1/* BEGIN_HEADER */ 2#include <stdint.h> 3 4#include "psa/crypto.h" 5#include "psa/crypto_extra.h" 6 7typedef enum { 8 ERR_NONE = 0, 9 /* errors forced internally in the code */ 10 ERR_INJECT_UNINITIALIZED_ACCESS, 11 ERR_INJECT_DUPLICATE_SETUP, 12 ERR_INJECT_SET_USER, 13 ERR_INJECT_SET_PEER, 14 ERR_INJECT_SET_ROLE, 15 ERR_DUPLICATE_SET_USER, 16 ERR_DUPLICATE_SET_PEER, 17 ERR_INJECT_EMPTY_IO_BUFFER, 18 ERR_INJECT_UNKNOWN_STEP, 19 ERR_INJECT_INVALID_FIRST_STEP, 20 ERR_INJECT_WRONG_BUFFER_SIZE, 21 ERR_INJECT_WRONG_BUFFER_SIZE_2, 22 ERR_INJECT_VALID_OPERATION_AFTER_FAILURE, 23 ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1, 24 ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2, 25 ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1, 26 ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1, 27 ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1, 28 ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2, 29 ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2, 30 ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2, 31 ERR_INJECT_ROUND2_CLIENT_KEY_SHARE, 32 ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC, 33 ERR_INJECT_ROUND2_CLIENT_ZK_PROOF, 34 ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1, 35 ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1, 36 ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1, 37 ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2, 38 ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2, 39 ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2, 40 ERR_INJECT_ROUND2_SERVER_KEY_SHARE, 41 ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC, 42 ERR_INJECT_ROUND2_SERVER_ZK_PROOF, 43 ERR_INJECT_EXTRA_OUTPUT, 44 ERR_INJECT_EXTRA_INPUT, 45 ERR_INJECT_EXTRA_OUTPUT_AT_END, 46 ERR_INJECT_EXTRA_INPUT_AT_END, 47 /* errors issued from the .data file */ 48 ERR_IN_SETUP, 49 ERR_IN_SET_USER, 50 ERR_IN_SET_PEER, 51 ERR_IN_SET_ROLE, 52 ERR_IN_SET_PASSWORD_KEY, 53 ERR_IN_INPUT, 54 ERR_IN_OUTPUT, 55} ecjpake_error_stage_t; 56 57typedef enum { 58 PAKE_ROUND_ONE, 59 PAKE_ROUND_TWO 60} pake_round_t; 61 62#if defined(PSA_WANT_ALG_JPAKE) 63/* The only two JPAKE user/peer identifiers supported for the time being. */ 64static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' }; 65static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' }; 66#endif 67 68/* 69 * Inject an error on the specified buffer ONLY it this is the correct stage. 70 * Offset 7 is arbitrary, but chosen because it's "in the middle" of the part 71 * we're corrupting. 72 */ 73#define DO_ROUND_CONDITIONAL_INJECT(this_stage, buf) \ 74 if (this_stage == err_stage) \ 75 { \ 76 *(buf + 7) ^= 1; \ 77 } 78 79#define DO_ROUND_CONDITIONAL_CHECK_FAILURE(this_stage, function) \ 80 if (this_stage == err_stage) \ 81 { \ 82 TEST_EQUAL(function, expected_error_arg); \ 83 break; \ 84 } 85 86#define DO_ROUND_UPDATE_OFFSETS(main_buf_offset, step_offset, step_size) \ 87 { \ 88 step_offset = main_buf_offset; \ 89 main_buf_offset += step_size; \ 90 } 91 92#define DO_ROUND_CHECK_FAILURE() \ 93 if (err_stage != ERR_NONE && status != PSA_SUCCESS) \ 94 { \ 95 TEST_EQUAL(status, expected_error_arg); \ 96 break; \ 97 } \ 98 else \ 99 { \ 100 TEST_EQUAL(status, PSA_SUCCESS); \ 101 } 102 103#if defined(PSA_WANT_ALG_JPAKE) 104static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, 105 psa_pake_operation_t *server, 106 psa_pake_operation_t *client, 107 int client_input_first, 108 pake_round_t round, 109 ecjpake_error_stage_t err_stage, 110 int expected_error_arg) 111{ 112 unsigned char *buffer0 = NULL, *buffer1 = NULL; 113 size_t buffer_length = ( 114 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE) + 115 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC) + 116 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF)) * 2; 117 /* The output should be exactly this size according to the spec */ 118 const size_t expected_size_key_share = 119 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE); 120 /* The output should be exactly this size according to the spec */ 121 const size_t expected_size_zk_public = 122 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC); 123 /* The output can be smaller: the spec allows stripping leading zeroes */ 124 const size_t max_expected_size_zk_proof = 125 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF); 126 size_t buffer0_off = 0; 127 size_t buffer1_off = 0; 128 size_t s_g1_len, s_g2_len, s_a_len; 129 size_t s_g1_off, s_g2_off, s_a_off; 130 size_t s_x1_pk_len, s_x2_pk_len, s_x2s_pk_len; 131 size_t s_x1_pk_off, s_x2_pk_off, s_x2s_pk_off; 132 size_t s_x1_pr_len, s_x2_pr_len, s_x2s_pr_len; 133 size_t s_x1_pr_off, s_x2_pr_off, s_x2s_pr_off; 134 size_t c_g1_len, c_g2_len, c_a_len; 135 size_t c_g1_off, c_g2_off, c_a_off; 136 size_t c_x1_pk_len, c_x2_pk_len, c_x2s_pk_len; 137 size_t c_x1_pk_off, c_x2_pk_off, c_x2s_pk_off; 138 size_t c_x1_pr_len, c_x2_pr_len, c_x2s_pr_len; 139 size_t c_x1_pr_off, c_x2_pr_off, c_x2s_pr_off; 140 psa_status_t status; 141 142 TEST_CALLOC(buffer0, buffer_length); 143 TEST_CALLOC(buffer1, buffer_length); 144 145 switch (round) { 146 case PAKE_ROUND_ONE: 147 /* Server first round Output */ 148 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 149 buffer0 + buffer0_off, 150 buffer_length - buffer0_off, &s_g1_len)); 151 TEST_EQUAL(s_g1_len, expected_size_key_share); 152 DO_ROUND_CONDITIONAL_INJECT( 153 ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1, 154 buffer0 + buffer0_off); 155 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_g1_off, s_g1_len); 156 157 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, 158 buffer0 + buffer0_off, 159 buffer_length - buffer0_off, &s_x1_pk_len)); 160 TEST_EQUAL(s_x1_pk_len, expected_size_zk_public); 161 DO_ROUND_CONDITIONAL_INJECT( 162 ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1, 163 buffer0 + buffer0_off); 164 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x1_pk_off, s_x1_pk_len); 165 166 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, 167 buffer0 + buffer0_off, 168 buffer_length - buffer0_off, &s_x1_pr_len)); 169 TEST_LE_U(s_x1_pr_len, max_expected_size_zk_proof); 170 DO_ROUND_CONDITIONAL_INJECT( 171 ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1, 172 buffer0 + buffer0_off); 173 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x1_pr_off, s_x1_pr_len); 174 175 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 176 buffer0 + buffer0_off, 177 buffer_length - buffer0_off, &s_g2_len)); 178 TEST_EQUAL(s_g2_len, expected_size_key_share); 179 DO_ROUND_CONDITIONAL_INJECT( 180 ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2, 181 buffer0 + buffer0_off); 182 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_g2_off, s_g2_len); 183 184 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, 185 buffer0 + buffer0_off, 186 buffer_length - buffer0_off, &s_x2_pk_len)); 187 TEST_EQUAL(s_x2_pk_len, expected_size_zk_public); 188 DO_ROUND_CONDITIONAL_INJECT( 189 ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2, 190 buffer0 + buffer0_off); 191 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x2_pk_off, s_x2_pk_len); 192 193 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, 194 buffer0 + buffer0_off, 195 buffer_length - buffer0_off, &s_x2_pr_len)); 196 TEST_LE_U(s_x2_pr_len, max_expected_size_zk_proof); 197 DO_ROUND_CONDITIONAL_INJECT( 198 ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2, 199 buffer0 + buffer0_off); 200 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x2_pr_off, s_x2_pr_len); 201 202 size_t extra_output_len; 203 DO_ROUND_CONDITIONAL_CHECK_FAILURE( 204 ERR_INJECT_EXTRA_OUTPUT, 205 psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 206 buffer0 + s_g2_off, buffer_length - s_g2_off, &extra_output_len)); 207 (void) extra_output_len; 208 /* 209 * When injecting errors in inputs, the implementation is 210 * free to detect it right away of with a delay. 211 * This permits delaying the error until the end of the input 212 * sequence, if no error appears then, this will be treated 213 * as an error. 214 */ 215 if (client_input_first == 1) { 216 /* Client first round Input */ 217 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 218 buffer0 + s_g1_off, s_g1_len); 219 DO_ROUND_CHECK_FAILURE(); 220 221 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 222 buffer0 + s_x1_pk_off, 223 s_x1_pk_len); 224 DO_ROUND_CHECK_FAILURE(); 225 226 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 227 buffer0 + s_x1_pr_off, 228 s_x1_pr_len); 229 DO_ROUND_CHECK_FAILURE(); 230 231 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 232 buffer0 + s_g2_off, 233 s_g2_len); 234 DO_ROUND_CHECK_FAILURE(); 235 236 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 237 buffer0 + s_x2_pk_off, 238 s_x2_pk_len); 239 DO_ROUND_CHECK_FAILURE(); 240 241 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 242 buffer0 + s_x2_pr_off, 243 s_x2_pr_len); 244 DO_ROUND_CHECK_FAILURE(); 245 246 /* Note: Must have client_input_first == 1 to inject extra input */ 247 DO_ROUND_CONDITIONAL_CHECK_FAILURE( 248 ERR_INJECT_EXTRA_INPUT, 249 psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 250 buffer0 + s_g2_off, s_g2_len)); 251 252 /* Error didn't trigger, make test fail */ 253 if ((err_stage >= ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1) && 254 (err_stage <= ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2)) { 255 TEST_ASSERT( 256 !"One of the last psa_pake_input() calls should have returned the expected error."); 257 } 258 } 259 260 /* Client first round Output */ 261 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 262 buffer1 + buffer1_off, 263 buffer_length - buffer1_off, &c_g1_len)); 264 TEST_EQUAL(c_g1_len, expected_size_key_share); 265 DO_ROUND_CONDITIONAL_INJECT( 266 ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1, 267 buffer1 + buffer1_off); 268 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_g1_off, c_g1_len); 269 270 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, 271 buffer1 + buffer1_off, 272 buffer_length - buffer1_off, &c_x1_pk_len)); 273 TEST_EQUAL(c_x1_pk_len, expected_size_zk_public); 274 DO_ROUND_CONDITIONAL_INJECT( 275 ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1, 276 buffer1 + buffer1_off); 277 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x1_pk_off, c_x1_pk_len); 278 279 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, 280 buffer1 + buffer1_off, 281 buffer_length - buffer1_off, &c_x1_pr_len)); 282 TEST_LE_U(c_x1_pr_len, max_expected_size_zk_proof); 283 DO_ROUND_CONDITIONAL_INJECT( 284 ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1, 285 buffer1 + buffer1_off); 286 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x1_pr_off, c_x1_pr_len); 287 288 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 289 buffer1 + buffer1_off, 290 buffer_length - buffer1_off, &c_g2_len)); 291 TEST_EQUAL(c_g2_len, expected_size_key_share); 292 DO_ROUND_CONDITIONAL_INJECT( 293 ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2, 294 buffer1 + buffer1_off); 295 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_g2_off, c_g2_len); 296 297 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, 298 buffer1 + buffer1_off, 299 buffer_length - buffer1_off, &c_x2_pk_len)); 300 TEST_EQUAL(c_x2_pk_len, expected_size_zk_public); 301 DO_ROUND_CONDITIONAL_INJECT( 302 ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2, 303 buffer1 + buffer1_off); 304 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x2_pk_off, c_x2_pk_len); 305 306 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, 307 buffer1 + buffer1_off, 308 buffer_length - buffer1_off, &c_x2_pr_len)); 309 TEST_LE_U(c_x2_pr_len, max_expected_size_zk_proof); 310 DO_ROUND_CONDITIONAL_INJECT( 311 ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2, 312 buffer1 + buffer1_off); 313 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x2_pr_off, buffer1_off); 314 315 if (client_input_first == 0) { 316 /* Client first round Input */ 317 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 318 buffer0 + s_g1_off, s_g1_len); 319 DO_ROUND_CHECK_FAILURE(); 320 321 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 322 buffer0 + s_x1_pk_off, 323 s_x1_pk_len); 324 DO_ROUND_CHECK_FAILURE(); 325 326 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 327 buffer0 + s_x1_pr_off, 328 s_x1_pr_len); 329 DO_ROUND_CHECK_FAILURE(); 330 331 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 332 buffer0 + s_g2_off, 333 s_g2_len); 334 DO_ROUND_CHECK_FAILURE(); 335 336 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 337 buffer0 + s_x2_pk_off, 338 s_x2_pk_len); 339 DO_ROUND_CHECK_FAILURE(); 340 341 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 342 buffer0 + s_x2_pr_off, 343 s_x2_pr_len); 344 DO_ROUND_CHECK_FAILURE(); 345 346 /* Error didn't trigger, make test fail */ 347 if ((err_stage >= ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1) && 348 (err_stage <= ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2)) { 349 TEST_ASSERT( 350 !"One of the last psa_pake_input() calls should have returned the expected error."); 351 } 352 } 353 354 /* Server first round Input */ 355 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 356 buffer1 + c_g1_off, c_g1_len); 357 DO_ROUND_CHECK_FAILURE(); 358 359 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, 360 buffer1 + c_x1_pk_off, c_x1_pk_len); 361 DO_ROUND_CHECK_FAILURE(); 362 363 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, 364 buffer1 + c_x1_pr_off, c_x1_pr_len); 365 DO_ROUND_CHECK_FAILURE(); 366 367 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 368 buffer1 + c_g2_off, c_g2_len); 369 DO_ROUND_CHECK_FAILURE(); 370 371 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, 372 buffer1 + c_x2_pk_off, c_x2_pk_len); 373 DO_ROUND_CHECK_FAILURE(); 374 375 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, 376 buffer1 + c_x2_pr_off, c_x2_pr_len); 377 DO_ROUND_CHECK_FAILURE(); 378 379 /* Error didn't trigger, make test fail */ 380 if ((err_stage >= ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1) && 381 (err_stage <= ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2)) { 382 TEST_ASSERT( 383 !"One of the last psa_pake_input() calls should have returned the expected error."); 384 } 385 386 break; 387 388 case PAKE_ROUND_TWO: 389 /* Server second round Output */ 390 buffer0_off = 0; 391 392 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 393 buffer0 + buffer0_off, 394 buffer_length - buffer0_off, &s_a_len)); 395 TEST_EQUAL(s_a_len, expected_size_key_share); 396 DO_ROUND_CONDITIONAL_INJECT( 397 ERR_INJECT_ROUND2_SERVER_KEY_SHARE, 398 buffer0 + buffer0_off); 399 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_a_off, s_a_len); 400 401 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, 402 buffer0 + buffer0_off, 403 buffer_length - buffer0_off, &s_x2s_pk_len)); 404 TEST_EQUAL(s_x2s_pk_len, expected_size_zk_public); 405 DO_ROUND_CONDITIONAL_INJECT( 406 ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC, 407 buffer0 + buffer0_off); 408 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x2s_pk_off, s_x2s_pk_len); 409 410 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, 411 buffer0 + buffer0_off, 412 buffer_length - buffer0_off, &s_x2s_pr_len)); 413 TEST_LE_U(s_x2s_pr_len, max_expected_size_zk_proof); 414 DO_ROUND_CONDITIONAL_INJECT( 415 ERR_INJECT_ROUND2_SERVER_ZK_PROOF, 416 buffer0 + buffer0_off); 417 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x2s_pr_off, s_x2s_pr_len); 418 419 if (client_input_first == 1) { 420 /* Client second round Input */ 421 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 422 buffer0 + s_a_off, s_a_len); 423 DO_ROUND_CHECK_FAILURE(); 424 425 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 426 buffer0 + s_x2s_pk_off, 427 s_x2s_pk_len); 428 DO_ROUND_CHECK_FAILURE(); 429 430 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 431 buffer0 + s_x2s_pr_off, 432 s_x2s_pr_len); 433 DO_ROUND_CHECK_FAILURE(); 434 435 /* Error didn't trigger, make test fail */ 436 if ((err_stage >= ERR_INJECT_ROUND2_SERVER_KEY_SHARE) && 437 (err_stage <= ERR_INJECT_ROUND2_SERVER_ZK_PROOF)) { 438 TEST_ASSERT( 439 !"One of the last psa_pake_input() calls should have returned the expected error."); 440 } 441 } 442 443 /* Client second round Output */ 444 buffer1_off = 0; 445 446 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 447 buffer1 + buffer1_off, 448 buffer_length - buffer1_off, &c_a_len)); 449 TEST_EQUAL(c_a_len, expected_size_key_share); 450 DO_ROUND_CONDITIONAL_INJECT( 451 ERR_INJECT_ROUND2_CLIENT_KEY_SHARE, 452 buffer1 + buffer1_off); 453 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_a_off, c_a_len); 454 455 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, 456 buffer1 + buffer1_off, 457 buffer_length - buffer1_off, &c_x2s_pk_len)); 458 TEST_EQUAL(c_x2s_pk_len, expected_size_zk_public); 459 DO_ROUND_CONDITIONAL_INJECT( 460 ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC, 461 buffer1 + buffer1_off); 462 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x2s_pk_off, c_x2s_pk_len); 463 464 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, 465 buffer1 + buffer1_off, 466 buffer_length - buffer1_off, &c_x2s_pr_len)); 467 TEST_LE_U(c_x2s_pr_len, max_expected_size_zk_proof); 468 DO_ROUND_CONDITIONAL_INJECT( 469 ERR_INJECT_ROUND2_CLIENT_ZK_PROOF, 470 buffer1 + buffer1_off); 471 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x2s_pr_off, c_x2s_pr_len); 472 473 if (client_input_first == 1) { 474 size_t extra_output_at_end_len; 475 DO_ROUND_CONDITIONAL_CHECK_FAILURE( 476 ERR_INJECT_EXTRA_OUTPUT_AT_END, 477 psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 478 buffer1 + c_a_off, buffer_length - c_a_off, 479 &extra_output_at_end_len)); 480 (void) extra_output_at_end_len; 481 } 482 483 if (client_input_first == 0) { 484 /* Client second round Input */ 485 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 486 buffer0 + s_a_off, s_a_len); 487 DO_ROUND_CHECK_FAILURE(); 488 489 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 490 buffer0 + s_x2s_pk_off, 491 s_x2s_pk_len); 492 DO_ROUND_CHECK_FAILURE(); 493 494 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 495 buffer0 + s_x2s_pr_off, 496 s_x2s_pr_len); 497 DO_ROUND_CHECK_FAILURE(); 498 499 /* Error didn't trigger, make test fail */ 500 if ((err_stage >= ERR_INJECT_ROUND2_SERVER_KEY_SHARE) && 501 (err_stage <= ERR_INJECT_ROUND2_SERVER_ZK_PROOF)) { 502 TEST_ASSERT( 503 !"One of the last psa_pake_input() calls should have returned the expected error."); 504 } 505 } 506 507 /* Server second round Input */ 508 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 509 buffer1 + c_a_off, c_a_len); 510 DO_ROUND_CHECK_FAILURE(); 511 512 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, 513 buffer1 + c_x2s_pk_off, c_x2s_pk_len); 514 DO_ROUND_CHECK_FAILURE(); 515 516 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, 517 buffer1 + c_x2s_pr_off, c_x2s_pr_len); 518 DO_ROUND_CHECK_FAILURE(); 519 520 DO_ROUND_CONDITIONAL_CHECK_FAILURE( 521 ERR_INJECT_EXTRA_INPUT_AT_END, 522 psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 523 buffer1 + c_a_off, c_a_len)); 524 525 526 /* Error didn't trigger, make test fail */ 527 if ((err_stage >= ERR_INJECT_ROUND2_CLIENT_KEY_SHARE) && 528 (err_stage <= ERR_INJECT_ROUND2_CLIENT_ZK_PROOF)) { 529 TEST_ASSERT( 530 !"One of the last psa_pake_input() calls should have returned the expected error."); 531 } 532 533 break; 534 535 } 536 537exit: 538 mbedtls_free(buffer0); 539 mbedtls_free(buffer1); 540} 541#endif /* PSA_WANT_ALG_JPAKE */ 542 543/* 544 * This check is used for functions that might either succeed or fail depending 545 * on the parameters that are passed in from the *.data file: 546 * - in case of success following functions depend on the current one 547 * - in case of failure the test is always terminated. There are two options 548 * here 549 * - terminated successfully if this exact error was expected at this stage 550 * - terminated with failure otherwise (either no error was expected at this 551 * stage or a different error code was expected) 552 */ 553#define SETUP_ALWAYS_CHECK_STEP(test_function, this_check_err_stage) \ 554 status = test_function; \ 555 if (err_stage != this_check_err_stage) \ 556 { \ 557 PSA_ASSERT(status); \ 558 } \ 559 else \ 560 { \ 561 TEST_EQUAL(status, expected_error); \ 562 goto exit; \ 563 } 564 565/* 566 * This check is used for failures that are injected at code level. There's only 567 * 1 input parameter that is relevant in this case and it's the stage at which 568 * the error should be injected. 569 * The check is conditional in this case because, once the error is triggered, 570 * the pake's context structure is compromised and the setup function cannot 571 * proceed further. As a consequence the test is terminated. 572 * The test succeeds if the returned error is exactly the expected one, 573 * otherwise it fails. 574 */ 575#define SETUP_CONDITIONAL_CHECK_STEP(test_function, this_check_err_stage) \ 576 if (err_stage == this_check_err_stage) \ 577 { \ 578 TEST_EQUAL(test_function, expected_error); \ 579 goto exit; \ 580 } 581/* END_HEADER */ 582 583/* BEGIN_DEPENDENCIES 584 * depends_on:MBEDTLS_PSA_CRYPTO_C 585 * END_DEPENDENCIES 586 */ 587 588/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 589void ecjpake_setup(int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, 590 int primitive_arg, int hash_arg, char *user_arg, char *peer_arg, 591 int test_input, 592 int err_stage_arg, 593 int expected_error_arg) 594{ 595 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 596 psa_pake_operation_t operation = psa_pake_operation_init(); 597 psa_algorithm_t alg = alg_arg; 598 psa_pake_primitive_t primitive = primitive_arg; 599 psa_key_type_t key_type_pw = key_type_pw_arg; 600 psa_key_usage_t key_usage_pw = key_usage_pw_arg; 601 psa_algorithm_t hash_alg = hash_arg; 602 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 603 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 604 ecjpake_error_stage_t err_stage = err_stage_arg; 605 psa_status_t expected_error = expected_error_arg; 606 psa_status_t status; 607 unsigned char *output_buffer = NULL; 608 size_t output_len = 0; 609 const uint8_t password[] = "abcd"; 610 uint8_t *user = (uint8_t *) user_arg; 611 uint8_t *peer = (uint8_t *) peer_arg; 612 size_t user_len = strlen(user_arg); 613 size_t peer_len = strlen(peer_arg); 614 615 psa_key_derivation_operation_t key_derivation = 616 PSA_KEY_DERIVATION_OPERATION_INIT; 617 618 PSA_INIT(); 619 620 size_t buf_size = PSA_PAKE_OUTPUT_SIZE(alg, primitive_arg, 621 PSA_PAKE_STEP_KEY_SHARE); 622 TEST_CALLOC(output_buffer, buf_size); 623 624 psa_set_key_usage_flags(&attributes, key_usage_pw); 625 psa_set_key_algorithm(&attributes, alg); 626 psa_set_key_type(&attributes, key_type_pw); 627 PSA_ASSERT(psa_import_key(&attributes, password, sizeof(password), 628 &key)); 629 630 psa_pake_cs_set_algorithm(&cipher_suite, alg); 631 psa_pake_cs_set_primitive(&cipher_suite, primitive); 632 psa_pake_cs_set_hash(&cipher_suite, hash_alg); 633 634 PSA_ASSERT(psa_pake_abort(&operation)); 635 636 if (err_stage == ERR_INJECT_UNINITIALIZED_ACCESS) { 637 TEST_EQUAL(psa_pake_set_user(&operation, user, user_len), 638 expected_error); 639 TEST_EQUAL(psa_pake_set_peer(&operation, peer, peer_len), 640 expected_error); 641 TEST_EQUAL(psa_pake_set_password_key(&operation, key), 642 expected_error); 643 TEST_EQUAL(psa_pake_set_role(&operation, PSA_PAKE_ROLE_SERVER), 644 expected_error); 645 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, 646 output_buffer, 0, &output_len), 647 expected_error); 648 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, 649 output_buffer, 0), 650 expected_error); 651 TEST_EQUAL(psa_pake_get_implicit_key(&operation, &key_derivation), 652 expected_error); 653 goto exit; 654 } 655 656 SETUP_ALWAYS_CHECK_STEP(psa_pake_setup(&operation, &cipher_suite), 657 ERR_IN_SETUP); 658 659 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_setup(&operation, &cipher_suite), 660 ERR_INJECT_DUPLICATE_SETUP); 661 662 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_set_role(&operation, PSA_PAKE_ROLE_SERVER), 663 ERR_INJECT_SET_ROLE); 664 665 SETUP_ALWAYS_CHECK_STEP(psa_pake_set_role(&operation, PSA_PAKE_ROLE_NONE), 666 ERR_IN_SET_ROLE); 667 668 SETUP_ALWAYS_CHECK_STEP(psa_pake_set_user(&operation, user, user_len), 669 ERR_IN_SET_USER); 670 671 SETUP_ALWAYS_CHECK_STEP(psa_pake_set_peer(&operation, peer, peer_len), 672 ERR_IN_SET_PEER); 673 674 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_set_user(&operation, user, user_len), 675 ERR_DUPLICATE_SET_USER); 676 677 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_set_peer(&operation, peer, peer_len), 678 ERR_DUPLICATE_SET_PEER); 679 680 SETUP_ALWAYS_CHECK_STEP(psa_pake_set_password_key(&operation, key), 681 ERR_IN_SET_PASSWORD_KEY); 682 683 const size_t size_key_share = PSA_PAKE_INPUT_SIZE(alg, primitive, 684 PSA_PAKE_STEP_KEY_SHARE); 685 const size_t size_zk_public = PSA_PAKE_INPUT_SIZE(alg, primitive, 686 PSA_PAKE_STEP_ZK_PUBLIC); 687 const size_t size_zk_proof = PSA_PAKE_INPUT_SIZE(alg, primitive, 688 PSA_PAKE_STEP_ZK_PROOF); 689 690 if (test_input) { 691 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, 692 PSA_PAKE_STEP_ZK_PROOF, 693 output_buffer, 0), 694 ERR_INJECT_EMPTY_IO_BUFFER); 695 696 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, 697 PSA_PAKE_STEP_ZK_PROOF + 10, 698 output_buffer, size_zk_proof), 699 ERR_INJECT_UNKNOWN_STEP); 700 701 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, 702 PSA_PAKE_STEP_ZK_PROOF, 703 output_buffer, size_zk_proof), 704 ERR_INJECT_INVALID_FIRST_STEP) 705 706 SETUP_ALWAYS_CHECK_STEP(psa_pake_input(&operation, 707 PSA_PAKE_STEP_KEY_SHARE, 708 output_buffer, size_key_share), 709 ERR_IN_INPUT); 710 711 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, 712 PSA_PAKE_STEP_ZK_PUBLIC, 713 output_buffer, size_zk_public + 1), 714 ERR_INJECT_WRONG_BUFFER_SIZE); 715 716 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, 717 PSA_PAKE_STEP_ZK_PROOF, 718 output_buffer, size_zk_proof + 1), 719 ERR_INJECT_WRONG_BUFFER_SIZE_2); 720 721 SETUP_CONDITIONAL_CHECK_STEP( 722 (psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 723 output_buffer, size_zk_public + 1), 724 psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 725 output_buffer, size_zk_public)), 726 ERR_INJECT_VALID_OPERATION_AFTER_FAILURE); 727 } else { 728 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_output(&operation, 729 PSA_PAKE_STEP_ZK_PROOF, 730 output_buffer, 0, 731 &output_len), 732 ERR_INJECT_EMPTY_IO_BUFFER); 733 734 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_output(&operation, 735 PSA_PAKE_STEP_ZK_PROOF + 10, 736 output_buffer, buf_size, &output_len), 737 ERR_INJECT_UNKNOWN_STEP); 738 739 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_output(&operation, 740 PSA_PAKE_STEP_ZK_PROOF, 741 output_buffer, buf_size, &output_len), 742 ERR_INJECT_INVALID_FIRST_STEP); 743 744 SETUP_ALWAYS_CHECK_STEP(psa_pake_output(&operation, 745 PSA_PAKE_STEP_KEY_SHARE, 746 output_buffer, buf_size, &output_len), 747 ERR_IN_OUTPUT); 748 749 TEST_ASSERT(output_len > 0); 750 751 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_output(&operation, 752 PSA_PAKE_STEP_ZK_PUBLIC, 753 output_buffer, size_zk_public - 1, 754 &output_len), 755 ERR_INJECT_WRONG_BUFFER_SIZE); 756 757 SETUP_CONDITIONAL_CHECK_STEP( 758 (psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 759 output_buffer, size_zk_public - 1, &output_len), 760 psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 761 output_buffer, buf_size, &output_len)), 762 ERR_INJECT_VALID_OPERATION_AFTER_FAILURE); 763 } 764 765exit: 766 PSA_ASSERT(psa_destroy_key(key)); 767 PSA_ASSERT(psa_pake_abort(&operation)); 768 mbedtls_free(output_buffer); 769 PSA_DONE(); 770} 771/* END_CASE */ 772 773/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 774void ecjpake_rounds_inject(int alg_arg, int primitive_arg, int hash_arg, 775 int client_input_first, 776 data_t *pw_data, 777 int err_stage_arg, 778 int expected_error_arg, 779 int inject_in_second_round) 780{ 781 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 782 psa_pake_operation_t server = psa_pake_operation_init(); 783 psa_pake_operation_t client = psa_pake_operation_init(); 784 psa_algorithm_t alg = alg_arg; 785 psa_algorithm_t hash_alg = hash_arg; 786 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 787 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 788 ecjpake_error_stage_t err_stage = err_stage_arg; 789 790 PSA_INIT(); 791 792 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 793 psa_set_key_algorithm(&attributes, alg); 794 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 795 796 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, 797 &key)); 798 799 psa_pake_cs_set_algorithm(&cipher_suite, alg); 800 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg); 801 psa_pake_cs_set_hash(&cipher_suite, hash_alg); 802 803 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite)); 804 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite)); 805 806 PSA_ASSERT(psa_pake_set_user(&server, jpake_server_id, sizeof(jpake_server_id))); 807 PSA_ASSERT(psa_pake_set_peer(&server, jpake_client_id, sizeof(jpake_client_id))); 808 PSA_ASSERT(psa_pake_set_user(&client, jpake_client_id, sizeof(jpake_client_id))); 809 PSA_ASSERT(psa_pake_set_peer(&client, jpake_server_id, sizeof(jpake_server_id))); 810 811 PSA_ASSERT(psa_pake_set_password_key(&server, key)); 812 PSA_ASSERT(psa_pake_set_password_key(&client, key)); 813 814 ecjpake_do_round(alg, primitive_arg, &server, &client, 815 client_input_first, PAKE_ROUND_ONE, 816 inject_in_second_round ? ERR_NONE : err_stage, 817 expected_error_arg); 818 819 if (!inject_in_second_round && err_stage != ERR_NONE) { 820 goto exit; 821 } 822 823 ecjpake_do_round(alg, primitive_arg, &server, &client, 824 client_input_first, PAKE_ROUND_TWO, 825 err_stage, expected_error_arg); 826 827exit: 828 psa_destroy_key(key); 829 psa_pake_abort(&server); 830 psa_pake_abort(&client); 831 PSA_DONE(); 832} 833/* END_CASE */ 834 835/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 836void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, 837 int derive_alg_arg, data_t *pw_data, 838 int client_input_first, int destroy_key, 839 int err_stage_arg) 840{ 841 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 842 psa_pake_operation_t server = psa_pake_operation_init(); 843 psa_pake_operation_t client = psa_pake_operation_init(); 844 psa_algorithm_t alg = alg_arg; 845 psa_algorithm_t hash_alg = hash_arg; 846 psa_algorithm_t derive_alg = derive_alg_arg; 847 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 848 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 849 psa_key_derivation_operation_t server_derive = 850 PSA_KEY_DERIVATION_OPERATION_INIT; 851 psa_key_derivation_operation_t client_derive = 852 PSA_KEY_DERIVATION_OPERATION_INIT; 853 ecjpake_error_stage_t err_stage = err_stage_arg; 854 855 PSA_INIT(); 856 857 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 858 psa_set_key_algorithm(&attributes, alg); 859 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 860 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, 861 &key)); 862 863 psa_pake_cs_set_algorithm(&cipher_suite, alg); 864 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg); 865 psa_pake_cs_set_hash(&cipher_suite, hash_alg); 866 867 /* Get shared key */ 868 PSA_ASSERT(psa_key_derivation_setup(&server_derive, derive_alg)); 869 PSA_ASSERT(psa_key_derivation_setup(&client_derive, derive_alg)); 870 871 if (PSA_ALG_IS_TLS12_PRF(derive_alg) || 872 PSA_ALG_IS_TLS12_PSK_TO_MS(derive_alg)) { 873 PSA_ASSERT(psa_key_derivation_input_bytes(&server_derive, 874 PSA_KEY_DERIVATION_INPUT_SEED, 875 (const uint8_t *) "", 0)); 876 PSA_ASSERT(psa_key_derivation_input_bytes(&client_derive, 877 PSA_KEY_DERIVATION_INPUT_SEED, 878 (const uint8_t *) "", 0)); 879 } 880 881 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite)); 882 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite)); 883 884 PSA_ASSERT(psa_pake_set_user(&server, jpake_server_id, sizeof(jpake_server_id))); 885 PSA_ASSERT(psa_pake_set_peer(&server, jpake_client_id, sizeof(jpake_client_id))); 886 PSA_ASSERT(psa_pake_set_user(&client, jpake_client_id, sizeof(jpake_client_id))); 887 PSA_ASSERT(psa_pake_set_peer(&client, jpake_server_id, sizeof(jpake_server_id))); 888 889 PSA_ASSERT(psa_pake_set_password_key(&server, key)); 890 PSA_ASSERT(psa_pake_set_password_key(&client, key)); 891 892 if (destroy_key == 1) { 893 psa_destroy_key(key); 894 } 895 896 if (err_stage == ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1) { 897 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive), 898 PSA_ERROR_BAD_STATE); 899 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive), 900 PSA_ERROR_BAD_STATE); 901 goto exit; 902 } 903 904 /* First round */ 905 ecjpake_do_round(alg, primitive_arg, &server, &client, 906 client_input_first, PAKE_ROUND_ONE, 907 ERR_NONE, PSA_SUCCESS); 908 909 if (err_stage == ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2) { 910 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive), 911 PSA_ERROR_BAD_STATE); 912 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive), 913 PSA_ERROR_BAD_STATE); 914 goto exit; 915 } 916 917 /* Second round */ 918 ecjpake_do_round(alg, primitive_arg, &server, &client, 919 client_input_first, PAKE_ROUND_TWO, 920 ERR_NONE, PSA_SUCCESS); 921 922 PSA_ASSERT(psa_pake_get_implicit_key(&server, &server_derive)); 923 PSA_ASSERT(psa_pake_get_implicit_key(&client, &client_derive)); 924 925exit: 926 psa_key_derivation_abort(&server_derive); 927 psa_key_derivation_abort(&client_derive); 928 psa_destroy_key(key); 929 psa_pake_abort(&server); 930 psa_pake_abort(&client); 931 PSA_DONE(); 932} 933/* END_CASE */ 934 935/* BEGIN_CASE */ 936void ecjpake_size_macros() 937{ 938 const psa_algorithm_t alg = PSA_ALG_JPAKE; 939 const size_t bits = 256; 940 const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( 941 PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, bits); 942 const psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR( 943 PSA_ECC_FAMILY_SECP_R1); 944 945 // https://armmbed.github.io/mbed-crypto/1.1_PAKE_Extension.0-bet.0/html/pake.html#pake-step-types 946 /* The output for KEY_SHARE and ZK_PUBLIC is the same as a public key */ 947 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 948 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits)); 949 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 950 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits)); 951 /* The output for ZK_PROOF is the same bitsize as the curve */ 952 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 953 PSA_BITS_TO_BYTES(bits)); 954 955 /* Input sizes are the same as output sizes */ 956 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 957 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE)); 958 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 959 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC)); 960 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 961 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF)); 962 963 /* These inequalities will always hold even when other PAKEs are added */ 964 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 965 PSA_PAKE_OUTPUT_MAX_SIZE); 966 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 967 PSA_PAKE_OUTPUT_MAX_SIZE); 968 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 969 PSA_PAKE_OUTPUT_MAX_SIZE); 970 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 971 PSA_PAKE_INPUT_MAX_SIZE); 972 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 973 PSA_PAKE_INPUT_MAX_SIZE); 974 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 975 PSA_PAKE_INPUT_MAX_SIZE); 976} 977/* END_CASE */ 978 979/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 980void pake_input_getters_password() 981{ 982 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 983 psa_pake_operation_t operation = psa_pake_operation_init(); 984 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 985 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 986 const char *password = "password"; 987 uint8_t password_ret[20] = { 0 }; // max key length is 20 bytes 988 size_t password_len_ret = 0; 989 size_t buffer_len_ret = 0; 990 991 psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( 992 PSA_PAKE_PRIMITIVE_TYPE_ECC, 993 PSA_ECC_FAMILY_SECP_R1, 256); 994 995 PSA_INIT(); 996 997 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 998 psa_pake_cs_set_primitive(&cipher_suite, primitive); 999 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 1000 1001 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 1002 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE); 1003 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 1004 1005 PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); 1006 1007 PSA_ASSERT(psa_import_key(&attributes, (uint8_t *) password, strlen(password), &key)); 1008 1009 TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, 1010 (uint8_t *) &password_ret, 1011 10, &buffer_len_ret), 1012 PSA_ERROR_BAD_STATE); 1013 1014 TEST_EQUAL(psa_crypto_driver_pake_get_password_len(&operation.data.inputs, &password_len_ret), 1015 PSA_ERROR_BAD_STATE); 1016 1017 PSA_ASSERT(psa_pake_set_password_key(&operation, key)); 1018 1019 TEST_EQUAL(psa_crypto_driver_pake_get_password_len(&operation.data.inputs, &password_len_ret), 1020 PSA_SUCCESS); 1021 1022 TEST_EQUAL(password_len_ret, strlen(password)); 1023 1024 TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, 1025 (uint8_t *) &password_ret, 1026 password_len_ret - 1, 1027 &buffer_len_ret), 1028 PSA_ERROR_BUFFER_TOO_SMALL); 1029 1030 TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, 1031 (uint8_t *) &password_ret, 1032 password_len_ret, 1033 &buffer_len_ret), 1034 PSA_SUCCESS); 1035 1036 TEST_MEMORY_COMPARE(password_ret, buffer_len_ret, password, strlen(password)); 1037exit: 1038 PSA_ASSERT(psa_destroy_key(key)); 1039 PSA_ASSERT(psa_pake_abort(&operation)); 1040 PSA_DONE(); 1041} 1042/* END_CASE */ 1043 1044/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 1045void pake_input_getters_cipher_suite() 1046{ 1047 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 1048 psa_pake_operation_t operation = psa_pake_operation_init(); 1049 psa_pake_cipher_suite_t cipher_suite_ret = psa_pake_cipher_suite_init(); 1050 1051 psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( 1052 PSA_PAKE_PRIMITIVE_TYPE_ECC, 1053 PSA_ECC_FAMILY_SECP_R1, 256); 1054 1055 PSA_INIT(); 1056 1057 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 1058 psa_pake_cs_set_primitive(&cipher_suite, primitive); 1059 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 1060 1061 TEST_EQUAL(psa_crypto_driver_pake_get_cipher_suite(&operation.data.inputs, &cipher_suite_ret), 1062 PSA_ERROR_BAD_STATE); 1063 1064 PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); 1065 1066 TEST_EQUAL(psa_crypto_driver_pake_get_cipher_suite(&operation.data.inputs, &cipher_suite_ret), 1067 PSA_SUCCESS); 1068 1069 TEST_MEMORY_COMPARE(&cipher_suite_ret, sizeof(cipher_suite_ret), 1070 &cipher_suite, sizeof(cipher_suite)); 1071 1072exit: 1073 PSA_ASSERT(psa_pake_abort(&operation)); 1074 PSA_DONE(); 1075} 1076/* END_CASE */ 1077 1078/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 1079void pake_input_getters_user() 1080{ 1081 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 1082 psa_pake_operation_t operation = psa_pake_operation_init(); 1083 const char *users[] = { "client", "server", "other" }; 1084 uint8_t user_ret[20] = { 0 }; // max user length is 20 bytes 1085 size_t user_len_ret = 0; 1086 size_t buffer_len_ret = 0; 1087 1088 psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( 1089 PSA_PAKE_PRIMITIVE_TYPE_ECC, 1090 PSA_ECC_FAMILY_SECP_R1, 256); 1091 1092 PSA_INIT(); 1093 1094 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 1095 psa_pake_cs_set_primitive(&cipher_suite, primitive); 1096 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 1097 1098 for (size_t i = 0; i < ARRAY_LENGTH(users); i++) { 1099 uint8_t *user = (uint8_t *) users[i]; 1100 uint8_t user_len = strlen(users[i]); 1101 1102 PSA_ASSERT(psa_pake_abort(&operation)); 1103 1104 PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); 1105 1106 TEST_EQUAL(psa_crypto_driver_pake_get_user(&operation.data.inputs, 1107 (uint8_t *) &user_ret, 1108 10, &buffer_len_ret), 1109 PSA_ERROR_BAD_STATE); 1110 1111 TEST_EQUAL(psa_crypto_driver_pake_get_user_len(&operation.data.inputs, &user_len_ret), 1112 PSA_ERROR_BAD_STATE); 1113 1114 PSA_ASSERT(psa_pake_set_user(&operation, user, user_len)); 1115 1116 TEST_EQUAL(psa_crypto_driver_pake_get_user_len(&operation.data.inputs, &user_len_ret), 1117 PSA_SUCCESS); 1118 1119 TEST_EQUAL(user_len_ret, user_len); 1120 1121 TEST_EQUAL(psa_crypto_driver_pake_get_user(&operation.data.inputs, 1122 (uint8_t *) &user_ret, 1123 user_len_ret - 1, 1124 &buffer_len_ret), 1125 PSA_ERROR_BUFFER_TOO_SMALL); 1126 1127 TEST_EQUAL(psa_crypto_driver_pake_get_user(&operation.data.inputs, 1128 (uint8_t *) &user_ret, 1129 user_len_ret, 1130 &buffer_len_ret), 1131 PSA_SUCCESS); 1132 1133 TEST_MEMORY_COMPARE(user_ret, buffer_len_ret, user, user_len); 1134 } 1135exit: 1136 PSA_ASSERT(psa_pake_abort(&operation)); 1137 PSA_DONE(); 1138} 1139/* END_CASE */ 1140 1141/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 1142void pake_input_getters_peer() 1143{ 1144 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 1145 psa_pake_operation_t operation = psa_pake_operation_init(); 1146 const char *peers[] = { "client", "server", "other" }; 1147 uint8_t peer_ret[20] = { 0 }; // max peer length is 20 bytes 1148 size_t peer_len_ret = 0; 1149 size_t buffer_len_ret = 0; 1150 1151 psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( 1152 PSA_PAKE_PRIMITIVE_TYPE_ECC, 1153 PSA_ECC_FAMILY_SECP_R1, 256); 1154 1155 PSA_INIT(); 1156 1157 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 1158 psa_pake_cs_set_primitive(&cipher_suite, primitive); 1159 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 1160 1161 for (size_t i = 0; i < ARRAY_LENGTH(peers); i++) { 1162 uint8_t *peer = (uint8_t *) peers[i]; 1163 uint8_t peer_len = strlen(peers[i]); 1164 1165 PSA_ASSERT(psa_pake_abort(&operation)); 1166 1167 PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); 1168 1169 TEST_EQUAL(psa_crypto_driver_pake_get_peer(&operation.data.inputs, 1170 (uint8_t *) &peer_ret, 1171 10, &buffer_len_ret), 1172 PSA_ERROR_BAD_STATE); 1173 1174 TEST_EQUAL(psa_crypto_driver_pake_get_peer_len(&operation.data.inputs, &peer_len_ret), 1175 PSA_ERROR_BAD_STATE); 1176 1177 PSA_ASSERT(psa_pake_set_peer(&operation, peer, peer_len)); 1178 1179 TEST_EQUAL(psa_crypto_driver_pake_get_peer_len(&operation.data.inputs, &peer_len_ret), 1180 PSA_SUCCESS); 1181 1182 TEST_EQUAL(peer_len_ret, peer_len); 1183 1184 TEST_EQUAL(psa_crypto_driver_pake_get_peer(&operation.data.inputs, 1185 (uint8_t *) &peer_ret, 1186 peer_len_ret - 1, 1187 &buffer_len_ret), 1188 PSA_ERROR_BUFFER_TOO_SMALL); 1189 1190 TEST_EQUAL(psa_crypto_driver_pake_get_peer(&operation.data.inputs, 1191 (uint8_t *) &peer_ret, 1192 peer_len_ret, 1193 &buffer_len_ret), 1194 PSA_SUCCESS); 1195 1196 TEST_MEMORY_COMPARE(peer_ret, buffer_len_ret, peer, peer_len); 1197 } 1198exit: 1199 PSA_ASSERT(psa_pake_abort(&operation)); 1200 PSA_DONE(); 1201} 1202/* END_CASE */ 1203
