Merge pull request #7793 from minosgalanakis/ecp/6025_fast_reduction_dispatch
[Bignum] Fast reduction dispatch
diff --git a/ChangeLog.d/fix-ilp32.txt b/ChangeLog.d/fix-ilp32.txt
new file mode 100644
index 0000000..3f18ac5
--- /dev/null
+++ b/ChangeLog.d/fix-ilp32.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix a compilation failure in the constant_time module when
+ building for arm64_32 (e.g., for watchos). Reported by Paulo
+ Coutinho in #7787.
diff --git a/ChangeLog.d/ssl_debug_helpers-stack_usage.txt b/ChangeLog.d/ssl_debug_helpers-stack_usage.txt
new file mode 100644
index 0000000..e2c2475
--- /dev/null
+++ b/ChangeLog.d/ssl_debug_helpers-stack_usage.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix very high stack usage in SSL debug code. Reported by Maximilian
+ Gerhardt in #7804.
diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index 5529dd1..94def5c 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@@ -1984,34 +1984,6 @@
psa_pake_cipher_suite_t MBEDTLS_PRIVATE(cipher_suite);
};
-typedef enum psa_jpake_step {
- PSA_PAKE_STEP_INVALID = 0,
- PSA_PAKE_STEP_X1_X2 = 1,
- PSA_PAKE_STEP_X2S = 2,
- PSA_PAKE_STEP_DERIVE = 3,
-} psa_jpake_step_t;
-
-typedef enum psa_jpake_state {
- PSA_PAKE_STATE_INVALID = 0,
- PSA_PAKE_STATE_SETUP = 1,
- PSA_PAKE_STATE_READY = 2,
- PSA_PAKE_OUTPUT_X1_X2 = 3,
- PSA_PAKE_OUTPUT_X2S = 4,
- PSA_PAKE_INPUT_X1_X2 = 5,
- PSA_PAKE_INPUT_X4S = 6,
-} psa_jpake_state_t;
-
-typedef enum psa_jpake_sequence {
- PSA_PAKE_SEQ_INVALID = 0,
- PSA_PAKE_X1_STEP_KEY_SHARE = 1, /* also X2S & X4S KEY_SHARE */
- PSA_PAKE_X1_STEP_ZK_PUBLIC = 2, /* also X2S & X4S ZK_PUBLIC */
- PSA_PAKE_X1_STEP_ZK_PROOF = 3, /* also X2S & X4S ZK_PROOF */
- PSA_PAKE_X2_STEP_KEY_SHARE = 4,
- PSA_PAKE_X2_STEP_ZK_PUBLIC = 5,
- PSA_PAKE_X2_STEP_ZK_PROOF = 6,
- PSA_PAKE_SEQ_END = 7,
-} psa_jpake_sequence_t;
-
typedef enum psa_crypto_driver_pake_step {
PSA_JPAKE_STEP_INVALID = 0, /* Invalid step */
PSA_JPAKE_X1_STEP_KEY_SHARE = 1, /* Round 1: input/output key share (for ephemeral private key X1).*/
@@ -2028,14 +2000,35 @@
PSA_JPAKE_X4S_STEP_ZK_PROOF = 12 /* Round 2: input Schnorr NIZKP proof for the X4S key (from peer) */
} psa_crypto_driver_pake_step_t;
+typedef enum psa_jpake_round {
+ PSA_JPAKE_FIRST = 0,
+ PSA_JPAKE_SECOND = 1,
+ PSA_JPAKE_FINISHED = 2
+} psa_jpake_round_t;
+
+typedef enum psa_jpake_io_mode {
+ PSA_JPAKE_INPUT = 0,
+ PSA_JPAKE_OUTPUT = 1
+} psa_jpake_io_mode_t;
struct psa_jpake_computation_stage_s {
- psa_jpake_state_t MBEDTLS_PRIVATE(state);
- psa_jpake_sequence_t MBEDTLS_PRIVATE(sequence);
- psa_jpake_step_t MBEDTLS_PRIVATE(input_step);
- psa_jpake_step_t MBEDTLS_PRIVATE(output_step);
+ /* The J-PAKE round we are currently on */
+ psa_jpake_round_t MBEDTLS_PRIVATE(round);
+ /* The 'mode' we are currently in (inputting or outputting) */
+ psa_jpake_io_mode_t MBEDTLS_PRIVATE(io_mode);
+ /* The number of completed inputs so far this round */
+ uint8_t MBEDTLS_PRIVATE(inputs);
+ /* The number of completed outputs so far this round */
+ uint8_t MBEDTLS_PRIVATE(outputs);
+ /* The next expected step (KEY_SHARE, ZK_PUBLIC or ZK_PROOF) */
+ psa_pake_step_t MBEDTLS_PRIVATE(step);
};
+#define PSA_JPAKE_EXPECTED_INPUTS(round) ((round) == PSA_JPAKE_FINISHED ? 0 : \
+ ((round) == PSA_JPAKE_FIRST ? 2 : 1))
+#define PSA_JPAKE_EXPECTED_OUTPUTS(round) ((round) == PSA_JPAKE_FINISHED ? 0 : \
+ ((round) == PSA_JPAKE_FIRST ? 2 : 1))
+
struct psa_pake_operation_s {
/** Unique ID indicating which driver got assigned to do the
* operation. Since driver contexts are driver-specific, swapping
diff --git a/library/bn_mul.h b/library/bn_mul.h
index c5994f7..43dd5c2 100644
--- a/library/bn_mul.h
+++ b/library/bn_mul.h
@@ -248,27 +248,39 @@
#endif /* AMD64 */
-#if defined(__aarch64__)
+// The following assembly code assumes that a pointer will fit in a 64-bit register
+// (including ILP32 __aarch64__ ABIs such as on watchOS, hence the 2^32 - 1)
+#if defined(__aarch64__) && (UINTPTR_MAX == 0xfffffffful || UINTPTR_MAX == 0xfffffffffffffffful)
+/*
+ * There are some issues around different compilers requiring different constraint
+ * syntax for updating pointers from assembly code (see notes for
+ * MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT in common.h), especially on aarch64_32 (aka ILP32).
+ *
+ * For this reason we cast the pointers to/from uintptr_t here.
+ */
#define MULADDC_X1_INIT \
- asm(
+ do { uintptr_t muladdc_d = (uintptr_t) d, muladdc_s = (uintptr_t) s; asm(
#define MULADDC_X1_CORE \
- "ldr x4, [%2], #8 \n\t" \
- "ldr x5, [%1] \n\t" \
+ "ldr x4, [%x2], #8 \n\t" \
+ "ldr x5, [%x1] \n\t" \
"mul x6, x4, %4 \n\t" \
"umulh x7, x4, %4 \n\t" \
"adds x5, x5, x6 \n\t" \
"adc x7, x7, xzr \n\t" \
"adds x5, x5, %0 \n\t" \
"adc %0, x7, xzr \n\t" \
- "str x5, [%1], #8 \n\t"
+ "str x5, [%x1], #8 \n\t"
#define MULADDC_X1_STOP \
- : "+r" (c), "+r" (d), "+r" (s), "+m" (*(uint64_t (*)[16]) d) \
+ : "+r" (c), \
+ "+r" (muladdc_d), \
+ "+r" (muladdc_s), \
+ "+m" (*(uint64_t (*)[16]) d) \
: "r" (b), "m" (*(const uint64_t (*)[16]) s) \
: "x4", "x5", "x6", "x7", "cc" \
- );
+ ); d = (mbedtls_mpi_uint *)muladdc_d; s = (mbedtls_mpi_uint *)muladdc_s; } while (0);
#endif /* Aarch64 */
diff --git a/library/common.h b/library/common.h
index b48a1fc..97846c4 100644
--- a/library/common.h
+++ b/library/common.h
@@ -69,6 +69,44 @@
#define MBEDTLS_TEST_HOOK_TEST_ASSERT(TEST)
#endif /* defined(MBEDTLS_TEST_HOOKS) */
+/** \def ARRAY_LENGTH
+ * Return the number of elements of a static or stack array.
+ *
+ * \param array A value of array (not pointer) type.
+ *
+ * \return The number of elements of the array.
+ */
+/* A correct implementation of ARRAY_LENGTH, but which silently gives
+ * a nonsensical result if called with a pointer rather than an array. */
+#define ARRAY_LENGTH_UNSAFE(array) \
+ (sizeof(array) / sizeof(*(array)))
+
+#if defined(__GNUC__)
+/* Test if arg and &(arg)[0] have the same type. This is true if arg is
+ * an array but not if it's a pointer. */
+#define IS_ARRAY_NOT_POINTER(arg) \
+ (!__builtin_types_compatible_p(__typeof__(arg), \
+ __typeof__(&(arg)[0])))
+/* A compile-time constant with the value 0. If `const_expr` is not a
+ * compile-time constant with a nonzero value, cause a compile-time error. */
+#define STATIC_ASSERT_EXPR(const_expr) \
+ (0 && sizeof(struct { unsigned int STATIC_ASSERT : 1 - 2 * !(const_expr); }))
+
+/* Return the scalar value `value` (possibly promoted). This is a compile-time
+ * constant if `value` is. `condition` must be a compile-time constant.
+ * If `condition` is false, arrange to cause a compile-time error. */
+#define STATIC_ASSERT_THEN_RETURN(condition, value) \
+ (STATIC_ASSERT_EXPR(condition) ? 0 : (value))
+
+#define ARRAY_LENGTH(array) \
+ (STATIC_ASSERT_THEN_RETURN(IS_ARRAY_NOT_POINTER(array), \
+ ARRAY_LENGTH_UNSAFE(array)))
+
+#else
+/* If we aren't sure the compiler supports our non-standard tricks,
+ * fall back to the unsafe implementation. */
+#define ARRAY_LENGTH(array) ARRAY_LENGTH_UNSAFE(array)
+#endif
/** Allow library to access its structs' private members.
*
* Although structs defined in header files are publicly available,
@@ -169,6 +207,34 @@
#endif
/* *INDENT-ON* */
+/*
+ * Define the constraint used for read-only pointer operands to aarch64 asm.
+ *
+ * This is normally the usual "r", but for aarch64_32 (aka ILP32,
+ * as found in watchos), "p" is required to avoid warnings from clang.
+ *
+ * Note that clang does not recognise '+p' or '=p', and armclang
+ * does not recognise 'p' at all. Therefore, to update a pointer from
+ * aarch64 assembly, it is necessary to use something like:
+ *
+ * uintptr_t uptr = (uintptr_t) ptr;
+ * asm( "ldr x4, [%x0], #8" ... : "+r" (uptr) : : )
+ * ptr = (void*) uptr;
+ *
+ * Note that the "x" in "%x0" is neccessary; writing "%0" will cause warnings.
+ */
+#if defined(__aarch64__) && defined(MBEDTLS_HAVE_ASM)
+#if UINTPTR_MAX == 0xfffffffful
+/* ILP32: Specify the pointer operand slightly differently, as per #7787. */
+#define MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT "p"
+#elif UINTPTR_MAX == 0xfffffffffffffffful
+/* Normal case (64-bit pointers): use "r" as the constraint for pointer operands to asm */
+#define MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT "r"
+#else
+#error Unrecognised pointer size for aarch64
+#endif
+#endif
+
/* Always provide a static assert macro, so it can be used unconditionally.
* It will expand to nothing on some systems.
* Can be used outside functions (but don't add a trailing ';' in that case:
diff --git a/library/constant_time.c b/library/constant_time.c
index c823b78..5265005 100644
--- a/library/constant_time.c
+++ b/library/constant_time.c
@@ -46,10 +46,18 @@
#endif
#include <string.h>
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_ssl_errors, \
- psa_generic_status_to_mbedtls)
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+#include "psa/crypto.h"
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
/*
@@ -63,7 +71,9 @@
* only used here.
*/
#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS) && defined(MBEDTLS_HAVE_ASM)
-#if defined(__arm__) || defined(__thumb__) || defined(__thumb2__) || defined(__aarch64__)
+#if ((defined(__arm__) || defined(__thumb__) || defined(__thumb2__)) && \
+ (UINTPTR_MAX == 0xfffffffful)) || defined(__aarch64__)
+/* We check pointer sizes to avoid issues with them not matching register size requirements */
#define MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS
#endif
#endif
@@ -79,7 +89,7 @@
#if defined(__arm__) || defined(__thumb__) || defined(__thumb2__)
asm volatile ("ldr %0, [%1]" : "=r" (r) : "r" (p) :);
#elif defined(__aarch64__)
- asm volatile ("ldr %w0, [%1]" : "=r" (r) : "r" (p) :);
+ asm volatile ("ldr %w0, [%1]" : "=r" (r) : MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT(p) :);
#endif
return r;
}
diff --git a/library/lmots.c b/library/lmots.c
index 4061edd..4ef2c51 100644
--- a/library/lmots.c
+++ b/library/lmots.c
@@ -45,9 +45,15 @@
#include "psa/crypto.h"
-#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_lms_errors, \
- psa_generic_status_to_mbedtls)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_lms_errors,
+ ARRAY_LENGTH(psa_to_lms_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#define PUBLIC_KEY_TYPE_OFFSET (0)
#define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
diff --git a/library/lms.c b/library/lms.c
index acc3523..823ce09 100644
--- a/library/lms.c
+++ b/library/lms.c
@@ -46,9 +46,15 @@
#include "mbedtls/platform.h"
-#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_lms_errors, \
- psa_generic_status_to_mbedtls)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_lms_errors,
+ ARRAY_LENGTH(psa_to_lms_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#define SIG_Q_LEAF_ID_OFFSET (0)
#define SIG_OTS_SIG_OFFSET (SIG_Q_LEAF_ID_OFFSET + \
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 2173483..ac6bd5b 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -84,8 +84,6 @@
#include "mbedtls/sha512.h"
#include "md_psa.h"
-#define ARRAY_LENGTH(array) (sizeof(array) / sizeof(*(array)))
-
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
@@ -7767,10 +7765,8 @@
psa_jpake_computation_stage_t *computation_stage =
&operation->computation_stage.jpake;
- computation_stage->state = PSA_PAKE_STATE_SETUP;
- computation_stage->sequence = PSA_PAKE_SEQ_INVALID;
- computation_stage->input_step = PSA_PAKE_STEP_X1_X2;
- computation_stage->output_step = PSA_PAKE_STEP_X1_X2;
+ memset(computation_stage, 0, sizeof(*computation_stage));
+ computation_stage->step = PSA_PAKE_STEP_KEY_SHARE;
} else
#endif /* PSA_WANT_ALG_JPAKE */
{
@@ -7939,59 +7935,32 @@
return status;
}
-/* Auxiliary function to convert core computation stage(step, sequence, state) to single driver step. */
+/* Auxiliary function to convert core computation stage to single driver step. */
#if defined(PSA_WANT_ALG_JPAKE)
static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_step(
psa_jpake_computation_stage_t *stage)
{
- switch (stage->state) {
- case PSA_PAKE_OUTPUT_X1_X2:
- case PSA_PAKE_INPUT_X1_X2:
- switch (stage->sequence) {
- case PSA_PAKE_X1_STEP_KEY_SHARE:
- return PSA_JPAKE_X1_STEP_KEY_SHARE;
- case PSA_PAKE_X1_STEP_ZK_PUBLIC:
- return PSA_JPAKE_X1_STEP_ZK_PUBLIC;
- case PSA_PAKE_X1_STEP_ZK_PROOF:
- return PSA_JPAKE_X1_STEP_ZK_PROOF;
- case PSA_PAKE_X2_STEP_KEY_SHARE:
- return PSA_JPAKE_X2_STEP_KEY_SHARE;
- case PSA_PAKE_X2_STEP_ZK_PUBLIC:
- return PSA_JPAKE_X2_STEP_ZK_PUBLIC;
- case PSA_PAKE_X2_STEP_ZK_PROOF:
- return PSA_JPAKE_X2_STEP_ZK_PROOF;
- default:
- return PSA_JPAKE_STEP_INVALID;
- }
- break;
- case PSA_PAKE_OUTPUT_X2S:
- switch (stage->sequence) {
- case PSA_PAKE_X1_STEP_KEY_SHARE:
- return PSA_JPAKE_X2S_STEP_KEY_SHARE;
- case PSA_PAKE_X1_STEP_ZK_PUBLIC:
- return PSA_JPAKE_X2S_STEP_ZK_PUBLIC;
- case PSA_PAKE_X1_STEP_ZK_PROOF:
- return PSA_JPAKE_X2S_STEP_ZK_PROOF;
- default:
- return PSA_JPAKE_STEP_INVALID;
- }
- break;
- case PSA_PAKE_INPUT_X4S:
- switch (stage->sequence) {
- case PSA_PAKE_X1_STEP_KEY_SHARE:
- return PSA_JPAKE_X4S_STEP_KEY_SHARE;
- case PSA_PAKE_X1_STEP_ZK_PUBLIC:
- return PSA_JPAKE_X4S_STEP_ZK_PUBLIC;
- case PSA_PAKE_X1_STEP_ZK_PROOF:
- return PSA_JPAKE_X4S_STEP_ZK_PROOF;
- default:
- return PSA_JPAKE_STEP_INVALID;
- }
- break;
- default:
- return PSA_JPAKE_STEP_INVALID;
+ psa_crypto_driver_pake_step_t key_share_step;
+ if (stage->round == PSA_JPAKE_FIRST) {
+ int is_x1;
+
+ if (stage->io_mode == PSA_JPAKE_OUTPUT) {
+ is_x1 = (stage->outputs < 1);
+ } else {
+ is_x1 = (stage->inputs < 1);
+ }
+
+ key_share_step = is_x1 ?
+ PSA_JPAKE_X1_STEP_KEY_SHARE :
+ PSA_JPAKE_X2_STEP_KEY_SHARE;
+ } else if (stage->round == PSA_JPAKE_SECOND) {
+ key_share_step = (stage->io_mode == PSA_JPAKE_OUTPUT) ?
+ PSA_JPAKE_X2S_STEP_KEY_SHARE :
+ PSA_JPAKE_X4S_STEP_KEY_SHARE;
+ } else {
+ return PSA_JPAKE_STEP_INVALID;
}
- return PSA_JPAKE_STEP_INVALID;
+ return key_share_step + stage->step - PSA_PAKE_STEP_KEY_SHARE;
}
#endif /* PSA_WANT_ALG_JPAKE */
@@ -8030,12 +7999,6 @@
#if defined(PSA_WANT_ALG_JPAKE)
if (operation->alg == PSA_ALG_JPAKE) {
operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION;
- psa_jpake_computation_stage_t *computation_stage =
- &operation->computation_stage.jpake;
- computation_stage->state = PSA_PAKE_STATE_READY;
- computation_stage->sequence = PSA_PAKE_SEQ_INVALID;
- computation_stage->input_step = PSA_PAKE_STEP_X1_X2;
- computation_stage->output_step = PSA_PAKE_STEP_X1_X2;
} else
#endif /* PSA_WANT_ALG_JPAKE */
{
@@ -8046,9 +8009,10 @@
}
#if defined(PSA_WANT_ALG_JPAKE)
-static psa_status_t psa_jpake_output_prologue(
+static psa_status_t psa_jpake_prologue(
psa_pake_operation_t *operation,
- psa_pake_step_t step)
+ psa_pake_step_t step,
+ psa_jpake_io_mode_t io_mode)
{
if (step != PSA_PAKE_STEP_KEY_SHARE &&
step != PSA_PAKE_STEP_ZK_PUBLIC &&
@@ -8059,84 +8023,66 @@
psa_jpake_computation_stage_t *computation_stage =
&operation->computation_stage.jpake;
- if (computation_stage->state == PSA_PAKE_STATE_INVALID) {
+ if (computation_stage->round != PSA_JPAKE_FIRST &&
+ computation_stage->round != PSA_JPAKE_SECOND) {
return PSA_ERROR_BAD_STATE;
}
- if (computation_stage->state != PSA_PAKE_STATE_READY &&
- computation_stage->state != PSA_PAKE_OUTPUT_X1_X2 &&
- computation_stage->state != PSA_PAKE_OUTPUT_X2S) {
+ /* Check that the step we are given is the one we were expecting */
+ if (step != computation_stage->step) {
return PSA_ERROR_BAD_STATE;
}
- if (computation_stage->state == PSA_PAKE_STATE_READY) {
- if (step != PSA_PAKE_STEP_KEY_SHARE) {
- return PSA_ERROR_BAD_STATE;
- }
-
- switch (computation_stage->output_step) {
- case PSA_PAKE_STEP_X1_X2:
- computation_stage->state = PSA_PAKE_OUTPUT_X1_X2;
- break;
- case PSA_PAKE_STEP_X2S:
- computation_stage->state = PSA_PAKE_OUTPUT_X2S;
- break;
- default:
- return PSA_ERROR_BAD_STATE;
- }
-
- computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE;
- }
-
- /* Check if step matches current sequence */
- switch (computation_stage->sequence) {
- case PSA_PAKE_X1_STEP_KEY_SHARE:
- case PSA_PAKE_X2_STEP_KEY_SHARE:
- if (step != PSA_PAKE_STEP_KEY_SHARE) {
- return PSA_ERROR_BAD_STATE;
- }
- break;
-
- case PSA_PAKE_X1_STEP_ZK_PUBLIC:
- case PSA_PAKE_X2_STEP_ZK_PUBLIC:
- if (step != PSA_PAKE_STEP_ZK_PUBLIC) {
- return PSA_ERROR_BAD_STATE;
- }
- break;
-
- case PSA_PAKE_X1_STEP_ZK_PROOF:
- case PSA_PAKE_X2_STEP_ZK_PROOF:
- if (step != PSA_PAKE_STEP_ZK_PROOF) {
- return PSA_ERROR_BAD_STATE;
- }
- break;
-
- default:
- return PSA_ERROR_BAD_STATE;
+ if (step == PSA_PAKE_STEP_KEY_SHARE &&
+ computation_stage->inputs == 0 &&
+ computation_stage->outputs == 0) {
+ /* Start of the round, so function decides whether we are inputting
+ * or outputting */
+ computation_stage->io_mode = io_mode;
+ } else if (computation_stage->io_mode != io_mode) {
+ /* Middle of the round so the mode we are in must match the function
+ * called by the user */
+ return PSA_ERROR_BAD_STATE;
}
return PSA_SUCCESS;
}
-static psa_status_t psa_jpake_output_epilogue(
- psa_pake_operation_t *operation)
+static psa_status_t psa_jpake_epilogue(
+ psa_pake_operation_t *operation,
+ psa_jpake_io_mode_t io_mode)
{
- psa_jpake_computation_stage_t *computation_stage =
+ psa_jpake_computation_stage_t *stage =
&operation->computation_stage.jpake;
- if ((computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 &&
- computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) ||
- (computation_stage->state == PSA_PAKE_OUTPUT_X2S &&
- computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) {
- computation_stage->state = PSA_PAKE_STATE_READY;
- computation_stage->output_step++;
- computation_stage->sequence = PSA_PAKE_SEQ_INVALID;
+ if (stage->step == PSA_PAKE_STEP_ZK_PROOF) {
+ /* End of an input/output */
+ if (io_mode == PSA_JPAKE_INPUT) {
+ stage->inputs++;
+ if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round)) {
+ stage->io_mode = PSA_JPAKE_OUTPUT;
+ }
+ }
+ if (io_mode == PSA_JPAKE_OUTPUT) {
+ stage->outputs++;
+ if (stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) {
+ stage->io_mode = PSA_JPAKE_INPUT;
+ }
+ }
+ if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round) &&
+ stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) {
+ /* End of a round, move to the next round */
+ stage->inputs = 0;
+ stage->outputs = 0;
+ stage->round++;
+ }
+ stage->step = PSA_PAKE_STEP_KEY_SHARE;
} else {
- computation_stage->sequence++;
+ stage->step++;
}
-
return PSA_SUCCESS;
}
+
#endif /* PSA_WANT_ALG_JPAKE */
psa_status_t psa_pake_output(
@@ -8170,7 +8116,7 @@
switch (operation->alg) {
#if defined(PSA_WANT_ALG_JPAKE)
case PSA_ALG_JPAKE:
- status = psa_jpake_output_prologue(operation, step);
+ status = psa_jpake_prologue(operation, step, PSA_JPAKE_OUTPUT);
if (status != PSA_SUCCESS) {
goto exit;
}
@@ -8194,7 +8140,7 @@
switch (operation->alg) {
#if defined(PSA_WANT_ALG_JPAKE)
case PSA_ALG_JPAKE:
- status = psa_jpake_output_epilogue(operation);
+ status = psa_jpake_epilogue(operation, PSA_JPAKE_OUTPUT);
if (status != PSA_SUCCESS) {
goto exit;
}
@@ -8211,100 +8157,6 @@
return status;
}
-#if defined(PSA_WANT_ALG_JPAKE)
-static psa_status_t psa_jpake_input_prologue(
- psa_pake_operation_t *operation,
- psa_pake_step_t step)
-{
- if (step != PSA_PAKE_STEP_KEY_SHARE &&
- step != PSA_PAKE_STEP_ZK_PUBLIC &&
- step != PSA_PAKE_STEP_ZK_PROOF) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- psa_jpake_computation_stage_t *computation_stage =
- &operation->computation_stage.jpake;
-
- if (computation_stage->state == PSA_PAKE_STATE_INVALID) {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (computation_stage->state != PSA_PAKE_STATE_READY &&
- computation_stage->state != PSA_PAKE_INPUT_X1_X2 &&
- computation_stage->state != PSA_PAKE_INPUT_X4S) {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (computation_stage->state == PSA_PAKE_STATE_READY) {
- if (step != PSA_PAKE_STEP_KEY_SHARE) {
- return PSA_ERROR_BAD_STATE;
- }
-
- switch (computation_stage->input_step) {
- case PSA_PAKE_STEP_X1_X2:
- computation_stage->state = PSA_PAKE_INPUT_X1_X2;
- break;
- case PSA_PAKE_STEP_X2S:
- computation_stage->state = PSA_PAKE_INPUT_X4S;
- break;
- default:
- return PSA_ERROR_BAD_STATE;
- }
-
- computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE;
- }
-
- /* Check if step matches current sequence */
- switch (computation_stage->sequence) {
- case PSA_PAKE_X1_STEP_KEY_SHARE:
- case PSA_PAKE_X2_STEP_KEY_SHARE:
- if (step != PSA_PAKE_STEP_KEY_SHARE) {
- return PSA_ERROR_BAD_STATE;
- }
- break;
-
- case PSA_PAKE_X1_STEP_ZK_PUBLIC:
- case PSA_PAKE_X2_STEP_ZK_PUBLIC:
- if (step != PSA_PAKE_STEP_ZK_PUBLIC) {
- return PSA_ERROR_BAD_STATE;
- }
- break;
-
- case PSA_PAKE_X1_STEP_ZK_PROOF:
- case PSA_PAKE_X2_STEP_ZK_PROOF:
- if (step != PSA_PAKE_STEP_ZK_PROOF) {
- return PSA_ERROR_BAD_STATE;
- }
- break;
-
- default:
- return PSA_ERROR_BAD_STATE;
- }
-
- return PSA_SUCCESS;
-}
-
-static psa_status_t psa_jpake_input_epilogue(
- psa_pake_operation_t *operation)
-{
- psa_jpake_computation_stage_t *computation_stage =
- &operation->computation_stage.jpake;
-
- if ((computation_stage->state == PSA_PAKE_INPUT_X1_X2 &&
- computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) ||
- (computation_stage->state == PSA_PAKE_INPUT_X4S &&
- computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) {
- computation_stage->state = PSA_PAKE_STATE_READY;
- computation_stage->input_step++;
- computation_stage->sequence = PSA_PAKE_SEQ_INVALID;
- } else {
- computation_stage->sequence++;
- }
-
- return PSA_SUCCESS;
-}
-#endif /* PSA_WANT_ALG_JPAKE */
-
psa_status_t psa_pake_input(
psa_pake_operation_t *operation,
psa_pake_step_t step,
@@ -8337,7 +8189,7 @@
switch (operation->alg) {
#if defined(PSA_WANT_ALG_JPAKE)
case PSA_ALG_JPAKE:
- status = psa_jpake_input_prologue(operation, step);
+ status = psa_jpake_prologue(operation, step, PSA_JPAKE_INPUT);
if (status != PSA_SUCCESS) {
goto exit;
}
@@ -8361,7 +8213,7 @@
switch (operation->alg) {
#if defined(PSA_WANT_ALG_JPAKE)
case PSA_ALG_JPAKE:
- status = psa_jpake_input_epilogue(operation);
+ status = psa_jpake_epilogue(operation, PSA_JPAKE_INPUT);
if (status != PSA_SUCCESS) {
goto exit;
}
@@ -8396,8 +8248,7 @@
if (operation->alg == PSA_ALG_JPAKE) {
psa_jpake_computation_stage_t *computation_stage =
&operation->computation_stage.jpake;
- if (computation_stage->input_step != PSA_PAKE_STEP_DERIVE ||
- computation_stage->output_step != PSA_PAKE_STEP_DERIVE) {
+ if (computation_stage->round != PSA_JPAKE_FINISHED) {
status = PSA_ERROR_BAD_STATE;
goto exit;
}
diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index 4136614..e22bcf8 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -80,65 +80,37 @@
*/
/*
- * The first PAKE step shares the same sequences of the second PAKE step
- * but with a second set of KEY_SHARE/ZK_PUBLIC/ZK_PROOF outputs/inputs.
- * It's simpler to share the same sequences numbers of the first
- * set of KEY_SHARE/ZK_PUBLIC/ZK_PROOF outputs/inputs in both PAKE steps.
+ * Possible sequence of calls to implementation:
*
- * State sequence with step, state & sequence enums:
- * => Input & Output Step = PSA_PAKE_STEP_INVALID
- * => state = PSA_PAKE_STATE_INVALID
- * psa_pake_setup()
- * => Input & Output Step = PSA_PAKE_STEP_X1_X2
- * => state = PSA_PAKE_STATE_SETUP
- * => sequence = PSA_PAKE_SEQ_INVALID
- * |
- * |--- In any order: (First round input before or after first round output)
- * | | First call of psa_pake_output() or psa_pake_input() sets
- * | | state = PSA_PAKE_STATE_READY
- * | |
- * | |------ In Order: => state = PSA_PAKE_OUTPUT_X1_X2
- * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE
- * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC
- * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF
- * | | | psa_pake_output() => sequence = PSA_PAKE_X2_STEP_KEY_SHARE
- * | | | psa_pake_output() => sequence = PSA_PAKE_X2_STEP_ZK_PUBLIC
- * | | | psa_pake_output() => sequence = PSA_PAKE_X2_STEP_ZK_PROOF
- * | | | => state = PSA_PAKE_STATE_READY
- * | | | => sequence = PSA_PAKE_SEQ_INVALID
- * | | | => Output Step = PSA_PAKE_STEP_X2S
- * | |
- * | |------ In Order: => state = PSA_PAKE_INPUT_X1_X2
- * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE
- * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC
- * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF
- * | | | psa_pake_input() => sequence = PSA_PAKE_X2_STEP_KEY_SHARE
- * | | | psa_pake_input() => sequence = PSA_PAKE_X2_STEP_ZK_PUBLIC
- * | | | psa_pake_input() => sequence = PSA_PAKE_X2_STEP_ZK_PROOF
- * | | | => state = PSA_PAKE_STATE_READY
- * | | | => sequence = PSA_PAKE_SEQ_INVALID
- * | | | => Output Step = PSA_PAKE_INPUT_X4S
- * |
- * |--- In any order: (Second round input before or after second round output)
- * | |
- * | |------ In Order: => state = PSA_PAKE_OUTPUT_X2S
- * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE
- * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC
- * | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF
- * | | | => state = PSA_PAKE_STATE_READY
- * | | | => sequence = PSA_PAKE_SEQ_INVALID
- * | | | => Output Step = PSA_PAKE_STEP_DERIVE
- * | |
- * | |------ In Order: => state = PSA_PAKE_INPUT_X4S
- * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE
- * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC
- * | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF
- * | | | => state = PSA_PAKE_STATE_READY
- * | | | => sequence = PSA_PAKE_SEQ_INVALID
- * | | | => Output Step = PSA_PAKE_STEP_DERIVE
- * |
- * psa_pake_get_implicit_key()
- * => Input & Output Step = PSA_PAKE_STEP_INVALID
+ * |--- In any order:
+ * | |
+ * | |------ In Order
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_KEY_SHARE)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PUBLIC)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PROOF)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_KEY_SHARE)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PUBLIC)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PROOF)
+ * | |
+ * | |------ In Order:
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_KEY_SHARE)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PUBLIC)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PROOF)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_KEY_SHARE)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PUBLIC)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PROOF)
+ * |
+ * |--- In any order:
+ * | |
+ * | |------ In Order
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_KEY_SHARE)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PUBLIC)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PROOF)
+ * | |
+ * | |------ In Order:
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_KEY_SHARE)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PUBLIC)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PROOF)
*/
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index a7cb9b5..a10cb2b 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -36,8 +36,6 @@
#include <string.h>
#include "mbedtls/platform.h"
-#define ARRAY_LENGTH(array) (sizeof(array) / sizeof(*(array)))
-
typedef struct {
psa_key_slot_t key_slots[MBEDTLS_PSA_KEY_SLOT_COUNT];
unsigned key_slots_initialized : 1;
diff --git a/library/sha512.c b/library/sha512.c
index b8b2485..ff92a1b 100644
--- a/library/sha512.c
+++ b/library/sha512.c
@@ -1001,8 +1001,6 @@
};
#endif /* MBEDTLS_SHA512_C */
-#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))
-
static int mbedtls_sha512_common_self_test(int verbose, int is384)
{
int i, buflen, ret = 0;
diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c
index ae7a420..098aced 100644
--- a/library/ssl_cookie.c
+++ b/library/ssl_cookie.c
@@ -37,9 +37,15 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "md_psa.h"
-#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_ssl_errors, \
- psa_generic_status_to_mbedtls)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
/*
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 18c19f9..e905023 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -49,9 +49,15 @@
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_ssl_errors, \
- psa_generic_status_to_mbedtls)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl);
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index 7d07d19..1adaa07 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@@ -31,9 +31,15 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_ssl_errors, \
- psa_generic_status_to_mbedtls)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
/*
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f0067f4..bc9f4f8 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -51,12 +51,15 @@
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_ssl_errors, \
- psa_generic_status_to_mbedtls)
-#define PSA_TO_MD_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_md_errors, \
- psa_generic_status_to_mbedtls)
+/* Define local translating functions to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
#if defined(MBEDTLS_TEST_HOOKS)
@@ -748,8 +751,6 @@
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-#define ARRAY_LENGTH(a) (sizeof(a) / sizeof(*(a)))
-
static const char *ticket_flag_name_table[] =
{
[0] = "ALLOW_PSK_RESUMPTION",
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index fc96dae..28f9cdb 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -33,9 +33,17 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "mbedtls/psa_util.h"
#include "psa/crypto.h"
-#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_ssl_errors, \
- psa_generic_status_to_mbedtls)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include <string.h>
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 26d570a..5060277 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -34,9 +34,18 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_ssl_errors, \
- psa_generic_status_to_mbedtls)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+#endif
#endif
#if defined(MBEDTLS_ECP_C)
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 3dffc1d..6ec3170 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -35,9 +35,17 @@
#include "ssl_debug_helpers.h"
#include "md_psa.h"
-#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_ssl_errors, \
- psa_generic_status_to_mbedtls)
+#if defined(PSA_WANT_ALG_ECDH)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+#endif
/* Write extensions */
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index a59f01c..fa193ff 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -39,9 +39,18 @@
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
-#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_ssl_errors, \
- psa_generic_status_to_mbedtls)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) || \
+ defined(PSA_WANT_ALG_ECDH)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+#endif
const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
MBEDTLS_SERVER_HELLO_RANDOM_LEN] =
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 540f854..81daf0a 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -36,9 +36,15 @@
#include "psa/crypto.h"
#include "md_psa.h"
-#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_ssl_errors, \
- psa_generic_status_to_mbedtls)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
.name = string,
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 380b1fd..4508e50 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -106,7 +106,7 @@
MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
0xFFFFFFF, /* Any PK alg */
-#if defined(MBEDTLS_ECP_LIGHT)
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
/* Curves at or above 128-bit security level. Note that this selection
* should be aligned with ssl_preset_default_curves in ssl_tls.c. */
MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
@@ -116,9 +116,9 @@
MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP384R1) |
MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP512R1) |
0,
-#else /* MBEDTLS_ECP_LIGHT */
+#else /* MBEDTLS_PK_HAVE_ECC_KEYS */
0,
-#endif /* MBEDTLS_ECP_LIGHT */
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
2048,
};
@@ -157,13 +157,13 @@
/* Only ECDSA */
MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECDSA) |
MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECKEY),
-#if defined(MBEDTLS_ECP_LIGHT)
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
/* Only NIST P-256 and P-384 */
MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1),
-#else /* MBEDTLS_ECP_LIGHT */
+#else /* MBEDTLS_PK_HAVE_ECC_KEYS */
0,
-#endif /* MBEDTLS_ECP_LIGHT */
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
0,
};
@@ -233,7 +233,7 @@
}
#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_ECP_LIGHT)
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
if (pk_alg == MBEDTLS_PK_ECDSA ||
pk_alg == MBEDTLS_PK_ECKEY ||
pk_alg == MBEDTLS_PK_ECKEY_DH) {
@@ -249,7 +249,7 @@
return -1;
}
-#endif /* MBEDTLS_ECP_LIGHT */
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
return -1;
}
diff --git a/scripts/generate_ssl_debug_helpers.py b/scripts/generate_ssl_debug_helpers.py
index 3127afc..19be415 100755
--- a/scripts/generate_ssl_debug_helpers.py
+++ b/scripts/generate_ssl_debug_helpers.py
@@ -209,24 +209,18 @@
continue
member = field.strip().split()[0]
translation_table.append(
- '{space}[{member}] = "{member}",'.format(member=member,
- space=' '*8)
+ '{space}case {member}:\n{space} return "{member}";'
+ .format(member=member, space=' '*8)
)
body = textwrap.dedent('''\
const char *{name}_str( {prototype} in )
{{
- const char * in_to_str[]=
- {{
+ switch (in) {{
{translation_table}
- }};
-
- if( in > ( sizeof( in_to_str )/sizeof( in_to_str[0]) - 1 ) ||
- in_to_str[ in ] == NULL )
- {{
- return "UNKNOWN_VALUE";
+ default:
+ return "UNKNOWN_VALUE";
}}
- return in_to_str[ in ];
}}
''')
body = body.format(translation_table='\n'.join(translation_table),
diff --git a/tests/include/test/macros.h b/tests/include/test/macros.h
index ab8260b..ae84ec2 100644
--- a/tests/include/test/macros.h
+++ b/tests/include/test/macros.h
@@ -33,6 +33,7 @@
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
#include "mbedtls/memory_buffer_alloc.h"
#endif
+#include "common.h"
/**
* \brief This macro tests the expression passed to it as a test step or
@@ -196,45 +197,6 @@
mbedtls_exit(1); \
}
-/** \def ARRAY_LENGTH
- * Return the number of elements of a static or stack array.
- *
- * \param array A value of array (not pointer) type.
- *
- * \return The number of elements of the array.
- */
-/* A correct implementation of ARRAY_LENGTH, but which silently gives
- * a nonsensical result if called with a pointer rather than an array. */
-#define ARRAY_LENGTH_UNSAFE(array) \
- (sizeof(array) / sizeof(*(array)))
-
-#if defined(__GNUC__)
-/* Test if arg and &(arg)[0] have the same type. This is true if arg is
- * an array but not if it's a pointer. */
-#define IS_ARRAY_NOT_POINTER(arg) \
- (!__builtin_types_compatible_p(__typeof__(arg), \
- __typeof__(&(arg)[0])))
-/* A compile-time constant with the value 0. If `const_expr` is not a
- * compile-time constant with a nonzero value, cause a compile-time error. */
-#define STATIC_ASSERT_EXPR(const_expr) \
- (0 && sizeof(struct { unsigned int STATIC_ASSERT : 1 - 2 * !(const_expr); }))
-
-/* Return the scalar value `value` (possibly promoted). This is a compile-time
- * constant if `value` is. `condition` must be a compile-time constant.
- * If `condition` is false, arrange to cause a compile-time error. */
-#define STATIC_ASSERT_THEN_RETURN(condition, value) \
- (STATIC_ASSERT_EXPR(condition) ? 0 : (value))
-
-#define ARRAY_LENGTH(array) \
- (STATIC_ASSERT_THEN_RETURN(IS_ARRAY_NOT_POINTER(array), \
- ARRAY_LENGTH_UNSAFE(array)))
-
-#else
-/* If we aren't sure the compiler supports our non-standard tricks,
- * fall back to the unsafe implementation. */
-#define ARRAY_LENGTH(array) ARRAY_LENGTH_UNSAFE(array)
-#endif
-
/** Return the smaller of two values.
*
* \param x An integer-valued expression without side effects.
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 18c2593..45f7e98 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2418,9 +2418,17 @@
# on the ECP module.
config_psa_crypto_no_ecp_at_all () {
DRIVER_ONLY="$1"
- # start with crypto_full config for maximum coverage (also enables USE_PSA),
- # but excluding X509, TLS and key exchanges
- helper_libtestdriver1_adjust_config "crypto_full"
+ # start with full config for maximum coverage (also enables USE_PSA)
+ helper_libtestdriver1_adjust_config "full"
+
+ # keep excluding TLS and key exchanges (this will be removed in #7749)
+ # Note: key exchanges are not explicitly disabled here because they are
+ # auto-disabled in build_info.h as long as the following symbols
+ # are not enabled.
+ scripts/config.py unset MBEDTLS_SSL_TLS_C
+ scripts/config.py unset MBEDTLS_SSL_PROTO_DTLS
+ scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_2
+ scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# enable support for drivers and configuring PSA-only algorithms
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
@@ -2450,7 +2458,7 @@
#
# Keep in sync with component_test_psa_crypto_config_reference_ecc_no_ecp_at_all()
component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () {
- msg "build: crypto_full + accelerated EC algs + USE_PSA - ECP"
+ msg "build: full + accelerated EC algs + USE_PSA - TLS - KEY_EXCHANGE - ECP"
# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
@@ -2485,7 +2493,7 @@
# Run the tests
# -------------
- msg "test suites: crypto_full + accelerated EC algs + USE_PSA - ECP"
+ msg "test: full + accelerated EC algs + USE_PSA - TLS - KEY_EXCHANGE - ECP"
make test
}
@@ -2493,13 +2501,13 @@
# in conjunction with component_test_psa_crypto_config_accel_ecc_no_ecp_at_all().
# Keep in sync with its accelerated counterpart.
component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () {
- msg "build: crypto_full + non accelerated EC algs + USE_PSA"
+ msg "build: full + non accelerated EC algs + USE_PSA - TLS - KEY_EXCHANGE"
config_psa_crypto_no_ecp_at_all 0
make
- msg "test suites: crypto_full + non accelerated EC algs + USE_PSA"
+ msg "test: crypto_full + non accelerated EC algs + USE_PSA - TLS - KEY_EXCHANGE"
make test
}
diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function
index b971f81..87f7b37 100644
--- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function
+++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function
@@ -3127,8 +3127,10 @@
PSA_SUCCESS);
/* Simulate that we are ready to get implicit key. */
- operation.computation_stage.jpake.input_step = PSA_PAKE_STEP_DERIVE;
- operation.computation_stage.jpake.output_step = PSA_PAKE_STEP_DERIVE;
+ operation.computation_stage.jpake.round = PSA_JPAKE_FINISHED;
+ operation.computation_stage.jpake.inputs = 0;
+ operation.computation_stage.jpake.outputs = 0;
+ operation.computation_stage.jpake.step = PSA_PAKE_STEP_KEY_SHARE;
/* --- psa_pake_get_implicit_key --- */
mbedtls_test_driver_pake_hooks.forced_status = forced_status;
diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data
index 9e1cc63..ea39ea4 100644
--- a/tests/suites/test_suite_psa_crypto_pake.data
+++ b/tests/suites/test_suite_psa_crypto_pake.data
@@ -132,83 +132,99 @@
PSA PAKE: no injected errors
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_NONE:PSA_SUCCESS
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_NONE:PSA_SUCCESS:0
PSA PAKE: no injected errors, client input first
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:"abcdef":ERR_NONE:PSA_SUCCESS
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:"abcdef":ERR_NONE:PSA_SUCCESS:0
PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1:PSA_ERROR_DATA_INVALID:0
PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1:PSA_ERROR_DATA_INVALID:0
PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1:PSA_ERROR_DATA_INVALID:0
PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2:PSA_ERROR_DATA_INVALID:0
PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2:PSA_ERROR_DATA_INVALID:0
PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2:PSA_ERROR_DATA_INVALID:0
PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1:PSA_ERROR_DATA_INVALID:0
PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1:PSA_ERROR_DATA_INVALID:0
PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1:PSA_ERROR_DATA_INVALID:0
PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2:PSA_ERROR_DATA_INVALID:0
PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2:PSA_ERROR_DATA_INVALID:0
PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2:PSA_ERROR_DATA_INVALID:0
PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_KEY_SHARE
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_KEY_SHARE:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_KEY_SHARE:PSA_ERROR_DATA_INVALID:1
PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC:PSA_ERROR_DATA_INVALID:1
PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_ZK_PROOF
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_ZK_PROOF:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_ZK_PROOF:PSA_ERROR_DATA_INVALID:1
PSA PAKE: inject ERR_INJECT_ROUND2_SERVER_KEY_SHARE
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_SERVER_KEY_SHARE:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_SERVER_KEY_SHARE:PSA_ERROR_DATA_INVALID:1
PSA PAKE: inject ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC:PSA_ERROR_DATA_INVALID:1
PSA PAKE: inject ERR_INJECT_ROUND2_SERVER_ZK_PROOF
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_SERVER_ZK_PROOF:PSA_ERROR_DATA_INVALID
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_SERVER_ZK_PROOF:PSA_ERROR_DATA_INVALID:1
+
+PSA PAKE: inject ERR_INJECT_EXTRA_OUTPUT
+depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_EXTRA_OUTPUT:PSA_ERROR_BAD_STATE:0
+
+PSA PAKE: inject ERR_INJECT_EXTRA_INPUT
+depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:"abcdef":ERR_INJECT_EXTRA_INPUT:PSA_ERROR_BAD_STATE:0
+
+PSA PAKE: inject ERR_INJECT_EXTRA_OUTPUT_AT_END
+depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:"abcdef":ERR_INJECT_EXTRA_OUTPUT_AT_END:PSA_ERROR_BAD_STATE:1
+
+PSA PAKE: inject ERR_INJECT_EXTRA_INPUT_AT_END
+depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_EXTRA_INPUT_AT_END:PSA_ERROR_BAD_STATE:1
PSA PAKE: ecjpake size macros
depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_LEGACY:PSA_WANT_ECC_SECP_R1_256
diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function
index 52380de..f04d56f 100644
--- a/tests/suites/test_suite_psa_crypto_pake.function
+++ b/tests/suites/test_suite_psa_crypto_pake.function
@@ -2,6 +2,7 @@
#include <stdint.h>
#include "psa/crypto.h"
+#include "psa/crypto_extra.h"
typedef enum {
ERR_NONE = 0,
@@ -39,6 +40,10 @@
ERR_INJECT_ROUND2_SERVER_KEY_SHARE,
ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC,
ERR_INJECT_ROUND2_SERVER_ZK_PROOF,
+ ERR_INJECT_EXTRA_OUTPUT,
+ ERR_INJECT_EXTRA_INPUT,
+ ERR_INJECT_EXTRA_OUTPUT_AT_END,
+ ERR_INJECT_EXTRA_INPUT_AT_END,
/* erros issued from the .data file */
ERR_IN_SETUP,
ERR_IN_SET_USER,
@@ -69,6 +74,13 @@
*(buf + 7) ^= 1; \
}
+#define DO_ROUND_CONDITIONAL_CHECK_FAILURE(this_stage, function) \
+ if (this_stage == err_stage) \
+ { \
+ TEST_EQUAL(function, expected_error_arg); \
+ break; \
+ }
+
#define DO_ROUND_UPDATE_OFFSETS(main_buf_offset, step_offset, step_size) \
{ \
step_offset = main_buf_offset; \
@@ -185,6 +197,12 @@
buffer0 + buffer0_off);
DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x2_pr_off, s_x2_pr_len);
+ size_t extra_output_len;
+ DO_ROUND_CONDITIONAL_CHECK_FAILURE(
+ ERR_INJECT_EXTRA_OUTPUT,
+ psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
+ buffer0 + s_g2_off, 512 - s_g2_off, &extra_output_len));
+ (void) extra_output_len;
/*
* When injecting errors in inputs, the implementation is
* free to detect it right away of with a delay.
@@ -223,6 +241,12 @@
s_x2_pr_len);
DO_ROUND_CHECK_FAILURE();
+ /* Note: Must have client_input_first == 1 to inject extra input */
+ DO_ROUND_CONDITIONAL_CHECK_FAILURE(
+ ERR_INJECT_EXTRA_INPUT,
+ psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
+ buffer0 + s_g2_off, s_g2_len));
+
/* Error didn't trigger, make test fail */
if ((err_stage >= ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1) &&
(err_stage <= ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2)) {
@@ -444,6 +468,16 @@
buffer1 + buffer1_off);
DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x2s_pr_off, c_x2s_pr_len);
+ if (client_input_first == 1) {
+ size_t extra_output_at_end_len;
+ DO_ROUND_CONDITIONAL_CHECK_FAILURE(
+ ERR_INJECT_EXTRA_OUTPUT_AT_END,
+ psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
+ buffer1 + c_a_off, 512 - c_a_off,
+ &extra_output_at_end_len));
+ (void) extra_output_at_end_len;
+ }
+
if (client_input_first == 0) {
/* Client second round Input */
status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
@@ -481,6 +515,12 @@
buffer1 + c_x2s_pr_off, c_x2s_pr_len);
DO_ROUND_CHECK_FAILURE();
+ DO_ROUND_CONDITIONAL_CHECK_FAILURE(
+ ERR_INJECT_EXTRA_INPUT_AT_END,
+ psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE,
+ buffer1 + c_a_off, c_a_len));
+
+
/* Error didn't trigger, make test fail */
if ((err_stage >= ERR_INJECT_ROUND2_CLIENT_KEY_SHARE) &&
(err_stage <= ERR_INJECT_ROUND2_CLIENT_ZK_PROOF)) {
@@ -733,7 +773,8 @@
int client_input_first,
data_t *pw_data,
int err_stage_arg,
- int expected_error_arg)
+ int expected_error_arg,
+ int inject_in_second_round)
{
psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
psa_pake_operation_t server = psa_pake_operation_init();
@@ -770,9 +811,10 @@
ecjpake_do_round(alg, primitive_arg, &server, &client,
client_input_first, PAKE_ROUND_ONE,
- err_stage, expected_error_arg);
+ inject_in_second_round ? ERR_NONE : err_stage,
+ expected_error_arg);
- if (err_stage != ERR_NONE) {
+ if (!inject_in_second_round && err_stage != ERR_NONE) {
goto exit;
}
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index edb7824..1d6bc28 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -996,7 +996,7 @@
x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"globalhost":0:0:"":"verify_all"
X509 CRT verification #93 (Suite B invalid, EC cert, RSA CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_LIGHT:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1
x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY|MBEDTLS_X509_BADCRL_BAD_MD|MBEDTLS_X509_BADCRL_BAD_PK:"suite_b":"NULL"
X509 CRT verification #94 (Suite B invalid, RSA cert, EC CA)