diff --git a/ChangeLog.d/ecjpake_to_pms.txt b/ChangeLog.d/ecjpake_to_pms.txt new file mode 100644 index 000000000..4dd2075de --- /dev/null +++ b/ChangeLog.d/ecjpake_to_pms.txt @@ -0,0 +1,5 @@ +API changes + * Add an ad-hoc key derivation function handling ECJPAKE to PMS + calculation that can be used to derive the session secret in TLS 1.2, + as described in draft-cragie-tls-ecjpake-01. This can be achieved by + using PSA_ALG_TLS12_ECJPAKE_TO_PMS as the key derivation algorithm. diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 2609787ba..5b27dda2a 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -237,6 +237,12 @@ extern "C" { #endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS */ #endif /* PSA_WANT_ALG_TLS12_PSK_TO_MS */ +#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS) +#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS 1 +#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS */ +#endif /* PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS */ + #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR 1 @@ -721,6 +727,11 @@ extern "C" { #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1 #endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) +#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS 1 +#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 +#endif + #if defined(MBEDTLS_CHACHA20_C) #define PSA_WANT_KEY_TYPE_CHACHA20 1 #define PSA_WANT_ALG_STREAM_CIPHER 1 diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 9011a5596..5ab4fdef3 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -89,6 +89,8 @@ #define PSA_WANT_ALG_STREAM_CIPHER 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 +#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 + /* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS. * Note: when adding support, also adjust include/mbedtls/config_psa.h */ //#define PSA_WANT_ALG_XTS 1 diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index 1024d6b91..231ea624a 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h @@ -239,6 +239,15 @@ */ #define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE 128 +/* The expected size of input passed to psa_tls12_ecjpake_to_pms_input, + * which is expected to work with P-256 curve only. */ +#define PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE 65 + +/* The size of a serialized K.X coordinate to be used in + * psa_tls12_ecjpake_to_pms_input. This function only accepts the P-256 + * curve. */ +#define PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE 32 + /** The maximum size of a block cipher. */ #define PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE 16 diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 957b4c611..afba32502 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -202,6 +202,12 @@ typedef struct #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF || MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT || MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) +typedef struct +{ + uint8_t MBEDTLS_PRIVATE(data)[PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE]; +} psa_tls12_ecjpake_to_pms_t; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) @@ -266,6 +272,9 @@ struct psa_key_derivation_s #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) psa_tls12_prf_key_derivation_t MBEDTLS_PRIVATE(tls12_prf); +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) + psa_tls12_ecjpake_to_pms_t MBEDTLS_PRIVATE(tls12_ecjpake_to_pms); #endif } MBEDTLS_PRIVATE(ctx); }; diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 5e6e5e352..b465ddb14 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2021,6 +2021,20 @@ #define PSA_ALG_TLS12_PSK_TO_MS_GET_HASH(hkdf_alg) \ (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK)) +/* The TLS 1.2 ECJPAKE-to-PMS KDF. It takes the shared secret K (an EC point + * in case of EC J-PAKE) and calculates SHA256(K.X) that the rest of TLS 1.2 + * will use to derive the session secret, as defined by step 2 of + * https://datatracker.ietf.org/doc/html/draft-cragie-tls-ecjpake-01#section-8.7. + * Uses PSA_ALG_SHA_256. + * This function takes a single input: + * #PSA_KEY_DERIVATION_INPUT_SECRET is the shared secret K from EC J-PAKE. + * The only supported curve is secp256r1 (the 256-bit curve in + * #PSA_ECC_FAMILY_SECP_R1), so the input must be exactly 65 bytes. + * The output has to be read as a single chunk of 32 bytes, defined as + * PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE. + */ +#define PSA_ALG_TLS12_ECJPAKE_TO_PMS ((psa_algorithm_t)0x08000609) + /* This flag indicates whether the key derivation algorithm is suitable for * use on low-entropy secrets such as password - these algorithms are also * known as key stretching or password hashing schemes. These are also the diff --git a/library/check_crypto_config.h b/library/check_crypto_config.h index c74437e7d..e60e66616 100644 --- a/library/check_crypto_config.h +++ b/library/check_crypto_config.h @@ -93,4 +93,9 @@ #error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites" #endif +#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS) && \ + !defined(PSA_WANT_ALG_SHA_256) +#error "PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS defined, but not all prerequisites" +#endif + #endif /* MBEDTLS_CHECK_CRYPTO_CONFIG_H */ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 4a0bd8331..38b49cb0a 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4245,7 +4245,8 @@ psa_status_t psa_aead_abort( psa_aead_operation_t *operation ) #if defined(BUILTIN_ALG_ANY_HKDF) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) #define AT_LEAST_ONE_BUILTIN_KDF #endif /* At least one builtin KDF */ @@ -4352,6 +4353,14 @@ psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation else #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || * defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) + if( kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS ) + { + mbedtls_platform_zeroize( operation->ctx.tls12_ecjpake_to_pms.data, + sizeof( operation->ctx.tls12_ecjpake_to_pms.data ) ); + } + else +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) */ { status = PSA_ERROR_BAD_STATE; } @@ -4633,6 +4642,31 @@ static psa_status_t psa_key_derivation_tls12_prf_read( #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF || * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) +static psa_status_t psa_key_derivation_tls12_ecjpake_to_pms_read( + psa_tls12_ecjpake_to_pms_t *ecjpake, + uint8_t *output, + size_t output_length ) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t output_size = 0; + + if( output_length != 32 ) + return ( PSA_ERROR_INVALID_ARGUMENT ); + + status = psa_hash_compute( PSA_ALG_SHA_256, ecjpake->data, + PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE, output, output_length, + &output_size ); + if( status != PSA_SUCCESS ) + return ( status ); + + if( output_size != output_length ) + return ( PSA_ERROR_GENERIC_ERROR ); + + return ( PSA_SUCCESS ); +} +#endif + psa_status_t psa_key_derivation_output_bytes( psa_key_derivation_operation_t *operation, uint8_t *output, @@ -4687,6 +4721,15 @@ psa_status_t psa_key_derivation_output_bytes( else #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF || * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) + if( kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS ) + { + status = psa_key_derivation_tls12_ecjpake_to_pms_read( + &operation->ctx.tls12_ecjpake_to_pms, output, output_length ); + } + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ + { (void) kdf_alg; return( PSA_ERROR_BAD_STATE ); @@ -5078,6 +5121,10 @@ static int is_kdf_alg_supported( psa_algorithm_t kdf_alg ) #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) if( PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) return( 1 ); +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) + if( kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS ) + return( 1 ); #endif return( 0 ); } @@ -5102,19 +5149,26 @@ static psa_status_t psa_key_derivation_setup_kdf( if( ! is_kdf_alg_supported( kdf_alg ) ) return( PSA_ERROR_NOT_SUPPORTED ); - /* All currently supported key derivation algorithms are based on a - * hash algorithm. */ + /* All currently supported key derivation algorithms (apart from + * ecjpake to pms) are based on a hash algorithm. */ psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg ); size_t hash_size = PSA_HASH_LENGTH( hash_alg ); - if( hash_size == 0 ) - return( PSA_ERROR_NOT_SUPPORTED ); + if( kdf_alg != PSA_ALG_TLS12_ECJPAKE_TO_PMS ) + { + if( hash_size == 0 ) + return( PSA_ERROR_NOT_SUPPORTED ); - /* Make sure that hash_alg is a supported hash algorithm. Otherwise - * we might fail later, which is somewhat unfriendly and potentially - * risk-prone. */ - psa_status_t status = psa_hash_try_support( hash_alg ); - if( status != PSA_SUCCESS ) - return( status ); + /* Make sure that hash_alg is a supported hash algorithm. Otherwise + * we might fail later, which is somewhat unfriendly and potentially + * risk-prone. */ + psa_status_t status = psa_hash_try_support( hash_alg ); + if( status != PSA_SUCCESS ) + return( status ); + } + else + { + hash_size = PSA_HASH_LENGTH( PSA_ALG_SHA_256 ); + } if( ( PSA_ALG_IS_TLS12_PRF( kdf_alg ) || PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) && @@ -5122,11 +5176,14 @@ static psa_status_t psa_key_derivation_setup_kdf( { return( PSA_ERROR_NOT_SUPPORTED ); } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) - if( PSA_ALG_IS_HKDF_EXTRACT( kdf_alg ) ) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) + if( PSA_ALG_IS_HKDF_EXTRACT( kdf_alg ) || + ( kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS ) ) operation->capacity = hash_size; else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT || + MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ operation->capacity = 255 * hash_size; return( PSA_SUCCESS ); } @@ -5515,6 +5572,29 @@ static psa_status_t psa_tls12_prf_psk_to_ms_input( } #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) +static psa_status_t psa_tls12_ecjpake_to_pms_input( + psa_tls12_ecjpake_to_pms_t *ecjpake, + psa_key_derivation_step_t step, + const uint8_t *data, + size_t data_length ) +{ + if( data_length != PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE || + step != PSA_KEY_DERIVATION_INPUT_SECRET ) + { + return( PSA_ERROR_INVALID_ARGUMENT ); + } + + /* Check if the passed point is in an uncompressed form */ + if( data[0] != 0x04 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + /* Only K.X has to be extracted - bytes 1 to 32 inclusive. */ + memcpy( ecjpake->data, data + 1, PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE ); + + return( PSA_SUCCESS ); +} +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ /** Check whether the given key type is acceptable for the given * input step of a key derivation. * @@ -5593,6 +5673,14 @@ static psa_status_t psa_key_derivation_input_internal( } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) + if( kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS ) + { + status = psa_tls12_ecjpake_to_pms_input( + &operation->ctx.tls12_ecjpake_to_pms, step, data, data_length ); + } + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ { /* This can't happen unless the operation object was not initialized */ (void) data; diff --git a/scripts/mbedtls_dev/crypto_knowledge.py b/scripts/mbedtls_dev/crypto_knowledge.py index 592fc0afe..f52ca9ac8 100644 --- a/scripts/mbedtls_dev/crypto_knowledge.py +++ b/scripts/mbedtls_dev/crypto_knowledge.py @@ -357,6 +357,7 @@ class Algorithm: 'HKDF': AlgorithmCategory.KEY_DERIVATION, 'TLS12_PRF': AlgorithmCategory.KEY_DERIVATION, 'TLS12_PSK_TO_MS': AlgorithmCategory.KEY_DERIVATION, + 'TLS12_ECJPAKE_TO_PMS': AlgorithmCategory.KEY_DERIVATION, 'PBKDF': AlgorithmCategory.KEY_DERIVATION, 'ECDH': AlgorithmCategory.KEY_AGREEMENT, 'FFDH': AlgorithmCategory.KEY_AGREEMENT, diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 28a20d2b7..a1b47f466 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2082,6 +2082,7 @@ component_build_psa_accel_alg_md5() { scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512 + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_MD5 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } @@ -2101,6 +2102,7 @@ component_build_psa_accel_alg_ripemd160() { scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512 + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RIPEMD160 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } @@ -2120,6 +2122,7 @@ component_build_psa_accel_alg_sha1() { scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512 + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_1 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } @@ -2138,6 +2141,7 @@ component_build_psa_accel_alg_sha224() { scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_1 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_512 + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_224 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } @@ -2175,6 +2179,7 @@ component_build_psa_accel_alg_sha384() { scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_1 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_224 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256 + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_384 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } @@ -2194,6 +2199,7 @@ component_build_psa_accel_alg_sha512() { scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_224 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_256 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_SHA_384 + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_512 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index c8b229c7f..f2478be5f 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4824,6 +4824,10 @@ PSA key derivation setup: TLS 1.2 PRF SHA-256, good case depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF derive_setup:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_SUCCESS +PSA key derivation setup: TLS 1.2 ECJPAKE to PMS +depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +derive_setup:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_SUCCESS + PSA key derivation setup: not a key derivation algorithm (HMAC) depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256 derive_setup:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_ERROR_INVALID_ARGUMENT @@ -5793,6 +5797,47 @@ PSA key derivation: over capacity 42: output 43+1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865ff":"ff":0:1:0 +PSA key derivation: ECJPAKE to PMS, no input +depends_on:PSA_WANT_ALG_SHA_256 +derive_ecjpake_to_pms:"":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"":PSA_ERROR_INVALID_ARGUMENT + +PSA key derivation: ECJPAKE to PMS, input too short +depends_on:PSA_WANT_ALG_SHA_256 +derive_ecjpake_to_pms:"deadbeef":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"":PSA_ERROR_INVALID_ARGUMENT + +PSA key derivation: ECJPAKE to PMS, input too long +depends_on:PSA_WANT_ALG_SHA_256 +derive_ecjpake_to_pms:"0400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000de":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"":PSA_ERROR_INVALID_ARGUMENT + +PSA key derivation: ECJPAKE to PMS, bad input format +depends_on:PSA_WANT_ALG_SHA_256 +derive_ecjpake_to_pms:"0200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"":PSA_ERROR_INVALID_ARGUMENT + +#NIST CAVS 11.0 SHA-256 ShortMSG vector for L=256 +PSA key derivation: ECJPAKE to PMS, good case +depends_on:PSA_WANT_ALG_SHA_256 +derive_ecjpake_to_pms:"0409fc1accc230a205e4a208e64a8f204291f581a12756392da4b8c0cf5ef02b950000000000000000000000000000000000000000000000000000000000000000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"4f44c1c7fbebb6f9601829f3897bfd650c56fa07844be76489076356ac1886a4":PSA_SUCCESS + +PSA key derivation: ECJPAKE to PMS, bad derivation step +depends_on:PSA_WANT_ALG_SHA_256 +derive_ecjpake_to_pms:"0409fc1accc230a205e4a208e64a8f204291f581a12756392da4b8c0cf5ef02b950000000000000000000000000000000000000000000000000000000000000000":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SEED:32:PSA_SUCCESS:"4f44c1c7fbebb6f9601829f3897bfd650c56fa07844be76489076356ac1886a4":PSA_SUCCESS + +PSA key derivation: ECJPAKE to PMS, capacity 1 byte too big +depends_on:PSA_WANT_ALG_SHA_256 +derive_ecjpake_to_pms:"0409fc1accc230a205e4a208e64a8f204291f581a12756392da4b8c0cf5ef02b950000000000000000000000000000000000000000000000000000000000000000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:33:PSA_ERROR_INVALID_ARGUMENT:"4f44c1c7fbebb6f9601829f3897bfd650c56fa07844be76489076356ac1886a4":PSA_SUCCESS + +PSA key derivation: ECJPAKE to PMS, capacity 1 byte too small +depends_on:PSA_WANT_ALG_SHA_256 +derive_ecjpake_to_pms:"0409fc1accc230a205e4a208e64a8f204291f581a12756392da4b8c0cf5ef02b950000000000000000000000000000000000000000000000000000000000000000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:31:PSA_SUCCESS:"4f44c1c7fbebb6f9601829f3897bfd650c56fa07844be76489076356ac1886a4":PSA_ERROR_INSUFFICIENT_DATA + +PSA key derivation: ECJPAKE to PMS, output too short +depends_on:PSA_WANT_ALG_SHA_256 +derive_ecjpake_to_pms:"0409fc1accc230a205e4a208e64a8f204291f581a12756392da4b8c0cf5ef02b950000000000000000000000000000000000000000000000000000000000000000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"4f":PSA_ERROR_INVALID_ARGUMENT + +PSA key derivation: ECJPAKE to PMS, output too long +depends_on:PSA_WANT_ALG_SHA_256 +derive_ecjpake_to_pms:"0409fc1accc230a205e4a208e64a8f204291f581a12756392da4b8c0cf5ef02b950000000000000000000000000000000000000000000000000000000000000000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"4f44c1c7fbebb6f9601829f3897bfd650c56fa07844be76489076356ac1886a400":PSA_ERROR_INSUFFICIENT_DATA + PSA key derivation: HKDF SHA-256, read maximum capacity minus 1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_full:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) - 1 diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index c74acf671..fa237d366 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -7797,6 +7797,51 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS:MBEDTLS_SHA256_C */ +void derive_ecjpake_to_pms( data_t *input, int expected_input_status_arg, + int derivation_step, + int capacity, int expected_capacity_status_arg, + data_t *expected_output, + int expected_output_status_arg ) +{ + psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS; + psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; + psa_key_derivation_step_t step = (psa_key_derivation_step_t) derivation_step; + uint8_t *output_buffer = NULL; + psa_status_t status; + psa_status_t expected_input_status = (psa_status_t) expected_input_status_arg; + psa_status_t expected_capacity_status = (psa_status_t) expected_capacity_status_arg; + psa_status_t expected_output_status = (psa_status_t) expected_output_status_arg; + + ASSERT_ALLOC( output_buffer, expected_output->len ); + PSA_ASSERT( psa_crypto_init() ); + + PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); + TEST_EQUAL( psa_key_derivation_set_capacity( &operation, capacity ), + expected_capacity_status); + + TEST_EQUAL( psa_key_derivation_input_bytes( &operation, + step, input->x, input->len ), + expected_input_status ); + + if( ( (psa_status_t) expected_input_status ) != PSA_SUCCESS ) + goto exit; + + status = psa_key_derivation_output_bytes( &operation, output_buffer, + expected_output->len ); + + TEST_EQUAL( status, expected_output_status ); + if( expected_output->len != 0 && expected_output_status == PSA_SUCCESS ) + ASSERT_COMPARE( output_buffer, expected_output->len, expected_output->x, + expected_output->len ); + +exit: + mbedtls_free( output_buffer ); + psa_key_derivation_abort( &operation ); + PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE */ void derive_key_exercise( int alg_arg, data_t *key_data,