test_suite_psa_crypto.function (416380B)
1 /* BEGIN_HEADER */ 2 #include <stdint.h> 3 4 #include "mbedtls/asn1.h" 5 #include "mbedtls/asn1write.h" 6 #include "mbedtls/oid.h" 7 #include "common.h" 8 9 #include "mbedtls/psa_util.h" 10 11 /* For MBEDTLS_CTR_DRBG_MAX_REQUEST, knowing that psa_generate_random() 12 * uses mbedtls_ctr_drbg internally. */ 13 #include "mbedtls/ctr_drbg.h" 14 15 #include "psa/crypto.h" 16 #include "psa_crypto_slot_management.h" 17 18 #include "psa_crypto_core.h" 19 20 #include "test/asn1_helpers.h" 21 #include "test/psa_crypto_helpers.h" 22 #include "test/psa_exercise_key.h" 23 #if defined(PSA_CRYPTO_DRIVER_TEST) 24 #include "test/drivers/test_driver.h" 25 #define TEST_DRIVER_LOCATION PSA_CRYPTO_TEST_DRIVER_LOCATION 26 #else 27 #define TEST_DRIVER_LOCATION 0x7fffff 28 #endif 29 30 #if defined(MBEDTLS_THREADING_PTHREAD) 31 #include "mbedtls/threading.h" 32 #endif 33 34 /* If this comes up, it's a bug in the test code or in the test data. */ 35 #define UNUSED 0xdeadbeef 36 37 /* Assert that an operation is (not) active. 38 * This serves as a proxy for checking if the operation is aborted. */ 39 #define ASSERT_OPERATION_IS_ACTIVE(operation) TEST_ASSERT(operation.id != 0) 40 #define ASSERT_OPERATION_IS_INACTIVE(operation) TEST_ASSERT(operation.id == 0) 41 42 /** An invalid export length that will never be set by psa_export_key(). */ 43 static const size_t INVALID_EXPORT_LENGTH = ~0U; 44 45 /** Test if a buffer contains a constant byte value. 46 * 47 * `mem_is_char(buffer, c, size)` is true after `memset(buffer, c, size)`. 48 * 49 * \param buffer Pointer to the beginning of the buffer. 50 * \param c Expected value of every byte. 51 * \param size Size of the buffer in bytes. 52 * 53 * \return 1 if the buffer is all-bits-zero. 54 * \return 0 if there is at least one nonzero byte. 55 */ 56 static int mem_is_char(void *buffer, unsigned char c, size_t size) 57 { 58 size_t i; 59 for (i = 0; i < size; i++) { 60 if (((unsigned char *) buffer)[i] != c) { 61 return 0; 62 } 63 } 64 return 1; 65 } 66 #if defined(MBEDTLS_ASN1_WRITE_C) 67 /* Write the ASN.1 INTEGER with the value 2^(bits-1)+x backwards from *p. */ 68 static int asn1_write_10x(unsigned char **p, 69 unsigned char *start, 70 size_t bits, 71 unsigned char x) 72 { 73 int ret; 74 int len = bits / 8 + 1; 75 if (bits == 0) { 76 return MBEDTLS_ERR_ASN1_INVALID_DATA; 77 } 78 if (bits <= 8 && x >= 1 << (bits - 1)) { 79 return MBEDTLS_ERR_ASN1_INVALID_DATA; 80 } 81 if (*p < start || *p - start < (ptrdiff_t) len) { 82 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; 83 } 84 *p -= len; 85 (*p)[len-1] = x; 86 if (bits % 8 == 0) { 87 (*p)[1] |= 1; 88 } else { 89 (*p)[0] |= 1 << (bits % 8); 90 } 91 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); 92 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, 93 MBEDTLS_ASN1_INTEGER)); 94 return len; 95 } 96 97 static int construct_fake_rsa_key(unsigned char *buffer, 98 size_t buffer_size, 99 unsigned char **p, 100 size_t bits, 101 int keypair) 102 { 103 size_t half_bits = (bits + 1) / 2; 104 int ret; 105 int len = 0; 106 /* Construct something that looks like a DER encoding of 107 * as defined by PKCS#1 v2.2 (RFC 8017) section A.1.2: 108 * RSAPrivateKey ::= SEQUENCE { 109 * version Version, 110 * modulus INTEGER, -- n 111 * publicExponent INTEGER, -- e 112 * privateExponent INTEGER, -- d 113 * prime1 INTEGER, -- p 114 * prime2 INTEGER, -- q 115 * exponent1 INTEGER, -- d mod (p-1) 116 * exponent2 INTEGER, -- d mod (q-1) 117 * coefficient INTEGER, -- (inverse of q) mod p 118 * otherPrimeInfos OtherPrimeInfos OPTIONAL 119 * } 120 * Or, for a public key, the same structure with only 121 * version, modulus and publicExponent. 122 */ 123 *p = buffer + buffer_size; 124 if (keypair) { 125 MBEDTLS_ASN1_CHK_ADD(len, /* pq */ 126 asn1_write_10x(p, buffer, half_bits, 1)); 127 MBEDTLS_ASN1_CHK_ADD(len, /* dq */ 128 asn1_write_10x(p, buffer, half_bits, 1)); 129 MBEDTLS_ASN1_CHK_ADD(len, /* dp */ 130 asn1_write_10x(p, buffer, half_bits, 1)); 131 MBEDTLS_ASN1_CHK_ADD(len, /* q */ 132 asn1_write_10x(p, buffer, half_bits, 1)); 133 MBEDTLS_ASN1_CHK_ADD(len, /* p != q to pass mbedtls sanity checks */ 134 asn1_write_10x(p, buffer, half_bits, 3)); 135 MBEDTLS_ASN1_CHK_ADD(len, /* d */ 136 asn1_write_10x(p, buffer, bits, 1)); 137 } 138 MBEDTLS_ASN1_CHK_ADD(len, /* e = 65537 */ 139 asn1_write_10x(p, buffer, 17, 1)); 140 MBEDTLS_ASN1_CHK_ADD(len, /* n */ 141 asn1_write_10x(p, buffer, bits, 1)); 142 if (keypair) { 143 MBEDTLS_ASN1_CHK_ADD(len, /* version = 0 */ 144 mbedtls_asn1_write_int(p, buffer, 0)); 145 } 146 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buffer, len)); 147 { 148 const unsigned char tag = 149 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE; 150 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buffer, tag)); 151 } 152 return len; 153 } 154 #endif /* MBEDTLS_ASN1_WRITE_C */ 155 156 static int exercise_mac_setup(psa_key_type_t key_type, 157 const unsigned char *key_bytes, 158 size_t key_length, 159 psa_algorithm_t alg, 160 psa_mac_operation_t *operation, 161 psa_status_t *status) 162 { 163 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 164 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 165 166 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 167 psa_set_key_algorithm(&attributes, alg); 168 psa_set_key_type(&attributes, key_type); 169 PSA_ASSERT(psa_import_key(&attributes, key_bytes, key_length, &key)); 170 171 *status = psa_mac_sign_setup(operation, key, alg); 172 /* Whether setup succeeded or failed, abort must succeed. */ 173 PSA_ASSERT(psa_mac_abort(operation)); 174 /* If setup failed, reproduce the failure, so that the caller can 175 * test the resulting state of the operation object. */ 176 if (*status != PSA_SUCCESS) { 177 TEST_EQUAL(psa_mac_sign_setup(operation, key, alg), *status); 178 } 179 180 psa_destroy_key(key); 181 return 1; 182 183 exit: 184 psa_destroy_key(key); 185 return 0; 186 } 187 188 static int exercise_cipher_setup(psa_key_type_t key_type, 189 const unsigned char *key_bytes, 190 size_t key_length, 191 psa_algorithm_t alg, 192 psa_cipher_operation_t *operation, 193 psa_status_t *status) 194 { 195 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 196 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 197 198 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 199 psa_set_key_algorithm(&attributes, alg); 200 psa_set_key_type(&attributes, key_type); 201 PSA_ASSERT(psa_import_key(&attributes, key_bytes, key_length, &key)); 202 203 *status = psa_cipher_encrypt_setup(operation, key, alg); 204 /* Whether setup succeeded or failed, abort must succeed. */ 205 PSA_ASSERT(psa_cipher_abort(operation)); 206 /* If setup failed, reproduce the failure, so that the caller can 207 * test the resulting state of the operation object. */ 208 if (*status != PSA_SUCCESS) { 209 TEST_EQUAL(psa_cipher_encrypt_setup(operation, key, alg), 210 *status); 211 } 212 213 psa_destroy_key(key); 214 return 1; 215 216 exit: 217 psa_destroy_key(key); 218 return 0; 219 } 220 221 static int test_operations_on_invalid_key(mbedtls_svc_key_id_t key) 222 { 223 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 224 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, 0x6964); 225 uint8_t buffer[1]; 226 size_t length; 227 int ok = 0; 228 229 psa_set_key_id(&attributes, key_id); 230 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 231 psa_set_key_algorithm(&attributes, PSA_ALG_CTR); 232 psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); 233 TEST_EQUAL(psa_get_key_attributes(key, &attributes), 234 PSA_ERROR_INVALID_HANDLE); 235 TEST_EQUAL( 236 MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(&attributes)), 0); 237 TEST_EQUAL( 238 MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(psa_get_key_id(&attributes)), 0); 239 TEST_EQUAL(psa_get_key_lifetime(&attributes), 0); 240 TEST_EQUAL(psa_get_key_usage_flags(&attributes), 0); 241 TEST_EQUAL(psa_get_key_algorithm(&attributes), 0); 242 TEST_EQUAL(psa_get_key_type(&attributes), 0); 243 TEST_EQUAL(psa_get_key_bits(&attributes), 0); 244 245 TEST_EQUAL(psa_export_key(key, buffer, sizeof(buffer), &length), 246 PSA_ERROR_INVALID_HANDLE); 247 TEST_EQUAL(psa_export_public_key(key, 248 buffer, sizeof(buffer), &length), 249 PSA_ERROR_INVALID_HANDLE); 250 251 ok = 1; 252 253 exit: 254 /* 255 * Key attributes may have been returned by psa_get_key_attributes() 256 * thus reset them as required. 257 */ 258 psa_reset_key_attributes(&attributes); 259 260 return ok; 261 } 262 263 /* Assert that a key isn't reported as having a slot number. */ 264 #if defined(MBEDTLS_PSA_CRYPTO_SE_C) 265 #define ASSERT_NO_SLOT_NUMBER(attributes) \ 266 do \ 267 { \ 268 psa_key_slot_number_t ASSERT_NO_SLOT_NUMBER_slot_number; \ 269 TEST_EQUAL(psa_get_key_slot_number( \ 270 attributes, \ 271 &ASSERT_NO_SLOT_NUMBER_slot_number), \ 272 PSA_ERROR_INVALID_ARGUMENT); \ 273 } \ 274 while (0) 275 #else /* MBEDTLS_PSA_CRYPTO_SE_C */ 276 #define ASSERT_NO_SLOT_NUMBER(attributes) \ 277 ((void) 0) 278 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ 279 280 #define INPUT_INTEGER 0x10000 /* Out of range of psa_key_type_t */ 281 282 /* An overapproximation of the amount of storage needed for a key of the 283 * given type and with the given content. The API doesn't make it easy 284 * to find a good value for the size. The current implementation doesn't 285 * care about the value anyway. */ 286 #define KEY_BITS_FROM_DATA(type, data) \ 287 (data)->len 288 289 typedef enum { 290 IMPORT_KEY = 0, 291 GENERATE_KEY = 1, 292 DERIVE_KEY = 2 293 } generate_method; 294 295 typedef enum { 296 DO_NOT_SET_LENGTHS = 0, 297 SET_LENGTHS_BEFORE_NONCE = 1, 298 SET_LENGTHS_AFTER_NONCE = 2 299 } set_lengths_method_t; 300 301 typedef enum { 302 USE_NULL_TAG = 0, 303 USE_GIVEN_TAG = 1, 304 } tag_usage_method_t; 305 306 307 /*! 308 * \brief Internal Function for AEAD multipart tests. 309 * \param key_type_arg Type of key passed in 310 * \param key_data The encryption / decryption key data 311 * \param alg_arg The type of algorithm used 312 * \param nonce Nonce data 313 * \param additional_data Additional data 314 * \param ad_part_len_arg If not -1, the length of chunks to 315 * feed additional data in to be encrypted / 316 * decrypted. If -1, no chunking. 317 * \param input_data Data to encrypt / decrypt 318 * \param data_part_len_arg If not -1, the length of chunks to feed 319 * the data in to be encrypted / decrypted. If 320 * -1, no chunking 321 * \param set_lengths_method A member of the set_lengths_method_t enum is 322 * expected here, this controls whether or not 323 * to set lengths, and in what order with 324 * respect to set nonce. 325 * \param expected_output Expected output 326 * \param is_encrypt If non-zero this is an encryption operation. 327 * \param do_zero_parts If non-zero, interleave zero length chunks 328 * with normal length chunks. 329 * \return int Zero on failure, non-zero on success. 330 */ 331 static int aead_multipart_internal_func(int key_type_arg, data_t *key_data, 332 int alg_arg, 333 data_t *nonce, 334 data_t *additional_data, 335 int ad_part_len_arg, 336 data_t *input_data, 337 int data_part_len_arg, 338 set_lengths_method_t set_lengths_method, 339 data_t *expected_output, 340 int is_encrypt, 341 int do_zero_parts) 342 { 343 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 344 psa_key_type_t key_type = key_type_arg; 345 psa_algorithm_t alg = alg_arg; 346 psa_aead_operation_t operation = psa_aead_operation_init_short(); 347 unsigned char *output_data = NULL; 348 unsigned char *part_data = NULL; 349 unsigned char *final_data = NULL; 350 size_t data_true_size = 0; 351 size_t part_data_size = 0; 352 size_t output_size = 0; 353 size_t final_output_size = 0; 354 size_t output_length = 0; 355 size_t key_bits = 0; 356 size_t tag_length = 0; 357 size_t part_offset = 0; 358 size_t part_length = 0; 359 size_t output_part_length = 0; 360 size_t tag_size = 0; 361 size_t ad_part_len = 0; 362 size_t data_part_len = 0; 363 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 364 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 365 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 366 367 int test_ok = 0; 368 size_t part_count = 0; 369 370 PSA_ASSERT(psa_crypto_init()); 371 372 if (is_encrypt) { 373 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 374 } else { 375 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 376 } 377 378 psa_set_key_algorithm(&attributes, alg); 379 psa_set_key_type(&attributes, key_type); 380 381 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 382 &key)); 383 384 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 385 key_bits = psa_get_key_bits(&attributes); 386 387 tag_length = PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg); 388 389 if (is_encrypt) { 390 /* Tag gets written at end of buffer. */ 391 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, 392 (input_data->len + 393 tag_length)); 394 data_true_size = input_data->len; 395 } else { 396 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, 397 (input_data->len - 398 tag_length)); 399 400 /* Do not want to attempt to decrypt tag. */ 401 data_true_size = input_data->len - tag_length; 402 } 403 404 TEST_CALLOC(output_data, output_size); 405 406 if (is_encrypt) { 407 final_output_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg); 408 TEST_LE_U(final_output_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE); 409 } else { 410 final_output_size = PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg); 411 TEST_LE_U(final_output_size, PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE); 412 } 413 414 TEST_CALLOC(final_data, final_output_size); 415 416 if (is_encrypt) { 417 status = psa_aead_encrypt_setup(&operation, key, alg); 418 } else { 419 status = psa_aead_decrypt_setup(&operation, key, alg); 420 } 421 422 /* If the operation is not supported, just skip and not fail in case the 423 * encryption involves a common limitation of cryptography hardwares and 424 * an alternative implementation. */ 425 if (status == PSA_ERROR_NOT_SUPPORTED) { 426 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 427 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len); 428 } 429 430 PSA_ASSERT(status); 431 432 if (set_lengths_method == DO_NOT_SET_LENGTHS) { 433 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 434 } else if (set_lengths_method == SET_LENGTHS_BEFORE_NONCE) { 435 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 436 data_true_size)); 437 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 438 } else if (set_lengths_method == SET_LENGTHS_AFTER_NONCE) { 439 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 440 441 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 442 data_true_size)); 443 } 444 445 if (ad_part_len_arg != -1) { 446 /* Pass additional data in parts */ 447 ad_part_len = (size_t) ad_part_len_arg; 448 449 for (part_offset = 0, part_count = 0; 450 part_offset < additional_data->len; 451 part_offset += part_length, part_count++) { 452 if (do_zero_parts && (part_count & 0x01)) { 453 part_length = 0; 454 } else if (additional_data->len - part_offset < ad_part_len) { 455 part_length = additional_data->len - part_offset; 456 } else { 457 part_length = ad_part_len; 458 } 459 460 PSA_ASSERT(psa_aead_update_ad(&operation, 461 additional_data->x + part_offset, 462 part_length)); 463 464 } 465 } else { 466 /* Pass additional data in one go. */ 467 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 468 additional_data->len)); 469 } 470 471 if (data_part_len_arg != -1) { 472 /* Pass data in parts */ 473 data_part_len = (size_t) data_part_len_arg; 474 part_data_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, 475 (size_t) data_part_len); 476 477 TEST_CALLOC(part_data, part_data_size); 478 479 for (part_offset = 0, part_count = 0; 480 part_offset < data_true_size; 481 part_offset += part_length, part_count++) { 482 if (do_zero_parts && (part_count & 0x01)) { 483 part_length = 0; 484 } else if ((data_true_size - part_offset) < data_part_len) { 485 part_length = (data_true_size - part_offset); 486 } else { 487 part_length = data_part_len; 488 } 489 490 PSA_ASSERT(psa_aead_update(&operation, 491 (input_data->x + part_offset), 492 part_length, part_data, 493 part_data_size, 494 &output_part_length)); 495 496 if (output_data && output_part_length) { 497 memcpy((output_data + output_length), part_data, 498 output_part_length); 499 } 500 501 output_length += output_part_length; 502 } 503 } else { 504 /* Pass all data in one go. */ 505 PSA_ASSERT(psa_aead_update(&operation, input_data->x, 506 data_true_size, output_data, 507 output_size, &output_length)); 508 } 509 510 if (is_encrypt) { 511 PSA_ASSERT(psa_aead_finish(&operation, final_data, 512 final_output_size, 513 &output_part_length, 514 tag_buffer, tag_length, 515 &tag_size)); 516 } else { 517 PSA_ASSERT(psa_aead_verify(&operation, final_data, 518 final_output_size, 519 &output_part_length, 520 (input_data->x + data_true_size), 521 tag_length)); 522 } 523 524 if (output_data && output_part_length) { 525 memcpy((output_data + output_length), final_data, 526 output_part_length); 527 } 528 529 output_length += output_part_length; 530 531 532 /* For all currently defined algorithms, PSA_AEAD_xxx_OUTPUT_SIZE 533 * should be exact.*/ 534 if (is_encrypt) { 535 TEST_EQUAL(tag_length, tag_size); 536 537 if (output_data && tag_length) { 538 memcpy((output_data + output_length), tag_buffer, 539 tag_length); 540 } 541 542 output_length += tag_length; 543 544 TEST_EQUAL(output_length, 545 PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, 546 input_data->len)); 547 TEST_LE_U(output_length, 548 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(input_data->len)); 549 } else { 550 TEST_EQUAL(output_length, 551 PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, 552 input_data->len)); 553 TEST_LE_U(output_length, 554 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(input_data->len)); 555 } 556 557 558 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len, 559 output_data, output_length); 560 561 562 test_ok = 1; 563 564 exit: 565 psa_destroy_key(key); 566 psa_aead_abort(&operation); 567 mbedtls_free(output_data); 568 mbedtls_free(part_data); 569 mbedtls_free(final_data); 570 PSA_DONE(); 571 572 return test_ok; 573 } 574 575 /*! 576 * \brief Internal Function for MAC multipart tests. 577 * \param key_type_arg Type of key passed in 578 * \param key_data The encryption / decryption key data 579 * \param alg_arg The type of algorithm used 580 * \param input_data Data to encrypt / decrypt 581 * \param data_part_len_arg If not -1, the length of chunks to feed 582 * the data in to be encrypted / decrypted. If 583 * -1, no chunking 584 * \param expected_output Expected output 585 * \param is_verify If non-zero this is a verify operation. 586 * \param do_zero_parts If non-zero, interleave zero length chunks 587 * with normal length chunks. 588 * \return int Zero on failure, non-zero on success. 589 */ 590 static int mac_multipart_internal_func(int key_type_arg, data_t *key_data, 591 int alg_arg, 592 data_t *input_data, 593 int data_part_len_arg, 594 data_t *expected_output, 595 int is_verify, 596 int do_zero_parts) 597 { 598 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 599 psa_key_type_t key_type = key_type_arg; 600 psa_algorithm_t alg = alg_arg; 601 psa_mac_operation_t operation = psa_mac_operation_init_short(); 602 unsigned char mac[PSA_MAC_MAX_SIZE]; 603 size_t part_offset = 0; 604 size_t part_length = 0; 605 size_t data_part_len = 0; 606 size_t mac_len = 0; 607 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 608 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 609 610 int test_ok = 0; 611 size_t part_count = 0; 612 613 PSA_INIT(); 614 615 if (is_verify) { 616 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 617 } else { 618 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 619 } 620 621 psa_set_key_algorithm(&attributes, alg); 622 psa_set_key_type(&attributes, key_type); 623 624 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 625 &key)); 626 627 if (is_verify) { 628 status = psa_mac_verify_setup(&operation, key, alg); 629 } else { 630 status = psa_mac_sign_setup(&operation, key, alg); 631 } 632 633 PSA_ASSERT(status); 634 635 if (data_part_len_arg != -1) { 636 /* Pass data in parts */ 637 data_part_len = (size_t) data_part_len_arg; 638 639 for (part_offset = 0, part_count = 0; 640 part_offset < input_data->len; 641 part_offset += part_length, part_count++) { 642 if (do_zero_parts && (part_count & 0x01)) { 643 part_length = 0; 644 } else if ((input_data->len - part_offset) < data_part_len) { 645 part_length = (input_data->len - part_offset); 646 } else { 647 part_length = data_part_len; 648 } 649 650 PSA_ASSERT(psa_mac_update(&operation, 651 (input_data->x + part_offset), 652 part_length)); 653 } 654 } else { 655 /* Pass all data in one go. */ 656 PSA_ASSERT(psa_mac_update(&operation, input_data->x, 657 input_data->len)); 658 } 659 660 if (is_verify) { 661 PSA_ASSERT(psa_mac_verify_finish(&operation, expected_output->x, 662 expected_output->len)); 663 } else { 664 PSA_ASSERT(psa_mac_sign_finish(&operation, mac, 665 PSA_MAC_MAX_SIZE, &mac_len)); 666 667 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len, 668 mac, mac_len); 669 } 670 671 test_ok = 1; 672 673 exit: 674 psa_destroy_key(key); 675 psa_mac_abort(&operation); 676 PSA_DONE(); 677 678 return test_ok; 679 } 680 681 #if defined(PSA_WANT_ALG_JPAKE) 682 static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, 683 psa_pake_operation_t *server, 684 psa_pake_operation_t *client, 685 int client_input_first, 686 int round, int inject_error) 687 { 688 unsigned char *buffer0 = NULL, *buffer1 = NULL; 689 size_t buffer_length = ( 690 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE) + 691 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC) + 692 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF)) * 2; 693 /* The output should be exactly this size according to the spec */ 694 const size_t expected_size_key_share = 695 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE); 696 /* The output should be exactly this size according to the spec */ 697 const size_t expected_size_zk_public = 698 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC); 699 /* The output can be smaller: the spec allows stripping leading zeroes */ 700 const size_t max_expected_size_zk_proof = 701 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF); 702 size_t buffer0_off = 0; 703 size_t buffer1_off = 0; 704 size_t s_g1_len, s_g2_len, s_a_len; 705 size_t s_g1_off, s_g2_off, s_a_off; 706 size_t s_x1_pk_len, s_x2_pk_len, s_x2s_pk_len; 707 size_t s_x1_pk_off, s_x2_pk_off, s_x2s_pk_off; 708 size_t s_x1_pr_len, s_x2_pr_len, s_x2s_pr_len; 709 size_t s_x1_pr_off, s_x2_pr_off, s_x2s_pr_off; 710 size_t c_g1_len, c_g2_len, c_a_len; 711 size_t c_g1_off, c_g2_off, c_a_off; 712 size_t c_x1_pk_len, c_x2_pk_len, c_x2s_pk_len; 713 size_t c_x1_pk_off, c_x2_pk_off, c_x2s_pk_off; 714 size_t c_x1_pr_len, c_x2_pr_len, c_x2s_pr_len; 715 size_t c_x1_pr_off, c_x2_pr_off, c_x2s_pr_off; 716 psa_status_t expected_status = PSA_SUCCESS; 717 psa_status_t status; 718 719 TEST_CALLOC(buffer0, buffer_length); 720 TEST_CALLOC(buffer1, buffer_length); 721 722 switch (round) { 723 case 1: 724 /* Server first round Output */ 725 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 726 buffer0 + buffer0_off, 727 buffer_length - buffer0_off, &s_g1_len)); 728 TEST_EQUAL(s_g1_len, expected_size_key_share); 729 s_g1_off = buffer0_off; 730 buffer0_off += s_g1_len; 731 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, 732 buffer0 + buffer0_off, 733 buffer_length - buffer0_off, &s_x1_pk_len)); 734 TEST_EQUAL(s_x1_pk_len, expected_size_zk_public); 735 s_x1_pk_off = buffer0_off; 736 buffer0_off += s_x1_pk_len; 737 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, 738 buffer0 + buffer0_off, 739 buffer_length - buffer0_off, &s_x1_pr_len)); 740 TEST_LE_U(s_x1_pr_len, max_expected_size_zk_proof); 741 s_x1_pr_off = buffer0_off; 742 buffer0_off += s_x1_pr_len; 743 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 744 buffer0 + buffer0_off, 745 buffer_length - buffer0_off, &s_g2_len)); 746 TEST_EQUAL(s_g2_len, expected_size_key_share); 747 s_g2_off = buffer0_off; 748 buffer0_off += s_g2_len; 749 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, 750 buffer0 + buffer0_off, 751 buffer_length - buffer0_off, &s_x2_pk_len)); 752 TEST_EQUAL(s_x2_pk_len, expected_size_zk_public); 753 s_x2_pk_off = buffer0_off; 754 buffer0_off += s_x2_pk_len; 755 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, 756 buffer0 + buffer0_off, 757 buffer_length - buffer0_off, &s_x2_pr_len)); 758 TEST_LE_U(s_x2_pr_len, max_expected_size_zk_proof); 759 s_x2_pr_off = buffer0_off; 760 buffer0_off += s_x2_pr_len; 761 762 if (inject_error == 1) { 763 buffer0[s_x1_pr_off + 8] ^= 1; 764 buffer0[s_x2_pr_off + 7] ^= 1; 765 expected_status = PSA_ERROR_DATA_INVALID; 766 } 767 768 /* 769 * When injecting errors in inputs, the implementation is 770 * free to detect it right away of with a delay. 771 * This permits delaying the error until the end of the input 772 * sequence, if no error appears then, this will be treated 773 * as an error. 774 */ 775 776 if (client_input_first == 1) { 777 /* Client first round Input */ 778 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 779 buffer0 + s_g1_off, s_g1_len); 780 if (inject_error == 1 && status != PSA_SUCCESS) { 781 TEST_EQUAL(status, expected_status); 782 break; 783 } else { 784 TEST_EQUAL(status, PSA_SUCCESS); 785 } 786 787 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 788 buffer0 + s_x1_pk_off, 789 s_x1_pk_len); 790 if (inject_error == 1 && status != PSA_SUCCESS) { 791 TEST_EQUAL(status, expected_status); 792 break; 793 } else { 794 TEST_EQUAL(status, PSA_SUCCESS); 795 } 796 797 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 798 buffer0 + s_x1_pr_off, 799 s_x1_pr_len); 800 if (inject_error == 1 && status != PSA_SUCCESS) { 801 TEST_EQUAL(status, expected_status); 802 break; 803 } else { 804 TEST_EQUAL(status, PSA_SUCCESS); 805 } 806 807 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 808 buffer0 + s_g2_off, 809 s_g2_len); 810 if (inject_error == 1 && status != PSA_SUCCESS) { 811 TEST_EQUAL(status, expected_status); 812 break; 813 } else { 814 TEST_EQUAL(status, PSA_SUCCESS); 815 } 816 817 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 818 buffer0 + s_x2_pk_off, 819 s_x2_pk_len); 820 if (inject_error == 1 && status != PSA_SUCCESS) { 821 TEST_EQUAL(status, expected_status); 822 break; 823 } else { 824 TEST_EQUAL(status, PSA_SUCCESS); 825 } 826 827 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 828 buffer0 + s_x2_pr_off, 829 s_x2_pr_len); 830 if (inject_error == 1 && status != PSA_SUCCESS) { 831 TEST_EQUAL(status, expected_status); 832 break; 833 } else { 834 TEST_EQUAL(status, PSA_SUCCESS); 835 } 836 837 /* Error didn't trigger, make test fail */ 838 if (inject_error == 1) { 839 TEST_ASSERT( 840 !"One of the last psa_pake_input() calls should have returned the expected error."); 841 } 842 } 843 844 /* Client first round Output */ 845 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 846 buffer1 + buffer1_off, 847 buffer_length - buffer1_off, &c_g1_len)); 848 TEST_EQUAL(c_g1_len, expected_size_key_share); 849 c_g1_off = buffer1_off; 850 buffer1_off += c_g1_len; 851 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, 852 buffer1 + buffer1_off, 853 buffer_length - buffer1_off, &c_x1_pk_len)); 854 TEST_EQUAL(c_x1_pk_len, expected_size_zk_public); 855 c_x1_pk_off = buffer1_off; 856 buffer1_off += c_x1_pk_len; 857 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, 858 buffer1 + buffer1_off, 859 buffer_length - buffer1_off, &c_x1_pr_len)); 860 TEST_LE_U(c_x1_pr_len, max_expected_size_zk_proof); 861 c_x1_pr_off = buffer1_off; 862 buffer1_off += c_x1_pr_len; 863 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 864 buffer1 + buffer1_off, 865 buffer_length - buffer1_off, &c_g2_len)); 866 TEST_EQUAL(c_g2_len, expected_size_key_share); 867 c_g2_off = buffer1_off; 868 buffer1_off += c_g2_len; 869 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, 870 buffer1 + buffer1_off, 871 buffer_length - buffer1_off, &c_x2_pk_len)); 872 TEST_EQUAL(c_x2_pk_len, expected_size_zk_public); 873 c_x2_pk_off = buffer1_off; 874 buffer1_off += c_x2_pk_len; 875 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, 876 buffer1 + buffer1_off, 877 buffer_length - buffer1_off, &c_x2_pr_len)); 878 TEST_LE_U(c_x2_pr_len, max_expected_size_zk_proof); 879 c_x2_pr_off = buffer1_off; 880 buffer1_off += c_x2_pr_len; 881 882 if (client_input_first == 0) { 883 /* Client first round Input */ 884 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 885 buffer0 + s_g1_off, s_g1_len); 886 if (inject_error == 1 && status != PSA_SUCCESS) { 887 TEST_EQUAL(status, expected_status); 888 break; 889 } else { 890 TEST_EQUAL(status, PSA_SUCCESS); 891 } 892 893 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 894 buffer0 + s_x1_pk_off, 895 s_x1_pk_len); 896 if (inject_error == 1 && status != PSA_SUCCESS) { 897 TEST_EQUAL(status, expected_status); 898 break; 899 } else { 900 TEST_EQUAL(status, PSA_SUCCESS); 901 } 902 903 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 904 buffer0 + s_x1_pr_off, 905 s_x1_pr_len); 906 if (inject_error == 1 && status != PSA_SUCCESS) { 907 TEST_EQUAL(status, expected_status); 908 break; 909 } else { 910 TEST_EQUAL(status, PSA_SUCCESS); 911 } 912 913 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 914 buffer0 + s_g2_off, 915 s_g2_len); 916 if (inject_error == 1 && status != PSA_SUCCESS) { 917 TEST_EQUAL(status, expected_status); 918 break; 919 } else { 920 TEST_EQUAL(status, PSA_SUCCESS); 921 } 922 923 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 924 buffer0 + s_x2_pk_off, 925 s_x2_pk_len); 926 if (inject_error == 1 && status != PSA_SUCCESS) { 927 TEST_EQUAL(status, expected_status); 928 break; 929 } else { 930 TEST_EQUAL(status, PSA_SUCCESS); 931 } 932 933 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 934 buffer0 + s_x2_pr_off, 935 s_x2_pr_len); 936 if (inject_error == 1 && status != PSA_SUCCESS) { 937 TEST_EQUAL(status, expected_status); 938 break; 939 } else { 940 TEST_EQUAL(status, PSA_SUCCESS); 941 } 942 943 /* Error didn't trigger, make test fail */ 944 if (inject_error == 1) { 945 TEST_ASSERT( 946 !"One of the last psa_pake_input() calls should have returned the expected error."); 947 } 948 } 949 950 if (inject_error == 2) { 951 buffer1[c_x1_pr_off + 12] ^= 1; 952 buffer1[c_x2_pr_off + 7] ^= 1; 953 expected_status = PSA_ERROR_DATA_INVALID; 954 } 955 956 /* Server first round Input */ 957 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 958 buffer1 + c_g1_off, c_g1_len); 959 if (inject_error == 2 && status != PSA_SUCCESS) { 960 TEST_EQUAL(status, expected_status); 961 break; 962 } else { 963 TEST_EQUAL(status, PSA_SUCCESS); 964 } 965 966 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, 967 buffer1 + c_x1_pk_off, c_x1_pk_len); 968 if (inject_error == 2 && status != PSA_SUCCESS) { 969 TEST_EQUAL(status, expected_status); 970 break; 971 } else { 972 TEST_EQUAL(status, PSA_SUCCESS); 973 } 974 975 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, 976 buffer1 + c_x1_pr_off, c_x1_pr_len); 977 if (inject_error == 2 && status != PSA_SUCCESS) { 978 TEST_EQUAL(status, expected_status); 979 break; 980 } else { 981 TEST_EQUAL(status, PSA_SUCCESS); 982 } 983 984 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 985 buffer1 + c_g2_off, c_g2_len); 986 if (inject_error == 2 && status != PSA_SUCCESS) { 987 TEST_EQUAL(status, expected_status); 988 break; 989 } else { 990 TEST_EQUAL(status, PSA_SUCCESS); 991 } 992 993 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, 994 buffer1 + c_x2_pk_off, c_x2_pk_len); 995 if (inject_error == 2 && status != PSA_SUCCESS) { 996 TEST_EQUAL(status, expected_status); 997 break; 998 } else { 999 TEST_EQUAL(status, PSA_SUCCESS); 1000 } 1001 1002 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, 1003 buffer1 + c_x2_pr_off, c_x2_pr_len); 1004 if (inject_error == 2 && status != PSA_SUCCESS) { 1005 TEST_EQUAL(status, expected_status); 1006 break; 1007 } else { 1008 TEST_EQUAL(status, PSA_SUCCESS); 1009 } 1010 1011 /* Error didn't trigger, make test fail */ 1012 if (inject_error == 2) { 1013 TEST_ASSERT( 1014 !"One of the last psa_pake_input() calls should have returned the expected error."); 1015 } 1016 1017 break; 1018 1019 case 2: 1020 /* Server second round Output */ 1021 buffer0_off = 0; 1022 1023 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 1024 buffer0 + buffer0_off, 1025 buffer_length - buffer0_off, &s_a_len)); 1026 TEST_EQUAL(s_a_len, expected_size_key_share); 1027 s_a_off = buffer0_off; 1028 buffer0_off += s_a_len; 1029 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, 1030 buffer0 + buffer0_off, 1031 buffer_length - buffer0_off, &s_x2s_pk_len)); 1032 TEST_EQUAL(s_x2s_pk_len, expected_size_zk_public); 1033 s_x2s_pk_off = buffer0_off; 1034 buffer0_off += s_x2s_pk_len; 1035 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, 1036 buffer0 + buffer0_off, 1037 buffer_length - buffer0_off, &s_x2s_pr_len)); 1038 TEST_LE_U(s_x2s_pr_len, max_expected_size_zk_proof); 1039 s_x2s_pr_off = buffer0_off; 1040 buffer0_off += s_x2s_pr_len; 1041 1042 if (inject_error == 3) { 1043 buffer0[s_x2s_pk_off + 12] += 0x33; 1044 expected_status = PSA_ERROR_DATA_INVALID; 1045 } 1046 1047 if (client_input_first == 1) { 1048 /* Client second round Input */ 1049 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 1050 buffer0 + s_a_off, s_a_len); 1051 if (inject_error == 3 && status != PSA_SUCCESS) { 1052 TEST_EQUAL(status, expected_status); 1053 break; 1054 } else { 1055 TEST_EQUAL(status, PSA_SUCCESS); 1056 } 1057 1058 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 1059 buffer0 + s_x2s_pk_off, 1060 s_x2s_pk_len); 1061 if (inject_error == 3 && status != PSA_SUCCESS) { 1062 TEST_EQUAL(status, expected_status); 1063 break; 1064 } else { 1065 TEST_EQUAL(status, PSA_SUCCESS); 1066 } 1067 1068 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 1069 buffer0 + s_x2s_pr_off, 1070 s_x2s_pr_len); 1071 if (inject_error == 3 && status != PSA_SUCCESS) { 1072 TEST_EQUAL(status, expected_status); 1073 break; 1074 } else { 1075 TEST_EQUAL(status, PSA_SUCCESS); 1076 } 1077 1078 /* Error didn't trigger, make test fail */ 1079 if (inject_error == 3) { 1080 TEST_ASSERT( 1081 !"One of the last psa_pake_input() calls should have returned the expected error."); 1082 } 1083 } 1084 1085 /* Client second round Output */ 1086 buffer1_off = 0; 1087 1088 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 1089 buffer1 + buffer1_off, 1090 buffer_length - buffer1_off, &c_a_len)); 1091 TEST_EQUAL(c_a_len, expected_size_key_share); 1092 c_a_off = buffer1_off; 1093 buffer1_off += c_a_len; 1094 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, 1095 buffer1 + buffer1_off, 1096 buffer_length - buffer1_off, &c_x2s_pk_len)); 1097 TEST_EQUAL(c_x2s_pk_len, expected_size_zk_public); 1098 c_x2s_pk_off = buffer1_off; 1099 buffer1_off += c_x2s_pk_len; 1100 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, 1101 buffer1 + buffer1_off, 1102 buffer_length - buffer1_off, &c_x2s_pr_len)); 1103 TEST_LE_U(c_x2s_pr_len, max_expected_size_zk_proof); 1104 c_x2s_pr_off = buffer1_off; 1105 buffer1_off += c_x2s_pr_len; 1106 1107 if (client_input_first == 0) { 1108 /* Client second round Input */ 1109 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 1110 buffer0 + s_a_off, s_a_len); 1111 if (inject_error == 3 && status != PSA_SUCCESS) { 1112 TEST_EQUAL(status, expected_status); 1113 break; 1114 } else { 1115 TEST_EQUAL(status, PSA_SUCCESS); 1116 } 1117 1118 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 1119 buffer0 + s_x2s_pk_off, 1120 s_x2s_pk_len); 1121 if (inject_error == 3 && status != PSA_SUCCESS) { 1122 TEST_EQUAL(status, expected_status); 1123 break; 1124 } else { 1125 TEST_EQUAL(status, PSA_SUCCESS); 1126 } 1127 1128 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 1129 buffer0 + s_x2s_pr_off, 1130 s_x2s_pr_len); 1131 if (inject_error == 3 && status != PSA_SUCCESS) { 1132 TEST_EQUAL(status, expected_status); 1133 break; 1134 } else { 1135 TEST_EQUAL(status, PSA_SUCCESS); 1136 } 1137 1138 /* Error didn't trigger, make test fail */ 1139 if (inject_error == 3) { 1140 TEST_ASSERT( 1141 !"One of the last psa_pake_input() calls should have returned the expected error."); 1142 } 1143 } 1144 1145 if (inject_error == 4) { 1146 buffer1[c_x2s_pk_off + 7] += 0x28; 1147 expected_status = PSA_ERROR_DATA_INVALID; 1148 } 1149 1150 /* Server second round Input */ 1151 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 1152 buffer1 + c_a_off, c_a_len); 1153 if (inject_error == 4 && status != PSA_SUCCESS) { 1154 TEST_EQUAL(status, expected_status); 1155 break; 1156 } else { 1157 TEST_EQUAL(status, PSA_SUCCESS); 1158 } 1159 1160 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, 1161 buffer1 + c_x2s_pk_off, c_x2s_pk_len); 1162 if (inject_error == 4 && status != PSA_SUCCESS) { 1163 TEST_EQUAL(status, expected_status); 1164 break; 1165 } else { 1166 TEST_EQUAL(status, PSA_SUCCESS); 1167 } 1168 1169 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, 1170 buffer1 + c_x2s_pr_off, c_x2s_pr_len); 1171 if (inject_error == 4 && status != PSA_SUCCESS) { 1172 TEST_EQUAL(status, expected_status); 1173 break; 1174 } else { 1175 TEST_EQUAL(status, PSA_SUCCESS); 1176 } 1177 1178 /* Error didn't trigger, make test fail */ 1179 if (inject_error == 4) { 1180 TEST_ASSERT( 1181 !"One of the last psa_pake_input() calls should have returned the expected error."); 1182 } 1183 1184 break; 1185 1186 } 1187 1188 exit: 1189 mbedtls_free(buffer0); 1190 mbedtls_free(buffer1); 1191 } 1192 #endif /* PSA_WANT_ALG_JPAKE */ 1193 1194 typedef enum { 1195 INJECT_ERR_NONE = 0, 1196 INJECT_ERR_UNINITIALIZED_ACCESS, 1197 INJECT_ERR_DUPLICATE_SETUP, 1198 INJECT_ERR_INVALID_USER, 1199 INJECT_ERR_INVALID_PEER, 1200 INJECT_ERR_SET_USER, 1201 INJECT_ERR_SET_PEER, 1202 INJECT_EMPTY_IO_BUFFER, 1203 INJECT_UNKNOWN_STEP, 1204 INJECT_INVALID_FIRST_STEP, 1205 INJECT_WRONG_BUFFER_SIZE, 1206 INJECT_VALID_OPERATION_AFTER_FAILURE, 1207 INJECT_ANTICIPATE_KEY_DERIVATION_1, 1208 INJECT_ANTICIPATE_KEY_DERIVATION_2, 1209 } ecjpake_injected_failure_t; 1210 1211 #if defined(MBEDTLS_ECP_RESTARTABLE) 1212 1213 static void interruptible_signverify_get_minmax_completes(uint32_t max_ops, 1214 psa_status_t expected_status, 1215 size_t *min_completes, 1216 size_t *max_completes) 1217 { 1218 1219 /* This is slightly contrived, but we only really know that with a minimum 1220 value of max_ops that a successful operation should take more than one op 1221 to complete, and likewise that with a max_ops of 1222 PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, it should complete in one go. */ 1223 if (max_ops == 0 || max_ops == 1) { 1224 1225 if (expected_status == PSA_SUCCESS) { 1226 *min_completes = 2; 1227 } else { 1228 *min_completes = 1; 1229 } 1230 1231 *max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; 1232 } else { 1233 *min_completes = 1; 1234 *max_completes = 1; 1235 } 1236 } 1237 #endif /* MBEDTLS_ECP_RESTARTABLE */ 1238 1239 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) && defined(MBEDTLS_ASN1_PARSE_C) 1240 static int rsa_test_e(mbedtls_svc_key_id_t key, 1241 size_t bits, 1242 const data_t *e_arg) 1243 { 1244 uint8_t *exported = NULL; 1245 size_t exported_size = 1246 PSA_EXPORT_KEY_OUTPUT_SIZE(PSA_KEY_TYPE_RSA_PUBLIC_KEY, bits); 1247 size_t exported_length = SIZE_MAX; 1248 int ok = 0; 1249 1250 TEST_CALLOC(exported, exported_size); 1251 PSA_ASSERT(psa_export_public_key(key, 1252 exported, exported_size, 1253 &exported_length)); 1254 uint8_t *p = exported; 1255 uint8_t *end = exported + exported_length; 1256 size_t len; 1257 /* RSAPublicKey ::= SEQUENCE { 1258 * modulus INTEGER, -- n 1259 * publicExponent INTEGER } -- e 1260 */ 1261 TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len, 1262 MBEDTLS_ASN1_SEQUENCE | 1263 MBEDTLS_ASN1_CONSTRUCTED)); 1264 TEST_ASSERT(mbedtls_test_asn1_skip_integer(&p, end, bits, bits, 1)); 1265 TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len, 1266 MBEDTLS_ASN1_INTEGER)); 1267 if (len >= 1 && p[0] == 0) { 1268 ++p; 1269 --len; 1270 } 1271 if (e_arg->len == 0) { 1272 TEST_EQUAL(len, 3); 1273 TEST_EQUAL(p[0], 1); 1274 TEST_EQUAL(p[1], 0); 1275 TEST_EQUAL(p[2], 1); 1276 } else { 1277 const uint8_t *expected = e_arg->x; 1278 size_t expected_len = e_arg->len; 1279 while (expected_len > 0 && *expected == 0) { 1280 ++expected; 1281 --expected_len; 1282 } 1283 TEST_MEMORY_COMPARE(p, len, expected, expected_len); 1284 } 1285 ok = 1; 1286 1287 exit: 1288 mbedtls_free(exported); 1289 return ok; 1290 } 1291 #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE */ 1292 1293 static int setup_key_production_parameters( 1294 psa_key_production_parameters_t **params, size_t *params_data_length, 1295 int flags_arg, const data_t *params_data) 1296 { 1297 *params_data_length = params_data->len; 1298 /* If there are N bytes of padding at the end of 1299 * psa_key_production_parameters_t, then it's enough to allocate 1300 * MIN(sizeof(psa_key_production_parameters_t), 1301 * offsetof(psa_key_production_parameters_t, data) + params_data_length). 1302 * 1303 * For simplicity, here, we allocate up to N more bytes than necessary. 1304 * In practice, the current layout of psa_key_production_parameters_t 1305 * makes padding extremely unlikely, so we don't worry about testing 1306 * that the library code doesn't try to access these extra N bytes. 1307 */ 1308 *params = mbedtls_calloc(1, sizeof(**params) + *params_data_length); 1309 TEST_ASSERT(*params != NULL); 1310 (*params)->flags = (uint32_t) flags_arg; 1311 memcpy((*params)->data, params_data->x, params_data->len); 1312 return 1; 1313 exit: 1314 return 0; 1315 } 1316 1317 #if defined(MBEDTLS_THREADING_PTHREAD) 1318 1319 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) 1320 typedef struct same_key_context { 1321 data_t *data; 1322 mbedtls_svc_key_id_t key; 1323 psa_key_attributes_t *attributes; 1324 int type; 1325 int bits; 1326 /* The following two parameters are used to ensure that when multiple 1327 * threads attempt to load/destroy the key, exactly one thread succeeds. */ 1328 int key_loaded; 1329 mbedtls_threading_mutex_t MBEDTLS_PRIVATE(key_loaded_mutex); 1330 } 1331 same_key_context; 1332 1333 /* Attempt to import the key in ctx. This handles any valid error codes 1334 * and reports an error for any invalid codes. This function also insures 1335 * that once imported by some thread, all threads can use the key. */ 1336 static void *thread_import_key(void *ctx) 1337 { 1338 mbedtls_svc_key_id_t returned_key_id; 1339 same_key_context *skc = (struct same_key_context *) ctx; 1340 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 1341 1342 /* Import the key, exactly one thread must succeed. */ 1343 psa_status_t status = psa_import_key(skc->attributes, skc->data->x, 1344 skc->data->len, &returned_key_id); 1345 switch (status) { 1346 case PSA_SUCCESS: 1347 if (mbedtls_mutex_lock(&skc->key_loaded_mutex) == 0) { 1348 if (skc->key_loaded) { 1349 mbedtls_mutex_unlock(&skc->key_loaded_mutex); 1350 /* More than one thread has succeeded, report a failure. */ 1351 TEST_FAIL("The same key has been loaded into the key store multiple times."); 1352 } 1353 skc->key_loaded = 1; 1354 mbedtls_mutex_unlock(&skc->key_loaded_mutex); 1355 } 1356 break; 1357 case PSA_ERROR_INSUFFICIENT_MEMORY: 1358 /* If all of the key slots are reserved when a thread 1359 * locks the mutex to reserve a new slot, it will return 1360 * PSA_ERROR_INSUFFICIENT_MEMORY; this is correct behaviour. 1361 * There is a chance for this to occur here when the number of 1362 * threads running this function is larger than the number of 1363 * free key slots. Each thread reserves an empty key slot, 1364 * unlocks the mutex, then relocks it to finalize key creation. 1365 * It is at that point where the thread sees that the key 1366 * already exists, releases the reserved slot, 1367 * and returns PSA_ERROR_ALREADY_EXISTS. 1368 * There is no guarantee that the key is loaded upon this return 1369 * code, so we can't test the key information. Just stop this 1370 * thread from executing, note that this is not an error. */ 1371 goto exit; 1372 break; 1373 case PSA_ERROR_ALREADY_EXISTS: 1374 /* The key has been loaded by a different thread. */ 1375 break; 1376 default: 1377 PSA_ASSERT(status); 1378 } 1379 /* At this point the key must exist, test the key information. */ 1380 status = psa_get_key_attributes(skc->key, &got_attributes); 1381 if (status == PSA_ERROR_INSUFFICIENT_MEMORY) { 1382 /* This is not a test failure. The following sequence of events 1383 * causes this to occur: 1384 * 1: This thread successfuly imports a persistent key skc->key. 1385 * 2: N threads reserve an empty key slot in psa_import_key, 1386 * where N is equal to the number of free key slots. 1387 * 3: A final thread attempts to reserve an empty key slot, kicking 1388 * skc->key (which has no registered readers) out of its slot. 1389 * 4: This thread calls psa_get_key_attributes(skc->key,...): 1390 * it sees that skc->key is not in a slot, attempts to load it and 1391 * finds that there are no free slots. 1392 * This thread returns PSA_ERROR_INSUFFICIENT_MEMORY. 1393 * 1394 * The PSA spec allows this behaviour, it is an unavoidable consequence 1395 * of allowing persistent keys to be kicked out of the key store while 1396 * they are still valid. */ 1397 goto exit; 1398 } 1399 PSA_ASSERT(status); 1400 TEST_EQUAL(psa_get_key_type(&got_attributes), skc->type); 1401 TEST_EQUAL(psa_get_key_bits(&got_attributes), skc->bits); 1402 1403 exit: 1404 /* Key attributes may have been returned by psa_get_key_attributes(), 1405 * reset them as required. */ 1406 psa_reset_key_attributes(&got_attributes); 1407 return NULL; 1408 } 1409 1410 static void *thread_use_and_destroy_key(void *ctx) 1411 { 1412 same_key_context *skc = (struct same_key_context *) ctx; 1413 1414 /* Do something with the key according 1415 * to its type and permitted usage. */ 1416 TEST_ASSERT(mbedtls_test_psa_exercise_key(skc->key, 1417 skc->attributes->policy.usage, 1418 skc->attributes->policy.alg, 1)); 1419 1420 psa_status_t status = psa_destroy_key(skc->key); 1421 if (status == PSA_SUCCESS) { 1422 if (mbedtls_mutex_lock(&skc->key_loaded_mutex) == 0) { 1423 /* Ensure that we are the only thread to succeed. */ 1424 if (skc->key_loaded != 1) { 1425 mbedtls_mutex_unlock(&skc->key_loaded_mutex); 1426 TEST_FAIL("The same key has been destroyed multiple times."); 1427 } 1428 skc->key_loaded = 0; 1429 mbedtls_mutex_unlock(&skc->key_loaded_mutex); 1430 } 1431 } else { 1432 TEST_EQUAL(status, PSA_ERROR_INVALID_HANDLE); 1433 } 1434 1435 exit: 1436 return NULL; 1437 } 1438 #endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */ 1439 1440 typedef struct generate_key_context { 1441 psa_key_type_t type; 1442 psa_key_usage_t usage; 1443 size_t bits; 1444 psa_algorithm_t alg; 1445 psa_status_t expected_status; 1446 psa_key_attributes_t *attributes; 1447 int is_large_key; 1448 int reps; 1449 } 1450 generate_key_context; 1451 static void *thread_generate_key(void *ctx) 1452 { 1453 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1454 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 1455 generate_key_context *gkc = (struct generate_key_context *) ctx; 1456 1457 /* If there are race conditions, it is likely the case that they do not 1458 * arise every time the code runs. We repeat the code to increase the 1459 * chance that any race conditions will be hit. */ 1460 for (int n = 0; n < gkc->reps; n++) { 1461 /* Generate a key */ 1462 psa_status_t status = psa_generate_key(gkc->attributes, &key); 1463 1464 if (gkc->is_large_key > 0) { 1465 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY); 1466 } 1467 1468 TEST_EQUAL(status, gkc->expected_status); 1469 if (gkc->expected_status != PSA_SUCCESS) { 1470 PSA_ASSERT(psa_destroy_key(key)); 1471 goto exit; 1472 } 1473 1474 /* Test the key information */ 1475 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 1476 TEST_EQUAL(psa_get_key_type(&got_attributes), gkc->type); 1477 TEST_EQUAL(psa_get_key_bits(&got_attributes), gkc->bits); 1478 1479 /* Do something with the key according 1480 * to its type and permitted usage. */ 1481 if (!mbedtls_test_psa_exercise_key(key, gkc->usage, gkc->alg, 0)) { 1482 psa_destroy_key(key); 1483 goto exit; 1484 } 1485 psa_reset_key_attributes(&got_attributes); 1486 1487 PSA_ASSERT(psa_destroy_key(key)); 1488 } 1489 exit: 1490 /* 1491 * Key attributes may have been returned by psa_get_key_attributes() 1492 * thus reset them as required. 1493 */ 1494 psa_reset_key_attributes(&got_attributes); 1495 return NULL; 1496 } 1497 #endif /* MBEDTLS_THREADING_PTHREAD */ 1498 1499 /* END_HEADER */ 1500 1501 /* BEGIN_DEPENDENCIES 1502 * depends_on:MBEDTLS_PSA_CRYPTO_C 1503 * END_DEPENDENCIES 1504 */ 1505 1506 /* BEGIN_CASE */ 1507 void psa_can_do_hash() 1508 { 1509 /* We can't test that this is specific to drivers until partial init has 1510 * been implemented, but we can at least test before/after full init. */ 1511 TEST_EQUAL(0, psa_can_do_hash(PSA_ALG_NONE)); 1512 PSA_INIT(); 1513 TEST_EQUAL(1, psa_can_do_hash(PSA_ALG_NONE)); 1514 PSA_DONE(); 1515 } 1516 /* END_CASE */ 1517 1518 /* BEGIN_CASE */ 1519 void static_checks() 1520 { 1521 size_t max_truncated_mac_size = 1522 PSA_ALG_MAC_TRUNCATION_MASK >> PSA_MAC_TRUNCATION_OFFSET; 1523 1524 /* Check that the length for a truncated MAC always fits in the algorithm 1525 * encoding. The shifted mask is the maximum truncated value. The 1526 * untruncated algorithm may be one byte larger. */ 1527 TEST_LE_U(PSA_MAC_MAX_SIZE, 1 + max_truncated_mac_size); 1528 } 1529 /* END_CASE */ 1530 1531 /* BEGIN_CASE */ 1532 void import_with_policy(int type_arg, 1533 int usage_arg, int alg_arg, 1534 int expected_status_arg) 1535 { 1536 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1537 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 1538 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1539 psa_key_type_t type = type_arg; 1540 psa_key_usage_t usage = usage_arg; 1541 psa_algorithm_t alg = alg_arg; 1542 psa_status_t expected_status = expected_status_arg; 1543 const uint8_t key_material[16] = { 0 }; 1544 psa_status_t status; 1545 1546 PSA_ASSERT(psa_crypto_init()); 1547 1548 psa_set_key_type(&attributes, type); 1549 psa_set_key_usage_flags(&attributes, usage); 1550 psa_set_key_algorithm(&attributes, alg); 1551 1552 status = psa_import_key(&attributes, 1553 key_material, sizeof(key_material), 1554 &key); 1555 TEST_EQUAL(status, expected_status); 1556 if (status != PSA_SUCCESS) { 1557 goto exit; 1558 } 1559 1560 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 1561 TEST_EQUAL(psa_get_key_type(&got_attributes), type); 1562 TEST_EQUAL(psa_get_key_usage_flags(&got_attributes), 1563 mbedtls_test_update_key_usage_flags(usage)); 1564 TEST_EQUAL(psa_get_key_algorithm(&got_attributes), alg); 1565 ASSERT_NO_SLOT_NUMBER(&got_attributes); 1566 1567 PSA_ASSERT(psa_destroy_key(key)); 1568 test_operations_on_invalid_key(key); 1569 1570 exit: 1571 /* 1572 * Key attributes may have been returned by psa_get_key_attributes() 1573 * thus reset them as required. 1574 */ 1575 psa_reset_key_attributes(&got_attributes); 1576 1577 psa_destroy_key(key); 1578 PSA_DONE(); 1579 } 1580 /* END_CASE */ 1581 1582 /* BEGIN_CASE */ 1583 void import_with_data(data_t *data, int type_arg, 1584 int attr_bits_arg, 1585 int expected_status_arg) 1586 { 1587 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1588 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 1589 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1590 psa_key_type_t type = type_arg; 1591 size_t attr_bits = attr_bits_arg; 1592 psa_status_t expected_status = expected_status_arg; 1593 psa_status_t status; 1594 1595 PSA_ASSERT(psa_crypto_init()); 1596 1597 psa_set_key_type(&attributes, type); 1598 psa_set_key_bits(&attributes, attr_bits); 1599 1600 status = psa_import_key(&attributes, data->x, data->len, &key); 1601 /* When expecting INVALID_ARGUMENT, also accept NOT_SUPPORTED. 1602 * 1603 * This can happen with a type supported only by a driver: 1604 * - the driver sees the invalid data (for example wrong size) and thinks 1605 * "well perhaps this is a key size I don't support" so it returns 1606 * NOT_SUPPORTED which is correct at this point; 1607 * - we fallback to built-ins, which don't support this type, so return 1608 * NOT_SUPPORTED which again is correct at this point. 1609 */ 1610 if (expected_status == PSA_ERROR_INVALID_ARGUMENT && 1611 status == PSA_ERROR_NOT_SUPPORTED) { 1612 ; // OK 1613 } else { 1614 TEST_EQUAL(status, expected_status); 1615 } 1616 if (status != PSA_SUCCESS) { 1617 goto exit; 1618 } 1619 1620 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 1621 TEST_EQUAL(psa_get_key_type(&got_attributes), type); 1622 if (attr_bits != 0) { 1623 TEST_EQUAL(attr_bits, psa_get_key_bits(&got_attributes)); 1624 } 1625 ASSERT_NO_SLOT_NUMBER(&got_attributes); 1626 1627 PSA_ASSERT(psa_destroy_key(key)); 1628 test_operations_on_invalid_key(key); 1629 1630 exit: 1631 /* 1632 * Key attributes may have been returned by psa_get_key_attributes() 1633 * thus reset them as required. 1634 */ 1635 psa_reset_key_attributes(&got_attributes); 1636 1637 psa_destroy_key(key); 1638 PSA_DONE(); 1639 } 1640 /* END_CASE */ 1641 1642 /* BEGIN_CASE depends_on: !MBEDTLS_PSA_STATIC_KEY_SLOTS*/ 1643 /* Construct and attempt to import a large unstructured key. */ 1644 void import_large_key(int type_arg, int byte_size_arg, 1645 int expected_status_arg) 1646 { 1647 psa_key_type_t type = type_arg; 1648 size_t byte_size = byte_size_arg; 1649 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1650 psa_status_t expected_status = expected_status_arg; 1651 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1652 psa_status_t status; 1653 uint8_t *buffer = NULL; 1654 size_t buffer_size = byte_size + 1; 1655 size_t n; 1656 1657 /* Skip the test case if the target running the test cannot 1658 * accommodate large keys due to heap size constraints */ 1659 TEST_CALLOC_OR_SKIP(buffer, buffer_size); 1660 memset(buffer, 'K', byte_size); 1661 1662 PSA_ASSERT(psa_crypto_init()); 1663 1664 /* Try importing the key */ 1665 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT); 1666 psa_set_key_type(&attributes, type); 1667 status = psa_import_key(&attributes, buffer, byte_size, &key); 1668 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY); 1669 TEST_EQUAL(status, expected_status); 1670 1671 if (status == PSA_SUCCESS) { 1672 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 1673 TEST_EQUAL(psa_get_key_type(&attributes), type); 1674 TEST_EQUAL(psa_get_key_bits(&attributes), 1675 PSA_BYTES_TO_BITS(byte_size)); 1676 ASSERT_NO_SLOT_NUMBER(&attributes); 1677 memset(buffer, 0, byte_size + 1); 1678 PSA_ASSERT(psa_export_key(key, buffer, byte_size, &n)); 1679 for (n = 0; n < byte_size; n++) { 1680 TEST_EQUAL(buffer[n], 'K'); 1681 } 1682 for (n = byte_size; n < buffer_size; n++) { 1683 TEST_EQUAL(buffer[n], 0); 1684 } 1685 } 1686 1687 exit: 1688 /* 1689 * Key attributes may have been returned by psa_get_key_attributes() 1690 * thus reset them as required. 1691 */ 1692 psa_reset_key_attributes(&attributes); 1693 1694 psa_destroy_key(key); 1695 PSA_DONE(); 1696 mbedtls_free(buffer); 1697 } 1698 /* END_CASE */ 1699 1700 /* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C */ 1701 /* Import an RSA key with a valid structure (but not valid numbers 1702 * inside, beyond having sensible size and parity). This is expected to 1703 * fail for large keys. */ 1704 void import_rsa_made_up(int bits_arg, int keypair, int expected_status_arg) 1705 { 1706 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1707 size_t bits = bits_arg; 1708 psa_status_t expected_status = expected_status_arg; 1709 psa_status_t status; 1710 psa_key_type_t type = 1711 keypair ? PSA_KEY_TYPE_RSA_KEY_PAIR : PSA_KEY_TYPE_RSA_PUBLIC_KEY; 1712 size_t buffer_size = /* Slight overapproximations */ 1713 keypair ? bits * 9 / 16 + 80 : bits / 8 + 20; 1714 unsigned char *buffer = NULL; 1715 unsigned char *p; 1716 int ret; 1717 size_t length; 1718 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1719 1720 PSA_ASSERT(psa_crypto_init()); 1721 TEST_CALLOC(buffer, buffer_size); 1722 1723 TEST_ASSERT((ret = construct_fake_rsa_key(buffer, buffer_size, &p, 1724 bits, keypair)) >= 0); 1725 length = ret; 1726 1727 /* Try importing the key */ 1728 psa_set_key_type(&attributes, type); 1729 status = psa_import_key(&attributes, p, length, &key); 1730 TEST_EQUAL(status, expected_status); 1731 1732 if (status == PSA_SUCCESS) { 1733 PSA_ASSERT(psa_destroy_key(key)); 1734 } 1735 1736 exit: 1737 mbedtls_free(buffer); 1738 PSA_DONE(); 1739 } 1740 /* END_CASE */ 1741 1742 /* BEGIN_CASE */ 1743 void import_export(data_t *data, 1744 int type_arg, 1745 int usage_arg, int alg_arg, 1746 int lifetime_arg, 1747 int expected_bits, 1748 int export_size_delta, 1749 int expected_export_status_arg, 1750 /*whether reexport must give the original input exactly*/ 1751 int canonical_input) 1752 { 1753 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1754 psa_key_type_t type = type_arg; 1755 psa_algorithm_t alg = alg_arg; 1756 psa_status_t expected_export_status = expected_export_status_arg; 1757 psa_status_t status; 1758 psa_key_lifetime_t lifetime = lifetime_arg; 1759 unsigned char *exported = NULL; 1760 unsigned char *reexported = NULL; 1761 size_t export_size; 1762 size_t exported_length = INVALID_EXPORT_LENGTH; 1763 size_t reexported_length; 1764 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1765 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 1766 1767 export_size = (ptrdiff_t) data->len + export_size_delta; 1768 TEST_CALLOC(exported, export_size); 1769 if (!canonical_input) { 1770 TEST_CALLOC(reexported, export_size); 1771 } 1772 PSA_ASSERT(psa_crypto_init()); 1773 1774 psa_set_key_lifetime(&attributes, lifetime); 1775 psa_set_key_usage_flags(&attributes, usage_arg); 1776 psa_set_key_algorithm(&attributes, alg); 1777 psa_set_key_type(&attributes, type); 1778 1779 if (PSA_KEY_TYPE_IS_DH(type) && 1780 expected_export_status == PSA_ERROR_BUFFER_TOO_SMALL) { 1781 /* Simulate that buffer is too small, by decreasing its size by 1 byte. */ 1782 export_size -= 1; 1783 } 1784 1785 /* Import the key */ 1786 TEST_EQUAL(psa_import_key(&attributes, data->x, data->len, &key), 1787 PSA_SUCCESS); 1788 1789 /* Test the key information */ 1790 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 1791 TEST_EQUAL(psa_get_key_type(&got_attributes), type); 1792 TEST_EQUAL(psa_get_key_bits(&got_attributes), (size_t) expected_bits); 1793 ASSERT_NO_SLOT_NUMBER(&got_attributes); 1794 1795 /* Export the key */ 1796 status = psa_export_key(key, exported, export_size, &exported_length); 1797 TEST_EQUAL(status, expected_export_status); 1798 1799 /* The exported length must be set by psa_export_key() to a value between 0 1800 * and export_size. On errors, the exported length must be 0. */ 1801 TEST_ASSERT(exported_length != INVALID_EXPORT_LENGTH); 1802 TEST_ASSERT(status == PSA_SUCCESS || exported_length == 0); 1803 TEST_LE_U(exported_length, export_size); 1804 1805 TEST_ASSERT(mem_is_char(exported + exported_length, 0, 1806 export_size - exported_length)); 1807 if (status != PSA_SUCCESS) { 1808 TEST_EQUAL(exported_length, 0); 1809 goto destroy; 1810 } 1811 1812 /* Run sanity checks on the exported key. For non-canonical inputs, 1813 * this validates the canonical representations. For canonical inputs, 1814 * this doesn't directly validate the implementation, but it still helps 1815 * by cross-validating the test data with the sanity check code. */ 1816 if (!psa_key_lifetime_is_external(lifetime)) { 1817 if (!mbedtls_test_psa_exercise_key(key, usage_arg, 0, 0)) { 1818 goto exit; 1819 } 1820 } 1821 1822 if (canonical_input) { 1823 TEST_MEMORY_COMPARE(data->x, data->len, exported, exported_length); 1824 } else { 1825 mbedtls_svc_key_id_t key2 = MBEDTLS_SVC_KEY_ID_INIT; 1826 PSA_ASSERT(psa_import_key(&attributes, exported, exported_length, 1827 &key2)); 1828 PSA_ASSERT(psa_export_key(key2, 1829 reexported, 1830 export_size, 1831 &reexported_length)); 1832 TEST_MEMORY_COMPARE(exported, exported_length, 1833 reexported, reexported_length); 1834 PSA_ASSERT(psa_destroy_key(key2)); 1835 } 1836 TEST_LE_U(exported_length, 1837 PSA_EXPORT_KEY_OUTPUT_SIZE(type, 1838 psa_get_key_bits(&got_attributes))); 1839 if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) { 1840 TEST_LE_U(exported_length, PSA_EXPORT_KEY_PAIR_MAX_SIZE); 1841 } else if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) { 1842 TEST_LE_U(exported_length, PSA_EXPORT_PUBLIC_KEY_MAX_SIZE); 1843 } 1844 1845 destroy: 1846 /* Destroy the key */ 1847 PSA_ASSERT(psa_destroy_key(key)); 1848 test_operations_on_invalid_key(key); 1849 1850 exit: 1851 /* 1852 * Key attributes may have been returned by psa_get_key_attributes() 1853 * thus reset them as required. 1854 */ 1855 psa_reset_key_attributes(&got_attributes); 1856 psa_destroy_key(key); 1857 mbedtls_free(exported); 1858 mbedtls_free(reexported); 1859 PSA_DONE(); 1860 } 1861 /* END_CASE */ 1862 1863 /* BEGIN_CASE */ 1864 void import_export_public_key(data_t *data, 1865 int type_arg, // key pair or public key 1866 int alg_arg, 1867 int lifetime_arg, 1868 int export_size_delta, 1869 int expected_export_status_arg, 1870 data_t *expected_public_key) 1871 { 1872 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1873 psa_key_type_t type = type_arg; 1874 psa_algorithm_t alg = alg_arg; 1875 psa_status_t expected_export_status = expected_export_status_arg; 1876 psa_status_t status; 1877 psa_key_lifetime_t lifetime = lifetime_arg; 1878 unsigned char *exported = NULL; 1879 size_t export_size = expected_public_key->len + export_size_delta; 1880 size_t exported_length = INVALID_EXPORT_LENGTH; 1881 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1882 1883 PSA_ASSERT(psa_crypto_init()); 1884 1885 psa_set_key_lifetime(&attributes, lifetime); 1886 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT); 1887 psa_set_key_algorithm(&attributes, alg); 1888 psa_set_key_type(&attributes, type); 1889 1890 /* Import the key */ 1891 PSA_ASSERT(psa_import_key(&attributes, data->x, data->len, &key)); 1892 1893 /* Export the public key */ 1894 TEST_CALLOC(exported, export_size); 1895 status = psa_export_public_key(key, 1896 exported, export_size, 1897 &exported_length); 1898 TEST_EQUAL(status, expected_export_status); 1899 if (status == PSA_SUCCESS) { 1900 psa_key_type_t public_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type); 1901 size_t bits; 1902 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 1903 bits = psa_get_key_bits(&attributes); 1904 TEST_LE_U(expected_public_key->len, 1905 PSA_EXPORT_KEY_OUTPUT_SIZE(public_type, bits)); 1906 TEST_LE_U(expected_public_key->len, 1907 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(public_type, bits)); 1908 TEST_LE_U(expected_public_key->len, 1909 PSA_EXPORT_PUBLIC_KEY_MAX_SIZE); 1910 TEST_MEMORY_COMPARE(expected_public_key->x, expected_public_key->len, 1911 exported, exported_length); 1912 } 1913 exit: 1914 /* 1915 * Key attributes may have been returned by psa_get_key_attributes() 1916 * thus reset them as required. 1917 */ 1918 psa_reset_key_attributes(&attributes); 1919 1920 mbedtls_free(exported); 1921 psa_destroy_key(key); 1922 PSA_DONE(); 1923 } 1924 /* END_CASE */ 1925 1926 1927 #if defined(MBEDTLS_THREADING_PTHREAD) 1928 /* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD:MBEDTLS_PSA_CRYPTO_STORAGE_C */ 1929 void concurrently_use_same_persistent_key(data_t *data, 1930 int type_arg, 1931 int bits_arg, 1932 int alg_arg, 1933 int thread_count_arg) 1934 { 1935 size_t thread_count = (size_t) thread_count_arg; 1936 mbedtls_test_thread_t *threads = NULL; 1937 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, 1); 1938 same_key_context skc; 1939 skc.data = data; 1940 skc.key = key_id; 1941 skc.type = type_arg; 1942 skc.bits = bits_arg; 1943 skc.key_loaded = 0; 1944 mbedtls_mutex_init(&skc.key_loaded_mutex); 1945 psa_key_usage_t usage = mbedtls_test_psa_usage_to_exercise(skc.type, alg_arg); 1946 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1947 1948 PSA_ASSERT(psa_crypto_init()); 1949 1950 psa_set_key_id(&attributes, key_id); 1951 psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_PERSISTENT); 1952 psa_set_key_usage_flags(&attributes, usage); 1953 psa_set_key_algorithm(&attributes, alg_arg); 1954 psa_set_key_type(&attributes, type_arg); 1955 psa_set_key_bits(&attributes, bits_arg); 1956 skc.attributes = &attributes; 1957 1958 TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count); 1959 1960 /* Test that when multiple threads import the same key, 1961 * exactly one thread succeeds and the rest fail with valid errors. 1962 * Also test that all threads can use the key as soon as it has been 1963 * imported. */ 1964 for (size_t i = 0; i < thread_count; i++) { 1965 TEST_EQUAL( 1966 mbedtls_test_thread_create(&threads[i], thread_import_key, 1967 (void *) &skc), 0); 1968 } 1969 1970 /* Join threads. */ 1971 for (size_t i = 0; i < thread_count; i++) { 1972 TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0); 1973 } 1974 1975 /* Test that when multiple threads use and destroy a key no corruption 1976 * occurs, and exactly one thread succeeds when destroying the key. */ 1977 for (size_t i = 0; i < thread_count; i++) { 1978 TEST_EQUAL( 1979 mbedtls_test_thread_create(&threads[i], thread_use_and_destroy_key, 1980 (void *) &skc), 0); 1981 } 1982 1983 /* Join threads. */ 1984 for (size_t i = 0; i < thread_count; i++) { 1985 TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0); 1986 } 1987 /* Ensure that one thread succeeded in destroying the key. */ 1988 TEST_ASSERT(!skc.key_loaded); 1989 exit: 1990 psa_reset_key_attributes(&attributes); 1991 mbedtls_mutex_free(&skc.key_loaded_mutex); 1992 mbedtls_free(threads); 1993 PSA_DONE(); 1994 } 1995 /* END_CASE */ 1996 #endif 1997 1998 /* BEGIN_CASE */ 1999 void import_and_exercise_key(data_t *data, 2000 int type_arg, 2001 int bits_arg, 2002 int alg_arg) 2003 { 2004 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2005 psa_key_type_t type = type_arg; 2006 size_t bits = bits_arg; 2007 psa_algorithm_t alg = alg_arg; 2008 psa_key_usage_t usage = mbedtls_test_psa_usage_to_exercise(type, alg); 2009 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2010 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 2011 2012 PSA_ASSERT(psa_crypto_init()); 2013 2014 psa_set_key_usage_flags(&attributes, usage); 2015 psa_set_key_algorithm(&attributes, alg); 2016 psa_set_key_type(&attributes, type); 2017 2018 /* Import the key */ 2019 PSA_ASSERT(psa_import_key(&attributes, data->x, data->len, &key)); 2020 2021 /* Test the key information */ 2022 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 2023 TEST_EQUAL(psa_get_key_type(&got_attributes), type); 2024 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits); 2025 2026 /* Do something with the key according to its type and permitted usage. */ 2027 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) { 2028 goto exit; 2029 } 2030 2031 PSA_ASSERT(psa_destroy_key(key)); 2032 test_operations_on_invalid_key(key); 2033 2034 exit: 2035 /* 2036 * Key attributes may have been returned by psa_get_key_attributes() 2037 * thus reset them as required. 2038 */ 2039 psa_reset_key_attributes(&got_attributes); 2040 2041 psa_reset_key_attributes(&attributes); 2042 psa_destroy_key(key); 2043 PSA_DONE(); 2044 } 2045 /* END_CASE */ 2046 2047 /* BEGIN_CASE */ 2048 void effective_key_attributes(int type_arg, int expected_type_arg, 2049 int bits_arg, int expected_bits_arg, 2050 int usage_arg, int expected_usage_arg, 2051 int alg_arg, int expected_alg_arg) 2052 { 2053 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2054 psa_key_type_t key_type = type_arg; 2055 psa_key_type_t expected_key_type = expected_type_arg; 2056 size_t bits = bits_arg; 2057 size_t expected_bits = expected_bits_arg; 2058 psa_algorithm_t alg = alg_arg; 2059 psa_algorithm_t expected_alg = expected_alg_arg; 2060 psa_key_usage_t usage = usage_arg; 2061 psa_key_usage_t expected_usage = expected_usage_arg; 2062 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2063 2064 PSA_ASSERT(psa_crypto_init()); 2065 2066 psa_set_key_usage_flags(&attributes, usage); 2067 psa_set_key_algorithm(&attributes, alg); 2068 psa_set_key_type(&attributes, key_type); 2069 psa_set_key_bits(&attributes, bits); 2070 2071 PSA_ASSERT(psa_generate_key(&attributes, &key)); 2072 psa_reset_key_attributes(&attributes); 2073 2074 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 2075 TEST_EQUAL(psa_get_key_type(&attributes), expected_key_type); 2076 TEST_EQUAL(psa_get_key_bits(&attributes), expected_bits); 2077 TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage); 2078 TEST_EQUAL(psa_get_key_algorithm(&attributes), expected_alg); 2079 2080 exit: 2081 /* 2082 * Key attributes may have been returned by psa_get_key_attributes() 2083 * thus reset them as required. 2084 */ 2085 psa_reset_key_attributes(&attributes); 2086 2087 psa_destroy_key(key); 2088 PSA_DONE(); 2089 } 2090 /* END_CASE */ 2091 2092 /* BEGIN_CASE */ 2093 void check_key_policy(int type_arg, int bits_arg, 2094 int usage_arg, int alg_arg) 2095 { 2096 test_effective_key_attributes(type_arg, type_arg, bits_arg, bits_arg, 2097 usage_arg, 2098 mbedtls_test_update_key_usage_flags(usage_arg), 2099 alg_arg, alg_arg); 2100 goto exit; 2101 } 2102 /* END_CASE */ 2103 2104 /* BEGIN_CASE */ 2105 void key_attributes_init() 2106 { 2107 /* Test each valid way of initializing the object, except for `= {0}`, as 2108 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 2109 * though it's OK by the C standard. We could test for this, but we'd need 2110 * to suppress the Clang warning for the test. */ 2111 psa_key_attributes_t func = psa_key_attributes_init(); 2112 psa_key_attributes_t init = PSA_KEY_ATTRIBUTES_INIT; 2113 psa_key_attributes_t zero; 2114 2115 memset(&zero, 0, sizeof(zero)); 2116 2117 TEST_EQUAL(psa_get_key_lifetime(&func), PSA_KEY_LIFETIME_VOLATILE); 2118 TEST_EQUAL(psa_get_key_lifetime(&init), PSA_KEY_LIFETIME_VOLATILE); 2119 TEST_EQUAL(psa_get_key_lifetime(&zero), PSA_KEY_LIFETIME_VOLATILE); 2120 2121 TEST_EQUAL(psa_get_key_type(&func), 0); 2122 TEST_EQUAL(psa_get_key_type(&init), 0); 2123 TEST_EQUAL(psa_get_key_type(&zero), 0); 2124 2125 TEST_EQUAL(psa_get_key_bits(&func), 0); 2126 TEST_EQUAL(psa_get_key_bits(&init), 0); 2127 TEST_EQUAL(psa_get_key_bits(&zero), 0); 2128 2129 TEST_EQUAL(psa_get_key_usage_flags(&func), 0); 2130 TEST_EQUAL(psa_get_key_usage_flags(&init), 0); 2131 TEST_EQUAL(psa_get_key_usage_flags(&zero), 0); 2132 2133 TEST_EQUAL(psa_get_key_algorithm(&func), 0); 2134 TEST_EQUAL(psa_get_key_algorithm(&init), 0); 2135 TEST_EQUAL(psa_get_key_algorithm(&zero), 0); 2136 } 2137 /* END_CASE */ 2138 2139 /* BEGIN_CASE */ 2140 void mac_key_policy(int policy_usage_arg, 2141 int policy_alg_arg, 2142 int key_type_arg, 2143 data_t *key_data, 2144 int exercise_alg_arg, 2145 int expected_status_sign_arg, 2146 int expected_status_verify_arg) 2147 { 2148 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2149 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2150 psa_mac_operation_t operation = psa_mac_operation_init_short(); 2151 psa_key_type_t key_type = key_type_arg; 2152 psa_algorithm_t policy_alg = policy_alg_arg; 2153 psa_algorithm_t exercise_alg = exercise_alg_arg; 2154 psa_key_usage_t policy_usage = policy_usage_arg; 2155 psa_status_t status; 2156 psa_status_t expected_status_sign = expected_status_sign_arg; 2157 psa_status_t expected_status_verify = expected_status_verify_arg; 2158 unsigned char mac[PSA_MAC_MAX_SIZE]; 2159 2160 PSA_ASSERT(psa_crypto_init()); 2161 2162 psa_set_key_usage_flags(&attributes, policy_usage); 2163 psa_set_key_algorithm(&attributes, policy_alg); 2164 psa_set_key_type(&attributes, key_type); 2165 2166 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2167 &key)); 2168 2169 TEST_EQUAL(psa_get_key_usage_flags(&attributes), 2170 mbedtls_test_update_key_usage_flags(policy_usage)); 2171 2172 status = psa_mac_sign_setup(&operation, key, exercise_alg); 2173 TEST_EQUAL(status, expected_status_sign); 2174 2175 /* Calculate the MAC, one-shot case. */ 2176 uint8_t input[128] = { 0 }; 2177 size_t mac_len; 2178 TEST_EQUAL(psa_mac_compute(key, exercise_alg, 2179 input, 128, 2180 mac, PSA_MAC_MAX_SIZE, &mac_len), 2181 expected_status_sign); 2182 2183 /* Calculate the MAC, multi-part case. */ 2184 PSA_ASSERT(psa_mac_abort(&operation)); 2185 status = psa_mac_sign_setup(&operation, key, exercise_alg); 2186 if (status == PSA_SUCCESS) { 2187 status = psa_mac_update(&operation, input, 128); 2188 if (status == PSA_SUCCESS) { 2189 TEST_EQUAL(psa_mac_sign_finish(&operation, mac, PSA_MAC_MAX_SIZE, 2190 &mac_len), 2191 expected_status_sign); 2192 } else { 2193 TEST_EQUAL(status, expected_status_sign); 2194 } 2195 } else { 2196 TEST_EQUAL(status, expected_status_sign); 2197 } 2198 PSA_ASSERT(psa_mac_abort(&operation)); 2199 2200 /* Verify correct MAC, one-shot case. */ 2201 status = psa_mac_verify(key, exercise_alg, input, 128, 2202 mac, mac_len); 2203 2204 if (expected_status_sign != PSA_SUCCESS && expected_status_verify == PSA_SUCCESS) { 2205 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE); 2206 } else { 2207 TEST_EQUAL(status, expected_status_verify); 2208 } 2209 2210 /* Verify correct MAC, multi-part case. */ 2211 status = psa_mac_verify_setup(&operation, key, exercise_alg); 2212 if (status == PSA_SUCCESS) { 2213 status = psa_mac_update(&operation, input, 128); 2214 if (status == PSA_SUCCESS) { 2215 status = psa_mac_verify_finish(&operation, mac, mac_len); 2216 if (expected_status_sign != PSA_SUCCESS && expected_status_verify == PSA_SUCCESS) { 2217 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE); 2218 } else { 2219 TEST_EQUAL(status, expected_status_verify); 2220 } 2221 } else { 2222 TEST_EQUAL(status, expected_status_verify); 2223 } 2224 } else { 2225 TEST_EQUAL(status, expected_status_verify); 2226 } 2227 2228 psa_mac_abort(&operation); 2229 2230 memset(mac, 0, sizeof(mac)); 2231 status = psa_mac_verify_setup(&operation, key, exercise_alg); 2232 TEST_EQUAL(status, expected_status_verify); 2233 2234 exit: 2235 psa_mac_abort(&operation); 2236 psa_destroy_key(key); 2237 PSA_DONE(); 2238 } 2239 /* END_CASE */ 2240 2241 /* BEGIN_CASE */ 2242 void cipher_key_policy(int policy_usage_arg, 2243 int policy_alg, 2244 int key_type, 2245 data_t *key_data, 2246 int exercise_alg) 2247 { 2248 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2249 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2250 psa_cipher_operation_t operation = psa_cipher_operation_init_short(); 2251 psa_key_usage_t policy_usage = policy_usage_arg; 2252 size_t output_buffer_size = 0; 2253 size_t input_buffer_size = 0; 2254 size_t output_length = 0; 2255 uint8_t *output = NULL; 2256 uint8_t *input = NULL; 2257 psa_status_t status; 2258 2259 input_buffer_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(exercise_alg); 2260 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, exercise_alg, 2261 input_buffer_size); 2262 2263 TEST_CALLOC(input, input_buffer_size); 2264 TEST_CALLOC(output, output_buffer_size); 2265 2266 PSA_ASSERT(psa_crypto_init()); 2267 2268 psa_set_key_usage_flags(&attributes, policy_usage); 2269 psa_set_key_algorithm(&attributes, policy_alg); 2270 psa_set_key_type(&attributes, key_type); 2271 2272 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2273 &key)); 2274 2275 /* Check if no key usage flag implication is done */ 2276 TEST_EQUAL(policy_usage, 2277 mbedtls_test_update_key_usage_flags(policy_usage)); 2278 2279 /* Encrypt check, one-shot */ 2280 status = psa_cipher_encrypt(key, exercise_alg, input, input_buffer_size, 2281 output, output_buffer_size, 2282 &output_length); 2283 if (policy_alg == exercise_alg && 2284 (policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) { 2285 PSA_ASSERT(status); 2286 } else { 2287 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2288 } 2289 2290 /* Encrypt check, multi-part */ 2291 status = psa_cipher_encrypt_setup(&operation, key, exercise_alg); 2292 if (policy_alg == exercise_alg && 2293 (policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) { 2294 PSA_ASSERT(status); 2295 } else { 2296 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2297 } 2298 psa_cipher_abort(&operation); 2299 2300 /* Decrypt check, one-shot */ 2301 status = psa_cipher_decrypt(key, exercise_alg, output, output_buffer_size, 2302 input, input_buffer_size, 2303 &output_length); 2304 if (policy_alg == exercise_alg && 2305 (policy_usage & PSA_KEY_USAGE_DECRYPT) != 0) { 2306 PSA_ASSERT(status); 2307 } else { 2308 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2309 } 2310 2311 /* Decrypt check, multi-part */ 2312 status = psa_cipher_decrypt_setup(&operation, key, exercise_alg); 2313 if (policy_alg == exercise_alg && 2314 (policy_usage & PSA_KEY_USAGE_DECRYPT) != 0) { 2315 PSA_ASSERT(status); 2316 } else { 2317 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2318 } 2319 2320 exit: 2321 psa_cipher_abort(&operation); 2322 mbedtls_free(input); 2323 mbedtls_free(output); 2324 psa_destroy_key(key); 2325 PSA_DONE(); 2326 } 2327 /* END_CASE */ 2328 2329 /* BEGIN_CASE */ 2330 void aead_key_policy(int policy_usage_arg, 2331 int policy_alg, 2332 int key_type, 2333 data_t *key_data, 2334 int nonce_length_arg, 2335 int tag_length_arg, 2336 int exercise_alg, 2337 int expected_status_arg) 2338 { 2339 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2340 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2341 psa_aead_operation_t operation = psa_aead_operation_init_short(); 2342 psa_key_usage_t policy_usage = policy_usage_arg; 2343 psa_status_t status; 2344 psa_status_t expected_status = expected_status_arg; 2345 unsigned char nonce[16] = { 0 }; 2346 size_t nonce_length = nonce_length_arg; 2347 unsigned char tag[16]; 2348 size_t tag_length = tag_length_arg; 2349 size_t output_length; 2350 2351 TEST_LE_U(nonce_length, sizeof(nonce)); 2352 TEST_LE_U(tag_length, sizeof(tag)); 2353 2354 PSA_ASSERT(psa_crypto_init()); 2355 2356 psa_set_key_usage_flags(&attributes, policy_usage); 2357 psa_set_key_algorithm(&attributes, policy_alg); 2358 psa_set_key_type(&attributes, key_type); 2359 2360 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2361 &key)); 2362 2363 /* Check if no key usage implication is done */ 2364 TEST_EQUAL(policy_usage, 2365 mbedtls_test_update_key_usage_flags(policy_usage)); 2366 2367 /* Encrypt check, one-shot */ 2368 status = psa_aead_encrypt(key, exercise_alg, 2369 nonce, nonce_length, 2370 NULL, 0, 2371 NULL, 0, 2372 tag, tag_length, 2373 &output_length); 2374 if ((policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) { 2375 TEST_EQUAL(status, expected_status); 2376 } else { 2377 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2378 } 2379 2380 /* Encrypt check, multi-part */ 2381 status = psa_aead_encrypt_setup(&operation, key, exercise_alg); 2382 if ((policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) { 2383 TEST_EQUAL(status, expected_status); 2384 } else { 2385 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2386 } 2387 2388 /* Decrypt check, one-shot */ 2389 memset(tag, 0, sizeof(tag)); 2390 status = psa_aead_decrypt(key, exercise_alg, 2391 nonce, nonce_length, 2392 NULL, 0, 2393 tag, tag_length, 2394 NULL, 0, 2395 &output_length); 2396 if ((policy_usage & PSA_KEY_USAGE_DECRYPT) == 0) { 2397 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2398 } else if (expected_status == PSA_SUCCESS) { 2399 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE); 2400 } else { 2401 TEST_EQUAL(status, expected_status); 2402 } 2403 2404 /* Decrypt check, multi-part */ 2405 PSA_ASSERT(psa_aead_abort(&operation)); 2406 status = psa_aead_decrypt_setup(&operation, key, exercise_alg); 2407 if ((policy_usage & PSA_KEY_USAGE_DECRYPT) == 0) { 2408 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2409 } else { 2410 TEST_EQUAL(status, expected_status); 2411 } 2412 2413 exit: 2414 PSA_ASSERT(psa_aead_abort(&operation)); 2415 psa_destroy_key(key); 2416 PSA_DONE(); 2417 } 2418 /* END_CASE */ 2419 2420 /* BEGIN_CASE */ 2421 void asymmetric_encryption_key_policy(int policy_usage_arg, 2422 int policy_alg, 2423 int key_type, 2424 data_t *key_data, 2425 int exercise_alg, 2426 int use_opaque_key) 2427 { 2428 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2429 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2430 psa_key_usage_t policy_usage = policy_usage_arg; 2431 psa_status_t status; 2432 size_t key_bits; 2433 size_t buffer_length; 2434 unsigned char *buffer = NULL; 2435 size_t output_length; 2436 2437 PSA_ASSERT(psa_crypto_init()); 2438 2439 psa_set_key_usage_flags(&attributes, policy_usage); 2440 psa_set_key_algorithm(&attributes, policy_alg); 2441 psa_set_key_type(&attributes, key_type); 2442 2443 if (use_opaque_key) { 2444 psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( 2445 PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION)); 2446 } 2447 2448 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2449 &key)); 2450 2451 /* Check if no key usage implication is done */ 2452 TEST_EQUAL(policy_usage, 2453 mbedtls_test_update_key_usage_flags(policy_usage)); 2454 2455 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 2456 key_bits = psa_get_key_bits(&attributes); 2457 buffer_length = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, 2458 exercise_alg); 2459 TEST_CALLOC(buffer, buffer_length); 2460 2461 status = psa_asymmetric_encrypt(key, exercise_alg, 2462 NULL, 0, 2463 NULL, 0, 2464 buffer, buffer_length, 2465 &output_length); 2466 if (policy_alg == exercise_alg && 2467 (policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) { 2468 PSA_ASSERT(status); 2469 } else { 2470 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2471 } 2472 2473 if (buffer_length != 0) { 2474 memset(buffer, 0, buffer_length); 2475 } 2476 status = psa_asymmetric_decrypt(key, exercise_alg, 2477 buffer, buffer_length, 2478 NULL, 0, 2479 buffer, buffer_length, 2480 &output_length); 2481 if (policy_alg == exercise_alg && 2482 (policy_usage & PSA_KEY_USAGE_DECRYPT) != 0) { 2483 TEST_EQUAL(status, PSA_ERROR_INVALID_PADDING); 2484 } else { 2485 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2486 } 2487 2488 exit: 2489 /* 2490 * Key attributes may have been returned by psa_get_key_attributes() 2491 * thus reset them as required. 2492 */ 2493 psa_reset_key_attributes(&attributes); 2494 2495 psa_destroy_key(key); 2496 PSA_DONE(); 2497 mbedtls_free(buffer); 2498 } 2499 /* END_CASE */ 2500 2501 /* BEGIN_CASE */ 2502 void asymmetric_signature_key_policy(int policy_usage_arg, 2503 int policy_alg, 2504 int key_type, 2505 data_t *key_data, 2506 int exercise_alg, 2507 int payload_length_arg, 2508 int expected_usage_arg) 2509 { 2510 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2511 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2512 psa_key_usage_t policy_usage = policy_usage_arg; 2513 psa_key_usage_t expected_usage = expected_usage_arg; 2514 psa_status_t status; 2515 unsigned char payload[PSA_HASH_MAX_SIZE] = { 1 }; 2516 /* If `payload_length_arg > 0`, `exercise_alg` is supposed to be 2517 * compatible with the policy and `payload_length_arg` is supposed to be 2518 * a valid input length to sign. If `payload_length_arg <= 0`, 2519 * `exercise_alg` is supposed to be forbidden by the policy. */ 2520 int compatible_alg = payload_length_arg > 0; 2521 size_t payload_length = compatible_alg ? payload_length_arg : 0; 2522 unsigned char signature[PSA_SIGNATURE_MAX_SIZE] = { 0 }; 2523 size_t signature_length; 2524 2525 /* Check if all implicit usage flags are deployed 2526 in the expected usage flags. */ 2527 TEST_EQUAL(expected_usage, 2528 mbedtls_test_update_key_usage_flags(policy_usage)); 2529 2530 PSA_ASSERT(psa_crypto_init()); 2531 2532 psa_set_key_usage_flags(&attributes, policy_usage); 2533 psa_set_key_algorithm(&attributes, policy_alg); 2534 psa_set_key_type(&attributes, key_type); 2535 2536 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2537 &key)); 2538 2539 TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage); 2540 2541 status = psa_sign_hash(key, exercise_alg, 2542 payload, payload_length, 2543 signature, sizeof(signature), 2544 &signature_length); 2545 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_SIGN_HASH) != 0) { 2546 PSA_ASSERT(status); 2547 } else { 2548 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2549 } 2550 2551 memset(signature, 0, sizeof(signature)); 2552 status = psa_verify_hash(key, exercise_alg, 2553 payload, payload_length, 2554 signature, sizeof(signature)); 2555 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) != 0) { 2556 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE); 2557 } else { 2558 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2559 } 2560 2561 if (PSA_ALG_IS_SIGN_HASH(exercise_alg) && 2562 PSA_ALG_IS_HASH(PSA_ALG_SIGN_GET_HASH(exercise_alg))) { 2563 status = psa_sign_message(key, exercise_alg, 2564 payload, payload_length, 2565 signature, sizeof(signature), 2566 &signature_length); 2567 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_SIGN_MESSAGE) != 0) { 2568 PSA_ASSERT(status); 2569 } else { 2570 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2571 } 2572 2573 memset(signature, 0, sizeof(signature)); 2574 status = psa_verify_message(key, exercise_alg, 2575 payload, payload_length, 2576 signature, sizeof(signature)); 2577 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_VERIFY_MESSAGE) != 0) { 2578 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE); 2579 } else { 2580 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2581 } 2582 } 2583 2584 exit: 2585 psa_destroy_key(key); 2586 PSA_DONE(); 2587 } 2588 /* END_CASE */ 2589 2590 /* BEGIN_CASE */ 2591 void derive_key_policy(int policy_usage, 2592 int policy_alg, 2593 int key_type, 2594 data_t *key_data, 2595 int exercise_alg) 2596 { 2597 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2598 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2599 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 2600 psa_status_t status; 2601 2602 PSA_ASSERT(psa_crypto_init()); 2603 2604 psa_set_key_usage_flags(&attributes, policy_usage); 2605 psa_set_key_algorithm(&attributes, policy_alg); 2606 psa_set_key_type(&attributes, key_type); 2607 2608 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2609 &key)); 2610 2611 PSA_ASSERT(psa_key_derivation_setup(&operation, exercise_alg)); 2612 2613 if (PSA_ALG_IS_TLS12_PRF(exercise_alg) || 2614 PSA_ALG_IS_TLS12_PSK_TO_MS(exercise_alg)) { 2615 PSA_ASSERT(psa_key_derivation_input_bytes( 2616 &operation, 2617 PSA_KEY_DERIVATION_INPUT_SEED, 2618 (const uint8_t *) "", 0)); 2619 } 2620 2621 status = psa_key_derivation_input_key(&operation, 2622 PSA_KEY_DERIVATION_INPUT_SECRET, 2623 key); 2624 2625 if (policy_alg == exercise_alg && 2626 (policy_usage & PSA_KEY_USAGE_DERIVE) != 0) { 2627 PSA_ASSERT(status); 2628 } else { 2629 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2630 } 2631 2632 exit: 2633 psa_key_derivation_abort(&operation); 2634 psa_destroy_key(key); 2635 PSA_DONE(); 2636 } 2637 /* END_CASE */ 2638 2639 /* BEGIN_CASE */ 2640 void agreement_key_policy(int policy_usage, 2641 int policy_alg, 2642 int key_type_arg, 2643 data_t *key_data, 2644 int exercise_alg, 2645 int expected_status_arg) 2646 { 2647 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2648 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2649 psa_key_type_t key_type = key_type_arg; 2650 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 2651 psa_status_t status; 2652 psa_status_t expected_status = expected_status_arg; 2653 2654 PSA_ASSERT(psa_crypto_init()); 2655 2656 psa_set_key_usage_flags(&attributes, policy_usage); 2657 psa_set_key_algorithm(&attributes, policy_alg); 2658 psa_set_key_type(&attributes, key_type); 2659 2660 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2661 &key)); 2662 2663 PSA_ASSERT(psa_key_derivation_setup(&operation, exercise_alg)); 2664 status = mbedtls_test_psa_key_agreement_with_self(&operation, key, 0); 2665 2666 TEST_EQUAL(status, expected_status); 2667 2668 exit: 2669 psa_key_derivation_abort(&operation); 2670 psa_destroy_key(key); 2671 PSA_DONE(); 2672 } 2673 /* END_CASE */ 2674 2675 /* BEGIN_CASE */ 2676 void key_policy_alg2(int key_type_arg, data_t *key_data, 2677 int usage_arg, int alg_arg, int alg2_arg) 2678 { 2679 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2680 psa_key_type_t key_type = key_type_arg; 2681 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2682 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 2683 psa_key_usage_t usage = usage_arg; 2684 psa_algorithm_t alg = alg_arg; 2685 psa_algorithm_t alg2 = alg2_arg; 2686 2687 PSA_ASSERT(psa_crypto_init()); 2688 2689 psa_set_key_usage_flags(&attributes, usage); 2690 psa_set_key_algorithm(&attributes, alg); 2691 psa_set_key_enrollment_algorithm(&attributes, alg2); 2692 psa_set_key_type(&attributes, key_type); 2693 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2694 &key)); 2695 2696 /* Update the usage flags to obtain implicit usage flags */ 2697 usage = mbedtls_test_update_key_usage_flags(usage); 2698 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 2699 TEST_EQUAL(psa_get_key_usage_flags(&got_attributes), usage); 2700 TEST_EQUAL(psa_get_key_algorithm(&got_attributes), alg); 2701 TEST_EQUAL(psa_get_key_enrollment_algorithm(&got_attributes), alg2); 2702 2703 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) { 2704 goto exit; 2705 } 2706 if (!mbedtls_test_psa_exercise_key(key, usage, alg2, 0)) { 2707 goto exit; 2708 } 2709 2710 exit: 2711 /* 2712 * Key attributes may have been returned by psa_get_key_attributes() 2713 * thus reset them as required. 2714 */ 2715 psa_reset_key_attributes(&got_attributes); 2716 2717 psa_destroy_key(key); 2718 PSA_DONE(); 2719 } 2720 /* END_CASE */ 2721 2722 /* BEGIN_CASE */ 2723 void raw_agreement_key_policy(int policy_usage, 2724 int policy_alg, 2725 int key_type_arg, 2726 data_t *key_data, 2727 int exercise_alg, 2728 int expected_status_arg) 2729 { 2730 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2731 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2732 psa_key_type_t key_type = key_type_arg; 2733 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 2734 psa_status_t status; 2735 psa_status_t expected_status = expected_status_arg; 2736 2737 PSA_ASSERT(psa_crypto_init()); 2738 2739 psa_set_key_usage_flags(&attributes, policy_usage); 2740 psa_set_key_algorithm(&attributes, policy_alg); 2741 psa_set_key_type(&attributes, key_type); 2742 2743 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2744 &key)); 2745 2746 status = mbedtls_test_psa_raw_key_agreement_with_self(exercise_alg, key, 0); 2747 2748 TEST_EQUAL(status, expected_status); 2749 2750 exit: 2751 psa_key_derivation_abort(&operation); 2752 psa_destroy_key(key); 2753 PSA_DONE(); 2754 } 2755 /* END_CASE */ 2756 2757 /* BEGIN_CASE */ 2758 void copy_success(int source_usage_arg, 2759 int source_alg_arg, int source_alg2_arg, 2760 int source_lifetime_arg, 2761 int type_arg, data_t *material, 2762 int copy_attributes, 2763 int target_usage_arg, 2764 int target_alg_arg, int target_alg2_arg, 2765 int target_lifetime_arg, 2766 int expected_usage_arg, 2767 int expected_alg_arg, int expected_alg2_arg) 2768 { 2769 psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT; 2770 psa_key_attributes_t target_attributes = PSA_KEY_ATTRIBUTES_INIT; 2771 psa_key_usage_t expected_usage = expected_usage_arg; 2772 psa_algorithm_t expected_alg = expected_alg_arg; 2773 psa_algorithm_t expected_alg2 = expected_alg2_arg; 2774 psa_key_lifetime_t source_lifetime = source_lifetime_arg; 2775 psa_key_lifetime_t target_lifetime = target_lifetime_arg; 2776 mbedtls_svc_key_id_t source_key = MBEDTLS_SVC_KEY_ID_INIT; 2777 mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT; 2778 uint8_t *export_buffer = NULL; 2779 2780 PSA_ASSERT(psa_crypto_init()); 2781 2782 /* Prepare the source key. */ 2783 psa_set_key_usage_flags(&source_attributes, source_usage_arg); 2784 psa_set_key_algorithm(&source_attributes, source_alg_arg); 2785 psa_set_key_enrollment_algorithm(&source_attributes, source_alg2_arg); 2786 psa_set_key_type(&source_attributes, type_arg); 2787 psa_set_key_lifetime(&source_attributes, source_lifetime); 2788 PSA_ASSERT(psa_import_key(&source_attributes, 2789 material->x, material->len, 2790 &source_key)); 2791 PSA_ASSERT(psa_get_key_attributes(source_key, &source_attributes)); 2792 2793 /* Prepare the target attributes. */ 2794 if (copy_attributes) { 2795 target_attributes = source_attributes; 2796 } 2797 psa_set_key_lifetime(&target_attributes, target_lifetime); 2798 2799 if (target_usage_arg != -1) { 2800 psa_set_key_usage_flags(&target_attributes, target_usage_arg); 2801 } 2802 if (target_alg_arg != -1) { 2803 psa_set_key_algorithm(&target_attributes, target_alg_arg); 2804 } 2805 if (target_alg2_arg != -1) { 2806 psa_set_key_enrollment_algorithm(&target_attributes, target_alg2_arg); 2807 } 2808 2809 2810 /* Copy the key. */ 2811 PSA_ASSERT(psa_copy_key(source_key, 2812 &target_attributes, &target_key)); 2813 2814 /* Destroy the source to ensure that this doesn't affect the target. */ 2815 PSA_ASSERT(psa_destroy_key(source_key)); 2816 2817 /* Test that the target slot has the expected content and policy. */ 2818 PSA_ASSERT(psa_get_key_attributes(target_key, &target_attributes)); 2819 TEST_EQUAL(psa_get_key_type(&source_attributes), 2820 psa_get_key_type(&target_attributes)); 2821 TEST_EQUAL(psa_get_key_bits(&source_attributes), 2822 psa_get_key_bits(&target_attributes)); 2823 TEST_EQUAL(expected_usage, psa_get_key_usage_flags(&target_attributes)); 2824 TEST_EQUAL(expected_alg, psa_get_key_algorithm(&target_attributes)); 2825 TEST_EQUAL(expected_alg2, 2826 psa_get_key_enrollment_algorithm(&target_attributes)); 2827 if (expected_usage & PSA_KEY_USAGE_EXPORT) { 2828 size_t length; 2829 TEST_CALLOC(export_buffer, material->len); 2830 PSA_ASSERT(psa_export_key(target_key, export_buffer, 2831 material->len, &length)); 2832 TEST_MEMORY_COMPARE(material->x, material->len, 2833 export_buffer, length); 2834 } 2835 2836 if (!psa_key_lifetime_is_external(target_lifetime)) { 2837 if (!mbedtls_test_psa_exercise_key(target_key, expected_usage, expected_alg, 0)) { 2838 goto exit; 2839 } 2840 if (!mbedtls_test_psa_exercise_key(target_key, expected_usage, expected_alg2, 0)) { 2841 goto exit; 2842 } 2843 } 2844 2845 PSA_ASSERT(psa_destroy_key(target_key)); 2846 2847 exit: 2848 /* 2849 * Source and target key attributes may have been returned by 2850 * psa_get_key_attributes() thus reset them as required. 2851 */ 2852 psa_reset_key_attributes(&source_attributes); 2853 psa_reset_key_attributes(&target_attributes); 2854 2855 PSA_DONE(); 2856 mbedtls_free(export_buffer); 2857 } 2858 /* END_CASE */ 2859 2860 /* BEGIN_CASE */ 2861 void copy_fail(int source_usage_arg, 2862 int source_alg_arg, int source_alg2_arg, 2863 int source_lifetime_arg, 2864 int type_arg, data_t *material, 2865 int target_type_arg, int target_bits_arg, 2866 int target_usage_arg, 2867 int target_alg_arg, int target_alg2_arg, 2868 int target_id_arg, int target_lifetime_arg, 2869 int expected_status_arg) 2870 { 2871 psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT; 2872 psa_key_attributes_t target_attributes = PSA_KEY_ATTRIBUTES_INIT; 2873 mbedtls_svc_key_id_t source_key = MBEDTLS_SVC_KEY_ID_INIT; 2874 mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT; 2875 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, target_id_arg); 2876 2877 PSA_ASSERT(psa_crypto_init()); 2878 2879 /* Prepare the source key. */ 2880 psa_set_key_usage_flags(&source_attributes, source_usage_arg); 2881 psa_set_key_algorithm(&source_attributes, source_alg_arg); 2882 psa_set_key_enrollment_algorithm(&source_attributes, source_alg2_arg); 2883 psa_set_key_type(&source_attributes, type_arg); 2884 psa_set_key_lifetime(&source_attributes, source_lifetime_arg); 2885 PSA_ASSERT(psa_import_key(&source_attributes, 2886 material->x, material->len, 2887 &source_key)); 2888 2889 /* Prepare the target attributes. */ 2890 psa_set_key_id(&target_attributes, key_id); 2891 psa_set_key_lifetime(&target_attributes, target_lifetime_arg); 2892 psa_set_key_type(&target_attributes, target_type_arg); 2893 psa_set_key_bits(&target_attributes, target_bits_arg); 2894 psa_set_key_usage_flags(&target_attributes, target_usage_arg); 2895 psa_set_key_algorithm(&target_attributes, target_alg_arg); 2896 psa_set_key_enrollment_algorithm(&target_attributes, target_alg2_arg); 2897 2898 /* Try to copy the key. */ 2899 TEST_EQUAL(psa_copy_key(source_key, 2900 &target_attributes, &target_key), 2901 expected_status_arg); 2902 2903 PSA_ASSERT(psa_destroy_key(source_key)); 2904 2905 exit: 2906 psa_reset_key_attributes(&source_attributes); 2907 psa_reset_key_attributes(&target_attributes); 2908 PSA_DONE(); 2909 } 2910 /* END_CASE */ 2911 2912 /* BEGIN_CASE */ 2913 void hash_operation_init() 2914 { 2915 const uint8_t input[1] = { 0 }; 2916 /* Test each valid way of initializing the object, except for `= {0}`, as 2917 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 2918 * though it's OK by the C standard. We could test for this, but we'd need 2919 * to suppress the Clang warning for the test. */ 2920 psa_hash_operation_t short_wrapper = psa_hash_operation_init_short(); 2921 psa_hash_operation_t func = psa_hash_operation_init(); 2922 psa_hash_operation_t init = PSA_HASH_OPERATION_INIT; 2923 psa_hash_operation_t zero; 2924 memset(&zero, 0, sizeof(zero)); 2925 2926 /* A freshly-initialized hash operation should not be usable. */ 2927 TEST_EQUAL(psa_hash_update(&short_wrapper, input, sizeof(input)), 2928 PSA_ERROR_BAD_STATE); 2929 TEST_EQUAL(psa_hash_update(&func, input, sizeof(input)), 2930 PSA_ERROR_BAD_STATE); 2931 TEST_EQUAL(psa_hash_update(&init, input, sizeof(input)), 2932 PSA_ERROR_BAD_STATE); 2933 TEST_EQUAL(psa_hash_update(&zero, input, sizeof(input)), 2934 PSA_ERROR_BAD_STATE); 2935 2936 /* A default hash operation should be abortable without error. */ 2937 PSA_ASSERT(psa_hash_abort(&short_wrapper)); 2938 PSA_ASSERT(psa_hash_abort(&func)); 2939 PSA_ASSERT(psa_hash_abort(&init)); 2940 PSA_ASSERT(psa_hash_abort(&zero)); 2941 } 2942 /* END_CASE */ 2943 2944 /* BEGIN_CASE */ 2945 void hash_setup(int alg_arg, 2946 int expected_status_arg) 2947 { 2948 psa_algorithm_t alg = alg_arg; 2949 uint8_t *output = NULL; 2950 size_t output_size = 0; 2951 size_t output_length = 0; 2952 psa_status_t expected_status = expected_status_arg; 2953 psa_hash_operation_t operation = psa_hash_operation_init_short(); 2954 psa_status_t status; 2955 2956 PSA_ASSERT(psa_crypto_init()); 2957 2958 /* Hash Setup, one-shot */ 2959 output_size = PSA_HASH_LENGTH(alg); 2960 TEST_CALLOC(output, output_size); 2961 2962 status = psa_hash_compute(alg, NULL, 0, 2963 output, output_size, &output_length); 2964 TEST_EQUAL(status, expected_status); 2965 2966 /* Hash Setup, multi-part */ 2967 status = psa_hash_setup(&operation, alg); 2968 TEST_EQUAL(status, expected_status); 2969 2970 /* Whether setup succeeded or failed, abort must succeed. */ 2971 PSA_ASSERT(psa_hash_abort(&operation)); 2972 2973 /* If setup failed, reproduce the failure, so as to 2974 * test the resulting state of the operation object. */ 2975 if (status != PSA_SUCCESS) { 2976 TEST_EQUAL(psa_hash_setup(&operation, alg), status); 2977 } 2978 2979 /* Now the operation object should be reusable. */ 2980 #if defined(KNOWN_SUPPORTED_HASH_ALG) 2981 PSA_ASSERT(psa_hash_setup(&operation, KNOWN_SUPPORTED_HASH_ALG)); 2982 PSA_ASSERT(psa_hash_abort(&operation)); 2983 #endif 2984 2985 exit: 2986 mbedtls_free(output); 2987 PSA_DONE(); 2988 } 2989 /* END_CASE */ 2990 2991 /* BEGIN_CASE */ 2992 void hash_compute_fail(int alg_arg, data_t *input, 2993 int output_size_arg, int expected_status_arg) 2994 { 2995 psa_algorithm_t alg = alg_arg; 2996 uint8_t *output = NULL; 2997 size_t output_size = output_size_arg; 2998 size_t output_length = INVALID_EXPORT_LENGTH; 2999 psa_hash_operation_t operation = psa_hash_operation_init_short(); 3000 psa_status_t expected_status = expected_status_arg; 3001 psa_status_t status; 3002 3003 TEST_CALLOC(output, output_size); 3004 3005 PSA_ASSERT(psa_crypto_init()); 3006 3007 /* Hash Compute, one-shot */ 3008 status = psa_hash_compute(alg, input->x, input->len, 3009 output, output_size, &output_length); 3010 TEST_EQUAL(status, expected_status); 3011 TEST_LE_U(output_length, output_size); 3012 3013 /* Hash Compute, multi-part */ 3014 status = psa_hash_setup(&operation, alg); 3015 if (status == PSA_SUCCESS) { 3016 status = psa_hash_update(&operation, input->x, input->len); 3017 if (status == PSA_SUCCESS) { 3018 status = psa_hash_finish(&operation, output, output_size, 3019 &output_length); 3020 if (status == PSA_SUCCESS) { 3021 TEST_LE_U(output_length, output_size); 3022 } else { 3023 TEST_EQUAL(status, expected_status); 3024 } 3025 } else { 3026 TEST_EQUAL(status, expected_status); 3027 } 3028 } else { 3029 TEST_EQUAL(status, expected_status); 3030 } 3031 3032 exit: 3033 PSA_ASSERT(psa_hash_abort(&operation)); 3034 mbedtls_free(output); 3035 PSA_DONE(); 3036 } 3037 /* END_CASE */ 3038 3039 /* BEGIN_CASE */ 3040 void hash_compare_fail(int alg_arg, data_t *input, 3041 data_t *reference_hash, 3042 int expected_status_arg) 3043 { 3044 psa_algorithm_t alg = alg_arg; 3045 psa_status_t expected_status = expected_status_arg; 3046 psa_hash_operation_t operation = psa_hash_operation_init_short(); 3047 psa_status_t status; 3048 3049 PSA_ASSERT(psa_crypto_init()); 3050 3051 /* Hash Compare, one-shot */ 3052 status = psa_hash_compare(alg, input->x, input->len, 3053 reference_hash->x, reference_hash->len); 3054 TEST_EQUAL(status, expected_status); 3055 3056 /* Hash Compare, multi-part */ 3057 status = psa_hash_setup(&operation, alg); 3058 if (status == PSA_SUCCESS) { 3059 status = psa_hash_update(&operation, input->x, input->len); 3060 if (status == PSA_SUCCESS) { 3061 status = psa_hash_verify(&operation, reference_hash->x, 3062 reference_hash->len); 3063 TEST_EQUAL(status, expected_status); 3064 } else { 3065 TEST_EQUAL(status, expected_status); 3066 } 3067 } else { 3068 TEST_EQUAL(status, expected_status); 3069 } 3070 3071 exit: 3072 PSA_ASSERT(psa_hash_abort(&operation)); 3073 PSA_DONE(); 3074 } 3075 /* END_CASE */ 3076 3077 /* BEGIN_CASE */ 3078 void hash_compute_compare(int alg_arg, data_t *input, 3079 data_t *expected_output) 3080 { 3081 psa_algorithm_t alg = alg_arg; 3082 uint8_t output[PSA_HASH_MAX_SIZE + 1]; 3083 size_t output_length = INVALID_EXPORT_LENGTH; 3084 psa_hash_operation_t operation = psa_hash_operation_init_short(); 3085 size_t i; 3086 3087 PSA_ASSERT(psa_crypto_init()); 3088 3089 /* Compute with tight buffer, one-shot */ 3090 PSA_ASSERT(psa_hash_compute(alg, input->x, input->len, 3091 output, PSA_HASH_LENGTH(alg), 3092 &output_length)); 3093 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg)); 3094 TEST_MEMORY_COMPARE(output, output_length, 3095 expected_output->x, expected_output->len); 3096 3097 /* Compute with tight buffer, multi-part */ 3098 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3099 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len)); 3100 PSA_ASSERT(psa_hash_finish(&operation, output, 3101 PSA_HASH_LENGTH(alg), 3102 &output_length)); 3103 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg)); 3104 TEST_MEMORY_COMPARE(output, output_length, 3105 expected_output->x, expected_output->len); 3106 3107 /* Compute with larger buffer, one-shot */ 3108 PSA_ASSERT(psa_hash_compute(alg, input->x, input->len, 3109 output, sizeof(output), 3110 &output_length)); 3111 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg)); 3112 TEST_MEMORY_COMPARE(output, output_length, 3113 expected_output->x, expected_output->len); 3114 3115 /* Compute with larger buffer, multi-part */ 3116 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3117 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len)); 3118 PSA_ASSERT(psa_hash_finish(&operation, output, 3119 sizeof(output), &output_length)); 3120 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg)); 3121 TEST_MEMORY_COMPARE(output, output_length, 3122 expected_output->x, expected_output->len); 3123 3124 /* Compare with correct hash, one-shot */ 3125 PSA_ASSERT(psa_hash_compare(alg, input->x, input->len, 3126 output, output_length)); 3127 3128 /* Compare with correct hash, multi-part */ 3129 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3130 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len)); 3131 PSA_ASSERT(psa_hash_verify(&operation, output, 3132 output_length)); 3133 3134 /* Compare with trailing garbage, one-shot */ 3135 TEST_EQUAL(psa_hash_compare(alg, input->x, input->len, 3136 output, output_length + 1), 3137 PSA_ERROR_INVALID_SIGNATURE); 3138 3139 /* Compare with trailing garbage, multi-part */ 3140 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3141 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len)); 3142 TEST_EQUAL(psa_hash_verify(&operation, output, output_length + 1), 3143 PSA_ERROR_INVALID_SIGNATURE); 3144 3145 /* Compare with truncated hash, one-shot */ 3146 TEST_EQUAL(psa_hash_compare(alg, input->x, input->len, 3147 output, output_length - 1), 3148 PSA_ERROR_INVALID_SIGNATURE); 3149 3150 /* Compare with truncated hash, multi-part */ 3151 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3152 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len)); 3153 TEST_EQUAL(psa_hash_verify(&operation, output, output_length - 1), 3154 PSA_ERROR_INVALID_SIGNATURE); 3155 3156 /* Compare with corrupted value */ 3157 for (i = 0; i < output_length; i++) { 3158 mbedtls_test_set_step(i); 3159 output[i] ^= 1; 3160 3161 /* One-shot */ 3162 TEST_EQUAL(psa_hash_compare(alg, input->x, input->len, 3163 output, output_length), 3164 PSA_ERROR_INVALID_SIGNATURE); 3165 3166 /* Multi-Part */ 3167 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3168 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len)); 3169 TEST_EQUAL(psa_hash_verify(&operation, output, output_length), 3170 PSA_ERROR_INVALID_SIGNATURE); 3171 3172 output[i] ^= 1; 3173 } 3174 3175 exit: 3176 PSA_ASSERT(psa_hash_abort(&operation)); 3177 PSA_DONE(); 3178 } 3179 /* END_CASE */ 3180 3181 /* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 3182 void hash_bad_order() 3183 { 3184 psa_algorithm_t alg = PSA_ALG_SHA_256; 3185 unsigned char input[] = ""; 3186 /* SHA-256 hash of an empty string */ 3187 const unsigned char valid_hash[] = { 3188 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 3189 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 3190 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 3191 }; 3192 unsigned char hash[sizeof(valid_hash)] = { 0 }; 3193 size_t hash_len; 3194 psa_hash_operation_t operation = psa_hash_operation_init_short(); 3195 3196 PSA_ASSERT(psa_crypto_init()); 3197 3198 /* Call setup twice in a row. */ 3199 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3200 ASSERT_OPERATION_IS_ACTIVE(operation); 3201 TEST_EQUAL(psa_hash_setup(&operation, alg), 3202 PSA_ERROR_BAD_STATE); 3203 ASSERT_OPERATION_IS_INACTIVE(operation); 3204 PSA_ASSERT(psa_hash_abort(&operation)); 3205 ASSERT_OPERATION_IS_INACTIVE(operation); 3206 3207 /* Call update without calling setup beforehand. */ 3208 TEST_EQUAL(psa_hash_update(&operation, input, sizeof(input)), 3209 PSA_ERROR_BAD_STATE); 3210 PSA_ASSERT(psa_hash_abort(&operation)); 3211 3212 /* Check that update calls abort on error. */ 3213 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3214 operation.id = UINT_MAX; 3215 ASSERT_OPERATION_IS_ACTIVE(operation); 3216 TEST_EQUAL(psa_hash_update(&operation, input, sizeof(input)), 3217 PSA_ERROR_BAD_STATE); 3218 ASSERT_OPERATION_IS_INACTIVE(operation); 3219 PSA_ASSERT(psa_hash_abort(&operation)); 3220 ASSERT_OPERATION_IS_INACTIVE(operation); 3221 3222 /* Call update after finish. */ 3223 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3224 PSA_ASSERT(psa_hash_finish(&operation, 3225 hash, sizeof(hash), &hash_len)); 3226 TEST_EQUAL(psa_hash_update(&operation, input, sizeof(input)), 3227 PSA_ERROR_BAD_STATE); 3228 PSA_ASSERT(psa_hash_abort(&operation)); 3229 3230 /* Call verify without calling setup beforehand. */ 3231 TEST_EQUAL(psa_hash_verify(&operation, 3232 valid_hash, sizeof(valid_hash)), 3233 PSA_ERROR_BAD_STATE); 3234 PSA_ASSERT(psa_hash_abort(&operation)); 3235 3236 /* Call verify after finish. */ 3237 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3238 PSA_ASSERT(psa_hash_finish(&operation, 3239 hash, sizeof(hash), &hash_len)); 3240 TEST_EQUAL(psa_hash_verify(&operation, 3241 valid_hash, sizeof(valid_hash)), 3242 PSA_ERROR_BAD_STATE); 3243 PSA_ASSERT(psa_hash_abort(&operation)); 3244 3245 /* Call verify twice in a row. */ 3246 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3247 ASSERT_OPERATION_IS_ACTIVE(operation); 3248 PSA_ASSERT(psa_hash_verify(&operation, 3249 valid_hash, sizeof(valid_hash))); 3250 ASSERT_OPERATION_IS_INACTIVE(operation); 3251 TEST_EQUAL(psa_hash_verify(&operation, 3252 valid_hash, sizeof(valid_hash)), 3253 PSA_ERROR_BAD_STATE); 3254 ASSERT_OPERATION_IS_INACTIVE(operation); 3255 PSA_ASSERT(psa_hash_abort(&operation)); 3256 3257 /* Call finish without calling setup beforehand. */ 3258 TEST_EQUAL(psa_hash_finish(&operation, 3259 hash, sizeof(hash), &hash_len), 3260 PSA_ERROR_BAD_STATE); 3261 PSA_ASSERT(psa_hash_abort(&operation)); 3262 3263 /* Call finish twice in a row. */ 3264 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3265 PSA_ASSERT(psa_hash_finish(&operation, 3266 hash, sizeof(hash), &hash_len)); 3267 TEST_EQUAL(psa_hash_finish(&operation, 3268 hash, sizeof(hash), &hash_len), 3269 PSA_ERROR_BAD_STATE); 3270 PSA_ASSERT(psa_hash_abort(&operation)); 3271 3272 /* Call finish after calling verify. */ 3273 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3274 PSA_ASSERT(psa_hash_verify(&operation, 3275 valid_hash, sizeof(valid_hash))); 3276 TEST_EQUAL(psa_hash_finish(&operation, 3277 hash, sizeof(hash), &hash_len), 3278 PSA_ERROR_BAD_STATE); 3279 PSA_ASSERT(psa_hash_abort(&operation)); 3280 3281 exit: 3282 PSA_DONE(); 3283 } 3284 /* END_CASE */ 3285 3286 /* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 3287 void hash_verify_bad_args() 3288 { 3289 psa_algorithm_t alg = PSA_ALG_SHA_256; 3290 /* SHA-256 hash of an empty string with 2 extra bytes (0xaa and 0xbb) 3291 * appended to it */ 3292 unsigned char hash[] = { 3293 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 3294 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 3295 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55, 0xaa, 0xbb 3296 }; 3297 size_t expected_size = PSA_HASH_LENGTH(alg); 3298 psa_hash_operation_t operation = psa_hash_operation_init_short(); 3299 3300 PSA_ASSERT(psa_crypto_init()); 3301 3302 /* psa_hash_verify with a smaller hash than expected */ 3303 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3304 ASSERT_OPERATION_IS_ACTIVE(operation); 3305 TEST_EQUAL(psa_hash_verify(&operation, hash, expected_size - 1), 3306 PSA_ERROR_INVALID_SIGNATURE); 3307 ASSERT_OPERATION_IS_INACTIVE(operation); 3308 PSA_ASSERT(psa_hash_abort(&operation)); 3309 ASSERT_OPERATION_IS_INACTIVE(operation); 3310 3311 /* psa_hash_verify with a non-matching hash */ 3312 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3313 TEST_EQUAL(psa_hash_verify(&operation, hash + 1, expected_size), 3314 PSA_ERROR_INVALID_SIGNATURE); 3315 3316 /* psa_hash_verify with a hash longer than expected */ 3317 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3318 TEST_EQUAL(psa_hash_verify(&operation, hash, sizeof(hash)), 3319 PSA_ERROR_INVALID_SIGNATURE); 3320 3321 exit: 3322 PSA_DONE(); 3323 } 3324 /* END_CASE */ 3325 3326 /* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 3327 void hash_finish_bad_args() 3328 { 3329 psa_algorithm_t alg = PSA_ALG_SHA_256; 3330 unsigned char hash[PSA_HASH_MAX_SIZE]; 3331 size_t expected_size = PSA_HASH_LENGTH(alg); 3332 psa_hash_operation_t operation = psa_hash_operation_init_short(); 3333 size_t hash_len; 3334 3335 PSA_ASSERT(psa_crypto_init()); 3336 3337 /* psa_hash_finish with a smaller hash buffer than expected */ 3338 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3339 TEST_EQUAL(psa_hash_finish(&operation, 3340 hash, expected_size - 1, &hash_len), 3341 PSA_ERROR_BUFFER_TOO_SMALL); 3342 3343 exit: 3344 PSA_DONE(); 3345 } 3346 /* END_CASE */ 3347 3348 /* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 3349 void hash_clone_source_state() 3350 { 3351 psa_algorithm_t alg = PSA_ALG_SHA_256; 3352 unsigned char hash[PSA_HASH_MAX_SIZE]; 3353 psa_hash_operation_t op_source = psa_hash_operation_init_short(); 3354 psa_hash_operation_t op_init = psa_hash_operation_init_short(); 3355 psa_hash_operation_t op_setup = psa_hash_operation_init_short(); 3356 psa_hash_operation_t op_finished = psa_hash_operation_init_short(); 3357 psa_hash_operation_t op_aborted = psa_hash_operation_init_short(); 3358 size_t hash_len; 3359 3360 PSA_ASSERT(psa_crypto_init()); 3361 PSA_ASSERT(psa_hash_setup(&op_source, alg)); 3362 3363 PSA_ASSERT(psa_hash_setup(&op_setup, alg)); 3364 PSA_ASSERT(psa_hash_setup(&op_finished, alg)); 3365 PSA_ASSERT(psa_hash_finish(&op_finished, 3366 hash, sizeof(hash), &hash_len)); 3367 PSA_ASSERT(psa_hash_setup(&op_aborted, alg)); 3368 PSA_ASSERT(psa_hash_abort(&op_aborted)); 3369 3370 TEST_EQUAL(psa_hash_clone(&op_source, &op_setup), 3371 PSA_ERROR_BAD_STATE); 3372 3373 PSA_ASSERT(psa_hash_clone(&op_source, &op_init)); 3374 PSA_ASSERT(psa_hash_finish(&op_init, 3375 hash, sizeof(hash), &hash_len)); 3376 PSA_ASSERT(psa_hash_clone(&op_source, &op_finished)); 3377 PSA_ASSERT(psa_hash_finish(&op_finished, 3378 hash, sizeof(hash), &hash_len)); 3379 PSA_ASSERT(psa_hash_clone(&op_source, &op_aborted)); 3380 PSA_ASSERT(psa_hash_finish(&op_aborted, 3381 hash, sizeof(hash), &hash_len)); 3382 3383 exit: 3384 psa_hash_abort(&op_source); 3385 psa_hash_abort(&op_init); 3386 psa_hash_abort(&op_setup); 3387 psa_hash_abort(&op_finished); 3388 psa_hash_abort(&op_aborted); 3389 PSA_DONE(); 3390 } 3391 /* END_CASE */ 3392 3393 /* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 3394 void hash_clone_target_state() 3395 { 3396 psa_algorithm_t alg = PSA_ALG_SHA_256; 3397 unsigned char hash[PSA_HASH_MAX_SIZE]; 3398 psa_hash_operation_t op_init = psa_hash_operation_init_short(); 3399 psa_hash_operation_t op_setup = psa_hash_operation_init_short(); 3400 psa_hash_operation_t op_finished = psa_hash_operation_init_short(); 3401 psa_hash_operation_t op_aborted = psa_hash_operation_init_short(); 3402 psa_hash_operation_t op_target = psa_hash_operation_init_short(); 3403 size_t hash_len; 3404 3405 PSA_ASSERT(psa_crypto_init()); 3406 3407 PSA_ASSERT(psa_hash_setup(&op_setup, alg)); 3408 PSA_ASSERT(psa_hash_setup(&op_finished, alg)); 3409 PSA_ASSERT(psa_hash_finish(&op_finished, 3410 hash, sizeof(hash), &hash_len)); 3411 PSA_ASSERT(psa_hash_setup(&op_aborted, alg)); 3412 PSA_ASSERT(psa_hash_abort(&op_aborted)); 3413 3414 PSA_ASSERT(psa_hash_clone(&op_setup, &op_target)); 3415 PSA_ASSERT(psa_hash_finish(&op_target, 3416 hash, sizeof(hash), &hash_len)); 3417 3418 TEST_EQUAL(psa_hash_clone(&op_init, &op_target), PSA_ERROR_BAD_STATE); 3419 TEST_EQUAL(psa_hash_clone(&op_finished, &op_target), 3420 PSA_ERROR_BAD_STATE); 3421 TEST_EQUAL(psa_hash_clone(&op_aborted, &op_target), 3422 PSA_ERROR_BAD_STATE); 3423 3424 exit: 3425 psa_hash_abort(&op_target); 3426 psa_hash_abort(&op_init); 3427 psa_hash_abort(&op_setup); 3428 psa_hash_abort(&op_finished); 3429 psa_hash_abort(&op_aborted); 3430 PSA_DONE(); 3431 } 3432 /* END_CASE */ 3433 3434 /* BEGIN_CASE */ 3435 void mac_operation_init() 3436 { 3437 const uint8_t input[1] = { 0 }; 3438 3439 /* Test each valid way of initializing the object, except for `= {0}`, as 3440 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 3441 * though it's OK by the C standard. We could test for this, but we'd need 3442 * to suppress the Clang warning for the test. */ 3443 psa_mac_operation_t short_wrapper = psa_mac_operation_init_short(); 3444 psa_mac_operation_t func = psa_mac_operation_init(); 3445 psa_mac_operation_t init = PSA_MAC_OPERATION_INIT; 3446 psa_mac_operation_t zero; 3447 memset(&zero, 0, sizeof(zero)); 3448 3449 /* A freshly-initialized MAC operation should not be usable. */ 3450 TEST_EQUAL(psa_mac_update(&short_wrapper, 3451 input, sizeof(input)), 3452 PSA_ERROR_BAD_STATE); 3453 TEST_EQUAL(psa_mac_update(&func, 3454 input, sizeof(input)), 3455 PSA_ERROR_BAD_STATE); 3456 TEST_EQUAL(psa_mac_update(&init, 3457 input, sizeof(input)), 3458 PSA_ERROR_BAD_STATE); 3459 TEST_EQUAL(psa_mac_update(&zero, 3460 input, sizeof(input)), 3461 PSA_ERROR_BAD_STATE); 3462 3463 /* A default MAC operation should be abortable without error. */ 3464 PSA_ASSERT(psa_mac_abort(&short_wrapper)); 3465 PSA_ASSERT(psa_mac_abort(&func)); 3466 PSA_ASSERT(psa_mac_abort(&init)); 3467 PSA_ASSERT(psa_mac_abort(&zero)); 3468 } 3469 /* END_CASE */ 3470 3471 /* BEGIN_CASE */ 3472 void mac_setup(int key_type_arg, 3473 data_t *key, 3474 int alg_arg, 3475 int expected_status_arg) 3476 { 3477 psa_key_type_t key_type = key_type_arg; 3478 psa_algorithm_t alg = alg_arg; 3479 psa_status_t expected_status = expected_status_arg; 3480 psa_mac_operation_t operation = psa_mac_operation_init_short(); 3481 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 3482 #if defined(KNOWN_SUPPORTED_MAC_ALG) 3483 /* We need to tell the compiler that we meant to leave out the null character. */ 3484 const uint8_t smoke_test_key_data[16] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING = 3485 "kkkkkkkkkkkkkkkk"; 3486 #endif 3487 3488 PSA_ASSERT(psa_crypto_init()); 3489 3490 if (!exercise_mac_setup(key_type, key->x, key->len, alg, 3491 &operation, &status)) { 3492 goto exit; 3493 } 3494 TEST_EQUAL(status, expected_status); 3495 3496 /* The operation object should be reusable. */ 3497 #if defined(KNOWN_SUPPORTED_MAC_ALG) 3498 if (!exercise_mac_setup(KNOWN_SUPPORTED_MAC_KEY_TYPE, 3499 smoke_test_key_data, 3500 sizeof(smoke_test_key_data), 3501 KNOWN_SUPPORTED_MAC_ALG, 3502 &operation, &status)) { 3503 goto exit; 3504 } 3505 TEST_EQUAL(status, PSA_SUCCESS); 3506 #endif 3507 3508 exit: 3509 PSA_DONE(); 3510 } 3511 /* END_CASE */ 3512 3513 /* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_HMAC:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256 */ 3514 void mac_bad_order() 3515 { 3516 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3517 psa_key_type_t key_type = PSA_KEY_TYPE_HMAC; 3518 psa_algorithm_t alg = PSA_ALG_HMAC(PSA_ALG_SHA_256); 3519 const uint8_t key_data[] = { 3520 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 3521 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 3522 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa 3523 }; 3524 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3525 psa_mac_operation_t operation = psa_mac_operation_init_short(); 3526 uint8_t sign_mac[PSA_MAC_MAX_SIZE + 10] = { 0 }; 3527 size_t sign_mac_length = 0; 3528 const uint8_t input[] = { 0xbb, 0xbb, 0xbb, 0xbb }; 3529 const uint8_t verify_mac[] = { 3530 0x74, 0x65, 0x93, 0x8c, 0xeb, 0x1d, 0xb3, 0x76, 0x5a, 0x38, 0xe7, 0xdd, 3531 0x85, 0xc5, 0xad, 0x4f, 0x07, 0xe7, 0xd5, 0xb2, 0x64, 0xf0, 0x1a, 0x1a, 3532 0x2c, 0xf9, 0x18, 0xca, 0x59, 0x7e, 0x5d, 0xf6 3533 }; 3534 3535 PSA_ASSERT(psa_crypto_init()); 3536 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH); 3537 psa_set_key_algorithm(&attributes, alg); 3538 psa_set_key_type(&attributes, key_type); 3539 3540 PSA_ASSERT(psa_import_key(&attributes, key_data, sizeof(key_data), 3541 &key)); 3542 3543 /* Call update without calling setup beforehand. */ 3544 TEST_EQUAL(psa_mac_update(&operation, input, sizeof(input)), 3545 PSA_ERROR_BAD_STATE); 3546 PSA_ASSERT(psa_mac_abort(&operation)); 3547 3548 /* Call sign finish without calling setup beforehand. */ 3549 TEST_EQUAL(psa_mac_sign_finish(&operation, sign_mac, sizeof(sign_mac), 3550 &sign_mac_length), 3551 PSA_ERROR_BAD_STATE); 3552 PSA_ASSERT(psa_mac_abort(&operation)); 3553 3554 /* Call verify finish without calling setup beforehand. */ 3555 TEST_EQUAL(psa_mac_verify_finish(&operation, 3556 verify_mac, sizeof(verify_mac)), 3557 PSA_ERROR_BAD_STATE); 3558 PSA_ASSERT(psa_mac_abort(&operation)); 3559 3560 /* Call setup twice in a row. */ 3561 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg)); 3562 ASSERT_OPERATION_IS_ACTIVE(operation); 3563 TEST_EQUAL(psa_mac_sign_setup(&operation, key, alg), 3564 PSA_ERROR_BAD_STATE); 3565 ASSERT_OPERATION_IS_INACTIVE(operation); 3566 PSA_ASSERT(psa_mac_abort(&operation)); 3567 ASSERT_OPERATION_IS_INACTIVE(operation); 3568 3569 /* Call update after sign finish. */ 3570 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg)); 3571 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input))); 3572 PSA_ASSERT(psa_mac_sign_finish(&operation, 3573 sign_mac, sizeof(sign_mac), 3574 &sign_mac_length)); 3575 TEST_EQUAL(psa_mac_update(&operation, input, sizeof(input)), 3576 PSA_ERROR_BAD_STATE); 3577 PSA_ASSERT(psa_mac_abort(&operation)); 3578 3579 /* Call update after verify finish. */ 3580 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg)); 3581 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input))); 3582 PSA_ASSERT(psa_mac_verify_finish(&operation, 3583 verify_mac, sizeof(verify_mac))); 3584 TEST_EQUAL(psa_mac_update(&operation, input, sizeof(input)), 3585 PSA_ERROR_BAD_STATE); 3586 PSA_ASSERT(psa_mac_abort(&operation)); 3587 3588 /* Call sign finish twice in a row. */ 3589 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg)); 3590 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input))); 3591 PSA_ASSERT(psa_mac_sign_finish(&operation, 3592 sign_mac, sizeof(sign_mac), 3593 &sign_mac_length)); 3594 TEST_EQUAL(psa_mac_sign_finish(&operation, 3595 sign_mac, sizeof(sign_mac), 3596 &sign_mac_length), 3597 PSA_ERROR_BAD_STATE); 3598 PSA_ASSERT(psa_mac_abort(&operation)); 3599 3600 /* Call verify finish twice in a row. */ 3601 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg)); 3602 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input))); 3603 PSA_ASSERT(psa_mac_verify_finish(&operation, 3604 verify_mac, sizeof(verify_mac))); 3605 TEST_EQUAL(psa_mac_verify_finish(&operation, 3606 verify_mac, sizeof(verify_mac)), 3607 PSA_ERROR_BAD_STATE); 3608 PSA_ASSERT(psa_mac_abort(&operation)); 3609 3610 /* Setup sign but try verify. */ 3611 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg)); 3612 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input))); 3613 ASSERT_OPERATION_IS_ACTIVE(operation); 3614 TEST_EQUAL(psa_mac_verify_finish(&operation, 3615 verify_mac, sizeof(verify_mac)), 3616 PSA_ERROR_BAD_STATE); 3617 ASSERT_OPERATION_IS_INACTIVE(operation); 3618 PSA_ASSERT(psa_mac_abort(&operation)); 3619 ASSERT_OPERATION_IS_INACTIVE(operation); 3620 3621 /* Setup verify but try sign. */ 3622 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg)); 3623 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input))); 3624 ASSERT_OPERATION_IS_ACTIVE(operation); 3625 TEST_EQUAL(psa_mac_sign_finish(&operation, 3626 sign_mac, sizeof(sign_mac), 3627 &sign_mac_length), 3628 PSA_ERROR_BAD_STATE); 3629 ASSERT_OPERATION_IS_INACTIVE(operation); 3630 PSA_ASSERT(psa_mac_abort(&operation)); 3631 ASSERT_OPERATION_IS_INACTIVE(operation); 3632 3633 PSA_ASSERT(psa_destroy_key(key)); 3634 3635 exit: 3636 PSA_DONE(); 3637 } 3638 /* END_CASE */ 3639 3640 /* BEGIN_CASE */ 3641 void mac_sign_verify_multi(int key_type_arg, 3642 data_t *key_data, 3643 int alg_arg, 3644 data_t *input, 3645 int is_verify, 3646 data_t *expected_mac) 3647 { 3648 size_t data_part_len = 0; 3649 3650 for (data_part_len = 1; data_part_len <= input->len; data_part_len++) { 3651 /* Split data into length(data_part_len) parts. */ 3652 mbedtls_test_set_step(2000 + data_part_len); 3653 3654 if (mac_multipart_internal_func(key_type_arg, key_data, 3655 alg_arg, 3656 input, data_part_len, 3657 expected_mac, 3658 is_verify, 0) == 0) { 3659 break; 3660 } 3661 3662 /* length(0) part, length(data_part_len) part, length(0) part... */ 3663 mbedtls_test_set_step(3000 + data_part_len); 3664 3665 if (mac_multipart_internal_func(key_type_arg, key_data, 3666 alg_arg, 3667 input, data_part_len, 3668 expected_mac, 3669 is_verify, 1) == 0) { 3670 break; 3671 } 3672 } 3673 3674 /* Goto is required to silence warnings about unused labels, as we 3675 * don't actually do any test assertions in this function. */ 3676 goto exit; 3677 } 3678 /* END_CASE */ 3679 3680 /* BEGIN_CASE */ 3681 void mac_sign(int key_type_arg, 3682 data_t *key_data, 3683 int alg_arg, 3684 data_t *input, 3685 data_t *expected_mac) 3686 { 3687 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3688 psa_key_type_t key_type = key_type_arg; 3689 psa_algorithm_t alg = alg_arg; 3690 psa_mac_operation_t operation = psa_mac_operation_init_short(); 3691 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3692 uint8_t *actual_mac = NULL; 3693 size_t mac_buffer_size = 3694 PSA_MAC_LENGTH(key_type, PSA_BYTES_TO_BITS(key_data->len), alg); 3695 size_t mac_length = 0; 3696 const size_t output_sizes_to_test[] = { 3697 0, 3698 1, 3699 expected_mac->len - 1, 3700 expected_mac->len, 3701 expected_mac->len + 1, 3702 }; 3703 3704 TEST_LE_U(mac_buffer_size, PSA_MAC_MAX_SIZE); 3705 /* We expect PSA_MAC_LENGTH to be exact. */ 3706 TEST_ASSERT(expected_mac->len == mac_buffer_size); 3707 3708 PSA_ASSERT(psa_crypto_init()); 3709 3710 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 3711 psa_set_key_algorithm(&attributes, alg); 3712 psa_set_key_type(&attributes, key_type); 3713 3714 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 3715 &key)); 3716 3717 for (size_t i = 0; i < ARRAY_LENGTH(output_sizes_to_test); i++) { 3718 const size_t output_size = output_sizes_to_test[i]; 3719 psa_status_t expected_status = 3720 (output_size >= expected_mac->len ? PSA_SUCCESS : 3721 PSA_ERROR_BUFFER_TOO_SMALL); 3722 3723 mbedtls_test_set_step(output_size); 3724 TEST_CALLOC(actual_mac, output_size); 3725 3726 /* Calculate the MAC, one-shot case. */ 3727 TEST_EQUAL(psa_mac_compute(key, alg, 3728 input->x, input->len, 3729 actual_mac, output_size, &mac_length), 3730 expected_status); 3731 if (expected_status == PSA_SUCCESS) { 3732 TEST_MEMORY_COMPARE(expected_mac->x, expected_mac->len, 3733 actual_mac, mac_length); 3734 } 3735 3736 if (output_size > 0) { 3737 memset(actual_mac, 0, output_size); 3738 } 3739 3740 /* Calculate the MAC, multi-part case. */ 3741 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg)); 3742 PSA_ASSERT(psa_mac_update(&operation, 3743 input->x, input->len)); 3744 TEST_EQUAL(psa_mac_sign_finish(&operation, 3745 actual_mac, output_size, 3746 &mac_length), 3747 expected_status); 3748 PSA_ASSERT(psa_mac_abort(&operation)); 3749 3750 if (expected_status == PSA_SUCCESS) { 3751 TEST_MEMORY_COMPARE(expected_mac->x, expected_mac->len, 3752 actual_mac, mac_length); 3753 } 3754 mbedtls_free(actual_mac); 3755 actual_mac = NULL; 3756 } 3757 3758 exit: 3759 psa_mac_abort(&operation); 3760 psa_destroy_key(key); 3761 PSA_DONE(); 3762 mbedtls_free(actual_mac); 3763 } 3764 /* END_CASE */ 3765 3766 /* BEGIN_CASE */ 3767 void mac_verify(int key_type_arg, 3768 data_t *key_data, 3769 int alg_arg, 3770 data_t *input, 3771 data_t *expected_mac) 3772 { 3773 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3774 psa_key_type_t key_type = key_type_arg; 3775 psa_algorithm_t alg = alg_arg; 3776 psa_mac_operation_t operation = psa_mac_operation_init_short(); 3777 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3778 uint8_t *perturbed_mac = NULL; 3779 3780 TEST_LE_U(expected_mac->len, PSA_MAC_MAX_SIZE); 3781 3782 PSA_ASSERT(psa_crypto_init()); 3783 3784 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 3785 psa_set_key_algorithm(&attributes, alg); 3786 psa_set_key_type(&attributes, key_type); 3787 3788 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 3789 &key)); 3790 3791 /* Verify correct MAC, one-shot case. */ 3792 PSA_ASSERT(psa_mac_verify(key, alg, input->x, input->len, 3793 expected_mac->x, expected_mac->len)); 3794 3795 /* Verify correct MAC, multi-part case. */ 3796 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg)); 3797 PSA_ASSERT(psa_mac_update(&operation, 3798 input->x, input->len)); 3799 PSA_ASSERT(psa_mac_verify_finish(&operation, 3800 expected_mac->x, 3801 expected_mac->len)); 3802 3803 /* Test a MAC that's too short, one-shot case. */ 3804 TEST_EQUAL(psa_mac_verify(key, alg, 3805 input->x, input->len, 3806 expected_mac->x, 3807 expected_mac->len - 1), 3808 PSA_ERROR_INVALID_SIGNATURE); 3809 3810 /* Test a MAC that's too short, multi-part case. */ 3811 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg)); 3812 PSA_ASSERT(psa_mac_update(&operation, 3813 input->x, input->len)); 3814 TEST_EQUAL(psa_mac_verify_finish(&operation, 3815 expected_mac->x, 3816 expected_mac->len - 1), 3817 PSA_ERROR_INVALID_SIGNATURE); 3818 3819 /* Test a MAC that's too long, one-shot case. */ 3820 TEST_CALLOC(perturbed_mac, expected_mac->len + 1); 3821 memcpy(perturbed_mac, expected_mac->x, expected_mac->len); 3822 TEST_EQUAL(psa_mac_verify(key, alg, 3823 input->x, input->len, 3824 perturbed_mac, expected_mac->len + 1), 3825 PSA_ERROR_INVALID_SIGNATURE); 3826 3827 /* Test a MAC that's too long, multi-part case. */ 3828 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg)); 3829 PSA_ASSERT(psa_mac_update(&operation, 3830 input->x, input->len)); 3831 TEST_EQUAL(psa_mac_verify_finish(&operation, 3832 perturbed_mac, 3833 expected_mac->len + 1), 3834 PSA_ERROR_INVALID_SIGNATURE); 3835 3836 /* Test changing one byte. */ 3837 for (size_t i = 0; i < expected_mac->len; i++) { 3838 mbedtls_test_set_step(i); 3839 perturbed_mac[i] ^= 1; 3840 3841 TEST_EQUAL(psa_mac_verify(key, alg, 3842 input->x, input->len, 3843 perturbed_mac, expected_mac->len), 3844 PSA_ERROR_INVALID_SIGNATURE); 3845 3846 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg)); 3847 PSA_ASSERT(psa_mac_update(&operation, 3848 input->x, input->len)); 3849 TEST_EQUAL(psa_mac_verify_finish(&operation, 3850 perturbed_mac, 3851 expected_mac->len), 3852 PSA_ERROR_INVALID_SIGNATURE); 3853 perturbed_mac[i] ^= 1; 3854 } 3855 3856 exit: 3857 psa_mac_abort(&operation); 3858 psa_destroy_key(key); 3859 PSA_DONE(); 3860 mbedtls_free(perturbed_mac); 3861 } 3862 /* END_CASE */ 3863 3864 /* BEGIN_CASE */ 3865 void cipher_operation_init() 3866 { 3867 const uint8_t input[1] = { 0 }; 3868 unsigned char output[1] = { 0 }; 3869 size_t output_length; 3870 /* Test each valid way of initializing the object, except for `= {0}`, as 3871 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 3872 * though it's OK by the C standard. We could test for this, but we'd need 3873 * to suppress the Clang warning for the test. */ 3874 psa_cipher_operation_t short_wrapper = psa_cipher_operation_init_short(); 3875 psa_cipher_operation_t func = psa_cipher_operation_init(); 3876 psa_cipher_operation_t init = PSA_CIPHER_OPERATION_INIT; 3877 psa_cipher_operation_t zero; 3878 memset(&zero, 0, sizeof(zero)); 3879 3880 /* A freshly-initialized cipher operation should not be usable. */ 3881 TEST_EQUAL(psa_cipher_update(&short_wrapper, 3882 input, sizeof(input), 3883 output, sizeof(output), 3884 &output_length), 3885 PSA_ERROR_BAD_STATE); 3886 TEST_EQUAL(psa_cipher_update(&func, 3887 input, sizeof(input), 3888 output, sizeof(output), 3889 &output_length), 3890 PSA_ERROR_BAD_STATE); 3891 TEST_EQUAL(psa_cipher_update(&init, 3892 input, sizeof(input), 3893 output, sizeof(output), 3894 &output_length), 3895 PSA_ERROR_BAD_STATE); 3896 TEST_EQUAL(psa_cipher_update(&zero, 3897 input, sizeof(input), 3898 output, sizeof(output), 3899 &output_length), 3900 PSA_ERROR_BAD_STATE); 3901 3902 /* A default cipher operation should be abortable without error. */ 3903 PSA_ASSERT(psa_cipher_abort(&short_wrapper)); 3904 PSA_ASSERT(psa_cipher_abort(&func)); 3905 PSA_ASSERT(psa_cipher_abort(&init)); 3906 PSA_ASSERT(psa_cipher_abort(&zero)); 3907 } 3908 /* END_CASE */ 3909 3910 /* BEGIN_CASE */ 3911 void cipher_setup(int key_type_arg, 3912 data_t *key, 3913 int alg_arg, 3914 int expected_status_arg) 3915 { 3916 psa_key_type_t key_type = key_type_arg; 3917 psa_algorithm_t alg = alg_arg; 3918 psa_status_t expected_status = expected_status_arg; 3919 psa_cipher_operation_t operation = psa_cipher_operation_init_short(); 3920 psa_status_t status; 3921 #if defined(KNOWN_SUPPORTED_CIPHER_ALG) 3922 /* We need to tell the compiler that we meant to leave out the null character. */ 3923 const uint8_t smoke_test_key_data[16] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING = 3924 "kkkkkkkkkkkkkkkk"; 3925 #endif 3926 3927 PSA_ASSERT(psa_crypto_init()); 3928 3929 if (!exercise_cipher_setup(key_type, key->x, key->len, alg, 3930 &operation, &status)) { 3931 goto exit; 3932 } 3933 TEST_EQUAL(status, expected_status); 3934 3935 /* The operation object should be reusable. */ 3936 #if defined(KNOWN_SUPPORTED_CIPHER_ALG) 3937 if (!exercise_cipher_setup(KNOWN_SUPPORTED_CIPHER_KEY_TYPE, 3938 smoke_test_key_data, 3939 sizeof(smoke_test_key_data), 3940 KNOWN_SUPPORTED_CIPHER_ALG, 3941 &operation, &status)) { 3942 goto exit; 3943 } 3944 TEST_EQUAL(status, PSA_SUCCESS); 3945 #endif 3946 3947 exit: 3948 psa_cipher_abort(&operation); 3949 PSA_DONE(); 3950 } 3951 /* END_CASE */ 3952 3953 /* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_PKCS7 */ 3954 void cipher_bad_order() 3955 { 3956 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3957 psa_key_type_t key_type = PSA_KEY_TYPE_AES; 3958 psa_algorithm_t alg = PSA_ALG_CBC_PKCS7; 3959 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3960 psa_cipher_operation_t operation = psa_cipher_operation_init_short(); 3961 unsigned char iv[PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES)] = { 0 }; 3962 const uint8_t key_data[] = { 3963 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 3964 0xaa, 0xaa, 0xaa, 0xaa 3965 }; 3966 const uint8_t text[] = { 3967 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 3968 0xbb, 0xbb, 0xbb, 0xbb 3969 }; 3970 uint8_t buffer[PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES)] = { 0 }; 3971 size_t length = 0; 3972 3973 PSA_ASSERT(psa_crypto_init()); 3974 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 3975 psa_set_key_algorithm(&attributes, alg); 3976 psa_set_key_type(&attributes, key_type); 3977 PSA_ASSERT(psa_import_key(&attributes, key_data, sizeof(key_data), 3978 &key)); 3979 3980 /* Call encrypt setup twice in a row. */ 3981 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 3982 ASSERT_OPERATION_IS_ACTIVE(operation); 3983 TEST_EQUAL(psa_cipher_encrypt_setup(&operation, key, alg), 3984 PSA_ERROR_BAD_STATE); 3985 ASSERT_OPERATION_IS_INACTIVE(operation); 3986 PSA_ASSERT(psa_cipher_abort(&operation)); 3987 ASSERT_OPERATION_IS_INACTIVE(operation); 3988 3989 /* Call decrypt setup twice in a row. */ 3990 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg)); 3991 ASSERT_OPERATION_IS_ACTIVE(operation); 3992 TEST_EQUAL(psa_cipher_decrypt_setup(&operation, key, alg), 3993 PSA_ERROR_BAD_STATE); 3994 ASSERT_OPERATION_IS_INACTIVE(operation); 3995 PSA_ASSERT(psa_cipher_abort(&operation)); 3996 ASSERT_OPERATION_IS_INACTIVE(operation); 3997 3998 /* Generate an IV without calling setup beforehand. */ 3999 TEST_EQUAL(psa_cipher_generate_iv(&operation, 4000 buffer, sizeof(buffer), 4001 &length), 4002 PSA_ERROR_BAD_STATE); 4003 PSA_ASSERT(psa_cipher_abort(&operation)); 4004 4005 /* Generate an IV twice in a row. */ 4006 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4007 PSA_ASSERT(psa_cipher_generate_iv(&operation, 4008 buffer, sizeof(buffer), 4009 &length)); 4010 ASSERT_OPERATION_IS_ACTIVE(operation); 4011 TEST_EQUAL(psa_cipher_generate_iv(&operation, 4012 buffer, sizeof(buffer), 4013 &length), 4014 PSA_ERROR_BAD_STATE); 4015 ASSERT_OPERATION_IS_INACTIVE(operation); 4016 PSA_ASSERT(psa_cipher_abort(&operation)); 4017 ASSERT_OPERATION_IS_INACTIVE(operation); 4018 4019 /* Generate an IV after it's already set. */ 4020 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4021 PSA_ASSERT(psa_cipher_set_iv(&operation, 4022 iv, sizeof(iv))); 4023 TEST_EQUAL(psa_cipher_generate_iv(&operation, 4024 buffer, sizeof(buffer), 4025 &length), 4026 PSA_ERROR_BAD_STATE); 4027 PSA_ASSERT(psa_cipher_abort(&operation)); 4028 4029 /* Set an IV without calling setup beforehand. */ 4030 TEST_EQUAL(psa_cipher_set_iv(&operation, 4031 iv, sizeof(iv)), 4032 PSA_ERROR_BAD_STATE); 4033 PSA_ASSERT(psa_cipher_abort(&operation)); 4034 4035 /* Set an IV after it's already set. */ 4036 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4037 PSA_ASSERT(psa_cipher_set_iv(&operation, 4038 iv, sizeof(iv))); 4039 ASSERT_OPERATION_IS_ACTIVE(operation); 4040 TEST_EQUAL(psa_cipher_set_iv(&operation, 4041 iv, sizeof(iv)), 4042 PSA_ERROR_BAD_STATE); 4043 ASSERT_OPERATION_IS_INACTIVE(operation); 4044 PSA_ASSERT(psa_cipher_abort(&operation)); 4045 ASSERT_OPERATION_IS_INACTIVE(operation); 4046 4047 /* Set an IV after it's already generated. */ 4048 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4049 PSA_ASSERT(psa_cipher_generate_iv(&operation, 4050 buffer, sizeof(buffer), 4051 &length)); 4052 TEST_EQUAL(psa_cipher_set_iv(&operation, 4053 iv, sizeof(iv)), 4054 PSA_ERROR_BAD_STATE); 4055 PSA_ASSERT(psa_cipher_abort(&operation)); 4056 4057 /* Call update without calling setup beforehand. */ 4058 TEST_EQUAL(psa_cipher_update(&operation, 4059 text, sizeof(text), 4060 buffer, sizeof(buffer), 4061 &length), 4062 PSA_ERROR_BAD_STATE); 4063 PSA_ASSERT(psa_cipher_abort(&operation)); 4064 4065 /* Call update without an IV where an IV is required. */ 4066 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4067 ASSERT_OPERATION_IS_ACTIVE(operation); 4068 TEST_EQUAL(psa_cipher_update(&operation, 4069 text, sizeof(text), 4070 buffer, sizeof(buffer), 4071 &length), 4072 PSA_ERROR_BAD_STATE); 4073 ASSERT_OPERATION_IS_INACTIVE(operation); 4074 PSA_ASSERT(psa_cipher_abort(&operation)); 4075 ASSERT_OPERATION_IS_INACTIVE(operation); 4076 4077 /* Call update after finish. */ 4078 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4079 PSA_ASSERT(psa_cipher_set_iv(&operation, 4080 iv, sizeof(iv))); 4081 PSA_ASSERT(psa_cipher_finish(&operation, 4082 buffer, sizeof(buffer), &length)); 4083 TEST_EQUAL(psa_cipher_update(&operation, 4084 text, sizeof(text), 4085 buffer, sizeof(buffer), 4086 &length), 4087 PSA_ERROR_BAD_STATE); 4088 PSA_ASSERT(psa_cipher_abort(&operation)); 4089 4090 /* Call finish without calling setup beforehand. */ 4091 TEST_EQUAL(psa_cipher_finish(&operation, 4092 buffer, sizeof(buffer), &length), 4093 PSA_ERROR_BAD_STATE); 4094 PSA_ASSERT(psa_cipher_abort(&operation)); 4095 4096 /* Call finish without an IV where an IV is required. */ 4097 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4098 /* Not calling update means we are encrypting an empty buffer, which is OK 4099 * for cipher modes with padding. */ 4100 ASSERT_OPERATION_IS_ACTIVE(operation); 4101 TEST_EQUAL(psa_cipher_finish(&operation, 4102 buffer, sizeof(buffer), &length), 4103 PSA_ERROR_BAD_STATE); 4104 ASSERT_OPERATION_IS_INACTIVE(operation); 4105 PSA_ASSERT(psa_cipher_abort(&operation)); 4106 ASSERT_OPERATION_IS_INACTIVE(operation); 4107 4108 /* Call finish twice in a row. */ 4109 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4110 PSA_ASSERT(psa_cipher_set_iv(&operation, 4111 iv, sizeof(iv))); 4112 PSA_ASSERT(psa_cipher_finish(&operation, 4113 buffer, sizeof(buffer), &length)); 4114 TEST_EQUAL(psa_cipher_finish(&operation, 4115 buffer, sizeof(buffer), &length), 4116 PSA_ERROR_BAD_STATE); 4117 PSA_ASSERT(psa_cipher_abort(&operation)); 4118 4119 PSA_ASSERT(psa_destroy_key(key)); 4120 4121 exit: 4122 psa_cipher_abort(&operation); 4123 PSA_DONE(); 4124 } 4125 /* END_CASE */ 4126 4127 /* BEGIN_CASE */ 4128 void cipher_encrypt_fail(int alg_arg, 4129 int key_type_arg, 4130 data_t *key_data, 4131 data_t *input, 4132 int expected_status_arg) 4133 { 4134 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4135 psa_status_t status; 4136 psa_key_type_t key_type = key_type_arg; 4137 psa_algorithm_t alg = alg_arg; 4138 psa_status_t expected_status = expected_status_arg; 4139 unsigned char iv[PSA_CIPHER_IV_MAX_SIZE] = { 0 }; 4140 size_t iv_size = PSA_CIPHER_IV_MAX_SIZE; 4141 size_t iv_length = 0; 4142 unsigned char *output = NULL; 4143 size_t output_buffer_size = 0; 4144 size_t output_length = 0; 4145 size_t function_output_length; 4146 psa_cipher_operation_t operation = psa_cipher_operation_init_short(); 4147 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4148 4149 if (PSA_ERROR_BAD_STATE != expected_status) { 4150 PSA_ASSERT(psa_crypto_init()); 4151 4152 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 4153 psa_set_key_algorithm(&attributes, alg); 4154 psa_set_key_type(&attributes, key_type); 4155 4156 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, 4157 input->len); 4158 TEST_CALLOC(output, output_buffer_size); 4159 4160 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4161 &key)); 4162 } 4163 4164 /* Encrypt, one-shot */ 4165 status = psa_cipher_encrypt(key, alg, input->x, input->len, output, 4166 output_buffer_size, &output_length); 4167 4168 TEST_EQUAL(status, expected_status); 4169 4170 /* Encrypt, multi-part */ 4171 status = psa_cipher_encrypt_setup(&operation, key, alg); 4172 if (status == PSA_SUCCESS) { 4173 if (alg != PSA_ALG_ECB_NO_PADDING) { 4174 PSA_ASSERT(psa_cipher_generate_iv(&operation, 4175 iv, iv_size, 4176 &iv_length)); 4177 } 4178 4179 status = psa_cipher_update(&operation, input->x, input->len, 4180 output, output_buffer_size, 4181 &function_output_length); 4182 if (status == PSA_SUCCESS) { 4183 output_length += function_output_length; 4184 4185 status = psa_cipher_finish(&operation, output + output_length, 4186 output_buffer_size - output_length, 4187 &function_output_length); 4188 4189 TEST_EQUAL(status, expected_status); 4190 } else { 4191 TEST_EQUAL(status, expected_status); 4192 } 4193 } else { 4194 TEST_EQUAL(status, expected_status); 4195 } 4196 4197 exit: 4198 psa_cipher_abort(&operation); 4199 mbedtls_free(output); 4200 psa_destroy_key(key); 4201 PSA_DONE(); 4202 } 4203 /* END_CASE */ 4204 4205 /* BEGIN_CASE */ 4206 void cipher_encrypt_validate_iv_length(int alg, int key_type, data_t *key_data, 4207 data_t *input, int iv_length, 4208 int expected_result) 4209 { 4210 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4211 psa_cipher_operation_t operation = psa_cipher_operation_init_short(); 4212 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4213 size_t output_buffer_size = 0; 4214 unsigned char *output = NULL; 4215 4216 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len); 4217 TEST_CALLOC(output, output_buffer_size); 4218 4219 PSA_ASSERT(psa_crypto_init()); 4220 4221 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 4222 psa_set_key_algorithm(&attributes, alg); 4223 psa_set_key_type(&attributes, key_type); 4224 4225 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4226 &key)); 4227 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4228 TEST_EQUAL(expected_result, psa_cipher_set_iv(&operation, output, 4229 iv_length)); 4230 4231 exit: 4232 psa_cipher_abort(&operation); 4233 mbedtls_free(output); 4234 psa_destroy_key(key); 4235 PSA_DONE(); 4236 } 4237 /* END_CASE */ 4238 4239 /* BEGIN_CASE */ 4240 void cipher_alg_without_iv(int alg_arg, int key_type_arg, data_t *key_data, 4241 data_t *plaintext, data_t *ciphertext) 4242 { 4243 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4244 psa_key_type_t key_type = key_type_arg; 4245 psa_algorithm_t alg = alg_arg; 4246 psa_cipher_operation_t operation = psa_cipher_operation_init_short(); 4247 uint8_t iv[1] = { 0x5a }; 4248 unsigned char *output = NULL; 4249 size_t output_buffer_size = 0; 4250 size_t output_length, length; 4251 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4252 4253 PSA_ASSERT(psa_crypto_init()); 4254 4255 /* Validate size macros */ 4256 TEST_LE_U(ciphertext->len, 4257 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext->len)); 4258 TEST_LE_U(PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext->len), 4259 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(plaintext->len)); 4260 TEST_LE_U(plaintext->len, 4261 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext->len)); 4262 TEST_LE_U(PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext->len), 4263 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(ciphertext->len)); 4264 4265 4266 /* Set up key and output buffer */ 4267 psa_set_key_usage_flags(&attributes, 4268 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 4269 psa_set_key_algorithm(&attributes, alg); 4270 psa_set_key_type(&attributes, key_type); 4271 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4272 &key)); 4273 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, 4274 plaintext->len); 4275 TEST_CALLOC(output, output_buffer_size); 4276 4277 /* set_iv() is not allowed */ 4278 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4279 TEST_EQUAL(psa_cipher_set_iv(&operation, iv, sizeof(iv)), 4280 PSA_ERROR_BAD_STATE); 4281 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg)); 4282 TEST_EQUAL(psa_cipher_set_iv(&operation, iv, sizeof(iv)), 4283 PSA_ERROR_BAD_STATE); 4284 4285 /* generate_iv() is not allowed */ 4286 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4287 TEST_EQUAL(psa_cipher_generate_iv(&operation, iv, sizeof(iv), 4288 &length), 4289 PSA_ERROR_BAD_STATE); 4290 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg)); 4291 TEST_EQUAL(psa_cipher_generate_iv(&operation, iv, sizeof(iv), 4292 &length), 4293 PSA_ERROR_BAD_STATE); 4294 4295 /* Multipart encryption */ 4296 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4297 output_length = 0; 4298 length = ~0; 4299 PSA_ASSERT(psa_cipher_update(&operation, 4300 plaintext->x, plaintext->len, 4301 output, output_buffer_size, 4302 &length)); 4303 TEST_LE_U(length, output_buffer_size); 4304 output_length += length; 4305 PSA_ASSERT(psa_cipher_finish(&operation, 4306 mbedtls_buffer_offset(output, output_length), 4307 output_buffer_size - output_length, 4308 &length)); 4309 output_length += length; 4310 TEST_MEMORY_COMPARE(ciphertext->x, ciphertext->len, 4311 output, output_length); 4312 4313 /* Multipart encryption */ 4314 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg)); 4315 output_length = 0; 4316 length = ~0; 4317 PSA_ASSERT(psa_cipher_update(&operation, 4318 ciphertext->x, ciphertext->len, 4319 output, output_buffer_size, 4320 &length)); 4321 TEST_LE_U(length, output_buffer_size); 4322 output_length += length; 4323 PSA_ASSERT(psa_cipher_finish(&operation, 4324 mbedtls_buffer_offset(output, output_length), 4325 output_buffer_size - output_length, 4326 &length)); 4327 output_length += length; 4328 TEST_MEMORY_COMPARE(plaintext->x, plaintext->len, 4329 output, output_length); 4330 4331 /* One-shot encryption */ 4332 output_length = ~0; 4333 PSA_ASSERT(psa_cipher_encrypt(key, alg, plaintext->x, plaintext->len, 4334 output, output_buffer_size, 4335 &output_length)); 4336 TEST_MEMORY_COMPARE(ciphertext->x, ciphertext->len, 4337 output, output_length); 4338 4339 /* One-shot decryption */ 4340 output_length = ~0; 4341 PSA_ASSERT(psa_cipher_decrypt(key, alg, ciphertext->x, ciphertext->len, 4342 output, output_buffer_size, 4343 &output_length)); 4344 TEST_MEMORY_COMPARE(plaintext->x, plaintext->len, 4345 output, output_length); 4346 4347 exit: 4348 PSA_ASSERT(psa_cipher_abort(&operation)); 4349 mbedtls_free(output); 4350 psa_cipher_abort(&operation); 4351 psa_destroy_key(key); 4352 PSA_DONE(); 4353 } 4354 /* END_CASE */ 4355 4356 /* BEGIN_CASE */ 4357 void cipher_bad_key(int alg_arg, int key_type_arg, data_t *key_data) 4358 { 4359 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4360 psa_algorithm_t alg = alg_arg; 4361 psa_key_type_t key_type = key_type_arg; 4362 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4363 psa_cipher_operation_t operation = psa_cipher_operation_init_short(); 4364 psa_status_t status; 4365 4366 PSA_ASSERT(psa_crypto_init()); 4367 4368 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 4369 psa_set_key_algorithm(&attributes, alg); 4370 psa_set_key_type(&attributes, key_type); 4371 4372 /* Usage of either of these two size macros would cause divide by zero 4373 * with incorrect key types previously. Input length should be irrelevant 4374 * here. */ 4375 TEST_EQUAL(PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, 16), 4376 0); 4377 TEST_EQUAL(PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, 16), 0); 4378 4379 4380 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4381 &key)); 4382 4383 /* Should fail due to invalid alg type (to support invalid key type). 4384 * Encrypt or decrypt will end up in the same place. */ 4385 status = psa_cipher_encrypt_setup(&operation, key, alg); 4386 4387 TEST_EQUAL(status, PSA_ERROR_INVALID_ARGUMENT); 4388 4389 exit: 4390 psa_cipher_abort(&operation); 4391 psa_destroy_key(key); 4392 PSA_DONE(); 4393 } 4394 /* END_CASE */ 4395 4396 /* BEGIN_CASE */ 4397 void cipher_encrypt_validation(int alg_arg, 4398 int key_type_arg, 4399 data_t *key_data, 4400 data_t *input) 4401 { 4402 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4403 psa_key_type_t key_type = key_type_arg; 4404 psa_algorithm_t alg = alg_arg; 4405 size_t iv_size = PSA_CIPHER_IV_LENGTH(key_type, alg); 4406 unsigned char *output1 = NULL; 4407 size_t output1_buffer_size = 0; 4408 size_t output1_length = 0; 4409 unsigned char *output2 = NULL; 4410 size_t output2_buffer_size = 0; 4411 size_t output2_length = 0; 4412 size_t function_output_length = 0; 4413 psa_cipher_operation_t operation = psa_cipher_operation_init_short(); 4414 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4415 4416 PSA_ASSERT(psa_crypto_init()); 4417 4418 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 4419 psa_set_key_algorithm(&attributes, alg); 4420 psa_set_key_type(&attributes, key_type); 4421 4422 output1_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len); 4423 output2_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len) + 4424 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg); 4425 TEST_CALLOC(output1, output1_buffer_size); 4426 TEST_CALLOC(output2, output2_buffer_size); 4427 4428 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4429 &key)); 4430 4431 /* The one-shot cipher encryption uses generated iv so validating 4432 the output is not possible. Validating with multipart encryption. */ 4433 PSA_ASSERT(psa_cipher_encrypt(key, alg, input->x, input->len, output1, 4434 output1_buffer_size, &output1_length)); 4435 TEST_LE_U(output1_length, 4436 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len)); 4437 TEST_LE_U(output1_length, 4438 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input->len)); 4439 4440 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4441 PSA_ASSERT(psa_cipher_set_iv(&operation, output1, iv_size)); 4442 4443 PSA_ASSERT(psa_cipher_update(&operation, 4444 input->x, input->len, 4445 output2, output2_buffer_size, 4446 &function_output_length)); 4447 TEST_LE_U(function_output_length, 4448 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len)); 4449 TEST_LE_U(function_output_length, 4450 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len)); 4451 output2_length += function_output_length; 4452 4453 PSA_ASSERT(psa_cipher_finish(&operation, 4454 output2 + output2_length, 4455 output2_buffer_size - output2_length, 4456 &function_output_length)); 4457 TEST_LE_U(function_output_length, 4458 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg)); 4459 TEST_LE_U(function_output_length, 4460 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE); 4461 output2_length += function_output_length; 4462 4463 PSA_ASSERT(psa_cipher_abort(&operation)); 4464 TEST_MEMORY_COMPARE(output1 + iv_size, output1_length - iv_size, 4465 output2, output2_length); 4466 4467 exit: 4468 psa_cipher_abort(&operation); 4469 mbedtls_free(output1); 4470 mbedtls_free(output2); 4471 psa_destroy_key(key); 4472 PSA_DONE(); 4473 } 4474 /* END_CASE */ 4475 4476 /* BEGIN_CASE */ 4477 void cipher_encrypt_multipart(int alg_arg, int key_type_arg, 4478 data_t *key_data, data_t *iv, 4479 data_t *input, 4480 int first_part_size_arg, 4481 int output1_length_arg, int output2_length_arg, 4482 data_t *expected_output, 4483 int expected_status_arg) 4484 { 4485 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4486 psa_key_type_t key_type = key_type_arg; 4487 psa_algorithm_t alg = alg_arg; 4488 psa_status_t status; 4489 psa_status_t expected_status = expected_status_arg; 4490 size_t first_part_size = first_part_size_arg; 4491 size_t output1_length = output1_length_arg; 4492 size_t output2_length = output2_length_arg; 4493 unsigned char *output = NULL; 4494 size_t output_buffer_size = 0; 4495 size_t function_output_length = 0; 4496 size_t total_output_length = 0; 4497 psa_cipher_operation_t operation = psa_cipher_operation_init_short(); 4498 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4499 4500 PSA_ASSERT(psa_crypto_init()); 4501 4502 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 4503 psa_set_key_algorithm(&attributes, alg); 4504 psa_set_key_type(&attributes, key_type); 4505 4506 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4507 &key)); 4508 4509 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4510 4511 if (iv->len > 0) { 4512 PSA_ASSERT(psa_cipher_set_iv(&operation, iv->x, iv->len)); 4513 } 4514 4515 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len) + 4516 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg); 4517 TEST_CALLOC(output, output_buffer_size); 4518 4519 TEST_LE_U(first_part_size, input->len); 4520 PSA_ASSERT(psa_cipher_update(&operation, input->x, first_part_size, 4521 output, output_buffer_size, 4522 &function_output_length)); 4523 TEST_ASSERT(function_output_length == output1_length); 4524 TEST_LE_U(function_output_length, 4525 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size)); 4526 TEST_LE_U(function_output_length, 4527 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size)); 4528 total_output_length += function_output_length; 4529 4530 if (first_part_size < input->len) { 4531 PSA_ASSERT(psa_cipher_update(&operation, 4532 input->x + first_part_size, 4533 input->len - first_part_size, 4534 (output_buffer_size == 0 ? NULL : 4535 output + total_output_length), 4536 output_buffer_size - total_output_length, 4537 &function_output_length)); 4538 TEST_ASSERT(function_output_length == output2_length); 4539 TEST_LE_U(function_output_length, 4540 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, 4541 alg, 4542 input->len - first_part_size)); 4543 TEST_LE_U(function_output_length, 4544 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len)); 4545 total_output_length += function_output_length; 4546 } 4547 4548 status = psa_cipher_finish(&operation, 4549 (output_buffer_size == 0 ? NULL : 4550 output + total_output_length), 4551 output_buffer_size - total_output_length, 4552 &function_output_length); 4553 TEST_LE_U(function_output_length, 4554 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg)); 4555 TEST_LE_U(function_output_length, 4556 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE); 4557 total_output_length += function_output_length; 4558 TEST_EQUAL(status, expected_status); 4559 4560 if (expected_status == PSA_SUCCESS) { 4561 PSA_ASSERT(psa_cipher_abort(&operation)); 4562 4563 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len, 4564 output, total_output_length); 4565 } 4566 4567 exit: 4568 psa_cipher_abort(&operation); 4569 mbedtls_free(output); 4570 psa_destroy_key(key); 4571 PSA_DONE(); 4572 } 4573 /* END_CASE */ 4574 4575 /* BEGIN_CASE */ 4576 void cipher_decrypt_multipart(int alg_arg, int key_type_arg, 4577 data_t *key_data, data_t *iv, 4578 data_t *input, 4579 int first_part_size_arg, 4580 int output1_length_arg, int output2_length_arg, 4581 data_t *expected_output, 4582 int expected_status_arg) 4583 { 4584 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4585 psa_key_type_t key_type = key_type_arg; 4586 psa_algorithm_t alg = alg_arg; 4587 psa_status_t status; 4588 psa_status_t expected_status = expected_status_arg; 4589 size_t first_part_size = first_part_size_arg; 4590 size_t output1_length = output1_length_arg; 4591 size_t output2_length = output2_length_arg; 4592 unsigned char *output = NULL; 4593 size_t output_buffer_size = 0; 4594 size_t function_output_length = 0; 4595 size_t total_output_length = 0; 4596 psa_cipher_operation_t operation = psa_cipher_operation_init_short(); 4597 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4598 4599 PSA_ASSERT(psa_crypto_init()); 4600 4601 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 4602 psa_set_key_algorithm(&attributes, alg); 4603 psa_set_key_type(&attributes, key_type); 4604 4605 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4606 &key)); 4607 4608 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg)); 4609 4610 if (iv->len > 0) { 4611 PSA_ASSERT(psa_cipher_set_iv(&operation, iv->x, iv->len)); 4612 } 4613 4614 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len) + 4615 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg); 4616 TEST_CALLOC(output, output_buffer_size); 4617 4618 TEST_LE_U(first_part_size, input->len); 4619 PSA_ASSERT(psa_cipher_update(&operation, 4620 input->x, first_part_size, 4621 output, output_buffer_size, 4622 &function_output_length)); 4623 TEST_ASSERT(function_output_length == output1_length); 4624 TEST_LE_U(function_output_length, 4625 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size)); 4626 TEST_LE_U(function_output_length, 4627 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size)); 4628 total_output_length += function_output_length; 4629 4630 if (first_part_size < input->len) { 4631 PSA_ASSERT(psa_cipher_update(&operation, 4632 input->x + first_part_size, 4633 input->len - first_part_size, 4634 (output_buffer_size == 0 ? NULL : 4635 output + total_output_length), 4636 output_buffer_size - total_output_length, 4637 &function_output_length)); 4638 TEST_ASSERT(function_output_length == output2_length); 4639 TEST_LE_U(function_output_length, 4640 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, 4641 alg, 4642 input->len - first_part_size)); 4643 TEST_LE_U(function_output_length, 4644 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len)); 4645 total_output_length += function_output_length; 4646 } 4647 4648 status = psa_cipher_finish(&operation, 4649 (output_buffer_size == 0 ? NULL : 4650 output + total_output_length), 4651 output_buffer_size - total_output_length, 4652 &function_output_length); 4653 TEST_LE_U(function_output_length, 4654 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg)); 4655 TEST_LE_U(function_output_length, 4656 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE); 4657 total_output_length += function_output_length; 4658 TEST_EQUAL(status, expected_status); 4659 4660 if (expected_status == PSA_SUCCESS) { 4661 PSA_ASSERT(psa_cipher_abort(&operation)); 4662 4663 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len, 4664 output, total_output_length); 4665 } 4666 4667 exit: 4668 psa_cipher_abort(&operation); 4669 mbedtls_free(output); 4670 psa_destroy_key(key); 4671 PSA_DONE(); 4672 } 4673 /* END_CASE */ 4674 4675 /* BEGIN_CASE */ 4676 void cipher_decrypt_fail(int alg_arg, 4677 int key_type_arg, 4678 data_t *key_data, 4679 data_t *iv, 4680 data_t *input_arg, 4681 int expected_status_arg) 4682 { 4683 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4684 psa_status_t status; 4685 psa_key_type_t key_type = key_type_arg; 4686 psa_algorithm_t alg = alg_arg; 4687 psa_status_t expected_status = expected_status_arg; 4688 unsigned char *input = NULL; 4689 size_t input_buffer_size = 0; 4690 unsigned char *output = NULL; 4691 unsigned char *output_multi = NULL; 4692 size_t output_buffer_size = 0; 4693 size_t output_length = 0; 4694 size_t function_output_length; 4695 psa_cipher_operation_t operation = psa_cipher_operation_init_short(); 4696 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4697 4698 if (PSA_ERROR_BAD_STATE != expected_status) { 4699 PSA_ASSERT(psa_crypto_init()); 4700 4701 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 4702 psa_set_key_algorithm(&attributes, alg); 4703 psa_set_key_type(&attributes, key_type); 4704 4705 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4706 &key)); 4707 } 4708 4709 /* Allocate input buffer and copy the iv and the plaintext */ 4710 input_buffer_size = ((size_t) input_arg->len + (size_t) iv->len); 4711 if (input_buffer_size > 0) { 4712 TEST_CALLOC(input, input_buffer_size); 4713 memcpy(input, iv->x, iv->len); 4714 memcpy(input + iv->len, input_arg->x, input_arg->len); 4715 } 4716 4717 output_buffer_size = PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_buffer_size); 4718 TEST_CALLOC(output, output_buffer_size); 4719 4720 /* Decrypt, one-short */ 4721 status = psa_cipher_decrypt(key, alg, input, input_buffer_size, output, 4722 output_buffer_size, &output_length); 4723 TEST_EQUAL(status, expected_status); 4724 4725 /* Decrypt, multi-part */ 4726 status = psa_cipher_decrypt_setup(&operation, key, alg); 4727 if (status == PSA_SUCCESS) { 4728 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, 4729 input_arg->len) + 4730 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg); 4731 TEST_CALLOC(output_multi, output_buffer_size); 4732 4733 if (iv->len > 0) { 4734 status = psa_cipher_set_iv(&operation, iv->x, iv->len); 4735 4736 if (status != PSA_SUCCESS) { 4737 TEST_EQUAL(status, expected_status); 4738 } 4739 } 4740 4741 if (status == PSA_SUCCESS) { 4742 status = psa_cipher_update(&operation, 4743 input_arg->x, input_arg->len, 4744 output_multi, output_buffer_size, 4745 &function_output_length); 4746 if (status == PSA_SUCCESS) { 4747 output_length = function_output_length; 4748 4749 status = psa_cipher_finish(&operation, 4750 output_multi + output_length, 4751 output_buffer_size - output_length, 4752 &function_output_length); 4753 4754 TEST_EQUAL(status, expected_status); 4755 } else { 4756 TEST_EQUAL(status, expected_status); 4757 } 4758 } else { 4759 TEST_EQUAL(status, expected_status); 4760 } 4761 } else { 4762 TEST_EQUAL(status, expected_status); 4763 } 4764 4765 exit: 4766 psa_cipher_abort(&operation); 4767 mbedtls_free(input); 4768 mbedtls_free(output); 4769 mbedtls_free(output_multi); 4770 psa_destroy_key(key); 4771 PSA_DONE(); 4772 } 4773 /* END_CASE */ 4774 4775 /* BEGIN_CASE */ 4776 void cipher_decrypt(int alg_arg, 4777 int key_type_arg, 4778 data_t *key_data, 4779 data_t *iv, 4780 data_t *input_arg, 4781 data_t *expected_output) 4782 { 4783 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4784 psa_key_type_t key_type = key_type_arg; 4785 psa_algorithm_t alg = alg_arg; 4786 unsigned char *input = NULL; 4787 size_t input_buffer_size = 0; 4788 unsigned char *output = NULL; 4789 size_t output_buffer_size = 0; 4790 size_t output_length = 0; 4791 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4792 4793 PSA_ASSERT(psa_crypto_init()); 4794 4795 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 4796 psa_set_key_algorithm(&attributes, alg); 4797 psa_set_key_type(&attributes, key_type); 4798 4799 /* Allocate input buffer and copy the iv and the plaintext */ 4800 input_buffer_size = ((size_t) input_arg->len + (size_t) iv->len); 4801 if (input_buffer_size > 0) { 4802 TEST_CALLOC(input, input_buffer_size); 4803 memcpy(input, iv->x, iv->len); 4804 memcpy(input + iv->len, input_arg->x, input_arg->len); 4805 } 4806 4807 output_buffer_size = PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_buffer_size); 4808 TEST_CALLOC(output, output_buffer_size); 4809 4810 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4811 &key)); 4812 4813 PSA_ASSERT(psa_cipher_decrypt(key, alg, input, input_buffer_size, output, 4814 output_buffer_size, &output_length)); 4815 TEST_LE_U(output_length, 4816 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_buffer_size)); 4817 TEST_LE_U(output_length, 4818 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(input_buffer_size)); 4819 4820 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len, 4821 output, output_length); 4822 exit: 4823 mbedtls_free(input); 4824 mbedtls_free(output); 4825 psa_destroy_key(key); 4826 PSA_DONE(); 4827 } 4828 /* END_CASE */ 4829 4830 /* BEGIN_CASE */ 4831 void cipher_verify_output(int alg_arg, 4832 int key_type_arg, 4833 data_t *key_data, 4834 data_t *input) 4835 { 4836 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4837 psa_key_type_t key_type = key_type_arg; 4838 psa_algorithm_t alg = alg_arg; 4839 unsigned char *output1 = NULL; 4840 size_t output1_size = 0; 4841 size_t output1_length = 0; 4842 unsigned char *output2 = NULL; 4843 size_t output2_size = 0; 4844 size_t output2_length = 0; 4845 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4846 4847 PSA_ASSERT(psa_crypto_init()); 4848 4849 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 4850 psa_set_key_algorithm(&attributes, alg); 4851 psa_set_key_type(&attributes, key_type); 4852 4853 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4854 &key)); 4855 output1_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len); 4856 TEST_CALLOC(output1, output1_size); 4857 4858 PSA_ASSERT(psa_cipher_encrypt(key, alg, input->x, input->len, 4859 output1, output1_size, 4860 &output1_length)); 4861 TEST_LE_U(output1_length, 4862 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len)); 4863 TEST_LE_U(output1_length, 4864 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input->len)); 4865 4866 output2_size = output1_length; 4867 TEST_CALLOC(output2, output2_size); 4868 4869 PSA_ASSERT(psa_cipher_decrypt(key, alg, output1, output1_length, 4870 output2, output2_size, 4871 &output2_length)); 4872 TEST_LE_U(output2_length, 4873 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, output1_length)); 4874 TEST_LE_U(output2_length, 4875 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(output1_length)); 4876 4877 TEST_MEMORY_COMPARE(input->x, input->len, output2, output2_length); 4878 4879 exit: 4880 mbedtls_free(output1); 4881 mbedtls_free(output2); 4882 psa_destroy_key(key); 4883 PSA_DONE(); 4884 } 4885 /* END_CASE */ 4886 4887 /* BEGIN_CASE */ 4888 void cipher_verify_output_multipart(int alg_arg, 4889 int key_type_arg, 4890 data_t *key_data, 4891 data_t *input, 4892 int first_part_size_arg) 4893 { 4894 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4895 psa_key_type_t key_type = key_type_arg; 4896 psa_algorithm_t alg = alg_arg; 4897 size_t first_part_size = first_part_size_arg; 4898 unsigned char iv[16] = { 0 }; 4899 size_t iv_size = 16; 4900 size_t iv_length = 0; 4901 unsigned char *output1 = NULL; 4902 size_t output1_buffer_size = 0; 4903 size_t output1_length = 0; 4904 unsigned char *output2 = NULL; 4905 size_t output2_buffer_size = 0; 4906 size_t output2_length = 0; 4907 size_t function_output_length; 4908 psa_cipher_operation_t operation1 = psa_cipher_operation_init_short(); 4909 psa_cipher_operation_t operation2 = psa_cipher_operation_init_short(); 4910 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4911 4912 PSA_ASSERT(psa_crypto_init()); 4913 4914 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 4915 psa_set_key_algorithm(&attributes, alg); 4916 psa_set_key_type(&attributes, key_type); 4917 4918 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4919 &key)); 4920 4921 PSA_ASSERT(psa_cipher_encrypt_setup(&operation1, key, alg)); 4922 PSA_ASSERT(psa_cipher_decrypt_setup(&operation2, key, alg)); 4923 4924 if (alg != PSA_ALG_ECB_NO_PADDING) { 4925 PSA_ASSERT(psa_cipher_generate_iv(&operation1, 4926 iv, iv_size, 4927 &iv_length)); 4928 } 4929 4930 output1_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len); 4931 TEST_LE_U(output1_buffer_size, 4932 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input->len)); 4933 TEST_CALLOC(output1, output1_buffer_size); 4934 4935 TEST_LE_U(first_part_size, input->len); 4936 4937 PSA_ASSERT(psa_cipher_update(&operation1, input->x, first_part_size, 4938 output1, output1_buffer_size, 4939 &function_output_length)); 4940 TEST_LE_U(function_output_length, 4941 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size)); 4942 TEST_LE_U(function_output_length, 4943 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size)); 4944 output1_length += function_output_length; 4945 4946 PSA_ASSERT(psa_cipher_update(&operation1, 4947 input->x + first_part_size, 4948 input->len - first_part_size, 4949 output1 + output1_length, 4950 output1_buffer_size - output1_length, 4951 &function_output_length)); 4952 TEST_LE_U(function_output_length, 4953 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, 4954 alg, 4955 input->len - first_part_size)); 4956 TEST_LE_U(function_output_length, 4957 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len - first_part_size)); 4958 output1_length += function_output_length; 4959 4960 PSA_ASSERT(psa_cipher_finish(&operation1, 4961 output1 + output1_length, 4962 output1_buffer_size - output1_length, 4963 &function_output_length)); 4964 TEST_LE_U(function_output_length, 4965 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg)); 4966 TEST_LE_U(function_output_length, 4967 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE); 4968 output1_length += function_output_length; 4969 4970 PSA_ASSERT(psa_cipher_abort(&operation1)); 4971 4972 output2_buffer_size = output1_length; 4973 TEST_LE_U(output2_buffer_size, 4974 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, output1_length)); 4975 TEST_LE_U(output2_buffer_size, 4976 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(output1_length)); 4977 TEST_CALLOC(output2, output2_buffer_size); 4978 4979 if (iv_length > 0) { 4980 PSA_ASSERT(psa_cipher_set_iv(&operation2, 4981 iv, iv_length)); 4982 } 4983 4984 PSA_ASSERT(psa_cipher_update(&operation2, output1, first_part_size, 4985 output2, output2_buffer_size, 4986 &function_output_length)); 4987 TEST_LE_U(function_output_length, 4988 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size)); 4989 TEST_LE_U(function_output_length, 4990 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size)); 4991 output2_length += function_output_length; 4992 4993 PSA_ASSERT(psa_cipher_update(&operation2, 4994 output1 + first_part_size, 4995 output1_length - first_part_size, 4996 output2 + output2_length, 4997 output2_buffer_size - output2_length, 4998 &function_output_length)); 4999 TEST_LE_U(function_output_length, 5000 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, 5001 alg, 5002 output1_length - first_part_size)); 5003 TEST_LE_U(function_output_length, 5004 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(output1_length - first_part_size)); 5005 output2_length += function_output_length; 5006 5007 PSA_ASSERT(psa_cipher_finish(&operation2, 5008 output2 + output2_length, 5009 output2_buffer_size - output2_length, 5010 &function_output_length)); 5011 TEST_LE_U(function_output_length, 5012 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg)); 5013 TEST_LE_U(function_output_length, 5014 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE); 5015 output2_length += function_output_length; 5016 5017 PSA_ASSERT(psa_cipher_abort(&operation2)); 5018 5019 TEST_MEMORY_COMPARE(input->x, input->len, output2, output2_length); 5020 5021 exit: 5022 psa_cipher_abort(&operation1); 5023 psa_cipher_abort(&operation2); 5024 mbedtls_free(output1); 5025 mbedtls_free(output2); 5026 psa_destroy_key(key); 5027 PSA_DONE(); 5028 } 5029 /* END_CASE */ 5030 5031 /* BEGIN_CASE */ 5032 void aead_encrypt_decrypt(int key_type_arg, data_t *key_data, 5033 int alg_arg, 5034 data_t *nonce, 5035 data_t *additional_data, 5036 data_t *input_data, 5037 int expected_result_arg) 5038 { 5039 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5040 psa_key_type_t key_type = key_type_arg; 5041 psa_algorithm_t alg = alg_arg; 5042 size_t key_bits; 5043 unsigned char *output_data = NULL; 5044 size_t output_size = 0; 5045 size_t output_length = 0; 5046 unsigned char *output_data2 = NULL; 5047 size_t output_length2 = 0; 5048 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5049 psa_status_t expected_result = expected_result_arg; 5050 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5051 5052 PSA_ASSERT(psa_crypto_init()); 5053 5054 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 5055 psa_set_key_algorithm(&attributes, alg); 5056 psa_set_key_type(&attributes, key_type); 5057 5058 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5059 &key)); 5060 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5061 key_bits = psa_get_key_bits(&attributes); 5062 5063 output_size = input_data->len + PSA_AEAD_TAG_LENGTH(key_type, key_bits, 5064 alg); 5065 /* For all currently defined algorithms, PSA_AEAD_ENCRYPT_OUTPUT_SIZE 5066 * should be exact. */ 5067 if (expected_result != PSA_ERROR_INVALID_ARGUMENT && 5068 expected_result != PSA_ERROR_NOT_SUPPORTED) { 5069 TEST_EQUAL(output_size, 5070 PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_data->len)); 5071 TEST_LE_U(output_size, 5072 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(input_data->len)); 5073 } 5074 TEST_CALLOC(output_data, output_size); 5075 5076 status = psa_aead_encrypt(key, alg, 5077 nonce->x, nonce->len, 5078 additional_data->x, 5079 additional_data->len, 5080 input_data->x, input_data->len, 5081 output_data, output_size, 5082 &output_length); 5083 5084 /* If the operation is not supported, just skip and not fail in case the 5085 * encryption involves a common limitation of cryptography hardwares and 5086 * an alternative implementation. */ 5087 if (status == PSA_ERROR_NOT_SUPPORTED) { 5088 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5089 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len); 5090 } 5091 5092 TEST_EQUAL(status, expected_result); 5093 5094 if (PSA_SUCCESS == expected_result) { 5095 TEST_CALLOC(output_data2, output_length); 5096 5097 /* For all currently defined algorithms, PSA_AEAD_DECRYPT_OUTPUT_SIZE 5098 * should be exact. */ 5099 TEST_EQUAL(input_data->len, 5100 PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, output_length)); 5101 5102 TEST_LE_U(input_data->len, 5103 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(output_length)); 5104 5105 TEST_EQUAL(psa_aead_decrypt(key, alg, 5106 nonce->x, nonce->len, 5107 additional_data->x, 5108 additional_data->len, 5109 output_data, output_length, 5110 output_data2, output_length, 5111 &output_length2), 5112 expected_result); 5113 5114 TEST_MEMORY_COMPARE(input_data->x, input_data->len, 5115 output_data2, output_length2); 5116 } 5117 5118 exit: 5119 psa_destroy_key(key); 5120 mbedtls_free(output_data); 5121 mbedtls_free(output_data2); 5122 PSA_DONE(); 5123 } 5124 /* END_CASE */ 5125 5126 /* BEGIN_CASE */ 5127 void aead_encrypt(int key_type_arg, data_t *key_data, 5128 int alg_arg, 5129 data_t *nonce, 5130 data_t *additional_data, 5131 data_t *input_data, 5132 data_t *expected_result) 5133 { 5134 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5135 psa_key_type_t key_type = key_type_arg; 5136 psa_algorithm_t alg = alg_arg; 5137 size_t key_bits; 5138 unsigned char *output_data = NULL; 5139 size_t output_size = 0; 5140 size_t output_length = 0; 5141 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5142 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5143 5144 PSA_ASSERT(psa_crypto_init()); 5145 5146 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 5147 psa_set_key_algorithm(&attributes, alg); 5148 psa_set_key_type(&attributes, key_type); 5149 5150 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5151 &key)); 5152 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5153 key_bits = psa_get_key_bits(&attributes); 5154 5155 output_size = input_data->len + PSA_AEAD_TAG_LENGTH(key_type, key_bits, 5156 alg); 5157 /* For all currently defined algorithms, PSA_AEAD_ENCRYPT_OUTPUT_SIZE 5158 * should be exact. */ 5159 TEST_EQUAL(output_size, 5160 PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_data->len)); 5161 TEST_LE_U(output_size, 5162 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(input_data->len)); 5163 TEST_CALLOC(output_data, output_size); 5164 5165 status = psa_aead_encrypt(key, alg, 5166 nonce->x, nonce->len, 5167 additional_data->x, additional_data->len, 5168 input_data->x, input_data->len, 5169 output_data, output_size, 5170 &output_length); 5171 5172 /* If the operation is not supported, just skip and not fail in case the 5173 * encryption involves a common limitation of cryptography hardwares and 5174 * an alternative implementation. */ 5175 if (status == PSA_ERROR_NOT_SUPPORTED) { 5176 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5177 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len); 5178 } 5179 5180 PSA_ASSERT(status); 5181 TEST_MEMORY_COMPARE(expected_result->x, expected_result->len, 5182 output_data, output_length); 5183 5184 exit: 5185 psa_destroy_key(key); 5186 mbedtls_free(output_data); 5187 PSA_DONE(); 5188 } 5189 /* END_CASE */ 5190 5191 /* BEGIN_CASE */ 5192 void aead_decrypt(int key_type_arg, data_t *key_data, 5193 int alg_arg, 5194 data_t *nonce, 5195 data_t *additional_data, 5196 data_t *input_data, 5197 data_t *expected_data, 5198 int expected_result_arg) 5199 { 5200 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5201 psa_key_type_t key_type = key_type_arg; 5202 psa_algorithm_t alg = alg_arg; 5203 size_t key_bits; 5204 unsigned char *output_data = NULL; 5205 size_t output_size = 0; 5206 size_t output_length = 0; 5207 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5208 psa_status_t expected_result = expected_result_arg; 5209 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5210 5211 PSA_ASSERT(psa_crypto_init()); 5212 5213 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 5214 psa_set_key_algorithm(&attributes, alg); 5215 psa_set_key_type(&attributes, key_type); 5216 5217 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5218 &key)); 5219 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5220 key_bits = psa_get_key_bits(&attributes); 5221 5222 output_size = input_data->len - PSA_AEAD_TAG_LENGTH(key_type, key_bits, 5223 alg); 5224 if (expected_result != PSA_ERROR_INVALID_ARGUMENT && 5225 expected_result != PSA_ERROR_NOT_SUPPORTED) { 5226 /* For all currently defined algorithms, PSA_AEAD_DECRYPT_OUTPUT_SIZE 5227 * should be exact. */ 5228 TEST_EQUAL(output_size, 5229 PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, input_data->len)); 5230 TEST_LE_U(output_size, 5231 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(input_data->len)); 5232 } 5233 TEST_CALLOC(output_data, output_size); 5234 5235 status = psa_aead_decrypt(key, alg, 5236 nonce->x, nonce->len, 5237 additional_data->x, 5238 additional_data->len, 5239 input_data->x, input_data->len, 5240 output_data, output_size, 5241 &output_length); 5242 5243 /* If the operation is not supported, just skip and not fail in case the 5244 * decryption involves a common limitation of cryptography hardwares and 5245 * an alternative implementation. */ 5246 if (status == PSA_ERROR_NOT_SUPPORTED) { 5247 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5248 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len); 5249 } 5250 5251 TEST_EQUAL(status, expected_result); 5252 5253 if (expected_result == PSA_SUCCESS) { 5254 TEST_MEMORY_COMPARE(expected_data->x, expected_data->len, 5255 output_data, output_length); 5256 } 5257 5258 exit: 5259 psa_destroy_key(key); 5260 mbedtls_free(output_data); 5261 PSA_DONE(); 5262 } 5263 /* END_CASE */ 5264 5265 /* BEGIN_CASE */ 5266 void aead_multipart_encrypt(int key_type_arg, data_t *key_data, 5267 int alg_arg, 5268 data_t *nonce, 5269 data_t *additional_data, 5270 data_t *input_data, 5271 int do_set_lengths, 5272 data_t *expected_output) 5273 { 5274 size_t ad_part_len = 0; 5275 size_t data_part_len = 0; 5276 set_lengths_method_t set_lengths_method = DO_NOT_SET_LENGTHS; 5277 5278 for (ad_part_len = 1; ad_part_len <= additional_data->len; ad_part_len++) { 5279 mbedtls_test_set_step(ad_part_len); 5280 5281 if (do_set_lengths) { 5282 if (ad_part_len & 0x01) { 5283 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 5284 } else { 5285 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 5286 } 5287 } 5288 5289 /* Split ad into length(ad_part_len) parts. */ 5290 if (!aead_multipart_internal_func(key_type_arg, key_data, 5291 alg_arg, nonce, 5292 additional_data, 5293 ad_part_len, 5294 input_data, -1, 5295 set_lengths_method, 5296 expected_output, 5297 1, 0)) { 5298 break; 5299 } 5300 5301 /* length(0) part, length(ad_part_len) part, length(0) part... */ 5302 mbedtls_test_set_step(1000 + ad_part_len); 5303 5304 if (!aead_multipart_internal_func(key_type_arg, key_data, 5305 alg_arg, nonce, 5306 additional_data, 5307 ad_part_len, 5308 input_data, -1, 5309 set_lengths_method, 5310 expected_output, 5311 1, 1)) { 5312 break; 5313 } 5314 } 5315 5316 for (data_part_len = 1; data_part_len <= input_data->len; data_part_len++) { 5317 /* Split data into length(data_part_len) parts. */ 5318 mbedtls_test_set_step(2000 + data_part_len); 5319 5320 if (do_set_lengths) { 5321 if (data_part_len & 0x01) { 5322 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 5323 } else { 5324 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 5325 } 5326 } 5327 5328 if (!aead_multipart_internal_func(key_type_arg, key_data, 5329 alg_arg, nonce, 5330 additional_data, -1, 5331 input_data, data_part_len, 5332 set_lengths_method, 5333 expected_output, 5334 1, 0)) { 5335 break; 5336 } 5337 5338 /* length(0) part, length(data_part_len) part, length(0) part... */ 5339 mbedtls_test_set_step(3000 + data_part_len); 5340 5341 if (!aead_multipart_internal_func(key_type_arg, key_data, 5342 alg_arg, nonce, 5343 additional_data, -1, 5344 input_data, data_part_len, 5345 set_lengths_method, 5346 expected_output, 5347 1, 1)) { 5348 break; 5349 } 5350 } 5351 5352 /* Goto is required to silence warnings about unused labels, as we 5353 * don't actually do any test assertions in this function. */ 5354 goto exit; 5355 } 5356 /* END_CASE */ 5357 5358 /* BEGIN_CASE */ 5359 void aead_multipart_decrypt(int key_type_arg, data_t *key_data, 5360 int alg_arg, 5361 data_t *nonce, 5362 data_t *additional_data, 5363 data_t *input_data, 5364 int do_set_lengths, 5365 data_t *expected_output) 5366 { 5367 size_t ad_part_len = 0; 5368 size_t data_part_len = 0; 5369 set_lengths_method_t set_lengths_method = DO_NOT_SET_LENGTHS; 5370 5371 for (ad_part_len = 1; ad_part_len <= additional_data->len; ad_part_len++) { 5372 /* Split ad into length(ad_part_len) parts. */ 5373 mbedtls_test_set_step(ad_part_len); 5374 5375 if (do_set_lengths) { 5376 if (ad_part_len & 0x01) { 5377 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 5378 } else { 5379 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 5380 } 5381 } 5382 5383 if (!aead_multipart_internal_func(key_type_arg, key_data, 5384 alg_arg, nonce, 5385 additional_data, 5386 ad_part_len, 5387 input_data, -1, 5388 set_lengths_method, 5389 expected_output, 5390 0, 0)) { 5391 break; 5392 } 5393 5394 /* length(0) part, length(ad_part_len) part, length(0) part... */ 5395 mbedtls_test_set_step(1000 + ad_part_len); 5396 5397 if (!aead_multipart_internal_func(key_type_arg, key_data, 5398 alg_arg, nonce, 5399 additional_data, 5400 ad_part_len, 5401 input_data, -1, 5402 set_lengths_method, 5403 expected_output, 5404 0, 1)) { 5405 break; 5406 } 5407 } 5408 5409 for (data_part_len = 1; data_part_len <= input_data->len; data_part_len++) { 5410 /* Split data into length(data_part_len) parts. */ 5411 mbedtls_test_set_step(2000 + data_part_len); 5412 5413 if (do_set_lengths) { 5414 if (data_part_len & 0x01) { 5415 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 5416 } else { 5417 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 5418 } 5419 } 5420 5421 if (!aead_multipart_internal_func(key_type_arg, key_data, 5422 alg_arg, nonce, 5423 additional_data, -1, 5424 input_data, data_part_len, 5425 set_lengths_method, 5426 expected_output, 5427 0, 0)) { 5428 break; 5429 } 5430 5431 /* length(0) part, length(data_part_len) part, length(0) part... */ 5432 mbedtls_test_set_step(3000 + data_part_len); 5433 5434 if (!aead_multipart_internal_func(key_type_arg, key_data, 5435 alg_arg, nonce, 5436 additional_data, -1, 5437 input_data, data_part_len, 5438 set_lengths_method, 5439 expected_output, 5440 0, 1)) { 5441 break; 5442 } 5443 } 5444 5445 /* Goto is required to silence warnings about unused labels, as we 5446 * don't actually do any test assertions in this function. */ 5447 goto exit; 5448 } 5449 /* END_CASE */ 5450 5451 /* BEGIN_CASE */ 5452 void aead_multipart_generate_nonce(int key_type_arg, data_t *key_data, 5453 int alg_arg, 5454 int nonce_length, 5455 int expected_nonce_length_arg, 5456 data_t *additional_data, 5457 data_t *input_data, 5458 int expected_status_arg) 5459 { 5460 5461 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5462 psa_key_type_t key_type = key_type_arg; 5463 psa_algorithm_t alg = alg_arg; 5464 psa_aead_operation_t operation = psa_aead_operation_init_short(); 5465 /* Some tests try to get more than the maximum nonce length, 5466 * so allocate double. */ 5467 uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE * 2]; 5468 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5469 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5470 psa_status_t expected_status = expected_status_arg; 5471 size_t actual_nonce_length = 0; 5472 size_t expected_nonce_length = expected_nonce_length_arg; 5473 unsigned char *output = NULL; 5474 unsigned char *ciphertext = NULL; 5475 size_t output_size = 0; 5476 size_t ciphertext_size = 0; 5477 size_t ciphertext_length = 0; 5478 size_t tag_length = 0; 5479 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 5480 5481 PSA_ASSERT(psa_crypto_init()); 5482 5483 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 5484 psa_set_key_algorithm(&attributes, alg); 5485 psa_set_key_type(&attributes, key_type); 5486 5487 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5488 &key)); 5489 5490 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5491 5492 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len); 5493 5494 TEST_CALLOC(output, output_size); 5495 5496 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg); 5497 5498 TEST_LE_U(ciphertext_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE); 5499 5500 TEST_CALLOC(ciphertext, ciphertext_size); 5501 5502 status = psa_aead_encrypt_setup(&operation, key, alg); 5503 5504 /* If the operation is not supported, just skip and not fail in case the 5505 * encryption involves a common limitation of cryptography hardwares and 5506 * an alternative implementation. */ 5507 if (status == PSA_ERROR_NOT_SUPPORTED) { 5508 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5509 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce_length); 5510 } 5511 5512 PSA_ASSERT(status); 5513 5514 status = psa_aead_generate_nonce(&operation, nonce_buffer, 5515 nonce_length, 5516 &actual_nonce_length); 5517 5518 TEST_EQUAL(status, expected_status); 5519 5520 TEST_EQUAL(actual_nonce_length, expected_nonce_length); 5521 5522 if (expected_status == PSA_SUCCESS) { 5523 TEST_EQUAL(actual_nonce_length, PSA_AEAD_NONCE_LENGTH(key_type, 5524 alg)); 5525 } 5526 5527 TEST_LE_U(actual_nonce_length, PSA_AEAD_NONCE_MAX_SIZE); 5528 5529 if (expected_status == PSA_SUCCESS) { 5530 /* Ensure we can still complete operation. */ 5531 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 5532 input_data->len)); 5533 5534 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 5535 additional_data->len)); 5536 5537 PSA_ASSERT(psa_aead_update(&operation, input_data->x, input_data->len, 5538 output, output_size, 5539 &ciphertext_length)); 5540 5541 PSA_ASSERT(psa_aead_finish(&operation, ciphertext, ciphertext_size, 5542 &ciphertext_length, tag_buffer, 5543 PSA_AEAD_TAG_MAX_SIZE, &tag_length)); 5544 } 5545 5546 exit: 5547 psa_destroy_key(key); 5548 mbedtls_free(output); 5549 mbedtls_free(ciphertext); 5550 psa_aead_abort(&operation); 5551 PSA_DONE(); 5552 } 5553 /* END_CASE */ 5554 5555 /* BEGIN_CASE */ 5556 void aead_multipart_set_nonce(int key_type_arg, data_t *key_data, 5557 int alg_arg, 5558 int nonce_length_arg, 5559 int set_lengths_method_arg, 5560 data_t *additional_data, 5561 data_t *input_data, 5562 int expected_status_arg) 5563 { 5564 5565 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5566 psa_key_type_t key_type = key_type_arg; 5567 psa_algorithm_t alg = alg_arg; 5568 psa_aead_operation_t operation = psa_aead_operation_init_short(); 5569 uint8_t *nonce_buffer = NULL; 5570 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5571 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5572 psa_status_t expected_status = expected_status_arg; 5573 unsigned char *output = NULL; 5574 unsigned char *ciphertext = NULL; 5575 size_t nonce_length; 5576 size_t output_size = 0; 5577 size_t ciphertext_size = 0; 5578 size_t ciphertext_length = 0; 5579 size_t tag_length = 0; 5580 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 5581 size_t index = 0; 5582 set_lengths_method_t set_lengths_method = set_lengths_method_arg; 5583 5584 PSA_ASSERT(psa_crypto_init()); 5585 5586 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 5587 psa_set_key_algorithm(&attributes, alg); 5588 psa_set_key_type(&attributes, key_type); 5589 5590 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5591 &key)); 5592 5593 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5594 5595 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len); 5596 5597 TEST_CALLOC(output, output_size); 5598 5599 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg); 5600 5601 TEST_LE_U(ciphertext_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE); 5602 5603 TEST_CALLOC(ciphertext, ciphertext_size); 5604 5605 status = psa_aead_encrypt_setup(&operation, key, alg); 5606 5607 /* If the operation is not supported, just skip and not fail in case the 5608 * encryption involves a common limitation of cryptography hardwares and 5609 * an alternative implementation. */ 5610 if (status == PSA_ERROR_NOT_SUPPORTED) { 5611 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5612 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce_length_arg); 5613 } 5614 5615 PSA_ASSERT(status); 5616 5617 /* -1 == zero length and valid buffer, 0 = zero length and NULL buffer. */ 5618 if (nonce_length_arg == -1) { 5619 /* Arbitrary size buffer, to test zero length valid buffer. */ 5620 TEST_CALLOC(nonce_buffer, 4); 5621 nonce_length = 0; 5622 } else { 5623 /* If length is zero, then this will return NULL. */ 5624 nonce_length = (size_t) nonce_length_arg; 5625 TEST_CALLOC(nonce_buffer, nonce_length); 5626 5627 if (nonce_buffer) { 5628 for (index = 0; index < nonce_length - 1; ++index) { 5629 nonce_buffer[index] = 'a' + index; 5630 } 5631 } 5632 } 5633 5634 if (set_lengths_method == SET_LENGTHS_BEFORE_NONCE) { 5635 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 5636 input_data->len)); 5637 } 5638 5639 status = psa_aead_set_nonce(&operation, nonce_buffer, nonce_length); 5640 5641 TEST_EQUAL(status, expected_status); 5642 5643 if (expected_status == PSA_SUCCESS) { 5644 if (set_lengths_method == SET_LENGTHS_AFTER_NONCE) { 5645 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 5646 input_data->len)); 5647 } 5648 if (operation.alg == PSA_ALG_CCM && set_lengths_method == DO_NOT_SET_LENGTHS) { 5649 expected_status = PSA_ERROR_BAD_STATE; 5650 } 5651 5652 /* Ensure we can still complete operation, unless it's CCM and we didn't set lengths. */ 5653 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 5654 additional_data->len), 5655 expected_status); 5656 5657 TEST_EQUAL(psa_aead_update(&operation, input_data->x, input_data->len, 5658 output, output_size, 5659 &ciphertext_length), 5660 expected_status); 5661 5662 TEST_EQUAL(psa_aead_finish(&operation, ciphertext, ciphertext_size, 5663 &ciphertext_length, tag_buffer, 5664 PSA_AEAD_TAG_MAX_SIZE, &tag_length), 5665 expected_status); 5666 } 5667 5668 exit: 5669 psa_destroy_key(key); 5670 mbedtls_free(output); 5671 mbedtls_free(ciphertext); 5672 mbedtls_free(nonce_buffer); 5673 psa_aead_abort(&operation); 5674 PSA_DONE(); 5675 } 5676 /* END_CASE */ 5677 5678 /* BEGIN_CASE */ 5679 void aead_multipart_update_buffer_test(int key_type_arg, data_t *key_data, 5680 int alg_arg, 5681 int output_size_arg, 5682 data_t *nonce, 5683 data_t *additional_data, 5684 data_t *input_data, 5685 int expected_status_arg) 5686 { 5687 5688 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5689 psa_key_type_t key_type = key_type_arg; 5690 psa_algorithm_t alg = alg_arg; 5691 psa_aead_operation_t operation = psa_aead_operation_init_short(); 5692 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5693 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5694 psa_status_t expected_status = expected_status_arg; 5695 unsigned char *output = NULL; 5696 unsigned char *ciphertext = NULL; 5697 size_t output_size = output_size_arg; 5698 size_t ciphertext_size = 0; 5699 size_t ciphertext_length = 0; 5700 size_t tag_length = 0; 5701 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 5702 5703 PSA_ASSERT(psa_crypto_init()); 5704 5705 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 5706 psa_set_key_algorithm(&attributes, alg); 5707 psa_set_key_type(&attributes, key_type); 5708 5709 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5710 &key)); 5711 5712 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5713 5714 TEST_CALLOC(output, output_size); 5715 5716 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg); 5717 5718 TEST_CALLOC(ciphertext, ciphertext_size); 5719 5720 status = psa_aead_encrypt_setup(&operation, key, alg); 5721 5722 /* If the operation is not supported, just skip and not fail in case the 5723 * encryption involves a common limitation of cryptography hardwares and 5724 * an alternative implementation. */ 5725 if (status == PSA_ERROR_NOT_SUPPORTED) { 5726 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5727 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len); 5728 } 5729 5730 PSA_ASSERT(status); 5731 5732 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 5733 input_data->len)); 5734 5735 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 5736 5737 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 5738 additional_data->len)); 5739 5740 status = psa_aead_update(&operation, input_data->x, input_data->len, 5741 output, output_size, &ciphertext_length); 5742 5743 TEST_EQUAL(status, expected_status); 5744 5745 if (expected_status == PSA_SUCCESS) { 5746 /* Ensure we can still complete operation. */ 5747 PSA_ASSERT(psa_aead_finish(&operation, ciphertext, ciphertext_size, 5748 &ciphertext_length, tag_buffer, 5749 PSA_AEAD_TAG_MAX_SIZE, &tag_length)); 5750 } 5751 5752 exit: 5753 psa_destroy_key(key); 5754 mbedtls_free(output); 5755 mbedtls_free(ciphertext); 5756 psa_aead_abort(&operation); 5757 PSA_DONE(); 5758 } 5759 /* END_CASE */ 5760 5761 /* BEGIN_CASE */ 5762 void aead_multipart_finish_buffer_test(int key_type_arg, data_t *key_data, 5763 int alg_arg, 5764 int finish_ciphertext_size_arg, 5765 int tag_size_arg, 5766 data_t *nonce, 5767 data_t *additional_data, 5768 data_t *input_data, 5769 int expected_status_arg) 5770 { 5771 5772 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5773 psa_key_type_t key_type = key_type_arg; 5774 psa_algorithm_t alg = alg_arg; 5775 psa_aead_operation_t operation = psa_aead_operation_init_short(); 5776 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5777 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5778 psa_status_t expected_status = expected_status_arg; 5779 unsigned char *ciphertext = NULL; 5780 unsigned char *finish_ciphertext = NULL; 5781 unsigned char *tag_buffer = NULL; 5782 size_t ciphertext_size = 0; 5783 size_t ciphertext_length = 0; 5784 size_t finish_ciphertext_size = (size_t) finish_ciphertext_size_arg; 5785 size_t tag_size = (size_t) tag_size_arg; 5786 size_t tag_length = 0; 5787 5788 PSA_ASSERT(psa_crypto_init()); 5789 5790 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 5791 psa_set_key_algorithm(&attributes, alg); 5792 psa_set_key_type(&attributes, key_type); 5793 5794 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5795 &key)); 5796 5797 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5798 5799 ciphertext_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len); 5800 5801 TEST_CALLOC(ciphertext, ciphertext_size); 5802 5803 TEST_CALLOC(finish_ciphertext, finish_ciphertext_size); 5804 5805 TEST_CALLOC(tag_buffer, tag_size); 5806 5807 status = psa_aead_encrypt_setup(&operation, key, alg); 5808 5809 /* If the operation is not supported, just skip and not fail in case the 5810 * encryption involves a common limitation of cryptography hardwares and 5811 * an alternative implementation. */ 5812 if (status == PSA_ERROR_NOT_SUPPORTED) { 5813 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5814 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len); 5815 } 5816 5817 PSA_ASSERT(status); 5818 5819 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 5820 5821 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 5822 input_data->len)); 5823 5824 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 5825 additional_data->len)); 5826 5827 PSA_ASSERT(psa_aead_update(&operation, input_data->x, input_data->len, 5828 ciphertext, ciphertext_size, &ciphertext_length)); 5829 5830 /* Ensure we can still complete operation. */ 5831 status = psa_aead_finish(&operation, finish_ciphertext, 5832 finish_ciphertext_size, 5833 &ciphertext_length, tag_buffer, 5834 tag_size, &tag_length); 5835 5836 TEST_EQUAL(status, expected_status); 5837 5838 exit: 5839 psa_destroy_key(key); 5840 mbedtls_free(ciphertext); 5841 mbedtls_free(finish_ciphertext); 5842 mbedtls_free(tag_buffer); 5843 psa_aead_abort(&operation); 5844 PSA_DONE(); 5845 } 5846 /* END_CASE */ 5847 5848 /* BEGIN_CASE */ 5849 void aead_multipart_verify(int key_type_arg, data_t *key_data, 5850 int alg_arg, 5851 data_t *nonce, 5852 data_t *additional_data, 5853 data_t *input_data, 5854 data_t *tag, 5855 int tag_usage_arg, 5856 int expected_setup_status_arg, 5857 int expected_status_arg) 5858 { 5859 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5860 psa_key_type_t key_type = key_type_arg; 5861 psa_algorithm_t alg = alg_arg; 5862 psa_aead_operation_t operation = psa_aead_operation_init_short(); 5863 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5864 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5865 psa_status_t expected_status = expected_status_arg; 5866 psa_status_t expected_setup_status = expected_setup_status_arg; 5867 unsigned char *plaintext = NULL; 5868 unsigned char *finish_plaintext = NULL; 5869 size_t plaintext_size = 0; 5870 size_t plaintext_length = 0; 5871 size_t verify_plaintext_size = 0; 5872 tag_usage_method_t tag_usage = tag_usage_arg; 5873 unsigned char *tag_buffer = NULL; 5874 size_t tag_size = 0; 5875 5876 PSA_ASSERT(psa_crypto_init()); 5877 5878 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 5879 psa_set_key_algorithm(&attributes, alg); 5880 psa_set_key_type(&attributes, key_type); 5881 5882 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5883 &key)); 5884 5885 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5886 5887 plaintext_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, 5888 input_data->len); 5889 5890 TEST_CALLOC(plaintext, plaintext_size); 5891 5892 verify_plaintext_size = PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg); 5893 5894 TEST_CALLOC(finish_plaintext, verify_plaintext_size); 5895 5896 status = psa_aead_decrypt_setup(&operation, key, alg); 5897 5898 /* If the operation is not supported, just skip and not fail in case the 5899 * encryption involves a common limitation of cryptography hardwares and 5900 * an alternative implementation. */ 5901 if (status == PSA_ERROR_NOT_SUPPORTED) { 5902 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5903 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len); 5904 } 5905 TEST_EQUAL(status, expected_setup_status); 5906 5907 if (status != PSA_SUCCESS) { 5908 goto exit; 5909 } 5910 5911 PSA_ASSERT(status); 5912 5913 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 5914 5915 status = psa_aead_set_lengths(&operation, additional_data->len, 5916 input_data->len); 5917 PSA_ASSERT(status); 5918 5919 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 5920 additional_data->len)); 5921 5922 PSA_ASSERT(psa_aead_update(&operation, input_data->x, 5923 input_data->len, 5924 plaintext, plaintext_size, 5925 &plaintext_length)); 5926 5927 if (tag_usage == USE_GIVEN_TAG) { 5928 tag_buffer = tag->x; 5929 tag_size = tag->len; 5930 } 5931 5932 status = psa_aead_verify(&operation, finish_plaintext, 5933 verify_plaintext_size, 5934 &plaintext_length, 5935 tag_buffer, tag_size); 5936 5937 TEST_EQUAL(status, expected_status); 5938 5939 exit: 5940 psa_destroy_key(key); 5941 mbedtls_free(plaintext); 5942 mbedtls_free(finish_plaintext); 5943 psa_aead_abort(&operation); 5944 PSA_DONE(); 5945 } 5946 /* END_CASE */ 5947 5948 /* BEGIN_CASE */ 5949 void aead_multipart_setup(int key_type_arg, data_t *key_data, 5950 int alg_arg, int expected_status_arg) 5951 { 5952 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5953 psa_key_type_t key_type = key_type_arg; 5954 psa_algorithm_t alg = alg_arg; 5955 psa_aead_operation_t operation = psa_aead_operation_init_short(); 5956 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5957 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5958 psa_status_t expected_status = expected_status_arg; 5959 5960 PSA_ASSERT(psa_crypto_init()); 5961 5962 psa_set_key_usage_flags(&attributes, 5963 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 5964 psa_set_key_algorithm(&attributes, alg); 5965 psa_set_key_type(&attributes, key_type); 5966 5967 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5968 &key)); 5969 5970 status = psa_aead_encrypt_setup(&operation, key, alg); 5971 5972 TEST_EQUAL(status, expected_status); 5973 5974 psa_aead_abort(&operation); 5975 5976 status = psa_aead_decrypt_setup(&operation, key, alg); 5977 5978 TEST_EQUAL(status, expected_status); 5979 5980 exit: 5981 psa_destroy_key(key); 5982 psa_aead_abort(&operation); 5983 PSA_DONE(); 5984 } 5985 /* END_CASE */ 5986 5987 /* BEGIN_CASE */ 5988 void aead_multipart_state_test(int key_type_arg, data_t *key_data, 5989 int alg_arg, 5990 data_t *nonce, 5991 data_t *additional_data, 5992 data_t *input_data) 5993 { 5994 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5995 psa_key_type_t key_type = key_type_arg; 5996 psa_algorithm_t alg = alg_arg; 5997 psa_aead_operation_t operation = psa_aead_operation_init_short(); 5998 unsigned char *output_data = NULL; 5999 unsigned char *final_data = NULL; 6000 size_t output_size = 0; 6001 size_t finish_output_size = 0; 6002 size_t output_length = 0; 6003 size_t key_bits = 0; 6004 size_t tag_length = 0; 6005 size_t tag_size = 0; 6006 size_t nonce_length = 0; 6007 uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE]; 6008 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 6009 size_t output_part_length = 0; 6010 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6011 6012 PSA_ASSERT(psa_crypto_init()); 6013 6014 psa_set_key_usage_flags(&attributes, 6015 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 6016 psa_set_key_algorithm(&attributes, alg); 6017 psa_set_key_type(&attributes, key_type); 6018 6019 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 6020 &key)); 6021 6022 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 6023 key_bits = psa_get_key_bits(&attributes); 6024 6025 tag_length = PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg); 6026 6027 TEST_LE_U(tag_length, PSA_AEAD_TAG_MAX_SIZE); 6028 6029 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len); 6030 6031 TEST_CALLOC(output_data, output_size); 6032 6033 finish_output_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg); 6034 6035 TEST_LE_U(finish_output_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE); 6036 6037 TEST_CALLOC(final_data, finish_output_size); 6038 6039 /* Test all operations error without calling setup first. */ 6040 6041 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len), 6042 PSA_ERROR_BAD_STATE); 6043 6044 psa_aead_abort(&operation); 6045 6046 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer, 6047 PSA_AEAD_NONCE_MAX_SIZE, 6048 &nonce_length), 6049 PSA_ERROR_BAD_STATE); 6050 6051 psa_aead_abort(&operation); 6052 6053 /* ------------------------------------------------------- */ 6054 6055 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6056 input_data->len), 6057 PSA_ERROR_BAD_STATE); 6058 6059 psa_aead_abort(&operation); 6060 6061 /* ------------------------------------------------------- */ 6062 6063 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 6064 additional_data->len), 6065 PSA_ERROR_BAD_STATE); 6066 6067 psa_aead_abort(&operation); 6068 6069 /* ------------------------------------------------------- */ 6070 6071 TEST_EQUAL(psa_aead_update(&operation, input_data->x, 6072 input_data->len, output_data, 6073 output_size, &output_length), 6074 PSA_ERROR_BAD_STATE); 6075 6076 psa_aead_abort(&operation); 6077 6078 /* ------------------------------------------------------- */ 6079 6080 TEST_EQUAL(psa_aead_finish(&operation, final_data, 6081 finish_output_size, 6082 &output_part_length, 6083 tag_buffer, tag_length, 6084 &tag_size), 6085 PSA_ERROR_BAD_STATE); 6086 6087 psa_aead_abort(&operation); 6088 6089 /* ------------------------------------------------------- */ 6090 6091 TEST_EQUAL(psa_aead_verify(&operation, final_data, 6092 finish_output_size, 6093 &output_part_length, 6094 tag_buffer, 6095 tag_length), 6096 PSA_ERROR_BAD_STATE); 6097 6098 psa_aead_abort(&operation); 6099 6100 /* Test for double setups. */ 6101 6102 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6103 6104 TEST_EQUAL(psa_aead_encrypt_setup(&operation, key, alg), 6105 PSA_ERROR_BAD_STATE); 6106 6107 psa_aead_abort(&operation); 6108 6109 /* ------------------------------------------------------- */ 6110 6111 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg)); 6112 6113 TEST_EQUAL(psa_aead_decrypt_setup(&operation, key, alg), 6114 PSA_ERROR_BAD_STATE); 6115 6116 psa_aead_abort(&operation); 6117 6118 /* ------------------------------------------------------- */ 6119 6120 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6121 6122 TEST_EQUAL(psa_aead_decrypt_setup(&operation, key, alg), 6123 PSA_ERROR_BAD_STATE); 6124 6125 psa_aead_abort(&operation); 6126 6127 /* ------------------------------------------------------- */ 6128 6129 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg)); 6130 6131 TEST_EQUAL(psa_aead_encrypt_setup(&operation, key, alg), 6132 PSA_ERROR_BAD_STATE); 6133 6134 psa_aead_abort(&operation); 6135 6136 /* Test for not setting a nonce. */ 6137 6138 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6139 6140 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 6141 additional_data->len), 6142 PSA_ERROR_BAD_STATE); 6143 6144 psa_aead_abort(&operation); 6145 6146 /* ------------------------------------------------------- */ 6147 6148 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6149 6150 TEST_EQUAL(psa_aead_update(&operation, input_data->x, 6151 input_data->len, output_data, 6152 output_size, &output_length), 6153 PSA_ERROR_BAD_STATE); 6154 6155 psa_aead_abort(&operation); 6156 6157 /* ------------------------------------------------------- */ 6158 6159 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6160 6161 TEST_EQUAL(psa_aead_finish(&operation, final_data, 6162 finish_output_size, 6163 &output_part_length, 6164 tag_buffer, tag_length, 6165 &tag_size), 6166 PSA_ERROR_BAD_STATE); 6167 6168 psa_aead_abort(&operation); 6169 6170 /* ------------------------------------------------------- */ 6171 6172 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg)); 6173 6174 TEST_EQUAL(psa_aead_verify(&operation, final_data, 6175 finish_output_size, 6176 &output_part_length, 6177 tag_buffer, 6178 tag_length), 6179 PSA_ERROR_BAD_STATE); 6180 6181 psa_aead_abort(&operation); 6182 6183 /* Test for double setting nonce. */ 6184 6185 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6186 6187 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6188 6189 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len), 6190 PSA_ERROR_BAD_STATE); 6191 6192 psa_aead_abort(&operation); 6193 6194 /* Test for double generating nonce. */ 6195 6196 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6197 6198 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6199 PSA_AEAD_NONCE_MAX_SIZE, 6200 &nonce_length)); 6201 6202 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer, 6203 PSA_AEAD_NONCE_MAX_SIZE, 6204 &nonce_length), 6205 PSA_ERROR_BAD_STATE); 6206 6207 6208 psa_aead_abort(&operation); 6209 6210 /* Test for generate nonce then set and vice versa */ 6211 6212 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6213 6214 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6215 PSA_AEAD_NONCE_MAX_SIZE, 6216 &nonce_length)); 6217 6218 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len), 6219 PSA_ERROR_BAD_STATE); 6220 6221 psa_aead_abort(&operation); 6222 6223 /* Test for generating nonce after calling set lengths */ 6224 6225 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6226 6227 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6228 input_data->len)); 6229 6230 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6231 PSA_AEAD_NONCE_MAX_SIZE, 6232 &nonce_length)); 6233 6234 psa_aead_abort(&operation); 6235 6236 /* Test for generating nonce after calling set lengths with UINT32_MAX ad_data length */ 6237 6238 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6239 6240 if (operation.alg == PSA_ALG_CCM) { 6241 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX, 6242 input_data->len), 6243 PSA_ERROR_INVALID_ARGUMENT); 6244 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer, 6245 PSA_AEAD_NONCE_MAX_SIZE, 6246 &nonce_length), 6247 PSA_ERROR_BAD_STATE); 6248 } else { 6249 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX, 6250 input_data->len)); 6251 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6252 PSA_AEAD_NONCE_MAX_SIZE, 6253 &nonce_length)); 6254 } 6255 6256 psa_aead_abort(&operation); 6257 6258 /* Test for generating nonce after calling set lengths with SIZE_MAX ad_data length */ 6259 #if SIZE_MAX > UINT32_MAX 6260 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6261 6262 if (operation.alg == PSA_ALG_CCM || operation.alg == PSA_ALG_GCM) { 6263 TEST_EQUAL(psa_aead_set_lengths(&operation, SIZE_MAX, 6264 input_data->len), 6265 PSA_ERROR_INVALID_ARGUMENT); 6266 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer, 6267 PSA_AEAD_NONCE_MAX_SIZE, 6268 &nonce_length), 6269 PSA_ERROR_BAD_STATE); 6270 } else { 6271 PSA_ASSERT(psa_aead_set_lengths(&operation, SIZE_MAX, 6272 input_data->len)); 6273 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6274 PSA_AEAD_NONCE_MAX_SIZE, 6275 &nonce_length)); 6276 } 6277 6278 psa_aead_abort(&operation); 6279 #endif 6280 6281 /* Test for calling set lengths with a UINT32_MAX ad_data length, after generating nonce */ 6282 6283 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6284 6285 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6286 PSA_AEAD_NONCE_MAX_SIZE, 6287 &nonce_length)); 6288 6289 if (operation.alg == PSA_ALG_CCM) { 6290 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX, 6291 input_data->len), 6292 PSA_ERROR_INVALID_ARGUMENT); 6293 } else { 6294 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX, 6295 input_data->len)); 6296 } 6297 6298 psa_aead_abort(&operation); 6299 6300 /* ------------------------------------------------------- */ 6301 /* Test for setting nonce after calling set lengths */ 6302 6303 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6304 6305 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6306 input_data->len)); 6307 6308 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6309 6310 psa_aead_abort(&operation); 6311 6312 /* Test for setting nonce after calling set lengths with UINT32_MAX ad_data length */ 6313 6314 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6315 6316 if (operation.alg == PSA_ALG_CCM) { 6317 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX, 6318 input_data->len), 6319 PSA_ERROR_INVALID_ARGUMENT); 6320 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len), 6321 PSA_ERROR_BAD_STATE); 6322 } else { 6323 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX, 6324 input_data->len)); 6325 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6326 } 6327 6328 psa_aead_abort(&operation); 6329 6330 /* Test for setting nonce after calling set lengths with SIZE_MAX ad_data length */ 6331 #if SIZE_MAX > UINT32_MAX 6332 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6333 6334 if (operation.alg == PSA_ALG_CCM || operation.alg == PSA_ALG_GCM) { 6335 TEST_EQUAL(psa_aead_set_lengths(&operation, SIZE_MAX, 6336 input_data->len), 6337 PSA_ERROR_INVALID_ARGUMENT); 6338 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len), 6339 PSA_ERROR_BAD_STATE); 6340 } else { 6341 PSA_ASSERT(psa_aead_set_lengths(&operation, SIZE_MAX, 6342 input_data->len)); 6343 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6344 } 6345 6346 psa_aead_abort(&operation); 6347 #endif 6348 6349 /* Test for calling set lengths with an ad_data length of UINT32_MAX, after setting nonce */ 6350 6351 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6352 6353 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6354 6355 if (operation.alg == PSA_ALG_CCM) { 6356 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX, 6357 input_data->len), 6358 PSA_ERROR_INVALID_ARGUMENT); 6359 } else { 6360 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX, 6361 input_data->len)); 6362 } 6363 6364 psa_aead_abort(&operation); 6365 6366 /* Test for setting nonce after calling set lengths with plaintext length of SIZE_MAX */ 6367 #if SIZE_MAX > UINT32_MAX 6368 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6369 6370 if (operation.alg == PSA_ALG_GCM) { 6371 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6372 SIZE_MAX), 6373 PSA_ERROR_INVALID_ARGUMENT); 6374 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len), 6375 PSA_ERROR_BAD_STATE); 6376 } else if (operation.alg != PSA_ALG_CCM) { 6377 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6378 SIZE_MAX)); 6379 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6380 } 6381 6382 psa_aead_abort(&operation); 6383 #endif 6384 6385 /* Test for calling set lengths with a plaintext length of SIZE_MAX, after setting nonce */ 6386 #if SIZE_MAX > UINT32_MAX 6387 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6388 6389 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6390 6391 if (operation.alg == PSA_ALG_GCM) { 6392 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6393 SIZE_MAX), 6394 PSA_ERROR_INVALID_ARGUMENT); 6395 } else if (operation.alg != PSA_ALG_CCM) { 6396 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6397 SIZE_MAX)); 6398 } 6399 6400 psa_aead_abort(&operation); 6401 #endif 6402 6403 /* ------------------------------------------------------- */ 6404 6405 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6406 6407 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6408 6409 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer, 6410 PSA_AEAD_NONCE_MAX_SIZE, 6411 &nonce_length), 6412 PSA_ERROR_BAD_STATE); 6413 6414 psa_aead_abort(&operation); 6415 6416 /* Test for generating nonce in decrypt setup. */ 6417 6418 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg)); 6419 6420 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer, 6421 PSA_AEAD_NONCE_MAX_SIZE, 6422 &nonce_length), 6423 PSA_ERROR_BAD_STATE); 6424 6425 psa_aead_abort(&operation); 6426 6427 /* Test for setting lengths twice. */ 6428 6429 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6430 6431 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6432 6433 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6434 input_data->len)); 6435 6436 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6437 input_data->len), 6438 PSA_ERROR_BAD_STATE); 6439 6440 psa_aead_abort(&operation); 6441 6442 /* Test for setting lengths after setting nonce + already starting data. */ 6443 6444 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6445 6446 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6447 6448 if (operation.alg == PSA_ALG_CCM) { 6449 6450 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 6451 additional_data->len), 6452 PSA_ERROR_BAD_STATE); 6453 } else { 6454 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 6455 additional_data->len)); 6456 6457 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6458 input_data->len), 6459 PSA_ERROR_BAD_STATE); 6460 } 6461 psa_aead_abort(&operation); 6462 6463 /* ------------------------------------------------------- */ 6464 6465 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6466 6467 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6468 6469 if (operation.alg == PSA_ALG_CCM) { 6470 TEST_EQUAL(psa_aead_update(&operation, input_data->x, 6471 input_data->len, output_data, 6472 output_size, &output_length), 6473 PSA_ERROR_BAD_STATE); 6474 6475 } else { 6476 PSA_ASSERT(psa_aead_update(&operation, input_data->x, 6477 input_data->len, output_data, 6478 output_size, &output_length)); 6479 6480 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6481 input_data->len), 6482 PSA_ERROR_BAD_STATE); 6483 } 6484 psa_aead_abort(&operation); 6485 6486 /* ------------------------------------------------------- */ 6487 6488 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6489 6490 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6491 6492 if (operation.alg == PSA_ALG_CCM) { 6493 PSA_ASSERT(psa_aead_finish(&operation, final_data, 6494 finish_output_size, 6495 &output_part_length, 6496 tag_buffer, tag_length, 6497 &tag_size)); 6498 } else { 6499 PSA_ASSERT(psa_aead_finish(&operation, final_data, 6500 finish_output_size, 6501 &output_part_length, 6502 tag_buffer, tag_length, 6503 &tag_size)); 6504 6505 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6506 input_data->len), 6507 PSA_ERROR_BAD_STATE); 6508 } 6509 psa_aead_abort(&operation); 6510 6511 /* Test for setting lengths after generating nonce + already starting data. */ 6512 6513 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6514 6515 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6516 PSA_AEAD_NONCE_MAX_SIZE, 6517 &nonce_length)); 6518 if (operation.alg == PSA_ALG_CCM) { 6519 6520 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 6521 additional_data->len), 6522 PSA_ERROR_BAD_STATE); 6523 } else { 6524 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 6525 additional_data->len)); 6526 6527 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6528 input_data->len), 6529 PSA_ERROR_BAD_STATE); 6530 } 6531 psa_aead_abort(&operation); 6532 6533 /* ------------------------------------------------------- */ 6534 6535 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6536 6537 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6538 PSA_AEAD_NONCE_MAX_SIZE, 6539 &nonce_length)); 6540 if (operation.alg == PSA_ALG_CCM) { 6541 TEST_EQUAL(psa_aead_update(&operation, input_data->x, 6542 input_data->len, output_data, 6543 output_size, &output_length), 6544 PSA_ERROR_BAD_STATE); 6545 6546 } else { 6547 PSA_ASSERT(psa_aead_update(&operation, input_data->x, 6548 input_data->len, output_data, 6549 output_size, &output_length)); 6550 6551 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6552 input_data->len), 6553 PSA_ERROR_BAD_STATE); 6554 } 6555 psa_aead_abort(&operation); 6556 6557 /* ------------------------------------------------------- */ 6558 6559 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6560 6561 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6562 PSA_AEAD_NONCE_MAX_SIZE, 6563 &nonce_length)); 6564 if (operation.alg == PSA_ALG_CCM) { 6565 PSA_ASSERT(psa_aead_finish(&operation, final_data, 6566 finish_output_size, 6567 &output_part_length, 6568 tag_buffer, tag_length, 6569 &tag_size)); 6570 } else { 6571 PSA_ASSERT(psa_aead_finish(&operation, final_data, 6572 finish_output_size, 6573 &output_part_length, 6574 tag_buffer, tag_length, 6575 &tag_size)); 6576 6577 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6578 input_data->len), 6579 PSA_ERROR_BAD_STATE); 6580 } 6581 psa_aead_abort(&operation); 6582 6583 /* Test for not sending any additional data or data after setting non zero 6584 * lengths for them. (encrypt) */ 6585 6586 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6587 6588 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6589 6590 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6591 input_data->len)); 6592 6593 TEST_EQUAL(psa_aead_finish(&operation, final_data, 6594 finish_output_size, 6595 &output_part_length, 6596 tag_buffer, tag_length, 6597 &tag_size), 6598 PSA_ERROR_INVALID_ARGUMENT); 6599 6600 psa_aead_abort(&operation); 6601 6602 /* Test for not sending any additional data or data after setting non-zero 6603 * lengths for them. (decrypt) */ 6604 6605 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg)); 6606 6607 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6608 6609 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6610 input_data->len)); 6611 6612 TEST_EQUAL(psa_aead_verify(&operation, final_data, 6613 finish_output_size, 6614 &output_part_length, 6615 tag_buffer, 6616 tag_length), 6617 PSA_ERROR_INVALID_ARGUMENT); 6618 6619 psa_aead_abort(&operation); 6620 6621 /* Test for not sending any additional data after setting a non-zero length 6622 * for it. */ 6623 6624 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6625 6626 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6627 6628 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6629 input_data->len)); 6630 6631 TEST_EQUAL(psa_aead_update(&operation, input_data->x, 6632 input_data->len, output_data, 6633 output_size, &output_length), 6634 PSA_ERROR_INVALID_ARGUMENT); 6635 6636 psa_aead_abort(&operation); 6637 6638 /* Test for not sending any data after setting a non-zero length for it.*/ 6639 6640 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6641 6642 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6643 6644 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6645 input_data->len)); 6646 6647 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 6648 additional_data->len)); 6649 6650 TEST_EQUAL(psa_aead_finish(&operation, final_data, 6651 finish_output_size, 6652 &output_part_length, 6653 tag_buffer, tag_length, 6654 &tag_size), 6655 PSA_ERROR_INVALID_ARGUMENT); 6656 6657 psa_aead_abort(&operation); 6658 6659 /* Test for sending too much additional data after setting lengths. */ 6660 6661 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6662 6663 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6664 6665 PSA_ASSERT(psa_aead_set_lengths(&operation, 0, 0)); 6666 6667 6668 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 6669 additional_data->len), 6670 PSA_ERROR_INVALID_ARGUMENT); 6671 6672 psa_aead_abort(&operation); 6673 6674 /* ------------------------------------------------------- */ 6675 6676 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6677 6678 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6679 6680 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6681 input_data->len)); 6682 6683 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 6684 additional_data->len)); 6685 6686 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 6687 1), 6688 PSA_ERROR_INVALID_ARGUMENT); 6689 6690 psa_aead_abort(&operation); 6691 6692 /* Test for sending too much data after setting lengths. */ 6693 6694 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6695 6696 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6697 6698 PSA_ASSERT(psa_aead_set_lengths(&operation, 0, 0)); 6699 6700 TEST_EQUAL(psa_aead_update(&operation, input_data->x, 6701 input_data->len, output_data, 6702 output_size, &output_length), 6703 PSA_ERROR_INVALID_ARGUMENT); 6704 6705 psa_aead_abort(&operation); 6706 6707 /* ------------------------------------------------------- */ 6708 6709 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6710 6711 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6712 6713 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6714 input_data->len)); 6715 6716 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 6717 additional_data->len)); 6718 6719 PSA_ASSERT(psa_aead_update(&operation, input_data->x, 6720 input_data->len, output_data, 6721 output_size, &output_length)); 6722 6723 TEST_EQUAL(psa_aead_update(&operation, input_data->x, 6724 1, output_data, 6725 output_size, &output_length), 6726 PSA_ERROR_INVALID_ARGUMENT); 6727 6728 psa_aead_abort(&operation); 6729 6730 /* Test sending additional data after data. */ 6731 6732 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6733 6734 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6735 6736 if (operation.alg != PSA_ALG_CCM) { 6737 PSA_ASSERT(psa_aead_update(&operation, input_data->x, 6738 input_data->len, output_data, 6739 output_size, &output_length)); 6740 6741 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 6742 additional_data->len), 6743 PSA_ERROR_BAD_STATE); 6744 } 6745 psa_aead_abort(&operation); 6746 6747 /* Test calling finish on decryption. */ 6748 6749 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg)); 6750 6751 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6752 6753 TEST_EQUAL(psa_aead_finish(&operation, final_data, 6754 finish_output_size, 6755 &output_part_length, 6756 tag_buffer, tag_length, 6757 &tag_size), 6758 PSA_ERROR_BAD_STATE); 6759 6760 psa_aead_abort(&operation); 6761 6762 /* Test calling verify on encryption. */ 6763 6764 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6765 6766 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6767 6768 TEST_EQUAL(psa_aead_verify(&operation, final_data, 6769 finish_output_size, 6770 &output_part_length, 6771 tag_buffer, 6772 tag_length), 6773 PSA_ERROR_BAD_STATE); 6774 6775 psa_aead_abort(&operation); 6776 6777 6778 exit: 6779 psa_destroy_key(key); 6780 psa_aead_abort(&operation); 6781 mbedtls_free(output_data); 6782 mbedtls_free(final_data); 6783 PSA_DONE(); 6784 } 6785 /* END_CASE */ 6786 6787 /* BEGIN_CASE */ 6788 void signature_size(int type_arg, 6789 int bits, 6790 int alg_arg, 6791 int expected_size_arg) 6792 { 6793 psa_key_type_t type = type_arg; 6794 psa_algorithm_t alg = alg_arg; 6795 size_t actual_size = PSA_SIGN_OUTPUT_SIZE(type, bits, alg); 6796 6797 TEST_EQUAL(actual_size, (size_t) expected_size_arg); 6798 6799 exit: 6800 ; 6801 } 6802 /* END_CASE */ 6803 6804 /* BEGIN_CASE */ 6805 void sign_hash_deterministic(int key_type_arg, data_t *key_data, 6806 int alg_arg, data_t *input_data, 6807 data_t *output_data) 6808 { 6809 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6810 psa_key_type_t key_type = key_type_arg; 6811 psa_algorithm_t alg = alg_arg; 6812 size_t key_bits; 6813 unsigned char *signature = NULL; 6814 size_t signature_size; 6815 size_t signature_length = 0xdeadbeef; 6816 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6817 6818 PSA_ASSERT(psa_crypto_init()); 6819 6820 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 6821 psa_set_key_algorithm(&attributes, alg); 6822 psa_set_key_type(&attributes, key_type); 6823 6824 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 6825 &key)); 6826 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 6827 key_bits = psa_get_key_bits(&attributes); 6828 6829 /* Allocate a buffer which has the size advertised by the 6830 * library. */ 6831 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, 6832 key_bits, alg); 6833 TEST_ASSERT(signature_size != 0); 6834 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 6835 TEST_CALLOC(signature, signature_size); 6836 6837 /* Perform the signature. */ 6838 PSA_ASSERT(psa_sign_hash(key, alg, 6839 input_data->x, input_data->len, 6840 signature, signature_size, 6841 &signature_length)); 6842 /* Verify that the signature is what is expected. */ 6843 TEST_MEMORY_COMPARE(output_data->x, output_data->len, 6844 signature, signature_length); 6845 6846 exit: 6847 /* 6848 * Key attributes may have been returned by psa_get_key_attributes() 6849 * thus reset them as required. 6850 */ 6851 psa_reset_key_attributes(&attributes); 6852 6853 psa_destroy_key(key); 6854 mbedtls_free(signature); 6855 PSA_DONE(); 6856 } 6857 /* END_CASE */ 6858 6859 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 6860 /** 6861 * sign_hash_interruptible() test intentions: 6862 * 6863 * Note: This test can currently only handle ECDSA. 6864 * 6865 * 1. Test interruptible sign hash with known outcomes (deterministic ECDSA 6866 * and private keys / keypairs only). 6867 * 6868 * 2. Test the number of calls to psa_sign_hash_complete() required are as 6869 * expected for different max_ops values. 6870 * 6871 * 3. Test that the number of ops done prior to start and after abort is zero 6872 * and that each successful stage completes some ops (this is not mandated by 6873 * the PSA specification, but is currently the case). 6874 * 6875 * 4. Test that calling psa_sign_hash_get_num_ops() multiple times between 6876 * complete() calls does not alter the number of ops returned. 6877 */ 6878 void sign_hash_interruptible(int key_type_arg, data_t *key_data, 6879 int alg_arg, data_t *input_data, 6880 data_t *output_data, int max_ops_arg) 6881 { 6882 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6883 psa_key_type_t key_type = key_type_arg; 6884 psa_algorithm_t alg = alg_arg; 6885 size_t key_bits; 6886 unsigned char *signature = NULL; 6887 size_t signature_size; 6888 size_t signature_length = 0xdeadbeef; 6889 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6890 psa_status_t status = PSA_OPERATION_INCOMPLETE; 6891 uint32_t num_ops = 0; 6892 uint32_t max_ops = max_ops_arg; 6893 size_t num_ops_prior = 0; 6894 size_t num_completes = 0; 6895 size_t min_completes = 0; 6896 size_t max_completes = 0; 6897 6898 psa_sign_hash_interruptible_operation_t operation = 6899 psa_sign_hash_interruptible_operation_init_short(); 6900 6901 PSA_ASSERT(psa_crypto_init()); 6902 6903 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 6904 psa_set_key_algorithm(&attributes, alg); 6905 psa_set_key_type(&attributes, key_type); 6906 6907 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 6908 &key)); 6909 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 6910 key_bits = psa_get_key_bits(&attributes); 6911 6912 /* Allocate a buffer which has the size advertised by the 6913 * library. */ 6914 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, 6915 key_bits, alg); 6916 TEST_ASSERT(signature_size != 0); 6917 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 6918 TEST_CALLOC(signature, signature_size); 6919 6920 psa_interruptible_set_max_ops(max_ops); 6921 6922 interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS, 6923 &min_completes, &max_completes); 6924 6925 num_ops_prior = psa_sign_hash_get_num_ops(&operation); 6926 TEST_ASSERT(num_ops_prior == 0); 6927 6928 /* Start performing the signature. */ 6929 PSA_ASSERT(psa_sign_hash_start(&operation, key, alg, 6930 input_data->x, input_data->len)); 6931 6932 num_ops_prior = psa_sign_hash_get_num_ops(&operation); 6933 TEST_ASSERT(num_ops_prior == 0); 6934 6935 /* Continue performing the signature until complete. */ 6936 do { 6937 status = psa_sign_hash_complete(&operation, signature, signature_size, 6938 &signature_length); 6939 6940 num_completes++; 6941 6942 if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) { 6943 num_ops = psa_sign_hash_get_num_ops(&operation); 6944 /* We are asserting here that every complete makes progress 6945 * (completes some ops), which is true of the internal 6946 * implementation and probably any implementation, however this is 6947 * not mandated by the PSA specification. */ 6948 TEST_ASSERT(num_ops > num_ops_prior); 6949 6950 num_ops_prior = num_ops; 6951 6952 /* Ensure calling get_num_ops() twice still returns the same 6953 * number of ops as previously reported. */ 6954 num_ops = psa_sign_hash_get_num_ops(&operation); 6955 6956 TEST_EQUAL(num_ops, num_ops_prior); 6957 } 6958 } while (status == PSA_OPERATION_INCOMPLETE); 6959 6960 TEST_ASSERT(status == PSA_SUCCESS); 6961 6962 TEST_LE_U(min_completes, num_completes); 6963 TEST_LE_U(num_completes, max_completes); 6964 6965 /* Verify that the signature is what is expected. */ 6966 TEST_MEMORY_COMPARE(output_data->x, output_data->len, 6967 signature, signature_length); 6968 6969 PSA_ASSERT(psa_sign_hash_abort(&operation)); 6970 6971 num_ops = psa_sign_hash_get_num_ops(&operation); 6972 TEST_ASSERT(num_ops == 0); 6973 6974 exit: 6975 6976 /* 6977 * Key attributes may have been returned by psa_get_key_attributes() 6978 * thus reset them as required. 6979 */ 6980 psa_reset_key_attributes(&attributes); 6981 6982 psa_destroy_key(key); 6983 mbedtls_free(signature); 6984 PSA_DONE(); 6985 } 6986 /* END_CASE */ 6987 6988 /* BEGIN_CASE */ 6989 void sign_hash_fail(int key_type_arg, data_t *key_data, 6990 int alg_arg, data_t *input_data, 6991 int signature_size_arg, int expected_status_arg) 6992 { 6993 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6994 psa_key_type_t key_type = key_type_arg; 6995 psa_algorithm_t alg = alg_arg; 6996 size_t signature_size = signature_size_arg; 6997 psa_status_t actual_status; 6998 psa_status_t expected_status = expected_status_arg; 6999 unsigned char *signature = NULL; 7000 size_t signature_length = 0xdeadbeef; 7001 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7002 7003 TEST_CALLOC(signature, signature_size); 7004 7005 PSA_ASSERT(psa_crypto_init()); 7006 7007 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 7008 psa_set_key_algorithm(&attributes, alg); 7009 psa_set_key_type(&attributes, key_type); 7010 7011 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7012 &key)); 7013 7014 actual_status = psa_sign_hash(key, alg, 7015 input_data->x, input_data->len, 7016 signature, signature_size, 7017 &signature_length); 7018 TEST_EQUAL(actual_status, expected_status); 7019 /* The value of *signature_length is unspecified on error, but 7020 * whatever it is, it should be less than signature_size, so that 7021 * if the caller tries to read *signature_length bytes without 7022 * checking the error code then they don't overflow a buffer. */ 7023 TEST_LE_U(signature_length, signature_size); 7024 7025 exit: 7026 psa_reset_key_attributes(&attributes); 7027 psa_destroy_key(key); 7028 mbedtls_free(signature); 7029 PSA_DONE(); 7030 } 7031 /* END_CASE */ 7032 7033 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 7034 /** 7035 * sign_hash_fail_interruptible() test intentions: 7036 * 7037 * Note: This test can currently only handle ECDSA. 7038 * 7039 * 1. Test that various failure cases for interruptible sign hash fail with the 7040 * correct error codes, and at the correct point (at start or during 7041 * complete). 7042 * 7043 * 2. Test the number of calls to psa_sign_hash_complete() required are as 7044 * expected for different max_ops values. 7045 * 7046 * 3. Test that the number of ops done prior to start and after abort is zero 7047 * and that each successful stage completes some ops (this is not mandated by 7048 * the PSA specification, but is currently the case). 7049 * 7050 * 4. Check that calling complete() when start() fails and complete() 7051 * after completion results in a BAD_STATE error. 7052 * 7053 * 5. Check that calling start() again after start fails results in a BAD_STATE 7054 * error. 7055 */ 7056 void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, 7057 int alg_arg, data_t *input_data, 7058 int signature_size_arg, 7059 int expected_start_status_arg, 7060 int expected_complete_status_arg, 7061 int max_ops_arg) 7062 { 7063 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7064 psa_key_type_t key_type = key_type_arg; 7065 psa_algorithm_t alg = alg_arg; 7066 size_t signature_size = signature_size_arg; 7067 psa_status_t actual_status; 7068 psa_status_t expected_start_status = expected_start_status_arg; 7069 psa_status_t expected_complete_status = expected_complete_status_arg; 7070 unsigned char *signature = NULL; 7071 size_t signature_length = 0xdeadbeef; 7072 uint32_t num_ops = 0; 7073 uint32_t max_ops = max_ops_arg; 7074 size_t num_ops_prior = 0; 7075 size_t num_completes = 0; 7076 size_t min_completes = 0; 7077 size_t max_completes = 0; 7078 7079 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7080 psa_sign_hash_interruptible_operation_t operation = 7081 psa_sign_hash_interruptible_operation_init_short(); 7082 7083 TEST_CALLOC(signature, signature_size); 7084 7085 PSA_ASSERT(psa_crypto_init()); 7086 7087 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 7088 psa_set_key_algorithm(&attributes, alg); 7089 psa_set_key_type(&attributes, key_type); 7090 7091 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7092 &key)); 7093 7094 psa_interruptible_set_max_ops(max_ops); 7095 7096 interruptible_signverify_get_minmax_completes(max_ops, 7097 expected_complete_status, 7098 &min_completes, 7099 &max_completes); 7100 7101 num_ops_prior = psa_sign_hash_get_num_ops(&operation); 7102 TEST_ASSERT(num_ops_prior == 0); 7103 7104 /* Start performing the signature. */ 7105 actual_status = psa_sign_hash_start(&operation, key, alg, 7106 input_data->x, input_data->len); 7107 7108 TEST_EQUAL(actual_status, expected_start_status); 7109 7110 if (expected_start_status != PSA_SUCCESS) { 7111 /* Emulate poor application code, and call complete anyway, even though 7112 * start failed. */ 7113 actual_status = psa_sign_hash_complete(&operation, signature, 7114 signature_size, 7115 &signature_length); 7116 7117 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); 7118 7119 /* Test that calling start again after failure also causes BAD_STATE. */ 7120 actual_status = psa_sign_hash_start(&operation, key, alg, 7121 input_data->x, input_data->len); 7122 7123 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); 7124 } 7125 7126 num_ops_prior = psa_sign_hash_get_num_ops(&operation); 7127 TEST_ASSERT(num_ops_prior == 0); 7128 7129 /* Continue performing the signature until complete. */ 7130 do { 7131 actual_status = psa_sign_hash_complete(&operation, signature, 7132 signature_size, 7133 &signature_length); 7134 7135 num_completes++; 7136 7137 if (actual_status == PSA_SUCCESS || 7138 actual_status == PSA_OPERATION_INCOMPLETE) { 7139 num_ops = psa_sign_hash_get_num_ops(&operation); 7140 /* We are asserting here that every complete makes progress 7141 * (completes some ops), which is true of the internal 7142 * implementation and probably any implementation, however this is 7143 * not mandated by the PSA specification. */ 7144 TEST_ASSERT(num_ops > num_ops_prior); 7145 7146 num_ops_prior = num_ops; 7147 } 7148 } while (actual_status == PSA_OPERATION_INCOMPLETE); 7149 7150 TEST_EQUAL(actual_status, expected_complete_status); 7151 7152 /* Check that another complete returns BAD_STATE. */ 7153 actual_status = psa_sign_hash_complete(&operation, signature, 7154 signature_size, 7155 &signature_length); 7156 7157 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); 7158 7159 PSA_ASSERT(psa_sign_hash_abort(&operation)); 7160 7161 num_ops = psa_sign_hash_get_num_ops(&operation); 7162 TEST_ASSERT(num_ops == 0); 7163 7164 /* The value of *signature_length is unspecified on error, but 7165 * whatever it is, it should be less than signature_size, so that 7166 * if the caller tries to read *signature_length bytes without 7167 * checking the error code then they don't overflow a buffer. */ 7168 TEST_LE_U(signature_length, signature_size); 7169 7170 TEST_LE_U(min_completes, num_completes); 7171 TEST_LE_U(num_completes, max_completes); 7172 7173 exit: 7174 psa_reset_key_attributes(&attributes); 7175 psa_destroy_key(key); 7176 mbedtls_free(signature); 7177 PSA_DONE(); 7178 } 7179 /* END_CASE */ 7180 7181 /* BEGIN_CASE */ 7182 void sign_verify_hash(int key_type_arg, data_t *key_data, 7183 int alg_arg, data_t *input_data) 7184 { 7185 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7186 psa_key_type_t key_type = key_type_arg; 7187 psa_algorithm_t alg = alg_arg; 7188 size_t key_bits; 7189 unsigned char *signature = NULL; 7190 size_t signature_size; 7191 size_t signature_length = 0xdeadbeef; 7192 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7193 7194 PSA_ASSERT(psa_crypto_init()); 7195 7196 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH); 7197 psa_set_key_algorithm(&attributes, alg); 7198 psa_set_key_type(&attributes, key_type); 7199 7200 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7201 &key)); 7202 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 7203 key_bits = psa_get_key_bits(&attributes); 7204 7205 /* Allocate a buffer which has the size advertised by the 7206 * library. */ 7207 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, 7208 key_bits, alg); 7209 TEST_ASSERT(signature_size != 0); 7210 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 7211 TEST_CALLOC(signature, signature_size); 7212 7213 /* Perform the signature. */ 7214 PSA_ASSERT(psa_sign_hash(key, alg, 7215 input_data->x, input_data->len, 7216 signature, signature_size, 7217 &signature_length)); 7218 /* Check that the signature length looks sensible. */ 7219 TEST_LE_U(signature_length, signature_size); 7220 TEST_ASSERT(signature_length > 0); 7221 7222 /* Use the library to verify that the signature is correct. */ 7223 PSA_ASSERT(psa_verify_hash(key, alg, 7224 input_data->x, input_data->len, 7225 signature, signature_length)); 7226 7227 if (input_data->len != 0) { 7228 /* Flip a bit in the input and verify that the signature is now 7229 * detected as invalid. Flip a bit at the beginning, not at the end, 7230 * because ECDSA may ignore the last few bits of the input. */ 7231 input_data->x[0] ^= 1; 7232 TEST_EQUAL(psa_verify_hash(key, alg, 7233 input_data->x, input_data->len, 7234 signature, signature_length), 7235 PSA_ERROR_INVALID_SIGNATURE); 7236 } 7237 7238 exit: 7239 /* 7240 * Key attributes may have been returned by psa_get_key_attributes() 7241 * thus reset them as required. 7242 */ 7243 psa_reset_key_attributes(&attributes); 7244 7245 psa_destroy_key(key); 7246 mbedtls_free(signature); 7247 PSA_DONE(); 7248 } 7249 /* END_CASE */ 7250 7251 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 7252 /** 7253 * sign_verify_hash_interruptible() test intentions: 7254 * 7255 * Note: This test can currently only handle ECDSA. 7256 * 7257 * 1. Test that we can sign an input hash with the given keypair and then 7258 * afterwards verify that signature. This is currently the only way to test 7259 * non deterministic ECDSA, but this test can also handle deterministic. 7260 * 7261 * 2. Test that after corrupting the hash, the verification detects an invalid 7262 * signature. 7263 * 7264 * 3. Test the number of calls to psa_sign_hash_complete() required are as 7265 * expected for different max_ops values. 7266 * 7267 * 4. Test that the number of ops done prior to starting signing and after abort 7268 * is zero and that each successful signing stage completes some ops (this is 7269 * not mandated by the PSA specification, but is currently the case). 7270 */ 7271 void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, 7272 int alg_arg, data_t *input_data, 7273 int max_ops_arg) 7274 { 7275 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7276 psa_key_type_t key_type = key_type_arg; 7277 psa_algorithm_t alg = alg_arg; 7278 size_t key_bits; 7279 unsigned char *signature = NULL; 7280 size_t signature_size; 7281 size_t signature_length = 0xdeadbeef; 7282 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7283 psa_status_t status = PSA_OPERATION_INCOMPLETE; 7284 uint32_t max_ops = max_ops_arg; 7285 uint32_t num_ops = 0; 7286 uint32_t num_ops_prior = 0; 7287 size_t num_completes = 0; 7288 size_t min_completes = 0; 7289 size_t max_completes = 0; 7290 7291 psa_sign_hash_interruptible_operation_t sign_operation = 7292 psa_sign_hash_interruptible_operation_init_short(); 7293 psa_verify_hash_interruptible_operation_t verify_operation = 7294 psa_verify_hash_interruptible_operation_init_short(); 7295 7296 PSA_ASSERT(psa_crypto_init()); 7297 7298 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | 7299 PSA_KEY_USAGE_VERIFY_HASH); 7300 psa_set_key_algorithm(&attributes, alg); 7301 psa_set_key_type(&attributes, key_type); 7302 7303 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7304 &key)); 7305 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 7306 key_bits = psa_get_key_bits(&attributes); 7307 7308 /* Allocate a buffer which has the size advertised by the 7309 * library. */ 7310 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, 7311 key_bits, alg); 7312 TEST_ASSERT(signature_size != 0); 7313 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 7314 TEST_CALLOC(signature, signature_size); 7315 7316 psa_interruptible_set_max_ops(max_ops); 7317 7318 interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS, 7319 &min_completes, &max_completes); 7320 7321 num_ops_prior = psa_sign_hash_get_num_ops(&sign_operation); 7322 TEST_ASSERT(num_ops_prior == 0); 7323 7324 /* Start performing the signature. */ 7325 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 7326 input_data->x, input_data->len)); 7327 7328 num_ops_prior = psa_sign_hash_get_num_ops(&sign_operation); 7329 TEST_ASSERT(num_ops_prior == 0); 7330 7331 /* Continue performing the signature until complete. */ 7332 do { 7333 7334 status = psa_sign_hash_complete(&sign_operation, signature, 7335 signature_size, 7336 &signature_length); 7337 7338 num_completes++; 7339 7340 if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) { 7341 num_ops = psa_sign_hash_get_num_ops(&sign_operation); 7342 /* We are asserting here that every complete makes progress 7343 * (completes some ops), which is true of the internal 7344 * implementation and probably any implementation, however this is 7345 * not mandated by the PSA specification. */ 7346 TEST_ASSERT(num_ops > num_ops_prior); 7347 7348 num_ops_prior = num_ops; 7349 } 7350 } while (status == PSA_OPERATION_INCOMPLETE); 7351 7352 TEST_ASSERT(status == PSA_SUCCESS); 7353 7354 TEST_LE_U(min_completes, num_completes); 7355 TEST_LE_U(num_completes, max_completes); 7356 7357 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 7358 7359 num_ops = psa_sign_hash_get_num_ops(&sign_operation); 7360 TEST_ASSERT(num_ops == 0); 7361 7362 /* Check that the signature length looks sensible. */ 7363 TEST_LE_U(signature_length, signature_size); 7364 TEST_ASSERT(signature_length > 0); 7365 7366 num_completes = 0; 7367 7368 /* Start verification. */ 7369 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 7370 input_data->x, input_data->len, 7371 signature, signature_length)); 7372 7373 /* Continue performing the signature until complete. */ 7374 do { 7375 status = psa_verify_hash_complete(&verify_operation); 7376 7377 num_completes++; 7378 } while (status == PSA_OPERATION_INCOMPLETE); 7379 7380 TEST_ASSERT(status == PSA_SUCCESS); 7381 7382 TEST_LE_U(min_completes, num_completes); 7383 TEST_LE_U(num_completes, max_completes); 7384 7385 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7386 7387 verify_operation = psa_verify_hash_interruptible_operation_init_short(); 7388 7389 if (input_data->len != 0) { 7390 /* Flip a bit in the input and verify that the signature is now 7391 * detected as invalid. Flip a bit at the beginning, not at the end, 7392 * because ECDSA may ignore the last few bits of the input. */ 7393 input_data->x[0] ^= 1; 7394 7395 /* Start verification. */ 7396 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 7397 input_data->x, input_data->len, 7398 signature, signature_length)); 7399 7400 /* Continue performing the signature until complete. */ 7401 do { 7402 status = psa_verify_hash_complete(&verify_operation); 7403 } while (status == PSA_OPERATION_INCOMPLETE); 7404 7405 TEST_ASSERT(status == PSA_ERROR_INVALID_SIGNATURE); 7406 } 7407 7408 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7409 7410 exit: 7411 /* 7412 * Key attributes may have been returned by psa_get_key_attributes() 7413 * thus reset them as required. 7414 */ 7415 psa_reset_key_attributes(&attributes); 7416 7417 psa_destroy_key(key); 7418 mbedtls_free(signature); 7419 PSA_DONE(); 7420 } 7421 /* END_CASE */ 7422 7423 /* BEGIN_CASE */ 7424 void verify_hash(int key_type_arg, data_t *key_data, 7425 int alg_arg, data_t *hash_data, 7426 data_t *signature_data) 7427 { 7428 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7429 psa_key_type_t key_type = key_type_arg; 7430 psa_algorithm_t alg = alg_arg; 7431 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7432 7433 TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE); 7434 7435 PSA_ASSERT(psa_crypto_init()); 7436 7437 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 7438 psa_set_key_algorithm(&attributes, alg); 7439 psa_set_key_type(&attributes, key_type); 7440 7441 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7442 &key)); 7443 7444 PSA_ASSERT(psa_verify_hash(key, alg, 7445 hash_data->x, hash_data->len, 7446 signature_data->x, signature_data->len)); 7447 7448 exit: 7449 psa_reset_key_attributes(&attributes); 7450 psa_destroy_key(key); 7451 PSA_DONE(); 7452 } 7453 /* END_CASE */ 7454 7455 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 7456 /** 7457 * verify_hash_interruptible() test intentions: 7458 * 7459 * Note: This test can currently only handle ECDSA. 7460 * 7461 * 1. Test interruptible verify hash with known outcomes (deterministic ECDSA 7462 * only). Given this test only does verification it can accept public keys as 7463 * well as private keys / keypairs. 7464 * 7465 * 2. Test the number of calls to psa_verify_hash_complete() required are as 7466 * expected for different max_ops values. 7467 * 7468 * 3. Test that the number of ops done prior to start and after abort is zero 7469 * and that each successful stage completes some ops (this is not mandated by 7470 * the PSA specification, but is currently the case). 7471 * 7472 * 4. Test that calling psa_sign_hash_get_num_ops() multiple times between 7473 * complete() calls does not alter the number of ops returned. 7474 * 7475 * 5. Test that after corrupting the hash, the verification detects an invalid 7476 * signature. 7477 */ 7478 void verify_hash_interruptible(int key_type_arg, data_t *key_data, 7479 int alg_arg, data_t *hash_data, 7480 data_t *signature_data, int max_ops_arg) 7481 { 7482 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7483 psa_key_type_t key_type = key_type_arg; 7484 psa_algorithm_t alg = alg_arg; 7485 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7486 psa_status_t status = PSA_OPERATION_INCOMPLETE; 7487 uint32_t num_ops = 0; 7488 uint32_t max_ops = max_ops_arg; 7489 size_t num_ops_prior = 0; 7490 size_t num_completes = 0; 7491 size_t min_completes = 0; 7492 size_t max_completes = 0; 7493 7494 psa_verify_hash_interruptible_operation_t operation = 7495 psa_verify_hash_interruptible_operation_init_short(); 7496 7497 TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE); 7498 7499 PSA_ASSERT(psa_crypto_init()); 7500 7501 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 7502 psa_set_key_algorithm(&attributes, alg); 7503 psa_set_key_type(&attributes, key_type); 7504 7505 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7506 &key)); 7507 7508 psa_interruptible_set_max_ops(max_ops); 7509 7510 interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS, 7511 &min_completes, &max_completes); 7512 7513 num_ops_prior = psa_verify_hash_get_num_ops(&operation); 7514 7515 TEST_ASSERT(num_ops_prior == 0); 7516 7517 /* Start verification. */ 7518 PSA_ASSERT(psa_verify_hash_start(&operation, key, alg, 7519 hash_data->x, hash_data->len, 7520 signature_data->x, signature_data->len) 7521 ); 7522 7523 num_ops_prior = psa_verify_hash_get_num_ops(&operation); 7524 7525 TEST_ASSERT(num_ops_prior == 0); 7526 7527 /* Continue performing the signature until complete. */ 7528 do { 7529 status = psa_verify_hash_complete(&operation); 7530 7531 num_completes++; 7532 7533 if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) { 7534 num_ops = psa_verify_hash_get_num_ops(&operation); 7535 /* We are asserting here that every complete makes progress 7536 * (completes some ops), which is true of the internal 7537 * implementation and probably any implementation, however this is 7538 * not mandated by the PSA specification. */ 7539 TEST_ASSERT(num_ops > num_ops_prior); 7540 7541 num_ops_prior = num_ops; 7542 7543 /* Ensure calling get_num_ops() twice still returns the same 7544 * number of ops as previously reported. */ 7545 num_ops = psa_verify_hash_get_num_ops(&operation); 7546 7547 TEST_EQUAL(num_ops, num_ops_prior); 7548 } 7549 } while (status == PSA_OPERATION_INCOMPLETE); 7550 7551 TEST_ASSERT(status == PSA_SUCCESS); 7552 7553 TEST_LE_U(min_completes, num_completes); 7554 TEST_LE_U(num_completes, max_completes); 7555 7556 PSA_ASSERT(psa_verify_hash_abort(&operation)); 7557 7558 num_ops = psa_verify_hash_get_num_ops(&operation); 7559 TEST_ASSERT(num_ops == 0); 7560 7561 if (hash_data->len != 0) { 7562 /* Flip a bit in the hash and verify that the signature is now detected 7563 * as invalid. Flip a bit at the beginning, not at the end, because 7564 * ECDSA may ignore the last few bits of the input. */ 7565 hash_data->x[0] ^= 1; 7566 7567 /* Start verification. */ 7568 PSA_ASSERT(psa_verify_hash_start(&operation, key, alg, 7569 hash_data->x, hash_data->len, 7570 signature_data->x, signature_data->len)); 7571 7572 /* Continue performing the signature until complete. */ 7573 do { 7574 status = psa_verify_hash_complete(&operation); 7575 } while (status == PSA_OPERATION_INCOMPLETE); 7576 7577 TEST_ASSERT(status == PSA_ERROR_INVALID_SIGNATURE); 7578 } 7579 7580 exit: 7581 psa_reset_key_attributes(&attributes); 7582 psa_destroy_key(key); 7583 PSA_DONE(); 7584 } 7585 /* END_CASE */ 7586 7587 /* BEGIN_CASE */ 7588 void verify_hash_fail(int key_type_arg, data_t *key_data, 7589 int alg_arg, data_t *hash_data, 7590 data_t *signature_data, 7591 int expected_status_arg) 7592 { 7593 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7594 psa_key_type_t key_type = key_type_arg; 7595 psa_algorithm_t alg = alg_arg; 7596 psa_status_t actual_status; 7597 psa_status_t expected_status = expected_status_arg; 7598 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7599 7600 PSA_ASSERT(psa_crypto_init()); 7601 7602 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 7603 psa_set_key_algorithm(&attributes, alg); 7604 psa_set_key_type(&attributes, key_type); 7605 7606 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7607 &key)); 7608 7609 actual_status = psa_verify_hash(key, alg, 7610 hash_data->x, hash_data->len, 7611 signature_data->x, signature_data->len); 7612 TEST_EQUAL(actual_status, expected_status); 7613 7614 exit: 7615 psa_reset_key_attributes(&attributes); 7616 psa_destroy_key(key); 7617 PSA_DONE(); 7618 } 7619 /* END_CASE */ 7620 7621 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 7622 /** 7623 * verify_hash_fail_interruptible() test intentions: 7624 * 7625 * Note: This test can currently only handle ECDSA. 7626 * 7627 * 1. Test that various failure cases for interruptible verify hash fail with 7628 * the correct error codes, and at the correct point (at start or during 7629 * complete). 7630 * 7631 * 2. Test the number of calls to psa_verify_hash_complete() required are as 7632 * expected for different max_ops values. 7633 * 7634 * 3. Test that the number of ops done prior to start and after abort is zero 7635 * and that each successful stage completes some ops (this is not mandated by 7636 * the PSA specification, but is currently the case). 7637 * 7638 * 4. Check that calling complete() when start() fails and complete() 7639 * after completion results in a BAD_STATE error. 7640 * 7641 * 5. Check that calling start() again after start fails results in a BAD_STATE 7642 * error. 7643 */ 7644 void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, 7645 int alg_arg, data_t *hash_data, 7646 data_t *signature_data, 7647 int expected_start_status_arg, 7648 int expected_complete_status_arg, 7649 int max_ops_arg) 7650 { 7651 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7652 psa_key_type_t key_type = key_type_arg; 7653 psa_algorithm_t alg = alg_arg; 7654 psa_status_t actual_status; 7655 psa_status_t expected_start_status = expected_start_status_arg; 7656 psa_status_t expected_complete_status = expected_complete_status_arg; 7657 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7658 uint32_t num_ops = 0; 7659 uint32_t max_ops = max_ops_arg; 7660 size_t num_ops_prior = 0; 7661 size_t num_completes = 0; 7662 size_t min_completes = 0; 7663 size_t max_completes = 0; 7664 psa_verify_hash_interruptible_operation_t operation = 7665 psa_verify_hash_interruptible_operation_init_short(); 7666 7667 PSA_ASSERT(psa_crypto_init()); 7668 7669 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 7670 psa_set_key_algorithm(&attributes, alg); 7671 psa_set_key_type(&attributes, key_type); 7672 7673 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7674 &key)); 7675 7676 psa_interruptible_set_max_ops(max_ops); 7677 7678 interruptible_signverify_get_minmax_completes(max_ops, 7679 expected_complete_status, 7680 &min_completes, 7681 &max_completes); 7682 7683 num_ops_prior = psa_verify_hash_get_num_ops(&operation); 7684 TEST_ASSERT(num_ops_prior == 0); 7685 7686 /* Start verification. */ 7687 actual_status = psa_verify_hash_start(&operation, key, alg, 7688 hash_data->x, hash_data->len, 7689 signature_data->x, 7690 signature_data->len); 7691 7692 TEST_EQUAL(actual_status, expected_start_status); 7693 7694 if (expected_start_status != PSA_SUCCESS) { 7695 /* Emulate poor application code, and call complete anyway, even though 7696 * start failed. */ 7697 actual_status = psa_verify_hash_complete(&operation); 7698 7699 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); 7700 7701 /* Test that calling start again after failure also causes BAD_STATE. */ 7702 actual_status = psa_verify_hash_start(&operation, key, alg, 7703 hash_data->x, hash_data->len, 7704 signature_data->x, 7705 signature_data->len); 7706 7707 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); 7708 } 7709 7710 num_ops_prior = psa_verify_hash_get_num_ops(&operation); 7711 TEST_ASSERT(num_ops_prior == 0); 7712 7713 /* Continue performing the signature until complete. */ 7714 do { 7715 actual_status = psa_verify_hash_complete(&operation); 7716 7717 num_completes++; 7718 7719 if (actual_status == PSA_SUCCESS || 7720 actual_status == PSA_OPERATION_INCOMPLETE) { 7721 num_ops = psa_verify_hash_get_num_ops(&operation); 7722 /* We are asserting here that every complete makes progress 7723 * (completes some ops), which is true of the internal 7724 * implementation and probably any implementation, however this is 7725 * not mandated by the PSA specification. */ 7726 TEST_ASSERT(num_ops > num_ops_prior); 7727 7728 num_ops_prior = num_ops; 7729 } 7730 } while (actual_status == PSA_OPERATION_INCOMPLETE); 7731 7732 TEST_EQUAL(actual_status, expected_complete_status); 7733 7734 /* Check that another complete returns BAD_STATE. */ 7735 actual_status = psa_verify_hash_complete(&operation); 7736 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); 7737 7738 TEST_LE_U(min_completes, num_completes); 7739 TEST_LE_U(num_completes, max_completes); 7740 7741 PSA_ASSERT(psa_verify_hash_abort(&operation)); 7742 7743 num_ops = psa_verify_hash_get_num_ops(&operation); 7744 TEST_ASSERT(num_ops == 0); 7745 7746 exit: 7747 psa_reset_key_attributes(&attributes); 7748 psa_destroy_key(key); 7749 PSA_DONE(); 7750 } 7751 /* END_CASE */ 7752 7753 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 7754 /** 7755 * interruptible_signverify_hash_state_test() test intentions: 7756 * 7757 * Note: This test can currently only handle ECDSA. 7758 * 7759 * 1. Test that calling the various interruptible sign and verify hash functions 7760 * in incorrect orders returns BAD_STATE errors. 7761 */ 7762 void interruptible_signverify_hash_state_test(int key_type_arg, 7763 data_t *key_data, int alg_arg, data_t *input_data) 7764 { 7765 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7766 psa_key_type_t key_type = key_type_arg; 7767 psa_algorithm_t alg = alg_arg; 7768 size_t key_bits; 7769 unsigned char *signature = NULL; 7770 size_t signature_size; 7771 size_t signature_length = 0xdeadbeef; 7772 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7773 psa_sign_hash_interruptible_operation_t sign_operation = 7774 psa_sign_hash_interruptible_operation_init_short(); 7775 psa_verify_hash_interruptible_operation_t verify_operation = 7776 psa_verify_hash_interruptible_operation_init_short(); 7777 7778 PSA_ASSERT(psa_crypto_init()); 7779 7780 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | 7781 PSA_KEY_USAGE_VERIFY_HASH); 7782 psa_set_key_algorithm(&attributes, alg); 7783 psa_set_key_type(&attributes, key_type); 7784 7785 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7786 &key)); 7787 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 7788 key_bits = psa_get_key_bits(&attributes); 7789 7790 /* Allocate a buffer which has the size advertised by the 7791 * library. */ 7792 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, 7793 key_bits, alg); 7794 TEST_ASSERT(signature_size != 0); 7795 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 7796 TEST_CALLOC(signature, signature_size); 7797 7798 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 7799 7800 /* --- Attempt completes prior to starts --- */ 7801 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, 7802 signature_size, 7803 &signature_length), 7804 PSA_ERROR_BAD_STATE); 7805 7806 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 7807 7808 TEST_EQUAL(psa_verify_hash_complete(&verify_operation), 7809 PSA_ERROR_BAD_STATE); 7810 7811 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7812 7813 /* --- Aborts in all other places. --- */ 7814 psa_sign_hash_abort(&sign_operation); 7815 7816 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 7817 input_data->x, input_data->len)); 7818 7819 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 7820 7821 psa_interruptible_set_max_ops(1); 7822 7823 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 7824 input_data->x, input_data->len)); 7825 7826 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, 7827 signature_size, 7828 &signature_length), 7829 PSA_OPERATION_INCOMPLETE); 7830 7831 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 7832 7833 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 7834 7835 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 7836 input_data->x, input_data->len)); 7837 7838 PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature, 7839 signature_size, 7840 &signature_length)); 7841 7842 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 7843 7844 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7845 7846 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 7847 input_data->x, input_data->len, 7848 signature, signature_length)); 7849 7850 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7851 7852 psa_interruptible_set_max_ops(1); 7853 7854 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 7855 input_data->x, input_data->len, 7856 signature, signature_length)); 7857 7858 TEST_EQUAL(psa_verify_hash_complete(&verify_operation), 7859 PSA_OPERATION_INCOMPLETE); 7860 7861 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7862 7863 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 7864 7865 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 7866 input_data->x, input_data->len, 7867 signature, signature_length)); 7868 7869 PSA_ASSERT(psa_verify_hash_complete(&verify_operation)); 7870 7871 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7872 7873 /* --- Attempt double starts. --- */ 7874 7875 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 7876 input_data->x, input_data->len)); 7877 7878 TEST_EQUAL(psa_sign_hash_start(&sign_operation, key, alg, 7879 input_data->x, input_data->len), 7880 PSA_ERROR_BAD_STATE); 7881 7882 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 7883 7884 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 7885 input_data->x, input_data->len, 7886 signature, signature_length)); 7887 7888 TEST_EQUAL(psa_verify_hash_start(&verify_operation, key, alg, 7889 input_data->x, input_data->len, 7890 signature, signature_length), 7891 PSA_ERROR_BAD_STATE); 7892 7893 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7894 7895 exit: 7896 /* 7897 * Key attributes may have been returned by psa_get_key_attributes() 7898 * thus reset them as required. 7899 */ 7900 psa_reset_key_attributes(&attributes); 7901 7902 psa_destroy_key(key); 7903 mbedtls_free(signature); 7904 PSA_DONE(); 7905 } 7906 /* END_CASE */ 7907 7908 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 7909 /** 7910 * interruptible_signverify_hash_edgecase_tests() test intentions: 7911 * 7912 * Note: This test can currently only handle ECDSA. 7913 * 7914 * 1. Test various edge cases in the interruptible sign and verify hash 7915 * interfaces. 7916 */ 7917 void interruptible_signverify_hash_edgecase_tests(int key_type_arg, 7918 data_t *key_data, int alg_arg, data_t *input_data) 7919 { 7920 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7921 psa_key_type_t key_type = key_type_arg; 7922 psa_algorithm_t alg = alg_arg; 7923 size_t key_bits; 7924 unsigned char *signature = NULL; 7925 size_t signature_size; 7926 size_t signature_length = 0xdeadbeef; 7927 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7928 uint8_t *input_buffer = NULL; 7929 psa_sign_hash_interruptible_operation_t sign_operation = 7930 psa_sign_hash_interruptible_operation_init_short(); 7931 psa_verify_hash_interruptible_operation_t verify_operation = 7932 psa_verify_hash_interruptible_operation_init_short(); 7933 7934 PSA_ASSERT(psa_crypto_init()); 7935 7936 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | 7937 PSA_KEY_USAGE_VERIFY_HASH); 7938 psa_set_key_algorithm(&attributes, alg); 7939 psa_set_key_type(&attributes, key_type); 7940 7941 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7942 &key)); 7943 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 7944 key_bits = psa_get_key_bits(&attributes); 7945 7946 /* Allocate a buffer which has the size advertised by the 7947 * library. */ 7948 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, 7949 key_bits, alg); 7950 TEST_ASSERT(signature_size != 0); 7951 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 7952 TEST_CALLOC(signature, signature_size); 7953 7954 /* --- Change function inputs mid run, to cause an error (sign only, 7955 * verify passes all inputs to start. --- */ 7956 7957 psa_interruptible_set_max_ops(1); 7958 7959 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 7960 input_data->x, input_data->len)); 7961 7962 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, 7963 signature_size, 7964 &signature_length), 7965 PSA_OPERATION_INCOMPLETE); 7966 7967 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, 7968 0, 7969 &signature_length), 7970 PSA_ERROR_BUFFER_TOO_SMALL); 7971 7972 /* And test that this invalidates the operation. */ 7973 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, 7974 0, 7975 &signature_length), 7976 PSA_ERROR_BAD_STATE); 7977 7978 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 7979 7980 /* Trash the hash buffer in between start and complete, to ensure 7981 * no reliance on external buffers. */ 7982 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 7983 7984 TEST_CALLOC(input_buffer, input_data->len); 7985 7986 memcpy(input_buffer, input_data->x, input_data->len); 7987 7988 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 7989 input_buffer, input_data->len)); 7990 7991 memset(input_buffer, '!', input_data->len); 7992 mbedtls_free(input_buffer); 7993 input_buffer = NULL; 7994 7995 PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature, 7996 signature_size, 7997 &signature_length)); 7998 7999 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 8000 8001 TEST_CALLOC(input_buffer, input_data->len); 8002 8003 memcpy(input_buffer, input_data->x, input_data->len); 8004 8005 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 8006 input_buffer, input_data->len, 8007 signature, signature_length)); 8008 8009 memset(input_buffer, '!', input_data->len); 8010 mbedtls_free(input_buffer); 8011 input_buffer = NULL; 8012 8013 PSA_ASSERT(psa_verify_hash_complete(&verify_operation)); 8014 8015 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 8016 8017 exit: 8018 /* 8019 * Key attributes may have been returned by psa_get_key_attributes() 8020 * thus reset them as required. 8021 */ 8022 psa_reset_key_attributes(&attributes); 8023 8024 psa_destroy_key(key); 8025 mbedtls_free(signature); 8026 mbedtls_free(input_buffer); 8027 PSA_DONE(); 8028 } 8029 /* END_CASE */ 8030 8031 /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 8032 /** 8033 * interruptible_signverify_hash_ops_tests() test intentions: 8034 * 8035 * Note: This test can currently only handle ECDSA. 8036 * 8037 * 1. Test that setting max ops is reflected in both interruptible sign and 8038 * verify hash 8039 * 2. Test that changing the value of max_ops to unlimited during an operation 8040 * causes that operation to complete in the next call. 8041 * 8042 * 3. Test that calling get_num_ops() between complete calls gives the same 8043 * result as calling get_num_ops() once at the end of the operation. 8044 */ 8045 void interruptible_signverify_hash_ops_tests(int key_type_arg, 8046 data_t *key_data, int alg_arg, 8047 data_t *input_data) 8048 { 8049 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8050 psa_key_type_t key_type = key_type_arg; 8051 psa_algorithm_t alg = alg_arg; 8052 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8053 size_t key_bits; 8054 unsigned char *signature = NULL; 8055 size_t signature_size; 8056 size_t signature_length = 0xdeadbeef; 8057 uint32_t num_ops = 0; 8058 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8059 8060 psa_sign_hash_interruptible_operation_t sign_operation = 8061 psa_sign_hash_interruptible_operation_init_short(); 8062 psa_verify_hash_interruptible_operation_t verify_operation = 8063 psa_verify_hash_interruptible_operation_init_short(); 8064 8065 PSA_ASSERT(psa_crypto_init()); 8066 8067 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | 8068 PSA_KEY_USAGE_VERIFY_HASH); 8069 psa_set_key_algorithm(&attributes, alg); 8070 psa_set_key_type(&attributes, key_type); 8071 8072 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, &key)); 8073 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 8074 key_bits = psa_get_key_bits(&attributes); 8075 8076 /* Allocate a buffer which has the size advertised by the 8077 * library. */ 8078 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg); 8079 8080 TEST_ASSERT(signature_size != 0); 8081 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 8082 TEST_CALLOC(signature, signature_size); 8083 8084 /* Check that default max ops gets set if we don't set it. */ 8085 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 8086 input_data->x, input_data->len)); 8087 8088 TEST_EQUAL(psa_interruptible_get_max_ops(), 8089 PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 8090 8091 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 8092 8093 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 8094 input_data->x, input_data->len, 8095 signature, signature_size)); 8096 8097 TEST_EQUAL(psa_interruptible_get_max_ops(), 8098 PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 8099 8100 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 8101 8102 /* Check that max ops gets set properly. */ 8103 8104 psa_interruptible_set_max_ops(0xbeef); 8105 8106 TEST_EQUAL(psa_interruptible_get_max_ops(), 0xbeef); 8107 8108 /* --- Ensure changing the max ops mid operation works (operation should 8109 * complete successfully after setting max ops to unlimited --- */ 8110 psa_interruptible_set_max_ops(1); 8111 8112 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 8113 input_data->x, input_data->len)); 8114 8115 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, 8116 signature_size, 8117 &signature_length), 8118 PSA_OPERATION_INCOMPLETE); 8119 8120 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 8121 8122 PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature, 8123 signature_size, 8124 &signature_length)); 8125 8126 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 8127 8128 psa_interruptible_set_max_ops(1); 8129 8130 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 8131 input_data->x, input_data->len, 8132 signature, signature_length)); 8133 8134 TEST_EQUAL(psa_verify_hash_complete(&verify_operation), 8135 PSA_OPERATION_INCOMPLETE); 8136 8137 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 8138 8139 PSA_ASSERT(psa_verify_hash_complete(&verify_operation)); 8140 8141 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 8142 8143 /* --- Test that not calling get_num_ops inbetween complete calls does not 8144 * result in lost ops. ---*/ 8145 8146 psa_interruptible_set_max_ops(1); 8147 8148 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 8149 input_data->x, input_data->len)); 8150 8151 /* Continue performing the signature until complete. */ 8152 do { 8153 status = psa_sign_hash_complete(&sign_operation, signature, 8154 signature_size, 8155 &signature_length); 8156 8157 num_ops = psa_sign_hash_get_num_ops(&sign_operation); 8158 8159 } while (status == PSA_OPERATION_INCOMPLETE); 8160 8161 PSA_ASSERT(status); 8162 8163 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 8164 8165 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 8166 input_data->x, input_data->len)); 8167 8168 /* Continue performing the signature until complete. */ 8169 do { 8170 status = psa_sign_hash_complete(&sign_operation, signature, 8171 signature_size, 8172 &signature_length); 8173 } while (status == PSA_OPERATION_INCOMPLETE); 8174 8175 PSA_ASSERT(status); 8176 8177 TEST_EQUAL(num_ops, psa_sign_hash_get_num_ops(&sign_operation)); 8178 8179 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 8180 8181 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 8182 input_data->x, input_data->len, 8183 signature, signature_length)); 8184 8185 /* Continue performing the verification until complete. */ 8186 do { 8187 status = psa_verify_hash_complete(&verify_operation); 8188 8189 num_ops = psa_verify_hash_get_num_ops(&verify_operation); 8190 8191 } while (status == PSA_OPERATION_INCOMPLETE); 8192 8193 PSA_ASSERT(status); 8194 8195 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 8196 8197 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 8198 input_data->x, input_data->len, 8199 signature, signature_length)); 8200 8201 /* Continue performing the verification until complete. */ 8202 do { 8203 status = psa_verify_hash_complete(&verify_operation); 8204 8205 } while (status == PSA_OPERATION_INCOMPLETE); 8206 8207 PSA_ASSERT(status); 8208 8209 TEST_EQUAL(num_ops, psa_verify_hash_get_num_ops(&verify_operation)); 8210 8211 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 8212 8213 exit: 8214 /* 8215 * Key attributes may have been returned by psa_get_key_attributes() 8216 * thus reset them as required. 8217 */ 8218 psa_reset_key_attributes(&attributes); 8219 8220 psa_destroy_key(key); 8221 mbedtls_free(signature); 8222 PSA_DONE(); 8223 } 8224 /* END_CASE */ 8225 8226 /* BEGIN_CASE */ 8227 void sign_message_deterministic(int key_type_arg, 8228 data_t *key_data, 8229 int alg_arg, 8230 data_t *input_data, 8231 data_t *output_data) 8232 { 8233 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8234 psa_key_type_t key_type = key_type_arg; 8235 psa_algorithm_t alg = alg_arg; 8236 size_t key_bits; 8237 unsigned char *signature = NULL; 8238 size_t signature_size; 8239 size_t signature_length = 0xdeadbeef; 8240 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8241 8242 PSA_ASSERT(psa_crypto_init()); 8243 8244 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); 8245 psa_set_key_algorithm(&attributes, alg); 8246 psa_set_key_type(&attributes, key_type); 8247 8248 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8249 &key)); 8250 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 8251 key_bits = psa_get_key_bits(&attributes); 8252 8253 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg); 8254 TEST_ASSERT(signature_size != 0); 8255 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 8256 TEST_CALLOC(signature, signature_size); 8257 8258 PSA_ASSERT(psa_sign_message(key, alg, 8259 input_data->x, input_data->len, 8260 signature, signature_size, 8261 &signature_length)); 8262 8263 TEST_MEMORY_COMPARE(output_data->x, output_data->len, 8264 signature, signature_length); 8265 8266 exit: 8267 psa_reset_key_attributes(&attributes); 8268 8269 psa_destroy_key(key); 8270 mbedtls_free(signature); 8271 PSA_DONE(); 8272 8273 } 8274 /* END_CASE */ 8275 8276 /* BEGIN_CASE */ 8277 void sign_message_fail(int key_type_arg, 8278 data_t *key_data, 8279 int alg_arg, 8280 data_t *input_data, 8281 int signature_size_arg, 8282 int expected_status_arg) 8283 { 8284 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8285 psa_key_type_t key_type = key_type_arg; 8286 psa_algorithm_t alg = alg_arg; 8287 size_t signature_size = signature_size_arg; 8288 psa_status_t actual_status; 8289 psa_status_t expected_status = expected_status_arg; 8290 unsigned char *signature = NULL; 8291 size_t signature_length = 0xdeadbeef; 8292 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8293 8294 TEST_CALLOC(signature, signature_size); 8295 8296 PSA_ASSERT(psa_crypto_init()); 8297 8298 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); 8299 psa_set_key_algorithm(&attributes, alg); 8300 psa_set_key_type(&attributes, key_type); 8301 8302 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8303 &key)); 8304 8305 actual_status = psa_sign_message(key, alg, 8306 input_data->x, input_data->len, 8307 signature, signature_size, 8308 &signature_length); 8309 TEST_EQUAL(actual_status, expected_status); 8310 /* The value of *signature_length is unspecified on error, but 8311 * whatever it is, it should be less than signature_size, so that 8312 * if the caller tries to read *signature_length bytes without 8313 * checking the error code then they don't overflow a buffer. */ 8314 TEST_LE_U(signature_length, signature_size); 8315 8316 exit: 8317 psa_reset_key_attributes(&attributes); 8318 psa_destroy_key(key); 8319 mbedtls_free(signature); 8320 PSA_DONE(); 8321 } 8322 /* END_CASE */ 8323 8324 /* BEGIN_CASE */ 8325 void sign_verify_message(int key_type_arg, 8326 data_t *key_data, 8327 int alg_arg, 8328 data_t *input_data) 8329 { 8330 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8331 psa_key_type_t key_type = key_type_arg; 8332 psa_algorithm_t alg = alg_arg; 8333 size_t key_bits; 8334 unsigned char *signature = NULL; 8335 size_t signature_size; 8336 size_t signature_length = 0xdeadbeef; 8337 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8338 8339 PSA_ASSERT(psa_crypto_init()); 8340 8341 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE | 8342 PSA_KEY_USAGE_VERIFY_MESSAGE); 8343 psa_set_key_algorithm(&attributes, alg); 8344 psa_set_key_type(&attributes, key_type); 8345 8346 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8347 &key)); 8348 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 8349 key_bits = psa_get_key_bits(&attributes); 8350 8351 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg); 8352 TEST_ASSERT(signature_size != 0); 8353 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 8354 TEST_CALLOC(signature, signature_size); 8355 8356 PSA_ASSERT(psa_sign_message(key, alg, 8357 input_data->x, input_data->len, 8358 signature, signature_size, 8359 &signature_length)); 8360 TEST_LE_U(signature_length, signature_size); 8361 TEST_ASSERT(signature_length > 0); 8362 8363 PSA_ASSERT(psa_verify_message(key, alg, 8364 input_data->x, input_data->len, 8365 signature, signature_length)); 8366 8367 if (input_data->len != 0) { 8368 /* Flip a bit in the input and verify that the signature is now 8369 * detected as invalid. Flip a bit at the beginning, not at the end, 8370 * because ECDSA may ignore the last few bits of the input. */ 8371 input_data->x[0] ^= 1; 8372 TEST_EQUAL(psa_verify_message(key, alg, 8373 input_data->x, input_data->len, 8374 signature, signature_length), 8375 PSA_ERROR_INVALID_SIGNATURE); 8376 } 8377 8378 exit: 8379 psa_reset_key_attributes(&attributes); 8380 8381 psa_destroy_key(key); 8382 mbedtls_free(signature); 8383 PSA_DONE(); 8384 } 8385 /* END_CASE */ 8386 8387 /* BEGIN_CASE */ 8388 void verify_message(int key_type_arg, 8389 data_t *key_data, 8390 int alg_arg, 8391 data_t *input_data, 8392 data_t *signature_data) 8393 { 8394 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8395 psa_key_type_t key_type = key_type_arg; 8396 psa_algorithm_t alg = alg_arg; 8397 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8398 8399 TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE); 8400 8401 PSA_ASSERT(psa_crypto_init()); 8402 8403 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_MESSAGE); 8404 psa_set_key_algorithm(&attributes, alg); 8405 psa_set_key_type(&attributes, key_type); 8406 8407 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8408 &key)); 8409 8410 PSA_ASSERT(psa_verify_message(key, alg, 8411 input_data->x, input_data->len, 8412 signature_data->x, signature_data->len)); 8413 8414 exit: 8415 psa_reset_key_attributes(&attributes); 8416 psa_destroy_key(key); 8417 PSA_DONE(); 8418 } 8419 /* END_CASE */ 8420 8421 /* BEGIN_CASE */ 8422 void verify_message_fail(int key_type_arg, 8423 data_t *key_data, 8424 int alg_arg, 8425 data_t *hash_data, 8426 data_t *signature_data, 8427 int expected_status_arg) 8428 { 8429 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8430 psa_key_type_t key_type = key_type_arg; 8431 psa_algorithm_t alg = alg_arg; 8432 psa_status_t actual_status; 8433 psa_status_t expected_status = expected_status_arg; 8434 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8435 8436 PSA_ASSERT(psa_crypto_init()); 8437 8438 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_MESSAGE); 8439 psa_set_key_algorithm(&attributes, alg); 8440 psa_set_key_type(&attributes, key_type); 8441 8442 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8443 &key)); 8444 8445 actual_status = psa_verify_message(key, alg, 8446 hash_data->x, hash_data->len, 8447 signature_data->x, 8448 signature_data->len); 8449 TEST_EQUAL(actual_status, expected_status); 8450 8451 exit: 8452 psa_reset_key_attributes(&attributes); 8453 psa_destroy_key(key); 8454 PSA_DONE(); 8455 } 8456 /* END_CASE */ 8457 8458 /* BEGIN_CASE */ 8459 void asymmetric_encrypt(int key_type_arg, 8460 data_t *key_data, 8461 int alg_arg, 8462 data_t *input_data, 8463 data_t *label, 8464 int expected_output_length_arg, 8465 int expected_status_arg) 8466 { 8467 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8468 psa_key_type_t key_type = key_type_arg; 8469 psa_algorithm_t alg = alg_arg; 8470 size_t expected_output_length = expected_output_length_arg; 8471 size_t key_bits; 8472 unsigned char *output = NULL; 8473 size_t output_size; 8474 size_t output_length = ~0; 8475 psa_status_t actual_status; 8476 psa_status_t expected_status = expected_status_arg; 8477 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8478 8479 PSA_ASSERT(psa_crypto_init()); 8480 8481 /* Import the key */ 8482 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 8483 psa_set_key_algorithm(&attributes, alg); 8484 psa_set_key_type(&attributes, key_type); 8485 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8486 &key)); 8487 8488 /* Determine the maximum output length */ 8489 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 8490 key_bits = psa_get_key_bits(&attributes); 8491 8492 output_size = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg); 8493 TEST_LE_U(output_size, PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE); 8494 TEST_CALLOC(output, output_size); 8495 8496 /* Encrypt the input */ 8497 actual_status = psa_asymmetric_encrypt(key, alg, 8498 input_data->x, input_data->len, 8499 label->x, label->len, 8500 output, output_size, 8501 &output_length); 8502 TEST_EQUAL(actual_status, expected_status); 8503 if (actual_status == PSA_SUCCESS) { 8504 TEST_EQUAL(output_length, expected_output_length); 8505 } else { 8506 TEST_LE_U(output_length, output_size); 8507 } 8508 8509 /* If the label is empty, the test framework puts a non-null pointer 8510 * in label->x. Test that a null pointer works as well. */ 8511 if (label->len == 0) { 8512 output_length = ~0; 8513 if (output_size != 0) { 8514 memset(output, 0, output_size); 8515 } 8516 actual_status = psa_asymmetric_encrypt(key, alg, 8517 input_data->x, input_data->len, 8518 NULL, label->len, 8519 output, output_size, 8520 &output_length); 8521 TEST_EQUAL(actual_status, expected_status); 8522 if (actual_status == PSA_SUCCESS) { 8523 TEST_EQUAL(output_length, expected_output_length); 8524 } else { 8525 TEST_LE_U(output_length, output_size); 8526 } 8527 } 8528 8529 exit: 8530 /* 8531 * Key attributes may have been returned by psa_get_key_attributes() 8532 * thus reset them as required. 8533 */ 8534 psa_reset_key_attributes(&attributes); 8535 8536 psa_destroy_key(key); 8537 mbedtls_free(output); 8538 PSA_DONE(); 8539 } 8540 /* END_CASE */ 8541 8542 /* BEGIN_CASE */ 8543 void asymmetric_encrypt_decrypt(int key_type_arg, 8544 data_t *key_data, 8545 int alg_arg, 8546 data_t *input_data, 8547 data_t *label) 8548 { 8549 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8550 psa_key_type_t key_type = key_type_arg; 8551 psa_algorithm_t alg = alg_arg; 8552 size_t key_bits; 8553 unsigned char *output = NULL; 8554 size_t output_size; 8555 size_t output_length = ~0; 8556 unsigned char *output2 = NULL; 8557 size_t output2_size; 8558 size_t output2_length = ~0; 8559 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8560 8561 PSA_ASSERT(psa_crypto_init()); 8562 8563 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 8564 psa_set_key_algorithm(&attributes, alg); 8565 psa_set_key_type(&attributes, key_type); 8566 8567 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8568 &key)); 8569 8570 /* Determine the maximum ciphertext length */ 8571 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 8572 key_bits = psa_get_key_bits(&attributes); 8573 8574 output_size = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg); 8575 TEST_LE_U(output_size, PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE); 8576 TEST_CALLOC(output, output_size); 8577 8578 output2_size = input_data->len; 8579 TEST_LE_U(output2_size, 8580 PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg)); 8581 TEST_LE_U(output2_size, PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE); 8582 TEST_CALLOC(output2, output2_size); 8583 8584 /* We test encryption by checking that encrypt-then-decrypt gives back 8585 * the original plaintext because of the non-optional random 8586 * part of encryption process which prevents using fixed vectors. */ 8587 PSA_ASSERT(psa_asymmetric_encrypt(key, alg, 8588 input_data->x, input_data->len, 8589 label->x, label->len, 8590 output, output_size, 8591 &output_length)); 8592 /* We don't know what ciphertext length to expect, but check that 8593 * it looks sensible. */ 8594 TEST_LE_U(output_length, output_size); 8595 8596 PSA_ASSERT(psa_asymmetric_decrypt(key, alg, 8597 output, output_length, 8598 label->x, label->len, 8599 output2, output2_size, 8600 &output2_length)); 8601 TEST_MEMORY_COMPARE(input_data->x, input_data->len, 8602 output2, output2_length); 8603 8604 exit: 8605 /* 8606 * Key attributes may have been returned by psa_get_key_attributes() 8607 * thus reset them as required. 8608 */ 8609 psa_reset_key_attributes(&attributes); 8610 8611 psa_destroy_key(key); 8612 mbedtls_free(output); 8613 mbedtls_free(output2); 8614 PSA_DONE(); 8615 } 8616 /* END_CASE */ 8617 8618 /* BEGIN_CASE */ 8619 void asymmetric_decrypt(int key_type_arg, 8620 data_t *key_data, 8621 int alg_arg, 8622 data_t *input_data, 8623 data_t *label, 8624 data_t *expected_data) 8625 { 8626 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8627 psa_key_type_t key_type = key_type_arg; 8628 psa_algorithm_t alg = alg_arg; 8629 size_t key_bits; 8630 unsigned char *output = NULL; 8631 size_t output_size = 0; 8632 size_t output_length = ~0; 8633 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8634 8635 PSA_ASSERT(psa_crypto_init()); 8636 8637 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 8638 psa_set_key_algorithm(&attributes, alg); 8639 psa_set_key_type(&attributes, key_type); 8640 8641 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8642 &key)); 8643 8644 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 8645 key_bits = psa_get_key_bits(&attributes); 8646 8647 /* Determine the maximum ciphertext length */ 8648 output_size = PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg); 8649 TEST_LE_U(output_size, PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE); 8650 TEST_CALLOC(output, output_size); 8651 8652 PSA_ASSERT(psa_asymmetric_decrypt(key, alg, 8653 input_data->x, input_data->len, 8654 label->x, label->len, 8655 output, 8656 output_size, 8657 &output_length)); 8658 TEST_MEMORY_COMPARE(expected_data->x, expected_data->len, 8659 output, output_length); 8660 8661 /* If the label is empty, the test framework puts a non-null pointer 8662 * in label->x. Test that a null pointer works as well. */ 8663 if (label->len == 0) { 8664 output_length = ~0; 8665 if (output_size != 0) { 8666 memset(output, 0, output_size); 8667 } 8668 PSA_ASSERT(psa_asymmetric_decrypt(key, alg, 8669 input_data->x, input_data->len, 8670 NULL, label->len, 8671 output, 8672 output_size, 8673 &output_length)); 8674 TEST_MEMORY_COMPARE(expected_data->x, expected_data->len, 8675 output, output_length); 8676 } 8677 8678 exit: 8679 psa_reset_key_attributes(&attributes); 8680 psa_destroy_key(key); 8681 mbedtls_free(output); 8682 PSA_DONE(); 8683 } 8684 /* END_CASE */ 8685 8686 /* BEGIN_CASE */ 8687 void asymmetric_decrypt_fail(int key_type_arg, 8688 data_t *key_data, 8689 int alg_arg, 8690 data_t *input_data, 8691 data_t *label, 8692 int output_size_arg, 8693 int expected_status_arg) 8694 { 8695 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8696 psa_key_type_t key_type = key_type_arg; 8697 psa_algorithm_t alg = alg_arg; 8698 unsigned char *output = NULL; 8699 size_t output_size = output_size_arg; 8700 size_t output_length = ~0; 8701 psa_status_t actual_status; 8702 psa_status_t expected_status = expected_status_arg; 8703 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8704 8705 TEST_CALLOC(output, output_size); 8706 8707 PSA_ASSERT(psa_crypto_init()); 8708 8709 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 8710 psa_set_key_algorithm(&attributes, alg); 8711 psa_set_key_type(&attributes, key_type); 8712 8713 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8714 &key)); 8715 8716 actual_status = psa_asymmetric_decrypt(key, alg, 8717 input_data->x, input_data->len, 8718 label->x, label->len, 8719 output, output_size, 8720 &output_length); 8721 TEST_EQUAL(actual_status, expected_status); 8722 TEST_LE_U(output_length, output_size); 8723 8724 /* If the label is empty, the test framework puts a non-null pointer 8725 * in label->x. Test that a null pointer works as well. */ 8726 if (label->len == 0) { 8727 output_length = ~0; 8728 if (output_size != 0) { 8729 memset(output, 0, output_size); 8730 } 8731 actual_status = psa_asymmetric_decrypt(key, alg, 8732 input_data->x, input_data->len, 8733 NULL, label->len, 8734 output, output_size, 8735 &output_length); 8736 TEST_EQUAL(actual_status, expected_status); 8737 TEST_LE_U(output_length, output_size); 8738 } 8739 8740 exit: 8741 psa_reset_key_attributes(&attributes); 8742 psa_destroy_key(key); 8743 mbedtls_free(output); 8744 PSA_DONE(); 8745 } 8746 /* END_CASE */ 8747 8748 /* BEGIN_CASE */ 8749 void key_derivation_init() 8750 { 8751 /* Test each valid way of initializing the object, except for `= {0}`, as 8752 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 8753 * though it's OK by the C standard. We could test for this, but we'd need 8754 * to suppress the Clang warning for the test. */ 8755 size_t capacity; 8756 psa_key_derivation_operation_t short_wrapper = psa_key_derivation_operation_init_short(); 8757 psa_key_derivation_operation_t func = psa_key_derivation_operation_init(); 8758 psa_key_derivation_operation_t init = PSA_KEY_DERIVATION_OPERATION_INIT; 8759 psa_key_derivation_operation_t zero; 8760 memset(&zero, 0, sizeof(zero)); 8761 8762 /* A default operation should not be able to report its capacity. */ 8763 TEST_EQUAL(psa_key_derivation_get_capacity(&short_wrapper, &capacity), 8764 PSA_ERROR_BAD_STATE); 8765 TEST_EQUAL(psa_key_derivation_get_capacity(&func, &capacity), 8766 PSA_ERROR_BAD_STATE); 8767 TEST_EQUAL(psa_key_derivation_get_capacity(&init, &capacity), 8768 PSA_ERROR_BAD_STATE); 8769 TEST_EQUAL(psa_key_derivation_get_capacity(&zero, &capacity), 8770 PSA_ERROR_BAD_STATE); 8771 8772 /* A default operation should be abortable without error. */ 8773 PSA_ASSERT(psa_key_derivation_abort(&short_wrapper)); 8774 PSA_ASSERT(psa_key_derivation_abort(&func)); 8775 PSA_ASSERT(psa_key_derivation_abort(&init)); 8776 PSA_ASSERT(psa_key_derivation_abort(&zero)); 8777 } 8778 /* END_CASE */ 8779 8780 /* BEGIN_CASE */ 8781 void derive_setup(int alg_arg, int expected_status_arg) 8782 { 8783 psa_algorithm_t alg = alg_arg; 8784 psa_status_t expected_status = expected_status_arg; 8785 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 8786 8787 PSA_ASSERT(psa_crypto_init()); 8788 8789 TEST_EQUAL(psa_key_derivation_setup(&operation, alg), 8790 expected_status); 8791 8792 exit: 8793 psa_key_derivation_abort(&operation); 8794 PSA_DONE(); 8795 } 8796 /* END_CASE */ 8797 8798 /* BEGIN_CASE */ 8799 void derive_set_capacity(int alg_arg, int64_t capacity_arg, 8800 int expected_status_arg) 8801 { 8802 psa_algorithm_t alg = alg_arg; 8803 size_t capacity = capacity_arg; 8804 psa_status_t expected_status = expected_status_arg; 8805 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 8806 8807 PSA_ASSERT(psa_crypto_init()); 8808 8809 PSA_ASSERT(psa_key_derivation_setup(&operation, alg)); 8810 8811 TEST_EQUAL(psa_key_derivation_set_capacity(&operation, capacity), 8812 expected_status); 8813 8814 exit: 8815 psa_key_derivation_abort(&operation); 8816 PSA_DONE(); 8817 } 8818 /* END_CASE */ 8819 8820 /* BEGIN_CASE */ 8821 void parse_binary_string_test(data_t *input, int output) 8822 { 8823 uint64_t value; 8824 value = mbedtls_test_parse_binary_string(input); 8825 TEST_EQUAL(value, output); 8826 } 8827 /* END_CASE */ 8828 8829 /* BEGIN_CASE */ 8830 void derive_input(int alg_arg, 8831 int step_arg1, int key_type_arg1, data_t *input1, 8832 int expected_status_arg1, 8833 int step_arg2, int key_type_arg2, data_t *input2, 8834 int expected_status_arg2, 8835 int step_arg3, int key_type_arg3, data_t *input3, 8836 int expected_status_arg3, 8837 int output_key_type_arg, int expected_output_status_arg) 8838 { 8839 psa_algorithm_t alg = alg_arg; 8840 psa_key_derivation_step_t steps[] = { step_arg1, step_arg2, step_arg3 }; 8841 uint32_t key_types[] = { key_type_arg1, key_type_arg2, key_type_arg3 }; 8842 psa_status_t expected_statuses[] = { expected_status_arg1, 8843 expected_status_arg2, 8844 expected_status_arg3 }; 8845 data_t *inputs[] = { input1, input2, input3 }; 8846 mbedtls_svc_key_id_t keys[] = { MBEDTLS_SVC_KEY_ID_INIT, 8847 MBEDTLS_SVC_KEY_ID_INIT, 8848 MBEDTLS_SVC_KEY_ID_INIT }; 8849 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 8850 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8851 size_t i; 8852 psa_key_type_t output_key_type = output_key_type_arg; 8853 mbedtls_svc_key_id_t output_key = MBEDTLS_SVC_KEY_ID_INIT; 8854 psa_status_t expected_output_status = expected_output_status_arg; 8855 psa_status_t actual_output_status; 8856 8857 PSA_ASSERT(psa_crypto_init()); 8858 8859 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 8860 psa_set_key_algorithm(&attributes, alg); 8861 8862 if (alg != PSA_ALG_NONE) { 8863 PSA_ASSERT(psa_key_derivation_setup(&operation, alg)); 8864 } 8865 8866 for (i = 0; i < ARRAY_LENGTH(steps); i++) { 8867 mbedtls_test_set_step(i); 8868 if (steps[i] == 0) { 8869 /* Skip this step */ 8870 } else if (((psa_key_type_t) key_types[i]) != PSA_KEY_TYPE_NONE && 8871 key_types[i] != INPUT_INTEGER) { 8872 psa_set_key_type(&attributes, ((psa_key_type_t) key_types[i])); 8873 PSA_ASSERT(psa_import_key(&attributes, 8874 inputs[i]->x, inputs[i]->len, 8875 &keys[i])); 8876 if (PSA_KEY_TYPE_IS_KEY_PAIR((psa_key_type_t) key_types[i]) && 8877 steps[i] == PSA_KEY_DERIVATION_INPUT_SECRET) { 8878 // When taking a private key as secret input, use key agreement 8879 // to add the shared secret to the derivation 8880 TEST_EQUAL(mbedtls_test_psa_key_agreement_with_self( 8881 &operation, keys[i], 0), 8882 expected_statuses[i]); 8883 } else { 8884 TEST_EQUAL(psa_key_derivation_input_key(&operation, steps[i], 8885 keys[i]), 8886 expected_statuses[i]); 8887 } 8888 } else { 8889 if (key_types[i] == INPUT_INTEGER) { 8890 TEST_EQUAL(psa_key_derivation_input_integer( 8891 &operation, steps[i], 8892 mbedtls_test_parse_binary_string(inputs[i])), 8893 expected_statuses[i]); 8894 } else { 8895 TEST_EQUAL(psa_key_derivation_input_bytes( 8896 &operation, steps[i], 8897 inputs[i]->x, inputs[i]->len), 8898 expected_statuses[i]); 8899 } 8900 } 8901 } 8902 8903 if (output_key_type != PSA_KEY_TYPE_NONE) { 8904 psa_reset_key_attributes(&attributes); 8905 psa_set_key_type(&attributes, output_key_type); 8906 psa_set_key_bits(&attributes, 8); 8907 actual_output_status = 8908 psa_key_derivation_output_key(&attributes, &operation, 8909 &output_key); 8910 } else { 8911 uint8_t buffer[1]; 8912 actual_output_status = 8913 psa_key_derivation_output_bytes(&operation, 8914 buffer, sizeof(buffer)); 8915 } 8916 TEST_EQUAL(actual_output_status, expected_output_status); 8917 8918 exit: 8919 psa_key_derivation_abort(&operation); 8920 for (i = 0; i < ARRAY_LENGTH(keys); i++) { 8921 psa_destroy_key(keys[i]); 8922 } 8923 psa_destroy_key(output_key); 8924 PSA_DONE(); 8925 } 8926 /* END_CASE */ 8927 8928 /* BEGIN_CASE*/ 8929 void derive_input_invalid_cost(int alg_arg, int64_t cost) 8930 { 8931 psa_algorithm_t alg = alg_arg; 8932 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 8933 8934 PSA_ASSERT(psa_crypto_init()); 8935 PSA_ASSERT(psa_key_derivation_setup(&operation, alg)); 8936 8937 TEST_EQUAL(psa_key_derivation_input_integer(&operation, 8938 PSA_KEY_DERIVATION_INPUT_COST, 8939 cost), 8940 PSA_ERROR_NOT_SUPPORTED); 8941 8942 exit: 8943 psa_key_derivation_abort(&operation); 8944 PSA_DONE(); 8945 } 8946 /* END_CASE*/ 8947 8948 /* BEGIN_CASE */ 8949 void derive_over_capacity(int alg_arg) 8950 { 8951 psa_algorithm_t alg = alg_arg; 8952 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8953 size_t key_type = PSA_KEY_TYPE_DERIVE; 8954 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 8955 unsigned char input1[] = "Input 1"; 8956 size_t input1_length = sizeof(input1); 8957 unsigned char input2[] = "Input 2"; 8958 size_t input2_length = sizeof(input2); 8959 uint8_t buffer[42]; 8960 size_t capacity = sizeof(buffer); 8961 const uint8_t key_data[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 8962 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 8963 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b }; 8964 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8965 8966 PSA_ASSERT(psa_crypto_init()); 8967 8968 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 8969 psa_set_key_algorithm(&attributes, alg); 8970 psa_set_key_type(&attributes, key_type); 8971 8972 PSA_ASSERT(psa_import_key(&attributes, 8973 key_data, sizeof(key_data), 8974 &key)); 8975 8976 /* valid key derivation */ 8977 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, key, alg, 8978 input1, input1_length, 8979 input2, input2_length, 8980 capacity, 0)) { 8981 goto exit; 8982 } 8983 8984 /* state of operation shouldn't allow additional generation */ 8985 TEST_EQUAL(psa_key_derivation_setup(&operation, alg), 8986 PSA_ERROR_BAD_STATE); 8987 8988 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, buffer, capacity)); 8989 8990 TEST_EQUAL(psa_key_derivation_output_bytes(&operation, buffer, capacity), 8991 PSA_ERROR_INSUFFICIENT_DATA); 8992 8993 exit: 8994 psa_key_derivation_abort(&operation); 8995 psa_destroy_key(key); 8996 PSA_DONE(); 8997 } 8998 /* END_CASE */ 8999 9000 /* BEGIN_CASE */ 9001 void derive_actions_without_setup() 9002 { 9003 uint8_t output_buffer[16]; 9004 size_t buffer_size = 16; 9005 size_t capacity = 0; 9006 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 9007 9008 TEST_ASSERT(psa_key_derivation_output_bytes(&operation, 9009 output_buffer, buffer_size) 9010 == PSA_ERROR_BAD_STATE); 9011 9012 TEST_ASSERT(psa_key_derivation_get_capacity(&operation, &capacity) 9013 == PSA_ERROR_BAD_STATE); 9014 9015 PSA_ASSERT(psa_key_derivation_abort(&operation)); 9016 9017 TEST_ASSERT(psa_key_derivation_output_bytes(&operation, 9018 output_buffer, buffer_size) 9019 == PSA_ERROR_BAD_STATE); 9020 9021 TEST_ASSERT(psa_key_derivation_get_capacity(&operation, &capacity) 9022 == PSA_ERROR_BAD_STATE); 9023 9024 exit: 9025 psa_key_derivation_abort(&operation); 9026 } 9027 /* END_CASE */ 9028 9029 /* BEGIN_CASE */ 9030 void derive_output(int alg_arg, 9031 int step1_arg, data_t *input1, int expected_status_arg1, 9032 int step2_arg, data_t *input2, int expected_status_arg2, 9033 int step3_arg, data_t *input3, int expected_status_arg3, 9034 int step4_arg, data_t *input4, int expected_status_arg4, 9035 data_t *key_agreement_peer_key, 9036 int requested_capacity_arg, 9037 data_t *expected_output1, 9038 data_t *expected_output2, 9039 int other_key_input_type, 9040 int key_input_type, 9041 int derive_type) 9042 { 9043 psa_algorithm_t alg = alg_arg; 9044 psa_key_derivation_step_t steps[] = { step1_arg, step2_arg, step3_arg, step4_arg }; 9045 data_t *inputs[] = { input1, input2, input3, input4 }; 9046 mbedtls_svc_key_id_t keys[] = { MBEDTLS_SVC_KEY_ID_INIT, 9047 MBEDTLS_SVC_KEY_ID_INIT, 9048 MBEDTLS_SVC_KEY_ID_INIT, 9049 MBEDTLS_SVC_KEY_ID_INIT }; 9050 psa_status_t statuses[] = { expected_status_arg1, expected_status_arg2, 9051 expected_status_arg3, expected_status_arg4 }; 9052 size_t requested_capacity = requested_capacity_arg; 9053 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 9054 uint8_t *expected_outputs[2] = 9055 { expected_output1->x, expected_output2->x }; 9056 size_t output_sizes[2] = 9057 { expected_output1->len, expected_output2->len }; 9058 size_t output_buffer_size = 0; 9059 uint8_t *output_buffer = NULL; 9060 size_t expected_capacity; 9061 size_t current_capacity; 9062 psa_key_attributes_t attributes1 = PSA_KEY_ATTRIBUTES_INIT; 9063 psa_key_attributes_t attributes2 = PSA_KEY_ATTRIBUTES_INIT; 9064 psa_key_attributes_t attributes3 = PSA_KEY_ATTRIBUTES_INIT; 9065 psa_key_attributes_t attributes4 = PSA_KEY_ATTRIBUTES_INIT; 9066 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 9067 psa_status_t status; 9068 size_t i; 9069 9070 for (i = 0; i < ARRAY_LENGTH(expected_outputs); i++) { 9071 if (output_sizes[i] > output_buffer_size) { 9072 output_buffer_size = output_sizes[i]; 9073 } 9074 if (output_sizes[i] == 0) { 9075 expected_outputs[i] = NULL; 9076 } 9077 } 9078 TEST_CALLOC(output_buffer, output_buffer_size); 9079 PSA_ASSERT(psa_crypto_init()); 9080 9081 /* Extraction phase. */ 9082 PSA_ASSERT(psa_key_derivation_setup(&operation, alg)); 9083 PSA_ASSERT(psa_key_derivation_set_capacity(&operation, 9084 requested_capacity)); 9085 for (i = 0; i < ARRAY_LENGTH(steps); i++) { 9086 switch (steps[i]) { 9087 case 0: 9088 break; 9089 case PSA_KEY_DERIVATION_INPUT_COST: 9090 TEST_EQUAL(psa_key_derivation_input_integer( 9091 &operation, steps[i], 9092 mbedtls_test_parse_binary_string(inputs[i])), 9093 statuses[i]); 9094 if (statuses[i] != PSA_SUCCESS) { 9095 goto exit; 9096 } 9097 break; 9098 case PSA_KEY_DERIVATION_INPUT_PASSWORD: 9099 case PSA_KEY_DERIVATION_INPUT_SECRET: 9100 switch (key_input_type) { 9101 case 0: // input bytes 9102 TEST_EQUAL(psa_key_derivation_input_bytes( 9103 &operation, steps[i], 9104 inputs[i]->x, inputs[i]->len), 9105 statuses[i]); 9106 9107 if (statuses[i] != PSA_SUCCESS) { 9108 goto exit; 9109 } 9110 break; 9111 case 1: // input key 9112 psa_set_key_usage_flags(&attributes1, PSA_KEY_USAGE_DERIVE); 9113 psa_set_key_algorithm(&attributes1, alg); 9114 psa_set_key_type(&attributes1, PSA_KEY_TYPE_DERIVE); 9115 9116 PSA_ASSERT(psa_import_key(&attributes1, 9117 inputs[i]->x, inputs[i]->len, 9118 &keys[i])); 9119 9120 if (PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) { 9121 PSA_ASSERT(psa_get_key_attributes(keys[i], &attributes1)); 9122 TEST_LE_U(PSA_BITS_TO_BYTES(psa_get_key_bits(&attributes1)), 9123 PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE); 9124 } 9125 9126 TEST_EQUAL(psa_key_derivation_input_key(&operation, 9127 steps[i], 9128 keys[i]), 9129 statuses[i]); 9130 9131 if (statuses[i] != PSA_SUCCESS) { 9132 goto exit; 9133 } 9134 break; 9135 default: 9136 TEST_FAIL("default case not supported"); 9137 break; 9138 } 9139 break; 9140 case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET: 9141 switch (other_key_input_type) { 9142 case 0: // input bytes 9143 TEST_EQUAL(psa_key_derivation_input_bytes(&operation, 9144 steps[i], 9145 inputs[i]->x, 9146 inputs[i]->len), 9147 statuses[i]); 9148 break; 9149 case 1: // input key, type DERIVE 9150 case 11: // input key, type RAW 9151 psa_set_key_usage_flags(&attributes2, PSA_KEY_USAGE_DERIVE); 9152 psa_set_key_algorithm(&attributes2, alg); 9153 psa_set_key_type(&attributes2, PSA_KEY_TYPE_DERIVE); 9154 9155 // other secret of type RAW_DATA passed with input_key 9156 if (other_key_input_type == 11) { 9157 psa_set_key_type(&attributes2, PSA_KEY_TYPE_RAW_DATA); 9158 } 9159 9160 PSA_ASSERT(psa_import_key(&attributes2, 9161 inputs[i]->x, inputs[i]->len, 9162 &keys[i])); 9163 9164 TEST_EQUAL(psa_key_derivation_input_key(&operation, 9165 steps[i], 9166 keys[i]), 9167 statuses[i]); 9168 break; 9169 case 2: // key agreement 9170 psa_set_key_usage_flags(&attributes3, PSA_KEY_USAGE_DERIVE); 9171 psa_set_key_algorithm(&attributes3, alg); 9172 psa_set_key_type(&attributes3, 9173 PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)); 9174 9175 PSA_ASSERT(psa_import_key(&attributes3, 9176 inputs[i]->x, inputs[i]->len, 9177 &keys[i])); 9178 9179 TEST_EQUAL(psa_key_derivation_key_agreement( 9180 &operation, 9181 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET, 9182 keys[i], key_agreement_peer_key->x, 9183 key_agreement_peer_key->len), statuses[i]); 9184 break; 9185 default: 9186 TEST_FAIL("default case not supported"); 9187 break; 9188 } 9189 9190 if (statuses[i] != PSA_SUCCESS) { 9191 goto exit; 9192 } 9193 break; 9194 default: 9195 TEST_EQUAL(psa_key_derivation_input_bytes( 9196 &operation, steps[i], 9197 inputs[i]->x, inputs[i]->len), statuses[i]); 9198 9199 if (statuses[i] != PSA_SUCCESS) { 9200 goto exit; 9201 } 9202 break; 9203 } 9204 } 9205 9206 PSA_ASSERT(psa_key_derivation_get_capacity(&operation, 9207 ¤t_capacity)); 9208 TEST_EQUAL(current_capacity, requested_capacity); 9209 expected_capacity = requested_capacity; 9210 9211 if (derive_type == 1) { // output key 9212 psa_status_t expected_status = PSA_ERROR_NOT_PERMITTED; 9213 9214 /* For output key derivation secret must be provided using 9215 input key, otherwise operation is not permitted. */ 9216 if (key_input_type == 1) { 9217 expected_status = PSA_SUCCESS; 9218 } 9219 9220 psa_set_key_usage_flags(&attributes4, PSA_KEY_USAGE_EXPORT); 9221 psa_set_key_algorithm(&attributes4, alg); 9222 psa_set_key_type(&attributes4, PSA_KEY_TYPE_DERIVE); 9223 psa_set_key_bits(&attributes4, PSA_BYTES_TO_BITS(requested_capacity)); 9224 9225 TEST_EQUAL(psa_key_derivation_output_key(&attributes4, &operation, 9226 &derived_key), expected_status); 9227 } else { // output bytes 9228 /* Expansion phase. */ 9229 for (i = 0; i < ARRAY_LENGTH(expected_outputs); i++) { 9230 /* Read some bytes. */ 9231 status = psa_key_derivation_output_bytes(&operation, 9232 output_buffer, output_sizes[i]); 9233 if (expected_capacity == 0 && output_sizes[i] == 0) { 9234 /* Reading 0 bytes when 0 bytes are available can go either way. */ 9235 TEST_ASSERT(status == PSA_SUCCESS || 9236 status == PSA_ERROR_INSUFFICIENT_DATA); 9237 continue; 9238 } else if (expected_capacity == 0 || 9239 output_sizes[i] > expected_capacity) { 9240 /* Capacity exceeded. */ 9241 TEST_EQUAL(status, PSA_ERROR_INSUFFICIENT_DATA); 9242 expected_capacity = 0; 9243 continue; 9244 } 9245 /* Success. Check the read data. */ 9246 PSA_ASSERT(status); 9247 if (output_sizes[i] != 0) { 9248 TEST_MEMORY_COMPARE(output_buffer, output_sizes[i], 9249 expected_outputs[i], output_sizes[i]); 9250 } 9251 /* Check the operation status. */ 9252 expected_capacity -= output_sizes[i]; 9253 PSA_ASSERT(psa_key_derivation_get_capacity(&operation, 9254 ¤t_capacity)); 9255 TEST_EQUAL(expected_capacity, current_capacity); 9256 } 9257 } 9258 PSA_ASSERT(psa_key_derivation_abort(&operation)); 9259 9260 exit: 9261 mbedtls_free(output_buffer); 9262 psa_key_derivation_abort(&operation); 9263 for (i = 0; i < ARRAY_LENGTH(keys); i++) { 9264 psa_destroy_key(keys[i]); 9265 } 9266 psa_destroy_key(derived_key); 9267 PSA_DONE(); 9268 } 9269 /* END_CASE */ 9270 9271 /* BEGIN_CASE */ 9272 void derive_full(int alg_arg, 9273 data_t *key_data, 9274 data_t *input1, 9275 data_t *input2, 9276 int requested_capacity_arg) 9277 { 9278 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 9279 psa_algorithm_t alg = alg_arg; 9280 size_t requested_capacity = requested_capacity_arg; 9281 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 9282 unsigned char output_buffer[32]; 9283 size_t expected_capacity = requested_capacity; 9284 size_t current_capacity; 9285 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 9286 9287 PSA_ASSERT(psa_crypto_init()); 9288 9289 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 9290 psa_set_key_algorithm(&attributes, alg); 9291 psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE); 9292 9293 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 9294 &key)); 9295 9296 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, key, alg, 9297 input1->x, input1->len, 9298 input2->x, input2->len, 9299 requested_capacity, 0)) { 9300 goto exit; 9301 } 9302 9303 PSA_ASSERT(psa_key_derivation_get_capacity(&operation, 9304 ¤t_capacity)); 9305 TEST_EQUAL(current_capacity, expected_capacity); 9306 9307 /* Expansion phase. */ 9308 while (current_capacity > 0) { 9309 size_t read_size = sizeof(output_buffer); 9310 if (read_size > current_capacity) { 9311 read_size = current_capacity; 9312 } 9313 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, 9314 output_buffer, 9315 read_size)); 9316 expected_capacity -= read_size; 9317 PSA_ASSERT(psa_key_derivation_get_capacity(&operation, 9318 ¤t_capacity)); 9319 TEST_EQUAL(current_capacity, expected_capacity); 9320 } 9321 9322 /* Check that the operation refuses to go over capacity. */ 9323 TEST_EQUAL(psa_key_derivation_output_bytes(&operation, output_buffer, 1), 9324 PSA_ERROR_INSUFFICIENT_DATA); 9325 9326 PSA_ASSERT(psa_key_derivation_abort(&operation)); 9327 9328 exit: 9329 psa_key_derivation_abort(&operation); 9330 psa_destroy_key(key); 9331 PSA_DONE(); 9332 } 9333 /* END_CASE */ 9334 9335 /* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS */ 9336 void derive_ecjpake_to_pms(data_t *input, int expected_input_status_arg, 9337 int derivation_step, 9338 int capacity, int expected_capacity_status_arg, 9339 data_t *expected_output, 9340 int expected_output_status_arg) 9341 { 9342 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS; 9343 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 9344 psa_key_derivation_step_t step = (psa_key_derivation_step_t) derivation_step; 9345 uint8_t *output_buffer = NULL; 9346 psa_status_t status; 9347 psa_status_t expected_input_status = (psa_status_t) expected_input_status_arg; 9348 psa_status_t expected_capacity_status = (psa_status_t) expected_capacity_status_arg; 9349 psa_status_t expected_output_status = (psa_status_t) expected_output_status_arg; 9350 9351 TEST_CALLOC(output_buffer, expected_output->len); 9352 PSA_ASSERT(psa_crypto_init()); 9353 9354 PSA_ASSERT(psa_key_derivation_setup(&operation, alg)); 9355 TEST_EQUAL(psa_key_derivation_set_capacity(&operation, capacity), 9356 expected_capacity_status); 9357 9358 TEST_EQUAL(psa_key_derivation_input_bytes(&operation, 9359 step, input->x, input->len), 9360 expected_input_status); 9361 9362 if (((psa_status_t) expected_input_status) != PSA_SUCCESS) { 9363 goto exit; 9364 } 9365 9366 status = psa_key_derivation_output_bytes(&operation, output_buffer, 9367 expected_output->len); 9368 9369 TEST_EQUAL(status, expected_output_status); 9370 if (expected_output->len != 0 && expected_output_status == PSA_SUCCESS) { 9371 TEST_MEMORY_COMPARE(output_buffer, expected_output->len, expected_output->x, 9372 expected_output->len); 9373 } 9374 9375 exit: 9376 mbedtls_free(output_buffer); 9377 psa_key_derivation_abort(&operation); 9378 PSA_DONE(); 9379 } 9380 /* END_CASE */ 9381 9382 /* BEGIN_CASE */ 9383 void derive_key_exercise(int alg_arg, 9384 data_t *key_data, 9385 data_t *input1, 9386 data_t *input2, 9387 int derived_type_arg, 9388 int derived_bits_arg, 9389 int derived_usage_arg, 9390 int derived_alg_arg) 9391 { 9392 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 9393 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 9394 psa_algorithm_t alg = alg_arg; 9395 psa_key_type_t derived_type = derived_type_arg; 9396 size_t derived_bits = derived_bits_arg; 9397 psa_key_usage_t derived_usage = derived_usage_arg; 9398 psa_algorithm_t derived_alg = derived_alg_arg; 9399 size_t capacity = PSA_BITS_TO_BYTES(derived_bits); 9400 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 9401 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 9402 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 9403 9404 PSA_ASSERT(psa_crypto_init()); 9405 9406 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 9407 psa_set_key_algorithm(&attributes, alg); 9408 psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE); 9409 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 9410 &base_key)); 9411 9412 /* Derive a key. */ 9413 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg, 9414 input1->x, input1->len, 9415 input2->x, input2->len, 9416 capacity, 0)) { 9417 goto exit; 9418 } 9419 9420 psa_set_key_usage_flags(&attributes, derived_usage); 9421 psa_set_key_algorithm(&attributes, derived_alg); 9422 psa_set_key_type(&attributes, derived_type); 9423 psa_set_key_bits(&attributes, derived_bits); 9424 PSA_ASSERT(psa_key_derivation_output_key(&attributes, &operation, 9425 &derived_key)); 9426 9427 /* Test the key information */ 9428 PSA_ASSERT(psa_get_key_attributes(derived_key, &got_attributes)); 9429 TEST_EQUAL(psa_get_key_type(&got_attributes), derived_type); 9430 TEST_EQUAL(psa_get_key_bits(&got_attributes), derived_bits); 9431 9432 /* Exercise the derived key. */ 9433 if (!mbedtls_test_psa_exercise_key(derived_key, derived_usage, derived_alg, 0)) { 9434 goto exit; 9435 } 9436 9437 exit: 9438 /* 9439 * Key attributes may have been returned by psa_get_key_attributes() 9440 * thus reset them as required. 9441 */ 9442 psa_reset_key_attributes(&got_attributes); 9443 9444 psa_key_derivation_abort(&operation); 9445 psa_destroy_key(base_key); 9446 psa_destroy_key(derived_key); 9447 PSA_DONE(); 9448 } 9449 /* END_CASE */ 9450 9451 /* BEGIN_CASE */ 9452 void derive_key_export(int alg_arg, 9453 data_t *key_data, 9454 data_t *input1, 9455 data_t *input2, 9456 int bytes1_arg, 9457 int bytes2_arg) 9458 { 9459 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 9460 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 9461 psa_algorithm_t alg = alg_arg; 9462 size_t bytes1 = bytes1_arg; 9463 size_t bytes2 = bytes2_arg; 9464 size_t capacity = bytes1 + bytes2; 9465 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 9466 uint8_t *output_buffer = NULL; 9467 uint8_t *export_buffer = NULL; 9468 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 9469 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; 9470 size_t length; 9471 9472 TEST_CALLOC(output_buffer, capacity); 9473 TEST_CALLOC(export_buffer, capacity); 9474 PSA_ASSERT(psa_crypto_init()); 9475 9476 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE); 9477 psa_set_key_algorithm(&base_attributes, alg); 9478 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE); 9479 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len, 9480 &base_key)); 9481 9482 /* Derive some material and output it. */ 9483 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg, 9484 input1->x, input1->len, 9485 input2->x, input2->len, 9486 capacity, 0)) { 9487 goto exit; 9488 } 9489 9490 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, 9491 output_buffer, 9492 capacity)); 9493 PSA_ASSERT(psa_key_derivation_abort(&operation)); 9494 9495 /* Derive the same output again, but this time store it in key objects. */ 9496 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg, 9497 input1->x, input1->len, 9498 input2->x, input2->len, 9499 capacity, 0)) { 9500 goto exit; 9501 } 9502 9503 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT); 9504 psa_set_key_algorithm(&derived_attributes, 0); 9505 psa_set_key_type(&derived_attributes, PSA_KEY_TYPE_RAW_DATA); 9506 psa_set_key_bits(&derived_attributes, PSA_BYTES_TO_BITS(bytes1)); 9507 PSA_ASSERT(psa_key_derivation_output_key(&derived_attributes, &operation, 9508 &derived_key)); 9509 PSA_ASSERT(psa_export_key(derived_key, 9510 export_buffer, bytes1, 9511 &length)); 9512 TEST_EQUAL(length, bytes1); 9513 PSA_ASSERT(psa_destroy_key(derived_key)); 9514 psa_set_key_bits(&derived_attributes, PSA_BYTES_TO_BITS(bytes2)); 9515 PSA_ASSERT(psa_key_derivation_output_key(&derived_attributes, &operation, 9516 &derived_key)); 9517 PSA_ASSERT(psa_export_key(derived_key, 9518 export_buffer + bytes1, bytes2, 9519 &length)); 9520 TEST_EQUAL(length, bytes2); 9521 9522 /* Compare the outputs from the two runs. */ 9523 TEST_MEMORY_COMPARE(output_buffer, bytes1 + bytes2, 9524 export_buffer, capacity); 9525 9526 exit: 9527 mbedtls_free(output_buffer); 9528 mbedtls_free(export_buffer); 9529 psa_key_derivation_abort(&operation); 9530 psa_destroy_key(base_key); 9531 psa_destroy_key(derived_key); 9532 PSA_DONE(); 9533 } 9534 /* END_CASE */ 9535 9536 /* BEGIN_CASE */ 9537 void derive_key_type(int alg_arg, 9538 data_t *key_data, 9539 data_t *input1, 9540 data_t *input2, 9541 int key_type_arg, int bits_arg, 9542 data_t *expected_export) 9543 { 9544 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 9545 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 9546 const psa_algorithm_t alg = alg_arg; 9547 const psa_key_type_t key_type = key_type_arg; 9548 const size_t bits = bits_arg; 9549 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 9550 const size_t export_buffer_size = 9551 PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits); 9552 uint8_t *export_buffer = NULL; 9553 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 9554 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; 9555 size_t export_length; 9556 9557 TEST_CALLOC(export_buffer, export_buffer_size); 9558 PSA_ASSERT(psa_crypto_init()); 9559 9560 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE); 9561 psa_set_key_algorithm(&base_attributes, alg); 9562 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE); 9563 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len, 9564 &base_key)); 9565 9566 if (mbedtls_test_psa_setup_key_derivation_wrap( 9567 &operation, base_key, alg, 9568 input1->x, input1->len, 9569 input2->x, input2->len, 9570 PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) { 9571 goto exit; 9572 } 9573 9574 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT); 9575 psa_set_key_algorithm(&derived_attributes, 0); 9576 psa_set_key_type(&derived_attributes, key_type); 9577 psa_set_key_bits(&derived_attributes, bits); 9578 PSA_ASSERT(psa_key_derivation_output_key(&derived_attributes, &operation, 9579 &derived_key)); 9580 9581 PSA_ASSERT(psa_export_key(derived_key, 9582 export_buffer, export_buffer_size, 9583 &export_length)); 9584 TEST_MEMORY_COMPARE(export_buffer, export_length, 9585 expected_export->x, expected_export->len); 9586 9587 exit: 9588 mbedtls_free(export_buffer); 9589 psa_key_derivation_abort(&operation); 9590 psa_destroy_key(base_key); 9591 psa_destroy_key(derived_key); 9592 PSA_DONE(); 9593 } 9594 /* END_CASE */ 9595 9596 /* BEGIN_CASE */ 9597 void derive_key_custom(int alg_arg, 9598 data_t *key_data, 9599 data_t *input1, 9600 data_t *input2, 9601 int key_type_arg, int bits_arg, 9602 int flags_arg, 9603 data_t *custom_data, 9604 psa_status_t expected_status, 9605 data_t *expected_export) 9606 { 9607 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 9608 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 9609 const psa_algorithm_t alg = alg_arg; 9610 const psa_key_type_t key_type = key_type_arg; 9611 const size_t bits = bits_arg; 9612 psa_custom_key_parameters_t custom = PSA_CUSTOM_KEY_PARAMETERS_INIT; 9613 custom.flags = flags_arg; 9614 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 9615 const size_t export_buffer_size = 9616 PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits); 9617 uint8_t *export_buffer = NULL; 9618 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 9619 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; 9620 size_t export_length; 9621 9622 TEST_CALLOC(export_buffer, export_buffer_size); 9623 PSA_ASSERT(psa_crypto_init()); 9624 9625 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE); 9626 psa_set_key_algorithm(&base_attributes, alg); 9627 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE); 9628 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len, 9629 &base_key)); 9630 9631 if (mbedtls_test_psa_setup_key_derivation_wrap( 9632 &operation, base_key, alg, 9633 input1->x, input1->len, 9634 input2->x, input2->len, 9635 PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) { 9636 goto exit; 9637 } 9638 9639 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT); 9640 psa_set_key_algorithm(&derived_attributes, 0); 9641 psa_set_key_type(&derived_attributes, key_type); 9642 psa_set_key_bits(&derived_attributes, bits); 9643 9644 TEST_EQUAL(psa_key_derivation_output_key_custom( 9645 &derived_attributes, &operation, 9646 &custom, custom_data->x, custom_data->len, 9647 &derived_key), 9648 expected_status); 9649 9650 if (expected_status == PSA_SUCCESS) { 9651 PSA_ASSERT(psa_export_key(derived_key, 9652 export_buffer, export_buffer_size, 9653 &export_length)); 9654 TEST_MEMORY_COMPARE(export_buffer, export_length, 9655 expected_export->x, expected_export->len); 9656 } 9657 9658 exit: 9659 mbedtls_free(export_buffer); 9660 psa_key_derivation_abort(&operation); 9661 psa_destroy_key(base_key); 9662 psa_destroy_key(derived_key); 9663 PSA_DONE(); 9664 } 9665 /* END_CASE */ 9666 9667 /* BEGIN_CASE */ 9668 void derive_key_ext(int alg_arg, 9669 data_t *key_data, 9670 data_t *input1, 9671 data_t *input2, 9672 int key_type_arg, int bits_arg, 9673 int flags_arg, 9674 data_t *params_data, 9675 psa_status_t expected_status, 9676 data_t *expected_export) 9677 { 9678 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 9679 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 9680 const psa_algorithm_t alg = alg_arg; 9681 const psa_key_type_t key_type = key_type_arg; 9682 const size_t bits = bits_arg; 9683 psa_key_production_parameters_t *params = NULL; 9684 size_t params_data_length = 0; 9685 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 9686 const size_t export_buffer_size = 9687 PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits); 9688 uint8_t *export_buffer = NULL; 9689 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 9690 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; 9691 size_t export_length; 9692 9693 TEST_CALLOC(export_buffer, export_buffer_size); 9694 PSA_ASSERT(psa_crypto_init()); 9695 9696 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE); 9697 psa_set_key_algorithm(&base_attributes, alg); 9698 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE); 9699 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len, 9700 &base_key)); 9701 9702 if (mbedtls_test_psa_setup_key_derivation_wrap( 9703 &operation, base_key, alg, 9704 input1->x, input1->len, 9705 input2->x, input2->len, 9706 PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) { 9707 goto exit; 9708 } 9709 9710 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT); 9711 psa_set_key_algorithm(&derived_attributes, 0); 9712 psa_set_key_type(&derived_attributes, key_type); 9713 psa_set_key_bits(&derived_attributes, bits); 9714 if (!setup_key_production_parameters(¶ms, ¶ms_data_length, 9715 flags_arg, params_data)) { 9716 goto exit; 9717 } 9718 9719 TEST_EQUAL(psa_key_derivation_output_key_ext(&derived_attributes, &operation, 9720 params, params_data_length, 9721 &derived_key), 9722 expected_status); 9723 9724 if (expected_status == PSA_SUCCESS) { 9725 PSA_ASSERT(psa_export_key(derived_key, 9726 export_buffer, export_buffer_size, 9727 &export_length)); 9728 TEST_MEMORY_COMPARE(export_buffer, export_length, 9729 expected_export->x, expected_export->len); 9730 } 9731 9732 exit: 9733 mbedtls_free(export_buffer); 9734 mbedtls_free(params); 9735 psa_key_derivation_abort(&operation); 9736 psa_destroy_key(base_key); 9737 psa_destroy_key(derived_key); 9738 PSA_DONE(); 9739 } 9740 /* END_CASE */ 9741 9742 /* BEGIN_CASE */ 9743 void derive_key(int alg_arg, 9744 data_t *key_data, data_t *input1, data_t *input2, 9745 int type_arg, int bits_arg, 9746 int expected_status_arg, 9747 int is_large_output) 9748 { 9749 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 9750 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 9751 psa_algorithm_t alg = alg_arg; 9752 psa_key_type_t type = type_arg; 9753 size_t bits = bits_arg; 9754 psa_status_t expected_status = expected_status_arg; 9755 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 9756 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 9757 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; 9758 9759 PSA_ASSERT(psa_crypto_init()); 9760 9761 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE); 9762 psa_set_key_algorithm(&base_attributes, alg); 9763 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE); 9764 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len, 9765 &base_key)); 9766 9767 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg, 9768 input1->x, input1->len, 9769 input2->x, input2->len, 9770 SIZE_MAX, 0)) { 9771 goto exit; 9772 } 9773 9774 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT); 9775 psa_set_key_algorithm(&derived_attributes, 0); 9776 psa_set_key_type(&derived_attributes, type); 9777 psa_set_key_bits(&derived_attributes, bits); 9778 9779 psa_status_t status = 9780 psa_key_derivation_output_key(&derived_attributes, 9781 &operation, 9782 &derived_key); 9783 if (is_large_output > 0) { 9784 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY); 9785 } 9786 TEST_EQUAL(status, expected_status); 9787 9788 exit: 9789 psa_key_derivation_abort(&operation); 9790 psa_destroy_key(base_key); 9791 psa_destroy_key(derived_key); 9792 PSA_DONE(); 9793 } 9794 /* END_CASE */ 9795 9796 /* BEGIN_CASE */ 9797 void key_agreement_setup(int alg_arg, 9798 int our_key_type_arg, int our_key_alg_arg, 9799 data_t *our_key_data, data_t *peer_key_data, 9800 int expected_status_arg) 9801 { 9802 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 9803 psa_algorithm_t alg = alg_arg; 9804 psa_algorithm_t our_key_alg = our_key_alg_arg; 9805 psa_key_type_t our_key_type = our_key_type_arg; 9806 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 9807 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 9808 psa_status_t expected_status = expected_status_arg; 9809 psa_status_t status; 9810 9811 PSA_ASSERT(psa_crypto_init()); 9812 9813 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 9814 psa_set_key_algorithm(&attributes, our_key_alg); 9815 psa_set_key_type(&attributes, our_key_type); 9816 PSA_ASSERT(psa_import_key(&attributes, 9817 our_key_data->x, our_key_data->len, 9818 &our_key)); 9819 9820 /* The tests currently include inputs that should fail at either step. 9821 * Test cases that fail at the setup step should be changed to call 9822 * key_derivation_setup instead, and this function should be renamed 9823 * to key_agreement_fail. */ 9824 status = psa_key_derivation_setup(&operation, alg); 9825 if (status == PSA_SUCCESS) { 9826 TEST_EQUAL(psa_key_derivation_key_agreement( 9827 &operation, PSA_KEY_DERIVATION_INPUT_SECRET, 9828 our_key, 9829 peer_key_data->x, peer_key_data->len), 9830 expected_status); 9831 } else { 9832 TEST_ASSERT(status == expected_status); 9833 } 9834 9835 exit: 9836 psa_key_derivation_abort(&operation); 9837 psa_destroy_key(our_key); 9838 PSA_DONE(); 9839 } 9840 /* END_CASE */ 9841 9842 /* BEGIN_CASE */ 9843 void raw_key_agreement(int alg_arg, 9844 int our_key_type_arg, data_t *our_key_data, 9845 data_t *peer_key_data, 9846 data_t *expected_output) 9847 { 9848 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 9849 psa_algorithm_t alg = alg_arg; 9850 psa_key_type_t our_key_type = our_key_type_arg; 9851 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 9852 unsigned char *output = NULL; 9853 size_t output_length = ~0; 9854 size_t key_bits; 9855 9856 PSA_ASSERT(psa_crypto_init()); 9857 9858 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 9859 psa_set_key_algorithm(&attributes, alg); 9860 psa_set_key_type(&attributes, our_key_type); 9861 PSA_ASSERT(psa_import_key(&attributes, 9862 our_key_data->x, our_key_data->len, 9863 &our_key)); 9864 9865 PSA_ASSERT(psa_get_key_attributes(our_key, &attributes)); 9866 key_bits = psa_get_key_bits(&attributes); 9867 9868 /* Validate size macros */ 9869 TEST_LE_U(expected_output->len, 9870 PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(our_key_type, key_bits)); 9871 TEST_LE_U(PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(our_key_type, key_bits), 9872 PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE); 9873 9874 /* Good case with exact output size */ 9875 TEST_CALLOC(output, expected_output->len); 9876 PSA_ASSERT(psa_raw_key_agreement(alg, our_key, 9877 peer_key_data->x, peer_key_data->len, 9878 output, expected_output->len, 9879 &output_length)); 9880 TEST_MEMORY_COMPARE(output, output_length, 9881 expected_output->x, expected_output->len); 9882 mbedtls_free(output); 9883 output = NULL; 9884 output_length = ~0; 9885 9886 /* Larger buffer */ 9887 TEST_CALLOC(output, expected_output->len + 1); 9888 PSA_ASSERT(psa_raw_key_agreement(alg, our_key, 9889 peer_key_data->x, peer_key_data->len, 9890 output, expected_output->len + 1, 9891 &output_length)); 9892 TEST_MEMORY_COMPARE(output, output_length, 9893 expected_output->x, expected_output->len); 9894 mbedtls_free(output); 9895 output = NULL; 9896 output_length = ~0; 9897 9898 /* Buffer too small */ 9899 TEST_CALLOC(output, expected_output->len - 1); 9900 TEST_EQUAL(psa_raw_key_agreement(alg, our_key, 9901 peer_key_data->x, peer_key_data->len, 9902 output, expected_output->len - 1, 9903 &output_length), 9904 PSA_ERROR_BUFFER_TOO_SMALL); 9905 /* Not required by the spec, but good robustness */ 9906 TEST_LE_U(output_length, expected_output->len - 1); 9907 mbedtls_free(output); 9908 output = NULL; 9909 9910 exit: 9911 mbedtls_free(output); 9912 psa_destroy_key(our_key); 9913 PSA_DONE(); 9914 } 9915 /* END_CASE */ 9916 9917 /* BEGIN_CASE */ 9918 void key_agreement_capacity(int alg_arg, 9919 int our_key_type_arg, data_t *our_key_data, 9920 data_t *peer_key_data, 9921 int expected_capacity_arg) 9922 { 9923 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 9924 psa_algorithm_t alg = alg_arg; 9925 psa_key_type_t our_key_type = our_key_type_arg; 9926 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 9927 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 9928 size_t actual_capacity; 9929 unsigned char output[16]; 9930 9931 PSA_ASSERT(psa_crypto_init()); 9932 9933 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 9934 psa_set_key_algorithm(&attributes, alg); 9935 psa_set_key_type(&attributes, our_key_type); 9936 PSA_ASSERT(psa_import_key(&attributes, 9937 our_key_data->x, our_key_data->len, 9938 &our_key)); 9939 9940 PSA_ASSERT(psa_key_derivation_setup(&operation, alg)); 9941 PSA_ASSERT(psa_key_derivation_key_agreement( 9942 &operation, 9943 PSA_KEY_DERIVATION_INPUT_SECRET, our_key, 9944 peer_key_data->x, peer_key_data->len)); 9945 if (PSA_ALG_IS_HKDF(PSA_ALG_KEY_AGREEMENT_GET_KDF(alg))) { 9946 /* The test data is for info="" */ 9947 PSA_ASSERT(psa_key_derivation_input_bytes(&operation, 9948 PSA_KEY_DERIVATION_INPUT_INFO, 9949 NULL, 0)); 9950 } 9951 9952 /* Test the advertised capacity. */ 9953 PSA_ASSERT(psa_key_derivation_get_capacity( 9954 &operation, &actual_capacity)); 9955 TEST_EQUAL(actual_capacity, (size_t) expected_capacity_arg); 9956 9957 /* Test the actual capacity by reading the output. */ 9958 while (actual_capacity > sizeof(output)) { 9959 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, 9960 output, sizeof(output))); 9961 actual_capacity -= sizeof(output); 9962 } 9963 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, 9964 output, actual_capacity)); 9965 TEST_EQUAL(psa_key_derivation_output_bytes(&operation, output, 1), 9966 PSA_ERROR_INSUFFICIENT_DATA); 9967 9968 exit: 9969 psa_key_derivation_abort(&operation); 9970 psa_destroy_key(our_key); 9971 PSA_DONE(); 9972 } 9973 /* END_CASE */ 9974 9975 /* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ 9976 void ecc_conversion_functions(int grp_id_arg, int psa_family_arg, int bits_arg) 9977 { 9978 mbedtls_ecp_group_id grp_id = grp_id_arg; 9979 psa_ecc_family_t ecc_family = psa_family_arg; 9980 size_t bits = bits_arg; 9981 size_t bits_tmp; 9982 9983 TEST_EQUAL(ecc_family, mbedtls_ecc_group_to_psa(grp_id, &bits_tmp)); 9984 TEST_EQUAL(bits, bits_tmp); 9985 TEST_EQUAL(grp_id, mbedtls_ecc_group_from_psa(ecc_family, bits)); 9986 } 9987 /* END_CASE */ 9988 9989 /* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ 9990 void ecc_conversion_functions_fail() 9991 { 9992 size_t bits; 9993 9994 /* Invalid legacy curve identifiers. */ 9995 TEST_EQUAL(0, mbedtls_ecc_group_to_psa(MBEDTLS_ECP_DP_MAX, &bits)); 9996 TEST_EQUAL(0, bits); 9997 TEST_EQUAL(0, mbedtls_ecc_group_to_psa(MBEDTLS_ECP_DP_NONE, &bits)); 9998 TEST_EQUAL(0, bits); 9999 10000 /* Invalid PSA EC family. */ 10001 TEST_EQUAL(MBEDTLS_ECP_DP_NONE, mbedtls_ecc_group_from_psa(0, 192)); 10002 /* Invalid bit-size for a valid EC family. */ 10003 TEST_EQUAL(MBEDTLS_ECP_DP_NONE, mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_SECP_R1, 512)); 10004 10005 /* Twisted-Edward curves are not supported yet. */ 10006 TEST_EQUAL(MBEDTLS_ECP_DP_NONE, 10007 mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_TWISTED_EDWARDS, 255)); 10008 TEST_EQUAL(MBEDTLS_ECP_DP_NONE, 10009 mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_TWISTED_EDWARDS, 448)); 10010 } 10011 /* END_CASE */ 10012 10013 10014 /* BEGIN_CASE */ 10015 void key_agreement_output(int alg_arg, 10016 int our_key_type_arg, data_t *our_key_data, 10017 data_t *peer_key_data, 10018 data_t *expected_output1, data_t *expected_output2) 10019 { 10020 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 10021 psa_algorithm_t alg = alg_arg; 10022 psa_key_type_t our_key_type = our_key_type_arg; 10023 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 10024 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10025 uint8_t *actual_output = NULL; 10026 10027 TEST_CALLOC(actual_output, MAX(expected_output1->len, 10028 expected_output2->len)); 10029 10030 PSA_ASSERT(psa_crypto_init()); 10031 10032 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 10033 psa_set_key_algorithm(&attributes, alg); 10034 psa_set_key_type(&attributes, our_key_type); 10035 PSA_ASSERT(psa_import_key(&attributes, 10036 our_key_data->x, our_key_data->len, 10037 &our_key)); 10038 10039 PSA_ASSERT(psa_key_derivation_setup(&operation, alg)); 10040 PSA_ASSERT(psa_key_derivation_key_agreement( 10041 &operation, 10042 PSA_KEY_DERIVATION_INPUT_SECRET, our_key, 10043 peer_key_data->x, peer_key_data->len)); 10044 if (PSA_ALG_IS_HKDF(PSA_ALG_KEY_AGREEMENT_GET_KDF(alg))) { 10045 /* The test data is for info="" */ 10046 PSA_ASSERT(psa_key_derivation_input_bytes(&operation, 10047 PSA_KEY_DERIVATION_INPUT_INFO, 10048 NULL, 0)); 10049 } 10050 10051 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, 10052 actual_output, 10053 expected_output1->len)); 10054 TEST_MEMORY_COMPARE(actual_output, expected_output1->len, 10055 expected_output1->x, expected_output1->len); 10056 if (expected_output2->len != 0) { 10057 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, 10058 actual_output, 10059 expected_output2->len)); 10060 TEST_MEMORY_COMPARE(actual_output, expected_output2->len, 10061 expected_output2->x, expected_output2->len); 10062 } 10063 10064 exit: 10065 psa_key_derivation_abort(&operation); 10066 psa_destroy_key(our_key); 10067 PSA_DONE(); 10068 mbedtls_free(actual_output); 10069 } 10070 /* END_CASE */ 10071 10072 /* BEGIN_CASE */ 10073 void generate_random(int bytes_arg) 10074 { 10075 size_t bytes = bytes_arg; 10076 unsigned char *output = NULL; 10077 unsigned char *changed = NULL; 10078 size_t i; 10079 unsigned run; 10080 10081 TEST_ASSERT(bytes_arg >= 0); 10082 10083 TEST_CALLOC(output, bytes); 10084 TEST_CALLOC(changed, bytes); 10085 10086 PSA_ASSERT(psa_crypto_init()); 10087 10088 /* Run several times, to ensure that every output byte will be 10089 * nonzero at least once with overwhelming probability 10090 * (2^(-8*number_of_runs)). */ 10091 for (run = 0; run < 10; run++) { 10092 if (bytes != 0) { 10093 memset(output, 0, bytes); 10094 } 10095 PSA_ASSERT(psa_generate_random(output, bytes)); 10096 10097 for (i = 0; i < bytes; i++) { 10098 if (output[i] != 0) { 10099 ++changed[i]; 10100 } 10101 } 10102 } 10103 10104 /* Check that every byte was changed to nonzero at least once. This 10105 * validates that psa_generate_random is overwriting every byte of 10106 * the output buffer. */ 10107 for (i = 0; i < bytes; i++) { 10108 TEST_ASSERT(changed[i] != 0); 10109 } 10110 10111 exit: 10112 PSA_DONE(); 10113 mbedtls_free(output); 10114 mbedtls_free(changed); 10115 } 10116 /* END_CASE */ 10117 10118 #if defined MBEDTLS_THREADING_PTHREAD 10119 10120 /* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD */ 10121 void concurrently_generate_keys(int type_arg, 10122 int bits_arg, 10123 int usage_arg, 10124 int alg_arg, 10125 int expected_status_arg, 10126 int is_large_key_arg, 10127 int arg_thread_count, 10128 int reps_arg) 10129 { 10130 size_t thread_count = (size_t) arg_thread_count; 10131 mbedtls_test_thread_t *threads = NULL; 10132 generate_key_context gkc; 10133 gkc.type = type_arg; 10134 gkc.usage = usage_arg; 10135 gkc.bits = bits_arg; 10136 gkc.alg = alg_arg; 10137 gkc.expected_status = expected_status_arg; 10138 gkc.is_large_key = is_large_key_arg; 10139 gkc.reps = reps_arg; 10140 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10141 10142 PSA_ASSERT(psa_crypto_init()); 10143 10144 psa_set_key_usage_flags(&attributes, usage_arg); 10145 psa_set_key_algorithm(&attributes, alg_arg); 10146 psa_set_key_type(&attributes, type_arg); 10147 psa_set_key_bits(&attributes, bits_arg); 10148 gkc.attributes = &attributes; 10149 10150 TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count); 10151 10152 /* Split threads to generate key then destroy key. */ 10153 for (size_t i = 0; i < thread_count; i++) { 10154 TEST_EQUAL( 10155 mbedtls_test_thread_create(&threads[i], thread_generate_key, 10156 (void *) &gkc), 0); 10157 } 10158 10159 /* Join threads. */ 10160 for (size_t i = 0; i < thread_count; i++) { 10161 TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0); 10162 } 10163 10164 exit: 10165 mbedtls_free(threads); 10166 PSA_DONE(); 10167 } 10168 /* END_CASE */ 10169 #endif 10170 10171 /* BEGIN_CASE */ 10172 void generate_key(int type_arg, 10173 int bits_arg, 10174 int usage_arg, 10175 int alg_arg, 10176 int expected_status_arg, 10177 int is_large_key) 10178 { 10179 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 10180 psa_key_type_t type = type_arg; 10181 psa_key_usage_t usage = usage_arg; 10182 size_t bits = bits_arg; 10183 psa_algorithm_t alg = alg_arg; 10184 psa_status_t expected_status = expected_status_arg; 10185 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10186 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 10187 10188 PSA_ASSERT(psa_crypto_init()); 10189 10190 psa_set_key_usage_flags(&attributes, usage); 10191 psa_set_key_algorithm(&attributes, alg); 10192 psa_set_key_type(&attributes, type); 10193 psa_set_key_bits(&attributes, bits); 10194 10195 /* Generate a key */ 10196 psa_status_t status = psa_generate_key(&attributes, &key); 10197 10198 if (is_large_key > 0) { 10199 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY); 10200 } 10201 TEST_EQUAL(status, expected_status); 10202 if (expected_status != PSA_SUCCESS) { 10203 goto exit; 10204 } 10205 10206 /* Test the key information */ 10207 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 10208 TEST_EQUAL(psa_get_key_type(&got_attributes), type); 10209 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits); 10210 10211 /* Do something with the key according to its type and permitted usage. */ 10212 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) { 10213 goto exit; 10214 } 10215 10216 exit: 10217 /* 10218 * Key attributes may have been returned by psa_get_key_attributes() 10219 * thus reset them as required. 10220 */ 10221 psa_reset_key_attributes(&got_attributes); 10222 10223 psa_destroy_key(key); 10224 PSA_DONE(); 10225 } 10226 /* END_CASE */ 10227 10228 /* BEGIN_CASE */ 10229 void generate_key_custom(int type_arg, 10230 int bits_arg, 10231 int usage_arg, 10232 int alg_arg, 10233 int flags_arg, 10234 data_t *custom_data, 10235 int expected_status_arg) 10236 { 10237 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 10238 psa_key_type_t type = type_arg; 10239 psa_key_usage_t usage = usage_arg; 10240 size_t bits = bits_arg; 10241 psa_algorithm_t alg = alg_arg; 10242 psa_status_t expected_status = expected_status_arg; 10243 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10244 psa_custom_key_parameters_t custom = PSA_CUSTOM_KEY_PARAMETERS_INIT; 10245 custom.flags = flags_arg; 10246 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 10247 10248 PSA_ASSERT(psa_crypto_init()); 10249 10250 psa_set_key_usage_flags(&attributes, usage); 10251 psa_set_key_algorithm(&attributes, alg); 10252 psa_set_key_type(&attributes, type); 10253 psa_set_key_bits(&attributes, bits); 10254 10255 /* Generate a key */ 10256 psa_status_t status = 10257 psa_generate_key_custom(&attributes, 10258 &custom, custom_data->x, custom_data->len, 10259 &key); 10260 10261 TEST_EQUAL(status, expected_status); 10262 if (expected_status != PSA_SUCCESS) { 10263 goto exit; 10264 } 10265 10266 /* Test the key information */ 10267 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 10268 TEST_EQUAL(psa_get_key_type(&got_attributes), type); 10269 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits); 10270 10271 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) && defined(MBEDTLS_ASN1_PARSE_C) 10272 if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) { 10273 TEST_ASSERT(rsa_test_e(key, bits, custom_data)); 10274 } 10275 #endif 10276 10277 /* Do something with the key according to its type and permitted usage. */ 10278 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) { 10279 goto exit; 10280 } 10281 10282 exit: 10283 /* 10284 * Key attributes may have been returned by psa_get_key_attributes() 10285 * thus reset them as required. 10286 */ 10287 psa_reset_key_attributes(&got_attributes); 10288 psa_destroy_key(key); 10289 PSA_DONE(); 10290 } 10291 /* END_CASE */ 10292 10293 /* BEGIN_CASE */ 10294 void generate_key_ext(int type_arg, 10295 int bits_arg, 10296 int usage_arg, 10297 int alg_arg, 10298 int flags_arg, 10299 data_t *params_data, 10300 int expected_status_arg) 10301 { 10302 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 10303 psa_key_type_t type = type_arg; 10304 psa_key_usage_t usage = usage_arg; 10305 size_t bits = bits_arg; 10306 psa_algorithm_t alg = alg_arg; 10307 psa_status_t expected_status = expected_status_arg; 10308 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10309 psa_key_production_parameters_t *params = NULL; 10310 size_t params_data_length = 0; 10311 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 10312 10313 PSA_ASSERT(psa_crypto_init()); 10314 10315 psa_set_key_usage_flags(&attributes, usage); 10316 psa_set_key_algorithm(&attributes, alg); 10317 psa_set_key_type(&attributes, type); 10318 psa_set_key_bits(&attributes, bits); 10319 10320 if (!setup_key_production_parameters(¶ms, ¶ms_data_length, 10321 flags_arg, params_data)) { 10322 goto exit; 10323 } 10324 10325 /* Generate a key */ 10326 psa_status_t status = psa_generate_key_ext(&attributes, 10327 params, params_data_length, 10328 &key); 10329 10330 TEST_EQUAL(status, expected_status); 10331 if (expected_status != PSA_SUCCESS) { 10332 goto exit; 10333 } 10334 10335 /* Test the key information */ 10336 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 10337 TEST_EQUAL(psa_get_key_type(&got_attributes), type); 10338 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits); 10339 10340 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) 10341 if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) { 10342 TEST_ASSERT(rsa_test_e(key, bits, params_data)); 10343 } 10344 #endif 10345 10346 /* Do something with the key according to its type and permitted usage. */ 10347 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) { 10348 goto exit; 10349 } 10350 10351 exit: 10352 /* 10353 * Key attributes may have been returned by psa_get_key_attributes() 10354 * thus reset them as required. 10355 */ 10356 psa_reset_key_attributes(&got_attributes); 10357 mbedtls_free(params); 10358 psa_destroy_key(key); 10359 PSA_DONE(); 10360 } 10361 /* END_CASE */ 10362 10363 /* BEGIN_CASE */ 10364 void key_production_parameters_init() 10365 { 10366 psa_key_production_parameters_t init = PSA_KEY_PRODUCTION_PARAMETERS_INIT; 10367 psa_key_production_parameters_t zero; 10368 memset(&zero, 0, sizeof(zero)); 10369 10370 TEST_EQUAL(init.flags, 0); 10371 TEST_EQUAL(zero.flags, 0); 10372 } 10373 /* END_CASE */ 10374 10375 /* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */ 10376 void persistent_key_load_key_from_storage(data_t *data, 10377 int type_arg, int bits_arg, 10378 int usage_flags_arg, int alg_arg, 10379 int generation_method) 10380 { 10381 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, 1); 10382 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10383 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 10384 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 10385 psa_key_type_t type = type_arg; 10386 size_t bits = bits_arg; 10387 psa_key_usage_t usage_flags = usage_flags_arg; 10388 psa_algorithm_t alg = alg_arg; 10389 psa_key_derivation_operation_t operation = psa_key_derivation_operation_init_short(); 10390 unsigned char *first_export = NULL; 10391 unsigned char *second_export = NULL; 10392 size_t export_size = PSA_EXPORT_KEY_OUTPUT_SIZE(type, bits); 10393 size_t first_exported_length = 0; 10394 size_t second_exported_length; 10395 10396 if (usage_flags & PSA_KEY_USAGE_EXPORT) { 10397 TEST_CALLOC(first_export, export_size); 10398 TEST_CALLOC(second_export, export_size); 10399 } 10400 10401 PSA_ASSERT(psa_crypto_init()); 10402 10403 psa_set_key_id(&attributes, key_id); 10404 psa_set_key_usage_flags(&attributes, usage_flags); 10405 psa_set_key_algorithm(&attributes, alg); 10406 psa_set_key_type(&attributes, type); 10407 psa_set_key_bits(&attributes, bits); 10408 10409 switch (generation_method) { 10410 case IMPORT_KEY: 10411 /* Import the key */ 10412 PSA_ASSERT(psa_import_key(&attributes, data->x, data->len, 10413 &key)); 10414 break; 10415 10416 case GENERATE_KEY: 10417 /* Generate a key */ 10418 PSA_ASSERT(psa_generate_key(&attributes, &key)); 10419 break; 10420 10421 case DERIVE_KEY: 10422 #if defined(PSA_WANT_ALG_HKDF) && defined(PSA_WANT_ALG_SHA_256) 10423 { 10424 /* Create base key */ 10425 psa_algorithm_t derive_alg = PSA_ALG_HKDF(PSA_ALG_SHA_256); 10426 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 10427 psa_set_key_usage_flags(&base_attributes, 10428 PSA_KEY_USAGE_DERIVE); 10429 psa_set_key_algorithm(&base_attributes, derive_alg); 10430 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE); 10431 PSA_ASSERT(psa_import_key(&base_attributes, 10432 data->x, data->len, 10433 &base_key)); 10434 /* Derive a key. */ 10435 PSA_ASSERT(psa_key_derivation_setup(&operation, derive_alg)); 10436 PSA_ASSERT(psa_key_derivation_input_key( 10437 &operation, 10438 PSA_KEY_DERIVATION_INPUT_SECRET, base_key)); 10439 PSA_ASSERT(psa_key_derivation_input_bytes( 10440 &operation, PSA_KEY_DERIVATION_INPUT_INFO, 10441 NULL, 0)); 10442 PSA_ASSERT(psa_key_derivation_output_key(&attributes, 10443 &operation, 10444 &key)); 10445 PSA_ASSERT(psa_key_derivation_abort(&operation)); 10446 PSA_ASSERT(psa_destroy_key(base_key)); 10447 base_key = MBEDTLS_SVC_KEY_ID_INIT; 10448 } 10449 #else 10450 TEST_ASSUME(!"KDF not supported in this configuration"); 10451 #endif 10452 break; 10453 10454 default: 10455 TEST_FAIL("generation_method not implemented in test"); 10456 break; 10457 } 10458 psa_reset_key_attributes(&attributes); 10459 10460 /* Export the key if permitted by the key policy. */ 10461 if (usage_flags & PSA_KEY_USAGE_EXPORT) { 10462 PSA_ASSERT(psa_export_key(key, 10463 first_export, export_size, 10464 &first_exported_length)); 10465 if (generation_method == IMPORT_KEY) { 10466 TEST_MEMORY_COMPARE(data->x, data->len, 10467 first_export, first_exported_length); 10468 } 10469 } 10470 10471 /* Shutdown and restart */ 10472 PSA_ASSERT(psa_purge_key(key)); 10473 PSA_DONE(); 10474 PSA_ASSERT(psa_crypto_init()); 10475 10476 /* Check key slot still contains key data */ 10477 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 10478 TEST_ASSERT(mbedtls_svc_key_id_equal( 10479 psa_get_key_id(&attributes), key_id)); 10480 TEST_EQUAL(psa_get_key_lifetime(&attributes), 10481 PSA_KEY_LIFETIME_PERSISTENT); 10482 TEST_EQUAL(psa_get_key_type(&attributes), type); 10483 TEST_EQUAL(psa_get_key_bits(&attributes), bits); 10484 TEST_EQUAL(psa_get_key_usage_flags(&attributes), 10485 mbedtls_test_update_key_usage_flags(usage_flags)); 10486 TEST_EQUAL(psa_get_key_algorithm(&attributes), alg); 10487 10488 /* Export the key again if permitted by the key policy. */ 10489 if (usage_flags & PSA_KEY_USAGE_EXPORT) { 10490 PSA_ASSERT(psa_export_key(key, 10491 second_export, export_size, 10492 &second_exported_length)); 10493 TEST_MEMORY_COMPARE(first_export, first_exported_length, 10494 second_export, second_exported_length); 10495 } 10496 10497 /* Do something with the key according to its type and permitted usage. */ 10498 if (!mbedtls_test_psa_exercise_key(key, usage_flags, alg, 0)) { 10499 goto exit; 10500 } 10501 10502 exit: 10503 /* 10504 * Key attributes may have been returned by psa_get_key_attributes() 10505 * thus reset them as required. 10506 */ 10507 psa_reset_key_attributes(&attributes); 10508 10509 mbedtls_free(first_export); 10510 mbedtls_free(second_export); 10511 psa_key_derivation_abort(&operation); 10512 psa_destroy_key(base_key); 10513 psa_destroy_key(key); 10514 PSA_DONE(); 10515 } 10516 /* END_CASE */ 10517 10518 /* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 10519 void ecjpake_setup(int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, 10520 int primitive_arg, int hash_arg, int role_arg, 10521 int test_input, data_t *pw_data, 10522 int inj_err_type_arg, 10523 int expected_error_arg) 10524 { 10525 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 10526 psa_pake_operation_t operation = psa_pake_operation_init_short(); 10527 psa_algorithm_t alg = alg_arg; 10528 psa_pake_primitive_t primitive = primitive_arg; 10529 psa_key_type_t key_type_pw = key_type_pw_arg; 10530 psa_key_usage_t key_usage_pw = key_usage_pw_arg; 10531 psa_algorithm_t hash_alg = hash_arg; 10532 psa_pake_role_t role = role_arg; 10533 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 10534 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10535 ecjpake_injected_failure_t inj_err_type = inj_err_type_arg; 10536 psa_status_t expected_error = expected_error_arg; 10537 psa_status_t status; 10538 unsigned char *output_buffer = NULL; 10539 size_t output_len = 0; 10540 10541 PSA_INIT(); 10542 10543 size_t buf_size = PSA_PAKE_OUTPUT_SIZE(alg, primitive_arg, 10544 PSA_PAKE_STEP_KEY_SHARE); 10545 TEST_CALLOC(output_buffer, buf_size); 10546 10547 if (pw_data->len > 0) { 10548 psa_set_key_usage_flags(&attributes, key_usage_pw); 10549 psa_set_key_algorithm(&attributes, alg); 10550 psa_set_key_type(&attributes, key_type_pw); 10551 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, 10552 &key)); 10553 } 10554 10555 psa_pake_cs_set_algorithm(&cipher_suite, alg); 10556 psa_pake_cs_set_primitive(&cipher_suite, primitive); 10557 psa_pake_cs_set_hash(&cipher_suite, hash_alg); 10558 10559 PSA_ASSERT(psa_pake_abort(&operation)); 10560 10561 if (inj_err_type == INJECT_ERR_UNINITIALIZED_ACCESS) { 10562 TEST_EQUAL(psa_pake_set_user(&operation, NULL, 0), 10563 expected_error); 10564 PSA_ASSERT(psa_pake_abort(&operation)); 10565 TEST_EQUAL(psa_pake_set_peer(&operation, NULL, 0), 10566 expected_error); 10567 PSA_ASSERT(psa_pake_abort(&operation)); 10568 TEST_EQUAL(psa_pake_set_password_key(&operation, key), 10569 expected_error); 10570 PSA_ASSERT(psa_pake_abort(&operation)); 10571 TEST_EQUAL(psa_pake_set_role(&operation, role), 10572 expected_error); 10573 PSA_ASSERT(psa_pake_abort(&operation)); 10574 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, 10575 NULL, 0, NULL), 10576 expected_error); 10577 PSA_ASSERT(psa_pake_abort(&operation)); 10578 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, NULL, 0), 10579 expected_error); 10580 PSA_ASSERT(psa_pake_abort(&operation)); 10581 goto exit; 10582 } 10583 10584 status = psa_pake_setup(&operation, &cipher_suite); 10585 if (status != PSA_SUCCESS) { 10586 TEST_EQUAL(status, expected_error); 10587 goto exit; 10588 } 10589 10590 if (inj_err_type == INJECT_ERR_DUPLICATE_SETUP) { 10591 TEST_EQUAL(psa_pake_setup(&operation, &cipher_suite), 10592 expected_error); 10593 goto exit; 10594 } 10595 10596 status = psa_pake_set_role(&operation, role); 10597 if (status != PSA_SUCCESS) { 10598 TEST_EQUAL(status, expected_error); 10599 goto exit; 10600 } 10601 10602 if (pw_data->len > 0) { 10603 status = psa_pake_set_password_key(&operation, key); 10604 if (status != PSA_SUCCESS) { 10605 TEST_EQUAL(status, expected_error); 10606 goto exit; 10607 } 10608 } 10609 10610 if (inj_err_type == INJECT_ERR_INVALID_USER) { 10611 TEST_EQUAL(psa_pake_set_user(&operation, NULL, 0), 10612 PSA_ERROR_INVALID_ARGUMENT); 10613 goto exit; 10614 } 10615 10616 if (inj_err_type == INJECT_ERR_INVALID_PEER) { 10617 TEST_EQUAL(psa_pake_set_peer(&operation, NULL, 0), 10618 PSA_ERROR_INVALID_ARGUMENT); 10619 goto exit; 10620 } 10621 10622 if (inj_err_type == INJECT_ERR_SET_USER) { 10623 const uint8_t unsupported_id[] = "abcd"; 10624 TEST_EQUAL(psa_pake_set_user(&operation, unsupported_id, 4), 10625 PSA_ERROR_NOT_SUPPORTED); 10626 goto exit; 10627 } 10628 10629 if (inj_err_type == INJECT_ERR_SET_PEER) { 10630 const uint8_t unsupported_id[] = "abcd"; 10631 TEST_EQUAL(psa_pake_set_peer(&operation, unsupported_id, 4), 10632 PSA_ERROR_NOT_SUPPORTED); 10633 goto exit; 10634 } 10635 10636 const size_t size_key_share = PSA_PAKE_INPUT_SIZE(alg, primitive, 10637 PSA_PAKE_STEP_KEY_SHARE); 10638 const size_t size_zk_public = PSA_PAKE_INPUT_SIZE(alg, primitive, 10639 PSA_PAKE_STEP_ZK_PUBLIC); 10640 const size_t size_zk_proof = PSA_PAKE_INPUT_SIZE(alg, primitive, 10641 PSA_PAKE_STEP_ZK_PROOF); 10642 10643 if (test_input) { 10644 if (inj_err_type == INJECT_EMPTY_IO_BUFFER) { 10645 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PROOF, NULL, 0), 10646 PSA_ERROR_INVALID_ARGUMENT); 10647 goto exit; 10648 } 10649 10650 if (inj_err_type == INJECT_UNKNOWN_STEP) { 10651 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PROOF + 10, 10652 output_buffer, size_zk_proof), 10653 PSA_ERROR_INVALID_ARGUMENT); 10654 goto exit; 10655 } 10656 10657 if (inj_err_type == INJECT_INVALID_FIRST_STEP) { 10658 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PROOF, 10659 output_buffer, size_zk_proof), 10660 PSA_ERROR_BAD_STATE); 10661 goto exit; 10662 } 10663 10664 status = psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, 10665 output_buffer, size_key_share); 10666 if (status != PSA_SUCCESS) { 10667 TEST_EQUAL(status, expected_error); 10668 goto exit; 10669 } 10670 10671 if (inj_err_type == INJECT_WRONG_BUFFER_SIZE) { 10672 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 10673 output_buffer, size_zk_public + 1), 10674 PSA_ERROR_INVALID_ARGUMENT); 10675 goto exit; 10676 } 10677 10678 if (inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE) { 10679 // Just trigger any kind of error. We don't care about the result here 10680 psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 10681 output_buffer, size_zk_public + 1); 10682 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 10683 output_buffer, size_zk_public), 10684 PSA_ERROR_BAD_STATE); 10685 goto exit; 10686 } 10687 } else { 10688 if (inj_err_type == INJECT_EMPTY_IO_BUFFER) { 10689 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF, 10690 NULL, 0, NULL), 10691 PSA_ERROR_INVALID_ARGUMENT); 10692 goto exit; 10693 } 10694 10695 if (inj_err_type == INJECT_UNKNOWN_STEP) { 10696 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF + 10, 10697 output_buffer, buf_size, &output_len), 10698 PSA_ERROR_INVALID_ARGUMENT); 10699 goto exit; 10700 } 10701 10702 if (inj_err_type == INJECT_INVALID_FIRST_STEP) { 10703 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF, 10704 output_buffer, buf_size, &output_len), 10705 PSA_ERROR_BAD_STATE); 10706 goto exit; 10707 } 10708 10709 status = psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, 10710 output_buffer, buf_size, &output_len); 10711 if (status != PSA_SUCCESS) { 10712 TEST_EQUAL(status, expected_error); 10713 goto exit; 10714 } 10715 10716 TEST_ASSERT(output_len > 0); 10717 10718 if (inj_err_type == INJECT_WRONG_BUFFER_SIZE) { 10719 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 10720 output_buffer, size_zk_public - 1, &output_len), 10721 PSA_ERROR_BUFFER_TOO_SMALL); 10722 goto exit; 10723 } 10724 10725 if (inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE) { 10726 // Just trigger any kind of error. We don't care about the result here 10727 psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 10728 output_buffer, size_zk_public - 1, &output_len); 10729 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 10730 output_buffer, buf_size, &output_len), 10731 PSA_ERROR_BAD_STATE); 10732 goto exit; 10733 } 10734 } 10735 10736 exit: 10737 PSA_ASSERT(psa_destroy_key(key)); 10738 PSA_ASSERT(psa_pake_abort(&operation)); 10739 mbedtls_free(output_buffer); 10740 PSA_DONE(); 10741 } 10742 /* END_CASE */ 10743 10744 /* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 10745 void ecjpake_rounds_inject(int alg_arg, int primitive_arg, int hash_arg, 10746 int client_input_first, int inject_error, 10747 data_t *pw_data) 10748 { 10749 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 10750 psa_pake_operation_t server = psa_pake_operation_init_short(); 10751 psa_pake_operation_t client = psa_pake_operation_init_short(); 10752 psa_algorithm_t alg = alg_arg; 10753 psa_algorithm_t hash_alg = hash_arg; 10754 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 10755 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10756 10757 PSA_INIT(); 10758 10759 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 10760 psa_set_key_algorithm(&attributes, alg); 10761 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 10762 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, 10763 &key)); 10764 10765 psa_pake_cs_set_algorithm(&cipher_suite, alg); 10766 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg); 10767 psa_pake_cs_set_hash(&cipher_suite, hash_alg); 10768 10769 10770 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite)); 10771 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite)); 10772 10773 PSA_ASSERT(psa_pake_set_role(&server, PSA_PAKE_ROLE_SERVER)); 10774 PSA_ASSERT(psa_pake_set_role(&client, PSA_PAKE_ROLE_CLIENT)); 10775 10776 PSA_ASSERT(psa_pake_set_password_key(&server, key)); 10777 PSA_ASSERT(psa_pake_set_password_key(&client, key)); 10778 10779 ecjpake_do_round(alg, primitive_arg, &server, &client, 10780 client_input_first, 1, inject_error); 10781 10782 if (inject_error == 1 || inject_error == 2) { 10783 goto exit; 10784 } 10785 10786 ecjpake_do_round(alg, primitive_arg, &server, &client, 10787 client_input_first, 2, inject_error); 10788 10789 exit: 10790 psa_destroy_key(key); 10791 psa_pake_abort(&server); 10792 psa_pake_abort(&client); 10793 PSA_DONE(); 10794 } 10795 /* END_CASE */ 10796 10797 /* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 10798 void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, 10799 int derive_alg_arg, data_t *pw_data, 10800 int client_input_first, int inj_err_type_arg) 10801 { 10802 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 10803 psa_pake_operation_t server = psa_pake_operation_init_short(); 10804 psa_pake_operation_t client = psa_pake_operation_init_short(); 10805 psa_algorithm_t alg = alg_arg; 10806 psa_algorithm_t hash_alg = hash_arg; 10807 psa_algorithm_t derive_alg = derive_alg_arg; 10808 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 10809 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10810 psa_key_derivation_operation_t server_derive = 10811 psa_key_derivation_operation_init_short(); 10812 psa_key_derivation_operation_t client_derive = 10813 psa_key_derivation_operation_init_short(); 10814 ecjpake_injected_failure_t inj_err_type = inj_err_type_arg; 10815 10816 PSA_INIT(); 10817 10818 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 10819 psa_set_key_algorithm(&attributes, alg); 10820 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 10821 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, 10822 &key)); 10823 10824 psa_pake_cs_set_algorithm(&cipher_suite, alg); 10825 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg); 10826 psa_pake_cs_set_hash(&cipher_suite, hash_alg); 10827 10828 /* Get shared key */ 10829 PSA_ASSERT(psa_key_derivation_setup(&server_derive, derive_alg)); 10830 PSA_ASSERT(psa_key_derivation_setup(&client_derive, derive_alg)); 10831 10832 if (PSA_ALG_IS_TLS12_PRF(derive_alg) || 10833 PSA_ALG_IS_TLS12_PSK_TO_MS(derive_alg)) { 10834 PSA_ASSERT(psa_key_derivation_input_bytes(&server_derive, 10835 PSA_KEY_DERIVATION_INPUT_SEED, 10836 (const uint8_t *) "", 0)); 10837 PSA_ASSERT(psa_key_derivation_input_bytes(&client_derive, 10838 PSA_KEY_DERIVATION_INPUT_SEED, 10839 (const uint8_t *) "", 0)); 10840 } 10841 10842 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite)); 10843 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite)); 10844 10845 PSA_ASSERT(psa_pake_set_role(&server, PSA_PAKE_ROLE_SERVER)); 10846 PSA_ASSERT(psa_pake_set_role(&client, PSA_PAKE_ROLE_CLIENT)); 10847 10848 PSA_ASSERT(psa_pake_set_password_key(&server, key)); 10849 PSA_ASSERT(psa_pake_set_password_key(&client, key)); 10850 10851 if (inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_1) { 10852 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive), 10853 PSA_ERROR_BAD_STATE); 10854 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive), 10855 PSA_ERROR_BAD_STATE); 10856 goto exit; 10857 } 10858 10859 /* First round */ 10860 ecjpake_do_round(alg, primitive_arg, &server, &client, 10861 client_input_first, 1, 0); 10862 10863 if (inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_2) { 10864 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive), 10865 PSA_ERROR_BAD_STATE); 10866 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive), 10867 PSA_ERROR_BAD_STATE); 10868 goto exit; 10869 } 10870 10871 /* Second round */ 10872 ecjpake_do_round(alg, primitive_arg, &server, &client, 10873 client_input_first, 2, 0); 10874 10875 PSA_ASSERT(psa_pake_get_implicit_key(&server, &server_derive)); 10876 PSA_ASSERT(psa_pake_get_implicit_key(&client, &client_derive)); 10877 10878 exit: 10879 psa_key_derivation_abort(&server_derive); 10880 psa_key_derivation_abort(&client_derive); 10881 psa_destroy_key(key); 10882 psa_pake_abort(&server); 10883 psa_pake_abort(&client); 10884 PSA_DONE(); 10885 } 10886 /* END_CASE */ 10887 10888 /* BEGIN_CASE */ 10889 void ecjpake_size_macros() 10890 { 10891 const psa_algorithm_t alg = PSA_ALG_JPAKE; 10892 const size_t bits = 256; 10893 const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( 10894 PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, bits); 10895 const psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR( 10896 PSA_ECC_FAMILY_SECP_R1); 10897 10898 // https://armmbed.github.io/mbed-crypto/1.1_PAKE_Extension.0-bet.0/html/pake.html#pake-step-types 10899 /* The output for KEY_SHARE and ZK_PUBLIC is the same as a public key */ 10900 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 10901 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits)); 10902 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 10903 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits)); 10904 /* The output for ZK_PROOF is the same bitsize as the curve */ 10905 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 10906 PSA_BITS_TO_BYTES(bits)); 10907 10908 /* Input sizes are the same as output sizes */ 10909 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 10910 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE)); 10911 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 10912 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC)); 10913 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 10914 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF)); 10915 10916 /* These inequalities will always hold even when other PAKEs are added */ 10917 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 10918 PSA_PAKE_OUTPUT_MAX_SIZE); 10919 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 10920 PSA_PAKE_OUTPUT_MAX_SIZE); 10921 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 10922 PSA_PAKE_OUTPUT_MAX_SIZE); 10923 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 10924 PSA_PAKE_INPUT_MAX_SIZE); 10925 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 10926 PSA_PAKE_INPUT_MAX_SIZE); 10927 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 10928 PSA_PAKE_INPUT_MAX_SIZE); 10929 } 10930 /* END_CASE */