From e12ed36a6ce40cc5d0a94137443bdeb7fce1145d Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 21 Dec 2022 12:54:46 +0100 Subject: [PATCH] Move JPAKE state machine logic from driver to core - Add `alg` and `computation_stage` to `psa_pake_operation_s`. Now when logic is moved to core information about `alg` is required. `computation_stage` is a structure that provides a union of computation stages for pake algorithms. - Move the jpake operation logic from driver to core. This requires changing driver entry points for `psa_pake_output`/`psa_pake_input` functions and adding a `computation_stage` parameter. I'm not sure if this solution is correct. Now the driver can check the current computation stage and perform some action. For jpake drivers `step` parameter is now not used, but I think it needs to stay as it might be needed for other pake algorithms. - Removed test that seems to be redundant as we can't be sure that operation is aborted after failure. Signed-off-by: Przemek Stekiel --- include/psa/crypto_builtin_composites.h | 5 +- include/psa/crypto_extra.h | 56 ++- library/psa_crypto.c | 324 ++++++++++++++- library/psa_crypto_driver_wrappers.h | 2 + library/psa_crypto_pake.c | 375 +++++------------- library/psa_crypto_pake.h | 4 + .../psa_crypto_driver_wrappers.c.jinja | 20 +- tests/include/test/drivers/pake.h | 4 + tests/src/drivers/test_driver_pake.c | 25 +- tests/suites/test_suite_psa_crypto_pake.data | 8 - 10 files changed, 500 insertions(+), 323 deletions(-) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index 295452c8c..3221a6423 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -195,11 +195,8 @@ typedef struct { typedef struct { psa_algorithm_t MBEDTLS_PRIVATE(alg); - unsigned int MBEDTLS_PRIVATE(state); - unsigned int MBEDTLS_PRIVATE(sequence); + #if defined(MBEDTLS_PSA_BUILTIN_PAKE) - unsigned int MBEDTLS_PRIVATE(input_step); - unsigned int MBEDTLS_PRIVATE(output_step); uint8_t *MBEDTLS_PRIVATE(password); size_t MBEDTLS_PRIVATE(password_len); uint8_t MBEDTLS_PRIVATE(role); diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 4fa273d31..1678228d3 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1292,6 +1292,12 @@ typedef struct psa_pake_operation_s psa_pake_operation_t; /** The type of input values for PAKE operations. */ typedef struct psa_crypto_driver_pake_inputs_s psa_crypto_driver_pake_inputs_t; +/** The type of compuatation stage for PAKE operations. */ +typedef struct psa_pake_computation_stage_s psa_pake_computation_stage_t; + +/** The type of compuatation stage for J-PAKE operations. */ +typedef struct psa_jpake_computation_stage_s psa_jpake_computation_stage_t; + /** Return an initial value for a PAKE operation object. */ static psa_pake_operation_t psa_pake_operation_init(void); @@ -1832,7 +1838,8 @@ psa_status_t psa_pake_abort(psa_pake_operation_t *operation); /** Returns a suitable initializer for a PAKE operation object of type * psa_pake_operation_t. */ -#define PSA_PAKE_OPERATION_INIT { 0, PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS, { 0 } } +#define PSA_PAKE_OPERATION_INIT { 0, PSA_ALG_NONE, PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS, \ + { { 0 } }, { 0 } } struct psa_pake_cipher_suite_s { psa_algorithm_t algorithm; @@ -1904,7 +1911,6 @@ static inline void psa_pake_cs_set_hash(psa_pake_cipher_suite_t *cipher_suite, } struct psa_crypto_driver_pake_inputs_s { - psa_algorithm_t MBEDTLS_PRIVATE(alg); uint8_t *MBEDTLS_PRIVATE(password); size_t MBEDTLS_PRIVATE(password_len); psa_pake_role_t MBEDTLS_PRIVATE(role); @@ -1912,6 +1918,48 @@ struct psa_crypto_driver_pake_inputs_s { psa_pake_cipher_suite_t MBEDTLS_PRIVATE(cipher_suite); }; +enum psa_jpake_step { + PSA_PAKE_STEP_INVALID = 0, + PSA_PAKE_STEP_X1_X2 = 1, + PSA_PAKE_STEP_X2S = 2, + PSA_PAKE_STEP_DERIVE = 3, +}; + +enum psa_jpake_state { + PSA_PAKE_STATE_INVALID = 0, + PSA_PAKE_STATE_SETUP = 1, + PSA_PAKE_STATE_READY = 2, + PSA_PAKE_OUTPUT_X1_X2 = 3, + PSA_PAKE_OUTPUT_X2S = 4, + PSA_PAKE_INPUT_X1_X2 = 5, + PSA_PAKE_INPUT_X4S = 6, +}; + +enum psa_jpake_sequence { + PSA_PAKE_SEQ_INVALID = 0, + PSA_PAKE_X1_STEP_KEY_SHARE = 1, /* also X2S & X4S KEY_SHARE */ + PSA_PAKE_X1_STEP_ZK_PUBLIC = 2, /* also X2S & X4S ZK_PUBLIC */ + PSA_PAKE_X1_STEP_ZK_PROOF = 3, /* also X2S & X4S ZK_PROOF */ + PSA_PAKE_X2_STEP_KEY_SHARE = 4, + PSA_PAKE_X2_STEP_ZK_PUBLIC = 5, + PSA_PAKE_X2_STEP_ZK_PROOF = 6, + PSA_PAKE_SEQ_END = 7, +}; + +struct psa_jpake_computation_stage_s { + unsigned int MBEDTLS_PRIVATE(state); + unsigned int MBEDTLS_PRIVATE(sequence); + unsigned int MBEDTLS_PRIVATE(input_step); + unsigned int MBEDTLS_PRIVATE(output_step); +}; + +struct psa_pake_computation_stage_s { + union { + unsigned dummy; + psa_jpake_computation_stage_t MBEDTLS_PRIVATE(jpake_computation_stage); + } MBEDTLS_PRIVATE(data); +}; + struct psa_pake_operation_s { /** Unique ID indicating which driver got assigned to do the * operation. Since driver contexts are driver-specific, swapping @@ -1920,10 +1968,14 @@ struct psa_pake_operation_s { * ID value zero means the context is not valid or not assigned to * any driver (i.e. none of the driver contexts are active). */ unsigned int MBEDTLS_PRIVATE(id); + /* Algorithm used for PAKE operation */ + psa_algorithm_t MBEDTLS_PRIVATE(alg); /* Based on stage (collecting inputs/computation) we select active structure of data union. * While switching stage (when driver setup is called) collected inputs are copied to the corresponding operation context. */ uint8_t MBEDTLS_PRIVATE(stage); + /* Holds computation stage of the PAKE algorithms. */ + psa_pake_computation_stage_t MBEDTLS_PRIVATE(computation_stage); union { unsigned dummy; psa_crypto_driver_pake_inputs_t MBEDTLS_PRIVATE(inputs); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 273d248af..66ecc0643 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7180,11 +7180,14 @@ psa_status_t psa_pake_setup( psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite) { + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; + if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { return PSA_ERROR_BAD_STATE; } - if (operation->data.inputs.alg != PSA_ALG_NONE) { + if (operation->alg != PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } @@ -7198,9 +7201,16 @@ psa_status_t psa_pake_setup( memset(&operation->data.inputs, 0, sizeof(operation->data.inputs)); - operation->data.inputs.alg = cipher_suite->algorithm; + operation->alg = cipher_suite->algorithm; operation->data.inputs.cipher_suite = *cipher_suite; + if (operation->alg == PSA_ALG_JPAKE) { + computation_stage->state = PSA_PAKE_STATE_SETUP; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + computation_stage->input_step = PSA_PAKE_STEP_X1_X2; + computation_stage->output_step = PSA_PAKE_STEP_X1_X2; + } + return PSA_SUCCESS; } @@ -7216,7 +7226,7 @@ psa_status_t psa_pake_set_password_key( return PSA_ERROR_BAD_STATE; } - if (operation->data.inputs.alg == PSA_ALG_NONE) { + if (operation->alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } @@ -7241,7 +7251,8 @@ psa_status_t psa_pake_set_password_key( operation->data.inputs.password = mbedtls_calloc(1, slot->key.bytes); if (operation->data.inputs.password == NULL) { - return PSA_ERROR_INSUFFICIENT_MEMORY; + status = PSA_ERROR_INSUFFICIENT_MEMORY; + goto error; } memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes); @@ -7264,7 +7275,7 @@ psa_status_t psa_pake_set_user( return PSA_ERROR_BAD_STATE; } - if (operation->data.inputs.alg == PSA_ALG_NONE) { + if (operation->alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } @@ -7286,7 +7297,7 @@ psa_status_t psa_pake_set_peer( return PSA_ERROR_BAD_STATE; } - if (operation->data.inputs.alg == PSA_ALG_NONE) { + if (operation->alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } @@ -7305,7 +7316,7 @@ psa_status_t psa_pake_set_role( return PSA_ERROR_BAD_STATE; } - if (operation->data.inputs.alg == PSA_ALG_NONE) { + if (operation->alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } @@ -7322,6 +7333,98 @@ psa_status_t psa_pake_set_role( return PSA_SUCCESS; } +static psa_status_t psa_jpake_output_prologue( + psa_pake_operation_t *operation, + psa_pake_step_t step) +{ + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; + + if (computation_stage->state == PSA_PAKE_STATE_INVALID) { + return PSA_ERROR_BAD_STATE; + } + + if (step != PSA_PAKE_STEP_KEY_SHARE && + step != PSA_PAKE_STEP_ZK_PUBLIC && + step != PSA_PAKE_STEP_ZK_PROOF) { + return PSA_ERROR_INVALID_ARGUMENT; + } + + if (computation_stage->state != PSA_PAKE_STATE_READY && + computation_stage->state != PSA_PAKE_OUTPUT_X1_X2 && + computation_stage->state != PSA_PAKE_OUTPUT_X2S) { + return PSA_ERROR_BAD_STATE; + } + + if (computation_stage->state == PSA_PAKE_STATE_READY) { + if (step != PSA_PAKE_STEP_KEY_SHARE) { + return PSA_ERROR_BAD_STATE; + } + + switch (computation_stage->output_step) { + case PSA_PAKE_STEP_X1_X2: + computation_stage->state = PSA_PAKE_OUTPUT_X1_X2; + break; + case PSA_PAKE_STEP_X2S: + computation_stage->state = PSA_PAKE_OUTPUT_X2S; + break; + default: + return PSA_ERROR_BAD_STATE; + } + + computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; + } + + /* Check if step matches current sequence */ + switch (computation_stage->sequence) { + case PSA_PAKE_X1_STEP_KEY_SHARE: + case PSA_PAKE_X2_STEP_KEY_SHARE: + if (step != PSA_PAKE_STEP_KEY_SHARE) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PUBLIC: + case PSA_PAKE_X2_STEP_ZK_PUBLIC: + if (step != PSA_PAKE_STEP_ZK_PUBLIC) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PROOF: + case PSA_PAKE_X2_STEP_ZK_PROOF: + if (step != PSA_PAKE_STEP_ZK_PROOF) { + return PSA_ERROR_BAD_STATE; + } + break; + + default: + return PSA_ERROR_BAD_STATE; + } + + return PSA_SUCCESS; +} + +static psa_status_t psa_jpake_output_epilogue( + psa_pake_operation_t *operation) +{ + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; + + if ((computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 && + computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || + (computation_stage->state == PSA_PAKE_OUTPUT_X2S && + computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { + computation_stage->state = PSA_PAKE_STATE_READY; + computation_stage->output_step++; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + } else { + computation_stage->sequence++; + } + + return PSA_SUCCESS; +} + psa_status_t psa_pake_output( psa_pake_operation_t *operation, psa_pake_step_t step, @@ -7330,9 +7433,11 @@ psa_status_t psa_pake_output( size_t *output_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { - if (operation->data.inputs.alg == PSA_ALG_NONE || + if (operation->alg == PSA_ALG_NONE || operation->data.inputs.password_len == 0 || operation->data.inputs.role == PSA_PAKE_ROLE_NONE) { return PSA_ERROR_BAD_STATE; @@ -7343,6 +7448,12 @@ psa_status_t psa_pake_output( if (status == PSA_SUCCESS) { operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; + if (operation->alg == PSA_ALG_JPAKE) { + computation_stage->state = PSA_PAKE_STATE_READY; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + computation_stage->input_step = PSA_PAKE_STEP_X1_X2; + computation_stage->output_step = PSA_PAKE_STEP_X1_X2; + } } else { return status; } @@ -7360,10 +7471,140 @@ psa_status_t psa_pake_output( return PSA_ERROR_INVALID_ARGUMENT; } - return psa_driver_wrapper_pake_output(operation, step, output, - output_size, output_length); + switch (operation->alg) { + case PSA_ALG_JPAKE: + status = psa_jpake_output_prologue(operation, step); + if (status != PSA_SUCCESS) { + return status; + } + break; + default: + return PSA_ERROR_NOT_SUPPORTED; + } + + status = psa_driver_wrapper_pake_output(operation, step, + &operation->computation_stage, + output, output_size, output_length); + + if (status != PSA_SUCCESS) { + return status; + } + + switch (operation->alg) { + case PSA_ALG_JPAKE: + status = psa_jpake_output_epilogue(operation); + if (status != PSA_SUCCESS) { + return status; + } + break; + default: + return PSA_ERROR_NOT_SUPPORTED; + } + + return status; } +static psa_status_t psa_jpake_input_prologue( + psa_pake_operation_t *operation, + psa_pake_step_t step, + size_t input_length) +{ + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; + + if (computation_stage->state == PSA_PAKE_STATE_INVALID) { + return PSA_ERROR_BAD_STATE; + } + + if (step != PSA_PAKE_STEP_KEY_SHARE && + step != PSA_PAKE_STEP_ZK_PUBLIC && + step != PSA_PAKE_STEP_ZK_PROOF) { + return PSA_ERROR_INVALID_ARGUMENT; + } + + const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( + PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256); + if (input_length > (size_t) PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, prim, step)) { + return PSA_ERROR_INVALID_ARGUMENT; + } + + if (computation_stage->state != PSA_PAKE_STATE_READY && + computation_stage->state != PSA_PAKE_INPUT_X1_X2 && + computation_stage->state != PSA_PAKE_INPUT_X4S) { + return PSA_ERROR_BAD_STATE; + } + + if (computation_stage->state == PSA_PAKE_STATE_READY) { + if (step != PSA_PAKE_STEP_KEY_SHARE) { + return PSA_ERROR_BAD_STATE; + } + + switch (computation_stage->input_step) { + case PSA_PAKE_STEP_X1_X2: + computation_stage->state = PSA_PAKE_INPUT_X1_X2; + break; + case PSA_PAKE_STEP_X2S: + computation_stage->state = PSA_PAKE_INPUT_X4S; + break; + default: + return PSA_ERROR_BAD_STATE; + } + + computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; + } + + /* Check if step matches current sequence */ + switch (computation_stage->sequence) { + case PSA_PAKE_X1_STEP_KEY_SHARE: + case PSA_PAKE_X2_STEP_KEY_SHARE: + if (step != PSA_PAKE_STEP_KEY_SHARE) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PUBLIC: + case PSA_PAKE_X2_STEP_ZK_PUBLIC: + if (step != PSA_PAKE_STEP_ZK_PUBLIC) { + return PSA_ERROR_BAD_STATE; + } + break; + + case PSA_PAKE_X1_STEP_ZK_PROOF: + case PSA_PAKE_X2_STEP_ZK_PROOF: + if (step != PSA_PAKE_STEP_ZK_PROOF) { + return PSA_ERROR_BAD_STATE; + } + break; + + default: + return PSA_ERROR_BAD_STATE; + } + + return PSA_SUCCESS; +} + + +static psa_status_t psa_jpake_input_epilogue( + psa_pake_operation_t *operation) +{ + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; + + if ((computation_stage->state == PSA_PAKE_INPUT_X1_X2 && + computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || + (computation_stage->state == PSA_PAKE_INPUT_X4S && + computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { + computation_stage->state = PSA_PAKE_STATE_READY; + computation_stage->input_step++; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + } else { + computation_stage->sequence++; + } + + return PSA_SUCCESS; +} + + psa_status_t psa_pake_input( psa_pake_operation_t *operation, psa_pake_step_t step, @@ -7371,9 +7612,11 @@ psa_status_t psa_pake_input( size_t input_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { - if (operation->data.inputs.alg == PSA_ALG_NONE || + if (operation->alg == PSA_ALG_NONE || operation->data.inputs.password_len == 0 || operation->data.inputs.role == PSA_PAKE_ROLE_NONE) { return PSA_ERROR_BAD_STATE; @@ -7384,6 +7627,12 @@ psa_status_t psa_pake_input( if (status == PSA_SUCCESS) { operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; + if (operation->alg == PSA_ALG_JPAKE) { + computation_stage->state = PSA_PAKE_STATE_READY; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + computation_stage->input_step = PSA_PAKE_STEP_X1_X2; + computation_stage->output_step = PSA_PAKE_STEP_X1_X2; + } } else { return status; } @@ -7401,8 +7650,37 @@ psa_status_t psa_pake_input( return PSA_ERROR_INVALID_ARGUMENT; } - return psa_driver_wrapper_pake_input(operation, step, input, - input_length); + switch (operation->alg) { + case PSA_ALG_JPAKE: + status = psa_jpake_input_prologue(operation, step, input_length); + if (status != PSA_SUCCESS) { + return status; + } + break; + default: + return PSA_ERROR_NOT_SUPPORTED; + } + + status = psa_driver_wrapper_pake_input(operation, step, + &operation->computation_stage, + input, input_length); + + if (status != PSA_SUCCESS) { + return status; + } + + switch (operation->alg) { + case PSA_ALG_JPAKE: + status = psa_jpake_input_epilogue(operation); + if (status != PSA_SUCCESS) { + return status; + } + break; + default: + return PSA_ERROR_NOT_SUPPORTED; + } + + return status; } psa_status_t psa_pake_get_implicit_key( @@ -7412,11 +7690,20 @@ psa_status_t psa_pake_get_implicit_key( psa_status_t status = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; uint8_t shared_key[MBEDTLS_PSA_PAKE_BUFFER_SIZE]; size_t shared_key_len = 0; + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; if (operation->id == 0) { return PSA_ERROR_BAD_STATE; } + if (operation->alg == PSA_ALG_JPAKE) { + if (computation_stage->input_step != PSA_PAKE_STEP_DERIVE || + computation_stage->output_step != PSA_PAKE_STEP_DERIVE) { + return PSA_ERROR_BAD_STATE; + } + } + status = psa_driver_wrapper_pake_get_implicit_key(operation, shared_key, &shared_key_len); @@ -7436,18 +7723,29 @@ psa_status_t psa_pake_get_implicit_key( mbedtls_platform_zeroize(shared_key, MBEDTLS_PSA_PAKE_BUFFER_SIZE); + psa_pake_abort(operation); + return status; } psa_status_t psa_pake_abort( psa_pake_operation_t *operation) { + psa_jpake_computation_stage_t *computation_stage = + &operation->computation_stage.data.jpake_computation_stage; + /* If we are in collecting inputs stage clear inputs. */ if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { mbedtls_free(operation->data.inputs.password); memset(&operation->data.inputs, 0, sizeof(psa_crypto_driver_pake_inputs_t)); return PSA_SUCCESS; } + if (operation->alg == PSA_ALG_JPAKE) { + computation_stage->input_step = PSA_PAKE_STEP_INVALID; + computation_stage->output_step = PSA_PAKE_STEP_INVALID; + computation_stage->state = PSA_PAKE_STATE_INVALID; + computation_stage->sequence = PSA_PAKE_SEQ_INVALID; + } return psa_driver_wrapper_pake_abort(operation); } diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index abaabb544..ac17be4e3 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -422,6 +422,7 @@ psa_status_t psa_driver_wrapper_pake_setup( psa_status_t psa_driver_wrapper_pake_output( psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length); @@ -429,6 +430,7 @@ psa_status_t psa_driver_wrapper_pake_output( psa_status_t psa_driver_wrapper_pake_input( psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length); diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 3a710dc60..3d5b57d29 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -79,23 +79,6 @@ * psa_pake_abort() */ -enum psa_pake_step { - PSA_PAKE_STEP_INVALID = 0, - PSA_PAKE_STEP_X1_X2 = 1, - PSA_PAKE_STEP_X2S = 2, - PSA_PAKE_STEP_DERIVE = 3, -}; - -enum psa_pake_state { - PSA_PAKE_STATE_INVALID = 0, - PSA_PAKE_STATE_SETUP = 1, - PSA_PAKE_STATE_READY = 2, - PSA_PAKE_OUTPUT_X1_X2 = 3, - PSA_PAKE_OUTPUT_X2S = 4, - PSA_PAKE_INPUT_X1_X2 = 5, - PSA_PAKE_INPUT_X4S = 6, -}; - /* * The first PAKE step shares the same sequences of the second PAKE step * but with a second set of KEY_SHARE/ZK_PUBLIC/ZK_PROOF outputs/inputs. @@ -157,16 +140,6 @@ enum psa_pake_state { * psa_pake_get_implicit_key() * => Input & Output Step = PSA_PAKE_STEP_INVALID */ -enum psa_pake_sequence { - PSA_PAKE_SEQ_INVALID = 0, - PSA_PAKE_X1_STEP_KEY_SHARE = 1, /* also X2S & X4S KEY_SHARE */ - PSA_PAKE_X1_STEP_ZK_PUBLIC = 2, /* also X2S & X4S ZK_PUBLIC */ - PSA_PAKE_X1_STEP_ZK_PROOF = 3, /* also X2S & X4S ZK_PROOF */ - PSA_PAKE_X2_STEP_KEY_SHARE = 4, - PSA_PAKE_X2_STEP_ZK_PUBLIC = 5, - PSA_PAKE_X2_STEP_ZK_PROOF = 6, - PSA_PAKE_SEQ_END = 7, -}; #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) static psa_status_t mbedtls_ecjpake_to_psa_error(int ret) @@ -190,65 +163,6 @@ static psa_status_t mbedtls_ecjpake_to_psa_error(int ret) } #endif -#if defined(MBEDTLS_PSA_BUILTIN_PAKE) -psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, - const psa_crypto_driver_pake_inputs_t *inputs) -{ - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - - uint8_t *password = inputs->password; - size_t password_len = inputs->password_len; - psa_pake_role_t role = inputs->role; - psa_pake_cipher_suite_t cipher_suite = inputs->cipher_suite; - - memset(operation, 0, sizeof(mbedtls_psa_pake_operation_t)); - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) - if (cipher_suite.algorithm == PSA_ALG_JPAKE) { - if (cipher_suite.type != PSA_PAKE_PRIMITIVE_TYPE_ECC || - cipher_suite.family != PSA_ECC_FAMILY_SECP_R1 || - cipher_suite.bits != 256 || - cipher_suite.hash != PSA_ALG_SHA_256) { - status = PSA_ERROR_NOT_SUPPORTED; - goto error; - } - - if (role != PSA_PAKE_ROLE_CLIENT && - role != PSA_PAKE_ROLE_SERVER) { - status = PSA_ERROR_NOT_SUPPORTED; - goto error; - } - - mbedtls_ecjpake_init(&operation->ctx.pake); - - operation->state = PSA_PAKE_STATE_SETUP; - operation->sequence = PSA_PAKE_SEQ_INVALID; - operation->input_step = PSA_PAKE_STEP_X1_X2; - operation->output_step = PSA_PAKE_STEP_X1_X2; - operation->password_len = password_len; - operation->password = password; - operation->role = role; - operation->alg = cipher_suite.algorithm; - - mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); - operation->buffer_length = 0; - operation->buffer_offset = 0; - - return PSA_SUCCESS; - } else -#else - (void) operation; - (void) inputs; -#endif - { status = PSA_ERROR_NOT_SUPPORTED; } - -error: - mbedtls_free(password); - mbedtls_psa_pake_abort(operation); - return status; -} - - #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operation) { @@ -283,31 +197,84 @@ static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operati return mbedtls_ecjpake_to_psa_error(ret); } - operation->state = PSA_PAKE_STATE_READY; - return PSA_SUCCESS; } + +psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, + const psa_crypto_driver_pake_inputs_t *inputs) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + uint8_t *password = inputs->password; + size_t password_len = inputs->password_len; + psa_pake_role_t role = inputs->role; + psa_pake_cipher_suite_t cipher_suite = inputs->cipher_suite; + + memset(operation, 0, sizeof(mbedtls_psa_pake_operation_t)); + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) + if (cipher_suite.algorithm == PSA_ALG_JPAKE) { + if (cipher_suite.type != PSA_PAKE_PRIMITIVE_TYPE_ECC || + cipher_suite.family != PSA_ECC_FAMILY_SECP_R1 || + cipher_suite.bits != 256 || + cipher_suite.hash != PSA_ALG_SHA_256) { + status = PSA_ERROR_NOT_SUPPORTED; + goto error; + } + + if (role != PSA_PAKE_ROLE_CLIENT && + role != PSA_PAKE_ROLE_SERVER) { + status = PSA_ERROR_NOT_SUPPORTED; + goto error; + } + + mbedtls_ecjpake_init(&operation->ctx.pake); + + operation->password_len = password_len; + operation->password = password; + operation->role = role; + operation->alg = cipher_suite.algorithm; + + mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); + operation->buffer_length = 0; + operation->buffer_offset = 0; + + status = psa_pake_ecjpake_setup(operation); + + if (status != PSA_SUCCESS) { + goto error; + } + + return PSA_SUCCESS; + } else +#else + (void) operation; + (void) inputs; #endif + { status = PSA_ERROR_NOT_SUPPORTED; } + +error: + mbedtls_free(password); + mbedtls_psa_pake_abort(operation); + return status; +} static psa_status_t mbedtls_psa_pake_output_internal( mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; size_t length; + (void) step; if (operation->alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } - if (operation->state == PSA_PAKE_STATE_INVALID) { - return PSA_ERROR_BAD_STATE; - } - #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) /* * The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different @@ -324,74 +291,12 @@ static psa_status_t mbedtls_psa_pake_output_internal( * to return the right parts on each step. */ if (operation->alg == PSA_ALG_JPAKE) { - if (step != PSA_PAKE_STEP_KEY_SHARE && - step != PSA_PAKE_STEP_ZK_PUBLIC && - step != PSA_PAKE_STEP_ZK_PROOF) { - return PSA_ERROR_INVALID_ARGUMENT; - } - - if (operation->state == PSA_PAKE_STATE_SETUP) { - status = psa_pake_ecjpake_setup(operation); - if (status != PSA_SUCCESS) { - return status; - } - } - - if (operation->state != PSA_PAKE_STATE_READY && - operation->state != PSA_PAKE_OUTPUT_X1_X2 && - operation->state != PSA_PAKE_OUTPUT_X2S) { - return PSA_ERROR_BAD_STATE; - } - - if (operation->state == PSA_PAKE_STATE_READY) { - if (step != PSA_PAKE_STEP_KEY_SHARE) { - return PSA_ERROR_BAD_STATE; - } - - switch (operation->output_step) { - case PSA_PAKE_STEP_X1_X2: - operation->state = PSA_PAKE_OUTPUT_X1_X2; - break; - case PSA_PAKE_STEP_X2S: - operation->state = PSA_PAKE_OUTPUT_X2S; - break; - default: - return PSA_ERROR_BAD_STATE; - } - - operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; - } - - /* Check if step matches current sequence */ - switch (operation->sequence) { - case PSA_PAKE_X1_STEP_KEY_SHARE: - case PSA_PAKE_X2_STEP_KEY_SHARE: - if (step != PSA_PAKE_STEP_KEY_SHARE) { - return PSA_ERROR_BAD_STATE; - } - break; - - case PSA_PAKE_X1_STEP_ZK_PUBLIC: - case PSA_PAKE_X2_STEP_ZK_PUBLIC: - if (step != PSA_PAKE_STEP_ZK_PUBLIC) { - return PSA_ERROR_BAD_STATE; - } - break; - - case PSA_PAKE_X1_STEP_ZK_PROOF: - case PSA_PAKE_X2_STEP_ZK_PROOF: - if (step != PSA_PAKE_STEP_ZK_PROOF) { - return PSA_ERROR_BAD_STATE; - } - break; - - default: - return PSA_ERROR_BAD_STATE; - } + const psa_jpake_computation_stage_t *jpake_computation_stage = + &computation_stage->data.jpake_computation_stage; /* Initialize & write round on KEY_SHARE sequences */ - if (operation->state == PSA_PAKE_OUTPUT_X1_X2 && - operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) { + if (jpake_computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 && + jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) { ret = mbedtls_ecjpake_write_round_one(&operation->ctx.pake, operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE, @@ -403,8 +308,8 @@ static psa_status_t mbedtls_psa_pake_output_internal( } operation->buffer_offset = 0; - } else if (operation->state == PSA_PAKE_OUTPUT_X2S && - operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) { + } else if (jpake_computation_stage->state == PSA_PAKE_OUTPUT_X2S && + jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) { ret = mbedtls_ecjpake_write_round_two(&operation->ctx.pake, operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE, @@ -429,8 +334,8 @@ static psa_status_t mbedtls_psa_pake_output_internal( * output with a length byte, even less a curve identifier, as that * information is already available. */ - if (operation->state == PSA_PAKE_OUTPUT_X2S && - operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && + if (jpake_computation_stage->state == PSA_PAKE_OUTPUT_X2S && + jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && operation->role == PSA_PAKE_ROLE_SERVER) { /* Skip ECParameters, with is 3 bytes (RFC 8422) */ operation->buffer_offset += 3; @@ -456,25 +361,20 @@ static psa_status_t mbedtls_psa_pake_output_internal( operation->buffer_offset += length; /* Reset buffer after ZK_PROOF sequence */ - if ((operation->state == PSA_PAKE_OUTPUT_X1_X2 && - operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || - (operation->state == PSA_PAKE_OUTPUT_X2S && - operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { + if ((jpake_computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 && + jpake_computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || + (jpake_computation_stage->state == PSA_PAKE_OUTPUT_X2S && + jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); operation->buffer_length = 0; operation->buffer_offset = 0; - - operation->state = PSA_PAKE_STATE_READY; - operation->output_step++; - operation->sequence = PSA_PAKE_SEQ_INVALID; - } else { - operation->sequence++; } return PSA_SUCCESS; } else #else (void) step; + (void) computation_stage; (void) output; (void) output_size; (void) output_length; @@ -484,12 +384,13 @@ static psa_status_t mbedtls_psa_pake_output_internal( psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length) { psa_status_t status = mbedtls_psa_pake_output_internal( - operation, step, output, output_size, output_length); + operation, step, computation_stage, output, output_size, output_length); if (status != PSA_SUCCESS) { mbedtls_psa_pake_abort(operation); @@ -501,20 +402,16 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, static psa_status_t mbedtls_psa_pake_input_internal( mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - + (void) step; if (operation->alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } - if (operation->state == PSA_PAKE_STATE_INVALID) { - return PSA_ERROR_BAD_STATE; - } - #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) /* * The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different @@ -532,77 +429,8 @@ static psa_status_t mbedtls_psa_pake_input_internal( * This causes any input error to be only detected on the last step. */ if (operation->alg == PSA_ALG_JPAKE) { - if (step != PSA_PAKE_STEP_KEY_SHARE && - step != PSA_PAKE_STEP_ZK_PUBLIC && - step != PSA_PAKE_STEP_ZK_PROOF) { - return PSA_ERROR_INVALID_ARGUMENT; - } - - const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( - PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256); - if (input_length > (size_t) PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, prim, step)) { - return PSA_ERROR_INVALID_ARGUMENT; - } - - if (operation->state == PSA_PAKE_STATE_SETUP) { - status = psa_pake_ecjpake_setup(operation); - if (status != PSA_SUCCESS) { - return status; - } - } - - if (operation->state != PSA_PAKE_STATE_READY && - operation->state != PSA_PAKE_INPUT_X1_X2 && - operation->state != PSA_PAKE_INPUT_X4S) { - return PSA_ERROR_BAD_STATE; - } - - if (operation->state == PSA_PAKE_STATE_READY) { - if (step != PSA_PAKE_STEP_KEY_SHARE) { - return PSA_ERROR_BAD_STATE; - } - - switch (operation->input_step) { - case PSA_PAKE_STEP_X1_X2: - operation->state = PSA_PAKE_INPUT_X1_X2; - break; - case PSA_PAKE_STEP_X2S: - operation->state = PSA_PAKE_INPUT_X4S; - break; - default: - return PSA_ERROR_BAD_STATE; - } - - operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; - } - - /* Check if step matches current sequence */ - switch (operation->sequence) { - case PSA_PAKE_X1_STEP_KEY_SHARE: - case PSA_PAKE_X2_STEP_KEY_SHARE: - if (step != PSA_PAKE_STEP_KEY_SHARE) { - return PSA_ERROR_BAD_STATE; - } - break; - - case PSA_PAKE_X1_STEP_ZK_PUBLIC: - case PSA_PAKE_X2_STEP_ZK_PUBLIC: - if (step != PSA_PAKE_STEP_ZK_PUBLIC) { - return PSA_ERROR_BAD_STATE; - } - break; - - case PSA_PAKE_X1_STEP_ZK_PROOF: - case PSA_PAKE_X2_STEP_ZK_PROOF: - if (step != PSA_PAKE_STEP_ZK_PROOF) { - return PSA_ERROR_BAD_STATE; - } - break; - - default: - return PSA_ERROR_BAD_STATE; - } - + const psa_jpake_computation_stage_t *jpake_computation_stage = + &computation_stage->data.jpake_computation_stage; /* * Copy input to local buffer and format it as the Mbed TLS API * expects, i.e. as defined by draft-cragie-tls-ecjpake-01 section 7. @@ -612,8 +440,8 @@ static psa_status_t mbedtls_psa_pake_input_internal( * ECParameters structure - which means we have to prepend that when * we're a client. */ - if (operation->state == PSA_PAKE_INPUT_X4S && - operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && + if (jpake_computation_stage->state == PSA_PAKE_INPUT_X4S && + jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && operation->role == PSA_PAKE_ROLE_CLIENT) { /* We only support secp256r1. */ /* This is the ECParameters structure defined by RFC 8422. */ @@ -636,8 +464,8 @@ static psa_status_t mbedtls_psa_pake_input_internal( operation->buffer_length += input_length; /* Load buffer at each last round ZK_PROOF */ - if (operation->state == PSA_PAKE_INPUT_X1_X2 && - operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) { + if (jpake_computation_stage->state == PSA_PAKE_INPUT_X1_X2 && + jpake_computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) { ret = mbedtls_ecjpake_read_round_one(&operation->ctx.pake, operation->buffer, operation->buffer_length); @@ -648,8 +476,8 @@ static psa_status_t mbedtls_psa_pake_input_internal( if (ret != 0) { return mbedtls_ecjpake_to_psa_error(ret); } - } else if (operation->state == PSA_PAKE_INPUT_X4S && - operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF) { + } else if (jpake_computation_stage->state == PSA_PAKE_INPUT_X4S && + jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF) { ret = mbedtls_ecjpake_read_round_two(&operation->ctx.pake, operation->buffer, operation->buffer_length); @@ -662,21 +490,11 @@ static psa_status_t mbedtls_psa_pake_input_internal( } } - if ((operation->state == PSA_PAKE_INPUT_X1_X2 && - operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || - (operation->state == PSA_PAKE_INPUT_X4S && - operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { - operation->state = PSA_PAKE_STATE_READY; - operation->input_step++; - operation->sequence = PSA_PAKE_SEQ_INVALID; - } else { - operation->sequence++; - } - return PSA_SUCCESS; } else #else (void) step; + (void) computation_stage; (void) input; (void) input_length; #endif @@ -685,11 +503,12 @@ static psa_status_t mbedtls_psa_pake_input_internal( psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length) { psa_status_t status = mbedtls_psa_pake_input_internal( - operation, step, input, input_length); + operation, step, computation_stage, input, input_length); if (status != PSA_SUCCESS) { mbedtls_psa_pake_abort(operation); @@ -703,18 +522,11 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( uint8_t *output, size_t *output_size) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; if (operation->alg == PSA_ALG_NONE) { return PSA_ERROR_BAD_STATE; } - if (operation->input_step != PSA_PAKE_STEP_DERIVE || - operation->output_step != PSA_PAKE_STEP_DERIVE) { - status = PSA_ERROR_BAD_STATE; - goto error; - } - #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.pake, @@ -740,12 +552,7 @@ psa_status_t mbedtls_psa_pake_get_implicit_key( #else (void) output; #endif - { status = PSA_ERROR_NOT_SUPPORTED; } - -error: - mbedtls_psa_pake_abort(operation); - - return status; + { return PSA_ERROR_NOT_SUPPORTED; } } psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation) @@ -757,8 +564,6 @@ psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation) #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) if (operation->alg == PSA_ALG_JPAKE) { - operation->input_step = PSA_PAKE_STEP_INVALID; - operation->output_step = PSA_PAKE_STEP_INVALID; if (operation->password_len > 0) { mbedtls_platform_zeroize(operation->password, operation->password_len); } @@ -774,8 +579,6 @@ psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation) #endif operation->alg = PSA_ALG_NONE; - operation->state = PSA_PAKE_STATE_INVALID; - operation->sequence = PSA_PAKE_SEQ_INVALID; return PSA_SUCCESS; } diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h index 608d76aed..485c93af9 100644 --- a/library/psa_crypto_pake.h +++ b/library/psa_crypto_pake.h @@ -58,6 +58,7 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, * \param[in,out] operation Active PAKE operation. * \param step The step of the algorithm for which the output is * requested. + * \param computation_stage The structure that holds PAKE computation stage. * \param[out] output Buffer where the output is to be written in the * format appropriate for this \p step. Refer to * the documentation of the individual @@ -97,6 +98,7 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, */ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length); @@ -110,6 +112,7 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, * * \param[in,out] operation Active PAKE operation. * \param step The step for which the input is provided. + * \param computation_stage The structure that holds PAKE computation stage. * \param[in] input Buffer containing the input in the format * appropriate for this \p step. Refer to the * documentation of the individual @@ -144,6 +147,7 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, */ psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length); diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index 21a3b5f91..e1a4c9ca3 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -2866,6 +2866,7 @@ psa_status_t psa_driver_wrapper_pake_setup( psa_status_t psa_driver_wrapper_pake_output( psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length ) @@ -2874,7 +2875,8 @@ psa_status_t psa_driver_wrapper_pake_output( { #if defined(MBEDTLS_PSA_BUILTIN_PAKE) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - return( mbedtls_psa_pake_output( &operation->data.ctx.mbedtls_ctx, step, output, + return( mbedtls_psa_pake_output( &operation->data.ctx.mbedtls_ctx, step, + computation_stage, output, output_size, output_length ) ); #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ @@ -2883,15 +2885,16 @@ psa_status_t psa_driver_wrapper_pake_output( case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_pake_output( &operation->data.ctx.transparent_test_driver_ctx, - step, output, output_size, output_length ) ); + step, computation_stage, output, output_size, output_length ) ); case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_pake_output( &operation->data.ctx.opaque_test_driver_ctx, - step, output, output_size, output_length ) ); + step, computation_stage, output, output_size, output_length ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: (void) step; + (void) computation_stage; (void) output; (void) output_size; (void) output_length; @@ -2902,6 +2905,7 @@ psa_status_t psa_driver_wrapper_pake_output( psa_status_t psa_driver_wrapper_pake_input( psa_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length ) { @@ -2910,7 +2914,8 @@ psa_status_t psa_driver_wrapper_pake_input( #if defined(MBEDTLS_PSA_BUILTIN_PAKE) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: return( mbedtls_psa_pake_input( &operation->data.ctx.mbedtls_ctx, - step, input, input_length ) ); + step, computation_stage, input, + input_length ) ); #endif /* MBEDTLS_PSA_BUILTIN_PAKE */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) @@ -2918,15 +2923,18 @@ psa_status_t psa_driver_wrapper_pake_input( case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: return( mbedtls_test_transparent_pake_input( &operation->data.ctx.transparent_test_driver_ctx, - step, input, input_length ) ); + step, computation_stage, + input, input_length ) ); case MBEDTLS_TEST_OPAQUE_DRIVER_ID: return( mbedtls_test_opaque_pake_input( &operation->data.ctx.opaque_test_driver_ctx, - step, input, input_length ) ); + step, computation_stage, + input, input_length ) ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: (void) step; + (void) computation_stage; (void) input; (void) input_length; return( PSA_ERROR_INVALID_ARGUMENT ); diff --git a/tests/include/test/drivers/pake.h b/tests/include/test/drivers/pake.h index 041229601..1f530081a 100644 --- a/tests/include/test/drivers/pake.h +++ b/tests/include/test/drivers/pake.h @@ -58,6 +58,7 @@ psa_status_t mbedtls_test_transparent_pake_setup( psa_status_t mbedtls_test_transparent_pake_output( mbedtls_transparent_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length); @@ -65,6 +66,7 @@ psa_status_t mbedtls_test_transparent_pake_output( psa_status_t mbedtls_test_transparent_pake_input( mbedtls_transparent_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length); @@ -102,6 +104,7 @@ psa_status_t mbedtls_test_opaque_pake_set_role( psa_status_t mbedtls_test_opaque_pake_output( mbedtls_opaque_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length); @@ -109,6 +112,7 @@ psa_status_t mbedtls_test_opaque_pake_output( psa_status_t mbedtls_test_opaque_pake_input( mbedtls_opaque_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length); diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c index 437c4995f..21719e6d7 100644 --- a/tests/src/drivers/test_driver_pake.c +++ b/tests/src/drivers/test_driver_pake.c @@ -65,6 +65,7 @@ psa_status_t mbedtls_test_transparent_pake_setup( psa_status_t mbedtls_test_transparent_pake_output( mbedtls_transparent_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length) @@ -92,14 +93,20 @@ psa_status_t mbedtls_test_transparent_pake_output( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = libtestdriver1_mbedtls_psa_pake_output( - operation, step, output, output_size, output_length); + operation, + step, + (libtestdriver1_psa_pake_computation_stage_t *) computation_stage, + output, + output_size, + output_length); #elif defined(MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = mbedtls_psa_pake_output( - operation, step, output, output_size, output_length); + operation, step, computation_stage, output, output_size, output_length); #else (void) operation; (void) step; + (void) computation_stage; (void) output; (void) output_size; (void) output_length; @@ -113,6 +120,7 @@ psa_status_t mbedtls_test_transparent_pake_output( psa_status_t mbedtls_test_transparent_pake_input( mbedtls_transparent_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length) { @@ -126,14 +134,19 @@ psa_status_t mbedtls_test_transparent_pake_input( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = libtestdriver1_mbedtls_psa_pake_input( - operation, step, input, input_length); + operation, + step, + (libtestdriver1_psa_pake_computation_stage_t *) computation_stage, + input, + input_length); #elif defined(MBEDTLS_PSA_BUILTIN_PAKE) mbedtls_test_driver_pake_hooks.driver_status = mbedtls_psa_pake_input( - operation, step, input, input_length); + operation, step, computation_stage, input, input_length); #else (void) operation; (void) step; + (void) computation_stage; (void) input; (void) input_length; mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; @@ -258,12 +271,14 @@ psa_status_t mbedtls_test_opaque_pake_set_role( psa_status_t mbedtls_test_opaque_pake_output( mbedtls_opaque_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, uint8_t *output, size_t output_size, size_t *output_length) { (void) operation; (void) step; + (void) computation_stage; (void) output; (void) output_size; (void) output_length; @@ -274,11 +289,13 @@ psa_status_t mbedtls_test_opaque_pake_output( psa_status_t mbedtls_test_opaque_pake_input( mbedtls_opaque_test_driver_pake_operation_t *operation, psa_pake_step_t step, + const psa_pake_computation_stage_t *computation_stage, const uint8_t *input, size_t input_length) { (void) operation; (void) step; + (void) computation_stage; (void) input; (void) input_length; return PSA_ERROR_NOT_SUPPORTED; diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data index 0ec16f06c..e4bb92b3c 100644 --- a/tests/suites/test_suite_psa_crypto_pake.data +++ b/tests/suites/test_suite_psa_crypto_pake.data @@ -70,10 +70,6 @@ PSA PAKE: input buffer too large depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_INVALID_ARGUMENT -PSA PAKE: valid input operation after a failure -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_VALID_OPERATION_AFTER_FAILURE:PSA_ERROR_BAD_STATE - PSA PAKE: invalid output depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT @@ -90,10 +86,6 @@ PSA PAKE: output buffer too small depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_BUFFER_TOO_SMALL -PSA PAKE: valid output operation after a failure -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_VALID_OPERATION_AFTER_FAILURE:PSA_ERROR_BAD_STATE - PSA PAKE: check rounds w/o forced errors depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0:ERR_NONE