER_PAKE_INIT { 0, 0, 0, NULL, 0 } +static inline mbedtls_test_driver_pake_hooks_t +mbedtls_test_driver_pake_hooks_init(void) +{ + const mbedtls_test_driver_pake_hooks_t v = MBEDTLS_TEST_DRIVER_PAKE_INIT; + return v; +} + +extern mbedtls_test_driver_pake_hooks_t mbedtls_test_driver_pake_hooks; + +psa_status_t mbedtls_test_transparent_pake_setup( + mbedtls_transparent_test_driver_pake_operation_t *operation, + const psa_pake_cipher_suite_t *cipher_suite); + +psa_status_t mbedtls_test_transparent_set_password_key( + const psa_key_attributes_t *attributes, + mbedtls_transparent_test_driver_pake_operation_t *operation, + uint8_t *key_buffer, + size_t key_size); + +psa_status_t mbedtls_test_transparent_pake_set_user( + mbedtls_transparent_test_driver_pake_operation_t *operation, + const uint8_t *user_id, + size_t user_id_len); + +psa_status_t mbedtls_test_transparent_pake_set_peer( + mbedtls_transparent_test_driver_pake_operation_t *operation, + const uint8_t *peer_id, + size_t peer_id_len); + +psa_status_t mbedtls_test_transparent_pake_set_role( + mbedtls_transparent_test_driver_pake_operation_t *operation, + psa_pake_role_t role); + +psa_status_t mbedtls_test_transparent_pake_output( + mbedtls_transparent_test_driver_pake_operation_t *operation, + psa_pake_step_t step, + uint8_t *output, + size_t output_size, + size_t *output_length); + +psa_status_t mbedtls_test_transparent_pake_input( + mbedtls_transparent_test_driver_pake_operation_t *operation, + psa_pake_step_t step, + const uint8_t *input, + size_t input_length); + +psa_status_t mbedtls_test_transparent_pake_get_implicit_key( + mbedtls_transparent_test_driver_pake_operation_t *operation, + psa_key_derivation_operation_t *output); + +psa_status_t mbedtls_test_transparent_pake_abort( + 
mbedtls_transparent_test_driver_pake_operation_t *operation); + +psa_status_t mbedtls_test_opaque_pake_setup( + mbedtls_opaque_test_driver_pake_operation_t *operation, + const psa_pake_cipher_suite_t *cipher_suite); + +psa_status_t mbedtls_test_opaque_set_password_key( + const psa_key_attributes_t *attributes, + mbedtls_opaque_test_driver_pake_operation_t *operation, + uint8_t *key_buffer, + size_t key_size); + +psa_status_t mbedtls_test_opaque_pake_set_user( + mbedtls_opaque_test_driver_pake_operation_t *operation, + const uint8_t *user_id, + size_t user_id_len); + +psa_status_t mbedtls_test_opaque_pake_set_peer( + mbedtls_opaque_test_driver_pake_operation_t *operation, + const uint8_t *peer_id, + size_t peer_id_len); + +psa_status_t mbedtls_test_opaque_pake_set_role( + mbedtls_opaque_test_driver_pake_operation_t *operation, + psa_pake_role_t role); + +psa_status_t mbedtls_test_opaque_pake_output( + mbedtls_opaque_test_driver_pake_operation_t *operation, + psa_pake_step_t step, + uint8_t *output, + size_t output_size, + size_t *output_length); + +psa_status_t mbedtls_test_opaque_pake_input( + mbedtls_opaque_test_driver_pake_operation_t *operation, + psa_pake_step_t step, + const uint8_t *input, + size_t input_length); + +psa_status_t mbedtls_test_opaque_pake_get_implicit_key( + mbedtls_opaque_test_driver_pake_operation_t *operation, + psa_key_derivation_operation_t *output); + +psa_status_t mbedtls_test_opaque_pake_abort( + mbedtls_opaque_test_driver_pake_operation_t *operation); + +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_TEST_DRIVERS_PAKE_H */ diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c new file mode 100644 index 000000000..1ced55936 --- /dev/null +++ b/tests/src/drivers/test_driver_pake.c 
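Review bot: `key_buffer` is declared `uint8_t *` in both mbedtls_test_transparent_set_password_key() and mbedtls_test_opaque_set_password_key(), which lets a driver entry point write to the buffer holding the password. Unless a driver is meant to modify it, declare it `const uint8_t *key_buffer` here and in the matching psa_driver_wrapper_pake_set_password_key() prototype. These two names also lack the `pake_` infix that every other entry point in this header carries; `mbedtls_test_transparent_pake_set_password_key` and `mbedtls_test_opaque_pake_set_password_key` would be consistent.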
@@ -0,0 +1,428 @@
+/*
+ * Test driver for MAC entry points.
+ */
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include
+
+#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST)
+#include "psa_crypto_pake.h"
+
+#include "test/drivers/pake.h"
+#include "string.h"
+
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
+#include "libtestdriver1/library/psa_crypto_pake.h"
+#endif
+
+mbedtls_test_driver_pake_hooks_t mbedtls_test_driver_pake_hooks =
+ MBEDTLS_TEST_DRIVER_PAKE_INIT;
+
+
+psa_status_t mbedtls_test_transparent_pake_setup(
+ mbedtls_transparent_test_driver_pake_operation_t *operation,
+ const psa_pake_cipher_suite_t *cipher_suite)
+{
+ mbedtls_test_driver_pake_hooks.hits++;
+
+ if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) {
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_test_driver_pake_hooks.forced_status;
+ } else {
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_pake_setup(
+ operation, (const libtestdriver1_psa_pake_cipher_suite_t *) cipher_suite);
+#elif defined(MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_psa_pake_setup(
+ operation, cipher_suite);
+#else
+ (void) operation;
+ (void) cipher_suite;
+ mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED;
+#endif
+ }
+
+ return mbedtls_test_driver_pake_hooks.driver_status;
+}
+
+psa_status_t mbedtls_test_transparent_set_password_key(
+ const psa_key_attributes_t *attributes,
+ mbedtls_transparent_test_driver_pake_operation_t *operation,
+ uint8_t *key_buffer,
+ size_t key_size)
+{
+ mbedtls_test_driver_pake_hooks.hits++;
+
+ if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) {
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_test_driver_pake_hooks.forced_status;
+ } else {
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_pake_set_password_key(
+ (const libtestdriver1_psa_key_attributes_t *) attributes,
+ operation, key_buffer, key_size);
+#elif defined(MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_psa_pake_set_password_key(
+ attributes, operation, key_buffer, key_size);
+#else
+ (void) operation;
+ (void) key_buffer,
+ (void) key_size;
+ mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED;
+#endif
+ }
+
+ return mbedtls_test_driver_pake_hooks.driver_status;
+}
+
+psa_status_t mbedtls_test_transparent_pake_set_user(
+ mbedtls_transparent_test_driver_pake_operation_t *operation,
+ const uint8_t *user_id,
+ size_t user_id_len)
+{
+ mbedtls_test_driver_pake_hooks.hits++;
+
+ if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) {
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_test_driver_pake_hooks.forced_status;
+ } else {
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_pake_set_user(
+ operation, user_id, user_id_len);
+#elif defined(MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_psa_pake_set_user(
+ operation, user_id, user_id_len);
+#else
+ (void) operation;
+ (void) user_id;
+ (void) user_id_len;
+ mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED;
+#endif
+ }
+
+ return mbedtls_test_driver_pake_hooks.driver_status;
+}
+
+
+psa_status_t mbedtls_test_transparent_pake_set_peer(
+ mbedtls_transparent_test_driver_pake_operation_t *operation,
+ const uint8_t *peer_id,
+ size_t peer_id_len)
+{
+ mbedtls_test_driver_pake_hooks.hits++;
+
+ if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) {
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_test_driver_pake_hooks.forced_status;
+ } else {
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_pake_set_peer(
+ operation, peer_id, peer_id_len);
+#elif defined(MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_psa_pake_set_peer(
+ operation, peer_id, peer_id_len);
+#else
+ (void) operation;
+ (void) peer_id;
+ (void) peer_id_len;
+ mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED;
+#endif
+ }
+
+ return mbedtls_test_driver_pake_hooks.driver_status;
+}
+
+psa_status_t mbedtls_test_transparent_pake_set_role(
+ mbedtls_transparent_test_driver_pake_operation_t *operation,
+ psa_pake_role_t role)
+{
+ mbedtls_test_driver_pake_hooks.hits++;
+
+ if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) {
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_test_driver_pake_hooks.forced_status;
+ } else {
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_pake_set_role(
+ operation, role);
+#elif defined(MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_psa_pake_set_role(
+ operation, role);
+#else
+ (void) operation;
+ (void) role;
+ mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED;
+#endif
+ }
+
+ return mbedtls_test_driver_pake_hooks.driver_status;
+}
+
+psa_status_t mbedtls_test_transparent_pake_output(
+ mbedtls_transparent_test_driver_pake_operation_t *operation,
+ psa_pake_step_t step,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ mbedtls_test_driver_pake_hooks.hits++;
+
+ if (mbedtls_test_driver_pake_hooks.forced_output != NULL) {
+ if (output_size < mbedtls_test_driver_pake_hooks.forced_output_length) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(output,
+ mbedtls_test_driver_pake_hooks.forced_output,
+ mbedtls_test_driver_pake_hooks.forced_output_length);
+ *output_length = mbedtls_test_driver_pake_hooks.forced_output_length;
+
+ return mbedtls_test_driver_pake_hooks.forced_status;
+ }
+
+ if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) {
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_test_driver_pake_hooks.forced_status;
+ } else {
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_pake_output(
+ operation, step, output, output_size, output_length);
+#elif defined(MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_psa_pake_output(
+ operation, step, output, output_size, output_length);
+#else
+ (void) operation;
+ (void) step;
+ (void) output;
+ (void) output_size;
+ (void) output_length;
+ mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED;
+#endif
+ }
+
+ return mbedtls_test_driver_pake_hooks.driver_status;
+}
+
+psa_status_t mbedtls_test_transparent_pake_input(
+ mbedtls_transparent_test_driver_pake_operation_t *operation,
+ psa_pake_step_t step,
+ const uint8_t *input,
+ size_t input_length)
+{
+ mbedtls_test_driver_pake_hooks.hits++;
+
+ if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) {
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_test_driver_pake_hooks.forced_status;
+ } else {
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_pake_input(
+ operation, step, input, input_length);
+#elif defined(MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_psa_pake_input(
+ operation, step, input, input_length);
+#else
+ (void) operation;
+ (void) step;
+ (void) input;
+ (void) input_length;
+ mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED;
+#endif
+ }
+
+ return mbedtls_test_driver_pake_hooks.driver_status;
+}
+
+psa_status_t mbedtls_test_transparent_pake_get_implicit_key(
+ mbedtls_transparent_test_driver_pake_operation_t *operation,
+ psa_key_derivation_operation_t *output)
+{
+ mbedtls_test_driver_pake_hooks.hits++;
+
+ if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) {
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_test_driver_pake_hooks.forced_status;
+ } else {
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_pake_get_implicit_key(
+ operation, (libtestdriver1_psa_key_derivation_operation_t *) output);
+#elif defined(MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_psa_pake_get_implicit_key(
+ operation, output);
+#else
+ (void) operation;
+ (void) output;
+ mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED;
+#endif
+ }
+
+ return mbedtls_test_driver_pake_hooks.driver_status;
+}
+
+psa_status_t mbedtls_test_transparent_pake_abort(
+ mbedtls_transparent_test_driver_pake_operation_t *operation)
+{
+ mbedtls_test_driver_pake_hooks.hits++;
+
+ if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) {
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_test_driver_pake_hooks.forced_status;
+ } else {
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ libtestdriver1_mbedtls_psa_pake_abort(
+ operation);
+#elif defined(MBEDTLS_PSA_BUILTIN_PAKE)
+ mbedtls_test_driver_pake_hooks.driver_status =
+ mbedtls_psa_pake_abort(
+ operation);
+#else
+ (void) operation;
+ mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED;
+#endif
+ }
+
+ return mbedtls_test_driver_pake_hooks.driver_status;
+}
+
+/*
+ * opaque versions, to do
+ */
+psa_status_t mbedtls_test_opaque_pake_setup(
+ mbedtls_opaque_test_driver_pake_operation_t *operation,
+ const psa_pake_cipher_suite_t *cipher_suite)
+{
+ (void) operation;
+ (void) cipher_suite;
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t mbedtls_test_opaque_set_password_key(
+ const psa_key_attributes_t *attributes,
+ mbedtls_opaque_test_driver_pake_operation_t *operation,
+ uint8_t *key_buffer,
+ size_t key_size)
+{
+ (void) attributes;
+ (void) operation;
+ (void) key_buffer;
+ (void) key_size;
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t mbedtls_test_opaque_pake_set_user(
+ mbedtls_opaque_test_driver_pake_operation_t *operation,
+ const uint8_t *user_id,
+ size_t user_id_len)
+{
+ (void) operation;
+ (void) user_id;
+ (void) user_id_len;
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t mbedtls_test_opaque_pake_set_peer(
+ mbedtls_opaque_test_driver_pake_operation_t *operation,
+ const uint8_t *peer_id,
+ size_t peer_id_len)
+{
+ (void) operation;
+ (void) peer_id;
+ (void) peer_id_len;
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t mbedtls_test_opaque_pake_set_role(
+ mbedtls_opaque_test_driver_pake_operation_t *operation,
+ psa_pake_role_t role)
+{
+ (void) operation;
+ (void) role;
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t mbedtls_test_opaque_pake_output(
+ mbedtls_opaque_test_driver_pake_operation_t *operation,
+ psa_pake_step_t step,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length) +{ + (void) operation; + (void) step; + (void) output; + (void) output_size; + (void) output_length; + + return PSA_ERROR_NOT_SUPPORTED; +} + +psa_status_t mbedtls_test_opaque_pake_input( + mbedtls_opaque_test_driver_pake_operation_t *operation, + psa_pake_step_t step, + const uint8_t *input, + size_t input_length) +{ + (void) operation; + (void) step; + (void) input; + (void) input_length; + return PSA_ERROR_NOT_SUPPORTED; +} + +psa_status_t mbedtls_test_opaque_pake_get_implicit_key( + mbedtls_opaque_test_driver_pake_operation_t *operation, + psa_key_derivation_operation_t *output) +{ + (void) operation; + (void) output; + return PSA_ERROR_NOT_SUPPORTED; +} + +psa_status_t mbedtls_test_opaque_pake_abort( + mbedtls_opaque_test_driver_pake_operation_t *operation) +{ + (void) operation; + return PSA_ERROR_NOT_SUPPORTED; +} + +#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ From 03790029a6c6628a9a712d976281ccd2f46d04b4 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 22 Nov 2022 13:54:44 +0100 Subject: [PATCH 07/75] Add test components to test accelerated pake and fallback Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 61 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7d91fa27d..e75767475 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
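Review bot: In the `#else` branch of `mbedtls_test_transparent_set_password_key`, `(void) key_buffer,` ends in a comma instead of a semicolon and `attributes` is never marked unused, unlike the opaque stub of the same function further down. If the build enables unused-parameter warnings, a configuration with neither PAKE implementation would fail under `-Werror`; the branch should start with `(void) attributes;` and use `(void) key_buffer;`. The file's opening comment still reads `Test driver for MAC entry points.` and should name PAKE. In `mbedtls_test_transparent_pake_output` the forced-output path returns without updating `driver_status`, which every other path in the file does; a one-line comment would help if that is intended.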
@@ -2493,6 +2493,67 @@ component_test_psa_crypto_config_accel_aead () { make test } +component_test_psa_crypto_config_accel_pake () { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" + + # Start with full + scripts/config.py full + + # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having + # partial support for cipher operations in the driver test library. + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING + + loc_accel_list="ALG_JPAKE" + loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) + make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" + + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + + scripts/config.py unset MBEDTLS_ECJPAKE_C + + loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" + make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" + + msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" + tests/ssl-opt.sh -f "ECJPAKE" + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" + make test +} + +component_test_psa_crypto_config_accel_pake_no_fallback () { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" + + # Start with full + scripts/config.py full + + # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having + # partial support for cipher operations in the driver test library. 
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING + + loc_accel_list="ALG_JPAKE" + loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) + make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" + + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + + scripts/config.py unset MBEDTLS_ECJPAKE_C + + # Make build-in fallback not available + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_JPAKE + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + + loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" + make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" + make test +} + component_test_psa_crypto_config_no_driver() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS" From d91bcb76737dc4efc65cc3db6154524532b1f5bd Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 22 Nov 2022 14:00:51 +0100 Subject: [PATCH 08/75] Refactor structures for pake driver support Signed-off-by: Przemek Stekiel --- include/psa/crypto_builtin_primitives.h | 38 ++++++++++++++++ .../psa/crypto_driver_contexts_primitives.h | 37 +++++++++++++++ include/psa/crypto_extra.h | 45 ++++--------------- 3 files changed, 84 insertions(+), 36 deletions(-) diff --git a/include/psa/crypto_builtin_primitives.h b/include/psa/crypto_builtin_primitives.h index c76bc7814..2830b61e6 100644 --- a/include/psa/crypto_builtin_primitives.h +++ b/include/psa/crypto_builtin_primitives.h 
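Review bot: `component_test_psa_crypto_config_accel_pake_no_fallback` unsets `PSA_WANT_ALG_JPAKE` and `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED`, which as far as this hunk shows drops J-PAKE from the requested configuration rather than only removing the built-in fallback, so the following `make test` may skip the PAKE cases instead of running them through the driver. Neither component verifies after the build that the built-in EC J-PAKE code is really absent from the library, so a change that silently links it back in would still pass. Both components print the same `msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE"`, the first time before anything is built; distinct messages such as `msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE, no fallback"` would make the logs attributable. The comment `# Make build-in fallback not available` should say `built-in`.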
@@ -111,4 +111,42 @@ typedef struct { #define MBEDTLS_PSA_CIPHER_OPERATION_INIT { 0, 0, 0, { 0 } } + +/* EC-JPAKE operation definitions */ + +#include "mbedtls/ecjpake.h" + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#define MBEDTLS_PSA_BUILTIN_PAKE 1 +#endif + +/* Note: the format for mbedtls_ecjpake_read/write function has an extra + * length byte for each step, plus an extra 3 bytes for ECParameters in the + * server's 2nd round. */ +#define MBEDTLS_PSA_PAKE_BUFFER_SIZE ((3 + 1 + 65 + 1 + 65 + 1 + 32) * 2) + +typedef struct { + psa_algorithm_t MBEDTLS_PRIVATE(alg); + unsigned int MBEDTLS_PRIVATE(state); + unsigned int MBEDTLS_PRIVATE(sequence); +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) + unsigned int MBEDTLS_PRIVATE(input_step); + unsigned int MBEDTLS_PRIVATE(output_step); + uint8_t *MBEDTLS_PRIVATE(password); + size_t MBEDTLS_PRIVATE(password_len); + uint8_t MBEDTLS_PRIVATE(role); + uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_PAKE_BUFFER_SIZE]); + size_t MBEDTLS_PRIVATE(buffer_length); + size_t MBEDTLS_PRIVATE(buffer_offset); +#endif + /* Context structure for the Mbed TLS EC-JPAKE implementation. */ + union { + unsigned int MBEDTLS_PRIVATE(dummy); + mbedtls_ecjpake_context MBEDTLS_PRIVATE(pake); + } MBEDTLS_PRIVATE(ctx); + +} mbedtls_psa_pake_operation_t; + +#define MBEDTLS_PSA_PAKE_OPERATION_INIT { { 0 } } + #endif /* PSA_CRYPTO_BUILTIN_PRIMITIVES_H */ diff --git a/include/psa/crypto_driver_contexts_primitives.h b/include/psa/crypto_driver_contexts_primitives.h index 620a4b3a7..7d096208b 100644 --- a/include/psa/crypto_driver_contexts_primitives.h +++ b/include/psa/crypto_driver_contexts_primitives.h @@ -45,6 +45,8 @@ #include #endif +#include "mbedtls/ecjpake.h" + #if defined(PSA_CRYPTO_DRIVER_TEST) #if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ 
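Review bot: `mbedtls_psa_pake_operation_t` embeds `mbedtls_ecjpake_context` and includes `mbedtls/ecjpake.h` unconditionally, whereas the definition this replaces (removed from `crypto_extra.h` later in the same patch) only did so under `MBEDTLS_PSA_BUILTIN_ALG_JPAKE`; the next file's first hunk adds the same unguarded include. Restoring the guard around the `pake` union member and the include keeps the operation context small when J-PAKE is accelerated or disabled. `#define MBEDTLS_PSA_PAKE_OPERATION_INIT { { 0 } }` puts nested braces around the first member, the scalar `alg`, so the initializer no longer mirrors the struct; `{ 0 }` expresses the same zero-initialization. Since `password` holds a heap copy of key material, a comment on that field stating that the operation owns it and that abort must zeroize and free it would document the contract for maintainers.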
@@ -87,6 +89,32 @@ typedef struct { #define MBEDTLS_OPAQUE_TEST_DRIVER_CIPHER_OPERATION_INIT \ { 0, MBEDTLS_TRANSPARENT_TEST_DRIVER_CIPHER_OPERATION_INIT } +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) + +typedef libtestdriver1_mbedtls_psa_pake_operation_t + mbedtls_transparent_test_driver_pake_operation_t; +typedef libtestdriver1_psa_pake_operation_t + mbedtls_opaque_test_driver_pake_operation_t; + +#define MBEDTLS_TRANSPARENT_TEST_DRIVER_PAKE_OPERATION_INIT \ + LIBTESTDRIVER1_MBEDTLS_PSA_PAKE_OPERATION_INIT +#define MBEDTLS_OPAQUE_TEST_DRIVER_PAKE_OPERATION_INIT \ + LIBTESTDRIVER1_MBEDTLS_PSA_PAKE_OPERATION_INIT + +#else +typedef mbedtls_psa_pake_operation_t + mbedtls_transparent_test_driver_pake_operation_t; +typedef mbedtls_psa_pake_operation_t + mbedtls_opaque_test_driver_pake_operation_t; + +#define MBEDTLS_TRANSPARENT_TEST_DRIVER_PAKE_OPERATION_INIT \ + MBEDTLS_PSA_PAKE_OPERATION_INIT +#define MBEDTLS_OPAQUE_TEST_DRIVER_PAKE_OPERATION_INIT \ + MBEDTLS_PSA_PAKE_OPERATION_INIT + +#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 && LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE */ + #endif /* PSA_CRYPTO_DRIVER_TEST */ /* Define the context to be used for an operation that is executed through the @@ -113,5 +141,14 @@ typedef union { #endif } psa_driver_cipher_context_t; +typedef union { + unsigned dummy; /* Make sure this union is always non-empty */ + mbedtls_psa_pake_operation_t mbedtls_ctx; +#if defined(PSA_CRYPTO_DRIVER_TEST) + mbedtls_transparent_test_driver_pake_operation_t transparent_test_driver_ctx; + mbedtls_opaque_test_driver_pake_operation_t opaque_test_driver_ctx; +#endif +} psa_driver_pake_context_t; + #endif /* PSA_CRYPTO_DRIVER_CONTEXTS_PRIMITIVES_H */ /* End of automatically generated file. */ diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index bd1b5af56..da74bed17 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h 
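Review bot: In the libtestdriver1 branch the opaque context is typedef'd to `libtestdriver1_psa_pake_operation_t`, but `MBEDTLS_OPAQUE_TEST_DRIVER_PAKE_OPERATION_INIT` expands to `LIBTESTDRIVER1_MBEDTLS_PSA_PAKE_OPERATION_INIT`, the initializer of the transparent type `libtestdriver1_mbedtls_psa_pake_operation_t`. The `#else` branch uses `mbedtls_psa_pake_operation_t` for both typedefs, so the mismatch looks accidental. I would make the opaque typedef `typedef libtestdriver1_mbedtls_psa_pake_operation_t mbedtls_opaque_test_driver_pake_operation_t;` so type and initializer agree in both branches.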
@@ -1826,14 +1826,7 @@ psa_status_t psa_pake_abort(psa_pake_operation_t *operation); /** Returns a suitable initializer for a PAKE operation object of type * psa_pake_operation_t. */ -#if defined(MBEDTLS_PSA_BUILTIN_PAKE) -#define PSA_PAKE_OPERATION_INIT { PSA_ALG_NONE, 0, 0, 0, 0, \ - NULL, 0, \ - PSA_PAKE_ROLE_NONE, { 0 }, 0, 0, \ - { .dummy = 0 } } -#else -#define PSA_PAKE_OPERATION_INIT { PSA_ALG_NONE, 0, 0, { 0 } } -#endif +#define PSA_PAKE_OPERATION_INIT { 0, { .dummy = 0 } } struct psa_pake_cipher_suite_s { psa_algorithm_t algorithm; 
@@ -1904,35 +1897,15 @@ static inline void psa_pake_cs_set_hash(psa_pake_cipher_suite_t *cipher_suite, } } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) -#include -/* Note: the format for mbedtls_ecjpake_read/write function has an extra - * length byte for each step, plus an extra 3 bytes for ECParameters in the - * server's 2nd round. */ -#define MBEDTLS_PSA_PAKE_BUFFER_SIZE ((3 + 1 + 65 + 1 + 65 + 1 + 32) * 2) -#endif - struct psa_pake_operation_s { - psa_algorithm_t MBEDTLS_PRIVATE(alg); - unsigned int MBEDTLS_PRIVATE(state); - unsigned int MBEDTLS_PRIVATE(sequence); -#if defined(MBEDTLS_PSA_BUILTIN_PAKE) - unsigned int MBEDTLS_PRIVATE(input_step); - unsigned int MBEDTLS_PRIVATE(output_step); - uint8_t *MBEDTLS_PRIVATE(password); - size_t MBEDTLS_PRIVATE(password_len); - psa_pake_role_t MBEDTLS_PRIVATE(role); - uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_PAKE_BUFFER_SIZE]); - size_t MBEDTLS_PRIVATE(buffer_length); - size_t MBEDTLS_PRIVATE(buffer_offset); -#endif - union { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) - mbedtls_ecjpake_context ecjpake; -#endif - /* Make the union non-empty even with no supported algorithms. */ - uint8_t dummy; - } MBEDTLS_PRIVATE(ctx); + /** Unique ID indicating which driver got assigned to do the + * operation. Since driver contexts are driver-specific, swapping + * drivers halfway through the operation is not supported. + * ID values are auto-generated in psa_crypto_driver_wrappers.h + * ID value zero means the context is not valid or not assigned to + * any driver (i.e. none of the driver contexts are active). */ + unsigned int MBEDTLS_PRIVATE(id); + psa_driver_pake_context_t MBEDTLS_PRIVATE(ctx); }; static inline struct psa_pake_cipher_suite_s psa_pake_cipher_suite_init(void) From 6c7644150ac411b3ebc5fe94d9de064de6fee363 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 22 Nov 2022 14:05:12 +0100 Subject: [PATCH 09/75] Adapt pake impl for driver dispatch 
Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 64 ++++++--------- library/psa_crypto_pake.c | 162 +++++++++++++++++++++++--------------- library/psa_crypto_pake.h | 34 ++++---- 3 files changed, 138 insertions(+), 122 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 3494ae730..8dc1a21fc 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -5072,13 +5072,13 @@ psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation) operation->ctx.tls12_prf.label_length); mbedtls_free(operation->ctx.tls12_prf.label); } - +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) if (operation->ctx.tls12_prf.other_secret != NULL) { mbedtls_platform_zeroize(operation->ctx.tls12_prf.other_secret, operation->ctx.tls12_prf.other_secret_length); mbedtls_free(operation->ctx.tls12_prf.other_secret); } - +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ status = PSA_SUCCESS; /* We leave the fields Ai and output_block to be erased safely by the @@ -7163,24 +7163,10 @@ exit: return status; } -#if defined(MBEDTLS_PSA_BUILTIN_PAKE) psa_status_t psa_pake_setup( psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite) { - /* A context must be freshly initialized before it can be set up. */ - if (operation->alg != PSA_ALG_NONE) { - return PSA_ERROR_BAD_STATE; - } - - if (cipher_suite == NULL || - PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 || - (cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC && - cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_DH) || - PSA_ALG_IS_HASH(cipher_suite->hash) == 0) { - return PSA_ERROR_INVALID_ARGUMENT; - } - return psa_driver_wrapper_pake_setup(operation, cipher_suite); } 
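Review bot: `psa_pake_setup` no longer rejects an operation that is already active: the removed `operation->alg != PSA_ALG_NONE` test has no `operation->id != 0` counterpart, although every other entry point in this file now tests `id`. Unless `psa_driver_wrapper_pake_setup` (not shown here) performs it, a second setup on a live operation would overwrite the driver context, including any password buffer it owns, without an abort. I would keep `if (operation->id != 0) { return PSA_ERROR_BAD_STATE; }` and the `cipher_suite == NULL` check in the core, so they hold regardless of which driver is selected.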
@@ -7189,34 +7175,30 @@ psa_status_t psa_pake_set_password_key( mbedtls_svc_key_id_t password) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_attributes_t attributes = psa_key_attributes_init(); - psa_key_type_t type; - psa_key_usage_t usage; + psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; + psa_key_slot_t *slot = NULL; - if (operation->alg == PSA_ALG_NONE) { + if (operation->id == 0) { return PSA_ERROR_BAD_STATE; } - status = psa_get_key_attributes(password, &attributes); + status = psa_get_and_lock_key_slot_with_policy(password, &slot, + PSA_KEY_USAGE_DERIVE, + PSA_ALG_JPAKE); if (status != PSA_SUCCESS) { return status; } - type = psa_get_key_type(&attributes); - usage = psa_get_key_usage_flags(&attributes); + psa_key_attributes_t attributes = { + .core = slot->attr + }; - psa_reset_key_attributes(&attributes); + status = psa_driver_wrapper_pake_set_password_key(&attributes, operation, + slot->key.data, slot->key.bytes); - if (type != PSA_KEY_TYPE_PASSWORD && - type != PSA_KEY_TYPE_PASSWORD_HASH) { - return PSA_ERROR_INVALID_ARGUMENT; - } + unlock_status = psa_unlock_key_slot(slot); - if ((usage & PSA_KEY_USAGE_DERIVE) == 0) { - return PSA_ERROR_NOT_PERMITTED; - } - - return psa_driver_wrapper_pake_set_password_key(operation, password); + return (status == PSA_SUCCESS) ? unlock_status : status; } psa_status_t psa_pake_set_user( @@ -7224,7 +7206,7 @@ psa_status_t psa_pake_set_user( const uint8_t *user_id, size_t user_id_len) { - if (operation->alg == PSA_ALG_NONE) { + if (operation->id == 0) { return PSA_ERROR_BAD_STATE; } @@ -7241,7 +7223,7 @@ psa_status_t psa_pake_set_peer( const uint8_t *peer_id, size_t peer_id_len) { - if (operation->alg == PSA_ALG_NONE) { + if (operation->id == 0) { return PSA_ERROR_BAD_STATE; } @@ -7257,7 +7239,7 @@ psa_status_t psa_pake_set_role( psa_pake_operation_t *operation, psa_pake_role_t role) { - if (operation->alg == PSA_ALG_NONE) { + if (operation->id == 0) { return PSA_ERROR_BAD_STATE; } 
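Review bot: The key-type check (`PSA_KEY_TYPE_PASSWORD` / `PSA_KEY_TYPE_PASSWORD_HASH`) is removed from `psa_pake_set_password_key` and, within this patch, survives only inside the built-in driver, so whether a non-password key is refused now depends on each driver repeating it. Checking `slot->attr.type` here before the dispatch (and unlocking the slot on rejection) keeps that policy in the core. `slot->key.data` is also handed to the driver through a non-const `uint8_t *key_buffer`, giving driver code write access to the stored key; `const uint8_t *` in the wrapper and driver prototypes would match how the buffer is used in `mbedtls_psa_pake_set_password_key`. The hard-coded `PSA_ALG_JPAKE` in the policy lookup deserves a comment, since the core operation no longer records which algorithm was set up.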
@@ -7279,7 +7261,7 @@ psa_status_t psa_pake_output( size_t output_size, size_t *output_length) { - if (operation->alg == PSA_ALG_NONE) { + if (operation->id == 0) { return PSA_ERROR_BAD_STATE; } @@ -7297,7 +7279,7 @@ psa_status_t psa_pake_input( const uint8_t *input, size_t input_length) { - if (operation->alg == PSA_ALG_NONE) { + if (operation->id == 0) { return PSA_ERROR_BAD_STATE; } @@ -7313,7 +7295,7 @@ psa_status_t psa_pake_get_implicit_key( psa_pake_operation_t *operation, psa_key_derivation_operation_t *output) { - if (operation->alg == PSA_ALG_NONE) { + if (operation->id == 0) { return PSA_ERROR_BAD_STATE; } @@ -7323,12 +7305,12 @@ psa_status_t psa_pake_get_implicit_key( psa_status_t psa_pake_abort( psa_pake_operation_t *operation) { - if (operation->alg == PSA_ALG_NONE) { + /* Aborting a non-active operation is allowed */ + if (operation->id == 0) { return PSA_SUCCESS; } return psa_driver_wrapper_pake_abort(operation); } -#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 0dafe786d..6c4db6f2d 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c 
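Review bot: `psa_pake_abort` returns the wrapper's status without clearing the core operation, so unless `psa_driver_wrapper_pake_abort` (not shown) resets `operation->id`, the object still looks active after an abort and later calls dispatch into a context the driver has already torn down. Capturing the status and doing `memset(operation, 0, sizeof(*operation));` before returning makes the post-abort state independent of the driver. The other hunks on this line only swap `alg == PSA_ALG_NONE` for `id == 0` and raise nothing further.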
@@ -191,9 +191,26 @@ static psa_status_t mbedtls_ecjpake_to_psa_error(int ret) #endif #if defined(MBEDTLS_PSA_BUILTIN_PAKE) -psa_status_t mbedtls_psa_pake_setup(psa_pake_operation_t *operation, +psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite) { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + /* A context must be freshly initialized before it can be set up. */ + if (operation->alg != PSA_ALG_NONE) { + status = PSA_ERROR_BAD_STATE; + goto error; + } + + if (cipher_suite == NULL || + PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 || + (cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC && + cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_DH) || + PSA_ALG_IS_HASH(cipher_suite->hash) == 0) { + status = PSA_ERROR_INVALID_ARGUMENT; + goto error; + } + #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (cipher_suite->algorithm == PSA_ALG_JPAKE) { if (cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC || @@ -206,12 +223,14 @@ psa_status_t mbedtls_psa_pake_setup(psa_pake_operation_t *operation, operation->alg = cipher_suite->algorithm; - mbedtls_ecjpake_init(&operation->ctx.ecjpake); + mbedtls_ecjpake_init(&operation->ctx.pake); operation->state = PSA_PAKE_STATE_SETUP; operation->sequence = PSA_PAKE_SEQ_INVALID; operation->input_step = PSA_PAKE_STEP_X1_X2; operation->output_step = PSA_PAKE_STEP_X1_X2; + operation->password_len = 0; + operation->password = NULL; mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); operation->buffer_length = 0; 
@@ -230,30 +249,14 @@ error: return status; } -psa_status_t mbedtls_psa_pake_set_password_key(psa_pake_operation_t *operation, - mbedtls_svc_key_id_t password) +psa_status_t mbedtls_psa_pake_set_password_key(const psa_key_attributes_t *attributes, + mbedtls_psa_pake_operation_t *operation, + uint8_t *password, + size_t password_len) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_attributes_t attributes = psa_key_attributes_init(); - psa_key_type_t type; - psa_key_usage_t usage; - psa_key_slot_t *slot = NULL; - - if (operation->alg == PSA_ALG_NONE || - operation->state != PSA_PAKE_STATE_SETUP) { - status = PSA_ERROR_BAD_STATE; - goto error; - } - - status = psa_get_key_attributes(password, &attributes); - if (status != PSA_SUCCESS) { - goto error; - } - - type = psa_get_key_type(&attributes); - usage = psa_get_key_usage_flags(&attributes); - - psa_reset_key_attributes(&attributes); + psa_key_type_t type = psa_get_key_type(attributes); + psa_key_usage_t usage = psa_get_key_usage_flags(attributes); if (type != PSA_KEY_TYPE_PASSWORD && type != PSA_KEY_TYPE_PASSWORD_HASH) { 
@@ -266,44 +269,48 @@ psa_status_t mbedtls_psa_pake_set_password_key(psa_pake_operation_t *operation, goto error; } + if (operation->alg == PSA_ALG_NONE) { + status = PSA_ERROR_BAD_STATE; + goto error; + } + + if (operation->state != PSA_PAKE_STATE_SETUP) { + status = PSA_ERROR_BAD_STATE; + goto error; + } + if (operation->password != NULL) { - return PSA_ERROR_BAD_STATE; + status = PSA_ERROR_BAD_STATE; + goto error; } - status = psa_get_and_lock_key_slot_with_policy(password, &slot, - PSA_KEY_USAGE_DERIVE, - PSA_ALG_JPAKE); - if (status != PSA_SUCCESS) { - return status; - } - - operation->password = mbedtls_calloc(1, slot->key.bytes); + operation->password = mbedtls_calloc(1, password_len); if (operation->password == NULL) { - psa_unlock_key_slot(slot); return PSA_ERROR_INSUFFICIENT_MEMORY; } - memcpy(operation->password, slot->key.data, slot->key.bytes); - operation->password_len = slot->key.bytes; - status = psa_unlock_key_slot(slot); - if (status != PSA_SUCCESS) { - return status; - } + memcpy(operation->password, password, password_len); + operation->password_len = password_len; return PSA_SUCCESS; error: - psa_pake_abort(operation); + mbedtls_psa_pake_abort(operation); return status; } -psa_status_t mbedtls_psa_pake_set_user(psa_pake_operation_t *operation, +psa_status_t mbedtls_psa_pake_set_user(mbedtls_psa_pake_operation_t *operation, const uint8_t *user_id, size_t user_id_len) { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; (void) user_id; (void) user_id_len; + if (operation->alg == PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + if (operation->state != PSA_PAKE_STATE_SETUP) { status = PSA_ERROR_BAD_STATE; goto error; 
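Review bot: The `operation->alg == PSA_ALG_NONE` check added to `mbedtls_psa_pake_set_user` returns directly, while the same check added to `mbedtls_psa_pake_set_password_key` in this hunk and to `set_peer` and `set_role` in the following hunks uses `status = PSA_ERROR_BAD_STATE; goto error;`; one form should be used throughout so the abort-on-error behaviour is uniform. In `set_password_key` the allocation-failure path still returns `PSA_ERROR_INSUFFICIENT_MEMORY` without passing through `error:`, which is now the odd one out among the failure paths. If a zero-length key can reach this point, `mbedtls_calloc(1, password_len)` may return NULL and be misreported as out of memory, so an explicit length check before the allocation is worth adding. The body of `mbedtls_psa_pake_set_user` continues past the end of this hunk.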
@@ -316,13 +323,19 @@ error: return status; } -psa_status_t mbedtls_psa_pake_set_peer(psa_pake_operation_t *operation, +psa_status_t mbedtls_psa_pake_set_peer(mbedtls_psa_pake_operation_t *operation, const uint8_t *peer_id, size_t peer_id_len) { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; (void) peer_id; (void) peer_id_len; + if (operation->alg == PSA_ALG_NONE) { + status = PSA_ERROR_BAD_STATE; + goto error; + } + if (operation->state != PSA_PAKE_STATE_SETUP) { status = PSA_ERROR_BAD_STATE; goto error; @@ -335,9 +348,15 @@ error: return status; } -psa_status_t mbedtls_psa_pake_set_role(psa_pake_operation_t *operation, +psa_status_t mbedtls_psa_pake_set_role(mbedtls_psa_pake_operation_t *operation, psa_pake_role_t role) { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + if (operation->alg == PSA_ALG_NONE) { + status = PSA_ERROR_BAD_STATE; + goto error; + } + if (operation->state != PSA_PAKE_STATE_SETUP) { status = PSA_ERROR_BAD_STATE; goto error; @@ -366,7 +385,7 @@ error: } #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) -static psa_status_t psa_pake_ecjpake_setup(psa_pake_operation_t *operation) +static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operation) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_ecjpake_role role; @@ -383,7 +402,7 @@ static psa_status_t psa_pake_ecjpake_setup(psa_pake_operation_t *operation) return PSA_ERROR_BAD_STATE; } - ret = mbedtls_ecjpake_setup(&operation->ctx.ecjpake, + ret = mbedtls_ecjpake_setup(&operation->ctx.pake, role, MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, @@ -406,7 +425,7 @@ static psa_status_t psa_pake_ecjpake_setup(psa_pake_operation_t *operation) #endif static psa_status_t mbedtls_psa_pake_output_internal( - psa_pake_operation_t *operation, + mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, uint8_t *output, size_t output_size, 
@@ -416,6 +435,10 @@ static psa_status_t mbedtls_psa_pake_output_internal( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; size_t length; + if (operation->alg == PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + if (operation->state == PSA_PAKE_STATE_INVALID) { return PSA_ERROR_BAD_STATE; } @@ -504,7 +527,7 @@ static psa_status_t mbedtls_psa_pake_output_internal( /* Initialize & write round on KEY_SHARE sequences */ if (operation->state == PSA_PAKE_OUTPUT_X1_X2 && operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) { - ret = mbedtls_ecjpake_write_round_one(&operation->ctx.ecjpake, + ret = mbedtls_ecjpake_write_round_one(&operation->ctx.pake, operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE, &operation->buffer_length, @@ -517,7 +540,7 @@ static psa_status_t mbedtls_psa_pake_output_internal( operation->buffer_offset = 0; } else if (operation->state == PSA_PAKE_OUTPUT_X2S && operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) { - ret = mbedtls_ecjpake_write_round_two(&operation->ctx.ecjpake, + ret = mbedtls_ecjpake_write_round_two(&operation->ctx.pake, operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE, &operation->buffer_length, @@ -594,7 +617,7 @@ static psa_status_t mbedtls_psa_pake_output_internal( { return PSA_ERROR_NOT_SUPPORTED; } } -psa_status_t mbedtls_psa_pake_output(psa_pake_operation_t *operation, +psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, uint8_t *output, size_t output_size, @@ -604,14 +627,14 @@ psa_status_t mbedtls_psa_pake_output(psa_pake_operation_t *operation, operation, step, output, output_size, output_length); if (status != PSA_SUCCESS) { - psa_pake_abort(operation); + mbedtls_psa_pake_abort(operation); } return status; } static psa_status_t mbedtls_psa_pake_input_internal( - psa_pake_operation_t *operation, + mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, const uint8_t *input, size_t input_length) 
@@ -619,6 +642,10 @@ static psa_status_t mbedtls_psa_pake_input_internal( int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + if (operation->alg == PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + if (operation->state == PSA_PAKE_STATE_INVALID) { return PSA_ERROR_BAD_STATE; } @@ -746,7 +773,7 @@ static psa_status_t mbedtls_psa_pake_input_internal( /* Load buffer at each last round ZK_PROOF */ if (operation->state == PSA_PAKE_INPUT_X1_X2 && operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) { - ret = mbedtls_ecjpake_read_round_one(&operation->ctx.ecjpake, + ret = mbedtls_ecjpake_read_round_one(&operation->ctx.pake, operation->buffer, operation->buffer_length); @@ -758,7 +785,7 @@ static psa_status_t mbedtls_psa_pake_input_internal( } } else if (operation->state == PSA_PAKE_INPUT_X4S && operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF) { - ret = mbedtls_ecjpake_read_round_two(&operation->ctx.ecjpake, + ret = mbedtls_ecjpake_read_round_two(&operation->ctx.pake, operation->buffer, operation->buffer_length); @@ -791,7 +818,7 @@ static psa_status_t mbedtls_psa_pake_input_internal( { return PSA_ERROR_NOT_SUPPORTED; } } -psa_status_t mbedtls_psa_pake_input(psa_pake_operation_t *operation, +psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, const uint8_t *input, size_t input_length) 
@@ -800,19 +827,23 @@ psa_status_t mbedtls_psa_pake_input(psa_pake_operation_t *operation, operation, step, input, input_length); if (status != PSA_SUCCESS) { - psa_pake_abort(operation); + mbedtls_psa_pake_abort(operation); } return status; } psa_status_t mbedtls_psa_pake_get_implicit_key( - psa_pake_operation_t *operation, + mbedtls_psa_pake_operation_t *operation, psa_key_derivation_operation_t *output) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + if (operation->alg == PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + if (operation->input_step != PSA_PAKE_STEP_DERIVE || operation->output_step != PSA_PAKE_STEP_DERIVE) { status = PSA_ERROR_BAD_STATE; @@ -821,14 +852,14 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { - ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.ecjpake, + ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.pake, operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE, &operation->buffer_length, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); if (ret != 0) { - psa_pake_abort(operation); + mbedtls_psa_pake_abort(operation); return mbedtls_ecjpake_to_psa_error(ret); } @@ -839,7 +870,7 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); - psa_pake_abort(operation); + mbedtls_psa_pake_abort(operation); return status; } else 
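Review bot: The new `PSA_ALG_NONE` guard in `mbedtls_psa_pake_get_implicit_key` returns `PSA_ERROR_BAD_STATE` directly, while the step check right below it sets the same status and presumably jumps to `error:`. That label, visible in the `@@ -850,14 +881,19 @@` hunk, calls `psa_key_derivation_abort(output)` before returning. A caller that receives BAD_STATE therefore finds `output` aborted in one case and untouched in the other. Writing `status = PSA_ERROR_BAD_STATE; goto error;` here would make the failure behaviour uniform. The function body continues outside this hunk.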
@@ -850,14 +881,19 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( error: psa_key_derivation_abort(output); - psa_pake_abort(operation); + mbedtls_psa_pake_abort(operation); return status; } -psa_status_t mbedtls_psa_pake_abort(psa_pake_operation_t *operation) +psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation) { + if (operation->alg == PSA_ALG_NONE) { + return PSA_SUCCESS; + } + #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) + if (operation->alg == PSA_ALG_JPAKE) { operation->input_step = PSA_PAKE_STEP_INVALID; operation->output_step = PSA_PAKE_STEP_INVALID; @@ -871,7 +907,7 @@ psa_status_t mbedtls_psa_pake_abort(psa_pake_operation_t *operation) mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); operation->buffer_length = 0; operation->buffer_offset = 0; - mbedtls_ecjpake_free(&operation->ctx.ecjpake); + mbedtls_ecjpake_free(&operation->ctx.pake); } #endif diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h index b61ddde10..c7bf270a5 100644 --- a/library/psa_crypto_pake.h +++ b/library/psa_crypto_pake.h @@ -93,14 +93,15 @@ * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t mbedtls_psa_pake_setup(psa_pake_operation_t *operation, +psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite); /** Set the password for a password-authenticated key exchange from key ID. * * Call this function when the password, or a value derived from the password, * is already present in the key store. - * + * \param[in] attributes The attributes of the key to use for the + * operation. * \param[in,out] operation The operation object to set the password for. It * must have been set up by psa_pake_setup() and * not yet in use (neither psa_pake_output() nor 
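Review bot: In the psa_crypto_pake.h hunk `@@ -93,14 +93,15 @@`, the doc comment for `mbedtls_psa_pake_set_password_key` still says the password is set "from key ID" and is "already present in the key store", but the function now receives the password bytes directly. The brief should say so, e.g. `Set the password for a password-authenticated key exchange from a key buffer.` The added `\param[in] attributes` line also replaces the blank ` *` separator, so the description paragraph runs into the parameter list. In the following `@@ -108,13 +109,8 @@` hunk, the new `\param password` and `\param password_len` entries drop the requirements the old text stated. I would document that `attributes` must describe a #PSA_KEY_TYPE_PASSWORD or #PSA_KEY_TYPE_PASSWORD_HASH key, as the .c file still checks, and that the buffer is copied into the operation rather than referenced.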
@@ -108,13 +109,8 @@ psa_status_t mbedtls_psa_pake_setup(psa_pake_operation_t *operation, * be on operation for which the password hasn't * been set yet (psa_pake_set_password_key() * hasn't been called yet). - * \param password Identifier of the key holding the password or a - * value derived from the password (eg. by a - * memory-hard function). It must remain valid - * until the operation terminates. It must be of - * type #PSA_KEY_TYPE_PASSWORD or - * #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow - * the usage #PSA_KEY_USAGE_DERIVE. + * \param password Buffer holding the password + * \param password_len Password buffer size * * \retval #PSA_SUCCESS * Success. @@ -142,8 +138,10 @@ psa_status_t mbedtls_psa_pake_setup(psa_pake_operation_t *operation, * results in this error code. */ psa_status_t mbedtls_psa_pake_set_password_key( - psa_pake_operation_t *operation, - mbedtls_svc_key_id_t password); + const psa_key_attributes_t *attributes, + mbedtls_psa_pake_operation_t *operation, + uint8_t *password, + size_t password_len); /** Set the user ID for a password-authenticated key exchange. * @@ -182,7 +180,7 @@ psa_status_t mbedtls_psa_pake_set_password_key( * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t mbedtls_psa_pake_set_user(psa_pake_operation_t *operation, +psa_status_t mbedtls_psa_pake_set_user(mbedtls_psa_pake_operation_t *operation, const uint8_t *user_id, size_t user_id_len); @@ -224,7 +222,7 @@ psa_status_t mbedtls_psa_pake_set_user(psa_pake_operation_t *operation, * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t mbedtls_psa_pake_set_peer(psa_pake_operation_t *operation, +psa_status_t mbedtls_psa_pake_set_peer(mbedtls_psa_pake_operation_t *operation, const uint8_t *peer_id, size_t peer_id_len); 
@@ -266,7 +264,7 @@ psa_status_t mbedtls_psa_pake_set_peer(psa_pake_operation_t *operation, * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t mbedtls_psa_pake_set_role(psa_pake_operation_t *operation, +psa_status_t mbedtls_psa_pake_set_role(mbedtls_psa_pake_operation_t *operation, psa_pake_role_t role); /** Get output for a step of a password-authenticated key exchange. @@ -324,7 +322,7 @@ psa_status_t mbedtls_psa_pake_set_role(psa_pake_operation_t *operation, * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t mbedtls_psa_pake_output(psa_pake_operation_t *operation, +psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, uint8_t *output, size_t output_size, @@ -379,7 +377,7 @@ psa_status_t mbedtls_psa_pake_output(psa_pake_operation_t *operation, * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t mbedtls_psa_pake_input(psa_pake_operation_t *operation, +psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, const uint8_t *input, size_t input_length); @@ -443,7 +441,7 @@ psa_status_t mbedtls_psa_pake_input(psa_pake_operation_t *operation, * results in this error code. */ psa_status_t mbedtls_psa_pake_get_implicit_key( - psa_pake_operation_t *operation, + mbedtls_psa_pake_operation_t *operation, psa_key_derivation_operation_t *output); /** Abort a PAKE operation. @@ -470,6 +468,6 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t mbedtls_psa_pake_abort(psa_pake_operation_t *operation); +psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation); #endif /* PSA_CRYPTO_PAKE_H */ From 6a9785f061fc6c712c93e932533ef1a641fcaa5e Mon Sep 17 00:00:00 2001 
From: Przemek Stekiel Date: Tue, 22 Nov 2022 14:11:31 +0100 Subject: [PATCH 10/75] Add pake.h to test driver header Signed-off-by: Przemek Stekiel --- tests/include/test/drivers/test_driver.h | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/include/test/drivers/test_driver.h b/tests/include/test/drivers/test_driver.h index 0a65b40bf..541ee03d0 100644 --- a/tests/include/test/drivers/test_driver.h +++ b/tests/include/test/drivers/test_driver.h @@ -38,6 +38,7 @@ #include "test/drivers/signature.h" #include "test/drivers/asymmetric_encryption.h" #include "test/drivers/key_agreement.h" +#include "test/drivers/pake.h" #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_TEST_DRIVER_H */ From 061a016c65ff5768297e7b4fee346603ee1dc24d Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 22 Nov 2022 14:16:36 +0100 Subject: [PATCH 11/75] Add ALG_TLS12_PRF, TLS12_PSK_TO_MS, LG_TLS12_ECJPAKE_TO_PMS support to test driver extensions Signed-off-by: Przemek Stekiel --- .../crypto_config_test_driver_extension.h | 26 +++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/tests/include/test/drivers/crypto_config_test_driver_extension.h b/tests/include/test/drivers/crypto_config_test_driver_extension.h index fbfe8da7a..393d6326e 100644 --- a/tests/include/test/drivers/crypto_config_test_driver_extension.h +++ b/tests/include/test/drivers/crypto_config_test_driver_extension.h 
@@ -206,6 +206,30 @@ #endif #endif +#if defined(PSA_WANT_ALG_TLS12_PRF) +#if defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF) +#undef MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF +#else +#define MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) +#if defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS) +#undef MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS +#else +#define MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS) +#if defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS) +#undef MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS +#else +#define MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS 1 +#endif +#endif + #define MBEDTLS_PSA_ACCEL_ALG_CBC_MAC 1 #define MBEDTLS_PSA_ACCEL_ALG_CCM 1 #define MBEDTLS_PSA_ACCEL_ALG_CMAC 1 @@ -218,8 +242,6 @@ #define MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP 1 #define MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT 1 #define MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER 1 -#define MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF 1 -#define MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS 1 #if defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) #if defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) From 7658a0768bb87e8d7bdbee960dd8233cbb5de65a Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 22 Nov 2022 14:35:44 +0100 Subject: [PATCH 12/75] Add pake driver wrapper tests Signed-off-by: Przemek Stekiel Signed-off-by: Przemek Stekiel --- ...test_suite_psa_crypto_driver_wrappers.data | 36 + ..._suite_psa_crypto_driver_wrappers.function | 793 ++++++++++++++++++ 2 files changed, 829 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.data b/tests/suites/test_suite_psa_crypto_driver_wrappers.data index 6069a696c..73c569d39 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.data +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.data 
@@ -820,3 +820,39 @@ aead_decrypt_setup:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_G PSA AEAD decrypt setup, AES-GCM, 144 bytes #1, insufficient memory depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_decrypt_setup:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c87281":"4365847fe0b7b7fbed325953df344a96":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY + +PSA PAKE setup transparent driver: in-driver success +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +pake_setup:"abcd":PSA_SUCCESS:PSA_SUCCESS + +PSA PAKE setup transparent driver: in-driver forced error +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +pake_setup:"abcd":PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY + +PSA PAKE setup transparent driver: fallback +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:MBEDTLS_PSA_BUILTIN_PAKE +pake_setup:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS + +PSA PAKE setup transparent driver: fallback not available 
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:!MBEDTLS_PSA_BUILTIN_PAKE +pake_setup:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_NOT_SUPPORTED + +PSA PAKE operations transparent driver: in-driver success +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +pake_operations:"abcd":PSA_SUCCESS:"":PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_ERROR_BAD_STATE + +PSA PAKE operations transparent driver: in-driver forced status +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +pake_operations:"abcd":PSA_SUCCESS:"1234":PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY + +PSA PAKE operations transparent driver: fallback +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:MBEDTLS_PSA_BUILTIN_PAKE +pake_operations:"abcd":PSA_ERROR_NOT_SUPPORTED:"":PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_ERROR_BAD_STATE + +PSA PAKE: ecjpake rounds transparent driver: in-driver +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:1 + +PSA PAKE: ecjpake rounds transparent driver: fallback +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS:MBEDTLS_PSA_BUILTIN_PAKE +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 
256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0 diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index 8bb3e35f6..cfbcccb34 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function 
@@ -1,6 +1,411 @@ /* BEGIN_HEADER */ #include "test/drivers/test_driver.h" +/* Auxiliary variables for pake tests. + Global to silent the compiler when unused. */ +size_t pake_expected_hit_count; +int pake_in_driver; + +#if defined(PSA_WANT_ALG_JPAKE) +static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, + psa_pake_operation_t *server, + psa_pake_operation_t *client, + int client_input_first, + int round) +{ + unsigned char *buffer0 = NULL, *buffer1 = NULL; + size_t buffer_length = ( + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE) + + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC) + + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF)) * 2; + /* The output should be exactly this size according to the spec */ + const size_t expected_size_key_share = + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE); + /* The output should be exactly this size according to the spec */ + const size_t expected_size_zk_public = + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC); + /* The output can be smaller: the spec allows stripping leading zeroes */ + const size_t max_expected_size_zk_proof = + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF); + size_t buffer0_off = 0; + size_t buffer1_off = 0; + size_t s_g1_len, s_g2_len, s_a_len; + size_t s_g1_off, s_g2_off, s_a_off; + size_t s_x1_pk_len, s_x2_pk_len, s_x2s_pk_len; + size_t s_x1_pk_off, s_x2_pk_off, s_x2s_pk_off; + size_t s_x1_pr_len, s_x2_pr_len, s_x2s_pr_len; + size_t s_x1_pr_off, s_x2_pr_off, s_x2s_pr_off; + size_t c_g1_len, c_g2_len, c_a_len; + size_t c_g1_off, c_g2_off, c_a_off; + size_t c_x1_pk_len, c_x2_pk_len, c_x2s_pk_len; + size_t c_x1_pk_off, c_x2_pk_off, c_x2s_pk_off; + size_t c_x1_pr_len, c_x2_pr_len, c_x2s_pr_len; + size_t c_x1_pr_off, c_x2_pr_off, c_x2s_pr_off; + psa_status_t status; + + ASSERT_ALLOC(buffer0, buffer_length); + ASSERT_ALLOC(buffer1, buffer_length); + + switch (round) { + case 1: + /* Server first 
round Output */ + PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_g1_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(s_g1_len, expected_size_key_share); + s_g1_off = buffer0_off; + buffer0_off += s_g1_len; + PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_x1_pk_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(s_x1_pk_len, expected_size_zk_public); + s_x1_pk_off = buffer0_off; + buffer0_off += s_x1_pk_len; + PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_x1_pr_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_LE_U(s_x1_pr_len, max_expected_size_zk_proof); + s_x1_pr_off = buffer0_off; + buffer0_off += s_x1_pr_len; + PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_g2_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(s_g2_len, expected_size_key_share); + s_g2_off = buffer0_off; + buffer0_off += s_g2_len; + PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_x2_pk_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(s_x2_pk_len, expected_size_zk_public); + s_x2_pk_off = buffer0_off; + buffer0_off += s_x2_pk_len; + PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_x2_pr_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? 
pake_expected_hit_count++ : pake_expected_hit_count); + TEST_LE_U(s_x2_pr_len, max_expected_size_zk_proof); + s_x2_pr_off = buffer0_off; + buffer0_off += s_x2_pr_len; + + if (client_input_first == 1) { + /* Client first round Input */ + status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + s_g1_off, s_g1_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + s_x1_pk_off, + s_x1_pk_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + s_x1_pr_off, + s_x1_pr_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + s_g2_off, + s_g2_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + s_x2_pk_off, + s_x2_pk_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + s_x2_pr_off, + s_x2_pr_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? 
pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + } + + /* Client first round Output */ + PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_g1_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(c_g1_len, expected_size_key_share); + c_g1_off = buffer1_off; + buffer1_off += c_g1_len; + PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_x1_pk_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(c_x1_pk_len, expected_size_zk_public); + c_x1_pk_off = buffer1_off; + buffer1_off += c_x1_pk_len; + PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_x1_pr_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_LE_U(c_x1_pr_len, max_expected_size_zk_proof); + c_x1_pr_off = buffer1_off; + buffer1_off += c_x1_pr_len; + PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_g2_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(c_g2_len, expected_size_key_share); + c_g2_off = buffer1_off; + buffer1_off += c_g2_len; + PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_x2_pk_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? 
pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(c_x2_pk_len, expected_size_zk_public); + c_x2_pk_off = buffer1_off; + buffer1_off += c_x2_pk_len; + PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_x2_pr_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_LE_U(c_x2_pr_len, max_expected_size_zk_proof); + c_x2_pr_off = buffer1_off; + buffer1_off += c_x2_pr_len; + + if (client_input_first == 0) { + /* Client first round Input */ + status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + s_g1_off, s_g1_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + s_x1_pk_off, + s_x1_pk_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + s_x1_pr_off, + s_x1_pr_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + s_g2_off, + s_g2_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + s_x2_pk_off, + s_x2_pk_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? 
pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + s_x2_pr_off, + s_x2_pr_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + } + + /* Server first round Input */ + status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, + buffer1 + c_g1_off, c_g1_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, + buffer1 + c_x1_pk_off, c_x1_pk_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, + buffer1 + c_x1_pr_off, c_x1_pr_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, + buffer1 + c_g2_off, c_g2_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, + buffer1 + c_x2_pk_off, c_x2_pk_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, + buffer1 + c_x2_pr_off, c_x2_pr_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? 
pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + break; + + case 2: + /* Server second round Output */ + buffer0_off = 0; + + PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_a_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(s_a_len, expected_size_key_share); + s_a_off = buffer0_off; + buffer0_off += s_a_len; + PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_x2s_pk_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(s_x2s_pk_len, expected_size_zk_public); + s_x2s_pk_off = buffer0_off; + buffer0_off += s_x2s_pk_len; + PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_x2s_pr_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_LE_U(s_x2s_pr_len, max_expected_size_zk_proof); + s_x2s_pr_off = buffer0_off; + buffer0_off += s_x2s_pr_len; + + if (client_input_first == 1) { + /* Client second round Input */ + status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + s_a_off, s_a_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + s_x2s_pk_off, + s_x2s_pk_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + s_x2s_pr_off, + s_x2s_pr_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? 
pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + } + + /* Client second round Output */ + buffer1_off = 0; + + PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_a_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(c_a_len, expected_size_key_share); + c_a_off = buffer1_off; + buffer1_off += c_a_len; + PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_x2s_pk_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(c_x2s_pk_len, expected_size_zk_public); + c_x2s_pk_off = buffer1_off; + buffer1_off += c_x2s_pk_len; + PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_x2s_pr_len)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_LE_U(c_x2s_pr_len, max_expected_size_zk_proof); + c_x2s_pr_off = buffer1_off; + buffer1_off += c_x2s_pr_len; + + if (client_input_first == 0) { + /* Client second round Input */ + status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + s_a_off, s_a_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + s_x2s_pk_off, + s_x2s_pk_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + s_x2s_pr_off, + s_x2s_pr_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? 
pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + } + + /* Server second round Input */ + status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, + buffer1 + c_a_off, c_a_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, + buffer1 + c_x2s_pk_off, c_x2s_pk_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, + buffer1 + c_x2s_pr_off, c_x2s_pr_len); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(status, PSA_SUCCESS); + + break; + } + +exit: + mbedtls_free(buffer0); + mbedtls_free(buffer1); +} +#endif /* PSA_WANT_ALG_JPAKE */ + #if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) /* Sanity checks on the output of RSA encryption. * 
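Review bot: Every `psa_pake_output` call in `ecjpake_do_round` passes `512 - buffer0_off` (or `512 - buffer1_off`) as the output size, but `buffer0` and `buffer1` are allocated with `buffer_length` bytes computed from `PSA_PAKE_OUTPUT_SIZE`. If `buffer_length` is below 512 for the tested primitive, the call tells the implementation it may write past the end of the heap buffer. Pass the real remaining capacity instead, `buffer_length - buffer0_off` and `buffer_length - buffer1_off`, in each call. Separately, `pake_expected_hit_count++` sits inside a `TEST_EQUAL` argument. If that macro evaluates its arguments more than once, the counter drifts, so incrementing on a separate line would be safer.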
@@ -2567,3 +2972,391 @@ exit: PSA_DONE(); } /* END_CASE */ + +/* BEGIN_CASE */ +void pake_setup(data_t *pw_data, int forced_status_arg, int expected_status_arg) +{ + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_status_t forced_status = forced_status_arg; + psa_status_t expected_status = expected_status_arg; + psa_pake_operation_t operation = psa_pake_operation_init(); + psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); + psa_key_type_t key_type_pw = PSA_KEY_TYPE_PASSWORD; + psa_key_usage_t key_usage_pw = PSA_KEY_USAGE_DERIVE; + psa_algorithm_t alg = PSA_ALG_JPAKE; + psa_algorithm_t hash_alg = PSA_ALG_SHA_256; + psa_pake_primitive_t primitive_arg = PSA_PAKE_PRIMITIVE( + PSA_PAKE_PRIMITIVE_TYPE_ECC, + PSA_ECC_FAMILY_SECP_R1, 256); + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_test_driver_pake_hooks = mbedtls_test_driver_pake_hooks_init(); + + PSA_INIT(); + + if (pw_data->len > 0) { + psa_set_key_usage_flags(&attributes, key_usage_pw); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, key_type_pw); + PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, + &key)); + } + + psa_pake_cs_set_algorithm(&cipher_suite, alg); + psa_pake_cs_set_primitive(&cipher_suite, primitive_arg); + psa_pake_cs_set_hash(&cipher_suite, hash_alg); + + mbedtls_test_driver_pake_hooks.forced_status = forced_status; + + TEST_EQUAL(psa_pake_setup(&operation, &cipher_suite), + expected_status); + + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 1); +exit: + /* + * Key attributes may have been returned by psa_get_key_attributes() + * thus reset them as required. 
+ */ + psa_reset_key_attributes(&attributes); + psa_destroy_key(key); + mbedtls_test_driver_pake_hooks = + mbedtls_test_driver_pake_hooks_init(); + PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void pake_operations(data_t *pw_data, int forced_status_setup_arg, data_t *forced_output, + int forced_status_arg, int expected_status_set_user_arg, + int expected_status_set_role_arg, int expected_status_set_peer_arg, + int expected_status_set_password_arg, int expected_status_input_arg, + int expected_status_abort_arg, int expected_status_output_arg, + int expected_status_get_key_arg) +{ + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_status_t forced_status = forced_status_arg; + psa_status_t forced_status_setup = forced_status_setup_arg; + psa_status_t expected_status_set_user = expected_status_set_user_arg; + psa_status_t expected_status_set_role = expected_status_set_role_arg; + psa_status_t expected_status_set_peer = expected_status_set_peer_arg; + psa_status_t expected_status_set_password = expected_status_set_password_arg; + psa_status_t expected_status_input = expected_status_input_arg; + psa_status_t expected_status_abort = expected_status_abort_arg; + psa_status_t expected_status_output = expected_status_output_arg; + psa_status_t expected_status_get_key = expected_status_get_key_arg; + psa_pake_operation_t operation = psa_pake_operation_init(); + psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); + psa_key_type_t key_type_pw = PSA_KEY_TYPE_PASSWORD; + psa_key_usage_t key_usage_pw = PSA_KEY_USAGE_DERIVE; + psa_algorithm_t alg = PSA_ALG_JPAKE; + psa_algorithm_t hash_alg = PSA_ALG_SHA_256; + psa_key_derivation_operation_t implicit_key = + PSA_KEY_DERIVATION_OPERATION_INIT; + psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( + PSA_PAKE_PRIMITIVE_TYPE_ECC, + PSA_ECC_FAMILY_SECP_R1, 256); + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_test_driver_pake_hooks = mbedtls_test_driver_pake_hooks_init(); + const 
unsigned char *user = (const unsigned char *) "user"; + const uint8_t peer[] = "abcd"; + uint32_t expected_hits = 1; + unsigned char *input_buffer = NULL; + const size_t size_key_share = PSA_PAKE_INPUT_SIZE(alg, primitive, + PSA_PAKE_STEP_KEY_SHARE); + unsigned char *output_buffer = NULL; + size_t output_len = 0; + size_t output_size = PSA_PAKE_OUTPUT_SIZE(alg, primitive, + PSA_PAKE_STEP_KEY_SHARE); + + ASSERT_ALLOC(input_buffer, + PSA_PAKE_INPUT_SIZE(alg, primitive, + PSA_PAKE_STEP_KEY_SHARE)); + memset(input_buffer, 0xAA, size_key_share); + + ASSERT_ALLOC(output_buffer, + PSA_PAKE_INPUT_SIZE(alg, primitive, + PSA_PAKE_STEP_KEY_SHARE)); + memset(output_buffer, 0x55, output_size); + + /* Transparent driver is not available (fallback). */ + if (forced_status_setup == PSA_ERROR_NOT_SUPPORTED) { + expected_hits = 0; + } + + PSA_INIT(); + + if (pw_data->len > 0) { + psa_set_key_usage_flags(&attributes, key_usage_pw); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, key_type_pw); + PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, + &key)); + } + + psa_pake_cs_set_algorithm(&cipher_suite, alg); + psa_pake_cs_set_primitive(&cipher_suite, primitive); + psa_pake_cs_set_hash(&cipher_suite, hash_alg); + + mbedtls_test_driver_pake_hooks.forced_status = forced_status_setup; + TEST_EQUAL(psa_pake_setup(&operation, &cipher_suite), + PSA_SUCCESS); + + /* --- psa_pake_set_user --- */ + mbedtls_test_driver_pake_hooks.forced_status = forced_status; + mbedtls_test_driver_pake_hooks.hits = 0; + + TEST_EQUAL(psa_pake_set_user(&operation, user, 4), + expected_status_set_user); + + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); + + /* psa_pake_set_user is unsupported (after this call operation is aborted) + we need to reinitialize object. 
*/ + if (mbedtls_test_driver_pake_hooks.forced_status == PSA_SUCCESS) { + mbedtls_test_driver_pake_hooks.forced_status = forced_status_setup; + TEST_EQUAL(psa_pake_setup(&operation, &cipher_suite), + PSA_SUCCESS); + } + + /* --- psa_pake_set_peer --- */ + mbedtls_test_driver_pake_hooks.forced_status = forced_status; + mbedtls_test_driver_pake_hooks.hits = 0; + + TEST_EQUAL(psa_pake_set_peer(&operation, peer, 4), + expected_status_set_peer); + + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); + + /* psa_pake_set_user is unsupported (after this call operation is aborted) + we need to reinitialize object. */ + if (mbedtls_test_driver_pake_hooks.forced_status == PSA_SUCCESS) { + mbedtls_test_driver_pake_hooks.forced_status = forced_status_setup; + TEST_EQUAL(psa_pake_setup(&operation, &cipher_suite), + PSA_SUCCESS); + } + + /* --- psa_pake_set_role --- */ + mbedtls_test_driver_pake_hooks.forced_status = forced_status; + mbedtls_test_driver_pake_hooks.hits = 0; + + TEST_EQUAL(psa_pake_set_role(&operation, PSA_PAKE_ROLE_SERVER), + expected_status_set_role); + + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); + + /* --- psa_pake_set_password_key --- */ + /* psa_pake_set_password_key is dispatched by location and other + functions are dispatched by operation id (set during setup). + In case of dispatching by location fallback is performed when + transparent accelerators are not supported. */ + if (forced_status_setup == PSA_ERROR_NOT_SUPPORTED) { + mbedtls_test_driver_pake_hooks.forced_status = PSA_ERROR_NOT_SUPPORTED; + expected_hits = 1; + } else { + mbedtls_test_driver_pake_hooks.forced_status = forced_status; + } + mbedtls_test_driver_pake_hooks.hits = 0; + + TEST_EQUAL(psa_pake_set_password_key(&operation, key), + expected_status_set_password); + + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); + + /* Restore expected_hits for next tests. 
*/ + if (forced_status_setup == PSA_ERROR_NOT_SUPPORTED) { + expected_hits = 0; + } + + /* --- psa_pake_input --- */ + mbedtls_test_driver_pake_hooks.forced_status = forced_status; + mbedtls_test_driver_pake_hooks.hits = 0; + + TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, + input_buffer, size_key_share), + expected_status_input); + + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); + + /* --- psa_pake_abort --- */ + mbedtls_test_driver_pake_hooks.forced_status = forced_status; + mbedtls_test_driver_pake_hooks.hits = 0; + + TEST_EQUAL(psa_pake_abort(&operation), expected_status_abort); + + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); + + /* --- psa_pake_output --- */ + /* We need to setup pake again */ + mbedtls_test_driver_pake_hooks.forced_status = PSA_SUCCESS; + TEST_EQUAL(psa_pake_abort(&operation), PSA_SUCCESS); + + mbedtls_test_driver_pake_hooks.forced_status = forced_status_setup; + TEST_EQUAL(psa_pake_setup(&operation, &cipher_suite), + PSA_SUCCESS); + + TEST_EQUAL(psa_pake_set_role(&operation, PSA_PAKE_ROLE_SERVER), + PSA_SUCCESS); + + TEST_EQUAL(psa_pake_set_password_key(&operation, key), + PSA_SUCCESS); + + mbedtls_test_driver_pake_hooks.forced_status = forced_status; + mbedtls_test_driver_pake_hooks.hits = 0; + + if (forced_output->len > 0) { + mbedtls_test_driver_pake_hooks.forced_output = forced_output->x; + mbedtls_test_driver_pake_hooks.forced_output_length = forced_output->len; + } + + TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, + output_buffer, output_size, &output_len), + expected_status_output); + + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); + + if (forced_output->len > 0) { + TEST_EQUAL(output_len, forced_output->len); + TEST_EQUAL(memcmp(output_buffer, forced_output->x, output_len), 0); + } + + /* --- psa_pake_get_implicit_key --- */ + mbedtls_test_driver_pake_hooks.forced_status = forced_status; + mbedtls_test_driver_pake_hooks.hits = 0; + + 
TEST_EQUAL(psa_pake_get_implicit_key(&operation, &implicit_key), + expected_status_get_key); + + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); + + /* Clean up */ + mbedtls_test_driver_pake_hooks.forced_status = PSA_SUCCESS; + TEST_EQUAL(psa_pake_abort(&operation), PSA_SUCCESS); +exit: + /* + * Key attributes may have been returned by psa_get_key_attributes() + * thus reset them as required. + */ + psa_reset_key_attributes(&attributes); + mbedtls_free(input_buffer); + mbedtls_free(output_buffer); + psa_destroy_key(key); + mbedtls_test_driver_pake_hooks = + mbedtls_test_driver_pake_hooks_init(); + PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ +void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, + int derive_alg_arg, data_t *pw_data, + int client_input_first, int in_driver) +{ + psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); + psa_pake_operation_t server = psa_pake_operation_init(); + psa_pake_operation_t client = psa_pake_operation_init(); + psa_algorithm_t alg = alg_arg; + psa_algorithm_t hash_alg = hash_arg; + psa_algorithm_t derive_alg = derive_alg_arg; + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_derivation_operation_t server_derive = + PSA_KEY_DERIVATION_OPERATION_INIT; + psa_key_derivation_operation_t client_derive = + PSA_KEY_DERIVATION_OPERATION_INIT; + pake_in_driver = in_driver; + mbedtls_test_driver_pake_hooks.forced_status = PSA_SUCCESS; + mbedtls_test_driver_pake_hooks.hits = 0; + pake_expected_hit_count = 1; + + PSA_INIT(); + + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); + PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, + &key)); + + psa_pake_cs_set_algorithm(&cipher_suite, alg); + psa_pake_cs_set_primitive(&cipher_suite, primitive_arg); + 
psa_pake_cs_set_hash(&cipher_suite, hash_alg); + + /* Get shared key */ + PSA_ASSERT(psa_key_derivation_setup(&server_derive, derive_alg)); + PSA_ASSERT(psa_key_derivation_setup(&client_derive, derive_alg)); + + if (PSA_ALG_IS_TLS12_PSK_TO_MS(derive_alg)) { + PSA_ASSERT(psa_key_derivation_input_bytes(&server_derive, + PSA_KEY_DERIVATION_INPUT_SEED, + (const uint8_t *) "", 0)); + PSA_ASSERT(psa_key_derivation_input_bytes(&client_derive, + PSA_KEY_DERIVATION_INPUT_SEED, + (const uint8_t *) "", 0)); + } + + if (!pake_in_driver) { + mbedtls_test_driver_pake_hooks.forced_status = PSA_ERROR_NOT_SUPPORTED; + } + + PSA_ASSERT(psa_pake_setup(&server, &cipher_suite)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, pake_expected_hit_count++); + PSA_ASSERT(psa_pake_setup(&client, &cipher_suite)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, pake_expected_hit_count++); + + /* Restore forced status and adjust pake_expected_hit_count */ + mbedtls_test_driver_pake_hooks.forced_status = PSA_SUCCESS; + if (!pake_in_driver) { + pake_expected_hit_count--; + } + + PSA_ASSERT(psa_pake_set_role(&server, PSA_PAKE_ROLE_SERVER)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + PSA_ASSERT(psa_pake_set_role(&client, PSA_PAKE_ROLE_CLIENT)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + + /* psa_pake_set_password_key is dispatched by location and other + functions are dispatched by operation id (set during setup). + In case of dispatching by location fallback is performed when + transparent accelerators are not supported. We need to also adjust + expected hit counter. 
*/ + if (!pake_in_driver) { + mbedtls_test_driver_pake_hooks.forced_status = PSA_ERROR_NOT_SUPPORTED; + pake_expected_hit_count++; + } + + PSA_ASSERT(psa_pake_set_password_key(&server, key)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_expected_hit_count++); + PSA_ASSERT(psa_pake_set_password_key(&client, key)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_expected_hit_count++); + + /* Restore forced status and adjust pake_expected_hit_count */ + mbedtls_test_driver_pake_hooks.forced_status = PSA_SUCCESS; + if (!pake_in_driver) { + pake_expected_hit_count--; + } + + /* First round */ + ecjpake_do_round(alg, primitive_arg, &server, &client, + client_input_first, 1); + + /* Second round */ + ecjpake_do_round(alg, primitive_arg, &server, &client, + client_input_first, 2); + + PSA_ASSERT(psa_pake_get_implicit_key(&server, &server_derive)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + PSA_ASSERT(psa_pake_get_implicit_key(&client, &client_derive)); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); +exit: + psa_key_derivation_abort(&server_derive); + psa_key_derivation_abort(&client_derive); + psa_destroy_key(key); + psa_pake_abort(&server); + psa_pake_abort(&client); + PSA_DONE(); +} +/* END_CASE */ From 4f0035be299bf84d2456b4b3cf364c076acff743 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 23 Nov 2022 23:19:22 +0100 Subject: [PATCH 13/75] Add guards for buildin pake set_password function Signed-off-by: Przemek Stekiel --- .../driver_templates/psa_crypto_driver_wrappers.c.jinja | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index 802722f97..b3e40f0cf 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja 
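Review bot: In `pake_operations`, `output_buffer` is allocated with `PSA_PAKE_INPUT_SIZE(...)` but is then filled by `memset(output_buffer, 0x55, output_size)` and passed to `psa_pake_output()` with `output_size`, which comes from `PSA_PAKE_OUTPUT_SIZE(...)`. If the two macros ever differ for the key-share step, the test writes past the allocation, so size the buffer from the variable that is actually used: `ASSERT_ALLOC(output_buffer, output_size);` (and `ASSERT_ALLOC(input_buffer, size_key_share);` for symmetry). The comment above the re-setup that follows `psa_pake_set_peer` still says "psa_pake_set_user is unsupported" and should name `psa_pake_set_peer`.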
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -2887,9 +2887,12 @@ psa_status_t psa_driver_wrapper_pake_set_password_key( return( status ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) return( mbedtls_psa_pake_set_password_key( attributes, &operation->ctx.mbedtls_ctx, key_buffer, key_size ) ); +#endif + return( PSA_ERROR_NOT_SUPPORTED ); /* Add cases for opaque driver here */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) @@ -2903,6 +2906,7 @@ psa_status_t psa_driver_wrapper_pake_set_password_key( default: /* Key is declared with a lifetime not known to us */ + (void)operation; (void)status; (void)key_buffer; (void)key_size; From 0c78180ee548568c513696b72268aa37cdd6d97d Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 29 Nov 2022 14:53:13 +0100 Subject: [PATCH 14/75] mbedtls_psa_pake_get_implicit_key: move psa_key_derivation_input_bytes call to upper layer Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 25 ++++++++++++++++++- library/psa_crypto_driver_wrappers.h | 2 +- library/psa_crypto_pake.c | 11 +++----- library/psa_crypto_pake.h | 2 +- .../psa_crypto_driver_wrappers.c.jinja | 9 ++++--- tests/include/test/drivers/pake.h | 4 +-- tests/src/drivers/test_driver_pake.c | 9 ++++--- 7 files changed, 42 insertions(+), 20 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 8dc1a21fc..4e0f5f51f 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
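Review bot: With `MBEDTLS_PSA_BUILTIN_PAKE` defined, the added `return( PSA_ERROR_NOT_SUPPORTED );` in `psa_driver_wrapper_pake_set_password_key` sits directly after another `return` and can never run. Writing the fallback as the other preprocessor branch states the intent and avoids unreachable-code diagnostics on stricter builds: `#else`, `return( PSA_ERROR_NOT_SUPPORTED );`, `#endif /* MBEDTLS_PSA_BUILTIN_PAKE */`. The enclosing switch starts and ends outside the hunk.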
@@ -7295,11 +7295,34 @@ psa_status_t psa_pake_get_implicit_key( psa_pake_operation_t *operation, psa_key_derivation_operation_t *output) { + psa_status_t status = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + uint8_t shared_key[MBEDTLS_PSA_PAKE_BUFFER_SIZE]; + size_t shared_key_len = 0; + if (operation->id == 0) { return PSA_ERROR_BAD_STATE; } - return psa_driver_wrapper_pake_get_implicit_key(operation, output); + status = psa_driver_wrapper_pake_get_implicit_key(operation, + shared_key, + &shared_key_len); + + if (status != PSA_SUCCESS) { + return status; + } + + status = psa_key_derivation_input_bytes(output, + PSA_KEY_DERIVATION_INPUT_SECRET, + shared_key, + shared_key_len); + + if (status != PSA_SUCCESS) { + psa_key_derivation_abort(output); + } + + mbedtls_platform_zeroize(shared_key, MBEDTLS_PSA_PAKE_BUFFER_SIZE); + + return status; } psa_status_t psa_pake_abort( diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index a3755d3a4..78f2f9a28 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -454,7 +454,7 @@ psa_status_t psa_driver_wrapper_pake_input( psa_status_t psa_driver_wrapper_pake_get_implicit_key( psa_pake_operation_t *operation, - psa_key_derivation_operation_t *output); + uint8_t *output, size_t *output_size); psa_status_t psa_driver_wrapper_pake_abort( psa_pake_operation_t *operation); diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 6c4db6f2d..1e5dca4e6 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -835,7 +835,7 @@ psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, psa_status_t mbedtls_psa_pake_get_implicit_key( mbedtls_psa_pake_operation_t *operation, - psa_key_derivation_operation_t *output) + uint8_t *output, size_t *output_size) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 
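Review bot: In `psa_pake_get_implicit_key` (library/psa_crypto.c) the early `return status;` after the driver call skips `mbedtls_platform_zeroize(shared_key, ...)`, so a driver that wrote part of the shared secret before failing would leave it on the stack. Wipe on every path, for example by calling `mbedtls_platform_zeroize(shared_key, sizeof(shared_key));` before that `return status;` as well. `status` is also initialised with `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED`, which is an `int` error code rather than a `psa_status_t`; the neighbouring functions in this series use `psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;`. The removed built-in path aborted `output` on any failure, while the new code aborts it only when `psa_key_derivation_input_bytes` fails, so it is worth confirming that this change is intended.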
@@ -863,16 +863,14 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( return mbedtls_ecjpake_to_psa_error(ret); } - status = psa_key_derivation_input_bytes(output, - PSA_KEY_DERIVATION_INPUT_SECRET, - operation->buffer, - operation->buffer_length); + memcpy(output, operation->buffer, operation->buffer_length); + *output_size = operation->buffer_length; mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); mbedtls_psa_pake_abort(operation); - return status; + return PSA_SUCCESS; } else #else (void) output; @@ -880,7 +878,6 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( { status = PSA_ERROR_NOT_SUPPORTED; } error: - psa_key_derivation_abort(output); mbedtls_psa_pake_abort(operation); return status; diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h index c7bf270a5..9256f5a14 100644 --- a/library/psa_crypto_pake.h +++ b/library/psa_crypto_pake.h @@ -442,7 +442,7 @@ psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, */ psa_status_t mbedtls_psa_pake_get_implicit_key( mbedtls_psa_pake_operation_t *operation, - psa_key_derivation_operation_t *output); + uint8_t *output, size_t *output_size); /** Abort a PAKE operation. * diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index b3e40f0cf..cea7948b7 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja 
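Review bot: `memcpy(output, operation->buffer, operation->buffer_length);` in `mbedtls_psa_pake_get_implicit_key` writes into a caller buffer whose capacity the function never receives, because the new `size_t *output_size` parameter is used only to report the length. The built-in caller passes `shared_key[MBEDTLS_PSA_PAKE_BUFFER_SIZE]`, which presumably matches `operation->buffer`, but the same signature is the driver entry point (wrapper header, jinja template and both test drivers in this patch), so no driver can bound its write. Consider `uint8_t *output, size_t output_size, size_t *output_length` with a guard before the copy that takes the existing `error:` path, such as `if (output_size < operation->buffer_length) { status = PSA_ERROR_BUFFER_TOO_SMALL; goto error; }`. The function body starts and ends outside this hunk.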
@@ -3079,13 +3079,13 @@ psa_status_t psa_driver_wrapper_pake_input( psa_status_t psa_driver_wrapper_pake_get_implicit_key( psa_pake_operation_t *operation, - psa_key_derivation_operation_t *output ) + uint8_t *output, size_t *output_size ) { switch( operation->id ) { #if defined(MBEDTLS_PSA_BUILTIN_PAKE) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - return( mbedtls_psa_pake_get_implicit_key( &operation->ctx.mbedtls_ctx, output ) ); + return( mbedtls_psa_pake_get_implicit_key( &operation->ctx.mbedtls_ctx, output, output_size ) ); #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) @@ -3093,15 +3093,16 @@ psa_status_t psa_driver_wrapper_pake_get_implicit_key( case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_pake_get_implicit_key( &operation->ctx.transparent_test_driver_ctx, - (psa_key_derivation_operation_t*) output ) ); + output, output_size ) ); case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_pake_get_implicit_key( &operation->ctx.opaque_test_driver_ctx, - (psa_key_derivation_operation_t*) output ) ); + output, output_size ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: (void) output; + (void) output_size; return( PSA_ERROR_INVALID_ARGUMENT ); } } diff --git a/tests/include/test/drivers/pake.h b/tests/include/test/drivers/pake.h index 81e87113b..5ee401b7d 100644 --- a/tests/include/test/drivers/pake.h +++ b/tests/include/test/drivers/pake.h @@ -87,7 +87,7 @@ psa_status_t mbedtls_test_transparent_pake_input( psa_status_t mbedtls_test_transparent_pake_get_implicit_key( mbedtls_transparent_test_driver_pake_operation_t *operation, - psa_key_derivation_operation_t *output); + uint8_t *output, size_t *output_size); psa_status_t mbedtls_test_transparent_pake_abort( mbedtls_transparent_test_driver_pake_operation_t *operation); 
@@ -131,7 +131,7 @@ psa_status_t mbedtls_test_opaque_pake_input( psa_status_t mbedtls_test_opaque_pake_get_implicit_key( mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_key_derivation_operation_t *output); + uint8_t *output, size_t *output_size); psa_status_t mbedtls_test_opaque_pake_abort( mbedtls_opaque_test_driver_pake_operation_t *operation); diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c index 1ced55936..3495705d6 100644 --- a/tests/src/drivers/test_driver_pake.c +++ b/tests/src/drivers/test_driver_pake.c @@ -270,7 +270,7 @@ psa_status_t mbedtls_test_transparent_pake_input( psa_status_t mbedtls_test_transparent_pake_get_implicit_key( mbedtls_transparent_test_driver_pake_operation_t *operation, - psa_key_derivation_operation_t *output) + uint8_t *output, size_t *output_size) { mbedtls_test_driver_pake_hooks.hits++; @@ -282,11 +282,11 @@ psa_status_t mbedtls_test_transparent_pake_get_implicit_key( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = libtestdriver1_mbedtls_psa_pake_get_implicit_key( - operation, (libtestdriver1_psa_key_derivation_operation_t *) output); + operation, output, output_size); #elif defined(MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = mbedtls_psa_pake_get_implicit_key( - operation, output); + operation, output, output_size); #else (void) operation; (void) output; @@ -411,10 +411,11 @@ psa_status_t mbedtls_test_opaque_pake_input( psa_status_t mbedtls_test_opaque_pake_get_implicit_key( mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_key_derivation_operation_t *output) + uint8_t *output, size_t *output_size) { (void) operation; (void) output; + (void) output_size; return PSA_ERROR_NOT_SUPPORTED; } From 061f6949fd4704852ea08ebcc55c8c1361f1c2b9 Mon Sep 17 00:00:00 2001 
From: Przemek Stekiel Date: Wed, 30 Nov 2022 10:51:35 +0100 Subject: [PATCH 15/75] Make psa_get_and_lock_key_slot_with_policy() static function psa_get_and_lock_key_slot_with_policy() becomes public temporarily as part of: https://github.com/Mbed-TLS/mbedtls/pull/6608 Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 15 ++++++++++++++- library/psa_crypto_core.h | 18 ------------------ 2 files changed, 14 insertions(+), 19 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 4e0f5f51f..18aa18ba8 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -878,7 +878,20 @@ static psa_status_t psa_restrict_key_policy( return PSA_SUCCESS; } -psa_status_t psa_get_and_lock_key_slot_with_policy( +/** Get the description of a key given its identifier and policy constraints + * and lock it. + * + * The key must have allow all the usage flags set in \p usage. If \p alg is + * nonzero, the key must allow operations with this algorithm. If \p alg is + * zero, the algorithm is not checked. + * + * In case of a persistent key, the function loads the description of the key + * into a key slot if not already done. + * + * On success, the returned key slot is locked. It is the responsibility of + * the caller to unlock the key slot when it does not access it anymore. + */ +static psa_status_t psa_get_and_lock_key_slot_with_policy( mbedtls_svc_key_id_t key, psa_key_slot_t **p_slot, psa_key_usage_t usage, diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index b1817e2da..84c218c13 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h 
@@ -182,24 +182,6 @@ static inline psa_key_slot_number_t psa_key_slot_get_slot_number( } #endif -/** Get the description of a key given its identifier and policy constraints - * and lock it. - * - * The key must have allow all the usage flags set in \p usage. If \p alg is - * nonzero, the key must allow operations with this algorithm. If \p alg is - * zero, the algorithm is not checked. - * - * In case of a persistent key, the function loads the description of the key - * into a key slot if not already done. - * - * On success, the returned key slot is locked. It is the responsibility of - * the caller to unlock the key slot when it does not access it anymore. - */ -psa_status_t psa_get_and_lock_key_slot_with_policy(mbedtls_svc_key_id_t key, - psa_key_slot_t **p_slot, - psa_key_usage_t usage, - psa_algorithm_t alg); - /** Completely wipe a slot in memory, including its policy. * * Persistent storage is not affected. From e5e41eb14cab251727ddae5cfbba4282b8119920 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 1 Dec 2022 15:55:29 +0100 Subject: [PATCH 16/75] Remove redundant line (fix rebase error) Signed-off-by: Przemek Stekiel --- .../driver_templates/psa_crypto_driver_wrappers.c.jinja | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index cea7948b7..9a7b64547 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -2809,7 +2809,6 @@ psa_status_t psa_driver_wrapper_key_agreement( } } -#if defined(MBEDTLS_PSA_BUILTIN_PAKE) psa_status_t psa_driver_wrapper_pake_setup( psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite ) From 51eac53b935a738e7db3e69d36b1b9ce1d59efdb Mon Sep 17 00:00:00 2001 
From: Przemek Stekiel Date: Wed, 7 Dec 2022 11:04:51 +0100 Subject: [PATCH 17/75] Divide pake operation into two phases collecting inputs and computation. Functions that only set inputs do not have driver entry points. Signed-off-by: Przemek Stekiel --- include/psa/crypto_extra.h | 27 ++- library/psa_crypto.c | 144 ++++++++++-- library/psa_crypto_driver_wrappers.h | 22 +- library/psa_crypto_pake.c | 179 ++------------- library/psa_crypto_pake.h | 172 +-------------- .../psa_crypto_driver_wrappers.c.jinja | 205 +++--------------- tests/include/test/drivers/pake.h | 24 +- tests/src/drivers/test_driver_pake.c | 137 +----------- 8 files changed, 215 insertions(+), 695 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index da74bed17..4fa273d31 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -429,6 +429,9 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed, */ #define PSA_DH_FAMILY_CUSTOM ((psa_dh_family_t) 0x7e) +/** EC-JPAKE operation stages. */ +#define PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS 0 +#define PSA_PAKE_OPERATION_STAGE_COMPUTATION 1 /** * \brief Set domain parameters for a key. @@ -1286,6 +1289,9 @@ static void psa_pake_cs_set_hash(psa_pake_cipher_suite_t *cipher_suite, * Implementation details can change in future versions without notice. */ typedef struct psa_pake_operation_s psa_pake_operation_t; +/** The type of input values for PAKE operations. */ +typedef struct psa_crypto_driver_pake_inputs_s psa_crypto_driver_pake_inputs_t; + /** Return an initial value for a PAKE operation object. */ static psa_pake_operation_t psa_pake_operation_init(void); 
@@ -1826,7 +1832,7 @@ psa_status_t psa_pake_abort(psa_pake_operation_t *operation); /** Returns a suitable initializer for a PAKE operation object of type * psa_pake_operation_t. */ -#define PSA_PAKE_OPERATION_INIT { 0, { .dummy = 0 } } +#define PSA_PAKE_OPERATION_INIT { 0, PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS, { 0 } } struct psa_pake_cipher_suite_s { psa_algorithm_t algorithm; @@ -1897,6 +1903,15 @@ static inline void psa_pake_cs_set_hash(psa_pake_cipher_suite_t *cipher_suite, } } +struct psa_crypto_driver_pake_inputs_s { + psa_algorithm_t MBEDTLS_PRIVATE(alg); + uint8_t *MBEDTLS_PRIVATE(password); + size_t MBEDTLS_PRIVATE(password_len); + psa_pake_role_t MBEDTLS_PRIVATE(role); + psa_key_lifetime_t MBEDTLS_PRIVATE(key_lifetime); + psa_pake_cipher_suite_t MBEDTLS_PRIVATE(cipher_suite); +}; + struct psa_pake_operation_s { /** Unique ID indicating which driver got assigned to do the * operation. Since driver contexts are driver-specific, swapping @@ -1905,7 +1920,15 @@ struct psa_pake_operation_s { * ID value zero means the context is not valid or not assigned to * any driver (i.e. none of the driver contexts are active). */ unsigned int MBEDTLS_PRIVATE(id); - psa_driver_pake_context_t MBEDTLS_PRIVATE(ctx); + /* Based on stage (collecting inputs/computation) we select active structure of data union. + * While switching stage (when driver setup is called) collected inputs + are copied to the corresponding operation context. */ + uint8_t MBEDTLS_PRIVATE(stage); + union { + unsigned dummy; + psa_crypto_driver_pake_inputs_t MBEDTLS_PRIVATE(inputs); + psa_driver_pake_context_t MBEDTLS_PRIVATE(ctx); + } MBEDTLS_PRIVATE(data); }; static inline struct psa_pake_cipher_suite_s psa_pake_cipher_suite_init(void) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 18aa18ba8..4742c3cae 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
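Review bot: `struct psa_crypto_driver_pake_inputs_s` stores the password as a raw `uint8_t *password` with `password_len`, and nothing in the header says who allocates it or when it is wiped and released. Because it shares a union with the driver context in `psa_pake_operation_s`, the pointer is lost once the stage switches, so the ownership rule matters. I would add a comment on the field stating that it is a heap copy owned by the operation and must be zeroized and freed before the union is reused and in `psa_pake_abort()`. The code that does this is not part of these hunks, so please confirm it exists.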
@@ -7180,7 +7180,29 @@ psa_status_t psa_pake_setup( psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite) { - return psa_driver_wrapper_pake_setup(operation, cipher_suite); + if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { + return PSA_ERROR_BAD_STATE; + } + + if (operation->data.inputs.alg != PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + + if (cipher_suite == NULL || + PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 || + (cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC && + cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_DH) || + PSA_ALG_IS_HASH(cipher_suite->hash) == 0) { + return PSA_ERROR_INVALID_ARGUMENT; + } + + ; + memset(&operation->data.inputs, 0, sizeof(operation->data.inputs)); + + operation->data.inputs.alg = cipher_suite->algorithm; + operation->data.inputs.cipher_suite = *cipher_suite; + + return PSA_SUCCESS; } psa_status_t psa_pake_set_password_key( @@ -7191,7 +7213,11 @@ psa_status_t psa_pake_set_password_key( psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot = NULL; - if (operation->id == 0) { + if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { + return PSA_ERROR_BAD_STATE; + } + + if (operation->data.inputs.alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } 
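Review bot: A stray empty statement `;` is left on its own line before `memset(&operation->data.inputs, 0, sizeof(operation->data.inputs));` in `psa_pake_setup` and should be deleted. The `operation->data.inputs.alg != PSA_ALG_NONE` check doubles as the "setup already called" test here and, inverted, in the setters that follow; a short comment such as `/* alg is set by psa_pake_setup(); PSA_ALG_NONE means setup has not run yet */` would make that explicit.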
@@ -7206,9 +7232,29 @@ psa_status_t psa_pake_set_password_key( .core = slot->attr }; - status = psa_driver_wrapper_pake_set_password_key(&attributes, operation, - slot->key.data, slot->key.bytes); + psa_key_type_t type = psa_get_key_type(&attributes); + psa_key_usage_t usage = psa_get_key_usage_flags(&attributes); + if (type != PSA_KEY_TYPE_PASSWORD && + type != PSA_KEY_TYPE_PASSWORD_HASH) { + status = PSA_ERROR_INVALID_ARGUMENT; + goto error; + } + + if ((usage & PSA_KEY_USAGE_DERIVE) == 0) { + status = PSA_ERROR_NOT_PERMITTED; + goto error; + } + + operation->data.inputs.password = mbedtls_calloc(1, slot->key.bytes); + if (operation->data.inputs.password == NULL) { + return PSA_ERROR_INSUFFICIENT_MEMORY; + } + + memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes); + operation->data.inputs.password_len = slot->key.bytes; + operation->data.inputs.key_lifetime = attributes.core.lifetime; +error: unlock_status = psa_unlock_key_slot(slot); return (status == PSA_SUCCESS) ? unlock_status : status; @@ -7219,16 +7265,21 @@ psa_status_t psa_pake_set_user( const uint8_t *user_id, size_t user_id_len) { - if (operation->id == 0) { + (void) user_id; + + if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { return PSA_ERROR_BAD_STATE; } - if (user_id_len == 0 || user_id == NULL) { + if (operation->data.inputs.alg == PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + + if (user_id_len == 0) { return PSA_ERROR_INVALID_ARGUMENT; } - return psa_driver_wrapper_pake_set_user(operation, user_id, - user_id_len); + return PSA_ERROR_NOT_SUPPORTED; } psa_status_t psa_pake_set_peer( 
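Review bot: The allocation-failure branch returns `PSA_ERROR_INSUFFICIENT_MEMORY` directly and so skips the `error:` label, which means `psa_unlock_key_slot(slot)` is never called on that path; it should read `status = PSA_ERROR_INSUFFICIENT_MEMORY; goto error;`. Nothing rejects a second call either: the driver code removed by this commit returned PSA_ERROR_BAD_STATE when a password was already set, whereas this version overwrites `operation->data.inputs.password` and leaks the earlier copy of the secret unwiped. A guard such as `if (operation->data.inputs.password != NULL) { status = PSA_ERROR_BAD_STATE; goto error; }` before the `mbedtls_calloc` restores the old behaviour. The function starts in the previous hunk.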
@@ -7236,23 +7287,32 @@ psa_status_t psa_pake_set_peer( const uint8_t *peer_id, size_t peer_id_len) { - if (operation->id == 0) { + (void) peer_id; + + if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { return PSA_ERROR_BAD_STATE; } - if (peer_id_len == 0 || peer_id == NULL) { + if (operation->data.inputs.alg == PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + + if (peer_id_len == 0) { return PSA_ERROR_INVALID_ARGUMENT; } - return psa_driver_wrapper_pake_set_peer(operation, peer_id, - peer_id_len); + return PSA_ERROR_NOT_SUPPORTED; } psa_status_t psa_pake_set_role( psa_pake_operation_t *operation, psa_pake_role_t role) { - if (operation->id == 0) { + if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { + return PSA_ERROR_BAD_STATE; + } + + if (operation->data.inputs.alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } @@ -7264,7 +7324,9 @@ psa_status_t psa_pake_set_role( return PSA_ERROR_INVALID_ARGUMENT; } - return psa_driver_wrapper_pake_set_role(operation, role); + operation->data.inputs.role = role; + + return PSA_SUCCESS; } psa_status_t psa_pake_output( 
@@ -7274,11 +7336,34 @@ psa_status_t psa_pake_output( size_t output_size, size_t *output_length) { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { + if (operation->data.inputs.alg == PSA_ALG_NONE || + operation->data.inputs.password_len == 0 || + operation->data.inputs.role == PSA_PAKE_ROLE_NONE) { + return PSA_ERROR_BAD_STATE; + } + + status = psa_driver_wrapper_pake_setup(operation, + &operation->data.inputs); + + if (status == PSA_SUCCESS) { + operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; + } else { + return status; + } + } + + if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) { + return PSA_ERROR_BAD_STATE; + } + if (operation->id == 0) { return PSA_ERROR_BAD_STATE; } - if (output == NULL || output_size == 0 || output_length == NULL) { + if (output == NULL || output_size == 0) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -7292,6 +7377,29 @@ psa_status_t psa_pake_input( const uint8_t *input, size_t input_length) { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { + if (operation->data.inputs.alg == PSA_ALG_NONE || + operation->data.inputs.password_len == 0 || + operation->data.inputs.role == PSA_PAKE_ROLE_NONE) { + return PSA_ERROR_BAD_STATE; + } + + status = psa_driver_wrapper_pake_setup(operation, + &operation->data.inputs); + + if (status == PSA_SUCCESS) { + operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; + } else { + return status; + } + } + + if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) { + return PSA_ERROR_BAD_STATE; + } + if (operation->id == 0) { return PSA_ERROR_BAD_STATE; } 
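Review bot: The argument check in `psa_pake_output()` no longer rejects `output_length == NULL`, although the pointer is still a parameter that is presumably forwarded to the driver and written through. Unless that check has moved somewhere not shown here, keep the original condition, `if (output == NULL || output_size == 0 || output_length == NULL)`. The rest of the function lies outside this hunk, so this should be confirmed against the driver call that follows.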
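Review bot: The block added to `psa_pake_input()` that validates the collected inputs, calls `psa_driver_wrapper_pake_setup()` and advances `stage` is a verbatim copy of the one added to `psa_pake_output()`. Moving it into one static helper that takes `operation` and returns the status would keep the two entry points from drifting apart when the transition logic changes. Each call site then shrinks to `status = psa_pake_complete_inputs(operation);` and `if (status != PSA_SUCCESS) { return status; }`, where the helper name is only a suggestion. The body of `psa_pake_input()` continues outside the hunk.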
@@ -7341,8 +7449,10 @@ psa_status_t psa_pake_get_implicit_key( psa_status_t psa_pake_abort( psa_pake_operation_t *operation) { - /* Aborting a non-active operation is allowed */ - if (operation->id == 0) { + /* If we are in collecting inputs stage clear inputs. */ + if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { + mbedtls_free(operation->data.inputs.password); + memset(&operation->data.inputs, 0, sizeof(psa_crypto_driver_pake_inputs_t)); return PSA_SUCCESS; } diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index 78f2f9a28..abaabb544 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -417,27 +417,7 @@ psa_status_t psa_driver_wrapper_key_agreement( */ psa_status_t psa_driver_wrapper_pake_setup( psa_pake_operation_t *operation, - const psa_pake_cipher_suite_t *cipher_suite); - -psa_status_t psa_driver_wrapper_pake_set_password_key( - const psa_key_attributes_t *attributes, - psa_pake_operation_t *operation, - uint8_t *key_buffer, - size_t key_size); - -psa_status_t psa_driver_wrapper_pake_set_user( - psa_pake_operation_t *operation, - const uint8_t *user_id, - size_t user_id_len); - -psa_status_t psa_driver_wrapper_pake_set_peer( - psa_pake_operation_t *operation, - const uint8_t *peer_id, - size_t peer_id_len); - -psa_status_t psa_driver_wrapper_pake_set_role( - psa_pake_operation_t *operation, - psa_pake_role_t role); + const psa_crypto_driver_pake_inputs_t *inputs); psa_status_t psa_driver_wrapper_pake_output( psa_pake_operation_t *operation, diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 1e5dca4e6..3a710dc60 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c 
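Review bot: `mbedtls_free(operation->data.inputs.password)` in `psa_pake_abort()` releases the copied password without wiping it, so the secret stays readable in freed heap memory. Wipe it first with `mbedtls_platform_zeroize(operation->data.inputs.password, operation->data.inputs.password_len);` (skipping the call when the pointer is NULL), and prefer `mbedtls_platform_zeroize` over `memset` for clearing the inputs struct. The same applies to `mbedtls_free(password)` on the `error:` path of `mbedtls_psa_pake_setup()`. The remainder of `psa_pake_abort()` is outside the hunk, so whether `stage` is put back to `PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS` after a driver abort cannot be confirmed from here.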
@@ -192,36 +192,32 @@ static psa_status_t mbedtls_ecjpake_to_psa_error(int ret) #if defined(MBEDTLS_PSA_BUILTIN_PAKE) psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, - const psa_pake_cipher_suite_t *cipher_suite) + const psa_crypto_driver_pake_inputs_t *inputs) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - /* A context must be freshly initialized before it can be set up. */ - if (operation->alg != PSA_ALG_NONE) { - status = PSA_ERROR_BAD_STATE; - goto error; - } + uint8_t *password = inputs->password; + size_t password_len = inputs->password_len; + psa_pake_role_t role = inputs->role; + psa_pake_cipher_suite_t cipher_suite = inputs->cipher_suite; - if (cipher_suite == NULL || - PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 || - (cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC && - cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_DH) || - PSA_ALG_IS_HASH(cipher_suite->hash) == 0) { - status = PSA_ERROR_INVALID_ARGUMENT; - goto error; - } + memset(operation, 0, sizeof(mbedtls_psa_pake_operation_t)); #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) - if (cipher_suite->algorithm == PSA_ALG_JPAKE) { - if (cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC || - cipher_suite->family != PSA_ECC_FAMILY_SECP_R1 || - cipher_suite->bits != 256 || - cipher_suite->hash != PSA_ALG_SHA_256) { + if (cipher_suite.algorithm == PSA_ALG_JPAKE) { + if (cipher_suite.type != PSA_PAKE_PRIMITIVE_TYPE_ECC || + cipher_suite.family != PSA_ECC_FAMILY_SECP_R1 || + cipher_suite.bits != 256 || + cipher_suite.hash != PSA_ALG_SHA_256) { status = PSA_ERROR_NOT_SUPPORTED; goto error; } - operation->alg = cipher_suite->algorithm; + if (role != PSA_PAKE_ROLE_CLIENT && + role != PSA_PAKE_ROLE_SERVER) { + status = PSA_ERROR_NOT_SUPPORTED; + goto error; + } mbedtls_ecjpake_init(&operation->ctx.pake); 
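Review bot: The PSA_ERROR_NOT_SUPPORTED exits in `mbedtls_psa_pake_setup()` run after `memset(operation, 0, ...)` and jump to `error:`, which in a later hunk of this function calls `mbedtls_free(password)`, so a driver that merely declines the request has already consumed the caller's password buffer. In the wrapper template the transparent test driver is tried first and the built-in driver is then called with the same `inputs` when the result is PSA_ERROR_NOT_SUPPORTED, so the fallback would read a pointer that has been freed. The ownership transfer also happens through a `const psa_crypto_driver_pake_inputs_t *`, and nothing in the header says that the driver frees `inputs->password`. Safer is for the driver to copy the password into memory it owns and leave the input buffer to whoever allocated it; failing that, document the transfer and do not fall back once a driver has been entered. The function body continues outside this hunk.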
@@ -229,8 +225,10 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, operation->sequence = PSA_PAKE_SEQ_INVALID; operation->input_step = PSA_PAKE_STEP_X1_X2; operation->output_step = PSA_PAKE_STEP_X1_X2; - operation->password_len = 0; - operation->password = NULL; + operation->password_len = password_len; + operation->password = password; + operation->role = role; + operation->alg = cipher_suite.algorithm; mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); operation->buffer_length = 0; 
@@ -240,149 +238,16 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, } else #else (void) operation; - (void) cipher_suite; + (void) inputs; #endif { status = PSA_ERROR_NOT_SUPPORTED; } error: + mbedtls_free(password); mbedtls_psa_pake_abort(operation); return status; } -psa_status_t mbedtls_psa_pake_set_password_key(const psa_key_attributes_t *attributes, - mbedtls_psa_pake_operation_t *operation, - uint8_t *password, - size_t password_len) -{ - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_type_t type = psa_get_key_type(attributes); - psa_key_usage_t usage = psa_get_key_usage_flags(attributes); - - if (type != PSA_KEY_TYPE_PASSWORD && - type != PSA_KEY_TYPE_PASSWORD_HASH) { - status = PSA_ERROR_INVALID_ARGUMENT; - goto error; - } - - if ((usage & PSA_KEY_USAGE_DERIVE) == 0) { - status = PSA_ERROR_NOT_PERMITTED; - goto error; - } - - if (operation->alg == PSA_ALG_NONE) { - status = PSA_ERROR_BAD_STATE; - goto error; - } - - if (operation->state != PSA_PAKE_STATE_SETUP) { - status = PSA_ERROR_BAD_STATE; - goto error; - } - - if (operation->password != NULL) { - status = PSA_ERROR_BAD_STATE; - goto error; - } - - operation->password = mbedtls_calloc(1, password_len); - if (operation->password == NULL) { - return PSA_ERROR_INSUFFICIENT_MEMORY; - } - - memcpy(operation->password, password, password_len); - operation->password_len = password_len; - - return PSA_SUCCESS; - -error: - mbedtls_psa_pake_abort(operation); - return status; -} - -psa_status_t mbedtls_psa_pake_set_user(mbedtls_psa_pake_operation_t *operation, - const uint8_t *user_id, - size_t user_id_len) -{ - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - (void) user_id; - (void) user_id_len; - - if (operation->alg == PSA_ALG_NONE) { - return PSA_ERROR_BAD_STATE; - } - - if (operation->state != PSA_PAKE_STATE_SETUP) { - status = PSA_ERROR_BAD_STATE; - goto error; - } - - status = PSA_ERROR_NOT_SUPPORTED; - -error: - mbedtls_psa_pake_abort(operation); - 
return status; -} - -psa_status_t mbedtls_psa_pake_set_peer(mbedtls_psa_pake_operation_t *operation, - const uint8_t *peer_id, - size_t peer_id_len) -{ - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - (void) peer_id; - (void) peer_id_len; - - if (operation->alg == PSA_ALG_NONE) { - status = PSA_ERROR_BAD_STATE; - goto error; - } - - if (operation->state != PSA_PAKE_STATE_SETUP) { - status = PSA_ERROR_BAD_STATE; - goto error; - } - - status = PSA_ERROR_NOT_SUPPORTED; - -error: - mbedtls_psa_pake_abort(operation); - return status; -} - -psa_status_t mbedtls_psa_pake_set_role(mbedtls_psa_pake_operation_t *operation, - psa_pake_role_t role) -{ - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - if (operation->alg == PSA_ALG_NONE) { - status = PSA_ERROR_BAD_STATE; - goto error; - } - - if (operation->state != PSA_PAKE_STATE_SETUP) { - status = PSA_ERROR_BAD_STATE; - goto error; - } - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) - if (operation->alg == PSA_ALG_JPAKE) { - if (role != PSA_PAKE_ROLE_CLIENT && - role != PSA_PAKE_ROLE_SERVER) { - return PSA_ERROR_NOT_SUPPORTED; - } - - operation->role = role; - - return PSA_SUCCESS; - } else -#else - (void) role; -#endif - - { status = PSA_ERROR_NOT_SUPPORTED; } - -error: - mbedtls_psa_pake_abort(operation); - return status; -} #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operation) diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h index 9256f5a14..4768cee11 100644 --- a/library/psa_crypto_pake.h +++ b/library/psa_crypto_pake.h 
@@ -94,178 +94,8 @@ * results in this error code. */ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, - const psa_pake_cipher_suite_t *cipher_suite); + const psa_crypto_driver_pake_inputs_t *inputs); -/** Set the password for a password-authenticated key exchange from key ID. - * - * Call this function when the password, or a value derived from the password, - * is already present in the key store. - * \param[in] attributes The attributes of the key to use for the - * operation. - * \param[in,out] operation The operation object to set the password for. It - * must have been set up by psa_pake_setup() and - * not yet in use (neither psa_pake_output() nor - * psa_pake_input() has been called yet). It must - * be on operation for which the password hasn't - * been set yet (psa_pake_set_password_key() - * hasn't been called yet). - * \param password Buffer holding the password - * \param password_len Password buffer size - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_INVALID_HANDLE - * \p password is not a valid key identifier. - * \retval #PSA_ERROR_NOT_PERMITTED - * The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not - * permit the \p operation's algorithm. - * \retval #PSA_ERROR_INVALID_ARGUMENT - * The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or - * #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with - * the \p operation's cipher suite. - * \retval #PSA_ERROR_NOT_SUPPORTED - * The key type or key size of \p password is not supported with the - * \p operation's cipher suite. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must have been set up.), or - * the library has not been previously initialized by psa_crypto_init(). 
- * It is implementation-dependent whether a failure to initialize - * results in this error code. - */ -psa_status_t mbedtls_psa_pake_set_password_key( - const psa_key_attributes_t *attributes, - mbedtls_psa_pake_operation_t *operation, - uint8_t *password, - size_t password_len); - -/** Set the user ID for a password-authenticated key exchange. - * - * Call this function to set the user ID. For PAKE algorithms that associate a - * user identifier with each side of the session you need to call - * psa_pake_set_peer() as well. For PAKE algorithms that associate a single - * user identifier with the session, call psa_pake_set_user() only. - * - * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - * for more information. - * - * \param[in,out] operation The operation object to set the user ID for. It - * must have been set up by psa_pake_setup() and - * not yet in use (neither psa_pake_output() nor - * psa_pake_input() has been called yet). It must - * be on operation for which the user ID hasn't - * been set (psa_pake_set_user() hasn't been - * called yet). - * \param[in] user_id The user ID to authenticate with. - * \param user_id_len Size of the \p user_id buffer in bytes. - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p user_id is not valid for the \p operation's algorithm and cipher - * suite. - * \retval #PSA_ERROR_NOT_SUPPORTED - * The value of \p user_id is not supported by the implementation. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid, or - * the library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. 
- */ -psa_status_t mbedtls_psa_pake_set_user(mbedtls_psa_pake_operation_t *operation, - const uint8_t *user_id, - size_t user_id_len); - -/** Set the peer ID for a password-authenticated key exchange. - * - * Call this function in addition to psa_pake_set_user() for PAKE algorithms - * that associate a user identifier with each side of the session. For PAKE - * algorithms that associate a single user identifier with the session, call - * psa_pake_set_user() only. - * - * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - * for more information. - * - * \param[in,out] operation The operation object to set the peer ID for. It - * must have been set up by psa_pake_setup() and - * not yet in use (neither psa_pake_output() nor - * psa_pake_input() has been called yet). It must - * be on operation for which the peer ID hasn't - * been set (psa_pake_set_peer() hasn't been - * called yet). - * \param[in] peer_id The peer's ID to authenticate. - * \param peer_id_len Size of the \p peer_id buffer in bytes. - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p user_id is not valid for the \p operation's algorithm and cipher - * suite. - * \retval #PSA_ERROR_NOT_SUPPORTED - * The algorithm doesn't associate a second identity with the session. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_BAD_STATE - * Calling psa_pake_set_peer() is invalid with the \p operation's - * algorithm, the operation state is not valid, or the library has not - * been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. 
- */ -psa_status_t mbedtls_psa_pake_set_peer(mbedtls_psa_pake_operation_t *operation, - const uint8_t *peer_id, - size_t peer_id_len); - -/** Set the application role for a password-authenticated key exchange. - * - * Not all PAKE algorithms need to differentiate the communicating entities. - * It is optional to call this function for PAKEs that don't require a role - * to be specified. For such PAKEs the application role parameter is ignored, - * or #PSA_PAKE_ROLE_NONE can be passed as \c role. - * - * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - * for more information. - * - * \param[in,out] operation The operation object to specify the - * application's role for. It must have been set up - * by psa_pake_setup() and not yet in use (neither - * psa_pake_output() nor psa_pake_input() has been - * called yet). It must be on operation for which - * the application's role hasn't been specified - * (psa_pake_set_role() hasn't been called yet). - * \param role A value of type ::psa_pake_role_t indicating the - * application's role in the PAKE the algorithm - * that is being set up. For more information see - * the documentation of \c PSA_PAKE_ROLE_XXX - * constants. - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_INVALID_ARGUMENT - * The \p role is not a valid PAKE role in the \p operation’s algorithm. - * \retval #PSA_ERROR_NOT_SUPPORTED - * The \p role for this algorithm is not supported or is not valid. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid, or - * the library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. 
- */ -psa_status_t mbedtls_psa_pake_set_role(mbedtls_psa_pake_operation_t *operation, - psa_pake_role_t role); /** Get output for a step of a password-authenticated key exchange. * diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index 9a7b64547..21a3b5f91 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja 
@@ -2811,64 +2811,12 @@ psa_status_t psa_driver_wrapper_key_agreement( psa_status_t psa_driver_wrapper_pake_setup( psa_pake_operation_t *operation, - const psa_pake_cipher_suite_t *cipher_suite ) + const psa_crypto_driver_pake_inputs_t *inputs ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - /* Try setup on accelerators first */ -#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) -#if defined(PSA_CRYPTO_DRIVER_TEST) - status = mbedtls_test_transparent_pake_setup( - &operation->ctx.transparent_test_driver_ctx, - (const psa_pake_cipher_suite_t*) cipher_suite ); - if( status == PSA_SUCCESS ) - operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID; - - if( status != PSA_ERROR_NOT_SUPPORTED ) - return( status ); -#endif /* PSA_CRYPTO_DRIVER_TEST */ -#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ - - /* If software fallback is compiled in, try fallback */ -#if defined(MBEDTLS_PSA_BUILTIN_PAKE) - status = mbedtls_psa_pake_setup( &operation->ctx.mbedtls_ctx, cipher_suite ); - if( status == PSA_SUCCESS ) - operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID; - - if( status != PSA_ERROR_NOT_SUPPORTED ) - return( status ); -#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ - - /* Add cases for opaque driver here */ -#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) -#if defined(PSA_CRYPTO_DRIVER_TEST) - status = mbedtls_test_opaque_pake_setup( - &operation->ctx.opaque_test_driver_ctx, - (const psa_pake_cipher_suite_t*) cipher_suite ); - if( status == PSA_SUCCESS ) - operation->id = MBEDTLS_TEST_OPAQUE_DRIVER_ID; - - if( status != PSA_ERROR_NOT_SUPPORTED ) - return( status ); -#endif /* PSA_CRYPTO_DRIVER_TEST */ -#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ - - /* Nothing left to try if we fall through here */ - (void) status; - (void) operation; - (void) cipher_suite; - return( PSA_ERROR_NOT_SUPPORTED ); -} - -psa_status_t psa_driver_wrapper_pake_set_password_key( - const psa_key_attributes_t *attributes, - psa_pake_operation_t *operation, - uint8_t *key_buffer, - size_t 
key_size ) -{ - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( inputs->key_lifetime ); switch( location ) { 
@@ -2877,135 +2825,44 @@ psa_status_t psa_driver_wrapper_pake_set_password_key( * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - status = mbedtls_test_transparent_set_password_key( - attributes, - &operation->ctx.transparent_test_driver_ctx, - key_buffer, key_size ); + status = mbedtls_test_transparent_pake_setup( + &operation->data.ctx.transparent_test_driver_ctx, + inputs ); + if( status == PSA_SUCCESS ) + operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID; /* Declared with fallback == true */ if( status != PSA_ERROR_NOT_SUPPORTED ) return( status ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ #if defined(MBEDTLS_PSA_BUILTIN_PAKE) - return( mbedtls_psa_pake_set_password_key( - attributes, &operation->ctx.mbedtls_ctx, - key_buffer, key_size ) ); + status = mbedtls_psa_pake_setup( &operation->data.ctx.mbedtls_ctx, + inputs ); + if( status == PSA_SUCCESS ) + operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID; + return status; #endif return( PSA_ERROR_NOT_SUPPORTED ); /* Add cases for opaque driver here */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) case PSA_CRYPTO_TEST_DRIVER_LOCATION: - return( mbedtls_test_opaque_set_password_key( - attributes, - &operation->ctx.opaque_test_driver_ctx, - key_buffer, key_size ) ); + status = mbedtls_test_opaque_pake_setup( + &operation->data.ctx.opaque_test_driver_ctx, + inputs ); + if( status == PSA_SUCCESS ) + operation->id = MBEDTLS_TEST_OPAQUE_DRIVER_ID; + return status; #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ - default: /* Key is declared with a lifetime not known to us */ (void)operation; + (void)inputs; (void)status; - (void)key_buffer; - (void)key_size; return( PSA_ERROR_INVALID_ARGUMENT ); } } - -psa_status_t psa_driver_wrapper_pake_set_user( - psa_pake_operation_t *operation, - const uint8_t *user_id, - 
size_t user_id_len ) -{ - switch( operation->id ) - { -#if defined(MBEDTLS_PSA_BUILTIN_PAKE) - case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - return( mbedtls_psa_pake_set_user( &operation->ctx.mbedtls_ctx, - user_id, user_id_len ) ); -#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ - -#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) -#if defined(PSA_CRYPTO_DRIVER_TEST) - case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: - return( mbedtls_test_transparent_pake_set_user( - &operation->ctx.transparent_test_driver_ctx, - user_id, user_id_len ) ); - case MBEDTLS_TEST_OPAQUE_DRIVER_ID: - return( mbedtls_test_opaque_pake_set_user( - &operation->ctx.opaque_test_driver_ctx, - user_id, user_id_len ) ); -#endif /* PSA_CRYPTO_DRIVER_TEST */ -#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ - default: - (void) user_id; - (void) user_id_len; - return( PSA_ERROR_INVALID_ARGUMENT ); - } -} - -psa_status_t psa_driver_wrapper_pake_set_peer( - psa_pake_operation_t *operation, - const uint8_t *peer_id, - size_t peer_id_len ) -{ - switch( operation->id ) - { -#if defined(MBEDTLS_PSA_BUILTIN_PAKE) - case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - return( mbedtls_psa_pake_set_peer( &operation->ctx.mbedtls_ctx, - peer_id, peer_id_len ) ); -#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ - -#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) -#if defined(PSA_CRYPTO_DRIVER_TEST) - case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: - return( mbedtls_test_transparent_pake_set_peer( - &operation->ctx.transparent_test_driver_ctx, - peer_id, peer_id_len ) ); - case MBEDTLS_TEST_OPAQUE_DRIVER_ID: - return( mbedtls_test_opaque_pake_set_peer( - &operation->ctx.opaque_test_driver_ctx, - peer_id, peer_id_len ) ); -#endif /* PSA_CRYPTO_DRIVER_TEST */ -#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ - default: - (void) peer_id; - (void) peer_id_len; - return( PSA_ERROR_INVALID_ARGUMENT ); - } -} - -psa_status_t psa_driver_wrapper_pake_set_role( - psa_pake_operation_t *operation, - psa_pake_role_t role ) -{ - switch( operation->id ) - { -#if 
defined(MBEDTLS_PSA_BUILTIN_PAKE) - case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - return( mbedtls_psa_pake_set_role( &operation->ctx.mbedtls_ctx, role ) ); -#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ - -#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) -#if defined(PSA_CRYPTO_DRIVER_TEST) - case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: - return( mbedtls_test_transparent_pake_set_role( - &operation->ctx.transparent_test_driver_ctx, - role ) ); - case MBEDTLS_TEST_OPAQUE_DRIVER_ID: - return( mbedtls_test_opaque_pake_set_role( - &operation->ctx.opaque_test_driver_ctx, - role ) ); -#endif /* PSA_CRYPTO_DRIVER_TEST */ -#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ - default: - (void) role; - return( PSA_ERROR_INVALID_ARGUMENT ); - } -} - psa_status_t psa_driver_wrapper_pake_output( psa_pake_operation_t *operation, psa_pake_step_t step, @@ -3017,7 +2874,7 @@ psa_status_t psa_driver_wrapper_pake_output( { #if defined(MBEDTLS_PSA_BUILTIN_PAKE) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - return( mbedtls_psa_pake_output( &operation->ctx.mbedtls_ctx, step, output, + return( mbedtls_psa_pake_output( &operation->data.ctx.mbedtls_ctx, step, output, output_size, output_length ) ); #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ @@ -3025,11 +2882,11 @@ psa_status_t psa_driver_wrapper_pake_output( #if defined(PSA_CRYPTO_DRIVER_TEST) case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_pake_output( - &operation->ctx.transparent_test_driver_ctx, + &operation->data.ctx.transparent_test_driver_ctx, step, output, output_size, output_length ) ); case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_pake_output( - &operation->ctx.opaque_test_driver_ctx, + &operation->data.ctx.opaque_test_driver_ctx, step, output, output_size, output_length ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ 
@@ -3052,7 +2909,7 @@ psa_status_t psa_driver_wrapper_pake_input( { #if defined(MBEDTLS_PSA_BUILTIN_PAKE) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - return( mbedtls_psa_pake_input( &operation->ctx.mbedtls_ctx, + return( mbedtls_psa_pake_input( &operation->data.ctx.mbedtls_ctx, step, input, input_length ) ); #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ @@ -3060,11 +2917,11 @@ psa_status_t psa_driver_wrapper_pake_input( #if defined(PSA_CRYPTO_DRIVER_TEST) case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_pake_input( - &operation->ctx.transparent_test_driver_ctx, + &operation->data.ctx.transparent_test_driver_ctx, step, input, input_length ) ); case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_pake_input( - &operation->ctx.opaque_test_driver_ctx, + &operation->data.ctx.opaque_test_driver_ctx, step, input, input_length ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ @@ -3084,18 +2941,18 @@ psa_status_t psa_driver_wrapper_pake_get_implicit_key( { #if defined(MBEDTLS_PSA_BUILTIN_PAKE) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - return( mbedtls_psa_pake_get_implicit_key( &operation->ctx.mbedtls_ctx, output, output_size ) ); + return( mbedtls_psa_pake_get_implicit_key( &operation->data.ctx.mbedtls_ctx, output, output_size ) ); #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_pake_get_implicit_key( - &operation->ctx.transparent_test_driver_ctx, + &operation->data.ctx.transparent_test_driver_ctx, output, output_size ) ); case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_pake_get_implicit_key( - &operation->ctx.opaque_test_driver_ctx, + &operation->data.ctx.opaque_test_driver_ctx, output, output_size ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ 
@@ -3113,17 +2970,17 @@ psa_status_t psa_driver_wrapper_pake_abort( { #if defined(MBEDTLS_PSA_BUILTIN_PAKE) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - return( mbedtls_psa_pake_abort( &operation->ctx.mbedtls_ctx ) ); + return( mbedtls_psa_pake_abort( &operation->data.ctx.mbedtls_ctx ) ); #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_pake_abort( - &operation->ctx.transparent_test_driver_ctx ) ); + &operation->data.ctx.transparent_test_driver_ctx ) ); case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_pake_abort( - &operation->ctx.opaque_test_driver_ctx ) ); + &operation->data.ctx.opaque_test_driver_ctx ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: diff --git a/tests/include/test/drivers/pake.h b/tests/include/test/drivers/pake.h index 5ee401b7d..b1d3d4474 100644 --- a/tests/include/test/drivers/pake.h +++ b/tests/include/test/drivers/pake.h 
@@ -50,27 +50,7 @@ extern mbedtls_test_driver_pake_hooks_t mbedtls_test_driver_pake_hooks; psa_status_t mbedtls_test_transparent_pake_setup( mbedtls_transparent_test_driver_pake_operation_t *operation, - const psa_pake_cipher_suite_t *cipher_suite); - -psa_status_t mbedtls_test_transparent_set_password_key( - const psa_key_attributes_t *attributes, - mbedtls_transparent_test_driver_pake_operation_t *operation, - uint8_t *key_buffer, - size_t key_size); - -psa_status_t mbedtls_test_transparent_pake_set_user( - mbedtls_transparent_test_driver_pake_operation_t *operation, - const uint8_t *user_id, - size_t user_id_len); - -psa_status_t mbedtls_test_transparent_pake_set_peer( - mbedtls_transparent_test_driver_pake_operation_t *operation, - const uint8_t *peer_id, - size_t peer_id_len); - -psa_status_t mbedtls_test_transparent_pake_set_role( - mbedtls_transparent_test_driver_pake_operation_t *operation, - psa_pake_role_t role); + const psa_crypto_driver_pake_inputs_t *inputs); psa_status_t mbedtls_test_transparent_pake_output( mbedtls_transparent_test_driver_pake_operation_t *operation, @@ -94,7 +74,7 @@ psa_status_t mbedtls_test_transparent_pake_abort( psa_status_t mbedtls_test_opaque_pake_setup( mbedtls_opaque_test_driver_pake_operation_t *operation, - const psa_pake_cipher_suite_t *cipher_suite); + const psa_crypto_driver_pake_inputs_t *inputs); psa_status_t mbedtls_test_opaque_set_password_key( const psa_key_attributes_t *attributes, diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c index 3495705d6..06168a142 100644 --- a/tests/src/drivers/test_driver_pake.c +++ b/tests/src/drivers/test_driver_pake.c @@ -35,7 +35,7 @@ mbedtls_test_driver_pake_hooks_t mbedtls_test_driver_pake_hooks = psa_status_t mbedtls_test_transparent_pake_setup( mbedtls_transparent_test_driver_pake_operation_t *operation, - const psa_pake_cipher_suite_t *cipher_suite) + const psa_crypto_driver_pake_inputs_t *inputs) { mbedtls_test_driver_pake_hooks.hits++; 
@@ -47,139 +47,14 @@ psa_status_t mbedtls_test_transparent_pake_setup( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = libtestdriver1_mbedtls_psa_pake_setup( - operation, (const libtestdriver1_psa_pake_cipher_suite_t *) cipher_suite); + operation, (const libtestdriver1_psa_crypto_driver_pake_inputs_t *) inputs); #elif defined(MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = mbedtls_psa_pake_setup( - operation, cipher_suite); + operation, inputs); #else (void) operation; - (void) cipher_suite; - mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; -#endif - } - - return mbedtls_test_driver_pake_hooks.driver_status; -} - -psa_status_t mbedtls_test_transparent_set_password_key( - const psa_key_attributes_t *attributes, - mbedtls_transparent_test_driver_pake_operation_t *operation, - uint8_t *key_buffer, - size_t key_size) -{ - mbedtls_test_driver_pake_hooks.hits++; - - if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) { - mbedtls_test_driver_pake_hooks.driver_status = - mbedtls_test_driver_pake_hooks.forced_status; - } else { -#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ - defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) - mbedtls_test_driver_pake_hooks.driver_status = - libtestdriver1_mbedtls_psa_pake_set_password_key( - (const libtestdriver1_psa_key_attributes_t *) attributes, - operation, key_buffer, key_size); -#elif defined(MBEDTLS_PSA_BUILTIN_PAKE) - mbedtls_test_driver_pake_hooks.driver_status = - mbedtls_psa_pake_set_password_key( - attributes, operation, key_buffer, key_size); -#else - (void) operation; - (void) key_buffer, - (void) key_size; - mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; -#endif - } - - return mbedtls_test_driver_pake_hooks.driver_status; -} - -psa_status_t mbedtls_test_transparent_pake_set_user( - mbedtls_transparent_test_driver_pake_operation_t *operation, - const uint8_t *user_id, - size_t user_id_len) -{ - 
mbedtls_test_driver_pake_hooks.hits++; - - if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) { - mbedtls_test_driver_pake_hooks.driver_status = - mbedtls_test_driver_pake_hooks.forced_status; - } else { -#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ - defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) - mbedtls_test_driver_pake_hooks.driver_status = - libtestdriver1_mbedtls_psa_pake_set_user( - operation, user_id, user_id_len); -#elif defined(MBEDTLS_PSA_BUILTIN_PAKE) - mbedtls_test_driver_pake_hooks.driver_status = - mbedtls_psa_pake_set_user( - operation, user_id, user_id_len); -#else - (void) operation; - (void) user_id; - (void) user_id_len; - mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; -#endif - } - - return mbedtls_test_driver_pake_hooks.driver_status; -} - - -psa_status_t mbedtls_test_transparent_pake_set_peer( - mbedtls_transparent_test_driver_pake_operation_t *operation, - const uint8_t *peer_id, - size_t peer_id_len) -{ - mbedtls_test_driver_pake_hooks.hits++; - - if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) { - mbedtls_test_driver_pake_hooks.driver_status = - mbedtls_test_driver_pake_hooks.forced_status; - } else { -#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ - defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) - mbedtls_test_driver_pake_hooks.driver_status = - libtestdriver1_mbedtls_psa_pake_set_peer( - operation, peer_id, peer_id_len); -#elif defined(MBEDTLS_PSA_BUILTIN_PAKE) - mbedtls_test_driver_pake_hooks.driver_status = - mbedtls_psa_pake_set_peer( - operation, peer_id, peer_id_len); -#else - (void) operation; - (void) peer_id; - (void) peer_id_len; - mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; -#endif - } - - return mbedtls_test_driver_pake_hooks.driver_status; -} - -psa_status_t mbedtls_test_transparent_pake_set_role( - mbedtls_transparent_test_driver_pake_operation_t *operation, - psa_pake_role_t role) -{ - mbedtls_test_driver_pake_hooks.hits++; - - if 
(mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) { - mbedtls_test_driver_pake_hooks.driver_status = - mbedtls_test_driver_pake_hooks.forced_status; - } else { -#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ - defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) - mbedtls_test_driver_pake_hooks.driver_status = - libtestdriver1_mbedtls_psa_pake_set_role( - operation, role); -#elif defined(MBEDTLS_PSA_BUILTIN_PAKE) - mbedtls_test_driver_pake_hooks.driver_status = - mbedtls_psa_pake_set_role( - operation, role); -#else - (void) operation; - (void) role; + (void) inputs; mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; #endif } @@ -329,10 +204,10 @@ psa_status_t mbedtls_test_transparent_pake_abort( */ psa_status_t mbedtls_test_opaque_pake_setup( mbedtls_opaque_test_driver_pake_operation_t *operation, - const psa_pake_cipher_suite_t *cipher_suite) + const psa_crypto_driver_pake_inputs_t *inputs) { (void) operation; - (void) cipher_suite; + (void) inputs; return PSA_ERROR_NOT_SUPPORTED; } From 96ae8b939d6e64868225de84636adf5f46f22b52 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 7 Dec 2022 11:52:08 +0100 Subject: [PATCH 18/75] Move pake definitions to headers for composite algorithms Signed-off-by: Przemek Stekiel --- include/psa/crypto_builtin_composites.h | 36 ++++++++++++++++++ include/psa/crypto_builtin_primitives.h | 38 ------------------- .../psa/crypto_driver_contexts_composites.h | 35 +++++++++++++++++ .../psa/crypto_driver_contexts_primitives.h | 35 ----------------- 4 files changed, 71 insertions(+), 73 deletions(-) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index 9f23551eb..295452c8c 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h 
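Review bot: The cast `(const libtestdriver1_psa_crypto_driver_pake_inputs_t *) inputs` in mbedtls_test_transparent_pake_setup is only valid while both structures have the same layout, and nothing at the call site states or checks that. The inputs structure carries more than the cipher suite it replaces (a later patch in this series documents it as holding role, password, key lifetime and cipher suite), so a layout drift would make the driver read the password fields from the wrong offsets. I would at least record the assumption next to the call, `/* Cast relies on libtestdriver1's inputs structure having the same layout as psa_crypto_driver_pake_inputs_t. */`, and preferably back it with a compile-time size check. The function's signature and closing lines sit outside this hunk.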
@@ -180,5 +180,41 @@ typedef struct { #endif +/* EC-JPAKE operation definitions */ + +#include "mbedtls/ecjpake.h" + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#define MBEDTLS_PSA_BUILTIN_PAKE 1 +#endif + +/* Note: the format for mbedtls_ecjpake_read/write function has an extra + * length byte for each step, plus an extra 3 bytes for ECParameters in the + * server's 2nd round. */ +#define MBEDTLS_PSA_PAKE_BUFFER_SIZE ((3 + 1 + 65 + 1 + 65 + 1 + 32) * 2) + +typedef struct { + psa_algorithm_t MBEDTLS_PRIVATE(alg); + unsigned int MBEDTLS_PRIVATE(state); + unsigned int MBEDTLS_PRIVATE(sequence); +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) + unsigned int MBEDTLS_PRIVATE(input_step); + unsigned int MBEDTLS_PRIVATE(output_step); + uint8_t *MBEDTLS_PRIVATE(password); + size_t MBEDTLS_PRIVATE(password_len); + uint8_t MBEDTLS_PRIVATE(role); + uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_PAKE_BUFFER_SIZE]); + size_t MBEDTLS_PRIVATE(buffer_length); + size_t MBEDTLS_PRIVATE(buffer_offset); +#endif + /* Context structure for the Mbed TLS EC-JPAKE implementation. */ + union { + unsigned int MBEDTLS_PRIVATE(dummy); + mbedtls_ecjpake_context MBEDTLS_PRIVATE(pake); + } MBEDTLS_PRIVATE(ctx); + +} mbedtls_psa_pake_operation_t; + +#define MBEDTLS_PSA_PAKE_OPERATION_INIT { { 0 } } #endif /* PSA_CRYPTO_BUILTIN_COMPOSITES_H */ diff --git a/include/psa/crypto_builtin_primitives.h b/include/psa/crypto_builtin_primitives.h index 2830b61e6..c76bc7814 100644 --- a/include/psa/crypto_builtin_primitives.h +++ b/include/psa/crypto_builtin_primitives.h 
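Review bot: `MBEDTLS_PSA_PAKE_BUFFER_SIZE` is built from the bare literals 65 and 32, and the comment above it explains only the length bytes and the 3 ECParameters bytes. The two literals look like the sizes of an uncompressed point and a scalar on a 256-bit curve, which makes the bound of `buffer[]` curve-specific without saying so. I would add `/* 65 = uncompressed point, 32 = scalar on a 256-bit curve; revisit if EC-JPAKE is enabled for any other curve. */` so that whoever widens the cipher suite also revisits the buffer bound. The `password` / `password_len` pair would also benefit from a one-line comment stating who owns the buffer and that it has to be zeroized and freed on abort; the code that does this is not part of the hunk.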
@@ -111,42 +111,4 @@ typedef struct { #define MBEDTLS_PSA_CIPHER_OPERATION_INIT { 0, 0, 0, { 0 } } - -/* EC-JPAKE operation definitions */ - -#include "mbedtls/ecjpake.h" - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) -#define MBEDTLS_PSA_BUILTIN_PAKE 1 -#endif - -/* Note: the format for mbedtls_ecjpake_read/write function has an extra - * length byte for each step, plus an extra 3 bytes for ECParameters in the - * server's 2nd round. */ -#define MBEDTLS_PSA_PAKE_BUFFER_SIZE ((3 + 1 + 65 + 1 + 65 + 1 + 32) * 2) - -typedef struct { - psa_algorithm_t MBEDTLS_PRIVATE(alg); - unsigned int MBEDTLS_PRIVATE(state); - unsigned int MBEDTLS_PRIVATE(sequence); -#if defined(MBEDTLS_PSA_BUILTIN_PAKE) - unsigned int MBEDTLS_PRIVATE(input_step); - unsigned int MBEDTLS_PRIVATE(output_step); - uint8_t *MBEDTLS_PRIVATE(password); - size_t MBEDTLS_PRIVATE(password_len); - uint8_t MBEDTLS_PRIVATE(role); - uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_PAKE_BUFFER_SIZE]); - size_t MBEDTLS_PRIVATE(buffer_length); - size_t MBEDTLS_PRIVATE(buffer_offset); -#endif - /* Context structure for the Mbed TLS EC-JPAKE implementation. */ - union { - unsigned int MBEDTLS_PRIVATE(dummy); - mbedtls_ecjpake_context MBEDTLS_PRIVATE(pake); - } MBEDTLS_PRIVATE(ctx); - -} mbedtls_psa_pake_operation_t; - -#define MBEDTLS_PSA_PAKE_OPERATION_INIT { { 0 } } - #endif /* PSA_CRYPTO_BUILTIN_PRIMITIVES_H */ diff --git a/include/psa/crypto_driver_contexts_composites.h b/include/psa/crypto_driver_contexts_composites.h index 1b95814f9..4d0e9848d 100644 --- a/include/psa/crypto_driver_contexts_composites.h +++ b/include/psa/crypto_driver_contexts_composites.h 
@@ -88,6 +88,32 @@ typedef mbedtls_psa_aead_operation_t #endif /* MBEDTLS_TEST_LIBTESTDRIVER1 && LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD */ +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) + +typedef libtestdriver1_mbedtls_psa_pake_operation_t + mbedtls_transparent_test_driver_pake_operation_t; +typedef libtestdriver1_psa_pake_operation_t + mbedtls_opaque_test_driver_pake_operation_t; + +#define MBEDTLS_TRANSPARENT_TEST_DRIVER_PAKE_OPERATION_INIT \ + LIBTESTDRIVER1_MBEDTLS_PSA_PAKE_OPERATION_INIT +#define MBEDTLS_OPAQUE_TEST_DRIVER_PAKE_OPERATION_INIT \ + LIBTESTDRIVER1_MBEDTLS_PSA_PAKE_OPERATION_INIT + +#else +typedef mbedtls_psa_pake_operation_t + mbedtls_transparent_test_driver_pake_operation_t; +typedef mbedtls_psa_pake_operation_t + mbedtls_opaque_test_driver_pake_operation_t; + +#define MBEDTLS_TRANSPARENT_TEST_DRIVER_PAKE_OPERATION_INIT \ + MBEDTLS_PSA_PAKE_OPERATION_INIT +#define MBEDTLS_OPAQUE_TEST_DRIVER_PAKE_OPERATION_INIT \ + MBEDTLS_PSA_PAKE_OPERATION_INIT + +#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 && LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE */ + #endif /* PSA_CRYPTO_DRIVER_TEST */ /* Define the context to be used for an operation that is executed through the @@ -124,5 +150,14 @@ typedef union { mbedtls_psa_verify_hash_interruptible_operation_t mbedtls_ctx; } psa_driver_verify_hash_interruptible_context_t; +typedef union { + unsigned dummy; /* Make sure this union is always non-empty */ + mbedtls_psa_pake_operation_t mbedtls_ctx; +#if defined(PSA_CRYPTO_DRIVER_TEST) + mbedtls_transparent_test_driver_pake_operation_t transparent_test_driver_ctx; + mbedtls_opaque_test_driver_pake_operation_t opaque_test_driver_ctx; +#endif +} psa_driver_pake_context_t; + #endif /* PSA_CRYPTO_DRIVER_CONTEXTS_COMPOSITES_H */ /* End of automatically generated file. */ diff --git a/include/psa/crypto_driver_contexts_primitives.h b/include/psa/crypto_driver_contexts_primitives.h index 7d096208b..f1463f34d 100644 
--- a/include/psa/crypto_driver_contexts_primitives.h +++ b/include/psa/crypto_driver_contexts_primitives.h @@ -89,32 +89,6 @@ typedef struct { #define MBEDTLS_OPAQUE_TEST_DRIVER_CIPHER_OPERATION_INIT \ { 0, MBEDTLS_TRANSPARENT_TEST_DRIVER_CIPHER_OPERATION_INIT } -#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ - defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) - -typedef libtestdriver1_mbedtls_psa_pake_operation_t - mbedtls_transparent_test_driver_pake_operation_t; -typedef libtestdriver1_psa_pake_operation_t - mbedtls_opaque_test_driver_pake_operation_t; - -#define MBEDTLS_TRANSPARENT_TEST_DRIVER_PAKE_OPERATION_INIT \ - LIBTESTDRIVER1_MBEDTLS_PSA_PAKE_OPERATION_INIT -#define MBEDTLS_OPAQUE_TEST_DRIVER_PAKE_OPERATION_INIT \ - LIBTESTDRIVER1_MBEDTLS_PSA_PAKE_OPERATION_INIT - -#else -typedef mbedtls_psa_pake_operation_t - mbedtls_transparent_test_driver_pake_operation_t; -typedef mbedtls_psa_pake_operation_t - mbedtls_opaque_test_driver_pake_operation_t; - -#define MBEDTLS_TRANSPARENT_TEST_DRIVER_PAKE_OPERATION_INIT \ - MBEDTLS_PSA_PAKE_OPERATION_INIT -#define MBEDTLS_OPAQUE_TEST_DRIVER_PAKE_OPERATION_INIT \ - MBEDTLS_PSA_PAKE_OPERATION_INIT - -#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 && LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE */ - #endif /* PSA_CRYPTO_DRIVER_TEST */ /* Define the context to be used for an operation that is executed through the @@ -141,14 +115,5 @@ typedef union { #endif } psa_driver_cipher_context_t; -typedef union { - unsigned dummy; /* Make sure this union is always non-empty */ - mbedtls_psa_pake_operation_t mbedtls_ctx; -#if defined(PSA_CRYPTO_DRIVER_TEST) - mbedtls_transparent_test_driver_pake_operation_t transparent_test_driver_ctx; - mbedtls_opaque_test_driver_pake_operation_t opaque_test_driver_ctx; -#endif -} psa_driver_pake_context_t; - #endif /* PSA_CRYPTO_DRIVER_CONTEXTS_PRIMITIVES_H */ /* End of automatically generated file. */ From ca67483b1568d2150a6ba25d2a02a73f7b008428 Mon Sep 17 00:00:00 2001 
From: Przemek Stekiel Date: Wed, 7 Dec 2022 14:47:34 +0100 Subject: [PATCH 19/75] psa_crypto_pake.h: adapt function descriptions Signed-off-by: Przemek Stekiel --- library/psa_crypto_pake.h | 154 +++++++------------------------------- 1 file changed, 28 insertions(+), 126 deletions(-) diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h index 4768cee11..608d76aed 100644 --- a/library/psa_crypto_pake.h +++ b/library/psa_crypto_pake.h 
@@ -25,73 +25,24 @@ /** Set the session information for a password-authenticated key exchange. * - * The sequence of operations to set up a password-authenticated key exchange - * is as follows: - * -# Allocate an operation object which will be passed to all the functions - * listed here. - * -# Initialize the operation object with one of the methods described in the - * documentation for #psa_pake_operation_t, e.g. - * #PSA_PAKE_OPERATION_INIT. - * -# Call psa_pake_setup() to specify the cipher suite. - * -# Call \c psa_pake_set_xxx() functions on the operation to complete the - * setup. The exact sequence of \c psa_pake_set_xxx() functions that needs - * to be called depends on the algorithm in use. - * - * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - * for more information. - * - * A typical sequence of calls to perform a password-authenticated key - * exchange: - * -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the - * key share that needs to be sent to the peer. - * -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide - * the key share that was received from the peer. - * -# Depending on the algorithm additional calls to psa_pake_output() and - * psa_pake_input() might be necessary. - * -# Call psa_pake_get_implicit_key() for accessing the shared secret. - * - * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - * for more information. - * - * If an error occurs at any step after a call to psa_pake_setup(), - * the operation will need to be reset by a call to psa_pake_abort(). The - * application may call psa_pake_abort() at any time after the operation - * has been initialized. - * - * After a successful call to psa_pake_setup(), the application must - * eventually terminate the operation. 
The following events terminate an - * operation: - * - A call to psa_pake_abort(). - * - A successful call to psa_pake_get_implicit_key(). + * \note The signature of this function is that of a PSA driver + * pake_setup entry point. This function behaves as a pake_setup + * entry point as defined in the PSA driver interface specification for + * transparent drivers. * * \param[in,out] operation The operation object to set up. It must have * been initialized but not set up yet. - * \param[in] cipher_suite The cipher suite to use. (A cipher suite fully - * characterizes a PAKE algorithm and determines - * the algorithm as well.) + * \param[in] inputs Inputs required for PAKE operation (role, password, + * key lifetime, cipher suite) * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INVALID_ARGUMENT - * The algorithm in \p cipher_suite is not a PAKE algorithm, or the - * PAKE primitive in \p cipher_suite is not compatible with the - * PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid - * or not compatible with the PAKE algorithm and primitive. * \retval #PSA_ERROR_NOT_SUPPORTED * The algorithm in \p cipher_suite is not a supported PAKE algorithm, * or the PAKE primitive in \p cipher_suite is not supported or not * compatible with the PAKE algorithm, or the hash algorithm in * \p cipher_suite is not supported or not compatible with the PAKE * algorithm and primitive. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid, or - * the library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. */ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, const psa_crypto_driver_pake_inputs_t *inputs); 
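Review bot: The `\retval #PSA_ERROR_NOT_SUPPORTED` text kept for mbedtls_psa_pake_setup still refers to `\p cipher_suite` four times, but this hunk replaces that parameter with `inputs`, so Doxygen now points at a parameter that does not exist. The entry should be reworded against the new parameter, for example ` * The cipher suite in \p inputs is not supported: the PAKE algorithm, the PAKE primitive or the hash algorithm is unsupported, or they are not compatible with each other.` The `\param[in] inputs` line could also say that the driver reads the structure and does not own it, if that is the contract; the hunk does not show which.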
@@ -99,17 +50,10 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, /** Get output for a step of a password-authenticated key exchange. * - * Depending on the algorithm being executed, you might need to call this - * function several times or you might not need to call this at all. - * - * The exact sequence of calls to perform a password-authenticated key - * exchange depends on the algorithm in use. Refer to the documentation of - * individual PAKE algorithm types (`PSA_ALG_XXX` values of type - * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - * information. - * - * If this function returns an error status, the operation enters an error - * state and must be aborted by calling psa_pake_abort(). + * \note The signature of this function is that of a PSA driver + * pake_output entry point. This function behaves as a pake_output + * entry point as defined in the PSA driver interface specification for + * transparent drivers. * * \param[in,out] operation Active PAKE operation. * \param step The step of the algorithm for which the output is @@ -147,8 +91,7 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, and fully set * up, and this call must conform to the algorithm's requirements - * for ordering of input and output steps), or - * the library has not been previously initialized by psa_crypto_init(). + * for ordering of input and output steps). * It is implementation-dependent whether a failure to initialize * results in this error code. */ 
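Review bot: In the `\retval #PSA_ERROR_BAD_STATE` entry for mbedtls_psa_pake_output, removing "the library has not been previously initialized by psa_crypto_init()" leaves the following sentence, "It is implementation-dependent whether a failure to initialize results in this error code.", with nothing to refer to. That sentence should be deleted together with the clause it qualified. The same leftover remains in the BAD_STATE entries edited for mbedtls_psa_pake_input and mbedtls_psa_pake_abort further down this patch; for abort it ends up as the only description of the error.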
@@ -160,17 +103,10 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, /** Provide input for a step of a password-authenticated key exchange. * - * Depending on the algorithm being executed, you might need to call this - * function several times or you might not need to call this at all. - * - * The exact sequence of calls to perform a password-authenticated key - * exchange depends on the algorithm in use. Refer to the documentation of - * individual PAKE algorithm types (`PSA_ALG_XXX` values of type - * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - * information. - * - * If this function returns an error status, the operation enters an error - * state and must be aborted by calling psa_pake_abort(). + * \note The signature of this function is that of a PSA driver + * key_agreement entry point. This function behaves as a key_agreement + * entry point as defined in the PSA driver interface specification for + * transparent drivers. * * \param[in,out] operation Active PAKE operation. * \param step The step for which the input is provided. @@ -186,7 +122,7 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, * \retval #PSA_ERROR_INVALID_SIGNATURE * The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step. * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p is not compatible with the \p operation’s algorithm, or the + * \p step is not compatible with the \p operation’s algorithm, or the * \p input is not valid for the \p operation's algorithm, cipher suite * or \p step. * \retval #PSA_ERROR_NOT_SUPPORTED 
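Review bot: The note added for mbedtls_psa_pake_input names the wrong entry point: it says `key_agreement` twice, whereas the sibling notes in this patch name each function's own entry point (`pake_setup`, `pake_output`, `pake_abort`). This looks like a copy-paste slip and should read ` * pake_input entry point. This function behaves as a pake_input`. The `\p step` fix in the following hunk is fine as it stands.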
@@ -202,8 +138,7 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, and fully set * up, and this call must conform to the algorithm's requirements - * for ordering of input and output steps), or - * the library has not been previously initialized by psa_crypto_init(). + * for ordering of input and output steps). * It is implementation-dependent whether a failure to initialize * results in this error code. */ 
@@ -214,42 +149,17 @@ psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, /** Get implicitly confirmed shared secret from a PAKE. * - * At this point there is a cryptographic guarantee that only the authenticated - * party who used the same password is able to compute the key. But there is no - * guarantee that the peer is the party it claims to be and was able to do so. - * - * That is, the authentication is only implicit. Since the peer is not - * authenticated yet, no action should be taken yet that assumes that the peer - * is who it claims to be. For example, do not access restricted files on the - * peer's behalf until an explicit authentication has succeeded. - * - * This function can be called after the key exchange phase of the operation - * has completed. It imports the shared secret output of the PAKE into the - * provided derivation operation. The input step - * #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key - * material in the key derivation operation. - * - * The exact sequence of calls to perform a password-authenticated key - * exchange depends on the algorithm in use. Refer to the documentation of - * individual PAKE algorithm types (`PSA_ALG_XXX` values of type - * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - * information. - * - * When this function returns successfully, \p operation becomes inactive. - * If this function returns an error status, both \p operation - * and \p key_derivation operations enter an error state and must be aborted by - * calling psa_pake_abort() and psa_key_derivation_abort() respectively. + * \note The signature of this function is that of a PSA driver + * pake_get_implicit_key entry point. This function behaves as a + * pake_get_implicit_key entry point as defined in the PSA driver + * interface specification for transparent drivers. * * \param[in,out] operation Active PAKE operation. 
- * \param[out] output A key derivation operation that is ready - * for an input step of type - * #PSA_KEY_DERIVATION_INPUT_SECRET. + * \param[out] output Output buffer for implicit key + * \param[out] output_size Size of the returned implicit key * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INVALID_ARGUMENT - * #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the - * algorithm in the \p output key derivation operation. * \retval #PSA_ERROR_NOT_SUPPORTED * Input from a PAKE is not supported by the algorithm in the \p output * key derivation operation. @@ -261,8 +171,7 @@ psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, * \retval #PSA_ERROR_DATA_INVALID * \retval #PSA_ERROR_BAD_STATE * The PAKE operation state is not valid (it must be active, but beyond - * that validity is specific to the algorithm), or - * the library has not been previously initialized by psa_crypto_init(), + * that validity is specific to the algorithm), * or the state of \p output is not valid for * the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the * step is out of order or the application has done this step already 
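Review bot: `\param[out] output` is now documented as a byte buffer, yet the `\retval` entries kept as context still describe `\p output` as a key derivation operation. `PSA_ERROR_NOT_SUPPORTED` speaks of "the \p output key derivation operation", and in the following hunk `PSA_ERROR_BAD_STATE` speaks of the state of `\p output` for the `#PSA_KEY_DERIVATION_INPUT_SECRET` step. Those entries should be rewritten for the buffer interface or dropped. `output_size` is marked `[out]` and described as the size of the returned key, which reads like a length rather than a capacity. The prototype is outside the hunk, so I cannot tell which it is, but the doc should say `Size of the \p output buffer in bytes` for a capacity and document any separate length parameter.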
@@ -276,16 +185,10 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( /** Abort a PAKE operation. * - * Aborting an operation frees all associated resources except for the \c - * operation structure itself. Once aborted, the operation object can be reused - * for another operation by calling psa_pake_setup() again. - * - * This function may be called at any time after the operation - * object has been initialized as described in #psa_pake_operation_t. - * - * In particular, calling psa_pake_abort() after the operation has been - * terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key() - * is safe and has no effect. + * \note The signature of this function is that of a PSA driver + * pake_abort entry point. This function behaves as a pake_abort + * entry point as defined in the PSA driver interface specification for + * transparent drivers. * * \param[in,out] operation The operation to abort. * @@ -294,7 +197,6 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( * \retval #PSA_ERROR_COMMUNICATION_FAILURE * \retval #PSA_ERROR_CORRUPTION_DETECTED * \retval #PSA_ERROR_BAD_STATE - * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize * results in this error code. */ From c6b954686b3b0341cdec7a01e45ae515994c13ca Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 8 Dec 2022 11:13:29 +0100 Subject: [PATCH 20/75] Adapt test_suite_psa_crypto_pake test for the new design Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_psa_crypto_pake.data | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data index f447ef05b..0ec16f06c 100644 --- a/tests/suites/test_suite_psa_crypto_pake.data +++ b/tests/suites/test_suite_psa_crypto_pake.data 
@@ -8,19 +8,19 @@ ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAK PSA PAKE: invalid primitive type depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_DH, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_DH, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_OUTPUT:PSA_ERROR_NOT_SUPPORTED PSA PAKE: invalid primitive family depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_K1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_K1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_OUTPUT:PSA_ERROR_NOT_SUPPORTED PSA PAKE: invalid primitive bits depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 128):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 128):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_OUTPUT:PSA_ERROR_NOT_SUPPORTED PSA PAKE: invalid hash depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_1:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_1:PSA_PAKE_ROLE_SERVER:0:ERR_IN_OUTPUT:PSA_ERROR_NOT_SUPPORTED PSA PAKE: duplicate a valid setup depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 @@ -28,7 +28,7 @@ ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_ PSA PAKE: ecjpake setup invalid role NONE depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_NONE:0:ERR_IN_SET_ROLE:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_NONE:0:ERR_IN_OUTPUT:PSA_ERROR_BAD_STATE PSA PAKE: wrong password key type depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 From 95629ab4ae3977a7e1c09ea9b568afc12c619aa1 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 14 Dec 2022 08:22:25 +0100 Subject: [PATCH 21/75] Add forced status for pake setup Signed-off-by: Przemek Stekiel --- tests/include/test/drivers/pake.h | 5 ++++- tests/src/drivers/test_driver_pake.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/tests/include/test/drivers/pake.h b/tests/include/test/drivers/pake.h index b1d3d4474..041229601 100644 --- a/tests/include/test/drivers/pake.h +++ b/tests/include/test/drivers/pake.h 
@@ -29,6 +29,9 @@ typedef struct { /* If not PSA_SUCCESS, return this error code instead of processing the * function call. */ psa_status_t forced_status; + /* PAKE driver setup is executed on the first call to + pake_output/pake_input (added to distinguish forced statuses). */ + psa_status_t forced_setup_status; /* Count the amount of times PAKE driver functions are called. */ unsigned long hits; /* Status returned by the last PAKE driver function call. */ @@ -38,7 +41,7 @@ typedef struct { size_t forced_output_length; } mbedtls_test_driver_pake_hooks_t; -#define MBEDTLS_TEST_DRIVER_PAKE_INIT { 0, 0, 0, NULL, 0 } +#define MBEDTLS_TEST_DRIVER_PAKE_INIT { PSA_SUCCESS, PSA_SUCCESS, 0, PSA_SUCCESS, NULL, 0 } static inline mbedtls_test_driver_pake_hooks_t mbedtls_test_driver_pake_hooks_init(void) { diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c index 06168a142..437c4995f 100644 --- a/tests/src/drivers/test_driver_pake.c +++ b/tests/src/drivers/test_driver_pake.c @@ -39,9 +39,9 @@ psa_status_t mbedtls_test_transparent_pake_setup( { mbedtls_test_driver_pake_hooks.hits++; - if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) { + if (mbedtls_test_driver_pake_hooks.forced_setup_status != PSA_SUCCESS) { mbedtls_test_driver_pake_hooks.driver_status = - mbedtls_test_driver_pake_hooks.forced_status; + mbedtls_test_driver_pake_hooks.forced_setup_status; } else { #if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) From 3f9dbac83fce2bc07202a285fe26fad754315532 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 14 Dec 2022 08:27:46 +0100 Subject: [PATCH 22/75] Adapt ake driver tests to the new design Signed-off-by: Przemek Stekiel --- ...test_suite_psa_crypto_driver_wrappers.data | 56 +-- ..._suite_psa_crypto_driver_wrappers.function | 337 ++++++------------ 2 files changed, 153 insertions(+), 240 deletions(-) 
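Review bot: `MBEDTLS_TEST_DRIVER_PAKE_INIT` is a positional initializer that had to be re-counted because `forced_setup_status` was inserted in the middle of the structure, and the next field added will silently shift values again. Designated initializers would make the macro independent of field order: `{ .forced_status = PSA_SUCCESS, .forced_setup_status = PSA_SUCCESS }`, with the remaining members zero-initialized. The new field's comment is also hard to follow and does not use the ` * ` continuation style of its neighbours. I would write `/* If not PSA_SUCCESS, the setup entry point returns this instead of running.` followed by ` * Kept separate from forced_status because setup runs on the first` and ` * pake_output/pake_input call. */`.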
diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.data b/tests/suites/test_suite_psa_crypto_driver_wrappers.data index 73c569d39..fa7aa7b62 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.data +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.data 
@@ -821,38 +821,54 @@ PSA AEAD decrypt setup, AES-GCM, 144 bytes #1, insufficient memory depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_decrypt_setup:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c87281":"4365847fe0b7b7fbed325953df344a96":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY -PSA PAKE setup transparent driver: in-driver success +PSA PAKE transparent driver: setup(via input) in-driver forced status depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -pake_setup:"abcd":PSA_SUCCESS:PSA_SUCCESS +pake_operations:"abcd":PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:"":PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:0 -PSA PAKE setup transparent driver: in-driver forced error +PSA PAKE transparent driver: setup(via output) in-driver forced status depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -pake_setup:"abcd":PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY +pake_operations:"abcd":PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:"":PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:1 -PSA PAKE setup transparent driver: 
fallback -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:MBEDTLS_PSA_BUILTIN_PAKE -pake_setup:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS +PSA PAKE transparent driver: input in-driver forced status +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +pake_operations:"abcd":PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:"":PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:2 -PSA PAKE setup transparent driver: fallback not available +PSA PAKE transparent driver: output in-driver forced status +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +pake_operations:"abcd":PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:"":PSA_SUCCESS:PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:PSA_SUCCESS:3 + +PSA PAKE transparent driver: output in-driver forced output +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +pake_operations:"abcd":PSA_SUCCESS:PSA_SUCCESS:"1234":PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:3 + +PSA PAKE transparent driver: get_key in-driver forced status +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +pake_operations:"abcd":PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:"":PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:4 + +PSA PAKE transparent driver: abort in-driver forced status +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +pake_operations:"abcd":PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:"":PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:5 + +PSA PAKE transparent driver: setup(via input) fallback not available depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:!MBEDTLS_PSA_BUILTIN_PAKE -pake_setup:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_NOT_SUPPORTED 
+pake_operations:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:"":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:0 -PSA PAKE operations transparent driver: in-driver success -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -pake_operations:"abcd":PSA_SUCCESS:"":PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_ERROR_BAD_STATE +PSA PAKE transparent driver: setup(via output) fallback not available +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:!MBEDTLS_PSA_BUILTIN_PAKE +pake_operations:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:"":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:1 -PSA PAKE operations transparent driver: in-driver forced status -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -pake_operations:"abcd":PSA_SUCCESS:"1234":PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY +PSA PAKE transparent driver: input fallback not available +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:!MBEDTLS_PSA_BUILTIN_PAKE +pake_operations:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:"":PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:2 -PSA PAKE operations transparent driver: fallback -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:MBEDTLS_PSA_BUILTIN_PAKE -pake_operations:"abcd":PSA_ERROR_NOT_SUPPORTED:"":PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_ERROR_BAD_STATE +PSA PAKE transparent driver: output fallback not available 
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:!MBEDTLS_PSA_BUILTIN_PAKE +pake_operations:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:"":PSA_SUCCESS:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_SUCCESS:3 -PSA PAKE: ecjpake rounds transparent driver: in-driver +PSA PAKE: ecjpake rounds transparent driver: in-driver success depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:1 -PSA PAKE: ecjpake rounds transparent driver: fallback +PSA PAKE: ecjpake rounds transparent driver: fallback success depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS:MBEDTLS_PSA_BUILTIN_PAKE ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0 diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index cfbcccb34..2e1c626a6 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -3,8 +3,8 @@ /* Auxiliary variables for pake tests. Global to silent the compiler when unused. */ -size_t pake_expected_hit_count; -int pake_in_driver; +size_t pake_expected_hit_count = 0; +int pake_in_driver = 0; #if defined(PSA_WANT_ALG_JPAKE) static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, 
@@ -142,6 +142,9 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, TEST_EQUAL(status, PSA_SUCCESS); } + /* Adjust for indirect client driver setup in first pake_output call. */ + pake_expected_hit_count++; + /* Client first round Output */ PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, buffer1 + buffer1_off, 
@@ -2974,81 +2977,27 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void pake_setup(data_t *pw_data, int forced_status_arg, int expected_status_arg) -{ - mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; - psa_status_t forced_status = forced_status_arg; - psa_status_t expected_status = expected_status_arg; - psa_pake_operation_t operation = psa_pake_operation_init(); - psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); - psa_key_type_t key_type_pw = PSA_KEY_TYPE_PASSWORD; - psa_key_usage_t key_usage_pw = PSA_KEY_USAGE_DERIVE; - psa_algorithm_t alg = PSA_ALG_JPAKE; - psa_algorithm_t hash_alg = PSA_ALG_SHA_256; - psa_pake_primitive_t primitive_arg = PSA_PAKE_PRIMITIVE( - PSA_PAKE_PRIMITIVE_TYPE_ECC, - PSA_ECC_FAMILY_SECP_R1, 256); - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - mbedtls_test_driver_pake_hooks = mbedtls_test_driver_pake_hooks_init(); - - PSA_INIT(); - - if (pw_data->len > 0) { - psa_set_key_usage_flags(&attributes, key_usage_pw); - psa_set_key_algorithm(&attributes, alg); - psa_set_key_type(&attributes, key_type_pw); - PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, - &key)); - } - - psa_pake_cs_set_algorithm(&cipher_suite, alg); - psa_pake_cs_set_primitive(&cipher_suite, primitive_arg); - psa_pake_cs_set_hash(&cipher_suite, hash_alg); - - mbedtls_test_driver_pake_hooks.forced_status = forced_status; - - TEST_EQUAL(psa_pake_setup(&operation, &cipher_suite), - expected_status); - - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 1); -exit: - /* - * Key attributes may have been returned by psa_get_key_attributes() - * thus reset them as required. 
- */ - psa_reset_key_attributes(&attributes); - psa_destroy_key(key); - mbedtls_test_driver_pake_hooks = - mbedtls_test_driver_pake_hooks_init(); - PSA_DONE(); -} -/* END_CASE */ - -/* BEGIN_CASE */ -void pake_operations(data_t *pw_data, int forced_status_setup_arg, data_t *forced_output, - int forced_status_arg, int expected_status_set_user_arg, - int expected_status_set_role_arg, int expected_status_set_peer_arg, - int expected_status_set_password_arg, int expected_status_input_arg, - int expected_status_abort_arg, int expected_status_output_arg, - int expected_status_get_key_arg) +void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_status_arg, + data_t *forced_output, int expected_status_setup_arg, + int expected_status_input_arg, int expected_status_output_arg, + int expected_status_get_key_arg, int expected_status_abort_arg, + int fut) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_status_t forced_status = forced_status_arg; psa_status_t forced_status_setup = forced_status_setup_arg; - psa_status_t expected_status_set_user = expected_status_set_user_arg; - psa_status_t expected_status_set_role = expected_status_set_role_arg; - psa_status_t expected_status_set_peer = expected_status_set_peer_arg; - psa_status_t expected_status_set_password = expected_status_set_password_arg; + psa_status_t expected_status_setup = expected_status_setup_arg; psa_status_t expected_status_input = expected_status_input_arg; - psa_status_t expected_status_abort = expected_status_abort_arg; psa_status_t expected_status_output = expected_status_output_arg; psa_status_t expected_status_get_key = expected_status_get_key_arg; + psa_status_t expected_status_abort = expected_status_abort_arg; psa_pake_operation_t operation = psa_pake_operation_init(); psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); psa_key_type_t key_type_pw = PSA_KEY_TYPE_PASSWORD; psa_key_usage_t key_usage_pw = PSA_KEY_USAGE_DERIVE; psa_algorithm_t alg = 
PSA_ALG_JPAKE; psa_algorithm_t hash_alg = PSA_ALG_SHA_256; + int in_driver = 1; psa_key_derivation_operation_t implicit_key = PSA_KEY_DERIVATION_OPERATION_INIT; psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( @@ -3056,9 +3005,6 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, data_t *force PSA_ECC_FAMILY_SECP_R1, 256); psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; mbedtls_test_driver_pake_hooks = mbedtls_test_driver_pake_hooks_init(); - const unsigned char *user = (const unsigned char *) "user"; - const uint8_t peer[] = "abcd"; - uint32_t expected_hits = 1; unsigned char *input_buffer = NULL; const size_t size_key_share = PSA_PAKE_INPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE); @@ -3077,9 +3023,8 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, data_t *force PSA_PAKE_STEP_KEY_SHARE)); memset(output_buffer, 0x55, output_size); - /* Transparent driver is not available (fallback). */ - if (forced_status_setup == PSA_ERROR_NOT_SUPPORTED) { - expected_hits = 0; + if (forced_status_setup_arg == PSA_ERROR_NOT_SUPPORTED) { + in_driver = 0; } PSA_INIT(); 
@@ -3097,99 +3042,9 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, data_t *force psa_pake_cs_set_hash(&cipher_suite, hash_alg); mbedtls_test_driver_pake_hooks.forced_status = forced_status_setup; - TEST_EQUAL(psa_pake_setup(&operation, &cipher_suite), - PSA_SUCCESS); - /* --- psa_pake_set_user --- */ - mbedtls_test_driver_pake_hooks.forced_status = forced_status; - mbedtls_test_driver_pake_hooks.hits = 0; + /* Collecting input stage (no driver entry points) */ - TEST_EQUAL(psa_pake_set_user(&operation, user, 4), - expected_status_set_user); - - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); - - /* psa_pake_set_user is unsupported (after this call operation is aborted) - we need to reinitialize object. */ - if (mbedtls_test_driver_pake_hooks.forced_status == PSA_SUCCESS) { - mbedtls_test_driver_pake_hooks.forced_status = forced_status_setup; - TEST_EQUAL(psa_pake_setup(&operation, &cipher_suite), - PSA_SUCCESS); - } - - /* --- psa_pake_set_peer --- */ - mbedtls_test_driver_pake_hooks.forced_status = forced_status; - mbedtls_test_driver_pake_hooks.hits = 0; - - TEST_EQUAL(psa_pake_set_peer(&operation, peer, 4), - expected_status_set_peer); - - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); - - /* psa_pake_set_user is unsupported (after this call operation is aborted) - we need to reinitialize object. 
*/ - if (mbedtls_test_driver_pake_hooks.forced_status == PSA_SUCCESS) { - mbedtls_test_driver_pake_hooks.forced_status = forced_status_setup; - TEST_EQUAL(psa_pake_setup(&operation, &cipher_suite), - PSA_SUCCESS); - } - - /* --- psa_pake_set_role --- */ - mbedtls_test_driver_pake_hooks.forced_status = forced_status; - mbedtls_test_driver_pake_hooks.hits = 0; - - TEST_EQUAL(psa_pake_set_role(&operation, PSA_PAKE_ROLE_SERVER), - expected_status_set_role); - - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); - - /* --- psa_pake_set_password_key --- */ - /* psa_pake_set_password_key is dispatched by location and other - functions are dispatched by operation id (set during setup). - In case of dispatching by location fallback is performed when - transparent accelerators are not supported. */ - if (forced_status_setup == PSA_ERROR_NOT_SUPPORTED) { - mbedtls_test_driver_pake_hooks.forced_status = PSA_ERROR_NOT_SUPPORTED; - expected_hits = 1; - } else { - mbedtls_test_driver_pake_hooks.forced_status = forced_status; - } - mbedtls_test_driver_pake_hooks.hits = 0; - - TEST_EQUAL(psa_pake_set_password_key(&operation, key), - expected_status_set_password); - - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); - - /* Restore expected_hits for next tests. 
*/ - if (forced_status_setup == PSA_ERROR_NOT_SUPPORTED) { - expected_hits = 0; - } - - /* --- psa_pake_input --- */ - mbedtls_test_driver_pake_hooks.forced_status = forced_status; - mbedtls_test_driver_pake_hooks.hits = 0; - - TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, - input_buffer, size_key_share), - expected_status_input); - - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); - - /* --- psa_pake_abort --- */ - mbedtls_test_driver_pake_hooks.forced_status = forced_status; - mbedtls_test_driver_pake_hooks.hits = 0; - - TEST_EQUAL(psa_pake_abort(&operation), expected_status_abort); - - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); - - /* --- psa_pake_output --- */ - /* We need to setup pake again */ - mbedtls_test_driver_pake_hooks.forced_status = PSA_SUCCESS; - TEST_EQUAL(psa_pake_abort(&operation), PSA_SUCCESS); - - mbedtls_test_driver_pake_hooks.forced_status = forced_status_setup; TEST_EQUAL(psa_pake_setup(&operation, &cipher_suite), PSA_SUCCESS); 
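Review bot: The context line `mbedtls_test_driver_pake_hooks.forced_status = forced_status_setup;` that survives just above the new `/* Collecting input stage (no driver entry points) */` comment looks like a leftover now that setup has its own `forced_setup_status` hook. Cases 0 to 3 of the later switch overwrite both hooks before calling the driver, but cases 4 and 5 make their "Call driver setup indirectly" `psa_pake_input` call first, so that call appears to run with `forced_status` still holding the setup value (unless lines outside these hunks reset it) and `forced_setup_status` never receives it. The visible data rows for cases 4 and 5 pass `PSA_SUCCESS` for setup, so this is harmless today, but I would delete the assignment so the collecting stage does not touch the hooks at all. `pake_operations` begins before this hunk and continues after it.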
@@ -3199,35 +3054,98 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, data_t *force TEST_EQUAL(psa_pake_set_password_key(&operation, key), PSA_SUCCESS); - mbedtls_test_driver_pake_hooks.forced_status = forced_status; - mbedtls_test_driver_pake_hooks.hits = 0; + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 0); - if (forced_output->len > 0) { - mbedtls_test_driver_pake_hooks.forced_output = forced_output->x; - mbedtls_test_driver_pake_hooks.forced_output_length = forced_output->len; + /* Computation stage (driver entry points) */ + + switch (fut) { + case 0: /* setup (via input) */ + /* --- psa_pake_input (driver: setup, input) --- */ + mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; + mbedtls_test_driver_pake_hooks.forced_status = forced_status; + mbedtls_test_driver_pake_hooks.hits = 0; + TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, + input_buffer, size_key_share), + expected_status_setup); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 1); + break; + + case 1: /* setup (via output) */ + /* --- psa_pake_input (driver: setup, input) --- */ + mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; + mbedtls_test_driver_pake_hooks.forced_status = forced_status; + mbedtls_test_driver_pake_hooks.hits = 0; + TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, + input_buffer, size_key_share), + expected_status_setup); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 1); + break; + + case 2: /* input */ + /* --- psa_pake_input (driver: setup, input) --- */ + mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; + mbedtls_test_driver_pake_hooks.forced_status = forced_status; + mbedtls_test_driver_pake_hooks.hits = 0; + TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, + input_buffer, size_key_share), + expected_status_input); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, in_driver ? 
2 : 1); + break; + + case 3: /* output */ + /* --- psa_pake_input (driver: setup, output) --- */ + mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; + mbedtls_test_driver_pake_hooks.forced_status = forced_status; + mbedtls_test_driver_pake_hooks.hits = 0; + if (forced_output->len > 0) { + mbedtls_test_driver_pake_hooks.forced_output = forced_output->x; + mbedtls_test_driver_pake_hooks.forced_output_length = forced_output->len; + } + TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, + output_buffer, output_size, &output_len), + expected_status_output); + + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, in_driver ? 2 : 1); + if (forced_output->len > 0) { + TEST_EQUAL(output_len, forced_output->len); + TEST_EQUAL(memcmp(output_buffer, forced_output->x, output_len), 0); + } + break; + + case 4: /* get_implicit_key */ + /* Call driver setup indirectly */ + TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, + input_buffer, size_key_share), + PSA_SUCCESS); + + /* --- psa_pake_get_implicit_key --- */ + mbedtls_test_driver_pake_hooks.forced_status = forced_status; + mbedtls_test_driver_pake_hooks.hits = 0; + TEST_EQUAL(psa_pake_get_implicit_key(&operation, &implicit_key), + expected_status_get_key); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 1); + + break; + + case 5: /* abort */ + /* Call driver setup indirectly */ + TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, + input_buffer, size_key_share), + PSA_SUCCESS); + + /* --- psa_pake_abort --- */ + mbedtls_test_driver_pake_hooks.forced_status = forced_status; + mbedtls_test_driver_pake_hooks.hits = 0; + TEST_EQUAL(psa_pake_abort(&operation), expected_status_abort); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 1); + break; + + default: + break; } - TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, - output_buffer, output_size, &output_len), - expected_status_output); - - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); - 
- if (forced_output->len > 0) { - TEST_EQUAL(output_len, forced_output->len); - TEST_EQUAL(memcmp(output_buffer, forced_output->x, output_len), 0); - } - - /* --- psa_pake_get_implicit_key --- */ - mbedtls_test_driver_pake_hooks.forced_status = forced_status; - mbedtls_test_driver_pake_hooks.hits = 0; - - TEST_EQUAL(psa_pake_get_implicit_key(&operation, &implicit_key), - expected_status_get_key); - - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, expected_hits); - /* Clean up */ + mbedtls_test_driver_pake_hooks.forced_setup_status = PSA_SUCCESS; mbedtls_test_driver_pake_hooks.forced_status = PSA_SUCCESS; TEST_EQUAL(psa_pake_abort(&operation), PSA_SUCCESS); exit: @@ -3265,7 +3183,12 @@ void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, pake_in_driver = in_driver; mbedtls_test_driver_pake_hooks.forced_status = PSA_SUCCESS; mbedtls_test_driver_pake_hooks.hits = 0; - pake_expected_hit_count = 1; + /* driver setup is called indirectly through pake_output/pake_input */ + if (pake_in_driver) { + pake_expected_hit_count = 2; + } else { + pake_expected_hit_count = 1; + } PSA_INIT(); 
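Review bot: `case 1: /* setup (via output) */` is a copy of case 0 and still calls `psa_pake_input`, so the two "setup(via output)" data rows never check that a forced setup status is propagated through the output path. The call should be `TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, output_buffer, output_size, &output_len), expected_status_setup);`, with the banner comment changed to `/* --- psa_pake_output (driver: setup, output) --- */`; the banner in case 3 names `psa_pake_input` as well, although the code there calls `psa_pake_output`. `default: break;` lets a mistyped `fut` value in the data file pass without running any driver entry point, so I would fail the test there, e.g. `default: TEST_ASSERT(0);`. The function starts before this hunk and its `exit:` cleanup continues after it.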
@@ -3293,49 +3216,23 @@ void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, } if (!pake_in_driver) { - mbedtls_test_driver_pake_hooks.forced_status = PSA_ERROR_NOT_SUPPORTED; + mbedtls_test_driver_pake_hooks.forced_setup_status = PSA_ERROR_NOT_SUPPORTED; } PSA_ASSERT(psa_pake_setup(&server, &cipher_suite)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, pake_expected_hit_count++); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 0); PSA_ASSERT(psa_pake_setup(&client, &cipher_suite)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, pake_expected_hit_count++); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 0); - /* Restore forced status and adjust pake_expected_hit_count */ - mbedtls_test_driver_pake_hooks.forced_status = PSA_SUCCESS; - if (!pake_in_driver) { - pake_expected_hit_count--; - } PSA_ASSERT(psa_pake_set_role(&server, PSA_PAKE_ROLE_SERVER)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, - pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 0); PSA_ASSERT(psa_pake_set_role(&client, PSA_PAKE_ROLE_CLIENT)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, - pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); - - /* psa_pake_set_password_key is dispatched by location and other - functions are dispatched by operation id (set during setup). - In case of dispatching by location fallback is performed when - transparent accelerators are not supported. We need to also adjust - expected hit counter. 
*/ - if (!pake_in_driver) { - mbedtls_test_driver_pake_hooks.forced_status = PSA_ERROR_NOT_SUPPORTED; - pake_expected_hit_count++; - } - + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 0); PSA_ASSERT(psa_pake_set_password_key(&server, key)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, - pake_expected_hit_count++); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 0); PSA_ASSERT(psa_pake_set_password_key(&client, key)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, - pake_expected_hit_count++); - - /* Restore forced status and adjust pake_expected_hit_count */ - mbedtls_test_driver_pake_hooks.forced_status = PSA_SUCCESS; - if (!pake_in_driver) { - pake_expected_hit_count--; - } + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 0); /* First round */ ecjpake_do_round(alg, primitive_arg, &server, &client, From be5e27b5ad46147a3ba69a035a528308f8104d7c Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 14 Dec 2022 08:54:54 +0100 Subject: [PATCH 23/75] Remove redundant code Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 4742c3cae..273d248af 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7196,7 +7196,6 @@ psa_status_t psa_pake_setup( return PSA_ERROR_INVALID_ARGUMENT; } - ; memset(&operation->data.inputs, 0, sizeof(operation->data.inputs)); operation->data.inputs.alg = cipher_suite->algorithm; @@ -7233,7 +7232,6 @@ psa_status_t psa_pake_set_password_key( }; psa_key_type_t type = psa_get_key_type(&attributes); - psa_key_usage_t usage = psa_get_key_usage_flags(&attributes); if (type != PSA_KEY_TYPE_PASSWORD && type != PSA_KEY_TYPE_PASSWORD_HASH) { 
@@ -7241,11 +7239,6 @@ psa_status_t psa_pake_set_password_key( goto error; } - if ((usage & PSA_KEY_USAGE_DERIVE) == 0) { - status = PSA_ERROR_NOT_PERMITTED; - goto error; - } - operation->data.inputs.password = mbedtls_calloc(1, slot->key.bytes); if (operation->data.inputs.password == NULL) { return PSA_ERROR_INSUFFICIENT_MEMORY; From e12ed36a6ce40cc5d0a94137443bdeb7fce1145d Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 21 Dec 2022 12:54:46 +0100 Subject: [PATCH 24/75] Move JPAKE state machine logic from driver to core - Add `alg` and `computation_stage` to `psa_pake_operation_s`. Now when logic is moved to core information about `alg` is required. `computation_stage` is a structure that provides a union of computation stages for pake algorithms. - Move the jpake operation logic from driver to core. This requires changing driver entry points for `psa_pake_output`/`psa_pake_input` functions and adding a `computation_stage` parameter. I'm not sure if this solution is correct. Now the driver can check the current computation stage and perform some action. For jpake drivers `step` parameter is now not used, but I think it needs to stay as it might be needed for other pake algorithms. - Removed test that seems to be redundant as we can't be sure that operation is aborted after failure. Signed-off-by: Przemek Stekiel --- include/psa/crypto_builtin_composites.h | 5 +- include/psa/crypto_extra.h | 56 ++- library/psa_crypto.c | 324 ++++++++++++++- library/psa_crypto_driver_wrappers.h | 2 + library/psa_crypto_pake.c | 375 +++++------------- library/psa_crypto_pake.h | 4 + .../psa_crypto_driver_wrappers.c.jinja | 20 +- tests/include/test/drivers/pake.h | 4 + tests/src/drivers/test_driver_pake.c | 25 +- tests/suites/test_suite_psa_crypto_pake.data | 8 - 10 files changed, 500 insertions(+), 323 deletions(-) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index 295452c8c..3221a6423 100644 
--- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -195,11 +195,8 @@ typedef struct { typedef struct { psa_algorithm_t MBEDTLS_PRIVATE(alg); - unsigned int MBEDTLS_PRIVATE(state); - unsigned int MBEDTLS_PRIVATE(sequence); + #if defined(MBEDTLS_PSA_BUILTIN_PAKE) - unsigned int MBEDTLS_PRIVATE(input_step); - unsigned int MBEDTLS_PRIVATE(output_step); uint8_t *MBEDTLS_PRIVATE(password); size_t MBEDTLS_PRIVATE(password_len); uint8_t MBEDTLS_PRIVATE(role); diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 4fa273d31..1678228d3 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1292,6 +1292,12 @@ typedef struct psa_pake_operation_s psa_pake_operation_t; /** The type of input values for PAKE operations. */ typedef struct psa_crypto_driver_pake_inputs_s psa_crypto_driver_pake_inputs_t; +/** The type of compuatation stage for PAKE operations. */ +typedef struct psa_pake_computation_stage_s psa_pake_computation_stage_t; + +/** The type of compuatation stage for J-PAKE operations. */ +typedef struct psa_jpake_computation_stage_s psa_jpake_computation_stage_t; + /** Return an initial value for a PAKE operation object. */ static psa_pake_operation_t psa_pake_operation_init(void); @@ -1832,7 +1838,8 @@ psa_status_t psa_pake_abort(psa_pake_operation_t *operation); /** Returns a suitable initializer for a PAKE operation object of type * psa_pake_operation_t. */ -#define PSA_PAKE_OPERATION_INIT { 0, PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS, { 0 } } +#define PSA_PAKE_OPERATION_INIT { 0, PSA_ALG_NONE, PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS, \ + { { 0 } }, { 0 } } struct psa_pake_cipher_suite_s { psa_algorithm_t algorithm; 
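Review bot: Both new typedef comments in the `crypto_extra.h` hunk spell the word "compuatation". Since they document types in an installed header, they should read `/** The type of computation stage for PAKE operations. */` and `/** The type of computation stage for J-PAKE operations. */`. It would also help to add one sentence to each saying the type holds state-machine bookkeeping rather than anything an application is meant to set.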
@@ -1904,7 +1911,6 @@ static inline void psa_pake_cs_set_hash(psa_pake_cipher_suite_t *cipher_suite, } struct psa_crypto_driver_pake_inputs_s { - psa_algorithm_t MBEDTLS_PRIVATE(alg); uint8_t *MBEDTLS_PRIVATE(password); size_t MBEDTLS_PRIVATE(password_len); psa_pake_role_t MBEDTLS_PRIVATE(role); @@ -1912,6 +1918,48 @@ struct psa_crypto_driver_pake_inputs_s { psa_pake_cipher_suite_t MBEDTLS_PRIVATE(cipher_suite); }; +enum psa_jpake_step { + PSA_PAKE_STEP_INVALID = 0, + PSA_PAKE_STEP_X1_X2 = 1, + PSA_PAKE_STEP_X2S = 2, + PSA_PAKE_STEP_DERIVE = 3, +}; + +enum psa_jpake_state { + PSA_PAKE_STATE_INVALID = 0, + PSA_PAKE_STATE_SETUP = 1, + PSA_PAKE_STATE_READY = 2, + PSA_PAKE_OUTPUT_X1_X2 = 3, + PSA_PAKE_OUTPUT_X2S = 4, + PSA_PAKE_INPUT_X1_X2 = 5, + PSA_PAKE_INPUT_X4S = 6, +}; + +enum psa_jpake_sequence { + PSA_PAKE_SEQ_INVALID = 0, + PSA_PAKE_X1_STEP_KEY_SHARE = 1, /* also X2S & X4S KEY_SHARE */ + PSA_PAKE_X1_STEP_ZK_PUBLIC = 2, /* also X2S & X4S ZK_PUBLIC */ + PSA_PAKE_X1_STEP_ZK_PROOF = 3, /* also X2S & X4S ZK_PROOF */ + PSA_PAKE_X2_STEP_KEY_SHARE = 4, + PSA_PAKE_X2_STEP_ZK_PUBLIC = 5, + PSA_PAKE_X2_STEP_ZK_PROOF = 6, + PSA_PAKE_SEQ_END = 7, +}; + +struct psa_jpake_computation_stage_s { + unsigned int MBEDTLS_PRIVATE(state); + unsigned int MBEDTLS_PRIVATE(sequence); + unsigned int MBEDTLS_PRIVATE(input_step); + unsigned int MBEDTLS_PRIVATE(output_step); +}; + +struct psa_pake_computation_stage_s { + union { + unsigned dummy; + psa_jpake_computation_stage_t MBEDTLS_PRIVATE(jpake_computation_stage); + } MBEDTLS_PRIVATE(data); +}; + struct psa_pake_operation_s { /** Unique ID indicating which driver got assigned to do the * operation. Since driver contexts are driver-specific, swapping 
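Review bot: The constants of the new `enum psa_jpake_step` (`PSA_PAKE_STEP_INVALID`, `PSA_PAKE_STEP_X1_X2`, `PSA_PAKE_STEP_X2S`, `PSA_PAKE_STEP_DERIVE`) share the `PSA_PAKE_STEP_` prefix with the `psa_pake_step_t` values callers pass (`PSA_PAKE_STEP_KEY_SHARE`, `PSA_PAKE_STEP_ZK_PUBLIC`, `PSA_PAKE_STEP_ZK_PROOF`), and `psa_jpake_computation_stage_s` stores `state`, `sequence`, `input_step` and `output_step` as plain `unsigned int`. With overlapping small values and no enum typing, the compiler cannot flag a round constant compared against an API step, or a state value written into `sequence`, and this state machine is what rejects out-of-order J-PAKE messages. I would give the internal enums a distinct prefix (for example `PSA_JPAKE_ROUND_`) and add a comment on each struct field naming the enum it holds, e.g. `/* one of enum psa_jpake_state */`. `PSA_PAKE_OUTPUT_X1_X2` and `PSA_PAKE_INPUT_X4S` in `enum psa_jpake_state` also break the `PSA_PAKE_STATE_` naming used by their siblings.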
@@ -1920,10 +1968,14 @@ struct psa_pake_operation_s { * ID value zero means the context is not valid or not assigned to * any driver (i.e. none of the driver contexts are active). */ unsigned int MBEDTLS_PRIVATE(id); + /* Algorithm used for PAKE operation */ + psa_algorithm_t MBEDTLS_PRIVATE(alg); /* Based on stage (collecting inputs/computation) we select active structure of data union. * While switching stage (when driver setup is called) collected inputs are copied to the corresponding operation context. */ uint8_t MBEDTLS_PRIVATE(stage); + /* Holds computation stage of the PAKE algorithms. */ + psa_pake_computation_stage_t MBEDTLS_PRIVATE(computation_stage); union { unsigned dummy; psa_crypto_driver_pake_inputs_t MBEDTLS_PRIVATE(inputs); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 273d248af..66ecc0643 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7180,11 +7180,14 @@ psa_status_t psa_pake_setup( psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite) { + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; + if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { return PSA_ERROR_BAD_STATE; } - if (operation->data.inputs.alg != PSA_ALG_NONE) { + if (operation->alg != PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } @@ -7198,9 +7201,16 @@ psa_status_t psa_pake_setup( memset(&operation->data.inputs, 0, sizeof(operation->data.inputs)); - operation->data.inputs.alg = cipher_suite->algorithm; + operation->alg = cipher_suite->algorithm; operation->data.inputs.cipher_suite = *cipher_suite; + if (operation->alg == PSA_ALG_JPAKE) { + computation_stage->state = PSA_PAKE_STATE_SETUP; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + computation_stage->input_step = PSA_PAKE_STEP_X1_X2; + computation_stage->output_step = PSA_PAKE_STEP_X1_X2; + } + return PSA_SUCCESS; } 
@@ -7216,7 +7226,7 @@ psa_status_t psa_pake_set_password_key( return PSA_ERROR_BAD_STATE; } - if (operation->data.inputs.alg == PSA_ALG_NONE) { + if (operation->alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } @@ -7241,7 +7251,8 @@ psa_status_t psa_pake_set_password_key( operation->data.inputs.password = mbedtls_calloc(1, slot->key.bytes); if (operation->data.inputs.password == NULL) { - return PSA_ERROR_INSUFFICIENT_MEMORY; + status = PSA_ERROR_INSUFFICIENT_MEMORY; + goto error; } memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes); @@ -7264,7 +7275,7 @@ psa_status_t psa_pake_set_user( return PSA_ERROR_BAD_STATE; } - if (operation->data.inputs.alg == PSA_ALG_NONE) { + if (operation->alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } @@ -7286,7 +7297,7 @@ psa_status_t psa_pake_set_peer( return PSA_ERROR_BAD_STATE; } - if (operation->data.inputs.alg == PSA_ALG_NONE) { + if (operation->alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } @@ -7305,7 +7316,7 @@ psa_status_t psa_pake_set_role( return PSA_ERROR_BAD_STATE; } - if (operation->data.inputs.alg == PSA_ALG_NONE) { + if (operation->alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } 
@@ -7322,6 +7333,98 @@ psa_status_t psa_pake_set_role( return PSA_SUCCESS; } +static psa_status_t psa_jpake_output_prologue( + psa_pake_operation_t *operation, + psa_pake_step_t step) +{ + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; + + if (computation_stage->state == PSA_PAKE_STATE_INVALID) { + return PSA_ERROR_BAD_STATE; + } + + if (step != PSA_PAKE_STEP_KEY_SHARE && + step != PSA_PAKE_STEP_ZK_PUBLIC && + step != PSA_PAKE_STEP_ZK_PROOF) { + return PSA_ERROR_INVALID_ARGUMENT; + } + + if (computation_stage->state != PSA_PAKE_STATE_READY && + computation_stage->state != PSA_PAKE_OUTPUT_X1_X2 && + computation_stage->state != PSA_PAKE_OUTPUT_X2S) { + return PSA_ERROR_BAD_STATE; + } + + if (computation_stage->state == PSA_PAKE_STATE_READY) { + if (step != PSA_PAKE_STEP_KEY_SHARE) { + return PSA_ERROR_BAD_STATE; + } + + switch (computation_stage->output_step) { + case PSA_PAKE_STEP_X1_X2: + computation_stage->state = PSA_PAKE_OUTPUT_X1_X2; + break; + case PSA_PAKE_STEP_X2S: + computation_stage->state = PSA_PAKE_OUTPUT_X2S; + break; + default: + return PSA_ERROR_BAD_STATE; + } + + computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; + } + + /* Check if step matches current sequence */ + switch (computation_stage->sequence) { + case PSA_PAKE_X1_STEP_KEY_SHARE: + case PSA_PAKE_X2_STEP_KEY_SHARE: + if (step != PSA_PAKE_STEP_KEY_SHARE) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PUBLIC: + case PSA_PAKE_X2_STEP_ZK_PUBLIC: + if (step != PSA_PAKE_STEP_ZK_PUBLIC) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PROOF: + case PSA_PAKE_X2_STEP_ZK_PROOF: + if (step != PSA_PAKE_STEP_ZK_PROOF) { + return PSA_ERROR_BAD_STATE; + } + break; + + default: + return PSA_ERROR_BAD_STATE; + } + + return PSA_SUCCESS; +} + +static psa_status_t psa_jpake_output_epilogue( + psa_pake_operation_t *operation) +{ + psa_jpake_computation_stage_t *computation_stage = + 
&operation->computation_stage.data.jpake_computation_stage; + + if ((computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 && + computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || + (computation_stage->state == PSA_PAKE_OUTPUT_X2S && + computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { + computation_stage->state = PSA_PAKE_STATE_READY; + computation_stage->output_step++; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + } else { + computation_stage->sequence++; + } + + return PSA_SUCCESS; +} + psa_status_t psa_pake_output( psa_pake_operation_t *operation, psa_pake_step_t step, @@ -7330,9 +7433,11 @@ psa_status_t psa_pake_output( size_t *output_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { - if (operation->data.inputs.alg == PSA_ALG_NONE || + if (operation->alg == PSA_ALG_NONE || operation->data.inputs.password_len == 0 || operation->data.inputs.role == PSA_PAKE_ROLE_NONE) { return PSA_ERROR_BAD_STATE; @@ -7343,6 +7448,12 @@ psa_status_t psa_pake_output( if (status == PSA_SUCCESS) { operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; + if (operation->alg == PSA_ALG_JPAKE) { + computation_stage->state = PSA_PAKE_STATE_READY; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + computation_stage->input_step = PSA_PAKE_STEP_X1_X2; + computation_stage->output_step = PSA_PAKE_STEP_X1_X2; + } } else { return status; } 
@@ -7360,10 +7471,140 @@ psa_status_t psa_pake_output( return PSA_ERROR_INVALID_ARGUMENT; } - return psa_driver_wrapper_pake_output(operation, step, output, - output_size, output_length); + switch (operation->alg) { + case PSA_ALG_JPAKE: + status = psa_jpake_output_prologue(operation, step); + if (status != PSA_SUCCESS) { + return status; + } + break; + default: + return PSA_ERROR_NOT_SUPPORTED; + } + + status = psa_driver_wrapper_pake_output(operation, step, + &operation->computation_stage, + output, output_size, output_length); + + if (status != PSA_SUCCESS) { + return status; + } + + switch (operation->alg) { + case PSA_ALG_JPAKE: + status = psa_jpake_output_epilogue(operation); + if (status != PSA_SUCCESS) { + return status; + } + break; + default: + return PSA_ERROR_NOT_SUPPORTED; + } + + return status; } +static psa_status_t psa_jpake_input_prologue( + psa_pake_operation_t *operation, + psa_pake_step_t step, + size_t input_length) +{ + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; + + if (computation_stage->state == PSA_PAKE_STATE_INVALID) { + return PSA_ERROR_BAD_STATE; + } + + if (step != PSA_PAKE_STEP_KEY_SHARE && + step != PSA_PAKE_STEP_ZK_PUBLIC && + step != PSA_PAKE_STEP_ZK_PROOF) { + return PSA_ERROR_INVALID_ARGUMENT; + } + + const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( + PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256); + if (input_length > (size_t) PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, prim, step)) { + return PSA_ERROR_INVALID_ARGUMENT; + } + + if (computation_stage->state != PSA_PAKE_STATE_READY && + computation_stage->state != PSA_PAKE_INPUT_X1_X2 && + computation_stage->state != PSA_PAKE_INPUT_X4S) { + return PSA_ERROR_BAD_STATE; + } + + if (computation_stage->state == PSA_PAKE_STATE_READY) { + if (step != PSA_PAKE_STEP_KEY_SHARE) { + return PSA_ERROR_BAD_STATE; + } + + switch (computation_stage->input_step) { + case PSA_PAKE_STEP_X1_X2: + computation_stage->state = 
PSA_PAKE_INPUT_X1_X2; + break; + case PSA_PAKE_STEP_X2S: + computation_stage->state = PSA_PAKE_INPUT_X4S; + break; + default: + return PSA_ERROR_BAD_STATE; + } + + computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; + } + + /* Check if step matches current sequence */ + switch (computation_stage->sequence) { + case PSA_PAKE_X1_STEP_KEY_SHARE: + case PSA_PAKE_X2_STEP_KEY_SHARE: + if (step != PSA_PAKE_STEP_KEY_SHARE) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PUBLIC: + case PSA_PAKE_X2_STEP_ZK_PUBLIC: + if (step != PSA_PAKE_STEP_ZK_PUBLIC) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PROOF: + case PSA_PAKE_X2_STEP_ZK_PROOF: + if (step != PSA_PAKE_STEP_ZK_PROOF) { + return PSA_ERROR_BAD_STATE; + } + break; + + default: + return PSA_ERROR_BAD_STATE; + } + + return PSA_SUCCESS; +} + + +static psa_status_t psa_jpake_input_epilogue( + psa_pake_operation_t *operation) +{ + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; + + if ((computation_stage->state == PSA_PAKE_INPUT_X1_X2 && + computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || + (computation_stage->state == PSA_PAKE_INPUT_X4S && + computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { + computation_stage->state = PSA_PAKE_STATE_READY; + computation_stage->input_step++; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + } else { + computation_stage->sequence++; + } + + return PSA_SUCCESS; +} + + psa_status_t psa_pake_input( psa_pake_operation_t *operation, psa_pake_step_t step, 
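Review bot: The error returns added to `psa_pake_output` in this hunk (after `psa_jpake_output_prologue`, after `psa_driver_wrapper_pake_output`, and in both `default:` arms) leave the operation usable. The step and sequence checks that this commit removes from the built-in driver ran under `mbedtls_psa_pake_output`, which calls `mbedtls_psa_pake_abort` on any failure, so an out-of-order step used to invalidate the operation and now it does not. I would route these failures through the core abort, e.g. `if (status != PSA_SUCCESS) { psa_pake_abort(operation); return status; }`. The same applies to `psa_pake_input` in `@@ -7401,8 +7650,37 @@` and to the new `PSA_PAKE_STEP_DERIVE` check in `psa_pake_get_implicit_key` (`@@ -7412,11 +7690,20 @@`), whose removed driver counterpart used `goto error` to reach the abort. `psa_pake_output` begins outside this hunk.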
@@ -7371,9 +7612,11 @@ psa_status_t psa_pake_input( size_t input_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { - if (operation->data.inputs.alg == PSA_ALG_NONE || + if (operation->alg == PSA_ALG_NONE || operation->data.inputs.password_len == 0 || operation->data.inputs.role == PSA_PAKE_ROLE_NONE) { return PSA_ERROR_BAD_STATE; @@ -7384,6 +7627,12 @@ psa_status_t psa_pake_input( if (status == PSA_SUCCESS) { operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; + if (operation->alg == PSA_ALG_JPAKE) { + computation_stage->state = PSA_PAKE_STATE_READY; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + computation_stage->input_step = PSA_PAKE_STEP_X1_X2; + computation_stage->output_step = PSA_PAKE_STEP_X1_X2; + } } else { return status; } @@ -7401,8 +7650,37 @@ psa_status_t psa_pake_input( return PSA_ERROR_INVALID_ARGUMENT; } - return psa_driver_wrapper_pake_input(operation, step, input, - input_length); + switch (operation->alg) { + case PSA_ALG_JPAKE: + status = psa_jpake_input_prologue(operation, step, input_length); + if (status != PSA_SUCCESS) { + return status; + } + break; + default: + return PSA_ERROR_NOT_SUPPORTED; + } + + status = psa_driver_wrapper_pake_input(operation, step, + &operation->computation_stage, + input, input_length); + + if (status != PSA_SUCCESS) { + return status; + } + + switch (operation->alg) { + case PSA_ALG_JPAKE: + status = psa_jpake_input_epilogue(operation); + if (status != PSA_SUCCESS) { + return status; + } + break; + default: + return PSA_ERROR_NOT_SUPPORTED; + } + + return status; } psa_status_t psa_pake_get_implicit_key( 
@@ -7412,11 +7690,20 @@ psa_status_t psa_pake_get_implicit_key( psa_status_t status = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; uint8_t shared_key[MBEDTLS_PSA_PAKE_BUFFER_SIZE]; size_t shared_key_len = 0; + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; if (operation->id == 0) { return PSA_ERROR_BAD_STATE; } + if (operation->alg == PSA_ALG_JPAKE) { + if (computation_stage->input_step != PSA_PAKE_STEP_DERIVE || + computation_stage->output_step != PSA_PAKE_STEP_DERIVE) { + return PSA_ERROR_BAD_STATE; + } + } + status = psa_driver_wrapper_pake_get_implicit_key(operation, shared_key, &shared_key_len); @@ -7436,18 +7723,29 @@ psa_status_t psa_pake_get_implicit_key( mbedtls_platform_zeroize(shared_key, MBEDTLS_PSA_PAKE_BUFFER_SIZE); + psa_pake_abort(operation); + return status; } psa_status_t psa_pake_abort( psa_pake_operation_t *operation) { + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; + /* If we are in collecting inputs stage clear inputs. */ if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { mbedtls_free(operation->data.inputs.password); memset(&operation->data.inputs, 0, sizeof(psa_crypto_driver_pake_inputs_t)); return PSA_SUCCESS; } + if (operation->alg == PSA_ALG_JPAKE) { + computation_stage->input_step = PSA_PAKE_STEP_INVALID; + computation_stage->output_step = PSA_PAKE_STEP_INVALID; + computation_stage->state = PSA_PAKE_STATE_INVALID; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + } return psa_driver_wrapper_pake_abort(operation); } diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index abaabb544..ac17be4e3 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h 
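Review bot: `psa_pake_abort` never resets `operation->alg`: this commit moves `alg` out of `data.inputs`, so the `memset(&operation->data.inputs, ...)` in the collect-inputs branch no longer clears it, and that branch returns straight afterwards. A later `psa_pake_setup` on the same object will then fail its `operation->alg != PSA_ALG_NONE` check with `PSA_ERROR_BAD_STATE`. Adding `operation->alg = PSA_ALG_NONE;` before `return PSA_SUCCESS;` fixes that branch; on the computation path the visible lines do not reset `alg`, `stage` or `id` either, unless `psa_driver_wrapper_pake_abort` does so. The same branch releases the password copy with `mbedtls_free` alone, and a `mbedtls_platform_zeroize(operation->data.inputs.password, operation->data.inputs.password_len);` before it would keep the secret out of freed heap memory.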
@@ -422,6 +422,7 @@ psa_status_t psa_driver_wrapper_pake_setup( psa_status_t psa_driver_wrapper_pake_output( psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length); @@ -429,6 +430,7 @@ psa_status_t psa_driver_wrapper_pake_output( psa_status_t psa_driver_wrapper_pake_input( psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length); diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 3a710dc60..3d5b57d29 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -79,23 +79,6 @@ * psa_pake_abort() */ -enum psa_pake_step { - PSA_PAKE_STEP_INVALID = 0, - PSA_PAKE_STEP_X1_X2 = 1, - PSA_PAKE_STEP_X2S = 2, - PSA_PAKE_STEP_DERIVE = 3, -}; - -enum psa_pake_state { - PSA_PAKE_STATE_INVALID = 0, - PSA_PAKE_STATE_SETUP = 1, - PSA_PAKE_STATE_READY = 2, - PSA_PAKE_OUTPUT_X1_X2 = 3, - PSA_PAKE_OUTPUT_X2S = 4, - PSA_PAKE_INPUT_X1_X2 = 5, - PSA_PAKE_INPUT_X4S = 6, -}; - /* * The first PAKE step shares the same sequences of the second PAKE step * but with a second set of KEY_SHARE/ZK_PUBLIC/ZK_PROOF outputs/inputs. @@ -157,16 +140,6 @@ enum psa_pake_state { * psa_pake_get_implicit_key() * => Input & Output Step = PSA_PAKE_STEP_INVALID */ -enum psa_pake_sequence { - PSA_PAKE_SEQ_INVALID = 0, - PSA_PAKE_X1_STEP_KEY_SHARE = 1, /* also X2S & X4S KEY_SHARE */ - PSA_PAKE_X1_STEP_ZK_PUBLIC = 2, /* also X2S & X4S ZK_PUBLIC */ - PSA_PAKE_X1_STEP_ZK_PROOF = 3, /* also X2S & X4S ZK_PROOF */ - PSA_PAKE_X2_STEP_KEY_SHARE = 4, - PSA_PAKE_X2_STEP_ZK_PUBLIC = 5, - PSA_PAKE_X2_STEP_ZK_PROOF = 6, - PSA_PAKE_SEQ_END = 7, -}; #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) static psa_status_t mbedtls_ecjpake_to_psa_error(int ret) 
@@ -190,65 +163,6 @@ static psa_status_t mbedtls_ecjpake_to_psa_error(int ret) } #endif -#if defined(MBEDTLS_PSA_BUILTIN_PAKE) -psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, - const psa_crypto_driver_pake_inputs_t *inputs) -{ - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - - uint8_t *password = inputs->password; - size_t password_len = inputs->password_len; - psa_pake_role_t role = inputs->role; - psa_pake_cipher_suite_t cipher_suite = inputs->cipher_suite; - - memset(operation, 0, sizeof(mbedtls_psa_pake_operation_t)); - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) - if (cipher_suite.algorithm == PSA_ALG_JPAKE) { - if (cipher_suite.type != PSA_PAKE_PRIMITIVE_TYPE_ECC || - cipher_suite.family != PSA_ECC_FAMILY_SECP_R1 || - cipher_suite.bits != 256 || - cipher_suite.hash != PSA_ALG_SHA_256) { - status = PSA_ERROR_NOT_SUPPORTED; - goto error; - } - - if (role != PSA_PAKE_ROLE_CLIENT && - role != PSA_PAKE_ROLE_SERVER) { - status = PSA_ERROR_NOT_SUPPORTED; - goto error; - } - - mbedtls_ecjpake_init(&operation->ctx.pake); - - operation->state = PSA_PAKE_STATE_SETUP; - operation->sequence = PSA_PAKE_SEQ_INVALID; - operation->input_step = PSA_PAKE_STEP_X1_X2; - operation->output_step = PSA_PAKE_STEP_X1_X2; - operation->password_len = password_len; - operation->password = password; - operation->role = role; - operation->alg = cipher_suite.algorithm; - - mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); - operation->buffer_length = 0; - operation->buffer_offset = 0; - - return PSA_SUCCESS; - } else -#else - (void) operation; - (void) inputs; -#endif - { status = PSA_ERROR_NOT_SUPPORTED; } - -error: - mbedtls_free(password); - mbedtls_psa_pake_abort(operation); - return status; -} - - #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operation) { 
@@ -283,31 +197,84 @@ static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operati return mbedtls_ecjpake_to_psa_error(ret); } - operation->state = PSA_PAKE_STATE_READY; - return PSA_SUCCESS; } + +psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, + const psa_crypto_driver_pake_inputs_t *inputs) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + uint8_t *password = inputs->password; + size_t password_len = inputs->password_len; + psa_pake_role_t role = inputs->role; + psa_pake_cipher_suite_t cipher_suite = inputs->cipher_suite; + + memset(operation, 0, sizeof(mbedtls_psa_pake_operation_t)); + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) + if (cipher_suite.algorithm == PSA_ALG_JPAKE) { + if (cipher_suite.type != PSA_PAKE_PRIMITIVE_TYPE_ECC || + cipher_suite.family != PSA_ECC_FAMILY_SECP_R1 || + cipher_suite.bits != 256 || + cipher_suite.hash != PSA_ALG_SHA_256) { + status = PSA_ERROR_NOT_SUPPORTED; + goto error; + } + + if (role != PSA_PAKE_ROLE_CLIENT && + role != PSA_PAKE_ROLE_SERVER) { + status = PSA_ERROR_NOT_SUPPORTED; + goto error; + } + + mbedtls_ecjpake_init(&operation->ctx.pake); + + operation->password_len = password_len; + operation->password = password; + operation->role = role; + operation->alg = cipher_suite.algorithm; + + mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); + operation->buffer_length = 0; + operation->buffer_offset = 0; + + status = psa_pake_ecjpake_setup(operation); + + if (status != PSA_SUCCESS) { + goto error; + } + + return PSA_SUCCESS; + } else +#else + (void) operation; + (void) inputs; #endif + { status = PSA_ERROR_NOT_SUPPORTED; } + +error: + mbedtls_free(password); + mbedtls_psa_pake_abort(operation); + return status; +} static psa_status_t mbedtls_psa_pake_output_internal( mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t 
*output_length) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; size_t length; + (void) step; if (operation->alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } - if (operation->state == PSA_PAKE_STATE_INVALID) { - return PSA_ERROR_BAD_STATE; - } - #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) /* * The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different 
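Review bot: In the relocated `mbedtls_psa_pake_setup`, a failure of `psa_pake_ecjpake_setup` jumps to `error:` after `operation->password = password` and `operation->alg = cipher_suite.algorithm` have been stored, so `mbedtls_free(password)` releases the buffer and `mbedtls_psa_pake_abort(operation)` then runs with `alg == PSA_ALG_JPAKE`. The abort code shown later in this diff zeroizes `operation->password` when `password_len > 0`, which would write to the block just freed. If `psa_pake_ecjpake_setup` instead releases and clears the password itself (its body is outside the hunk), the `mbedtls_free(password)` at `error:` becomes a second free of the same pointer. Either way the buffer has two owners on this path, so I would let the operation own it once assigned and replace that `goto error;` with `mbedtls_psa_pake_abort(operation); return status;`, after confirming that abort frees `operation->password`.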
@@ -324,74 +291,12 @@ static psa_status_t mbedtls_psa_pake_output_internal( * to return the right parts on each step. */ if (operation->alg == PSA_ALG_JPAKE) { - if (step != PSA_PAKE_STEP_KEY_SHARE && - step != PSA_PAKE_STEP_ZK_PUBLIC && - step != PSA_PAKE_STEP_ZK_PROOF) { - return PSA_ERROR_INVALID_ARGUMENT; - } - - if (operation->state == PSA_PAKE_STATE_SETUP) { - status = psa_pake_ecjpake_setup(operation); - if (status != PSA_SUCCESS) { - return status; - } - } - - if (operation->state != PSA_PAKE_STATE_READY && - operation->state != PSA_PAKE_OUTPUT_X1_X2 && - operation->state != PSA_PAKE_OUTPUT_X2S) { - return PSA_ERROR_BAD_STATE; - } - - if (operation->state == PSA_PAKE_STATE_READY) { - if (step != PSA_PAKE_STEP_KEY_SHARE) { - return PSA_ERROR_BAD_STATE; - } - - switch (operation->output_step) { - case PSA_PAKE_STEP_X1_X2: - operation->state = PSA_PAKE_OUTPUT_X1_X2; - break; - case PSA_PAKE_STEP_X2S: - operation->state = PSA_PAKE_OUTPUT_X2S; - break; - default: - return PSA_ERROR_BAD_STATE; - } - - operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; - } - - /* Check if step matches current sequence */ - switch (operation->sequence) { - case PSA_PAKE_X1_STEP_KEY_SHARE: - case PSA_PAKE_X2_STEP_KEY_SHARE: - if (step != PSA_PAKE_STEP_KEY_SHARE) { - return PSA_ERROR_BAD_STATE; - } - break; - - case PSA_PAKE_X1_STEP_ZK_PUBLIC: - case PSA_PAKE_X2_STEP_ZK_PUBLIC: - if (step != PSA_PAKE_STEP_ZK_PUBLIC) { - return PSA_ERROR_BAD_STATE; - } - break; - - case PSA_PAKE_X1_STEP_ZK_PROOF: - case PSA_PAKE_X2_STEP_ZK_PROOF: - if (step != PSA_PAKE_STEP_ZK_PROOF) { - return PSA_ERROR_BAD_STATE; - } - break; - - default: - return PSA_ERROR_BAD_STATE; - } + const psa_jpake_computation_stage_t *jpake_computation_stage = + &computation_stage->data.jpake_computation_stage; /* Initialize & write round on KEY_SHARE sequences */ - if (operation->state == PSA_PAKE_OUTPUT_X1_X2 && - operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) { + if (jpake_computation_stage->state == 
PSA_PAKE_OUTPUT_X1_X2 && + jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) { ret = mbedtls_ecjpake_write_round_one(&operation->ctx.pake, operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE, @@ -403,8 +308,8 @@ static psa_status_t mbedtls_psa_pake_output_internal( } operation->buffer_offset = 0; - } else if (operation->state == PSA_PAKE_OUTPUT_X2S && - operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) { + } else if (jpake_computation_stage->state == PSA_PAKE_OUTPUT_X2S && + jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) { ret = mbedtls_ecjpake_write_round_two(&operation->ctx.pake, operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE, @@ -429,8 +334,8 @@ static psa_status_t mbedtls_psa_pake_output_internal( * output with a length byte, even less a curve identifier, as that * information is already available. */ - if (operation->state == PSA_PAKE_OUTPUT_X2S && - operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && + if (jpake_computation_stage->state == PSA_PAKE_OUTPUT_X2S && + jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && operation->role == PSA_PAKE_ROLE_SERVER) { /* Skip ECParameters, with is 3 bytes (RFC 8422) */ operation->buffer_offset += 3; 
@@ -456,25 +361,20 @@ static psa_status_t mbedtls_psa_pake_output_internal( operation->buffer_offset += length; /* Reset buffer after ZK_PROOF sequence */ - if ((operation->state == PSA_PAKE_OUTPUT_X1_X2 && - operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || - (operation->state == PSA_PAKE_OUTPUT_X2S && - operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { + if ((jpake_computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 && + jpake_computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || + (jpake_computation_stage->state == PSA_PAKE_OUTPUT_X2S && + jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); operation->buffer_length = 0; operation->buffer_offset = 0; - - operation->state = PSA_PAKE_STATE_READY; - operation->output_step++; - operation->sequence = PSA_PAKE_SEQ_INVALID; - } else { - operation->sequence++; } return PSA_SUCCESS; } else #else (void) step; + (void) computation_stage; (void) output; (void) output_size; (void) output_length; @@ -484,12 +384,13 @@ static psa_status_t mbedtls_psa_pake_output_internal( psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length) { psa_status_t status = mbedtls_psa_pake_output_internal( - operation, step, output, output_size, output_length); + operation, step, computation_stage, output, output_size, output_length); if (status != PSA_SUCCESS) { mbedtls_psa_pake_abort(operation); 
@@ -501,20 +402,16 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, static psa_status_t mbedtls_psa_pake_input_internal( mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - + (void) step; if (operation->alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } - if (operation->state == PSA_PAKE_STATE_INVALID) { - return PSA_ERROR_BAD_STATE; - } - #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) /* * The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different 
@@ -532,77 +429,8 @@ static psa_status_t mbedtls_psa_pake_input_internal( * This causes any input error to be only detected on the last step. */ if (operation->alg == PSA_ALG_JPAKE) { - if (step != PSA_PAKE_STEP_KEY_SHARE && - step != PSA_PAKE_STEP_ZK_PUBLIC && - step != PSA_PAKE_STEP_ZK_PROOF) { - return PSA_ERROR_INVALID_ARGUMENT; - } - - const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( - PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256); - if (input_length > (size_t) PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, prim, step)) { - return PSA_ERROR_INVALID_ARGUMENT; - } - - if (operation->state == PSA_PAKE_STATE_SETUP) { - status = psa_pake_ecjpake_setup(operation); - if (status != PSA_SUCCESS) { - return status; - } - } - - if (operation->state != PSA_PAKE_STATE_READY && - operation->state != PSA_PAKE_INPUT_X1_X2 && - operation->state != PSA_PAKE_INPUT_X4S) { - return PSA_ERROR_BAD_STATE; - } - - if (operation->state == PSA_PAKE_STATE_READY) { - if (step != PSA_PAKE_STEP_KEY_SHARE) { - return PSA_ERROR_BAD_STATE; - } - - switch (operation->input_step) { - case PSA_PAKE_STEP_X1_X2: - operation->state = PSA_PAKE_INPUT_X1_X2; - break; - case PSA_PAKE_STEP_X2S: - operation->state = PSA_PAKE_INPUT_X4S; - break; - default: - return PSA_ERROR_BAD_STATE; - } - - operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; - } - - /* Check if step matches current sequence */ - switch (operation->sequence) { - case PSA_PAKE_X1_STEP_KEY_SHARE: - case PSA_PAKE_X2_STEP_KEY_SHARE: - if (step != PSA_PAKE_STEP_KEY_SHARE) { - return PSA_ERROR_BAD_STATE; - } - break; - - case PSA_PAKE_X1_STEP_ZK_PUBLIC: - case PSA_PAKE_X2_STEP_ZK_PUBLIC: - if (step != PSA_PAKE_STEP_ZK_PUBLIC) { - return PSA_ERROR_BAD_STATE; - } - break; - - case PSA_PAKE_X1_STEP_ZK_PROOF: - case PSA_PAKE_X2_STEP_ZK_PROOF: - if (step != PSA_PAKE_STEP_ZK_PROOF) { - return PSA_ERROR_BAD_STATE; - } - break; - - default: - return PSA_ERROR_BAD_STATE; - } - + const psa_jpake_computation_stage_t *jpake_computation_stage = + 
&computation_stage->data.jpake_computation_stage; /* * Copy input to local buffer and format it as the Mbed TLS API * expects, i.e. as defined by draft-cragie-tls-ecjpake-01 section 7. @@ -612,8 +440,8 @@ static psa_status_t mbedtls_psa_pake_input_internal( * ECParameters structure - which means we have to prepend that when * we're a client. */ - if (operation->state == PSA_PAKE_INPUT_X4S && - operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && + if (jpake_computation_stage->state == PSA_PAKE_INPUT_X4S && + jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && operation->role == PSA_PAKE_ROLE_CLIENT) { /* We only support secp256r1. */ /* This is the ECParameters structure defined by RFC 8422. */ @@ -636,8 +464,8 @@ static psa_status_t mbedtls_psa_pake_input_internal( operation->buffer_length += input_length; /* Load buffer at each last round ZK_PROOF */ - if (operation->state == PSA_PAKE_INPUT_X1_X2 && - operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) { + if (jpake_computation_stage->state == PSA_PAKE_INPUT_X1_X2 && + jpake_computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) { ret = mbedtls_ecjpake_read_round_one(&operation->ctx.pake, operation->buffer, operation->buffer_length); @@ -648,8 +476,8 @@ static psa_status_t mbedtls_psa_pake_input_internal( if (ret != 0) { return mbedtls_ecjpake_to_psa_error(ret); } - } else if (operation->state == PSA_PAKE_INPUT_X4S && - operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF) { + } else if (jpake_computation_stage->state == PSA_PAKE_INPUT_X4S && + jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF) { ret = mbedtls_ecjpake_read_round_two(&operation->ctx.pake, operation->buffer, operation->buffer_length); 
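Review bot: The `input_length > PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, prim, step)` check is removed from `mbedtls_psa_pake_input_internal`, yet the function still appends caller data to the fixed-size `operation->buffer` (`operation->buffer_length += input_length;` in a later hunk). The driver now depends on `psa_jpake_input_prologue` in the core for that bound. The copy itself is outside the hunk, so whether a separate capacity check remains needs confirming; if none does, a local guard such as `if (input_length > MBEDTLS_PSA_PAKE_BUFFER_SIZE - operation->buffer_length) { return PSA_ERROR_INVALID_ARGUMENT; }`, adjusted for any framing bytes written first, keeps the driver safe whatever its caller does. The core's bound is also computed from a hard-coded secp256r1/256 primitive rather than from the operation's cipher suite, which deserves a comment at that check.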
@@ -662,21 +490,11 @@ static psa_status_t mbedtls_psa_pake_input_internal( } } - if ((operation->state == PSA_PAKE_INPUT_X1_X2 && - operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || - (operation->state == PSA_PAKE_INPUT_X4S && - operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { - operation->state = PSA_PAKE_STATE_READY; - operation->input_step++; - operation->sequence = PSA_PAKE_SEQ_INVALID; - } else { - operation->sequence++; - } - return PSA_SUCCESS; } else #else (void) step; + (void) computation_stage; (void) input; (void) input_length; #endif @@ -685,11 +503,12 @@ static psa_status_t mbedtls_psa_pake_input_internal( psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length) { psa_status_t status = mbedtls_psa_pake_input_internal( - operation, step, input, input_length); + operation, step, computation_stage, input, input_length); if (status != PSA_SUCCESS) { mbedtls_psa_pake_abort(operation); @@ -703,18 +522,11 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( uint8_t *output, size_t *output_size) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; if (operation->alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } - if (operation->input_step != PSA_PAKE_STEP_DERIVE || - operation->output_step != PSA_PAKE_STEP_DERIVE) { - status = PSA_ERROR_BAD_STATE; - goto error; - } - #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.pake, @@ -740,12 +552,7 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( #else (void) output; #endif - { status = PSA_ERROR_NOT_SUPPORTED; } - -error: - mbedtls_psa_pake_abort(operation); - - return status; + { return PSA_ERROR_NOT_SUPPORTED; } } psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation) 
@@ -757,8 +564,6 @@ psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation) #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { - operation->input_step = PSA_PAKE_STEP_INVALID; - operation->output_step = PSA_PAKE_STEP_INVALID; if (operation->password_len > 0) { mbedtls_platform_zeroize(operation->password, operation->password_len); } @@ -774,8 +579,6 @@ psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation) #endif operation->alg = PSA_ALG_NONE; - operation->state = PSA_PAKE_STATE_INVALID; - operation->sequence = PSA_PAKE_SEQ_INVALID; return PSA_SUCCESS; } diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h index 608d76aed..485c93af9 100644 --- a/library/psa_crypto_pake.h +++ b/library/psa_crypto_pake.h @@ -58,6 +58,7 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, * \param[in,out] operation Active PAKE operation. * \param step The step of the algorithm for which the output is * requested. + * \param computation_stage The structure that holds PAKE computation stage. * \param[out] output Buffer where the output is to be written in the * format appropriate for this \p step. Refer to * the documentation of the individual @@ -97,6 +98,7 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, */ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length); @@ -110,6 +112,7 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, * * \param[in,out] operation Active PAKE operation. * \param step The step for which the input is provided. + * \param computation_stage The structure that holds PAKE computation stage. * \param[in] input Buffer containing the input in the format * appropriate for this \p step. Refer to the * documentation of the individual 
@@ -144,6 +147,7 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, */ psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length); diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index 21a3b5f91..e1a4c9ca3 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -2866,6 +2866,7 @@ psa_status_t psa_driver_wrapper_pake_setup( psa_status_t psa_driver_wrapper_pake_output( psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length ) @@ -2874,7 +2875,8 @@ psa_status_t psa_driver_wrapper_pake_output( { #if defined(MBEDTLS_PSA_BUILTIN_PAKE) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - return( mbedtls_psa_pake_output( &operation->data.ctx.mbedtls_ctx, step, output, + return( mbedtls_psa_pake_output( &operation->data.ctx.mbedtls_ctx, step, + computation_stage, output, output_size, output_length ) ); #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ 
@@ -2883,15 +2885,16 @@ psa_status_t psa_driver_wrapper_pake_output( case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_pake_output( &operation->data.ctx.transparent_test_driver_ctx, - step, output, output_size, output_length ) ); + step, computation_stage, output, output_size, output_length ) ); case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_pake_output( &operation->data.ctx.opaque_test_driver_ctx, - step, output, output_size, output_length ) ); + step, computation_stage, output, output_size, output_length ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: (void) step; + (void) computation_stage; (void) output; (void) output_size; (void) output_length; @@ -2902,6 +2905,7 @@ psa_status_t psa_driver_wrapper_pake_output( psa_status_t psa_driver_wrapper_pake_input( psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length ) { @@ -2910,7 +2914,8 @@ psa_status_t psa_driver_wrapper_pake_input( #if defined(MBEDTLS_PSA_BUILTIN_PAKE) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: return( mbedtls_psa_pake_input( &operation->data.ctx.mbedtls_ctx, - step, input, input_length ) ); + step, computation_stage, input, + input_length ) ); #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) 
@@ -2918,15 +2923,18 @@ psa_status_t psa_driver_wrapper_pake_input( case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_pake_input( &operation->data.ctx.transparent_test_driver_ctx, - step, input, input_length ) ); + step, computation_stage, + input, input_length ) ); case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_pake_input( &operation->data.ctx.opaque_test_driver_ctx, - step, input, input_length ) ); + step, computation_stage, + input, input_length ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: (void) step; + (void) computation_stage; (void) input; (void) input_length; return( PSA_ERROR_INVALID_ARGUMENT ); diff --git a/tests/include/test/drivers/pake.h b/tests/include/test/drivers/pake.h index 041229601..1f530081a 100644 --- a/tests/include/test/drivers/pake.h +++ b/tests/include/test/drivers/pake.h @@ -58,6 +58,7 @@ psa_status_t mbedtls_test_transparent_pake_setup( psa_status_t mbedtls_test_transparent_pake_output( mbedtls_transparent_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length); @@ -65,6 +66,7 @@ psa_status_t mbedtls_test_transparent_pake_output( psa_status_t mbedtls_test_transparent_pake_input( mbedtls_transparent_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length); @@ -102,6 +104,7 @@ psa_status_t mbedtls_test_opaque_pake_set_role( psa_status_t mbedtls_test_opaque_pake_output( mbedtls_opaque_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length); 
@@ -109,6 +112,7 @@ psa_status_t mbedtls_test_opaque_pake_output( psa_status_t mbedtls_test_opaque_pake_input( mbedtls_opaque_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length); diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c index 437c4995f..21719e6d7 100644 --- a/tests/src/drivers/test_driver_pake.c +++ b/tests/src/drivers/test_driver_pake.c @@ -65,6 +65,7 @@ psa_status_t mbedtls_test_transparent_pake_setup( psa_status_t mbedtls_test_transparent_pake_output( mbedtls_transparent_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length) @@ -92,14 +93,20 @@ psa_status_t mbedtls_test_transparent_pake_output( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = libtestdriver1_mbedtls_psa_pake_output( - operation, step, output, output_size, output_length); + operation, + step, + (libtestdriver1_psa_pake_computation_stage_t *) computation_stage, + output, + output_size, + output_length); #elif defined(MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = mbedtls_psa_pake_output( - operation, step, output, output_size, output_length); + operation, step, computation_stage, output, output_size, output_length); #else (void) operation; (void) step; + (void) computation_stage; (void) output; (void) output_size; (void) output_length; @@ -113,6 +120,7 @@ psa_status_t mbedtls_test_transparent_pake_output( psa_status_t mbedtls_test_transparent_pake_input( mbedtls_transparent_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length) { 
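Review bot: The cast added in the libtestdriver1 branch of `mbedtls_test_transparent_pake_output`, `(libtestdriver1_psa_pake_computation_stage_t *) computation_stage`, drops the `const` that the new parameter carries, and the same cast appears in the matching hunk of `mbedtls_test_transparent_pake_input`. Writing it as `(const libtestdriver1_psa_pake_computation_stage_t *) computation_stage` keeps the read-only contract stated by the new prototypes. The libtestdriver1 declaration is not visible here, so confirm it takes a const pointer; both function bodies extend beyond the hunks.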
@@ -126,14 +134,19 @@ psa_status_t mbedtls_test_transparent_pake_input( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = libtestdriver1_mbedtls_psa_pake_input( - operation, step, input, input_length); + operation, + step, + (libtestdriver1_psa_pake_computation_stage_t *) computation_stage, + input, + input_length); #elif defined(MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = mbedtls_psa_pake_input( - operation, step, input, input_length); + operation, step, computation_stage, input, input_length); #else (void) operation; (void) step; + (void) computation_stage; (void) input; (void) input_length; mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; @@ -258,12 +271,14 @@ psa_status_t mbedtls_test_opaque_pake_set_role( psa_status_t mbedtls_test_opaque_pake_output( mbedtls_opaque_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length) { (void) operation; (void) step; + (void) computation_stage; (void) output; (void) output_size; (void) output_length; @@ -274,11 +289,13 @@ psa_status_t mbedtls_test_opaque_pake_output( psa_status_t mbedtls_test_opaque_pake_input( mbedtls_opaque_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length) { (void) operation; (void) step; + (void) computation_stage; (void) input; (void) input_length; return PSA_ERROR_NOT_SUPPORTED; diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data index 0ec16f06c..e4bb92b3c 100644 --- a/tests/suites/test_suite_psa_crypto_pake.data +++ b/tests/suites/test_suite_psa_crypto_pake.data 
@@ -70,10 +70,6 @@ PSA PAKE: input buffer too large depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_INVALID_ARGUMENT -PSA PAKE: valid input operation after a failure -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_VALID_OPERATION_AFTER_FAILURE:PSA_ERROR_BAD_STATE - PSA PAKE: invalid output depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT 
@@ -90,10 +86,6 @@ PSA PAKE: output buffer too small depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_BUFFER_TOO_SMALL -PSA PAKE: valid output operation after a failure -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_VALID_OPERATION_AFTER_FAILURE:PSA_ERROR_BAD_STATE - PSA PAKE: check rounds w/o forced errors depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0:ERR_NONE From 2797d37424fb27c1b3763544c798cfc214bd73cc Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 22 Dec 2022 11:19:22 +0100 Subject: [PATCH 25/75] Split handling of memory allocation for password between core and driver Driver is now responsible for creating its own copy of the password in the setup function. After calling pake setup driver entry point core frees memory for password. Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 88 +++++++++++++++++++++------------------ library/psa_crypto_pake.c | 9 +++- 2 files changed, 54 insertions(+), 43 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 66ecc0643..0bb751b01 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -7333,6 +7333,44 @@ psa_status_t psa_pake_set_role( return PSA_SUCCESS; } +static psa_status_t psa_pake_complete_inputs( + psa_pake_operation_t *operation) +{ + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + uint8_t *password = operation->data.inputs.password; + size_t password_len = operation->data.inputs.password_len; + + if (operation->alg == PSA_ALG_NONE || + operation->data.inputs.password_len == 0 || + operation->data.inputs.role == PSA_PAKE_ROLE_NONE) { + return PSA_ERROR_BAD_STATE; + } + + status = psa_driver_wrapper_pake_setup(operation, + &operation->data.inputs); + + /* Driver is responsible for creating its own copy of the password. */ + mbedtls_platform_zeroize(password, password_len); + mbedtls_free(password); + + if (status == PSA_SUCCESS) { + operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; + if (operation->alg == PSA_ALG_JPAKE) { + computation_stage->state = PSA_PAKE_STATE_READY; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + computation_stage->input_step = PSA_PAKE_STEP_X1_X2; + computation_stage->output_step = PSA_PAKE_STEP_X1_X2; + } + } else { + operation->data.inputs.password_len = 0; + operation->data.inputs.password = NULL; + } + + return status; +} + static psa_status_t psa_jpake_output_prologue( psa_pake_operation_t *operation, psa_pake_step_t step) 
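Review bot: `psa_pake_complete_inputs` passes `&operation->data.inputs` to `psa_driver_wrapper_pake_setup` while the driver builds its context in `operation->data.ctx`, and the operation structure documented later in this series shows both as members of one union. The driver may therefore be reading its inputs from storage it is already overwriting. Taking a stack copy first, `psa_crypto_driver_pake_inputs_t inputs = operation->data.inputs;`, and passing `&inputs` removes the aliasing; the saved `password` pointer is still the buffer that is zeroized and freed afterwards. For the same reason, the failure branch's writes to `operation->data.inputs.password_len` and `.password` are applied to storage the driver may have partly written.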
@@ -7433,28 +7471,10 @@ psa_status_t psa_pake_output( size_t *output_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake_computation_stage; if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { - if (operation->alg == PSA_ALG_NONE || - operation->data.inputs.password_len == 0 || - operation->data.inputs.role == PSA_PAKE_ROLE_NONE) { - return PSA_ERROR_BAD_STATE; - } - - status = psa_driver_wrapper_pake_setup(operation, - &operation->data.inputs); - - if (status == PSA_SUCCESS) { - operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; - if (operation->alg == PSA_ALG_JPAKE) { - computation_stage->state = PSA_PAKE_STATE_READY; - computation_stage->sequence = PSA_PAKE_SEQ_INVALID; - computation_stage->input_step = PSA_PAKE_STEP_X1_X2; - computation_stage->output_step = PSA_PAKE_STEP_X1_X2; - } - } else { + status = psa_pake_complete_inputs(operation); + if (status != PSA_SUCCESS) { return status; } } 
@@ -7612,28 +7632,10 @@ psa_status_t psa_pake_input( size_t input_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake_computation_stage; if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { - if (operation->alg == PSA_ALG_NONE || - operation->data.inputs.password_len == 0 || - operation->data.inputs.role == PSA_PAKE_ROLE_NONE) { - return PSA_ERROR_BAD_STATE; - } - - status = psa_driver_wrapper_pake_setup(operation, - &operation->data.inputs); - - if (status == PSA_SUCCESS) { - operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; - if (operation->alg == PSA_ALG_JPAKE) { - computation_stage->state = PSA_PAKE_STATE_READY; - computation_stage->sequence = PSA_PAKE_SEQ_INVALID; - computation_stage->input_step = PSA_PAKE_STEP_X1_X2; - computation_stage->output_step = PSA_PAKE_STEP_X1_X2; - } - } else { + status = psa_pake_complete_inputs(operation); + if (status != PSA_SUCCESS) { return status; } } @@ -7736,7 +7738,11 @@ psa_status_t psa_pake_abort( /* If we are in collecting inputs stage clear inputs. */ if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { - mbedtls_free(operation->data.inputs.password); + if (operation->data.inputs.password_len > 0) { + mbedtls_platform_zeroize(operation->data.inputs.password, + operation->data.inputs.password_len); + mbedtls_free(operation->data.inputs.password); + } memset(&operation->data.inputs, 0, sizeof(psa_crypto_driver_pake_inputs_t)); return PSA_SUCCESS; } diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 3d5b57d29..01998a6d5 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c 
@@ -230,8 +230,14 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, mbedtls_ecjpake_init(&operation->ctx.pake); + operation->password = mbedtls_calloc(1, password_len); + if (operation->password == NULL) { + status = PSA_ERROR_INSUFFICIENT_MEMORY; + goto error; + } + + memcpy(operation->password, password, password_len); operation->password_len = password_len; - operation->password = password; operation->role = role; operation->alg = cipher_suite.algorithm; @@ -254,7 +260,6 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, { status = PSA_ERROR_NOT_SUPPORTED; } error: - mbedtls_free(password); mbedtls_psa_pake_abort(operation); return status; } From fcd70e250f5aaad993c29ec279a2b2bc2f95d764 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 22 Dec 2022 11:22:45 +0100 Subject: [PATCH 26/75] Adapt pake driver wrapper tests for the new design Signed-off-by: Przemek Stekiel --- ..._suite_psa_crypto_driver_wrappers.function | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index 2e1c626a6..0f376efe0 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -3118,6 +3118,12 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st input_buffer, size_key_share), PSA_SUCCESS); + /* Simulate that we are ready to get implicit key. */ + operation.computation_stage.data.jpake_computation_stage.input_step = + PSA_PAKE_STEP_DERIVE; + operation.computation_stage.data.jpake_computation_stage.output_step = + PSA_PAKE_STEP_DERIVE; + /* --- psa_pake_get_implicit_key --- */ mbedtls_test_driver_pake_hooks.forced_status = forced_status; mbedtls_test_driver_pake_hooks.hits = 0; 
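Review bot: The added `mbedtls_calloc(1, password_len)` in `mbedtls_psa_pake_setup` reports a NULL result as `PSA_ERROR_INSUFFICIENT_MEMORY`, but a zero-length request may also return NULL, and nothing in the hunk checks `password_len` first. The core helper added in this commit rejects an empty password before dispatching, but the driver entry point does not enforce that itself; a local guard such as `if (password_len == 0) { status = PSA_ERROR_BAD_STATE; goto error; }` would make the precondition explicit. The copy is also made before `operation->alg` is assigned, so on allocation failure `mbedtls_psa_pake_abort` runs with whatever `alg` the context already held. The function starts and ends outside the hunk, so check this against the full body.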
@@ -3242,9 +3248,22 @@ void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, ecjpake_do_round(alg, primitive_arg, &server, &client, client_input_first, 2); + /* After get the key is obtained operation is aborted. + Adapt counter of expected hits. */ + if (pake_in_driver) { + pake_expected_hit_count++; + } + PSA_ASSERT(psa_pake_get_implicit_key(&server, &server_derive)); TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); + + /* After get the key is obtained operation is aborted. + Adapt counter of expected hits. */ + if (pake_in_driver) { + pake_expected_hit_count++; + } + PSA_ASSERT(psa_pake_get_implicit_key(&client, &client_derive)); TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); From 9a5b812aa812032a266b111a0667b33dff0ee10b Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 22 Dec 2022 13:34:47 +0100 Subject: [PATCH 27/75] Cleanup the code Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 44 +++++++++++-------- library/psa_crypto_pake.c | 19 +------- tests/scripts/all.sh | 4 +- ..._suite_psa_crypto_driver_wrappers.function | 4 +- 4 files changed, 32 insertions(+), 39 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 0bb751b01..f7b0270c1 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -898,7 +898,7 @@ static psa_status_t psa_get_and_lock_key_slot_with_policy( psa_algorithm_t alg) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_slot_t *slot; + psa_key_slot_t *slot = NULL; status = psa_get_and_lock_key_slot(key, p_slot); if (status != PSA_SUCCESS) { 
@@ -7180,9 +7180,6 @@ psa_status_t psa_pake_setup( psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite) { - psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake_computation_stage; - if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { return PSA_ERROR_BAD_STATE; } @@ -7205,6 +7202,9 @@ psa_status_t psa_pake_setup( operation->data.inputs.cipher_suite = *cipher_suite; if (operation->alg == PSA_ALG_JPAKE) { + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; + computation_stage->state = PSA_PAKE_STATE_SETUP; computation_stage->sequence = PSA_PAKE_SEQ_INVALID; computation_stage->input_step = PSA_PAKE_STEP_X1_X2; @@ -7260,7 +7260,6 @@ psa_status_t psa_pake_set_password_key( operation->data.inputs.key_lifetime = attributes.core.lifetime; error: unlock_status = psa_unlock_key_slot(slot); - return (status == PSA_SUCCESS) ? unlock_status : status; } @@ -7603,7 +7602,6 @@ static psa_status_t psa_jpake_input_prologue( return PSA_SUCCESS; } - static psa_status_t psa_jpake_input_epilogue( psa_pake_operation_t *operation) { @@ -7624,7 +7622,6 @@ static psa_status_t psa_jpake_input_epilogue( return PSA_SUCCESS; } - psa_status_t psa_pake_input( psa_pake_operation_t *operation, psa_pake_step_t step, 
@@ -7733,27 +7730,38 @@ psa_status_t psa_pake_get_implicit_key( psa_status_t psa_pake_abort( psa_pake_operation_t *operation) { - psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake_computation_stage; + psa_status_t status = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - /* If we are in collecting inputs stage clear inputs. */ - if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { - if (operation->data.inputs.password_len > 0) { - mbedtls_platform_zeroize(operation->data.inputs.password, - operation->data.inputs.password_len); - mbedtls_free(operation->data.inputs.password); + if (operation->id != 0) { + status = psa_driver_wrapper_pake_abort(operation); + if (status != PSA_SUCCESS) { + return status; } - memset(&operation->data.inputs, 0, sizeof(psa_crypto_driver_pake_inputs_t)); - return PSA_SUCCESS; } + + if (operation->data.inputs.password_len > 0) { + mbedtls_platform_zeroize(operation->data.inputs.password, + operation->data.inputs.password_len); + mbedtls_free(operation->data.inputs.password); + } + + memset(&operation->data, 0, sizeof(operation->data)); + if (operation->alg == PSA_ALG_JPAKE) { + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; + computation_stage->input_step = PSA_PAKE_STEP_INVALID; computation_stage->output_step = PSA_PAKE_STEP_INVALID; computation_stage->state = PSA_PAKE_STATE_INVALID; computation_stage->sequence = PSA_PAKE_SEQ_INVALID; } - return psa_driver_wrapper_pake_abort(operation); + operation->alg = PSA_ALG_NONE; + operation->stage = PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS; + operation->id = 0; + + return PSA_SUCCESS; } #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 01998a6d5..a238147cb 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c 
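Review bot: The rewritten `psa_pake_abort` reads `operation->data.inputs.password_len` on every call, including for an operation in the computation stage, where `data` holds the driver context rather than the inputs (the two are documented as one union elsewhere in this series). Unless every driver leaves that storage zeroed on abort, the branch can hand context bytes to `mbedtls_platform_zeroize` and `mbedtls_free` as a pointer and length. Guarding it with the stage, `if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS && operation->data.inputs.password_len > 0) {`, restricts the cleanup to inputs the core owns. The early `return status;` after a failed driver abort also skips the reset of `alg`, `stage`, `id` and the computation stage, leaving the operation usable; finishing the cleanup and returning the driver status at the end would be safer. Finally, `status` is a `psa_status_t` but is initialised with `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED`; `PSA_ERROR_CORRUPTION_DETECTED` is the matching constant.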
@@ -274,11 +274,7 @@ static psa_status_t mbedtls_psa_pake_output_internal( { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t length; - (void) step; - - if (operation->alg == PSA_ALG_NONE) { - return PSA_ERROR_BAD_STATE; - } + (void) step; // Unused parameter #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) /* @@ -412,10 +408,7 @@ static psa_status_t mbedtls_psa_pake_input_internal( size_t input_length) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - (void) step; - if (operation->alg == PSA_ALG_NONE) { - return PSA_ERROR_BAD_STATE; - } + (void) step; // Unused parameter #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) /* @@ -528,10 +521,6 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if (operation->alg == PSA_ALG_NONE) { - return PSA_ERROR_BAD_STATE; - } - #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.pake, @@ -562,10 +551,6 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation) { - if (operation->alg == PSA_ALG_NONE) { - return PSA_SUCCESS; - } - #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index e75767475..98060d720 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2524,7 +2524,7 @@ component_test_psa_crypto_config_accel_pake () { } component_test_psa_crypto_config_accel_pake_no_fallback () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE - no fallback" # Start with full scripts/config.py full 
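Review bot: With the `operation->alg == PSA_ALG_NONE` check removed from `mbedtls_psa_pake_output_internal`, and in the following hunks from `mbedtls_psa_pake_input_internal`, `mbedtls_psa_pake_get_implicit_key` and `mbedtls_psa_pake_abort`, the built-in driver no longer returns `PSA_ERROR_BAD_STATE` for a context that was never set up or was already aborted. Nothing in the new code records that the core now owns this check. A short comment at each entry point, for example `/* The PSA core guarantees the operation was set up; no state check is done here. */`, would make the precondition explicit for callers outside the core dispatch path. All four function bodies extend beyond the hunks.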
@@ -2550,7 +2550,7 @@ component_test_psa_crypto_config_accel_pake_no_fallback () { loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE - no fallback" make test } diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index 0f376efe0..f718349f9 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -3248,7 +3248,7 @@ void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, ecjpake_do_round(alg, primitive_arg, &server, &client, client_input_first, 2); - /* After get the key is obtained operation is aborted. + /* After the key is obtained operation is aborted. Adapt counter of expected hits. */ if (pake_in_driver) { pake_expected_hit_count++; @@ -3258,7 +3258,7 @@ void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); - /* After get the key is obtained operation is aborted. + /* After the key is obtained operation is aborted. Adapt counter of expected hits. */ if (pake_in_driver) { pake_expected_hit_count++; From d6eb11007f30dec1c27126e84b2debdf6dfcf060 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 29 Dec 2022 13:27:51 +0100 Subject: [PATCH 28/75] Add draft documentation for the PAKE driver dispatch logic Signed-off-by: Przemek Stekiel --- docs/proposed/psa-driver-interface.md | 75 +++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) 
diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md
index 8f02af182..7cc573d53 100644
--- a/docs/proposed/psa-driver-interface.md
+++ b/docs/proposed/psa-driver-interface.md
@@ -321,6 +321,81 @@ TODO: key input and output for opaque drivers; deterministic key generation for TODO +#### PAKE operation driver dispatch logic + +PSA PAKE operation structure for driver dispatch: + +``` +struct psa_pake_operation_s +{ +    /** Unique ID indicating which driver got assigned to do the +     * operation. Since driver contexts are driver-specific, swapping +     * drivers halfway through the operation is not supported. +     * ID values are auto-generated in psa_crypto_driver_wrappers.h +     * ID value zero means the context is not valid or not assigned to +     * any driver (i.e. none of the driver contexts are active). */ +    unsigned int MBEDTLS_PRIVATE(id); +    /* Algorithm used for PAKE operation */ +    psa_algorithm_t MBEDTLS_PRIVATE(alg); +    /* Based on stage (collecting inputs/computation) we select active structure of data union. +     * While switching stage (when driver setup is called) collected inputs +       are copied to the corresponding operation context. */ +    uint8_t MBEDTLS_PRIVATE(stage); +    /* Holds the computation stage of the PAKE algorithms. */ +    psa_pake_computation_stage_t MBEDTLS_PRIVATE(computation_stage); +    union { +        unsigned dummy; +        psa_crypto_driver_pake_inputs_t MBEDTLS_PRIVATE(inputs); +        psa_driver_pake_context_t MBEDTLS_PRIVATE(ctx); +    } MBEDTLS_PRIVATE(data); +}; +``` + +PAKE operation is divided into two stages: `collecting inputs` and `computation`. `stage` field defines the current stage and selects the active structure of the `data` union. +The core decides whether to dispatch a PAKE operation to a driver based on the location of the provided password while calling `pake_setup` driver entry point. +The core is responsible for holding information about the current stage of computation(`computation_stage`) and provides this information to the driver. + +1. 
Collecting inputs stage + +The core conveys the initial inputs for a PAKE operation via an opaque data structure of type `psa_crypto_driver_pake_inputs_t`. +After calling `psa_pake_setup` the operation object is initialized and is ready to collect inputs. Driver entry point for `pake_setup` is not called at this point. It will be called later when all inputs are collected. Setter functions: `psa_pake_set_password_key`, `psa_pake_set_role`, `psa_pake_set_user`, `psa_pake_set_peer` do not have driver entry points. These functions just fill `inputs` structure. + +2. Computation stage + +First call of `psa_pake_output()` or `psa_pake_input()` switches the stage to `computation` (assuming that all inputs are collected) and calls `pake_setup` driver entry point. Driver function is responsible for coping inputs from given `inputs` structure to the driver context. Note that, after calling `pake_setup` the driver entry point, core will free memory allocated for the password. The driver is responsible for making its own copy. + +#### Driver entry points for PAKE operation + +A PAKE driver has the following entry points: +`pake_setup` (mandatory): always the first entry point to be called. This entry point provides the `inputs` that need to be copied by the driver to the driver context. +`pake_output` (mandatory): derive cryptographic material for the specified step and output it. +`pake_input` (mandatory): provides cryptographic material in the format appropriate for the specified step. +`pake_get_implicit_key` (mandatory): returns implicitly confirmed shared secret from a PAKE. +`pake_abort` (mandatory): always the last entry point to be called. 
+ +``` +psa_status_t pake_setup( mbedtls_psa_pake_operation_t *operation, + const psa_crypto_driver_pake_inputs_t *inputs ); + +psa_status_t pake_output( mbedtls_psa_pake_operation_t *operation, + psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, + uint8_t *output, + size_t output_size, + size_t *output_length ); + +psa_status_t pake_input( mbedtls_psa_pake_operation_t *operation, + psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, + const uint8_t *input, + size_t input_length ); + +psa_status_t pake_get_implicit_key( mbedtls_psa_pake_operation_t *operation, + uint8_t *output, size_t *output_size ); + +psa_status_t pake_abort( mbedtls_psa_pake_operation_t * operation ); +``` + ### Driver entry points for key management The driver entry points for key management differ significantly between [transparent drivers](#key-management-with-transparent-drivers) and [opaque drivers](#key-management-with-opaque-drivers). This section describes common elements. Refer to the applicable section for each driver type for more information. From 5798003b99c03a676d1684035c1390bb1e796ea5 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 9 Jan 2023 15:07:26 +0100 Subject: [PATCH 29/75] Add enum that presents computation stage as single value Signed-off-by: Przemek Stekiel --- include/psa/crypto_extra.h | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 1678228d3..fa6ef4e54 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h 
@@ -1946,6 +1946,21 @@ enum psa_jpake_sequence { PSA_PAKE_SEQ_END = 7, }; +enum psa_jpake_computation_state { + PSA_PAKE_X1_STEP_KEY_SHARE = 1, /* Round 1: input/output key share (for ephemeral private key X1).*/ + PSA_PAKE_X1_STEP_ZK_PUBLIC = 2, /* Round 1: input/output Schnorr NIZKP public key for the X1 key */ + PSA_PAKE_X1_STEP_ZK_PROOF = 3, /* Round 1: input/output Schnorr NIZKP proof for the X1 key */ + PSA_PAKE_X2_STEP_KEY_SHARE = 4, /* Round 1: input/output key share (for ephemeral private key X2).*/ + PSA_PAKE_X2_STEP_ZK_PUBLIC = 5, /* Round 1: input/output Schnorr NIZKP public key for the X2 key */ + PSA_PAKE_X2_STEP_ZK_PROOF = 6, /* Round 1: input/output Schnorr NIZKP proof for the X2 key */ + PSA_PAKE_X2S_STEP_KEY_SHARE = 7, /* Round 2: output X2S key (our key) */ + PSA_PAKE_X2S_STEP_ZK_PUBLIC = 8, /* Round 2: output Schnorr NIZKP public key for the X2S key (our key) */ + PSA_PAKE_X2S_STEP_ZK_PROOF = 9, /* Round 2: output Schnorr NIZKP proof for the X2S key (our key) */ + PSA_PAKE_X4S_STEP_KEY_SHARE = 10, /* Round 2: input X4S key (from peer) */ + PSA_PAKE_X4S_STEP_ZK_PUBLIC = 11, /* Round 2: input Schnorr NIZKP public key for the X4S key (from peer) */ + PSA_PAKE_X4S_STEP_ZK_PROOF = 12 /* Round 2: input Schnorr NIZKP proof for the X4S key (from peer) */ +}; + struct psa_jpake_computation_stage_s { unsigned int MBEDTLS_PRIVATE(state); unsigned int MBEDTLS_PRIVATE(sequence); From d67a5b63204e639c25d8ffac5a535cc15c2d6ac3 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 11 Jan 2023 10:28:52 +0100 Subject: [PATCH 30/75] Update PAKE driver documentation (v.2) Signed-off-by: Przemek Stekiel --- docs/proposed/psa-driver-interface.md | 193 +++++++++++++++++--------- 1 file changed, 128 insertions(+), 65 deletions(-) diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md index 7cc573d53..5c7b92cbc 100644 --- a/docs/proposed/psa-driver-interface.md +++ b/docs/proposed/psa-driver-interface.md 
@@ -321,81 +321,144 @@ TODO: key input and output for opaque drivers; deterministic key generation for TODO -#### PAKE operation driver dispatch logic +### Driver entry points for PAKE -PSA PAKE operation structure for driver dispatch: +PAKE operation is divided into two stages: collecting inputs and computation. Core side is responsible for keeping inputs and core set-data functions do not have driver entry points. Collected inputs are available for drivers via get-data functions for `password`, `role` and `cipher_suite`. Lifetime of the inputs is limited by the lifetime of the core operation. -``` -struct psa_pake_operation_s -{ -    /** Unique ID indicating which driver got assigned to do the -     * operation. Since driver contexts are driver-specific, swapping -     * drivers halfway through the operation is not supported. -     * ID values are auto-generated in psa_crypto_driver_wrappers.h -     * ID value zero means the context is not valid or not assigned to -     * any driver (i.e. none of the driver contexts are active). */ -    unsigned int MBEDTLS_PRIVATE(id); -    /* Algorithm used for PAKE operation */ -    psa_algorithm_t MBEDTLS_PRIVATE(alg); -    /* Based on stage (collecting inputs/computation) we select active structure of data union. -     * While switching stage (when driver setup is called) collected inputs -       are copied to the corresponding operation context. */ -    uint8_t MBEDTLS_PRIVATE(stage); -    /* Holds the computation stage of the PAKE algorithms. */ -    psa_pake_computation_stage_t MBEDTLS_PRIVATE(computation_stage); -    union { -        unsigned dummy; -        psa_crypto_driver_pake_inputs_t MBEDTLS_PRIVATE(inputs); -        psa_driver_pake_context_t MBEDTLS_PRIVATE(ctx); -    } MBEDTLS_PRIVATE(data); -}; -``` +### PAKE driver dispatch logic +The core decides whether to dispatch a PAKE operation to a driver based on the location of the provided password. 
+When all inputs are collected and `"psa_pake_output"` or `"psa_pake_input"` is called for the first time `"pake_setup"` driver entry point is invoked. -PAKE operation is divided into two stages: `collecting inputs` and `computation`. `stage` field defines the current stage and selects the active structure of the `data` union. -The core decides whether to dispatch a PAKE operation to a driver based on the location of the provided password while calling `pake_setup` driver entry point. -The core is responsible for holding information about the current stage of computation(`computation_stage`) and provides this information to the driver. +1. Lifetime of the `password` is local storage +- if there is a transparent driver available for the given configuration, the core calls that driver's `"pake_setup"` and subsequent entry points. +- if a transparent driver is not available or can not handle a given configuration, the core uses its built-in implementation. +2. Lifetime of the `password` is test driver +- the core calls opaque driver's `"pake_setup"` and subsequent entry points. -1. Collecting inputs stage - -The core conveys the initial inputs for a PAKE operation via an opaque data structure of type `psa_crypto_driver_pake_inputs_t`. -After calling `psa_pake_setup` the operation object is initialized and is ready to collect inputs. Driver entry point for `pake_setup` is not called at this point. It will be called later when all inputs are collected. Setter functions: `psa_pake_set_password_key`, `psa_pake_set_role`, `psa_pake_set_user`, `psa_pake_set_peer` do not have driver entry points. These functions just fill `inputs` structure. - -2. Computation stage - -First call of `psa_pake_output()` or `psa_pake_input()` switches the stage to `computation` (assuming that all inputs are collected) and calls `pake_setup` driver entry point. Driver function is responsible for coping inputs from given `inputs` structure to the driver context. 
Note that, after calling `pake_setup` the driver entry point, core will free memory allocated for the password. The driver is responsible for making its own copy. - -#### Driver entry points for PAKE operation +### Summary of entry points for PAKE A PAKE driver has the following entry points: -`pake_setup` (mandatory): always the first entry point to be called. This entry point provides the `inputs` that need to be copied by the driver to the driver context. -`pake_output` (mandatory): derive cryptographic material for the specified step and output it. -`pake_input` (mandatory): provides cryptographic material in the format appropriate for the specified step. -`pake_get_implicit_key` (mandatory): returns implicitly confirmed shared secret from a PAKE. -`pake_abort` (mandatory): always the last entry point to be called. +* `"pake_setup"` (mandatory): always the first entry point to be called. It is called when all inputs are collected and the computation stage starts. +* `"pake_output"` (mandatory): derive cryptographic material for the specified step and output it. +* `"pake_input"` (mandatory): provides cryptographic material in the format appropriate for the specified step. +* `"pake_get_implicit_key"` (mandatory): returns implicitly confirmed shared secret from a PAKE. +* `"pake_abort"` (mandatory): always the last entry point to be called. + +For naming purposes, here and in the following subsection, this specification takes the example of a driver with the prefix `"acme"` that implements the PAKE entry point family with a capability that does not use the `"names"` property to declare different type and entry point names. Such a driver must implement the following type and functions, as well as the entry points listed above and described in the following subsections: +``` +typedef ... 
acme_pake_operation_t; +psa_status_t acme_pake_abort( acme_pake_operation_t *operation ); +``` + +#### PAKE driver inputs + +The core conveys the initial inputs for a PAKE operation via an opaque data structure of type `psa_crypto_driver_pake_inputs_t`. ``` -psa_status_t pake_setup( mbedtls_psa_pake_operation_t *operation, - const psa_crypto_driver_pake_inputs_t *inputs ); - -psa_status_t pake_output( mbedtls_psa_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, - uint8_t *output, - size_t output_size, - size_t *output_length ); - -psa_status_t pake_input( mbedtls_psa_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, - const uint8_t *input, - size_t input_length ); - -psa_status_t pake_get_implicit_key( mbedtls_psa_pake_operation_t *operation, - uint8_t *output, size_t *output_size ); - -psa_status_t pake_abort( mbedtls_psa_pake_operation_t * operation ); +typedef ... psa_crypto_driver_pake_inputs_t; // implementation-specific type ``` +A driver receiving an argument that points to a `psa_crypto_driver_pake_inputs_t` can retrieve its contents by calling one of the get-data functions below. + +``` +psa_status_t psa_crypto_pake_get_password( +    const psa_crypto_driver_pake_inputs_t *inputs, +    uint8_t **password, +    size_t *password_len); + +psa_status_t psa_crypto_pake_get_role( +    const psa_crypto_driver_pake_inputs_t *inputs, +    psa_pake_role_t *role); + +psa_status_t psa_crypto_pake_get_cipher_suite( +    const psa_crypto_driver_pake_inputs_t *inputs, +    psa_pake_cipher_suite_t *cipher_suite); +``` +The get-data functions take the following parameters: + +The first parameter `inputs` must be a pointer passed by the core to a PAKE driver setup entry point. +Next parameters are return buffers (must not be null pointers). 
+ +These functions can return the following statuses: +* `PSA_SUCCESS`: value has been successfully obtained +* `PSA_ERROR_BAD_STATE`: the inputs are not ready + +#### PAKE driver setup + +``` +psa_status_t acme_psa_pake_setup( acme_pake_operation_t *operation, +                                  const psa_crypto_driver_pake_inputs_t *inputs ); +``` + +* `operation` is a zero-initialized operation object. +* `inputs` is an opaque pointer to the [inputs](#pake-driver-inputs) for the PAKE operation. + +The setup driver function should preserve `inputs` for other driver functions. + +#### PAKE driver output + +``` +psa_status_t acme_pake_output(acme_pake_operation_t *operation, +                              psa_pake_computation_step_t step, +                              uint8_t *output, +                              size_t output_size, +                              size_t *output_length); +``` + +* `operation` is an operation object. +* `step` computation step based on which driver should perform an action. +* `output` buffer where the output is to be written. +* `output_size` size of the output buffer in bytes. +* `output_length` the number of bytes of the returned output. 
+ +For `PSA_ALG_JPAKE` the following steps are available for output operation: +`step` can be one of the following values: +* `PSA_JPAKE_X1_STEP_KEY_SHARE`     Round 1: output our key share (for ephemeral private key X1) +* `PSA_JPAKE_X1_STEP_ZK_PUBLIC`     Round 1: output Schnorr NIZKP public key for the X1 key +* `PSA_JPAKE_X1_STEP_ZK_PROOF`      Round 1: output Schnorr NIZKP proof for the X1 key +* `PSA_JPAKE_X2_STEP_KEY_SHARE`     Round 1: output our key share (for ephemeral private key X2) +* `PSA_JPAKE_X2_STEP_ZK_PUBLIC`     Round 1: output Schnorr NIZKP public key for the X2 key +* `PSA_JPAKE_X2_STEP_ZK_PROOF`      Round 1: output Schnorr NIZKP proof for the X2 key +* `PSA_JPAKE_X2S_STEP_KEY_SHARE`    Round 2: output our X2S key +* `PSA_JPAKE_X2S_STEP_ZK_PUBLIC`    Round 2: output Schnorr NIZKP public key for the X2S key +* `PSA_JPAKE_X2S_STEP_ZK_PROOF`     Round 2: output Schnorr NIZKP proof for the X2S key + +#### PAKE driver input +``` +psa_status_t acme_pake_input(acme_pake_operation_t *operation, +                             psa_pake_computation_step_t step, +                             uint8_t *input, +                             size_t input_size); +``` + +* `operation` is an operation object. +* `step` computation step based on which driver should perform an action. +* `input` buffer containing the input. +* `input_length` length of the input in bytes. 
+ +For `PSA_ALG_JPAKE` the following steps are available for input operation: +* `PSA_JPAKE_X1_STEP_KEY_SHARE`     Round 1: input key share from peer (for ephemeral private key X1) +* `PSA_JPAKE_X1_STEP_ZK_PUBLIC`     Round 1: input Schnorr NIZKP public key for the X1 key +* `PSA_JPAKE_X1_STEP_ZK_PROOF`      Round 1: input Schnorr NIZKP proof for the X1 key +* `PSA_JPAKE_X2_STEP_KEY_SHARE`     Round 1: input key share from peer (for ephemeral private key X2) +* `PSA_JPAKE_X2_STEP_ZK_PUBLIC`     Round 1: input Schnorr NIZKP public key for the X2 key +* `PSA_JPAKE_X2_STEP_ZK_PROOF`      Round 1: input Schnorr NIZKP proof for the X2 key +* `PSA_JPAKE_X4S_STEP_KEY_SHARE`    Round 2: input X4S key from peer +* `PSA_JPAKE_X4S_STEP_ZK_PUBLIC`    Round 2: input Schnorr NIZKP public key for the X4S key +* `PSA_JPAKE_X4S_STEP_ZK_PROOF`     Round 2: input Schnorr NIZKP proof for the X4S key + +### PAKE driver get implicit key + +``` +psa_status_t acme_pake_get_implicit_key( +                            acme_pake_operation_t *operation, +                            uint8_t *output, size_t *output_size ); +``` + +* `operation` is an operation object +* `output` output buffer for implicit key +* `output_size` size of the returned implicit key + ### Driver entry points for key management The driver entry points for key management differ significantly between [transparent drivers](#key-management-with-transparent-drivers) and [opaque drivers](#key-management-with-opaque-drivers). This section describes common elements. Refer to the applicable section for each driver type for more information. From 8c8ab26b2a4ea31ea1538d04338a41a2293f87f5 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 16 Jan 2023 09:36:57 +0100 Subject: [PATCH 31/75] Update documentation (handling inputs, function names) Signed-off-by: Przemek Stekiel --- docs/proposed/psa-driver-interface.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) 
diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md index 5c7b92cbc..39f13d923 100644 --- a/docs/proposed/psa-driver-interface.md +++ b/docs/proposed/psa-driver-interface.md @@ -323,7 +323,7 @@ TODO ### Driver entry points for PAKE -PAKE operation is divided into two stages: collecting inputs and computation. Core side is responsible for keeping inputs and core set-data functions do not have driver entry points. Collected inputs are available for drivers via get-data functions for `password`, `role` and `cipher_suite`. Lifetime of the inputs is limited by the lifetime of the core operation. +PAKE operation is divided into two stages: collecting inputs and computation. Core side is responsible for keeping inputs and core set-data functions do not have driver entry points. Collected inputs are available for drivers via get-data functions for `password`, `role` and `cipher_suite`. ### PAKE driver dispatch logic The core decides whether to dispatch a PAKE operation to a driver based on the location of the provided password. 
@@ -361,16 +361,19 @@ typedef ... psa_crypto_driver_pake_inputs_t; // implementation-specific type A driver receiving an argument that points to a `psa_crypto_driver_pake_inputs_t` can retrieve its contents by calling one of the get-data functions below. ``` -psa_status_t psa_crypto_pake_get_password( +psa_status_t psa_crypto_driver_pake_get_password_len(     const psa_crypto_driver_pake_inputs_t *inputs, -    uint8_t **password,     size_t *password_len); -psa_status_t psa_crypto_pake_get_role( +psa_status_t psa_crypto_driver_pake_get_password( +    const psa_crypto_driver_pake_inputs_t *inputs, +    uint8_t *buffer, buffer_size, size_t *buffer_length); + +psa_status_t psa_crypto_driver_pake_get_role(     const psa_crypto_driver_pake_inputs_t *inputs,     psa_pake_role_t *role); -psa_status_t psa_crypto_pake_get_cipher_suite( +psa_status_t psa_crypto_driver_pake_get_cipher_suite(     const psa_crypto_driver_pake_inputs_t *inputs,     psa_pake_cipher_suite_t *cipher_suite); ``` @@ -382,6 +385,7 @@ Next parameters are return buffers (must not be null pointers). These functions can return the following statuses: * `PSA_SUCCESS`: value has been successfully obtained * `PSA_ERROR_BAD_STATE`: the inputs are not ready +* `PSA_ERROR_BUFFER_TOO_SMALL` (`psa_crypto_driver_pake_get_password` only): the output buffer is too small. This is not a fatal error and the driver can, for example, subsequently call the same function again with a larger buffer. Call `psa_crypto_driver_pake_get_password_len` to obtain the required size. #### PAKE driver setup @@ -393,7 +397,7 @@ psa_status_t acme_psa_pake_setup( acme_pake_operation_t *operation, * `operation` is a zero-initialized operation object. * `inputs` is an opaque pointer to the [inputs](#pake-driver-inputs) for the PAKE operation. -The setup driver function should preserve `inputs` for other driver functions. +The setup driver function should preserve the inputs using get-data functions. #### PAKE driver output 
From b09c487546c3d3573d261ec98dd841a5ebcbf058 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 17 Jan 2023 12:05:38 +0100 Subject: [PATCH 32/75] Combine core pake computation stage(step,sequence,state) into single driver step Signed-off-by: Przemek Stekiel --- include/psa/crypto_extra.h | 35 ++++---- library/psa_crypto.c | 84 +++++++++++++++++-- library/psa_crypto_driver_wrappers.h | 6 +- library/psa_crypto_pake.c | 47 ++++------- library/psa_crypto_pake.h | 8 +- .../psa_crypto_driver_wrappers.c.jinja | 21 ++--- tests/include/test/drivers/pake.h | 12 +-- tests/src/drivers/test_driver_pake.c | 33 ++------ 8 files changed, 136 insertions(+), 110 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index fa6ef4e54..83c7e04c4 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1292,12 +1292,15 @@ typedef struct psa_pake_operation_s psa_pake_operation_t; /** The type of input values for PAKE operations. */ typedef struct psa_crypto_driver_pake_inputs_s psa_crypto_driver_pake_inputs_t; -/** The type of compuatation stage for PAKE operations. */ +/** The type of computation stage for PAKE operations. */ typedef struct psa_pake_computation_stage_s psa_pake_computation_stage_t; -/** The type of compuatation stage for J-PAKE operations. */ +/** The type of computation stage for J-PAKE operations. */ typedef struct psa_jpake_computation_stage_s psa_jpake_computation_stage_t; +/** The type of driver step for PAKE operation. */ +typedef enum psa_pake_driver_step psa_pake_driver_step_t; + /** Return an initial value for a PAKE operation object. */ static psa_pake_operation_t psa_pake_operation_init(void); 
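Review bot: `typedef enum psa_pake_driver_step psa_pake_driver_step_t;` in the hunk at line 1292 names the enum tag before the enum is defined; the definition only arrives in the later hunk at line 1949 of the same header. ISO C does not allow `enum identifier` without an enumerator list until the type is complete. The line therefore relies on a compiler extension: GCC accepts it but warns under `-Wpedantic`, and a C++ translation unit including this header would reject it. Attaching the typedef to the definition, `typedef enum psa_pake_driver_step { ... } psa_pake_driver_step_t;`, and keeping any declaration that uses the type after it would avoid the dependency.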
@@ -1946,21 +1949,23 @@ enum psa_jpake_sequence { PSA_PAKE_SEQ_END = 7, }; -enum psa_jpake_computation_state { - PSA_PAKE_X1_STEP_KEY_SHARE = 1, /* Round 1: input/output key share (for ephemeral private key X1).*/ - PSA_PAKE_X1_STEP_ZK_PUBLIC = 2, /* Round 1: input/output Schnorr NIZKP public key for the X1 key */ - PSA_PAKE_X1_STEP_ZK_PROOF = 3, /* Round 1: input/output Schnorr NIZKP proof for the X1 key */ - PSA_PAKE_X2_STEP_KEY_SHARE = 4, /* Round 1: input/output key share (for ephemeral private key X2).*/ - PSA_PAKE_X2_STEP_ZK_PUBLIC = 5, /* Round 1: input/output Schnorr NIZKP public key for the X2 key */ - PSA_PAKE_X2_STEP_ZK_PROOF = 6, /* Round 1: input/output Schnorr NIZKP proof for the X2 key */ - PSA_PAKE_X2S_STEP_KEY_SHARE = 7, /* Round 2: output X2S key (our key) */ - PSA_PAKE_X2S_STEP_ZK_PUBLIC = 8, /* Round 2: output Schnorr NIZKP public key for the X2S key (our key) */ - PSA_PAKE_X2S_STEP_ZK_PROOF = 9, /* Round 2: output Schnorr NIZKP proof for the X2S key (our key) */ - PSA_PAKE_X4S_STEP_KEY_SHARE = 10, /* Round 2: input X4S key (from peer) */ - PSA_PAKE_X4S_STEP_ZK_PUBLIC = 11, /* Round 2: input Schnorr NIZKP public key for the X4S key (from peer) */ - PSA_PAKE_X4S_STEP_ZK_PROOF = 12 /* Round 2: input Schnorr NIZKP proof for the X4S key (from peer) */ +enum psa_pake_driver_step { + PSA_JPAKE_STEP_INVALID = 0, /* Invalid step */ + PSA_JPAKE_X1_STEP_KEY_SHARE = 1, /* Round 1: input/output key share (for ephemeral private key X1).*/ + PSA_JPAKE_X1_STEP_ZK_PUBLIC = 2, /* Round 1: input/output Schnorr NIZKP public key for the X1 key */ + PSA_JPAKE_X1_STEP_ZK_PROOF = 3, /* Round 1: input/output Schnorr NIZKP proof for the X1 key */ + PSA_JPAKE_X2_STEP_KEY_SHARE = 4, /* Round 1: input/output key share (for ephemeral private key X2).*/ + PSA_JPAKE_X2_STEP_ZK_PUBLIC = 5, /* Round 1: input/output Schnorr NIZKP public key for the X2 key */ + PSA_JPAKE_X2_STEP_ZK_PROOF = 6, /* Round 1: input/output Schnorr NIZKP proof for the X2 key */ + 
PSA_JPAKE_X2S_STEP_KEY_SHARE = 7, /* Round 2: output X2S key (our key) */ + PSA_JPAKE_X2S_STEP_ZK_PUBLIC = 8, /* Round 2: output Schnorr NIZKP public key for the X2S key (our key) */ + PSA_JPAKE_X2S_STEP_ZK_PROOF = 9, /* Round 2: output Schnorr NIZKP proof for the X2S key (our key) */ + PSA_JPAKE_X4S_STEP_KEY_SHARE = 10, /* Round 2: input X4S key (from peer) */ + PSA_JPAKE_X4S_STEP_ZK_PUBLIC = 11, /* Round 2: input Schnorr NIZKP public key for the X4S key (from peer) */ + PSA_JPAKE_X4S_STEP_ZK_PROOF = 12 /* Round 2: input Schnorr NIZKP proof for the X4S key (from peer) */ }; + struct psa_jpake_computation_stage_s { unsigned int MBEDTLS_PRIVATE(state); unsigned int MBEDTLS_PRIVATE(sequence); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index f7b0270c1..09d46ed90 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -7332,6 +7332,70 @@ psa_status_t psa_pake_set_role( return PSA_SUCCESS; } +/* Auxiliary function to convert core computation stage(step, sequence, state) to single driver step. */ +static psa_pake_driver_step_t convert_jpake_computation_stage_to_driver_step( + psa_pake_computation_stage_t *stage) +{ + switch (stage->data.jpake_computation_stage.state) { + case PSA_PAKE_OUTPUT_X1_X2: + case PSA_PAKE_INPUT_X1_X2: + switch (stage->data.jpake_computation_stage.sequence) { + case PSA_PAKE_X1_STEP_KEY_SHARE: + return PSA_JPAKE_X1_STEP_KEY_SHARE; + break; + case PSA_PAKE_X1_STEP_ZK_PUBLIC: + return PSA_JPAKE_X1_STEP_ZK_PUBLIC; + break; + case PSA_PAKE_X1_STEP_ZK_PROOF: + return PSA_JPAKE_X1_STEP_ZK_PROOF; + break; + case PSA_PAKE_X2_STEP_KEY_SHARE: + return PSA_JPAKE_X2_STEP_KEY_SHARE; + break; + case PSA_PAKE_X2_STEP_ZK_PUBLIC: + return PSA_JPAKE_X2_STEP_ZK_PUBLIC; + break; + case PSA_PAKE_X2_STEP_ZK_PROOF: + return PSA_JPAKE_X2_STEP_ZK_PROOF; + break; + default: + return PSA_JPAKE_STEP_INVALID; + } + break; + case PSA_PAKE_OUTPUT_X2S: + switch (stage->data.jpake_computation_stage.sequence) { + case PSA_PAKE_X1_STEP_KEY_SHARE: + return PSA_JPAKE_X2S_STEP_KEY_SHARE; + break; + case PSA_PAKE_X1_STEP_ZK_PUBLIC: + return PSA_JPAKE_X2S_STEP_ZK_PUBLIC; + break; + case PSA_PAKE_X1_STEP_ZK_PROOF: + return PSA_JPAKE_X2S_STEP_ZK_PROOF; + break; + return PSA_JPAKE_STEP_INVALID; + } + break; + case PSA_PAKE_INPUT_X4S: + switch (stage->data.jpake_computation_stage.sequence) { + case PSA_PAKE_X1_STEP_KEY_SHARE: + return PSA_JPAKE_X4S_STEP_KEY_SHARE; + break; + case PSA_PAKE_X1_STEP_ZK_PUBLIC: + return PSA_JPAKE_X4S_STEP_ZK_PUBLIC; + break; + case PSA_PAKE_X1_STEP_ZK_PROOF: + return PSA_JPAKE_X4S_STEP_ZK_PROOF; + break; + return PSA_JPAKE_STEP_INVALID; + } + break; + default: + return PSA_JPAKE_STEP_INVALID; + } + return PSA_JPAKE_STEP_INVALID; +} + static psa_status_t psa_pake_complete_inputs( psa_pake_operation_t *operation) { 
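Review bot: In `convert_jpake_computation_stage_to_driver_step`, the inner switches for `PSA_PAKE_OUTPUT_X2S` and `PSA_PAKE_INPUT_X4S` end with a bare `return PSA_JPAKE_STEP_INVALID;` that has no `default:` label. It sits after a `break;`, so it is unreachable and an unmatched `sequence` only yields the invalid step by falling through to the final return. Writing `default: return PSA_JPAKE_STEP_INVALID;`, as the `PSA_PAKE_OUTPUT_X1_X2` / `PSA_PAKE_INPUT_X1_X2` branch already does, makes the rejection explicit and avoids unreachable-code warnings. The `break;` after each `return` is dead as well and can be dropped. Since the function only reads the stage, the parameter could be `const psa_pake_computation_stage_t *stage`.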
@@ -7501,9 +7565,14 @@ psa_status_t psa_pake_output( return PSA_ERROR_NOT_SUPPORTED; } - status = psa_driver_wrapper_pake_output(operation, step, - &operation->computation_stage, - output, output_size, output_length); + status = psa_driver_wrapper_pake_output(operation, + convert_jpake_computation_stage_to_driver_step(& + operation + -> + computation_stage), + output, + output_size, + output_length); if (status != PSA_SUCCESS) { return status; @@ -7660,9 +7729,12 @@ psa_status_t psa_pake_input( return PSA_ERROR_NOT_SUPPORTED; } - status = psa_driver_wrapper_pake_input(operation, step, - &operation->computation_stage, - input, input_length); + status = psa_driver_wrapper_pake_input(operation, + convert_jpake_computation_stage_to_driver_step(&operation + -> + computation_stage), + input, + input_length); if (status != PSA_SUCCESS) { return status; diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index ac17be4e3..11a95e3a0 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -421,16 +421,14 @@ psa_status_t psa_driver_wrapper_pake_setup( psa_status_t psa_driver_wrapper_pake_output( psa_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, uint8_t *output, size_t output_size, size_t *output_length); psa_status_t psa_driver_wrapper_pake_input( psa_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, const uint8_t *input, size_t input_length); diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index a238147cb..da10cdd1f 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c 
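Review bot: The result of `convert_jpake_computation_stage_to_driver_step()` is passed straight to `psa_driver_wrapper_pake_output()` here, and to `psa_driver_wrapper_pake_input()` in the next hunk, without a check for `PSA_JPAKE_STEP_INVALID`. The built-in implementation in `psa_crypto_pake.c` only compares `step` for equality with specific values in the branches this series shows, so an invalid step would not be rejected there, and third-party drivers would each have to handle it themselves. The core may already validate state and sequence earlier in these functions, outside the hunk, but a guard at the dispatch point keeps that guarantee local: `psa_pake_driver_step_t driver_step = convert_jpake_computation_stage_to_driver_step(&operation->computation_stage);` followed by `if (driver_step == PSA_JPAKE_STEP_INVALID) { return PSA_ERROR_BAD_STATE; }`. Using the local variable also removes the awkward `& operation -> computation_stage` line wrapping. Both function bodies extend beyond their hunks.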
@@ -266,8 +266,7 @@ error: static psa_status_t mbedtls_psa_pake_output_internal( mbedtls_psa_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, uint8_t *output, size_t output_size, size_t *output_length) @@ -292,12 +291,8 @@ static psa_status_t mbedtls_psa_pake_output_internal( * to return the right parts on each step. */ if (operation->alg == PSA_ALG_JPAKE) { - const psa_jpake_computation_stage_t *jpake_computation_stage = - &computation_stage->data.jpake_computation_stage; - /* Initialize & write round on KEY_SHARE sequences */ - if (jpake_computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 && - jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) { + if (step == PSA_JPAKE_X1_STEP_KEY_SHARE) { ret = mbedtls_ecjpake_write_round_one(&operation->ctx.pake, operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE, @@ -309,8 +304,7 @@ static psa_status_t mbedtls_psa_pake_output_internal( } operation->buffer_offset = 0; - } else if (jpake_computation_stage->state == PSA_PAKE_OUTPUT_X2S && - jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) { + } else if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE) { ret = mbedtls_ecjpake_write_round_two(&operation->ctx.pake, operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE, @@ -335,8 +329,7 @@ static psa_status_t mbedtls_psa_pake_output_internal( * output with a length byte, even less a curve identifier, as that * information is already available. */ - if (jpake_computation_stage->state == PSA_PAKE_OUTPUT_X2S && - jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && + if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE && operation->role == PSA_PAKE_ROLE_SERVER) { /* Skip ECParameters, with is 3 bytes (RFC 8422) */ operation->buffer_offset += 3; 
@@ -362,10 +355,8 @@ static psa_status_t mbedtls_psa_pake_output_internal( operation->buffer_offset += length; /* Reset buffer after ZK_PROOF sequence */ - if ((jpake_computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 && - jpake_computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || - (jpake_computation_stage->state == PSA_PAKE_OUTPUT_X2S && - jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { + if ((step == PSA_JPAKE_X2_STEP_ZK_PROOF) || + (step == PSA_JPAKE_X2S_STEP_ZK_PROOF)) { mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); operation->buffer_length = 0; operation->buffer_offset = 0; @@ -375,7 +366,6 @@ static psa_status_t mbedtls_psa_pake_output_internal( } else #else (void) step; - (void) computation_stage; (void) output; (void) output_size; (void) output_length; @@ -384,14 +374,13 @@ static psa_status_t mbedtls_psa_pake_output_internal( } psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, uint8_t *output, size_t output_size, size_t *output_length) { psa_status_t status = mbedtls_psa_pake_output_internal( - operation, step, computation_stage, output, output_size, output_length); + operation, step, output, output_size, output_length); if (status != PSA_SUCCESS) { mbedtls_psa_pake_abort(operation); @@ -402,8 +391,7 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, static psa_status_t mbedtls_psa_pake_input_internal( mbedtls_psa_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, const uint8_t *input, size_t input_length) { 
@@ -427,8 +415,6 @@ static psa_status_t mbedtls_psa_pake_input_internal( * This causes any input error to be only detected on the last step. */ if (operation->alg == PSA_ALG_JPAKE) { - const psa_jpake_computation_stage_t *jpake_computation_stage = - &computation_stage->data.jpake_computation_stage; /* * Copy input to local buffer and format it as the Mbed TLS API * expects, i.e. as defined by draft-cragie-tls-ecjpake-01 section 7. @@ -438,8 +424,7 @@ static psa_status_t mbedtls_psa_pake_input_internal( * ECParameters structure - which means we have to prepend that when * we're a client. */ - if (jpake_computation_stage->state == PSA_PAKE_INPUT_X4S && - jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && + if (step == PSA_JPAKE_X4S_STEP_KEY_SHARE && operation->role == PSA_PAKE_ROLE_CLIENT) { /* We only support secp256r1. */ /* This is the ECParameters structure defined by RFC 8422. */ @@ -462,8 +447,7 @@ static psa_status_t mbedtls_psa_pake_input_internal( operation->buffer_length += input_length; /* Load buffer at each last round ZK_PROOF */ - if (jpake_computation_stage->state == PSA_PAKE_INPUT_X1_X2 && - jpake_computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) { + if (step == PSA_JPAKE_X2_STEP_ZK_PROOF) { ret = mbedtls_ecjpake_read_round_one(&operation->ctx.pake, operation->buffer, operation->buffer_length); @@ -474,8 +458,7 @@ static psa_status_t mbedtls_psa_pake_input_internal( if (ret != 0) { return mbedtls_ecjpake_to_psa_error(ret); } - } else if (jpake_computation_stage->state == PSA_PAKE_INPUT_X4S && - jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF) { + } else if (step == PSA_JPAKE_X4S_STEP_ZK_PROOF) { ret = mbedtls_ecjpake_read_round_two(&operation->ctx.pake, operation->buffer, operation->buffer_length); @@ -492,7 +475,6 @@ static psa_status_t mbedtls_psa_pake_input_internal( } else #else (void) step; - (void) computation_stage; (void) input; (void) input_length; #endif 
@@ -500,13 +482,12 @@ static psa_status_t mbedtls_psa_pake_input_internal( } psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, const uint8_t *input, size_t input_length) { psa_status_t status = mbedtls_psa_pake_input_internal( - operation, step, computation_stage, input, input_length); + operation, step, input, input_length); if (status != PSA_SUCCESS) { mbedtls_psa_pake_abort(operation); diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h index 485c93af9..dc6ad7b54 100644 --- a/library/psa_crypto_pake.h +++ b/library/psa_crypto_pake.h @@ -58,7 +58,6 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, * \param[in,out] operation Active PAKE operation. * \param step The step of the algorithm for which the output is * requested. - * \param computation_stage The structure that holds PAKE computation stage. * \param[out] output Buffer where the output is to be written in the * format appropriate for this \p step. Refer to * the documentation of the individual @@ -97,8 +96,7 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, * results in this error code. */ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, uint8_t *output, size_t output_size, size_t *output_length); @@ -112,7 +110,6 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, * * \param[in,out] operation Active PAKE operation. * \param step The step for which the input is provided. - * \param computation_stage The structure that holds PAKE computation stage. * \param[in] input Buffer containing the input in the format * appropriate for this \p step. Refer to the * documentation of the individual 
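Review bot: The `\param step` descriptions kept for `mbedtls_psa_pake_output` and `mbedtls_psa_pake_input` in `psa_crypto_pake.h` still read as if `step` were the API-level step, while the prototypes now take `psa_pake_driver_step_t`. The hunks remove the `computation_stage` line but leave this wording unchanged. I would update it to something like `\param step The driver step (a #psa_pake_driver_step_t value, e.g. PSA_JPAKE_X1_STEP_KEY_SHARE) for which the output is requested.` and the equivalent for input. The rest of each comment block lies outside these hunks, so any reference there to the API step values should be checked as well.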
@@ -146,8 +143,7 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, * results in this error code. */ psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, const uint8_t *input, size_t input_length); diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index e1a4c9ca3..d7dabed63 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -2865,8 +2865,7 @@ psa_status_t psa_driver_wrapper_pake_setup( } psa_status_t psa_driver_wrapper_pake_output( psa_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, uint8_t *output, size_t output_size, size_t *output_length ) @@ -2876,8 +2875,7 @@ psa_status_t psa_driver_wrapper_pake_output( #if defined(MBEDTLS_PSA_BUILTIN_PAKE) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: return( mbedtls_psa_pake_output( &operation->data.ctx.mbedtls_ctx, step, - computation_stage, output, - output_size, output_length ) ); + output, output_size, output_length ) ); #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) 
@@ -2885,16 +2883,15 @@ psa_status_t psa_driver_wrapper_pake_output( case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_pake_output( &operation->data.ctx.transparent_test_driver_ctx, - step, computation_stage, output, output_size, output_length ) ); + step, output, output_size, output_length ) ); case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_pake_output( &operation->data.ctx.opaque_test_driver_ctx, - step, computation_stage, output, output_size, output_length ) ); + step, output, output_size, output_length ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: (void) step; - (void) computation_stage; (void) output; (void) output_size; (void) output_length; @@ -2904,8 +2901,7 @@ psa_status_t psa_driver_wrapper_pake_output( psa_status_t psa_driver_wrapper_pake_input( psa_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, const uint8_t *input, size_t input_length ) { @@ -2914,7 +2910,7 @@ psa_status_t psa_driver_wrapper_pake_input( #if defined(MBEDTLS_PSA_BUILTIN_PAKE) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: return( mbedtls_psa_pake_input( &operation->data.ctx.mbedtls_ctx, - step, computation_stage, input, + step, input, input_length ) ); #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ 
@@ -2923,18 +2919,17 @@ psa_status_t psa_driver_wrapper_pake_input( case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_pake_input( &operation->data.ctx.transparent_test_driver_ctx, - step, computation_stage, + step, input, input_length ) ); case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_pake_input( &operation->data.ctx.opaque_test_driver_ctx, - step, computation_stage, + step, input, input_length ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: (void) step; - (void) computation_stage; (void) input; (void) input_length; return( PSA_ERROR_INVALID_ARGUMENT ); diff --git a/tests/include/test/drivers/pake.h b/tests/include/test/drivers/pake.h index 1f530081a..23cb98aa4 100644 --- a/tests/include/test/drivers/pake.h +++ b/tests/include/test/drivers/pake.h @@ -57,16 +57,14 @@ psa_status_t mbedtls_test_transparent_pake_setup( psa_status_t mbedtls_test_transparent_pake_output( mbedtls_transparent_test_driver_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, uint8_t *output, size_t output_size, size_t *output_length); psa_status_t mbedtls_test_transparent_pake_input( mbedtls_transparent_test_driver_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, const uint8_t *input, size_t input_length); 
@@ -103,16 +101,14 @@ psa_status_t mbedtls_test_opaque_pake_set_role( psa_status_t mbedtls_test_opaque_pake_output( mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, uint8_t *output, size_t output_size, size_t *output_length); psa_status_t mbedtls_test_opaque_pake_input( mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, const uint8_t *input, size_t input_length); diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c index 21719e6d7..e0be17dd0 100644 --- a/tests/src/drivers/test_driver_pake.c +++ b/tests/src/drivers/test_driver_pake.c @@ -64,8 +64,7 @@ psa_status_t mbedtls_test_transparent_pake_setup( psa_status_t mbedtls_test_transparent_pake_output( mbedtls_transparent_test_driver_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, uint8_t *output, size_t output_size, size_t *output_length) @@ -93,20 +92,14 @@ psa_status_t mbedtls_test_transparent_pake_output( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = libtestdriver1_mbedtls_psa_pake_output( - operation, - step, - (libtestdriver1_psa_pake_computation_stage_t *) computation_stage, - output, - output_size, - output_length); + operation, step, output, output_size, output_length); #elif defined(MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = mbedtls_psa_pake_output( - operation, step, computation_stage, output, output_size, output_length); + operation, step, output, output_size, output_length); #else (void) operation; (void) step; - (void) computation_stage; (void) output; (void) output_size; (void) output_length; 
@@ -119,8 +112,7 @@ psa_status_t mbedtls_test_transparent_pake_output( psa_status_t mbedtls_test_transparent_pake_input( mbedtls_transparent_test_driver_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, const uint8_t *input, size_t input_length) { @@ -134,19 +126,14 @@ psa_status_t mbedtls_test_transparent_pake_input( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = libtestdriver1_mbedtls_psa_pake_input( - operation, - step, - (libtestdriver1_psa_pake_computation_stage_t *) computation_stage, - input, - input_length); + operation, step, input, input_length); #elif defined(MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = mbedtls_psa_pake_input( - operation, step, computation_stage, input, input_length); + operation, step, input, input_length); #else (void) operation; (void) step; - (void) computation_stage; (void) input; (void) input_length; mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; @@ -270,15 +257,13 @@ psa_status_t mbedtls_test_opaque_pake_set_role( psa_status_t mbedtls_test_opaque_pake_output( mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, uint8_t *output, size_t output_size, size_t *output_length) { (void) operation; (void) step; - (void) computation_stage; (void) output; (void) output_size; (void) output_length; 
@@ -288,14 +273,12 @@ psa_status_t mbedtls_test_opaque_pake_output( psa_status_t mbedtls_test_opaque_pake_input( mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_pake_step_t step, - const psa_pake_computation_stage_t *computation_stage, + psa_pake_driver_step_t step, const uint8_t *input, size_t input_length) { (void) operation; (void) step; - (void) computation_stage; (void) input; (void) input_length; return PSA_ERROR_NOT_SUPPORTED; From 7b730175b30973bd56e3cffbe90892285370fc81 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 17 Jan 2023 12:49:44 +0100 Subject: [PATCH 33/75] Simplify psa_pake_computation_stage_s structure Signed-off-by: Przemek Stekiel --- include/psa/crypto_extra.h | 2 +- library/psa_crypto.c | 24 +++++++++---------- ..._suite_psa_crypto_driver_wrappers.function | 6 ++--- 3 files changed, 15 insertions(+), 17 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 83c7e04c4..75ce1a33d 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1976,7 +1976,7 @@ struct psa_jpake_computation_stage_s { struct psa_pake_computation_stage_s { union { unsigned dummy; - psa_jpake_computation_stage_t MBEDTLS_PRIVATE(jpake_computation_stage); + psa_jpake_computation_stage_t MBEDTLS_PRIVATE(jpake); } MBEDTLS_PRIVATE(data); }; diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 09d46ed90..46d62b098 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7203,7 +7203,7 @@ psa_status_t psa_pake_setup( if (operation->alg == PSA_ALG_JPAKE) { psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake_computation_stage; + &operation->computation_stage.data.jpake; computation_stage->state = PSA_PAKE_STATE_SETUP; computation_stage->sequence = PSA_PAKE_SEQ_INVALID; 
@@ -7336,10 +7336,10 @@ psa_status_t psa_pake_set_role( static psa_pake_driver_step_t convert_jpake_computation_stage_to_driver_step( psa_pake_computation_stage_t *stage) { - switch (stage->data.jpake_computation_stage.state) { + switch (stage->data.jpake.state) { case PSA_PAKE_OUTPUT_X1_X2: case PSA_PAKE_INPUT_X1_X2: - switch (stage->data.jpake_computation_stage.sequence) { + switch (stage->data.jpake.sequence) { case PSA_PAKE_X1_STEP_KEY_SHARE: return PSA_JPAKE_X1_STEP_KEY_SHARE; break; @@ -7363,7 +7363,7 @@ static psa_pake_driver_step_t convert_jpake_computation_stage_to_driver_step( } break; case PSA_PAKE_OUTPUT_X2S: - switch (stage->data.jpake_computation_stage.sequence) { + switch (stage->data.jpake.sequence) { case PSA_PAKE_X1_STEP_KEY_SHARE: return PSA_JPAKE_X2S_STEP_KEY_SHARE; break; @@ -7377,7 +7377,7 @@ static psa_pake_driver_step_t convert_jpake_computation_stage_to_driver_step( } break; case PSA_PAKE_INPUT_X4S: - switch (stage->data.jpake_computation_stage.sequence) { + switch (stage->data.jpake.sequence) { case PSA_PAKE_X1_STEP_KEY_SHARE: return PSA_JPAKE_X4S_STEP_KEY_SHARE; break; @@ -7400,7 +7400,7 @@ static psa_status_t psa_pake_complete_inputs( psa_pake_operation_t *operation) { psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake_computation_stage; + &operation->computation_stage.data.jpake; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; uint8_t *password = operation->data.inputs.password; size_t password_len = operation->data.inputs.password_len; @@ -7439,7 +7439,7 @@ static psa_status_t psa_jpake_output_prologue( psa_pake_step_t step) { psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake_computation_stage; + &operation->computation_stage.data.jpake; if (computation_stage->state == PSA_PAKE_STATE_INVALID) { return PSA_ERROR_BAD_STATE; 
@@ -7510,7 +7510,7 @@ static psa_status_t psa_jpake_output_epilogue( psa_pake_operation_t *operation) { psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake_computation_stage; + &operation->computation_stage.data.jpake; if ((computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 && computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || @@ -7598,7 +7598,7 @@ static psa_status_t psa_jpake_input_prologue( size_t input_length) { psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake_computation_stage; + &operation->computation_stage.data.jpake; if (computation_stage->state == PSA_PAKE_STATE_INVALID) { return PSA_ERROR_BAD_STATE; @@ -7675,7 +7675,7 @@ static psa_status_t psa_jpake_input_epilogue( psa_pake_operation_t *operation) { psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake_computation_stage; + &operation->computation_stage.data.jpake; if ((computation_stage->state == PSA_PAKE_INPUT_X1_X2 && computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || @@ -7762,7 +7762,7 @@ psa_status_t psa_pake_get_implicit_key( uint8_t shared_key[MBEDTLS_PSA_PAKE_BUFFER_SIZE]; size_t shared_key_len = 0; psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake_computation_stage; + &operation->computation_stage.data.jpake; if (operation->id == 0) { return PSA_ERROR_BAD_STATE; @@ -7821,7 +7821,7 @@ psa_status_t psa_pake_abort( if (operation->alg == PSA_ALG_JPAKE) { psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake_computation_stage; + &operation->computation_stage.data.jpake; computation_stage->input_step = PSA_PAKE_STEP_INVALID; computation_stage->output_step = PSA_PAKE_STEP_INVALID; diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index f718349f9..0c4422783 100644 
--- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -3119,10 +3119,8 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st PSA_SUCCESS); /* Simulate that we are ready to get implicit key. */ - operation.computation_stage.data.jpake_computation_stage.input_step = - PSA_PAKE_STEP_DERIVE; - operation.computation_stage.data.jpake_computation_stage.output_step = - PSA_PAKE_STEP_DERIVE; + operation.computation_stage.data.jpake.input_step = PSA_PAKE_STEP_DERIVE; + operation.computation_stage.data.jpake.output_step = PSA_PAKE_STEP_DERIVE; /* --- psa_pake_get_implicit_key --- */ mbedtls_test_driver_pake_hooks.forced_status = forced_status; From 0f50f689b74cb7b865ab5ae4b04f56753f83e18d Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 17 Jan 2023 14:22:10 +0100 Subject: [PATCH 34/75] Remove redundant dummy fields inside unions Signed-off-by: Przemek Stekiel --- include/psa/crypto_extra.h | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 75ce1a33d..57b173351 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1842,7 +1842,7 @@ psa_status_t psa_pake_abort(psa_pake_operation_t *operation); * psa_pake_operation_t. */ #define PSA_PAKE_OPERATION_INIT { 0, PSA_ALG_NONE, PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS, \ - { { 0 } }, { 0 } } + { { { 0 } } }, { { 0 } } } struct psa_pake_cipher_suite_s { psa_algorithm_t algorithm; @@ -1975,7 +1975,6 @@ struct psa_jpake_computation_stage_s { struct psa_pake_computation_stage_s { union { - unsigned dummy; psa_jpake_computation_stage_t MBEDTLS_PRIVATE(jpake); } MBEDTLS_PRIVATE(data); }; 
@@ -1997,7 +1996,6 @@ struct psa_pake_operation_s { /* Holds computation stage of the PAKE algorithms. */ psa_pake_computation_stage_t MBEDTLS_PRIVATE(computation_stage); union { - unsigned dummy; psa_crypto_driver_pake_inputs_t MBEDTLS_PRIVATE(inputs); psa_driver_pake_context_t MBEDTLS_PRIVATE(ctx); } MBEDTLS_PRIVATE(data); From ca8d2b25896c6235ee04c47ca792236216e8a896 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 17 Jan 2023 16:21:33 +0100 Subject: [PATCH 35/75] Add get-data functions for inputs + tests Signed-off-by: Przemek Stekiel --- include/psa/crypto_extra.h | 58 ++++++++++++++ library/psa_crypto.c | 57 ++++++++++++++ tests/suites/test_suite_psa_crypto_pake.data | 12 +++ .../test_suite_psa_crypto_pake.function | 75 +++++++++++++++++++ 4 files changed, 202 insertions(+) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 57b173351..79fb263ba 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h 
@@ -1305,6 +1305,64 @@ typedef enum psa_pake_driver_step psa_pake_driver_step_t; */ static psa_pake_operation_t psa_pake_operation_init(void); +/** Get the lengths of the password in bytes from given inputs. + * + * \param[in] inputs Operation inputs. + * \param[out] password_len Return buffer for password length. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * Password hasn't been set yet. + */ +psa_status_t psa_crypto_driver_pake_get_password_len( + const psa_crypto_driver_pake_inputs_t *inputs, + size_t *password_len); + +/** Get the password from given inputs. + * + * \param[in] inputs Operation inputs. + * \param[out] buffer Return buffer for password. + * \param[in] buffer_size Size of the return buffer in bytes. + * \param[in] buffer_length Actual size of the password in bytes. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * Password hasn't been set yet. + */ +psa_status_t psa_crypto_driver_pake_get_password( + const psa_crypto_driver_pake_inputs_t *inputs, + uint8_t *buffer, size_t buffer_size, size_t *buffer_length); + +/** Get the role from given inputs. + * + * \param[in] inputs Operation inputs. + * \param[out] role Return buffer for role. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * Role hasn't been set yet. + */ +psa_status_t psa_crypto_driver_pake_get_role( + const psa_crypto_driver_pake_inputs_t *inputs, + psa_pake_role_t *role); + +/** Get the cipher suite from given inputs. + * + * \param[in] inputs Operation inputs. + * \param[out] cipher_suite Return buffer for role. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * Cipher_suite hasn't been set yet. + */ +psa_status_t psa_crypto_driver_pake_get_cipher_suite( + const psa_crypto_driver_pake_inputs_t *inputs, + psa_pake_cipher_suite_t *cipher_suite); + /** Set the session information for a password-authenticated key exchange. 
* * The sequence of operations to set up a password-authenticated key exchange diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 46d62b098..06308852d 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7176,6 +7176,63 @@ exit: return status; } +psa_status_t psa_crypto_driver_pake_get_password_len( + const psa_crypto_driver_pake_inputs_t *inputs, + size_t *password_len) +{ + if (inputs->password_len == 0) { + return PSA_ERROR_BAD_STATE; + } + + *password_len = inputs->password_len; + + return PSA_SUCCESS; +} + +psa_status_t psa_crypto_driver_pake_get_password( + const psa_crypto_driver_pake_inputs_t *inputs, + uint8_t *buffer, size_t buffer_size, size_t *buffer_length) +{ + if (inputs->password_len == 0) { + return PSA_ERROR_BAD_STATE; + } + + if (buffer_size < inputs->password_len) { + return PSA_ERROR_BUFFER_TOO_SMALL; + } + + memcpy(buffer, inputs->password, inputs->password_len); + *buffer_length = inputs->password_len; + + return PSA_SUCCESS; +} + +psa_status_t psa_crypto_driver_pake_get_role( + const psa_crypto_driver_pake_inputs_t *inputs, + psa_pake_role_t *role) +{ + if (inputs->role == PSA_PAKE_ROLE_NONE) { + return PSA_ERROR_BAD_STATE; + } + + *role = inputs->role; + + return PSA_SUCCESS; +} + +psa_status_t psa_crypto_driver_pake_get_cipher_suite( + const psa_crypto_driver_pake_inputs_t *inputs, + psa_pake_cipher_suite_t *cipher_suite) +{ + if (inputs->cipher_suite.algorithm == PSA_ALG_NONE) { + return PSA_ERROR_BAD_STATE; + } + + *cipher_suite = inputs->cipher_suite; + + return PSA_SUCCESS; +} + psa_status_t psa_pake_setup( psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite) diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data index e4bb92b3c..3be249fda 100644 --- a/tests/suites/test_suite_psa_crypto_pake.data +++ b/tests/suites/test_suite_psa_crypto_pake.data 
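Review bot: In the new doc comment for `psa_crypto_driver_pake_get_password`, `buffer_length` is tagged `\param[in]` although the function writes it (the implementation in library/psa_crypto.c sets `*buffer_length = inputs->password_len`); it should read `\param[out] buffer_length`. The same comment lists no `\retval #PSA_ERROR_BUFFER_TOO_SMALL`, although the implementation returns it when `buffer_size` is smaller than the stored password. Two smaller wording slips: the `cipher_suite` parameter of `psa_crypto_driver_pake_get_cipher_suite` is described as "Return buffer for role", and the first comment says "Get the lengths of the password". Because the buffer receives secret material, the comment could also state that the caller is responsible for wiping it after use.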
@@ -193,3 +193,15 @@ ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_E PSA PAKE: ecjpake size macros depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256 ecjpake_size_macros: + +PSA PAKE: input getters: ok #1 +pake_input_getters:"aabbccddee":PSA_PAKE_ROLE_SERVER:5:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS + +PSA PAKE: input getters: ok #2 +pake_input_getters:"ddccbbaa":PSA_PAKE_ROLE_CLIENT:5:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_512:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS + +PSA PAKE: input getters: buffer for password to small +pake_input_getters:"aabbccddee":PSA_PAKE_ROLE_SERVER:4:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ERROR_BUFFER_TOO_SMALL:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS + +PSA PAKE: input getters: inputs not ready +pake_input_getters:"":0:5:0:0:0:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index 4dffa3b9d..5af41f75f 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function @@ -728,6 +728,7 @@ void ecjpake_rounds_inject(int alg_arg, int primitive_arg, int hash_arg, psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); psa_set_key_algorithm(&attributes, alg); psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); + PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, &key)); 
@@ -905,3 +906,77 @@ void ecjpake_size_macros() PSA_PAKE_INPUT_MAX_SIZE); } /* END_CASE */ + +/* BEGIN_CASE */ +void pake_input_getters(data_t *password, int role_arg, int password_buffer_size, + int alg_arg, int primitive_arg, int hash_arg, + int expected_status_pass, int expected_status_pass_len, + int expected_status_role, int expected_status_cs) +{ + psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); + psa_pake_operation_t operation = psa_pake_operation_init(); + psa_pake_role_t role = role_arg; + psa_algorithm_t alg = alg_arg; + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_pake_role_t role_ret = PSA_PAKE_ROLE_NONE; + uint8_t password_ret[20] = { 0 }; // max key length is 20 bytes + size_t password_len_ret = 0; + psa_pake_cipher_suite_t cipher_suite_ret = psa_pake_cipher_suite_init(); + size_t buffer_len_ret = 0; + + PSA_INIT(); + + /* alg equal to 0 indicates case when inputs are not set yet. 
*/ + if (alg != 0) { + psa_pake_cs_set_algorithm(&cipher_suite, alg); + psa_pake_cs_set_primitive(&cipher_suite, primitive_arg); + psa_pake_cs_set_hash(&cipher_suite, hash_arg); + + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); + + PSA_ASSERT(psa_import_key(&attributes, password->x, password->len, &key)); + + PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); + PSA_ASSERT(psa_pake_set_password_key(&operation, key)); + PSA_ASSERT(psa_pake_set_role(&operation, role)); + } + + TEST_EQUAL(psa_crypto_driver_pake_get_password_len(&operation.data.inputs, &password_len_ret), + expected_status_pass_len); + + TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, + (uint8_t *) &password_ret, + password_buffer_size, &buffer_len_ret), + expected_status_pass); + + TEST_EQUAL(psa_crypto_driver_pake_get_role(&operation.data.inputs, &role_ret), + expected_status_role); + + TEST_EQUAL(psa_crypto_driver_pake_get_cipher_suite(&operation.data.inputs, &cipher_suite_ret), + expected_status_cs); + + if (expected_status_pass_len == PSA_SUCCESS) { + TEST_EQUAL(password_len_ret, password->len); + } + + if (expected_status_pass == PSA_SUCCESS) { + PSA_ASSERT(memcmp(password_ret, password->x, password->len)); + } + + if (expected_status_role == PSA_SUCCESS) { + TEST_EQUAL(role_ret, role); + } + + if (expected_status_pass == PSA_SUCCESS) { + PSA_ASSERT(memcmp(&cipher_suite_ret, &cipher_suite, sizeof(cipher_suite))); + } + +exit: + PSA_ASSERT(psa_destroy_key(key)); + PSA_ASSERT(psa_pake_abort(&operation)); + PSA_DONE(); +} +/* END_CASE */ From 18620a3b1cf4f0c6e3881ed3add4f6653e5d8278 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 17 Jan 2023 16:34:52 +0100 Subject: [PATCH 36/75] Make copy of inputs on stack before passing to psa_driver_wrapper_pake_setup 
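Review bot: The final comparison in `pake_input_getters` is guarded by `expected_status_pass` instead of `expected_status_cs`, so the "buffer for password to small" data case (password status BUFFER_TOO_SMALL, cipher-suite status SUCCESS) never checks the returned cipher suite; the guard should be `if (expected_status_cs == PSA_SUCCESS) {`. Both `PSA_ASSERT(memcmp(...))` checks pass only because a zero memcmp result happens to equal PSA_SUCCESS; `TEST_EQUAL(memcmp(password_ret, password->x, password->len), 0);` states the intent. The password check also never compares `buffer_len_ret` with `password->len`. The `PSA_ASSERT` calls placed after `exit:` presumably jump back to `exit` when they fail, so plain `psa_destroy_key(key); psa_pake_abort(&operation);` would be the safer cleanup.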
Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 06308852d..75196fc1e 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7461,6 +7461,9 @@ static psa_status_t psa_pake_complete_inputs( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; uint8_t *password = operation->data.inputs.password; size_t password_len = operation->data.inputs.password_len; + /* Create copy of the inputs on stack as inputs share memory + with the driver context which will be setup by the driver. */ + psa_crypto_driver_pake_inputs_t inputs = operation->data.inputs; if (operation->alg == PSA_ALG_NONE || operation->data.inputs.password_len == 0 || @@ -7468,8 +7471,10 @@ static psa_status_t psa_pake_complete_inputs( return PSA_ERROR_BAD_STATE; } - status = psa_driver_wrapper_pake_setup(operation, - &operation->data.inputs); + /* Clear driver context */ + mbedtls_platform_zeroize(&operation->data, sizeof(operation->data)); + + status = psa_driver_wrapper_pake_setup(operation, &inputs); /* Driver is responsible for creating its own copy of the password. */ mbedtls_platform_zeroize(password, password_len); From 5cbca790f7c2d8b667e0d067666b699bab3ac218 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 17 Jan 2023 16:51:19 +0100 Subject: [PATCH 37/75] Make usage of pake input getters Signed-off-by: Przemek Stekiel --- library/psa_crypto_pake.c | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index da10cdd1f..1a7725f68 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c 
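Review bot: After the added `mbedtls_platform_zeroize(&operation->data, sizeof(operation->data));`, the password buffer is reachable only through the local `password` and the stack copy `inputs.password`, not through the operation. A later abort of the operation therefore cannot find it, and this function has to wipe and release it itself on every path, including when `psa_driver_wrapper_pake_setup` fails. The rest of `psa_pake_complete_inputs` is outside the hunk, so the release cannot be confirmed from here. A comment next to the zeroize would record the ownership, for example `/* operation->data no longer references the password; wipe and release it via the local pointer below. */`. The stack copy is also taken before the `PSA_ERROR_BAD_STATE` check, so it could move below that check to avoid copying inputs that are about to be rejected.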
@@ -204,13 +204,25 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, const psa_crypto_driver_pake_inputs_t *inputs) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t password_len = 0; + psa_pake_role_t role = PSA_PAKE_ROLE_NONE; + psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); + size_t actual_password_len = 0; - uint8_t *password = inputs->password; - size_t password_len = inputs->password_len; - psa_pake_role_t role = inputs->role; - psa_pake_cipher_suite_t cipher_suite = inputs->cipher_suite; + status = psa_crypto_driver_pake_get_password_len(inputs, &password_len); + if (status != PSA_SUCCESS) { + return status; + } - memset(operation, 0, sizeof(mbedtls_psa_pake_operation_t)); + status = psa_crypto_driver_pake_get_role(inputs, &role); + if (status != PSA_SUCCESS) { + return status; + } + + status = psa_crypto_driver_pake_get_cipher_suite(inputs, &cipher_suite); + if (status != PSA_SUCCESS) { + return status; + } #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (cipher_suite.algorithm == PSA_ALG_JPAKE) { @@ -236,8 +248,13 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, goto error; } - memcpy(operation->password, password, password_len); - operation->password_len = password_len; + status = psa_crypto_driver_pake_get_password(inputs, operation->password, + password_len, &actual_password_len); + if (status != PSA_SUCCESS) { + goto error; + } + + operation->password_len = actual_password_len; operation->role = role; operation->alg = cipher_suite.algorithm; From 33ea63d766fdf19e376631beac7c04505d61f3db Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 18 Jan 2023 09:42:32 +0100 Subject: [PATCH 38/75] Minor updates of the documentation Signed-off-by: Przemek Stekiel --- docs/proposed/psa-driver-interface.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
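Review bot: Dropping `memset(operation, 0, sizeof(mbedtls_psa_pake_operation_t));` in the first hunk makes `mbedtls_psa_pake_setup` depend on its caller passing an already zeroed context. The core does zero `operation->data` in the preceding commit, but the test driver also forwards to this function and its callers are not visible here, so the precondition deserves a comment such as `/* operation must be zero-initialized by the caller */`. The three new getter failures `return status` directly while later failures use `goto error`; that looks deliberate since nothing has been allocated yet, but the `error` label is outside the hunk. In the second hunk, the size passed to `psa_crypto_driver_pake_get_password` is `password_len` rather than the size of the allocation behind `operation->password`. The allocation sits between the two hunks, so confirm both use the same value.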
diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md index 39f13d923..d2c6b7c04 100644 --- a/docs/proposed/psa-driver-interface.md +++ b/docs/proposed/psa-driver-interface.md @@ -367,7 +367,7 @@ psa_status_t psa_crypto_driver_pake_get_password_len( psa_status_t psa_crypto_driver_pake_get_password(     const psa_crypto_driver_pake_inputs_t *inputs, -    uint8_t *buffer, buffer_size, size_t *buffer_length); +    uint8_t *buffer, size_t buffer_size, size_t *buffer_length); psa_status_t psa_crypto_driver_pake_get_role(     const psa_crypto_driver_pake_inputs_t *inputs, @@ -403,7 +403,7 @@ The setup driver function should preserve the inputs using get-data functions. ``` psa_status_t acme_pake_output(acme_pake_operation_t *operation, -                              psa_pake_computation_step_t step, +                              psa_pake_driver_step_t step,                               uint8_t *output,                               size_t output_size,                               size_t *output_length); @@ -430,7 +430,7 @@ For `PSA_ALG_JPAKE` the following steps are available for output operation: #### PAKE driver input ``` psa_status_t acme_pake_input(acme_pake_operation_t *operation, -                             psa_pake_computation_step_t step, +                            psa_pake_driver_step_t step,                              uint8_t *input,                              size_t input_size); ``` From 38b4e1761d509a605c2aae4e29616c4fce3eb383 Mon Sep 17 00:00:00 2001 
From: Przemek Stekiel Date: Wed, 18 Jan 2023 15:52:24 +0100 Subject: [PATCH 39/75] Remove typedef for enum Workaround for CI error: Parsing source code... Compiling... ============= All symbols in header: PASS Naming patterns of public_macros: PASS Naming patterns of internal_macros: PASS Naming patterns of enum_consts: FAIL > include/psa/crypto_extra.h:1857: 'return' does not match the required pattern '^(MBEDTLS|PSA)_[0-9A-Z_]*[0-9A-Z]$'. | 1857 | return cipher_suite->algorithm; | ^^^^^^ Signed-off-by: Przemek Stekiel --- include/psa/crypto_extra.h | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 79fb263ba..cd16410d6 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1298,9 +1298,6 @@ typedef struct psa_pake_computation_stage_s psa_pake_computation_stage_t; /** The type of computation stage for J-PAKE operations. */ typedef struct psa_jpake_computation_stage_s psa_jpake_computation_stage_t; -/** The type of driver step for PAKE operation. */ -typedef enum psa_pake_driver_step psa_pake_driver_step_t; - /** Return an initial value for a PAKE operation object. */ static psa_pake_operation_t psa_pake_operation_init(void); @@ -2007,7 +2004,7 @@ enum psa_jpake_sequence { PSA_PAKE_SEQ_END = 7, }; -enum psa_pake_driver_step { +typedef enum psa_pake_driver_step { PSA_JPAKE_STEP_INVALID = 0, /* Invalid step */ PSA_JPAKE_X1_STEP_KEY_SHARE = 1, /* Round 1: input/output key share (for ephemeral private key X1).*/ PSA_JPAKE_X1_STEP_ZK_PUBLIC = 2, /* Round 1: input/output Schnorr NIZKP public key for the X1 key */ 
@@ -2021,7 +2018,7 @@ enum psa_pake_driver_step { PSA_JPAKE_X4S_STEP_KEY_SHARE = 10, /* Round 2: input X4S key (from peer) */ PSA_JPAKE_X4S_STEP_ZK_PUBLIC = 11, /* Round 2: input Schnorr NIZKP public key for the X4S key (from peer) */ PSA_JPAKE_X4S_STEP_ZK_PROOF = 12 /* Round 2: input Schnorr NIZKP proof for the X4S key (from peer) */ -}; +} psa_pake_driver_step_t; struct psa_jpake_computation_stage_s { From 27cd488088e6dd38a399c29b32bb7ad03e59a4f8 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 25 Jan 2023 23:16:18 +0100 Subject: [PATCH 40/75] Update the documentation (v.3) Signed-off-by: Przemek Stekiel --- docs/proposed/psa-driver-interface.md | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md index d2c6b7c04..1b941cede 100644 --- a/docs/proposed/psa-driver-interface.md +++ b/docs/proposed/psa-driver-interface.md 
@@ -323,17 +323,17 @@ TODO ### Driver entry points for PAKE -PAKE operation is divided into two stages: collecting inputs and computation. Core side is responsible for keeping inputs and core set-data functions do not have driver entry points. Collected inputs are available for drivers via get-data functions for `password`, `role` and `cipher_suite`. +A PAKE operation is divided into two stages: collecting inputs and computation. Core side is responsible for keeping inputs and core set-data functions do not have driver entry points. Collected inputs are available for drivers via get-data functions for `password`, `role` and `cipher_suite`. ### PAKE driver dispatch logic The core decides whether to dispatch a PAKE operation to a driver based on the location of the provided password. When all inputs are collected and `"psa_pake_output"` or `"psa_pake_input"` is called for the first time `"pake_setup"` driver entry point is invoked. -1. Lifetime of the `password` is local storage -- if there is a transparent driver available for the given configuration, the core calls that driver's `"pake_setup"` and subsequent entry points. -- if a transparent driver is not available or can not handle a given configuration, the core uses its built-in implementation. -2. Lifetime of the `password` is test driver -- the core calls opaque driver's `"pake_setup"` and subsequent entry points. +1. If the location of the `password` is the local storage +- if there is a transparent driver for the specified ciphersuite, the core calls that driver's `"pake_setup"` and subsequent entry points. +- otherwise, or on fallback, the core uses its built-in implementation. +2. If the location of the `password` is the location of a secure element +- the core calls the `"pake_setup"` entry point of the secure element driver and subsequent entry points. ### Summary of entry points for PAKE 
@@ -365,10 +365,15 @@ psa_status_t psa_crypto_driver_pake_get_password_len(     const psa_crypto_driver_pake_inputs_t *inputs,     size_t *password_len); -psa_status_t psa_crypto_driver_pake_get_password( +psa_status_t psa_crypto_driver_pake_get_password_bytes(     const psa_crypto_driver_pake_inputs_t *inputs,     uint8_t *buffer, size_t buffer_size, size_t *buffer_length); +psa_status_t psa_crypto_driver_pake_get_password_key( +    const psa_crypto_driver_pake_inputs_t *inputs, +    uint8_t** p_key_buffer, size_t *key_buffer_size, + const psa_key_attributes_t *attributes); + psa_status_t psa_crypto_driver_pake_get_role(     const psa_crypto_driver_pake_inputs_t *inputs,     psa_pake_role_t *role); 
@@ -385,13 +390,13 @@ Next parameters are return buffers (must not be null pointers). These functions can return the following statuses: * `PSA_SUCCESS`: value has been successfully obtained * `PSA_ERROR_BAD_STATE`: the inputs are not ready -* `PSA_ERROR_BUFFER_TOO_SMALL` (`psa_crypto_driver_pake_get_password` only): the output buffer is too small. This is not a fatal error and the driver can, for example, subsequently call the same function again with a larger buffer. Call `psa_crypto_driver_pake_get_password_len` to obtain the required size. +* `PSA_ERROR_BUFFER_TOO_SMALL` (`psa_crypto_driver_pake_get_password_bytes` and `psa_crypto_driver_pake_get_password_key` only): the output buffer is too small. This is not a fatal error and the driver can, for example, subsequently call the same function again with a larger buffer. Call `psa_crypto_driver_pake_get_password_len` to obtain the required size. #### PAKE driver setup ``` -psa_status_t acme_psa_pake_setup( acme_pake_operation_t *operation, -                                  const psa_crypto_driver_pake_inputs_t *inputs ); +psa_status_t acme_pake_setup( acme_pake_operation_t *operation, +                              const psa_crypto_driver_pake_inputs_t *inputs ); ``` * `operation` is a zero-initialized operation object. @@ -399,6 +404,8 @@ psa_status_t acme_psa_pake_setup( acme_pake_operation_t *operation, The setup driver function should preserve the inputs using get-data functions. +The pointer output by `psa_crypto_driver_pake_get_password_key` is only valid until the "pake_setup" entry point returns. Opaque drivers must copy all relevant data from the key buffer during the "pake_setup" entry point and must not store the pointer itself. + #### PAKE driver output ``` From dde6a910bba23168d8455122557aaa4467272a50 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 26 Jan 2023 08:46:37 +0100 Subject: [PATCH 41/75] Optimize out psa_pake_computation_stage_t 
Signed-off-by: Przemek Stekiel --- include/psa/crypto_extra.h | 15 ++------ library/psa_crypto.c | 37 +++++++++---------- ..._suite_psa_crypto_driver_wrappers.function | 4 +- 3 files changed, 23 insertions(+), 33 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index cd16410d6..07d7bae31 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1292,9 +1292,6 @@ typedef struct psa_pake_operation_s psa_pake_operation_t; /** The type of input values for PAKE operations. */ typedef struct psa_crypto_driver_pake_inputs_s psa_crypto_driver_pake_inputs_t; -/** The type of computation stage for PAKE operations. */ -typedef struct psa_pake_computation_stage_s psa_pake_computation_stage_t; - /** The type of computation stage for J-PAKE operations. */ typedef struct psa_jpake_computation_stage_s psa_jpake_computation_stage_t; @@ -1897,7 +1894,7 @@ psa_status_t psa_pake_abort(psa_pake_operation_t *operation); * psa_pake_operation_t. */ #define PSA_PAKE_OPERATION_INIT { 0, PSA_ALG_NONE, PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS, \ - { { { 0 } } }, { { 0 } } } + { { 0 } }, { { 0 } } } struct psa_pake_cipher_suite_s { psa_algorithm_t algorithm; @@ -2028,12 +2025,6 @@ struct psa_jpake_computation_stage_s { unsigned int MBEDTLS_PRIVATE(output_step); }; -struct psa_pake_computation_stage_s { - union { - psa_jpake_computation_stage_t MBEDTLS_PRIVATE(jpake); - } MBEDTLS_PRIVATE(data); -}; - struct psa_pake_operation_s { /** Unique ID indicating which driver got assigned to do the * operation. Since driver contexts are driver-specific, swapping 
@@ -2049,7 +2040,9 @@ struct psa_pake_operation_s { are copied to the corresponding operation context. */ uint8_t MBEDTLS_PRIVATE(stage); /* Holds computation stage of the PAKE algorithms. */ - psa_pake_computation_stage_t MBEDTLS_PRIVATE(computation_stage); + union { + psa_jpake_computation_stage_t MBEDTLS_PRIVATE(jpake); + } MBEDTLS_PRIVATE(computation_stage); union { psa_crypto_driver_pake_inputs_t MBEDTLS_PRIVATE(inputs); psa_driver_pake_context_t MBEDTLS_PRIVATE(ctx); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 75196fc1e..bafb0ae0b 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7260,7 +7260,7 @@ psa_status_t psa_pake_setup( if (operation->alg == PSA_ALG_JPAKE) { psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake; + &operation->computation_stage.jpake; computation_stage->state = PSA_PAKE_STATE_SETUP; computation_stage->sequence = PSA_PAKE_SEQ_INVALID; @@ -7391,12 +7391,12 @@ psa_status_t psa_pake_set_role( /* Auxiliary function to convert core computation stage(step, sequence, state) to single driver step. */ static psa_pake_driver_step_t convert_jpake_computation_stage_to_driver_step( - psa_pake_computation_stage_t *stage) + psa_jpake_computation_stage_t *stage) { - switch (stage->data.jpake.state) { + switch (stage->state) { case PSA_PAKE_OUTPUT_X1_X2: case PSA_PAKE_INPUT_X1_X2: - switch (stage->data.jpake.sequence) { + switch (stage->sequence) { case PSA_PAKE_X1_STEP_KEY_SHARE: return PSA_JPAKE_X1_STEP_KEY_SHARE; break; @@ -7420,7 +7420,7 @@ static psa_pake_driver_step_t convert_jpake_computation_stage_to_driver_step( } break; case PSA_PAKE_OUTPUT_X2S: - switch (stage->data.jpake.sequence) { + switch (stage->sequence) { case PSA_PAKE_X1_STEP_KEY_SHARE: return PSA_JPAKE_X2S_STEP_KEY_SHARE; break; 
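Review bot: The new parameter of convert_jpake_computation_stage_to_driver_step() should be a pointer to const, since the visible parts of the function only read `stage->state` and `stage->sequence`. Declaring it as `const psa_jpake_computation_stage_t *stage` makes it clear that the conversion cannot alter the protocol state machine, and the callers passing `&operation->computation_stage.jpake` compile unchanged. The function body continues beyond the hunks shown here, so this assumes the rest of it does not write through the pointer either.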
@@ -7434,7 +7434,7 @@ static psa_pake_driver_step_t convert_jpake_computation_stage_to_driver_step( } break; case PSA_PAKE_INPUT_X4S: - switch (stage->data.jpake.sequence) { + switch (stage->sequence) { case PSA_PAKE_X1_STEP_KEY_SHARE: return PSA_JPAKE_X4S_STEP_KEY_SHARE; break; @@ -7457,7 +7457,7 @@ static psa_status_t psa_pake_complete_inputs( psa_pake_operation_t *operation) { psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake; + &operation->computation_stage.jpake; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; uint8_t *password = operation->data.inputs.password; size_t password_len = operation->data.inputs.password_len; @@ -7501,7 +7501,7 @@ static psa_status_t psa_jpake_output_prologue( psa_pake_step_t step) { psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake; + &operation->computation_stage.jpake; if (computation_stage->state == PSA_PAKE_STATE_INVALID) { return PSA_ERROR_BAD_STATE; @@ -7572,7 +7572,7 @@ static psa_status_t psa_jpake_output_epilogue( psa_pake_operation_t *operation) { psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake; + &operation->computation_stage.jpake; if ((computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 && computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || @@ -7628,10 +7628,8 @@ psa_status_t psa_pake_output( } status = psa_driver_wrapper_pake_output(operation, - convert_jpake_computation_stage_to_driver_step(& - operation - -> - computation_stage), + convert_jpake_computation_stage_to_driver_step( + &operation->computation_stage.jpake), output, output_size, output_length); @@ -7660,7 +7658,7 @@ static psa_status_t psa_jpake_input_prologue( size_t input_length) { psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake; + &operation->computation_stage.jpake; if (computation_stage->state == PSA_PAKE_STATE_INVALID) { return PSA_ERROR_BAD_STATE; 
@@ -7737,7 +7735,7 @@ static psa_status_t psa_jpake_input_epilogue( psa_pake_operation_t *operation) { psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake; + &operation->computation_stage.jpake; if ((computation_stage->state == PSA_PAKE_INPUT_X1_X2 && computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || @@ -7792,9 +7790,8 @@ psa_status_t psa_pake_input( } status = psa_driver_wrapper_pake_input(operation, - convert_jpake_computation_stage_to_driver_step(&operation - -> - computation_stage), + convert_jpake_computation_stage_to_driver_step( + &operation->computation_stage.jpake), input, input_length); @@ -7824,7 +7821,7 @@ psa_status_t psa_pake_get_implicit_key( uint8_t shared_key[MBEDTLS_PSA_PAKE_BUFFER_SIZE]; size_t shared_key_len = 0; psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake; + &operation->computation_stage.jpake; if (operation->id == 0) { return PSA_ERROR_BAD_STATE; @@ -7883,7 +7880,7 @@ psa_status_t psa_pake_abort( if (operation->alg == PSA_ALG_JPAKE) { psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.data.jpake; + &operation->computation_stage.jpake; computation_stage->input_step = PSA_PAKE_STEP_INVALID; computation_stage->output_step = PSA_PAKE_STEP_INVALID; diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index 0c4422783..3220c62a6 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function 
@@ -3119,8 +3119,8 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st PSA_SUCCESS); /* Simulate that we are ready to get implicit key. */ - operation.computation_stage.data.jpake.input_step = PSA_PAKE_STEP_DERIVE; - operation.computation_stage.data.jpake.output_step = PSA_PAKE_STEP_DERIVE; + operation.computation_stage.jpake.input_step = PSA_PAKE_STEP_DERIVE; + operation.computation_stage.jpake.output_step = PSA_PAKE_STEP_DERIVE; /* --- psa_pake_get_implicit_key --- */ mbedtls_test_driver_pake_hooks.forced_status = forced_status; From ff01bc496c4ded56614114115e3738ad34036c87 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 26 Jan 2023 09:48:06 +0100 Subject: [PATCH 42/75] Remove j-pake specific checks from psa_pake_setup mbedtls_psa_pake_setup has already check for PSA_PAKE_PRIMITIVE_TYPE_ECC primitive. Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index bafb0ae0b..bfbd49735 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7247,8 +7247,6 @@ psa_status_t psa_pake_setup( if (cipher_suite == NULL || PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 || - (cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC && - cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_DH) || PSA_ALG_IS_HASH(cipher_suite->hash) == 0) { return PSA_ERROR_INVALID_ARGUMENT; } From 1c3cfb4fb0ba2000ac04d9379c00f96fd9764ef5 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 26 Jan 2023 10:35:02 +0100 Subject: [PATCH 43/75] Introduce PSA_PAKE_OPERATION_STAGE_SETUP to optimize out alg checks Signed-off-by: Przemek Stekiel --- include/psa/crypto_extra.h | 7 ++++--- library/psa_crypto.c | 26 ++++---------------------- 2 files changed, 8 insertions(+), 25 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 07d7bae31..32e956925 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h 
@@ -430,8 +430,9 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed, #define PSA_DH_FAMILY_CUSTOM ((psa_dh_family_t) 0x7e) /** EC-JPAKE operation stages. */ -#define PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS 0 -#define PSA_PAKE_OPERATION_STAGE_COMPUTATION 1 +#define PSA_PAKE_OPERATION_STAGE_SETUP 0 +#define PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS 1 +#define PSA_PAKE_OPERATION_STAGE_COMPUTATION 2 /** * \brief Set domain parameters for a key. @@ -1893,7 +1894,7 @@ psa_status_t psa_pake_abort(psa_pake_operation_t *operation); /** Returns a suitable initializer for a PAKE operation object of type * psa_pake_operation_t. */ -#define PSA_PAKE_OPERATION_INIT { 0, PSA_ALG_NONE, PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS, \ +#define PSA_PAKE_OPERATION_INIT { 0, PSA_ALG_NONE, PSA_PAKE_OPERATION_STAGE_SETUP, \ { { 0 } }, { { 0 } } } struct psa_pake_cipher_suite_s { diff --git a/library/psa_crypto.c b/library/psa_crypto.c index bfbd49735..2d1c06500 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7237,11 +7237,7 @@ psa_status_t psa_pake_setup( psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite) { - if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { - return PSA_ERROR_BAD_STATE; - } - - if (operation->alg != PSA_ALG_NONE) { + if (operation->stage != PSA_PAKE_OPERATION_STAGE_SETUP) { return PSA_ERROR_BAD_STATE; } @@ -7266,6 +7262,8 @@ psa_status_t psa_pake_setup( computation_stage->output_step = PSA_PAKE_STEP_X1_X2; } + operation->stage = PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS; + return PSA_SUCCESS; } @@ -7281,10 +7279,6 @@ psa_status_t psa_pake_set_password_key( return PSA_ERROR_BAD_STATE; } - if (operation->alg == PSA_ALG_NONE) { - return PSA_ERROR_BAD_STATE; - } - status = psa_get_and_lock_key_slot_with_policy(password, &slot, PSA_KEY_USAGE_DERIVE, PSA_ALG_JPAKE); 
@@ -7329,10 +7323,6 @@ psa_status_t psa_pake_set_user( return PSA_ERROR_BAD_STATE; } - if (operation->alg == PSA_ALG_NONE) { - return PSA_ERROR_BAD_STATE; - } - if (user_id_len == 0) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -7351,10 +7341,6 @@ psa_status_t psa_pake_set_peer( return PSA_ERROR_BAD_STATE; } - if (operation->alg == PSA_ALG_NONE) { - return PSA_ERROR_BAD_STATE; - } - if (peer_id_len == 0) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -7370,10 +7356,6 @@ psa_status_t psa_pake_set_role( return PSA_ERROR_BAD_STATE; } - if (operation->alg == PSA_ALG_NONE) { - return PSA_ERROR_BAD_STATE; - } - if (role != PSA_PAKE_ROLE_NONE && role != PSA_PAKE_ROLE_FIRST && role != PSA_PAKE_ROLE_SECOND && @@ -7887,7 +7869,7 @@ psa_status_t psa_pake_abort( } operation->alg = PSA_ALG_NONE; - operation->stage = PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS; + operation->stage = PSA_PAKE_OPERATION_STAGE_SETUP; operation->id = 0; return PSA_SUCCESS; From d5d28a217fd0b2e5ee40cbd8cee241f7ffbceab1 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 26 Jan 2023 10:46:05 +0100 Subject: [PATCH 44/75] Use operation alg for locking key slot Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 2d1c06500..5e567ad12 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7281,7 +7281,7 @@ psa_status_t psa_pake_set_password_key( status = psa_get_and_lock_key_slot_with_policy(password, &slot, PSA_KEY_USAGE_DERIVE, - PSA_ALG_JPAKE); + operation->alg); if (status != PSA_SUCCESS) { return status; } From 9dd2440c95707ae66e707f8144a80a384e89c5c2 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 26 Jan 2023 15:06:09 +0100 Subject: [PATCH 45/75] Change pake input: key_lifetime -> key attributes In the future key attributes will be available for opaque driver via psa_crypto_driver_pake_get_password_key(). Signed-off-by: Przemek Stekiel 
Signed-off-by: Przemek Stekiel --- include/psa/crypto_extra.h | 2 +- library/psa_crypto.c | 2 +- .../psa_crypto_driver_wrappers.c.jinja | 2 +- tests/scripts/all.sh | 12 ++++++++++-- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 32e956925..2d6b6abd1 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1970,7 +1970,7 @@ struct psa_crypto_driver_pake_inputs_s { uint8_t *MBEDTLS_PRIVATE(password); size_t MBEDTLS_PRIVATE(password_len); psa_pake_role_t MBEDTLS_PRIVATE(role); - psa_key_lifetime_t MBEDTLS_PRIVATE(key_lifetime); + psa_key_attributes_t MBEDTLS_PRIVATE(attributes); psa_pake_cipher_suite_t MBEDTLS_PRIVATE(cipher_suite); }; diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 5e567ad12..b4fad33d3 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7306,7 +7306,7 @@ psa_status_t psa_pake_set_password_key( memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes); operation->data.inputs.password_len = slot->key.bytes; - operation->data.inputs.key_lifetime = attributes.core.lifetime; + operation->data.inputs.attributes = attributes; error: unlock_status = psa_unlock_key_slot(slot); return (status == PSA_SUCCESS) ? unlock_status : status; diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index d7dabed63..d52ed5993 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -2816,7 +2816,7 @@ psa_status_t psa_driver_wrapper_pake_setup( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( inputs->key_lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( inputs->attributes.core.lifetime ); switch( location ) { 
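Review bot: Embedding a whole `psa_key_attributes_t` by value in `struct psa_crypto_driver_pake_inputs_s` makes the layout of the inputs handed to drivers depend on every build option that changes that struct, and nothing at the field says so. The all.sh hunks of this same patch have to unset `MBEDTLS_PSA_CRYPTO_SE_C` in two components "to have the same form of psa_key_attributes_s for libdriver and library", which is this dependency showing up in the tests. A comment on the member would record the constraint for driver authors, for example `/* Layout depends on the build configuration; core and driver must be built with matching options. */`.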
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 98060d720..7964319e6 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2506,15 +2506,19 @@ component_test_psa_crypto_config_accel_pake () { loc_accel_list="ALG_JPAKE" loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) - make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" + make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" DEBUG=1 scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py unset MBEDTLS_ECJPAKE_C + # Dynamic secure element support is a deprecated feature and needs to be disabled here. + # This is done to have the same form of psa_key_attributes_s for libdriver and library. + scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C + loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" - make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" + make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" DEBUG=1 msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" tests/ssl-opt.sh -f "ECJPAKE" 
@@ -2547,6 +2551,10 @@ component_test_psa_crypto_config_accel_pake_no_fallback () { scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_JPAKE scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + # Dynamic secure element support is a deprecated feature and needs to be disabled here. + # This is done to have the same form of psa_key_attributes_s for libdriver and library. + scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C + loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" From ac067d779eb8a849f122b0f0000260e2a37d399c Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 26 Jan 2023 16:31:03 +0100 Subject: [PATCH 46/75] Fix PSA_PAKE_OPERATION_INIT macro Needs to be adapted for the clang -Wall -Wextra. Requirea to explicitly initialize all the members of the struct that is the first member in the union. Signed-off-by: Przemek Stekiel --- include/psa/crypto_extra.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 2d6b6abd1..8b8cb042e 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1895,7 +1895,7 @@ psa_status_t psa_pake_abort(psa_pake_operation_t *operation); * psa_pake_operation_t. */ #define PSA_PAKE_OPERATION_INIT { 0, PSA_ALG_NONE, PSA_PAKE_OPERATION_STAGE_SETUP, \ - { { 0 } }, { { 0 } } } + { { 0, 0, 0, 0 } }, { { 0 } } } struct psa_pake_cipher_suite_s { psa_algorithm_t algorithm; 
@@ -2045,8 +2045,8 @@ struct psa_pake_operation_s { psa_jpake_computation_stage_t MBEDTLS_PRIVATE(jpake); } MBEDTLS_PRIVATE(computation_stage); union { - psa_crypto_driver_pake_inputs_t MBEDTLS_PRIVATE(inputs); psa_driver_pake_context_t MBEDTLS_PRIVATE(ctx); + psa_crypto_driver_pake_inputs_t MBEDTLS_PRIVATE(inputs); } MBEDTLS_PRIVATE(data); }; From f62b3bb0878c6056f07345521f75a1cc838a29d3 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 31 Jan 2023 19:51:24 +0100 Subject: [PATCH 47/75] Optimization of pake core functions Adapt pake test (passing NULL buffers is not allowed). Passing the null buffer to psa_pake_output results in a hard fault. Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 33 +++++++------------ .../psa_crypto_driver_wrappers.c.jinja | 2 +- .../test_suite_psa_crypto_pake.function | 10 +++--- 3 files changed, 18 insertions(+), 27 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index b4fad33d3..4f3d774af 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7241,8 +7241,7 @@ psa_status_t psa_pake_setup( return PSA_ERROR_BAD_STATE; } - if (cipher_suite == NULL || - PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 || + if (PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 || PSA_ALG_IS_HASH(cipher_suite->hash) == 0) { return PSA_ERROR_INVALID_ARGUMENT; } 
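Review bot: The swap of `ctx` and `inputs` inside the `data` union of `struct psa_pake_operation_s` carries no comment, although `PSA_PAKE_OPERATION_INIT` initialises only the first member of a union and the two now have to be kept in step by hand. With `ctx` first, the trailing `{ { 0 } }` of the macro applies to the driver context, and any part of `inputs` that extends past `ctx` is not guaranteed to be zeroed by the initialiser; the code then relies on the `memset` of `operation->data.inputs` in psa_pake_setup(). A line above the union such as `/* PSA_PAKE_OPERATION_INIT initialises the first member of this union only. */` would keep a later reordering from silently changing what the macro covers. The commit message explains the `{ 0, 0, 0, 0 }` change but not the reason for the swap.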
@@ -7436,17 +7435,12 @@ static psa_pake_driver_step_t convert_jpake_computation_stage_to_driver_step( static psa_status_t psa_pake_complete_inputs( psa_pake_operation_t *operation) { - psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.jpake; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - uint8_t *password = operation->data.inputs.password; - size_t password_len = operation->data.inputs.password_len; /* Create copy of the inputs on stack as inputs share memory with the driver context which will be setup by the driver. */ psa_crypto_driver_pake_inputs_t inputs = operation->data.inputs; - if (operation->alg == PSA_ALG_NONE || - operation->data.inputs.password_len == 0 || + if (operation->data.inputs.password_len == 0 || operation->data.inputs.role == PSA_PAKE_ROLE_NONE) { return PSA_ERROR_BAD_STATE; } @@ -7457,12 +7451,14 @@ static psa_status_t psa_pake_complete_inputs( status = psa_driver_wrapper_pake_setup(operation, &inputs); /* Driver is responsible for creating its own copy of the password. */ - mbedtls_platform_zeroize(password, password_len); - mbedtls_free(password); + mbedtls_platform_zeroize(inputs.password, inputs.password_len); + mbedtls_free(inputs.password); if (status == PSA_SUCCESS) { operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; if (operation->alg == PSA_ALG_JPAKE) { + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.jpake; computation_stage->state = PSA_PAKE_STATE_READY; computation_stage->sequence = PSA_PAKE_SEQ_INVALID; computation_stage->input_step = PSA_PAKE_STEP_X1_X2; @@ -7576,6 +7572,7 @@ psa_status_t psa_pake_output( size_t *output_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + *output_length = 0; if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { status = psa_pake_complete_inputs(operation); 
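Review bot: When `psa_driver_wrapper_pake_setup` fails in psa_pake_complete_inputs(), the password buffer is still freed through the stack copy `inputs`, but `operation->stage` stays at `PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS`. That is the stage in which psa_pake_abort(), as reworked in patch 48/75, reads `operation->data` as `inputs` and frees `operation->data.inputs.password` when `password_len > 0`. Unless the lines between this hunk and the previous one (not shown) clear `operation->data`, and a failing driver leaves it cleared, that abort would act on a stale pointer or on driver context bytes. Clearing the union on the failure path would close the gap, for example `if (status != PSA_SUCCESS) { memset(&operation->data, 0, sizeof(operation->data)); }` right after the `mbedtls_free`, assuming a failing driver releases whatever it allocated itself. The function starts above the hunk.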
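Review bot: `*output_length = 0;` now runs before any state or argument check in psa_pake_output(), and the next hunk removes the `output == NULL` test, so a null `output_length` or `output` is dereferenced instead of being rejected with `PSA_ERROR_INVALID_ARGUMENT`. The commit message says null buffers are not allowed, but nothing at the function states that contract; psa_pake_input() loses its `input == NULL` test in the same patch. A comment above the store would make the precondition visible to callers and to drivers that forward these pointers, for example `/* output and output_length must be non-NULL; they are not validated here. */`. The function body continues beyond this hunk.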
@@ -7588,11 +7585,7 @@ psa_status_t psa_pake_output( return PSA_ERROR_BAD_STATE; } - if (operation->id == 0) { - return PSA_ERROR_BAD_STATE; - } - - if (output == NULL || output_size == 0) { + if (output_size == 0) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -7750,11 +7743,7 @@ psa_status_t psa_pake_input( return PSA_ERROR_BAD_STATE; } - if (operation->id == 0) { - return PSA_ERROR_BAD_STATE; - } - - if (input == NULL || input_length == 0) { + if (input_length == 0) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -7797,13 +7786,13 @@ psa_status_t psa_pake_get_implicit_key( psa_pake_operation_t *operation, psa_key_derivation_operation_t *output) { - psa_status_t status = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; uint8_t shared_key[MBEDTLS_PSA_PAKE_BUFFER_SIZE]; size_t shared_key_len = 0; psa_jpake_computation_stage_t *computation_stage = &operation->computation_stage.jpake; - if (operation->id == 0) { + if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) { return PSA_ERROR_BAD_STATE; } diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index d52ed5993..cf08794c6 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -2816,7 +2816,7 @@ psa_status_t psa_driver_wrapper_pake_setup( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( inputs->attributes.core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime( &inputs->attributes ) ); switch( location ) { diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index 5af41f75f..d77dfdc8e 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function 
@@ -590,10 +590,10 @@ void ecjpake_setup(int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, TEST_EQUAL(psa_pake_set_role(&operation, role), expected_error); TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, - NULL, 0, NULL), + output_buffer, 0, &output_len), expected_error); TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, - NULL, 0), + output_buffer, 0), expected_error); TEST_EQUAL(psa_pake_get_implicit_key(&operation, &key_derivation), expected_error); @@ -633,7 +633,8 @@ void ecjpake_setup(int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, if (test_input) { SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, - PSA_PAKE_STEP_ZK_PROOF, NULL, 0), + PSA_PAKE_STEP_ZK_PROOF, + output_buffer, 0), ERR_INJECT_EMPTY_IO_BUFFER); SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, @@ -665,7 +666,8 @@ void ecjpake_setup(int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, } else { SETUP_CONDITIONAL_CHECK_STEP(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF, - NULL, 0, NULL), + output_buffer, 0, + &output_len), ERR_INJECT_EMPTY_IO_BUFFER); SETUP_CONDITIONAL_CHECK_STEP(psa_pake_output(&operation, From d69dca9fc405438731550c0092c6be3719d04623 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 31 Jan 2023 19:59:20 +0100 Subject: [PATCH 48/75] Rework psa_pake_abort - Fix potential issue with freeing password - Clean operation object even if psa_driver_wrapper_pake_abort fails - Remove redundant code Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 28 ++++++---------------------- 1 file changed, 6 insertions(+), 22 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 4f3d774af..93e76aee8 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -7830,38 +7830,22 @@ psa_status_t psa_pake_get_implicit_key( psa_status_t psa_pake_abort( psa_pake_operation_t *operation) { - psa_status_t status = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + psa_status_t status = PSA_SUCCESS; - if (operation->id != 0) { + if (operation->stage == PSA_PAKE_OPERATION_STAGE_COMPUTATION) { status = psa_driver_wrapper_pake_abort(operation); - if (status != PSA_SUCCESS) { - return status; - } } - if (operation->data.inputs.password_len > 0) { + if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS && + operation->data.inputs.password_len > 0) { mbedtls_platform_zeroize(operation->data.inputs.password, operation->data.inputs.password_len); mbedtls_free(operation->data.inputs.password); } - memset(&operation->data, 0, sizeof(operation->data)); + memset(operation, 0, sizeof(psa_pake_operation_t)); - if (operation->alg == PSA_ALG_JPAKE) { - psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.jpake; - - computation_stage->input_step = PSA_PAKE_STEP_INVALID; - computation_stage->output_step = PSA_PAKE_STEP_INVALID; - computation_stage->state = PSA_PAKE_STATE_INVALID; - computation_stage->sequence = PSA_PAKE_SEQ_INVALID; - } - - operation->alg = PSA_ALG_NONE; - operation->stage = PSA_PAKE_OPERATION_STAGE_SETUP; - operation->id = 0; - - return PSA_SUCCESS; + return status; } #endif /* MBEDTLS_PSA_CRYPTO_C */ From a48cf500d7fd8e4a4c8099cbba6738bf1b061868 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 31 Jan 2023 20:03:57 +0100 Subject: [PATCH 49/75] mbedtls_test_transparent_pake_abort: call driver/build-in impl even when status is forced This is done to solve the problem with memory leak when pake abort status is forced. In this case the driver/build-in abort function was not executed. After failure core clears the operation object and no successive abort call is possible. 
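Review bot: `memset(operation, 0, sizeof(psa_pake_operation_t));` replaces the explicit resets of `alg`, `stage` and `id` in psa_pake_abort(), so the function now depends on the all-zero pattern being the initial state without saying so. `PSA_PAKE_OPERATION_STAGE_SETUP` is defined as 0 in patch 43/75, but a later renumbering of the stages would leave an aborted operation in a different stage with no compiler diagnostic. The J-PAKE `computation_stage` fields are also left at 0 rather than the `*_INVALID` constants the removed block assigned, which is safe only as long as every entry point tests `operation->stage` before looking at them. A comment on the `memset`, such as `/* All-zero must equal PSA_PAKE_OPERATION_INIT (stage SETUP, alg NONE, id 0). */`, would record the assumption, and `sizeof(*operation)` keeps the size tied to the argument.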
Signed-off-by: Przemek Stekiel --- tests/src/drivers/test_driver_pake.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c index e0be17dd0..9d51ea10b 100644 --- a/tests/src/drivers/test_driver_pake.c +++ b/tests/src/drivers/test_driver_pake.c @@ -177,25 +177,28 @@ psa_status_t mbedtls_test_transparent_pake_abort( { mbedtls_test_driver_pake_hooks.hits++; - if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) { - mbedtls_test_driver_pake_hooks.driver_status = - mbedtls_test_driver_pake_hooks.forced_status; - } else { #if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) - mbedtls_test_driver_pake_hooks.driver_status = - libtestdriver1_mbedtls_psa_pake_abort( - operation); + mbedtls_test_driver_pake_hooks.driver_status = + libtestdriver1_mbedtls_psa_pake_abort( + operation); #elif defined(MBEDTLS_PSA_BUILTIN_PAKE) - mbedtls_test_driver_pake_hooks.driver_status = - mbedtls_psa_pake_abort( - operation); + mbedtls_test_driver_pake_hooks.driver_status = + mbedtls_psa_pake_abort( + operation); #else - (void) operation; - mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; + (void) operation; + mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; #endif + + + if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS && + mbedtls_test_driver_pake_hooks.driver_status == PSA_SUCCESS) { + mbedtls_test_driver_pake_hooks.driver_status = + mbedtls_test_driver_pake_hooks.forced_status; } + return mbedtls_test_driver_pake_hooks.driver_status; } From 3e784d898114883facf559b82940315964502dab Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 8 Feb 2023 09:12:42 +0100 Subject: [PATCH 50/75] PSA crypto pake: call abort on each failure Adapt driver hook counters in pake driver test. 
Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 139 ++++++++++++------ ..._suite_psa_crypto_driver_wrappers.function | 12 +- 2 files changed, 102 insertions(+), 49 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 93e76aee8..adbd7af82 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7237,13 +7237,18 @@ psa_status_t psa_pake_setup( psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite) { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; + if (operation->stage != PSA_PAKE_OPERATION_STAGE_SETUP) { - return PSA_ERROR_BAD_STATE; + status = PSA_ERROR_BAD_STATE; + goto exit; } if (PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 || PSA_ALG_IS_HASH(cipher_suite->hash) == 0) { - return PSA_ERROR_INVALID_ARGUMENT; + status = PSA_ERROR_INVALID_ARGUMENT; + goto exit; } memset(&operation->data.inputs, 0, sizeof(operation->data.inputs)); @@ -7264,6 +7269,9 @@ psa_status_t psa_pake_setup( operation->stage = PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS; return PSA_SUCCESS; +exit: + abort_status = psa_pake_abort(operation); + return status == PSA_SUCCESS ? abort_status : status; } psa_status_t psa_pake_set_password_key( @@ -7272,17 +7280,19 @@ psa_status_t psa_pake_set_password_key( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; + psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot = NULL; if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { - return PSA_ERROR_BAD_STATE; + status = PSA_ERROR_BAD_STATE; + goto exit; } status = psa_get_and_lock_key_slot_with_policy(password, &slot, PSA_KEY_USAGE_DERIVE, operation->alg); if (status != PSA_SUCCESS) { - return status; + goto exit; } psa_key_attributes_t attributes = { 
@@ -7294,21 +7304,27 @@ psa_status_t psa_pake_set_password_key( if (type != PSA_KEY_TYPE_PASSWORD && type != PSA_KEY_TYPE_PASSWORD_HASH) { status = PSA_ERROR_INVALID_ARGUMENT; - goto error; + goto exit; } operation->data.inputs.password = mbedtls_calloc(1, slot->key.bytes); if (operation->data.inputs.password == NULL) { status = PSA_ERROR_INSUFFICIENT_MEMORY; - goto error; + goto exit; } memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes); operation->data.inputs.password_len = slot->key.bytes; operation->data.inputs.attributes = attributes; -error: + unlock_status = psa_unlock_key_slot(slot); - return (status == PSA_SUCCESS) ? unlock_status : status; + + return unlock_status; +exit: + unlock_status = psa_unlock_key_slot(slot); + abort_status = psa_pake_abort(operation); + status = (status == PSA_SUCCESS) ? unlock_status : status; + return (status == PSA_SUCCESS) ? abort_status : status; } psa_status_t psa_pake_set_user( @@ -7316,17 +7332,24 @@ psa_status_t psa_pake_set_user( const uint8_t *user_id, size_t user_id_len) { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; (void) user_id; if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { - return PSA_ERROR_BAD_STATE; + status = PSA_ERROR_BAD_STATE; + goto exit; } if (user_id_len == 0) { - return PSA_ERROR_INVALID_ARGUMENT; + status = PSA_ERROR_INVALID_ARGUMENT; + goto exit; } return PSA_ERROR_NOT_SUPPORTED; +exit: + abort_status = psa_pake_abort(operation); + return status == PSA_SUCCESS ? abort_status : status; } psa_status_t psa_pake_set_peer( 
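Review bot: A second call to psa_pake_set_password_key while the stage is still COLLECT_INPUTS appears to overwrite `operation->data.inputs.password` with the new `mbedtls_calloc` result, leaving the earlier password copy allocated and unwiped. No check for an already-set password is visible in this hunk or the previous one, though the few lines between them are not shown. A guard before the allocation would close this: `if (operation->data.inputs.password != NULL) { status = PSA_ERROR_BAD_STATE; goto exit; }`. The new `exit:` path can also reach `psa_unlock_key_slot(slot)` with `slot == NULL` (failed stage check or slot lookup), so confirm that function accepts NULL and note it in a comment.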
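Review bot: The last statement before `exit:` in psa_pake_set_user is still `return PSA_ERROR_NOT_SUPPORTED;`, so the error returned by every otherwise valid call bypasses the new `psa_pake_abort(operation)` path. That is at odds with the commit's stated aim of aborting on each failure, and psa_pake_set_peer in the next hunk has the same shape. If it is deliberate, a comment such as `/* Not supported yet: report the error without aborting the operation. */` would say so; otherwise use `status = PSA_ERROR_NOT_SUPPORTED; goto exit;`.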
@@ -7334,25 +7357,36 @@ psa_status_t psa_pake_set_peer( const uint8_t *peer_id, size_t peer_id_len) { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; (void) peer_id; if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { - return PSA_ERROR_BAD_STATE; + status = PSA_ERROR_BAD_STATE; + goto exit; } if (peer_id_len == 0) { - return PSA_ERROR_INVALID_ARGUMENT; + status = PSA_ERROR_INVALID_ARGUMENT; + goto exit; } return PSA_ERROR_NOT_SUPPORTED; +exit: + abort_status = psa_pake_abort(operation); + return status == PSA_SUCCESS ? abort_status : status; } psa_status_t psa_pake_set_role( psa_pake_operation_t *operation, psa_pake_role_t role) { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; + if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { - return PSA_ERROR_BAD_STATE; + status = PSA_ERROR_BAD_STATE; + goto exit; } if (role != PSA_PAKE_ROLE_NONE && @@ -7360,12 +7394,16 @@ psa_status_t psa_pake_set_role( role != PSA_PAKE_ROLE_SECOND && role != PSA_PAKE_ROLE_CLIENT && role != PSA_PAKE_ROLE_SERVER) { - return PSA_ERROR_INVALID_ARGUMENT; + status = PSA_ERROR_INVALID_ARGUMENT; + goto exit; } operation->data.inputs.role = role; return PSA_SUCCESS; +exit: + abort_status = psa_pake_abort(operation); + return status == PSA_SUCCESS ? abort_status : status; } /* Auxiliary function to convert core computation stage(step, sequence, state) to single driver step. */ 
@@ -7572,32 +7610,36 @@ psa_status_t psa_pake_output( size_t *output_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; *output_length = 0; if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { status = psa_pake_complete_inputs(operation); if (status != PSA_SUCCESS) { - return status; + goto exit; } } if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) { - return PSA_ERROR_BAD_STATE; + status = PSA_ERROR_BAD_STATE; + goto exit; } if (output_size == 0) { - return PSA_ERROR_INVALID_ARGUMENT; + status = PSA_ERROR_INVALID_ARGUMENT; + goto exit; } switch (operation->alg) { case PSA_ALG_JPAKE: status = psa_jpake_output_prologue(operation, step); if (status != PSA_SUCCESS) { - return status; + goto exit; } break; default: - return PSA_ERROR_NOT_SUPPORTED; + status = PSA_ERROR_NOT_SUPPORTED; + goto exit; } status = psa_driver_wrapper_pake_output(operation, @@ -7608,21 +7650,25 @@ psa_status_t psa_pake_output( output_length); if (status != PSA_SUCCESS) { - return status; + goto exit; } switch (operation->alg) { case PSA_ALG_JPAKE: status = psa_jpake_output_epilogue(operation); if (status != PSA_SUCCESS) { - return status; + goto exit; } break; default: - return PSA_ERROR_NOT_SUPPORTED; + status = PSA_ERROR_NOT_SUPPORTED; + goto exit; } - return status; + return PSA_SUCCESS; +exit: + abort_status = psa_pake_abort(operation); + return status == PSA_SUCCESS ? abort_status : status; } static psa_status_t psa_jpake_input_prologue( 
@@ -7731,27 +7777,30 @@ psa_status_t psa_pake_input( size_t input_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { status = psa_pake_complete_inputs(operation); if (status != PSA_SUCCESS) { - return status; + goto exit; } } if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) { - return PSA_ERROR_BAD_STATE; + status = PSA_ERROR_BAD_STATE; + goto exit; } if (input_length == 0) { - return PSA_ERROR_INVALID_ARGUMENT; + status = PSA_ERROR_INVALID_ARGUMENT; + goto exit; } switch (operation->alg) { case PSA_ALG_JPAKE: status = psa_jpake_input_prologue(operation, step, input_length); if (status != PSA_SUCCESS) { - return status; + goto exit; } break; default: @@ -7765,21 +7814,25 @@ psa_status_t psa_pake_input( input_length); if (status != PSA_SUCCESS) { - return status; + goto exit; } switch (operation->alg) { case PSA_ALG_JPAKE: status = psa_jpake_input_epilogue(operation); if (status != PSA_SUCCESS) { - return status; + goto exit; } break; default: - return PSA_ERROR_NOT_SUPPORTED; + status = PSA_ERROR_NOT_SUPPORTED; + goto exit; } - return status; + return PSA_SUCCESS; +exit: + abort_status = psa_pake_abort(operation); + return status == PSA_SUCCESS ? abort_status : status; } psa_status_t psa_pake_get_implicit_key( 
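Review bot: The `default:` arm of the first `switch (operation->alg)` in psa_pake_input is the last context line of this hunk, and the statement under it is not part of the change. It therefore presumably still returns `PSA_ERROR_NOT_SUPPORTED` directly and skips `psa_pake_abort`. psa_pake_output's first switch was converted in this same commit, so for consistency the arm should read `status = PSA_ERROR_NOT_SUPPORTED; goto exit;`. The statement itself lies between this hunk and the next, so confirm against the full file.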
@@ -7787,19 +7840,22 @@ psa_status_t psa_pake_get_implicit_key( psa_key_derivation_operation_t *output) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; uint8_t shared_key[MBEDTLS_PSA_PAKE_BUFFER_SIZE]; size_t shared_key_len = 0; - psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.jpake; if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) { - return PSA_ERROR_BAD_STATE; + status = PSA_ERROR_BAD_STATE; + goto exit; } if (operation->alg == PSA_ALG_JPAKE) { + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.jpake; if (computation_stage->input_step != PSA_PAKE_STEP_DERIVE || computation_stage->output_step != PSA_PAKE_STEP_DERIVE) { - return PSA_ERROR_BAD_STATE; + status = PSA_ERROR_BAD_STATE; + goto exit; } } @@ -7808,7 +7864,7 @@ psa_status_t psa_pake_get_implicit_key( &shared_key_len); if (status != PSA_SUCCESS) { - return status; + goto exit; } status = psa_key_derivation_input_bytes(output, @@ -7816,15 +7872,10 @@ psa_status_t psa_pake_get_implicit_key( shared_key, shared_key_len); - if (status != PSA_SUCCESS) { - psa_key_derivation_abort(output); - } - mbedtls_platform_zeroize(shared_key, MBEDTLS_PSA_PAKE_BUFFER_SIZE); - - psa_pake_abort(operation); - - return status; +exit: + abort_status = psa_pake_abort(operation); + return status == PSA_SUCCESS ? abort_status : status; } psa_status_t psa_pake_abort( diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index 3220c62a6..c1eea5059 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function 
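Review bot: `mbedtls_platform_zeroize(shared_key, ...)` sits above the `exit:` label, so the `goto exit` taken when `psa_driver_wrapper_pake_get_implicit_key` fails leaves the stack buffer unwiped even though the driver may already have written key material into it. Moving the wipe below the label covers every path: `exit:` then `mbedtls_platform_zeroize(shared_key, sizeof(shared_key));` before the existing `psa_pake_abort` call. Wiping an untouched buffer on the early BAD_STATE paths is harmless. The hunk also drops `psa_key_derivation_abort(output)` after a failed `psa_key_derivation_input_bytes`; if that call does not abort `output` itself, the cleanup should stay.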
@@ -3082,18 +3082,18 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st break; case 2: /* input */ - /* --- psa_pake_input (driver: setup, input) --- */ + /* --- psa_pake_input (driver: setup, input, (abort)) --- */ mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; mbedtls_test_driver_pake_hooks.forced_status = forced_status; mbedtls_test_driver_pake_hooks.hits = 0; TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, input_buffer, size_key_share), expected_status_input); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, in_driver ? 2 : 1); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, in_driver ? 3 : 1); break; case 3: /* output */ - /* --- psa_pake_input (driver: setup, output) --- */ + /* --- psa_pake_input (driver: setup, output, (abort)) --- */ mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; mbedtls_test_driver_pake_hooks.forced_status = forced_status; mbedtls_test_driver_pake_hooks.hits = 0; @@ -3105,10 +3105,12 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st output_buffer, output_size, &output_len), expected_status_output); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, in_driver ? 2 : 1); if (forced_output->len > 0) { + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, in_driver ? 2 : 1); TEST_EQUAL(output_len, forced_output->len); TEST_EQUAL(memcmp(output_buffer, forced_output->x, output_len), 0); + } else { + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, in_driver ? 3 : 1); } break; @@ -3127,7 +3129,7 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st mbedtls_test_driver_pake_hooks.hits = 0; TEST_EQUAL(psa_pake_get_implicit_key(&operation, &implicit_key), expected_status_get_key); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 1); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 2); break; From e1d51bf3c9f47f5a8325db7d00448a3c458fa1b8 Mon Sep 17 00:00:00 2001 
From: Przemek Stekiel Date: Tue, 14 Feb 2023 14:28:33 +0100 Subject: [PATCH 51/75] Optimieze psa_pake_complete_inputs() Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index adbd7af82..9c12863f0 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7478,8 +7478,8 @@ static psa_status_t psa_pake_complete_inputs( with the driver context which will be setup by the driver. */ psa_crypto_driver_pake_inputs_t inputs = operation->data.inputs; - if (operation->data.inputs.password_len == 0 || - operation->data.inputs.role == PSA_PAKE_ROLE_NONE) { + if (inputs.password_len == 0 || + inputs.role == PSA_PAKE_ROLE_NONE) { return PSA_ERROR_BAD_STATE; } @@ -7503,8 +7503,8 @@ static psa_status_t psa_pake_complete_inputs( computation_stage->output_step = PSA_PAKE_STEP_X1_X2; } } else { - operation->data.inputs.password_len = 0; - operation->data.inputs.password = NULL; + inputs.password_len = 0; + inputs.password = NULL; } return status; @@ -7888,7 +7888,7 @@ psa_status_t psa_pake_abort( } if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS && - operation->data.inputs.password_len > 0) { + operation->data.inputs.password != NULL) { mbedtls_platform_zeroize(operation->data.inputs.password, operation->data.inputs.password_len); mbedtls_free(operation->data.inputs.password); From 849c35f8b469f8ec4fed0b7c2d6db2ea9c799ddd Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 14 Feb 2023 15:11:40 +0100 Subject: [PATCH 52/75] Remove pake abort on failure from driver (handled by core) Signed-off-by: Przemek Stekiel --- library/psa_crypto_pake.c | 25 +++++-------------------- 1 file changed, 5 insertions(+), 20 deletions(-) diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 1a7725f68..10691afeb 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c 
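Review bot: In the `else` branch of psa_pake_complete_inputs the two assignments now target the local copy `inputs`, which is not read again before `return status;`, so they no longer clear anything in `operation`. The old stores reset `operation->data.inputs`, the field `psa_pake_abort` tests in the last hunk (`operation->data.inputs.password != NULL`) while the stage is still COLLECT_INPUTS. If `data.inputs` shares storage with the driver context, as the comment above the copy suggests, a failed driver setup could leave non-zero bytes there that abort would then wipe and free as a pointer. Keeping `operation->data.inputs.password_len = 0; operation->data.inputs.password = NULL;` in that branch preserves the old guarantee. The function starts and ends outside these hunks.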
@@ -230,14 +230,12 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, cipher_suite.family != PSA_ECC_FAMILY_SECP_R1 || cipher_suite.bits != 256 || cipher_suite.hash != PSA_ALG_SHA_256) { - status = PSA_ERROR_NOT_SUPPORTED; - goto error; + return PSA_ERROR_NOT_SUPPORTED; } if (role != PSA_PAKE_ROLE_CLIENT && role != PSA_PAKE_ROLE_SERVER) { - status = PSA_ERROR_NOT_SUPPORTED; - goto error; + return PSA_ERROR_NOT_SUPPORTED; } mbedtls_ecjpake_init(&operation->ctx.pake); @@ -245,13 +243,13 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, operation->password = mbedtls_calloc(1, password_len); if (operation->password == NULL) { status = PSA_ERROR_INSUFFICIENT_MEMORY; - goto error; + return status; } status = psa_crypto_driver_pake_get_password(inputs, operation->password, password_len, &actual_password_len); if (status != PSA_SUCCESS) { - goto error; + return status; } operation->password_len = actual_password_len; @@ -265,7 +263,7 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, status = psa_pake_ecjpake_setup(operation); if (status != PSA_SUCCESS) { - goto error; + return status; } return PSA_SUCCESS; @@ -276,8 +274,6 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, #endif { status = PSA_ERROR_NOT_SUPPORTED; } -error: - mbedtls_psa_pake_abort(operation); return status; } @@ -399,10 +395,6 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, psa_status_t status = mbedtls_psa_pake_output_internal( operation, step, output, output_size, output_length); - if (status != PSA_SUCCESS) { - mbedtls_psa_pake_abort(operation); - } - return status; } @@ -506,10 +498,6 @@ psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, psa_status_t status = mbedtls_psa_pake_input_internal( operation, step, input, input_length); - if (status != PSA_SUCCESS) { - mbedtls_psa_pake_abort(operation); - } - return status; } 
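Review bot: The `return status;` after a failed `psa_crypto_driver_pake_get_password` and the one after a failed `psa_pake_ecjpake_setup` now leave `operation->password` allocated, because the `error:` label that called `mbedtls_psa_pake_abort` is removed. On the first of these paths the buffer may hold password bytes. That is safe only if the core invokes the driver's abort entry point after a failed setup. The visible part of `psa_pake_abort` frees `data.inputs.password` for the COLLECT_INPUTS stage, and whether it also reaches the driver at that stage is not shown. Either record the contract above the function, `/* On failure the caller must invoke mbedtls_psa_pake_abort() to wipe and free the password copy. */`, or keep a local wipe-and-free on these two paths.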
@@ -528,7 +516,6 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); if (ret != 0) { - mbedtls_psa_pake_abort(operation); return mbedtls_ecjpake_to_psa_error(ret); } @@ -537,8 +524,6 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); - mbedtls_psa_pake_abort(operation); - return PSA_SUCCESS; } else #else From 4fcc61eec055dc8451c348f850e207796c765eea Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 14 Feb 2023 20:05:43 +0100 Subject: [PATCH 53/75] Optimize psa_pake_ecjpake_setup() Signed-off-by: Przemek Stekiel --- library/psa_crypto_pake.c | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 10691afeb..2d84f570b 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -167,19 +167,10 @@ static psa_status_t mbedtls_ecjpake_to_psa_error(int ret) static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operation) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_ecjpake_role role; + mbedtls_ecjpake_role role = (operation->role == PSA_PAKE_ROLE_CLIENT) ? + MBEDTLS_ECJPAKE_CLIENT : MBEDTLS_ECJPAKE_SERVER; - if (operation->role == PSA_PAKE_ROLE_CLIENT) { - role = MBEDTLS_ECJPAKE_CLIENT; - } else if (operation->role == PSA_PAKE_ROLE_SERVER) { - role = MBEDTLS_ECJPAKE_SERVER; - } else { - return PSA_ERROR_BAD_STATE; - } - - if (operation->password_len == 0) { - return PSA_ERROR_BAD_STATE; - } + mbedtls_ecjpake_init(&operation->ctx.pake); ret = mbedtls_ecjpake_setup(&operation->ctx.pake, role, 
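Review bot: The ternary in psa_pake_ecjpake_setup maps every role other than `PSA_PAKE_ROLE_CLIENT` to `MBEDTLS_ECJPAKE_SERVER`, where the removed chain returned `PSA_ERROR_BAD_STATE` for anything that was neither client nor server. The `password_len == 0` rejection is removed as well. Both now depend on the caller having validated the inputs, so state that at the top of the function, e.g. `/* Precondition: role is CLIENT or SERVER and password_len > 0 (checked by the caller). */`. Alternatively keep the explicit role check, so an unexpected value fails instead of silently running as server. The function body continues past the end of this hunk.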
@@ -189,9 +180,6 @@ static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operati operation->password_len); mbedtls_platform_zeroize(operation->password, operation->password_len); - mbedtls_free(operation->password); - operation->password = NULL; - operation->password_len = 0; if (ret != 0) { return mbedtls_ecjpake_to_psa_error(ret); @@ -238,7 +226,7 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, return PSA_ERROR_NOT_SUPPORTED; } - mbedtls_ecjpake_init(&operation->ctx.pake); + operation->password = mbedtls_calloc(1, password_len); if (operation->password == NULL) { From dff21d3429449bcc89d3980a38bcbaa83545168f Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 14 Feb 2023 20:09:10 +0100 Subject: [PATCH 54/75] Move jpake role check to psa_pake_complete_inputs() Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 6 ++++++ library/psa_crypto_pake.c | 7 ------- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 9c12863f0..0fd0eff88 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7483,6 +7483,12 @@ static psa_status_t psa_pake_complete_inputs( return PSA_ERROR_BAD_STATE; } + if (operation->alg == PSA_ALG_JPAKE && + inputs.role != PSA_PAKE_ROLE_CLIENT && + inputs.role != PSA_PAKE_ROLE_SERVER) { + return PSA_ERROR_NOT_SUPPORTED; + } + /* Clear driver context */ mbedtls_platform_zeroize(&operation->data, sizeof(operation->data)); diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 2d84f570b..382f0214a 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c 
@@ -221,13 +221,6 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, return PSA_ERROR_NOT_SUPPORTED; } - if (role != PSA_PAKE_ROLE_CLIENT && - role != PSA_PAKE_ROLE_SERVER) { - return PSA_ERROR_NOT_SUPPORTED; - } - - - operation->password = mbedtls_calloc(1, password_len); if (operation->password == NULL) { status = PSA_ERROR_INSUFFICIENT_MEMORY; From 6d77830c6a0ee0bd7314c4e752f9d9d3fa338556 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 14 Feb 2023 20:24:32 +0100 Subject: [PATCH 55/75] Remove redundant code Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 4 ---- library/psa_crypto_pake.c | 7 +------ 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 0fd0eff88..c57583aef 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7508,11 +7508,7 @@ static psa_status_t psa_pake_complete_inputs( computation_stage->input_step = PSA_PAKE_STEP_X1_X2; computation_stage->output_step = PSA_PAKE_STEP_X1_X2; } - } else { - inputs.password_len = 0; - inputs.password = NULL; } - return status; } diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 382f0214a..fdfbd16fb 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -242,7 +242,6 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, operation->buffer_offset = 0; status = psa_pake_ecjpake_setup(operation); - if (status != PSA_SUCCESS) { return status; } @@ -503,8 +502,6 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( memcpy(output, operation->buffer, operation->buffer_length); *output_size = operation->buffer_length; - mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); - return PSA_SUCCESS; } else #else 
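Review bot: Removing `mbedtls_platform_zeroize(operation->buffer, ...)` after the `memcpy` into `output` means the derived shared secret stays in `operation->buffer` when mbedtls_psa_pake_get_implicit_key returns. It is then cleared only when the abort entry point runs. The core does call `psa_pake_abort` at the end of `psa_pake_get_implicit_key`, so this holds for that caller, but the driver function no longer cleans up on its own. A comment at the return would record the dependency: `/* operation->buffer still holds the secret; it is wiped by mbedtls_psa_pake_abort(). */`. The function starts before this hunk.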
@@ -518,9 +515,7 @@ psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation) #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { - if (operation->password_len > 0) { - mbedtls_platform_zeroize(operation->password, operation->password_len); - } + mbedtls_platform_zeroize(operation->password, operation->password_len); mbedtls_free(operation->password); operation->password = NULL; operation->password_len = 0; From b45b8ce47457225336388a9d3006087abc623be4 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 15 Feb 2023 14:50:14 +0100 Subject: [PATCH 56/75] Disable MBEDTLS_PSA_CRYPTO_SE_C is hash psa builds Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7964319e6..b0d460dd9 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2355,6 +2355,10 @@ config_psa_crypto_hash_use_psa () { scripts/config.py unset MBEDTLS_PKCS7_C scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + + # Dynamic secure element support is a deprecated feature and needs to be disabled here. + # This is done to have the same form of psa_key_attributes_s for libdriver and library. + scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C } # Note that component_test_psa_crypto_config_reference_hash_use_psa From 251e86ae3f19c3866650b517f61a80cd881f44a3 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Fri, 17 Feb 2023 14:30:50 +0100 Subject: [PATCH 57/75] Adapt names to more suitable and fix conditional compilation flags 
Signed-off-by: Przemek Stekiel --- docs/proposed/psa-driver-interface.md | 4 +-- include/psa/crypto_builtin_composites.h | 8 +++--- .../psa/crypto_driver_contexts_composites.h | 2 +- .../psa/crypto_driver_contexts_primitives.h | 2 -- include/psa/crypto_extra.h | 11 +++++--- library/psa_crypto.c | 6 ++--- library/psa_crypto_driver_wrappers.h | 4 +-- library/psa_crypto_pake.c | 26 ++++++++++--------- library/psa_crypto_pake.h | 4 +-- .../psa_crypto_driver_wrappers.c.jinja | 4 +-- tests/include/test/drivers/pake.h | 8 +++--- tests/src/drivers/test_driver_pake.c | 8 +++--- 12 files changed, 46 insertions(+), 41 deletions(-) diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md index 1b941cede..07f198908 100644 --- a/docs/proposed/psa-driver-interface.md +++ b/docs/proposed/psa-driver-interface.md @@ -410,7 +410,7 @@ The pointer output by `psa_crypto_driver_pake_get_password_key` is only valid un ``` psa_status_t acme_pake_output(acme_pake_operation_t *operation, -                              psa_pake_driver_step_t step, +                              psa_crypto_driver_pake_step_t step,                               uint8_t *output,                               size_t output_size,                               size_t *output_length); @@ -437,7 +437,7 @@ For `PSA_ALG_JPAKE` the following steps are available for output operation: #### PAKE driver input ``` psa_status_t acme_pake_input(acme_pake_operation_t *operation, -                            psa_pake_driver_step_t step, +                            psa_crypto_driver_pake_step_t step,                              uint8_t *input,                              size_t input_size); ``` diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index 3221a6423..f331ec5f4 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h 
@@ -191,23 +191,25 @@ typedef struct { /* Note: the format for mbedtls_ecjpake_read/write function has an extra * length byte for each step, plus an extra 3 bytes for ECParameters in the * server's 2nd round. */ -#define MBEDTLS_PSA_PAKE_BUFFER_SIZE ((3 + 1 + 65 + 1 + 65 + 1 + 32) * 2) +#define MBEDTLS_PSA_JPAKE_BUFFER_SIZE ((3 + 1 + 65 + 1 + 65 + 1 + 32) * 2) typedef struct { psa_algorithm_t MBEDTLS_PRIVATE(alg); -#if defined(MBEDTLS_PSA_BUILTIN_PAKE) uint8_t *MBEDTLS_PRIVATE(password); size_t MBEDTLS_PRIVATE(password_len); +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) uint8_t MBEDTLS_PRIVATE(role); - uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_PAKE_BUFFER_SIZE]); + uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_JPAKE_BUFFER_SIZE]); size_t MBEDTLS_PRIVATE(buffer_length); size_t MBEDTLS_PRIVATE(buffer_offset); #endif /* Context structure for the Mbed TLS EC-JPAKE implementation. */ union { unsigned int MBEDTLS_PRIVATE(dummy); +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) mbedtls_ecjpake_context MBEDTLS_PRIVATE(pake); +#endif } MBEDTLS_PRIVATE(ctx); } mbedtls_psa_pake_operation_t; diff --git a/include/psa/crypto_driver_contexts_composites.h b/include/psa/crypto_driver_contexts_composites.h index 4d0e9848d..6c56a51db 100644 --- a/include/psa/crypto_driver_contexts_composites.h +++ b/include/psa/crypto_driver_contexts_composites.h @@ -93,7 +93,7 @@ typedef mbedtls_psa_aead_operation_t typedef libtestdriver1_mbedtls_psa_pake_operation_t mbedtls_transparent_test_driver_pake_operation_t; -typedef libtestdriver1_psa_pake_operation_t +typedef libtestdriver1_mbedtls_psa_pake_operation_t mbedtls_opaque_test_driver_pake_operation_t; #define MBEDTLS_TRANSPARENT_TEST_DRIVER_PAKE_OPERATION_INIT \ diff --git a/include/psa/crypto_driver_contexts_primitives.h b/include/psa/crypto_driver_contexts_primitives.h index f1463f34d..620a4b3a7 100644 --- a/include/psa/crypto_driver_contexts_primitives.h +++ b/include/psa/crypto_driver_contexts_primitives.h 
@@ -45,8 +45,6 @@ #include #endif -#include "mbedtls/ecjpake.h" - #if defined(PSA_CRYPTO_DRIVER_TEST) #if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 8b8cb042e..39ef52cbe 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -429,7 +429,7 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed, */ #define PSA_DH_FAMILY_CUSTOM ((psa_dh_family_t) 0x7e) -/** EC-JPAKE operation stages. */ +/** PAKE operation stages. */ #define PSA_PAKE_OPERATION_STAGE_SETUP 0 #define PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS 1 #define PSA_PAKE_OPERATION_STAGE_COMPUTATION 2 @@ -1895,7 +1895,7 @@ psa_status_t psa_pake_abort(psa_pake_operation_t *operation); * psa_pake_operation_t. */ #define PSA_PAKE_OPERATION_INIT { 0, PSA_ALG_NONE, PSA_PAKE_OPERATION_STAGE_SETUP, \ - { { 0, 0, 0, 0 } }, { { 0 } } } + { 0 }, { { 0 } } } struct psa_pake_cipher_suite_s { psa_algorithm_t algorithm; @@ -2002,7 +2002,7 @@ enum psa_jpake_sequence { PSA_PAKE_SEQ_END = 7, }; -typedef enum psa_pake_driver_step { +typedef enum psa_crypto_driver_pake_step { PSA_JPAKE_STEP_INVALID = 0, /* Invalid step */ PSA_JPAKE_X1_STEP_KEY_SHARE = 1, /* Round 1: input/output key share (for ephemeral private key X1).*/ PSA_JPAKE_X1_STEP_ZK_PUBLIC = 2, /* Round 1: input/output Schnorr NIZKP public key for the X1 key */ @@ -2016,7 +2016,7 @@ typedef enum psa_pake_driver_step { PSA_JPAKE_X4S_STEP_KEY_SHARE = 10, /* Round 2: input X4S key (from peer) */ PSA_JPAKE_X4S_STEP_ZK_PUBLIC = 11, /* Round 2: input Schnorr NIZKP public key for the X4S key (from peer) */ PSA_JPAKE_X4S_STEP_ZK_PROOF = 12 /* Round 2: input Schnorr NIZKP proof for the X4S key (from peer) */ -} psa_pake_driver_step_t; +} psa_crypto_driver_pake_step_t; struct psa_jpake_computation_stage_s { 
@@ -2042,7 +2042,10 @@ struct psa_pake_operation_s { uint8_t MBEDTLS_PRIVATE(stage); /* Holds computation stage of the PAKE algorithms. */ union { + uint8_t MBEDTLS_PRIVATE(dummy); +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) psa_jpake_computation_stage_t MBEDTLS_PRIVATE(jpake); +#endif } MBEDTLS_PRIVATE(computation_stage); union { psa_driver_pake_context_t MBEDTLS_PRIVATE(ctx); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index c57583aef..2c1a910fb 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7407,7 +7407,7 @@ exit: } /* Auxiliary function to convert core computation stage(step, sequence, state) to single driver step. */ -static psa_pake_driver_step_t convert_jpake_computation_stage_to_driver_step( +static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_step( psa_jpake_computation_stage_t *stage) { switch (stage->state) { @@ -7843,7 +7843,7 @@ psa_status_t psa_pake_get_implicit_key( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; - uint8_t shared_key[MBEDTLS_PSA_PAKE_BUFFER_SIZE]; + uint8_t shared_key[MBEDTLS_PSA_JPAKE_BUFFER_SIZE]; size_t shared_key_len = 0; if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) { @@ -7874,7 +7874,7 @@ psa_status_t psa_pake_get_implicit_key( shared_key, shared_key_len); - mbedtls_platform_zeroize(shared_key, MBEDTLS_PSA_PAKE_BUFFER_SIZE); + mbedtls_platform_zeroize(shared_key, MBEDTLS_PSA_JPAKE_BUFFER_SIZE); exit: abort_status = psa_pake_abort(operation); return status == PSA_SUCCESS ? abort_status : status; diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index 11a95e3a0..65d0d3f07 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h 
@@ -421,14 +421,14 @@ psa_status_t psa_driver_wrapper_pake_setup( psa_status_t psa_driver_wrapper_pake_output( psa_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, uint8_t *output, size_t output_size, size_t *output_length); psa_status_t psa_driver_wrapper_pake_input( psa_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, const uint8_t *input, size_t input_length); diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index fdfbd16fb..73032c6a8 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -163,6 +163,7 @@ static psa_status_t mbedtls_ecjpake_to_psa_error(int ret) } #endif +#if defined(MBEDTLS_PSA_BUILTIN_PAKE) #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operation) { @@ -187,6 +188,7 @@ static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operati return PSA_SUCCESS; } +#endif psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, const psa_crypto_driver_pake_inputs_t *inputs) @@ -237,7 +239,7 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, operation->role = role; operation->alg = cipher_suite.algorithm; - mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); + mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_JPAKE_BUFFER_SIZE); operation->buffer_length = 0; operation->buffer_offset = 0; @@ -259,7 +261,7 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, static psa_status_t mbedtls_psa_pake_output_internal( mbedtls_psa_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, uint8_t *output, size_t output_size, size_t *output_length) 
@@ -288,7 +290,7 @@ static psa_status_t mbedtls_psa_pake_output_internal( if (step == PSA_JPAKE_X1_STEP_KEY_SHARE) { ret = mbedtls_ecjpake_write_round_one(&operation->ctx.pake, operation->buffer, - MBEDTLS_PSA_PAKE_BUFFER_SIZE, + MBEDTLS_PSA_JPAKE_BUFFER_SIZE, &operation->buffer_length, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); @@ -300,7 +302,7 @@ static psa_status_t mbedtls_psa_pake_output_internal( } else if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE) { ret = mbedtls_ecjpake_write_round_two(&operation->ctx.pake, operation->buffer, - MBEDTLS_PSA_PAKE_BUFFER_SIZE, + MBEDTLS_PSA_JPAKE_BUFFER_SIZE, &operation->buffer_length, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); @@ -350,7 +352,7 @@ static psa_status_t mbedtls_psa_pake_output_internal( /* Reset buffer after ZK_PROOF sequence */ if ((step == PSA_JPAKE_X2_STEP_ZK_PROOF) || (step == PSA_JPAKE_X2S_STEP_ZK_PROOF)) { - mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); + mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_JPAKE_BUFFER_SIZE); operation->buffer_length = 0; operation->buffer_offset = 0; } @@ -367,7 +369,7 @@ static psa_status_t mbedtls_psa_pake_output_internal( } psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, uint8_t *output, size_t output_size, size_t *output_length) @@ -380,7 +382,7 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, static psa_status_t mbedtls_psa_pake_input_internal( mbedtls_psa_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, const uint8_t *input, size_t input_length) { 
@@ -441,7 +443,7 @@ static psa_status_t mbedtls_psa_pake_input_internal( operation->buffer, operation->buffer_length); - mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); + mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_JPAKE_BUFFER_SIZE); operation->buffer_length = 0; if (ret != 0) { @@ -452,7 +454,7 @@ static psa_status_t mbedtls_psa_pake_input_internal( operation->buffer, operation->buffer_length); - mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); + mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_JPAKE_BUFFER_SIZE); operation->buffer_length = 0; if (ret != 0) { @@ -471,7 +473,7 @@ static psa_status_t mbedtls_psa_pake_input_internal( } psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, const uint8_t *input, size_t input_length) { @@ -491,7 +493,7 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( if (operation->alg == PSA_ALG_JPAKE) { ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.pake, operation->buffer, - MBEDTLS_PSA_PAKE_BUFFER_SIZE, + MBEDTLS_PSA_JPAKE_BUFFER_SIZE, &operation->buffer_length, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); @@ -520,7 +522,7 @@ psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation) operation->password = NULL; operation->password_len = 0; operation->role = PSA_PAKE_ROLE_NONE; - mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); + mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_JPAKE_BUFFER_SIZE); operation->buffer_length = 0; operation->buffer_offset = 0; mbedtls_ecjpake_free(&operation->ctx.pake); diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h index dc6ad7b54..365855601 100644 --- a/library/psa_crypto_pake.h +++ b/library/psa_crypto_pake.h 
@@ -96,7 +96,7 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, * results in this error code. */ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, uint8_t *output, size_t output_size, size_t *output_length); @@ -143,7 +143,7 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, * results in this error code. */ psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, const uint8_t *input, size_t input_length); diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index cf08794c6..b287b37a1 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -2865,7 +2865,7 @@ psa_status_t psa_driver_wrapper_pake_setup( } psa_status_t psa_driver_wrapper_pake_output( psa_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, uint8_t *output, size_t output_size, size_t *output_length ) @@ -2901,7 +2901,7 @@ psa_status_t psa_driver_wrapper_pake_output( psa_status_t psa_driver_wrapper_pake_input( psa_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, const uint8_t *input, size_t input_length ) { diff --git a/tests/include/test/drivers/pake.h b/tests/include/test/drivers/pake.h index 23cb98aa4..d082d6e5e 100644 --- a/tests/include/test/drivers/pake.h +++ b/tests/include/test/drivers/pake.h 
@@ -57,14 +57,14 @@ psa_status_t mbedtls_test_transparent_pake_setup( psa_status_t mbedtls_test_transparent_pake_output( mbedtls_transparent_test_driver_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, uint8_t *output, size_t output_size, size_t *output_length); psa_status_t mbedtls_test_transparent_pake_input( mbedtls_transparent_test_driver_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, const uint8_t *input, size_t input_length); @@ -101,14 +101,14 @@ psa_status_t mbedtls_test_opaque_pake_set_role( psa_status_t mbedtls_test_opaque_pake_output( mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, uint8_t *output, size_t output_size, size_t *output_length); psa_status_t mbedtls_test_opaque_pake_input( mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, const uint8_t *input, size_t input_length); diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c index 9d51ea10b..615f7ef8a 100644 --- a/tests/src/drivers/test_driver_pake.c +++ b/tests/src/drivers/test_driver_pake.c @@ -64,7 +64,7 @@ psa_status_t mbedtls_test_transparent_pake_setup( psa_status_t mbedtls_test_transparent_pake_output( mbedtls_transparent_test_driver_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, uint8_t *output, size_t output_size, size_t *output_length) @@ -112,7 +112,7 @@ psa_status_t mbedtls_test_transparent_pake_output( psa_status_t mbedtls_test_transparent_pake_input( mbedtls_transparent_test_driver_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, const uint8_t *input, size_t input_length) { 
@@ -260,7 +260,7 @@ psa_status_t mbedtls_test_opaque_pake_set_role( psa_status_t mbedtls_test_opaque_pake_output( mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, uint8_t *output, size_t output_size, size_t *output_length) @@ -276,7 +276,7 @@ psa_status_t mbedtls_test_opaque_pake_output( psa_status_t mbedtls_test_opaque_pake_input( mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_pake_driver_step_t step, + psa_crypto_driver_pake_step_t step, const uint8_t *input, size_t input_length) { From 6b64862ef7b4b1b6256ca878163399c712e0f043 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Sun, 19 Feb 2023 22:55:33 +0100 Subject: [PATCH 58/75] Documentation fixes and code adaptation Signed-off-by: Przemek Stekiel --- docs/proposed/psa-driver-interface.md | 10 +-- include/psa/crypto_extra.h | 11 ++- library/psa_crypto.c | 1 + library/psa_crypto_driver_wrappers.h | 3 +- library/psa_crypto_pake.c | 7 +- library/psa_crypto_pake.h | 70 +++++-------------- .../psa_crypto_driver_wrappers.c.jinja | 10 +-- tests/include/test/drivers/pake.h | 4 +- tests/src/drivers/test_driver_pake.c | 9 +-- 9 files changed, 48 insertions(+), 77 deletions(-) diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md index 07f198908..ac6b8ded7 100644 --- a/docs/proposed/psa-driver-interface.md +++ b/docs/proposed/psa-driver-interface.md 
@@ -463,12 +463,14 @@ For `PSA_ALG_JPAKE` the following steps are available for input operation: ``` psa_status_t acme_pake_get_implicit_key(                             acme_pake_operation_t *operation, -                            uint8_t *output, size_t *output_size ); +                            uint8_t *output, size_t output_size, + size_t *output_length ); ``` -* `operation` is an operation object -* `output` output buffer for implicit key -* `output_size` size of the returned implicit key +* `operation` The driver PAKE operation object to use. +* `output` Buffer where the implicit key is to be written. +* `output_size` Size of the output buffer in bytes. +* `output_length` On success, the number of bytes of the implicit key. ### Driver entry points for key management diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 39ef52cbe..5f86c3f4f 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1318,8 +1318,8 @@ psa_status_t psa_crypto_driver_pake_get_password_len( * * \param[in] inputs Operation inputs. * \param[out] buffer Return buffer for password. - * \param[in] buffer_size Size of the return buffer in bytes. - * \param[in] buffer_length Actual size of the password in bytes. + * \param buffer_size Size of the return buffer in bytes. + * \param[out] buffer_length Actual size of the password in bytes. * * \retval #PSA_SUCCESS * Success. 
@@ -2034,11 +2034,10 @@ struct psa_pake_operation_s { * ID value zero means the context is not valid or not assigned to * any driver (i.e. none of the driver contexts are active). */ unsigned int MBEDTLS_PRIVATE(id); - /* Algorithm used for PAKE operation */ + /* Algorithm of the PAKE operation */ psa_algorithm_t MBEDTLS_PRIVATE(alg); - /* Based on stage (collecting inputs/computation) we select active structure of data union. - * While switching stage (when driver setup is called) collected inputs - are copied to the corresponding operation context. */ + /* Stage of the PAKE operation: waiting for the setup, collecting inputs + * or computing. */ uint8_t MBEDTLS_PRIVATE(stage); /* Holds computation stage of the PAKE algorithms. */ union { diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 2c1a910fb..1c066ce13 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7863,6 +7863,7 @@ psa_status_t psa_pake_get_implicit_key( status = psa_driver_wrapper_pake_get_implicit_key(operation, shared_key, + sizeof(shared_key), &shared_key_len); if (status != PSA_SUCCESS) { diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index 65d0d3f07..dd1b763b1 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -434,7 +434,8 @@ psa_status_t psa_driver_wrapper_pake_input( psa_status_t psa_driver_wrapper_pake_get_implicit_key( psa_pake_operation_t *operation, - uint8_t *output, size_t *output_size); + uint8_t *output, size_t output_size, + size_t *output_length); psa_status_t psa_driver_wrapper_pake_abort( psa_pake_operation_t *operation); diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 73032c6a8..150270c6c 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c 
@@ -485,7 +485,8 @@ psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, psa_status_t mbedtls_psa_pake_get_implicit_key( mbedtls_psa_pake_operation_t *operation, - uint8_t *output, size_t *output_size) + uint8_t *output, size_t output_size, + size_t *output_length) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -493,7 +494,7 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( if (operation->alg == PSA_ALG_JPAKE) { ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.pake, operation->buffer, - MBEDTLS_PSA_JPAKE_BUFFER_SIZE, + output_size, &operation->buffer_length, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); @@ -502,7 +503,7 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( } memcpy(output, operation->buffer, operation->buffer_length); - *output_size = operation->buffer_length; + *output_length = operation->buffer_length; return PSA_SUCCESS; } else diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h index 365855601..9bdcc3387 100644 --- a/library/psa_crypto_pake.h +++ b/library/psa_crypto_pake.h @@ -43,6 +43,8 @@ * compatible with the PAKE algorithm, or the hash algorithm in * \p cipher_suite is not supported or not compatible with the PAKE * algorithm and primitive. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_CORRUPTION_DETECTED */ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, const psa_crypto_driver_pake_inputs_t *inputs); 
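Review bot: In `mbedtls_psa_pake_get_implicit_key` the bound passed to `mbedtls_ecjpake_write_shared_key` becomes `output_size`, the caller's capacity, while the destination is still `operation->buffer`. Other hunks in this series zeroize that buffer with `MBEDTLS_PSA_JPAKE_BUFFER_SIZE`, which suggests that is its real size, so a larger `output_size` would overstate the room available for the write. I would keep `MBEDTLS_PSA_JPAKE_BUFFER_SIZE` as the write bound and add `if (operation->buffer_length > output_size) { return PSA_ERROR_BUFFER_TOO_SMALL; }` before the `memcpy`, or else write straight into `output` with `output_size` and `output_length`. The function body starts and ends outside these hunks.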
@@ -59,10 +61,9 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, * \param step The step of the algorithm for which the output is * requested. * \param[out] output Buffer where the output is to be written in the - * format appropriate for this \p step. Refer to - * the documentation of the individual - * \c PSA_PAKE_STEP_XXX constants for more - * information. + * format appropriate for this driver \p step. Refer to + * the documentation of psa_crypto_driver_pake_step_t for + * more information. * \param output_size Size of the \p output buffer in bytes. This must * be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \p * primitive, \p step) where \p alg and @@ -77,23 +78,10 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, * Success. * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p output buffer is too small. - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p step is not compatible with the operation's algorithm. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \p step is not supported with the operation's algorithm. * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE * \retval #PSA_ERROR_DATA_CORRUPT * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must be active, and fully set - * up, and this call must conform to the algorithm's requirements - * for ordering of input and output steps). - * It is implementation-dependent whether a failure to initialize - * results in this error code. */ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, psa_crypto_driver_pake_step_t step, 
@@ -104,43 +92,32 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, /** Provide input for a step of a password-authenticated key exchange. * * \note The signature of this function is that of a PSA driver - * key_agreement entry point. This function behaves as a key_agreement + * pake_input entry point. This function behaves as a pake_input * entry point as defined in the PSA driver interface specification for * transparent drivers. * * \param[in,out] operation Active PAKE operation. - * \param step The step for which the input is provided. + * \param step The driver step for which the input is provided. * \param[in] input Buffer containing the input in the format * appropriate for this \p step. Refer to the - * documentation of the individual - * \c PSA_PAKE_STEP_XXX constants for more - * information. + * documentation of psa_crypto_driver_pake_step_t + * for more information. * \param input_length Size of the \p input buffer in bytes. * * \retval #PSA_SUCCESS * Success. * \retval #PSA_ERROR_INVALID_SIGNATURE - * The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step. + * The verification fails for a zero-knowledge input step. * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p step is not compatible with the \p operation’s algorithm, or the - * \p input is not valid for the \p operation's algorithm, cipher suite + * the \p input is not valid for the \p operation's algorithm, cipher suite * or \p step. * \retval #PSA_ERROR_NOT_SUPPORTED - * \p step p is not supported with the \p operation's algorithm, or the - * \p input is not supported for the \p operation's algorithm, cipher + * the \p input is not supported for the \p operation's algorithm, cipher * suite or \p step. 
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE * \retval #PSA_ERROR_DATA_CORRUPT * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must be active, and fully set - * up, and this call must conform to the algorithm's requirements - * for ordering of input and output steps). - * It is implementation-dependent whether a failure to initialize - * results in this error code. */ psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, psa_crypto_driver_pake_step_t step, @@ -155,8 +132,9 @@ psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, * interface specification for transparent drivers. * * \param[in,out] operation Active PAKE operation. - * \param[out] output Output buffer for implicit key - * \param[out] output_size Size of the returned implicit key + * \param[out] output Output buffer for implicit key. + * \param output_size Size of the output buffer in bytes. + * \param[out] output_length On success, the number of bytes of the implicit key. * * \retval #PSA_SUCCESS * Success. 
@@ -164,24 +142,14 @@ psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, * Input from a PAKE is not supported by the algorithm in the \p output * key derivation operation. * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE * \retval #PSA_ERROR_DATA_CORRUPT * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_BAD_STATE - * The PAKE operation state is not valid (it must be active, but beyond - * that validity is specific to the algorithm), - * or the state of \p output is not valid for - * the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the - * step is out of order or the application has done this step already - * and it may not be repeated. - * It is implementation-dependent whether a failure to initialize - * results in this error code. */ psa_status_t mbedtls_psa_pake_get_implicit_key( mbedtls_psa_pake_operation_t *operation, - uint8_t *output, size_t *output_size); + uint8_t *output, size_t output_size, + size_t *output_length); /** Abort a PAKE operation. * @@ -194,11 +162,7 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_BAD_STATE - * It is implementation-dependent whether a failure to initialize - * results in this error code. */ psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation); diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index b287b37a1..a34d9b094 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja 
@@ -2938,13 +2938,15 @@ psa_status_t psa_driver_wrapper_pake_input( psa_status_t psa_driver_wrapper_pake_get_implicit_key( psa_pake_operation_t *operation, - uint8_t *output, size_t *output_size ) + uint8_t *output, size_t output_size, + size_t *output_length ) { switch( operation->id ) { #if defined(MBEDTLS_PSA_BUILTIN_PAKE) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - return( mbedtls_psa_pake_get_implicit_key( &operation->data.ctx.mbedtls_ctx, output, output_size ) ); + return( mbedtls_psa_pake_get_implicit_key( &operation->data.ctx.mbedtls_ctx, + output, output_size, output_length ) ); #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) @@ -2952,11 +2954,11 @@ psa_status_t psa_driver_wrapper_pake_get_implicit_key( case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_pake_get_implicit_key( &operation->data.ctx.transparent_test_driver_ctx, - output, output_size ) ); + output, output_size, output_length ) ); case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_pake_get_implicit_key( &operation->data.ctx.opaque_test_driver_ctx, - output, output_size ) ); + output, output_size, output_length ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: diff --git a/tests/include/test/drivers/pake.h b/tests/include/test/drivers/pake.h index d082d6e5e..4a2b7c461 100644 --- a/tests/include/test/drivers/pake.h +++ b/tests/include/test/drivers/pake.h @@ -70,7 +70,7 @@ psa_status_t mbedtls_test_transparent_pake_input( psa_status_t mbedtls_test_transparent_pake_get_implicit_key( mbedtls_transparent_test_driver_pake_operation_t *operation, - uint8_t *output, size_t *output_size); + uint8_t *output, size_t output_size, size_t *output_length); psa_status_t mbedtls_test_transparent_pake_abort( mbedtls_transparent_test_driver_pake_operation_t *operation); 
@@ -114,7 +114,7 @@ psa_status_t mbedtls_test_opaque_pake_input( psa_status_t mbedtls_test_opaque_pake_get_implicit_key( mbedtls_opaque_test_driver_pake_operation_t *operation, - uint8_t *output, size_t *output_size); + uint8_t *output, size_t output_size, size_t *output_length); psa_status_t mbedtls_test_opaque_pake_abort( mbedtls_opaque_test_driver_pake_operation_t *operation); diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c index 615f7ef8a..3eaf38a65 100644 --- a/tests/src/drivers/test_driver_pake.c +++ b/tests/src/drivers/test_driver_pake.c @@ -145,7 +145,7 @@ psa_status_t mbedtls_test_transparent_pake_input( psa_status_t mbedtls_test_transparent_pake_get_implicit_key( mbedtls_transparent_test_driver_pake_operation_t *operation, - uint8_t *output, size_t *output_size) + uint8_t *output, size_t output_size, size_t *output_length) { mbedtls_test_driver_pake_hooks.hits++; @@ -157,11 +157,11 @@ psa_status_t mbedtls_test_transparent_pake_get_implicit_key( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = libtestdriver1_mbedtls_psa_pake_get_implicit_key( - operation, output, output_size); + operation, output, output_size, output_length); #elif defined(MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = mbedtls_psa_pake_get_implicit_key( - operation, output, output_size); + operation, output, output_size, output_length); #else (void) operation; (void) output; @@ -289,11 +289,12 @@ psa_status_t mbedtls_test_opaque_pake_input( psa_status_t mbedtls_test_opaque_pake_get_implicit_key( mbedtls_opaque_test_driver_pake_operation_t *operation, - uint8_t *output, size_t *output_size) + uint8_t *output, size_t output_size, size_t *output_length) { (void) operation; (void) output; (void) output_size; + (void) output_length; return PSA_ERROR_NOT_SUPPORTED; } From a54dc69fe0dd93c02fe8a29bfa4ee69289c22ec3 Mon Sep 17 00:00:00 2001 
From: Przemek Stekiel Date: Mon, 20 Feb 2023 10:18:10 +0100 Subject: [PATCH 59/75] mbedtls_psa_pake_setup: move driver password and alg init to the common part Also in the core part change stage to computation after return from psa_driver_wrapper_pake_setup() regardless of the result. At this point driver context is active even if init has failed. Additionally handle deallocation of password on failure in mbedtls_psa_pake_setup(). The plan was to handle deallocation on core level by calling abort on failure. Unfortunately in this case when mbedtls_psa_pake_setup() fails with an unsupported result the built-in implementation is executed (if available) and it will reallocate the password leading to the memory leak. Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 3 ++- library/psa_crypto_pake.c | 39 +++++++++++++++++++++------------------ 2 files changed, 23 insertions(+), 19 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 1c066ce13..e2cb06f42 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7494,12 +7494,13 @@ static psa_status_t psa_pake_complete_inputs( status = psa_driver_wrapper_pake_setup(operation, &inputs); + operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; + /* Driver is responsible for creating its own copy of the password. */ mbedtls_platform_zeroize(inputs.password, inputs.password_len); mbedtls_free(inputs.password); if (status == PSA_SUCCESS) { - operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; if (operation->alg == PSA_ALG_JPAKE) { psa_jpake_computation_stage_t *computation_stage = &operation->computation_stage.jpake; diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 150270c6c..a6798111d 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c 
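Review bot: The now-unconditional `operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION;` in `psa_pake_complete_inputs` carries no comment saying why the stage advances before `status` is checked. A later reader could easily move it back under `if (status == PSA_SUCCESS)`. The commit message gives the reason, so I would record it beside the assignment: `/* The driver context is active from this point, even if the driver setup failed. */`. The function starts and ends outside the hunk.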
@@ -214,38 +214,38 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, return status; } + operation->password = mbedtls_calloc(1, password_len); + if (operation->password == NULL) { + return PSA_ERROR_INSUFFICIENT_MEMORY; + } + + status = psa_crypto_driver_pake_get_password(inputs, operation->password, + password_len, &actual_password_len); + if (status != PSA_SUCCESS) { + goto error; + } + + operation->password_len = actual_password_len; + operation->alg = cipher_suite.algorithm; + #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (cipher_suite.algorithm == PSA_ALG_JPAKE) { if (cipher_suite.type != PSA_PAKE_PRIMITIVE_TYPE_ECC || cipher_suite.family != PSA_ECC_FAMILY_SECP_R1 || cipher_suite.bits != 256 || cipher_suite.hash != PSA_ALG_SHA_256) { - return PSA_ERROR_NOT_SUPPORTED; + status = PSA_ERROR_NOT_SUPPORTED; + goto error; } - operation->password = mbedtls_calloc(1, password_len); - if (operation->password == NULL) { - status = PSA_ERROR_INSUFFICIENT_MEMORY; - return status; - } - - status = psa_crypto_driver_pake_get_password(inputs, operation->password, - password_len, &actual_password_len); - if (status != PSA_SUCCESS) { - return status; - } - - operation->password_len = actual_password_len; operation->role = role; - operation->alg = cipher_suite.algorithm; - mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_JPAKE_BUFFER_SIZE); operation->buffer_length = 0; operation->buffer_offset = 0; status = psa_pake_ecjpake_setup(operation); if (status != PSA_SUCCESS) { - return status; + goto error; } return PSA_SUCCESS; @@ -254,8 +254,11 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, (void) operation; (void) inputs; #endif - { status = PSA_ERROR_NOT_SUPPORTED; } + { return PSA_ERROR_NOT_SUPPORTED; } +error: + mbedtls_platform_zeroize(operation->password, operation->password_len); + mbedtls_free(operation->password); return status; } From 80a884990311f1be27a05a052dde29489747a3b0 Mon Sep 17 00:00:00 2001 
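Review bot: The new `error:` cleanup in `mbedtls_psa_pake_setup` is bypassed by the final `{ return PSA_ERROR_NOT_SUPPORTED; }` branch, even though the password copy is now allocated in the common part before the algorithm check. That path returns with the copy still allocated and not zeroized, which is the situation the commit message sets out to fix. The cleanup also zeroizes `operation->password_len` bytes, a field not yet assigned when `psa_crypto_driver_pake_get_password` fails. It then leaves `operation->password` pointing at freed memory, which would be a double free if a later abort frees it again (that free is not visible on this page). I would route the unsupported branch through `error:`, zeroize the allocated `password_len`, and reset both fields after the free.

```c
    /* … unchanged: password allocation, J-PAKE cipher-suite check, psa_pake_ecjpake_setup() … */
    { status = PSA_ERROR_NOT_SUPPORTED; }

error:
    /* Wipe the full allocation: operation->password_len may not be set yet. */
    mbedtls_platform_zeroize(operation->password, password_len);
    mbedtls_free(operation->password);
    /* Do not leave a dangling pointer behind for a later abort to free again. */
    operation->password = NULL;
    operation->password_len = 0;
    return status;
```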
From: Przemek Stekiel Date: Mon, 20 Feb 2023 13:32:22 +0100 Subject: [PATCH 60/75] Adapt conditional compilation flags for jpake alg Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 288 +++++++++++------- ..._suite_psa_crypto_driver_wrappers.function | 2 +- .../test_suite_psa_crypto_pake.function | 2 +- 3 files changed, 175 insertions(+), 117 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index e2cb06f42..f11be0e40 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7256,6 +7256,7 @@ psa_status_t psa_pake_setup( operation->alg = cipher_suite->algorithm; operation->data.inputs.cipher_suite = *cipher_suite; +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { psa_jpake_computation_stage_t *computation_stage = &operation->computation_stage.jpake; @@ -7264,6 +7265,12 @@ psa_status_t psa_pake_setup( computation_stage->sequence = PSA_PAKE_SEQ_INVALID; computation_stage->input_step = PSA_PAKE_STEP_X1_X2; computation_stage->output_step = PSA_PAKE_STEP_X1_X2; + } else +#else +#endif + { + status = PSA_ERROR_NOT_SUPPORTED; + goto exit; } operation->stage = PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS; @@ -7407,6 +7414,7 @@ exit: } /* Auxiliary function to convert core computation stage(step, sequence, state) to single driver step. */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_step( psa_jpake_computation_stage_t *stage) { @@ -7469,6 +7477,7 @@ static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_s } return PSA_JPAKE_STEP_INVALID; } +#endif static psa_status_t psa_pake_complete_inputs( psa_pake_operation_t *operation) 
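Review bot: The guard added around the J-PAKE branch of `psa_pake_setup` is `MBEDTLS_PSA_BUILTIN_ALG_JPAKE`, which describes the built-in implementation rather than whether the algorithm is enabled. If a build may provide J-PAKE only through an accelerator driver (the wrapper template on this page has `PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT` branches), the core would return `PSA_ERROR_NOT_SUPPORTED` before any driver is reached. If that configuration is meant to work, `#if defined(PSA_WANT_ALG_JPAKE)` looks like the right condition. The same applies to the later hunks of this patch guarding `convert_jpake_computation_stage_to_driver_step`, `psa_pake_complete_inputs`, the prologue/epilogue helpers and `psa_pake_output`. Separately, the `#else` immediately followed by `#endif` is empty and can be dropped.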
@@ -7501,6 +7510,7 @@ static psa_status_t psa_pake_complete_inputs( mbedtls_free(inputs.password); if (status == PSA_SUCCESS) { +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { psa_jpake_computation_stage_t *computation_stage = &operation->computation_stage.jpake; 
@@ -7508,102 +7518,114 @@ static psa_status_t psa_pake_complete_inputs( computation_stage->sequence = PSA_PAKE_SEQ_INVALID; computation_stage->input_step = PSA_PAKE_STEP_X1_X2; computation_stage->output_step = PSA_PAKE_STEP_X1_X2; + } else +#endif + { + status = PSA_ERROR_NOT_SUPPORTED; } } return status; } +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) static psa_status_t psa_jpake_output_prologue( psa_pake_operation_t *operation, psa_pake_step_t step) { - psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.jpake; - - if (computation_stage->state == PSA_PAKE_STATE_INVALID) { - return PSA_ERROR_BAD_STATE; - } - if (step != PSA_PAKE_STEP_KEY_SHARE && step != PSA_PAKE_STEP_ZK_PUBLIC && step != PSA_PAKE_STEP_ZK_PROOF) { return PSA_ERROR_INVALID_ARGUMENT; } - if (computation_stage->state != PSA_PAKE_STATE_READY && - computation_stage->state != PSA_PAKE_OUTPUT_X1_X2 && - computation_stage->state != PSA_PAKE_OUTPUT_X2S) { - return PSA_ERROR_BAD_STATE; - } + if (operation->alg == PSA_ALG_JPAKE) { + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.jpake; - if (computation_stage->state == PSA_PAKE_STATE_READY) { - if (step != PSA_PAKE_STEP_KEY_SHARE) { + if (computation_stage->state == PSA_PAKE_STATE_INVALID) { return PSA_ERROR_BAD_STATE; } - switch (computation_stage->output_step) { - case PSA_PAKE_STEP_X1_X2: - computation_stage->state = PSA_PAKE_OUTPUT_X1_X2; - break; - case PSA_PAKE_STEP_X2S: - computation_stage->state = PSA_PAKE_OUTPUT_X2S; - break; - default: - return PSA_ERROR_BAD_STATE; + if (computation_stage->state != PSA_PAKE_STATE_READY && + computation_stage->state != PSA_PAKE_OUTPUT_X1_X2 && + computation_stage->state != PSA_PAKE_OUTPUT_X2S) { + return PSA_ERROR_BAD_STATE; } - computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; - } - - /* Check if step matches current sequence */ - switch (computation_stage->sequence) { - case PSA_PAKE_X1_STEP_KEY_SHARE: - case PSA_PAKE_X2_STEP_KEY_SHARE: + if 
(computation_stage->state == PSA_PAKE_STATE_READY) { if (step != PSA_PAKE_STEP_KEY_SHARE) { return PSA_ERROR_BAD_STATE; } - break; - case PSA_PAKE_X1_STEP_ZK_PUBLIC: - case PSA_PAKE_X2_STEP_ZK_PUBLIC: - if (step != PSA_PAKE_STEP_ZK_PUBLIC) { - return PSA_ERROR_BAD_STATE; + switch (computation_stage->output_step) { + case PSA_PAKE_STEP_X1_X2: + computation_stage->state = PSA_PAKE_OUTPUT_X1_X2; + break; + case PSA_PAKE_STEP_X2S: + computation_stage->state = PSA_PAKE_OUTPUT_X2S; + break; + default: + return PSA_ERROR_BAD_STATE; } - break; - case PSA_PAKE_X1_STEP_ZK_PROOF: - case PSA_PAKE_X2_STEP_ZK_PROOF: - if (step != PSA_PAKE_STEP_ZK_PROOF) { + computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; + } + + /* Check if step matches current sequence */ + switch (computation_stage->sequence) { + case PSA_PAKE_X1_STEP_KEY_SHARE: + case PSA_PAKE_X2_STEP_KEY_SHARE: + if (step != PSA_PAKE_STEP_KEY_SHARE) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PUBLIC: + case PSA_PAKE_X2_STEP_ZK_PUBLIC: + if (step != PSA_PAKE_STEP_ZK_PUBLIC) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PROOF: + case PSA_PAKE_X2_STEP_ZK_PROOF: + if (step != PSA_PAKE_STEP_ZK_PROOF) { + return PSA_ERROR_BAD_STATE; + } + break; + + default: return PSA_ERROR_BAD_STATE; - } - break; - - default: - return PSA_ERROR_BAD_STATE; + } } return PSA_SUCCESS; } +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) static psa_status_t psa_jpake_output_epilogue( psa_pake_operation_t *operation) { - psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.jpake; + if (operation->alg == PSA_ALG_JPAKE) { + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.jpake; - if ((computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 && - computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || - (computation_stage->state == PSA_PAKE_OUTPUT_X2S && - computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { - 
computation_stage->state = PSA_PAKE_STATE_READY; - computation_stage->output_step++; - computation_stage->sequence = PSA_PAKE_SEQ_INVALID; - } else { - computation_stage->sequence++; + if ((computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 && + computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || + (computation_stage->state == PSA_PAKE_OUTPUT_X2S && + computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { + computation_stage->state = PSA_PAKE_STATE_READY; + computation_stage->output_step++; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + } else { + computation_stage->sequence++; + } } return PSA_SUCCESS; } +#endif psa_status_t psa_pake_output( psa_pake_operation_t *operation, @@ -7634,35 +7656,45 @@ psa_status_t psa_pake_output( } switch (operation->alg) { +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) case PSA_ALG_JPAKE: status = psa_jpake_output_prologue(operation, step); if (status != PSA_SUCCESS) { goto exit; } break; +#endif default: + (void) step; status = PSA_ERROR_NOT_SUPPORTED; goto exit; } +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) status = psa_driver_wrapper_pake_output(operation, convert_jpake_computation_stage_to_driver_step( &operation->computation_stage.jpake), output, output_size, output_length); +#else + (void) output; + status = PSA_ERROR_NOT_SUPPORTED; +#endif if (status != PSA_SUCCESS) { goto exit; } switch (operation->alg) { +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) case PSA_ALG_JPAKE: status = psa_jpake_output_epilogue(operation); if (status != PSA_SUCCESS) { goto exit; } break; +#endif default: status = PSA_ERROR_NOT_SUPPORTED; goto exit; 
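Review bot: `psa_jpake_output_prologue` now wraps its state checks in `if (operation->alg == PSA_ALG_JPAKE)` and otherwise falls through to `return PSA_SUCCESS`, so a validation helper reports success for an operation it never inspected. `psa_jpake_output_epilogue` has the same shape. The call sites visible here sit under `case PSA_ALG_JPAKE:`, so the inner test is redundant today, but the success default would silently skip the sequencing checks if a helper were reached with another algorithm. I would drop the wrapper or fail closed with `if (operation->alg != PSA_ALG_JPAKE) { return PSA_ERROR_BAD_STATE; }` at the top of each helper. The input prologue in the following hunk, which runs past the part shown here, follows the same pattern and also moves the `input_length` bound check inside the algorithm test.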
@@ -7674,104 +7706,112 @@ exit: return status == PSA_SUCCESS ? abort_status : status; } +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) static psa_status_t psa_jpake_input_prologue( psa_pake_operation_t *operation, psa_pake_step_t step, size_t input_length) { - psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.jpake; - - if (computation_stage->state == PSA_PAKE_STATE_INVALID) { - return PSA_ERROR_BAD_STATE; - } - if (step != PSA_PAKE_STEP_KEY_SHARE && step != PSA_PAKE_STEP_ZK_PUBLIC && step != PSA_PAKE_STEP_ZK_PROOF) { return PSA_ERROR_INVALID_ARGUMENT; } - const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( - PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256); - if (input_length > (size_t) PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, prim, step)) { - return PSA_ERROR_INVALID_ARGUMENT; - } + if (operation->alg == PSA_ALG_JPAKE) { + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.jpake; - if (computation_stage->state != PSA_PAKE_STATE_READY && - computation_stage->state != PSA_PAKE_INPUT_X1_X2 && - computation_stage->state != PSA_PAKE_INPUT_X4S) { - return PSA_ERROR_BAD_STATE; - } - - if (computation_stage->state == PSA_PAKE_STATE_READY) { - if (step != PSA_PAKE_STEP_KEY_SHARE) { + if (computation_stage->state == PSA_PAKE_STATE_INVALID) { return PSA_ERROR_BAD_STATE; } - switch (computation_stage->input_step) { - case PSA_PAKE_STEP_X1_X2: - computation_stage->state = PSA_PAKE_INPUT_X1_X2; - break; - case PSA_PAKE_STEP_X2S: - computation_stage->state = PSA_PAKE_INPUT_X4S; - break; - default: - return PSA_ERROR_BAD_STATE; + const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( + PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256); + if (input_length > (size_t) PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, prim, step)) { + return PSA_ERROR_INVALID_ARGUMENT; } - computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; - } + if (computation_stage->state != PSA_PAKE_STATE_READY && + computation_stage->state != 
PSA_PAKE_INPUT_X1_X2 && + computation_stage->state != PSA_PAKE_INPUT_X4S) { + return PSA_ERROR_BAD_STATE; + } - /* Check if step matches current sequence */ - switch (computation_stage->sequence) { - case PSA_PAKE_X1_STEP_KEY_SHARE: - case PSA_PAKE_X2_STEP_KEY_SHARE: + if (computation_stage->state == PSA_PAKE_STATE_READY) { if (step != PSA_PAKE_STEP_KEY_SHARE) { return PSA_ERROR_BAD_STATE; } - break; - case PSA_PAKE_X1_STEP_ZK_PUBLIC: - case PSA_PAKE_X2_STEP_ZK_PUBLIC: - if (step != PSA_PAKE_STEP_ZK_PUBLIC) { - return PSA_ERROR_BAD_STATE; + switch (computation_stage->input_step) { + case PSA_PAKE_STEP_X1_X2: + computation_stage->state = PSA_PAKE_INPUT_X1_X2; + break; + case PSA_PAKE_STEP_X2S: + computation_stage->state = PSA_PAKE_INPUT_X4S; + break; + default: + return PSA_ERROR_BAD_STATE; } - break; - case PSA_PAKE_X1_STEP_ZK_PROOF: - case PSA_PAKE_X2_STEP_ZK_PROOF: - if (step != PSA_PAKE_STEP_ZK_PROOF) { + computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; + } + + /* Check if step matches current sequence */ + switch (computation_stage->sequence) { + case PSA_PAKE_X1_STEP_KEY_SHARE: + case PSA_PAKE_X2_STEP_KEY_SHARE: + if (step != PSA_PAKE_STEP_KEY_SHARE) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PUBLIC: + case PSA_PAKE_X2_STEP_ZK_PUBLIC: + if (step != PSA_PAKE_STEP_ZK_PUBLIC) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PROOF: + case PSA_PAKE_X2_STEP_ZK_PROOF: + if (step != PSA_PAKE_STEP_ZK_PROOF) { + return PSA_ERROR_BAD_STATE; + } + break; + + default: return PSA_ERROR_BAD_STATE; - } - break; - - default: - return PSA_ERROR_BAD_STATE; + } } return PSA_SUCCESS; } +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) static psa_status_t psa_jpake_input_epilogue( psa_pake_operation_t *operation) { - psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.jpake; + if (operation->alg == PSA_ALG_JPAKE) { + psa_jpake_computation_stage_t *computation_stage = + 
&operation->computation_stage.jpake; - if ((computation_stage->state == PSA_PAKE_INPUT_X1_X2 && - computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || - (computation_stage->state == PSA_PAKE_INPUT_X4S && - computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { - computation_stage->state = PSA_PAKE_STATE_READY; - computation_stage->input_step++; - computation_stage->sequence = PSA_PAKE_SEQ_INVALID; - } else { - computation_stage->sequence++; + if ((computation_stage->state == PSA_PAKE_INPUT_X1_X2 && + computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || + (computation_stage->state == PSA_PAKE_INPUT_X4S && + computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { + computation_stage->state = PSA_PAKE_STATE_READY; + computation_stage->input_step++; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + } else { + computation_stage->sequence++; + } } return PSA_SUCCESS; } +#endif psa_status_t psa_pake_input( psa_pake_operation_t *operation, @@ -7800,33 +7840,43 @@ psa_status_t psa_pake_input( } switch (operation->alg) { +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) case PSA_ALG_JPAKE: status = psa_jpake_input_prologue(operation, step, input_length); if (status != PSA_SUCCESS) { goto exit; } break; +#endif default: + (void) step; return PSA_ERROR_NOT_SUPPORTED; } +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) status = psa_driver_wrapper_pake_input(operation, convert_jpake_computation_stage_to_driver_step( &operation->computation_stage.jpake), input, input_length); +#else + (void) input; + status = PSA_ERROR_NOT_SUPPORTED; +#endif if (status != PSA_SUCCESS) { goto exit; } switch (operation->alg) { +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) case PSA_ALG_JPAKE: status = psa_jpake_input_epilogue(operation); if (status != PSA_SUCCESS) { goto exit; } break; +#endif default: status = PSA_ERROR_NOT_SUPPORTED; goto exit; 
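Review bot: psa_jpake_input_prologue and psa_jpake_input_epilogue now fall through to `return PSA_SUCCESS;` when `operation->alg` is not `PSA_ALG_JPAKE`, so for any other algorithm the state, sequence and `input_length` checks are skipped and the helper reports success. The callers visible in this patch reach them only from `case PSA_ALG_JPAKE:`, so this is not reachable today, but a validation helper is safer failing closed: close the `if` with `else { return PSA_ERROR_NOT_SUPPORTED; }`. The output-side helpers changed earlier in this file have the same shape.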
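Review bot: In the first `switch (operation->alg)` of psa_pake_input the `default:` branch still does `return PSA_ERROR_NOT_SUPPORTED;` directly, and with `case PSA_ALG_JPAKE:` compiled out when `MBEDTLS_PSA_BUILTIN_ALG_JPAKE` is undefined it becomes the only path through that switch. Every other failure in this hunk uses `goto exit`, and the matching branch in psa_pake_output does `status = PSA_ERROR_NOT_SUPPORTED; goto exit;`. If `exit:` (outside this hunk) aborts the operation, as the `abort_status` return at the end of psa_pake_output suggests, the direct return leaves the operation and whatever inputs it still holds un-aborted. Use `status = PSA_ERROR_NOT_SUPPORTED; goto exit;` here as well.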
@@ -7852,6 +7902,7 @@ psa_status_t psa_pake_get_implicit_key( goto exit; } +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { psa_jpake_computation_stage_t *computation_stage = &operation->computation_stage.jpake; @@ -7860,6 +7911,13 @@ psa_status_t psa_pake_get_implicit_key( status = PSA_ERROR_BAD_STATE; goto exit; } + } else +#else + +#endif + { + status = PSA_ERROR_NOT_SUPPORTED; + goto exit; } status = psa_driver_wrapper_pake_get_implicit_key(operation, diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index c1eea5059..0bc0a32ff 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -2976,7 +2976,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_BUILTIN_ALG_JPAKE */ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_status_arg, data_t *forced_output, int expected_status_setup_arg, int expected_status_input_arg, int expected_status_output_arg, diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index d77dfdc8e..1c3b3289a 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function @@ -909,7 +909,7 @@ void ecjpake_size_macros() } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_BUILTIN_ALG_JPAKE */ void pake_input_getters(data_t *password, int role_arg, int password_buffer_size, int alg_arg, int primitive_arg, int hash_arg, int expected_status_pass, int expected_status_pass_len, From ce131bf5c5ce51d8f2400a3b23fb555745bd67d7 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 21 Feb 2023 12:19:27 +0100 Subject: [PATCH 61/75] PAKE driver: fix password releasing 
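Review bot: The `} else` / `#else` / blank line / `#endif` / `{` sequence added around the `PSA_ALG_JPAKE` check in psa_pake_get_implicit_key has an empty `#else` arm, which does nothing and makes the dangling `else` harder to follow. Closing the conditional with `#endif` directly after `} else` produces the same code in both configurations. A one-line comment on the trailing block, for example `/* No built-in J-PAKE, or an algorithm other than J-PAKE */`, would also say why it returns `PSA_ERROR_NOT_SUPPORTED`. The `if` opens in the first hunk of this function and closes in the second; the rest of the function is outside both.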
Signed-off-by: Przemek Stekiel --- library/psa_crypto_pake.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index a6798111d..929db5919 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -254,11 +254,13 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, (void) operation; (void) inputs; #endif - { return PSA_ERROR_NOT_SUPPORTED; } + { status = PSA_ERROR_NOT_SUPPORTED; } error: - mbedtls_platform_zeroize(operation->password, operation->password_len); - mbedtls_free(operation->password); + /* When driver fails with PSA_ERROR_NOT_SUPPORTED the built-in implementation is executed (if available) + and it will reallocate the password leading to the memory leak. + Call abort explicitly to clean up allocated memory for password on failure. */ + mbedtls_psa_pake_abort(operation); return status; } @@ -518,13 +520,13 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) + mbedtls_platform_zeroize(operation->password, operation->password_len); + mbedtls_free(operation->password); + operation->password = NULL; + operation->password_len = 0; +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { - mbedtls_platform_zeroize(operation->password, operation->password_len); - mbedtls_free(operation->password); - operation->password = NULL; - operation->password_len = 0; operation->role = PSA_PAKE_ROLE_NONE; mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_JPAKE_BUFFER_SIZE); operation->buffer_length = 0; From 51a677bb307549096fc04db2aeb4eee5ec597f8f Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 21 Feb 2023 12:20:46 +0100 Subject: [PATCH 62/75] Remove support for pake opaque driver 
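Review bot: mbedtls_psa_pake_abort now runs `mbedtls_platform_zeroize(operation->password, operation->password_len)` and `mbedtls_free(operation->password)` for every algorithm and build, and mbedtls_psa_pake_setup calls it on every path that reaches `error:`, including the new `status = PSA_ERROR_NOT_SUPPORTED` branch. That is safe only if `operation->password` and `operation->password_len` are consistent whenever `error:` is reached, i.e. the length is non-zero only after a successful allocation; the code that sets them is outside these hunks, so this should be confirmed. A comment on abort recording the requirement, e.g. `/* password is NULL or owns password_len bytes; safe on a zero-initialised operation */`, would keep later changes from breaking it.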
Signed-off-by: Przemek Stekiel --- .../psa_crypto_driver_wrappers.c.jinja | 28 +---- tests/include/test/drivers/pake.h | 44 -------- tests/src/drivers/test_driver_pake.c | 105 +----------------- 3 files changed, 3 insertions(+), 174 deletions(-) diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index a34d9b094..1e7140ca8 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -2844,17 +2844,6 @@ psa_status_t psa_driver_wrapper_pake_setup( #endif return( PSA_ERROR_NOT_SUPPORTED ); /* Add cases for opaque driver here */ -#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) -#if defined(PSA_CRYPTO_DRIVER_TEST) - case PSA_CRYPTO_TEST_DRIVER_LOCATION: - status = mbedtls_test_opaque_pake_setup( - &operation->data.ctx.opaque_test_driver_ctx, - inputs ); - if( status == PSA_SUCCESS ) - operation->id = MBEDTLS_TEST_OPAQUE_DRIVER_ID; - return status; -#endif /* PSA_CRYPTO_DRIVER_TEST */ -#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: /* Key is declared with a lifetime not known to us */ (void)operation; @@ -2884,10 +2873,6 @@ psa_status_t psa_driver_wrapper_pake_output( return( mbedtls_test_transparent_pake_output( &operation->data.ctx.transparent_test_driver_ctx, step, output, output_size, output_length ) ); - case MBEDTLS_TEST_OPAQUE_DRIVER_ID: - return( mbedtls_test_opaque_pake_output( - &operation->data.ctx.opaque_test_driver_ctx, - step, output, output_size, output_length ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: 
@@ -2921,11 +2906,6 @@ psa_status_t psa_driver_wrapper_pake_input( &operation->data.ctx.transparent_test_driver_ctx, step, input, input_length ) ); - case MBEDTLS_TEST_OPAQUE_DRIVER_ID: - return( mbedtls_test_opaque_pake_input( - &operation->data.ctx.opaque_test_driver_ctx, - step, - input, input_length ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: @@ -2955,15 +2935,12 @@ psa_status_t psa_driver_wrapper_pake_get_implicit_key( return( mbedtls_test_transparent_pake_get_implicit_key( &operation->data.ctx.transparent_test_driver_ctx, output, output_size, output_length ) ); - case MBEDTLS_TEST_OPAQUE_DRIVER_ID: - return( mbedtls_test_opaque_pake_get_implicit_key( - &operation->data.ctx.opaque_test_driver_ctx, - output, output_size, output_length ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: (void) output; (void) output_size; + (void) output_length; return( PSA_ERROR_INVALID_ARGUMENT ); } } @@ -2983,9 +2960,6 @@ psa_status_t psa_driver_wrapper_pake_abort( case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_pake_abort( &operation->data.ctx.transparent_test_driver_ctx ) ); - case MBEDTLS_TEST_OPAQUE_DRIVER_ID: - return( mbedtls_test_opaque_pake_abort( - &operation->data.ctx.opaque_test_driver_ctx ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: diff --git a/tests/include/test/drivers/pake.h b/tests/include/test/drivers/pake.h index 4a2b7c461..80307248f 100644 --- a/tests/include/test/drivers/pake.h +++ b/tests/include/test/drivers/pake.h 
@@ -75,49 +75,5 @@ psa_status_t mbedtls_test_transparent_pake_get_implicit_key( psa_status_t mbedtls_test_transparent_pake_abort( mbedtls_transparent_test_driver_pake_operation_t *operation); -psa_status_t mbedtls_test_opaque_pake_setup( - mbedtls_opaque_test_driver_pake_operation_t *operation, - const psa_crypto_driver_pake_inputs_t *inputs); - -psa_status_t mbedtls_test_opaque_set_password_key( - const psa_key_attributes_t *attributes, - mbedtls_opaque_test_driver_pake_operation_t *operation, - uint8_t *key_buffer, - size_t key_size); - -psa_status_t mbedtls_test_opaque_pake_set_user( - mbedtls_opaque_test_driver_pake_operation_t *operation, - const uint8_t *user_id, - size_t user_id_len); - -psa_status_t mbedtls_test_opaque_pake_set_peer( - mbedtls_opaque_test_driver_pake_operation_t *operation, - const uint8_t *peer_id, - size_t peer_id_len); - -psa_status_t mbedtls_test_opaque_pake_set_role( - mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_pake_role_t role); - -psa_status_t mbedtls_test_opaque_pake_output( - mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_crypto_driver_pake_step_t step, - uint8_t *output, - size_t output_size, - size_t *output_length); - -psa_status_t mbedtls_test_opaque_pake_input( - mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_crypto_driver_pake_step_t step, - const uint8_t *input, - size_t input_length); - -psa_status_t mbedtls_test_opaque_pake_get_implicit_key( - mbedtls_opaque_test_driver_pake_operation_t *operation, - uint8_t *output, size_t output_size, size_t *output_length); - -psa_status_t mbedtls_test_opaque_pake_abort( - mbedtls_opaque_test_driver_pake_operation_t *operation); - #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_TEST_DRIVERS_PAKE_H */ diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c index 3eaf38a65..03f387fa1 100644 --- a/tests/src/drivers/test_driver_pake.c +++ b/tests/src/drivers/test_driver_pake.c 
@@ -165,6 +165,8 @@ psa_status_t mbedtls_test_transparent_pake_get_implicit_key( #else (void) operation; (void) output; + (void) output_size; + (void) output_length; mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; #endif } 
@@ -202,107 +204,4 @@ psa_status_t mbedtls_test_transparent_pake_abort( return mbedtls_test_driver_pake_hooks.driver_status; } -/* - * opaque versions, to do - */ -psa_status_t mbedtls_test_opaque_pake_setup( - mbedtls_opaque_test_driver_pake_operation_t *operation, - const psa_crypto_driver_pake_inputs_t *inputs) -{ - (void) operation; - (void) inputs; - return PSA_ERROR_NOT_SUPPORTED; -} - -psa_status_t mbedtls_test_opaque_set_password_key( - const psa_key_attributes_t *attributes, - mbedtls_opaque_test_driver_pake_operation_t *operation, - uint8_t *key_buffer, - size_t key_size) -{ - (void) attributes; - (void) operation; - (void) key_buffer; - (void) key_size; - return PSA_ERROR_NOT_SUPPORTED; -} - -psa_status_t mbedtls_test_opaque_pake_set_user( - mbedtls_opaque_test_driver_pake_operation_t *operation, - const uint8_t *user_id, - size_t user_id_len) -{ - (void) operation; - (void) user_id; - (void) user_id_len; - return PSA_ERROR_NOT_SUPPORTED; -} - -psa_status_t mbedtls_test_opaque_pake_set_peer( - mbedtls_opaque_test_driver_pake_operation_t *operation, - const uint8_t *peer_id, - size_t peer_id_len) -{ - (void) operation; - (void) peer_id; - (void) peer_id_len; - return PSA_ERROR_NOT_SUPPORTED; -} - -psa_status_t mbedtls_test_opaque_pake_set_role( - mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_pake_role_t role) -{ - (void) operation; - (void) role; - return PSA_ERROR_NOT_SUPPORTED; -} - -psa_status_t mbedtls_test_opaque_pake_output( - mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_crypto_driver_pake_step_t step, - uint8_t *output, - size_t output_size, - size_t *output_length) -{ - (void) operation; - (void) step; - (void) output; - (void) output_size; - (void) output_length; - - return PSA_ERROR_NOT_SUPPORTED; -} - -psa_status_t mbedtls_test_opaque_pake_input( - mbedtls_opaque_test_driver_pake_operation_t *operation, - psa_crypto_driver_pake_step_t step, - const uint8_t *input, - size_t input_length) -{ - (void) operation; - 
(void) step; - (void) input; - (void) input_length; - return PSA_ERROR_NOT_SUPPORTED; -} - -psa_status_t mbedtls_test_opaque_pake_get_implicit_key( - mbedtls_opaque_test_driver_pake_operation_t *operation, - uint8_t *output, size_t output_size, size_t *output_length) -{ - (void) operation; - (void) output; - (void) output_size; - (void) output_length; - return PSA_ERROR_NOT_SUPPORTED; -} - -psa_status_t mbedtls_test_opaque_pake_abort( - mbedtls_opaque_test_driver_pake_operation_t *operation) -{ - (void) operation; - return PSA_ERROR_NOT_SUPPORTED; -} - #endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ From 5eff1033b6aa176b5758808bc0a61ffa4e1d7b0e Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 21 Feb 2023 19:10:36 +0100 Subject: [PATCH 63/75] Remove redundant checks for jpake alg Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 256 +++++++++++++++++++++---------------------- 1 file changed, 124 insertions(+), 132 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index f11be0e40..3823f7ad7 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -7538,65 +7538,63 @@ static psa_status_t psa_jpake_output_prologue( return PSA_ERROR_INVALID_ARGUMENT; } - if (operation->alg == PSA_ALG_JPAKE) { - psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.jpake; + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.jpake; - if (computation_stage->state == PSA_PAKE_STATE_INVALID) { + if (computation_stage->state == PSA_PAKE_STATE_INVALID) { + return PSA_ERROR_BAD_STATE; + } + + if (computation_stage->state != PSA_PAKE_STATE_READY && + computation_stage->state != PSA_PAKE_OUTPUT_X1_X2 && + computation_stage->state != PSA_PAKE_OUTPUT_X2S) { + return PSA_ERROR_BAD_STATE; + } + + if (computation_stage->state == PSA_PAKE_STATE_READY) { + if (step != PSA_PAKE_STEP_KEY_SHARE) { return PSA_ERROR_BAD_STATE; } - if (computation_stage->state != PSA_PAKE_STATE_READY && - computation_stage->state != PSA_PAKE_OUTPUT_X1_X2 && - computation_stage->state != PSA_PAKE_OUTPUT_X2S) { - return PSA_ERROR_BAD_STATE; - } - - if (computation_stage->state == PSA_PAKE_STATE_READY) { - if (step != PSA_PAKE_STEP_KEY_SHARE) { - return PSA_ERROR_BAD_STATE; - } - - switch (computation_stage->output_step) { - case PSA_PAKE_STEP_X1_X2: - computation_stage->state = PSA_PAKE_OUTPUT_X1_X2; - break; - case PSA_PAKE_STEP_X2S: - computation_stage->state = PSA_PAKE_OUTPUT_X2S; - break; - default: - return PSA_ERROR_BAD_STATE; - } - - computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; - } - - /* Check if step matches current sequence */ - switch (computation_stage->sequence) { - case PSA_PAKE_X1_STEP_KEY_SHARE: - case PSA_PAKE_X2_STEP_KEY_SHARE: - if (step != PSA_PAKE_STEP_KEY_SHARE) { - return PSA_ERROR_BAD_STATE; - } + switch (computation_stage->output_step) { + case PSA_PAKE_STEP_X1_X2: + computation_stage->state = PSA_PAKE_OUTPUT_X1_X2; break; - - case PSA_PAKE_X1_STEP_ZK_PUBLIC: - case PSA_PAKE_X2_STEP_ZK_PUBLIC: - if (step != PSA_PAKE_STEP_ZK_PUBLIC) { - return PSA_ERROR_BAD_STATE; - } 
+ case PSA_PAKE_STEP_X2S: + computation_stage->state = PSA_PAKE_OUTPUT_X2S; break; - - case PSA_PAKE_X1_STEP_ZK_PROOF: - case PSA_PAKE_X2_STEP_ZK_PROOF: - if (step != PSA_PAKE_STEP_ZK_PROOF) { - return PSA_ERROR_BAD_STATE; - } - break; - default: return PSA_ERROR_BAD_STATE; } + + computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; + } + + /* Check if step matches current sequence */ + switch (computation_stage->sequence) { + case PSA_PAKE_X1_STEP_KEY_SHARE: + case PSA_PAKE_X2_STEP_KEY_SHARE: + if (step != PSA_PAKE_STEP_KEY_SHARE) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PUBLIC: + case PSA_PAKE_X2_STEP_ZK_PUBLIC: + if (step != PSA_PAKE_STEP_ZK_PUBLIC) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PROOF: + case PSA_PAKE_X2_STEP_ZK_PROOF: + if (step != PSA_PAKE_STEP_ZK_PROOF) { + return PSA_ERROR_BAD_STATE; + } + break; + + default: + return PSA_ERROR_BAD_STATE; } return PSA_SUCCESS; 
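Review bot: With the `operation->alg == PSA_ALG_JPAKE` test removed, psa_jpake_output_prologue reads `operation->computation_stage.jpake` unconditionally and relies on the caller having dispatched on the algorithm, but nothing in the function says so. Add a short comment above it, e.g. `/* Precondition: operation->alg == PSA_ALG_JPAKE (checked by the caller's switch). */`, so a later caller does not reach the J-PAKE stage data for another algorithm. The same applies to psa_jpake_output_epilogue, psa_jpake_input_prologue and psa_jpake_input_epilogue in the following hunks. The opening lines of the function are outside this hunk.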
@@ -7607,20 +7605,18 @@ static psa_status_t psa_jpake_output_prologue( static psa_status_t psa_jpake_output_epilogue( psa_pake_operation_t *operation) { - if (operation->alg == PSA_ALG_JPAKE) { - psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.jpake; + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.jpake; - if ((computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 && - computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || - (computation_stage->state == PSA_PAKE_OUTPUT_X2S && - computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { - computation_stage->state = PSA_PAKE_STATE_READY; - computation_stage->output_step++; - computation_stage->sequence = PSA_PAKE_SEQ_INVALID; - } else { - computation_stage->sequence++; - } + if ((computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 && + computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || + (computation_stage->state == PSA_PAKE_OUTPUT_X2S && + computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { + computation_stage->state = PSA_PAKE_STATE_READY; + computation_stage->output_step++; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + } else { + computation_stage->sequence++; } return PSA_SUCCESS; 
@@ -7718,71 +7714,69 @@ static psa_status_t psa_jpake_input_prologue( return PSA_ERROR_INVALID_ARGUMENT; } - if (operation->alg == PSA_ALG_JPAKE) { - psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.jpake; + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.jpake; - if (computation_stage->state == PSA_PAKE_STATE_INVALID) { + if (computation_stage->state == PSA_PAKE_STATE_INVALID) { + return PSA_ERROR_BAD_STATE; + } + + const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( + PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256); + if (input_length > (size_t) PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, prim, step)) { + return PSA_ERROR_INVALID_ARGUMENT; + } + + if (computation_stage->state != PSA_PAKE_STATE_READY && + computation_stage->state != PSA_PAKE_INPUT_X1_X2 && + computation_stage->state != PSA_PAKE_INPUT_X4S) { + return PSA_ERROR_BAD_STATE; + } + + if (computation_stage->state == PSA_PAKE_STATE_READY) { + if (step != PSA_PAKE_STEP_KEY_SHARE) { return PSA_ERROR_BAD_STATE; } - const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( - PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256); - if (input_length > (size_t) PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, prim, step)) { - return PSA_ERROR_INVALID_ARGUMENT; - } - - if (computation_stage->state != PSA_PAKE_STATE_READY && - computation_stage->state != PSA_PAKE_INPUT_X1_X2 && - computation_stage->state != PSA_PAKE_INPUT_X4S) { - return PSA_ERROR_BAD_STATE; - } - - if (computation_stage->state == PSA_PAKE_STATE_READY) { - if (step != PSA_PAKE_STEP_KEY_SHARE) { - return PSA_ERROR_BAD_STATE; - } - - switch (computation_stage->input_step) { - case PSA_PAKE_STEP_X1_X2: - computation_stage->state = PSA_PAKE_INPUT_X1_X2; - break; - case PSA_PAKE_STEP_X2S: - computation_stage->state = PSA_PAKE_INPUT_X4S; - break; - default: - return PSA_ERROR_BAD_STATE; - } - - computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; - } - - /* Check if step matches current 
sequence */ - switch (computation_stage->sequence) { - case PSA_PAKE_X1_STEP_KEY_SHARE: - case PSA_PAKE_X2_STEP_KEY_SHARE: - if (step != PSA_PAKE_STEP_KEY_SHARE) { - return PSA_ERROR_BAD_STATE; - } + switch (computation_stage->input_step) { + case PSA_PAKE_STEP_X1_X2: + computation_stage->state = PSA_PAKE_INPUT_X1_X2; break; - - case PSA_PAKE_X1_STEP_ZK_PUBLIC: - case PSA_PAKE_X2_STEP_ZK_PUBLIC: - if (step != PSA_PAKE_STEP_ZK_PUBLIC) { - return PSA_ERROR_BAD_STATE; - } + case PSA_PAKE_STEP_X2S: + computation_stage->state = PSA_PAKE_INPUT_X4S; break; - - case PSA_PAKE_X1_STEP_ZK_PROOF: - case PSA_PAKE_X2_STEP_ZK_PROOF: - if (step != PSA_PAKE_STEP_ZK_PROOF) { - return PSA_ERROR_BAD_STATE; - } - break; - default: return PSA_ERROR_BAD_STATE; } + + computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; + } + + /* Check if step matches current sequence */ + switch (computation_stage->sequence) { + case PSA_PAKE_X1_STEP_KEY_SHARE: + case PSA_PAKE_X2_STEP_KEY_SHARE: + if (step != PSA_PAKE_STEP_KEY_SHARE) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PUBLIC: + case PSA_PAKE_X2_STEP_ZK_PUBLIC: + if (step != PSA_PAKE_STEP_ZK_PUBLIC) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PROOF: + case PSA_PAKE_X2_STEP_ZK_PROOF: + if (step != PSA_PAKE_STEP_ZK_PROOF) { + return PSA_ERROR_BAD_STATE; + } + break; + + default: + return PSA_ERROR_BAD_STATE; } return PSA_SUCCESS; 
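Review bot: The `input_length` bound in psa_jpake_input_prologue is computed from a fixed primitive, `PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256)`, not from the primitive the operation was set up with. That is correct only while this is the sole primitive accepted for J-PAKE; if another is added, the check would silently use the wrong maximum. A comment next to `prim`, such as `/* Only secp256r1 is supported for J-PAKE; revisit this bound if more primitives are accepted. */`, would make the assumption explicit. The start of the function is outside this hunk.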
@@ -7793,20 +7787,18 @@ static psa_status_t psa_jpake_input_prologue( static psa_status_t psa_jpake_input_epilogue( psa_pake_operation_t *operation) { - if (operation->alg == PSA_ALG_JPAKE) { - psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.jpake; + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.jpake; - if ((computation_stage->state == PSA_PAKE_INPUT_X1_X2 && - computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || - (computation_stage->state == PSA_PAKE_INPUT_X4S && - computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { - computation_stage->state = PSA_PAKE_STATE_READY; - computation_stage->input_step++; - computation_stage->sequence = PSA_PAKE_SEQ_INVALID; - } else { - computation_stage->sequence++; - } + if ((computation_stage->state == PSA_PAKE_INPUT_X1_X2 && + computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || + (computation_stage->state == PSA_PAKE_INPUT_X4S && + computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { + computation_stage->state = PSA_PAKE_STATE_READY; + computation_stage->input_step++; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + } else { + computation_stage->sequence++; } return PSA_SUCCESS; From d59d2a4deeee29089dafce0c682dbc5d7f2c7e43 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 22 Feb 2023 11:02:40 +0100 Subject: [PATCH 64/75] Optimize pake tests Signed-off-by: Przemek Stekiel --- tests/include/test/drivers/pake.h | 11 +- tests/src/drivers/test_driver_pake.c | 15 +- ...test_suite_psa_crypto_driver_wrappers.data | 37 ++- ..._suite_psa_crypto_driver_wrappers.function | 214 +++++++++--------- 4 files changed, 141 insertions(+), 136 deletions(-) diff --git a/tests/include/test/drivers/pake.h b/tests/include/test/drivers/pake.h index 80307248f..99ca8f275 100644 --- a/tests/include/test/drivers/pake.h +++ b/tests/include/test/drivers/pake.h 
@@ -33,7 +33,14 @@ typedef struct { pake_output/pake_input (added to distinguish forced statuses). */ psa_status_t forced_setup_status; /* Count the amount of times PAKE driver functions are called. */ - unsigned long hits; + struct { + unsigned long total; + unsigned long setup; + unsigned long input; + unsigned long output; + unsigned long implicit_key; + unsigned long abort; + } hits; /* Status returned by the last PAKE driver function call. */ psa_status_t driver_status; /* Output returned by pake_output */ @@ -41,7 +48,7 @@ typedef struct { size_t forced_output_length; } mbedtls_test_driver_pake_hooks_t; -#define MBEDTLS_TEST_DRIVER_PAKE_INIT { PSA_SUCCESS, PSA_SUCCESS, 0, PSA_SUCCESS, NULL, 0 } +#define MBEDTLS_TEST_DRIVER_PAKE_INIT { PSA_SUCCESS, PSA_SUCCESS, {0, 0, 0, 0, 0, 0}, PSA_SUCCESS, NULL, 0 } static inline mbedtls_test_driver_pake_hooks_t mbedtls_test_driver_pake_hooks_init(void) { diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c index 03f387fa1..7eafe14d8 100644 --- a/tests/src/drivers/test_driver_pake.c +++ b/tests/src/drivers/test_driver_pake.c @@ -37,7 +37,8 @@ psa_status_t mbedtls_test_transparent_pake_setup( mbedtls_transparent_test_driver_pake_operation_t *operation, const psa_crypto_driver_pake_inputs_t *inputs) { - mbedtls_test_driver_pake_hooks.hits++; + mbedtls_test_driver_pake_hooks.hits.total++; + mbedtls_test_driver_pake_hooks.hits.setup++; if (mbedtls_test_driver_pake_hooks.forced_setup_status != PSA_SUCCESS) { mbedtls_test_driver_pake_hooks.driver_status = @@ -69,7 +70,8 @@ psa_status_t mbedtls_test_transparent_pake_output( size_t output_size, size_t *output_length) { - mbedtls_test_driver_pake_hooks.hits++; + mbedtls_test_driver_pake_hooks.hits.total++; + mbedtls_test_driver_pake_hooks.hits.output++; if (mbedtls_test_driver_pake_hooks.forced_output != NULL) { if (output_size < mbedtls_test_driver_pake_hooks.forced_output_length) { 
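Review bot: `MBEDTLS_TEST_DRIVER_PAKE_INIT` in pake.h initialises the new `hits` struct positionally with `{0, 0, 0, 0, 0, 0}`, which has to be kept in step with the number and order of the counters. Writing `{ 0 }` for that member zero-initialises every counter and keeps working when one is added. Each driver entry point in test_driver_pake.c also bumps `hits.total` and its own counter by hand, so a comment on `total` such as `/* sum of the per-function counters below */` would help keep future entry points consistent.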
@@ -116,7 +118,8 @@ psa_status_t mbedtls_test_transparent_pake_input( const uint8_t *input, size_t input_length) { - mbedtls_test_driver_pake_hooks.hits++; + mbedtls_test_driver_pake_hooks.hits.total++; + mbedtls_test_driver_pake_hooks.hits.input++; if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) { mbedtls_test_driver_pake_hooks.driver_status = @@ -147,7 +150,8 @@ psa_status_t mbedtls_test_transparent_pake_get_implicit_key( mbedtls_transparent_test_driver_pake_operation_t *operation, uint8_t *output, size_t output_size, size_t *output_length) { - mbedtls_test_driver_pake_hooks.hits++; + mbedtls_test_driver_pake_hooks.hits.total++; + mbedtls_test_driver_pake_hooks.hits.implicit_key++; if (mbedtls_test_driver_pake_hooks.forced_status != PSA_SUCCESS) { mbedtls_test_driver_pake_hooks.driver_status = @@ -177,7 +181,8 @@ psa_status_t mbedtls_test_transparent_pake_get_implicit_key( psa_status_t mbedtls_test_transparent_pake_abort( mbedtls_transparent_test_driver_pake_operation_t *operation) { - mbedtls_test_driver_pake_hooks.hits++; + mbedtls_test_driver_pake_hooks.hits.total++; + mbedtls_test_driver_pake_hooks.hits.abort++; #if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.data b/tests/suites/test_suite_psa_crypto_driver_wrappers.data index fa7aa7b62..d63371b7c 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.data +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.data 
@@ -822,48 +822,41 @@ depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_decrypt_setup:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c87281":"4365847fe0b7b7fbed325953df344a96":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":PSA_ERROR_INSUFFICIENT_MEMORY:PSA_ERROR_INSUFFICIENT_MEMORY PSA PAKE transparent driver: setup(via input) in-driver forced status -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -pake_operations:"abcd":PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:"":PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:0 +pake_operations:"abcd":PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:"":PSA_ERROR_GENERIC_ERROR:0 PSA PAKE transparent driver: setup(via output) in-driver forced status -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -pake_operations:"abcd":PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:"":PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:1 +pake_operations:"abcd":PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:"":PSA_ERROR_GENERIC_ERROR:1 PSA PAKE transparent driver: input in-driver forced status -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
-pake_operations:"abcd":PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:"":PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:2 +pake_operations:"abcd":PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:"":PSA_ERROR_GENERIC_ERROR:2 PSA PAKE transparent driver: output in-driver forced status -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -pake_operations:"abcd":PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:"":PSA_SUCCESS:PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:PSA_SUCCESS:3 +pake_operations:"abcd":PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:"":PSA_ERROR_GENERIC_ERROR:3 PSA PAKE transparent driver: output in-driver forced output -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -pake_operations:"abcd":PSA_SUCCESS:PSA_SUCCESS:"1234":PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:3 +pake_operations:"abcd":PSA_SUCCESS:PSA_SUCCESS:"1234":PSA_SUCCESS:3 PSA PAKE transparent driver: get_key in-driver forced status -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -pake_operations:"abcd":PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:"":PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:PSA_SUCCESS:4 +pake_operations:"abcd":PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:"":PSA_ERROR_GENERIC_ERROR:4 PSA PAKE transparent driver: abort in-driver forced status -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -pake_operations:"abcd":PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:"":PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:5 +pake_operations:"abcd":PSA_SUCCESS:PSA_ERROR_GENERIC_ERROR:"":PSA_ERROR_GENERIC_ERROR:5 PSA PAKE transparent driver: setup(via input) fallback not available -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:!MBEDTLS_PSA_BUILTIN_PAKE 
-pake_operations:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:"":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:0 +depends_on:!MBEDTLS_PSA_BUILTIN_PAKE +pake_operations:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:"":PSA_ERROR_NOT_SUPPORTED:0 PSA PAKE transparent driver: setup(via output) fallback not available -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:!MBEDTLS_PSA_BUILTIN_PAKE -pake_operations:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:"":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:1 +depends_on:!MBEDTLS_PSA_BUILTIN_PAKE +pake_operations:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:"":PSA_ERROR_NOT_SUPPORTED:1 PSA PAKE transparent driver: input fallback not available -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:!MBEDTLS_PSA_BUILTIN_PAKE -pake_operations:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:"":PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:2 +depends_on:!MBEDTLS_PSA_BUILTIN_PAKE +pake_operations:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:"":PSA_ERROR_NOT_SUPPORTED:2 PSA PAKE transparent driver: output fallback not available -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:!MBEDTLS_PSA_BUILTIN_PAKE -pake_operations:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:"":PSA_SUCCESS:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:PSA_SUCCESS:3 +depends_on:!MBEDTLS_PSA_BUILTIN_PAKE +pake_operations:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:"":PSA_ERROR_NOT_SUPPORTED:3 PSA PAKE: ecjpake rounds transparent driver: in-driver success depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index 0bc0a32ff..b0aac5357 100644 
--- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -52,7 +52,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, buffer0 + buffer0_off, 512 - buffer0_off, &s_g1_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(s_g1_len, expected_size_key_share); s_g1_off = buffer0_off; @@ -60,7 +60,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + buffer0_off, 512 - buffer0_off, &s_x1_pk_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(s_x1_pk_len, expected_size_zk_public); s_x1_pk_off = buffer0_off; @@ -68,7 +68,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, buffer0 + buffer0_off, 512 - buffer0_off, &s_x1_pr_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_LE_U(s_x1_pr_len, max_expected_size_zk_proof); s_x1_pr_off = buffer0_off; @@ -76,7 +76,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, buffer0 + buffer0_off, 512 - buffer0_off, &s_g2_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(s_g2_len, expected_size_key_share); s_g2_off = buffer0_off; 
@@ -84,7 +84,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + buffer0_off, 512 - buffer0_off, &s_x2_pk_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(s_x2_pk_len, expected_size_zk_public); s_x2_pk_off = buffer0_off; @@ -92,7 +92,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, buffer0 + buffer0_off, 512 - buffer0_off, &s_x2_pr_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_LE_U(s_x2_pr_len, max_expected_size_zk_proof); s_x2_pr_off = buffer0_off; 
@@ -102,42 +102,42 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, /* Client first round Input */ status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, buffer0 + s_g1_off, s_g1_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + s_x1_pk_off, s_x1_pk_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, buffer0 + s_x1_pr_off, s_x1_pr_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, buffer0 + s_g2_off, s_g2_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + s_x2_pk_off, s_x2_pk_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, buffer0 + s_x2_pr_off, s_x2_pr_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); } 
@@ -149,7 +149,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, buffer1 + buffer1_off, 512 - buffer1_off, &c_g1_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(c_g1_len, expected_size_key_share); c_g1_off = buffer1_off; @@ -157,7 +157,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, buffer1 + buffer1_off, 512 - buffer1_off, &c_x1_pk_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(c_x1_pk_len, expected_size_zk_public); c_x1_pk_off = buffer1_off; @@ -165,7 +165,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, buffer1 + buffer1_off, 512 - buffer1_off, &c_x1_pr_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_LE_U(c_x1_pr_len, max_expected_size_zk_proof); c_x1_pr_off = buffer1_off; @@ -173,7 +173,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, buffer1 + buffer1_off, 512 - buffer1_off, &c_g2_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(c_g2_len, expected_size_key_share); c_g2_off = buffer1_off; 
@@ -181,7 +181,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, buffer1 + buffer1_off, 512 - buffer1_off, &c_x2_pk_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(c_x2_pk_len, expected_size_zk_public); c_x2_pk_off = buffer1_off; @@ -189,7 +189,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, buffer1 + buffer1_off, 512 - buffer1_off, &c_x2_pr_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_LE_U(c_x2_pr_len, max_expected_size_zk_proof); c_x2_pr_off = buffer1_off; 
@@ -199,42 +199,42 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, /* Client first round Input */ status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, buffer0 + s_g1_off, s_g1_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + s_x1_pk_off, s_x1_pk_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, buffer0 + s_x1_pr_off, s_x1_pr_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, buffer0 + s_g2_off, s_g2_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + s_x2_pk_off, s_x2_pk_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, buffer0 + s_x2_pr_off, s_x2_pr_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); } 
@@ -242,37 +242,37 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, /* Server first round Input */ status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, buffer1 + c_g1_off, c_g1_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, buffer1 + c_x1_pk_off, c_x1_pk_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, buffer1 + c_x1_pr_off, c_x1_pr_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, buffer1 + c_g2_off, c_g2_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, buffer1 + c_x2_pk_off, c_x2_pk_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, buffer1 + c_x2_pr_off, c_x2_pr_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); 
@@ -285,7 +285,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, buffer0 + buffer0_off, 512 - buffer0_off, &s_a_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(s_a_len, expected_size_key_share); s_a_off = buffer0_off; @@ -293,7 +293,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + buffer0_off, 512 - buffer0_off, &s_x2s_pk_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(s_x2s_pk_len, expected_size_zk_public); s_x2s_pk_off = buffer0_off; @@ -301,7 +301,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, buffer0 + buffer0_off, 512 - buffer0_off, &s_x2s_pr_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_LE_U(s_x2s_pr_len, max_expected_size_zk_proof); s_x2s_pr_off = buffer0_off; 
@@ -311,21 +311,21 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, /* Client second round Input */ status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, buffer0 + s_a_off, s_a_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + s_x2s_pk_off, s_x2s_pk_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, buffer0 + s_x2s_pr_off, s_x2s_pr_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); } @@ -336,7 +336,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, buffer1 + buffer1_off, 512 - buffer1_off, &c_a_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(c_a_len, expected_size_key_share); c_a_off = buffer1_off; @@ -344,7 +344,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, buffer1 + buffer1_off, 512 - buffer1_off, &c_x2s_pk_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(c_x2s_pk_len, expected_size_zk_public); c_x2s_pk_off = buffer1_off; 
@@ -352,7 +352,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, buffer1 + buffer1_off, 512 - buffer1_off, &c_x2s_pr_len)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_LE_U(c_x2s_pr_len, max_expected_size_zk_proof); c_x2s_pr_off = buffer1_off; @@ -362,21 +362,21 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, /* Client second round Input */ status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, buffer0 + s_a_off, s_a_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + s_x2s_pk_off, s_x2s_pk_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, buffer0 + s_x2s_pr_off, s_x2s_pr_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); } 
@@ -384,19 +384,19 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, /* Server second round Input */ status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, buffer1 + c_a_off, c_a_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, buffer1 + c_x2s_pk_off, c_x2s_pk_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, buffer1 + c_x2s_pr_off, c_x2s_pr_len); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); TEST_EQUAL(status, PSA_SUCCESS); 
@@ -2976,70 +2976,57 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PSA_BUILTIN_ALG_JPAKE */ +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 */ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_status_arg, - data_t *forced_output, int expected_status_setup_arg, - int expected_status_input_arg, int expected_status_output_arg, - int expected_status_get_key_arg, int expected_status_abort_arg, + data_t *forced_output, int expected_status_arg, int fut) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_status_t forced_status = forced_status_arg; psa_status_t forced_status_setup = forced_status_setup_arg; - psa_status_t expected_status_setup = expected_status_setup_arg; - psa_status_t expected_status_input = expected_status_input_arg; - psa_status_t expected_status_output = expected_status_output_arg; - psa_status_t expected_status_get_key = expected_status_get_key_arg; - psa_status_t expected_status_abort = expected_status_abort_arg; + psa_status_t expected_status = expected_status_arg; psa_pake_operation_t operation = psa_pake_operation_init(); psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); - psa_key_type_t key_type_pw = PSA_KEY_TYPE_PASSWORD; - psa_key_usage_t key_usage_pw = PSA_KEY_USAGE_DERIVE; - psa_algorithm_t alg = PSA_ALG_JPAKE; - psa_algorithm_t hash_alg = PSA_ALG_SHA_256; - int in_driver = 1; psa_key_derivation_operation_t implicit_key = PSA_KEY_DERIVATION_OPERATION_INIT; psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256); psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - mbedtls_test_driver_pake_hooks = mbedtls_test_driver_pake_hooks_init(); unsigned char *input_buffer = NULL; - const size_t size_key_share = PSA_PAKE_INPUT_SIZE(alg, primitive, + const size_t size_key_share = PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, primitive, PSA_PAKE_STEP_KEY_SHARE); 
unsigned char *output_buffer = NULL; size_t output_len = 0; - size_t output_size = PSA_PAKE_OUTPUT_SIZE(alg, primitive, + size_t output_size = PSA_PAKE_OUTPUT_SIZE(PSA_ALG_JPAKE, primitive, PSA_PAKE_STEP_KEY_SHARE); + int in_driver = (forced_status_setup_arg == PSA_SUCCESS); ASSERT_ALLOC(input_buffer, - PSA_PAKE_INPUT_SIZE(alg, primitive, + PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, primitive, PSA_PAKE_STEP_KEY_SHARE)); memset(input_buffer, 0xAA, size_key_share); ASSERT_ALLOC(output_buffer, - PSA_PAKE_INPUT_SIZE(alg, primitive, + PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, primitive, PSA_PAKE_STEP_KEY_SHARE)); memset(output_buffer, 0x55, output_size); - if (forced_status_setup_arg == PSA_ERROR_NOT_SUPPORTED) { - in_driver = 0; - } - PSA_INIT(); + mbedtls_test_driver_pake_hooks = mbedtls_test_driver_pake_hooks_init(); + if (pw_data->len > 0) { - psa_set_key_usage_flags(&attributes, key_usage_pw); - psa_set_key_algorithm(&attributes, alg); - psa_set_key_type(&attributes, key_type_pw); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); + psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE); + psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, &key)); } - psa_pake_cs_set_algorithm(&cipher_suite, alg); + psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); psa_pake_cs_set_primitive(&cipher_suite, primitive); - psa_pake_cs_set_hash(&cipher_suite, hash_alg); + psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); mbedtls_test_driver_pake_hooks.forced_status = forced_status_setup; @@ -3054,7 +3041,7 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st TEST_EQUAL(psa_pake_set_password_key(&operation, key), PSA_SUCCESS); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 0); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, 0); /* Computation stage (driver entry points) */ 
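Review bot: `output_buffer` is allocated with `PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, primitive, PSA_PAKE_STEP_KEY_SHARE)` but is then filled by `memset(output_buffer, 0x55, output_size)` and later passed to `psa_pake_output()` with `output_size`, which is computed from `PSA_PAKE_OUTPUT_SIZE`. The two macros presumably evaluate to the same value for a key share on this curve, so nothing is overrun today, but the allocation should follow the size that is actually written: `ASSERT_ALLOC(output_buffer, output_size);`. The input allocation could use the existing `size_key_share` in the same way, `ASSERT_ALLOC(input_buffer, size_key_share);`. The body of pake_operations continues past the end of this hunk.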
@@ -3063,54 +3050,64 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st /* --- psa_pake_input (driver: setup, input) --- */ mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; mbedtls_test_driver_pake_hooks.forced_status = forced_status; - mbedtls_test_driver_pake_hooks.hits = 0; + memset(&mbedtls_test_driver_pake_hooks.hits, 0, sizeof(mbedtls_test_driver_pake_hooks.hits)); TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, input_buffer, size_key_share), - expected_status_setup); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 1); + expected_status); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, 1); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.setup, 1); break; case 1: /* setup (via output) */ - /* --- psa_pake_input (driver: setup, input) --- */ + /* --- psa_pake_output (driver: setup, output) --- */ mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; mbedtls_test_driver_pake_hooks.forced_status = forced_status; - mbedtls_test_driver_pake_hooks.hits = 0; - TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, - input_buffer, size_key_share), - expected_status_setup); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 1); + memset(&mbedtls_test_driver_pake_hooks.hits, 0, sizeof(mbedtls_test_driver_pake_hooks.hits)); + TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, + output_buffer, output_size, &output_len), + expected_status); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, 1); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.setup, 1); break; case 2: /* input */ /* --- psa_pake_input (driver: setup, input, (abort)) --- */ mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; mbedtls_test_driver_pake_hooks.forced_status = forced_status; - mbedtls_test_driver_pake_hooks.hits = 0; + memset(&mbedtls_test_driver_pake_hooks.hits, 0, sizeof(mbedtls_test_driver_pake_hooks.hits)); TEST_EQUAL(psa_pake_input(&operation, 
PSA_PAKE_STEP_KEY_SHARE, input_buffer, size_key_share), - expected_status_input); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, in_driver ? 3 : 1); + expected_status); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, in_driver ? 3 : 1); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.setup, 1); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.input, in_driver ? 1 : 0); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.abort, in_driver ? 1 : 0); break; case 3: /* output */ - /* --- psa_pake_input (driver: setup, output, (abort)) --- */ + /* --- psa_pake_output (driver: setup, output, (abort)) --- */ mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; mbedtls_test_driver_pake_hooks.forced_status = forced_status; - mbedtls_test_driver_pake_hooks.hits = 0; + memset(&mbedtls_test_driver_pake_hooks.hits, 0, sizeof(mbedtls_test_driver_pake_hooks.hits)); if (forced_output->len > 0) { mbedtls_test_driver_pake_hooks.forced_output = forced_output->x; mbedtls_test_driver_pake_hooks.forced_output_length = forced_output->len; } TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, output_buffer, output_size, &output_len), - expected_status_output); + expected_status); if (forced_output->len > 0) { - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, in_driver ? 2 : 1); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, in_driver ? 2 : 1); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.setup, 1); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.output, in_driver ? 1 : 0); TEST_EQUAL(output_len, forced_output->len); TEST_EQUAL(memcmp(output_buffer, forced_output->x, output_len), 0); } else { - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, in_driver ? 3 : 1); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, in_driver ? 3 : 1); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.setup, 1); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.output, in_driver ? 
1 : 0); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.abort, in_driver ? 1 : 0); } break; @@ -3126,10 +3123,12 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st /* --- psa_pake_get_implicit_key --- */ mbedtls_test_driver_pake_hooks.forced_status = forced_status; - mbedtls_test_driver_pake_hooks.hits = 0; + memset(&mbedtls_test_driver_pake_hooks.hits, 0, sizeof(mbedtls_test_driver_pake_hooks.hits)); TEST_EQUAL(psa_pake_get_implicit_key(&operation, &implicit_key), - expected_status_get_key); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 2); + expected_status); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, 2); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.implicit_key, 1); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.abort, 1); break; @@ -3141,9 +3140,10 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st /* --- psa_pake_abort --- */ mbedtls_test_driver_pake_hooks.forced_status = forced_status; - mbedtls_test_driver_pake_hooks.hits = 0; - TEST_EQUAL(psa_pake_abort(&operation), expected_status_abort); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 1); + memset(&mbedtls_test_driver_pake_hooks.hits, 0, sizeof(mbedtls_test_driver_pake_hooks.hits)); + TEST_EQUAL(psa_pake_abort(&operation), expected_status); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, 1); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.abort, 1); break; default: @@ -3187,8 +3187,6 @@ void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, psa_key_derivation_operation_t client_derive = PSA_KEY_DERIVATION_OPERATION_INIT; pake_in_driver = in_driver; - mbedtls_test_driver_pake_hooks.forced_status = PSA_SUCCESS; - mbedtls_test_driver_pake_hooks.hits = 0; /* driver setup is called indirectly through pake_output/pake_input */ if (pake_in_driver) { pake_expected_hit_count = 2; 
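Review bot: The counts asserted in case 2 and in the else branch of case 3 (`hits.total` of 3 and `hits.abort` of 1 when `in_driver`) hold only when the driver input or output call fails and the operation is then aborted, yet nothing in the code ties them to `expected_status`. Every data line that reaches these spots currently forces an error, so the tests pass, but a later data line with a successful call would presumably fail on the hit counts rather than on the status. A short comment at both places would make the assumption visible, e.g. `/* Counts assume forced_status is an error: setup, input/output, then abort. */`, or the abort expectation could be written as `(in_driver && expected_status != PSA_SUCCESS) ? 1 : 0`. The switch starts above this hunk and continues below it.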
@@ -3198,6 +3196,8 @@ void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, PSA_INIT(); + mbedtls_test_driver_pake_hooks = mbedtls_test_driver_pake_hooks_init(); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); psa_set_key_algorithm(&attributes, alg); psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); @@ -3226,19 +3226,19 @@ void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, } PSA_ASSERT(psa_pake_setup(&server, &cipher_suite)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 0); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, 0); PSA_ASSERT(psa_pake_setup(&client, &cipher_suite)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 0); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, 0); PSA_ASSERT(psa_pake_set_role(&server, PSA_PAKE_ROLE_SERVER)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 0); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, 0); PSA_ASSERT(psa_pake_set_role(&client, PSA_PAKE_ROLE_CLIENT)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 0); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, 0); PSA_ASSERT(psa_pake_set_password_key(&server, key)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 0); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, 0); PSA_ASSERT(psa_pake_set_password_key(&client, key)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, 0); + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, 0); /* First round */ ecjpake_do_round(alg, primitive_arg, &server, &client, @@ -3255,7 +3255,7 @@ void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, } PSA_ASSERT(psa_pake_get_implicit_key(&server, &server_derive)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); /* After the key is obtained operation is aborted. 
@@ -3265,7 +3265,7 @@ void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, } PSA_ASSERT(psa_pake_get_implicit_key(&client, &client_derive)); - TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits, + TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count); exit: psa_key_derivation_abort(&server_derive); From bdc21e623e3da41a3d8d18f942bc08bd4ac7c8cc Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 23 Feb 2023 17:12:19 +0100 Subject: [PATCH 65/75] Disable MBEDTLS_PSA_CRYPTO_SE_C is ecdsa psa builds Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index b0d460dd9..a2c0cb756 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2112,6 +2112,9 @@ config_psa_crypto_config_ecdsa_use_psa () { # the future, the following line could be removed (see issues # 6061, 6332 and following ones) scripts/config.py unset MBEDTLS_ECP_RESTARTABLE + # Dynamic secure element support is a deprecated feature and needs to be disabled here. + # This is done to have the same form of psa_key_attributes_s for libdriver and library. + scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C } # Keep in sync with component_test_psa_crypto_config_reference_ecdsa_use_psa @@ -2510,7 +2513,7 @@ component_test_psa_crypto_config_accel_pake () { loc_accel_list="ALG_JPAKE" loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) - make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" DEBUG=1 + make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG 
@@ -2522,7 +2525,7 @@ component_test_psa_crypto_config_accel_pake () { scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" - make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" DEBUG=1 + make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" tests/ssl-opt.sh -f "ECJPAKE" From 083745e09739d06ff13975bdfc1721fe4af9205a Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 23 Feb 2023 17:28:23 +0100 Subject: [PATCH 66/75] Fix code style Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 12 ++++++------ library/psa_crypto_pake.c | 4 ++-- tests/include/test/drivers/pake.h | 3 ++- tests/src/drivers/test_driver_pake.c | 2 +- ...t_suite_psa_crypto_driver_wrappers.function | 18 ++++++++++++------ 5 files changed, 23 insertions(+), 16 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 3823f7ad7..4406fcc3b 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7609,9 +7609,9 @@ static psa_status_t psa_jpake_output_epilogue( &operation->computation_stage.jpake; if ((computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 && - computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || + computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || (computation_stage->state == PSA_PAKE_OUTPUT_X2S && - computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { + computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { computation_stage->state = PSA_PAKE_STATE_READY; computation_stage->output_step++; computation_stage->sequence = PSA_PAKE_SEQ_INVALID; 
@@ -7791,9 +7791,9 @@ static psa_status_t psa_jpake_input_epilogue( &operation->computation_stage.jpake; if ((computation_stage->state == PSA_PAKE_INPUT_X1_X2 && - computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || + computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || (computation_stage->state == PSA_PAKE_INPUT_X4S && - computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { + computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { computation_stage->state = PSA_PAKE_STATE_READY; computation_stage->input_step++; computation_stage->sequence = PSA_PAKE_SEQ_INVALID; @@ -7848,7 +7848,7 @@ psa_status_t psa_pake_input( #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) status = psa_driver_wrapper_pake_input(operation, convert_jpake_computation_stage_to_driver_step( - &operation->computation_stage.jpake), + &operation->computation_stage.jpake), input, input_length); #else @@ -7897,7 +7897,7 @@ psa_status_t psa_pake_get_implicit_key( #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { psa_jpake_computation_stage_t *computation_stage = - &operation->computation_stage.jpake; + &operation->computation_stage.jpake; if (computation_stage->input_step != PSA_PAKE_STEP_DERIVE || computation_stage->output_step != PSA_PAKE_STEP_DERIVE) { status = PSA_ERROR_BAD_STATE; diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 929db5919..062d0bb68 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -169,7 +169,7 @@ static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operati { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_ecjpake_role role = (operation->role == PSA_PAKE_ROLE_CLIENT) ? - MBEDTLS_ECJPAKE_CLIENT : MBEDTLS_ECJPAKE_SERVER; + MBEDTLS_ECJPAKE_CLIENT : MBEDTLS_ECJPAKE_SERVER; mbedtls_ecjpake_init(&operation->ctx.pake); 
@@ -220,7 +220,7 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, } status = psa_crypto_driver_pake_get_password(inputs, operation->password, - password_len, &actual_password_len); + password_len, &actual_password_len); if (status != PSA_SUCCESS) { goto error; } diff --git a/tests/include/test/drivers/pake.h b/tests/include/test/drivers/pake.h index 99ca8f275..331ee49da 100644 --- a/tests/include/test/drivers/pake.h +++ b/tests/include/test/drivers/pake.h @@ -48,7 +48,8 @@ typedef struct { size_t forced_output_length; } mbedtls_test_driver_pake_hooks_t; -#define MBEDTLS_TEST_DRIVER_PAKE_INIT { PSA_SUCCESS, PSA_SUCCESS, {0, 0, 0, 0, 0, 0}, PSA_SUCCESS, NULL, 0 } +#define MBEDTLS_TEST_DRIVER_PAKE_INIT { PSA_SUCCESS, PSA_SUCCESS, { 0, 0, 0, 0, 0, 0 }, PSA_SUCCESS, \ + NULL, 0 } static inline mbedtls_test_driver_pake_hooks_t mbedtls_test_driver_pake_hooks_init(void) { diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c index 7eafe14d8..9c7248308 100644 --- a/tests/src/drivers/test_driver_pake.c +++ b/tests/src/drivers/test_driver_pake.c @@ -185,7 +185,7 @@ psa_status_t mbedtls_test_transparent_pake_abort( mbedtls_test_driver_pake_hooks.hits.abort++; #if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ - defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = libtestdriver1_mbedtls_psa_pake_abort( operation); diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index b0aac5357..a32da21ce 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function 
@@ -3050,7 +3050,8 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st /* --- psa_pake_input (driver: setup, input) --- */ mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; mbedtls_test_driver_pake_hooks.forced_status = forced_status; - memset(&mbedtls_test_driver_pake_hooks.hits, 0, sizeof(mbedtls_test_driver_pake_hooks.hits)); + memset(&mbedtls_test_driver_pake_hooks.hits, 0, + sizeof(mbedtls_test_driver_pake_hooks.hits)); TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, input_buffer, size_key_share), expected_status); @@ -3062,7 +3063,8 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st /* --- psa_pake_output (driver: setup, output) --- */ mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; mbedtls_test_driver_pake_hooks.forced_status = forced_status; - memset(&mbedtls_test_driver_pake_hooks.hits, 0, sizeof(mbedtls_test_driver_pake_hooks.hits)); + memset(&mbedtls_test_driver_pake_hooks.hits, 0, + sizeof(mbedtls_test_driver_pake_hooks.hits)); TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, output_buffer, output_size, &output_len), expected_status); @@ -3074,7 +3076,8 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st /* --- psa_pake_input (driver: setup, input, (abort)) --- */ mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; mbedtls_test_driver_pake_hooks.forced_status = forced_status; - memset(&mbedtls_test_driver_pake_hooks.hits, 0, sizeof(mbedtls_test_driver_pake_hooks.hits)); + memset(&mbedtls_test_driver_pake_hooks.hits, 0, + sizeof(mbedtls_test_driver_pake_hooks.hits)); TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, input_buffer, size_key_share), expected_status); 
@@ -3088,7 +3091,8 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st /* --- psa_pake_output (driver: setup, output, (abort)) --- */ mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; mbedtls_test_driver_pake_hooks.forced_status = forced_status; - memset(&mbedtls_test_driver_pake_hooks.hits, 0, sizeof(mbedtls_test_driver_pake_hooks.hits)); + memset(&mbedtls_test_driver_pake_hooks.hits, 0, + sizeof(mbedtls_test_driver_pake_hooks.hits)); if (forced_output->len > 0) { mbedtls_test_driver_pake_hooks.forced_output = forced_output->x; mbedtls_test_driver_pake_hooks.forced_output_length = forced_output->len; @@ -3123,7 +3127,8 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st /* --- psa_pake_get_implicit_key --- */ mbedtls_test_driver_pake_hooks.forced_status = forced_status; - memset(&mbedtls_test_driver_pake_hooks.hits, 0, sizeof(mbedtls_test_driver_pake_hooks.hits)); + memset(&mbedtls_test_driver_pake_hooks.hits, 0, + sizeof(mbedtls_test_driver_pake_hooks.hits)); TEST_EQUAL(psa_pake_get_implicit_key(&operation, &implicit_key), expected_status); TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, 2); @@ -3140,7 +3145,8 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st /* --- psa_pake_abort --- */ mbedtls_test_driver_pake_hooks.forced_status = forced_status; - memset(&mbedtls_test_driver_pake_hooks.hits, 0, sizeof(mbedtls_test_driver_pake_hooks.hits)); + memset(&mbedtls_test_driver_pake_hooks.hits, 0, + sizeof(mbedtls_test_driver_pake_hooks.hits)); TEST_EQUAL(psa_pake_abort(&operation), expected_status); TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total, 1); TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.abort, 1); From d93de32267a8e33d365c8e84d428c767b175a655 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Fri, 24 Feb 2023 08:39:04 +0100 Subject: [PATCH 67/75] Move to computation stage only on successfull setup 
Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 3 +-- library/psa_crypto_pake.c | 8 +++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 4406fcc3b..8752bffe5 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7503,8 +7503,6 @@ static psa_status_t psa_pake_complete_inputs( status = psa_driver_wrapper_pake_setup(operation, &inputs); - operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; - /* Driver is responsible for creating its own copy of the password. */ mbedtls_platform_zeroize(inputs.password, inputs.password_len); mbedtls_free(inputs.password); @@ -7512,6 +7510,7 @@ static psa_status_t psa_pake_complete_inputs( if (status == PSA_SUCCESS) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { + operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; psa_jpake_computation_stage_t *computation_stage = &operation->computation_stage.jpake; computation_stage->state = PSA_PAKE_STATE_READY; diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 062d0bb68..63d08303d 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -257,9 +257,11 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, { status = PSA_ERROR_NOT_SUPPORTED; } error: - /* When driver fails with PSA_ERROR_NOT_SUPPORTED the built-in implementation is executed (if available) - and it will reallocate the password leading to the memory leak. - Call abort explicitly to clean up allocated memory for password on failure. */ + /* In case of failure of the setup of a multipart operation, the PSA driver interface + * specifies that the core does not call any other driver entry point thus does not + * call mbedtls_psa_pake_abort(). Therefore call it here to do the needed clean + * up like freeing the memory that may have been allocated to store the password. + */ mbedtls_psa_pake_abort(operation); return status; } 
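Review bot: In `psa_pake_complete_inputs` the transition to `PSA_PAKE_OPERATION_STAGE_COMPUTATION` now sits inside `#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)` and the `operation->alg == PSA_ALG_JPAKE` branch, so a build where J-PAKE is provided only by an accelerator driver would appear to leave a successfully set-up operation in the input-collection stage. Removing the unconditional assignment in the previous hunk handles the failed-setup case, but the success case should not depend on the built-in implementation being compiled in. Either guard this block on the `PSA_WANT_ALG_JPAKE` option, or place `operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION;` directly under `if (status == PSA_SUCCESS) {`, ahead of the `#if`. The rest of the function, including whatever follows the `#if` block, is outside the hunk, so confirm that no other path is expected to set the stage.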
From 6f2d1f419a700cf10fd4898eafde5c2cc7e78091 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Fri, 24 Feb 2023 08:41:39 +0100 Subject: [PATCH 68/75] Further pake tests optimizations Signed-off-by: Przemek Stekiel --- ..._suite_psa_crypto_driver_wrappers.function | 10 +- tests/suites/test_suite_psa_crypto_pake.data | 31 ++-- .../test_suite_psa_crypto_pake.function | 136 ++++++++++++------ 3 files changed, 119 insertions(+), 58 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index a32da21ce..6522fe5d0 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -3050,8 +3050,6 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st /* --- psa_pake_input (driver: setup, input) --- */ mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; mbedtls_test_driver_pake_hooks.forced_status = forced_status; - memset(&mbedtls_test_driver_pake_hooks.hits, 0, - sizeof(mbedtls_test_driver_pake_hooks.hits)); TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, input_buffer, size_key_share), expected_status); @@ -3063,8 +3061,6 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st /* --- psa_pake_output (driver: setup, output) --- */ mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; mbedtls_test_driver_pake_hooks.forced_status = forced_status; - memset(&mbedtls_test_driver_pake_hooks.hits, 0, - sizeof(mbedtls_test_driver_pake_hooks.hits)); TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, output_buffer, output_size, &output_len), expected_status); 
@@ -3073,11 +3069,9 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st break; case 2: /* input */ - /* --- psa_pake_input (driver: setup, input, (abort)) --- */ + /* --- psa_pake_input (driver: setup, input, abort) --- */ mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; mbedtls_test_driver_pake_hooks.forced_status = forced_status; - memset(&mbedtls_test_driver_pake_hooks.hits, 0, - sizeof(mbedtls_test_driver_pake_hooks.hits)); TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, input_buffer, size_key_share), expected_status); @@ -3091,8 +3085,6 @@ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_st /* --- psa_pake_output (driver: setup, output, (abort)) --- */ mbedtls_test_driver_pake_hooks.forced_setup_status = forced_status_setup; mbedtls_test_driver_pake_hooks.forced_status = forced_status; - memset(&mbedtls_test_driver_pake_hooks.hits, 0, - sizeof(mbedtls_test_driver_pake_hooks.hits)); if (forced_output->len > 0) { mbedtls_test_driver_pake_hooks.forced_output = forced_output->x; mbedtls_test_driver_pake_hooks.forced_output_length = forced_output->len; diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data index 3be249fda..1a25a8c71 100644 --- a/tests/suites/test_suite_psa_crypto_pake.data +++ b/tests/suites/test_suite_psa_crypto_pake.data 
@@ -194,14 +194,29 @@ PSA PAKE: ecjpake size macros depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256 ecjpake_size_macros: -PSA PAKE: input getters: ok #1 -pake_input_getters:"aabbccddee":PSA_PAKE_ROLE_SERVER:5:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS +PSA PAKE: input getters password: ok #1 +pake_input_getters_password:"aabbccddee":5:PSA_SUCCESS:PSA_SUCCESS -PSA PAKE: input getters: ok #2 -pake_input_getters:"ddccbbaa":PSA_PAKE_ROLE_CLIENT:5:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_512:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS +PSA PAKE: input getters password: ok #2 +pake_input_getters_password:"11223344556677889900":10:PSA_SUCCESS:PSA_SUCCESS -PSA PAKE: input getters: buffer for password to small -pake_input_getters:"aabbccddee":PSA_PAKE_ROLE_SERVER:4:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ERROR_BUFFER_TOO_SMALL:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS +PSA PAKE: input getters password: buffer to small +pake_input_getters_password:"aabbccddee":4:PSA_ERROR_BUFFER_TOO_SMALL:PSA_SUCCESS -PSA PAKE: input getters: inputs not ready -pake_input_getters:"":0:5:0:0:0:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE +PSA PAKE: input getters password: not set +pake_input_getters_password:"":0:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE + +PSA PAKE: input getters cipher suite: ok +pake_input_getters_cipher_suite:PSA_SUCCESS:1 + +PSA PAKE: input getters cipher suite: not set +pake_input_getters_cipher_suite:PSA_ERROR_BAD_STATE:0 + +PSA PAKE: input getters role client: ok +pake_input_getters_role:PSA_PAKE_ROLE_CLIENT:PSA_SUCCESS + +PSA PAKE: input getters role server: ok +pake_input_getters_role:PSA_PAKE_ROLE_SERVER:PSA_SUCCESS + +PSA PAKE: input getters role: not set 
+pake_input_getters_role:PSA_PAKE_ROLE_NONE:PSA_ERROR_BAD_STATE diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index 1c3b3289a..3bb441fb6 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function 
@@ -909,71 +909,54 @@ void ecjpake_size_macros() } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PSA_BUILTIN_ALG_JPAKE */ -void pake_input_getters(data_t *password, int role_arg, int password_buffer_size, - int alg_arg, int primitive_arg, int hash_arg, - int expected_status_pass, int expected_status_pass_len, - int expected_status_role, int expected_status_cs) +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ +void pake_input_getters_password(data_t *password, int password_buffer_size, + int expected_status_pass, int expected_status_pass_len) { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); psa_pake_operation_t operation = psa_pake_operation_init(); - psa_pake_role_t role = role_arg; - psa_algorithm_t alg = alg_arg; mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_pake_role_t role_ret = PSA_PAKE_ROLE_NONE; uint8_t password_ret[20] = { 0 }; // max key length is 20 bytes size_t password_len_ret = 0; - psa_pake_cipher_suite_t cipher_suite_ret = psa_pake_cipher_suite_init(); size_t buffer_len_ret = 0; + psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( + PSA_PAKE_PRIMITIVE_TYPE_ECC, + PSA_ECC_FAMILY_SECP_R1, 256); + PSA_INIT(); - /* alg equal to 0 indicates case when inputs are not set yet. 
*/ - if (alg != 0) { - psa_pake_cs_set_algorithm(&cipher_suite, alg); - psa_pake_cs_set_primitive(&cipher_suite, primitive_arg); - psa_pake_cs_set_hash(&cipher_suite, hash_arg); + psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); + psa_pake_cs_set_primitive(&cipher_suite, primitive); + psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); - psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); - psa_set_key_algorithm(&attributes, alg); - psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); + psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE); + psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); + PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); + + if (password_buffer_size > 0) { PSA_ASSERT(psa_import_key(&attributes, password->x, password->len, &key)); - - PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); PSA_ASSERT(psa_pake_set_password_key(&operation, key)); - PSA_ASSERT(psa_pake_set_role(&operation, role)); } TEST_EQUAL(psa_crypto_driver_pake_get_password_len(&operation.data.inputs, &password_len_ret), expected_status_pass_len); - TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, - (uint8_t *) &password_ret, - password_buffer_size, &buffer_len_ret), - expected_status_pass); - - TEST_EQUAL(psa_crypto_driver_pake_get_role(&operation.data.inputs, &role_ret), - expected_status_role); - - TEST_EQUAL(psa_crypto_driver_pake_get_cipher_suite(&operation.data.inputs, &cipher_suite_ret), - expected_status_cs); - if (expected_status_pass_len == PSA_SUCCESS) { TEST_EQUAL(password_len_ret, password->len); - } - if (expected_status_pass == PSA_SUCCESS) { - PSA_ASSERT(memcmp(password_ret, password->x, password->len)); - } + TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, + (uint8_t *) &password_ret, + password_buffer_size, &buffer_len_ret), + expected_status_pass); - if (expected_status_role == PSA_SUCCESS) { - TEST_EQUAL(role_ret, role); - } - - 
if (expected_status_pass == PSA_SUCCESS) { - PSA_ASSERT(memcmp(&cipher_suite_ret, &cipher_suite, sizeof(cipher_suite))); + if (expected_status_pass == PSA_SUCCESS) { + TEST_EQUAL(buffer_len_ret, password->len); + PSA_ASSERT(memcmp(password_ret, password->x, buffer_len_ret)); + } } exit: 
@@ -982,3 +965,74 @@ exit: PSA_DONE(); } /* END_CASE */ + +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ +void pake_input_getters_cipher_suite(int expected_status, int setup_done) +{ + psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); + psa_pake_operation_t operation = psa_pake_operation_init(); + psa_pake_cipher_suite_t cipher_suite_ret = psa_pake_cipher_suite_init(); + + psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( + PSA_PAKE_PRIMITIVE_TYPE_ECC, + PSA_ECC_FAMILY_SECP_R1, 256); + + PSA_INIT(); + + if (setup_done == 1) { + psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); + psa_pake_cs_set_primitive(&cipher_suite, primitive); + psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); + + PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); + } + + TEST_EQUAL(psa_crypto_driver_pake_get_cipher_suite(&operation.data.inputs, &cipher_suite_ret), + expected_status); + + if (expected_status == PSA_SUCCESS) { + PSA_ASSERT(memcmp(&cipher_suite_ret, &cipher_suite, sizeof(cipher_suite))); + } + +exit: + PSA_ASSERT(psa_pake_abort(&operation)); + PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ +void pake_input_getters_role(int role_arg, int expected_status) +{ + psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); + psa_pake_operation_t operation = psa_pake_operation_init(); + psa_pake_role_t role_ret = PSA_PAKE_ROLE_NONE; + psa_pake_role_t role = role_arg; + + psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( + PSA_PAKE_PRIMITIVE_TYPE_ECC, + PSA_ECC_FAMILY_SECP_R1, 256); + + PSA_INIT(); + + psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); + psa_pake_cs_set_primitive(&cipher_suite, primitive); + psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); + + PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); + + if (role != PSA_PAKE_ROLE_NONE) { + PSA_ASSERT(psa_pake_set_role(&operation, role)); + } + + TEST_EQUAL(psa_crypto_driver_pake_get_role(&operation.data.inputs, &role_ret), + 
expected_status); + + if (expected_status == PSA_SUCCESS) { + TEST_EQUAL(role_ret, role); + } + +exit: + PSA_ASSERT(psa_pake_abort(&operation)); + PSA_DONE(); +} +/* END_CASE */ From f5dcb8886a24128bedd99ef24c5562a21f68eba6 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 27 Feb 2023 07:53:14 +0100 Subject: [PATCH 69/75] Rework pake input getters tests Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_psa_crypto_pake.data | 30 ++---- .../test_suite_psa_crypto_pake.function | 91 ++++++++++--------- 2 files changed, 54 insertions(+), 67 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data index 1a25a8c71..7640e3a89 100644 --- a/tests/suites/test_suite_psa_crypto_pake.data +++ b/tests/suites/test_suite_psa_crypto_pake.data 
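Review bot: The cleanup added under `exit:` in `pake_input_getters_cipher_suite` and `pake_input_getters_role` is `PSA_ASSERT(psa_pake_abort(&operation));`, and the test macros presumably jump to `exit` on failure, so a failing abort would re-enter the label it is already executing. Cleanup after `exit:` is safer without asserting macros: a plain `psa_pake_abort(&operation);` followed by `PSA_DONE();`. If the abort status is itself something the test wants to verify, check it with `PSA_ASSERT` before the label.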
@@ -194,29 +194,11 @@ PSA PAKE: ecjpake size macros depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256 ecjpake_size_macros: -PSA PAKE: input getters password: ok #1 -pake_input_getters_password:"aabbccddee":5:PSA_SUCCESS:PSA_SUCCESS +PSA PAKE: input getters: password +pake_input_getters_password -PSA PAKE: input getters password: ok #2 -pake_input_getters_password:"11223344556677889900":10:PSA_SUCCESS:PSA_SUCCESS +PSA PAKE: input getters: cipher suite +pake_input_getters_cipher_suite -PSA PAKE: input getters password: buffer to small -pake_input_getters_password:"aabbccddee":4:PSA_ERROR_BUFFER_TOO_SMALL:PSA_SUCCESS - -PSA PAKE: input getters password: not set -pake_input_getters_password:"":0:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE - -PSA PAKE: input getters cipher suite: ok -pake_input_getters_cipher_suite:PSA_SUCCESS:1 - -PSA PAKE: input getters cipher suite: not set -pake_input_getters_cipher_suite:PSA_ERROR_BAD_STATE:0 - -PSA PAKE: input getters role client: ok -pake_input_getters_role:PSA_PAKE_ROLE_CLIENT:PSA_SUCCESS - -PSA PAKE: input getters role server: ok -pake_input_getters_role:PSA_PAKE_ROLE_SERVER:PSA_SUCCESS - -PSA PAKE: input getters role: not set -pake_input_getters_role:PSA_PAKE_ROLE_NONE:PSA_ERROR_BAD_STATE +PSA PAKE: input getters: role +pake_input_getters_role diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index 3bb441fb6..f094eb977 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function 
@@ -909,14 +909,14 @@ void ecjpake_size_macros() } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ -void pake_input_getters_password(data_t *password, int password_buffer_size, - int expected_status_pass, int expected_status_pass_len) +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE:PSA_ALG_SHA_256 */ +void pake_input_getters_password() { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); psa_pake_operation_t operation = psa_pake_operation_init(); mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + const char *password = "password"; uint8_t password_ret[20] = { 0 }; // max key length is 20 bytes size_t password_len_ret = 0; size_t buffer_len_ret = 0; 
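Review bot: The dependency `PSA_ALG_SHA_256` added to the `BEGIN_CASE depends_on` line is the algorithm identifier rather than a configuration option, so it is presumably always defined and the case will not be skipped in a build without SHA-256. The configuration symbol is `PSA_WANT_ALG_SHA_256`, so the header should read `/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE:PSA_WANT_ALG_SHA_256 */`. The same header is added for `pake_input_getters_cipher_suite` and `pake_input_getters_role` in the later hunks of this file and needs the same change.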
@@ -937,28 +937,37 @@ void pake_input_getters_password(data_t *password, int password_buffer_size, PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); - if (password_buffer_size > 0) { - PSA_ASSERT(psa_import_key(&attributes, password->x, password->len, &key)); - PSA_ASSERT(psa_pake_set_password_key(&operation, key)); - } + PSA_ASSERT(psa_import_key(&attributes, (uint8_t *) password, strlen(password), &key)); + + TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, + (uint8_t *) &password_ret, + 10, &buffer_len_ret), + PSA_ERROR_BAD_STATE); TEST_EQUAL(psa_crypto_driver_pake_get_password_len(&operation.data.inputs, &password_len_ret), - expected_status_pass_len); + PSA_ERROR_BAD_STATE); - if (expected_status_pass_len == PSA_SUCCESS) { - TEST_EQUAL(password_len_ret, password->len); + PSA_ASSERT(psa_pake_set_password_key(&operation, key)); - TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, - (uint8_t *) &password_ret, - password_buffer_size, &buffer_len_ret), - expected_status_pass); + TEST_EQUAL(psa_crypto_driver_pake_get_password_len(&operation.data.inputs, &password_len_ret), + PSA_SUCCESS); - if (expected_status_pass == PSA_SUCCESS) { - TEST_EQUAL(buffer_len_ret, password->len); - PSA_ASSERT(memcmp(password_ret, password->x, buffer_len_ret)); - } - } + TEST_EQUAL(password_len_ret, strlen(password)); + TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, + (uint8_t *) &password_ret, + password_len_ret - 1, + &buffer_len_ret), + PSA_ERROR_BUFFER_TOO_SMALL); + + TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, + (uint8_t *) &password_ret, + password_len_ret, + &buffer_len_ret), + PSA_SUCCESS); + + TEST_EQUAL(buffer_len_ret, strlen(password)); + PSA_ASSERT(memcmp(password_ret, password, buffer_len_ret)); exit: PSA_ASSERT(psa_destroy_key(key)); PSA_ASSERT(psa_pake_abort(&operation)); 
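Review bot: `PSA_ASSERT(memcmp(password_ret, password, buffer_len_ret));` passes only because a match returns 0, which happens to equal `PSA_SUCCESS`; `memcmp` does not return a PSA status, so a mismatch would presumably be reported as if it were a status code. The driver-wrapper suite in this series already writes the same check as `TEST_EQUAL(memcmp(...), 0)`, so `TEST_EQUAL(memcmp(password_ret, password, buffer_len_ret), 0);` would be consistent. The first `psa_crypto_driver_pake_get_password` call also passes a bare `10` as the buffer size; `sizeof(password_ret)` would state the intent and stay correct if the array changes. The function body starts and ends outside this hunk.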
@@ -966,8 +975,8 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ -void pake_input_getters_cipher_suite(int expected_status, int setup_done) +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE:PSA_ALG_SHA_256 */ +void pake_input_getters_cipher_suite() { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); psa_pake_operation_t operation = psa_pake_operation_init(); @@ -979,20 +988,19 @@ void pake_input_getters_cipher_suite(int expected_status, int setup_done) PSA_INIT(); - if (setup_done == 1) { - psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); - psa_pake_cs_set_primitive(&cipher_suite, primitive); - psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); - - PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); - } + psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); + psa_pake_cs_set_primitive(&cipher_suite, primitive); + psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); TEST_EQUAL(psa_crypto_driver_pake_get_cipher_suite(&operation.data.inputs, &cipher_suite_ret), - expected_status); + PSA_ERROR_BAD_STATE); - if (expected_status == PSA_SUCCESS) { - PSA_ASSERT(memcmp(&cipher_suite_ret, &cipher_suite, sizeof(cipher_suite))); - } + PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); + + TEST_EQUAL(psa_crypto_driver_pake_get_cipher_suite(&operation.data.inputs, &cipher_suite_ret), + PSA_SUCCESS); + + PSA_ASSERT(memcmp(&cipher_suite_ret, &cipher_suite, sizeof(cipher_suite))); exit: PSA_ASSERT(psa_pake_abort(&operation)); 
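Review bot: In `pake_input_getters_cipher_suite`, `PSA_ASSERT(memcmp(&cipher_suite_ret, &cipher_suite, sizeof(cipher_suite)));` compares the two structures byte for byte, so any padding inside `psa_pake_cipher_suite_t` would take part in the comparison; the layout is not visible here, so this may be benign today. Comparing through the accessors checks exactly what the getter is meant to return and gives a readable failure, e.g. `TEST_EQUAL(psa_pake_cs_get_algorithm(&cipher_suite_ret), PSA_ALG_JPAKE);`, and likewise for the primitive and the hash. If the byte comparison is kept, `TEST_EQUAL(memcmp(...), 0)` states the intent better than `PSA_ASSERT`, since the result is not a PSA status.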
@@ -1000,13 +1008,12 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ -void pake_input_getters_role(int role_arg, int expected_status) +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE:PSA_ALG_SHA_256 */ +void pake_input_getters_role() { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); psa_pake_operation_t operation = psa_pake_operation_init(); psa_pake_role_t role_ret = PSA_PAKE_ROLE_NONE; - psa_pake_role_t role = role_arg; psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC, @@ -1020,17 +1027,15 @@ void pake_input_getters_role(int role_arg, int expected_status) PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); - if (role != PSA_PAKE_ROLE_NONE) { - PSA_ASSERT(psa_pake_set_role(&operation, role)); - } + TEST_EQUAL(psa_crypto_driver_pake_get_role(&operation.data.inputs, &role_ret), + PSA_ERROR_BAD_STATE); + + PSA_ASSERT(psa_pake_set_role(&operation, PSA_PAKE_ROLE_SERVER)); TEST_EQUAL(psa_crypto_driver_pake_get_role(&operation.data.inputs, &role_ret), - expected_status); - - if (expected_status == PSA_SUCCESS) { - TEST_EQUAL(role_ret, role); - } + PSA_SUCCESS); + TEST_EQUAL(role_ret, PSA_PAKE_ROLE_SERVER); exit: PSA_ASSERT(psa_pake_abort(&operation)); PSA_DONE(); From e3ef3a15cd472bdad2d57938a4a1a7855a190259 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 27 Feb 2023 10:20:06 +0100 Subject: [PATCH 70/75] Further pake code optimizations Signed-off-by: Przemek Stekiel --- include/psa/crypto_builtin_composites.h | 2 +- library/psa_crypto.c | 78 ++++++++++--------------- library/psa_crypto_pake.c | 35 +++++------ 3 files changed, 48 insertions(+), 67 deletions(-) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index f331ec5f4..932c50366 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h 
@@ -208,7 +208,7 @@ typedef struct { union { unsigned int MBEDTLS_PRIVATE(dummy); #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) - mbedtls_ecjpake_context MBEDTLS_PRIVATE(pake); + mbedtls_ecjpake_context MBEDTLS_PRIVATE(jpake); #endif } MBEDTLS_PRIVATE(ctx); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 8752bffe5..1611fc9c4 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7238,7 +7238,6 @@ psa_status_t psa_pake_setup( const psa_pake_cipher_suite_t *cipher_suite) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; if (operation->stage != PSA_PAKE_OPERATION_STAGE_SETUP) { status = PSA_ERROR_BAD_STATE; @@ -7266,8 +7265,7 @@ psa_status_t psa_pake_setup( computation_stage->input_step = PSA_PAKE_STEP_X1_X2; computation_stage->output_step = PSA_PAKE_STEP_X1_X2; } else -#else -#endif +#endif /* PSA_WANT_ALG_JPAKE */ { status = PSA_ERROR_NOT_SUPPORTED; goto exit; @@ -7277,8 +7275,8 @@ psa_status_t psa_pake_setup( return PSA_SUCCESS; exit: - abort_status = psa_pake_abort(operation); - return status == PSA_SUCCESS ? abort_status : status; + psa_pake_abort(operation); + return status; } psa_status_t psa_pake_set_password_key( @@ -7287,7 +7285,6 @@ psa_status_t psa_pake_set_password_key( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; - psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot = NULL; if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { 
@@ -7323,15 +7320,12 @@ psa_status_t psa_pake_set_password_key( memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes); operation->data.inputs.password_len = slot->key.bytes; operation->data.inputs.attributes = attributes; - - unlock_status = psa_unlock_key_slot(slot); - - return unlock_status; exit: + if (status != PSA_SUCCESS) { + psa_pake_abort(operation); + } unlock_status = psa_unlock_key_slot(slot); - abort_status = psa_pake_abort(operation); - status = (status == PSA_SUCCESS) ? unlock_status : status; - return (status == PSA_SUCCESS) ? abort_status : status; + return (status == PSA_SUCCESS) ? unlock_status : status; } psa_status_t psa_pake_set_user( @@ -7340,7 +7334,6 @@ psa_status_t psa_pake_set_user( size_t user_id_len) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; (void) user_id; if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { @@ -7355,8 +7348,8 @@ psa_status_t psa_pake_set_user( return PSA_ERROR_NOT_SUPPORTED; exit: - abort_status = psa_pake_abort(operation); - return status == PSA_SUCCESS ? abort_status : status; + psa_pake_abort(operation); + return status; } psa_status_t psa_pake_set_peer( @@ -7365,7 +7358,6 @@ psa_status_t psa_pake_set_peer( size_t peer_id_len) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; (void) peer_id; if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { @@ -7380,8 +7372,8 @@ psa_status_t psa_pake_set_peer( return PSA_ERROR_NOT_SUPPORTED; exit: - abort_status = psa_pake_abort(operation); - return status == PSA_SUCCESS ? abort_status : status; + psa_pake_abort(operation); + return status; } psa_status_t psa_pake_set_role( 
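Review bot: In psa_pake_set_password_key the new `exit:` block aborts the operation only when `status` is already an error. If `psa_unlock_key_slot(slot)` fails on the otherwise successful path, the function returns an error while the password copied into `operation->data.inputs` stays in place until the caller aborts. The other setters in this commit abort on every error return, so folding the unlock result in before the check keeps that uniform: `unlock_status = psa_unlock_key_slot(slot);`, then `if (status == PSA_SUCCESS) { status = unlock_status; }`, then `if (status != PSA_SUCCESS) { psa_pake_abort(operation); }`. The label is also reached from the stage check, where `slot` is still NULL, so a short comment stating whether `psa_unlock_key_slot` accepts NULL would help. The start of the function is outside the hunk.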
@@ -7389,7 +7381,6 @@ psa_status_t psa_pake_set_role( psa_pake_role_t role) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { status = PSA_ERROR_BAD_STATE; @@ -7409,8 +7400,8 @@ psa_status_t psa_pake_set_role( return PSA_SUCCESS; exit: - abort_status = psa_pake_abort(operation); - return status == PSA_SUCCESS ? abort_status : status; + psa_pake_abort(operation); + return status; } /* Auxiliary function to convert core computation stage(step, sequence, state) to single driver step. */ @@ -7477,7 +7468,7 @@ static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_s } return PSA_JPAKE_STEP_INVALID; } -#endif +#endif /* PSA_WANT_ALG_JPAKE */ static psa_status_t psa_pake_complete_inputs( psa_pake_operation_t *operation) @@ -7518,7 +7509,7 @@ static psa_status_t psa_pake_complete_inputs( computation_stage->input_step = PSA_PAKE_STEP_X1_X2; computation_stage->output_step = PSA_PAKE_STEP_X1_X2; } else -#endif +#endif /* PSA_WANT_ALG_JPAKE */ { status = PSA_ERROR_NOT_SUPPORTED; } @@ -7598,9 +7589,7 @@ static psa_status_t psa_jpake_output_prologue( return PSA_SUCCESS; } -#endif -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) static psa_status_t psa_jpake_output_epilogue( psa_pake_operation_t *operation) { @@ -7620,7 +7609,7 @@ static psa_status_t psa_jpake_output_epilogue( return PSA_SUCCESS; } -#endif +#endif /* PSA_WANT_ALG_JPAKE */ psa_status_t psa_pake_output( psa_pake_operation_t *operation, @@ -7630,7 +7619,6 @@ psa_status_t psa_pake_output( size_t *output_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; *output_length = 0; if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { 
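Review bot: The `#endif /* PSA_WANT_ALG_JPAKE */` comments added in these hunks name a different macro from the guard they close. Where the opening line is visible, as for psa_jpake_output_epilogue and psa_jpake_input_prologue, the block is opened with `#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)` at this commit. The comment should read `#endif /* MBEDTLS_PSA_BUILTIN_ALG_JPAKE */` so that a reader checking which configurations compile the J-PAKE state machine is not misled. The same comment is added in the psa_pake_setup, psa_pake_output, psa_pake_input and psa_pake_get_implicit_key hunks.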
@@ -7658,7 +7646,7 @@ psa_status_t psa_pake_output( goto exit; } break; -#endif +#endif /* PSA_WANT_ALG_JPAKE */ default: (void) step; status = PSA_ERROR_NOT_SUPPORTED; @@ -7675,7 +7663,7 @@ psa_status_t psa_pake_output( #else (void) output; status = PSA_ERROR_NOT_SUPPORTED; -#endif +#endif /* PSA_WANT_ALG_JPAKE */ if (status != PSA_SUCCESS) { goto exit; @@ -7689,7 +7677,7 @@ psa_status_t psa_pake_output( goto exit; } break; -#endif +#endif /* PSA_WANT_ALG_JPAKE */ default: status = PSA_ERROR_NOT_SUPPORTED; goto exit; @@ -7697,8 +7685,8 @@ psa_status_t psa_pake_output( return PSA_SUCCESS; exit: - abort_status = psa_pake_abort(operation); - return status == PSA_SUCCESS ? abort_status : status; + psa_pake_abort(operation); + return status; } #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) @@ -7780,9 +7768,7 @@ static psa_status_t psa_jpake_input_prologue( return PSA_SUCCESS; } -#endif -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) static psa_status_t psa_jpake_input_epilogue( psa_pake_operation_t *operation) { @@ -7802,7 +7788,7 @@ static psa_status_t psa_jpake_input_epilogue( return PSA_SUCCESS; } -#endif +#endif /* PSA_WANT_ALG_JPAKE */ psa_status_t psa_pake_input( psa_pake_operation_t *operation, @@ -7811,7 +7797,6 @@ psa_status_t psa_pake_input( size_t input_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { status = psa_pake_complete_inputs(operation); @@ -7838,10 +7823,11 @@ psa_status_t psa_pake_input( goto exit; } break; -#endif +#endif /* PSA_WANT_ALG_JPAKE */ default: (void) step; - return PSA_ERROR_NOT_SUPPORTED; + status = PSA_ERROR_NOT_SUPPORTED; + goto exit; } #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) @@ -7853,7 +7839,7 @@ psa_status_t psa_pake_input( #else (void) input; status = PSA_ERROR_NOT_SUPPORTED; -#endif +#endif /* PSA_WANT_ALG_JPAKE */ if (status != PSA_SUCCESS) { goto exit; 
@@ -7867,7 +7853,7 @@ psa_status_t psa_pake_input( goto exit; } break; -#endif +#endif /* PSA_WANT_ALG_JPAKE */ default: status = PSA_ERROR_NOT_SUPPORTED; goto exit; @@ -7875,8 +7861,8 @@ psa_status_t psa_pake_input( return PSA_SUCCESS; exit: - abort_status = psa_pake_abort(operation); - return status == PSA_SUCCESS ? abort_status : status; + psa_pake_abort(operation); + return status; } psa_status_t psa_pake_get_implicit_key( @@ -7903,9 +7889,7 @@ psa_status_t psa_pake_get_implicit_key( goto exit; } } else -#else - -#endif +#endif /* PSA_WANT_ALG_JPAKE */ { status = PSA_ERROR_NOT_SUPPORTED; goto exit; @@ -7925,7 +7909,7 @@ psa_status_t psa_pake_get_implicit_key( shared_key, shared_key_len); - mbedtls_platform_zeroize(shared_key, MBEDTLS_PSA_JPAKE_BUFFER_SIZE); + mbedtls_platform_zeroize(shared_key, sizeof(shared_key)); exit: abort_status = psa_pake_abort(operation); return status == PSA_SUCCESS ? abort_status : status; diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 63d08303d..c6f9e895b 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -171,9 +171,9 @@ static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operati mbedtls_ecjpake_role role = (operation->role == PSA_PAKE_ROLE_CLIENT) ? MBEDTLS_ECJPAKE_CLIENT : MBEDTLS_ECJPAKE_SERVER; - mbedtls_ecjpake_init(&operation->ctx.pake); + mbedtls_ecjpake_init(&operation->ctx.jpake); - ret = mbedtls_ecjpake_setup(&operation->ctx.pake, + ret = mbedtls_ecjpake_setup(&operation->ctx.jpake, role, MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, 
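Review bot: In psa_pake_get_implicit_key the wipe `mbedtls_platform_zeroize(shared_key, sizeof(shared_key));` sits above the `exit:` label, so any `goto exit` taken after `shared_key` has been written would skip it. The part of the function between the two hunks is not shown, so this needs checking against the full body. Moving the call below the label, `exit: mbedtls_platform_zeroize(shared_key, sizeof(shared_key));`, makes the wipe unconditional. The switch to `sizeof(shared_key)` is also only correct while `shared_key` is an array declared in this function, and that declaration is outside the hunk. A one-line comment there saying that the wipe depends on the array type would protect against a later change to a pointer.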
@@ -295,9 +295,9 @@ static psa_status_t mbedtls_psa_pake_output_internal( if (operation->alg == PSA_ALG_JPAKE) { /* Initialize & write round on KEY_SHARE sequences */ if (step == PSA_JPAKE_X1_STEP_KEY_SHARE) { - ret = mbedtls_ecjpake_write_round_one(&operation->ctx.pake, + ret = mbedtls_ecjpake_write_round_one(&operation->ctx.jpake, operation->buffer, - MBEDTLS_PSA_JPAKE_BUFFER_SIZE, + sizeof(operation->buffer), &operation->buffer_length, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); @@ -307,9 +307,9 @@ static psa_status_t mbedtls_psa_pake_output_internal( operation->buffer_offset = 0; } else if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE) { - ret = mbedtls_ecjpake_write_round_two(&operation->ctx.pake, + ret = mbedtls_ecjpake_write_round_two(&operation->ctx.jpake, operation->buffer, - MBEDTLS_PSA_JPAKE_BUFFER_SIZE, + sizeof(operation->buffer), &operation->buffer_length, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); @@ -359,7 +359,7 @@ static psa_status_t mbedtls_psa_pake_output_internal( /* Reset buffer after ZK_PROOF sequence */ if ((step == PSA_JPAKE_X2_STEP_ZK_PROOF) || (step == PSA_JPAKE_X2S_STEP_ZK_PROOF)) { - mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_JPAKE_BUFFER_SIZE); + mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer)); operation->buffer_length = 0; operation->buffer_offset = 0; } 
@@ -446,22 +446,22 @@ static psa_status_t mbedtls_psa_pake_input_internal( /* Load buffer at each last round ZK_PROOF */ if (step == PSA_JPAKE_X2_STEP_ZK_PROOF) { - ret = mbedtls_ecjpake_read_round_one(&operation->ctx.pake, + ret = mbedtls_ecjpake_read_round_one(&operation->ctx.jpake, operation->buffer, operation->buffer_length); - mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_JPAKE_BUFFER_SIZE); + mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer)); operation->buffer_length = 0; if (ret != 0) { return mbedtls_ecjpake_to_psa_error(ret); } } else if (step == PSA_JPAKE_X4S_STEP_ZK_PROOF) { - ret = mbedtls_ecjpake_read_round_two(&operation->ctx.pake, + ret = mbedtls_ecjpake_read_round_two(&operation->ctx.jpake, operation->buffer, operation->buffer_length); - mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_JPAKE_BUFFER_SIZE); + mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer)); operation->buffer_length = 0; if (ret != 0) { @@ -499,19 +499,16 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { - ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.pake, - operation->buffer, + ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.jpake, + output, output_size, - &operation->buffer_length, + output_length, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); if (ret != 0) { return mbedtls_ecjpake_to_psa_error(ret); } - memcpy(output, operation->buffer, operation->buffer_length); - *output_length = operation->buffer_length; - return PSA_SUCCESS; } else #else 
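Review bot: mbedtls_psa_pake_get_implicit_key now has `mbedtls_ecjpake_write_shared_key` write the secret straight into the caller's `output`, so the zeroize of `operation->buffer` in mbedtls_psa_pake_abort no longer covers that material. On the error return, `output` and `*output_length` are left in whatever state the callee left them. That contract is worth stating at the call, for example `/* The shared secret goes directly into the caller's buffer; the caller must wipe it, including on error. */`. The function starts and ends outside the hunk.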
@@ -530,10 +527,10 @@ psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation) #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { operation->role = PSA_PAKE_ROLE_NONE; - mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_JPAKE_BUFFER_SIZE); + mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer)); operation->buffer_length = 0; operation->buffer_offset = 0; - mbedtls_ecjpake_free(&operation->ctx.pake); + mbedtls_ecjpake_free(&operation->ctx.jpake); } #endif From 4dc83d40af813fd7036198248722864c89f56c1f Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 27 Feb 2023 11:49:35 +0100 Subject: [PATCH 71/75] Add check for pake operation buffer overflow Signed-off-by: Przemek Stekiel --- docs/proposed/psa-driver-interface.md | 4 ++++ library/psa_crypto_pake.c | 15 +++++++++++++++ library/psa_crypto_pake.h | 6 ++++++ 3 files changed, 25 insertions(+) diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md index ac6b8ded7..c00796a49 100644 --- a/docs/proposed/psa-driver-interface.md +++ b/docs/proposed/psa-driver-interface.md @@ -458,6 +458,10 @@ For `PSA_ALG_JPAKE` the following steps are available for input operation: * `PSA_JPAKE_X4S_STEP_ZK_PUBLIC`    Round 2: input Schnorr NIZKP public key for the X4S key * `PSA_JPAKE_X4S_STEP_ZK_PROOF`     Round 2: input Schnorr NIZKP proof for the X4S key +The core has checked that input_length is smaller than PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, primitive, step) +where primitive is the JPAKE algorithm primitive and step the PSA API level input step. +Thus no risk of integer overflow while checking operation buffer overflow. + ### PAKE driver get implicit key ``` diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index c6f9e895b..538df8744 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c 
@@ -430,11 +430,26 @@ static psa_status_t mbedtls_psa_pake_input_internal( 3, /* named_curve */ 0, 23 /* secp256r1 */ }; + + if (operation->buffer_length + sizeof(ecparameters) > sizeof(operation->buffer)) { + return PSA_ERROR_BUFFER_TOO_SMALL; + } + memcpy(operation->buffer + operation->buffer_length, ecparameters, sizeof(ecparameters)); operation->buffer_length += sizeof(ecparameters); } + /* + * The core has checked that input_length is smaller than + * PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, primitive, step) + * where primitive is the JPAKE algorithm primitive and step + * the PSA API level input step. Thus no risk of integer overflow here. + */ + if (operation->buffer_length + input_length + 1 > sizeof(operation->buffer)) { + return PSA_ERROR_BUFFER_TOO_SMALL; + } + /* Write the length byte */ operation->buffer[operation->buffer_length] = (uint8_t) input_length; operation->buffer_length += 1; diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h index 9bdcc3387..eb308813e 100644 --- a/library/psa_crypto_pake.h +++ b/library/psa_crypto_pake.h @@ -96,6 +96,12 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, * entry point as defined in the PSA driver interface specification for * transparent drivers. * + * \note The core has checked that input_length is smaller than + PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, primitive, step) + where primitive is the JPAKE algorithm primitive and step + the PSA API level input step. Thus no risk of integer overflow while + checking operation buffer overflow. + * * \param[in,out] operation Active PAKE operation. * \param step The driver step for which the input is provided. * \param[in] input Buffer containing the input in the format From 4aa99403f419ee8b149f2142ee8afe0448794219 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 27 Feb 2023 13:00:57 +0100 Subject: [PATCH 72/75] Fix configuration for accelerated jpake 
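Review bot: The new bound in mbedtls_psa_pake_input_internal, `operation->buffer_length + input_length + 1 > sizeof(operation->buffer)`, is free of wrap-around only because of a precondition enforced in the core, as its own comment says. The next statement stores `(uint8_t) input_length`, which would silently truncate the length byte for any input above 255 that still fits the buffer. A self-contained form removes both dependencies: `if (input_length > UINT8_MAX || input_length + 1 > sizeof(operation->buffer) - operation->buffer_length) {` followed by the existing `return PSA_ERROR_BUFFER_TOO_SMALL;`. This assumes `buffer_length` never exceeds the buffer size, which the earlier `ecparameters` check appears to maintain. The function body starts and continues outside the hunk.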
Signed-off-by: Przemek Stekiel --- include/mbedtls/config_psa.h | 3 ++ include/psa/crypto_extra.h | 2 +- library/psa_crypto.c | 24 +++++----- .../crypto_config_test_driver_extension.h | 8 ++++ tests/scripts/all.sh | 44 +++---------------- ..._suite_psa_crypto_driver_wrappers.function | 2 +- .../test_suite_psa_crypto_pake.function | 6 +-- 7 files changed, 33 insertions(+), 56 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 48b2d3209..f7de6d1e5 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -147,12 +147,15 @@ extern "C" { #endif #if defined(PSA_WANT_ALG_JPAKE) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_JPAKE) #define MBEDTLS_PSA_BUILTIN_PAKE 1 #define MBEDTLS_PSA_BUILTIN_ALG_JPAKE 1 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED #define MBEDTLS_BIGNUM_C #define MBEDTLS_ECP_C #define MBEDTLS_ECJPAKE_C +#define MBEDTLS_SHA256_C +#endif /* MBEDTLS_PSA_ACCEL_ALG_JPAKE */ #endif /* PSA_WANT_ALG_JPAKE */ #if defined(PSA_WANT_ALG_RIPEMD160) && !defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 5f86c3f4f..5cf56158f 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -2042,7 +2042,7 @@ struct psa_pake_operation_s { /* Holds computation stage of the PAKE algorithms. */ union { uint8_t MBEDTLS_PRIVATE(dummy); -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#if defined(PSA_WANT_ALG_JPAKE) psa_jpake_computation_stage_t MBEDTLS_PRIVATE(jpake); #endif } MBEDTLS_PRIVATE(computation_stage); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 1611fc9c4..d7eeead29 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -7255,7 +7255,7 @@ psa_status_t psa_pake_setup( operation->alg = cipher_suite->algorithm; operation->data.inputs.cipher_suite = *cipher_suite; -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#if defined(PSA_WANT_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { psa_jpake_computation_stage_t *computation_stage = &operation->computation_stage.jpake; @@ -7405,7 +7405,7 @@ exit: } /* Auxiliary function to convert core computation stage(step, sequence, state) to single driver step. */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#if defined(PSA_WANT_ALG_JPAKE) static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_step( psa_jpake_computation_stage_t *stage) { @@ -7499,7 +7499,7 @@ static psa_status_t psa_pake_complete_inputs( mbedtls_free(inputs.password); if (status == PSA_SUCCESS) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#if defined(PSA_WANT_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; psa_jpake_computation_stage_t *computation_stage = @@ -7517,7 +7517,7 @@ static psa_status_t psa_pake_complete_inputs( return status; } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#if defined(PSA_WANT_ALG_JPAKE) static psa_status_t psa_jpake_output_prologue( psa_pake_operation_t *operation, psa_pake_step_t step) @@ -7639,7 +7639,7 @@ psa_status_t psa_pake_output( } switch (operation->alg) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#if defined(PSA_WANT_ALG_JPAKE) case PSA_ALG_JPAKE: status = psa_jpake_output_prologue(operation, step); if (status != PSA_SUCCESS) { @@ -7653,7 +7653,7 @@ psa_status_t psa_pake_output( goto exit; } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#if defined(PSA_WANT_ALG_JPAKE) status = psa_driver_wrapper_pake_output(operation, convert_jpake_computation_stage_to_driver_step( &operation->computation_stage.jpake), 
@@ -7670,7 +7670,7 @@ psa_status_t psa_pake_output( } switch (operation->alg) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#if defined(PSA_WANT_ALG_JPAKE) case PSA_ALG_JPAKE: status = psa_jpake_output_epilogue(operation); if (status != PSA_SUCCESS) { @@ -7689,7 +7689,7 @@ exit: return status; } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#if defined(PSA_WANT_ALG_JPAKE) static psa_status_t psa_jpake_input_prologue( psa_pake_operation_t *operation, psa_pake_step_t step, @@ -7816,7 +7816,7 @@ psa_status_t psa_pake_input( } switch (operation->alg) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#if defined(PSA_WANT_ALG_JPAKE) case PSA_ALG_JPAKE: status = psa_jpake_input_prologue(operation, step, input_length); if (status != PSA_SUCCESS) { @@ -7830,7 +7830,7 @@ psa_status_t psa_pake_input( goto exit; } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#if defined(PSA_WANT_ALG_JPAKE) status = psa_driver_wrapper_pake_input(operation, convert_jpake_computation_stage_to_driver_step( &operation->computation_stage.jpake), @@ -7846,7 +7846,7 @@ psa_status_t psa_pake_input( } switch (operation->alg) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#if defined(PSA_WANT_ALG_JPAKE) case PSA_ALG_JPAKE: status = psa_jpake_input_epilogue(operation); if (status != PSA_SUCCESS) { @@ -7879,7 +7879,7 @@ psa_status_t psa_pake_get_implicit_key( goto exit; } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) +#if defined(PSA_WANT_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { psa_jpake_computation_stage_t *computation_stage = &operation->computation_stage.jpake; diff --git a/tests/include/test/drivers/crypto_config_test_driver_extension.h b/tests/include/test/drivers/crypto_config_test_driver_extension.h index 393d6326e..26c432cde 100644 --- a/tests/include/test/drivers/crypto_config_test_driver_extension.h +++ b/tests/include/test/drivers/crypto_config_test_driver_extension.h 
@@ -158,6 +158,14 @@ #endif #endif +#if defined(PSA_WANT_ALG_JPAKE) +#if defined(MBEDTLS_PSA_ACCEL_ALG_JPAKE) +#undef MBEDTLS_PSA_ACCEL_ALG_JPAKE +#else +#define MBEDTLS_PSA_ACCEL_ALG_JPAKE 1 +#endif +#endif + #if defined(PSA_WANT_KEY_TYPE_AES) #if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES) #undef MBEDTLS_PSA_ACCEL_KEY_TYPE_AES diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index a2c0cb756..f20a7dc16 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2500,7 +2500,7 @@ component_test_psa_crypto_config_accel_aead () { make test } -component_test_psa_crypto_config_accel_pake () { +component_test_psa_crypto_config_accel_pake() { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" # Start with full 
@@ -2518,44 +2518,8 @@ component_test_psa_crypto_config_accel_pake () { scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py unset MBEDTLS_ECJPAKE_C - - # Dynamic secure element support is a deprecated feature and needs to be disabled here. - # This is done to have the same form of psa_key_attributes_s for libdriver and library. - scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C - - loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" - make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" - - msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" - tests/ssl-opt.sh -f "ECJPAKE" - - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" - make test -} - -component_test_psa_crypto_config_accel_pake_no_fallback () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE - no fallback" - - # Start with full - scripts/config.py full - - # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having - # partial support for cipher operations in the driver test library. 
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING - - loc_accel_list="ALG_JPAKE" - loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) - make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" - - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - - scripts/config.py unset MBEDTLS_ECJPAKE_C - # Make build-in fallback not available - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_JPAKE + scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED # Dynamic secure element support is a deprecated feature and needs to be disabled here. @@ -2565,7 +2529,9 @@ component_test_psa_crypto_config_accel_pake_no_fallback () { loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE - no fallback" + not grep mbedtls_ecjpake_init library/ecjpake.o + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" make test } diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index 6522fe5d0..8a4c007ae 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function 
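Review bot: After this hunk, as far as these lines show, no component runs TLS EC J-PAKE against the accelerated driver. The `tests/ssl-opt.sh -f "ECJPAKE"` step is removed together with the fallback variant, and the remaining component_test_psa_crypto_config_accel_pake now runs `scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED`. If that is intentional, a comment next to the `unset` line should say why the key exchange is disabled and where the TLS path is covered instead. Otherwise this drops handshake coverage for the driver dispatch path without anyone noticing.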
@@ -2976,7 +2976,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 */ +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ void pake_operations(data_t *pw_data, int forced_status_setup_arg, int forced_status_arg, data_t *forced_output, int expected_status_arg, int fut) diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index f094eb977..2bed45ac1 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function @@ -909,7 +909,7 @@ void ecjpake_size_macros() } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE:PSA_ALG_SHA_256 */ +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ void pake_input_getters_password() { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); @@ -975,7 +975,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE:PSA_ALG_SHA_256 */ +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ void pake_input_getters_cipher_suite() { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); @@ -1008,7 +1008,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE:PSA_ALG_SHA_256 */ +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ void pake_input_getters_role() { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); From 57580f2539251d9f77623f72daf05aa700a0f8c6 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 1 Mar 2023 12:21:26 +0100 Subject: [PATCH 73/75] Use proper enum types for pake state/sequence/step Signed-off-by: Przemek Stekiel --- include/psa/crypto_extra.h | 20 ++++++++++---------- library/psa_crypto.c | 14 ++------------ 2 files changed, 12 insertions(+), 22 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 5cf56158f..252eb7439 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h 
@@ -1974,14 +1974,14 @@ struct psa_crypto_driver_pake_inputs_s { psa_pake_cipher_suite_t MBEDTLS_PRIVATE(cipher_suite); }; -enum psa_jpake_step { +typedef enum psa_jpake_step { PSA_PAKE_STEP_INVALID = 0, PSA_PAKE_STEP_X1_X2 = 1, PSA_PAKE_STEP_X2S = 2, PSA_PAKE_STEP_DERIVE = 3, -}; +} psa_jpake_step_t; -enum psa_jpake_state { +typedef enum psa_jpake_state { PSA_PAKE_STATE_INVALID = 0, PSA_PAKE_STATE_SETUP = 1, PSA_PAKE_STATE_READY = 2, @@ -1989,9 +1989,9 @@ enum psa_jpake_state { PSA_PAKE_OUTPUT_X2S = 4, PSA_PAKE_INPUT_X1_X2 = 5, PSA_PAKE_INPUT_X4S = 6, -}; +} psa_jpake_state_t; -enum psa_jpake_sequence { +typedef enum psa_jpake_sequence { PSA_PAKE_SEQ_INVALID = 0, PSA_PAKE_X1_STEP_KEY_SHARE = 1, /* also X2S & X4S KEY_SHARE */ PSA_PAKE_X1_STEP_ZK_PUBLIC = 2, /* also X2S & X4S ZK_PUBLIC */ @@ -2000,7 +2000,7 @@ enum psa_jpake_sequence { PSA_PAKE_X2_STEP_ZK_PUBLIC = 5, PSA_PAKE_X2_STEP_ZK_PROOF = 6, PSA_PAKE_SEQ_END = 7, -}; +} psa_jpake_sequence_t; typedef enum psa_crypto_driver_pake_step { PSA_JPAKE_STEP_INVALID = 0, /* Invalid step */ @@ -2020,10 +2020,10 @@ typedef enum psa_crypto_driver_pake_step { struct psa_jpake_computation_stage_s { - unsigned int MBEDTLS_PRIVATE(state); - unsigned int MBEDTLS_PRIVATE(sequence); - unsigned int MBEDTLS_PRIVATE(input_step); - unsigned int MBEDTLS_PRIVATE(output_step); + psa_jpake_state_t MBEDTLS_PRIVATE(state); + psa_jpake_sequence_t MBEDTLS_PRIVATE(sequence); + psa_jpake_step_t MBEDTLS_PRIVATE(input_step); + psa_jpake_step_t MBEDTLS_PRIVATE(output_step); }; struct psa_pake_operation_s { diff --git a/library/psa_crypto.c b/library/psa_crypto.c index d7eeead29..115e994bb 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -7415,22 +7415,16 @@ static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_s switch (stage->sequence) { case PSA_PAKE_X1_STEP_KEY_SHARE: return PSA_JPAKE_X1_STEP_KEY_SHARE; - break; case PSA_PAKE_X1_STEP_ZK_PUBLIC: return PSA_JPAKE_X1_STEP_ZK_PUBLIC; - break; case PSA_PAKE_X1_STEP_ZK_PROOF: return PSA_JPAKE_X1_STEP_ZK_PROOF; - break; case PSA_PAKE_X2_STEP_KEY_SHARE: return PSA_JPAKE_X2_STEP_KEY_SHARE; - break; case PSA_PAKE_X2_STEP_ZK_PUBLIC: return PSA_JPAKE_X2_STEP_ZK_PUBLIC; - break; case PSA_PAKE_X2_STEP_ZK_PROOF: return PSA_JPAKE_X2_STEP_ZK_PROOF; - break; default: return PSA_JPAKE_STEP_INVALID; } @@ -7439,13 +7433,11 @@ static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_s switch (stage->sequence) { case PSA_PAKE_X1_STEP_KEY_SHARE: return PSA_JPAKE_X2S_STEP_KEY_SHARE; - break; case PSA_PAKE_X1_STEP_ZK_PUBLIC: return PSA_JPAKE_X2S_STEP_ZK_PUBLIC; - break; case PSA_PAKE_X1_STEP_ZK_PROOF: return PSA_JPAKE_X2S_STEP_ZK_PROOF; - break; + default: return PSA_JPAKE_STEP_INVALID; } break; @@ -7453,13 +7445,11 @@ static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_s switch (stage->sequence) { case PSA_PAKE_X1_STEP_KEY_SHARE: return PSA_JPAKE_X4S_STEP_KEY_SHARE; - break; case PSA_PAKE_X1_STEP_ZK_PUBLIC: return PSA_JPAKE_X4S_STEP_ZK_PUBLIC; - break; case PSA_PAKE_X1_STEP_ZK_PROOF: return PSA_JPAKE_X4S_STEP_ZK_PROOF; - break; + default: return PSA_JPAKE_STEP_INVALID; } break; From 691e91adac10c9466f0b84f930b72e277440279b Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 7 Mar 2023 16:26:37 +0100 Subject: [PATCH 74/75] Further pake code optimizations Signed-off-by: Przemek Stekiel --- docs/proposed/psa-driver-interface.md | 4 +-- library/psa_crypto.c | 44 ++++++++------------------- library/psa_crypto_pake.c | 10 +++--- library/psa_crypto_pake.h | 6 +--- 4 files changed, 20 insertions(+), 44 deletions(-) 
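Review bot: In the second and third inner switch the case labels are the `PSA_PAKE_X1_STEP_*` values but the results are `PSA_JPAKE_X2S_STEP_*` and `PSA_JPAKE_X4S_STEP_*`, which reads like a copy-paste slip unless the reader knows the enum comment in crypto_extra.h ("also X2S & X4S KEY_SHARE"). A one-line comment above each of those switches would make the reuse explicit, e.g. `/* X2S reuses the X1 sequence values (KEY_SHARE, ZK_PUBLIC, ZK_PROOF) */`. With the added `default:` every path of those switches returns, so the `break;` after each closing brace is now as unreachable as the `break;` lines this commit removes. The function starts and ends outside these hunks.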
diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md index c00796a49..f681ea60e 100644 --- a/docs/proposed/psa-driver-interface.md +++ b/docs/proposed/psa-driver-interface.md @@ -458,9 +458,7 @@ For `PSA_ALG_JPAKE` the following steps are available for input operation: * `PSA_JPAKE_X4S_STEP_ZK_PUBLIC`    Round 2: input Schnorr NIZKP public key for the X4S key * `PSA_JPAKE_X4S_STEP_ZK_PROOF`     Round 2: input Schnorr NIZKP proof for the X4S key -The core has checked that input_length is smaller than PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, primitive, step) -where primitive is the JPAKE algorithm primitive and step the PSA API level input step. -Thus no risk of integer overflow while checking operation buffer overflow. +The core checks that input_length is smaller than PSA_PAKE_INPUT_MAX_SIZE. ### PAKE driver get implicit key diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 115e994bb..917a9fae6 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7609,6 +7609,7 @@ psa_status_t psa_pake_output( size_t *output_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID; *output_length = 0; if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { @@ -7635,6 +7636,8 @@ psa_status_t psa_pake_output( if (status != PSA_SUCCESS) { goto exit; } + driver_step = convert_jpake_computation_stage_to_driver_step( + &operation->computation_stage.jpake); break; #endif /* PSA_WANT_ALG_JPAKE */ default: 
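Review bot: `driver_step` is assigned from `convert_jpake_computation_stage_to_driver_step()` in `psa_pake_output()` and, in the hunk that follows, handed to `psa_driver_wrapper_pake_output()` without a check for `PSA_JPAKE_STEP_INVALID`, which the converter returns for any stage it cannot map. Presumably the prologue call above guarantees a mappable stage, but that is not visible here, and a driver should not have to defend against a step the core already knows is invalid. Right after the assignment I would add `if (driver_step == PSA_JPAKE_STEP_INVALID) { status = PSA_ERROR_BAD_STATE; goto exit; }`. The same applies to the `driver_step` assignment in `psa_pake_input()` further down in this commit. The body of `psa_pake_output()` continues outside this hunk.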
@@ -7643,17 +7646,8 @@ psa_status_t psa_pake_output( goto exit; } -#if defined(PSA_WANT_ALG_JPAKE) - status = psa_driver_wrapper_pake_output(operation, - convert_jpake_computation_stage_to_driver_step( - &operation->computation_stage.jpake), - output, - output_size, - output_length); -#else - (void) output; - status = PSA_ERROR_NOT_SUPPORTED; -#endif /* PSA_WANT_ALG_JPAKE */ + status = psa_driver_wrapper_pake_output(operation, driver_step, + output, output_size, output_length); if (status != PSA_SUCCESS) { goto exit; @@ -7682,8 +7676,7 @@ exit: #if defined(PSA_WANT_ALG_JPAKE) static psa_status_t psa_jpake_input_prologue( psa_pake_operation_t *operation, - psa_pake_step_t step, - size_t input_length) + psa_pake_step_t step) { if (step != PSA_PAKE_STEP_KEY_SHARE && step != PSA_PAKE_STEP_ZK_PUBLIC && @@ -7698,12 +7691,6 @@ static psa_status_t psa_jpake_input_prologue( return PSA_ERROR_BAD_STATE; } - const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( - PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256); - if (input_length > (size_t) PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, prim, step)) { - return PSA_ERROR_INVALID_ARGUMENT; - } - if (computation_stage->state != PSA_PAKE_STATE_READY && computation_stage->state != PSA_PAKE_INPUT_X1_X2 && computation_stage->state != PSA_PAKE_INPUT_X4S) { @@ -7787,6 +7774,7 @@ psa_status_t psa_pake_input( size_t input_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID; if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { status = psa_pake_complete_inputs(operation); @@ -7800,7 +7788,7 @@ psa_status_t psa_pake_input( goto exit; } - if (input_length == 0) { + if (input_length == 0 || input_length > PSA_PAKE_INPUT_MAX_SIZE) { status = PSA_ERROR_INVALID_ARGUMENT; goto exit; } 
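Review bot: The length check in `psa_pake_input()` now rejects only `input_length > PSA_PAKE_INPUT_MAX_SIZE`, and the per-step check against `PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, prim, step)` is removed from `psa_jpake_input_prologue()`, so a driver can receive an input longer than the step it is handling allows. The built-in implementation still bounds the copy with its own `sizeof(operation->buffer)` test, but an accelerator driver written against the old guarantee would need its own per-step check, and the driver interface document should say so. The replacement wording "smaller than PSA_PAKE_INPUT_MAX_SIZE" in psa-driver-interface.md, psa_crypto_pake.c and psa_crypto_pake.h is also off by one against the code, which accepts a length equal to the maximum: `The core checks that input_length is not greater than PSA_PAKE_INPUT_MAX_SIZE.`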
@@ -7808,10 +7796,12 @@ psa_status_t psa_pake_input( switch (operation->alg) { #if defined(PSA_WANT_ALG_JPAKE) case PSA_ALG_JPAKE: - status = psa_jpake_input_prologue(operation, step, input_length); + status = psa_jpake_input_prologue(operation, step); if (status != PSA_SUCCESS) { goto exit; } + driver_step = convert_jpake_computation_stage_to_driver_step( + &operation->computation_stage.jpake); break; #endif /* PSA_WANT_ALG_JPAKE */ default: @@ -7820,16 +7810,8 @@ psa_status_t psa_pake_input( goto exit; } -#if defined(PSA_WANT_ALG_JPAKE) - status = psa_driver_wrapper_pake_input(operation, - convert_jpake_computation_stage_to_driver_step( - &operation->computation_stage.jpake), - input, - input_length); -#else - (void) input; - status = PSA_ERROR_NOT_SUPPORTED; -#endif /* PSA_WANT_ALG_JPAKE */ + status = psa_driver_wrapper_pake_input(operation, driver_step, + input, input_length); if (status != PSA_SUCCESS) { goto exit; diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 538df8744..a53718496 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -431,7 +431,8 @@ static psa_status_t mbedtls_psa_pake_input_internal( 0, 23 /* secp256r1 */ }; - if (operation->buffer_length + sizeof(ecparameters) > sizeof(operation->buffer)) { + if (operation->buffer_length + sizeof(ecparameters) > + sizeof(operation->buffer)) { return PSA_ERROR_BUFFER_TOO_SMALL; } @@ -441,10 +442,9 @@ static psa_status_t mbedtls_psa_pake_input_internal( } /* - * The core has checked that input_length is smaller than - * PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, primitive, step) - * where primitive is the JPAKE algorithm primitive and step - * the PSA API level input step. Thus no risk of integer overflow here. + * The core checks that input_length is smaller than + * PSA_PAKE_INPUT_MAX_SIZE. + * Thus no risk of integer overflow here. */ if (operation->buffer_length + input_length + 1 > sizeof(operation->buffer)) { return PSA_ERROR_BUFFER_TOO_SMALL; 
diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h index eb308813e..001c987a4 100644 --- a/library/psa_crypto_pake.h +++ b/library/psa_crypto_pake.h @@ -96,11 +96,7 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, * entry point as defined in the PSA driver interface specification for * transparent drivers. * - * \note The core has checked that input_length is smaller than - PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, primitive, step) - where primitive is the JPAKE algorithm primitive and step - the PSA API level input step. Thus no risk of integer overflow while - checking operation buffer overflow. + * \note The core checks that input_length is smaller than PSA_PAKE_INPUT_MAX_SIZE. * * \param[in,out] operation Active PAKE operation. * \param step The driver step for which the input is provided. From b8eaf635ba803099c2bab2e4f2d5091429b5ea0b Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 8 Mar 2023 09:56:29 +0100 Subject: [PATCH 75/75] Remove MBEDTLS_SHA256_C from PSA_WANT_ALG_JPAKE config and adapt test dependencies Signed-off-by: Przemek Stekiel --- include/mbedtls/config_psa.h | 1 - tests/suites/test_suite_psa_crypto_driver_wrappers.data | 4 ++-- tests/suites/test_suite_psa_crypto_driver_wrappers.function | 6 +++--- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index f7de6d1e5..2818c9cfd 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -154,7 +154,6 @@ extern "C" { #define MBEDTLS_BIGNUM_C #define MBEDTLS_ECP_C #define MBEDTLS_ECJPAKE_C -#define MBEDTLS_SHA256_C #endif /* MBEDTLS_PSA_ACCEL_ALG_JPAKE */ #endif /* PSA_WANT_ALG_JPAKE */ diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.data b/tests/suites/test_suite_psa_crypto_driver_wrappers.data index d63371b7c..cf027c80e 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.data 
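Review bot: With `#define MBEDTLS_SHA256_C` dropped from the built-in J-PAKE block in config_psa.h, nothing in this hunk ties `PSA_WANT_ALG_JPAKE` to a hash any more, although the `ecjpake_rounds` test data in this commit runs with `PSA_ALG_SHA_256`. A configuration that enables J-PAKE without `PSA_WANT_ALG_SHA_256` would then presumably build and only fail when an operation is set up; whether a build-time check elsewhere catches it cannot be seen from here. A comment next to the remaining defines would state the new contract, e.g. `/* The hash of the cipher suite is not implied here; enable it separately (PSA_WANT_ALG_SHA_256). */`.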
+++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.data @@ -859,9 +859,9 @@ depends_on:!MBEDTLS_PSA_BUILTIN_PAKE pake_operations:"abcd":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS:"":PSA_ERROR_NOT_SUPPORTED:3 PSA PAKE: ecjpake rounds transparent driver: in-driver success -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +depends_on:PSA_WANT_ALG_JPAKE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:1 PSA PAKE: ecjpake rounds transparent driver: fallback success -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS:MBEDTLS_PSA_BUILTIN_PAKE +depends_on:PSA_WANT_ALG_JPAKE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS:MBEDTLS_PSA_BUILTIN_ALG_JPAKE ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0 diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index 8a4c007ae..ab09fa0f5 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -5,8 +5,8 @@ Global to silent the compiler when unused. */ size_t pake_expected_hit_count = 0; int pake_in_driver = 0; - -#if defined(PSA_WANT_ALG_JPAKE) +#if defined(PSA_WANT_ALG_JPAKE) && defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) && \ + defined(PSA_WANT_ECC_SECP_R1_256) && defined(PSA_WANT_ALG_SHA_256) static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, psa_pake_operation_t *server, psa_pake_operation_t *client, 
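Review bot: The fallback case in the .data file now depends on `MBEDTLS_PSA_BUILTIN_ALG_JPAKE`, while the `depends_on:!MBEDTLS_PSA_BUILTIN_PAKE` line shown in the hunk header still uses the older symbol for the opposite condition. If the two macros are not always defined together, one of these cases would run or be skipped in a configuration where it should not. Using one symbol for both, e.g. `depends_on:!MBEDTLS_PSA_BUILTIN_ALG_JPAKE` on the earlier case, would keep the positive and negative tests in step.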
@@ -3167,7 +3167,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 */ void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, int derive_alg_arg, data_t *pw_data, int client_input_first, int in_driver)