1/* BEGIN_HEADER */ 2#include <stdint.h> 3 4#include "psa/crypto.h" 5#include "psa/crypto_extra.h" 6 7typedef enum { 8 ERR_NONE = 0, 9 /* errors forced internally in the code */ 10 ERR_INJECT_UNINITIALIZED_ACCESS, 11 ERR_INJECT_DUPLICATE_SETUP, 12 ERR_INJECT_SET_USER, 13 ERR_INJECT_SET_PEER, 14 ERR_INJECT_SET_ROLE, 15 ERR_DUPLICATE_SET_USER, 16 ERR_DUPLICATE_SET_PEER, 17 ERR_INJECT_EMPTY_IO_BUFFER, 18 ERR_INJECT_UNKNOWN_STEP, 19 ERR_INJECT_INVALID_FIRST_STEP, 20 ERR_INJECT_WRONG_BUFFER_SIZE, 21 ERR_INJECT_WRONG_BUFFER_SIZE_2, 22 ERR_INJECT_VALID_OPERATION_AFTER_FAILURE, 23 ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1, 24 ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2, 25 ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1, 26 ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1, 27 ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1, 28 ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2, 29 ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2, 30 ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2, 31 ERR_INJECT_ROUND2_CLIENT_KEY_SHARE, 32 ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC, 33 ERR_INJECT_ROUND2_CLIENT_ZK_PROOF, 34 ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1, 35 ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1, 36 ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1, 37 ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2, 38 ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2, 39 ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2, 40 ERR_INJECT_ROUND2_SERVER_KEY_SHARE, 41 ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC, 42 ERR_INJECT_ROUND2_SERVER_ZK_PROOF, 43 ERR_INJECT_EXTRA_OUTPUT, 44 ERR_INJECT_EXTRA_INPUT, 45 ERR_INJECT_EXTRA_OUTPUT_AT_END, 46 ERR_INJECT_EXTRA_INPUT_AT_END, 47 /* erros issued from the .data file */ 48 ERR_IN_SETUP, 49 ERR_IN_SET_USER, 50 ERR_IN_SET_PEER, 51 ERR_IN_SET_ROLE, 52 ERR_IN_SET_PASSWORD_KEY, 53 ERR_IN_INPUT, 54 ERR_IN_OUTPUT, 55} ecjpake_error_stage_t; 56 57typedef enum { 58 PAKE_ROUND_ONE, 59 PAKE_ROUND_TWO 60} pake_round_t; 61 62/* The only two JPAKE user/peer identifiers supported for the time being. */ 63static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' }; 64static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' }; 65 66/* 67 * Inject an error on the specified buffer ONLY it this is the correct stage. 68 * Offset 7 is arbitrary, but chosen because it's "in the middle" of the part 69 * we're corrupting. 70 */ 71#define DO_ROUND_CONDITIONAL_INJECT(this_stage, buf) \ 72 if (this_stage == err_stage) \ 73 { \ 74 *(buf + 7) ^= 1; \ 75 } 76 77#define DO_ROUND_CONDITIONAL_CHECK_FAILURE(this_stage, function) \ 78 if (this_stage == err_stage) \ 79 { \ 80 TEST_EQUAL(function, expected_error_arg); \ 81 break; \ 82 } 83 84#define DO_ROUND_UPDATE_OFFSETS(main_buf_offset, step_offset, step_size) \ 85 { \ 86 step_offset = main_buf_offset; \ 87 main_buf_offset += step_size; \ 88 } 89 90#define DO_ROUND_CHECK_FAILURE() \ 91 if (err_stage != ERR_NONE && status != PSA_SUCCESS) \ 92 { \ 93 TEST_EQUAL(status, expected_error_arg); \ 94 break; \ 95 } \ 96 else \ 97 { \ 98 TEST_EQUAL(status, PSA_SUCCESS); \ 99 } 100 101#if defined(PSA_WANT_ALG_JPAKE) 102static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, 103 psa_pake_operation_t *server, 104 psa_pake_operation_t *client, 105 int client_input_first, 106 pake_round_t round, 107 ecjpake_error_stage_t err_stage, 108 int expected_error_arg) 109{ 110 unsigned char *buffer0 = NULL, *buffer1 = NULL; 111 size_t buffer_length = ( 112 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE) + 113 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC) + 114 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF)) * 2; 115 /* The output should be exactly this size according to the spec */ 116 const size_t expected_size_key_share = 117 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE); 118 /* The output should be exactly this size according to the spec */ 119 const size_t expected_size_zk_public = 120 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC); 121 /* The output can be smaller: the spec allows stripping leading zeroes */ 122 const size_t max_expected_size_zk_proof = 123 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF); 124 size_t buffer0_off = 0; 125 size_t buffer1_off = 0; 126 size_t s_g1_len, s_g2_len, s_a_len; 127 size_t s_g1_off, s_g2_off, s_a_off; 128 size_t s_x1_pk_len, s_x2_pk_len, s_x2s_pk_len; 129 size_t s_x1_pk_off, s_x2_pk_off, s_x2s_pk_off; 130 size_t s_x1_pr_len, s_x2_pr_len, s_x2s_pr_len; 131 size_t s_x1_pr_off, s_x2_pr_off, s_x2s_pr_off; 132 size_t c_g1_len, c_g2_len, c_a_len; 133 size_t c_g1_off, c_g2_off, c_a_off; 134 size_t c_x1_pk_len, c_x2_pk_len, c_x2s_pk_len; 135 size_t c_x1_pk_off, c_x2_pk_off, c_x2s_pk_off; 136 size_t c_x1_pr_len, c_x2_pr_len, c_x2s_pr_len; 137 size_t c_x1_pr_off, c_x2_pr_off, c_x2s_pr_off; 138 psa_status_t status; 139 140 TEST_CALLOC(buffer0, buffer_length); 141 TEST_CALLOC(buffer1, buffer_length); 142 143 switch (round) { 144 case PAKE_ROUND_ONE: 145 /* Server first round Output */ 146 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 147 buffer0 + buffer0_off, 148 512 - buffer0_off, &s_g1_len)); 149 TEST_EQUAL(s_g1_len, expected_size_key_share); 150 DO_ROUND_CONDITIONAL_INJECT( 151 ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1, 152 buffer0 + buffer0_off); 153 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_g1_off, s_g1_len); 154 155 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, 156 buffer0 + buffer0_off, 157 512 - buffer0_off, &s_x1_pk_len)); 158 TEST_EQUAL(s_x1_pk_len, expected_size_zk_public); 159 DO_ROUND_CONDITIONAL_INJECT( 160 ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1, 161 buffer0 + buffer0_off); 162 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x1_pk_off, s_x1_pk_len); 163 164 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, 165 buffer0 + buffer0_off, 166 512 - buffer0_off, &s_x1_pr_len)); 167 TEST_LE_U(s_x1_pr_len, max_expected_size_zk_proof); 168 DO_ROUND_CONDITIONAL_INJECT( 169 ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1, 170 buffer0 + buffer0_off); 171 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x1_pr_off, s_x1_pr_len); 172 173 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 174 buffer0 + buffer0_off, 175 512 - buffer0_off, &s_g2_len)); 176 TEST_EQUAL(s_g2_len, expected_size_key_share); 177 DO_ROUND_CONDITIONAL_INJECT( 178 ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2, 179 buffer0 + buffer0_off); 180 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_g2_off, s_g2_len); 181 182 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, 183 buffer0 + buffer0_off, 184 512 - buffer0_off, &s_x2_pk_len)); 185 TEST_EQUAL(s_x2_pk_len, expected_size_zk_public); 186 DO_ROUND_CONDITIONAL_INJECT( 187 ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2, 188 buffer0 + buffer0_off); 189 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x2_pk_off, s_x2_pk_len); 190 191 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, 192 buffer0 + buffer0_off, 193 512 - buffer0_off, &s_x2_pr_len)); 194 TEST_LE_U(s_x2_pr_len, max_expected_size_zk_proof); 195 DO_ROUND_CONDITIONAL_INJECT( 196 ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2, 197 buffer0 + buffer0_off); 198 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x2_pr_off, s_x2_pr_len); 199 200 size_t extra_output_len; 201 DO_ROUND_CONDITIONAL_CHECK_FAILURE( 202 ERR_INJECT_EXTRA_OUTPUT, 203 psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 204 buffer0 + s_g2_off, 512 - s_g2_off, &extra_output_len)); 205 (void) extra_output_len; 206 /* 207 * When injecting errors in inputs, the implementation is 208 * free to detect it right away of with a delay. 209 * This permits delaying the error until the end of the input 210 * sequence, if no error appears then, this will be treated 211 * as an error. 212 */ 213 if (client_input_first == 1) { 214 /* Client first round Input */ 215 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 216 buffer0 + s_g1_off, s_g1_len); 217 DO_ROUND_CHECK_FAILURE(); 218 219 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 220 buffer0 + s_x1_pk_off, 221 s_x1_pk_len); 222 DO_ROUND_CHECK_FAILURE(); 223 224 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 225 buffer0 + s_x1_pr_off, 226 s_x1_pr_len); 227 DO_ROUND_CHECK_FAILURE(); 228 229 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 230 buffer0 + s_g2_off, 231 s_g2_len); 232 DO_ROUND_CHECK_FAILURE(); 233 234 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 235 buffer0 + s_x2_pk_off, 236 s_x2_pk_len); 237 DO_ROUND_CHECK_FAILURE(); 238 239 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 240 buffer0 + s_x2_pr_off, 241 s_x2_pr_len); 242 DO_ROUND_CHECK_FAILURE(); 243 244 /* Note: Must have client_input_first == 1 to inject extra input */ 245 DO_ROUND_CONDITIONAL_CHECK_FAILURE( 246 ERR_INJECT_EXTRA_INPUT, 247 psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 248 buffer0 + s_g2_off, s_g2_len)); 249 250 /* Error didn't trigger, make test fail */ 251 if ((err_stage >= ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1) && 252 (err_stage <= ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2)) { 253 TEST_ASSERT( 254 !"One of the last psa_pake_input() calls should have returned the expected error."); 255 } 256 } 257 258 /* Client first round Output */ 259 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 260 buffer1 + buffer1_off, 261 512 - buffer1_off, &c_g1_len)); 262 TEST_EQUAL(c_g1_len, expected_size_key_share); 263 DO_ROUND_CONDITIONAL_INJECT( 264 ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1, 265 buffer1 + buffer1_off); 266 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_g1_off, c_g1_len); 267 268 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, 269 buffer1 + buffer1_off, 270 512 - buffer1_off, &c_x1_pk_len)); 271 TEST_EQUAL(c_x1_pk_len, expected_size_zk_public); 272 DO_ROUND_CONDITIONAL_INJECT( 273 ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1, 274 buffer1 + buffer1_off); 275 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x1_pk_off, c_x1_pk_len); 276 277 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, 278 buffer1 + buffer1_off, 279 512 - buffer1_off, &c_x1_pr_len)); 280 TEST_LE_U(c_x1_pr_len, max_expected_size_zk_proof); 281 DO_ROUND_CONDITIONAL_INJECT( 282 ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1, 283 buffer1 + buffer1_off); 284 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x1_pr_off, c_x1_pr_len); 285 286 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 287 buffer1 + buffer1_off, 288 512 - buffer1_off, &c_g2_len)); 289 TEST_EQUAL(c_g2_len, expected_size_key_share); 290 DO_ROUND_CONDITIONAL_INJECT( 291 ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2, 292 buffer1 + buffer1_off); 293 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_g2_off, c_g2_len); 294 295 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, 296 buffer1 + buffer1_off, 297 512 - buffer1_off, &c_x2_pk_len)); 298 TEST_EQUAL(c_x2_pk_len, expected_size_zk_public); 299 DO_ROUND_CONDITIONAL_INJECT( 300 ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2, 301 buffer1 + buffer1_off); 302 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x2_pk_off, c_x2_pk_len); 303 304 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, 305 buffer1 + buffer1_off, 306 512 - buffer1_off, &c_x2_pr_len)); 307 TEST_LE_U(c_x2_pr_len, max_expected_size_zk_proof); 308 DO_ROUND_CONDITIONAL_INJECT( 309 ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2, 310 buffer1 + buffer1_off); 311 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x2_pr_off, buffer1_off); 312 313 if (client_input_first == 0) { 314 /* Client first round Input */ 315 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 316 buffer0 + s_g1_off, s_g1_len); 317 DO_ROUND_CHECK_FAILURE(); 318 319 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 320 buffer0 + s_x1_pk_off, 321 s_x1_pk_len); 322 DO_ROUND_CHECK_FAILURE(); 323 324 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 325 buffer0 + s_x1_pr_off, 326 s_x1_pr_len); 327 DO_ROUND_CHECK_FAILURE(); 328 329 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 330 buffer0 + s_g2_off, 331 s_g2_len); 332 DO_ROUND_CHECK_FAILURE(); 333 334 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 335 buffer0 + s_x2_pk_off, 336 s_x2_pk_len); 337 DO_ROUND_CHECK_FAILURE(); 338 339 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 340 buffer0 + s_x2_pr_off, 341 s_x2_pr_len); 342 DO_ROUND_CHECK_FAILURE(); 343 344 /* Error didn't trigger, make test fail */ 345 if ((err_stage >= ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1) && 346 (err_stage <= ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2)) { 347 TEST_ASSERT( 348 !"One of the last psa_pake_input() calls should have returned the expected error."); 349 } 350 } 351 352 /* Server first round Input */ 353 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 354 buffer1 + c_g1_off, c_g1_len); 355 DO_ROUND_CHECK_FAILURE(); 356 357 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, 358 buffer1 + c_x1_pk_off, c_x1_pk_len); 359 DO_ROUND_CHECK_FAILURE(); 360 361 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, 362 buffer1 + c_x1_pr_off, c_x1_pr_len); 363 DO_ROUND_CHECK_FAILURE(); 364 365 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 366 buffer1 + c_g2_off, c_g2_len); 367 DO_ROUND_CHECK_FAILURE(); 368 369 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, 370 buffer1 + c_x2_pk_off, c_x2_pk_len); 371 DO_ROUND_CHECK_FAILURE(); 372 373 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, 374 buffer1 + c_x2_pr_off, c_x2_pr_len); 375 DO_ROUND_CHECK_FAILURE(); 376 377 /* Error didn't trigger, make test fail */ 378 if ((err_stage >= ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1) && 379 (err_stage <= ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2)) { 380 TEST_ASSERT( 381 !"One of the last psa_pake_input() calls should have returned the expected error."); 382 } 383 384 break; 385 386 case PAKE_ROUND_TWO: 387 /* Server second round Output */ 388 buffer0_off = 0; 389 390 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 391 buffer0 + buffer0_off, 392 512 - buffer0_off, &s_a_len)); 393 TEST_EQUAL(s_a_len, expected_size_key_share); 394 DO_ROUND_CONDITIONAL_INJECT( 395 ERR_INJECT_ROUND2_SERVER_KEY_SHARE, 396 buffer0 + buffer0_off); 397 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_a_off, s_a_len); 398 399 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, 400 buffer0 + buffer0_off, 401 512 - buffer0_off, &s_x2s_pk_len)); 402 TEST_EQUAL(s_x2s_pk_len, expected_size_zk_public); 403 DO_ROUND_CONDITIONAL_INJECT( 404 ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC, 405 buffer0 + buffer0_off); 406 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x2s_pk_off, s_x2s_pk_len); 407 408 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, 409 buffer0 + buffer0_off, 410 512 - buffer0_off, &s_x2s_pr_len)); 411 TEST_LE_U(s_x2s_pr_len, max_expected_size_zk_proof); 412 DO_ROUND_CONDITIONAL_INJECT( 413 ERR_INJECT_ROUND2_SERVER_ZK_PROOF, 414 buffer0 + buffer0_off); 415 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x2s_pr_off, s_x2s_pr_len); 416 417 if (client_input_first == 1) { 418 /* Client second round Input */ 419 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 420 buffer0 + s_a_off, s_a_len); 421 DO_ROUND_CHECK_FAILURE(); 422 423 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 424 buffer0 + s_x2s_pk_off, 425 s_x2s_pk_len); 426 DO_ROUND_CHECK_FAILURE(); 427 428 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 429 buffer0 + s_x2s_pr_off, 430 s_x2s_pr_len); 431 DO_ROUND_CHECK_FAILURE(); 432 433 /* Error didn't trigger, make test fail */ 434 if ((err_stage >= ERR_INJECT_ROUND2_SERVER_KEY_SHARE) && 435 (err_stage <= ERR_INJECT_ROUND2_SERVER_ZK_PROOF)) { 436 TEST_ASSERT( 437 !"One of the last psa_pake_input() calls should have returned the expected error."); 438 } 439 } 440 441 /* Client second round Output */ 442 buffer1_off = 0; 443 444 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 445 buffer1 + buffer1_off, 446 512 - buffer1_off, &c_a_len)); 447 TEST_EQUAL(c_a_len, expected_size_key_share); 448 DO_ROUND_CONDITIONAL_INJECT( 449 ERR_INJECT_ROUND2_CLIENT_KEY_SHARE, 450 buffer1 + buffer1_off); 451 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_a_off, c_a_len); 452 453 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, 454 buffer1 + buffer1_off, 455 512 - buffer1_off, &c_x2s_pk_len)); 456 TEST_EQUAL(c_x2s_pk_len, expected_size_zk_public); 457 DO_ROUND_CONDITIONAL_INJECT( 458 ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC, 459 buffer1 + buffer1_off); 460 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x2s_pk_off, c_x2s_pk_len); 461 462 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, 463 buffer1 + buffer1_off, 464 512 - buffer1_off, &c_x2s_pr_len)); 465 TEST_LE_U(c_x2s_pr_len, max_expected_size_zk_proof); 466 DO_ROUND_CONDITIONAL_INJECT( 467 ERR_INJECT_ROUND2_CLIENT_ZK_PROOF, 468 buffer1 + buffer1_off); 469 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x2s_pr_off, c_x2s_pr_len); 470 471 if (client_input_first == 1) { 472 size_t extra_output_at_end_len; 473 DO_ROUND_CONDITIONAL_CHECK_FAILURE( 474 ERR_INJECT_EXTRA_OUTPUT_AT_END, 475 psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 476 buffer1 + c_a_off, 512 - c_a_off, 477 &extra_output_at_end_len)); 478 (void) extra_output_at_end_len; 479 } 480 481 if (client_input_first == 0) { 482 /* Client second round Input */ 483 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 484 buffer0 + s_a_off, s_a_len); 485 DO_ROUND_CHECK_FAILURE(); 486 487 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 488 buffer0 + s_x2s_pk_off, 489 s_x2s_pk_len); 490 DO_ROUND_CHECK_FAILURE(); 491 492 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 493 buffer0 + s_x2s_pr_off, 494 s_x2s_pr_len); 495 DO_ROUND_CHECK_FAILURE(); 496 497 /* Error didn't trigger, make test fail */ 498 if ((err_stage >= ERR_INJECT_ROUND2_SERVER_KEY_SHARE) && 499 (err_stage <= ERR_INJECT_ROUND2_SERVER_ZK_PROOF)) { 500 TEST_ASSERT( 501 !"One of the last psa_pake_input() calls should have returned the expected error."); 502 } 503 } 504 505 /* Server second round Input */ 506 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 507 buffer1 + c_a_off, c_a_len); 508 DO_ROUND_CHECK_FAILURE(); 509 510 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, 511 buffer1 + c_x2s_pk_off, c_x2s_pk_len); 512 DO_ROUND_CHECK_FAILURE(); 513 514 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, 515 buffer1 + c_x2s_pr_off, c_x2s_pr_len); 516 DO_ROUND_CHECK_FAILURE(); 517 518 DO_ROUND_CONDITIONAL_CHECK_FAILURE( 519 ERR_INJECT_EXTRA_INPUT_AT_END, 520 psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 521 buffer1 + c_a_off, c_a_len)); 522 523 524 /* Error didn't trigger, make test fail */ 525 if ((err_stage >= ERR_INJECT_ROUND2_CLIENT_KEY_SHARE) && 526 (err_stage <= ERR_INJECT_ROUND2_CLIENT_ZK_PROOF)) { 527 TEST_ASSERT( 528 !"One of the last psa_pake_input() calls should have returned the expected error."); 529 } 530 531 break; 532 533 } 534 535exit: 536 mbedtls_free(buffer0); 537 mbedtls_free(buffer1); 538} 539#endif /* PSA_WANT_ALG_JPAKE */ 540 541/* 542 * This check is used for functions that might either succeed or fail depending 543 * on the parameters that are passed in from the *.data file: 544 * - in case of success following functions depend on the current one 545 * - in case of failure the test is always terminated. There are two options 546 * here 547 * - terminated successfully if this exact error was expected at this stage 548 * - terminated with failure otherwise (either no error was expected at this 549 * stage or a different error code was expected) 550 */ 551#define SETUP_ALWAYS_CHECK_STEP(test_function, this_check_err_stage) \ 552 status = test_function; \ 553 if (err_stage != this_check_err_stage) \ 554 { \ 555 PSA_ASSERT(status); \ 556 } \ 557 else \ 558 { \ 559 TEST_EQUAL(status, expected_error); \ 560 goto exit; \ 561 } 562 563/* 564 * This check is used for failures that are injected at code level. There's only 565 * 1 input parameter that is relevant in this case and it's the stage at which 566 * the error should be injected. 567 * The check is conditional in this case because, once the error is triggered, 568 * the pake's context structure is compromised and the setup function cannot 569 * proceed further. As a consequence the test is terminated. 570 * The test succeeds if the returned error is exactly the expected one, 571 * otherwise it fails. 572 */ 573#define SETUP_CONDITIONAL_CHECK_STEP(test_function, this_check_err_stage) \ 574 if (err_stage == this_check_err_stage) \ 575 { \ 576 TEST_EQUAL(test_function, expected_error); \ 577 goto exit; \ 578 } 579/* END_HEADER */ 580 581/* BEGIN_DEPENDENCIES 582 * depends_on:MBEDTLS_PSA_CRYPTO_C 583 * END_DEPENDENCIES 584 */ 585 586/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 587void ecjpake_setup(int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, 588 int primitive_arg, int hash_arg, char *user_arg, char *peer_arg, 589 int test_input, 590 int err_stage_arg, 591 int expected_error_arg) 592{ 593 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 594 psa_pake_operation_t operation = psa_pake_operation_init(); 595 psa_algorithm_t alg = alg_arg; 596 psa_pake_primitive_t primitive = primitive_arg; 597 psa_key_type_t key_type_pw = key_type_pw_arg; 598 psa_key_usage_t key_usage_pw = key_usage_pw_arg; 599 psa_algorithm_t hash_alg = hash_arg; 600 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 601 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 602 ecjpake_error_stage_t err_stage = err_stage_arg; 603 psa_status_t expected_error = expected_error_arg; 604 psa_status_t status; 605 unsigned char *output_buffer = NULL; 606 size_t output_len = 0; 607 const uint8_t password[] = "abcd"; 608 uint8_t *user = (uint8_t *) user_arg; 609 uint8_t *peer = (uint8_t *) peer_arg; 610 size_t user_len = strlen(user_arg); 611 size_t peer_len = strlen(peer_arg); 612 613 psa_key_derivation_operation_t key_derivation = 614 PSA_KEY_DERIVATION_OPERATION_INIT; 615 616 PSA_INIT(); 617 618 size_t buf_size = PSA_PAKE_OUTPUT_SIZE(alg, primitive_arg, 619 PSA_PAKE_STEP_KEY_SHARE); 620 TEST_CALLOC(output_buffer, buf_size); 621 622 psa_set_key_usage_flags(&attributes, key_usage_pw); 623 psa_set_key_algorithm(&attributes, alg); 624 psa_set_key_type(&attributes, key_type_pw); 625 PSA_ASSERT(psa_import_key(&attributes, password, sizeof(password), 626 &key)); 627 628 psa_pake_cs_set_algorithm(&cipher_suite, alg); 629 psa_pake_cs_set_primitive(&cipher_suite, primitive); 630 psa_pake_cs_set_hash(&cipher_suite, hash_alg); 631 632 PSA_ASSERT(psa_pake_abort(&operation)); 633 634 if (err_stage == ERR_INJECT_UNINITIALIZED_ACCESS) { 635 TEST_EQUAL(psa_pake_set_user(&operation, user, user_len), 636 expected_error); 637 TEST_EQUAL(psa_pake_set_peer(&operation, peer, peer_len), 638 expected_error); 639 TEST_EQUAL(psa_pake_set_password_key(&operation, key), 640 expected_error); 641 TEST_EQUAL(psa_pake_set_role(&operation, PSA_PAKE_ROLE_SERVER), 642 expected_error); 643 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, 644 output_buffer, 0, &output_len), 645 expected_error); 646 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, 647 output_buffer, 0), 648 expected_error); 649 TEST_EQUAL(psa_pake_get_implicit_key(&operation, &key_derivation), 650 expected_error); 651 goto exit; 652 } 653 654 SETUP_ALWAYS_CHECK_STEP(psa_pake_setup(&operation, &cipher_suite), 655 ERR_IN_SETUP); 656 657 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_setup(&operation, &cipher_suite), 658 ERR_INJECT_DUPLICATE_SETUP); 659 660 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_set_role(&operation, PSA_PAKE_ROLE_SERVER), 661 ERR_INJECT_SET_ROLE); 662 663 SETUP_ALWAYS_CHECK_STEP(psa_pake_set_role(&operation, PSA_PAKE_ROLE_NONE), 664 ERR_IN_SET_ROLE); 665 666 SETUP_ALWAYS_CHECK_STEP(psa_pake_set_user(&operation, user, user_len), 667 ERR_IN_SET_USER); 668 669 SETUP_ALWAYS_CHECK_STEP(psa_pake_set_peer(&operation, peer, peer_len), 670 ERR_IN_SET_PEER); 671 672 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_set_user(&operation, user, user_len), 673 ERR_DUPLICATE_SET_USER); 674 675 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_set_peer(&operation, peer, peer_len), 676 ERR_DUPLICATE_SET_PEER); 677 678 SETUP_ALWAYS_CHECK_STEP(psa_pake_set_password_key(&operation, key), 679 ERR_IN_SET_PASSWORD_KEY); 680 681 const size_t size_key_share = PSA_PAKE_INPUT_SIZE(alg, primitive, 682 PSA_PAKE_STEP_KEY_SHARE); 683 const size_t size_zk_public = PSA_PAKE_INPUT_SIZE(alg, primitive, 684 PSA_PAKE_STEP_ZK_PUBLIC); 685 const size_t size_zk_proof = PSA_PAKE_INPUT_SIZE(alg, primitive, 686 PSA_PAKE_STEP_ZK_PROOF); 687 688 if (test_input) { 689 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, 690 PSA_PAKE_STEP_ZK_PROOF, 691 output_buffer, 0), 692 ERR_INJECT_EMPTY_IO_BUFFER); 693 694 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, 695 PSA_PAKE_STEP_ZK_PROOF + 10, 696 output_buffer, size_zk_proof), 697 ERR_INJECT_UNKNOWN_STEP); 698 699 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, 700 PSA_PAKE_STEP_ZK_PROOF, 701 output_buffer, size_zk_proof), 702 ERR_INJECT_INVALID_FIRST_STEP) 703 704 SETUP_ALWAYS_CHECK_STEP(psa_pake_input(&operation, 705 PSA_PAKE_STEP_KEY_SHARE, 706 output_buffer, size_key_share), 707 ERR_IN_INPUT); 708 709 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, 710 PSA_PAKE_STEP_ZK_PUBLIC, 711 output_buffer, size_zk_public + 1), 712 ERR_INJECT_WRONG_BUFFER_SIZE); 713 714 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, 715 PSA_PAKE_STEP_ZK_PROOF, 716 output_buffer, size_zk_proof + 1), 717 ERR_INJECT_WRONG_BUFFER_SIZE_2); 718 719 SETUP_CONDITIONAL_CHECK_STEP( 720 (psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 721 output_buffer, size_zk_public + 1), 722 psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 723 output_buffer, size_zk_public)), 724 ERR_INJECT_VALID_OPERATION_AFTER_FAILURE); 725 } else { 726 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_output(&operation, 727 PSA_PAKE_STEP_ZK_PROOF, 728 output_buffer, 0, 729 &output_len), 730 ERR_INJECT_EMPTY_IO_BUFFER); 731 732 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_output(&operation, 733 PSA_PAKE_STEP_ZK_PROOF + 10, 734 output_buffer, buf_size, &output_len), 735 ERR_INJECT_UNKNOWN_STEP); 736 737 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_output(&operation, 738 PSA_PAKE_STEP_ZK_PROOF, 739 output_buffer, buf_size, &output_len), 740 ERR_INJECT_INVALID_FIRST_STEP); 741 742 SETUP_ALWAYS_CHECK_STEP(psa_pake_output(&operation, 743 PSA_PAKE_STEP_KEY_SHARE, 744 output_buffer, buf_size, &output_len), 745 ERR_IN_OUTPUT); 746 747 TEST_ASSERT(output_len > 0); 748 749 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_output(&operation, 750 PSA_PAKE_STEP_ZK_PUBLIC, 751 output_buffer, size_zk_public - 1, 752 &output_len), 753 ERR_INJECT_WRONG_BUFFER_SIZE); 754 755 SETUP_CONDITIONAL_CHECK_STEP( 756 (psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 757 output_buffer, size_zk_public - 1, &output_len), 758 psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 759 output_buffer, buf_size, &output_len)), 760 ERR_INJECT_VALID_OPERATION_AFTER_FAILURE); 761 } 762 763exit: 764 PSA_ASSERT(psa_destroy_key(key)); 765 PSA_ASSERT(psa_pake_abort(&operation)); 766 mbedtls_free(output_buffer); 767 PSA_DONE(); 768} 769/* END_CASE */ 770 771/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 772void ecjpake_rounds_inject(int alg_arg, int primitive_arg, int hash_arg, 773 int client_input_first, 774 data_t *pw_data, 775 int err_stage_arg, 776 int expected_error_arg, 777 int inject_in_second_round) 778{ 779 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 780 psa_pake_operation_t server = psa_pake_operation_init(); 781 psa_pake_operation_t client = psa_pake_operation_init(); 782 psa_algorithm_t alg = alg_arg; 783 psa_algorithm_t hash_alg = hash_arg; 784 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 785 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 786 ecjpake_error_stage_t err_stage = err_stage_arg; 787 788 PSA_INIT(); 789 790 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 791 psa_set_key_algorithm(&attributes, alg); 792 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 793 794 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, 795 &key)); 796 797 psa_pake_cs_set_algorithm(&cipher_suite, alg); 798 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg); 799 psa_pake_cs_set_hash(&cipher_suite, hash_alg); 800 801 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite)); 802 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite)); 803 804 PSA_ASSERT(psa_pake_set_user(&server, jpake_server_id, sizeof(jpake_server_id))); 805 PSA_ASSERT(psa_pake_set_peer(&server, jpake_client_id, sizeof(jpake_client_id))); 806 PSA_ASSERT(psa_pake_set_user(&client, jpake_client_id, sizeof(jpake_client_id))); 807 PSA_ASSERT(psa_pake_set_peer(&client, jpake_server_id, sizeof(jpake_server_id))); 808 809 PSA_ASSERT(psa_pake_set_password_key(&server, key)); 810 PSA_ASSERT(psa_pake_set_password_key(&client, key)); 811 812 ecjpake_do_round(alg, primitive_arg, &server, &client, 813 client_input_first, PAKE_ROUND_ONE, 814 inject_in_second_round ? ERR_NONE : err_stage, 815 expected_error_arg); 816 817 if (!inject_in_second_round && err_stage != ERR_NONE) { 818 goto exit; 819 } 820 821 ecjpake_do_round(alg, primitive_arg, &server, &client, 822 client_input_first, PAKE_ROUND_TWO, 823 err_stage, expected_error_arg); 824 825exit: 826 psa_destroy_key(key); 827 psa_pake_abort(&server); 828 psa_pake_abort(&client); 829 PSA_DONE(); 830} 831/* END_CASE */ 832 833/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 834void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, 835 int derive_alg_arg, data_t *pw_data, 836 int client_input_first, int destroy_key, 837 int err_stage_arg) 838{ 839 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 840 psa_pake_operation_t server = psa_pake_operation_init(); 841 psa_pake_operation_t client = psa_pake_operation_init(); 842 psa_algorithm_t alg = alg_arg; 843 psa_algorithm_t hash_alg = hash_arg; 844 psa_algorithm_t derive_alg = derive_alg_arg; 845 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 846 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 847 psa_key_derivation_operation_t server_derive = 848 PSA_KEY_DERIVATION_OPERATION_INIT; 849 psa_key_derivation_operation_t client_derive = 850 PSA_KEY_DERIVATION_OPERATION_INIT; 851 ecjpake_error_stage_t err_stage = err_stage_arg; 852 853 PSA_INIT(); 854 855 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 856 psa_set_key_algorithm(&attributes, alg); 857 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 858 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, 859 &key)); 860 861 psa_pake_cs_set_algorithm(&cipher_suite, alg); 862 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg); 863 psa_pake_cs_set_hash(&cipher_suite, hash_alg); 864 865 /* Get shared key */ 866 PSA_ASSERT(psa_key_derivation_setup(&server_derive, derive_alg)); 867 PSA_ASSERT(psa_key_derivation_setup(&client_derive, derive_alg)); 868 869 if (PSA_ALG_IS_TLS12_PRF(derive_alg) || 870 PSA_ALG_IS_TLS12_PSK_TO_MS(derive_alg)) { 871 PSA_ASSERT(psa_key_derivation_input_bytes(&server_derive, 872 PSA_KEY_DERIVATION_INPUT_SEED, 873 (const uint8_t *) "", 0)); 874 PSA_ASSERT(psa_key_derivation_input_bytes(&client_derive, 875 PSA_KEY_DERIVATION_INPUT_SEED, 876 (const uint8_t *) "", 0)); 877 } 878 879 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite)); 880 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite)); 881 882 PSA_ASSERT(psa_pake_set_user(&server, jpake_server_id, sizeof(jpake_server_id))); 883 PSA_ASSERT(psa_pake_set_peer(&server, jpake_client_id, sizeof(jpake_client_id))); 884 PSA_ASSERT(psa_pake_set_user(&client, jpake_client_id, sizeof(jpake_client_id))); 885 PSA_ASSERT(psa_pake_set_peer(&client, jpake_server_id, sizeof(jpake_server_id))); 886 887 PSA_ASSERT(psa_pake_set_password_key(&server, key)); 888 PSA_ASSERT(psa_pake_set_password_key(&client, key)); 889 890 if (destroy_key == 1) { 891 psa_destroy_key(key); 892 } 893 894 if (err_stage == ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1) { 895 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive), 896 PSA_ERROR_BAD_STATE); 897 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive), 898 PSA_ERROR_BAD_STATE); 899 goto exit; 900 } 901 902 /* First round */ 903 ecjpake_do_round(alg, primitive_arg, &server, &client, 904 client_input_first, PAKE_ROUND_ONE, 905 ERR_NONE, PSA_SUCCESS); 906 907 if (err_stage == ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2) { 908 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive), 909 PSA_ERROR_BAD_STATE); 910 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive), 911 PSA_ERROR_BAD_STATE); 912 goto exit; 913 } 914 915 /* Second round */ 916 ecjpake_do_round(alg, primitive_arg, &server, &client, 917 client_input_first, PAKE_ROUND_TWO, 918 ERR_NONE, PSA_SUCCESS); 919 920 PSA_ASSERT(psa_pake_get_implicit_key(&server, &server_derive)); 921 PSA_ASSERT(psa_pake_get_implicit_key(&client, &client_derive)); 922 923exit: 924 psa_key_derivation_abort(&server_derive); 925 psa_key_derivation_abort(&client_derive); 926 psa_destroy_key(key); 927 psa_pake_abort(&server); 928 psa_pake_abort(&client); 929 PSA_DONE(); 930} 931/* END_CASE */ 932 933/* BEGIN_CASE */ 934void ecjpake_size_macros() 935{ 936 const psa_algorithm_t alg = PSA_ALG_JPAKE; 937 const size_t bits = 256; 938 const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( 939 PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, bits); 940 const psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR( 941 PSA_ECC_FAMILY_SECP_R1); 942 943 // https://armmbed.github.io/mbed-crypto/1.1_PAKE_Extension.0-bet.0/html/pake.html#pake-step-types 944 /* The output for KEY_SHARE and ZK_PUBLIC is the same as a public key */ 945 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 946 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits)); 947 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 948 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits)); 949 /* The output for ZK_PROOF is the same bitsize as the curve */ 950 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 951 PSA_BITS_TO_BYTES(bits)); 952 953 /* Input sizes are the same as output sizes */ 954 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 955 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE)); 956 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 957 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC)); 958 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 959 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF)); 960 961 /* These inequalities will always hold even when other PAKEs are added */ 962 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 963 PSA_PAKE_OUTPUT_MAX_SIZE); 964 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 965 PSA_PAKE_OUTPUT_MAX_SIZE); 966 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 967 PSA_PAKE_OUTPUT_MAX_SIZE); 968 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 969 PSA_PAKE_INPUT_MAX_SIZE); 970 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 971 PSA_PAKE_INPUT_MAX_SIZE); 972 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 973 PSA_PAKE_INPUT_MAX_SIZE); 974} 975/* END_CASE */ 976 977/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 978void pake_input_getters_password() 979{ 980 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 981 psa_pake_operation_t operation = psa_pake_operation_init(); 982 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 983 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 984 const char *password = "password"; 985 uint8_t password_ret[20] = { 0 }; // max key length is 20 bytes 986 size_t password_len_ret = 0; 987 size_t buffer_len_ret = 0; 988 989 psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( 990 PSA_PAKE_PRIMITIVE_TYPE_ECC, 991 PSA_ECC_FAMILY_SECP_R1, 256); 992 993 PSA_INIT(); 994 995 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 996 psa_pake_cs_set_primitive(&cipher_suite, primitive); 997 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 998 999 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 1000 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE); 1001 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 1002 1003 PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); 1004 1005 PSA_ASSERT(psa_import_key(&attributes, (uint8_t *) password, strlen(password), &key)); 1006 1007 TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, 1008 (uint8_t *) &password_ret, 1009 10, &buffer_len_ret), 1010 PSA_ERROR_BAD_STATE); 1011 1012 TEST_EQUAL(psa_crypto_driver_pake_get_password_len(&operation.data.inputs, &password_len_ret), 1013 PSA_ERROR_BAD_STATE); 1014 1015 PSA_ASSERT(psa_pake_set_password_key(&operation, key)); 1016 1017 TEST_EQUAL(psa_crypto_driver_pake_get_password_len(&operation.data.inputs, &password_len_ret), 1018 PSA_SUCCESS); 1019 1020 TEST_EQUAL(password_len_ret, strlen(password)); 1021 1022 TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, 1023 (uint8_t *) &password_ret, 1024 password_len_ret - 1, 1025 &buffer_len_ret), 1026 PSA_ERROR_BUFFER_TOO_SMALL); 1027 1028 TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, 1029 (uint8_t *) &password_ret, 1030 password_len_ret, 1031 &buffer_len_ret), 1032 PSA_SUCCESS); 1033 1034 TEST_MEMORY_COMPARE(password_ret, buffer_len_ret, password, strlen(password)); 1035exit: 1036 PSA_ASSERT(psa_destroy_key(key)); 1037 PSA_ASSERT(psa_pake_abort(&operation)); 1038 PSA_DONE(); 1039} 1040/* END_CASE */ 1041 1042/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 1043void pake_input_getters_cipher_suite() 1044{ 1045 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 1046 psa_pake_operation_t operation = psa_pake_operation_init(); 1047 psa_pake_cipher_suite_t cipher_suite_ret = psa_pake_cipher_suite_init(); 1048 1049 psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( 1050 PSA_PAKE_PRIMITIVE_TYPE_ECC, 1051 PSA_ECC_FAMILY_SECP_R1, 256); 1052 1053 PSA_INIT(); 1054 1055 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 1056 psa_pake_cs_set_primitive(&cipher_suite, primitive); 1057 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 1058 1059 TEST_EQUAL(psa_crypto_driver_pake_get_cipher_suite(&operation.data.inputs, &cipher_suite_ret), 1060 PSA_ERROR_BAD_STATE); 1061 1062 PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); 1063 1064 TEST_EQUAL(psa_crypto_driver_pake_get_cipher_suite(&operation.data.inputs, &cipher_suite_ret), 1065 PSA_SUCCESS); 1066 1067 TEST_MEMORY_COMPARE(&cipher_suite_ret, sizeof(cipher_suite_ret), 1068 &cipher_suite, sizeof(cipher_suite)); 1069 1070exit: 1071 PSA_ASSERT(psa_pake_abort(&operation)); 1072 PSA_DONE(); 1073} 1074/* END_CASE */ 1075 1076/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 1077void pake_input_getters_user() 1078{ 1079 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 1080 psa_pake_operation_t operation = psa_pake_operation_init(); 1081 const char *users[] = { "client", "server", "other" }; 1082 uint8_t user_ret[20] = { 0 }; // max user length is 20 bytes 1083 size_t user_len_ret = 0; 1084 size_t buffer_len_ret = 0; 1085 1086 psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( 1087 PSA_PAKE_PRIMITIVE_TYPE_ECC, 1088 PSA_ECC_FAMILY_SECP_R1, 256); 1089 1090 PSA_INIT(); 1091 1092 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 1093 psa_pake_cs_set_primitive(&cipher_suite, primitive); 1094 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 1095 1096 for (size_t i = 0; i < ARRAY_LENGTH(users); i++) { 1097 uint8_t *user = (uint8_t *) users[i]; 1098 uint8_t user_len = strlen(users[i]); 1099 1100 PSA_ASSERT(psa_pake_abort(&operation)); 1101 1102 PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); 1103 1104 TEST_EQUAL(psa_crypto_driver_pake_get_user(&operation.data.inputs, 1105 (uint8_t *) &user_ret, 1106 10, &buffer_len_ret), 1107 PSA_ERROR_BAD_STATE); 1108 1109 TEST_EQUAL(psa_crypto_driver_pake_get_user_len(&operation.data.inputs, &user_len_ret), 1110 PSA_ERROR_BAD_STATE); 1111 1112 PSA_ASSERT(psa_pake_set_user(&operation, user, user_len)); 1113 1114 TEST_EQUAL(psa_crypto_driver_pake_get_user_len(&operation.data.inputs, &user_len_ret), 1115 PSA_SUCCESS); 1116 1117 TEST_EQUAL(user_len_ret, user_len); 1118 1119 TEST_EQUAL(psa_crypto_driver_pake_get_user(&operation.data.inputs, 1120 (uint8_t *) &user_ret, 1121 user_len_ret - 1, 1122 &buffer_len_ret), 1123 PSA_ERROR_BUFFER_TOO_SMALL); 1124 1125 TEST_EQUAL(psa_crypto_driver_pake_get_user(&operation.data.inputs, 1126 (uint8_t *) &user_ret, 1127 user_len_ret, 1128 &buffer_len_ret), 1129 PSA_SUCCESS); 1130 1131 TEST_MEMORY_COMPARE(user_ret, buffer_len_ret, user, user_len); 1132 } 1133exit: 1134 PSA_ASSERT(psa_pake_abort(&operation)); 1135 PSA_DONE(); 1136} 1137/* END_CASE */ 1138 1139/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 1140void pake_input_getters_peer() 1141{ 1142 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 1143 psa_pake_operation_t operation = psa_pake_operation_init(); 1144 const char *peers[] = { "client", "server", "other" }; 1145 uint8_t peer_ret[20] = { 0 }; // max peer length is 20 bytes 1146 size_t peer_len_ret = 0; 1147 size_t buffer_len_ret = 0; 1148 1149 psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( 1150 PSA_PAKE_PRIMITIVE_TYPE_ECC, 1151 PSA_ECC_FAMILY_SECP_R1, 256); 1152 1153 PSA_INIT(); 1154 1155 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 1156 psa_pake_cs_set_primitive(&cipher_suite, primitive); 1157 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 1158 1159 for (size_t i = 0; i < ARRAY_LENGTH(peers); i++) { 1160 uint8_t *peer = (uint8_t *) peers[i]; 1161 uint8_t peer_len = strlen(peers[i]); 1162 1163 PSA_ASSERT(psa_pake_abort(&operation)); 1164 1165 PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); 1166 1167 TEST_EQUAL(psa_crypto_driver_pake_get_peer(&operation.data.inputs, 1168 (uint8_t *) &peer_ret, 1169 10, &buffer_len_ret), 1170 PSA_ERROR_BAD_STATE); 1171 1172 TEST_EQUAL(psa_crypto_driver_pake_get_peer_len(&operation.data.inputs, &peer_len_ret), 1173 PSA_ERROR_BAD_STATE); 1174 1175 PSA_ASSERT(psa_pake_set_peer(&operation, peer, peer_len)); 1176 1177 TEST_EQUAL(psa_crypto_driver_pake_get_peer_len(&operation.data.inputs, &peer_len_ret), 1178 PSA_SUCCESS); 1179 1180 TEST_EQUAL(peer_len_ret, peer_len); 1181 1182 TEST_EQUAL(psa_crypto_driver_pake_get_peer(&operation.data.inputs, 1183 (uint8_t *) &peer_ret, 1184 peer_len_ret - 1, 1185 &buffer_len_ret), 1186 PSA_ERROR_BUFFER_TOO_SMALL); 1187 1188 TEST_EQUAL(psa_crypto_driver_pake_get_peer(&operation.data.inputs, 1189 (uint8_t *) &peer_ret, 1190 peer_len_ret, 1191 &buffer_len_ret), 1192 PSA_SUCCESS); 1193 1194 TEST_MEMORY_COMPARE(peer_ret, buffer_len_ret, peer, peer_len); 1195 } 1196exit: 1197 PSA_ASSERT(psa_pake_abort(&operation)); 1198 PSA_DONE(); 1199} 1200/* END_CASE */ 1201
