1/* BEGIN_HEADER */ 2#include <stdint.h> 3 4#include "mbedtls/asn1.h" 5#include "mbedtls/asn1write.h" 6#include "mbedtls/oid.h" 7#include "common.h" 8 9#include "mbedtls/psa_util.h" 10 11/* For MBEDTLS_CTR_DRBG_MAX_REQUEST, knowing that psa_generate_random() 12 * uses mbedtls_ctr_drbg internally. */ 13#include "mbedtls/ctr_drbg.h" 14 15#include "psa/crypto.h" 16#include "psa_crypto_slot_management.h" 17 18#include "psa_crypto_core.h" 19 20#include "test/asn1_helpers.h" 21#include "test/psa_crypto_helpers.h" 22#include "test/psa_exercise_key.h" 23#if defined(PSA_CRYPTO_DRIVER_TEST) 24#include "test/drivers/test_driver.h" 25#define TEST_DRIVER_LOCATION PSA_CRYPTO_TEST_DRIVER_LOCATION 26#else 27#define TEST_DRIVER_LOCATION 0x7fffff 28#endif 29 30#if defined(MBEDTLS_THREADING_PTHREAD) 31#include "mbedtls/threading.h" 32#endif 33 34/* If this comes up, it's a bug in the test code or in the test data. */ 35#define UNUSED 0xdeadbeef 36 37/* Assert that an operation is (not) active. 38 * This serves as a proxy for checking if the operation is aborted. */ 39#define ASSERT_OPERATION_IS_ACTIVE(operation) TEST_ASSERT(operation.id != 0) 40#define ASSERT_OPERATION_IS_INACTIVE(operation) TEST_ASSERT(operation.id == 0) 41 42/** An invalid export length that will never be set by psa_export_key(). */ 43static const size_t INVALID_EXPORT_LENGTH = ~0U; 44 45/** Test if a buffer contains a constant byte value. 46 * 47 * `mem_is_char(buffer, c, size)` is true after `memset(buffer, c, size)`. 48 * 49 * \param buffer Pointer to the beginning of the buffer. 50 * \param c Expected value of every byte. 51 * \param size Size of the buffer in bytes. 52 * 53 * \return 1 if the buffer is all-bits-zero. 54 * \return 0 if there is at least one nonzero byte. 55 */ 56static int mem_is_char(void *buffer, unsigned char c, size_t size) 57{ 58 size_t i; 59 for (i = 0; i < size; i++) { 60 if (((unsigned char *) buffer)[i] != c) { 61 return 0; 62 } 63 } 64 return 1; 65} 66#if defined(MBEDTLS_ASN1_WRITE_C) 67/* Write the ASN.1 INTEGER with the value 2^(bits-1)+x backwards from *p. */ 68static int asn1_write_10x(unsigned char **p, 69 unsigned char *start, 70 size_t bits, 71 unsigned char x) 72{ 73 int ret; 74 int len = bits / 8 + 1; 75 if (bits == 0) { 76 return MBEDTLS_ERR_ASN1_INVALID_DATA; 77 } 78 if (bits <= 8 && x >= 1 << (bits - 1)) { 79 return MBEDTLS_ERR_ASN1_INVALID_DATA; 80 } 81 if (*p < start || *p - start < (ptrdiff_t) len) { 82 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; 83 } 84 *p -= len; 85 (*p)[len-1] = x; 86 if (bits % 8 == 0) { 87 (*p)[1] |= 1; 88 } else { 89 (*p)[0] |= 1 << (bits % 8); 90 } 91 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); 92 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, 93 MBEDTLS_ASN1_INTEGER)); 94 return len; 95} 96 97static int construct_fake_rsa_key(unsigned char *buffer, 98 size_t buffer_size, 99 unsigned char **p, 100 size_t bits, 101 int keypair) 102{ 103 size_t half_bits = (bits + 1) / 2; 104 int ret; 105 int len = 0; 106 /* Construct something that looks like a DER encoding of 107 * as defined by PKCS#1 v2.2 (RFC 8017) section A.1.2: 108 * RSAPrivateKey ::= SEQUENCE { 109 * version Version, 110 * modulus INTEGER, -- n 111 * publicExponent INTEGER, -- e 112 * privateExponent INTEGER, -- d 113 * prime1 INTEGER, -- p 114 * prime2 INTEGER, -- q 115 * exponent1 INTEGER, -- d mod (p-1) 116 * exponent2 INTEGER, -- d mod (q-1) 117 * coefficient INTEGER, -- (inverse of q) mod p 118 * otherPrimeInfos OtherPrimeInfos OPTIONAL 119 * } 120 * Or, for a public key, the same structure with only 121 * version, modulus and publicExponent. 122 */ 123 *p = buffer + buffer_size; 124 if (keypair) { 125 MBEDTLS_ASN1_CHK_ADD(len, /* pq */ 126 asn1_write_10x(p, buffer, half_bits, 1)); 127 MBEDTLS_ASN1_CHK_ADD(len, /* dq */ 128 asn1_write_10x(p, buffer, half_bits, 1)); 129 MBEDTLS_ASN1_CHK_ADD(len, /* dp */ 130 asn1_write_10x(p, buffer, half_bits, 1)); 131 MBEDTLS_ASN1_CHK_ADD(len, /* q */ 132 asn1_write_10x(p, buffer, half_bits, 1)); 133 MBEDTLS_ASN1_CHK_ADD(len, /* p != q to pass mbedtls sanity checks */ 134 asn1_write_10x(p, buffer, half_bits, 3)); 135 MBEDTLS_ASN1_CHK_ADD(len, /* d */ 136 asn1_write_10x(p, buffer, bits, 1)); 137 } 138 MBEDTLS_ASN1_CHK_ADD(len, /* e = 65537 */ 139 asn1_write_10x(p, buffer, 17, 1)); 140 MBEDTLS_ASN1_CHK_ADD(len, /* n */ 141 asn1_write_10x(p, buffer, bits, 1)); 142 if (keypair) { 143 MBEDTLS_ASN1_CHK_ADD(len, /* version = 0 */ 144 mbedtls_asn1_write_int(p, buffer, 0)); 145 } 146 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buffer, len)); 147 { 148 const unsigned char tag = 149 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE; 150 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buffer, tag)); 151 } 152 return len; 153} 154#endif /* MBEDTLS_ASN1_WRITE_C */ 155 156static int exercise_mac_setup(psa_key_type_t key_type, 157 const unsigned char *key_bytes, 158 size_t key_length, 159 psa_algorithm_t alg, 160 psa_mac_operation_t *operation, 161 psa_status_t *status) 162{ 163 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 164 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 165 166 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 167 psa_set_key_algorithm(&attributes, alg); 168 psa_set_key_type(&attributes, key_type); 169 PSA_ASSERT(psa_import_key(&attributes, key_bytes, key_length, &key)); 170 171 *status = psa_mac_sign_setup(operation, key, alg); 172 /* Whether setup succeeded or failed, abort must succeed. */ 173 PSA_ASSERT(psa_mac_abort(operation)); 174 /* If setup failed, reproduce the failure, so that the caller can 175 * test the resulting state of the operation object. */ 176 if (*status != PSA_SUCCESS) { 177 TEST_EQUAL(psa_mac_sign_setup(operation, key, alg), *status); 178 } 179 180 psa_destroy_key(key); 181 return 1; 182 183exit: 184 psa_destroy_key(key); 185 return 0; 186} 187 188static int exercise_cipher_setup(psa_key_type_t key_type, 189 const unsigned char *key_bytes, 190 size_t key_length, 191 psa_algorithm_t alg, 192 psa_cipher_operation_t *operation, 193 psa_status_t *status) 194{ 195 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 196 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 197 198 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 199 psa_set_key_algorithm(&attributes, alg); 200 psa_set_key_type(&attributes, key_type); 201 PSA_ASSERT(psa_import_key(&attributes, key_bytes, key_length, &key)); 202 203 *status = psa_cipher_encrypt_setup(operation, key, alg); 204 /* Whether setup succeeded or failed, abort must succeed. */ 205 PSA_ASSERT(psa_cipher_abort(operation)); 206 /* If setup failed, reproduce the failure, so that the caller can 207 * test the resulting state of the operation object. */ 208 if (*status != PSA_SUCCESS) { 209 TEST_EQUAL(psa_cipher_encrypt_setup(operation, key, alg), 210 *status); 211 } 212 213 psa_destroy_key(key); 214 return 1; 215 216exit: 217 psa_destroy_key(key); 218 return 0; 219} 220 221static int test_operations_on_invalid_key(mbedtls_svc_key_id_t key) 222{ 223 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 224 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, 0x6964); 225 uint8_t buffer[1]; 226 size_t length; 227 int ok = 0; 228 229 psa_set_key_id(&attributes, key_id); 230 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 231 psa_set_key_algorithm(&attributes, PSA_ALG_CTR); 232 psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); 233 TEST_EQUAL(psa_get_key_attributes(key, &attributes), 234 PSA_ERROR_INVALID_HANDLE); 235 TEST_EQUAL( 236 MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(&attributes)), 0); 237 TEST_EQUAL( 238 MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(psa_get_key_id(&attributes)), 0); 239 TEST_EQUAL(psa_get_key_lifetime(&attributes), 0); 240 TEST_EQUAL(psa_get_key_usage_flags(&attributes), 0); 241 TEST_EQUAL(psa_get_key_algorithm(&attributes), 0); 242 TEST_EQUAL(psa_get_key_type(&attributes), 0); 243 TEST_EQUAL(psa_get_key_bits(&attributes), 0); 244 245 TEST_EQUAL(psa_export_key(key, buffer, sizeof(buffer), &length), 246 PSA_ERROR_INVALID_HANDLE); 247 TEST_EQUAL(psa_export_public_key(key, 248 buffer, sizeof(buffer), &length), 249 PSA_ERROR_INVALID_HANDLE); 250 251 ok = 1; 252 253exit: 254 /* 255 * Key attributes may have been returned by psa_get_key_attributes() 256 * thus reset them as required. 257 */ 258 psa_reset_key_attributes(&attributes); 259 260 return ok; 261} 262 263/* Assert that a key isn't reported as having a slot number. */ 264#if defined(MBEDTLS_PSA_CRYPTO_SE_C) 265#define ASSERT_NO_SLOT_NUMBER(attributes) \ 266 do \ 267 { \ 268 psa_key_slot_number_t ASSERT_NO_SLOT_NUMBER_slot_number; \ 269 TEST_EQUAL(psa_get_key_slot_number( \ 270 attributes, \ 271 &ASSERT_NO_SLOT_NUMBER_slot_number), \ 272 PSA_ERROR_INVALID_ARGUMENT); \ 273 } \ 274 while (0) 275#else /* MBEDTLS_PSA_CRYPTO_SE_C */ 276#define ASSERT_NO_SLOT_NUMBER(attributes) \ 277 ((void) 0) 278#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ 279 280#define INPUT_INTEGER 0x10000 /* Out of range of psa_key_type_t */ 281 282/* An overapproximation of the amount of storage needed for a key of the 283 * given type and with the given content. The API doesn't make it easy 284 * to find a good value for the size. The current implementation doesn't 285 * care about the value anyway. */ 286#define KEY_BITS_FROM_DATA(type, data) \ 287 (data)->len 288 289typedef enum { 290 IMPORT_KEY = 0, 291 GENERATE_KEY = 1, 292 DERIVE_KEY = 2 293} generate_method; 294 295typedef enum { 296 DO_NOT_SET_LENGTHS = 0, 297 SET_LENGTHS_BEFORE_NONCE = 1, 298 SET_LENGTHS_AFTER_NONCE = 2 299} set_lengths_method_t; 300 301typedef enum { 302 USE_NULL_TAG = 0, 303 USE_GIVEN_TAG = 1, 304} tag_usage_method_t; 305 306 307/*! 308 * \brief Internal Function for AEAD multipart tests. 309 * \param key_type_arg Type of key passed in 310 * \param key_data The encryption / decryption key data 311 * \param alg_arg The type of algorithm used 312 * \param nonce Nonce data 313 * \param additional_data Additional data 314 * \param ad_part_len_arg If not -1, the length of chunks to 315 * feed additional data in to be encrypted / 316 * decrypted. If -1, no chunking. 317 * \param input_data Data to encrypt / decrypt 318 * \param data_part_len_arg If not -1, the length of chunks to feed 319 * the data in to be encrypted / decrypted. If 320 * -1, no chunking 321 * \param set_lengths_method A member of the set_lengths_method_t enum is 322 * expected here, this controls whether or not 323 * to set lengths, and in what order with 324 * respect to set nonce. 325 * \param expected_output Expected output 326 * \param is_encrypt If non-zero this is an encryption operation. 327 * \param do_zero_parts If non-zero, interleave zero length chunks 328 * with normal length chunks. 329 * \return int Zero on failure, non-zero on success. 330 */ 331static int aead_multipart_internal_func(int key_type_arg, data_t *key_data, 332 int alg_arg, 333 data_t *nonce, 334 data_t *additional_data, 335 int ad_part_len_arg, 336 data_t *input_data, 337 int data_part_len_arg, 338 set_lengths_method_t set_lengths_method, 339 data_t *expected_output, 340 int is_encrypt, 341 int do_zero_parts) 342{ 343 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 344 psa_key_type_t key_type = key_type_arg; 345 psa_algorithm_t alg = alg_arg; 346 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 347 unsigned char *output_data = NULL; 348 unsigned char *part_data = NULL; 349 unsigned char *final_data = NULL; 350 size_t data_true_size = 0; 351 size_t part_data_size = 0; 352 size_t output_size = 0; 353 size_t final_output_size = 0; 354 size_t output_length = 0; 355 size_t key_bits = 0; 356 size_t tag_length = 0; 357 size_t part_offset = 0; 358 size_t part_length = 0; 359 size_t output_part_length = 0; 360 size_t tag_size = 0; 361 size_t ad_part_len = 0; 362 size_t data_part_len = 0; 363 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 364 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 365 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 366 367 int test_ok = 0; 368 size_t part_count = 0; 369 370 PSA_ASSERT(psa_crypto_init()); 371 372 if (is_encrypt) { 373 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 374 } else { 375 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 376 } 377 378 psa_set_key_algorithm(&attributes, alg); 379 psa_set_key_type(&attributes, key_type); 380 381 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 382 &key)); 383 384 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 385 key_bits = psa_get_key_bits(&attributes); 386 387 tag_length = PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg); 388 389 if (is_encrypt) { 390 /* Tag gets written at end of buffer. */ 391 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, 392 (input_data->len + 393 tag_length)); 394 data_true_size = input_data->len; 395 } else { 396 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, 397 (input_data->len - 398 tag_length)); 399 400 /* Do not want to attempt to decrypt tag. */ 401 data_true_size = input_data->len - tag_length; 402 } 403 404 TEST_CALLOC(output_data, output_size); 405 406 if (is_encrypt) { 407 final_output_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg); 408 TEST_LE_U(final_output_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE); 409 } else { 410 final_output_size = PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg); 411 TEST_LE_U(final_output_size, PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE); 412 } 413 414 TEST_CALLOC(final_data, final_output_size); 415 416 if (is_encrypt) { 417 status = psa_aead_encrypt_setup(&operation, key, alg); 418 } else { 419 status = psa_aead_decrypt_setup(&operation, key, alg); 420 } 421 422 /* If the operation is not supported, just skip and not fail in case the 423 * encryption involves a common limitation of cryptography hardwares and 424 * an alternative implementation. */ 425 if (status == PSA_ERROR_NOT_SUPPORTED) { 426 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 427 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len); 428 } 429 430 PSA_ASSERT(status); 431 432 if (set_lengths_method == DO_NOT_SET_LENGTHS) { 433 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 434 } else if (set_lengths_method == SET_LENGTHS_BEFORE_NONCE) { 435 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 436 data_true_size)); 437 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 438 } else if (set_lengths_method == SET_LENGTHS_AFTER_NONCE) { 439 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 440 441 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 442 data_true_size)); 443 } 444 445 if (ad_part_len_arg != -1) { 446 /* Pass additional data in parts */ 447 ad_part_len = (size_t) ad_part_len_arg; 448 449 for (part_offset = 0, part_count = 0; 450 part_offset < additional_data->len; 451 part_offset += part_length, part_count++) { 452 if (do_zero_parts && (part_count & 0x01)) { 453 part_length = 0; 454 } else if (additional_data->len - part_offset < ad_part_len) { 455 part_length = additional_data->len - part_offset; 456 } else { 457 part_length = ad_part_len; 458 } 459 460 PSA_ASSERT(psa_aead_update_ad(&operation, 461 additional_data->x + part_offset, 462 part_length)); 463 464 } 465 } else { 466 /* Pass additional data in one go. */ 467 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 468 additional_data->len)); 469 } 470 471 if (data_part_len_arg != -1) { 472 /* Pass data in parts */ 473 data_part_len = (size_t) data_part_len_arg; 474 part_data_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, 475 (size_t) data_part_len); 476 477 TEST_CALLOC(part_data, part_data_size); 478 479 for (part_offset = 0, part_count = 0; 480 part_offset < data_true_size; 481 part_offset += part_length, part_count++) { 482 if (do_zero_parts && (part_count & 0x01)) { 483 part_length = 0; 484 } else if ((data_true_size - part_offset) < data_part_len) { 485 part_length = (data_true_size - part_offset); 486 } else { 487 part_length = data_part_len; 488 } 489 490 PSA_ASSERT(psa_aead_update(&operation, 491 (input_data->x + part_offset), 492 part_length, part_data, 493 part_data_size, 494 &output_part_length)); 495 496 if (output_data && output_part_length) { 497 memcpy((output_data + output_length), part_data, 498 output_part_length); 499 } 500 501 output_length += output_part_length; 502 } 503 } else { 504 /* Pass all data in one go. */ 505 PSA_ASSERT(psa_aead_update(&operation, input_data->x, 506 data_true_size, output_data, 507 output_size, &output_length)); 508 } 509 510 if (is_encrypt) { 511 PSA_ASSERT(psa_aead_finish(&operation, final_data, 512 final_output_size, 513 &output_part_length, 514 tag_buffer, tag_length, 515 &tag_size)); 516 } else { 517 PSA_ASSERT(psa_aead_verify(&operation, final_data, 518 final_output_size, 519 &output_part_length, 520 (input_data->x + data_true_size), 521 tag_length)); 522 } 523 524 if (output_data && output_part_length) { 525 memcpy((output_data + output_length), final_data, 526 output_part_length); 527 } 528 529 output_length += output_part_length; 530 531 532 /* For all currently defined algorithms, PSA_AEAD_xxx_OUTPUT_SIZE 533 * should be exact.*/ 534 if (is_encrypt) { 535 TEST_EQUAL(tag_length, tag_size); 536 537 if (output_data && tag_length) { 538 memcpy((output_data + output_length), tag_buffer, 539 tag_length); 540 } 541 542 output_length += tag_length; 543 544 TEST_EQUAL(output_length, 545 PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, 546 input_data->len)); 547 TEST_LE_U(output_length, 548 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(input_data->len)); 549 } else { 550 TEST_EQUAL(output_length, 551 PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, 552 input_data->len)); 553 TEST_LE_U(output_length, 554 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(input_data->len)); 555 } 556 557 558 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len, 559 output_data, output_length); 560 561 562 test_ok = 1; 563 564exit: 565 psa_destroy_key(key); 566 psa_aead_abort(&operation); 567 mbedtls_free(output_data); 568 mbedtls_free(part_data); 569 mbedtls_free(final_data); 570 PSA_DONE(); 571 572 return test_ok; 573} 574 575/*! 576 * \brief Internal Function for MAC multipart tests. 577 * \param key_type_arg Type of key passed in 578 * \param key_data The encryption / decryption key data 579 * \param alg_arg The type of algorithm used 580 * \param input_data Data to encrypt / decrypt 581 * \param data_part_len_arg If not -1, the length of chunks to feed 582 * the data in to be encrypted / decrypted. If 583 * -1, no chunking 584 * \param expected_output Expected output 585 * \param is_verify If non-zero this is a verify operation. 586 * \param do_zero_parts If non-zero, interleave zero length chunks 587 * with normal length chunks. 588 * \return int Zero on failure, non-zero on success. 589 */ 590static int mac_multipart_internal_func(int key_type_arg, data_t *key_data, 591 int alg_arg, 592 data_t *input_data, 593 int data_part_len_arg, 594 data_t *expected_output, 595 int is_verify, 596 int do_zero_parts) 597{ 598 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 599 psa_key_type_t key_type = key_type_arg; 600 psa_algorithm_t alg = alg_arg; 601 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 602 unsigned char mac[PSA_MAC_MAX_SIZE]; 603 size_t part_offset = 0; 604 size_t part_length = 0; 605 size_t data_part_len = 0; 606 size_t mac_len = 0; 607 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 608 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 609 610 int test_ok = 0; 611 size_t part_count = 0; 612 613 PSA_INIT(); 614 615 if (is_verify) { 616 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 617 } else { 618 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 619 } 620 621 psa_set_key_algorithm(&attributes, alg); 622 psa_set_key_type(&attributes, key_type); 623 624 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 625 &key)); 626 627 if (is_verify) { 628 status = psa_mac_verify_setup(&operation, key, alg); 629 } else { 630 status = psa_mac_sign_setup(&operation, key, alg); 631 } 632 633 PSA_ASSERT(status); 634 635 if (data_part_len_arg != -1) { 636 /* Pass data in parts */ 637 data_part_len = (size_t) data_part_len_arg; 638 639 for (part_offset = 0, part_count = 0; 640 part_offset < input_data->len; 641 part_offset += part_length, part_count++) { 642 if (do_zero_parts && (part_count & 0x01)) { 643 part_length = 0; 644 } else if ((input_data->len - part_offset) < data_part_len) { 645 part_length = (input_data->len - part_offset); 646 } else { 647 part_length = data_part_len; 648 } 649 650 PSA_ASSERT(psa_mac_update(&operation, 651 (input_data->x + part_offset), 652 part_length)); 653 } 654 } else { 655 /* Pass all data in one go. */ 656 PSA_ASSERT(psa_mac_update(&operation, input_data->x, 657 input_data->len)); 658 } 659 660 if (is_verify) { 661 PSA_ASSERT(psa_mac_verify_finish(&operation, expected_output->x, 662 expected_output->len)); 663 } else { 664 PSA_ASSERT(psa_mac_sign_finish(&operation, mac, 665 PSA_MAC_MAX_SIZE, &mac_len)); 666 667 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len, 668 mac, mac_len); 669 } 670 671 test_ok = 1; 672 673exit: 674 psa_destroy_key(key); 675 psa_mac_abort(&operation); 676 PSA_DONE(); 677 678 return test_ok; 679} 680 681#if defined(PSA_WANT_ALG_JPAKE) 682static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, 683 psa_pake_operation_t *server, 684 psa_pake_operation_t *client, 685 int client_input_first, 686 int round, int inject_error) 687{ 688 unsigned char *buffer0 = NULL, *buffer1 = NULL; 689 size_t buffer_length = ( 690 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE) + 691 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC) + 692 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF)) * 2; 693 /* The output should be exactly this size according to the spec */ 694 const size_t expected_size_key_share = 695 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE); 696 /* The output should be exactly this size according to the spec */ 697 const size_t expected_size_zk_public = 698 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC); 699 /* The output can be smaller: the spec allows stripping leading zeroes */ 700 const size_t max_expected_size_zk_proof = 701 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF); 702 size_t buffer0_off = 0; 703 size_t buffer1_off = 0; 704 size_t s_g1_len, s_g2_len, s_a_len; 705 size_t s_g1_off, s_g2_off, s_a_off; 706 size_t s_x1_pk_len, s_x2_pk_len, s_x2s_pk_len; 707 size_t s_x1_pk_off, s_x2_pk_off, s_x2s_pk_off; 708 size_t s_x1_pr_len, s_x2_pr_len, s_x2s_pr_len; 709 size_t s_x1_pr_off, s_x2_pr_off, s_x2s_pr_off; 710 size_t c_g1_len, c_g2_len, c_a_len; 711 size_t c_g1_off, c_g2_off, c_a_off; 712 size_t c_x1_pk_len, c_x2_pk_len, c_x2s_pk_len; 713 size_t c_x1_pk_off, c_x2_pk_off, c_x2s_pk_off; 714 size_t c_x1_pr_len, c_x2_pr_len, c_x2s_pr_len; 715 size_t c_x1_pr_off, c_x2_pr_off, c_x2s_pr_off; 716 psa_status_t expected_status = PSA_SUCCESS; 717 psa_status_t status; 718 719 TEST_CALLOC(buffer0, buffer_length); 720 TEST_CALLOC(buffer1, buffer_length); 721 722 switch (round) { 723 case 1: 724 /* Server first round Output */ 725 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 726 buffer0 + buffer0_off, 727 buffer_length - buffer0_off, &s_g1_len)); 728 TEST_EQUAL(s_g1_len, expected_size_key_share); 729 s_g1_off = buffer0_off; 730 buffer0_off += s_g1_len; 731 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, 732 buffer0 + buffer0_off, 733 buffer_length - buffer0_off, &s_x1_pk_len)); 734 TEST_EQUAL(s_x1_pk_len, expected_size_zk_public); 735 s_x1_pk_off = buffer0_off; 736 buffer0_off += s_x1_pk_len; 737 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, 738 buffer0 + buffer0_off, 739 buffer_length - buffer0_off, &s_x1_pr_len)); 740 TEST_LE_U(s_x1_pr_len, max_expected_size_zk_proof); 741 s_x1_pr_off = buffer0_off; 742 buffer0_off += s_x1_pr_len; 743 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 744 buffer0 + buffer0_off, 745 buffer_length - buffer0_off, &s_g2_len)); 746 TEST_EQUAL(s_g2_len, expected_size_key_share); 747 s_g2_off = buffer0_off; 748 buffer0_off += s_g2_len; 749 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, 750 buffer0 + buffer0_off, 751 buffer_length - buffer0_off, &s_x2_pk_len)); 752 TEST_EQUAL(s_x2_pk_len, expected_size_zk_public); 753 s_x2_pk_off = buffer0_off; 754 buffer0_off += s_x2_pk_len; 755 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, 756 buffer0 + buffer0_off, 757 buffer_length - buffer0_off, &s_x2_pr_len)); 758 TEST_LE_U(s_x2_pr_len, max_expected_size_zk_proof); 759 s_x2_pr_off = buffer0_off; 760 buffer0_off += s_x2_pr_len; 761 762 if (inject_error == 1) { 763 buffer0[s_x1_pr_off + 8] ^= 1; 764 buffer0[s_x2_pr_off + 7] ^= 1; 765 expected_status = PSA_ERROR_DATA_INVALID; 766 } 767 768 /* 769 * When injecting errors in inputs, the implementation is 770 * free to detect it right away of with a delay. 771 * This permits delaying the error until the end of the input 772 * sequence, if no error appears then, this will be treated 773 * as an error. 774 */ 775 776 if (client_input_first == 1) { 777 /* Client first round Input */ 778 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 779 buffer0 + s_g1_off, s_g1_len); 780 if (inject_error == 1 && status != PSA_SUCCESS) { 781 TEST_EQUAL(status, expected_status); 782 break; 783 } else { 784 TEST_EQUAL(status, PSA_SUCCESS); 785 } 786 787 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 788 buffer0 + s_x1_pk_off, 789 s_x1_pk_len); 790 if (inject_error == 1 && status != PSA_SUCCESS) { 791 TEST_EQUAL(status, expected_status); 792 break; 793 } else { 794 TEST_EQUAL(status, PSA_SUCCESS); 795 } 796 797 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 798 buffer0 + s_x1_pr_off, 799 s_x1_pr_len); 800 if (inject_error == 1 && status != PSA_SUCCESS) { 801 TEST_EQUAL(status, expected_status); 802 break; 803 } else { 804 TEST_EQUAL(status, PSA_SUCCESS); 805 } 806 807 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 808 buffer0 + s_g2_off, 809 s_g2_len); 810 if (inject_error == 1 && status != PSA_SUCCESS) { 811 TEST_EQUAL(status, expected_status); 812 break; 813 } else { 814 TEST_EQUAL(status, PSA_SUCCESS); 815 } 816 817 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 818 buffer0 + s_x2_pk_off, 819 s_x2_pk_len); 820 if (inject_error == 1 && status != PSA_SUCCESS) { 821 TEST_EQUAL(status, expected_status); 822 break; 823 } else { 824 TEST_EQUAL(status, PSA_SUCCESS); 825 } 826 827 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 828 buffer0 + s_x2_pr_off, 829 s_x2_pr_len); 830 if (inject_error == 1 && status != PSA_SUCCESS) { 831 TEST_EQUAL(status, expected_status); 832 break; 833 } else { 834 TEST_EQUAL(status, PSA_SUCCESS); 835 } 836 837 /* Error didn't trigger, make test fail */ 838 if (inject_error == 1) { 839 TEST_ASSERT( 840 !"One of the last psa_pake_input() calls should have returned the expected error."); 841 } 842 } 843 844 /* Client first round Output */ 845 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 846 buffer1 + buffer1_off, 847 buffer_length - buffer1_off, &c_g1_len)); 848 TEST_EQUAL(c_g1_len, expected_size_key_share); 849 c_g1_off = buffer1_off; 850 buffer1_off += c_g1_len; 851 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, 852 buffer1 + buffer1_off, 853 buffer_length - buffer1_off, &c_x1_pk_len)); 854 TEST_EQUAL(c_x1_pk_len, expected_size_zk_public); 855 c_x1_pk_off = buffer1_off; 856 buffer1_off += c_x1_pk_len; 857 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, 858 buffer1 + buffer1_off, 859 buffer_length - buffer1_off, &c_x1_pr_len)); 860 TEST_LE_U(c_x1_pr_len, max_expected_size_zk_proof); 861 c_x1_pr_off = buffer1_off; 862 buffer1_off += c_x1_pr_len; 863 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 864 buffer1 + buffer1_off, 865 buffer_length - buffer1_off, &c_g2_len)); 866 TEST_EQUAL(c_g2_len, expected_size_key_share); 867 c_g2_off = buffer1_off; 868 buffer1_off += c_g2_len; 869 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, 870 buffer1 + buffer1_off, 871 buffer_length - buffer1_off, &c_x2_pk_len)); 872 TEST_EQUAL(c_x2_pk_len, expected_size_zk_public); 873 c_x2_pk_off = buffer1_off; 874 buffer1_off += c_x2_pk_len; 875 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, 876 buffer1 + buffer1_off, 877 buffer_length - buffer1_off, &c_x2_pr_len)); 878 TEST_LE_U(c_x2_pr_len, max_expected_size_zk_proof); 879 c_x2_pr_off = buffer1_off; 880 buffer1_off += c_x2_pr_len; 881 882 if (client_input_first == 0) { 883 /* Client first round Input */ 884 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 885 buffer0 + s_g1_off, s_g1_len); 886 if (inject_error == 1 && status != PSA_SUCCESS) { 887 TEST_EQUAL(status, expected_status); 888 break; 889 } else { 890 TEST_EQUAL(status, PSA_SUCCESS); 891 } 892 893 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 894 buffer0 + s_x1_pk_off, 895 s_x1_pk_len); 896 if (inject_error == 1 && status != PSA_SUCCESS) { 897 TEST_EQUAL(status, expected_status); 898 break; 899 } else { 900 TEST_EQUAL(status, PSA_SUCCESS); 901 } 902 903 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 904 buffer0 + s_x1_pr_off, 905 s_x1_pr_len); 906 if (inject_error == 1 && status != PSA_SUCCESS) { 907 TEST_EQUAL(status, expected_status); 908 break; 909 } else { 910 TEST_EQUAL(status, PSA_SUCCESS); 911 } 912 913 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 914 buffer0 + s_g2_off, 915 s_g2_len); 916 if (inject_error == 1 && status != PSA_SUCCESS) { 917 TEST_EQUAL(status, expected_status); 918 break; 919 } else { 920 TEST_EQUAL(status, PSA_SUCCESS); 921 } 922 923 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 924 buffer0 + s_x2_pk_off, 925 s_x2_pk_len); 926 if (inject_error == 1 && status != PSA_SUCCESS) { 927 TEST_EQUAL(status, expected_status); 928 break; 929 } else { 930 TEST_EQUAL(status, PSA_SUCCESS); 931 } 932 933 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 934 buffer0 + s_x2_pr_off, 935 s_x2_pr_len); 936 if (inject_error == 1 && status != PSA_SUCCESS) { 937 TEST_EQUAL(status, expected_status); 938 break; 939 } else { 940 TEST_EQUAL(status, PSA_SUCCESS); 941 } 942 943 /* Error didn't trigger, make test fail */ 944 if (inject_error == 1) { 945 TEST_ASSERT( 946 !"One of the last psa_pake_input() calls should have returned the expected error."); 947 } 948 } 949 950 if (inject_error == 2) { 951 buffer1[c_x1_pr_off + 12] ^= 1; 952 buffer1[c_x2_pr_off + 7] ^= 1; 953 expected_status = PSA_ERROR_DATA_INVALID; 954 } 955 956 /* Server first round Input */ 957 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 958 buffer1 + c_g1_off, c_g1_len); 959 if (inject_error == 2 && status != PSA_SUCCESS) { 960 TEST_EQUAL(status, expected_status); 961 break; 962 } else { 963 TEST_EQUAL(status, PSA_SUCCESS); 964 } 965 966 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, 967 buffer1 + c_x1_pk_off, c_x1_pk_len); 968 if (inject_error == 2 && status != PSA_SUCCESS) { 969 TEST_EQUAL(status, expected_status); 970 break; 971 } else { 972 TEST_EQUAL(status, PSA_SUCCESS); 973 } 974 975 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, 976 buffer1 + c_x1_pr_off, c_x1_pr_len); 977 if (inject_error == 2 && status != PSA_SUCCESS) { 978 TEST_EQUAL(status, expected_status); 979 break; 980 } else { 981 TEST_EQUAL(status, PSA_SUCCESS); 982 } 983 984 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 985 buffer1 + c_g2_off, c_g2_len); 986 if (inject_error == 2 && status != PSA_SUCCESS) { 987 TEST_EQUAL(status, expected_status); 988 break; 989 } else { 990 TEST_EQUAL(status, PSA_SUCCESS); 991 } 992 993 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, 994 buffer1 + c_x2_pk_off, c_x2_pk_len); 995 if (inject_error == 2 && status != PSA_SUCCESS) { 996 TEST_EQUAL(status, expected_status); 997 break; 998 } else { 999 TEST_EQUAL(status, PSA_SUCCESS); 1000 } 1001 1002 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, 1003 buffer1 + c_x2_pr_off, c_x2_pr_len); 1004 if (inject_error == 2 && status != PSA_SUCCESS) { 1005 TEST_EQUAL(status, expected_status); 1006 break; 1007 } else { 1008 TEST_EQUAL(status, PSA_SUCCESS); 1009 } 1010 1011 /* Error didn't trigger, make test fail */ 1012 if (inject_error == 2) { 1013 TEST_ASSERT( 1014 !"One of the last psa_pake_input() calls should have returned the expected error."); 1015 } 1016 1017 break; 1018 1019 case 2: 1020 /* Server second round Output */ 1021 buffer0_off = 0; 1022 1023 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 1024 buffer0 + buffer0_off, 1025 buffer_length - buffer0_off, &s_a_len)); 1026 TEST_EQUAL(s_a_len, expected_size_key_share); 1027 s_a_off = buffer0_off; 1028 buffer0_off += s_a_len; 1029 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, 1030 buffer0 + buffer0_off, 1031 buffer_length - buffer0_off, &s_x2s_pk_len)); 1032 TEST_EQUAL(s_x2s_pk_len, expected_size_zk_public); 1033 s_x2s_pk_off = buffer0_off; 1034 buffer0_off += s_x2s_pk_len; 1035 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, 1036 buffer0 + buffer0_off, 1037 buffer_length - buffer0_off, &s_x2s_pr_len)); 1038 TEST_LE_U(s_x2s_pr_len, max_expected_size_zk_proof); 1039 s_x2s_pr_off = buffer0_off; 1040 buffer0_off += s_x2s_pr_len; 1041 1042 if (inject_error == 3) { 1043 buffer0[s_x2s_pk_off + 12] += 0x33; 1044 expected_status = PSA_ERROR_DATA_INVALID; 1045 } 1046 1047 if (client_input_first == 1) { 1048 /* Client second round Input */ 1049 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 1050 buffer0 + s_a_off, s_a_len); 1051 if (inject_error == 3 && status != PSA_SUCCESS) { 1052 TEST_EQUAL(status, expected_status); 1053 break; 1054 } else { 1055 TEST_EQUAL(status, PSA_SUCCESS); 1056 } 1057 1058 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 1059 buffer0 + s_x2s_pk_off, 1060 s_x2s_pk_len); 1061 if (inject_error == 3 && status != PSA_SUCCESS) { 1062 TEST_EQUAL(status, expected_status); 1063 break; 1064 } else { 1065 TEST_EQUAL(status, PSA_SUCCESS); 1066 } 1067 1068 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 1069 buffer0 + s_x2s_pr_off, 1070 s_x2s_pr_len); 1071 if (inject_error == 3 && status != PSA_SUCCESS) { 1072 TEST_EQUAL(status, expected_status); 1073 break; 1074 } else { 1075 TEST_EQUAL(status, PSA_SUCCESS); 1076 } 1077 1078 /* Error didn't trigger, make test fail */ 1079 if (inject_error == 3) { 1080 TEST_ASSERT( 1081 !"One of the last psa_pake_input() calls should have returned the expected error."); 1082 } 1083 } 1084 1085 /* Client second round Output */ 1086 buffer1_off = 0; 1087 1088 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 1089 buffer1 + buffer1_off, 1090 buffer_length - buffer1_off, &c_a_len)); 1091 TEST_EQUAL(c_a_len, expected_size_key_share); 1092 c_a_off = buffer1_off; 1093 buffer1_off += c_a_len; 1094 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, 1095 buffer1 + buffer1_off, 1096 buffer_length - buffer1_off, &c_x2s_pk_len)); 1097 TEST_EQUAL(c_x2s_pk_len, expected_size_zk_public); 1098 c_x2s_pk_off = buffer1_off; 1099 buffer1_off += c_x2s_pk_len; 1100 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, 1101 buffer1 + buffer1_off, 1102 buffer_length - buffer1_off, &c_x2s_pr_len)); 1103 TEST_LE_U(c_x2s_pr_len, max_expected_size_zk_proof); 1104 c_x2s_pr_off = buffer1_off; 1105 buffer1_off += c_x2s_pr_len; 1106 1107 if (client_input_first == 0) { 1108 /* Client second round Input */ 1109 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 1110 buffer0 + s_a_off, s_a_len); 1111 if (inject_error == 3 && status != PSA_SUCCESS) { 1112 TEST_EQUAL(status, expected_status); 1113 break; 1114 } else { 1115 TEST_EQUAL(status, PSA_SUCCESS); 1116 } 1117 1118 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 1119 buffer0 + s_x2s_pk_off, 1120 s_x2s_pk_len); 1121 if (inject_error == 3 && status != PSA_SUCCESS) { 1122 TEST_EQUAL(status, expected_status); 1123 break; 1124 } else { 1125 TEST_EQUAL(status, PSA_SUCCESS); 1126 } 1127 1128 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 1129 buffer0 + s_x2s_pr_off, 1130 s_x2s_pr_len); 1131 if (inject_error == 3 && status != PSA_SUCCESS) { 1132 TEST_EQUAL(status, expected_status); 1133 break; 1134 } else { 1135 TEST_EQUAL(status, PSA_SUCCESS); 1136 } 1137 1138 /* Error didn't trigger, make test fail */ 1139 if (inject_error == 3) { 1140 TEST_ASSERT( 1141 !"One of the last psa_pake_input() calls should have returned the expected error."); 1142 } 1143 } 1144 1145 if (inject_error == 4) { 1146 buffer1[c_x2s_pk_off + 7] += 0x28; 1147 expected_status = PSA_ERROR_DATA_INVALID; 1148 } 1149 1150 /* Server second round Input */ 1151 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 1152 buffer1 + c_a_off, c_a_len); 1153 if (inject_error == 4 && status != PSA_SUCCESS) { 1154 TEST_EQUAL(status, expected_status); 1155 break; 1156 } else { 1157 TEST_EQUAL(status, PSA_SUCCESS); 1158 } 1159 1160 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, 1161 buffer1 + c_x2s_pk_off, c_x2s_pk_len); 1162 if (inject_error == 4 && status != PSA_SUCCESS) { 1163 TEST_EQUAL(status, expected_status); 1164 break; 1165 } else { 1166 TEST_EQUAL(status, PSA_SUCCESS); 1167 } 1168 1169 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, 1170 buffer1 + c_x2s_pr_off, c_x2s_pr_len); 1171 if (inject_error == 4 && status != PSA_SUCCESS) { 1172 TEST_EQUAL(status, expected_status); 1173 break; 1174 } else { 1175 TEST_EQUAL(status, PSA_SUCCESS); 1176 } 1177 1178 /* Error didn't trigger, make test fail */ 1179 if (inject_error == 4) { 1180 TEST_ASSERT( 1181 !"One of the last psa_pake_input() calls should have returned the expected error."); 1182 } 1183 1184 break; 1185 1186 } 1187 1188exit: 1189 mbedtls_free(buffer0); 1190 mbedtls_free(buffer1); 1191} 1192#endif /* PSA_WANT_ALG_JPAKE */ 1193 1194typedef enum { 1195 INJECT_ERR_NONE = 0, 1196 INJECT_ERR_UNINITIALIZED_ACCESS, 1197 INJECT_ERR_DUPLICATE_SETUP, 1198 INJECT_ERR_INVALID_USER, 1199 INJECT_ERR_INVALID_PEER, 1200 INJECT_ERR_SET_USER, 1201 INJECT_ERR_SET_PEER, 1202 INJECT_EMPTY_IO_BUFFER, 1203 INJECT_UNKNOWN_STEP, 1204 INJECT_INVALID_FIRST_STEP, 1205 INJECT_WRONG_BUFFER_SIZE, 1206 INJECT_VALID_OPERATION_AFTER_FAILURE, 1207 INJECT_ANTICIPATE_KEY_DERIVATION_1, 1208 INJECT_ANTICIPATE_KEY_DERIVATION_2, 1209} ecjpake_injected_failure_t; 1210 1211#if defined(MBEDTLS_ECP_RESTARTABLE) 1212 1213static void interruptible_signverify_get_minmax_completes(uint32_t max_ops, 1214 psa_status_t expected_status, 1215 size_t *min_completes, 1216 size_t *max_completes) 1217{ 1218 1219 /* This is slightly contrived, but we only really know that with a minimum 1220 value of max_ops that a successful operation should take more than one op 1221 to complete, and likewise that with a max_ops of 1222 PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, it should complete in one go. */ 1223 if (max_ops == 0 || max_ops == 1) { 1224 1225 if (expected_status == PSA_SUCCESS) { 1226 *min_completes = 2; 1227 } else { 1228 *min_completes = 1; 1229 } 1230 1231 *max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; 1232 } else { 1233 *min_completes = 1; 1234 *max_completes = 1; 1235 } 1236} 1237#endif /* MBEDTLS_ECP_RESTARTABLE */ 1238 1239#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) 1240static int rsa_test_e(mbedtls_svc_key_id_t key, 1241 size_t bits, 1242 const data_t *e_arg) 1243{ 1244 uint8_t *exported = NULL; 1245 size_t exported_size = 1246 PSA_EXPORT_KEY_OUTPUT_SIZE(PSA_KEY_TYPE_RSA_PUBLIC_KEY, bits); 1247 size_t exported_length = SIZE_MAX; 1248 int ok = 0; 1249 1250 TEST_CALLOC(exported, exported_size); 1251 PSA_ASSERT(psa_export_public_key(key, 1252 exported, exported_size, 1253 &exported_length)); 1254 uint8_t *p = exported; 1255 uint8_t *end = exported + exported_length; 1256 size_t len; 1257 /* RSAPublicKey ::= SEQUENCE { 1258 * modulus INTEGER, -- n 1259 * publicExponent INTEGER } -- e 1260 */ 1261 TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len, 1262 MBEDTLS_ASN1_SEQUENCE | 1263 MBEDTLS_ASN1_CONSTRUCTED)); 1264 TEST_ASSERT(mbedtls_test_asn1_skip_integer(&p, end, bits, bits, 1)); 1265 TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len, 1266 MBEDTLS_ASN1_INTEGER)); 1267 if (len >= 1 && p[0] == 0) { 1268 ++p; 1269 --len; 1270 } 1271 if (e_arg->len == 0) { 1272 TEST_EQUAL(len, 3); 1273 TEST_EQUAL(p[0], 1); 1274 TEST_EQUAL(p[1], 0); 1275 TEST_EQUAL(p[2], 1); 1276 } else { 1277 const uint8_t *expected = e_arg->x; 1278 size_t expected_len = e_arg->len; 1279 while (expected_len > 0 && *expected == 0) { 1280 ++expected; 1281 --expected_len; 1282 } 1283 TEST_MEMORY_COMPARE(p, len, expected, expected_len); 1284 } 1285 ok = 1; 1286 1287exit: 1288 mbedtls_free(exported); 1289 return ok; 1290} 1291#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE */ 1292 1293static int setup_key_production_parameters( 1294 psa_key_production_parameters_t **params, size_t *params_data_length, 1295 int flags_arg, const data_t *params_data) 1296{ 1297 *params_data_length = params_data->len; 1298 /* If there are N bytes of padding at the end of 1299 * psa_key_production_parameters_t, then it's enough to allocate 1300 * MIN(sizeof(psa_key_production_parameters_t), 1301 * offsetof(psa_key_production_parameters_t, data) + params_data_length). 1302 * 1303 * For simplicity, here, we allocate up to N more bytes than necessary. 1304 * In practice, the current layout of psa_key_production_parameters_t 1305 * makes padding extremely unlikely, so we don't worry about testing 1306 * that the library code doesn't try to access these extra N bytes. 1307 */ 1308 *params = mbedtls_calloc(1, sizeof(**params) + *params_data_length); 1309 TEST_ASSERT(*params != NULL); 1310 (*params)->flags = (uint32_t) flags_arg; 1311 memcpy((*params)->data, params_data->x, params_data->len); 1312 return 1; 1313exit: 1314 return 0; 1315} 1316 1317#if defined(MBEDTLS_THREADING_PTHREAD) 1318 1319#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) 1320typedef struct same_key_context { 1321 data_t *data; 1322 mbedtls_svc_key_id_t key; 1323 psa_key_attributes_t *attributes; 1324 int type; 1325 int bits; 1326 /* The following two parameters are used to ensure that when multiple 1327 * threads attempt to load/destroy the key, exactly one thread succeeds. */ 1328 int key_loaded; 1329 mbedtls_threading_mutex_t MBEDTLS_PRIVATE(key_loaded_mutex); 1330} 1331same_key_context; 1332 1333/* Attempt to import the key in ctx. This handles any valid error codes 1334 * and reports an error for any invalid codes. This function also insures 1335 * that once imported by some thread, all threads can use the key. */ 1336static void *thread_import_key(void *ctx) 1337{ 1338 mbedtls_svc_key_id_t returned_key_id; 1339 same_key_context *skc = (struct same_key_context *) ctx; 1340 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 1341 1342 /* Import the key, exactly one thread must succeed. */ 1343 psa_status_t status = psa_import_key(skc->attributes, skc->data->x, 1344 skc->data->len, &returned_key_id); 1345 switch (status) { 1346 case PSA_SUCCESS: 1347 if (mbedtls_mutex_lock(&skc->key_loaded_mutex) == 0) { 1348 if (skc->key_loaded) { 1349 mbedtls_mutex_unlock(&skc->key_loaded_mutex); 1350 /* More than one thread has succeeded, report a failure. */ 1351 TEST_FAIL("The same key has been loaded into the key store multiple times."); 1352 } 1353 skc->key_loaded = 1; 1354 mbedtls_mutex_unlock(&skc->key_loaded_mutex); 1355 } 1356 break; 1357 case PSA_ERROR_INSUFFICIENT_MEMORY: 1358 /* If all of the key slots are reserved when a thread 1359 * locks the mutex to reserve a new slot, it will return 1360 * PSA_ERROR_INSUFFICIENT_MEMORY; this is correct behaviour. 1361 * There is a chance for this to occur here when the number of 1362 * threads running this function is larger than the number of 1363 * free key slots. Each thread reserves an empty key slot, 1364 * unlocks the mutex, then relocks it to finalize key creation. 1365 * It is at that point where the thread sees that the key 1366 * already exists, releases the reserved slot, 1367 * and returns PSA_ERROR_ALREADY_EXISTS. 1368 * There is no guarantee that the key is loaded upon this return 1369 * code, so we can't test the key information. Just stop this 1370 * thread from executing, note that this is not an error. */ 1371 goto exit; 1372 break; 1373 case PSA_ERROR_ALREADY_EXISTS: 1374 /* The key has been loaded by a different thread. */ 1375 break; 1376 default: 1377 PSA_ASSERT(status); 1378 } 1379 /* At this point the key must exist, test the key information. */ 1380 status = psa_get_key_attributes(skc->key, &got_attributes); 1381 if (status == PSA_ERROR_INSUFFICIENT_MEMORY) { 1382 /* This is not a test failure. The following sequence of events 1383 * causes this to occur: 1384 * 1: This thread successfuly imports a persistent key skc->key. 1385 * 2: N threads reserve an empty key slot in psa_import_key, 1386 * where N is equal to the number of free key slots. 1387 * 3: A final thread attempts to reserve an empty key slot, kicking 1388 * skc->key (which has no registered readers) out of its slot. 1389 * 4: This thread calls psa_get_key_attributes(skc->key,...): 1390 * it sees that skc->key is not in a slot, attempts to load it and 1391 * finds that there are no free slots. 1392 * This thread returns PSA_ERROR_INSUFFICIENT_MEMORY. 1393 * 1394 * The PSA spec allows this behaviour, it is an unavoidable consequence 1395 * of allowing persistent keys to be kicked out of the key store while 1396 * they are still valid. */ 1397 goto exit; 1398 } 1399 PSA_ASSERT(status); 1400 TEST_EQUAL(psa_get_key_type(&got_attributes), skc->type); 1401 TEST_EQUAL(psa_get_key_bits(&got_attributes), skc->bits); 1402 1403exit: 1404 /* Key attributes may have been returned by psa_get_key_attributes(), 1405 * reset them as required. */ 1406 psa_reset_key_attributes(&got_attributes); 1407 return NULL; 1408} 1409 1410static void *thread_use_and_destroy_key(void *ctx) 1411{ 1412 same_key_context *skc = (struct same_key_context *) ctx; 1413 1414 /* Do something with the key according 1415 * to its type and permitted usage. */ 1416 TEST_ASSERT(mbedtls_test_psa_exercise_key(skc->key, 1417 skc->attributes->policy.usage, 1418 skc->attributes->policy.alg, 1)); 1419 1420 psa_status_t status = psa_destroy_key(skc->key); 1421 if (status == PSA_SUCCESS) { 1422 if (mbedtls_mutex_lock(&skc->key_loaded_mutex) == 0) { 1423 /* Ensure that we are the only thread to succeed. */ 1424 if (skc->key_loaded != 1) { 1425 mbedtls_mutex_unlock(&skc->key_loaded_mutex); 1426 TEST_FAIL("The same key has been destroyed multiple times."); 1427 } 1428 skc->key_loaded = 0; 1429 mbedtls_mutex_unlock(&skc->key_loaded_mutex); 1430 } 1431 } else { 1432 TEST_EQUAL(status, PSA_ERROR_INVALID_HANDLE); 1433 } 1434 1435exit: 1436 return NULL; 1437} 1438#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */ 1439 1440typedef struct generate_key_context { 1441 psa_key_type_t type; 1442 psa_key_usage_t usage; 1443 size_t bits; 1444 psa_algorithm_t alg; 1445 psa_status_t expected_status; 1446 psa_key_attributes_t *attributes; 1447 int is_large_key; 1448 int reps; 1449} 1450generate_key_context; 1451static void *thread_generate_key(void *ctx) 1452{ 1453 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1454 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 1455 generate_key_context *gkc = (struct generate_key_context *) ctx; 1456 1457 /* If there are race conditions, it is likely the case that they do not 1458 * arise every time the code runs. We repeat the code to increase the 1459 * chance that any race conditions will be hit. */ 1460 for (int n = 0; n < gkc->reps; n++) { 1461 /* Generate a key */ 1462 psa_status_t status = psa_generate_key(gkc->attributes, &key); 1463 1464 if (gkc->is_large_key > 0) { 1465 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY); 1466 } 1467 1468 TEST_EQUAL(status, gkc->expected_status); 1469 if (gkc->expected_status != PSA_SUCCESS) { 1470 PSA_ASSERT(psa_destroy_key(key)); 1471 goto exit; 1472 } 1473 1474 /* Test the key information */ 1475 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 1476 TEST_EQUAL(psa_get_key_type(&got_attributes), gkc->type); 1477 TEST_EQUAL(psa_get_key_bits(&got_attributes), gkc->bits); 1478 1479 /* Do something with the key according 1480 * to its type and permitted usage. */ 1481 if (!mbedtls_test_psa_exercise_key(key, gkc->usage, gkc->alg, 0)) { 1482 psa_destroy_key(key); 1483 goto exit; 1484 } 1485 psa_reset_key_attributes(&got_attributes); 1486 1487 PSA_ASSERT(psa_destroy_key(key)); 1488 } 1489exit: 1490 /* 1491 * Key attributes may have been returned by psa_get_key_attributes() 1492 * thus reset them as required. 1493 */ 1494 psa_reset_key_attributes(&got_attributes); 1495 return NULL; 1496} 1497#endif /* MBEDTLS_THREADING_PTHREAD */ 1498 1499/* END_HEADER */ 1500 1501/* BEGIN_DEPENDENCIES 1502 * depends_on:MBEDTLS_PSA_CRYPTO_C 1503 * END_DEPENDENCIES 1504 */ 1505 1506/* BEGIN_CASE */ 1507void psa_can_do_hash() 1508{ 1509 /* We can't test that this is specific to drivers until partial init has 1510 * been implemented, but we can at least test before/after full init. */ 1511 TEST_EQUAL(0, psa_can_do_hash(PSA_ALG_NONE)); 1512 PSA_INIT(); 1513 TEST_EQUAL(1, psa_can_do_hash(PSA_ALG_NONE)); 1514 PSA_DONE(); 1515} 1516/* END_CASE */ 1517 1518/* BEGIN_CASE */ 1519void static_checks() 1520{ 1521 size_t max_truncated_mac_size = 1522 PSA_ALG_MAC_TRUNCATION_MASK >> PSA_MAC_TRUNCATION_OFFSET; 1523 1524 /* Check that the length for a truncated MAC always fits in the algorithm 1525 * encoding. The shifted mask is the maximum truncated value. The 1526 * untruncated algorithm may be one byte larger. */ 1527 TEST_LE_U(PSA_MAC_MAX_SIZE, 1 + max_truncated_mac_size); 1528} 1529/* END_CASE */ 1530 1531/* BEGIN_CASE */ 1532void import_with_policy(int type_arg, 1533 int usage_arg, int alg_arg, 1534 int expected_status_arg) 1535{ 1536 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1537 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 1538 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1539 psa_key_type_t type = type_arg; 1540 psa_key_usage_t usage = usage_arg; 1541 psa_algorithm_t alg = alg_arg; 1542 psa_status_t expected_status = expected_status_arg; 1543 const uint8_t key_material[16] = { 0 }; 1544 psa_status_t status; 1545 1546 PSA_ASSERT(psa_crypto_init()); 1547 1548 psa_set_key_type(&attributes, type); 1549 psa_set_key_usage_flags(&attributes, usage); 1550 psa_set_key_algorithm(&attributes, alg); 1551 1552 status = psa_import_key(&attributes, 1553 key_material, sizeof(key_material), 1554 &key); 1555 TEST_EQUAL(status, expected_status); 1556 if (status != PSA_SUCCESS) { 1557 goto exit; 1558 } 1559 1560 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 1561 TEST_EQUAL(psa_get_key_type(&got_attributes), type); 1562 TEST_EQUAL(psa_get_key_usage_flags(&got_attributes), 1563 mbedtls_test_update_key_usage_flags(usage)); 1564 TEST_EQUAL(psa_get_key_algorithm(&got_attributes), alg); 1565 ASSERT_NO_SLOT_NUMBER(&got_attributes); 1566 1567 PSA_ASSERT(psa_destroy_key(key)); 1568 test_operations_on_invalid_key(key); 1569 1570exit: 1571 /* 1572 * Key attributes may have been returned by psa_get_key_attributes() 1573 * thus reset them as required. 1574 */ 1575 psa_reset_key_attributes(&got_attributes); 1576 1577 psa_destroy_key(key); 1578 PSA_DONE(); 1579} 1580/* END_CASE */ 1581 1582/* BEGIN_CASE */ 1583void import_with_data(data_t *data, int type_arg, 1584 int attr_bits_arg, 1585 int expected_status_arg) 1586{ 1587 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1588 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 1589 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1590 psa_key_type_t type = type_arg; 1591 size_t attr_bits = attr_bits_arg; 1592 psa_status_t expected_status = expected_status_arg; 1593 psa_status_t status; 1594 1595 PSA_ASSERT(psa_crypto_init()); 1596 1597 psa_set_key_type(&attributes, type); 1598 psa_set_key_bits(&attributes, attr_bits); 1599 1600 status = psa_import_key(&attributes, data->x, data->len, &key); 1601 /* When expecting INVALID_ARGUMENT, also accept NOT_SUPPORTED. 1602 * 1603 * This can happen with a type supported only by a driver: 1604 * - the driver sees the invalid data (for example wrong size) and thinks 1605 * "well perhaps this is a key size I don't support" so it returns 1606 * NOT_SUPPORTED which is correct at this point; 1607 * - we fallback to built-ins, which don't support this type, so return 1608 * NOT_SUPPORTED which again is correct at this point. 1609 */ 1610 if (expected_status == PSA_ERROR_INVALID_ARGUMENT && 1611 status == PSA_ERROR_NOT_SUPPORTED) { 1612 ; // OK 1613 } else { 1614 TEST_EQUAL(status, expected_status); 1615 } 1616 if (status != PSA_SUCCESS) { 1617 goto exit; 1618 } 1619 1620 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 1621 TEST_EQUAL(psa_get_key_type(&got_attributes), type); 1622 if (attr_bits != 0) { 1623 TEST_EQUAL(attr_bits, psa_get_key_bits(&got_attributes)); 1624 } 1625 ASSERT_NO_SLOT_NUMBER(&got_attributes); 1626 1627 PSA_ASSERT(psa_destroy_key(key)); 1628 test_operations_on_invalid_key(key); 1629 1630exit: 1631 /* 1632 * Key attributes may have been returned by psa_get_key_attributes() 1633 * thus reset them as required. 1634 */ 1635 psa_reset_key_attributes(&got_attributes); 1636 1637 psa_destroy_key(key); 1638 PSA_DONE(); 1639} 1640/* END_CASE */ 1641 1642/* BEGIN_CASE */ 1643/* Construct and attempt to import a large unstructured key. */ 1644void import_large_key(int type_arg, int byte_size_arg, 1645 int expected_status_arg) 1646{ 1647 psa_key_type_t type = type_arg; 1648 size_t byte_size = byte_size_arg; 1649 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1650 psa_status_t expected_status = expected_status_arg; 1651 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1652 psa_status_t status; 1653 uint8_t *buffer = NULL; 1654 size_t buffer_size = byte_size + 1; 1655 size_t n; 1656 1657 /* Skip the test case if the target running the test cannot 1658 * accommodate large keys due to heap size constraints */ 1659 TEST_CALLOC_OR_SKIP(buffer, buffer_size); 1660 memset(buffer, 'K', byte_size); 1661 1662 PSA_ASSERT(psa_crypto_init()); 1663 1664 /* Try importing the key */ 1665 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT); 1666 psa_set_key_type(&attributes, type); 1667 status = psa_import_key(&attributes, buffer, byte_size, &key); 1668 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY); 1669 TEST_EQUAL(status, expected_status); 1670 1671 if (status == PSA_SUCCESS) { 1672 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 1673 TEST_EQUAL(psa_get_key_type(&attributes), type); 1674 TEST_EQUAL(psa_get_key_bits(&attributes), 1675 PSA_BYTES_TO_BITS(byte_size)); 1676 ASSERT_NO_SLOT_NUMBER(&attributes); 1677 memset(buffer, 0, byte_size + 1); 1678 PSA_ASSERT(psa_export_key(key, buffer, byte_size, &n)); 1679 for (n = 0; n < byte_size; n++) { 1680 TEST_EQUAL(buffer[n], 'K'); 1681 } 1682 for (n = byte_size; n < buffer_size; n++) { 1683 TEST_EQUAL(buffer[n], 0); 1684 } 1685 } 1686 1687exit: 1688 /* 1689 * Key attributes may have been returned by psa_get_key_attributes() 1690 * thus reset them as required. 1691 */ 1692 psa_reset_key_attributes(&attributes); 1693 1694 psa_destroy_key(key); 1695 PSA_DONE(); 1696 mbedtls_free(buffer); 1697} 1698/* END_CASE */ 1699 1700/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C */ 1701/* Import an RSA key with a valid structure (but not valid numbers 1702 * inside, beyond having sensible size and parity). This is expected to 1703 * fail for large keys. */ 1704void import_rsa_made_up(int bits_arg, int keypair, int expected_status_arg) 1705{ 1706 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1707 size_t bits = bits_arg; 1708 psa_status_t expected_status = expected_status_arg; 1709 psa_status_t status; 1710 psa_key_type_t type = 1711 keypair ? PSA_KEY_TYPE_RSA_KEY_PAIR : PSA_KEY_TYPE_RSA_PUBLIC_KEY; 1712 size_t buffer_size = /* Slight overapproximations */ 1713 keypair ? bits * 9 / 16 + 80 : bits / 8 + 20; 1714 unsigned char *buffer = NULL; 1715 unsigned char *p; 1716 int ret; 1717 size_t length; 1718 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1719 1720 PSA_ASSERT(psa_crypto_init()); 1721 TEST_CALLOC(buffer, buffer_size); 1722 1723 TEST_ASSERT((ret = construct_fake_rsa_key(buffer, buffer_size, &p, 1724 bits, keypair)) >= 0); 1725 length = ret; 1726 1727 /* Try importing the key */ 1728 psa_set_key_type(&attributes, type); 1729 status = psa_import_key(&attributes, p, length, &key); 1730 TEST_EQUAL(status, expected_status); 1731 1732 if (status == PSA_SUCCESS) { 1733 PSA_ASSERT(psa_destroy_key(key)); 1734 } 1735 1736exit: 1737 mbedtls_free(buffer); 1738 PSA_DONE(); 1739} 1740/* END_CASE */ 1741 1742/* BEGIN_CASE */ 1743void import_export(data_t *data, 1744 int type_arg, 1745 int usage_arg, int alg_arg, 1746 int lifetime_arg, 1747 int expected_bits, 1748 int export_size_delta, 1749 int expected_export_status_arg, 1750 /*whether reexport must give the original input exactly*/ 1751 int canonical_input) 1752{ 1753 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1754 psa_key_type_t type = type_arg; 1755 psa_algorithm_t alg = alg_arg; 1756 psa_status_t expected_export_status = expected_export_status_arg; 1757 psa_status_t status; 1758 psa_key_lifetime_t lifetime = lifetime_arg; 1759 unsigned char *exported = NULL; 1760 unsigned char *reexported = NULL; 1761 size_t export_size; 1762 size_t exported_length = INVALID_EXPORT_LENGTH; 1763 size_t reexported_length; 1764 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1765 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 1766 1767 export_size = (ptrdiff_t) data->len + export_size_delta; 1768 TEST_CALLOC(exported, export_size); 1769 if (!canonical_input) { 1770 TEST_CALLOC(reexported, export_size); 1771 } 1772 PSA_ASSERT(psa_crypto_init()); 1773 1774 psa_set_key_lifetime(&attributes, lifetime); 1775 psa_set_key_usage_flags(&attributes, usage_arg); 1776 psa_set_key_algorithm(&attributes, alg); 1777 psa_set_key_type(&attributes, type); 1778 1779 if (PSA_KEY_TYPE_IS_DH(type) && 1780 expected_export_status == PSA_ERROR_BUFFER_TOO_SMALL) { 1781 /* Simulate that buffer is too small, by decreasing its size by 1 byte. */ 1782 export_size -= 1; 1783 } 1784 1785 /* Import the key */ 1786 TEST_EQUAL(psa_import_key(&attributes, data->x, data->len, &key), 1787 PSA_SUCCESS); 1788 1789 /* Test the key information */ 1790 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 1791 TEST_EQUAL(psa_get_key_type(&got_attributes), type); 1792 TEST_EQUAL(psa_get_key_bits(&got_attributes), (size_t) expected_bits); 1793 ASSERT_NO_SLOT_NUMBER(&got_attributes); 1794 1795 /* Export the key */ 1796 status = psa_export_key(key, exported, export_size, &exported_length); 1797 TEST_EQUAL(status, expected_export_status); 1798 1799 /* The exported length must be set by psa_export_key() to a value between 0 1800 * and export_size. On errors, the exported length must be 0. */ 1801 TEST_ASSERT(exported_length != INVALID_EXPORT_LENGTH); 1802 TEST_ASSERT(status == PSA_SUCCESS || exported_length == 0); 1803 TEST_LE_U(exported_length, export_size); 1804 1805 TEST_ASSERT(mem_is_char(exported + exported_length, 0, 1806 export_size - exported_length)); 1807 if (status != PSA_SUCCESS) { 1808 TEST_EQUAL(exported_length, 0); 1809 goto destroy; 1810 } 1811 1812 /* Run sanity checks on the exported key. For non-canonical inputs, 1813 * this validates the canonical representations. For canonical inputs, 1814 * this doesn't directly validate the implementation, but it still helps 1815 * by cross-validating the test data with the sanity check code. */ 1816 if (!psa_key_lifetime_is_external(lifetime)) { 1817 if (!mbedtls_test_psa_exercise_key(key, usage_arg, 0, 0)) { 1818 goto exit; 1819 } 1820 } 1821 1822 if (canonical_input) { 1823 TEST_MEMORY_COMPARE(data->x, data->len, exported, exported_length); 1824 } else { 1825 mbedtls_svc_key_id_t key2 = MBEDTLS_SVC_KEY_ID_INIT; 1826 PSA_ASSERT(psa_import_key(&attributes, exported, exported_length, 1827 &key2)); 1828 PSA_ASSERT(psa_export_key(key2, 1829 reexported, 1830 export_size, 1831 &reexported_length)); 1832 TEST_MEMORY_COMPARE(exported, exported_length, 1833 reexported, reexported_length); 1834 PSA_ASSERT(psa_destroy_key(key2)); 1835 } 1836 TEST_LE_U(exported_length, 1837 PSA_EXPORT_KEY_OUTPUT_SIZE(type, 1838 psa_get_key_bits(&got_attributes))); 1839 if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) { 1840 TEST_LE_U(exported_length, PSA_EXPORT_KEY_PAIR_MAX_SIZE); 1841 } else if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) { 1842 TEST_LE_U(exported_length, PSA_EXPORT_PUBLIC_KEY_MAX_SIZE); 1843 } 1844 1845destroy: 1846 /* Destroy the key */ 1847 PSA_ASSERT(psa_destroy_key(key)); 1848 test_operations_on_invalid_key(key); 1849 1850exit: 1851 /* 1852 * Key attributes may have been returned by psa_get_key_attributes() 1853 * thus reset them as required. 1854 */ 1855 psa_reset_key_attributes(&got_attributes); 1856 psa_destroy_key(key); 1857 mbedtls_free(exported); 1858 mbedtls_free(reexported); 1859 PSA_DONE(); 1860} 1861/* END_CASE */ 1862 1863/* BEGIN_CASE */ 1864void import_export_public_key(data_t *data, 1865 int type_arg, // key pair or public key 1866 int alg_arg, 1867 int lifetime_arg, 1868 int export_size_delta, 1869 int expected_export_status_arg, 1870 data_t *expected_public_key) 1871{ 1872 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1873 psa_key_type_t type = type_arg; 1874 psa_algorithm_t alg = alg_arg; 1875 psa_status_t expected_export_status = expected_export_status_arg; 1876 psa_status_t status; 1877 psa_key_lifetime_t lifetime = lifetime_arg; 1878 unsigned char *exported = NULL; 1879 size_t export_size = expected_public_key->len + export_size_delta; 1880 size_t exported_length = INVALID_EXPORT_LENGTH; 1881 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1882 1883 PSA_ASSERT(psa_crypto_init()); 1884 1885 psa_set_key_lifetime(&attributes, lifetime); 1886 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT); 1887 psa_set_key_algorithm(&attributes, alg); 1888 psa_set_key_type(&attributes, type); 1889 1890 /* Import the key */ 1891 PSA_ASSERT(psa_import_key(&attributes, data->x, data->len, &key)); 1892 1893 /* Export the public key */ 1894 TEST_CALLOC(exported, export_size); 1895 status = psa_export_public_key(key, 1896 exported, export_size, 1897 &exported_length); 1898 TEST_EQUAL(status, expected_export_status); 1899 if (status == PSA_SUCCESS) { 1900 psa_key_type_t public_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type); 1901 size_t bits; 1902 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 1903 bits = psa_get_key_bits(&attributes); 1904 TEST_LE_U(expected_public_key->len, 1905 PSA_EXPORT_KEY_OUTPUT_SIZE(public_type, bits)); 1906 TEST_LE_U(expected_public_key->len, 1907 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(public_type, bits)); 1908 TEST_LE_U(expected_public_key->len, 1909 PSA_EXPORT_PUBLIC_KEY_MAX_SIZE); 1910 TEST_MEMORY_COMPARE(expected_public_key->x, expected_public_key->len, 1911 exported, exported_length); 1912 } 1913exit: 1914 /* 1915 * Key attributes may have been returned by psa_get_key_attributes() 1916 * thus reset them as required. 1917 */ 1918 psa_reset_key_attributes(&attributes); 1919 1920 mbedtls_free(exported); 1921 psa_destroy_key(key); 1922 PSA_DONE(); 1923} 1924/* END_CASE */ 1925 1926 1927#if defined(MBEDTLS_THREADING_PTHREAD) 1928/* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD:MBEDTLS_PSA_CRYPTO_STORAGE_C */ 1929void concurrently_use_same_persistent_key(data_t *data, 1930 int type_arg, 1931 int bits_arg, 1932 int alg_arg, 1933 int thread_count_arg) 1934{ 1935 size_t thread_count = (size_t) thread_count_arg; 1936 mbedtls_test_thread_t *threads = NULL; 1937 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, 1); 1938 same_key_context skc; 1939 skc.data = data; 1940 skc.key = key_id; 1941 skc.type = type_arg; 1942 skc.bits = bits_arg; 1943 skc.key_loaded = 0; 1944 mbedtls_mutex_init(&skc.key_loaded_mutex); 1945 psa_key_usage_t usage = mbedtls_test_psa_usage_to_exercise(skc.type, alg_arg); 1946 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1947 1948 PSA_ASSERT(psa_crypto_init()); 1949 1950 psa_set_key_id(&attributes, key_id); 1951 psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_PERSISTENT); 1952 psa_set_key_usage_flags(&attributes, usage); 1953 psa_set_key_algorithm(&attributes, alg_arg); 1954 psa_set_key_type(&attributes, type_arg); 1955 psa_set_key_bits(&attributes, bits_arg); 1956 skc.attributes = &attributes; 1957 1958 TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count); 1959 1960 /* Test that when multiple threads import the same key, 1961 * exactly one thread succeeds and the rest fail with valid errors. 1962 * Also test that all threads can use the key as soon as it has been 1963 * imported. */ 1964 for (size_t i = 0; i < thread_count; i++) { 1965 TEST_EQUAL( 1966 mbedtls_test_thread_create(&threads[i], thread_import_key, 1967 (void *) &skc), 0); 1968 } 1969 1970 /* Join threads. */ 1971 for (size_t i = 0; i < thread_count; i++) { 1972 TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0); 1973 } 1974 1975 /* Test that when multiple threads use and destroy a key no corruption 1976 * occurs, and exactly one thread succeeds when destroying the key. */ 1977 for (size_t i = 0; i < thread_count; i++) { 1978 TEST_EQUAL( 1979 mbedtls_test_thread_create(&threads[i], thread_use_and_destroy_key, 1980 (void *) &skc), 0); 1981 } 1982 1983 /* Join threads. */ 1984 for (size_t i = 0; i < thread_count; i++) { 1985 TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0); 1986 } 1987 /* Ensure that one thread succeeded in destroying the key. */ 1988 TEST_ASSERT(!skc.key_loaded); 1989exit: 1990 psa_reset_key_attributes(&attributes); 1991 mbedtls_mutex_free(&skc.key_loaded_mutex); 1992 mbedtls_free(threads); 1993 PSA_DONE(); 1994} 1995/* END_CASE */ 1996#endif 1997 1998/* BEGIN_CASE */ 1999void import_and_exercise_key(data_t *data, 2000 int type_arg, 2001 int bits_arg, 2002 int alg_arg) 2003{ 2004 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2005 psa_key_type_t type = type_arg; 2006 size_t bits = bits_arg; 2007 psa_algorithm_t alg = alg_arg; 2008 psa_key_usage_t usage = mbedtls_test_psa_usage_to_exercise(type, alg); 2009 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2010 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 2011 2012 PSA_ASSERT(psa_crypto_init()); 2013 2014 psa_set_key_usage_flags(&attributes, usage); 2015 psa_set_key_algorithm(&attributes, alg); 2016 psa_set_key_type(&attributes, type); 2017 2018 /* Import the key */ 2019 PSA_ASSERT(psa_import_key(&attributes, data->x, data->len, &key)); 2020 2021 /* Test the key information */ 2022 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 2023 TEST_EQUAL(psa_get_key_type(&got_attributes), type); 2024 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits); 2025 2026 /* Do something with the key according to its type and permitted usage. */ 2027 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) { 2028 goto exit; 2029 } 2030 2031 PSA_ASSERT(psa_destroy_key(key)); 2032 test_operations_on_invalid_key(key); 2033 2034exit: 2035 /* 2036 * Key attributes may have been returned by psa_get_key_attributes() 2037 * thus reset them as required. 2038 */ 2039 psa_reset_key_attributes(&got_attributes); 2040 2041 psa_reset_key_attributes(&attributes); 2042 psa_destroy_key(key); 2043 PSA_DONE(); 2044} 2045/* END_CASE */ 2046 2047/* BEGIN_CASE */ 2048void effective_key_attributes(int type_arg, int expected_type_arg, 2049 int bits_arg, int expected_bits_arg, 2050 int usage_arg, int expected_usage_arg, 2051 int alg_arg, int expected_alg_arg) 2052{ 2053 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2054 psa_key_type_t key_type = type_arg; 2055 psa_key_type_t expected_key_type = expected_type_arg; 2056 size_t bits = bits_arg; 2057 size_t expected_bits = expected_bits_arg; 2058 psa_algorithm_t alg = alg_arg; 2059 psa_algorithm_t expected_alg = expected_alg_arg; 2060 psa_key_usage_t usage = usage_arg; 2061 psa_key_usage_t expected_usage = expected_usage_arg; 2062 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2063 2064 PSA_ASSERT(psa_crypto_init()); 2065 2066 psa_set_key_usage_flags(&attributes, usage); 2067 psa_set_key_algorithm(&attributes, alg); 2068 psa_set_key_type(&attributes, key_type); 2069 psa_set_key_bits(&attributes, bits); 2070 2071 PSA_ASSERT(psa_generate_key(&attributes, &key)); 2072 psa_reset_key_attributes(&attributes); 2073 2074 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 2075 TEST_EQUAL(psa_get_key_type(&attributes), expected_key_type); 2076 TEST_EQUAL(psa_get_key_bits(&attributes), expected_bits); 2077 TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage); 2078 TEST_EQUAL(psa_get_key_algorithm(&attributes), expected_alg); 2079 2080exit: 2081 /* 2082 * Key attributes may have been returned by psa_get_key_attributes() 2083 * thus reset them as required. 2084 */ 2085 psa_reset_key_attributes(&attributes); 2086 2087 psa_destroy_key(key); 2088 PSA_DONE(); 2089} 2090/* END_CASE */ 2091 2092/* BEGIN_CASE */ 2093void check_key_policy(int type_arg, int bits_arg, 2094 int usage_arg, int alg_arg) 2095{ 2096 test_effective_key_attributes(type_arg, type_arg, bits_arg, bits_arg, 2097 usage_arg, 2098 mbedtls_test_update_key_usage_flags(usage_arg), 2099 alg_arg, alg_arg); 2100 goto exit; 2101} 2102/* END_CASE */ 2103 2104/* BEGIN_CASE */ 2105void key_attributes_init() 2106{ 2107 /* Test each valid way of initializing the object, except for `= {0}`, as 2108 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 2109 * though it's OK by the C standard. We could test for this, but we'd need 2110 * to suppress the Clang warning for the test. */ 2111 psa_key_attributes_t func = psa_key_attributes_init(); 2112 psa_key_attributes_t init = PSA_KEY_ATTRIBUTES_INIT; 2113 psa_key_attributes_t zero; 2114 2115 memset(&zero, 0, sizeof(zero)); 2116 2117 TEST_EQUAL(psa_get_key_lifetime(&func), PSA_KEY_LIFETIME_VOLATILE); 2118 TEST_EQUAL(psa_get_key_lifetime(&init), PSA_KEY_LIFETIME_VOLATILE); 2119 TEST_EQUAL(psa_get_key_lifetime(&zero), PSA_KEY_LIFETIME_VOLATILE); 2120 2121 TEST_EQUAL(psa_get_key_type(&func), 0); 2122 TEST_EQUAL(psa_get_key_type(&init), 0); 2123 TEST_EQUAL(psa_get_key_type(&zero), 0); 2124 2125 TEST_EQUAL(psa_get_key_bits(&func), 0); 2126 TEST_EQUAL(psa_get_key_bits(&init), 0); 2127 TEST_EQUAL(psa_get_key_bits(&zero), 0); 2128 2129 TEST_EQUAL(psa_get_key_usage_flags(&func), 0); 2130 TEST_EQUAL(psa_get_key_usage_flags(&init), 0); 2131 TEST_EQUAL(psa_get_key_usage_flags(&zero), 0); 2132 2133 TEST_EQUAL(psa_get_key_algorithm(&func), 0); 2134 TEST_EQUAL(psa_get_key_algorithm(&init), 0); 2135 TEST_EQUAL(psa_get_key_algorithm(&zero), 0); 2136} 2137/* END_CASE */ 2138 2139/* BEGIN_CASE */ 2140void mac_key_policy(int policy_usage_arg, 2141 int policy_alg_arg, 2142 int key_type_arg, 2143 data_t *key_data, 2144 int exercise_alg_arg, 2145 int expected_status_sign_arg, 2146 int expected_status_verify_arg) 2147{ 2148 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2149 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2150 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 2151 psa_key_type_t key_type = key_type_arg; 2152 psa_algorithm_t policy_alg = policy_alg_arg; 2153 psa_algorithm_t exercise_alg = exercise_alg_arg; 2154 psa_key_usage_t policy_usage = policy_usage_arg; 2155 psa_status_t status; 2156 psa_status_t expected_status_sign = expected_status_sign_arg; 2157 psa_status_t expected_status_verify = expected_status_verify_arg; 2158 unsigned char mac[PSA_MAC_MAX_SIZE]; 2159 2160 PSA_ASSERT(psa_crypto_init()); 2161 2162 psa_set_key_usage_flags(&attributes, policy_usage); 2163 psa_set_key_algorithm(&attributes, policy_alg); 2164 psa_set_key_type(&attributes, key_type); 2165 2166 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2167 &key)); 2168 2169 TEST_EQUAL(psa_get_key_usage_flags(&attributes), 2170 mbedtls_test_update_key_usage_flags(policy_usage)); 2171 2172 status = psa_mac_sign_setup(&operation, key, exercise_alg); 2173 TEST_EQUAL(status, expected_status_sign); 2174 2175 /* Calculate the MAC, one-shot case. */ 2176 uint8_t input[128] = { 0 }; 2177 size_t mac_len; 2178 TEST_EQUAL(psa_mac_compute(key, exercise_alg, 2179 input, 128, 2180 mac, PSA_MAC_MAX_SIZE, &mac_len), 2181 expected_status_sign); 2182 2183 /* Calculate the MAC, multi-part case. */ 2184 PSA_ASSERT(psa_mac_abort(&operation)); 2185 status = psa_mac_sign_setup(&operation, key, exercise_alg); 2186 if (status == PSA_SUCCESS) { 2187 status = psa_mac_update(&operation, input, 128); 2188 if (status == PSA_SUCCESS) { 2189 TEST_EQUAL(psa_mac_sign_finish(&operation, mac, PSA_MAC_MAX_SIZE, 2190 &mac_len), 2191 expected_status_sign); 2192 } else { 2193 TEST_EQUAL(status, expected_status_sign); 2194 } 2195 } else { 2196 TEST_EQUAL(status, expected_status_sign); 2197 } 2198 PSA_ASSERT(psa_mac_abort(&operation)); 2199 2200 /* Verify correct MAC, one-shot case. */ 2201 status = psa_mac_verify(key, exercise_alg, input, 128, 2202 mac, mac_len); 2203 2204 if (expected_status_sign != PSA_SUCCESS && expected_status_verify == PSA_SUCCESS) { 2205 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE); 2206 } else { 2207 TEST_EQUAL(status, expected_status_verify); 2208 } 2209 2210 /* Verify correct MAC, multi-part case. */ 2211 status = psa_mac_verify_setup(&operation, key, exercise_alg); 2212 if (status == PSA_SUCCESS) { 2213 status = psa_mac_update(&operation, input, 128); 2214 if (status == PSA_SUCCESS) { 2215 status = psa_mac_verify_finish(&operation, mac, mac_len); 2216 if (expected_status_sign != PSA_SUCCESS && expected_status_verify == PSA_SUCCESS) { 2217 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE); 2218 } else { 2219 TEST_EQUAL(status, expected_status_verify); 2220 } 2221 } else { 2222 TEST_EQUAL(status, expected_status_verify); 2223 } 2224 } else { 2225 TEST_EQUAL(status, expected_status_verify); 2226 } 2227 2228 psa_mac_abort(&operation); 2229 2230 memset(mac, 0, sizeof(mac)); 2231 status = psa_mac_verify_setup(&operation, key, exercise_alg); 2232 TEST_EQUAL(status, expected_status_verify); 2233 2234exit: 2235 psa_mac_abort(&operation); 2236 psa_destroy_key(key); 2237 PSA_DONE(); 2238} 2239/* END_CASE */ 2240 2241/* BEGIN_CASE */ 2242void cipher_key_policy(int policy_usage_arg, 2243 int policy_alg, 2244 int key_type, 2245 data_t *key_data, 2246 int exercise_alg) 2247{ 2248 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2249 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2250 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 2251 psa_key_usage_t policy_usage = policy_usage_arg; 2252 size_t output_buffer_size = 0; 2253 size_t input_buffer_size = 0; 2254 size_t output_length = 0; 2255 uint8_t *output = NULL; 2256 uint8_t *input = NULL; 2257 psa_status_t status; 2258 2259 input_buffer_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(exercise_alg); 2260 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, exercise_alg, 2261 input_buffer_size); 2262 2263 TEST_CALLOC(input, input_buffer_size); 2264 TEST_CALLOC(output, output_buffer_size); 2265 2266 PSA_ASSERT(psa_crypto_init()); 2267 2268 psa_set_key_usage_flags(&attributes, policy_usage); 2269 psa_set_key_algorithm(&attributes, policy_alg); 2270 psa_set_key_type(&attributes, key_type); 2271 2272 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2273 &key)); 2274 2275 /* Check if no key usage flag implication is done */ 2276 TEST_EQUAL(policy_usage, 2277 mbedtls_test_update_key_usage_flags(policy_usage)); 2278 2279 /* Encrypt check, one-shot */ 2280 status = psa_cipher_encrypt(key, exercise_alg, input, input_buffer_size, 2281 output, output_buffer_size, 2282 &output_length); 2283 if (policy_alg == exercise_alg && 2284 (policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) { 2285 PSA_ASSERT(status); 2286 } else { 2287 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2288 } 2289 2290 /* Encrypt check, multi-part */ 2291 status = psa_cipher_encrypt_setup(&operation, key, exercise_alg); 2292 if (policy_alg == exercise_alg && 2293 (policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) { 2294 PSA_ASSERT(status); 2295 } else { 2296 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2297 } 2298 psa_cipher_abort(&operation); 2299 2300 /* Decrypt check, one-shot */ 2301 status = psa_cipher_decrypt(key, exercise_alg, output, output_buffer_size, 2302 input, input_buffer_size, 2303 &output_length); 2304 if (policy_alg == exercise_alg && 2305 (policy_usage & PSA_KEY_USAGE_DECRYPT) != 0) { 2306 PSA_ASSERT(status); 2307 } else { 2308 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2309 } 2310 2311 /* Decrypt check, multi-part */ 2312 status = psa_cipher_decrypt_setup(&operation, key, exercise_alg); 2313 if (policy_alg == exercise_alg && 2314 (policy_usage & PSA_KEY_USAGE_DECRYPT) != 0) { 2315 PSA_ASSERT(status); 2316 } else { 2317 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2318 } 2319 2320exit: 2321 psa_cipher_abort(&operation); 2322 mbedtls_free(input); 2323 mbedtls_free(output); 2324 psa_destroy_key(key); 2325 PSA_DONE(); 2326} 2327/* END_CASE */ 2328 2329/* BEGIN_CASE */ 2330void aead_key_policy(int policy_usage_arg, 2331 int policy_alg, 2332 int key_type, 2333 data_t *key_data, 2334 int nonce_length_arg, 2335 int tag_length_arg, 2336 int exercise_alg, 2337 int expected_status_arg) 2338{ 2339 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2340 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2341 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 2342 psa_key_usage_t policy_usage = policy_usage_arg; 2343 psa_status_t status; 2344 psa_status_t expected_status = expected_status_arg; 2345 unsigned char nonce[16] = { 0 }; 2346 size_t nonce_length = nonce_length_arg; 2347 unsigned char tag[16]; 2348 size_t tag_length = tag_length_arg; 2349 size_t output_length; 2350 2351 TEST_LE_U(nonce_length, sizeof(nonce)); 2352 TEST_LE_U(tag_length, sizeof(tag)); 2353 2354 PSA_ASSERT(psa_crypto_init()); 2355 2356 psa_set_key_usage_flags(&attributes, policy_usage); 2357 psa_set_key_algorithm(&attributes, policy_alg); 2358 psa_set_key_type(&attributes, key_type); 2359 2360 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2361 &key)); 2362 2363 /* Check if no key usage implication is done */ 2364 TEST_EQUAL(policy_usage, 2365 mbedtls_test_update_key_usage_flags(policy_usage)); 2366 2367 /* Encrypt check, one-shot */ 2368 status = psa_aead_encrypt(key, exercise_alg, 2369 nonce, nonce_length, 2370 NULL, 0, 2371 NULL, 0, 2372 tag, tag_length, 2373 &output_length); 2374 if ((policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) { 2375 TEST_EQUAL(status, expected_status); 2376 } else { 2377 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2378 } 2379 2380 /* Encrypt check, multi-part */ 2381 status = psa_aead_encrypt_setup(&operation, key, exercise_alg); 2382 if ((policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) { 2383 TEST_EQUAL(status, expected_status); 2384 } else { 2385 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2386 } 2387 2388 /* Decrypt check, one-shot */ 2389 memset(tag, 0, sizeof(tag)); 2390 status = psa_aead_decrypt(key, exercise_alg, 2391 nonce, nonce_length, 2392 NULL, 0, 2393 tag, tag_length, 2394 NULL, 0, 2395 &output_length); 2396 if ((policy_usage & PSA_KEY_USAGE_DECRYPT) == 0) { 2397 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2398 } else if (expected_status == PSA_SUCCESS) { 2399 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE); 2400 } else { 2401 TEST_EQUAL(status, expected_status); 2402 } 2403 2404 /* Decrypt check, multi-part */ 2405 PSA_ASSERT(psa_aead_abort(&operation)); 2406 status = psa_aead_decrypt_setup(&operation, key, exercise_alg); 2407 if ((policy_usage & PSA_KEY_USAGE_DECRYPT) == 0) { 2408 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2409 } else { 2410 TEST_EQUAL(status, expected_status); 2411 } 2412 2413exit: 2414 PSA_ASSERT(psa_aead_abort(&operation)); 2415 psa_destroy_key(key); 2416 PSA_DONE(); 2417} 2418/* END_CASE */ 2419 2420/* BEGIN_CASE */ 2421void asymmetric_encryption_key_policy(int policy_usage_arg, 2422 int policy_alg, 2423 int key_type, 2424 data_t *key_data, 2425 int exercise_alg, 2426 int use_opaque_key) 2427{ 2428 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2429 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2430 psa_key_usage_t policy_usage = policy_usage_arg; 2431 psa_status_t status; 2432 size_t key_bits; 2433 size_t buffer_length; 2434 unsigned char *buffer = NULL; 2435 size_t output_length; 2436 2437 PSA_ASSERT(psa_crypto_init()); 2438 2439 psa_set_key_usage_flags(&attributes, policy_usage); 2440 psa_set_key_algorithm(&attributes, policy_alg); 2441 psa_set_key_type(&attributes, key_type); 2442 2443 if (use_opaque_key) { 2444 psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( 2445 PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION)); 2446 } 2447 2448 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2449 &key)); 2450 2451 /* Check if no key usage implication is done */ 2452 TEST_EQUAL(policy_usage, 2453 mbedtls_test_update_key_usage_flags(policy_usage)); 2454 2455 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 2456 key_bits = psa_get_key_bits(&attributes); 2457 buffer_length = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, 2458 exercise_alg); 2459 TEST_CALLOC(buffer, buffer_length); 2460 2461 status = psa_asymmetric_encrypt(key, exercise_alg, 2462 NULL, 0, 2463 NULL, 0, 2464 buffer, buffer_length, 2465 &output_length); 2466 if (policy_alg == exercise_alg && 2467 (policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) { 2468 PSA_ASSERT(status); 2469 } else { 2470 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2471 } 2472 2473 if (buffer_length != 0) { 2474 memset(buffer, 0, buffer_length); 2475 } 2476 status = psa_asymmetric_decrypt(key, exercise_alg, 2477 buffer, buffer_length, 2478 NULL, 0, 2479 buffer, buffer_length, 2480 &output_length); 2481 if (policy_alg == exercise_alg && 2482 (policy_usage & PSA_KEY_USAGE_DECRYPT) != 0) { 2483 TEST_EQUAL(status, PSA_ERROR_INVALID_PADDING); 2484 } else { 2485 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2486 } 2487 2488exit: 2489 /* 2490 * Key attributes may have been returned by psa_get_key_attributes() 2491 * thus reset them as required. 2492 */ 2493 psa_reset_key_attributes(&attributes); 2494 2495 psa_destroy_key(key); 2496 PSA_DONE(); 2497 mbedtls_free(buffer); 2498} 2499/* END_CASE */ 2500 2501/* BEGIN_CASE */ 2502void asymmetric_signature_key_policy(int policy_usage_arg, 2503 int policy_alg, 2504 int key_type, 2505 data_t *key_data, 2506 int exercise_alg, 2507 int payload_length_arg, 2508 int expected_usage_arg) 2509{ 2510 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2511 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2512 psa_key_usage_t policy_usage = policy_usage_arg; 2513 psa_key_usage_t expected_usage = expected_usage_arg; 2514 psa_status_t status; 2515 unsigned char payload[PSA_HASH_MAX_SIZE] = { 1 }; 2516 /* If `payload_length_arg > 0`, `exercise_alg` is supposed to be 2517 * compatible with the policy and `payload_length_arg` is supposed to be 2518 * a valid input length to sign. If `payload_length_arg <= 0`, 2519 * `exercise_alg` is supposed to be forbidden by the policy. */ 2520 int compatible_alg = payload_length_arg > 0; 2521 size_t payload_length = compatible_alg ? payload_length_arg : 0; 2522 unsigned char signature[PSA_SIGNATURE_MAX_SIZE] = { 0 }; 2523 size_t signature_length; 2524 2525 /* Check if all implicit usage flags are deployed 2526 in the expected usage flags. */ 2527 TEST_EQUAL(expected_usage, 2528 mbedtls_test_update_key_usage_flags(policy_usage)); 2529 2530 PSA_ASSERT(psa_crypto_init()); 2531 2532 psa_set_key_usage_flags(&attributes, policy_usage); 2533 psa_set_key_algorithm(&attributes, policy_alg); 2534 psa_set_key_type(&attributes, key_type); 2535 2536 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2537 &key)); 2538 2539 TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage); 2540 2541 status = psa_sign_hash(key, exercise_alg, 2542 payload, payload_length, 2543 signature, sizeof(signature), 2544 &signature_length); 2545 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_SIGN_HASH) != 0) { 2546 PSA_ASSERT(status); 2547 } else { 2548 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2549 } 2550 2551 memset(signature, 0, sizeof(signature)); 2552 status = psa_verify_hash(key, exercise_alg, 2553 payload, payload_length, 2554 signature, sizeof(signature)); 2555 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) != 0) { 2556 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE); 2557 } else { 2558 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2559 } 2560 2561 if (PSA_ALG_IS_SIGN_HASH(exercise_alg) && 2562 PSA_ALG_IS_HASH(PSA_ALG_SIGN_GET_HASH(exercise_alg))) { 2563 status = psa_sign_message(key, exercise_alg, 2564 payload, payload_length, 2565 signature, sizeof(signature), 2566 &signature_length); 2567 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_SIGN_MESSAGE) != 0) { 2568 PSA_ASSERT(status); 2569 } else { 2570 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2571 } 2572 2573 memset(signature, 0, sizeof(signature)); 2574 status = psa_verify_message(key, exercise_alg, 2575 payload, payload_length, 2576 signature, sizeof(signature)); 2577 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_VERIFY_MESSAGE) != 0) { 2578 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE); 2579 } else { 2580 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2581 } 2582 } 2583 2584exit: 2585 psa_destroy_key(key); 2586 PSA_DONE(); 2587} 2588/* END_CASE */ 2589 2590/* BEGIN_CASE */ 2591void derive_key_policy(int policy_usage, 2592 int policy_alg, 2593 int key_type, 2594 data_t *key_data, 2595 int exercise_alg) 2596{ 2597 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2598 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2599 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 2600 psa_status_t status; 2601 2602 PSA_ASSERT(psa_crypto_init()); 2603 2604 psa_set_key_usage_flags(&attributes, policy_usage); 2605 psa_set_key_algorithm(&attributes, policy_alg); 2606 psa_set_key_type(&attributes, key_type); 2607 2608 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2609 &key)); 2610 2611 PSA_ASSERT(psa_key_derivation_setup(&operation, exercise_alg)); 2612 2613 if (PSA_ALG_IS_TLS12_PRF(exercise_alg) || 2614 PSA_ALG_IS_TLS12_PSK_TO_MS(exercise_alg)) { 2615 PSA_ASSERT(psa_key_derivation_input_bytes( 2616 &operation, 2617 PSA_KEY_DERIVATION_INPUT_SEED, 2618 (const uint8_t *) "", 0)); 2619 } 2620 2621 status = psa_key_derivation_input_key(&operation, 2622 PSA_KEY_DERIVATION_INPUT_SECRET, 2623 key); 2624 2625 if (policy_alg == exercise_alg && 2626 (policy_usage & PSA_KEY_USAGE_DERIVE) != 0) { 2627 PSA_ASSERT(status); 2628 } else { 2629 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); 2630 } 2631 2632exit: 2633 psa_key_derivation_abort(&operation); 2634 psa_destroy_key(key); 2635 PSA_DONE(); 2636} 2637/* END_CASE */ 2638 2639/* BEGIN_CASE */ 2640void agreement_key_policy(int policy_usage, 2641 int policy_alg, 2642 int key_type_arg, 2643 data_t *key_data, 2644 int exercise_alg, 2645 int expected_status_arg) 2646{ 2647 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2648 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2649 psa_key_type_t key_type = key_type_arg; 2650 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 2651 psa_status_t status; 2652 psa_status_t expected_status = expected_status_arg; 2653 2654 PSA_ASSERT(psa_crypto_init()); 2655 2656 psa_set_key_usage_flags(&attributes, policy_usage); 2657 psa_set_key_algorithm(&attributes, policy_alg); 2658 psa_set_key_type(&attributes, key_type); 2659 2660 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2661 &key)); 2662 2663 PSA_ASSERT(psa_key_derivation_setup(&operation, exercise_alg)); 2664 status = mbedtls_test_psa_key_agreement_with_self(&operation, key, 0); 2665 2666 TEST_EQUAL(status, expected_status); 2667 2668exit: 2669 psa_key_derivation_abort(&operation); 2670 psa_destroy_key(key); 2671 PSA_DONE(); 2672} 2673/* END_CASE */ 2674 2675/* BEGIN_CASE */ 2676void key_policy_alg2(int key_type_arg, data_t *key_data, 2677 int usage_arg, int alg_arg, int alg2_arg) 2678{ 2679 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2680 psa_key_type_t key_type = key_type_arg; 2681 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2682 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 2683 psa_key_usage_t usage = usage_arg; 2684 psa_algorithm_t alg = alg_arg; 2685 psa_algorithm_t alg2 = alg2_arg; 2686 2687 PSA_ASSERT(psa_crypto_init()); 2688 2689 psa_set_key_usage_flags(&attributes, usage); 2690 psa_set_key_algorithm(&attributes, alg); 2691 psa_set_key_enrollment_algorithm(&attributes, alg2); 2692 psa_set_key_type(&attributes, key_type); 2693 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2694 &key)); 2695 2696 /* Update the usage flags to obtain implicit usage flags */ 2697 usage = mbedtls_test_update_key_usage_flags(usage); 2698 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 2699 TEST_EQUAL(psa_get_key_usage_flags(&got_attributes), usage); 2700 TEST_EQUAL(psa_get_key_algorithm(&got_attributes), alg); 2701 TEST_EQUAL(psa_get_key_enrollment_algorithm(&got_attributes), alg2); 2702 2703 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) { 2704 goto exit; 2705 } 2706 if (!mbedtls_test_psa_exercise_key(key, usage, alg2, 0)) { 2707 goto exit; 2708 } 2709 2710exit: 2711 /* 2712 * Key attributes may have been returned by psa_get_key_attributes() 2713 * thus reset them as required. 2714 */ 2715 psa_reset_key_attributes(&got_attributes); 2716 2717 psa_destroy_key(key); 2718 PSA_DONE(); 2719} 2720/* END_CASE */ 2721 2722/* BEGIN_CASE */ 2723void raw_agreement_key_policy(int policy_usage, 2724 int policy_alg, 2725 int key_type_arg, 2726 data_t *key_data, 2727 int exercise_alg, 2728 int expected_status_arg) 2729{ 2730 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2731 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2732 psa_key_type_t key_type = key_type_arg; 2733 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 2734 psa_status_t status; 2735 psa_status_t expected_status = expected_status_arg; 2736 2737 PSA_ASSERT(psa_crypto_init()); 2738 2739 psa_set_key_usage_flags(&attributes, policy_usage); 2740 psa_set_key_algorithm(&attributes, policy_alg); 2741 psa_set_key_type(&attributes, key_type); 2742 2743 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 2744 &key)); 2745 2746 status = mbedtls_test_psa_raw_key_agreement_with_self(exercise_alg, key, 0); 2747 2748 TEST_EQUAL(status, expected_status); 2749 2750exit: 2751 psa_key_derivation_abort(&operation); 2752 psa_destroy_key(key); 2753 PSA_DONE(); 2754} 2755/* END_CASE */ 2756 2757/* BEGIN_CASE */ 2758void copy_success(int source_usage_arg, 2759 int source_alg_arg, int source_alg2_arg, 2760 int source_lifetime_arg, 2761 int type_arg, data_t *material, 2762 int copy_attributes, 2763 int target_usage_arg, 2764 int target_alg_arg, int target_alg2_arg, 2765 int target_lifetime_arg, 2766 int expected_usage_arg, 2767 int expected_alg_arg, int expected_alg2_arg) 2768{ 2769 psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT; 2770 psa_key_attributes_t target_attributes = PSA_KEY_ATTRIBUTES_INIT; 2771 psa_key_usage_t expected_usage = expected_usage_arg; 2772 psa_algorithm_t expected_alg = expected_alg_arg; 2773 psa_algorithm_t expected_alg2 = expected_alg2_arg; 2774 psa_key_lifetime_t source_lifetime = source_lifetime_arg; 2775 psa_key_lifetime_t target_lifetime = target_lifetime_arg; 2776 mbedtls_svc_key_id_t source_key = MBEDTLS_SVC_KEY_ID_INIT; 2777 mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT; 2778 uint8_t *export_buffer = NULL; 2779 2780 PSA_ASSERT(psa_crypto_init()); 2781 2782 /* Prepare the source key. */ 2783 psa_set_key_usage_flags(&source_attributes, source_usage_arg); 2784 psa_set_key_algorithm(&source_attributes, source_alg_arg); 2785 psa_set_key_enrollment_algorithm(&source_attributes, source_alg2_arg); 2786 psa_set_key_type(&source_attributes, type_arg); 2787 psa_set_key_lifetime(&source_attributes, source_lifetime); 2788 PSA_ASSERT(psa_import_key(&source_attributes, 2789 material->x, material->len, 2790 &source_key)); 2791 PSA_ASSERT(psa_get_key_attributes(source_key, &source_attributes)); 2792 2793 /* Prepare the target attributes. */ 2794 if (copy_attributes) { 2795 target_attributes = source_attributes; 2796 } 2797 psa_set_key_lifetime(&target_attributes, target_lifetime); 2798 2799 if (target_usage_arg != -1) { 2800 psa_set_key_usage_flags(&target_attributes, target_usage_arg); 2801 } 2802 if (target_alg_arg != -1) { 2803 psa_set_key_algorithm(&target_attributes, target_alg_arg); 2804 } 2805 if (target_alg2_arg != -1) { 2806 psa_set_key_enrollment_algorithm(&target_attributes, target_alg2_arg); 2807 } 2808 2809 2810 /* Copy the key. */ 2811 PSA_ASSERT(psa_copy_key(source_key, 2812 &target_attributes, &target_key)); 2813 2814 /* Destroy the source to ensure that this doesn't affect the target. */ 2815 PSA_ASSERT(psa_destroy_key(source_key)); 2816 2817 /* Test that the target slot has the expected content and policy. */ 2818 PSA_ASSERT(psa_get_key_attributes(target_key, &target_attributes)); 2819 TEST_EQUAL(psa_get_key_type(&source_attributes), 2820 psa_get_key_type(&target_attributes)); 2821 TEST_EQUAL(psa_get_key_bits(&source_attributes), 2822 psa_get_key_bits(&target_attributes)); 2823 TEST_EQUAL(expected_usage, psa_get_key_usage_flags(&target_attributes)); 2824 TEST_EQUAL(expected_alg, psa_get_key_algorithm(&target_attributes)); 2825 TEST_EQUAL(expected_alg2, 2826 psa_get_key_enrollment_algorithm(&target_attributes)); 2827 if (expected_usage & PSA_KEY_USAGE_EXPORT) { 2828 size_t length; 2829 TEST_CALLOC(export_buffer, material->len); 2830 PSA_ASSERT(psa_export_key(target_key, export_buffer, 2831 material->len, &length)); 2832 TEST_MEMORY_COMPARE(material->x, material->len, 2833 export_buffer, length); 2834 } 2835 2836 if (!psa_key_lifetime_is_external(target_lifetime)) { 2837 if (!mbedtls_test_psa_exercise_key(target_key, expected_usage, expected_alg, 0)) { 2838 goto exit; 2839 } 2840 if (!mbedtls_test_psa_exercise_key(target_key, expected_usage, expected_alg2, 0)) { 2841 goto exit; 2842 } 2843 } 2844 2845 PSA_ASSERT(psa_destroy_key(target_key)); 2846 2847exit: 2848 /* 2849 * Source and target key attributes may have been returned by 2850 * psa_get_key_attributes() thus reset them as required. 2851 */ 2852 psa_reset_key_attributes(&source_attributes); 2853 psa_reset_key_attributes(&target_attributes); 2854 2855 PSA_DONE(); 2856 mbedtls_free(export_buffer); 2857} 2858/* END_CASE */ 2859 2860/* BEGIN_CASE */ 2861void copy_fail(int source_usage_arg, 2862 int source_alg_arg, int source_alg2_arg, 2863 int source_lifetime_arg, 2864 int type_arg, data_t *material, 2865 int target_type_arg, int target_bits_arg, 2866 int target_usage_arg, 2867 int target_alg_arg, int target_alg2_arg, 2868 int target_id_arg, int target_lifetime_arg, 2869 int expected_status_arg) 2870{ 2871 psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT; 2872 psa_key_attributes_t target_attributes = PSA_KEY_ATTRIBUTES_INIT; 2873 mbedtls_svc_key_id_t source_key = MBEDTLS_SVC_KEY_ID_INIT; 2874 mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT; 2875 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, target_id_arg); 2876 2877 PSA_ASSERT(psa_crypto_init()); 2878 2879 /* Prepare the source key. */ 2880 psa_set_key_usage_flags(&source_attributes, source_usage_arg); 2881 psa_set_key_algorithm(&source_attributes, source_alg_arg); 2882 psa_set_key_enrollment_algorithm(&source_attributes, source_alg2_arg); 2883 psa_set_key_type(&source_attributes, type_arg); 2884 psa_set_key_lifetime(&source_attributes, source_lifetime_arg); 2885 PSA_ASSERT(psa_import_key(&source_attributes, 2886 material->x, material->len, 2887 &source_key)); 2888 2889 /* Prepare the target attributes. */ 2890 psa_set_key_id(&target_attributes, key_id); 2891 psa_set_key_lifetime(&target_attributes, target_lifetime_arg); 2892 psa_set_key_type(&target_attributes, target_type_arg); 2893 psa_set_key_bits(&target_attributes, target_bits_arg); 2894 psa_set_key_usage_flags(&target_attributes, target_usage_arg); 2895 psa_set_key_algorithm(&target_attributes, target_alg_arg); 2896 psa_set_key_enrollment_algorithm(&target_attributes, target_alg2_arg); 2897 2898 /* Try to copy the key. */ 2899 TEST_EQUAL(psa_copy_key(source_key, 2900 &target_attributes, &target_key), 2901 expected_status_arg); 2902 2903 PSA_ASSERT(psa_destroy_key(source_key)); 2904 2905exit: 2906 psa_reset_key_attributes(&source_attributes); 2907 psa_reset_key_attributes(&target_attributes); 2908 PSA_DONE(); 2909} 2910/* END_CASE */ 2911 2912/* BEGIN_CASE */ 2913void hash_operation_init() 2914{ 2915 const uint8_t input[1] = { 0 }; 2916 /* Test each valid way of initializing the object, except for `= {0}`, as 2917 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 2918 * though it's OK by the C standard. We could test for this, but we'd need 2919 * to suppress the Clang warning for the test. */ 2920 psa_hash_operation_t func = psa_hash_operation_init(); 2921 psa_hash_operation_t init = PSA_HASH_OPERATION_INIT; 2922 psa_hash_operation_t zero; 2923 2924 memset(&zero, 0, sizeof(zero)); 2925 2926 /* A freshly-initialized hash operation should not be usable. */ 2927 TEST_EQUAL(psa_hash_update(&func, input, sizeof(input)), 2928 PSA_ERROR_BAD_STATE); 2929 TEST_EQUAL(psa_hash_update(&init, input, sizeof(input)), 2930 PSA_ERROR_BAD_STATE); 2931 TEST_EQUAL(psa_hash_update(&zero, input, sizeof(input)), 2932 PSA_ERROR_BAD_STATE); 2933 2934 /* A default hash operation should be abortable without error. */ 2935 PSA_ASSERT(psa_hash_abort(&func)); 2936 PSA_ASSERT(psa_hash_abort(&init)); 2937 PSA_ASSERT(psa_hash_abort(&zero)); 2938} 2939/* END_CASE */ 2940 2941/* BEGIN_CASE */ 2942void hash_setup(int alg_arg, 2943 int expected_status_arg) 2944{ 2945 psa_algorithm_t alg = alg_arg; 2946 uint8_t *output = NULL; 2947 size_t output_size = 0; 2948 size_t output_length = 0; 2949 psa_status_t expected_status = expected_status_arg; 2950 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 2951 psa_status_t status; 2952 2953 PSA_ASSERT(psa_crypto_init()); 2954 2955 /* Hash Setup, one-shot */ 2956 output_size = PSA_HASH_LENGTH(alg); 2957 TEST_CALLOC(output, output_size); 2958 2959 status = psa_hash_compute(alg, NULL, 0, 2960 output, output_size, &output_length); 2961 TEST_EQUAL(status, expected_status); 2962 2963 /* Hash Setup, multi-part */ 2964 status = psa_hash_setup(&operation, alg); 2965 TEST_EQUAL(status, expected_status); 2966 2967 /* Whether setup succeeded or failed, abort must succeed. */ 2968 PSA_ASSERT(psa_hash_abort(&operation)); 2969 2970 /* If setup failed, reproduce the failure, so as to 2971 * test the resulting state of the operation object. */ 2972 if (status != PSA_SUCCESS) { 2973 TEST_EQUAL(psa_hash_setup(&operation, alg), status); 2974 } 2975 2976 /* Now the operation object should be reusable. */ 2977#if defined(KNOWN_SUPPORTED_HASH_ALG) 2978 PSA_ASSERT(psa_hash_setup(&operation, KNOWN_SUPPORTED_HASH_ALG)); 2979 PSA_ASSERT(psa_hash_abort(&operation)); 2980#endif 2981 2982exit: 2983 mbedtls_free(output); 2984 PSA_DONE(); 2985} 2986/* END_CASE */ 2987 2988/* BEGIN_CASE */ 2989void hash_compute_fail(int alg_arg, data_t *input, 2990 int output_size_arg, int expected_status_arg) 2991{ 2992 psa_algorithm_t alg = alg_arg; 2993 uint8_t *output = NULL; 2994 size_t output_size = output_size_arg; 2995 size_t output_length = INVALID_EXPORT_LENGTH; 2996 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 2997 psa_status_t expected_status = expected_status_arg; 2998 psa_status_t status; 2999 3000 TEST_CALLOC(output, output_size); 3001 3002 PSA_ASSERT(psa_crypto_init()); 3003 3004 /* Hash Compute, one-shot */ 3005 status = psa_hash_compute(alg, input->x, input->len, 3006 output, output_size, &output_length); 3007 TEST_EQUAL(status, expected_status); 3008 TEST_LE_U(output_length, output_size); 3009 3010 /* Hash Compute, multi-part */ 3011 status = psa_hash_setup(&operation, alg); 3012 if (status == PSA_SUCCESS) { 3013 status = psa_hash_update(&operation, input->x, input->len); 3014 if (status == PSA_SUCCESS) { 3015 status = psa_hash_finish(&operation, output, output_size, 3016 &output_length); 3017 if (status == PSA_SUCCESS) { 3018 TEST_LE_U(output_length, output_size); 3019 } else { 3020 TEST_EQUAL(status, expected_status); 3021 } 3022 } else { 3023 TEST_EQUAL(status, expected_status); 3024 } 3025 } else { 3026 TEST_EQUAL(status, expected_status); 3027 } 3028 3029exit: 3030 PSA_ASSERT(psa_hash_abort(&operation)); 3031 mbedtls_free(output); 3032 PSA_DONE(); 3033} 3034/* END_CASE */ 3035 3036/* BEGIN_CASE */ 3037void hash_compare_fail(int alg_arg, data_t *input, 3038 data_t *reference_hash, 3039 int expected_status_arg) 3040{ 3041 psa_algorithm_t alg = alg_arg; 3042 psa_status_t expected_status = expected_status_arg; 3043 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 3044 psa_status_t status; 3045 3046 PSA_ASSERT(psa_crypto_init()); 3047 3048 /* Hash Compare, one-shot */ 3049 status = psa_hash_compare(alg, input->x, input->len, 3050 reference_hash->x, reference_hash->len); 3051 TEST_EQUAL(status, expected_status); 3052 3053 /* Hash Compare, multi-part */ 3054 status = psa_hash_setup(&operation, alg); 3055 if (status == PSA_SUCCESS) { 3056 status = psa_hash_update(&operation, input->x, input->len); 3057 if (status == PSA_SUCCESS) { 3058 status = psa_hash_verify(&operation, reference_hash->x, 3059 reference_hash->len); 3060 TEST_EQUAL(status, expected_status); 3061 } else { 3062 TEST_EQUAL(status, expected_status); 3063 } 3064 } else { 3065 TEST_EQUAL(status, expected_status); 3066 } 3067 3068exit: 3069 PSA_ASSERT(psa_hash_abort(&operation)); 3070 PSA_DONE(); 3071} 3072/* END_CASE */ 3073 3074/* BEGIN_CASE */ 3075void hash_compute_compare(int alg_arg, data_t *input, 3076 data_t *expected_output) 3077{ 3078 psa_algorithm_t alg = alg_arg; 3079 uint8_t output[PSA_HASH_MAX_SIZE + 1]; 3080 size_t output_length = INVALID_EXPORT_LENGTH; 3081 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 3082 size_t i; 3083 3084 PSA_ASSERT(psa_crypto_init()); 3085 3086 /* Compute with tight buffer, one-shot */ 3087 PSA_ASSERT(psa_hash_compute(alg, input->x, input->len, 3088 output, PSA_HASH_LENGTH(alg), 3089 &output_length)); 3090 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg)); 3091 TEST_MEMORY_COMPARE(output, output_length, 3092 expected_output->x, expected_output->len); 3093 3094 /* Compute with tight buffer, multi-part */ 3095 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3096 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len)); 3097 PSA_ASSERT(psa_hash_finish(&operation, output, 3098 PSA_HASH_LENGTH(alg), 3099 &output_length)); 3100 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg)); 3101 TEST_MEMORY_COMPARE(output, output_length, 3102 expected_output->x, expected_output->len); 3103 3104 /* Compute with larger buffer, one-shot */ 3105 PSA_ASSERT(psa_hash_compute(alg, input->x, input->len, 3106 output, sizeof(output), 3107 &output_length)); 3108 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg)); 3109 TEST_MEMORY_COMPARE(output, output_length, 3110 expected_output->x, expected_output->len); 3111 3112 /* Compute with larger buffer, multi-part */ 3113 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3114 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len)); 3115 PSA_ASSERT(psa_hash_finish(&operation, output, 3116 sizeof(output), &output_length)); 3117 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg)); 3118 TEST_MEMORY_COMPARE(output, output_length, 3119 expected_output->x, expected_output->len); 3120 3121 /* Compare with correct hash, one-shot */ 3122 PSA_ASSERT(psa_hash_compare(alg, input->x, input->len, 3123 output, output_length)); 3124 3125 /* Compare with correct hash, multi-part */ 3126 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3127 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len)); 3128 PSA_ASSERT(psa_hash_verify(&operation, output, 3129 output_length)); 3130 3131 /* Compare with trailing garbage, one-shot */ 3132 TEST_EQUAL(psa_hash_compare(alg, input->x, input->len, 3133 output, output_length + 1), 3134 PSA_ERROR_INVALID_SIGNATURE); 3135 3136 /* Compare with trailing garbage, multi-part */ 3137 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3138 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len)); 3139 TEST_EQUAL(psa_hash_verify(&operation, output, output_length + 1), 3140 PSA_ERROR_INVALID_SIGNATURE); 3141 3142 /* Compare with truncated hash, one-shot */ 3143 TEST_EQUAL(psa_hash_compare(alg, input->x, input->len, 3144 output, output_length - 1), 3145 PSA_ERROR_INVALID_SIGNATURE); 3146 3147 /* Compare with truncated hash, multi-part */ 3148 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3149 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len)); 3150 TEST_EQUAL(psa_hash_verify(&operation, output, output_length - 1), 3151 PSA_ERROR_INVALID_SIGNATURE); 3152 3153 /* Compare with corrupted value */ 3154 for (i = 0; i < output_length; i++) { 3155 mbedtls_test_set_step(i); 3156 output[i] ^= 1; 3157 3158 /* One-shot */ 3159 TEST_EQUAL(psa_hash_compare(alg, input->x, input->len, 3160 output, output_length), 3161 PSA_ERROR_INVALID_SIGNATURE); 3162 3163 /* Multi-Part */ 3164 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3165 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len)); 3166 TEST_EQUAL(psa_hash_verify(&operation, output, output_length), 3167 PSA_ERROR_INVALID_SIGNATURE); 3168 3169 output[i] ^= 1; 3170 } 3171 3172exit: 3173 PSA_ASSERT(psa_hash_abort(&operation)); 3174 PSA_DONE(); 3175} 3176/* END_CASE */ 3177 3178/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 3179void hash_bad_order() 3180{ 3181 psa_algorithm_t alg = PSA_ALG_SHA_256; 3182 unsigned char input[] = ""; 3183 /* SHA-256 hash of an empty string */ 3184 const unsigned char valid_hash[] = { 3185 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 3186 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 3187 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 3188 }; 3189 unsigned char hash[sizeof(valid_hash)] = { 0 }; 3190 size_t hash_len; 3191 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 3192 3193 PSA_ASSERT(psa_crypto_init()); 3194 3195 /* Call setup twice in a row. */ 3196 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3197 ASSERT_OPERATION_IS_ACTIVE(operation); 3198 TEST_EQUAL(psa_hash_setup(&operation, alg), 3199 PSA_ERROR_BAD_STATE); 3200 ASSERT_OPERATION_IS_INACTIVE(operation); 3201 PSA_ASSERT(psa_hash_abort(&operation)); 3202 ASSERT_OPERATION_IS_INACTIVE(operation); 3203 3204 /* Call update without calling setup beforehand. */ 3205 TEST_EQUAL(psa_hash_update(&operation, input, sizeof(input)), 3206 PSA_ERROR_BAD_STATE); 3207 PSA_ASSERT(psa_hash_abort(&operation)); 3208 3209 /* Check that update calls abort on error. */ 3210 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3211 operation.id = UINT_MAX; 3212 ASSERT_OPERATION_IS_ACTIVE(operation); 3213 TEST_EQUAL(psa_hash_update(&operation, input, sizeof(input)), 3214 PSA_ERROR_BAD_STATE); 3215 ASSERT_OPERATION_IS_INACTIVE(operation); 3216 PSA_ASSERT(psa_hash_abort(&operation)); 3217 ASSERT_OPERATION_IS_INACTIVE(operation); 3218 3219 /* Call update after finish. */ 3220 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3221 PSA_ASSERT(psa_hash_finish(&operation, 3222 hash, sizeof(hash), &hash_len)); 3223 TEST_EQUAL(psa_hash_update(&operation, input, sizeof(input)), 3224 PSA_ERROR_BAD_STATE); 3225 PSA_ASSERT(psa_hash_abort(&operation)); 3226 3227 /* Call verify without calling setup beforehand. */ 3228 TEST_EQUAL(psa_hash_verify(&operation, 3229 valid_hash, sizeof(valid_hash)), 3230 PSA_ERROR_BAD_STATE); 3231 PSA_ASSERT(psa_hash_abort(&operation)); 3232 3233 /* Call verify after finish. */ 3234 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3235 PSA_ASSERT(psa_hash_finish(&operation, 3236 hash, sizeof(hash), &hash_len)); 3237 TEST_EQUAL(psa_hash_verify(&operation, 3238 valid_hash, sizeof(valid_hash)), 3239 PSA_ERROR_BAD_STATE); 3240 PSA_ASSERT(psa_hash_abort(&operation)); 3241 3242 /* Call verify twice in a row. */ 3243 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3244 ASSERT_OPERATION_IS_ACTIVE(operation); 3245 PSA_ASSERT(psa_hash_verify(&operation, 3246 valid_hash, sizeof(valid_hash))); 3247 ASSERT_OPERATION_IS_INACTIVE(operation); 3248 TEST_EQUAL(psa_hash_verify(&operation, 3249 valid_hash, sizeof(valid_hash)), 3250 PSA_ERROR_BAD_STATE); 3251 ASSERT_OPERATION_IS_INACTIVE(operation); 3252 PSA_ASSERT(psa_hash_abort(&operation)); 3253 3254 /* Call finish without calling setup beforehand. */ 3255 TEST_EQUAL(psa_hash_finish(&operation, 3256 hash, sizeof(hash), &hash_len), 3257 PSA_ERROR_BAD_STATE); 3258 PSA_ASSERT(psa_hash_abort(&operation)); 3259 3260 /* Call finish twice in a row. */ 3261 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3262 PSA_ASSERT(psa_hash_finish(&operation, 3263 hash, sizeof(hash), &hash_len)); 3264 TEST_EQUAL(psa_hash_finish(&operation, 3265 hash, sizeof(hash), &hash_len), 3266 PSA_ERROR_BAD_STATE); 3267 PSA_ASSERT(psa_hash_abort(&operation)); 3268 3269 /* Call finish after calling verify. */ 3270 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3271 PSA_ASSERT(psa_hash_verify(&operation, 3272 valid_hash, sizeof(valid_hash))); 3273 TEST_EQUAL(psa_hash_finish(&operation, 3274 hash, sizeof(hash), &hash_len), 3275 PSA_ERROR_BAD_STATE); 3276 PSA_ASSERT(psa_hash_abort(&operation)); 3277 3278exit: 3279 PSA_DONE(); 3280} 3281/* END_CASE */ 3282 3283/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 3284void hash_verify_bad_args() 3285{ 3286 psa_algorithm_t alg = PSA_ALG_SHA_256; 3287 /* SHA-256 hash of an empty string with 2 extra bytes (0xaa and 0xbb) 3288 * appended to it */ 3289 unsigned char hash[] = { 3290 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 3291 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 3292 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55, 0xaa, 0xbb 3293 }; 3294 size_t expected_size = PSA_HASH_LENGTH(alg); 3295 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 3296 3297 PSA_ASSERT(psa_crypto_init()); 3298 3299 /* psa_hash_verify with a smaller hash than expected */ 3300 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3301 ASSERT_OPERATION_IS_ACTIVE(operation); 3302 TEST_EQUAL(psa_hash_verify(&operation, hash, expected_size - 1), 3303 PSA_ERROR_INVALID_SIGNATURE); 3304 ASSERT_OPERATION_IS_INACTIVE(operation); 3305 PSA_ASSERT(psa_hash_abort(&operation)); 3306 ASSERT_OPERATION_IS_INACTIVE(operation); 3307 3308 /* psa_hash_verify with a non-matching hash */ 3309 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3310 TEST_EQUAL(psa_hash_verify(&operation, hash + 1, expected_size), 3311 PSA_ERROR_INVALID_SIGNATURE); 3312 3313 /* psa_hash_verify with a hash longer than expected */ 3314 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3315 TEST_EQUAL(psa_hash_verify(&operation, hash, sizeof(hash)), 3316 PSA_ERROR_INVALID_SIGNATURE); 3317 3318exit: 3319 PSA_DONE(); 3320} 3321/* END_CASE */ 3322 3323/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 3324void hash_finish_bad_args() 3325{ 3326 psa_algorithm_t alg = PSA_ALG_SHA_256; 3327 unsigned char hash[PSA_HASH_MAX_SIZE]; 3328 size_t expected_size = PSA_HASH_LENGTH(alg); 3329 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 3330 size_t hash_len; 3331 3332 PSA_ASSERT(psa_crypto_init()); 3333 3334 /* psa_hash_finish with a smaller hash buffer than expected */ 3335 PSA_ASSERT(psa_hash_setup(&operation, alg)); 3336 TEST_EQUAL(psa_hash_finish(&operation, 3337 hash, expected_size - 1, &hash_len), 3338 PSA_ERROR_BUFFER_TOO_SMALL); 3339 3340exit: 3341 PSA_DONE(); 3342} 3343/* END_CASE */ 3344 3345/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 3346void hash_clone_source_state() 3347{ 3348 psa_algorithm_t alg = PSA_ALG_SHA_256; 3349 unsigned char hash[PSA_HASH_MAX_SIZE]; 3350 psa_hash_operation_t op_source = PSA_HASH_OPERATION_INIT; 3351 psa_hash_operation_t op_init = PSA_HASH_OPERATION_INIT; 3352 psa_hash_operation_t op_setup = PSA_HASH_OPERATION_INIT; 3353 psa_hash_operation_t op_finished = PSA_HASH_OPERATION_INIT; 3354 psa_hash_operation_t op_aborted = PSA_HASH_OPERATION_INIT; 3355 size_t hash_len; 3356 3357 PSA_ASSERT(psa_crypto_init()); 3358 PSA_ASSERT(psa_hash_setup(&op_source, alg)); 3359 3360 PSA_ASSERT(psa_hash_setup(&op_setup, alg)); 3361 PSA_ASSERT(psa_hash_setup(&op_finished, alg)); 3362 PSA_ASSERT(psa_hash_finish(&op_finished, 3363 hash, sizeof(hash), &hash_len)); 3364 PSA_ASSERT(psa_hash_setup(&op_aborted, alg)); 3365 PSA_ASSERT(psa_hash_abort(&op_aborted)); 3366 3367 TEST_EQUAL(psa_hash_clone(&op_source, &op_setup), 3368 PSA_ERROR_BAD_STATE); 3369 3370 PSA_ASSERT(psa_hash_clone(&op_source, &op_init)); 3371 PSA_ASSERT(psa_hash_finish(&op_init, 3372 hash, sizeof(hash), &hash_len)); 3373 PSA_ASSERT(psa_hash_clone(&op_source, &op_finished)); 3374 PSA_ASSERT(psa_hash_finish(&op_finished, 3375 hash, sizeof(hash), &hash_len)); 3376 PSA_ASSERT(psa_hash_clone(&op_source, &op_aborted)); 3377 PSA_ASSERT(psa_hash_finish(&op_aborted, 3378 hash, sizeof(hash), &hash_len)); 3379 3380exit: 3381 psa_hash_abort(&op_source); 3382 psa_hash_abort(&op_init); 3383 psa_hash_abort(&op_setup); 3384 psa_hash_abort(&op_finished); 3385 psa_hash_abort(&op_aborted); 3386 PSA_DONE(); 3387} 3388/* END_CASE */ 3389 3390/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 3391void hash_clone_target_state() 3392{ 3393 psa_algorithm_t alg = PSA_ALG_SHA_256; 3394 unsigned char hash[PSA_HASH_MAX_SIZE]; 3395 psa_hash_operation_t op_init = PSA_HASH_OPERATION_INIT; 3396 psa_hash_operation_t op_setup = PSA_HASH_OPERATION_INIT; 3397 psa_hash_operation_t op_finished = PSA_HASH_OPERATION_INIT; 3398 psa_hash_operation_t op_aborted = PSA_HASH_OPERATION_INIT; 3399 psa_hash_operation_t op_target = PSA_HASH_OPERATION_INIT; 3400 size_t hash_len; 3401 3402 PSA_ASSERT(psa_crypto_init()); 3403 3404 PSA_ASSERT(psa_hash_setup(&op_setup, alg)); 3405 PSA_ASSERT(psa_hash_setup(&op_finished, alg)); 3406 PSA_ASSERT(psa_hash_finish(&op_finished, 3407 hash, sizeof(hash), &hash_len)); 3408 PSA_ASSERT(psa_hash_setup(&op_aborted, alg)); 3409 PSA_ASSERT(psa_hash_abort(&op_aborted)); 3410 3411 PSA_ASSERT(psa_hash_clone(&op_setup, &op_target)); 3412 PSA_ASSERT(psa_hash_finish(&op_target, 3413 hash, sizeof(hash), &hash_len)); 3414 3415 TEST_EQUAL(psa_hash_clone(&op_init, &op_target), PSA_ERROR_BAD_STATE); 3416 TEST_EQUAL(psa_hash_clone(&op_finished, &op_target), 3417 PSA_ERROR_BAD_STATE); 3418 TEST_EQUAL(psa_hash_clone(&op_aborted, &op_target), 3419 PSA_ERROR_BAD_STATE); 3420 3421exit: 3422 psa_hash_abort(&op_target); 3423 psa_hash_abort(&op_init); 3424 psa_hash_abort(&op_setup); 3425 psa_hash_abort(&op_finished); 3426 psa_hash_abort(&op_aborted); 3427 PSA_DONE(); 3428} 3429/* END_CASE */ 3430 3431/* BEGIN_CASE */ 3432void mac_operation_init() 3433{ 3434 const uint8_t input[1] = { 0 }; 3435 3436 /* Test each valid way of initializing the object, except for `= {0}`, as 3437 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 3438 * though it's OK by the C standard. We could test for this, but we'd need 3439 * to suppress the Clang warning for the test. */ 3440 psa_mac_operation_t func = psa_mac_operation_init(); 3441 psa_mac_operation_t init = PSA_MAC_OPERATION_INIT; 3442 psa_mac_operation_t zero; 3443 3444 memset(&zero, 0, sizeof(zero)); 3445 3446 /* A freshly-initialized MAC operation should not be usable. */ 3447 TEST_EQUAL(psa_mac_update(&func, 3448 input, sizeof(input)), 3449 PSA_ERROR_BAD_STATE); 3450 TEST_EQUAL(psa_mac_update(&init, 3451 input, sizeof(input)), 3452 PSA_ERROR_BAD_STATE); 3453 TEST_EQUAL(psa_mac_update(&zero, 3454 input, sizeof(input)), 3455 PSA_ERROR_BAD_STATE); 3456 3457 /* A default MAC operation should be abortable without error. */ 3458 PSA_ASSERT(psa_mac_abort(&func)); 3459 PSA_ASSERT(psa_mac_abort(&init)); 3460 PSA_ASSERT(psa_mac_abort(&zero)); 3461} 3462/* END_CASE */ 3463 3464/* BEGIN_CASE */ 3465void mac_setup(int key_type_arg, 3466 data_t *key, 3467 int alg_arg, 3468 int expected_status_arg) 3469{ 3470 psa_key_type_t key_type = key_type_arg; 3471 psa_algorithm_t alg = alg_arg; 3472 psa_status_t expected_status = expected_status_arg; 3473 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 3474 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 3475#if defined(KNOWN_SUPPORTED_MAC_ALG) 3476 const uint8_t smoke_test_key_data[16] = "kkkkkkkkkkkkkkkk"; 3477#endif 3478 3479 PSA_ASSERT(psa_crypto_init()); 3480 3481 if (!exercise_mac_setup(key_type, key->x, key->len, alg, 3482 &operation, &status)) { 3483 goto exit; 3484 } 3485 TEST_EQUAL(status, expected_status); 3486 3487 /* The operation object should be reusable. */ 3488#if defined(KNOWN_SUPPORTED_MAC_ALG) 3489 if (!exercise_mac_setup(KNOWN_SUPPORTED_MAC_KEY_TYPE, 3490 smoke_test_key_data, 3491 sizeof(smoke_test_key_data), 3492 KNOWN_SUPPORTED_MAC_ALG, 3493 &operation, &status)) { 3494 goto exit; 3495 } 3496 TEST_EQUAL(status, PSA_SUCCESS); 3497#endif 3498 3499exit: 3500 PSA_DONE(); 3501} 3502/* END_CASE */ 3503 3504/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_HMAC:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256 */ 3505void mac_bad_order() 3506{ 3507 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3508 psa_key_type_t key_type = PSA_KEY_TYPE_HMAC; 3509 psa_algorithm_t alg = PSA_ALG_HMAC(PSA_ALG_SHA_256); 3510 const uint8_t key_data[] = { 3511 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 3512 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 3513 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa 3514 }; 3515 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3516 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 3517 uint8_t sign_mac[PSA_MAC_MAX_SIZE + 10] = { 0 }; 3518 size_t sign_mac_length = 0; 3519 const uint8_t input[] = { 0xbb, 0xbb, 0xbb, 0xbb }; 3520 const uint8_t verify_mac[] = { 3521 0x74, 0x65, 0x93, 0x8c, 0xeb, 0x1d, 0xb3, 0x76, 0x5a, 0x38, 0xe7, 0xdd, 3522 0x85, 0xc5, 0xad, 0x4f, 0x07, 0xe7, 0xd5, 0xb2, 0x64, 0xf0, 0x1a, 0x1a, 3523 0x2c, 0xf9, 0x18, 0xca, 0x59, 0x7e, 0x5d, 0xf6 3524 }; 3525 3526 PSA_ASSERT(psa_crypto_init()); 3527 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH); 3528 psa_set_key_algorithm(&attributes, alg); 3529 psa_set_key_type(&attributes, key_type); 3530 3531 PSA_ASSERT(psa_import_key(&attributes, key_data, sizeof(key_data), 3532 &key)); 3533 3534 /* Call update without calling setup beforehand. */ 3535 TEST_EQUAL(psa_mac_update(&operation, input, sizeof(input)), 3536 PSA_ERROR_BAD_STATE); 3537 PSA_ASSERT(psa_mac_abort(&operation)); 3538 3539 /* Call sign finish without calling setup beforehand. */ 3540 TEST_EQUAL(psa_mac_sign_finish(&operation, sign_mac, sizeof(sign_mac), 3541 &sign_mac_length), 3542 PSA_ERROR_BAD_STATE); 3543 PSA_ASSERT(psa_mac_abort(&operation)); 3544 3545 /* Call verify finish without calling setup beforehand. */ 3546 TEST_EQUAL(psa_mac_verify_finish(&operation, 3547 verify_mac, sizeof(verify_mac)), 3548 PSA_ERROR_BAD_STATE); 3549 PSA_ASSERT(psa_mac_abort(&operation)); 3550 3551 /* Call setup twice in a row. */ 3552 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg)); 3553 ASSERT_OPERATION_IS_ACTIVE(operation); 3554 TEST_EQUAL(psa_mac_sign_setup(&operation, key, alg), 3555 PSA_ERROR_BAD_STATE); 3556 ASSERT_OPERATION_IS_INACTIVE(operation); 3557 PSA_ASSERT(psa_mac_abort(&operation)); 3558 ASSERT_OPERATION_IS_INACTIVE(operation); 3559 3560 /* Call update after sign finish. */ 3561 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg)); 3562 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input))); 3563 PSA_ASSERT(psa_mac_sign_finish(&operation, 3564 sign_mac, sizeof(sign_mac), 3565 &sign_mac_length)); 3566 TEST_EQUAL(psa_mac_update(&operation, input, sizeof(input)), 3567 PSA_ERROR_BAD_STATE); 3568 PSA_ASSERT(psa_mac_abort(&operation)); 3569 3570 /* Call update after verify finish. */ 3571 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg)); 3572 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input))); 3573 PSA_ASSERT(psa_mac_verify_finish(&operation, 3574 verify_mac, sizeof(verify_mac))); 3575 TEST_EQUAL(psa_mac_update(&operation, input, sizeof(input)), 3576 PSA_ERROR_BAD_STATE); 3577 PSA_ASSERT(psa_mac_abort(&operation)); 3578 3579 /* Call sign finish twice in a row. */ 3580 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg)); 3581 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input))); 3582 PSA_ASSERT(psa_mac_sign_finish(&operation, 3583 sign_mac, sizeof(sign_mac), 3584 &sign_mac_length)); 3585 TEST_EQUAL(psa_mac_sign_finish(&operation, 3586 sign_mac, sizeof(sign_mac), 3587 &sign_mac_length), 3588 PSA_ERROR_BAD_STATE); 3589 PSA_ASSERT(psa_mac_abort(&operation)); 3590 3591 /* Call verify finish twice in a row. */ 3592 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg)); 3593 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input))); 3594 PSA_ASSERT(psa_mac_verify_finish(&operation, 3595 verify_mac, sizeof(verify_mac))); 3596 TEST_EQUAL(psa_mac_verify_finish(&operation, 3597 verify_mac, sizeof(verify_mac)), 3598 PSA_ERROR_BAD_STATE); 3599 PSA_ASSERT(psa_mac_abort(&operation)); 3600 3601 /* Setup sign but try verify. */ 3602 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg)); 3603 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input))); 3604 ASSERT_OPERATION_IS_ACTIVE(operation); 3605 TEST_EQUAL(psa_mac_verify_finish(&operation, 3606 verify_mac, sizeof(verify_mac)), 3607 PSA_ERROR_BAD_STATE); 3608 ASSERT_OPERATION_IS_INACTIVE(operation); 3609 PSA_ASSERT(psa_mac_abort(&operation)); 3610 ASSERT_OPERATION_IS_INACTIVE(operation); 3611 3612 /* Setup verify but try sign. */ 3613 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg)); 3614 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input))); 3615 ASSERT_OPERATION_IS_ACTIVE(operation); 3616 TEST_EQUAL(psa_mac_sign_finish(&operation, 3617 sign_mac, sizeof(sign_mac), 3618 &sign_mac_length), 3619 PSA_ERROR_BAD_STATE); 3620 ASSERT_OPERATION_IS_INACTIVE(operation); 3621 PSA_ASSERT(psa_mac_abort(&operation)); 3622 ASSERT_OPERATION_IS_INACTIVE(operation); 3623 3624 PSA_ASSERT(psa_destroy_key(key)); 3625 3626exit: 3627 PSA_DONE(); 3628} 3629/* END_CASE */ 3630 3631/* BEGIN_CASE */ 3632void mac_sign_verify_multi(int key_type_arg, 3633 data_t *key_data, 3634 int alg_arg, 3635 data_t *input, 3636 int is_verify, 3637 data_t *expected_mac) 3638{ 3639 size_t data_part_len = 0; 3640 3641 for (data_part_len = 1; data_part_len <= input->len; data_part_len++) { 3642 /* Split data into length(data_part_len) parts. */ 3643 mbedtls_test_set_step(2000 + data_part_len); 3644 3645 if (mac_multipart_internal_func(key_type_arg, key_data, 3646 alg_arg, 3647 input, data_part_len, 3648 expected_mac, 3649 is_verify, 0) == 0) { 3650 break; 3651 } 3652 3653 /* length(0) part, length(data_part_len) part, length(0) part... */ 3654 mbedtls_test_set_step(3000 + data_part_len); 3655 3656 if (mac_multipart_internal_func(key_type_arg, key_data, 3657 alg_arg, 3658 input, data_part_len, 3659 expected_mac, 3660 is_verify, 1) == 0) { 3661 break; 3662 } 3663 } 3664 3665 /* Goto is required to silence warnings about unused labels, as we 3666 * don't actually do any test assertions in this function. */ 3667 goto exit; 3668} 3669/* END_CASE */ 3670 3671/* BEGIN_CASE */ 3672void mac_sign(int key_type_arg, 3673 data_t *key_data, 3674 int alg_arg, 3675 data_t *input, 3676 data_t *expected_mac) 3677{ 3678 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3679 psa_key_type_t key_type = key_type_arg; 3680 psa_algorithm_t alg = alg_arg; 3681 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 3682 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3683 uint8_t *actual_mac = NULL; 3684 size_t mac_buffer_size = 3685 PSA_MAC_LENGTH(key_type, PSA_BYTES_TO_BITS(key_data->len), alg); 3686 size_t mac_length = 0; 3687 const size_t output_sizes_to_test[] = { 3688 0, 3689 1, 3690 expected_mac->len - 1, 3691 expected_mac->len, 3692 expected_mac->len + 1, 3693 }; 3694 3695 TEST_LE_U(mac_buffer_size, PSA_MAC_MAX_SIZE); 3696 /* We expect PSA_MAC_LENGTH to be exact. */ 3697 TEST_ASSERT(expected_mac->len == mac_buffer_size); 3698 3699 PSA_ASSERT(psa_crypto_init()); 3700 3701 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 3702 psa_set_key_algorithm(&attributes, alg); 3703 psa_set_key_type(&attributes, key_type); 3704 3705 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 3706 &key)); 3707 3708 for (size_t i = 0; i < ARRAY_LENGTH(output_sizes_to_test); i++) { 3709 const size_t output_size = output_sizes_to_test[i]; 3710 psa_status_t expected_status = 3711 (output_size >= expected_mac->len ? PSA_SUCCESS : 3712 PSA_ERROR_BUFFER_TOO_SMALL); 3713 3714 mbedtls_test_set_step(output_size); 3715 TEST_CALLOC(actual_mac, output_size); 3716 3717 /* Calculate the MAC, one-shot case. */ 3718 TEST_EQUAL(psa_mac_compute(key, alg, 3719 input->x, input->len, 3720 actual_mac, output_size, &mac_length), 3721 expected_status); 3722 if (expected_status == PSA_SUCCESS) { 3723 TEST_MEMORY_COMPARE(expected_mac->x, expected_mac->len, 3724 actual_mac, mac_length); 3725 } 3726 3727 if (output_size > 0) { 3728 memset(actual_mac, 0, output_size); 3729 } 3730 3731 /* Calculate the MAC, multi-part case. */ 3732 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg)); 3733 PSA_ASSERT(psa_mac_update(&operation, 3734 input->x, input->len)); 3735 TEST_EQUAL(psa_mac_sign_finish(&operation, 3736 actual_mac, output_size, 3737 &mac_length), 3738 expected_status); 3739 PSA_ASSERT(psa_mac_abort(&operation)); 3740 3741 if (expected_status == PSA_SUCCESS) { 3742 TEST_MEMORY_COMPARE(expected_mac->x, expected_mac->len, 3743 actual_mac, mac_length); 3744 } 3745 mbedtls_free(actual_mac); 3746 actual_mac = NULL; 3747 } 3748 3749exit: 3750 psa_mac_abort(&operation); 3751 psa_destroy_key(key); 3752 PSA_DONE(); 3753 mbedtls_free(actual_mac); 3754} 3755/* END_CASE */ 3756 3757/* BEGIN_CASE */ 3758void mac_verify(int key_type_arg, 3759 data_t *key_data, 3760 int alg_arg, 3761 data_t *input, 3762 data_t *expected_mac) 3763{ 3764 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3765 psa_key_type_t key_type = key_type_arg; 3766 psa_algorithm_t alg = alg_arg; 3767 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 3768 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3769 uint8_t *perturbed_mac = NULL; 3770 3771 TEST_LE_U(expected_mac->len, PSA_MAC_MAX_SIZE); 3772 3773 PSA_ASSERT(psa_crypto_init()); 3774 3775 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 3776 psa_set_key_algorithm(&attributes, alg); 3777 psa_set_key_type(&attributes, key_type); 3778 3779 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 3780 &key)); 3781 3782 /* Verify correct MAC, one-shot case. */ 3783 PSA_ASSERT(psa_mac_verify(key, alg, input->x, input->len, 3784 expected_mac->x, expected_mac->len)); 3785 3786 /* Verify correct MAC, multi-part case. */ 3787 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg)); 3788 PSA_ASSERT(psa_mac_update(&operation, 3789 input->x, input->len)); 3790 PSA_ASSERT(psa_mac_verify_finish(&operation, 3791 expected_mac->x, 3792 expected_mac->len)); 3793 3794 /* Test a MAC that's too short, one-shot case. */ 3795 TEST_EQUAL(psa_mac_verify(key, alg, 3796 input->x, input->len, 3797 expected_mac->x, 3798 expected_mac->len - 1), 3799 PSA_ERROR_INVALID_SIGNATURE); 3800 3801 /* Test a MAC that's too short, multi-part case. */ 3802 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg)); 3803 PSA_ASSERT(psa_mac_update(&operation, 3804 input->x, input->len)); 3805 TEST_EQUAL(psa_mac_verify_finish(&operation, 3806 expected_mac->x, 3807 expected_mac->len - 1), 3808 PSA_ERROR_INVALID_SIGNATURE); 3809 3810 /* Test a MAC that's too long, one-shot case. */ 3811 TEST_CALLOC(perturbed_mac, expected_mac->len + 1); 3812 memcpy(perturbed_mac, expected_mac->x, expected_mac->len); 3813 TEST_EQUAL(psa_mac_verify(key, alg, 3814 input->x, input->len, 3815 perturbed_mac, expected_mac->len + 1), 3816 PSA_ERROR_INVALID_SIGNATURE); 3817 3818 /* Test a MAC that's too long, multi-part case. */ 3819 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg)); 3820 PSA_ASSERT(psa_mac_update(&operation, 3821 input->x, input->len)); 3822 TEST_EQUAL(psa_mac_verify_finish(&operation, 3823 perturbed_mac, 3824 expected_mac->len + 1), 3825 PSA_ERROR_INVALID_SIGNATURE); 3826 3827 /* Test changing one byte. */ 3828 for (size_t i = 0; i < expected_mac->len; i++) { 3829 mbedtls_test_set_step(i); 3830 perturbed_mac[i] ^= 1; 3831 3832 TEST_EQUAL(psa_mac_verify(key, alg, 3833 input->x, input->len, 3834 perturbed_mac, expected_mac->len), 3835 PSA_ERROR_INVALID_SIGNATURE); 3836 3837 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg)); 3838 PSA_ASSERT(psa_mac_update(&operation, 3839 input->x, input->len)); 3840 TEST_EQUAL(psa_mac_verify_finish(&operation, 3841 perturbed_mac, 3842 expected_mac->len), 3843 PSA_ERROR_INVALID_SIGNATURE); 3844 perturbed_mac[i] ^= 1; 3845 } 3846 3847exit: 3848 psa_mac_abort(&operation); 3849 psa_destroy_key(key); 3850 PSA_DONE(); 3851 mbedtls_free(perturbed_mac); 3852} 3853/* END_CASE */ 3854 3855/* BEGIN_CASE */ 3856void cipher_operation_init() 3857{ 3858 const uint8_t input[1] = { 0 }; 3859 unsigned char output[1] = { 0 }; 3860 size_t output_length; 3861 /* Test each valid way of initializing the object, except for `= {0}`, as 3862 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 3863 * though it's OK by the C standard. We could test for this, but we'd need 3864 * to suppress the Clang warning for the test. */ 3865 psa_cipher_operation_t func = psa_cipher_operation_init(); 3866 psa_cipher_operation_t init = PSA_CIPHER_OPERATION_INIT; 3867 psa_cipher_operation_t zero; 3868 3869 memset(&zero, 0, sizeof(zero)); 3870 3871 /* A freshly-initialized cipher operation should not be usable. */ 3872 TEST_EQUAL(psa_cipher_update(&func, 3873 input, sizeof(input), 3874 output, sizeof(output), 3875 &output_length), 3876 PSA_ERROR_BAD_STATE); 3877 TEST_EQUAL(psa_cipher_update(&init, 3878 input, sizeof(input), 3879 output, sizeof(output), 3880 &output_length), 3881 PSA_ERROR_BAD_STATE); 3882 TEST_EQUAL(psa_cipher_update(&zero, 3883 input, sizeof(input), 3884 output, sizeof(output), 3885 &output_length), 3886 PSA_ERROR_BAD_STATE); 3887 3888 /* A default cipher operation should be abortable without error. */ 3889 PSA_ASSERT(psa_cipher_abort(&func)); 3890 PSA_ASSERT(psa_cipher_abort(&init)); 3891 PSA_ASSERT(psa_cipher_abort(&zero)); 3892} 3893/* END_CASE */ 3894 3895/* BEGIN_CASE */ 3896void cipher_setup(int key_type_arg, 3897 data_t *key, 3898 int alg_arg, 3899 int expected_status_arg) 3900{ 3901 psa_key_type_t key_type = key_type_arg; 3902 psa_algorithm_t alg = alg_arg; 3903 psa_status_t expected_status = expected_status_arg; 3904 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 3905 psa_status_t status; 3906#if defined(KNOWN_SUPPORTED_CIPHER_ALG) 3907 const uint8_t smoke_test_key_data[16] = "kkkkkkkkkkkkkkkk"; 3908#endif 3909 3910 PSA_ASSERT(psa_crypto_init()); 3911 3912 if (!exercise_cipher_setup(key_type, key->x, key->len, alg, 3913 &operation, &status)) { 3914 goto exit; 3915 } 3916 TEST_EQUAL(status, expected_status); 3917 3918 /* The operation object should be reusable. */ 3919#if defined(KNOWN_SUPPORTED_CIPHER_ALG) 3920 if (!exercise_cipher_setup(KNOWN_SUPPORTED_CIPHER_KEY_TYPE, 3921 smoke_test_key_data, 3922 sizeof(smoke_test_key_data), 3923 KNOWN_SUPPORTED_CIPHER_ALG, 3924 &operation, &status)) { 3925 goto exit; 3926 } 3927 TEST_EQUAL(status, PSA_SUCCESS); 3928#endif 3929 3930exit: 3931 psa_cipher_abort(&operation); 3932 PSA_DONE(); 3933} 3934/* END_CASE */ 3935 3936/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_PKCS7 */ 3937void cipher_bad_order() 3938{ 3939 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3940 psa_key_type_t key_type = PSA_KEY_TYPE_AES; 3941 psa_algorithm_t alg = PSA_ALG_CBC_PKCS7; 3942 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3943 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 3944 unsigned char iv[PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES)] = { 0 }; 3945 const uint8_t key_data[] = { 3946 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 3947 0xaa, 0xaa, 0xaa, 0xaa 3948 }; 3949 const uint8_t text[] = { 3950 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 3951 0xbb, 0xbb, 0xbb, 0xbb 3952 }; 3953 uint8_t buffer[PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES)] = { 0 }; 3954 size_t length = 0; 3955 3956 PSA_ASSERT(psa_crypto_init()); 3957 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 3958 psa_set_key_algorithm(&attributes, alg); 3959 psa_set_key_type(&attributes, key_type); 3960 PSA_ASSERT(psa_import_key(&attributes, key_data, sizeof(key_data), 3961 &key)); 3962 3963 /* Call encrypt setup twice in a row. */ 3964 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 3965 ASSERT_OPERATION_IS_ACTIVE(operation); 3966 TEST_EQUAL(psa_cipher_encrypt_setup(&operation, key, alg), 3967 PSA_ERROR_BAD_STATE); 3968 ASSERT_OPERATION_IS_INACTIVE(operation); 3969 PSA_ASSERT(psa_cipher_abort(&operation)); 3970 ASSERT_OPERATION_IS_INACTIVE(operation); 3971 3972 /* Call decrypt setup twice in a row. */ 3973 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg)); 3974 ASSERT_OPERATION_IS_ACTIVE(operation); 3975 TEST_EQUAL(psa_cipher_decrypt_setup(&operation, key, alg), 3976 PSA_ERROR_BAD_STATE); 3977 ASSERT_OPERATION_IS_INACTIVE(operation); 3978 PSA_ASSERT(psa_cipher_abort(&operation)); 3979 ASSERT_OPERATION_IS_INACTIVE(operation); 3980 3981 /* Generate an IV without calling setup beforehand. */ 3982 TEST_EQUAL(psa_cipher_generate_iv(&operation, 3983 buffer, sizeof(buffer), 3984 &length), 3985 PSA_ERROR_BAD_STATE); 3986 PSA_ASSERT(psa_cipher_abort(&operation)); 3987 3988 /* Generate an IV twice in a row. */ 3989 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 3990 PSA_ASSERT(psa_cipher_generate_iv(&operation, 3991 buffer, sizeof(buffer), 3992 &length)); 3993 ASSERT_OPERATION_IS_ACTIVE(operation); 3994 TEST_EQUAL(psa_cipher_generate_iv(&operation, 3995 buffer, sizeof(buffer), 3996 &length), 3997 PSA_ERROR_BAD_STATE); 3998 ASSERT_OPERATION_IS_INACTIVE(operation); 3999 PSA_ASSERT(psa_cipher_abort(&operation)); 4000 ASSERT_OPERATION_IS_INACTIVE(operation); 4001 4002 /* Generate an IV after it's already set. */ 4003 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4004 PSA_ASSERT(psa_cipher_set_iv(&operation, 4005 iv, sizeof(iv))); 4006 TEST_EQUAL(psa_cipher_generate_iv(&operation, 4007 buffer, sizeof(buffer), 4008 &length), 4009 PSA_ERROR_BAD_STATE); 4010 PSA_ASSERT(psa_cipher_abort(&operation)); 4011 4012 /* Set an IV without calling setup beforehand. */ 4013 TEST_EQUAL(psa_cipher_set_iv(&operation, 4014 iv, sizeof(iv)), 4015 PSA_ERROR_BAD_STATE); 4016 PSA_ASSERT(psa_cipher_abort(&operation)); 4017 4018 /* Set an IV after it's already set. */ 4019 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4020 PSA_ASSERT(psa_cipher_set_iv(&operation, 4021 iv, sizeof(iv))); 4022 ASSERT_OPERATION_IS_ACTIVE(operation); 4023 TEST_EQUAL(psa_cipher_set_iv(&operation, 4024 iv, sizeof(iv)), 4025 PSA_ERROR_BAD_STATE); 4026 ASSERT_OPERATION_IS_INACTIVE(operation); 4027 PSA_ASSERT(psa_cipher_abort(&operation)); 4028 ASSERT_OPERATION_IS_INACTIVE(operation); 4029 4030 /* Set an IV after it's already generated. */ 4031 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4032 PSA_ASSERT(psa_cipher_generate_iv(&operation, 4033 buffer, sizeof(buffer), 4034 &length)); 4035 TEST_EQUAL(psa_cipher_set_iv(&operation, 4036 iv, sizeof(iv)), 4037 PSA_ERROR_BAD_STATE); 4038 PSA_ASSERT(psa_cipher_abort(&operation)); 4039 4040 /* Call update without calling setup beforehand. */ 4041 TEST_EQUAL(psa_cipher_update(&operation, 4042 text, sizeof(text), 4043 buffer, sizeof(buffer), 4044 &length), 4045 PSA_ERROR_BAD_STATE); 4046 PSA_ASSERT(psa_cipher_abort(&operation)); 4047 4048 /* Call update without an IV where an IV is required. */ 4049 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4050 ASSERT_OPERATION_IS_ACTIVE(operation); 4051 TEST_EQUAL(psa_cipher_update(&operation, 4052 text, sizeof(text), 4053 buffer, sizeof(buffer), 4054 &length), 4055 PSA_ERROR_BAD_STATE); 4056 ASSERT_OPERATION_IS_INACTIVE(operation); 4057 PSA_ASSERT(psa_cipher_abort(&operation)); 4058 ASSERT_OPERATION_IS_INACTIVE(operation); 4059 4060 /* Call update after finish. */ 4061 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4062 PSA_ASSERT(psa_cipher_set_iv(&operation, 4063 iv, sizeof(iv))); 4064 PSA_ASSERT(psa_cipher_finish(&operation, 4065 buffer, sizeof(buffer), &length)); 4066 TEST_EQUAL(psa_cipher_update(&operation, 4067 text, sizeof(text), 4068 buffer, sizeof(buffer), 4069 &length), 4070 PSA_ERROR_BAD_STATE); 4071 PSA_ASSERT(psa_cipher_abort(&operation)); 4072 4073 /* Call finish without calling setup beforehand. */ 4074 TEST_EQUAL(psa_cipher_finish(&operation, 4075 buffer, sizeof(buffer), &length), 4076 PSA_ERROR_BAD_STATE); 4077 PSA_ASSERT(psa_cipher_abort(&operation)); 4078 4079 /* Call finish without an IV where an IV is required. */ 4080 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4081 /* Not calling update means we are encrypting an empty buffer, which is OK 4082 * for cipher modes with padding. */ 4083 ASSERT_OPERATION_IS_ACTIVE(operation); 4084 TEST_EQUAL(psa_cipher_finish(&operation, 4085 buffer, sizeof(buffer), &length), 4086 PSA_ERROR_BAD_STATE); 4087 ASSERT_OPERATION_IS_INACTIVE(operation); 4088 PSA_ASSERT(psa_cipher_abort(&operation)); 4089 ASSERT_OPERATION_IS_INACTIVE(operation); 4090 4091 /* Call finish twice in a row. */ 4092 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4093 PSA_ASSERT(psa_cipher_set_iv(&operation, 4094 iv, sizeof(iv))); 4095 PSA_ASSERT(psa_cipher_finish(&operation, 4096 buffer, sizeof(buffer), &length)); 4097 TEST_EQUAL(psa_cipher_finish(&operation, 4098 buffer, sizeof(buffer), &length), 4099 PSA_ERROR_BAD_STATE); 4100 PSA_ASSERT(psa_cipher_abort(&operation)); 4101 4102 PSA_ASSERT(psa_destroy_key(key)); 4103 4104exit: 4105 psa_cipher_abort(&operation); 4106 PSA_DONE(); 4107} 4108/* END_CASE */ 4109 4110/* BEGIN_CASE */ 4111void cipher_encrypt_fail(int alg_arg, 4112 int key_type_arg, 4113 data_t *key_data, 4114 data_t *input, 4115 int expected_status_arg) 4116{ 4117 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4118 psa_status_t status; 4119 psa_key_type_t key_type = key_type_arg; 4120 psa_algorithm_t alg = alg_arg; 4121 psa_status_t expected_status = expected_status_arg; 4122 unsigned char iv[PSA_CIPHER_IV_MAX_SIZE] = { 0 }; 4123 size_t iv_size = PSA_CIPHER_IV_MAX_SIZE; 4124 size_t iv_length = 0; 4125 unsigned char *output = NULL; 4126 size_t output_buffer_size = 0; 4127 size_t output_length = 0; 4128 size_t function_output_length; 4129 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 4130 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4131 4132 if (PSA_ERROR_BAD_STATE != expected_status) { 4133 PSA_ASSERT(psa_crypto_init()); 4134 4135 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 4136 psa_set_key_algorithm(&attributes, alg); 4137 psa_set_key_type(&attributes, key_type); 4138 4139 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, 4140 input->len); 4141 TEST_CALLOC(output, output_buffer_size); 4142 4143 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4144 &key)); 4145 } 4146 4147 /* Encrypt, one-shot */ 4148 status = psa_cipher_encrypt(key, alg, input->x, input->len, output, 4149 output_buffer_size, &output_length); 4150 4151 TEST_EQUAL(status, expected_status); 4152 4153 /* Encrypt, multi-part */ 4154 status = psa_cipher_encrypt_setup(&operation, key, alg); 4155 if (status == PSA_SUCCESS) { 4156 if (alg != PSA_ALG_ECB_NO_PADDING) { 4157 PSA_ASSERT(psa_cipher_generate_iv(&operation, 4158 iv, iv_size, 4159 &iv_length)); 4160 } 4161 4162 status = psa_cipher_update(&operation, input->x, input->len, 4163 output, output_buffer_size, 4164 &function_output_length); 4165 if (status == PSA_SUCCESS) { 4166 output_length += function_output_length; 4167 4168 status = psa_cipher_finish(&operation, output + output_length, 4169 output_buffer_size - output_length, 4170 &function_output_length); 4171 4172 TEST_EQUAL(status, expected_status); 4173 } else { 4174 TEST_EQUAL(status, expected_status); 4175 } 4176 } else { 4177 TEST_EQUAL(status, expected_status); 4178 } 4179 4180exit: 4181 psa_cipher_abort(&operation); 4182 mbedtls_free(output); 4183 psa_destroy_key(key); 4184 PSA_DONE(); 4185} 4186/* END_CASE */ 4187 4188/* BEGIN_CASE */ 4189void cipher_encrypt_validate_iv_length(int alg, int key_type, data_t *key_data, 4190 data_t *input, int iv_length, 4191 int expected_result) 4192{ 4193 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4194 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 4195 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4196 size_t output_buffer_size = 0; 4197 unsigned char *output = NULL; 4198 4199 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len); 4200 TEST_CALLOC(output, output_buffer_size); 4201 4202 PSA_ASSERT(psa_crypto_init()); 4203 4204 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 4205 psa_set_key_algorithm(&attributes, alg); 4206 psa_set_key_type(&attributes, key_type); 4207 4208 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4209 &key)); 4210 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4211 TEST_EQUAL(expected_result, psa_cipher_set_iv(&operation, output, 4212 iv_length)); 4213 4214exit: 4215 psa_cipher_abort(&operation); 4216 mbedtls_free(output); 4217 psa_destroy_key(key); 4218 PSA_DONE(); 4219} 4220/* END_CASE */ 4221 4222/* BEGIN_CASE */ 4223void cipher_alg_without_iv(int alg_arg, int key_type_arg, data_t *key_data, 4224 data_t *plaintext, data_t *ciphertext) 4225{ 4226 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4227 psa_key_type_t key_type = key_type_arg; 4228 psa_algorithm_t alg = alg_arg; 4229 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 4230 uint8_t iv[1] = { 0x5a }; 4231 unsigned char *output = NULL; 4232 size_t output_buffer_size = 0; 4233 size_t output_length, length; 4234 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4235 4236 PSA_ASSERT(psa_crypto_init()); 4237 4238 /* Validate size macros */ 4239 TEST_LE_U(ciphertext->len, 4240 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext->len)); 4241 TEST_LE_U(PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext->len), 4242 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(plaintext->len)); 4243 TEST_LE_U(plaintext->len, 4244 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext->len)); 4245 TEST_LE_U(PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext->len), 4246 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(ciphertext->len)); 4247 4248 4249 /* Set up key and output buffer */ 4250 psa_set_key_usage_flags(&attributes, 4251 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 4252 psa_set_key_algorithm(&attributes, alg); 4253 psa_set_key_type(&attributes, key_type); 4254 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4255 &key)); 4256 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, 4257 plaintext->len); 4258 TEST_CALLOC(output, output_buffer_size); 4259 4260 /* set_iv() is not allowed */ 4261 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4262 TEST_EQUAL(psa_cipher_set_iv(&operation, iv, sizeof(iv)), 4263 PSA_ERROR_BAD_STATE); 4264 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg)); 4265 TEST_EQUAL(psa_cipher_set_iv(&operation, iv, sizeof(iv)), 4266 PSA_ERROR_BAD_STATE); 4267 4268 /* generate_iv() is not allowed */ 4269 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4270 TEST_EQUAL(psa_cipher_generate_iv(&operation, iv, sizeof(iv), 4271 &length), 4272 PSA_ERROR_BAD_STATE); 4273 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg)); 4274 TEST_EQUAL(psa_cipher_generate_iv(&operation, iv, sizeof(iv), 4275 &length), 4276 PSA_ERROR_BAD_STATE); 4277 4278 /* Multipart encryption */ 4279 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4280 output_length = 0; 4281 length = ~0; 4282 PSA_ASSERT(psa_cipher_update(&operation, 4283 plaintext->x, plaintext->len, 4284 output, output_buffer_size, 4285 &length)); 4286 TEST_LE_U(length, output_buffer_size); 4287 output_length += length; 4288 PSA_ASSERT(psa_cipher_finish(&operation, 4289 mbedtls_buffer_offset(output, output_length), 4290 output_buffer_size - output_length, 4291 &length)); 4292 output_length += length; 4293 TEST_MEMORY_COMPARE(ciphertext->x, ciphertext->len, 4294 output, output_length); 4295 4296 /* Multipart encryption */ 4297 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg)); 4298 output_length = 0; 4299 length = ~0; 4300 PSA_ASSERT(psa_cipher_update(&operation, 4301 ciphertext->x, ciphertext->len, 4302 output, output_buffer_size, 4303 &length)); 4304 TEST_LE_U(length, output_buffer_size); 4305 output_length += length; 4306 PSA_ASSERT(psa_cipher_finish(&operation, 4307 mbedtls_buffer_offset(output, output_length), 4308 output_buffer_size - output_length, 4309 &length)); 4310 output_length += length; 4311 TEST_MEMORY_COMPARE(plaintext->x, plaintext->len, 4312 output, output_length); 4313 4314 /* One-shot encryption */ 4315 output_length = ~0; 4316 PSA_ASSERT(psa_cipher_encrypt(key, alg, plaintext->x, plaintext->len, 4317 output, output_buffer_size, 4318 &output_length)); 4319 TEST_MEMORY_COMPARE(ciphertext->x, ciphertext->len, 4320 output, output_length); 4321 4322 /* One-shot decryption */ 4323 output_length = ~0; 4324 PSA_ASSERT(psa_cipher_decrypt(key, alg, ciphertext->x, ciphertext->len, 4325 output, output_buffer_size, 4326 &output_length)); 4327 TEST_MEMORY_COMPARE(plaintext->x, plaintext->len, 4328 output, output_length); 4329 4330exit: 4331 PSA_ASSERT(psa_cipher_abort(&operation)); 4332 mbedtls_free(output); 4333 psa_cipher_abort(&operation); 4334 psa_destroy_key(key); 4335 PSA_DONE(); 4336} 4337/* END_CASE */ 4338 4339/* BEGIN_CASE */ 4340void cipher_bad_key(int alg_arg, int key_type_arg, data_t *key_data) 4341{ 4342 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4343 psa_algorithm_t alg = alg_arg; 4344 psa_key_type_t key_type = key_type_arg; 4345 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4346 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 4347 psa_status_t status; 4348 4349 PSA_ASSERT(psa_crypto_init()); 4350 4351 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 4352 psa_set_key_algorithm(&attributes, alg); 4353 psa_set_key_type(&attributes, key_type); 4354 4355 /* Usage of either of these two size macros would cause divide by zero 4356 * with incorrect key types previously. Input length should be irrelevant 4357 * here. */ 4358 TEST_EQUAL(PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, 16), 4359 0); 4360 TEST_EQUAL(PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, 16), 0); 4361 4362 4363 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4364 &key)); 4365 4366 /* Should fail due to invalid alg type (to support invalid key type). 4367 * Encrypt or decrypt will end up in the same place. */ 4368 status = psa_cipher_encrypt_setup(&operation, key, alg); 4369 4370 TEST_EQUAL(status, PSA_ERROR_INVALID_ARGUMENT); 4371 4372exit: 4373 psa_cipher_abort(&operation); 4374 psa_destroy_key(key); 4375 PSA_DONE(); 4376} 4377/* END_CASE */ 4378 4379/* BEGIN_CASE */ 4380void cipher_encrypt_validation(int alg_arg, 4381 int key_type_arg, 4382 data_t *key_data, 4383 data_t *input) 4384{ 4385 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4386 psa_key_type_t key_type = key_type_arg; 4387 psa_algorithm_t alg = alg_arg; 4388 size_t iv_size = PSA_CIPHER_IV_LENGTH(key_type, alg); 4389 unsigned char *output1 = NULL; 4390 size_t output1_buffer_size = 0; 4391 size_t output1_length = 0; 4392 unsigned char *output2 = NULL; 4393 size_t output2_buffer_size = 0; 4394 size_t output2_length = 0; 4395 size_t function_output_length = 0; 4396 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 4397 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4398 4399 PSA_ASSERT(psa_crypto_init()); 4400 4401 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 4402 psa_set_key_algorithm(&attributes, alg); 4403 psa_set_key_type(&attributes, key_type); 4404 4405 output1_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len); 4406 output2_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len) + 4407 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg); 4408 TEST_CALLOC(output1, output1_buffer_size); 4409 TEST_CALLOC(output2, output2_buffer_size); 4410 4411 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4412 &key)); 4413 4414 /* The one-shot cipher encryption uses generated iv so validating 4415 the output is not possible. Validating with multipart encryption. */ 4416 PSA_ASSERT(psa_cipher_encrypt(key, alg, input->x, input->len, output1, 4417 output1_buffer_size, &output1_length)); 4418 TEST_LE_U(output1_length, 4419 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len)); 4420 TEST_LE_U(output1_length, 4421 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input->len)); 4422 4423 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4424 PSA_ASSERT(psa_cipher_set_iv(&operation, output1, iv_size)); 4425 4426 PSA_ASSERT(psa_cipher_update(&operation, 4427 input->x, input->len, 4428 output2, output2_buffer_size, 4429 &function_output_length)); 4430 TEST_LE_U(function_output_length, 4431 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len)); 4432 TEST_LE_U(function_output_length, 4433 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len)); 4434 output2_length += function_output_length; 4435 4436 PSA_ASSERT(psa_cipher_finish(&operation, 4437 output2 + output2_length, 4438 output2_buffer_size - output2_length, 4439 &function_output_length)); 4440 TEST_LE_U(function_output_length, 4441 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg)); 4442 TEST_LE_U(function_output_length, 4443 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE); 4444 output2_length += function_output_length; 4445 4446 PSA_ASSERT(psa_cipher_abort(&operation)); 4447 TEST_MEMORY_COMPARE(output1 + iv_size, output1_length - iv_size, 4448 output2, output2_length); 4449 4450exit: 4451 psa_cipher_abort(&operation); 4452 mbedtls_free(output1); 4453 mbedtls_free(output2); 4454 psa_destroy_key(key); 4455 PSA_DONE(); 4456} 4457/* END_CASE */ 4458 4459/* BEGIN_CASE */ 4460void cipher_encrypt_multipart(int alg_arg, int key_type_arg, 4461 data_t *key_data, data_t *iv, 4462 data_t *input, 4463 int first_part_size_arg, 4464 int output1_length_arg, int output2_length_arg, 4465 data_t *expected_output, 4466 int expected_status_arg) 4467{ 4468 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4469 psa_key_type_t key_type = key_type_arg; 4470 psa_algorithm_t alg = alg_arg; 4471 psa_status_t status; 4472 psa_status_t expected_status = expected_status_arg; 4473 size_t first_part_size = first_part_size_arg; 4474 size_t output1_length = output1_length_arg; 4475 size_t output2_length = output2_length_arg; 4476 unsigned char *output = NULL; 4477 size_t output_buffer_size = 0; 4478 size_t function_output_length = 0; 4479 size_t total_output_length = 0; 4480 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 4481 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4482 4483 PSA_ASSERT(psa_crypto_init()); 4484 4485 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 4486 psa_set_key_algorithm(&attributes, alg); 4487 psa_set_key_type(&attributes, key_type); 4488 4489 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4490 &key)); 4491 4492 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg)); 4493 4494 if (iv->len > 0) { 4495 PSA_ASSERT(psa_cipher_set_iv(&operation, iv->x, iv->len)); 4496 } 4497 4498 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len) + 4499 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg); 4500 TEST_CALLOC(output, output_buffer_size); 4501 4502 TEST_LE_U(first_part_size, input->len); 4503 PSA_ASSERT(psa_cipher_update(&operation, input->x, first_part_size, 4504 output, output_buffer_size, 4505 &function_output_length)); 4506 TEST_ASSERT(function_output_length == output1_length); 4507 TEST_LE_U(function_output_length, 4508 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size)); 4509 TEST_LE_U(function_output_length, 4510 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size)); 4511 total_output_length += function_output_length; 4512 4513 if (first_part_size < input->len) { 4514 PSA_ASSERT(psa_cipher_update(&operation, 4515 input->x + first_part_size, 4516 input->len - first_part_size, 4517 (output_buffer_size == 0 ? NULL : 4518 output + total_output_length), 4519 output_buffer_size - total_output_length, 4520 &function_output_length)); 4521 TEST_ASSERT(function_output_length == output2_length); 4522 TEST_LE_U(function_output_length, 4523 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, 4524 alg, 4525 input->len - first_part_size)); 4526 TEST_LE_U(function_output_length, 4527 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len)); 4528 total_output_length += function_output_length; 4529 } 4530 4531 status = psa_cipher_finish(&operation, 4532 (output_buffer_size == 0 ? NULL : 4533 output + total_output_length), 4534 output_buffer_size - total_output_length, 4535 &function_output_length); 4536 TEST_LE_U(function_output_length, 4537 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg)); 4538 TEST_LE_U(function_output_length, 4539 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE); 4540 total_output_length += function_output_length; 4541 TEST_EQUAL(status, expected_status); 4542 4543 if (expected_status == PSA_SUCCESS) { 4544 PSA_ASSERT(psa_cipher_abort(&operation)); 4545 4546 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len, 4547 output, total_output_length); 4548 } 4549 4550exit: 4551 psa_cipher_abort(&operation); 4552 mbedtls_free(output); 4553 psa_destroy_key(key); 4554 PSA_DONE(); 4555} 4556/* END_CASE */ 4557 4558/* BEGIN_CASE */ 4559void cipher_decrypt_multipart(int alg_arg, int key_type_arg, 4560 data_t *key_data, data_t *iv, 4561 data_t *input, 4562 int first_part_size_arg, 4563 int output1_length_arg, int output2_length_arg, 4564 data_t *expected_output, 4565 int expected_status_arg) 4566{ 4567 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4568 psa_key_type_t key_type = key_type_arg; 4569 psa_algorithm_t alg = alg_arg; 4570 psa_status_t status; 4571 psa_status_t expected_status = expected_status_arg; 4572 size_t first_part_size = first_part_size_arg; 4573 size_t output1_length = output1_length_arg; 4574 size_t output2_length = output2_length_arg; 4575 unsigned char *output = NULL; 4576 size_t output_buffer_size = 0; 4577 size_t function_output_length = 0; 4578 size_t total_output_length = 0; 4579 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 4580 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4581 4582 PSA_ASSERT(psa_crypto_init()); 4583 4584 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 4585 psa_set_key_algorithm(&attributes, alg); 4586 psa_set_key_type(&attributes, key_type); 4587 4588 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4589 &key)); 4590 4591 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg)); 4592 4593 if (iv->len > 0) { 4594 PSA_ASSERT(psa_cipher_set_iv(&operation, iv->x, iv->len)); 4595 } 4596 4597 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len) + 4598 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg); 4599 TEST_CALLOC(output, output_buffer_size); 4600 4601 TEST_LE_U(first_part_size, input->len); 4602 PSA_ASSERT(psa_cipher_update(&operation, 4603 input->x, first_part_size, 4604 output, output_buffer_size, 4605 &function_output_length)); 4606 TEST_ASSERT(function_output_length == output1_length); 4607 TEST_LE_U(function_output_length, 4608 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size)); 4609 TEST_LE_U(function_output_length, 4610 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size)); 4611 total_output_length += function_output_length; 4612 4613 if (first_part_size < input->len) { 4614 PSA_ASSERT(psa_cipher_update(&operation, 4615 input->x + first_part_size, 4616 input->len - first_part_size, 4617 (output_buffer_size == 0 ? NULL : 4618 output + total_output_length), 4619 output_buffer_size - total_output_length, 4620 &function_output_length)); 4621 TEST_ASSERT(function_output_length == output2_length); 4622 TEST_LE_U(function_output_length, 4623 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, 4624 alg, 4625 input->len - first_part_size)); 4626 TEST_LE_U(function_output_length, 4627 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len)); 4628 total_output_length += function_output_length; 4629 } 4630 4631 status = psa_cipher_finish(&operation, 4632 (output_buffer_size == 0 ? NULL : 4633 output + total_output_length), 4634 output_buffer_size - total_output_length, 4635 &function_output_length); 4636 TEST_LE_U(function_output_length, 4637 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg)); 4638 TEST_LE_U(function_output_length, 4639 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE); 4640 total_output_length += function_output_length; 4641 TEST_EQUAL(status, expected_status); 4642 4643 if (expected_status == PSA_SUCCESS) { 4644 PSA_ASSERT(psa_cipher_abort(&operation)); 4645 4646 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len, 4647 output, total_output_length); 4648 } 4649 4650exit: 4651 psa_cipher_abort(&operation); 4652 mbedtls_free(output); 4653 psa_destroy_key(key); 4654 PSA_DONE(); 4655} 4656/* END_CASE */ 4657 4658/* BEGIN_CASE */ 4659void cipher_decrypt_fail(int alg_arg, 4660 int key_type_arg, 4661 data_t *key_data, 4662 data_t *iv, 4663 data_t *input_arg, 4664 int expected_status_arg) 4665{ 4666 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4667 psa_status_t status; 4668 psa_key_type_t key_type = key_type_arg; 4669 psa_algorithm_t alg = alg_arg; 4670 psa_status_t expected_status = expected_status_arg; 4671 unsigned char *input = NULL; 4672 size_t input_buffer_size = 0; 4673 unsigned char *output = NULL; 4674 unsigned char *output_multi = NULL; 4675 size_t output_buffer_size = 0; 4676 size_t output_length = 0; 4677 size_t function_output_length; 4678 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 4679 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4680 4681 if (PSA_ERROR_BAD_STATE != expected_status) { 4682 PSA_ASSERT(psa_crypto_init()); 4683 4684 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 4685 psa_set_key_algorithm(&attributes, alg); 4686 psa_set_key_type(&attributes, key_type); 4687 4688 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4689 &key)); 4690 } 4691 4692 /* Allocate input buffer and copy the iv and the plaintext */ 4693 input_buffer_size = ((size_t) input_arg->len + (size_t) iv->len); 4694 if (input_buffer_size > 0) { 4695 TEST_CALLOC(input, input_buffer_size); 4696 memcpy(input, iv->x, iv->len); 4697 memcpy(input + iv->len, input_arg->x, input_arg->len); 4698 } 4699 4700 output_buffer_size = PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_buffer_size); 4701 TEST_CALLOC(output, output_buffer_size); 4702 4703 /* Decrypt, one-short */ 4704 status = psa_cipher_decrypt(key, alg, input, input_buffer_size, output, 4705 output_buffer_size, &output_length); 4706 TEST_EQUAL(status, expected_status); 4707 4708 /* Decrypt, multi-part */ 4709 status = psa_cipher_decrypt_setup(&operation, key, alg); 4710 if (status == PSA_SUCCESS) { 4711 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, 4712 input_arg->len) + 4713 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg); 4714 TEST_CALLOC(output_multi, output_buffer_size); 4715 4716 if (iv->len > 0) { 4717 status = psa_cipher_set_iv(&operation, iv->x, iv->len); 4718 4719 if (status != PSA_SUCCESS) { 4720 TEST_EQUAL(status, expected_status); 4721 } 4722 } 4723 4724 if (status == PSA_SUCCESS) { 4725 status = psa_cipher_update(&operation, 4726 input_arg->x, input_arg->len, 4727 output_multi, output_buffer_size, 4728 &function_output_length); 4729 if (status == PSA_SUCCESS) { 4730 output_length = function_output_length; 4731 4732 status = psa_cipher_finish(&operation, 4733 output_multi + output_length, 4734 output_buffer_size - output_length, 4735 &function_output_length); 4736 4737 TEST_EQUAL(status, expected_status); 4738 } else { 4739 TEST_EQUAL(status, expected_status); 4740 } 4741 } else { 4742 TEST_EQUAL(status, expected_status); 4743 } 4744 } else { 4745 TEST_EQUAL(status, expected_status); 4746 } 4747 4748exit: 4749 psa_cipher_abort(&operation); 4750 mbedtls_free(input); 4751 mbedtls_free(output); 4752 mbedtls_free(output_multi); 4753 psa_destroy_key(key); 4754 PSA_DONE(); 4755} 4756/* END_CASE */ 4757 4758/* BEGIN_CASE */ 4759void cipher_decrypt(int alg_arg, 4760 int key_type_arg, 4761 data_t *key_data, 4762 data_t *iv, 4763 data_t *input_arg, 4764 data_t *expected_output) 4765{ 4766 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4767 psa_key_type_t key_type = key_type_arg; 4768 psa_algorithm_t alg = alg_arg; 4769 unsigned char *input = NULL; 4770 size_t input_buffer_size = 0; 4771 unsigned char *output = NULL; 4772 size_t output_buffer_size = 0; 4773 size_t output_length = 0; 4774 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4775 4776 PSA_ASSERT(psa_crypto_init()); 4777 4778 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 4779 psa_set_key_algorithm(&attributes, alg); 4780 psa_set_key_type(&attributes, key_type); 4781 4782 /* Allocate input buffer and copy the iv and the plaintext */ 4783 input_buffer_size = ((size_t) input_arg->len + (size_t) iv->len); 4784 if (input_buffer_size > 0) { 4785 TEST_CALLOC(input, input_buffer_size); 4786 memcpy(input, iv->x, iv->len); 4787 memcpy(input + iv->len, input_arg->x, input_arg->len); 4788 } 4789 4790 output_buffer_size = PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_buffer_size); 4791 TEST_CALLOC(output, output_buffer_size); 4792 4793 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4794 &key)); 4795 4796 PSA_ASSERT(psa_cipher_decrypt(key, alg, input, input_buffer_size, output, 4797 output_buffer_size, &output_length)); 4798 TEST_LE_U(output_length, 4799 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_buffer_size)); 4800 TEST_LE_U(output_length, 4801 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(input_buffer_size)); 4802 4803 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len, 4804 output, output_length); 4805exit: 4806 mbedtls_free(input); 4807 mbedtls_free(output); 4808 psa_destroy_key(key); 4809 PSA_DONE(); 4810} 4811/* END_CASE */ 4812 4813/* BEGIN_CASE */ 4814void cipher_verify_output(int alg_arg, 4815 int key_type_arg, 4816 data_t *key_data, 4817 data_t *input) 4818{ 4819 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4820 psa_key_type_t key_type = key_type_arg; 4821 psa_algorithm_t alg = alg_arg; 4822 unsigned char *output1 = NULL; 4823 size_t output1_size = 0; 4824 size_t output1_length = 0; 4825 unsigned char *output2 = NULL; 4826 size_t output2_size = 0; 4827 size_t output2_length = 0; 4828 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4829 4830 PSA_ASSERT(psa_crypto_init()); 4831 4832 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 4833 psa_set_key_algorithm(&attributes, alg); 4834 psa_set_key_type(&attributes, key_type); 4835 4836 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4837 &key)); 4838 output1_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len); 4839 TEST_CALLOC(output1, output1_size); 4840 4841 PSA_ASSERT(psa_cipher_encrypt(key, alg, input->x, input->len, 4842 output1, output1_size, 4843 &output1_length)); 4844 TEST_LE_U(output1_length, 4845 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len)); 4846 TEST_LE_U(output1_length, 4847 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input->len)); 4848 4849 output2_size = output1_length; 4850 TEST_CALLOC(output2, output2_size); 4851 4852 PSA_ASSERT(psa_cipher_decrypt(key, alg, output1, output1_length, 4853 output2, output2_size, 4854 &output2_length)); 4855 TEST_LE_U(output2_length, 4856 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, output1_length)); 4857 TEST_LE_U(output2_length, 4858 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(output1_length)); 4859 4860 TEST_MEMORY_COMPARE(input->x, input->len, output2, output2_length); 4861 4862exit: 4863 mbedtls_free(output1); 4864 mbedtls_free(output2); 4865 psa_destroy_key(key); 4866 PSA_DONE(); 4867} 4868/* END_CASE */ 4869 4870/* BEGIN_CASE */ 4871void cipher_verify_output_multipart(int alg_arg, 4872 int key_type_arg, 4873 data_t *key_data, 4874 data_t *input, 4875 int first_part_size_arg) 4876{ 4877 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4878 psa_key_type_t key_type = key_type_arg; 4879 psa_algorithm_t alg = alg_arg; 4880 size_t first_part_size = first_part_size_arg; 4881 unsigned char iv[16] = { 0 }; 4882 size_t iv_size = 16; 4883 size_t iv_length = 0; 4884 unsigned char *output1 = NULL; 4885 size_t output1_buffer_size = 0; 4886 size_t output1_length = 0; 4887 unsigned char *output2 = NULL; 4888 size_t output2_buffer_size = 0; 4889 size_t output2_length = 0; 4890 size_t function_output_length; 4891 psa_cipher_operation_t operation1 = PSA_CIPHER_OPERATION_INIT; 4892 psa_cipher_operation_t operation2 = PSA_CIPHER_OPERATION_INIT; 4893 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4894 4895 PSA_ASSERT(psa_crypto_init()); 4896 4897 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 4898 psa_set_key_algorithm(&attributes, alg); 4899 psa_set_key_type(&attributes, key_type); 4900 4901 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 4902 &key)); 4903 4904 PSA_ASSERT(psa_cipher_encrypt_setup(&operation1, key, alg)); 4905 PSA_ASSERT(psa_cipher_decrypt_setup(&operation2, key, alg)); 4906 4907 if (alg != PSA_ALG_ECB_NO_PADDING) { 4908 PSA_ASSERT(psa_cipher_generate_iv(&operation1, 4909 iv, iv_size, 4910 &iv_length)); 4911 } 4912 4913 output1_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len); 4914 TEST_LE_U(output1_buffer_size, 4915 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input->len)); 4916 TEST_CALLOC(output1, output1_buffer_size); 4917 4918 TEST_LE_U(first_part_size, input->len); 4919 4920 PSA_ASSERT(psa_cipher_update(&operation1, input->x, first_part_size, 4921 output1, output1_buffer_size, 4922 &function_output_length)); 4923 TEST_LE_U(function_output_length, 4924 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size)); 4925 TEST_LE_U(function_output_length, 4926 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size)); 4927 output1_length += function_output_length; 4928 4929 PSA_ASSERT(psa_cipher_update(&operation1, 4930 input->x + first_part_size, 4931 input->len - first_part_size, 4932 output1 + output1_length, 4933 output1_buffer_size - output1_length, 4934 &function_output_length)); 4935 TEST_LE_U(function_output_length, 4936 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, 4937 alg, 4938 input->len - first_part_size)); 4939 TEST_LE_U(function_output_length, 4940 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len - first_part_size)); 4941 output1_length += function_output_length; 4942 4943 PSA_ASSERT(psa_cipher_finish(&operation1, 4944 output1 + output1_length, 4945 output1_buffer_size - output1_length, 4946 &function_output_length)); 4947 TEST_LE_U(function_output_length, 4948 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg)); 4949 TEST_LE_U(function_output_length, 4950 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE); 4951 output1_length += function_output_length; 4952 4953 PSA_ASSERT(psa_cipher_abort(&operation1)); 4954 4955 output2_buffer_size = output1_length; 4956 TEST_LE_U(output2_buffer_size, 4957 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, output1_length)); 4958 TEST_LE_U(output2_buffer_size, 4959 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(output1_length)); 4960 TEST_CALLOC(output2, output2_buffer_size); 4961 4962 if (iv_length > 0) { 4963 PSA_ASSERT(psa_cipher_set_iv(&operation2, 4964 iv, iv_length)); 4965 } 4966 4967 PSA_ASSERT(psa_cipher_update(&operation2, output1, first_part_size, 4968 output2, output2_buffer_size, 4969 &function_output_length)); 4970 TEST_LE_U(function_output_length, 4971 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size)); 4972 TEST_LE_U(function_output_length, 4973 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size)); 4974 output2_length += function_output_length; 4975 4976 PSA_ASSERT(psa_cipher_update(&operation2, 4977 output1 + first_part_size, 4978 output1_length - first_part_size, 4979 output2 + output2_length, 4980 output2_buffer_size - output2_length, 4981 &function_output_length)); 4982 TEST_LE_U(function_output_length, 4983 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, 4984 alg, 4985 output1_length - first_part_size)); 4986 TEST_LE_U(function_output_length, 4987 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(output1_length - first_part_size)); 4988 output2_length += function_output_length; 4989 4990 PSA_ASSERT(psa_cipher_finish(&operation2, 4991 output2 + output2_length, 4992 output2_buffer_size - output2_length, 4993 &function_output_length)); 4994 TEST_LE_U(function_output_length, 4995 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg)); 4996 TEST_LE_U(function_output_length, 4997 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE); 4998 output2_length += function_output_length; 4999 5000 PSA_ASSERT(psa_cipher_abort(&operation2)); 5001 5002 TEST_MEMORY_COMPARE(input->x, input->len, output2, output2_length); 5003 5004exit: 5005 psa_cipher_abort(&operation1); 5006 psa_cipher_abort(&operation2); 5007 mbedtls_free(output1); 5008 mbedtls_free(output2); 5009 psa_destroy_key(key); 5010 PSA_DONE(); 5011} 5012/* END_CASE */ 5013 5014/* BEGIN_CASE */ 5015void aead_encrypt_decrypt(int key_type_arg, data_t *key_data, 5016 int alg_arg, 5017 data_t *nonce, 5018 data_t *additional_data, 5019 data_t *input_data, 5020 int expected_result_arg) 5021{ 5022 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5023 psa_key_type_t key_type = key_type_arg; 5024 psa_algorithm_t alg = alg_arg; 5025 size_t key_bits; 5026 unsigned char *output_data = NULL; 5027 size_t output_size = 0; 5028 size_t output_length = 0; 5029 unsigned char *output_data2 = NULL; 5030 size_t output_length2 = 0; 5031 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5032 psa_status_t expected_result = expected_result_arg; 5033 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5034 5035 PSA_ASSERT(psa_crypto_init()); 5036 5037 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 5038 psa_set_key_algorithm(&attributes, alg); 5039 psa_set_key_type(&attributes, key_type); 5040 5041 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5042 &key)); 5043 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5044 key_bits = psa_get_key_bits(&attributes); 5045 5046 output_size = input_data->len + PSA_AEAD_TAG_LENGTH(key_type, key_bits, 5047 alg); 5048 /* For all currently defined algorithms, PSA_AEAD_ENCRYPT_OUTPUT_SIZE 5049 * should be exact. */ 5050 if (expected_result != PSA_ERROR_INVALID_ARGUMENT && 5051 expected_result != PSA_ERROR_NOT_SUPPORTED) { 5052 TEST_EQUAL(output_size, 5053 PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_data->len)); 5054 TEST_LE_U(output_size, 5055 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(input_data->len)); 5056 } 5057 TEST_CALLOC(output_data, output_size); 5058 5059 status = psa_aead_encrypt(key, alg, 5060 nonce->x, nonce->len, 5061 additional_data->x, 5062 additional_data->len, 5063 input_data->x, input_data->len, 5064 output_data, output_size, 5065 &output_length); 5066 5067 /* If the operation is not supported, just skip and not fail in case the 5068 * encryption involves a common limitation of cryptography hardwares and 5069 * an alternative implementation. */ 5070 if (status == PSA_ERROR_NOT_SUPPORTED) { 5071 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5072 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len); 5073 } 5074 5075 TEST_EQUAL(status, expected_result); 5076 5077 if (PSA_SUCCESS == expected_result) { 5078 TEST_CALLOC(output_data2, output_length); 5079 5080 /* For all currently defined algorithms, PSA_AEAD_DECRYPT_OUTPUT_SIZE 5081 * should be exact. */ 5082 TEST_EQUAL(input_data->len, 5083 PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, output_length)); 5084 5085 TEST_LE_U(input_data->len, 5086 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(output_length)); 5087 5088 TEST_EQUAL(psa_aead_decrypt(key, alg, 5089 nonce->x, nonce->len, 5090 additional_data->x, 5091 additional_data->len, 5092 output_data, output_length, 5093 output_data2, output_length, 5094 &output_length2), 5095 expected_result); 5096 5097 TEST_MEMORY_COMPARE(input_data->x, input_data->len, 5098 output_data2, output_length2); 5099 } 5100 5101exit: 5102 psa_destroy_key(key); 5103 mbedtls_free(output_data); 5104 mbedtls_free(output_data2); 5105 PSA_DONE(); 5106} 5107/* END_CASE */ 5108 5109/* BEGIN_CASE */ 5110void aead_encrypt(int key_type_arg, data_t *key_data, 5111 int alg_arg, 5112 data_t *nonce, 5113 data_t *additional_data, 5114 data_t *input_data, 5115 data_t *expected_result) 5116{ 5117 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5118 psa_key_type_t key_type = key_type_arg; 5119 psa_algorithm_t alg = alg_arg; 5120 size_t key_bits; 5121 unsigned char *output_data = NULL; 5122 size_t output_size = 0; 5123 size_t output_length = 0; 5124 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5125 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5126 5127 PSA_ASSERT(psa_crypto_init()); 5128 5129 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 5130 psa_set_key_algorithm(&attributes, alg); 5131 psa_set_key_type(&attributes, key_type); 5132 5133 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5134 &key)); 5135 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5136 key_bits = psa_get_key_bits(&attributes); 5137 5138 output_size = input_data->len + PSA_AEAD_TAG_LENGTH(key_type, key_bits, 5139 alg); 5140 /* For all currently defined algorithms, PSA_AEAD_ENCRYPT_OUTPUT_SIZE 5141 * should be exact. */ 5142 TEST_EQUAL(output_size, 5143 PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_data->len)); 5144 TEST_LE_U(output_size, 5145 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(input_data->len)); 5146 TEST_CALLOC(output_data, output_size); 5147 5148 status = psa_aead_encrypt(key, alg, 5149 nonce->x, nonce->len, 5150 additional_data->x, additional_data->len, 5151 input_data->x, input_data->len, 5152 output_data, output_size, 5153 &output_length); 5154 5155 /* If the operation is not supported, just skip and not fail in case the 5156 * encryption involves a common limitation of cryptography hardwares and 5157 * an alternative implementation. */ 5158 if (status == PSA_ERROR_NOT_SUPPORTED) { 5159 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5160 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len); 5161 } 5162 5163 PSA_ASSERT(status); 5164 TEST_MEMORY_COMPARE(expected_result->x, expected_result->len, 5165 output_data, output_length); 5166 5167exit: 5168 psa_destroy_key(key); 5169 mbedtls_free(output_data); 5170 PSA_DONE(); 5171} 5172/* END_CASE */ 5173 5174/* BEGIN_CASE */ 5175void aead_decrypt(int key_type_arg, data_t *key_data, 5176 int alg_arg, 5177 data_t *nonce, 5178 data_t *additional_data, 5179 data_t *input_data, 5180 data_t *expected_data, 5181 int expected_result_arg) 5182{ 5183 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5184 psa_key_type_t key_type = key_type_arg; 5185 psa_algorithm_t alg = alg_arg; 5186 size_t key_bits; 5187 unsigned char *output_data = NULL; 5188 size_t output_size = 0; 5189 size_t output_length = 0; 5190 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5191 psa_status_t expected_result = expected_result_arg; 5192 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5193 5194 PSA_ASSERT(psa_crypto_init()); 5195 5196 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 5197 psa_set_key_algorithm(&attributes, alg); 5198 psa_set_key_type(&attributes, key_type); 5199 5200 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5201 &key)); 5202 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5203 key_bits = psa_get_key_bits(&attributes); 5204 5205 output_size = input_data->len - PSA_AEAD_TAG_LENGTH(key_type, key_bits, 5206 alg); 5207 if (expected_result != PSA_ERROR_INVALID_ARGUMENT && 5208 expected_result != PSA_ERROR_NOT_SUPPORTED) { 5209 /* For all currently defined algorithms, PSA_AEAD_DECRYPT_OUTPUT_SIZE 5210 * should be exact. */ 5211 TEST_EQUAL(output_size, 5212 PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, input_data->len)); 5213 TEST_LE_U(output_size, 5214 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(input_data->len)); 5215 } 5216 TEST_CALLOC(output_data, output_size); 5217 5218 status = psa_aead_decrypt(key, alg, 5219 nonce->x, nonce->len, 5220 additional_data->x, 5221 additional_data->len, 5222 input_data->x, input_data->len, 5223 output_data, output_size, 5224 &output_length); 5225 5226 /* If the operation is not supported, just skip and not fail in case the 5227 * decryption involves a common limitation of cryptography hardwares and 5228 * an alternative implementation. */ 5229 if (status == PSA_ERROR_NOT_SUPPORTED) { 5230 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5231 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len); 5232 } 5233 5234 TEST_EQUAL(status, expected_result); 5235 5236 if (expected_result == PSA_SUCCESS) { 5237 TEST_MEMORY_COMPARE(expected_data->x, expected_data->len, 5238 output_data, output_length); 5239 } 5240 5241exit: 5242 psa_destroy_key(key); 5243 mbedtls_free(output_data); 5244 PSA_DONE(); 5245} 5246/* END_CASE */ 5247 5248/* BEGIN_CASE */ 5249void aead_multipart_encrypt(int key_type_arg, data_t *key_data, 5250 int alg_arg, 5251 data_t *nonce, 5252 data_t *additional_data, 5253 data_t *input_data, 5254 int do_set_lengths, 5255 data_t *expected_output) 5256{ 5257 size_t ad_part_len = 0; 5258 size_t data_part_len = 0; 5259 set_lengths_method_t set_lengths_method = DO_NOT_SET_LENGTHS; 5260 5261 for (ad_part_len = 1; ad_part_len <= additional_data->len; ad_part_len++) { 5262 mbedtls_test_set_step(ad_part_len); 5263 5264 if (do_set_lengths) { 5265 if (ad_part_len & 0x01) { 5266 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 5267 } else { 5268 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 5269 } 5270 } 5271 5272 /* Split ad into length(ad_part_len) parts. */ 5273 if (!aead_multipart_internal_func(key_type_arg, key_data, 5274 alg_arg, nonce, 5275 additional_data, 5276 ad_part_len, 5277 input_data, -1, 5278 set_lengths_method, 5279 expected_output, 5280 1, 0)) { 5281 break; 5282 } 5283 5284 /* length(0) part, length(ad_part_len) part, length(0) part... */ 5285 mbedtls_test_set_step(1000 + ad_part_len); 5286 5287 if (!aead_multipart_internal_func(key_type_arg, key_data, 5288 alg_arg, nonce, 5289 additional_data, 5290 ad_part_len, 5291 input_data, -1, 5292 set_lengths_method, 5293 expected_output, 5294 1, 1)) { 5295 break; 5296 } 5297 } 5298 5299 for (data_part_len = 1; data_part_len <= input_data->len; data_part_len++) { 5300 /* Split data into length(data_part_len) parts. */ 5301 mbedtls_test_set_step(2000 + data_part_len); 5302 5303 if (do_set_lengths) { 5304 if (data_part_len & 0x01) { 5305 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 5306 } else { 5307 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 5308 } 5309 } 5310 5311 if (!aead_multipart_internal_func(key_type_arg, key_data, 5312 alg_arg, nonce, 5313 additional_data, -1, 5314 input_data, data_part_len, 5315 set_lengths_method, 5316 expected_output, 5317 1, 0)) { 5318 break; 5319 } 5320 5321 /* length(0) part, length(data_part_len) part, length(0) part... */ 5322 mbedtls_test_set_step(3000 + data_part_len); 5323 5324 if (!aead_multipart_internal_func(key_type_arg, key_data, 5325 alg_arg, nonce, 5326 additional_data, -1, 5327 input_data, data_part_len, 5328 set_lengths_method, 5329 expected_output, 5330 1, 1)) { 5331 break; 5332 } 5333 } 5334 5335 /* Goto is required to silence warnings about unused labels, as we 5336 * don't actually do any test assertions in this function. */ 5337 goto exit; 5338} 5339/* END_CASE */ 5340 5341/* BEGIN_CASE */ 5342void aead_multipart_decrypt(int key_type_arg, data_t *key_data, 5343 int alg_arg, 5344 data_t *nonce, 5345 data_t *additional_data, 5346 data_t *input_data, 5347 int do_set_lengths, 5348 data_t *expected_output) 5349{ 5350 size_t ad_part_len = 0; 5351 size_t data_part_len = 0; 5352 set_lengths_method_t set_lengths_method = DO_NOT_SET_LENGTHS; 5353 5354 for (ad_part_len = 1; ad_part_len <= additional_data->len; ad_part_len++) { 5355 /* Split ad into length(ad_part_len) parts. */ 5356 mbedtls_test_set_step(ad_part_len); 5357 5358 if (do_set_lengths) { 5359 if (ad_part_len & 0x01) { 5360 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 5361 } else { 5362 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 5363 } 5364 } 5365 5366 if (!aead_multipart_internal_func(key_type_arg, key_data, 5367 alg_arg, nonce, 5368 additional_data, 5369 ad_part_len, 5370 input_data, -1, 5371 set_lengths_method, 5372 expected_output, 5373 0, 0)) { 5374 break; 5375 } 5376 5377 /* length(0) part, length(ad_part_len) part, length(0) part... */ 5378 mbedtls_test_set_step(1000 + ad_part_len); 5379 5380 if (!aead_multipart_internal_func(key_type_arg, key_data, 5381 alg_arg, nonce, 5382 additional_data, 5383 ad_part_len, 5384 input_data, -1, 5385 set_lengths_method, 5386 expected_output, 5387 0, 1)) { 5388 break; 5389 } 5390 } 5391 5392 for (data_part_len = 1; data_part_len <= input_data->len; data_part_len++) { 5393 /* Split data into length(data_part_len) parts. */ 5394 mbedtls_test_set_step(2000 + data_part_len); 5395 5396 if (do_set_lengths) { 5397 if (data_part_len & 0x01) { 5398 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 5399 } else { 5400 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 5401 } 5402 } 5403 5404 if (!aead_multipart_internal_func(key_type_arg, key_data, 5405 alg_arg, nonce, 5406 additional_data, -1, 5407 input_data, data_part_len, 5408 set_lengths_method, 5409 expected_output, 5410 0, 0)) { 5411 break; 5412 } 5413 5414 /* length(0) part, length(data_part_len) part, length(0) part... */ 5415 mbedtls_test_set_step(3000 + data_part_len); 5416 5417 if (!aead_multipart_internal_func(key_type_arg, key_data, 5418 alg_arg, nonce, 5419 additional_data, -1, 5420 input_data, data_part_len, 5421 set_lengths_method, 5422 expected_output, 5423 0, 1)) { 5424 break; 5425 } 5426 } 5427 5428 /* Goto is required to silence warnings about unused labels, as we 5429 * don't actually do any test assertions in this function. */ 5430 goto exit; 5431} 5432/* END_CASE */ 5433 5434/* BEGIN_CASE */ 5435void aead_multipart_generate_nonce(int key_type_arg, data_t *key_data, 5436 int alg_arg, 5437 int nonce_length, 5438 int expected_nonce_length_arg, 5439 data_t *additional_data, 5440 data_t *input_data, 5441 int expected_status_arg) 5442{ 5443 5444 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5445 psa_key_type_t key_type = key_type_arg; 5446 psa_algorithm_t alg = alg_arg; 5447 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 5448 /* Some tests try to get more than the maximum nonce length, 5449 * so allocate double. */ 5450 uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE * 2]; 5451 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5452 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5453 psa_status_t expected_status = expected_status_arg; 5454 size_t actual_nonce_length = 0; 5455 size_t expected_nonce_length = expected_nonce_length_arg; 5456 unsigned char *output = NULL; 5457 unsigned char *ciphertext = NULL; 5458 size_t output_size = 0; 5459 size_t ciphertext_size = 0; 5460 size_t ciphertext_length = 0; 5461 size_t tag_length = 0; 5462 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 5463 5464 PSA_ASSERT(psa_crypto_init()); 5465 5466 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 5467 psa_set_key_algorithm(&attributes, alg); 5468 psa_set_key_type(&attributes, key_type); 5469 5470 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5471 &key)); 5472 5473 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5474 5475 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len); 5476 5477 TEST_CALLOC(output, output_size); 5478 5479 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg); 5480 5481 TEST_LE_U(ciphertext_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE); 5482 5483 TEST_CALLOC(ciphertext, ciphertext_size); 5484 5485 status = psa_aead_encrypt_setup(&operation, key, alg); 5486 5487 /* If the operation is not supported, just skip and not fail in case the 5488 * encryption involves a common limitation of cryptography hardwares and 5489 * an alternative implementation. */ 5490 if (status == PSA_ERROR_NOT_SUPPORTED) { 5491 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5492 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce_length); 5493 } 5494 5495 PSA_ASSERT(status); 5496 5497 status = psa_aead_generate_nonce(&operation, nonce_buffer, 5498 nonce_length, 5499 &actual_nonce_length); 5500 5501 TEST_EQUAL(status, expected_status); 5502 5503 TEST_EQUAL(actual_nonce_length, expected_nonce_length); 5504 5505 if (expected_status == PSA_SUCCESS) { 5506 TEST_EQUAL(actual_nonce_length, PSA_AEAD_NONCE_LENGTH(key_type, 5507 alg)); 5508 } 5509 5510 TEST_LE_U(actual_nonce_length, PSA_AEAD_NONCE_MAX_SIZE); 5511 5512 if (expected_status == PSA_SUCCESS) { 5513 /* Ensure we can still complete operation. */ 5514 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 5515 input_data->len)); 5516 5517 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 5518 additional_data->len)); 5519 5520 PSA_ASSERT(psa_aead_update(&operation, input_data->x, input_data->len, 5521 output, output_size, 5522 &ciphertext_length)); 5523 5524 PSA_ASSERT(psa_aead_finish(&operation, ciphertext, ciphertext_size, 5525 &ciphertext_length, tag_buffer, 5526 PSA_AEAD_TAG_MAX_SIZE, &tag_length)); 5527 } 5528 5529exit: 5530 psa_destroy_key(key); 5531 mbedtls_free(output); 5532 mbedtls_free(ciphertext); 5533 psa_aead_abort(&operation); 5534 PSA_DONE(); 5535} 5536/* END_CASE */ 5537 5538/* BEGIN_CASE */ 5539void aead_multipart_set_nonce(int key_type_arg, data_t *key_data, 5540 int alg_arg, 5541 int nonce_length_arg, 5542 int set_lengths_method_arg, 5543 data_t *additional_data, 5544 data_t *input_data, 5545 int expected_status_arg) 5546{ 5547 5548 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5549 psa_key_type_t key_type = key_type_arg; 5550 psa_algorithm_t alg = alg_arg; 5551 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 5552 uint8_t *nonce_buffer = NULL; 5553 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5554 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5555 psa_status_t expected_status = expected_status_arg; 5556 unsigned char *output = NULL; 5557 unsigned char *ciphertext = NULL; 5558 size_t nonce_length; 5559 size_t output_size = 0; 5560 size_t ciphertext_size = 0; 5561 size_t ciphertext_length = 0; 5562 size_t tag_length = 0; 5563 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 5564 size_t index = 0; 5565 set_lengths_method_t set_lengths_method = set_lengths_method_arg; 5566 5567 PSA_ASSERT(psa_crypto_init()); 5568 5569 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 5570 psa_set_key_algorithm(&attributes, alg); 5571 psa_set_key_type(&attributes, key_type); 5572 5573 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5574 &key)); 5575 5576 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5577 5578 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len); 5579 5580 TEST_CALLOC(output, output_size); 5581 5582 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg); 5583 5584 TEST_LE_U(ciphertext_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE); 5585 5586 TEST_CALLOC(ciphertext, ciphertext_size); 5587 5588 status = psa_aead_encrypt_setup(&operation, key, alg); 5589 5590 /* If the operation is not supported, just skip and not fail in case the 5591 * encryption involves a common limitation of cryptography hardwares and 5592 * an alternative implementation. */ 5593 if (status == PSA_ERROR_NOT_SUPPORTED) { 5594 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5595 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce_length_arg); 5596 } 5597 5598 PSA_ASSERT(status); 5599 5600 /* -1 == zero length and valid buffer, 0 = zero length and NULL buffer. */ 5601 if (nonce_length_arg == -1) { 5602 /* Arbitrary size buffer, to test zero length valid buffer. */ 5603 TEST_CALLOC(nonce_buffer, 4); 5604 nonce_length = 0; 5605 } else { 5606 /* If length is zero, then this will return NULL. */ 5607 nonce_length = (size_t) nonce_length_arg; 5608 TEST_CALLOC(nonce_buffer, nonce_length); 5609 5610 if (nonce_buffer) { 5611 for (index = 0; index < nonce_length - 1; ++index) { 5612 nonce_buffer[index] = 'a' + index; 5613 } 5614 } 5615 } 5616 5617 if (set_lengths_method == SET_LENGTHS_BEFORE_NONCE) { 5618 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 5619 input_data->len)); 5620 } 5621 5622 status = psa_aead_set_nonce(&operation, nonce_buffer, nonce_length); 5623 5624 TEST_EQUAL(status, expected_status); 5625 5626 if (expected_status == PSA_SUCCESS) { 5627 if (set_lengths_method == SET_LENGTHS_AFTER_NONCE) { 5628 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 5629 input_data->len)); 5630 } 5631 if (operation.alg == PSA_ALG_CCM && set_lengths_method == DO_NOT_SET_LENGTHS) { 5632 expected_status = PSA_ERROR_BAD_STATE; 5633 } 5634 5635 /* Ensure we can still complete operation, unless it's CCM and we didn't set lengths. */ 5636 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 5637 additional_data->len), 5638 expected_status); 5639 5640 TEST_EQUAL(psa_aead_update(&operation, input_data->x, input_data->len, 5641 output, output_size, 5642 &ciphertext_length), 5643 expected_status); 5644 5645 TEST_EQUAL(psa_aead_finish(&operation, ciphertext, ciphertext_size, 5646 &ciphertext_length, tag_buffer, 5647 PSA_AEAD_TAG_MAX_SIZE, &tag_length), 5648 expected_status); 5649 } 5650 5651exit: 5652 psa_destroy_key(key); 5653 mbedtls_free(output); 5654 mbedtls_free(ciphertext); 5655 mbedtls_free(nonce_buffer); 5656 psa_aead_abort(&operation); 5657 PSA_DONE(); 5658} 5659/* END_CASE */ 5660 5661/* BEGIN_CASE */ 5662void aead_multipart_update_buffer_test(int key_type_arg, data_t *key_data, 5663 int alg_arg, 5664 int output_size_arg, 5665 data_t *nonce, 5666 data_t *additional_data, 5667 data_t *input_data, 5668 int expected_status_arg) 5669{ 5670 5671 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5672 psa_key_type_t key_type = key_type_arg; 5673 psa_algorithm_t alg = alg_arg; 5674 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 5675 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5676 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5677 psa_status_t expected_status = expected_status_arg; 5678 unsigned char *output = NULL; 5679 unsigned char *ciphertext = NULL; 5680 size_t output_size = output_size_arg; 5681 size_t ciphertext_size = 0; 5682 size_t ciphertext_length = 0; 5683 size_t tag_length = 0; 5684 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 5685 5686 PSA_ASSERT(psa_crypto_init()); 5687 5688 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 5689 psa_set_key_algorithm(&attributes, alg); 5690 psa_set_key_type(&attributes, key_type); 5691 5692 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5693 &key)); 5694 5695 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5696 5697 TEST_CALLOC(output, output_size); 5698 5699 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg); 5700 5701 TEST_CALLOC(ciphertext, ciphertext_size); 5702 5703 status = psa_aead_encrypt_setup(&operation, key, alg); 5704 5705 /* If the operation is not supported, just skip and not fail in case the 5706 * encryption involves a common limitation of cryptography hardwares and 5707 * an alternative implementation. */ 5708 if (status == PSA_ERROR_NOT_SUPPORTED) { 5709 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5710 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len); 5711 } 5712 5713 PSA_ASSERT(status); 5714 5715 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 5716 input_data->len)); 5717 5718 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 5719 5720 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 5721 additional_data->len)); 5722 5723 status = psa_aead_update(&operation, input_data->x, input_data->len, 5724 output, output_size, &ciphertext_length); 5725 5726 TEST_EQUAL(status, expected_status); 5727 5728 if (expected_status == PSA_SUCCESS) { 5729 /* Ensure we can still complete operation. */ 5730 PSA_ASSERT(psa_aead_finish(&operation, ciphertext, ciphertext_size, 5731 &ciphertext_length, tag_buffer, 5732 PSA_AEAD_TAG_MAX_SIZE, &tag_length)); 5733 } 5734 5735exit: 5736 psa_destroy_key(key); 5737 mbedtls_free(output); 5738 mbedtls_free(ciphertext); 5739 psa_aead_abort(&operation); 5740 PSA_DONE(); 5741} 5742/* END_CASE */ 5743 5744/* BEGIN_CASE */ 5745void aead_multipart_finish_buffer_test(int key_type_arg, data_t *key_data, 5746 int alg_arg, 5747 int finish_ciphertext_size_arg, 5748 int tag_size_arg, 5749 data_t *nonce, 5750 data_t *additional_data, 5751 data_t *input_data, 5752 int expected_status_arg) 5753{ 5754 5755 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5756 psa_key_type_t key_type = key_type_arg; 5757 psa_algorithm_t alg = alg_arg; 5758 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 5759 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5760 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5761 psa_status_t expected_status = expected_status_arg; 5762 unsigned char *ciphertext = NULL; 5763 unsigned char *finish_ciphertext = NULL; 5764 unsigned char *tag_buffer = NULL; 5765 size_t ciphertext_size = 0; 5766 size_t ciphertext_length = 0; 5767 size_t finish_ciphertext_size = (size_t) finish_ciphertext_size_arg; 5768 size_t tag_size = (size_t) tag_size_arg; 5769 size_t tag_length = 0; 5770 5771 PSA_ASSERT(psa_crypto_init()); 5772 5773 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 5774 psa_set_key_algorithm(&attributes, alg); 5775 psa_set_key_type(&attributes, key_type); 5776 5777 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5778 &key)); 5779 5780 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5781 5782 ciphertext_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len); 5783 5784 TEST_CALLOC(ciphertext, ciphertext_size); 5785 5786 TEST_CALLOC(finish_ciphertext, finish_ciphertext_size); 5787 5788 TEST_CALLOC(tag_buffer, tag_size); 5789 5790 status = psa_aead_encrypt_setup(&operation, key, alg); 5791 5792 /* If the operation is not supported, just skip and not fail in case the 5793 * encryption involves a common limitation of cryptography hardwares and 5794 * an alternative implementation. */ 5795 if (status == PSA_ERROR_NOT_SUPPORTED) { 5796 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5797 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len); 5798 } 5799 5800 PSA_ASSERT(status); 5801 5802 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 5803 5804 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 5805 input_data->len)); 5806 5807 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 5808 additional_data->len)); 5809 5810 PSA_ASSERT(psa_aead_update(&operation, input_data->x, input_data->len, 5811 ciphertext, ciphertext_size, &ciphertext_length)); 5812 5813 /* Ensure we can still complete operation. */ 5814 status = psa_aead_finish(&operation, finish_ciphertext, 5815 finish_ciphertext_size, 5816 &ciphertext_length, tag_buffer, 5817 tag_size, &tag_length); 5818 5819 TEST_EQUAL(status, expected_status); 5820 5821exit: 5822 psa_destroy_key(key); 5823 mbedtls_free(ciphertext); 5824 mbedtls_free(finish_ciphertext); 5825 mbedtls_free(tag_buffer); 5826 psa_aead_abort(&operation); 5827 PSA_DONE(); 5828} 5829/* END_CASE */ 5830 5831/* BEGIN_CASE */ 5832void aead_multipart_verify(int key_type_arg, data_t *key_data, 5833 int alg_arg, 5834 data_t *nonce, 5835 data_t *additional_data, 5836 data_t *input_data, 5837 data_t *tag, 5838 int tag_usage_arg, 5839 int expected_setup_status_arg, 5840 int expected_status_arg) 5841{ 5842 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5843 psa_key_type_t key_type = key_type_arg; 5844 psa_algorithm_t alg = alg_arg; 5845 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 5846 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5847 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5848 psa_status_t expected_status = expected_status_arg; 5849 psa_status_t expected_setup_status = expected_setup_status_arg; 5850 unsigned char *plaintext = NULL; 5851 unsigned char *finish_plaintext = NULL; 5852 size_t plaintext_size = 0; 5853 size_t plaintext_length = 0; 5854 size_t verify_plaintext_size = 0; 5855 tag_usage_method_t tag_usage = tag_usage_arg; 5856 unsigned char *tag_buffer = NULL; 5857 size_t tag_size = 0; 5858 5859 PSA_ASSERT(psa_crypto_init()); 5860 5861 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 5862 psa_set_key_algorithm(&attributes, alg); 5863 psa_set_key_type(&attributes, key_type); 5864 5865 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5866 &key)); 5867 5868 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 5869 5870 plaintext_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, 5871 input_data->len); 5872 5873 TEST_CALLOC(plaintext, plaintext_size); 5874 5875 verify_plaintext_size = PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg); 5876 5877 TEST_CALLOC(finish_plaintext, verify_plaintext_size); 5878 5879 status = psa_aead_decrypt_setup(&operation, key, alg); 5880 5881 /* If the operation is not supported, just skip and not fail in case the 5882 * encryption involves a common limitation of cryptography hardwares and 5883 * an alternative implementation. */ 5884 if (status == PSA_ERROR_NOT_SUPPORTED) { 5885 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8); 5886 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len); 5887 } 5888 TEST_EQUAL(status, expected_setup_status); 5889 5890 if (status != PSA_SUCCESS) { 5891 goto exit; 5892 } 5893 5894 PSA_ASSERT(status); 5895 5896 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 5897 5898 status = psa_aead_set_lengths(&operation, additional_data->len, 5899 input_data->len); 5900 PSA_ASSERT(status); 5901 5902 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 5903 additional_data->len)); 5904 5905 PSA_ASSERT(psa_aead_update(&operation, input_data->x, 5906 input_data->len, 5907 plaintext, plaintext_size, 5908 &plaintext_length)); 5909 5910 if (tag_usage == USE_GIVEN_TAG) { 5911 tag_buffer = tag->x; 5912 tag_size = tag->len; 5913 } 5914 5915 status = psa_aead_verify(&operation, finish_plaintext, 5916 verify_plaintext_size, 5917 &plaintext_length, 5918 tag_buffer, tag_size); 5919 5920 TEST_EQUAL(status, expected_status); 5921 5922exit: 5923 psa_destroy_key(key); 5924 mbedtls_free(plaintext); 5925 mbedtls_free(finish_plaintext); 5926 psa_aead_abort(&operation); 5927 PSA_DONE(); 5928} 5929/* END_CASE */ 5930 5931/* BEGIN_CASE */ 5932void aead_multipart_setup(int key_type_arg, data_t *key_data, 5933 int alg_arg, int expected_status_arg) 5934{ 5935 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5936 psa_key_type_t key_type = key_type_arg; 5937 psa_algorithm_t alg = alg_arg; 5938 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 5939 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5940 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5941 psa_status_t expected_status = expected_status_arg; 5942 5943 PSA_ASSERT(psa_crypto_init()); 5944 5945 psa_set_key_usage_flags(&attributes, 5946 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 5947 psa_set_key_algorithm(&attributes, alg); 5948 psa_set_key_type(&attributes, key_type); 5949 5950 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 5951 &key)); 5952 5953 status = psa_aead_encrypt_setup(&operation, key, alg); 5954 5955 TEST_EQUAL(status, expected_status); 5956 5957 psa_aead_abort(&operation); 5958 5959 status = psa_aead_decrypt_setup(&operation, key, alg); 5960 5961 TEST_EQUAL(status, expected_status); 5962 5963exit: 5964 psa_destroy_key(key); 5965 psa_aead_abort(&operation); 5966 PSA_DONE(); 5967} 5968/* END_CASE */ 5969 5970/* BEGIN_CASE */ 5971void aead_multipart_state_test(int key_type_arg, data_t *key_data, 5972 int alg_arg, 5973 data_t *nonce, 5974 data_t *additional_data, 5975 data_t *input_data) 5976{ 5977 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5978 psa_key_type_t key_type = key_type_arg; 5979 psa_algorithm_t alg = alg_arg; 5980 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 5981 unsigned char *output_data = NULL; 5982 unsigned char *final_data = NULL; 5983 size_t output_size = 0; 5984 size_t finish_output_size = 0; 5985 size_t output_length = 0; 5986 size_t key_bits = 0; 5987 size_t tag_length = 0; 5988 size_t tag_size = 0; 5989 size_t nonce_length = 0; 5990 uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE]; 5991 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 5992 size_t output_part_length = 0; 5993 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5994 5995 PSA_ASSERT(psa_crypto_init()); 5996 5997 psa_set_key_usage_flags(&attributes, 5998 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 5999 psa_set_key_algorithm(&attributes, alg); 6000 psa_set_key_type(&attributes, key_type); 6001 6002 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 6003 &key)); 6004 6005 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 6006 key_bits = psa_get_key_bits(&attributes); 6007 6008 tag_length = PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg); 6009 6010 TEST_LE_U(tag_length, PSA_AEAD_TAG_MAX_SIZE); 6011 6012 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len); 6013 6014 TEST_CALLOC(output_data, output_size); 6015 6016 finish_output_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg); 6017 6018 TEST_LE_U(finish_output_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE); 6019 6020 TEST_CALLOC(final_data, finish_output_size); 6021 6022 /* Test all operations error without calling setup first. */ 6023 6024 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len), 6025 PSA_ERROR_BAD_STATE); 6026 6027 psa_aead_abort(&operation); 6028 6029 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer, 6030 PSA_AEAD_NONCE_MAX_SIZE, 6031 &nonce_length), 6032 PSA_ERROR_BAD_STATE); 6033 6034 psa_aead_abort(&operation); 6035 6036 /* ------------------------------------------------------- */ 6037 6038 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6039 input_data->len), 6040 PSA_ERROR_BAD_STATE); 6041 6042 psa_aead_abort(&operation); 6043 6044 /* ------------------------------------------------------- */ 6045 6046 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 6047 additional_data->len), 6048 PSA_ERROR_BAD_STATE); 6049 6050 psa_aead_abort(&operation); 6051 6052 /* ------------------------------------------------------- */ 6053 6054 TEST_EQUAL(psa_aead_update(&operation, input_data->x, 6055 input_data->len, output_data, 6056 output_size, &output_length), 6057 PSA_ERROR_BAD_STATE); 6058 6059 psa_aead_abort(&operation); 6060 6061 /* ------------------------------------------------------- */ 6062 6063 TEST_EQUAL(psa_aead_finish(&operation, final_data, 6064 finish_output_size, 6065 &output_part_length, 6066 tag_buffer, tag_length, 6067 &tag_size), 6068 PSA_ERROR_BAD_STATE); 6069 6070 psa_aead_abort(&operation); 6071 6072 /* ------------------------------------------------------- */ 6073 6074 TEST_EQUAL(psa_aead_verify(&operation, final_data, 6075 finish_output_size, 6076 &output_part_length, 6077 tag_buffer, 6078 tag_length), 6079 PSA_ERROR_BAD_STATE); 6080 6081 psa_aead_abort(&operation); 6082 6083 /* Test for double setups. */ 6084 6085 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6086 6087 TEST_EQUAL(psa_aead_encrypt_setup(&operation, key, alg), 6088 PSA_ERROR_BAD_STATE); 6089 6090 psa_aead_abort(&operation); 6091 6092 /* ------------------------------------------------------- */ 6093 6094 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg)); 6095 6096 TEST_EQUAL(psa_aead_decrypt_setup(&operation, key, alg), 6097 PSA_ERROR_BAD_STATE); 6098 6099 psa_aead_abort(&operation); 6100 6101 /* ------------------------------------------------------- */ 6102 6103 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6104 6105 TEST_EQUAL(psa_aead_decrypt_setup(&operation, key, alg), 6106 PSA_ERROR_BAD_STATE); 6107 6108 psa_aead_abort(&operation); 6109 6110 /* ------------------------------------------------------- */ 6111 6112 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg)); 6113 6114 TEST_EQUAL(psa_aead_encrypt_setup(&operation, key, alg), 6115 PSA_ERROR_BAD_STATE); 6116 6117 psa_aead_abort(&operation); 6118 6119 /* Test for not setting a nonce. */ 6120 6121 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6122 6123 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 6124 additional_data->len), 6125 PSA_ERROR_BAD_STATE); 6126 6127 psa_aead_abort(&operation); 6128 6129 /* ------------------------------------------------------- */ 6130 6131 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6132 6133 TEST_EQUAL(psa_aead_update(&operation, input_data->x, 6134 input_data->len, output_data, 6135 output_size, &output_length), 6136 PSA_ERROR_BAD_STATE); 6137 6138 psa_aead_abort(&operation); 6139 6140 /* ------------------------------------------------------- */ 6141 6142 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6143 6144 TEST_EQUAL(psa_aead_finish(&operation, final_data, 6145 finish_output_size, 6146 &output_part_length, 6147 tag_buffer, tag_length, 6148 &tag_size), 6149 PSA_ERROR_BAD_STATE); 6150 6151 psa_aead_abort(&operation); 6152 6153 /* ------------------------------------------------------- */ 6154 6155 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg)); 6156 6157 TEST_EQUAL(psa_aead_verify(&operation, final_data, 6158 finish_output_size, 6159 &output_part_length, 6160 tag_buffer, 6161 tag_length), 6162 PSA_ERROR_BAD_STATE); 6163 6164 psa_aead_abort(&operation); 6165 6166 /* Test for double setting nonce. */ 6167 6168 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6169 6170 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6171 6172 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len), 6173 PSA_ERROR_BAD_STATE); 6174 6175 psa_aead_abort(&operation); 6176 6177 /* Test for double generating nonce. */ 6178 6179 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6180 6181 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6182 PSA_AEAD_NONCE_MAX_SIZE, 6183 &nonce_length)); 6184 6185 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer, 6186 PSA_AEAD_NONCE_MAX_SIZE, 6187 &nonce_length), 6188 PSA_ERROR_BAD_STATE); 6189 6190 6191 psa_aead_abort(&operation); 6192 6193 /* Test for generate nonce then set and vice versa */ 6194 6195 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6196 6197 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6198 PSA_AEAD_NONCE_MAX_SIZE, 6199 &nonce_length)); 6200 6201 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len), 6202 PSA_ERROR_BAD_STATE); 6203 6204 psa_aead_abort(&operation); 6205 6206 /* Test for generating nonce after calling set lengths */ 6207 6208 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6209 6210 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6211 input_data->len)); 6212 6213 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6214 PSA_AEAD_NONCE_MAX_SIZE, 6215 &nonce_length)); 6216 6217 psa_aead_abort(&operation); 6218 6219 /* Test for generating nonce after calling set lengths with UINT32_MAX ad_data length */ 6220 6221 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6222 6223 if (operation.alg == PSA_ALG_CCM) { 6224 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX, 6225 input_data->len), 6226 PSA_ERROR_INVALID_ARGUMENT); 6227 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer, 6228 PSA_AEAD_NONCE_MAX_SIZE, 6229 &nonce_length), 6230 PSA_ERROR_BAD_STATE); 6231 } else { 6232 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX, 6233 input_data->len)); 6234 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6235 PSA_AEAD_NONCE_MAX_SIZE, 6236 &nonce_length)); 6237 } 6238 6239 psa_aead_abort(&operation); 6240 6241 /* Test for generating nonce after calling set lengths with SIZE_MAX ad_data length */ 6242#if SIZE_MAX > UINT32_MAX 6243 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6244 6245 if (operation.alg == PSA_ALG_CCM || operation.alg == PSA_ALG_GCM) { 6246 TEST_EQUAL(psa_aead_set_lengths(&operation, SIZE_MAX, 6247 input_data->len), 6248 PSA_ERROR_INVALID_ARGUMENT); 6249 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer, 6250 PSA_AEAD_NONCE_MAX_SIZE, 6251 &nonce_length), 6252 PSA_ERROR_BAD_STATE); 6253 } else { 6254 PSA_ASSERT(psa_aead_set_lengths(&operation, SIZE_MAX, 6255 input_data->len)); 6256 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6257 PSA_AEAD_NONCE_MAX_SIZE, 6258 &nonce_length)); 6259 } 6260 6261 psa_aead_abort(&operation); 6262#endif 6263 6264 /* Test for calling set lengths with a UINT32_MAX ad_data length, after generating nonce */ 6265 6266 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6267 6268 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6269 PSA_AEAD_NONCE_MAX_SIZE, 6270 &nonce_length)); 6271 6272 if (operation.alg == PSA_ALG_CCM) { 6273 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX, 6274 input_data->len), 6275 PSA_ERROR_INVALID_ARGUMENT); 6276 } else { 6277 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX, 6278 input_data->len)); 6279 } 6280 6281 psa_aead_abort(&operation); 6282 6283 /* ------------------------------------------------------- */ 6284 /* Test for setting nonce after calling set lengths */ 6285 6286 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6287 6288 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6289 input_data->len)); 6290 6291 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6292 6293 psa_aead_abort(&operation); 6294 6295 /* Test for setting nonce after calling set lengths with UINT32_MAX ad_data length */ 6296 6297 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6298 6299 if (operation.alg == PSA_ALG_CCM) { 6300 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX, 6301 input_data->len), 6302 PSA_ERROR_INVALID_ARGUMENT); 6303 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len), 6304 PSA_ERROR_BAD_STATE); 6305 } else { 6306 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX, 6307 input_data->len)); 6308 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6309 } 6310 6311 psa_aead_abort(&operation); 6312 6313 /* Test for setting nonce after calling set lengths with SIZE_MAX ad_data length */ 6314#if SIZE_MAX > UINT32_MAX 6315 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6316 6317 if (operation.alg == PSA_ALG_CCM || operation.alg == PSA_ALG_GCM) { 6318 TEST_EQUAL(psa_aead_set_lengths(&operation, SIZE_MAX, 6319 input_data->len), 6320 PSA_ERROR_INVALID_ARGUMENT); 6321 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len), 6322 PSA_ERROR_BAD_STATE); 6323 } else { 6324 PSA_ASSERT(psa_aead_set_lengths(&operation, SIZE_MAX, 6325 input_data->len)); 6326 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6327 } 6328 6329 psa_aead_abort(&operation); 6330#endif 6331 6332 /* Test for calling set lengths with an ad_data length of UINT32_MAX, after setting nonce */ 6333 6334 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6335 6336 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6337 6338 if (operation.alg == PSA_ALG_CCM) { 6339 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX, 6340 input_data->len), 6341 PSA_ERROR_INVALID_ARGUMENT); 6342 } else { 6343 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX, 6344 input_data->len)); 6345 } 6346 6347 psa_aead_abort(&operation); 6348 6349 /* Test for setting nonce after calling set lengths with plaintext length of SIZE_MAX */ 6350#if SIZE_MAX > UINT32_MAX 6351 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6352 6353 if (operation.alg == PSA_ALG_GCM) { 6354 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6355 SIZE_MAX), 6356 PSA_ERROR_INVALID_ARGUMENT); 6357 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len), 6358 PSA_ERROR_BAD_STATE); 6359 } else if (operation.alg != PSA_ALG_CCM) { 6360 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6361 SIZE_MAX)); 6362 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6363 } 6364 6365 psa_aead_abort(&operation); 6366#endif 6367 6368 /* Test for calling set lengths with a plaintext length of SIZE_MAX, after setting nonce */ 6369#if SIZE_MAX > UINT32_MAX 6370 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6371 6372 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6373 6374 if (operation.alg == PSA_ALG_GCM) { 6375 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6376 SIZE_MAX), 6377 PSA_ERROR_INVALID_ARGUMENT); 6378 } else if (operation.alg != PSA_ALG_CCM) { 6379 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6380 SIZE_MAX)); 6381 } 6382 6383 psa_aead_abort(&operation); 6384#endif 6385 6386 /* ------------------------------------------------------- */ 6387 6388 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6389 6390 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6391 6392 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer, 6393 PSA_AEAD_NONCE_MAX_SIZE, 6394 &nonce_length), 6395 PSA_ERROR_BAD_STATE); 6396 6397 psa_aead_abort(&operation); 6398 6399 /* Test for generating nonce in decrypt setup. */ 6400 6401 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg)); 6402 6403 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer, 6404 PSA_AEAD_NONCE_MAX_SIZE, 6405 &nonce_length), 6406 PSA_ERROR_BAD_STATE); 6407 6408 psa_aead_abort(&operation); 6409 6410 /* Test for setting lengths twice. */ 6411 6412 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6413 6414 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6415 6416 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6417 input_data->len)); 6418 6419 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6420 input_data->len), 6421 PSA_ERROR_BAD_STATE); 6422 6423 psa_aead_abort(&operation); 6424 6425 /* Test for setting lengths after setting nonce + already starting data. */ 6426 6427 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6428 6429 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6430 6431 if (operation.alg == PSA_ALG_CCM) { 6432 6433 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 6434 additional_data->len), 6435 PSA_ERROR_BAD_STATE); 6436 } else { 6437 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 6438 additional_data->len)); 6439 6440 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6441 input_data->len), 6442 PSA_ERROR_BAD_STATE); 6443 } 6444 psa_aead_abort(&operation); 6445 6446 /* ------------------------------------------------------- */ 6447 6448 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6449 6450 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6451 6452 if (operation.alg == PSA_ALG_CCM) { 6453 TEST_EQUAL(psa_aead_update(&operation, input_data->x, 6454 input_data->len, output_data, 6455 output_size, &output_length), 6456 PSA_ERROR_BAD_STATE); 6457 6458 } else { 6459 PSA_ASSERT(psa_aead_update(&operation, input_data->x, 6460 input_data->len, output_data, 6461 output_size, &output_length)); 6462 6463 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6464 input_data->len), 6465 PSA_ERROR_BAD_STATE); 6466 } 6467 psa_aead_abort(&operation); 6468 6469 /* ------------------------------------------------------- */ 6470 6471 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6472 6473 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6474 6475 if (operation.alg == PSA_ALG_CCM) { 6476 PSA_ASSERT(psa_aead_finish(&operation, final_data, 6477 finish_output_size, 6478 &output_part_length, 6479 tag_buffer, tag_length, 6480 &tag_size)); 6481 } else { 6482 PSA_ASSERT(psa_aead_finish(&operation, final_data, 6483 finish_output_size, 6484 &output_part_length, 6485 tag_buffer, tag_length, 6486 &tag_size)); 6487 6488 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6489 input_data->len), 6490 PSA_ERROR_BAD_STATE); 6491 } 6492 psa_aead_abort(&operation); 6493 6494 /* Test for setting lengths after generating nonce + already starting data. */ 6495 6496 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6497 6498 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6499 PSA_AEAD_NONCE_MAX_SIZE, 6500 &nonce_length)); 6501 if (operation.alg == PSA_ALG_CCM) { 6502 6503 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 6504 additional_data->len), 6505 PSA_ERROR_BAD_STATE); 6506 } else { 6507 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 6508 additional_data->len)); 6509 6510 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6511 input_data->len), 6512 PSA_ERROR_BAD_STATE); 6513 } 6514 psa_aead_abort(&operation); 6515 6516 /* ------------------------------------------------------- */ 6517 6518 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6519 6520 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6521 PSA_AEAD_NONCE_MAX_SIZE, 6522 &nonce_length)); 6523 if (operation.alg == PSA_ALG_CCM) { 6524 TEST_EQUAL(psa_aead_update(&operation, input_data->x, 6525 input_data->len, output_data, 6526 output_size, &output_length), 6527 PSA_ERROR_BAD_STATE); 6528 6529 } else { 6530 PSA_ASSERT(psa_aead_update(&operation, input_data->x, 6531 input_data->len, output_data, 6532 output_size, &output_length)); 6533 6534 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6535 input_data->len), 6536 PSA_ERROR_BAD_STATE); 6537 } 6538 psa_aead_abort(&operation); 6539 6540 /* ------------------------------------------------------- */ 6541 6542 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6543 6544 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer, 6545 PSA_AEAD_NONCE_MAX_SIZE, 6546 &nonce_length)); 6547 if (operation.alg == PSA_ALG_CCM) { 6548 PSA_ASSERT(psa_aead_finish(&operation, final_data, 6549 finish_output_size, 6550 &output_part_length, 6551 tag_buffer, tag_length, 6552 &tag_size)); 6553 } else { 6554 PSA_ASSERT(psa_aead_finish(&operation, final_data, 6555 finish_output_size, 6556 &output_part_length, 6557 tag_buffer, tag_length, 6558 &tag_size)); 6559 6560 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len, 6561 input_data->len), 6562 PSA_ERROR_BAD_STATE); 6563 } 6564 psa_aead_abort(&operation); 6565 6566 /* Test for not sending any additional data or data after setting non zero 6567 * lengths for them. (encrypt) */ 6568 6569 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6570 6571 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6572 6573 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6574 input_data->len)); 6575 6576 TEST_EQUAL(psa_aead_finish(&operation, final_data, 6577 finish_output_size, 6578 &output_part_length, 6579 tag_buffer, tag_length, 6580 &tag_size), 6581 PSA_ERROR_INVALID_ARGUMENT); 6582 6583 psa_aead_abort(&operation); 6584 6585 /* Test for not sending any additional data or data after setting non-zero 6586 * lengths for them. (decrypt) */ 6587 6588 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg)); 6589 6590 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6591 6592 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6593 input_data->len)); 6594 6595 TEST_EQUAL(psa_aead_verify(&operation, final_data, 6596 finish_output_size, 6597 &output_part_length, 6598 tag_buffer, 6599 tag_length), 6600 PSA_ERROR_INVALID_ARGUMENT); 6601 6602 psa_aead_abort(&operation); 6603 6604 /* Test for not sending any additional data after setting a non-zero length 6605 * for it. */ 6606 6607 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6608 6609 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6610 6611 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6612 input_data->len)); 6613 6614 TEST_EQUAL(psa_aead_update(&operation, input_data->x, 6615 input_data->len, output_data, 6616 output_size, &output_length), 6617 PSA_ERROR_INVALID_ARGUMENT); 6618 6619 psa_aead_abort(&operation); 6620 6621 /* Test for not sending any data after setting a non-zero length for it.*/ 6622 6623 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6624 6625 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6626 6627 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6628 input_data->len)); 6629 6630 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 6631 additional_data->len)); 6632 6633 TEST_EQUAL(psa_aead_finish(&operation, final_data, 6634 finish_output_size, 6635 &output_part_length, 6636 tag_buffer, tag_length, 6637 &tag_size), 6638 PSA_ERROR_INVALID_ARGUMENT); 6639 6640 psa_aead_abort(&operation); 6641 6642 /* Test for sending too much additional data after setting lengths. */ 6643 6644 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6645 6646 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6647 6648 PSA_ASSERT(psa_aead_set_lengths(&operation, 0, 0)); 6649 6650 6651 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 6652 additional_data->len), 6653 PSA_ERROR_INVALID_ARGUMENT); 6654 6655 psa_aead_abort(&operation); 6656 6657 /* ------------------------------------------------------- */ 6658 6659 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6660 6661 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6662 6663 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6664 input_data->len)); 6665 6666 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 6667 additional_data->len)); 6668 6669 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 6670 1), 6671 PSA_ERROR_INVALID_ARGUMENT); 6672 6673 psa_aead_abort(&operation); 6674 6675 /* Test for sending too much data after setting lengths. */ 6676 6677 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6678 6679 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6680 6681 PSA_ASSERT(psa_aead_set_lengths(&operation, 0, 0)); 6682 6683 TEST_EQUAL(psa_aead_update(&operation, input_data->x, 6684 input_data->len, output_data, 6685 output_size, &output_length), 6686 PSA_ERROR_INVALID_ARGUMENT); 6687 6688 psa_aead_abort(&operation); 6689 6690 /* ------------------------------------------------------- */ 6691 6692 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6693 6694 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6695 6696 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len, 6697 input_data->len)); 6698 6699 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x, 6700 additional_data->len)); 6701 6702 PSA_ASSERT(psa_aead_update(&operation, input_data->x, 6703 input_data->len, output_data, 6704 output_size, &output_length)); 6705 6706 TEST_EQUAL(psa_aead_update(&operation, input_data->x, 6707 1, output_data, 6708 output_size, &output_length), 6709 PSA_ERROR_INVALID_ARGUMENT); 6710 6711 psa_aead_abort(&operation); 6712 6713 /* Test sending additional data after data. */ 6714 6715 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6716 6717 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6718 6719 if (operation.alg != PSA_ALG_CCM) { 6720 PSA_ASSERT(psa_aead_update(&operation, input_data->x, 6721 input_data->len, output_data, 6722 output_size, &output_length)); 6723 6724 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x, 6725 additional_data->len), 6726 PSA_ERROR_BAD_STATE); 6727 } 6728 psa_aead_abort(&operation); 6729 6730 /* Test calling finish on decryption. */ 6731 6732 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg)); 6733 6734 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6735 6736 TEST_EQUAL(psa_aead_finish(&operation, final_data, 6737 finish_output_size, 6738 &output_part_length, 6739 tag_buffer, tag_length, 6740 &tag_size), 6741 PSA_ERROR_BAD_STATE); 6742 6743 psa_aead_abort(&operation); 6744 6745 /* Test calling verify on encryption. */ 6746 6747 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg)); 6748 6749 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len)); 6750 6751 TEST_EQUAL(psa_aead_verify(&operation, final_data, 6752 finish_output_size, 6753 &output_part_length, 6754 tag_buffer, 6755 tag_length), 6756 PSA_ERROR_BAD_STATE); 6757 6758 psa_aead_abort(&operation); 6759 6760 6761exit: 6762 psa_destroy_key(key); 6763 psa_aead_abort(&operation); 6764 mbedtls_free(output_data); 6765 mbedtls_free(final_data); 6766 PSA_DONE(); 6767} 6768/* END_CASE */ 6769 6770/* BEGIN_CASE */ 6771void signature_size(int type_arg, 6772 int bits, 6773 int alg_arg, 6774 int expected_size_arg) 6775{ 6776 psa_key_type_t type = type_arg; 6777 psa_algorithm_t alg = alg_arg; 6778 size_t actual_size = PSA_SIGN_OUTPUT_SIZE(type, bits, alg); 6779 6780 TEST_EQUAL(actual_size, (size_t) expected_size_arg); 6781 6782exit: 6783 ; 6784} 6785/* END_CASE */ 6786 6787/* BEGIN_CASE */ 6788void sign_hash_deterministic(int key_type_arg, data_t *key_data, 6789 int alg_arg, data_t *input_data, 6790 data_t *output_data) 6791{ 6792 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6793 psa_key_type_t key_type = key_type_arg; 6794 psa_algorithm_t alg = alg_arg; 6795 size_t key_bits; 6796 unsigned char *signature = NULL; 6797 size_t signature_size; 6798 size_t signature_length = 0xdeadbeef; 6799 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6800 6801 PSA_ASSERT(psa_crypto_init()); 6802 6803 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 6804 psa_set_key_algorithm(&attributes, alg); 6805 psa_set_key_type(&attributes, key_type); 6806 6807 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 6808 &key)); 6809 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 6810 key_bits = psa_get_key_bits(&attributes); 6811 6812 /* Allocate a buffer which has the size advertised by the 6813 * library. */ 6814 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, 6815 key_bits, alg); 6816 TEST_ASSERT(signature_size != 0); 6817 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 6818 TEST_CALLOC(signature, signature_size); 6819 6820 /* Perform the signature. */ 6821 PSA_ASSERT(psa_sign_hash(key, alg, 6822 input_data->x, input_data->len, 6823 signature, signature_size, 6824 &signature_length)); 6825 /* Verify that the signature is what is expected. */ 6826 TEST_MEMORY_COMPARE(output_data->x, output_data->len, 6827 signature, signature_length); 6828 6829exit: 6830 /* 6831 * Key attributes may have been returned by psa_get_key_attributes() 6832 * thus reset them as required. 6833 */ 6834 psa_reset_key_attributes(&attributes); 6835 6836 psa_destroy_key(key); 6837 mbedtls_free(signature); 6838 PSA_DONE(); 6839} 6840/* END_CASE */ 6841 6842/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 6843/** 6844 * sign_hash_interruptible() test intentions: 6845 * 6846 * Note: This test can currently only handle ECDSA. 6847 * 6848 * 1. Test interruptible sign hash with known outcomes (deterministic ECDSA 6849 * and private keys / keypairs only). 6850 * 6851 * 2. Test the number of calls to psa_sign_hash_complete() required are as 6852 * expected for different max_ops values. 6853 * 6854 * 3. Test that the number of ops done prior to start and after abort is zero 6855 * and that each successful stage completes some ops (this is not mandated by 6856 * the PSA specification, but is currently the case). 6857 * 6858 * 4. Test that calling psa_sign_hash_get_num_ops() multiple times between 6859 * complete() calls does not alter the number of ops returned. 6860 */ 6861void sign_hash_interruptible(int key_type_arg, data_t *key_data, 6862 int alg_arg, data_t *input_data, 6863 data_t *output_data, int max_ops_arg) 6864{ 6865 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6866 psa_key_type_t key_type = key_type_arg; 6867 psa_algorithm_t alg = alg_arg; 6868 size_t key_bits; 6869 unsigned char *signature = NULL; 6870 size_t signature_size; 6871 size_t signature_length = 0xdeadbeef; 6872 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6873 psa_status_t status = PSA_OPERATION_INCOMPLETE; 6874 uint32_t num_ops = 0; 6875 uint32_t max_ops = max_ops_arg; 6876 size_t num_ops_prior = 0; 6877 size_t num_completes = 0; 6878 size_t min_completes = 0; 6879 size_t max_completes = 0; 6880 6881 psa_sign_hash_interruptible_operation_t operation = 6882 psa_sign_hash_interruptible_operation_init(); 6883 6884 PSA_ASSERT(psa_crypto_init()); 6885 6886 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 6887 psa_set_key_algorithm(&attributes, alg); 6888 psa_set_key_type(&attributes, key_type); 6889 6890 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 6891 &key)); 6892 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 6893 key_bits = psa_get_key_bits(&attributes); 6894 6895 /* Allocate a buffer which has the size advertised by the 6896 * library. */ 6897 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, 6898 key_bits, alg); 6899 TEST_ASSERT(signature_size != 0); 6900 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 6901 TEST_CALLOC(signature, signature_size); 6902 6903 psa_interruptible_set_max_ops(max_ops); 6904 6905 interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS, 6906 &min_completes, &max_completes); 6907 6908 num_ops_prior = psa_sign_hash_get_num_ops(&operation); 6909 TEST_ASSERT(num_ops_prior == 0); 6910 6911 /* Start performing the signature. */ 6912 PSA_ASSERT(psa_sign_hash_start(&operation, key, alg, 6913 input_data->x, input_data->len)); 6914 6915 num_ops_prior = psa_sign_hash_get_num_ops(&operation); 6916 TEST_ASSERT(num_ops_prior == 0); 6917 6918 /* Continue performing the signature until complete. */ 6919 do { 6920 status = psa_sign_hash_complete(&operation, signature, signature_size, 6921 &signature_length); 6922 6923 num_completes++; 6924 6925 if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) { 6926 num_ops = psa_sign_hash_get_num_ops(&operation); 6927 /* We are asserting here that every complete makes progress 6928 * (completes some ops), which is true of the internal 6929 * implementation and probably any implementation, however this is 6930 * not mandated by the PSA specification. */ 6931 TEST_ASSERT(num_ops > num_ops_prior); 6932 6933 num_ops_prior = num_ops; 6934 6935 /* Ensure calling get_num_ops() twice still returns the same 6936 * number of ops as previously reported. */ 6937 num_ops = psa_sign_hash_get_num_ops(&operation); 6938 6939 TEST_EQUAL(num_ops, num_ops_prior); 6940 } 6941 } while (status == PSA_OPERATION_INCOMPLETE); 6942 6943 TEST_ASSERT(status == PSA_SUCCESS); 6944 6945 TEST_LE_U(min_completes, num_completes); 6946 TEST_LE_U(num_completes, max_completes); 6947 6948 /* Verify that the signature is what is expected. */ 6949 TEST_MEMORY_COMPARE(output_data->x, output_data->len, 6950 signature, signature_length); 6951 6952 PSA_ASSERT(psa_sign_hash_abort(&operation)); 6953 6954 num_ops = psa_sign_hash_get_num_ops(&operation); 6955 TEST_ASSERT(num_ops == 0); 6956 6957exit: 6958 6959 /* 6960 * Key attributes may have been returned by psa_get_key_attributes() 6961 * thus reset them as required. 6962 */ 6963 psa_reset_key_attributes(&attributes); 6964 6965 psa_destroy_key(key); 6966 mbedtls_free(signature); 6967 PSA_DONE(); 6968} 6969/* END_CASE */ 6970 6971/* BEGIN_CASE */ 6972void sign_hash_fail(int key_type_arg, data_t *key_data, 6973 int alg_arg, data_t *input_data, 6974 int signature_size_arg, int expected_status_arg) 6975{ 6976 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6977 psa_key_type_t key_type = key_type_arg; 6978 psa_algorithm_t alg = alg_arg; 6979 size_t signature_size = signature_size_arg; 6980 psa_status_t actual_status; 6981 psa_status_t expected_status = expected_status_arg; 6982 unsigned char *signature = NULL; 6983 size_t signature_length = 0xdeadbeef; 6984 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6985 6986 TEST_CALLOC(signature, signature_size); 6987 6988 PSA_ASSERT(psa_crypto_init()); 6989 6990 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 6991 psa_set_key_algorithm(&attributes, alg); 6992 psa_set_key_type(&attributes, key_type); 6993 6994 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 6995 &key)); 6996 6997 actual_status = psa_sign_hash(key, alg, 6998 input_data->x, input_data->len, 6999 signature, signature_size, 7000 &signature_length); 7001 TEST_EQUAL(actual_status, expected_status); 7002 /* The value of *signature_length is unspecified on error, but 7003 * whatever it is, it should be less than signature_size, so that 7004 * if the caller tries to read *signature_length bytes without 7005 * checking the error code then they don't overflow a buffer. */ 7006 TEST_LE_U(signature_length, signature_size); 7007 7008exit: 7009 psa_reset_key_attributes(&attributes); 7010 psa_destroy_key(key); 7011 mbedtls_free(signature); 7012 PSA_DONE(); 7013} 7014/* END_CASE */ 7015 7016/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 7017/** 7018 * sign_hash_fail_interruptible() test intentions: 7019 * 7020 * Note: This test can currently only handle ECDSA. 7021 * 7022 * 1. Test that various failure cases for interruptible sign hash fail with the 7023 * correct error codes, and at the correct point (at start or during 7024 * complete). 7025 * 7026 * 2. Test the number of calls to psa_sign_hash_complete() required are as 7027 * expected for different max_ops values. 7028 * 7029 * 3. Test that the number of ops done prior to start and after abort is zero 7030 * and that each successful stage completes some ops (this is not mandated by 7031 * the PSA specification, but is currently the case). 7032 * 7033 * 4. Check that calling complete() when start() fails and complete() 7034 * after completion results in a BAD_STATE error. 7035 * 7036 * 5. Check that calling start() again after start fails results in a BAD_STATE 7037 * error. 7038 */ 7039void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, 7040 int alg_arg, data_t *input_data, 7041 int signature_size_arg, 7042 int expected_start_status_arg, 7043 int expected_complete_status_arg, 7044 int max_ops_arg) 7045{ 7046 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7047 psa_key_type_t key_type = key_type_arg; 7048 psa_algorithm_t alg = alg_arg; 7049 size_t signature_size = signature_size_arg; 7050 psa_status_t actual_status; 7051 psa_status_t expected_start_status = expected_start_status_arg; 7052 psa_status_t expected_complete_status = expected_complete_status_arg; 7053 unsigned char *signature = NULL; 7054 size_t signature_length = 0xdeadbeef; 7055 uint32_t num_ops = 0; 7056 uint32_t max_ops = max_ops_arg; 7057 size_t num_ops_prior = 0; 7058 size_t num_completes = 0; 7059 size_t min_completes = 0; 7060 size_t max_completes = 0; 7061 7062 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7063 psa_sign_hash_interruptible_operation_t operation = 7064 psa_sign_hash_interruptible_operation_init(); 7065 7066 TEST_CALLOC(signature, signature_size); 7067 7068 PSA_ASSERT(psa_crypto_init()); 7069 7070 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 7071 psa_set_key_algorithm(&attributes, alg); 7072 psa_set_key_type(&attributes, key_type); 7073 7074 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7075 &key)); 7076 7077 psa_interruptible_set_max_ops(max_ops); 7078 7079 interruptible_signverify_get_minmax_completes(max_ops, 7080 expected_complete_status, 7081 &min_completes, 7082 &max_completes); 7083 7084 num_ops_prior = psa_sign_hash_get_num_ops(&operation); 7085 TEST_ASSERT(num_ops_prior == 0); 7086 7087 /* Start performing the signature. */ 7088 actual_status = psa_sign_hash_start(&operation, key, alg, 7089 input_data->x, input_data->len); 7090 7091 TEST_EQUAL(actual_status, expected_start_status); 7092 7093 if (expected_start_status != PSA_SUCCESS) { 7094 /* Emulate poor application code, and call complete anyway, even though 7095 * start failed. */ 7096 actual_status = psa_sign_hash_complete(&operation, signature, 7097 signature_size, 7098 &signature_length); 7099 7100 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); 7101 7102 /* Test that calling start again after failure also causes BAD_STATE. */ 7103 actual_status = psa_sign_hash_start(&operation, key, alg, 7104 input_data->x, input_data->len); 7105 7106 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); 7107 } 7108 7109 num_ops_prior = psa_sign_hash_get_num_ops(&operation); 7110 TEST_ASSERT(num_ops_prior == 0); 7111 7112 /* Continue performing the signature until complete. */ 7113 do { 7114 actual_status = psa_sign_hash_complete(&operation, signature, 7115 signature_size, 7116 &signature_length); 7117 7118 num_completes++; 7119 7120 if (actual_status == PSA_SUCCESS || 7121 actual_status == PSA_OPERATION_INCOMPLETE) { 7122 num_ops = psa_sign_hash_get_num_ops(&operation); 7123 /* We are asserting here that every complete makes progress 7124 * (completes some ops), which is true of the internal 7125 * implementation and probably any implementation, however this is 7126 * not mandated by the PSA specification. */ 7127 TEST_ASSERT(num_ops > num_ops_prior); 7128 7129 num_ops_prior = num_ops; 7130 } 7131 } while (actual_status == PSA_OPERATION_INCOMPLETE); 7132 7133 TEST_EQUAL(actual_status, expected_complete_status); 7134 7135 /* Check that another complete returns BAD_STATE. */ 7136 actual_status = psa_sign_hash_complete(&operation, signature, 7137 signature_size, 7138 &signature_length); 7139 7140 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); 7141 7142 PSA_ASSERT(psa_sign_hash_abort(&operation)); 7143 7144 num_ops = psa_sign_hash_get_num_ops(&operation); 7145 TEST_ASSERT(num_ops == 0); 7146 7147 /* The value of *signature_length is unspecified on error, but 7148 * whatever it is, it should be less than signature_size, so that 7149 * if the caller tries to read *signature_length bytes without 7150 * checking the error code then they don't overflow a buffer. */ 7151 TEST_LE_U(signature_length, signature_size); 7152 7153 TEST_LE_U(min_completes, num_completes); 7154 TEST_LE_U(num_completes, max_completes); 7155 7156exit: 7157 psa_reset_key_attributes(&attributes); 7158 psa_destroy_key(key); 7159 mbedtls_free(signature); 7160 PSA_DONE(); 7161} 7162/* END_CASE */ 7163 7164/* BEGIN_CASE */ 7165void sign_verify_hash(int key_type_arg, data_t *key_data, 7166 int alg_arg, data_t *input_data) 7167{ 7168 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7169 psa_key_type_t key_type = key_type_arg; 7170 psa_algorithm_t alg = alg_arg; 7171 size_t key_bits; 7172 unsigned char *signature = NULL; 7173 size_t signature_size; 7174 size_t signature_length = 0xdeadbeef; 7175 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7176 7177 PSA_ASSERT(psa_crypto_init()); 7178 7179 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH); 7180 psa_set_key_algorithm(&attributes, alg); 7181 psa_set_key_type(&attributes, key_type); 7182 7183 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7184 &key)); 7185 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 7186 key_bits = psa_get_key_bits(&attributes); 7187 7188 /* Allocate a buffer which has the size advertised by the 7189 * library. */ 7190 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, 7191 key_bits, alg); 7192 TEST_ASSERT(signature_size != 0); 7193 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 7194 TEST_CALLOC(signature, signature_size); 7195 7196 /* Perform the signature. */ 7197 PSA_ASSERT(psa_sign_hash(key, alg, 7198 input_data->x, input_data->len, 7199 signature, signature_size, 7200 &signature_length)); 7201 /* Check that the signature length looks sensible. */ 7202 TEST_LE_U(signature_length, signature_size); 7203 TEST_ASSERT(signature_length > 0); 7204 7205 /* Use the library to verify that the signature is correct. */ 7206 PSA_ASSERT(psa_verify_hash(key, alg, 7207 input_data->x, input_data->len, 7208 signature, signature_length)); 7209 7210 if (input_data->len != 0) { 7211 /* Flip a bit in the input and verify that the signature is now 7212 * detected as invalid. Flip a bit at the beginning, not at the end, 7213 * because ECDSA may ignore the last few bits of the input. */ 7214 input_data->x[0] ^= 1; 7215 TEST_EQUAL(psa_verify_hash(key, alg, 7216 input_data->x, input_data->len, 7217 signature, signature_length), 7218 PSA_ERROR_INVALID_SIGNATURE); 7219 } 7220 7221exit: 7222 /* 7223 * Key attributes may have been returned by psa_get_key_attributes() 7224 * thus reset them as required. 7225 */ 7226 psa_reset_key_attributes(&attributes); 7227 7228 psa_destroy_key(key); 7229 mbedtls_free(signature); 7230 PSA_DONE(); 7231} 7232/* END_CASE */ 7233 7234/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 7235/** 7236 * sign_verify_hash_interruptible() test intentions: 7237 * 7238 * Note: This test can currently only handle ECDSA. 7239 * 7240 * 1. Test that we can sign an input hash with the given keypair and then 7241 * afterwards verify that signature. This is currently the only way to test 7242 * non deterministic ECDSA, but this test can also handle deterministic. 7243 * 7244 * 2. Test that after corrupting the hash, the verification detects an invalid 7245 * signature. 7246 * 7247 * 3. Test the number of calls to psa_sign_hash_complete() required are as 7248 * expected for different max_ops values. 7249 * 7250 * 4. Test that the number of ops done prior to starting signing and after abort 7251 * is zero and that each successful signing stage completes some ops (this is 7252 * not mandated by the PSA specification, but is currently the case). 7253 */ 7254void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, 7255 int alg_arg, data_t *input_data, 7256 int max_ops_arg) 7257{ 7258 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7259 psa_key_type_t key_type = key_type_arg; 7260 psa_algorithm_t alg = alg_arg; 7261 size_t key_bits; 7262 unsigned char *signature = NULL; 7263 size_t signature_size; 7264 size_t signature_length = 0xdeadbeef; 7265 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7266 psa_status_t status = PSA_OPERATION_INCOMPLETE; 7267 uint32_t max_ops = max_ops_arg; 7268 uint32_t num_ops = 0; 7269 uint32_t num_ops_prior = 0; 7270 size_t num_completes = 0; 7271 size_t min_completes = 0; 7272 size_t max_completes = 0; 7273 7274 psa_sign_hash_interruptible_operation_t sign_operation = 7275 psa_sign_hash_interruptible_operation_init(); 7276 psa_verify_hash_interruptible_operation_t verify_operation = 7277 psa_verify_hash_interruptible_operation_init(); 7278 7279 PSA_ASSERT(psa_crypto_init()); 7280 7281 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | 7282 PSA_KEY_USAGE_VERIFY_HASH); 7283 psa_set_key_algorithm(&attributes, alg); 7284 psa_set_key_type(&attributes, key_type); 7285 7286 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7287 &key)); 7288 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 7289 key_bits = psa_get_key_bits(&attributes); 7290 7291 /* Allocate a buffer which has the size advertised by the 7292 * library. */ 7293 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, 7294 key_bits, alg); 7295 TEST_ASSERT(signature_size != 0); 7296 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 7297 TEST_CALLOC(signature, signature_size); 7298 7299 psa_interruptible_set_max_ops(max_ops); 7300 7301 interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS, 7302 &min_completes, &max_completes); 7303 7304 num_ops_prior = psa_sign_hash_get_num_ops(&sign_operation); 7305 TEST_ASSERT(num_ops_prior == 0); 7306 7307 /* Start performing the signature. */ 7308 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 7309 input_data->x, input_data->len)); 7310 7311 num_ops_prior = psa_sign_hash_get_num_ops(&sign_operation); 7312 TEST_ASSERT(num_ops_prior == 0); 7313 7314 /* Continue performing the signature until complete. */ 7315 do { 7316 7317 status = psa_sign_hash_complete(&sign_operation, signature, 7318 signature_size, 7319 &signature_length); 7320 7321 num_completes++; 7322 7323 if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) { 7324 num_ops = psa_sign_hash_get_num_ops(&sign_operation); 7325 /* We are asserting here that every complete makes progress 7326 * (completes some ops), which is true of the internal 7327 * implementation and probably any implementation, however this is 7328 * not mandated by the PSA specification. */ 7329 TEST_ASSERT(num_ops > num_ops_prior); 7330 7331 num_ops_prior = num_ops; 7332 } 7333 } while (status == PSA_OPERATION_INCOMPLETE); 7334 7335 TEST_ASSERT(status == PSA_SUCCESS); 7336 7337 TEST_LE_U(min_completes, num_completes); 7338 TEST_LE_U(num_completes, max_completes); 7339 7340 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 7341 7342 num_ops = psa_sign_hash_get_num_ops(&sign_operation); 7343 TEST_ASSERT(num_ops == 0); 7344 7345 /* Check that the signature length looks sensible. */ 7346 TEST_LE_U(signature_length, signature_size); 7347 TEST_ASSERT(signature_length > 0); 7348 7349 num_completes = 0; 7350 7351 /* Start verification. */ 7352 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 7353 input_data->x, input_data->len, 7354 signature, signature_length)); 7355 7356 /* Continue performing the signature until complete. */ 7357 do { 7358 status = psa_verify_hash_complete(&verify_operation); 7359 7360 num_completes++; 7361 } while (status == PSA_OPERATION_INCOMPLETE); 7362 7363 TEST_ASSERT(status == PSA_SUCCESS); 7364 7365 TEST_LE_U(min_completes, num_completes); 7366 TEST_LE_U(num_completes, max_completes); 7367 7368 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7369 7370 verify_operation = psa_verify_hash_interruptible_operation_init(); 7371 7372 if (input_data->len != 0) { 7373 /* Flip a bit in the input and verify that the signature is now 7374 * detected as invalid. Flip a bit at the beginning, not at the end, 7375 * because ECDSA may ignore the last few bits of the input. */ 7376 input_data->x[0] ^= 1; 7377 7378 /* Start verification. */ 7379 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 7380 input_data->x, input_data->len, 7381 signature, signature_length)); 7382 7383 /* Continue performing the signature until complete. */ 7384 do { 7385 status = psa_verify_hash_complete(&verify_operation); 7386 } while (status == PSA_OPERATION_INCOMPLETE); 7387 7388 TEST_ASSERT(status == PSA_ERROR_INVALID_SIGNATURE); 7389 } 7390 7391 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7392 7393exit: 7394 /* 7395 * Key attributes may have been returned by psa_get_key_attributes() 7396 * thus reset them as required. 7397 */ 7398 psa_reset_key_attributes(&attributes); 7399 7400 psa_destroy_key(key); 7401 mbedtls_free(signature); 7402 PSA_DONE(); 7403} 7404/* END_CASE */ 7405 7406/* BEGIN_CASE */ 7407void verify_hash(int key_type_arg, data_t *key_data, 7408 int alg_arg, data_t *hash_data, 7409 data_t *signature_data) 7410{ 7411 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7412 psa_key_type_t key_type = key_type_arg; 7413 psa_algorithm_t alg = alg_arg; 7414 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7415 7416 TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE); 7417 7418 PSA_ASSERT(psa_crypto_init()); 7419 7420 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 7421 psa_set_key_algorithm(&attributes, alg); 7422 psa_set_key_type(&attributes, key_type); 7423 7424 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7425 &key)); 7426 7427 PSA_ASSERT(psa_verify_hash(key, alg, 7428 hash_data->x, hash_data->len, 7429 signature_data->x, signature_data->len)); 7430 7431exit: 7432 psa_reset_key_attributes(&attributes); 7433 psa_destroy_key(key); 7434 PSA_DONE(); 7435} 7436/* END_CASE */ 7437 7438/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 7439/** 7440 * verify_hash_interruptible() test intentions: 7441 * 7442 * Note: This test can currently only handle ECDSA. 7443 * 7444 * 1. Test interruptible verify hash with known outcomes (deterministic ECDSA 7445 * only). Given this test only does verification it can accept public keys as 7446 * well as private keys / keypairs. 7447 * 7448 * 2. Test the number of calls to psa_verify_hash_complete() required are as 7449 * expected for different max_ops values. 7450 * 7451 * 3. Test that the number of ops done prior to start and after abort is zero 7452 * and that each successful stage completes some ops (this is not mandated by 7453 * the PSA specification, but is currently the case). 7454 * 7455 * 4. Test that calling psa_sign_hash_get_num_ops() multiple times between 7456 * complete() calls does not alter the number of ops returned. 7457 * 7458 * 5. Test that after corrupting the hash, the verification detects an invalid 7459 * signature. 7460 */ 7461void verify_hash_interruptible(int key_type_arg, data_t *key_data, 7462 int alg_arg, data_t *hash_data, 7463 data_t *signature_data, int max_ops_arg) 7464{ 7465 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7466 psa_key_type_t key_type = key_type_arg; 7467 psa_algorithm_t alg = alg_arg; 7468 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7469 psa_status_t status = PSA_OPERATION_INCOMPLETE; 7470 uint32_t num_ops = 0; 7471 uint32_t max_ops = max_ops_arg; 7472 size_t num_ops_prior = 0; 7473 size_t num_completes = 0; 7474 size_t min_completes = 0; 7475 size_t max_completes = 0; 7476 7477 psa_verify_hash_interruptible_operation_t operation = 7478 psa_verify_hash_interruptible_operation_init(); 7479 7480 TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE); 7481 7482 PSA_ASSERT(psa_crypto_init()); 7483 7484 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 7485 psa_set_key_algorithm(&attributes, alg); 7486 psa_set_key_type(&attributes, key_type); 7487 7488 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7489 &key)); 7490 7491 psa_interruptible_set_max_ops(max_ops); 7492 7493 interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS, 7494 &min_completes, &max_completes); 7495 7496 num_ops_prior = psa_verify_hash_get_num_ops(&operation); 7497 7498 TEST_ASSERT(num_ops_prior == 0); 7499 7500 /* Start verification. */ 7501 PSA_ASSERT(psa_verify_hash_start(&operation, key, alg, 7502 hash_data->x, hash_data->len, 7503 signature_data->x, signature_data->len) 7504 ); 7505 7506 num_ops_prior = psa_verify_hash_get_num_ops(&operation); 7507 7508 TEST_ASSERT(num_ops_prior == 0); 7509 7510 /* Continue performing the signature until complete. */ 7511 do { 7512 status = psa_verify_hash_complete(&operation); 7513 7514 num_completes++; 7515 7516 if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) { 7517 num_ops = psa_verify_hash_get_num_ops(&operation); 7518 /* We are asserting here that every complete makes progress 7519 * (completes some ops), which is true of the internal 7520 * implementation and probably any implementation, however this is 7521 * not mandated by the PSA specification. */ 7522 TEST_ASSERT(num_ops > num_ops_prior); 7523 7524 num_ops_prior = num_ops; 7525 7526 /* Ensure calling get_num_ops() twice still returns the same 7527 * number of ops as previously reported. */ 7528 num_ops = psa_verify_hash_get_num_ops(&operation); 7529 7530 TEST_EQUAL(num_ops, num_ops_prior); 7531 } 7532 } while (status == PSA_OPERATION_INCOMPLETE); 7533 7534 TEST_ASSERT(status == PSA_SUCCESS); 7535 7536 TEST_LE_U(min_completes, num_completes); 7537 TEST_LE_U(num_completes, max_completes); 7538 7539 PSA_ASSERT(psa_verify_hash_abort(&operation)); 7540 7541 num_ops = psa_verify_hash_get_num_ops(&operation); 7542 TEST_ASSERT(num_ops == 0); 7543 7544 if (hash_data->len != 0) { 7545 /* Flip a bit in the hash and verify that the signature is now detected 7546 * as invalid. Flip a bit at the beginning, not at the end, because 7547 * ECDSA may ignore the last few bits of the input. */ 7548 hash_data->x[0] ^= 1; 7549 7550 /* Start verification. */ 7551 PSA_ASSERT(psa_verify_hash_start(&operation, key, alg, 7552 hash_data->x, hash_data->len, 7553 signature_data->x, signature_data->len)); 7554 7555 /* Continue performing the signature until complete. */ 7556 do { 7557 status = psa_verify_hash_complete(&operation); 7558 } while (status == PSA_OPERATION_INCOMPLETE); 7559 7560 TEST_ASSERT(status == PSA_ERROR_INVALID_SIGNATURE); 7561 } 7562 7563exit: 7564 psa_reset_key_attributes(&attributes); 7565 psa_destroy_key(key); 7566 PSA_DONE(); 7567} 7568/* END_CASE */ 7569 7570/* BEGIN_CASE */ 7571void verify_hash_fail(int key_type_arg, data_t *key_data, 7572 int alg_arg, data_t *hash_data, 7573 data_t *signature_data, 7574 int expected_status_arg) 7575{ 7576 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7577 psa_key_type_t key_type = key_type_arg; 7578 psa_algorithm_t alg = alg_arg; 7579 psa_status_t actual_status; 7580 psa_status_t expected_status = expected_status_arg; 7581 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7582 7583 PSA_ASSERT(psa_crypto_init()); 7584 7585 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 7586 psa_set_key_algorithm(&attributes, alg); 7587 psa_set_key_type(&attributes, key_type); 7588 7589 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7590 &key)); 7591 7592 actual_status = psa_verify_hash(key, alg, 7593 hash_data->x, hash_data->len, 7594 signature_data->x, signature_data->len); 7595 TEST_EQUAL(actual_status, expected_status); 7596 7597exit: 7598 psa_reset_key_attributes(&attributes); 7599 psa_destroy_key(key); 7600 PSA_DONE(); 7601} 7602/* END_CASE */ 7603 7604/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 7605/** 7606 * verify_hash_fail_interruptible() test intentions: 7607 * 7608 * Note: This test can currently only handle ECDSA. 7609 * 7610 * 1. Test that various failure cases for interruptible verify hash fail with 7611 * the correct error codes, and at the correct point (at start or during 7612 * complete). 7613 * 7614 * 2. Test the number of calls to psa_verify_hash_complete() required are as 7615 * expected for different max_ops values. 7616 * 7617 * 3. Test that the number of ops done prior to start and after abort is zero 7618 * and that each successful stage completes some ops (this is not mandated by 7619 * the PSA specification, but is currently the case). 7620 * 7621 * 4. Check that calling complete() when start() fails and complete() 7622 * after completion results in a BAD_STATE error. 7623 * 7624 * 5. Check that calling start() again after start fails results in a BAD_STATE 7625 * error. 7626 */ 7627void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, 7628 int alg_arg, data_t *hash_data, 7629 data_t *signature_data, 7630 int expected_start_status_arg, 7631 int expected_complete_status_arg, 7632 int max_ops_arg) 7633{ 7634 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7635 psa_key_type_t key_type = key_type_arg; 7636 psa_algorithm_t alg = alg_arg; 7637 psa_status_t actual_status; 7638 psa_status_t expected_start_status = expected_start_status_arg; 7639 psa_status_t expected_complete_status = expected_complete_status_arg; 7640 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7641 uint32_t num_ops = 0; 7642 uint32_t max_ops = max_ops_arg; 7643 size_t num_ops_prior = 0; 7644 size_t num_completes = 0; 7645 size_t min_completes = 0; 7646 size_t max_completes = 0; 7647 psa_verify_hash_interruptible_operation_t operation = 7648 psa_verify_hash_interruptible_operation_init(); 7649 7650 PSA_ASSERT(psa_crypto_init()); 7651 7652 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 7653 psa_set_key_algorithm(&attributes, alg); 7654 psa_set_key_type(&attributes, key_type); 7655 7656 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7657 &key)); 7658 7659 psa_interruptible_set_max_ops(max_ops); 7660 7661 interruptible_signverify_get_minmax_completes(max_ops, 7662 expected_complete_status, 7663 &min_completes, 7664 &max_completes); 7665 7666 num_ops_prior = psa_verify_hash_get_num_ops(&operation); 7667 TEST_ASSERT(num_ops_prior == 0); 7668 7669 /* Start verification. */ 7670 actual_status = psa_verify_hash_start(&operation, key, alg, 7671 hash_data->x, hash_data->len, 7672 signature_data->x, 7673 signature_data->len); 7674 7675 TEST_EQUAL(actual_status, expected_start_status); 7676 7677 if (expected_start_status != PSA_SUCCESS) { 7678 /* Emulate poor application code, and call complete anyway, even though 7679 * start failed. */ 7680 actual_status = psa_verify_hash_complete(&operation); 7681 7682 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); 7683 7684 /* Test that calling start again after failure also causes BAD_STATE. */ 7685 actual_status = psa_verify_hash_start(&operation, key, alg, 7686 hash_data->x, hash_data->len, 7687 signature_data->x, 7688 signature_data->len); 7689 7690 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); 7691 } 7692 7693 num_ops_prior = psa_verify_hash_get_num_ops(&operation); 7694 TEST_ASSERT(num_ops_prior == 0); 7695 7696 /* Continue performing the signature until complete. */ 7697 do { 7698 actual_status = psa_verify_hash_complete(&operation); 7699 7700 num_completes++; 7701 7702 if (actual_status == PSA_SUCCESS || 7703 actual_status == PSA_OPERATION_INCOMPLETE) { 7704 num_ops = psa_verify_hash_get_num_ops(&operation); 7705 /* We are asserting here that every complete makes progress 7706 * (completes some ops), which is true of the internal 7707 * implementation and probably any implementation, however this is 7708 * not mandated by the PSA specification. */ 7709 TEST_ASSERT(num_ops > num_ops_prior); 7710 7711 num_ops_prior = num_ops; 7712 } 7713 } while (actual_status == PSA_OPERATION_INCOMPLETE); 7714 7715 TEST_EQUAL(actual_status, expected_complete_status); 7716 7717 /* Check that another complete returns BAD_STATE. */ 7718 actual_status = psa_verify_hash_complete(&operation); 7719 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); 7720 7721 TEST_LE_U(min_completes, num_completes); 7722 TEST_LE_U(num_completes, max_completes); 7723 7724 PSA_ASSERT(psa_verify_hash_abort(&operation)); 7725 7726 num_ops = psa_verify_hash_get_num_ops(&operation); 7727 TEST_ASSERT(num_ops == 0); 7728 7729exit: 7730 psa_reset_key_attributes(&attributes); 7731 psa_destroy_key(key); 7732 PSA_DONE(); 7733} 7734/* END_CASE */ 7735 7736/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 7737/** 7738 * interruptible_signverify_hash_state_test() test intentions: 7739 * 7740 * Note: This test can currently only handle ECDSA. 7741 * 7742 * 1. Test that calling the various interruptible sign and verify hash functions 7743 * in incorrect orders returns BAD_STATE errors. 7744 */ 7745void interruptible_signverify_hash_state_test(int key_type_arg, 7746 data_t *key_data, int alg_arg, data_t *input_data) 7747{ 7748 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7749 psa_key_type_t key_type = key_type_arg; 7750 psa_algorithm_t alg = alg_arg; 7751 size_t key_bits; 7752 unsigned char *signature = NULL; 7753 size_t signature_size; 7754 size_t signature_length = 0xdeadbeef; 7755 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7756 psa_sign_hash_interruptible_operation_t sign_operation = 7757 psa_sign_hash_interruptible_operation_init(); 7758 psa_verify_hash_interruptible_operation_t verify_operation = 7759 psa_verify_hash_interruptible_operation_init(); 7760 7761 PSA_ASSERT(psa_crypto_init()); 7762 7763 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | 7764 PSA_KEY_USAGE_VERIFY_HASH); 7765 psa_set_key_algorithm(&attributes, alg); 7766 psa_set_key_type(&attributes, key_type); 7767 7768 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7769 &key)); 7770 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 7771 key_bits = psa_get_key_bits(&attributes); 7772 7773 /* Allocate a buffer which has the size advertised by the 7774 * library. */ 7775 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, 7776 key_bits, alg); 7777 TEST_ASSERT(signature_size != 0); 7778 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 7779 TEST_CALLOC(signature, signature_size); 7780 7781 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 7782 7783 /* --- Attempt completes prior to starts --- */ 7784 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, 7785 signature_size, 7786 &signature_length), 7787 PSA_ERROR_BAD_STATE); 7788 7789 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 7790 7791 TEST_EQUAL(psa_verify_hash_complete(&verify_operation), 7792 PSA_ERROR_BAD_STATE); 7793 7794 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7795 7796 /* --- Aborts in all other places. --- */ 7797 psa_sign_hash_abort(&sign_operation); 7798 7799 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 7800 input_data->x, input_data->len)); 7801 7802 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 7803 7804 psa_interruptible_set_max_ops(1); 7805 7806 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 7807 input_data->x, input_data->len)); 7808 7809 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, 7810 signature_size, 7811 &signature_length), 7812 PSA_OPERATION_INCOMPLETE); 7813 7814 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 7815 7816 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 7817 7818 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 7819 input_data->x, input_data->len)); 7820 7821 PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature, 7822 signature_size, 7823 &signature_length)); 7824 7825 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 7826 7827 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7828 7829 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 7830 input_data->x, input_data->len, 7831 signature, signature_length)); 7832 7833 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7834 7835 psa_interruptible_set_max_ops(1); 7836 7837 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 7838 input_data->x, input_data->len, 7839 signature, signature_length)); 7840 7841 TEST_EQUAL(psa_verify_hash_complete(&verify_operation), 7842 PSA_OPERATION_INCOMPLETE); 7843 7844 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7845 7846 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 7847 7848 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 7849 input_data->x, input_data->len, 7850 signature, signature_length)); 7851 7852 PSA_ASSERT(psa_verify_hash_complete(&verify_operation)); 7853 7854 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7855 7856 /* --- Attempt double starts. --- */ 7857 7858 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 7859 input_data->x, input_data->len)); 7860 7861 TEST_EQUAL(psa_sign_hash_start(&sign_operation, key, alg, 7862 input_data->x, input_data->len), 7863 PSA_ERROR_BAD_STATE); 7864 7865 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 7866 7867 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 7868 input_data->x, input_data->len, 7869 signature, signature_length)); 7870 7871 TEST_EQUAL(psa_verify_hash_start(&verify_operation, key, alg, 7872 input_data->x, input_data->len, 7873 signature, signature_length), 7874 PSA_ERROR_BAD_STATE); 7875 7876 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7877 7878exit: 7879 /* 7880 * Key attributes may have been returned by psa_get_key_attributes() 7881 * thus reset them as required. 7882 */ 7883 psa_reset_key_attributes(&attributes); 7884 7885 psa_destroy_key(key); 7886 mbedtls_free(signature); 7887 PSA_DONE(); 7888} 7889/* END_CASE */ 7890 7891/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 7892/** 7893 * interruptible_signverify_hash_edgecase_tests() test intentions: 7894 * 7895 * Note: This test can currently only handle ECDSA. 7896 * 7897 * 1. Test various edge cases in the interruptible sign and verify hash 7898 * interfaces. 7899 */ 7900void interruptible_signverify_hash_edgecase_tests(int key_type_arg, 7901 data_t *key_data, int alg_arg, data_t *input_data) 7902{ 7903 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7904 psa_key_type_t key_type = key_type_arg; 7905 psa_algorithm_t alg = alg_arg; 7906 size_t key_bits; 7907 unsigned char *signature = NULL; 7908 size_t signature_size; 7909 size_t signature_length = 0xdeadbeef; 7910 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7911 uint8_t *input_buffer = NULL; 7912 psa_sign_hash_interruptible_operation_t sign_operation = 7913 psa_sign_hash_interruptible_operation_init(); 7914 psa_verify_hash_interruptible_operation_t verify_operation = 7915 psa_verify_hash_interruptible_operation_init(); 7916 7917 PSA_ASSERT(psa_crypto_init()); 7918 7919 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | 7920 PSA_KEY_USAGE_VERIFY_HASH); 7921 psa_set_key_algorithm(&attributes, alg); 7922 psa_set_key_type(&attributes, key_type); 7923 7924 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 7925 &key)); 7926 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 7927 key_bits = psa_get_key_bits(&attributes); 7928 7929 /* Allocate a buffer which has the size advertised by the 7930 * library. */ 7931 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, 7932 key_bits, alg); 7933 TEST_ASSERT(signature_size != 0); 7934 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 7935 TEST_CALLOC(signature, signature_size); 7936 7937 /* --- Change function inputs mid run, to cause an error (sign only, 7938 * verify passes all inputs to start. --- */ 7939 7940 psa_interruptible_set_max_ops(1); 7941 7942 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 7943 input_data->x, input_data->len)); 7944 7945 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, 7946 signature_size, 7947 &signature_length), 7948 PSA_OPERATION_INCOMPLETE); 7949 7950 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, 7951 0, 7952 &signature_length), 7953 PSA_ERROR_BUFFER_TOO_SMALL); 7954 7955 /* And test that this invalidates the operation. */ 7956 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, 7957 0, 7958 &signature_length), 7959 PSA_ERROR_BAD_STATE); 7960 7961 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 7962 7963 /* Trash the hash buffer in between start and complete, to ensure 7964 * no reliance on external buffers. */ 7965 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 7966 7967 TEST_CALLOC(input_buffer, input_data->len); 7968 7969 memcpy(input_buffer, input_data->x, input_data->len); 7970 7971 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 7972 input_buffer, input_data->len)); 7973 7974 memset(input_buffer, '!', input_data->len); 7975 mbedtls_free(input_buffer); 7976 input_buffer = NULL; 7977 7978 PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature, 7979 signature_size, 7980 &signature_length)); 7981 7982 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 7983 7984 TEST_CALLOC(input_buffer, input_data->len); 7985 7986 memcpy(input_buffer, input_data->x, input_data->len); 7987 7988 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 7989 input_buffer, input_data->len, 7990 signature, signature_length)); 7991 7992 memset(input_buffer, '!', input_data->len); 7993 mbedtls_free(input_buffer); 7994 input_buffer = NULL; 7995 7996 PSA_ASSERT(psa_verify_hash_complete(&verify_operation)); 7997 7998 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 7999 8000exit: 8001 /* 8002 * Key attributes may have been returned by psa_get_key_attributes() 8003 * thus reset them as required. 8004 */ 8005 psa_reset_key_attributes(&attributes); 8006 8007 psa_destroy_key(key); 8008 mbedtls_free(signature); 8009 mbedtls_free(input_buffer); 8010 PSA_DONE(); 8011} 8012/* END_CASE */ 8013 8014/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ 8015/** 8016 * interruptible_signverify_hash_ops_tests() test intentions: 8017 * 8018 * Note: This test can currently only handle ECDSA. 8019 * 8020 * 1. Test that setting max ops is reflected in both interruptible sign and 8021 * verify hash 8022 * 2. Test that changing the value of max_ops to unlimited during an operation 8023 * causes that operation to complete in the next call. 8024 * 8025 * 3. Test that calling get_num_ops() between complete calls gives the same 8026 * result as calling get_num_ops() once at the end of the operation. 8027 */ 8028void interruptible_signverify_hash_ops_tests(int key_type_arg, 8029 data_t *key_data, int alg_arg, 8030 data_t *input_data) 8031{ 8032 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8033 psa_key_type_t key_type = key_type_arg; 8034 psa_algorithm_t alg = alg_arg; 8035 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8036 size_t key_bits; 8037 unsigned char *signature = NULL; 8038 size_t signature_size; 8039 size_t signature_length = 0xdeadbeef; 8040 uint32_t num_ops = 0; 8041 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8042 8043 psa_sign_hash_interruptible_operation_t sign_operation = 8044 psa_sign_hash_interruptible_operation_init(); 8045 psa_verify_hash_interruptible_operation_t verify_operation = 8046 psa_verify_hash_interruptible_operation_init(); 8047 8048 PSA_ASSERT(psa_crypto_init()); 8049 8050 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | 8051 PSA_KEY_USAGE_VERIFY_HASH); 8052 psa_set_key_algorithm(&attributes, alg); 8053 psa_set_key_type(&attributes, key_type); 8054 8055 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, &key)); 8056 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 8057 key_bits = psa_get_key_bits(&attributes); 8058 8059 /* Allocate a buffer which has the size advertised by the 8060 * library. */ 8061 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg); 8062 8063 TEST_ASSERT(signature_size != 0); 8064 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 8065 TEST_CALLOC(signature, signature_size); 8066 8067 /* Check that default max ops gets set if we don't set it. */ 8068 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 8069 input_data->x, input_data->len)); 8070 8071 TEST_EQUAL(psa_interruptible_get_max_ops(), 8072 PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 8073 8074 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 8075 8076 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 8077 input_data->x, input_data->len, 8078 signature, signature_size)); 8079 8080 TEST_EQUAL(psa_interruptible_get_max_ops(), 8081 PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 8082 8083 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 8084 8085 /* Check that max ops gets set properly. */ 8086 8087 psa_interruptible_set_max_ops(0xbeef); 8088 8089 TEST_EQUAL(psa_interruptible_get_max_ops(), 0xbeef); 8090 8091 /* --- Ensure changing the max ops mid operation works (operation should 8092 * complete successfully after setting max ops to unlimited --- */ 8093 psa_interruptible_set_max_ops(1); 8094 8095 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 8096 input_data->x, input_data->len)); 8097 8098 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, 8099 signature_size, 8100 &signature_length), 8101 PSA_OPERATION_INCOMPLETE); 8102 8103 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 8104 8105 PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature, 8106 signature_size, 8107 &signature_length)); 8108 8109 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 8110 8111 psa_interruptible_set_max_ops(1); 8112 8113 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 8114 input_data->x, input_data->len, 8115 signature, signature_length)); 8116 8117 TEST_EQUAL(psa_verify_hash_complete(&verify_operation), 8118 PSA_OPERATION_INCOMPLETE); 8119 8120 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); 8121 8122 PSA_ASSERT(psa_verify_hash_complete(&verify_operation)); 8123 8124 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 8125 8126 /* --- Test that not calling get_num_ops inbetween complete calls does not 8127 * result in lost ops. ---*/ 8128 8129 psa_interruptible_set_max_ops(1); 8130 8131 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 8132 input_data->x, input_data->len)); 8133 8134 /* Continue performing the signature until complete. */ 8135 do { 8136 status = psa_sign_hash_complete(&sign_operation, signature, 8137 signature_size, 8138 &signature_length); 8139 8140 num_ops = psa_sign_hash_get_num_ops(&sign_operation); 8141 8142 } while (status == PSA_OPERATION_INCOMPLETE); 8143 8144 PSA_ASSERT(status); 8145 8146 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 8147 8148 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, 8149 input_data->x, input_data->len)); 8150 8151 /* Continue performing the signature until complete. */ 8152 do { 8153 status = psa_sign_hash_complete(&sign_operation, signature, 8154 signature_size, 8155 &signature_length); 8156 } while (status == PSA_OPERATION_INCOMPLETE); 8157 8158 PSA_ASSERT(status); 8159 8160 TEST_EQUAL(num_ops, psa_sign_hash_get_num_ops(&sign_operation)); 8161 8162 PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); 8163 8164 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 8165 input_data->x, input_data->len, 8166 signature, signature_length)); 8167 8168 /* Continue performing the verification until complete. */ 8169 do { 8170 status = psa_verify_hash_complete(&verify_operation); 8171 8172 num_ops = psa_verify_hash_get_num_ops(&verify_operation); 8173 8174 } while (status == PSA_OPERATION_INCOMPLETE); 8175 8176 PSA_ASSERT(status); 8177 8178 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 8179 8180 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, 8181 input_data->x, input_data->len, 8182 signature, signature_length)); 8183 8184 /* Continue performing the verification until complete. */ 8185 do { 8186 status = psa_verify_hash_complete(&verify_operation); 8187 8188 } while (status == PSA_OPERATION_INCOMPLETE); 8189 8190 PSA_ASSERT(status); 8191 8192 TEST_EQUAL(num_ops, psa_verify_hash_get_num_ops(&verify_operation)); 8193 8194 PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); 8195 8196exit: 8197 /* 8198 * Key attributes may have been returned by psa_get_key_attributes() 8199 * thus reset them as required. 8200 */ 8201 psa_reset_key_attributes(&attributes); 8202 8203 psa_destroy_key(key); 8204 mbedtls_free(signature); 8205 PSA_DONE(); 8206} 8207/* END_CASE */ 8208 8209/* BEGIN_CASE */ 8210void sign_message_deterministic(int key_type_arg, 8211 data_t *key_data, 8212 int alg_arg, 8213 data_t *input_data, 8214 data_t *output_data) 8215{ 8216 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8217 psa_key_type_t key_type = key_type_arg; 8218 psa_algorithm_t alg = alg_arg; 8219 size_t key_bits; 8220 unsigned char *signature = NULL; 8221 size_t signature_size; 8222 size_t signature_length = 0xdeadbeef; 8223 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8224 8225 PSA_ASSERT(psa_crypto_init()); 8226 8227 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); 8228 psa_set_key_algorithm(&attributes, alg); 8229 psa_set_key_type(&attributes, key_type); 8230 8231 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8232 &key)); 8233 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 8234 key_bits = psa_get_key_bits(&attributes); 8235 8236 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg); 8237 TEST_ASSERT(signature_size != 0); 8238 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 8239 TEST_CALLOC(signature, signature_size); 8240 8241 PSA_ASSERT(psa_sign_message(key, alg, 8242 input_data->x, input_data->len, 8243 signature, signature_size, 8244 &signature_length)); 8245 8246 TEST_MEMORY_COMPARE(output_data->x, output_data->len, 8247 signature, signature_length); 8248 8249exit: 8250 psa_reset_key_attributes(&attributes); 8251 8252 psa_destroy_key(key); 8253 mbedtls_free(signature); 8254 PSA_DONE(); 8255 8256} 8257/* END_CASE */ 8258 8259/* BEGIN_CASE */ 8260void sign_message_fail(int key_type_arg, 8261 data_t *key_data, 8262 int alg_arg, 8263 data_t *input_data, 8264 int signature_size_arg, 8265 int expected_status_arg) 8266{ 8267 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8268 psa_key_type_t key_type = key_type_arg; 8269 psa_algorithm_t alg = alg_arg; 8270 size_t signature_size = signature_size_arg; 8271 psa_status_t actual_status; 8272 psa_status_t expected_status = expected_status_arg; 8273 unsigned char *signature = NULL; 8274 size_t signature_length = 0xdeadbeef; 8275 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8276 8277 TEST_CALLOC(signature, signature_size); 8278 8279 PSA_ASSERT(psa_crypto_init()); 8280 8281 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); 8282 psa_set_key_algorithm(&attributes, alg); 8283 psa_set_key_type(&attributes, key_type); 8284 8285 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8286 &key)); 8287 8288 actual_status = psa_sign_message(key, alg, 8289 input_data->x, input_data->len, 8290 signature, signature_size, 8291 &signature_length); 8292 TEST_EQUAL(actual_status, expected_status); 8293 /* The value of *signature_length is unspecified on error, but 8294 * whatever it is, it should be less than signature_size, so that 8295 * if the caller tries to read *signature_length bytes without 8296 * checking the error code then they don't overflow a buffer. */ 8297 TEST_LE_U(signature_length, signature_size); 8298 8299exit: 8300 psa_reset_key_attributes(&attributes); 8301 psa_destroy_key(key); 8302 mbedtls_free(signature); 8303 PSA_DONE(); 8304} 8305/* END_CASE */ 8306 8307/* BEGIN_CASE */ 8308void sign_verify_message(int key_type_arg, 8309 data_t *key_data, 8310 int alg_arg, 8311 data_t *input_data) 8312{ 8313 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8314 psa_key_type_t key_type = key_type_arg; 8315 psa_algorithm_t alg = alg_arg; 8316 size_t key_bits; 8317 unsigned char *signature = NULL; 8318 size_t signature_size; 8319 size_t signature_length = 0xdeadbeef; 8320 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8321 8322 PSA_ASSERT(psa_crypto_init()); 8323 8324 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE | 8325 PSA_KEY_USAGE_VERIFY_MESSAGE); 8326 psa_set_key_algorithm(&attributes, alg); 8327 psa_set_key_type(&attributes, key_type); 8328 8329 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8330 &key)); 8331 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 8332 key_bits = psa_get_key_bits(&attributes); 8333 8334 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg); 8335 TEST_ASSERT(signature_size != 0); 8336 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); 8337 TEST_CALLOC(signature, signature_size); 8338 8339 PSA_ASSERT(psa_sign_message(key, alg, 8340 input_data->x, input_data->len, 8341 signature, signature_size, 8342 &signature_length)); 8343 TEST_LE_U(signature_length, signature_size); 8344 TEST_ASSERT(signature_length > 0); 8345 8346 PSA_ASSERT(psa_verify_message(key, alg, 8347 input_data->x, input_data->len, 8348 signature, signature_length)); 8349 8350 if (input_data->len != 0) { 8351 /* Flip a bit in the input and verify that the signature is now 8352 * detected as invalid. Flip a bit at the beginning, not at the end, 8353 * because ECDSA may ignore the last few bits of the input. */ 8354 input_data->x[0] ^= 1; 8355 TEST_EQUAL(psa_verify_message(key, alg, 8356 input_data->x, input_data->len, 8357 signature, signature_length), 8358 PSA_ERROR_INVALID_SIGNATURE); 8359 } 8360 8361exit: 8362 psa_reset_key_attributes(&attributes); 8363 8364 psa_destroy_key(key); 8365 mbedtls_free(signature); 8366 PSA_DONE(); 8367} 8368/* END_CASE */ 8369 8370/* BEGIN_CASE */ 8371void verify_message(int key_type_arg, 8372 data_t *key_data, 8373 int alg_arg, 8374 data_t *input_data, 8375 data_t *signature_data) 8376{ 8377 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8378 psa_key_type_t key_type = key_type_arg; 8379 psa_algorithm_t alg = alg_arg; 8380 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8381 8382 TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE); 8383 8384 PSA_ASSERT(psa_crypto_init()); 8385 8386 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_MESSAGE); 8387 psa_set_key_algorithm(&attributes, alg); 8388 psa_set_key_type(&attributes, key_type); 8389 8390 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8391 &key)); 8392 8393 PSA_ASSERT(psa_verify_message(key, alg, 8394 input_data->x, input_data->len, 8395 signature_data->x, signature_data->len)); 8396 8397exit: 8398 psa_reset_key_attributes(&attributes); 8399 psa_destroy_key(key); 8400 PSA_DONE(); 8401} 8402/* END_CASE */ 8403 8404/* BEGIN_CASE */ 8405void verify_message_fail(int key_type_arg, 8406 data_t *key_data, 8407 int alg_arg, 8408 data_t *hash_data, 8409 data_t *signature_data, 8410 int expected_status_arg) 8411{ 8412 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8413 psa_key_type_t key_type = key_type_arg; 8414 psa_algorithm_t alg = alg_arg; 8415 psa_status_t actual_status; 8416 psa_status_t expected_status = expected_status_arg; 8417 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8418 8419 PSA_ASSERT(psa_crypto_init()); 8420 8421 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_MESSAGE); 8422 psa_set_key_algorithm(&attributes, alg); 8423 psa_set_key_type(&attributes, key_type); 8424 8425 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8426 &key)); 8427 8428 actual_status = psa_verify_message(key, alg, 8429 hash_data->x, hash_data->len, 8430 signature_data->x, 8431 signature_data->len); 8432 TEST_EQUAL(actual_status, expected_status); 8433 8434exit: 8435 psa_reset_key_attributes(&attributes); 8436 psa_destroy_key(key); 8437 PSA_DONE(); 8438} 8439/* END_CASE */ 8440 8441/* BEGIN_CASE */ 8442void asymmetric_encrypt(int key_type_arg, 8443 data_t *key_data, 8444 int alg_arg, 8445 data_t *input_data, 8446 data_t *label, 8447 int expected_output_length_arg, 8448 int expected_status_arg) 8449{ 8450 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8451 psa_key_type_t key_type = key_type_arg; 8452 psa_algorithm_t alg = alg_arg; 8453 size_t expected_output_length = expected_output_length_arg; 8454 size_t key_bits; 8455 unsigned char *output = NULL; 8456 size_t output_size; 8457 size_t output_length = ~0; 8458 psa_status_t actual_status; 8459 psa_status_t expected_status = expected_status_arg; 8460 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8461 8462 PSA_ASSERT(psa_crypto_init()); 8463 8464 /* Import the key */ 8465 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 8466 psa_set_key_algorithm(&attributes, alg); 8467 psa_set_key_type(&attributes, key_type); 8468 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8469 &key)); 8470 8471 /* Determine the maximum output length */ 8472 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 8473 key_bits = psa_get_key_bits(&attributes); 8474 8475 output_size = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg); 8476 TEST_LE_U(output_size, PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE); 8477 TEST_CALLOC(output, output_size); 8478 8479 /* Encrypt the input */ 8480 actual_status = psa_asymmetric_encrypt(key, alg, 8481 input_data->x, input_data->len, 8482 label->x, label->len, 8483 output, output_size, 8484 &output_length); 8485 TEST_EQUAL(actual_status, expected_status); 8486 if (actual_status == PSA_SUCCESS) { 8487 TEST_EQUAL(output_length, expected_output_length); 8488 } else { 8489 TEST_LE_U(output_length, output_size); 8490 } 8491 8492 /* If the label is empty, the test framework puts a non-null pointer 8493 * in label->x. Test that a null pointer works as well. */ 8494 if (label->len == 0) { 8495 output_length = ~0; 8496 if (output_size != 0) { 8497 memset(output, 0, output_size); 8498 } 8499 actual_status = psa_asymmetric_encrypt(key, alg, 8500 input_data->x, input_data->len, 8501 NULL, label->len, 8502 output, output_size, 8503 &output_length); 8504 TEST_EQUAL(actual_status, expected_status); 8505 if (actual_status == PSA_SUCCESS) { 8506 TEST_EQUAL(output_length, expected_output_length); 8507 } else { 8508 TEST_LE_U(output_length, output_size); 8509 } 8510 } 8511 8512exit: 8513 /* 8514 * Key attributes may have been returned by psa_get_key_attributes() 8515 * thus reset them as required. 8516 */ 8517 psa_reset_key_attributes(&attributes); 8518 8519 psa_destroy_key(key); 8520 mbedtls_free(output); 8521 PSA_DONE(); 8522} 8523/* END_CASE */ 8524 8525/* BEGIN_CASE */ 8526void asymmetric_encrypt_decrypt(int key_type_arg, 8527 data_t *key_data, 8528 int alg_arg, 8529 data_t *input_data, 8530 data_t *label) 8531{ 8532 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8533 psa_key_type_t key_type = key_type_arg; 8534 psa_algorithm_t alg = alg_arg; 8535 size_t key_bits; 8536 unsigned char *output = NULL; 8537 size_t output_size; 8538 size_t output_length = ~0; 8539 unsigned char *output2 = NULL; 8540 size_t output2_size; 8541 size_t output2_length = ~0; 8542 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8543 8544 PSA_ASSERT(psa_crypto_init()); 8545 8546 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 8547 psa_set_key_algorithm(&attributes, alg); 8548 psa_set_key_type(&attributes, key_type); 8549 8550 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8551 &key)); 8552 8553 /* Determine the maximum ciphertext length */ 8554 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 8555 key_bits = psa_get_key_bits(&attributes); 8556 8557 output_size = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg); 8558 TEST_LE_U(output_size, PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE); 8559 TEST_CALLOC(output, output_size); 8560 8561 output2_size = input_data->len; 8562 TEST_LE_U(output2_size, 8563 PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg)); 8564 TEST_LE_U(output2_size, PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE); 8565 TEST_CALLOC(output2, output2_size); 8566 8567 /* We test encryption by checking that encrypt-then-decrypt gives back 8568 * the original plaintext because of the non-optional random 8569 * part of encryption process which prevents using fixed vectors. */ 8570 PSA_ASSERT(psa_asymmetric_encrypt(key, alg, 8571 input_data->x, input_data->len, 8572 label->x, label->len, 8573 output, output_size, 8574 &output_length)); 8575 /* We don't know what ciphertext length to expect, but check that 8576 * it looks sensible. */ 8577 TEST_LE_U(output_length, output_size); 8578 8579 PSA_ASSERT(psa_asymmetric_decrypt(key, alg, 8580 output, output_length, 8581 label->x, label->len, 8582 output2, output2_size, 8583 &output2_length)); 8584 TEST_MEMORY_COMPARE(input_data->x, input_data->len, 8585 output2, output2_length); 8586 8587exit: 8588 /* 8589 * Key attributes may have been returned by psa_get_key_attributes() 8590 * thus reset them as required. 8591 */ 8592 psa_reset_key_attributes(&attributes); 8593 8594 psa_destroy_key(key); 8595 mbedtls_free(output); 8596 mbedtls_free(output2); 8597 PSA_DONE(); 8598} 8599/* END_CASE */ 8600 8601/* BEGIN_CASE */ 8602void asymmetric_decrypt(int key_type_arg, 8603 data_t *key_data, 8604 int alg_arg, 8605 data_t *input_data, 8606 data_t *label, 8607 data_t *expected_data) 8608{ 8609 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8610 psa_key_type_t key_type = key_type_arg; 8611 psa_algorithm_t alg = alg_arg; 8612 size_t key_bits; 8613 unsigned char *output = NULL; 8614 size_t output_size = 0; 8615 size_t output_length = ~0; 8616 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8617 8618 PSA_ASSERT(psa_crypto_init()); 8619 8620 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 8621 psa_set_key_algorithm(&attributes, alg); 8622 psa_set_key_type(&attributes, key_type); 8623 8624 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8625 &key)); 8626 8627 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 8628 key_bits = psa_get_key_bits(&attributes); 8629 8630 /* Determine the maximum ciphertext length */ 8631 output_size = PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg); 8632 TEST_LE_U(output_size, PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE); 8633 TEST_CALLOC(output, output_size); 8634 8635 PSA_ASSERT(psa_asymmetric_decrypt(key, alg, 8636 input_data->x, input_data->len, 8637 label->x, label->len, 8638 output, 8639 output_size, 8640 &output_length)); 8641 TEST_MEMORY_COMPARE(expected_data->x, expected_data->len, 8642 output, output_length); 8643 8644 /* If the label is empty, the test framework puts a non-null pointer 8645 * in label->x. Test that a null pointer works as well. */ 8646 if (label->len == 0) { 8647 output_length = ~0; 8648 if (output_size != 0) { 8649 memset(output, 0, output_size); 8650 } 8651 PSA_ASSERT(psa_asymmetric_decrypt(key, alg, 8652 input_data->x, input_data->len, 8653 NULL, label->len, 8654 output, 8655 output_size, 8656 &output_length)); 8657 TEST_MEMORY_COMPARE(expected_data->x, expected_data->len, 8658 output, output_length); 8659 } 8660 8661exit: 8662 psa_reset_key_attributes(&attributes); 8663 psa_destroy_key(key); 8664 mbedtls_free(output); 8665 PSA_DONE(); 8666} 8667/* END_CASE */ 8668 8669/* BEGIN_CASE */ 8670void asymmetric_decrypt_fail(int key_type_arg, 8671 data_t *key_data, 8672 int alg_arg, 8673 data_t *input_data, 8674 data_t *label, 8675 int output_size_arg, 8676 int expected_status_arg) 8677{ 8678 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8679 psa_key_type_t key_type = key_type_arg; 8680 psa_algorithm_t alg = alg_arg; 8681 unsigned char *output = NULL; 8682 size_t output_size = output_size_arg; 8683 size_t output_length = ~0; 8684 psa_status_t actual_status; 8685 psa_status_t expected_status = expected_status_arg; 8686 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8687 8688 TEST_CALLOC(output, output_size); 8689 8690 PSA_ASSERT(psa_crypto_init()); 8691 8692 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 8693 psa_set_key_algorithm(&attributes, alg); 8694 psa_set_key_type(&attributes, key_type); 8695 8696 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 8697 &key)); 8698 8699 actual_status = psa_asymmetric_decrypt(key, alg, 8700 input_data->x, input_data->len, 8701 label->x, label->len, 8702 output, output_size, 8703 &output_length); 8704 TEST_EQUAL(actual_status, expected_status); 8705 TEST_LE_U(output_length, output_size); 8706 8707 /* If the label is empty, the test framework puts a non-null pointer 8708 * in label->x. Test that a null pointer works as well. */ 8709 if (label->len == 0) { 8710 output_length = ~0; 8711 if (output_size != 0) { 8712 memset(output, 0, output_size); 8713 } 8714 actual_status = psa_asymmetric_decrypt(key, alg, 8715 input_data->x, input_data->len, 8716 NULL, label->len, 8717 output, output_size, 8718 &output_length); 8719 TEST_EQUAL(actual_status, expected_status); 8720 TEST_LE_U(output_length, output_size); 8721 } 8722 8723exit: 8724 psa_reset_key_attributes(&attributes); 8725 psa_destroy_key(key); 8726 mbedtls_free(output); 8727 PSA_DONE(); 8728} 8729/* END_CASE */ 8730 8731/* BEGIN_CASE */ 8732void key_derivation_init() 8733{ 8734 /* Test each valid way of initializing the object, except for `= {0}`, as 8735 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 8736 * though it's OK by the C standard. We could test for this, but we'd need 8737 * to suppress the Clang warning for the test. */ 8738 size_t capacity; 8739 psa_key_derivation_operation_t func = psa_key_derivation_operation_init(); 8740 psa_key_derivation_operation_t init = PSA_KEY_DERIVATION_OPERATION_INIT; 8741 psa_key_derivation_operation_t zero; 8742 8743 memset(&zero, 0, sizeof(zero)); 8744 8745 /* A default operation should not be able to report its capacity. */ 8746 TEST_EQUAL(psa_key_derivation_get_capacity(&func, &capacity), 8747 PSA_ERROR_BAD_STATE); 8748 TEST_EQUAL(psa_key_derivation_get_capacity(&init, &capacity), 8749 PSA_ERROR_BAD_STATE); 8750 TEST_EQUAL(psa_key_derivation_get_capacity(&zero, &capacity), 8751 PSA_ERROR_BAD_STATE); 8752 8753 /* A default operation should be abortable without error. */ 8754 PSA_ASSERT(psa_key_derivation_abort(&func)); 8755 PSA_ASSERT(psa_key_derivation_abort(&init)); 8756 PSA_ASSERT(psa_key_derivation_abort(&zero)); 8757} 8758/* END_CASE */ 8759 8760/* BEGIN_CASE */ 8761void derive_setup(int alg_arg, int expected_status_arg) 8762{ 8763 psa_algorithm_t alg = alg_arg; 8764 psa_status_t expected_status = expected_status_arg; 8765 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 8766 8767 PSA_ASSERT(psa_crypto_init()); 8768 8769 TEST_EQUAL(psa_key_derivation_setup(&operation, alg), 8770 expected_status); 8771 8772exit: 8773 psa_key_derivation_abort(&operation); 8774 PSA_DONE(); 8775} 8776/* END_CASE */ 8777 8778/* BEGIN_CASE */ 8779void derive_set_capacity(int alg_arg, int64_t capacity_arg, 8780 int expected_status_arg) 8781{ 8782 psa_algorithm_t alg = alg_arg; 8783 size_t capacity = capacity_arg; 8784 psa_status_t expected_status = expected_status_arg; 8785 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 8786 8787 PSA_ASSERT(psa_crypto_init()); 8788 8789 PSA_ASSERT(psa_key_derivation_setup(&operation, alg)); 8790 8791 TEST_EQUAL(psa_key_derivation_set_capacity(&operation, capacity), 8792 expected_status); 8793 8794exit: 8795 psa_key_derivation_abort(&operation); 8796 PSA_DONE(); 8797} 8798/* END_CASE */ 8799 8800/* BEGIN_CASE */ 8801void parse_binary_string_test(data_t *input, int output) 8802{ 8803 uint64_t value; 8804 value = mbedtls_test_parse_binary_string(input); 8805 TEST_EQUAL(value, output); 8806} 8807/* END_CASE */ 8808 8809/* BEGIN_CASE */ 8810void derive_input(int alg_arg, 8811 int step_arg1, int key_type_arg1, data_t *input1, 8812 int expected_status_arg1, 8813 int step_arg2, int key_type_arg2, data_t *input2, 8814 int expected_status_arg2, 8815 int step_arg3, int key_type_arg3, data_t *input3, 8816 int expected_status_arg3, 8817 int output_key_type_arg, int expected_output_status_arg) 8818{ 8819 psa_algorithm_t alg = alg_arg; 8820 psa_key_derivation_step_t steps[] = { step_arg1, step_arg2, step_arg3 }; 8821 uint32_t key_types[] = { key_type_arg1, key_type_arg2, key_type_arg3 }; 8822 psa_status_t expected_statuses[] = { expected_status_arg1, 8823 expected_status_arg2, 8824 expected_status_arg3 }; 8825 data_t *inputs[] = { input1, input2, input3 }; 8826 mbedtls_svc_key_id_t keys[] = { MBEDTLS_SVC_KEY_ID_INIT, 8827 MBEDTLS_SVC_KEY_ID_INIT, 8828 MBEDTLS_SVC_KEY_ID_INIT }; 8829 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 8830 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8831 size_t i; 8832 psa_key_type_t output_key_type = output_key_type_arg; 8833 mbedtls_svc_key_id_t output_key = MBEDTLS_SVC_KEY_ID_INIT; 8834 psa_status_t expected_output_status = expected_output_status_arg; 8835 psa_status_t actual_output_status; 8836 8837 PSA_ASSERT(psa_crypto_init()); 8838 8839 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 8840 psa_set_key_algorithm(&attributes, alg); 8841 8842 PSA_ASSERT(psa_key_derivation_setup(&operation, alg)); 8843 8844 for (i = 0; i < ARRAY_LENGTH(steps); i++) { 8845 mbedtls_test_set_step(i); 8846 if (steps[i] == 0) { 8847 /* Skip this step */ 8848 } else if (((psa_key_type_t) key_types[i]) != PSA_KEY_TYPE_NONE && 8849 key_types[i] != INPUT_INTEGER) { 8850 psa_set_key_type(&attributes, ((psa_key_type_t) key_types[i])); 8851 PSA_ASSERT(psa_import_key(&attributes, 8852 inputs[i]->x, inputs[i]->len, 8853 &keys[i])); 8854 if (PSA_KEY_TYPE_IS_KEY_PAIR((psa_key_type_t) key_types[i]) && 8855 steps[i] == PSA_KEY_DERIVATION_INPUT_SECRET) { 8856 // When taking a private key as secret input, use key agreement 8857 // to add the shared secret to the derivation 8858 TEST_EQUAL(mbedtls_test_psa_key_agreement_with_self( 8859 &operation, keys[i], 0), 8860 expected_statuses[i]); 8861 } else { 8862 TEST_EQUAL(psa_key_derivation_input_key(&operation, steps[i], 8863 keys[i]), 8864 expected_statuses[i]); 8865 } 8866 } else { 8867 if (key_types[i] == INPUT_INTEGER) { 8868 TEST_EQUAL(psa_key_derivation_input_integer( 8869 &operation, steps[i], 8870 mbedtls_test_parse_binary_string(inputs[i])), 8871 expected_statuses[i]); 8872 } else { 8873 TEST_EQUAL(psa_key_derivation_input_bytes( 8874 &operation, steps[i], 8875 inputs[i]->x, inputs[i]->len), 8876 expected_statuses[i]); 8877 } 8878 } 8879 } 8880 8881 if (output_key_type != PSA_KEY_TYPE_NONE) { 8882 psa_reset_key_attributes(&attributes); 8883 psa_set_key_type(&attributes, output_key_type); 8884 psa_set_key_bits(&attributes, 8); 8885 actual_output_status = 8886 psa_key_derivation_output_key(&attributes, &operation, 8887 &output_key); 8888 } else { 8889 uint8_t buffer[1]; 8890 actual_output_status = 8891 psa_key_derivation_output_bytes(&operation, 8892 buffer, sizeof(buffer)); 8893 } 8894 TEST_EQUAL(actual_output_status, expected_output_status); 8895 8896exit: 8897 psa_key_derivation_abort(&operation); 8898 for (i = 0; i < ARRAY_LENGTH(keys); i++) { 8899 psa_destroy_key(keys[i]); 8900 } 8901 psa_destroy_key(output_key); 8902 PSA_DONE(); 8903} 8904/* END_CASE */ 8905 8906/* BEGIN_CASE*/ 8907void derive_input_invalid_cost(int alg_arg, int64_t cost) 8908{ 8909 psa_algorithm_t alg = alg_arg; 8910 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 8911 8912 PSA_ASSERT(psa_crypto_init()); 8913 PSA_ASSERT(psa_key_derivation_setup(&operation, alg)); 8914 8915 TEST_EQUAL(psa_key_derivation_input_integer(&operation, 8916 PSA_KEY_DERIVATION_INPUT_COST, 8917 cost), 8918 PSA_ERROR_NOT_SUPPORTED); 8919 8920exit: 8921 psa_key_derivation_abort(&operation); 8922 PSA_DONE(); 8923} 8924/* END_CASE*/ 8925 8926/* BEGIN_CASE */ 8927void derive_over_capacity(int alg_arg) 8928{ 8929 psa_algorithm_t alg = alg_arg; 8930 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8931 size_t key_type = PSA_KEY_TYPE_DERIVE; 8932 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 8933 unsigned char input1[] = "Input 1"; 8934 size_t input1_length = sizeof(input1); 8935 unsigned char input2[] = "Input 2"; 8936 size_t input2_length = sizeof(input2); 8937 uint8_t buffer[42]; 8938 size_t capacity = sizeof(buffer); 8939 const uint8_t key_data[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 8940 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 8941 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b }; 8942 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8943 8944 PSA_ASSERT(psa_crypto_init()); 8945 8946 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 8947 psa_set_key_algorithm(&attributes, alg); 8948 psa_set_key_type(&attributes, key_type); 8949 8950 PSA_ASSERT(psa_import_key(&attributes, 8951 key_data, sizeof(key_data), 8952 &key)); 8953 8954 /* valid key derivation */ 8955 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, key, alg, 8956 input1, input1_length, 8957 input2, input2_length, 8958 capacity, 0)) { 8959 goto exit; 8960 } 8961 8962 /* state of operation shouldn't allow additional generation */ 8963 TEST_EQUAL(psa_key_derivation_setup(&operation, alg), 8964 PSA_ERROR_BAD_STATE); 8965 8966 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, buffer, capacity)); 8967 8968 TEST_EQUAL(psa_key_derivation_output_bytes(&operation, buffer, capacity), 8969 PSA_ERROR_INSUFFICIENT_DATA); 8970 8971exit: 8972 psa_key_derivation_abort(&operation); 8973 psa_destroy_key(key); 8974 PSA_DONE(); 8975} 8976/* END_CASE */ 8977 8978/* BEGIN_CASE */ 8979void derive_actions_without_setup() 8980{ 8981 uint8_t output_buffer[16]; 8982 size_t buffer_size = 16; 8983 size_t capacity = 0; 8984 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 8985 8986 TEST_ASSERT(psa_key_derivation_output_bytes(&operation, 8987 output_buffer, buffer_size) 8988 == PSA_ERROR_BAD_STATE); 8989 8990 TEST_ASSERT(psa_key_derivation_get_capacity(&operation, &capacity) 8991 == PSA_ERROR_BAD_STATE); 8992 8993 PSA_ASSERT(psa_key_derivation_abort(&operation)); 8994 8995 TEST_ASSERT(psa_key_derivation_output_bytes(&operation, 8996 output_buffer, buffer_size) 8997 == PSA_ERROR_BAD_STATE); 8998 8999 TEST_ASSERT(psa_key_derivation_get_capacity(&operation, &capacity) 9000 == PSA_ERROR_BAD_STATE); 9001 9002exit: 9003 psa_key_derivation_abort(&operation); 9004} 9005/* END_CASE */ 9006 9007/* BEGIN_CASE */ 9008void derive_output(int alg_arg, 9009 int step1_arg, data_t *input1, int expected_status_arg1, 9010 int step2_arg, data_t *input2, int expected_status_arg2, 9011 int step3_arg, data_t *input3, int expected_status_arg3, 9012 int step4_arg, data_t *input4, int expected_status_arg4, 9013 data_t *key_agreement_peer_key, 9014 int requested_capacity_arg, 9015 data_t *expected_output1, 9016 data_t *expected_output2, 9017 int other_key_input_type, 9018 int key_input_type, 9019 int derive_type) 9020{ 9021 psa_algorithm_t alg = alg_arg; 9022 psa_key_derivation_step_t steps[] = { step1_arg, step2_arg, step3_arg, step4_arg }; 9023 data_t *inputs[] = { input1, input2, input3, input4 }; 9024 mbedtls_svc_key_id_t keys[] = { MBEDTLS_SVC_KEY_ID_INIT, 9025 MBEDTLS_SVC_KEY_ID_INIT, 9026 MBEDTLS_SVC_KEY_ID_INIT, 9027 MBEDTLS_SVC_KEY_ID_INIT }; 9028 psa_status_t statuses[] = { expected_status_arg1, expected_status_arg2, 9029 expected_status_arg3, expected_status_arg4 }; 9030 size_t requested_capacity = requested_capacity_arg; 9031 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 9032 uint8_t *expected_outputs[2] = 9033 { expected_output1->x, expected_output2->x }; 9034 size_t output_sizes[2] = 9035 { expected_output1->len, expected_output2->len }; 9036 size_t output_buffer_size = 0; 9037 uint8_t *output_buffer = NULL; 9038 size_t expected_capacity; 9039 size_t current_capacity; 9040 psa_key_attributes_t attributes1 = PSA_KEY_ATTRIBUTES_INIT; 9041 psa_key_attributes_t attributes2 = PSA_KEY_ATTRIBUTES_INIT; 9042 psa_key_attributes_t attributes3 = PSA_KEY_ATTRIBUTES_INIT; 9043 psa_key_attributes_t attributes4 = PSA_KEY_ATTRIBUTES_INIT; 9044 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 9045 psa_status_t status; 9046 size_t i; 9047 9048 for (i = 0; i < ARRAY_LENGTH(expected_outputs); i++) { 9049 if (output_sizes[i] > output_buffer_size) { 9050 output_buffer_size = output_sizes[i]; 9051 } 9052 if (output_sizes[i] == 0) { 9053 expected_outputs[i] = NULL; 9054 } 9055 } 9056 TEST_CALLOC(output_buffer, output_buffer_size); 9057 PSA_ASSERT(psa_crypto_init()); 9058 9059 /* Extraction phase. */ 9060 PSA_ASSERT(psa_key_derivation_setup(&operation, alg)); 9061 PSA_ASSERT(psa_key_derivation_set_capacity(&operation, 9062 requested_capacity)); 9063 for (i = 0; i < ARRAY_LENGTH(steps); i++) { 9064 switch (steps[i]) { 9065 case 0: 9066 break; 9067 case PSA_KEY_DERIVATION_INPUT_COST: 9068 TEST_EQUAL(psa_key_derivation_input_integer( 9069 &operation, steps[i], 9070 mbedtls_test_parse_binary_string(inputs[i])), 9071 statuses[i]); 9072 if (statuses[i] != PSA_SUCCESS) { 9073 goto exit; 9074 } 9075 break; 9076 case PSA_KEY_DERIVATION_INPUT_PASSWORD: 9077 case PSA_KEY_DERIVATION_INPUT_SECRET: 9078 switch (key_input_type) { 9079 case 0: // input bytes 9080 TEST_EQUAL(psa_key_derivation_input_bytes( 9081 &operation, steps[i], 9082 inputs[i]->x, inputs[i]->len), 9083 statuses[i]); 9084 9085 if (statuses[i] != PSA_SUCCESS) { 9086 goto exit; 9087 } 9088 break; 9089 case 1: // input key 9090 psa_set_key_usage_flags(&attributes1, PSA_KEY_USAGE_DERIVE); 9091 psa_set_key_algorithm(&attributes1, alg); 9092 psa_set_key_type(&attributes1, PSA_KEY_TYPE_DERIVE); 9093 9094 PSA_ASSERT(psa_import_key(&attributes1, 9095 inputs[i]->x, inputs[i]->len, 9096 &keys[i])); 9097 9098 if (PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) { 9099 PSA_ASSERT(psa_get_key_attributes(keys[i], &attributes1)); 9100 TEST_LE_U(PSA_BITS_TO_BYTES(psa_get_key_bits(&attributes1)), 9101 PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE); 9102 } 9103 9104 TEST_EQUAL(psa_key_derivation_input_key(&operation, 9105 steps[i], 9106 keys[i]), 9107 statuses[i]); 9108 9109 if (statuses[i] != PSA_SUCCESS) { 9110 goto exit; 9111 } 9112 break; 9113 default: 9114 TEST_FAIL("default case not supported"); 9115 break; 9116 } 9117 break; 9118 case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET: 9119 switch (other_key_input_type) { 9120 case 0: // input bytes 9121 TEST_EQUAL(psa_key_derivation_input_bytes(&operation, 9122 steps[i], 9123 inputs[i]->x, 9124 inputs[i]->len), 9125 statuses[i]); 9126 break; 9127 case 1: // input key, type DERIVE 9128 case 11: // input key, type RAW 9129 psa_set_key_usage_flags(&attributes2, PSA_KEY_USAGE_DERIVE); 9130 psa_set_key_algorithm(&attributes2, alg); 9131 psa_set_key_type(&attributes2, PSA_KEY_TYPE_DERIVE); 9132 9133 // other secret of type RAW_DATA passed with input_key 9134 if (other_key_input_type == 11) { 9135 psa_set_key_type(&attributes2, PSA_KEY_TYPE_RAW_DATA); 9136 } 9137 9138 PSA_ASSERT(psa_import_key(&attributes2, 9139 inputs[i]->x, inputs[i]->len, 9140 &keys[i])); 9141 9142 TEST_EQUAL(psa_key_derivation_input_key(&operation, 9143 steps[i], 9144 keys[i]), 9145 statuses[i]); 9146 break; 9147 case 2: // key agreement 9148 psa_set_key_usage_flags(&attributes3, PSA_KEY_USAGE_DERIVE); 9149 psa_set_key_algorithm(&attributes3, alg); 9150 psa_set_key_type(&attributes3, 9151 PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)); 9152 9153 PSA_ASSERT(psa_import_key(&attributes3, 9154 inputs[i]->x, inputs[i]->len, 9155 &keys[i])); 9156 9157 TEST_EQUAL(psa_key_derivation_key_agreement( 9158 &operation, 9159 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET, 9160 keys[i], key_agreement_peer_key->x, 9161 key_agreement_peer_key->len), statuses[i]); 9162 break; 9163 default: 9164 TEST_FAIL("default case not supported"); 9165 break; 9166 } 9167 9168 if (statuses[i] != PSA_SUCCESS) { 9169 goto exit; 9170 } 9171 break; 9172 default: 9173 TEST_EQUAL(psa_key_derivation_input_bytes( 9174 &operation, steps[i], 9175 inputs[i]->x, inputs[i]->len), statuses[i]); 9176 9177 if (statuses[i] != PSA_SUCCESS) { 9178 goto exit; 9179 } 9180 break; 9181 } 9182 } 9183 9184 PSA_ASSERT(psa_key_derivation_get_capacity(&operation, 9185 ¤t_capacity)); 9186 TEST_EQUAL(current_capacity, requested_capacity); 9187 expected_capacity = requested_capacity; 9188 9189 if (derive_type == 1) { // output key 9190 psa_status_t expected_status = PSA_ERROR_NOT_PERMITTED; 9191 9192 /* For output key derivation secret must be provided using 9193 input key, otherwise operation is not permitted. */ 9194 if (key_input_type == 1) { 9195 expected_status = PSA_SUCCESS; 9196 } 9197 9198 psa_set_key_usage_flags(&attributes4, PSA_KEY_USAGE_EXPORT); 9199 psa_set_key_algorithm(&attributes4, alg); 9200 psa_set_key_type(&attributes4, PSA_KEY_TYPE_DERIVE); 9201 psa_set_key_bits(&attributes4, PSA_BYTES_TO_BITS(requested_capacity)); 9202 9203 TEST_EQUAL(psa_key_derivation_output_key(&attributes4, &operation, 9204 &derived_key), expected_status); 9205 } else { // output bytes 9206 /* Expansion phase. */ 9207 for (i = 0; i < ARRAY_LENGTH(expected_outputs); i++) { 9208 /* Read some bytes. */ 9209 status = psa_key_derivation_output_bytes(&operation, 9210 output_buffer, output_sizes[i]); 9211 if (expected_capacity == 0 && output_sizes[i] == 0) { 9212 /* Reading 0 bytes when 0 bytes are available can go either way. */ 9213 TEST_ASSERT(status == PSA_SUCCESS || 9214 status == PSA_ERROR_INSUFFICIENT_DATA); 9215 continue; 9216 } else if (expected_capacity == 0 || 9217 output_sizes[i] > expected_capacity) { 9218 /* Capacity exceeded. */ 9219 TEST_EQUAL(status, PSA_ERROR_INSUFFICIENT_DATA); 9220 expected_capacity = 0; 9221 continue; 9222 } 9223 /* Success. Check the read data. */ 9224 PSA_ASSERT(status); 9225 if (output_sizes[i] != 0) { 9226 TEST_MEMORY_COMPARE(output_buffer, output_sizes[i], 9227 expected_outputs[i], output_sizes[i]); 9228 } 9229 /* Check the operation status. */ 9230 expected_capacity -= output_sizes[i]; 9231 PSA_ASSERT(psa_key_derivation_get_capacity(&operation, 9232 ¤t_capacity)); 9233 TEST_EQUAL(expected_capacity, current_capacity); 9234 } 9235 } 9236 PSA_ASSERT(psa_key_derivation_abort(&operation)); 9237 9238exit: 9239 mbedtls_free(output_buffer); 9240 psa_key_derivation_abort(&operation); 9241 for (i = 0; i < ARRAY_LENGTH(keys); i++) { 9242 psa_destroy_key(keys[i]); 9243 } 9244 psa_destroy_key(derived_key); 9245 PSA_DONE(); 9246} 9247/* END_CASE */ 9248 9249/* BEGIN_CASE */ 9250void derive_full(int alg_arg, 9251 data_t *key_data, 9252 data_t *input1, 9253 data_t *input2, 9254 int requested_capacity_arg) 9255{ 9256 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 9257 psa_algorithm_t alg = alg_arg; 9258 size_t requested_capacity = requested_capacity_arg; 9259 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 9260 unsigned char output_buffer[32]; 9261 size_t expected_capacity = requested_capacity; 9262 size_t current_capacity; 9263 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 9264 9265 PSA_ASSERT(psa_crypto_init()); 9266 9267 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 9268 psa_set_key_algorithm(&attributes, alg); 9269 psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE); 9270 9271 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 9272 &key)); 9273 9274 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, key, alg, 9275 input1->x, input1->len, 9276 input2->x, input2->len, 9277 requested_capacity, 0)) { 9278 goto exit; 9279 } 9280 9281 PSA_ASSERT(psa_key_derivation_get_capacity(&operation, 9282 ¤t_capacity)); 9283 TEST_EQUAL(current_capacity, expected_capacity); 9284 9285 /* Expansion phase. */ 9286 while (current_capacity > 0) { 9287 size_t read_size = sizeof(output_buffer); 9288 if (read_size > current_capacity) { 9289 read_size = current_capacity; 9290 } 9291 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, 9292 output_buffer, 9293 read_size)); 9294 expected_capacity -= read_size; 9295 PSA_ASSERT(psa_key_derivation_get_capacity(&operation, 9296 ¤t_capacity)); 9297 TEST_EQUAL(current_capacity, expected_capacity); 9298 } 9299 9300 /* Check that the operation refuses to go over capacity. */ 9301 TEST_EQUAL(psa_key_derivation_output_bytes(&operation, output_buffer, 1), 9302 PSA_ERROR_INSUFFICIENT_DATA); 9303 9304 PSA_ASSERT(psa_key_derivation_abort(&operation)); 9305 9306exit: 9307 psa_key_derivation_abort(&operation); 9308 psa_destroy_key(key); 9309 PSA_DONE(); 9310} 9311/* END_CASE */ 9312 9313/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS */ 9314void derive_ecjpake_to_pms(data_t *input, int expected_input_status_arg, 9315 int derivation_step, 9316 int capacity, int expected_capacity_status_arg, 9317 data_t *expected_output, 9318 int expected_output_status_arg) 9319{ 9320 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS; 9321 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 9322 psa_key_derivation_step_t step = (psa_key_derivation_step_t) derivation_step; 9323 uint8_t *output_buffer = NULL; 9324 psa_status_t status; 9325 psa_status_t expected_input_status = (psa_status_t) expected_input_status_arg; 9326 psa_status_t expected_capacity_status = (psa_status_t) expected_capacity_status_arg; 9327 psa_status_t expected_output_status = (psa_status_t) expected_output_status_arg; 9328 9329 TEST_CALLOC(output_buffer, expected_output->len); 9330 PSA_ASSERT(psa_crypto_init()); 9331 9332 PSA_ASSERT(psa_key_derivation_setup(&operation, alg)); 9333 TEST_EQUAL(psa_key_derivation_set_capacity(&operation, capacity), 9334 expected_capacity_status); 9335 9336 TEST_EQUAL(psa_key_derivation_input_bytes(&operation, 9337 step, input->x, input->len), 9338 expected_input_status); 9339 9340 if (((psa_status_t) expected_input_status) != PSA_SUCCESS) { 9341 goto exit; 9342 } 9343 9344 status = psa_key_derivation_output_bytes(&operation, output_buffer, 9345 expected_output->len); 9346 9347 TEST_EQUAL(status, expected_output_status); 9348 if (expected_output->len != 0 && expected_output_status == PSA_SUCCESS) { 9349 TEST_MEMORY_COMPARE(output_buffer, expected_output->len, expected_output->x, 9350 expected_output->len); 9351 } 9352 9353exit: 9354 mbedtls_free(output_buffer); 9355 psa_key_derivation_abort(&operation); 9356 PSA_DONE(); 9357} 9358/* END_CASE */ 9359 9360/* BEGIN_CASE */ 9361void derive_key_exercise(int alg_arg, 9362 data_t *key_data, 9363 data_t *input1, 9364 data_t *input2, 9365 int derived_type_arg, 9366 int derived_bits_arg, 9367 int derived_usage_arg, 9368 int derived_alg_arg) 9369{ 9370 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 9371 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 9372 psa_algorithm_t alg = alg_arg; 9373 psa_key_type_t derived_type = derived_type_arg; 9374 size_t derived_bits = derived_bits_arg; 9375 psa_key_usage_t derived_usage = derived_usage_arg; 9376 psa_algorithm_t derived_alg = derived_alg_arg; 9377 size_t capacity = PSA_BITS_TO_BYTES(derived_bits); 9378 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 9379 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 9380 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 9381 9382 PSA_ASSERT(psa_crypto_init()); 9383 9384 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 9385 psa_set_key_algorithm(&attributes, alg); 9386 psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE); 9387 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, 9388 &base_key)); 9389 9390 /* Derive a key. */ 9391 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg, 9392 input1->x, input1->len, 9393 input2->x, input2->len, 9394 capacity, 0)) { 9395 goto exit; 9396 } 9397 9398 psa_set_key_usage_flags(&attributes, derived_usage); 9399 psa_set_key_algorithm(&attributes, derived_alg); 9400 psa_set_key_type(&attributes, derived_type); 9401 psa_set_key_bits(&attributes, derived_bits); 9402 PSA_ASSERT(psa_key_derivation_output_key(&attributes, &operation, 9403 &derived_key)); 9404 9405 /* Test the key information */ 9406 PSA_ASSERT(psa_get_key_attributes(derived_key, &got_attributes)); 9407 TEST_EQUAL(psa_get_key_type(&got_attributes), derived_type); 9408 TEST_EQUAL(psa_get_key_bits(&got_attributes), derived_bits); 9409 9410 /* Exercise the derived key. */ 9411 if (!mbedtls_test_psa_exercise_key(derived_key, derived_usage, derived_alg, 0)) { 9412 goto exit; 9413 } 9414 9415exit: 9416 /* 9417 * Key attributes may have been returned by psa_get_key_attributes() 9418 * thus reset them as required. 9419 */ 9420 psa_reset_key_attributes(&got_attributes); 9421 9422 psa_key_derivation_abort(&operation); 9423 psa_destroy_key(base_key); 9424 psa_destroy_key(derived_key); 9425 PSA_DONE(); 9426} 9427/* END_CASE */ 9428 9429/* BEGIN_CASE */ 9430void derive_key_export(int alg_arg, 9431 data_t *key_data, 9432 data_t *input1, 9433 data_t *input2, 9434 int bytes1_arg, 9435 int bytes2_arg) 9436{ 9437 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 9438 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 9439 psa_algorithm_t alg = alg_arg; 9440 size_t bytes1 = bytes1_arg; 9441 size_t bytes2 = bytes2_arg; 9442 size_t capacity = bytes1 + bytes2; 9443 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 9444 uint8_t *output_buffer = NULL; 9445 uint8_t *export_buffer = NULL; 9446 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 9447 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; 9448 size_t length; 9449 9450 TEST_CALLOC(output_buffer, capacity); 9451 TEST_CALLOC(export_buffer, capacity); 9452 PSA_ASSERT(psa_crypto_init()); 9453 9454 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE); 9455 psa_set_key_algorithm(&base_attributes, alg); 9456 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE); 9457 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len, 9458 &base_key)); 9459 9460 /* Derive some material and output it. */ 9461 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg, 9462 input1->x, input1->len, 9463 input2->x, input2->len, 9464 capacity, 0)) { 9465 goto exit; 9466 } 9467 9468 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, 9469 output_buffer, 9470 capacity)); 9471 PSA_ASSERT(psa_key_derivation_abort(&operation)); 9472 9473 /* Derive the same output again, but this time store it in key objects. */ 9474 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg, 9475 input1->x, input1->len, 9476 input2->x, input2->len, 9477 capacity, 0)) { 9478 goto exit; 9479 } 9480 9481 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT); 9482 psa_set_key_algorithm(&derived_attributes, 0); 9483 psa_set_key_type(&derived_attributes, PSA_KEY_TYPE_RAW_DATA); 9484 psa_set_key_bits(&derived_attributes, PSA_BYTES_TO_BITS(bytes1)); 9485 PSA_ASSERT(psa_key_derivation_output_key(&derived_attributes, &operation, 9486 &derived_key)); 9487 PSA_ASSERT(psa_export_key(derived_key, 9488 export_buffer, bytes1, 9489 &length)); 9490 TEST_EQUAL(length, bytes1); 9491 PSA_ASSERT(psa_destroy_key(derived_key)); 9492 psa_set_key_bits(&derived_attributes, PSA_BYTES_TO_BITS(bytes2)); 9493 PSA_ASSERT(psa_key_derivation_output_key(&derived_attributes, &operation, 9494 &derived_key)); 9495 PSA_ASSERT(psa_export_key(derived_key, 9496 export_buffer + bytes1, bytes2, 9497 &length)); 9498 TEST_EQUAL(length, bytes2); 9499 9500 /* Compare the outputs from the two runs. */ 9501 TEST_MEMORY_COMPARE(output_buffer, bytes1 + bytes2, 9502 export_buffer, capacity); 9503 9504exit: 9505 mbedtls_free(output_buffer); 9506 mbedtls_free(export_buffer); 9507 psa_key_derivation_abort(&operation); 9508 psa_destroy_key(base_key); 9509 psa_destroy_key(derived_key); 9510 PSA_DONE(); 9511} 9512/* END_CASE */ 9513 9514/* BEGIN_CASE */ 9515void derive_key_type(int alg_arg, 9516 data_t *key_data, 9517 data_t *input1, 9518 data_t *input2, 9519 int key_type_arg, int bits_arg, 9520 data_t *expected_export) 9521{ 9522 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 9523 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 9524 const psa_algorithm_t alg = alg_arg; 9525 const psa_key_type_t key_type = key_type_arg; 9526 const size_t bits = bits_arg; 9527 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 9528 const size_t export_buffer_size = 9529 PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits); 9530 uint8_t *export_buffer = NULL; 9531 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 9532 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; 9533 size_t export_length; 9534 9535 TEST_CALLOC(export_buffer, export_buffer_size); 9536 PSA_ASSERT(psa_crypto_init()); 9537 9538 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE); 9539 psa_set_key_algorithm(&base_attributes, alg); 9540 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE); 9541 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len, 9542 &base_key)); 9543 9544 if (mbedtls_test_psa_setup_key_derivation_wrap( 9545 &operation, base_key, alg, 9546 input1->x, input1->len, 9547 input2->x, input2->len, 9548 PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) { 9549 goto exit; 9550 } 9551 9552 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT); 9553 psa_set_key_algorithm(&derived_attributes, 0); 9554 psa_set_key_type(&derived_attributes, key_type); 9555 psa_set_key_bits(&derived_attributes, bits); 9556 PSA_ASSERT(psa_key_derivation_output_key(&derived_attributes, &operation, 9557 &derived_key)); 9558 9559 PSA_ASSERT(psa_export_key(derived_key, 9560 export_buffer, export_buffer_size, 9561 &export_length)); 9562 TEST_MEMORY_COMPARE(export_buffer, export_length, 9563 expected_export->x, expected_export->len); 9564 9565exit: 9566 mbedtls_free(export_buffer); 9567 psa_key_derivation_abort(&operation); 9568 psa_destroy_key(base_key); 9569 psa_destroy_key(derived_key); 9570 PSA_DONE(); 9571} 9572/* END_CASE */ 9573 9574/* BEGIN_CASE */ 9575void derive_key_custom(int alg_arg, 9576 data_t *key_data, 9577 data_t *input1, 9578 data_t *input2, 9579 int key_type_arg, int bits_arg, 9580 int flags_arg, 9581 data_t *custom_data, 9582 psa_status_t expected_status, 9583 data_t *expected_export) 9584{ 9585 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 9586 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 9587 const psa_algorithm_t alg = alg_arg; 9588 const psa_key_type_t key_type = key_type_arg; 9589 const size_t bits = bits_arg; 9590 psa_custom_key_parameters_t custom = PSA_CUSTOM_KEY_PARAMETERS_INIT; 9591 custom.flags = flags_arg; 9592 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 9593 const size_t export_buffer_size = 9594 PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits); 9595 uint8_t *export_buffer = NULL; 9596 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 9597 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; 9598 size_t export_length; 9599 9600 TEST_CALLOC(export_buffer, export_buffer_size); 9601 PSA_ASSERT(psa_crypto_init()); 9602 9603 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE); 9604 psa_set_key_algorithm(&base_attributes, alg); 9605 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE); 9606 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len, 9607 &base_key)); 9608 9609 if (mbedtls_test_psa_setup_key_derivation_wrap( 9610 &operation, base_key, alg, 9611 input1->x, input1->len, 9612 input2->x, input2->len, 9613 PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) { 9614 goto exit; 9615 } 9616 9617 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT); 9618 psa_set_key_algorithm(&derived_attributes, 0); 9619 psa_set_key_type(&derived_attributes, key_type); 9620 psa_set_key_bits(&derived_attributes, bits); 9621 9622 TEST_EQUAL(psa_key_derivation_output_key_custom( 9623 &derived_attributes, &operation, 9624 &custom, custom_data->x, custom_data->len, 9625 &derived_key), 9626 expected_status); 9627 9628 if (expected_status == PSA_SUCCESS) { 9629 PSA_ASSERT(psa_export_key(derived_key, 9630 export_buffer, export_buffer_size, 9631 &export_length)); 9632 TEST_MEMORY_COMPARE(export_buffer, export_length, 9633 expected_export->x, expected_export->len); 9634 } 9635 9636exit: 9637 mbedtls_free(export_buffer); 9638 psa_key_derivation_abort(&operation); 9639 psa_destroy_key(base_key); 9640 psa_destroy_key(derived_key); 9641 PSA_DONE(); 9642} 9643/* END_CASE */ 9644 9645/* BEGIN_CASE */ 9646void derive_key_ext(int alg_arg, 9647 data_t *key_data, 9648 data_t *input1, 9649 data_t *input2, 9650 int key_type_arg, int bits_arg, 9651 int flags_arg, 9652 data_t *params_data, 9653 psa_status_t expected_status, 9654 data_t *expected_export) 9655{ 9656 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 9657 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 9658 const psa_algorithm_t alg = alg_arg; 9659 const psa_key_type_t key_type = key_type_arg; 9660 const size_t bits = bits_arg; 9661 psa_key_production_parameters_t *params = NULL; 9662 size_t params_data_length = 0; 9663 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 9664 const size_t export_buffer_size = 9665 PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits); 9666 uint8_t *export_buffer = NULL; 9667 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 9668 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; 9669 size_t export_length; 9670 9671 TEST_CALLOC(export_buffer, export_buffer_size); 9672 PSA_ASSERT(psa_crypto_init()); 9673 9674 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE); 9675 psa_set_key_algorithm(&base_attributes, alg); 9676 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE); 9677 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len, 9678 &base_key)); 9679 9680 if (mbedtls_test_psa_setup_key_derivation_wrap( 9681 &operation, base_key, alg, 9682 input1->x, input1->len, 9683 input2->x, input2->len, 9684 PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) { 9685 goto exit; 9686 } 9687 9688 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT); 9689 psa_set_key_algorithm(&derived_attributes, 0); 9690 psa_set_key_type(&derived_attributes, key_type); 9691 psa_set_key_bits(&derived_attributes, bits); 9692 if (!setup_key_production_parameters(¶ms, ¶ms_data_length, 9693 flags_arg, params_data)) { 9694 goto exit; 9695 } 9696 9697 TEST_EQUAL(psa_key_derivation_output_key_ext(&derived_attributes, &operation, 9698 params, params_data_length, 9699 &derived_key), 9700 expected_status); 9701 9702 if (expected_status == PSA_SUCCESS) { 9703 PSA_ASSERT(psa_export_key(derived_key, 9704 export_buffer, export_buffer_size, 9705 &export_length)); 9706 TEST_MEMORY_COMPARE(export_buffer, export_length, 9707 expected_export->x, expected_export->len); 9708 } 9709 9710exit: 9711 mbedtls_free(export_buffer); 9712 mbedtls_free(params); 9713 psa_key_derivation_abort(&operation); 9714 psa_destroy_key(base_key); 9715 psa_destroy_key(derived_key); 9716 PSA_DONE(); 9717} 9718/* END_CASE */ 9719 9720/* BEGIN_CASE */ 9721void derive_key(int alg_arg, 9722 data_t *key_data, data_t *input1, data_t *input2, 9723 int type_arg, int bits_arg, 9724 int expected_status_arg, 9725 int is_large_output) 9726{ 9727 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 9728 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 9729 psa_algorithm_t alg = alg_arg; 9730 psa_key_type_t type = type_arg; 9731 size_t bits = bits_arg; 9732 psa_status_t expected_status = expected_status_arg; 9733 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 9734 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 9735 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; 9736 9737 PSA_ASSERT(psa_crypto_init()); 9738 9739 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE); 9740 psa_set_key_algorithm(&base_attributes, alg); 9741 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE); 9742 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len, 9743 &base_key)); 9744 9745 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg, 9746 input1->x, input1->len, 9747 input2->x, input2->len, 9748 SIZE_MAX, 0)) { 9749 goto exit; 9750 } 9751 9752 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT); 9753 psa_set_key_algorithm(&derived_attributes, 0); 9754 psa_set_key_type(&derived_attributes, type); 9755 psa_set_key_bits(&derived_attributes, bits); 9756 9757 psa_status_t status = 9758 psa_key_derivation_output_key(&derived_attributes, 9759 &operation, 9760 &derived_key); 9761 if (is_large_output > 0) { 9762 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY); 9763 } 9764 TEST_EQUAL(status, expected_status); 9765 9766exit: 9767 psa_key_derivation_abort(&operation); 9768 psa_destroy_key(base_key); 9769 psa_destroy_key(derived_key); 9770 PSA_DONE(); 9771} 9772/* END_CASE */ 9773 9774/* BEGIN_CASE */ 9775void key_agreement_setup(int alg_arg, 9776 int our_key_type_arg, int our_key_alg_arg, 9777 data_t *our_key_data, data_t *peer_key_data, 9778 int expected_status_arg) 9779{ 9780 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 9781 psa_algorithm_t alg = alg_arg; 9782 psa_algorithm_t our_key_alg = our_key_alg_arg; 9783 psa_key_type_t our_key_type = our_key_type_arg; 9784 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 9785 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 9786 psa_status_t expected_status = expected_status_arg; 9787 psa_status_t status; 9788 9789 PSA_ASSERT(psa_crypto_init()); 9790 9791 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 9792 psa_set_key_algorithm(&attributes, our_key_alg); 9793 psa_set_key_type(&attributes, our_key_type); 9794 PSA_ASSERT(psa_import_key(&attributes, 9795 our_key_data->x, our_key_data->len, 9796 &our_key)); 9797 9798 /* The tests currently include inputs that should fail at either step. 9799 * Test cases that fail at the setup step should be changed to call 9800 * key_derivation_setup instead, and this function should be renamed 9801 * to key_agreement_fail. */ 9802 status = psa_key_derivation_setup(&operation, alg); 9803 if (status == PSA_SUCCESS) { 9804 TEST_EQUAL(psa_key_derivation_key_agreement( 9805 &operation, PSA_KEY_DERIVATION_INPUT_SECRET, 9806 our_key, 9807 peer_key_data->x, peer_key_data->len), 9808 expected_status); 9809 } else { 9810 TEST_ASSERT(status == expected_status); 9811 } 9812 9813exit: 9814 psa_key_derivation_abort(&operation); 9815 psa_destroy_key(our_key); 9816 PSA_DONE(); 9817} 9818/* END_CASE */ 9819 9820/* BEGIN_CASE */ 9821void raw_key_agreement(int alg_arg, 9822 int our_key_type_arg, data_t *our_key_data, 9823 data_t *peer_key_data, 9824 data_t *expected_output) 9825{ 9826 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 9827 psa_algorithm_t alg = alg_arg; 9828 psa_key_type_t our_key_type = our_key_type_arg; 9829 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 9830 unsigned char *output = NULL; 9831 size_t output_length = ~0; 9832 size_t key_bits; 9833 9834 PSA_ASSERT(psa_crypto_init()); 9835 9836 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 9837 psa_set_key_algorithm(&attributes, alg); 9838 psa_set_key_type(&attributes, our_key_type); 9839 PSA_ASSERT(psa_import_key(&attributes, 9840 our_key_data->x, our_key_data->len, 9841 &our_key)); 9842 9843 PSA_ASSERT(psa_get_key_attributes(our_key, &attributes)); 9844 key_bits = psa_get_key_bits(&attributes); 9845 9846 /* Validate size macros */ 9847 TEST_LE_U(expected_output->len, 9848 PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(our_key_type, key_bits)); 9849 TEST_LE_U(PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(our_key_type, key_bits), 9850 PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE); 9851 9852 /* Good case with exact output size */ 9853 TEST_CALLOC(output, expected_output->len); 9854 PSA_ASSERT(psa_raw_key_agreement(alg, our_key, 9855 peer_key_data->x, peer_key_data->len, 9856 output, expected_output->len, 9857 &output_length)); 9858 TEST_MEMORY_COMPARE(output, output_length, 9859 expected_output->x, expected_output->len); 9860 mbedtls_free(output); 9861 output = NULL; 9862 output_length = ~0; 9863 9864 /* Larger buffer */ 9865 TEST_CALLOC(output, expected_output->len + 1); 9866 PSA_ASSERT(psa_raw_key_agreement(alg, our_key, 9867 peer_key_data->x, peer_key_data->len, 9868 output, expected_output->len + 1, 9869 &output_length)); 9870 TEST_MEMORY_COMPARE(output, output_length, 9871 expected_output->x, expected_output->len); 9872 mbedtls_free(output); 9873 output = NULL; 9874 output_length = ~0; 9875 9876 /* Buffer too small */ 9877 TEST_CALLOC(output, expected_output->len - 1); 9878 TEST_EQUAL(psa_raw_key_agreement(alg, our_key, 9879 peer_key_data->x, peer_key_data->len, 9880 output, expected_output->len - 1, 9881 &output_length), 9882 PSA_ERROR_BUFFER_TOO_SMALL); 9883 /* Not required by the spec, but good robustness */ 9884 TEST_LE_U(output_length, expected_output->len - 1); 9885 mbedtls_free(output); 9886 output = NULL; 9887 9888exit: 9889 mbedtls_free(output); 9890 psa_destroy_key(our_key); 9891 PSA_DONE(); 9892} 9893/* END_CASE */ 9894 9895/* BEGIN_CASE */ 9896void key_agreement_capacity(int alg_arg, 9897 int our_key_type_arg, data_t *our_key_data, 9898 data_t *peer_key_data, 9899 int expected_capacity_arg) 9900{ 9901 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 9902 psa_algorithm_t alg = alg_arg; 9903 psa_key_type_t our_key_type = our_key_type_arg; 9904 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 9905 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 9906 size_t actual_capacity; 9907 unsigned char output[16]; 9908 9909 PSA_ASSERT(psa_crypto_init()); 9910 9911 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 9912 psa_set_key_algorithm(&attributes, alg); 9913 psa_set_key_type(&attributes, our_key_type); 9914 PSA_ASSERT(psa_import_key(&attributes, 9915 our_key_data->x, our_key_data->len, 9916 &our_key)); 9917 9918 PSA_ASSERT(psa_key_derivation_setup(&operation, alg)); 9919 PSA_ASSERT(psa_key_derivation_key_agreement( 9920 &operation, 9921 PSA_KEY_DERIVATION_INPUT_SECRET, our_key, 9922 peer_key_data->x, peer_key_data->len)); 9923 if (PSA_ALG_IS_HKDF(PSA_ALG_KEY_AGREEMENT_GET_KDF(alg))) { 9924 /* The test data is for info="" */ 9925 PSA_ASSERT(psa_key_derivation_input_bytes(&operation, 9926 PSA_KEY_DERIVATION_INPUT_INFO, 9927 NULL, 0)); 9928 } 9929 9930 /* Test the advertised capacity. */ 9931 PSA_ASSERT(psa_key_derivation_get_capacity( 9932 &operation, &actual_capacity)); 9933 TEST_EQUAL(actual_capacity, (size_t) expected_capacity_arg); 9934 9935 /* Test the actual capacity by reading the output. */ 9936 while (actual_capacity > sizeof(output)) { 9937 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, 9938 output, sizeof(output))); 9939 actual_capacity -= sizeof(output); 9940 } 9941 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, 9942 output, actual_capacity)); 9943 TEST_EQUAL(psa_key_derivation_output_bytes(&operation, output, 1), 9944 PSA_ERROR_INSUFFICIENT_DATA); 9945 9946exit: 9947 psa_key_derivation_abort(&operation); 9948 psa_destroy_key(our_key); 9949 PSA_DONE(); 9950} 9951/* END_CASE */ 9952 9953/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ 9954void ecc_conversion_functions(int grp_id_arg, int psa_family_arg, int bits_arg) 9955{ 9956 mbedtls_ecp_group_id grp_id = grp_id_arg; 9957 psa_ecc_family_t ecc_family = psa_family_arg; 9958 size_t bits = bits_arg; 9959 size_t bits_tmp; 9960 9961 TEST_EQUAL(ecc_family, mbedtls_ecc_group_to_psa(grp_id, &bits_tmp)); 9962 TEST_EQUAL(bits, bits_tmp); 9963 TEST_EQUAL(grp_id, mbedtls_ecc_group_from_psa(ecc_family, bits)); 9964} 9965/* END_CASE */ 9966 9967/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ 9968void ecc_conversion_functions_fail() 9969{ 9970 size_t bits; 9971 9972 /* Invalid legacy curve identifiers. */ 9973 TEST_EQUAL(0, mbedtls_ecc_group_to_psa(MBEDTLS_ECP_DP_MAX, &bits)); 9974 TEST_EQUAL(0, bits); 9975 TEST_EQUAL(0, mbedtls_ecc_group_to_psa(MBEDTLS_ECP_DP_NONE, &bits)); 9976 TEST_EQUAL(0, bits); 9977 9978 /* Invalid PSA EC family. */ 9979 TEST_EQUAL(MBEDTLS_ECP_DP_NONE, mbedtls_ecc_group_from_psa(0, 192)); 9980 /* Invalid bit-size for a valid EC family. */ 9981 TEST_EQUAL(MBEDTLS_ECP_DP_NONE, mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_SECP_R1, 512)); 9982 9983 /* Twisted-Edward curves are not supported yet. */ 9984 TEST_EQUAL(MBEDTLS_ECP_DP_NONE, 9985 mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_TWISTED_EDWARDS, 255)); 9986 TEST_EQUAL(MBEDTLS_ECP_DP_NONE, 9987 mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_TWISTED_EDWARDS, 448)); 9988} 9989/* END_CASE */ 9990 9991 9992/* BEGIN_CASE */ 9993void key_agreement_output(int alg_arg, 9994 int our_key_type_arg, data_t *our_key_data, 9995 data_t *peer_key_data, 9996 data_t *expected_output1, data_t *expected_output2) 9997{ 9998 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 9999 psa_algorithm_t alg = alg_arg; 10000 psa_key_type_t our_key_type = our_key_type_arg; 10001 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 10002 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10003 uint8_t *actual_output = NULL; 10004 10005 TEST_CALLOC(actual_output, MAX(expected_output1->len, 10006 expected_output2->len)); 10007 10008 PSA_ASSERT(psa_crypto_init()); 10009 10010 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 10011 psa_set_key_algorithm(&attributes, alg); 10012 psa_set_key_type(&attributes, our_key_type); 10013 PSA_ASSERT(psa_import_key(&attributes, 10014 our_key_data->x, our_key_data->len, 10015 &our_key)); 10016 10017 PSA_ASSERT(psa_key_derivation_setup(&operation, alg)); 10018 PSA_ASSERT(psa_key_derivation_key_agreement( 10019 &operation, 10020 PSA_KEY_DERIVATION_INPUT_SECRET, our_key, 10021 peer_key_data->x, peer_key_data->len)); 10022 if (PSA_ALG_IS_HKDF(PSA_ALG_KEY_AGREEMENT_GET_KDF(alg))) { 10023 /* The test data is for info="" */ 10024 PSA_ASSERT(psa_key_derivation_input_bytes(&operation, 10025 PSA_KEY_DERIVATION_INPUT_INFO, 10026 NULL, 0)); 10027 } 10028 10029 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, 10030 actual_output, 10031 expected_output1->len)); 10032 TEST_MEMORY_COMPARE(actual_output, expected_output1->len, 10033 expected_output1->x, expected_output1->len); 10034 if (expected_output2->len != 0) { 10035 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, 10036 actual_output, 10037 expected_output2->len)); 10038 TEST_MEMORY_COMPARE(actual_output, expected_output2->len, 10039 expected_output2->x, expected_output2->len); 10040 } 10041 10042exit: 10043 psa_key_derivation_abort(&operation); 10044 psa_destroy_key(our_key); 10045 PSA_DONE(); 10046 mbedtls_free(actual_output); 10047} 10048/* END_CASE */ 10049 10050/* BEGIN_CASE */ 10051void generate_random(int bytes_arg) 10052{ 10053 size_t bytes = bytes_arg; 10054 unsigned char *output = NULL; 10055 unsigned char *changed = NULL; 10056 size_t i; 10057 unsigned run; 10058 10059 TEST_ASSERT(bytes_arg >= 0); 10060 10061 TEST_CALLOC(output, bytes); 10062 TEST_CALLOC(changed, bytes); 10063 10064 PSA_ASSERT(psa_crypto_init()); 10065 10066 /* Run several times, to ensure that every output byte will be 10067 * nonzero at least once with overwhelming probability 10068 * (2^(-8*number_of_runs)). */ 10069 for (run = 0; run < 10; run++) { 10070 if (bytes != 0) { 10071 memset(output, 0, bytes); 10072 } 10073 PSA_ASSERT(psa_generate_random(output, bytes)); 10074 10075 for (i = 0; i < bytes; i++) { 10076 if (output[i] != 0) { 10077 ++changed[i]; 10078 } 10079 } 10080 } 10081 10082 /* Check that every byte was changed to nonzero at least once. This 10083 * validates that psa_generate_random is overwriting every byte of 10084 * the output buffer. */ 10085 for (i = 0; i < bytes; i++) { 10086 TEST_ASSERT(changed[i] != 0); 10087 } 10088 10089exit: 10090 PSA_DONE(); 10091 mbedtls_free(output); 10092 mbedtls_free(changed); 10093} 10094/* END_CASE */ 10095 10096#if defined MBEDTLS_THREADING_PTHREAD 10097 10098/* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD */ 10099void concurrently_generate_keys(int type_arg, 10100 int bits_arg, 10101 int usage_arg, 10102 int alg_arg, 10103 int expected_status_arg, 10104 int is_large_key_arg, 10105 int arg_thread_count, 10106 int reps_arg) 10107{ 10108 size_t thread_count = (size_t) arg_thread_count; 10109 mbedtls_test_thread_t *threads = NULL; 10110 generate_key_context gkc; 10111 gkc.type = type_arg; 10112 gkc.usage = usage_arg; 10113 gkc.bits = bits_arg; 10114 gkc.alg = alg_arg; 10115 gkc.expected_status = expected_status_arg; 10116 gkc.is_large_key = is_large_key_arg; 10117 gkc.reps = reps_arg; 10118 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10119 10120 PSA_ASSERT(psa_crypto_init()); 10121 10122 psa_set_key_usage_flags(&attributes, usage_arg); 10123 psa_set_key_algorithm(&attributes, alg_arg); 10124 psa_set_key_type(&attributes, type_arg); 10125 psa_set_key_bits(&attributes, bits_arg); 10126 gkc.attributes = &attributes; 10127 10128 TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count); 10129 10130 /* Split threads to generate key then destroy key. */ 10131 for (size_t i = 0; i < thread_count; i++) { 10132 TEST_EQUAL( 10133 mbedtls_test_thread_create(&threads[i], thread_generate_key, 10134 (void *) &gkc), 0); 10135 } 10136 10137 /* Join threads. */ 10138 for (size_t i = 0; i < thread_count; i++) { 10139 TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0); 10140 } 10141 10142exit: 10143 mbedtls_free(threads); 10144 PSA_DONE(); 10145} 10146/* END_CASE */ 10147#endif 10148 10149/* BEGIN_CASE */ 10150void generate_key(int type_arg, 10151 int bits_arg, 10152 int usage_arg, 10153 int alg_arg, 10154 int expected_status_arg, 10155 int is_large_key) 10156{ 10157 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 10158 psa_key_type_t type = type_arg; 10159 psa_key_usage_t usage = usage_arg; 10160 size_t bits = bits_arg; 10161 psa_algorithm_t alg = alg_arg; 10162 psa_status_t expected_status = expected_status_arg; 10163 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10164 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 10165 10166 PSA_ASSERT(psa_crypto_init()); 10167 10168 psa_set_key_usage_flags(&attributes, usage); 10169 psa_set_key_algorithm(&attributes, alg); 10170 psa_set_key_type(&attributes, type); 10171 psa_set_key_bits(&attributes, bits); 10172 10173 /* Generate a key */ 10174 psa_status_t status = psa_generate_key(&attributes, &key); 10175 10176 if (is_large_key > 0) { 10177 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY); 10178 } 10179 TEST_EQUAL(status, expected_status); 10180 if (expected_status != PSA_SUCCESS) { 10181 goto exit; 10182 } 10183 10184 /* Test the key information */ 10185 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 10186 TEST_EQUAL(psa_get_key_type(&got_attributes), type); 10187 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits); 10188 10189 /* Do something with the key according to its type and permitted usage. */ 10190 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) { 10191 goto exit; 10192 } 10193 10194exit: 10195 /* 10196 * Key attributes may have been returned by psa_get_key_attributes() 10197 * thus reset them as required. 10198 */ 10199 psa_reset_key_attributes(&got_attributes); 10200 10201 psa_destroy_key(key); 10202 PSA_DONE(); 10203} 10204/* END_CASE */ 10205 10206/* BEGIN_CASE */ 10207void generate_key_custom(int type_arg, 10208 int bits_arg, 10209 int usage_arg, 10210 int alg_arg, 10211 int flags_arg, 10212 data_t *custom_data, 10213 int expected_status_arg) 10214{ 10215 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 10216 psa_key_type_t type = type_arg; 10217 psa_key_usage_t usage = usage_arg; 10218 size_t bits = bits_arg; 10219 psa_algorithm_t alg = alg_arg; 10220 psa_status_t expected_status = expected_status_arg; 10221 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10222 psa_custom_key_parameters_t custom = PSA_CUSTOM_KEY_PARAMETERS_INIT; 10223 custom.flags = flags_arg; 10224 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 10225 10226 PSA_ASSERT(psa_crypto_init()); 10227 10228 psa_set_key_usage_flags(&attributes, usage); 10229 psa_set_key_algorithm(&attributes, alg); 10230 psa_set_key_type(&attributes, type); 10231 psa_set_key_bits(&attributes, bits); 10232 10233 /* Generate a key */ 10234 psa_status_t status = 10235 psa_generate_key_custom(&attributes, 10236 &custom, custom_data->x, custom_data->len, 10237 &key); 10238 10239 TEST_EQUAL(status, expected_status); 10240 if (expected_status != PSA_SUCCESS) { 10241 goto exit; 10242 } 10243 10244 /* Test the key information */ 10245 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 10246 TEST_EQUAL(psa_get_key_type(&got_attributes), type); 10247 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits); 10248 10249#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) 10250 if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) { 10251 TEST_ASSERT(rsa_test_e(key, bits, custom_data)); 10252 } 10253#endif 10254 10255 /* Do something with the key according to its type and permitted usage. */ 10256 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) { 10257 goto exit; 10258 } 10259 10260exit: 10261 /* 10262 * Key attributes may have been returned by psa_get_key_attributes() 10263 * thus reset them as required. 10264 */ 10265 psa_reset_key_attributes(&got_attributes); 10266 psa_destroy_key(key); 10267 PSA_DONE(); 10268} 10269/* END_CASE */ 10270 10271/* BEGIN_CASE */ 10272void generate_key_ext(int type_arg, 10273 int bits_arg, 10274 int usage_arg, 10275 int alg_arg, 10276 int flags_arg, 10277 data_t *params_data, 10278 int expected_status_arg) 10279{ 10280 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 10281 psa_key_type_t type = type_arg; 10282 psa_key_usage_t usage = usage_arg; 10283 size_t bits = bits_arg; 10284 psa_algorithm_t alg = alg_arg; 10285 psa_status_t expected_status = expected_status_arg; 10286 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10287 psa_key_production_parameters_t *params = NULL; 10288 size_t params_data_length = 0; 10289 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 10290 10291 PSA_ASSERT(psa_crypto_init()); 10292 10293 psa_set_key_usage_flags(&attributes, usage); 10294 psa_set_key_algorithm(&attributes, alg); 10295 psa_set_key_type(&attributes, type); 10296 psa_set_key_bits(&attributes, bits); 10297 10298 if (!setup_key_production_parameters(¶ms, ¶ms_data_length, 10299 flags_arg, params_data)) { 10300 goto exit; 10301 } 10302 10303 /* Generate a key */ 10304 psa_status_t status = psa_generate_key_ext(&attributes, 10305 params, params_data_length, 10306 &key); 10307 10308 TEST_EQUAL(status, expected_status); 10309 if (expected_status != PSA_SUCCESS) { 10310 goto exit; 10311 } 10312 10313 /* Test the key information */ 10314 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); 10315 TEST_EQUAL(psa_get_key_type(&got_attributes), type); 10316 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits); 10317 10318#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) 10319 if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) { 10320 TEST_ASSERT(rsa_test_e(key, bits, params_data)); 10321 } 10322#endif 10323 10324 /* Do something with the key according to its type and permitted usage. */ 10325 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) { 10326 goto exit; 10327 } 10328 10329exit: 10330 /* 10331 * Key attributes may have been returned by psa_get_key_attributes() 10332 * thus reset them as required. 10333 */ 10334 psa_reset_key_attributes(&got_attributes); 10335 mbedtls_free(params); 10336 psa_destroy_key(key); 10337 PSA_DONE(); 10338} 10339/* END_CASE */ 10340 10341/* BEGIN_CASE */ 10342void key_production_parameters_init() 10343{ 10344 psa_key_production_parameters_t init = PSA_KEY_PRODUCTION_PARAMETERS_INIT; 10345 psa_key_production_parameters_t zero; 10346 memset(&zero, 0, sizeof(zero)); 10347 10348 TEST_EQUAL(init.flags, 0); 10349 TEST_EQUAL(zero.flags, 0); 10350} 10351/* END_CASE */ 10352 10353/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */ 10354void persistent_key_load_key_from_storage(data_t *data, 10355 int type_arg, int bits_arg, 10356 int usage_flags_arg, int alg_arg, 10357 int generation_method) 10358{ 10359 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, 1); 10360 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10361 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 10362 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 10363 psa_key_type_t type = type_arg; 10364 size_t bits = bits_arg; 10365 psa_key_usage_t usage_flags = usage_flags_arg; 10366 psa_algorithm_t alg = alg_arg; 10367 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 10368 unsigned char *first_export = NULL; 10369 unsigned char *second_export = NULL; 10370 size_t export_size = PSA_EXPORT_KEY_OUTPUT_SIZE(type, bits); 10371 size_t first_exported_length = 0; 10372 size_t second_exported_length; 10373 10374 if (usage_flags & PSA_KEY_USAGE_EXPORT) { 10375 TEST_CALLOC(first_export, export_size); 10376 TEST_CALLOC(second_export, export_size); 10377 } 10378 10379 PSA_ASSERT(psa_crypto_init()); 10380 10381 psa_set_key_id(&attributes, key_id); 10382 psa_set_key_usage_flags(&attributes, usage_flags); 10383 psa_set_key_algorithm(&attributes, alg); 10384 psa_set_key_type(&attributes, type); 10385 psa_set_key_bits(&attributes, bits); 10386 10387 switch (generation_method) { 10388 case IMPORT_KEY: 10389 /* Import the key */ 10390 PSA_ASSERT(psa_import_key(&attributes, data->x, data->len, 10391 &key)); 10392 break; 10393 10394 case GENERATE_KEY: 10395 /* Generate a key */ 10396 PSA_ASSERT(psa_generate_key(&attributes, &key)); 10397 break; 10398 10399 case DERIVE_KEY: 10400#if defined(PSA_WANT_ALG_HKDF) && defined(PSA_WANT_ALG_SHA_256) 10401 { 10402 /* Create base key */ 10403 psa_algorithm_t derive_alg = PSA_ALG_HKDF(PSA_ALG_SHA_256); 10404 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 10405 psa_set_key_usage_flags(&base_attributes, 10406 PSA_KEY_USAGE_DERIVE); 10407 psa_set_key_algorithm(&base_attributes, derive_alg); 10408 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE); 10409 PSA_ASSERT(psa_import_key(&base_attributes, 10410 data->x, data->len, 10411 &base_key)); 10412 /* Derive a key. */ 10413 PSA_ASSERT(psa_key_derivation_setup(&operation, derive_alg)); 10414 PSA_ASSERT(psa_key_derivation_input_key( 10415 &operation, 10416 PSA_KEY_DERIVATION_INPUT_SECRET, base_key)); 10417 PSA_ASSERT(psa_key_derivation_input_bytes( 10418 &operation, PSA_KEY_DERIVATION_INPUT_INFO, 10419 NULL, 0)); 10420 PSA_ASSERT(psa_key_derivation_output_key(&attributes, 10421 &operation, 10422 &key)); 10423 PSA_ASSERT(psa_key_derivation_abort(&operation)); 10424 PSA_ASSERT(psa_destroy_key(base_key)); 10425 base_key = MBEDTLS_SVC_KEY_ID_INIT; 10426 } 10427#else 10428 TEST_ASSUME(!"KDF not supported in this configuration"); 10429#endif 10430 break; 10431 10432 default: 10433 TEST_FAIL("generation_method not implemented in test"); 10434 break; 10435 } 10436 psa_reset_key_attributes(&attributes); 10437 10438 /* Export the key if permitted by the key policy. */ 10439 if (usage_flags & PSA_KEY_USAGE_EXPORT) { 10440 PSA_ASSERT(psa_export_key(key, 10441 first_export, export_size, 10442 &first_exported_length)); 10443 if (generation_method == IMPORT_KEY) { 10444 TEST_MEMORY_COMPARE(data->x, data->len, 10445 first_export, first_exported_length); 10446 } 10447 } 10448 10449 /* Shutdown and restart */ 10450 PSA_ASSERT(psa_purge_key(key)); 10451 PSA_DONE(); 10452 PSA_ASSERT(psa_crypto_init()); 10453 10454 /* Check key slot still contains key data */ 10455 PSA_ASSERT(psa_get_key_attributes(key, &attributes)); 10456 TEST_ASSERT(mbedtls_svc_key_id_equal( 10457 psa_get_key_id(&attributes), key_id)); 10458 TEST_EQUAL(psa_get_key_lifetime(&attributes), 10459 PSA_KEY_LIFETIME_PERSISTENT); 10460 TEST_EQUAL(psa_get_key_type(&attributes), type); 10461 TEST_EQUAL(psa_get_key_bits(&attributes), bits); 10462 TEST_EQUAL(psa_get_key_usage_flags(&attributes), 10463 mbedtls_test_update_key_usage_flags(usage_flags)); 10464 TEST_EQUAL(psa_get_key_algorithm(&attributes), alg); 10465 10466 /* Export the key again if permitted by the key policy. */ 10467 if (usage_flags & PSA_KEY_USAGE_EXPORT) { 10468 PSA_ASSERT(psa_export_key(key, 10469 second_export, export_size, 10470 &second_exported_length)); 10471 TEST_MEMORY_COMPARE(first_export, first_exported_length, 10472 second_export, second_exported_length); 10473 } 10474 10475 /* Do something with the key according to its type and permitted usage. */ 10476 if (!mbedtls_test_psa_exercise_key(key, usage_flags, alg, 0)) { 10477 goto exit; 10478 } 10479 10480exit: 10481 /* 10482 * Key attributes may have been returned by psa_get_key_attributes() 10483 * thus reset them as required. 10484 */ 10485 psa_reset_key_attributes(&attributes); 10486 10487 mbedtls_free(first_export); 10488 mbedtls_free(second_export); 10489 psa_key_derivation_abort(&operation); 10490 psa_destroy_key(base_key); 10491 psa_destroy_key(key); 10492 PSA_DONE(); 10493} 10494/* END_CASE */ 10495 10496/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 10497void ecjpake_setup(int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, 10498 int primitive_arg, int hash_arg, int role_arg, 10499 int test_input, data_t *pw_data, 10500 int inj_err_type_arg, 10501 int expected_error_arg) 10502{ 10503 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 10504 psa_pake_operation_t operation = psa_pake_operation_init(); 10505 psa_algorithm_t alg = alg_arg; 10506 psa_pake_primitive_t primitive = primitive_arg; 10507 psa_key_type_t key_type_pw = key_type_pw_arg; 10508 psa_key_usage_t key_usage_pw = key_usage_pw_arg; 10509 psa_algorithm_t hash_alg = hash_arg; 10510 psa_pake_role_t role = role_arg; 10511 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 10512 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10513 ecjpake_injected_failure_t inj_err_type = inj_err_type_arg; 10514 psa_status_t expected_error = expected_error_arg; 10515 psa_status_t status; 10516 unsigned char *output_buffer = NULL; 10517 size_t output_len = 0; 10518 10519 PSA_INIT(); 10520 10521 size_t buf_size = PSA_PAKE_OUTPUT_SIZE(alg, primitive_arg, 10522 PSA_PAKE_STEP_KEY_SHARE); 10523 TEST_CALLOC(output_buffer, buf_size); 10524 10525 if (pw_data->len > 0) { 10526 psa_set_key_usage_flags(&attributes, key_usage_pw); 10527 psa_set_key_algorithm(&attributes, alg); 10528 psa_set_key_type(&attributes, key_type_pw); 10529 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, 10530 &key)); 10531 } 10532 10533 psa_pake_cs_set_algorithm(&cipher_suite, alg); 10534 psa_pake_cs_set_primitive(&cipher_suite, primitive); 10535 psa_pake_cs_set_hash(&cipher_suite, hash_alg); 10536 10537 PSA_ASSERT(psa_pake_abort(&operation)); 10538 10539 if (inj_err_type == INJECT_ERR_UNINITIALIZED_ACCESS) { 10540 TEST_EQUAL(psa_pake_set_user(&operation, NULL, 0), 10541 expected_error); 10542 PSA_ASSERT(psa_pake_abort(&operation)); 10543 TEST_EQUAL(psa_pake_set_peer(&operation, NULL, 0), 10544 expected_error); 10545 PSA_ASSERT(psa_pake_abort(&operation)); 10546 TEST_EQUAL(psa_pake_set_password_key(&operation, key), 10547 expected_error); 10548 PSA_ASSERT(psa_pake_abort(&operation)); 10549 TEST_EQUAL(psa_pake_set_role(&operation, role), 10550 expected_error); 10551 PSA_ASSERT(psa_pake_abort(&operation)); 10552 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, 10553 NULL, 0, NULL), 10554 expected_error); 10555 PSA_ASSERT(psa_pake_abort(&operation)); 10556 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, NULL, 0), 10557 expected_error); 10558 PSA_ASSERT(psa_pake_abort(&operation)); 10559 goto exit; 10560 } 10561 10562 status = psa_pake_setup(&operation, &cipher_suite); 10563 if (status != PSA_SUCCESS) { 10564 TEST_EQUAL(status, expected_error); 10565 goto exit; 10566 } 10567 10568 if (inj_err_type == INJECT_ERR_DUPLICATE_SETUP) { 10569 TEST_EQUAL(psa_pake_setup(&operation, &cipher_suite), 10570 expected_error); 10571 goto exit; 10572 } 10573 10574 status = psa_pake_set_role(&operation, role); 10575 if (status != PSA_SUCCESS) { 10576 TEST_EQUAL(status, expected_error); 10577 goto exit; 10578 } 10579 10580 if (pw_data->len > 0) { 10581 status = psa_pake_set_password_key(&operation, key); 10582 if (status != PSA_SUCCESS) { 10583 TEST_EQUAL(status, expected_error); 10584 goto exit; 10585 } 10586 } 10587 10588 if (inj_err_type == INJECT_ERR_INVALID_USER) { 10589 TEST_EQUAL(psa_pake_set_user(&operation, NULL, 0), 10590 PSA_ERROR_INVALID_ARGUMENT); 10591 goto exit; 10592 } 10593 10594 if (inj_err_type == INJECT_ERR_INVALID_PEER) { 10595 TEST_EQUAL(psa_pake_set_peer(&operation, NULL, 0), 10596 PSA_ERROR_INVALID_ARGUMENT); 10597 goto exit; 10598 } 10599 10600 if (inj_err_type == INJECT_ERR_SET_USER) { 10601 const uint8_t unsupported_id[] = "abcd"; 10602 TEST_EQUAL(psa_pake_set_user(&operation, unsupported_id, 4), 10603 PSA_ERROR_NOT_SUPPORTED); 10604 goto exit; 10605 } 10606 10607 if (inj_err_type == INJECT_ERR_SET_PEER) { 10608 const uint8_t unsupported_id[] = "abcd"; 10609 TEST_EQUAL(psa_pake_set_peer(&operation, unsupported_id, 4), 10610 PSA_ERROR_NOT_SUPPORTED); 10611 goto exit; 10612 } 10613 10614 const size_t size_key_share = PSA_PAKE_INPUT_SIZE(alg, primitive, 10615 PSA_PAKE_STEP_KEY_SHARE); 10616 const size_t size_zk_public = PSA_PAKE_INPUT_SIZE(alg, primitive, 10617 PSA_PAKE_STEP_ZK_PUBLIC); 10618 const size_t size_zk_proof = PSA_PAKE_INPUT_SIZE(alg, primitive, 10619 PSA_PAKE_STEP_ZK_PROOF); 10620 10621 if (test_input) { 10622 if (inj_err_type == INJECT_EMPTY_IO_BUFFER) { 10623 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PROOF, NULL, 0), 10624 PSA_ERROR_INVALID_ARGUMENT); 10625 goto exit; 10626 } 10627 10628 if (inj_err_type == INJECT_UNKNOWN_STEP) { 10629 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PROOF + 10, 10630 output_buffer, size_zk_proof), 10631 PSA_ERROR_INVALID_ARGUMENT); 10632 goto exit; 10633 } 10634 10635 if (inj_err_type == INJECT_INVALID_FIRST_STEP) { 10636 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PROOF, 10637 output_buffer, size_zk_proof), 10638 PSA_ERROR_BAD_STATE); 10639 goto exit; 10640 } 10641 10642 status = psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, 10643 output_buffer, size_key_share); 10644 if (status != PSA_SUCCESS) { 10645 TEST_EQUAL(status, expected_error); 10646 goto exit; 10647 } 10648 10649 if (inj_err_type == INJECT_WRONG_BUFFER_SIZE) { 10650 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 10651 output_buffer, size_zk_public + 1), 10652 PSA_ERROR_INVALID_ARGUMENT); 10653 goto exit; 10654 } 10655 10656 if (inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE) { 10657 // Just trigger any kind of error. We don't care about the result here 10658 psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 10659 output_buffer, size_zk_public + 1); 10660 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 10661 output_buffer, size_zk_public), 10662 PSA_ERROR_BAD_STATE); 10663 goto exit; 10664 } 10665 } else { 10666 if (inj_err_type == INJECT_EMPTY_IO_BUFFER) { 10667 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF, 10668 NULL, 0, NULL), 10669 PSA_ERROR_INVALID_ARGUMENT); 10670 goto exit; 10671 } 10672 10673 if (inj_err_type == INJECT_UNKNOWN_STEP) { 10674 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF + 10, 10675 output_buffer, buf_size, &output_len), 10676 PSA_ERROR_INVALID_ARGUMENT); 10677 goto exit; 10678 } 10679 10680 if (inj_err_type == INJECT_INVALID_FIRST_STEP) { 10681 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF, 10682 output_buffer, buf_size, &output_len), 10683 PSA_ERROR_BAD_STATE); 10684 goto exit; 10685 } 10686 10687 status = psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, 10688 output_buffer, buf_size, &output_len); 10689 if (status != PSA_SUCCESS) { 10690 TEST_EQUAL(status, expected_error); 10691 goto exit; 10692 } 10693 10694 TEST_ASSERT(output_len > 0); 10695 10696 if (inj_err_type == INJECT_WRONG_BUFFER_SIZE) { 10697 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 10698 output_buffer, size_zk_public - 1, &output_len), 10699 PSA_ERROR_BUFFER_TOO_SMALL); 10700 goto exit; 10701 } 10702 10703 if (inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE) { 10704 // Just trigger any kind of error. We don't care about the result here 10705 psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 10706 output_buffer, size_zk_public - 1, &output_len); 10707 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 10708 output_buffer, buf_size, &output_len), 10709 PSA_ERROR_BAD_STATE); 10710 goto exit; 10711 } 10712 } 10713 10714exit: 10715 PSA_ASSERT(psa_destroy_key(key)); 10716 PSA_ASSERT(psa_pake_abort(&operation)); 10717 mbedtls_free(output_buffer); 10718 PSA_DONE(); 10719} 10720/* END_CASE */ 10721 10722/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 10723void ecjpake_rounds_inject(int alg_arg, int primitive_arg, int hash_arg, 10724 int client_input_first, int inject_error, 10725 data_t *pw_data) 10726{ 10727 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 10728 psa_pake_operation_t server = psa_pake_operation_init(); 10729 psa_pake_operation_t client = psa_pake_operation_init(); 10730 psa_algorithm_t alg = alg_arg; 10731 psa_algorithm_t hash_alg = hash_arg; 10732 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 10733 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10734 10735 PSA_INIT(); 10736 10737 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 10738 psa_set_key_algorithm(&attributes, alg); 10739 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 10740 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, 10741 &key)); 10742 10743 psa_pake_cs_set_algorithm(&cipher_suite, alg); 10744 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg); 10745 psa_pake_cs_set_hash(&cipher_suite, hash_alg); 10746 10747 10748 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite)); 10749 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite)); 10750 10751 PSA_ASSERT(psa_pake_set_role(&server, PSA_PAKE_ROLE_SERVER)); 10752 PSA_ASSERT(psa_pake_set_role(&client, PSA_PAKE_ROLE_CLIENT)); 10753 10754 PSA_ASSERT(psa_pake_set_password_key(&server, key)); 10755 PSA_ASSERT(psa_pake_set_password_key(&client, key)); 10756 10757 ecjpake_do_round(alg, primitive_arg, &server, &client, 10758 client_input_first, 1, inject_error); 10759 10760 if (inject_error == 1 || inject_error == 2) { 10761 goto exit; 10762 } 10763 10764 ecjpake_do_round(alg, primitive_arg, &server, &client, 10765 client_input_first, 2, inject_error); 10766 10767exit: 10768 psa_destroy_key(key); 10769 psa_pake_abort(&server); 10770 psa_pake_abort(&client); 10771 PSA_DONE(); 10772} 10773/* END_CASE */ 10774 10775/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 10776void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, 10777 int derive_alg_arg, data_t *pw_data, 10778 int client_input_first, int inj_err_type_arg) 10779{ 10780 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 10781 psa_pake_operation_t server = psa_pake_operation_init(); 10782 psa_pake_operation_t client = psa_pake_operation_init(); 10783 psa_algorithm_t alg = alg_arg; 10784 psa_algorithm_t hash_alg = hash_arg; 10785 psa_algorithm_t derive_alg = derive_alg_arg; 10786 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 10787 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 10788 psa_key_derivation_operation_t server_derive = 10789 PSA_KEY_DERIVATION_OPERATION_INIT; 10790 psa_key_derivation_operation_t client_derive = 10791 PSA_KEY_DERIVATION_OPERATION_INIT; 10792 ecjpake_injected_failure_t inj_err_type = inj_err_type_arg; 10793 10794 PSA_INIT(); 10795 10796 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 10797 psa_set_key_algorithm(&attributes, alg); 10798 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 10799 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, 10800 &key)); 10801 10802 psa_pake_cs_set_algorithm(&cipher_suite, alg); 10803 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg); 10804 psa_pake_cs_set_hash(&cipher_suite, hash_alg); 10805 10806 /* Get shared key */ 10807 PSA_ASSERT(psa_key_derivation_setup(&server_derive, derive_alg)); 10808 PSA_ASSERT(psa_key_derivation_setup(&client_derive, derive_alg)); 10809 10810 if (PSA_ALG_IS_TLS12_PRF(derive_alg) || 10811 PSA_ALG_IS_TLS12_PSK_TO_MS(derive_alg)) { 10812 PSA_ASSERT(psa_key_derivation_input_bytes(&server_derive, 10813 PSA_KEY_DERIVATION_INPUT_SEED, 10814 (const uint8_t *) "", 0)); 10815 PSA_ASSERT(psa_key_derivation_input_bytes(&client_derive, 10816 PSA_KEY_DERIVATION_INPUT_SEED, 10817 (const uint8_t *) "", 0)); 10818 } 10819 10820 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite)); 10821 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite)); 10822 10823 PSA_ASSERT(psa_pake_set_role(&server, PSA_PAKE_ROLE_SERVER)); 10824 PSA_ASSERT(psa_pake_set_role(&client, PSA_PAKE_ROLE_CLIENT)); 10825 10826 PSA_ASSERT(psa_pake_set_password_key(&server, key)); 10827 PSA_ASSERT(psa_pake_set_password_key(&client, key)); 10828 10829 if (inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_1) { 10830 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive), 10831 PSA_ERROR_BAD_STATE); 10832 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive), 10833 PSA_ERROR_BAD_STATE); 10834 goto exit; 10835 } 10836 10837 /* First round */ 10838 ecjpake_do_round(alg, primitive_arg, &server, &client, 10839 client_input_first, 1, 0); 10840 10841 if (inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_2) { 10842 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive), 10843 PSA_ERROR_BAD_STATE); 10844 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive), 10845 PSA_ERROR_BAD_STATE); 10846 goto exit; 10847 } 10848 10849 /* Second round */ 10850 ecjpake_do_round(alg, primitive_arg, &server, &client, 10851 client_input_first, 2, 0); 10852 10853 PSA_ASSERT(psa_pake_get_implicit_key(&server, &server_derive)); 10854 PSA_ASSERT(psa_pake_get_implicit_key(&client, &client_derive)); 10855 10856exit: 10857 psa_key_derivation_abort(&server_derive); 10858 psa_key_derivation_abort(&client_derive); 10859 psa_destroy_key(key); 10860 psa_pake_abort(&server); 10861 psa_pake_abort(&client); 10862 PSA_DONE(); 10863} 10864/* END_CASE */ 10865 10866/* BEGIN_CASE */ 10867void ecjpake_size_macros() 10868{ 10869 const psa_algorithm_t alg = PSA_ALG_JPAKE; 10870 const size_t bits = 256; 10871 const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( 10872 PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, bits); 10873 const psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR( 10874 PSA_ECC_FAMILY_SECP_R1); 10875 10876 // https://armmbed.github.io/mbed-crypto/1.1_PAKE_Extension.0-bet.0/html/pake.html#pake-step-types 10877 /* The output for KEY_SHARE and ZK_PUBLIC is the same as a public key */ 10878 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 10879 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits)); 10880 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 10881 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits)); 10882 /* The output for ZK_PROOF is the same bitsize as the curve */ 10883 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 10884 PSA_BITS_TO_BYTES(bits)); 10885 10886 /* Input sizes are the same as output sizes */ 10887 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 10888 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE)); 10889 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 10890 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC)); 10891 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 10892 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF)); 10893 10894 /* These inequalities will always hold even when other PAKEs are added */ 10895 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 10896 PSA_PAKE_OUTPUT_MAX_SIZE); 10897 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 10898 PSA_PAKE_OUTPUT_MAX_SIZE); 10899 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 10900 PSA_PAKE_OUTPUT_MAX_SIZE); 10901 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 10902 PSA_PAKE_INPUT_MAX_SIZE); 10903 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 10904 PSA_PAKE_INPUT_MAX_SIZE); 10905 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 10906 PSA_PAKE_INPUT_MAX_SIZE); 10907} 10908/* END_CASE */ 10909
