blob: 34baa1be2c7dfb81da0e31ce2e44d661a69b203b [file] [log] [blame]
Gilles Peskinee59236f2018-01-27 23:32:46 +01001/* BEGIN_HEADER */
itayzafrir3e02b3b2018-06-12 17:06:52 +03002#include <stdint.h>
mohammad160327010052018-07-03 13:16:15 +03003
Gilles Peskinedd2f95b2018-08-11 01:22:42 +02004#include "mbedtls/asn1.h"
Gilles Peskine0b352bc2018-06-28 00:16:11 +02005#include "mbedtls/asn1write.h"
Gilles Peskinedd2f95b2018-08-11 01:22:42 +02006#include "mbedtls/oid.h"
Gilles Peskine42649d92022-11-23 14:15:57 +01007#include "common.h"
Gilles Peskinedd2f95b2018-08-11 01:22:42 +02008
Valerio Settibf999cb2023-12-28 17:48:13 +01009#include "mbedtls/psa_util.h"
10
Gilles Peskinebdc96fd2019-08-07 12:08:04 +020011/* For MBEDTLS_CTR_DRBG_MAX_REQUEST, knowing that psa_generate_random()
12 * uses mbedtls_ctr_drbg internally. */
13#include "mbedtls/ctr_drbg.h"
14
Gilles Peskinebdc96fd2019-08-07 12:08:04 +020015#include "psa/crypto.h"
Ronald Cron41841072020-09-17 15:28:26 +020016#include "psa_crypto_slot_management.h"
Gilles Peskinebdc96fd2019-08-07 12:08:04 +020017
Manuel Pégourié-Gonnard7abdf7e2023-03-09 11:17:43 +010018/* For psa_can_do_hash() */
19#include "psa_crypto_core.h"
20
Gilles Peskine8e94efe2021-02-13 00:25:53 +010021#include "test/asn1_helpers.h"
Ronald Cron28a45ed2021-02-09 20:35:42 +010022#include "test/psa_crypto_helpers.h"
Gilles Peskinee78b0022021-02-13 00:41:11 +010023#include "test/psa_exercise_key.h"
Archana4d7ae1d2021-07-07 02:50:22 +053024#if defined(PSA_CRYPTO_DRIVER_TEST)
25#include "test/drivers/test_driver.h"
Archana8a180362021-07-05 02:18:48 +053026#define TEST_DRIVER_LOCATION PSA_CRYPTO_TEST_DRIVER_LOCATION
27#else
28#define TEST_DRIVER_LOCATION 0x7fffff
Archana4d7ae1d2021-07-07 02:50:22 +053029#endif
Ronald Cron28a45ed2021-02-09 20:35:42 +010030
Gilles Peskine4023c012021-05-27 13:21:20 +020031/* If this comes up, it's a bug in the test code or in the test data. */
32#define UNUSED 0xdeadbeef
33
Dave Rodgman647791d2021-06-23 12:49:59 +010034/* Assert that an operation is (not) active.
35 * This serves as a proxy for checking if the operation is aborted. */
Gilles Peskine449bd832023-01-11 14:50:10 +010036#define ASSERT_OPERATION_IS_ACTIVE(operation) TEST_ASSERT(operation.id != 0)
37#define ASSERT_OPERATION_IS_INACTIVE(operation) TEST_ASSERT(operation.id == 0)
Gilles Peskinef426e0f2019-02-25 17:42:03 +010038
Przemek Stekiel7c795482022-11-15 22:26:12 +010039#if defined(PSA_WANT_ALG_JPAKE)
Gilles Peskine449bd832023-01-11 14:50:10 +010040int ecjpake_operation_setup(psa_pake_operation_t *operation,
41 psa_pake_cipher_suite_t *cipher_suite,
42 psa_pake_role_t role,
43 mbedtls_svc_key_id_t key,
44 size_t key_available)
Przemek Stekiel7c795482022-11-15 22:26:12 +010045{
Gilles Peskine449bd832023-01-11 14:50:10 +010046 PSA_ASSERT(psa_pake_abort(operation));
Przemek Stekiel7c795482022-11-15 22:26:12 +010047
Gilles Peskine449bd832023-01-11 14:50:10 +010048 PSA_ASSERT(psa_pake_setup(operation, cipher_suite));
Przemek Stekiel7c795482022-11-15 22:26:12 +010049
Gilles Peskine449bd832023-01-11 14:50:10 +010050 PSA_ASSERT(psa_pake_set_role(operation, role));
Przemek Stekiel7c795482022-11-15 22:26:12 +010051
Gilles Peskine449bd832023-01-11 14:50:10 +010052 if (key_available) {
53 PSA_ASSERT(psa_pake_set_password_key(operation, key));
54 }
Przemek Stekielf82effa2022-11-21 15:10:32 +010055 return 0;
Przemek Stekiel7c795482022-11-15 22:26:12 +010056exit:
Przemek Stekielf82effa2022-11-21 15:10:32 +010057 return 1;
Przemek Stekiel7c795482022-11-15 22:26:12 +010058}
59#endif
60
Jaeden Amerof24c7f82018-06-27 17:20:43 +010061/** An invalid export length that will never be set by psa_export_key(). */
62static const size_t INVALID_EXPORT_LENGTH = ~0U;
63
Gilles Peskinea7aa4422018-08-14 15:17:54 +020064/** Test if a buffer contains a constant byte value.
65 *
66 * `mem_is_char(buffer, c, size)` is true after `memset(buffer, c, size)`.
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020067 *
68 * \param buffer Pointer to the beginning of the buffer.
Gilles Peskinea7aa4422018-08-14 15:17:54 +020069 * \param c Expected value of every byte.
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020070 * \param size Size of the buffer in bytes.
71 *
Gilles Peskine3f669c32018-06-21 09:21:51 +020072 * \return 1 if the buffer is all-bits-zero.
73 * \return 0 if there is at least one nonzero byte.
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020074 */
Gilles Peskine449bd832023-01-11 14:50:10 +010075static int mem_is_char(void *buffer, unsigned char c, size_t size)
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020076{
77 size_t i;
Gilles Peskine449bd832023-01-11 14:50:10 +010078 for (i = 0; i < size; i++) {
79 if (((unsigned char *) buffer)[i] != c) {
80 return 0;
81 }
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020082 }
Gilles Peskine449bd832023-01-11 14:50:10 +010083 return 1;
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020084}
Andrzej Kurek77b8e092022-01-17 15:29:38 +010085#if defined(MBEDTLS_ASN1_WRITE_C)
Gilles Peskine0b352bc2018-06-28 00:16:11 +020086/* Write the ASN.1 INTEGER with the value 2^(bits-1)+x backwards from *p. */
Gilles Peskine449bd832023-01-11 14:50:10 +010087static int asn1_write_10x(unsigned char **p,
88 unsigned char *start,
89 size_t bits,
90 unsigned char x)
Gilles Peskine0b352bc2018-06-28 00:16:11 +020091{
92 int ret;
93 int len = bits / 8 + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +010094 if (bits == 0) {
95 return MBEDTLS_ERR_ASN1_INVALID_DATA;
96 }
97 if (bits <= 8 && x >= 1 << (bits - 1)) {
98 return MBEDTLS_ERR_ASN1_INVALID_DATA;
99 }
100 if (*p < start || *p - start < (ptrdiff_t) len) {
101 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
102 }
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200103 *p -= len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100104 (*p)[len-1] = x;
105 if (bits % 8 == 0) {
106 (*p)[1] |= 1;
107 } else {
108 (*p)[0] |= 1 << (bits % 8);
109 }
110 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
111 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
112 MBEDTLS_ASN1_INTEGER));
113 return len;
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200114}
115
Gilles Peskine449bd832023-01-11 14:50:10 +0100116static int construct_fake_rsa_key(unsigned char *buffer,
117 size_t buffer_size,
118 unsigned char **p,
119 size_t bits,
120 int keypair)
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200121{
Gilles Peskine449bd832023-01-11 14:50:10 +0100122 size_t half_bits = (bits + 1) / 2;
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200123 int ret;
124 int len = 0;
125 /* Construct something that looks like a DER encoding of
126 * as defined by PKCS#1 v2.2 (RFC 8017) section A.1.2:
127 * RSAPrivateKey ::= SEQUENCE {
128 * version Version,
129 * modulus INTEGER, -- n
130 * publicExponent INTEGER, -- e
131 * privateExponent INTEGER, -- d
132 * prime1 INTEGER, -- p
133 * prime2 INTEGER, -- q
134 * exponent1 INTEGER, -- d mod (p-1)
135 * exponent2 INTEGER, -- d mod (q-1)
136 * coefficient INTEGER, -- (inverse of q) mod p
137 * otherPrimeInfos OtherPrimeInfos OPTIONAL
138 * }
139 * Or, for a public key, the same structure with only
140 * version, modulus and publicExponent.
141 */
142 *p = buffer + buffer_size;
Gilles Peskine449bd832023-01-11 14:50:10 +0100143 if (keypair) {
144 MBEDTLS_ASN1_CHK_ADD(len, /* pq */
145 asn1_write_10x(p, buffer, half_bits, 1));
146 MBEDTLS_ASN1_CHK_ADD(len, /* dq */
147 asn1_write_10x(p, buffer, half_bits, 1));
148 MBEDTLS_ASN1_CHK_ADD(len, /* dp */
149 asn1_write_10x(p, buffer, half_bits, 1));
150 MBEDTLS_ASN1_CHK_ADD(len, /* q */
151 asn1_write_10x(p, buffer, half_bits, 1));
152 MBEDTLS_ASN1_CHK_ADD(len, /* p != q to pass mbedtls sanity checks */
153 asn1_write_10x(p, buffer, half_bits, 3));
154 MBEDTLS_ASN1_CHK_ADD(len, /* d */
155 asn1_write_10x(p, buffer, bits, 1));
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200156 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100157 MBEDTLS_ASN1_CHK_ADD(len, /* e = 65537 */
158 asn1_write_10x(p, buffer, 17, 1));
159 MBEDTLS_ASN1_CHK_ADD(len, /* n */
160 asn1_write_10x(p, buffer, bits, 1));
161 if (keypair) {
162 MBEDTLS_ASN1_CHK_ADD(len, /* version = 0 */
163 mbedtls_asn1_write_int(p, buffer, 0));
164 }
165 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buffer, len));
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200166 {
167 const unsigned char tag =
168 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100169 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buffer, tag));
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200170 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100171 return len;
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200172}
Andrzej Kurek77b8e092022-01-17 15:29:38 +0100173#endif /* MBEDTLS_ASN1_WRITE_C */
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200174
Gilles Peskine449bd832023-01-11 14:50:10 +0100175int exercise_mac_setup(psa_key_type_t key_type,
176 const unsigned char *key_bytes,
177 size_t key_length,
178 psa_algorithm_t alg,
179 psa_mac_operation_t *operation,
180 psa_status_t *status)
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100181{
Ronald Cron5425a212020-08-04 14:58:35 +0200182 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +0200183 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100184
Gilles Peskine449bd832023-01-11 14:50:10 +0100185 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
186 psa_set_key_algorithm(&attributes, alg);
187 psa_set_key_type(&attributes, key_type);
188 PSA_ASSERT(psa_import_key(&attributes, key_bytes, key_length, &key));
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100189
Gilles Peskine449bd832023-01-11 14:50:10 +0100190 *status = psa_mac_sign_setup(operation, key, alg);
Gilles Peskine9e0a4a52019-02-25 22:11:18 +0100191 /* Whether setup succeeded or failed, abort must succeed. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100192 PSA_ASSERT(psa_mac_abort(operation));
Gilles Peskine9e0a4a52019-02-25 22:11:18 +0100193 /* If setup failed, reproduce the failure, so that the caller can
194 * test the resulting state of the operation object. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100195 if (*status != PSA_SUCCESS) {
196 TEST_EQUAL(psa_mac_sign_setup(operation, key, alg), *status);
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100197 }
198
Gilles Peskine449bd832023-01-11 14:50:10 +0100199 psa_destroy_key(key);
200 return 1;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100201
202exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100203 psa_destroy_key(key);
204 return 0;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100205}
206
Gilles Peskine449bd832023-01-11 14:50:10 +0100207int exercise_cipher_setup(psa_key_type_t key_type,
208 const unsigned char *key_bytes,
209 size_t key_length,
210 psa_algorithm_t alg,
211 psa_cipher_operation_t *operation,
212 psa_status_t *status)
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100213{
Ronald Cron5425a212020-08-04 14:58:35 +0200214 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +0200215 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100216
Gilles Peskine449bd832023-01-11 14:50:10 +0100217 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
218 psa_set_key_algorithm(&attributes, alg);
219 psa_set_key_type(&attributes, key_type);
220 PSA_ASSERT(psa_import_key(&attributes, key_bytes, key_length, &key));
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100221
Gilles Peskine449bd832023-01-11 14:50:10 +0100222 *status = psa_cipher_encrypt_setup(operation, key, alg);
Gilles Peskine9e0a4a52019-02-25 22:11:18 +0100223 /* Whether setup succeeded or failed, abort must succeed. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100224 PSA_ASSERT(psa_cipher_abort(operation));
Gilles Peskine9e0a4a52019-02-25 22:11:18 +0100225 /* If setup failed, reproduce the failure, so that the caller can
226 * test the resulting state of the operation object. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100227 if (*status != PSA_SUCCESS) {
228 TEST_EQUAL(psa_cipher_encrypt_setup(operation, key, alg),
229 *status);
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100230 }
231
Gilles Peskine449bd832023-01-11 14:50:10 +0100232 psa_destroy_key(key);
233 return 1;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100234
235exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100236 psa_destroy_key(key);
237 return 0;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100238}
239
Gilles Peskine449bd832023-01-11 14:50:10 +0100240static int test_operations_on_invalid_key(mbedtls_svc_key_id_t key)
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200241{
242 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100243 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, 0x6964);
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200244 uint8_t buffer[1];
245 size_t length;
246 int ok = 0;
247
Gilles Peskine449bd832023-01-11 14:50:10 +0100248 psa_set_key_id(&attributes, key_id);
249 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
250 psa_set_key_algorithm(&attributes, PSA_ALG_CTR);
251 psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
252 TEST_EQUAL(psa_get_key_attributes(key, &attributes),
253 PSA_ERROR_INVALID_HANDLE);
Ronald Cronecfb2372020-07-23 17:13:42 +0200254 TEST_EQUAL(
Gilles Peskine449bd832023-01-11 14:50:10 +0100255 MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(&attributes)), 0);
Ronald Cronecfb2372020-07-23 17:13:42 +0200256 TEST_EQUAL(
Gilles Peskine449bd832023-01-11 14:50:10 +0100257 MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(psa_get_key_id(&attributes)), 0);
258 TEST_EQUAL(psa_get_key_lifetime(&attributes), 0);
259 TEST_EQUAL(psa_get_key_usage_flags(&attributes), 0);
260 TEST_EQUAL(psa_get_key_algorithm(&attributes), 0);
261 TEST_EQUAL(psa_get_key_type(&attributes), 0);
262 TEST_EQUAL(psa_get_key_bits(&attributes), 0);
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200263
Gilles Peskine449bd832023-01-11 14:50:10 +0100264 TEST_EQUAL(psa_export_key(key, buffer, sizeof(buffer), &length),
265 PSA_ERROR_INVALID_HANDLE);
266 TEST_EQUAL(psa_export_public_key(key,
267 buffer, sizeof(buffer), &length),
268 PSA_ERROR_INVALID_HANDLE);
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200269
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200270 ok = 1;
271
272exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +0100273 /*
274 * Key attributes may have been returned by psa_get_key_attributes()
275 * thus reset them as required.
276 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100277 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +0100278
Gilles Peskine449bd832023-01-11 14:50:10 +0100279 return ok;
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200280}
281
Gilles Peskine5fe5e272019-08-02 20:30:01 +0200282/* Assert that a key isn't reported as having a slot number. */
283#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100284#define ASSERT_NO_SLOT_NUMBER(attributes) \
Gilles Peskine5fe5e272019-08-02 20:30:01 +0200285 do \
286 { \
287 psa_key_slot_number_t ASSERT_NO_SLOT_NUMBER_slot_number; \
Gilles Peskine449bd832023-01-11 14:50:10 +0100288 TEST_EQUAL(psa_get_key_slot_number( \
289 attributes, \
290 &ASSERT_NO_SLOT_NUMBER_slot_number), \
291 PSA_ERROR_INVALID_ARGUMENT); \
Gilles Peskine5fe5e272019-08-02 20:30:01 +0200292 } \
Gilles Peskine449bd832023-01-11 14:50:10 +0100293 while (0)
Gilles Peskine5fe5e272019-08-02 20:30:01 +0200294#else /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskine449bd832023-01-11 14:50:10 +0100295#define ASSERT_NO_SLOT_NUMBER(attributes) \
296 ((void) 0)
Gilles Peskine5fe5e272019-08-02 20:30:01 +0200297#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
298
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +0530299#define INPUT_INTEGER 0x10000 /* Out of range of psa_key_type_t */
300
Gilles Peskinebdf309c2018-12-03 15:36:32 +0100301/* An overapproximation of the amount of storage needed for a key of the
302 * given type and with the given content. The API doesn't make it easy
303 * to find a good value for the size. The current implementation doesn't
304 * care about the value anyway. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100305#define KEY_BITS_FROM_DATA(type, data) \
306 (data)->len
Gilles Peskinebdf309c2018-12-03 15:36:32 +0100307
Darryl Green0c6575a2018-11-07 16:05:30 +0000308typedef enum {
309 IMPORT_KEY = 0,
310 GENERATE_KEY = 1,
311 DERIVE_KEY = 2
312} generate_method;
313
Gilles Peskine449bd832023-01-11 14:50:10 +0100314typedef enum {
Paul Elliott33746aa2021-09-15 16:40:40 +0100315 DO_NOT_SET_LENGTHS = 0,
316 SET_LENGTHS_BEFORE_NONCE = 1,
317 SET_LENGTHS_AFTER_NONCE = 2
Paul Elliottbb979e72021-09-22 12:54:42 +0100318} set_lengths_method_t;
Paul Elliott33746aa2021-09-15 16:40:40 +0100319
Gilles Peskine449bd832023-01-11 14:50:10 +0100320typedef enum {
Paul Elliott1c67e0b2021-09-19 13:11:50 +0100321 USE_NULL_TAG = 0,
322 USE_GIVEN_TAG = 1,
Paul Elliottbb979e72021-09-22 12:54:42 +0100323} tag_usage_method_t;
Paul Elliott1c67e0b2021-09-19 13:11:50 +0100324
Kusumit Ghoderaoa14ae5a2023-04-19 14:16:26 +0530325
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100326/*!
327 * \brief Internal Function for AEAD multipart tests.
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100328 * \param key_type_arg Type of key passed in
329 * \param key_data The encryption / decryption key data
330 * \param alg_arg The type of algorithm used
331 * \param nonce Nonce data
332 * \param additional_data Additional data
Paul Elliott8eec8d42021-09-19 22:38:27 +0100333 * \param ad_part_len_arg If not -1, the length of chunks to
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100334 * feed additional data in to be encrypted /
335 * decrypted. If -1, no chunking.
336 * \param input_data Data to encrypt / decrypt
Paul Elliott8eec8d42021-09-19 22:38:27 +0100337 * \param data_part_len_arg If not -1, the length of chunks to feed
338 * the data in to be encrypted / decrypted. If
339 * -1, no chunking
Paul Elliottbb979e72021-09-22 12:54:42 +0100340 * \param set_lengths_method A member of the set_lengths_method_t enum is
Paul Elliott8eec8d42021-09-19 22:38:27 +0100341 * expected here, this controls whether or not
342 * to set lengths, and in what order with
343 * respect to set nonce.
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100344 * \param expected_output Expected output
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100345 * \param is_encrypt If non-zero this is an encryption operation.
Paul Elliott41ffae12021-07-22 21:52:01 +0100346 * \param do_zero_parts If non-zero, interleave zero length chunks
Paul Elliott8eec8d42021-09-19 22:38:27 +0100347 * with normal length chunks.
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100348 * \return int Zero on failure, non-zero on success.
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100349 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100350static int aead_multipart_internal_func(int key_type_arg, data_t *key_data,
351 int alg_arg,
352 data_t *nonce,
353 data_t *additional_data,
354 int ad_part_len_arg,
355 data_t *input_data,
356 int data_part_len_arg,
357 set_lengths_method_t set_lengths_method,
358 data_t *expected_output,
359 int is_encrypt,
360 int do_zero_parts)
Paul Elliottd3f82412021-06-16 16:52:21 +0100361{
362 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
363 psa_key_type_t key_type = key_type_arg;
364 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +0100365 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliottd3f82412021-06-16 16:52:21 +0100366 unsigned char *output_data = NULL;
367 unsigned char *part_data = NULL;
368 unsigned char *final_data = NULL;
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100369 size_t data_true_size = 0;
Paul Elliottd3f82412021-06-16 16:52:21 +0100370 size_t part_data_size = 0;
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100371 size_t output_size = 0;
372 size_t final_output_size = 0;
Paul Elliottd3f82412021-06-16 16:52:21 +0100373 size_t output_length = 0;
374 size_t key_bits = 0;
375 size_t tag_length = 0;
Paul Elliott6bfd0fb2021-09-15 14:15:55 +0100376 size_t part_offset = 0;
Paul Elliottd3f82412021-06-16 16:52:21 +0100377 size_t part_length = 0;
378 size_t output_part_length = 0;
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100379 size_t tag_size = 0;
Paul Elliott6bfd0fb2021-09-15 14:15:55 +0100380 size_t ad_part_len = 0;
381 size_t data_part_len = 0;
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100382 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE];
Paul Elliottd3f82412021-06-16 16:52:21 +0100383 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
384 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
385
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100386 int test_ok = 0;
Paul Elliott6bfd0fb2021-09-15 14:15:55 +0100387 size_t part_count = 0;
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100388
Gilles Peskine449bd832023-01-11 14:50:10 +0100389 PSA_ASSERT(psa_crypto_init());
Paul Elliottd3f82412021-06-16 16:52:21 +0100390
Gilles Peskine449bd832023-01-11 14:50:10 +0100391 if (is_encrypt) {
392 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
393 } else {
394 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100395 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100396
397 psa_set_key_algorithm(&attributes, alg);
398 psa_set_key_type(&attributes, key_type);
399
400 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
401 &key));
402
403 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
404 key_bits = psa_get_key_bits(&attributes);
405
406 tag_length = PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg);
407
408 if (is_encrypt) {
409 /* Tag gets written at end of buffer. */
410 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg,
411 (input_data->len +
412 tag_length));
413 data_true_size = input_data->len;
414 } else {
415 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg,
416 (input_data->len -
417 tag_length));
Paul Elliottd3f82412021-06-16 16:52:21 +0100418
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100419 /* Do not want to attempt to decrypt tag. */
420 data_true_size = input_data->len - tag_length;
421 }
Paul Elliottd3f82412021-06-16 16:52:21 +0100422
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100423 TEST_CALLOC(output_data, output_size);
Paul Elliottd3f82412021-06-16 16:52:21 +0100424
Gilles Peskine449bd832023-01-11 14:50:10 +0100425 if (is_encrypt) {
426 final_output_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg);
427 TEST_LE_U(final_output_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE);
428 } else {
429 final_output_size = PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg);
430 TEST_LE_U(final_output_size, PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE);
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100431 }
Paul Elliottd3f82412021-06-16 16:52:21 +0100432
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100433 TEST_CALLOC(final_data, final_output_size);
Paul Elliottd3f82412021-06-16 16:52:21 +0100434
Gilles Peskine449bd832023-01-11 14:50:10 +0100435 if (is_encrypt) {
436 status = psa_aead_encrypt_setup(&operation, key, alg);
437 } else {
438 status = psa_aead_decrypt_setup(&operation, key, alg);
439 }
Paul Elliottd3f82412021-06-16 16:52:21 +0100440
441 /* If the operation is not supported, just skip and not fail in case the
442 * encryption involves a common limitation of cryptography hardwares and
443 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100444 if (status == PSA_ERROR_NOT_SUPPORTED) {
445 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
446 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Paul Elliottd3f82412021-06-16 16:52:21 +0100447 }
448
Gilles Peskine449bd832023-01-11 14:50:10 +0100449 PSA_ASSERT(status);
Paul Elliottd3f82412021-06-16 16:52:21 +0100450
Gilles Peskine449bd832023-01-11 14:50:10 +0100451 if (set_lengths_method == DO_NOT_SET_LENGTHS) {
452 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
453 } else if (set_lengths_method == SET_LENGTHS_BEFORE_NONCE) {
454 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
455 data_true_size));
456 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
457 } else if (set_lengths_method == SET_LENGTHS_AFTER_NONCE) {
458 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottebf91632021-07-22 17:54:42 +0100459
Gilles Peskine449bd832023-01-11 14:50:10 +0100460 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
461 data_true_size));
Paul Elliottd3f82412021-06-16 16:52:21 +0100462 }
Paul Elliottd3f82412021-06-16 16:52:21 +0100463
Gilles Peskine449bd832023-01-11 14:50:10 +0100464 if (ad_part_len_arg != -1) {
Paul Elliottd3f82412021-06-16 16:52:21 +0100465 /* Pass additional data in parts */
Paul Elliott6bfd0fb2021-09-15 14:15:55 +0100466 ad_part_len = (size_t) ad_part_len_arg;
Paul Elliottd3f82412021-06-16 16:52:21 +0100467
Gilles Peskine449bd832023-01-11 14:50:10 +0100468 for (part_offset = 0, part_count = 0;
Paul Elliott4e4d71a2021-09-15 16:50:01 +0100469 part_offset < additional_data->len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100470 part_offset += part_length, part_count++) {
471 if (do_zero_parts && (part_count & 0x01)) {
Paul Elliott329d5382021-07-22 17:10:45 +0100472 part_length = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100473 } else if (additional_data->len - part_offset < ad_part_len) {
Paul Elliotte49fe452021-09-15 16:52:11 +0100474 part_length = additional_data->len - part_offset;
Gilles Peskine449bd832023-01-11 14:50:10 +0100475 } else {
Paul Elliotte49fe452021-09-15 16:52:11 +0100476 part_length = ad_part_len;
Paul Elliottd3f82412021-06-16 16:52:21 +0100477 }
478
Gilles Peskine449bd832023-01-11 14:50:10 +0100479 PSA_ASSERT(psa_aead_update_ad(&operation,
480 additional_data->x + part_offset,
481 part_length));
Paul Elliottd3f82412021-06-16 16:52:21 +0100482
Paul Elliottd3f82412021-06-16 16:52:21 +0100483 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100484 } else {
Paul Elliottd3f82412021-06-16 16:52:21 +0100485 /* Pass additional data in one go. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100486 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
487 additional_data->len));
Paul Elliottd3f82412021-06-16 16:52:21 +0100488 }
489
Gilles Peskine449bd832023-01-11 14:50:10 +0100490 if (data_part_len_arg != -1) {
Paul Elliottd3f82412021-06-16 16:52:21 +0100491 /* Pass data in parts */
Gilles Peskine449bd832023-01-11 14:50:10 +0100492 data_part_len = (size_t) data_part_len_arg;
493 part_data_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg,
494 (size_t) data_part_len);
Paul Elliottd3f82412021-06-16 16:52:21 +0100495
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100496 TEST_CALLOC(part_data, part_data_size);
Paul Elliottd3f82412021-06-16 16:52:21 +0100497
Gilles Peskine449bd832023-01-11 14:50:10 +0100498 for (part_offset = 0, part_count = 0;
Paul Elliott4e4d71a2021-09-15 16:50:01 +0100499 part_offset < data_true_size;
Gilles Peskine449bd832023-01-11 14:50:10 +0100500 part_offset += part_length, part_count++) {
501 if (do_zero_parts && (part_count & 0x01)) {
Paul Elliott329d5382021-07-22 17:10:45 +0100502 part_length = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100503 } else if ((data_true_size - part_offset) < data_part_len) {
504 part_length = (data_true_size - part_offset);
505 } else {
Paul Elliotte49fe452021-09-15 16:52:11 +0100506 part_length = data_part_len;
Paul Elliottd3f82412021-06-16 16:52:21 +0100507 }
508
Gilles Peskine449bd832023-01-11 14:50:10 +0100509 PSA_ASSERT(psa_aead_update(&operation,
510 (input_data->x + part_offset),
511 part_length, part_data,
512 part_data_size,
513 &output_part_length));
Paul Elliottd3f82412021-06-16 16:52:21 +0100514
Gilles Peskine449bd832023-01-11 14:50:10 +0100515 if (output_data && output_part_length) {
516 memcpy((output_data + output_length), part_data,
517 output_part_length);
Paul Elliottd3f82412021-06-16 16:52:21 +0100518 }
519
Paul Elliottd3f82412021-06-16 16:52:21 +0100520 output_length += output_part_length;
521 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100522 } else {
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100523 /* Pass all data in one go. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100524 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
525 data_true_size, output_data,
526 output_size, &output_length));
Paul Elliottd3f82412021-06-16 16:52:21 +0100527 }
528
Gilles Peskine449bd832023-01-11 14:50:10 +0100529 if (is_encrypt) {
530 PSA_ASSERT(psa_aead_finish(&operation, final_data,
531 final_output_size,
532 &output_part_length,
533 tag_buffer, tag_length,
534 &tag_size));
535 } else {
536 PSA_ASSERT(psa_aead_verify(&operation, final_data,
537 final_output_size,
538 &output_part_length,
539 (input_data->x + data_true_size),
540 tag_length));
Paul Elliottd3f82412021-06-16 16:52:21 +0100541 }
542
Gilles Peskine449bd832023-01-11 14:50:10 +0100543 if (output_data && output_part_length) {
544 memcpy((output_data + output_length), final_data,
545 output_part_length);
546 }
Paul Elliottd3f82412021-06-16 16:52:21 +0100547
548 output_length += output_part_length;
549
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100550
551 /* For all currently defined algorithms, PSA_AEAD_xxx_OUTPUT_SIZE
552 * should be exact.*/
Gilles Peskine449bd832023-01-11 14:50:10 +0100553 if (is_encrypt) {
554 TEST_EQUAL(tag_length, tag_size);
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100555
Gilles Peskine449bd832023-01-11 14:50:10 +0100556 if (output_data && tag_length) {
557 memcpy((output_data + output_length), tag_buffer,
558 tag_length);
559 }
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100560
561 output_length += tag_length;
562
Gilles Peskine449bd832023-01-11 14:50:10 +0100563 TEST_EQUAL(output_length,
564 PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg,
565 input_data->len));
566 TEST_LE_U(output_length,
567 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(input_data->len));
568 } else {
569 TEST_EQUAL(output_length,
570 PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg,
571 input_data->len));
572 TEST_LE_U(output_length,
573 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(input_data->len));
Paul Elliottd3f82412021-06-16 16:52:21 +0100574 }
575
Paul Elliottd3f82412021-06-16 16:52:21 +0100576
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +0100577 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +0100578 output_data, output_length);
Paul Elliottd3f82412021-06-16 16:52:21 +0100579
Paul Elliottd3f82412021-06-16 16:52:21 +0100580
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100581 test_ok = 1;
Paul Elliottd3f82412021-06-16 16:52:21 +0100582
583exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100584 psa_destroy_key(key);
585 psa_aead_abort(&operation);
586 mbedtls_free(output_data);
587 mbedtls_free(part_data);
588 mbedtls_free(final_data);
589 PSA_DONE();
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100590
Gilles Peskine449bd832023-01-11 14:50:10 +0100591 return test_ok;
Paul Elliottd3f82412021-06-16 16:52:21 +0100592}
593
Neil Armstrong4766f992022-02-28 16:23:59 +0100594/*!
595 * \brief Internal Function for MAC multipart tests.
596 * \param key_type_arg Type of key passed in
597 * \param key_data The encryption / decryption key data
598 * \param alg_arg The type of algorithm used
599 * \param input_data Data to encrypt / decrypt
600 * \param data_part_len_arg If not -1, the length of chunks to feed
601 * the data in to be encrypted / decrypted. If
602 * -1, no chunking
603 * \param expected_output Expected output
Tom Cosgrove1797b052022-12-04 17:19:59 +0000604 * \param is_verify If non-zero this is a verify operation.
Neil Armstrong4766f992022-02-28 16:23:59 +0100605 * \param do_zero_parts If non-zero, interleave zero length chunks
606 * with normal length chunks.
607 * \return int Zero on failure, non-zero on success.
608 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100609static int mac_multipart_internal_func(int key_type_arg, data_t *key_data,
610 int alg_arg,
611 data_t *input_data,
612 int data_part_len_arg,
613 data_t *expected_output,
614 int is_verify,
615 int do_zero_parts)
Neil Armstrong4766f992022-02-28 16:23:59 +0100616{
617 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
618 psa_key_type_t key_type = key_type_arg;
619 psa_algorithm_t alg = alg_arg;
620 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
621 unsigned char mac[PSA_MAC_MAX_SIZE];
622 size_t part_offset = 0;
623 size_t part_length = 0;
624 size_t data_part_len = 0;
625 size_t mac_len = 0;
626 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
627 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
628
629 int test_ok = 0;
630 size_t part_count = 0;
631
Gilles Peskine449bd832023-01-11 14:50:10 +0100632 PSA_INIT();
Neil Armstrong4766f992022-02-28 16:23:59 +0100633
Gilles Peskine449bd832023-01-11 14:50:10 +0100634 if (is_verify) {
635 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
636 } else {
637 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
638 }
Neil Armstrong4766f992022-02-28 16:23:59 +0100639
Gilles Peskine449bd832023-01-11 14:50:10 +0100640 psa_set_key_algorithm(&attributes, alg);
641 psa_set_key_type(&attributes, key_type);
Neil Armstrong4766f992022-02-28 16:23:59 +0100642
Gilles Peskine449bd832023-01-11 14:50:10 +0100643 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
644 &key));
Neil Armstrong4766f992022-02-28 16:23:59 +0100645
Gilles Peskine449bd832023-01-11 14:50:10 +0100646 if (is_verify) {
647 status = psa_mac_verify_setup(&operation, key, alg);
648 } else {
649 status = psa_mac_sign_setup(&operation, key, alg);
650 }
Neil Armstrong4766f992022-02-28 16:23:59 +0100651
Gilles Peskine449bd832023-01-11 14:50:10 +0100652 PSA_ASSERT(status);
Neil Armstrong4766f992022-02-28 16:23:59 +0100653
Gilles Peskine449bd832023-01-11 14:50:10 +0100654 if (data_part_len_arg != -1) {
Neil Armstrong4766f992022-02-28 16:23:59 +0100655 /* Pass data in parts */
Gilles Peskine449bd832023-01-11 14:50:10 +0100656 data_part_len = (size_t) data_part_len_arg;
Neil Armstrong4766f992022-02-28 16:23:59 +0100657
Gilles Peskine449bd832023-01-11 14:50:10 +0100658 for (part_offset = 0, part_count = 0;
Neil Armstrong4766f992022-02-28 16:23:59 +0100659 part_offset < input_data->len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100660 part_offset += part_length, part_count++) {
661 if (do_zero_parts && (part_count & 0x01)) {
Neil Armstrong4766f992022-02-28 16:23:59 +0100662 part_length = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100663 } else if ((input_data->len - part_offset) < data_part_len) {
664 part_length = (input_data->len - part_offset);
665 } else {
Neil Armstrong4766f992022-02-28 16:23:59 +0100666 part_length = data_part_len;
667 }
668
Gilles Peskine449bd832023-01-11 14:50:10 +0100669 PSA_ASSERT(psa_mac_update(&operation,
670 (input_data->x + part_offset),
671 part_length));
Neil Armstrong4766f992022-02-28 16:23:59 +0100672 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100673 } else {
Neil Armstrong4766f992022-02-28 16:23:59 +0100674 /* Pass all data in one go. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100675 PSA_ASSERT(psa_mac_update(&operation, input_data->x,
676 input_data->len));
Neil Armstrong4766f992022-02-28 16:23:59 +0100677 }
678
Gilles Peskine449bd832023-01-11 14:50:10 +0100679 if (is_verify) {
680 PSA_ASSERT(psa_mac_verify_finish(&operation, expected_output->x,
681 expected_output->len));
682 } else {
683 PSA_ASSERT(psa_mac_sign_finish(&operation, mac,
684 PSA_MAC_MAX_SIZE, &mac_len));
Neil Armstrong4766f992022-02-28 16:23:59 +0100685
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +0100686 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +0100687 mac, mac_len);
Neil Armstrong4766f992022-02-28 16:23:59 +0100688 }
689
690 test_ok = 1;
691
692exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100693 psa_destroy_key(key);
694 psa_mac_abort(&operation);
695 PSA_DONE();
Neil Armstrong4766f992022-02-28 16:23:59 +0100696
Gilles Peskine449bd832023-01-11 14:50:10 +0100697 return test_ok;
Neil Armstrong4766f992022-02-28 16:23:59 +0100698}
699
Neil Armstrong75673ab2022-06-15 17:39:01 +0200700#if defined(PSA_WANT_ALG_JPAKE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100701static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
702 psa_pake_operation_t *server,
703 psa_pake_operation_t *client,
704 int client_input_first,
705 int round, int inject_error)
Neil Armstrongf983caf2022-06-15 15:27:48 +0200706{
707 unsigned char *buffer0 = NULL, *buffer1 = NULL;
708 size_t buffer_length = (
709 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE) +
710 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC) +
711 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF)) * 2;
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +0200712 /* The output should be exactly this size according to the spec */
713 const size_t expected_size_key_share =
714 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE);
715 /* The output should be exactly this size according to the spec */
716 const size_t expected_size_zk_public =
717 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC);
718 /* The output can be smaller: the spec allows stripping leading zeroes */
719 const size_t max_expected_size_zk_proof =
720 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200721 size_t buffer0_off = 0;
722 size_t buffer1_off = 0;
723 size_t s_g1_len, s_g2_len, s_a_len;
724 size_t s_g1_off, s_g2_off, s_a_off;
725 size_t s_x1_pk_len, s_x2_pk_len, s_x2s_pk_len;
726 size_t s_x1_pk_off, s_x2_pk_off, s_x2s_pk_off;
727 size_t s_x1_pr_len, s_x2_pr_len, s_x2s_pr_len;
728 size_t s_x1_pr_off, s_x2_pr_off, s_x2s_pr_off;
729 size_t c_g1_len, c_g2_len, c_a_len;
730 size_t c_g1_off, c_g2_off, c_a_off;
731 size_t c_x1_pk_len, c_x2_pk_len, c_x2s_pk_len;
732 size_t c_x1_pk_off, c_x2_pk_off, c_x2s_pk_off;
733 size_t c_x1_pr_len, c_x2_pr_len, c_x2s_pr_len;
734 size_t c_x1_pr_off, c_x2_pr_off, c_x2s_pr_off;
735 psa_status_t expected_status = PSA_SUCCESS;
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200736 psa_status_t status;
Neil Armstrongf983caf2022-06-15 15:27:48 +0200737
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100738 TEST_CALLOC(buffer0, buffer_length);
739 TEST_CALLOC(buffer1, buffer_length);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200740
Gilles Peskine449bd832023-01-11 14:50:10 +0100741 switch (round) {
Neil Armstrongf983caf2022-06-15 15:27:48 +0200742 case 1:
743 /* Server first round Output */
Gilles Peskine449bd832023-01-11 14:50:10 +0100744 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
745 buffer0 + buffer0_off,
746 512 - buffer0_off, &s_g1_len));
747 TEST_EQUAL(s_g1_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200748 s_g1_off = buffer0_off;
749 buffer0_off += s_g1_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100750 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
751 buffer0 + buffer0_off,
752 512 - buffer0_off, &s_x1_pk_len));
753 TEST_EQUAL(s_x1_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200754 s_x1_pk_off = buffer0_off;
755 buffer0_off += s_x1_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100756 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
757 buffer0 + buffer0_off,
758 512 - buffer0_off, &s_x1_pr_len));
759 TEST_LE_U(s_x1_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200760 s_x1_pr_off = buffer0_off;
761 buffer0_off += s_x1_pr_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100762 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
763 buffer0 + buffer0_off,
764 512 - buffer0_off, &s_g2_len));
765 TEST_EQUAL(s_g2_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200766 s_g2_off = buffer0_off;
767 buffer0_off += s_g2_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100768 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
769 buffer0 + buffer0_off,
770 512 - buffer0_off, &s_x2_pk_len));
771 TEST_EQUAL(s_x2_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200772 s_x2_pk_off = buffer0_off;
773 buffer0_off += s_x2_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100774 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
775 buffer0 + buffer0_off,
776 512 - buffer0_off, &s_x2_pr_len));
777 TEST_LE_U(s_x2_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200778 s_x2_pr_off = buffer0_off;
779 buffer0_off += s_x2_pr_len;
780
Gilles Peskine449bd832023-01-11 14:50:10 +0100781 if (inject_error == 1) {
Andrzej Kurekc0182042022-11-08 08:12:56 -0500782 buffer0[s_x1_pr_off + 8] ^= 1;
783 buffer0[s_x2_pr_off + 7] ^= 1;
Neil Armstrongf983caf2022-06-15 15:27:48 +0200784 expected_status = PSA_ERROR_DATA_INVALID;
785 }
786
Neil Armstrong51009d72022-09-05 17:59:54 +0200787 /*
788 * When injecting errors in inputs, the implementation is
789 * free to detect it right away of with a delay.
790 * This permits delaying the error until the end of the input
791 * sequence, if no error appears then, this will be treated
792 * as an error.
793 */
794
Gilles Peskine449bd832023-01-11 14:50:10 +0100795 if (client_input_first == 1) {
Neil Armstrongf983caf2022-06-15 15:27:48 +0200796 /* Client first round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +0100797 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
798 buffer0 + s_g1_off, s_g1_len);
799 if (inject_error == 1 && status != PSA_SUCCESS) {
800 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200801 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100802 } else {
803 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200804 }
805
Gilles Peskine449bd832023-01-11 14:50:10 +0100806 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
807 buffer0 + s_x1_pk_off,
808 s_x1_pk_len);
809 if (inject_error == 1 && status != PSA_SUCCESS) {
810 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200811 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100812 } else {
813 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200814 }
815
Gilles Peskine449bd832023-01-11 14:50:10 +0100816 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
817 buffer0 + s_x1_pr_off,
818 s_x1_pr_len);
819 if (inject_error == 1 && status != PSA_SUCCESS) {
820 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200821 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100822 } else {
823 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200824 }
825
Gilles Peskine449bd832023-01-11 14:50:10 +0100826 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
827 buffer0 + s_g2_off,
828 s_g2_len);
829 if (inject_error == 1 && status != PSA_SUCCESS) {
830 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200831 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100832 } else {
833 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200834 }
835
Gilles Peskine449bd832023-01-11 14:50:10 +0100836 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
837 buffer0 + s_x2_pk_off,
838 s_x2_pk_len);
839 if (inject_error == 1 && status != PSA_SUCCESS) {
840 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200841 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100842 } else {
843 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200844 }
845
Gilles Peskine449bd832023-01-11 14:50:10 +0100846 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
847 buffer0 + s_x2_pr_off,
848 s_x2_pr_len);
849 if (inject_error == 1 && status != PSA_SUCCESS) {
850 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200851 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100852 } else {
853 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200854 }
855
Neil Armstrong78c4e8e2022-09-05 18:08:13 +0200856 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +0100857 if (inject_error == 1) {
858 TEST_ASSERT(
859 !"One of the last psa_pake_input() calls should have returned the expected error.");
860 }
Neil Armstrongf983caf2022-06-15 15:27:48 +0200861 }
862
863 /* Client first round Output */
Gilles Peskine449bd832023-01-11 14:50:10 +0100864 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
865 buffer1 + buffer1_off,
866 512 - buffer1_off, &c_g1_len));
867 TEST_EQUAL(c_g1_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200868 c_g1_off = buffer1_off;
869 buffer1_off += c_g1_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100870 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
871 buffer1 + buffer1_off,
872 512 - buffer1_off, &c_x1_pk_len));
873 TEST_EQUAL(c_x1_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200874 c_x1_pk_off = buffer1_off;
875 buffer1_off += c_x1_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100876 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
877 buffer1 + buffer1_off,
878 512 - buffer1_off, &c_x1_pr_len));
879 TEST_LE_U(c_x1_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200880 c_x1_pr_off = buffer1_off;
881 buffer1_off += c_x1_pr_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100882 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
883 buffer1 + buffer1_off,
884 512 - buffer1_off, &c_g2_len));
885 TEST_EQUAL(c_g2_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200886 c_g2_off = buffer1_off;
887 buffer1_off += c_g2_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100888 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
889 buffer1 + buffer1_off,
890 512 - buffer1_off, &c_x2_pk_len));
891 TEST_EQUAL(c_x2_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200892 c_x2_pk_off = buffer1_off;
893 buffer1_off += c_x2_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100894 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
895 buffer1 + buffer1_off,
896 512 - buffer1_off, &c_x2_pr_len));
897 TEST_LE_U(c_x2_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200898 c_x2_pr_off = buffer1_off;
899 buffer1_off += c_x2_pr_len;
900
Gilles Peskine449bd832023-01-11 14:50:10 +0100901 if (client_input_first == 0) {
Neil Armstrongf983caf2022-06-15 15:27:48 +0200902 /* Client first round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +0100903 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
904 buffer0 + s_g1_off, s_g1_len);
905 if (inject_error == 1 && status != PSA_SUCCESS) {
906 TEST_EQUAL(status, expected_status);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200907 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100908 } else {
909 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200910 }
911
Gilles Peskine449bd832023-01-11 14:50:10 +0100912 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
913 buffer0 + s_x1_pk_off,
914 s_x1_pk_len);
915 if (inject_error == 1 && status != PSA_SUCCESS) {
916 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200917 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100918 } else {
919 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200920 }
921
Gilles Peskine449bd832023-01-11 14:50:10 +0100922 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
923 buffer0 + s_x1_pr_off,
924 s_x1_pr_len);
925 if (inject_error == 1 && status != PSA_SUCCESS) {
926 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200927 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100928 } else {
929 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200930 }
931
Gilles Peskine449bd832023-01-11 14:50:10 +0100932 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
933 buffer0 + s_g2_off,
934 s_g2_len);
935 if (inject_error == 1 && status != PSA_SUCCESS) {
936 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200937 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100938 } else {
939 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200940 }
941
Gilles Peskine449bd832023-01-11 14:50:10 +0100942 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
943 buffer0 + s_x2_pk_off,
944 s_x2_pk_len);
945 if (inject_error == 1 && status != PSA_SUCCESS) {
946 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200947 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100948 } else {
949 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200950 }
951
Gilles Peskine449bd832023-01-11 14:50:10 +0100952 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
953 buffer0 + s_x2_pr_off,
954 s_x2_pr_len);
955 if (inject_error == 1 && status != PSA_SUCCESS) {
956 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200957 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100958 } else {
959 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200960 }
961
Neil Armstrong78c4e8e2022-09-05 18:08:13 +0200962 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +0100963 if (inject_error == 1) {
964 TEST_ASSERT(
965 !"One of the last psa_pake_input() calls should have returned the expected error.");
966 }
Neil Armstrongf983caf2022-06-15 15:27:48 +0200967 }
968
Gilles Peskine449bd832023-01-11 14:50:10 +0100969 if (inject_error == 2) {
Andrzej Kurekc0182042022-11-08 08:12:56 -0500970 buffer1[c_x1_pr_off + 12] ^= 1;
971 buffer1[c_x2_pr_off + 7] ^= 1;
Neil Armstrongf983caf2022-06-15 15:27:48 +0200972 expected_status = PSA_ERROR_DATA_INVALID;
973 }
974
975 /* Server first round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +0100976 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE,
977 buffer1 + c_g1_off, c_g1_len);
978 if (inject_error == 2 && status != PSA_SUCCESS) {
979 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200980 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100981 } else {
982 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200983 }
984
Gilles Peskine449bd832023-01-11 14:50:10 +0100985 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC,
986 buffer1 + c_x1_pk_off, c_x1_pk_len);
987 if (inject_error == 2 && status != PSA_SUCCESS) {
988 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200989 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100990 } else {
991 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200992 }
993
Gilles Peskine449bd832023-01-11 14:50:10 +0100994 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF,
995 buffer1 + c_x1_pr_off, c_x1_pr_len);
996 if (inject_error == 2 && status != PSA_SUCCESS) {
997 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200998 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100999 } else {
1000 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001001 }
1002
Gilles Peskine449bd832023-01-11 14:50:10 +01001003 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE,
1004 buffer1 + c_g2_off, c_g2_len);
1005 if (inject_error == 2 && status != PSA_SUCCESS) {
1006 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001007 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001008 } else {
1009 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001010 }
1011
Gilles Peskine449bd832023-01-11 14:50:10 +01001012 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC,
1013 buffer1 + c_x2_pk_off, c_x2_pk_len);
1014 if (inject_error == 2 && status != PSA_SUCCESS) {
1015 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001016 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001017 } else {
1018 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001019 }
1020
Gilles Peskine449bd832023-01-11 14:50:10 +01001021 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF,
1022 buffer1 + c_x2_pr_off, c_x2_pr_len);
1023 if (inject_error == 2 && status != PSA_SUCCESS) {
1024 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001025 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001026 } else {
1027 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001028 }
1029
Neil Armstrong78c4e8e2022-09-05 18:08:13 +02001030 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +01001031 if (inject_error == 2) {
1032 TEST_ASSERT(
1033 !"One of the last psa_pake_input() calls should have returned the expected error.");
1034 }
Neil Armstrongf983caf2022-06-15 15:27:48 +02001035
1036 break;
1037
1038 case 2:
1039 /* Server second round Output */
1040 buffer0_off = 0;
1041
Gilles Peskine449bd832023-01-11 14:50:10 +01001042 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
1043 buffer0 + buffer0_off,
1044 512 - buffer0_off, &s_a_len));
1045 TEST_EQUAL(s_a_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001046 s_a_off = buffer0_off;
1047 buffer0_off += s_a_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001048 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
1049 buffer0 + buffer0_off,
1050 512 - buffer0_off, &s_x2s_pk_len));
1051 TEST_EQUAL(s_x2s_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001052 s_x2s_pk_off = buffer0_off;
1053 buffer0_off += s_x2s_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001054 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
1055 buffer0 + buffer0_off,
1056 512 - buffer0_off, &s_x2s_pr_len));
1057 TEST_LE_U(s_x2s_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001058 s_x2s_pr_off = buffer0_off;
1059 buffer0_off += s_x2s_pr_len;
1060
Gilles Peskine449bd832023-01-11 14:50:10 +01001061 if (inject_error == 3) {
Neil Armstrongeae1dfc2022-06-21 13:37:06 +02001062 buffer0[s_x2s_pk_off + 12] += 0x33;
Neil Armstrongf983caf2022-06-15 15:27:48 +02001063 expected_status = PSA_ERROR_DATA_INVALID;
1064 }
1065
Gilles Peskine449bd832023-01-11 14:50:10 +01001066 if (client_input_first == 1) {
Neil Armstrongf983caf2022-06-15 15:27:48 +02001067 /* Client second round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +01001068 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
1069 buffer0 + s_a_off, s_a_len);
1070 if (inject_error == 3 && status != PSA_SUCCESS) {
1071 TEST_EQUAL(status, expected_status);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001072 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001073 } else {
1074 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001075 }
1076
Gilles Peskine449bd832023-01-11 14:50:10 +01001077 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
1078 buffer0 + s_x2s_pk_off,
1079 s_x2s_pk_len);
1080 if (inject_error == 3 && status != PSA_SUCCESS) {
1081 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001082 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001083 } else {
1084 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001085 }
1086
Gilles Peskine449bd832023-01-11 14:50:10 +01001087 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
1088 buffer0 + s_x2s_pr_off,
1089 s_x2s_pr_len);
1090 if (inject_error == 3 && status != PSA_SUCCESS) {
1091 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001092 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001093 } else {
1094 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001095 }
1096
Neil Armstrong78c4e8e2022-09-05 18:08:13 +02001097 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +01001098 if (inject_error == 3) {
1099 TEST_ASSERT(
1100 !"One of the last psa_pake_input() calls should have returned the expected error.");
1101 }
Neil Armstrongf983caf2022-06-15 15:27:48 +02001102 }
1103
1104 /* Client second round Output */
1105 buffer1_off = 0;
1106
Gilles Peskine449bd832023-01-11 14:50:10 +01001107 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
1108 buffer1 + buffer1_off,
1109 512 - buffer1_off, &c_a_len));
1110 TEST_EQUAL(c_a_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001111 c_a_off = buffer1_off;
1112 buffer1_off += c_a_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001113 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
1114 buffer1 + buffer1_off,
1115 512 - buffer1_off, &c_x2s_pk_len));
1116 TEST_EQUAL(c_x2s_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001117 c_x2s_pk_off = buffer1_off;
1118 buffer1_off += c_x2s_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001119 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
1120 buffer1 + buffer1_off,
1121 512 - buffer1_off, &c_x2s_pr_len));
1122 TEST_LE_U(c_x2s_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001123 c_x2s_pr_off = buffer1_off;
1124 buffer1_off += c_x2s_pr_len;
1125
Gilles Peskine449bd832023-01-11 14:50:10 +01001126 if (client_input_first == 0) {
Neil Armstrongf983caf2022-06-15 15:27:48 +02001127 /* Client second round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +01001128 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
1129 buffer0 + s_a_off, s_a_len);
1130 if (inject_error == 3 && status != PSA_SUCCESS) {
1131 TEST_EQUAL(status, expected_status);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001132 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001133 } else {
1134 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001135 }
1136
Gilles Peskine449bd832023-01-11 14:50:10 +01001137 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
1138 buffer0 + s_x2s_pk_off,
1139 s_x2s_pk_len);
1140 if (inject_error == 3 && status != PSA_SUCCESS) {
1141 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001142 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001143 } else {
1144 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001145 }
1146
Gilles Peskine449bd832023-01-11 14:50:10 +01001147 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
1148 buffer0 + s_x2s_pr_off,
1149 s_x2s_pr_len);
1150 if (inject_error == 3 && status != PSA_SUCCESS) {
1151 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001152 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001153 } else {
1154 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001155 }
1156
Neil Armstrong78c4e8e2022-09-05 18:08:13 +02001157 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +01001158 if (inject_error == 3) {
1159 TEST_ASSERT(
1160 !"One of the last psa_pake_input() calls should have returned the expected error.");
1161 }
Neil Armstrongf983caf2022-06-15 15:27:48 +02001162 }
1163
Gilles Peskine449bd832023-01-11 14:50:10 +01001164 if (inject_error == 4) {
Neil Armstrongeae1dfc2022-06-21 13:37:06 +02001165 buffer1[c_x2s_pk_off + 7] += 0x28;
Neil Armstrongf983caf2022-06-15 15:27:48 +02001166 expected_status = PSA_ERROR_DATA_INVALID;
1167 }
1168
1169 /* Server second round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +01001170 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE,
1171 buffer1 + c_a_off, c_a_len);
1172 if (inject_error == 4 && status != PSA_SUCCESS) {
1173 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001174 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001175 } else {
1176 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001177 }
1178
Gilles Peskine449bd832023-01-11 14:50:10 +01001179 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC,
1180 buffer1 + c_x2s_pk_off, c_x2s_pk_len);
1181 if (inject_error == 4 && status != PSA_SUCCESS) {
1182 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001183 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001184 } else {
1185 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001186 }
1187
Gilles Peskine449bd832023-01-11 14:50:10 +01001188 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF,
1189 buffer1 + c_x2s_pr_off, c_x2s_pr_len);
1190 if (inject_error == 4 && status != PSA_SUCCESS) {
1191 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001192 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001193 } else {
1194 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001195 }
1196
Neil Armstrong78c4e8e2022-09-05 18:08:13 +02001197 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +01001198 if (inject_error == 4) {
1199 TEST_ASSERT(
1200 !"One of the last psa_pake_input() calls should have returned the expected error.");
1201 }
Neil Armstrongf983caf2022-06-15 15:27:48 +02001202
1203 break;
1204
1205 }
1206
Neil Armstrongf983caf2022-06-15 15:27:48 +02001207exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01001208 mbedtls_free(buffer0);
1209 mbedtls_free(buffer1);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001210}
Neil Armstrong75673ab2022-06-15 17:39:01 +02001211#endif /* PSA_WANT_ALG_JPAKE */
Neil Armstrongf983caf2022-06-15 15:27:48 +02001212
Gilles Peskine449bd832023-01-11 14:50:10 +01001213typedef enum {
Valerio Setti1070aed2022-11-11 19:37:31 +01001214 INJECT_ERR_NONE = 0,
1215 INJECT_ERR_UNINITIALIZED_ACCESS,
1216 INJECT_ERR_DUPLICATE_SETUP,
1217 INJECT_ERR_INVALID_USER,
1218 INJECT_ERR_INVALID_PEER,
1219 INJECT_ERR_SET_USER,
1220 INJECT_ERR_SET_PEER,
1221 INJECT_EMPTY_IO_BUFFER,
1222 INJECT_UNKNOWN_STEP,
1223 INJECT_INVALID_FIRST_STEP,
1224 INJECT_WRONG_BUFFER_SIZE,
1225 INJECT_VALID_OPERATION_AFTER_FAILURE,
1226 INJECT_ANTICIPATE_KEY_DERIVATION_1,
1227 INJECT_ANTICIPATE_KEY_DERIVATION_2,
1228} ecjpake_injected_failure_t;
1229
Paul Elliott01885fa2023-02-09 12:07:30 +00001230#if defined(MBEDTLS_ECP_RESTARTABLE)
Paul Elliott1243f932023-02-07 11:21:10 +00001231
Paul Elliott6f600372023-02-06 18:41:05 +00001232static void interruptible_signverify_get_minmax_completes(uint32_t max_ops,
1233 psa_status_t expected_status,
1234 size_t *min_completes,
1235 size_t *max_completes)
1236{
1237
1238 /* This is slightly contrived, but we only really know that with a minimum
1239 value of max_ops that a successful operation should take more than one op
1240 to complete, and likewise that with a max_ops of
1241 PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, it should complete in one go. */
1242 if (max_ops == 0 || max_ops == 1) {
Paul Elliottc86d45e2023-02-15 17:38:05 +00001243
Paul Elliott6f600372023-02-06 18:41:05 +00001244 if (expected_status == PSA_SUCCESS) {
1245 *min_completes = 2;
1246 } else {
1247 *min_completes = 1;
1248 }
1249
1250 *max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
1251 } else {
1252 *min_completes = 1;
1253 *max_completes = 1;
1254 }
1255}
Paul Elliott01885fa2023-02-09 12:07:30 +00001256#endif /* MBEDTLS_ECP_RESTARTABLE */
Paul Elliott6f600372023-02-06 18:41:05 +00001257
Gilles Peskine1d25a0a2024-02-12 16:40:04 +01001258#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
1259static int rsa_test_e(mbedtls_svc_key_id_t key,
1260 size_t bits,
1261 const data_t *e_arg)
1262{
1263 uint8_t *exported = NULL;
1264 size_t exported_size =
1265 PSA_EXPORT_KEY_OUTPUT_SIZE(PSA_KEY_TYPE_RSA_PUBLIC_KEY, bits);
1266 size_t exported_length = SIZE_MAX;
1267 int ok = 0;
1268
1269 TEST_CALLOC(exported, exported_size);
1270 PSA_ASSERT(psa_export_public_key(key,
1271 exported, exported_size,
1272 &exported_length));
1273 uint8_t *p = exported;
1274 uint8_t *end = exported + exported_length;
1275 size_t len;
1276 /* RSAPublicKey ::= SEQUENCE {
1277 * modulus INTEGER, -- n
1278 * publicExponent INTEGER } -- e
1279 */
1280 TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len,
1281 MBEDTLS_ASN1_SEQUENCE |
1282 MBEDTLS_ASN1_CONSTRUCTED));
1283 TEST_ASSERT(mbedtls_test_asn1_skip_integer(&p, end, bits, bits, 1));
1284 TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len,
1285 MBEDTLS_ASN1_INTEGER));
1286 if (len >= 1 && p[0] == 0) {
1287 ++p;
1288 --len;
1289 }
1290 if (e_arg->len == 0) {
1291 TEST_EQUAL(len, 3);
1292 TEST_EQUAL(p[0], 1);
1293 TEST_EQUAL(p[1], 0);
1294 TEST_EQUAL(p[2], 1);
1295 } else {
Gilles Peskine7a18f962024-02-12 16:48:11 +01001296 const uint8_t *expected = e_arg->x;
1297 size_t expected_len = e_arg->len;
1298 while (expected_len > 0 && *expected == 0) {
1299 ++expected;
1300 --expected_len;
1301 }
1302 TEST_MEMORY_COMPARE(p, len, expected, expected_len);
Gilles Peskine1d25a0a2024-02-12 16:40:04 +01001303 }
1304 ok = 1;
1305
1306exit:
1307 mbedtls_free(exported);
1308 return ok;
1309}
1310#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE */
1311
Gilles Peskinef0765fa2024-02-12 16:46:16 +01001312static int setup_key_generation_method(psa_key_generation_method_t **method,
1313 size_t *method_length,
1314 int64_t flags_arg,
1315 const data_t *method_data)
1316{
1317 if (flags_arg >= 0) {
1318 *method_length = sizeof(**method) + method_data->len;
1319 *method = mbedtls_calloc(1, *method_length);
1320 TEST_ASSERT(*method != NULL);
1321 (*method)->flags = (uint32_t) flags_arg;
1322 memcpy((*method)->data, method_data->x, method_data->len);
1323 } else if (sizeof(**method) + flags_arg > 0) {
1324 *method_length = sizeof(**method) + flags_arg;
1325 *method = mbedtls_calloc(1, *method_length);
1326 TEST_ASSERT(*method != NULL);
1327 }
1328 return 1;
1329exit:
1330 return 0;
1331}
1332
Gilles Peskinee59236f2018-01-27 23:32:46 +01001333/* END_HEADER */
1334
1335/* BEGIN_DEPENDENCIES
1336 * depends_on:MBEDTLS_PSA_CRYPTO_C
1337 * END_DEPENDENCIES
1338 */
1339
1340/* BEGIN_CASE */
Manuel Pégourié-Gonnard7abdf7e2023-03-09 11:17:43 +01001341void psa_can_do_hash()
1342{
1343 /* We can't test that this is specific to drivers until partial init has
1344 * been implemented, but we can at least test before/after full init. */
1345 TEST_EQUAL(0, psa_can_do_hash(PSA_ALG_NONE));
1346 PSA_INIT();
1347 TEST_EQUAL(1, psa_can_do_hash(PSA_ALG_NONE));
1348 PSA_DONE();
1349}
1350/* END_CASE */
1351
1352/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001353void static_checks()
Gilles Peskinee1f2d7d2018-08-21 14:54:54 +02001354{
1355 size_t max_truncated_mac_size =
1356 PSA_ALG_MAC_TRUNCATION_MASK >> PSA_MAC_TRUNCATION_OFFSET;
1357
1358 /* Check that the length for a truncated MAC always fits in the algorithm
1359 * encoding. The shifted mask is the maximum truncated value. The
1360 * untruncated algorithm may be one byte larger. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001361 TEST_LE_U(PSA_MAC_MAX_SIZE, 1 + max_truncated_mac_size);
Gilles Peskinee1f2d7d2018-08-21 14:54:54 +02001362}
1363/* END_CASE */
1364
1365/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001366void import_with_policy(int type_arg,
1367 int usage_arg, int alg_arg,
1368 int expected_status_arg)
Gilles Peskine6edfa292019-07-31 15:53:45 +02001369{
1370 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1371 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Ronald Cron5425a212020-08-04 14:58:35 +02001372 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine6edfa292019-07-31 15:53:45 +02001373 psa_key_type_t type = type_arg;
1374 psa_key_usage_t usage = usage_arg;
1375 psa_algorithm_t alg = alg_arg;
1376 psa_status_t expected_status = expected_status_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01001377 const uint8_t key_material[16] = { 0 };
Gilles Peskine6edfa292019-07-31 15:53:45 +02001378 psa_status_t status;
1379
Gilles Peskine449bd832023-01-11 14:50:10 +01001380 PSA_ASSERT(psa_crypto_init());
Gilles Peskine6edfa292019-07-31 15:53:45 +02001381
Gilles Peskine449bd832023-01-11 14:50:10 +01001382 psa_set_key_type(&attributes, type);
1383 psa_set_key_usage_flags(&attributes, usage);
1384 psa_set_key_algorithm(&attributes, alg);
Gilles Peskine6edfa292019-07-31 15:53:45 +02001385
Gilles Peskine449bd832023-01-11 14:50:10 +01001386 status = psa_import_key(&attributes,
1387 key_material, sizeof(key_material),
1388 &key);
1389 TEST_EQUAL(status, expected_status);
1390 if (status != PSA_SUCCESS) {
Gilles Peskine6edfa292019-07-31 15:53:45 +02001391 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001392 }
Gilles Peskine6edfa292019-07-31 15:53:45 +02001393
Gilles Peskine449bd832023-01-11 14:50:10 +01001394 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
1395 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
1396 TEST_EQUAL(psa_get_key_usage_flags(&got_attributes),
1397 mbedtls_test_update_key_usage_flags(usage));
1398 TEST_EQUAL(psa_get_key_algorithm(&got_attributes), alg);
1399 ASSERT_NO_SLOT_NUMBER(&got_attributes);
Gilles Peskine6edfa292019-07-31 15:53:45 +02001400
Gilles Peskine449bd832023-01-11 14:50:10 +01001401 PSA_ASSERT(psa_destroy_key(key));
1402 test_operations_on_invalid_key(key);
Gilles Peskine6edfa292019-07-31 15:53:45 +02001403
1404exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001405 /*
1406 * Key attributes may have been returned by psa_get_key_attributes()
1407 * thus reset them as required.
1408 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001409 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001410
Gilles Peskine449bd832023-01-11 14:50:10 +01001411 psa_destroy_key(key);
1412 PSA_DONE();
Gilles Peskine6edfa292019-07-31 15:53:45 +02001413}
1414/* END_CASE */
1415
1416/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001417void import_with_data(data_t *data, int type_arg,
1418 int attr_bits_arg,
1419 int expected_status_arg)
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001420{
1421 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1422 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Ronald Cron5425a212020-08-04 14:58:35 +02001423 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001424 psa_key_type_t type = type_arg;
Gilles Peskine8fb3a9e2019-05-03 16:59:21 +02001425 size_t attr_bits = attr_bits_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02001426 psa_status_t expected_status = expected_status_arg;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001427 psa_status_t status;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001428
Gilles Peskine449bd832023-01-11 14:50:10 +01001429 PSA_ASSERT(psa_crypto_init());
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001430
Gilles Peskine449bd832023-01-11 14:50:10 +01001431 psa_set_key_type(&attributes, type);
1432 psa_set_key_bits(&attributes, attr_bits);
Gilles Peskine6edfa292019-07-31 15:53:45 +02001433
Gilles Peskine449bd832023-01-11 14:50:10 +01001434 status = psa_import_key(&attributes, data->x, data->len, &key);
Manuel Pégourié-Gonnard0509b582023-08-08 12:47:56 +02001435 /* When expecting INVALID_ARGUMENT, also accept NOT_SUPPORTED.
1436 *
1437 * This can happen with a type supported only by a driver:
1438 * - the driver sees the invalid data (for example wrong size) and thinks
1439 * "well perhaps this is a key size I don't support" so it returns
1440 * NOT_SUPPORTED which is correct at this point;
1441 * - we fallback to built-ins, which don't support this type, so return
1442 * NOT_SUPPORTED which again is correct at this point.
1443 */
1444 if (expected_status == PSA_ERROR_INVALID_ARGUMENT &&
1445 status == PSA_ERROR_NOT_SUPPORTED) {
1446 ; // OK
1447 } else {
1448 TEST_EQUAL(status, expected_status);
1449 }
Gilles Peskine449bd832023-01-11 14:50:10 +01001450 if (status != PSA_SUCCESS) {
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001451 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001452 }
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001453
Gilles Peskine449bd832023-01-11 14:50:10 +01001454 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
1455 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
1456 if (attr_bits != 0) {
1457 TEST_EQUAL(attr_bits, psa_get_key_bits(&got_attributes));
1458 }
1459 ASSERT_NO_SLOT_NUMBER(&got_attributes);
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001460
Gilles Peskine449bd832023-01-11 14:50:10 +01001461 PSA_ASSERT(psa_destroy_key(key));
1462 test_operations_on_invalid_key(key);
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001463
1464exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001465 /*
1466 * Key attributes may have been returned by psa_get_key_attributes()
1467 * thus reset them as required.
1468 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001469 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001470
Gilles Peskine449bd832023-01-11 14:50:10 +01001471 psa_destroy_key(key);
1472 PSA_DONE();
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001473}
1474/* END_CASE */
1475
1476/* BEGIN_CASE */
Gilles Peskine07510f52022-11-11 16:37:16 +01001477/* Construct and attempt to import a large unstructured key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001478void import_large_key(int type_arg, int byte_size_arg,
1479 int expected_status_arg)
Gilles Peskinec744d992019-07-30 17:26:54 +02001480{
1481 psa_key_type_t type = type_arg;
1482 size_t byte_size = byte_size_arg;
1483 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1484 psa_status_t expected_status = expected_status_arg;
Ronald Cron5425a212020-08-04 14:58:35 +02001485 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinec744d992019-07-30 17:26:54 +02001486 psa_status_t status;
1487 uint8_t *buffer = NULL;
1488 size_t buffer_size = byte_size + 1;
1489 size_t n;
1490
Steven Cooreman69967ce2021-01-18 18:01:08 +01001491 /* Skip the test case if the target running the test cannot
Shaun Case8b0ecbc2021-12-20 21:14:10 -08001492 * accommodate large keys due to heap size constraints */
Tom Cosgrove412a8132023-07-20 16:55:14 +01001493 TEST_CALLOC_OR_SKIP(buffer, buffer_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01001494 memset(buffer, 'K', byte_size);
Gilles Peskinec744d992019-07-30 17:26:54 +02001495
Gilles Peskine449bd832023-01-11 14:50:10 +01001496 PSA_ASSERT(psa_crypto_init());
Gilles Peskinec744d992019-07-30 17:26:54 +02001497
1498 /* Try importing the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001499 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT);
1500 psa_set_key_type(&attributes, type);
1501 status = psa_import_key(&attributes, buffer, byte_size, &key);
1502 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY);
1503 TEST_EQUAL(status, expected_status);
Gilles Peskinec744d992019-07-30 17:26:54 +02001504
Gilles Peskine449bd832023-01-11 14:50:10 +01001505 if (status == PSA_SUCCESS) {
1506 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
1507 TEST_EQUAL(psa_get_key_type(&attributes), type);
1508 TEST_EQUAL(psa_get_key_bits(&attributes),
1509 PSA_BYTES_TO_BITS(byte_size));
1510 ASSERT_NO_SLOT_NUMBER(&attributes);
1511 memset(buffer, 0, byte_size + 1);
1512 PSA_ASSERT(psa_export_key(key, buffer, byte_size, &n));
1513 for (n = 0; n < byte_size; n++) {
1514 TEST_EQUAL(buffer[n], 'K');
1515 }
1516 for (n = byte_size; n < buffer_size; n++) {
1517 TEST_EQUAL(buffer[n], 0);
1518 }
Gilles Peskinec744d992019-07-30 17:26:54 +02001519 }
1520
1521exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001522 /*
1523 * Key attributes may have been returned by psa_get_key_attributes()
1524 * thus reset them as required.
1525 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001526 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001527
Gilles Peskine449bd832023-01-11 14:50:10 +01001528 psa_destroy_key(key);
1529 PSA_DONE();
1530 mbedtls_free(buffer);
Gilles Peskinec744d992019-07-30 17:26:54 +02001531}
1532/* END_CASE */
1533
Andrzej Kurek77b8e092022-01-17 15:29:38 +01001534/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C */
Gilles Peskine07510f52022-11-11 16:37:16 +01001535/* Import an RSA key with a valid structure (but not valid numbers
1536 * inside, beyond having sensible size and parity). This is expected to
1537 * fail for large keys. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001538void import_rsa_made_up(int bits_arg, int keypair, int expected_status_arg)
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001539{
Ronald Cron5425a212020-08-04 14:58:35 +02001540 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001541 size_t bits = bits_arg;
1542 psa_status_t expected_status = expected_status_arg;
1543 psa_status_t status;
1544 psa_key_type_t type =
Gilles Peskinec93b80c2019-05-16 19:39:54 +02001545 keypair ? PSA_KEY_TYPE_RSA_KEY_PAIR : PSA_KEY_TYPE_RSA_PUBLIC_KEY;
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001546 size_t buffer_size = /* Slight overapproximations */
Gilles Peskine449bd832023-01-11 14:50:10 +01001547 keypair ? bits * 9 / 16 + 80 : bits / 8 + 20;
Gilles Peskine8cebbba2018-09-27 13:54:18 +02001548 unsigned char *buffer = NULL;
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001549 unsigned char *p;
1550 int ret;
1551 size_t length;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02001552 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001553
Gilles Peskine449bd832023-01-11 14:50:10 +01001554 PSA_ASSERT(psa_crypto_init());
Tom Cosgrove05b2a872023-07-21 11:31:13 +01001555 TEST_CALLOC(buffer, buffer_size);
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001556
Gilles Peskine449bd832023-01-11 14:50:10 +01001557 TEST_ASSERT((ret = construct_fake_rsa_key(buffer, buffer_size, &p,
1558 bits, keypair)) >= 0);
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001559 length = ret;
1560
1561 /* Try importing the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001562 psa_set_key_type(&attributes, type);
1563 status = psa_import_key(&attributes, p, length, &key);
1564 TEST_EQUAL(status, expected_status);
Gilles Peskine76b29a72019-05-28 14:08:50 +02001565
Gilles Peskine449bd832023-01-11 14:50:10 +01001566 if (status == PSA_SUCCESS) {
1567 PSA_ASSERT(psa_destroy_key(key));
1568 }
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001569
1570exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01001571 mbedtls_free(buffer);
1572 PSA_DONE();
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001573}
1574/* END_CASE */
1575
1576/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001577void import_export(data_t *data,
1578 int type_arg,
1579 int usage_arg, int alg_arg,
1580 int lifetime_arg,
1581 int expected_bits,
1582 int export_size_delta,
1583 int expected_export_status_arg,
1584 /*whether reexport must give the original input exactly*/
1585 int canonical_input)
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001586{
Ronald Cron5425a212020-08-04 14:58:35 +02001587 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001588 psa_key_type_t type = type_arg;
Gilles Peskine4abf7412018-06-18 16:35:34 +02001589 psa_algorithm_t alg = alg_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02001590 psa_status_t expected_export_status = expected_export_status_arg;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001591 psa_status_t status;
Archana4d7ae1d2021-07-07 02:50:22 +05301592 psa_key_lifetime_t lifetime = lifetime_arg;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001593 unsigned char *exported = NULL;
1594 unsigned char *reexported = NULL;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001595 size_t export_size;
Jaeden Amerof24c7f82018-06-27 17:20:43 +01001596 size_t exported_length = INVALID_EXPORT_LENGTH;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001597 size_t reexported_length;
Gilles Peskine4747d192019-04-17 15:05:45 +02001598 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001599 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001600
Moran Pekercb088e72018-07-17 17:36:59 +03001601 export_size = (ptrdiff_t) data->len + export_size_delta;
Tom Cosgrove05b2a872023-07-21 11:31:13 +01001602 TEST_CALLOC(exported, export_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01001603 if (!canonical_input) {
Tom Cosgrove05b2a872023-07-21 11:31:13 +01001604 TEST_CALLOC(reexported, export_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01001605 }
1606 PSA_ASSERT(psa_crypto_init());
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001607
Gilles Peskine449bd832023-01-11 14:50:10 +01001608 psa_set_key_lifetime(&attributes, lifetime);
1609 psa_set_key_usage_flags(&attributes, usage_arg);
1610 psa_set_key_algorithm(&attributes, alg);
1611 psa_set_key_type(&attributes, type);
mohammad1603a97cb8c2018-03-28 03:46:26 -07001612
Przemek Stekiel1d9c2b62022-12-01 15:01:39 +01001613 if (PSA_KEY_TYPE_IS_DH(type) &&
1614 expected_export_status == PSA_ERROR_BUFFER_TOO_SMALL) {
Przemek Stekiel654bef02022-12-15 13:28:02 +01001615 /* Simulate that buffer is too small, by decreasing its size by 1 byte. */
1616 export_size -= 1;
Przemek Stekiel1d9c2b62022-12-01 15:01:39 +01001617 }
1618
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001619 /* Import the key */
Przemek Stekiel1d9c2b62022-12-01 15:01:39 +01001620 TEST_EQUAL(psa_import_key(&attributes, data->x, data->len, &key),
Przemek Stekiel2e7c33d2023-04-27 12:29:45 +02001621 PSA_SUCCESS);
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001622
1623 /* Test the key information */
Gilles Peskine449bd832023-01-11 14:50:10 +01001624 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
1625 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
1626 TEST_EQUAL(psa_get_key_bits(&got_attributes), (size_t) expected_bits);
1627 ASSERT_NO_SLOT_NUMBER(&got_attributes);
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001628
1629 /* Export the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001630 status = psa_export_key(key, exported, export_size, &exported_length);
1631 TEST_EQUAL(status, expected_export_status);
Jaeden Amerof24c7f82018-06-27 17:20:43 +01001632
1633 /* The exported length must be set by psa_export_key() to a value between 0
1634 * and export_size. On errors, the exported length must be 0. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001635 TEST_ASSERT(exported_length != INVALID_EXPORT_LENGTH);
1636 TEST_ASSERT(status == PSA_SUCCESS || exported_length == 0);
1637 TEST_LE_U(exported_length, export_size);
Jaeden Amerof24c7f82018-06-27 17:20:43 +01001638
Gilles Peskine449bd832023-01-11 14:50:10 +01001639 TEST_ASSERT(mem_is_char(exported + exported_length, 0,
1640 export_size - exported_length));
1641 if (status != PSA_SUCCESS) {
1642 TEST_EQUAL(exported_length, 0);
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001643 goto destroy;
Gilles Peskinee66ca3b2018-06-20 00:11:45 +02001644 }
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001645
Gilles Peskineea38a922021-02-13 00:05:16 +01001646 /* Run sanity checks on the exported key. For non-canonical inputs,
1647 * this validates the canonical representations. For canonical inputs,
1648 * this doesn't directly validate the implementation, but it still helps
1649 * by cross-validating the test data with the sanity check code. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001650 if (!psa_key_lifetime_is_external(lifetime)) {
1651 if (!mbedtls_test_psa_exercise_key(key, usage_arg, 0)) {
Archana4d7ae1d2021-07-07 02:50:22 +05301652 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001653 }
Archana4d7ae1d2021-07-07 02:50:22 +05301654 }
Gilles Peskine8f609232018-08-11 01:24:55 +02001655
Gilles Peskine449bd832023-01-11 14:50:10 +01001656 if (canonical_input) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01001657 TEST_MEMORY_COMPARE(data->x, data->len, exported, exported_length);
Gilles Peskine449bd832023-01-11 14:50:10 +01001658 } else {
Ronald Cron5425a212020-08-04 14:58:35 +02001659 mbedtls_svc_key_id_t key2 = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +01001660 PSA_ASSERT(psa_import_key(&attributes, exported, exported_length,
1661 &key2));
1662 PSA_ASSERT(psa_export_key(key2,
1663 reexported,
1664 export_size,
1665 &reexported_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01001666 TEST_MEMORY_COMPARE(exported, exported_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01001667 reexported, reexported_length);
Gilles Peskine449bd832023-01-11 14:50:10 +01001668 PSA_ASSERT(psa_destroy_key(key2));
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001669 }
Gilles Peskine449bd832023-01-11 14:50:10 +01001670 TEST_LE_U(exported_length,
1671 PSA_EXPORT_KEY_OUTPUT_SIZE(type,
1672 psa_get_key_bits(&got_attributes)));
Valerio Setti1eacae82023-07-28 16:07:03 +02001673 if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
1674 TEST_LE_U(exported_length, PSA_EXPORT_KEY_PAIR_MAX_SIZE);
1675 } else if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
1676 TEST_LE_U(exported_length, PSA_EXPORT_PUBLIC_KEY_MAX_SIZE);
1677 }
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001678
1679destroy:
1680 /* Destroy the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001681 PSA_ASSERT(psa_destroy_key(key));
1682 test_operations_on_invalid_key(key);
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001683
1684exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001685 /*
1686 * Key attributes may have been returned by psa_get_key_attributes()
1687 * thus reset them as required.
1688 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001689 psa_reset_key_attributes(&got_attributes);
1690 psa_destroy_key(key);
1691 mbedtls_free(exported);
1692 mbedtls_free(reexported);
1693 PSA_DONE();
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001694}
1695/* END_CASE */
Gilles Peskine20035e32018-02-03 22:44:14 +01001696
Moran Pekerf709f4a2018-06-06 17:26:04 +03001697/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001698void import_export_public_key(data_t *data,
1699 int type_arg, // key pair or public key
1700 int alg_arg,
1701 int lifetime_arg,
1702 int export_size_delta,
1703 int expected_export_status_arg,
1704 data_t *expected_public_key)
Moran Pekerf709f4a2018-06-06 17:26:04 +03001705{
Ronald Cron5425a212020-08-04 14:58:35 +02001706 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Moran Pekerf709f4a2018-06-06 17:26:04 +03001707 psa_key_type_t type = type_arg;
Gilles Peskine4abf7412018-06-18 16:35:34 +02001708 psa_algorithm_t alg = alg_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02001709 psa_status_t expected_export_status = expected_export_status_arg;
Moran Pekerf709f4a2018-06-06 17:26:04 +03001710 psa_status_t status;
Archana4d7ae1d2021-07-07 02:50:22 +05301711 psa_key_lifetime_t lifetime = lifetime_arg;
Moran Pekerf709f4a2018-06-06 17:26:04 +03001712 unsigned char *exported = NULL;
Gilles Peskine49c25912018-10-29 15:15:31 +01001713 size_t export_size = expected_public_key->len + export_size_delta;
Jaeden Amero2a671e92018-06-27 17:47:40 +01001714 size_t exported_length = INVALID_EXPORT_LENGTH;
Gilles Peskine4747d192019-04-17 15:05:45 +02001715 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Moran Pekerf709f4a2018-06-06 17:26:04 +03001716
Gilles Peskine449bd832023-01-11 14:50:10 +01001717 PSA_ASSERT(psa_crypto_init());
Moran Pekerf709f4a2018-06-06 17:26:04 +03001718
Gilles Peskine449bd832023-01-11 14:50:10 +01001719 psa_set_key_lifetime(&attributes, lifetime);
1720 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT);
1721 psa_set_key_algorithm(&attributes, alg);
1722 psa_set_key_type(&attributes, type);
Moran Pekerf709f4a2018-06-06 17:26:04 +03001723
1724 /* Import the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001725 PSA_ASSERT(psa_import_key(&attributes, data->x, data->len, &key));
Moran Pekerf709f4a2018-06-06 17:26:04 +03001726
Gilles Peskine49c25912018-10-29 15:15:31 +01001727 /* Export the public key */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01001728 TEST_CALLOC(exported, export_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01001729 status = psa_export_public_key(key,
1730 exported, export_size,
1731 &exported_length);
1732 TEST_EQUAL(status, expected_export_status);
1733 if (status == PSA_SUCCESS) {
1734 psa_key_type_t public_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type);
Gilles Peskined8b7d4f2018-10-29 15:18:41 +01001735 size_t bits;
Gilles Peskine449bd832023-01-11 14:50:10 +01001736 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
1737 bits = psa_get_key_bits(&attributes);
1738 TEST_LE_U(expected_public_key->len,
1739 PSA_EXPORT_KEY_OUTPUT_SIZE(public_type, bits));
1740 TEST_LE_U(expected_public_key->len,
1741 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(public_type, bits));
1742 TEST_LE_U(expected_public_key->len,
1743 PSA_EXPORT_PUBLIC_KEY_MAX_SIZE);
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01001744 TEST_MEMORY_COMPARE(expected_public_key->x, expected_public_key->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01001745 exported, exported_length);
Gilles Peskined8b7d4f2018-10-29 15:18:41 +01001746 }
Moran Pekerf709f4a2018-06-06 17:26:04 +03001747exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001748 /*
1749 * Key attributes may have been returned by psa_get_key_attributes()
1750 * thus reset them as required.
1751 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001752 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001753
Gilles Peskine449bd832023-01-11 14:50:10 +01001754 mbedtls_free(exported);
1755 psa_destroy_key(key);
1756 PSA_DONE();
Moran Pekerf709f4a2018-06-06 17:26:04 +03001757}
1758/* END_CASE */
1759
Gilles Peskine20035e32018-02-03 22:44:14 +01001760/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001761void import_and_exercise_key(data_t *data,
1762 int type_arg,
1763 int bits_arg,
1764 int alg_arg)
Gilles Peskinea680c7a2018-06-26 16:12:43 +02001765{
Ronald Cron5425a212020-08-04 14:58:35 +02001766 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinea680c7a2018-06-26 16:12:43 +02001767 psa_key_type_t type = type_arg;
1768 size_t bits = bits_arg;
1769 psa_algorithm_t alg = alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01001770 psa_key_usage_t usage = mbedtls_test_psa_usage_to_exercise(type, alg);
Gilles Peskine4747d192019-04-17 15:05:45 +02001771 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001772 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinea680c7a2018-06-26 16:12:43 +02001773
Gilles Peskine449bd832023-01-11 14:50:10 +01001774 PSA_ASSERT(psa_crypto_init());
Gilles Peskinea680c7a2018-06-26 16:12:43 +02001775
Gilles Peskine449bd832023-01-11 14:50:10 +01001776 psa_set_key_usage_flags(&attributes, usage);
1777 psa_set_key_algorithm(&attributes, alg);
1778 psa_set_key_type(&attributes, type);
Gilles Peskinea680c7a2018-06-26 16:12:43 +02001779
1780 /* Import the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001781 PSA_ASSERT(psa_import_key(&attributes, data->x, data->len, &key));
Gilles Peskinea680c7a2018-06-26 16:12:43 +02001782
1783 /* Test the key information */
Gilles Peskine449bd832023-01-11 14:50:10 +01001784 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
1785 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
1786 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
Gilles Peskinea680c7a2018-06-26 16:12:43 +02001787
1788 /* Do something with the key according to its type and permitted usage. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001789 if (!mbedtls_test_psa_exercise_key(key, usage, alg)) {
Gilles Peskine02b75072018-07-01 22:31:34 +02001790 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001791 }
Gilles Peskinea680c7a2018-06-26 16:12:43 +02001792
Gilles Peskine449bd832023-01-11 14:50:10 +01001793 PSA_ASSERT(psa_destroy_key(key));
1794 test_operations_on_invalid_key(key);
Gilles Peskine4cf3a432019-04-18 22:28:52 +02001795
Gilles Peskinea680c7a2018-06-26 16:12:43 +02001796exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001797 /*
1798 * Key attributes may have been returned by psa_get_key_attributes()
1799 * thus reset them as required.
1800 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001801 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001802
Gilles Peskine449bd832023-01-11 14:50:10 +01001803 psa_reset_key_attributes(&attributes);
1804 psa_destroy_key(key);
1805 PSA_DONE();
Gilles Peskinea680c7a2018-06-26 16:12:43 +02001806}
1807/* END_CASE */
1808
1809/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001810void effective_key_attributes(int type_arg, int expected_type_arg,
1811 int bits_arg, int expected_bits_arg,
1812 int usage_arg, int expected_usage_arg,
1813 int alg_arg, int expected_alg_arg)
Gilles Peskined5b33222018-06-18 22:20:03 +02001814{
Ronald Cron5425a212020-08-04 14:58:35 +02001815 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine1a960492019-11-26 17:12:21 +01001816 psa_key_type_t key_type = type_arg;
Gilles Peskine06c28892019-11-26 18:07:46 +01001817 psa_key_type_t expected_key_type = expected_type_arg;
Gilles Peskine1a960492019-11-26 17:12:21 +01001818 size_t bits = bits_arg;
Gilles Peskine06c28892019-11-26 18:07:46 +01001819 size_t expected_bits = expected_bits_arg;
Gilles Peskined5b33222018-06-18 22:20:03 +02001820 psa_algorithm_t alg = alg_arg;
Gilles Peskine06c28892019-11-26 18:07:46 +01001821 psa_algorithm_t expected_alg = expected_alg_arg;
Gilles Peskined5b33222018-06-18 22:20:03 +02001822 psa_key_usage_t usage = usage_arg;
Gilles Peskine06c28892019-11-26 18:07:46 +01001823 psa_key_usage_t expected_usage = expected_usage_arg;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001824 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskined5b33222018-06-18 22:20:03 +02001825
Gilles Peskine449bd832023-01-11 14:50:10 +01001826 PSA_ASSERT(psa_crypto_init());
Gilles Peskined5b33222018-06-18 22:20:03 +02001827
Gilles Peskine449bd832023-01-11 14:50:10 +01001828 psa_set_key_usage_flags(&attributes, usage);
1829 psa_set_key_algorithm(&attributes, alg);
1830 psa_set_key_type(&attributes, key_type);
1831 psa_set_key_bits(&attributes, bits);
Gilles Peskined5b33222018-06-18 22:20:03 +02001832
Gilles Peskine449bd832023-01-11 14:50:10 +01001833 PSA_ASSERT(psa_generate_key(&attributes, &key));
1834 psa_reset_key_attributes(&attributes);
Gilles Peskined5b33222018-06-18 22:20:03 +02001835
Gilles Peskine449bd832023-01-11 14:50:10 +01001836 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
1837 TEST_EQUAL(psa_get_key_type(&attributes), expected_key_type);
1838 TEST_EQUAL(psa_get_key_bits(&attributes), expected_bits);
1839 TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage);
1840 TEST_EQUAL(psa_get_key_algorithm(&attributes), expected_alg);
Gilles Peskined5b33222018-06-18 22:20:03 +02001841
1842exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001843 /*
1844 * Key attributes may have been returned by psa_get_key_attributes()
1845 * thus reset them as required.
1846 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001847 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001848
Gilles Peskine449bd832023-01-11 14:50:10 +01001849 psa_destroy_key(key);
1850 PSA_DONE();
Gilles Peskined5b33222018-06-18 22:20:03 +02001851}
1852/* END_CASE */
1853
1854/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001855void check_key_policy(int type_arg, int bits_arg,
1856 int usage_arg, int alg_arg)
Gilles Peskine06c28892019-11-26 18:07:46 +01001857{
Gilles Peskine449bd832023-01-11 14:50:10 +01001858 test_effective_key_attributes(type_arg, type_arg, bits_arg, bits_arg,
1859 usage_arg,
1860 mbedtls_test_update_key_usage_flags(usage_arg),
1861 alg_arg, alg_arg);
Gilles Peskine06c28892019-11-26 18:07:46 +01001862 goto exit;
1863}
1864/* END_CASE */
1865
1866/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001867void key_attributes_init()
Jaeden Amero70261c52019-01-04 11:47:20 +00001868{
1869 /* Test each valid way of initializing the object, except for `= {0}`, as
1870 * Clang 5 complains when `-Wmissing-field-initializers` is used, even
1871 * though it's OK by the C standard. We could test for this, but we'd need
Shaun Case8b0ecbc2021-12-20 21:14:10 -08001872 * to suppress the Clang warning for the test. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001873 psa_key_attributes_t func = psa_key_attributes_init();
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02001874 psa_key_attributes_t init = PSA_KEY_ATTRIBUTES_INIT;
1875 psa_key_attributes_t zero;
Jaeden Amero70261c52019-01-04 11:47:20 +00001876
Gilles Peskine449bd832023-01-11 14:50:10 +01001877 memset(&zero, 0, sizeof(zero));
Jaeden Amero70261c52019-01-04 11:47:20 +00001878
Gilles Peskine449bd832023-01-11 14:50:10 +01001879 TEST_EQUAL(psa_get_key_lifetime(&func), PSA_KEY_LIFETIME_VOLATILE);
1880 TEST_EQUAL(psa_get_key_lifetime(&init), PSA_KEY_LIFETIME_VOLATILE);
1881 TEST_EQUAL(psa_get_key_lifetime(&zero), PSA_KEY_LIFETIME_VOLATILE);
Jaeden Amero5229bbb2019-02-07 16:33:37 +00001882
Gilles Peskine449bd832023-01-11 14:50:10 +01001883 TEST_EQUAL(psa_get_key_type(&func), 0);
1884 TEST_EQUAL(psa_get_key_type(&init), 0);
1885 TEST_EQUAL(psa_get_key_type(&zero), 0);
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02001886
Gilles Peskine449bd832023-01-11 14:50:10 +01001887 TEST_EQUAL(psa_get_key_bits(&func), 0);
1888 TEST_EQUAL(psa_get_key_bits(&init), 0);
1889 TEST_EQUAL(psa_get_key_bits(&zero), 0);
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02001890
Gilles Peskine449bd832023-01-11 14:50:10 +01001891 TEST_EQUAL(psa_get_key_usage_flags(&func), 0);
1892 TEST_EQUAL(psa_get_key_usage_flags(&init), 0);
1893 TEST_EQUAL(psa_get_key_usage_flags(&zero), 0);
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02001894
Gilles Peskine449bd832023-01-11 14:50:10 +01001895 TEST_EQUAL(psa_get_key_algorithm(&func), 0);
1896 TEST_EQUAL(psa_get_key_algorithm(&init), 0);
1897 TEST_EQUAL(psa_get_key_algorithm(&zero), 0);
Jaeden Amero70261c52019-01-04 11:47:20 +00001898}
1899/* END_CASE */
1900
1901/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001902void mac_key_policy(int policy_usage_arg,
1903 int policy_alg_arg,
1904 int key_type_arg,
1905 data_t *key_data,
1906 int exercise_alg_arg,
1907 int expected_status_sign_arg,
1908 int expected_status_verify_arg)
Gilles Peskined5b33222018-06-18 22:20:03 +02001909{
Ronald Cron5425a212020-08-04 14:58:35 +02001910 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02001911 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Jaeden Amero769ce272019-01-04 11:48:03 +00001912 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
gabor-mezei-armedf2df82021-05-13 16:17:16 +02001913 psa_key_type_t key_type = key_type_arg;
1914 psa_algorithm_t policy_alg = policy_alg_arg;
1915 psa_algorithm_t exercise_alg = exercise_alg_arg;
1916 psa_key_usage_t policy_usage = policy_usage_arg;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02001917 psa_status_t status;
Mateusz Starzykd07f4fc2021-08-24 11:01:23 +02001918 psa_status_t expected_status_sign = expected_status_sign_arg;
1919 psa_status_t expected_status_verify = expected_status_verify_arg;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02001920 unsigned char mac[PSA_MAC_MAX_SIZE];
Gilles Peskined5b33222018-06-18 22:20:03 +02001921
Gilles Peskine449bd832023-01-11 14:50:10 +01001922 PSA_ASSERT(psa_crypto_init());
Gilles Peskined5b33222018-06-18 22:20:03 +02001923
Gilles Peskine449bd832023-01-11 14:50:10 +01001924 psa_set_key_usage_flags(&attributes, policy_usage);
1925 psa_set_key_algorithm(&attributes, policy_alg);
1926 psa_set_key_type(&attributes, key_type);
Gilles Peskined5b33222018-06-18 22:20:03 +02001927
Gilles Peskine449bd832023-01-11 14:50:10 +01001928 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
1929 &key));
Gilles Peskined5b33222018-06-18 22:20:03 +02001930
Gilles Peskine449bd832023-01-11 14:50:10 +01001931 TEST_EQUAL(psa_get_key_usage_flags(&attributes),
1932 mbedtls_test_update_key_usage_flags(policy_usage));
gabor-mezei-armedf2df82021-05-13 16:17:16 +02001933
Gilles Peskine449bd832023-01-11 14:50:10 +01001934 status = psa_mac_sign_setup(&operation, key, exercise_alg);
1935 TEST_EQUAL(status, expected_status_sign);
Steven Cooremanb3ce8152021-02-18 12:03:50 +01001936
Mateusz Starzyk1ebcd552021-08-30 17:09:03 +02001937 /* Calculate the MAC, one-shot case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001938 uint8_t input[128] = { 0 };
Mateusz Starzyk1ebcd552021-08-30 17:09:03 +02001939 size_t mac_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001940 TEST_EQUAL(psa_mac_compute(key, exercise_alg,
1941 input, 128,
1942 mac, PSA_MAC_MAX_SIZE, &mac_len),
1943 expected_status_sign);
Mateusz Starzyk1ebcd552021-08-30 17:09:03 +02001944
Neil Armstrong3af9b972022-02-07 12:20:21 +01001945 /* Calculate the MAC, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001946 PSA_ASSERT(psa_mac_abort(&operation));
1947 status = psa_mac_sign_setup(&operation, key, exercise_alg);
1948 if (status == PSA_SUCCESS) {
1949 status = psa_mac_update(&operation, input, 128);
1950 if (status == PSA_SUCCESS) {
1951 TEST_EQUAL(psa_mac_sign_finish(&operation, mac, PSA_MAC_MAX_SIZE,
1952 &mac_len),
1953 expected_status_sign);
1954 } else {
1955 TEST_EQUAL(status, expected_status_sign);
1956 }
1957 } else {
1958 TEST_EQUAL(status, expected_status_sign);
Neil Armstrong3af9b972022-02-07 12:20:21 +01001959 }
Gilles Peskine449bd832023-01-11 14:50:10 +01001960 PSA_ASSERT(psa_mac_abort(&operation));
Neil Armstrong3af9b972022-02-07 12:20:21 +01001961
Mateusz Starzyk1ebcd552021-08-30 17:09:03 +02001962 /* Verify correct MAC, one-shot case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001963 status = psa_mac_verify(key, exercise_alg, input, 128,
1964 mac, mac_len);
Mateusz Starzyk1ebcd552021-08-30 17:09:03 +02001965
Gilles Peskine449bd832023-01-11 14:50:10 +01001966 if (expected_status_sign != PSA_SUCCESS && expected_status_verify == PSA_SUCCESS) {
1967 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE);
1968 } else {
1969 TEST_EQUAL(status, expected_status_verify);
1970 }
Gilles Peskinefe11b722018-12-18 00:24:04 +01001971
Neil Armstrong3af9b972022-02-07 12:20:21 +01001972 /* Verify correct MAC, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001973 status = psa_mac_verify_setup(&operation, key, exercise_alg);
1974 if (status == PSA_SUCCESS) {
1975 status = psa_mac_update(&operation, input, 128);
1976 if (status == PSA_SUCCESS) {
1977 status = psa_mac_verify_finish(&operation, mac, mac_len);
1978 if (expected_status_sign != PSA_SUCCESS && expected_status_verify == PSA_SUCCESS) {
1979 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE);
1980 } else {
1981 TEST_EQUAL(status, expected_status_verify);
1982 }
1983 } else {
1984 TEST_EQUAL(status, expected_status_verify);
Neil Armstrong3af9b972022-02-07 12:20:21 +01001985 }
Gilles Peskine449bd832023-01-11 14:50:10 +01001986 } else {
1987 TEST_EQUAL(status, expected_status_verify);
Neil Armstrong3af9b972022-02-07 12:20:21 +01001988 }
1989
Gilles Peskine449bd832023-01-11 14:50:10 +01001990 psa_mac_abort(&operation);
Gilles Peskined5b33222018-06-18 22:20:03 +02001991
Gilles Peskine449bd832023-01-11 14:50:10 +01001992 memset(mac, 0, sizeof(mac));
1993 status = psa_mac_verify_setup(&operation, key, exercise_alg);
1994 TEST_EQUAL(status, expected_status_verify);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02001995
1996exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01001997 psa_mac_abort(&operation);
1998 psa_destroy_key(key);
1999 PSA_DONE();
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002000}
2001/* END_CASE */
2002
2003/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002004void cipher_key_policy(int policy_usage_arg,
2005 int policy_alg,
2006 int key_type,
2007 data_t *key_data,
2008 int exercise_alg)
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002009{
Ronald Cron5425a212020-08-04 14:58:35 +02002010 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002011 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Jaeden Amero5bae2272019-01-04 11:48:27 +00002012 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002013 psa_key_usage_t policy_usage = policy_usage_arg;
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002014 size_t output_buffer_size = 0;
2015 size_t input_buffer_size = 0;
2016 size_t output_length = 0;
2017 uint8_t *output = NULL;
2018 uint8_t *input = NULL;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002019 psa_status_t status;
2020
Gilles Peskine449bd832023-01-11 14:50:10 +01002021 input_buffer_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(exercise_alg);
2022 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, exercise_alg,
2023 input_buffer_size);
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002024
Tom Cosgrove05b2a872023-07-21 11:31:13 +01002025 TEST_CALLOC(input, input_buffer_size);
2026 TEST_CALLOC(output, output_buffer_size);
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002027
Gilles Peskine449bd832023-01-11 14:50:10 +01002028 PSA_ASSERT(psa_crypto_init());
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002029
Gilles Peskine449bd832023-01-11 14:50:10 +01002030 psa_set_key_usage_flags(&attributes, policy_usage);
2031 psa_set_key_algorithm(&attributes, policy_alg);
2032 psa_set_key_type(&attributes, key_type);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002033
Gilles Peskine449bd832023-01-11 14:50:10 +01002034 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2035 &key));
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002036
gabor-mezei-arm98a34352021-06-28 14:05:00 +02002037 /* Check if no key usage flag implication is done */
Gilles Peskine449bd832023-01-11 14:50:10 +01002038 TEST_EQUAL(policy_usage,
2039 mbedtls_test_update_key_usage_flags(policy_usage));
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002040
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002041 /* Encrypt check, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002042 status = psa_cipher_encrypt(key, exercise_alg, input, input_buffer_size,
2043 output, output_buffer_size,
2044 &output_length);
2045 if (policy_alg == exercise_alg &&
2046 (policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) {
2047 PSA_ASSERT(status);
2048 } else {
2049 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2050 }
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002051
2052 /* Encrypt check, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002053 status = psa_cipher_encrypt_setup(&operation, key, exercise_alg);
2054 if (policy_alg == exercise_alg &&
2055 (policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) {
2056 PSA_ASSERT(status);
2057 } else {
2058 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2059 }
2060 psa_cipher_abort(&operation);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002061
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002062 /* Decrypt check, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002063 status = psa_cipher_decrypt(key, exercise_alg, output, output_buffer_size,
2064 input, input_buffer_size,
2065 &output_length);
2066 if (policy_alg == exercise_alg &&
2067 (policy_usage & PSA_KEY_USAGE_DECRYPT) != 0) {
2068 PSA_ASSERT(status);
2069 } else {
2070 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2071 }
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002072
2073 /* Decrypt check, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002074 status = psa_cipher_decrypt_setup(&operation, key, exercise_alg);
2075 if (policy_alg == exercise_alg &&
2076 (policy_usage & PSA_KEY_USAGE_DECRYPT) != 0) {
2077 PSA_ASSERT(status);
2078 } else {
2079 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2080 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002081
2082exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002083 psa_cipher_abort(&operation);
2084 mbedtls_free(input);
2085 mbedtls_free(output);
2086 psa_destroy_key(key);
2087 PSA_DONE();
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002088}
2089/* END_CASE */
2090
2091/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002092void aead_key_policy(int policy_usage_arg,
2093 int policy_alg,
2094 int key_type,
2095 data_t *key_data,
2096 int nonce_length_arg,
2097 int tag_length_arg,
2098 int exercise_alg,
2099 int expected_status_arg)
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002100{
Ronald Cron5425a212020-08-04 14:58:35 +02002101 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002102 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Neil Armstrong752d8112022-02-07 14:51:11 +01002103 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002104 psa_key_usage_t policy_usage = policy_usage_arg;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002105 psa_status_t status;
Steven Cooremanb3ce8152021-02-18 12:03:50 +01002106 psa_status_t expected_status = expected_status_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01002107 unsigned char nonce[16] = { 0 };
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002108 size_t nonce_length = nonce_length_arg;
2109 unsigned char tag[16];
2110 size_t tag_length = tag_length_arg;
2111 size_t output_length;
2112
Gilles Peskine449bd832023-01-11 14:50:10 +01002113 TEST_LE_U(nonce_length, sizeof(nonce));
2114 TEST_LE_U(tag_length, sizeof(tag));
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002115
Gilles Peskine449bd832023-01-11 14:50:10 +01002116 PSA_ASSERT(psa_crypto_init());
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002117
Gilles Peskine449bd832023-01-11 14:50:10 +01002118 psa_set_key_usage_flags(&attributes, policy_usage);
2119 psa_set_key_algorithm(&attributes, policy_alg);
2120 psa_set_key_type(&attributes, key_type);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002121
Gilles Peskine449bd832023-01-11 14:50:10 +01002122 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2123 &key));
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002124
gabor-mezei-arm98a34352021-06-28 14:05:00 +02002125 /* Check if no key usage implication is done */
Gilles Peskine449bd832023-01-11 14:50:10 +01002126 TEST_EQUAL(policy_usage,
2127 mbedtls_test_update_key_usage_flags(policy_usage));
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002128
Neil Armstrong752d8112022-02-07 14:51:11 +01002129 /* Encrypt check, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002130 status = psa_aead_encrypt(key, exercise_alg,
2131 nonce, nonce_length,
2132 NULL, 0,
2133 NULL, 0,
2134 tag, tag_length,
2135 &output_length);
2136 if ((policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) {
2137 TEST_EQUAL(status, expected_status);
2138 } else {
2139 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2140 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002141
Neil Armstrong752d8112022-02-07 14:51:11 +01002142 /* Encrypt check, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002143 status = psa_aead_encrypt_setup(&operation, key, exercise_alg);
2144 if ((policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) {
2145 TEST_EQUAL(status, expected_status);
2146 } else {
2147 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2148 }
Neil Armstrong752d8112022-02-07 14:51:11 +01002149
2150 /* Decrypt check, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002151 memset(tag, 0, sizeof(tag));
2152 status = psa_aead_decrypt(key, exercise_alg,
2153 nonce, nonce_length,
2154 NULL, 0,
2155 tag, tag_length,
2156 NULL, 0,
2157 &output_length);
2158 if ((policy_usage & PSA_KEY_USAGE_DECRYPT) == 0) {
2159 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2160 } else if (expected_status == PSA_SUCCESS) {
2161 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE);
2162 } else {
2163 TEST_EQUAL(status, expected_status);
2164 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002165
Neil Armstrong752d8112022-02-07 14:51:11 +01002166 /* Decrypt check, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002167 PSA_ASSERT(psa_aead_abort(&operation));
2168 status = psa_aead_decrypt_setup(&operation, key, exercise_alg);
2169 if ((policy_usage & PSA_KEY_USAGE_DECRYPT) == 0) {
2170 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2171 } else {
2172 TEST_EQUAL(status, expected_status);
2173 }
Neil Armstrong752d8112022-02-07 14:51:11 +01002174
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002175exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002176 PSA_ASSERT(psa_aead_abort(&operation));
2177 psa_destroy_key(key);
2178 PSA_DONE();
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002179}
2180/* END_CASE */
2181
2182/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002183void asymmetric_encryption_key_policy(int policy_usage_arg,
2184 int policy_alg,
2185 int key_type,
2186 data_t *key_data,
Valerio Settif202c292024-01-15 10:42:37 +01002187 int exercise_alg,
2188 int use_opaque_key)
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002189{
Ronald Cron5425a212020-08-04 14:58:35 +02002190 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002191 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002192 psa_key_usage_t policy_usage = policy_usage_arg;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002193 psa_status_t status;
2194 size_t key_bits;
2195 size_t buffer_length;
2196 unsigned char *buffer = NULL;
2197 size_t output_length;
2198
Gilles Peskine449bd832023-01-11 14:50:10 +01002199 PSA_ASSERT(psa_crypto_init());
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002200
Gilles Peskine449bd832023-01-11 14:50:10 +01002201 psa_set_key_usage_flags(&attributes, policy_usage);
2202 psa_set_key_algorithm(&attributes, policy_alg);
2203 psa_set_key_type(&attributes, key_type);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002204
Valerio Settif202c292024-01-15 10:42:37 +01002205 if (use_opaque_key) {
2206 psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
2207 PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION));
2208 }
2209
Gilles Peskine449bd832023-01-11 14:50:10 +01002210 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2211 &key));
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002212
gabor-mezei-arm98a34352021-06-28 14:05:00 +02002213 /* Check if no key usage implication is done */
Gilles Peskine449bd832023-01-11 14:50:10 +01002214 TEST_EQUAL(policy_usage,
2215 mbedtls_test_update_key_usage_flags(policy_usage));
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002216
Gilles Peskine449bd832023-01-11 14:50:10 +01002217 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
2218 key_bits = psa_get_key_bits(&attributes);
2219 buffer_length = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits,
2220 exercise_alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01002221 TEST_CALLOC(buffer, buffer_length);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002222
Gilles Peskine449bd832023-01-11 14:50:10 +01002223 status = psa_asymmetric_encrypt(key, exercise_alg,
2224 NULL, 0,
2225 NULL, 0,
2226 buffer, buffer_length,
2227 &output_length);
2228 if (policy_alg == exercise_alg &&
2229 (policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) {
2230 PSA_ASSERT(status);
2231 } else {
2232 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2233 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002234
Gilles Peskine449bd832023-01-11 14:50:10 +01002235 if (buffer_length != 0) {
2236 memset(buffer, 0, buffer_length);
2237 }
2238 status = psa_asymmetric_decrypt(key, exercise_alg,
2239 buffer, buffer_length,
2240 NULL, 0,
2241 buffer, buffer_length,
2242 &output_length);
2243 if (policy_alg == exercise_alg &&
2244 (policy_usage & PSA_KEY_USAGE_DECRYPT) != 0) {
2245 TEST_EQUAL(status, PSA_ERROR_INVALID_PADDING);
2246 } else {
2247 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2248 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002249
2250exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002251 /*
2252 * Key attributes may have been returned by psa_get_key_attributes()
2253 * thus reset them as required.
2254 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002255 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002256
Gilles Peskine449bd832023-01-11 14:50:10 +01002257 psa_destroy_key(key);
2258 PSA_DONE();
2259 mbedtls_free(buffer);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002260}
2261/* END_CASE */
2262
2263/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002264void asymmetric_signature_key_policy(int policy_usage_arg,
2265 int policy_alg,
2266 int key_type,
2267 data_t *key_data,
2268 int exercise_alg,
2269 int payload_length_arg,
2270 int expected_usage_arg)
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002271{
Ronald Cron5425a212020-08-04 14:58:35 +02002272 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002273 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002274 psa_key_usage_t policy_usage = policy_usage_arg;
2275 psa_key_usage_t expected_usage = expected_usage_arg;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002276 psa_status_t status;
Gilles Peskine449bd832023-01-11 14:50:10 +01002277 unsigned char payload[PSA_HASH_MAX_SIZE] = { 1 };
Gilles Peskine30f77cd2019-01-14 16:06:39 +01002278 /* If `payload_length_arg > 0`, `exercise_alg` is supposed to be
2279 * compatible with the policy and `payload_length_arg` is supposed to be
2280 * a valid input length to sign. If `payload_length_arg <= 0`,
2281 * `exercise_alg` is supposed to be forbidden by the policy. */
2282 int compatible_alg = payload_length_arg > 0;
2283 size_t payload_length = compatible_alg ? payload_length_arg : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01002284 unsigned char signature[PSA_SIGNATURE_MAX_SIZE] = { 0 };
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002285 size_t signature_length;
2286
gabor-mezei-arm98a34352021-06-28 14:05:00 +02002287 /* Check if all implicit usage flags are deployed
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002288 in the expected usage flags. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002289 TEST_EQUAL(expected_usage,
2290 mbedtls_test_update_key_usage_flags(policy_usage));
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002291
Gilles Peskine449bd832023-01-11 14:50:10 +01002292 PSA_ASSERT(psa_crypto_init());
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002293
Gilles Peskine449bd832023-01-11 14:50:10 +01002294 psa_set_key_usage_flags(&attributes, policy_usage);
2295 psa_set_key_algorithm(&attributes, policy_alg);
2296 psa_set_key_type(&attributes, key_type);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002297
Gilles Peskine449bd832023-01-11 14:50:10 +01002298 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2299 &key));
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002300
Gilles Peskine449bd832023-01-11 14:50:10 +01002301 TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage);
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002302
Gilles Peskine449bd832023-01-11 14:50:10 +01002303 status = psa_sign_hash(key, exercise_alg,
2304 payload, payload_length,
2305 signature, sizeof(signature),
2306 &signature_length);
2307 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_SIGN_HASH) != 0) {
2308 PSA_ASSERT(status);
2309 } else {
2310 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2311 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002312
Gilles Peskine449bd832023-01-11 14:50:10 +01002313 memset(signature, 0, sizeof(signature));
2314 status = psa_verify_hash(key, exercise_alg,
2315 payload, payload_length,
2316 signature, sizeof(signature));
2317 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) != 0) {
2318 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE);
2319 } else {
2320 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2321 }
Gilles Peskined5b33222018-06-18 22:20:03 +02002322
Gilles Peskine449bd832023-01-11 14:50:10 +01002323 if (PSA_ALG_IS_SIGN_HASH(exercise_alg) &&
2324 PSA_ALG_IS_HASH(PSA_ALG_SIGN_GET_HASH(exercise_alg))) {
2325 status = psa_sign_message(key, exercise_alg,
2326 payload, payload_length,
2327 signature, sizeof(signature),
2328 &signature_length);
2329 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_SIGN_MESSAGE) != 0) {
2330 PSA_ASSERT(status);
2331 } else {
2332 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2333 }
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002334
Gilles Peskine449bd832023-01-11 14:50:10 +01002335 memset(signature, 0, sizeof(signature));
2336 status = psa_verify_message(key, exercise_alg,
2337 payload, payload_length,
2338 signature, sizeof(signature));
2339 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_VERIFY_MESSAGE) != 0) {
2340 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE);
2341 } else {
2342 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2343 }
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002344 }
2345
Gilles Peskined5b33222018-06-18 22:20:03 +02002346exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002347 psa_destroy_key(key);
2348 PSA_DONE();
Gilles Peskined5b33222018-06-18 22:20:03 +02002349}
2350/* END_CASE */
2351
Janos Follathba3fab92019-06-11 14:50:16 +01002352/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002353void derive_key_policy(int policy_usage,
2354 int policy_alg,
2355 int key_type,
2356 data_t *key_data,
2357 int exercise_alg)
Gilles Peskineea0fb492018-07-12 17:17:20 +02002358{
Ronald Cron5425a212020-08-04 14:58:35 +02002359 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002360 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02002361 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineea0fb492018-07-12 17:17:20 +02002362 psa_status_t status;
2363
Gilles Peskine449bd832023-01-11 14:50:10 +01002364 PSA_ASSERT(psa_crypto_init());
Gilles Peskineea0fb492018-07-12 17:17:20 +02002365
Gilles Peskine449bd832023-01-11 14:50:10 +01002366 psa_set_key_usage_flags(&attributes, policy_usage);
2367 psa_set_key_algorithm(&attributes, policy_alg);
2368 psa_set_key_type(&attributes, key_type);
Gilles Peskineea0fb492018-07-12 17:17:20 +02002369
Gilles Peskine449bd832023-01-11 14:50:10 +01002370 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2371 &key));
Gilles Peskineea0fb492018-07-12 17:17:20 +02002372
Gilles Peskine449bd832023-01-11 14:50:10 +01002373 PSA_ASSERT(psa_key_derivation_setup(&operation, exercise_alg));
Janos Follathba3fab92019-06-11 14:50:16 +01002374
Gilles Peskine449bd832023-01-11 14:50:10 +01002375 if (PSA_ALG_IS_TLS12_PRF(exercise_alg) ||
2376 PSA_ALG_IS_TLS12_PSK_TO_MS(exercise_alg)) {
2377 PSA_ASSERT(psa_key_derivation_input_bytes(
2378 &operation,
2379 PSA_KEY_DERIVATION_INPUT_SEED,
2380 (const uint8_t *) "", 0));
Janos Follath0c1ed842019-06-28 13:35:36 +01002381 }
Janos Follathba3fab92019-06-11 14:50:16 +01002382
Gilles Peskine449bd832023-01-11 14:50:10 +01002383 status = psa_key_derivation_input_key(&operation,
2384 PSA_KEY_DERIVATION_INPUT_SECRET,
2385 key);
Janos Follathba3fab92019-06-11 14:50:16 +01002386
Gilles Peskine449bd832023-01-11 14:50:10 +01002387 if (policy_alg == exercise_alg &&
2388 (policy_usage & PSA_KEY_USAGE_DERIVE) != 0) {
2389 PSA_ASSERT(status);
2390 } else {
2391 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2392 }
Gilles Peskineea0fb492018-07-12 17:17:20 +02002393
2394exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002395 psa_key_derivation_abort(&operation);
2396 psa_destroy_key(key);
2397 PSA_DONE();
Gilles Peskineea0fb492018-07-12 17:17:20 +02002398}
2399/* END_CASE */
2400
2401/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002402void agreement_key_policy(int policy_usage,
2403 int policy_alg,
2404 int key_type_arg,
2405 data_t *key_data,
2406 int exercise_alg,
2407 int expected_status_arg)
Gilles Peskine01d718c2018-09-18 12:01:02 +02002408{
Ronald Cron5425a212020-08-04 14:58:35 +02002409 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002410 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine01d718c2018-09-18 12:01:02 +02002411 psa_key_type_t key_type = key_type_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02002412 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskine01d718c2018-09-18 12:01:02 +02002413 psa_status_t status;
Steven Cooremance48e852020-10-05 16:02:45 +02002414 psa_status_t expected_status = expected_status_arg;
Gilles Peskine01d718c2018-09-18 12:01:02 +02002415
Gilles Peskine449bd832023-01-11 14:50:10 +01002416 PSA_ASSERT(psa_crypto_init());
Gilles Peskine01d718c2018-09-18 12:01:02 +02002417
Gilles Peskine449bd832023-01-11 14:50:10 +01002418 psa_set_key_usage_flags(&attributes, policy_usage);
2419 psa_set_key_algorithm(&attributes, policy_alg);
2420 psa_set_key_type(&attributes, key_type);
Gilles Peskine01d718c2018-09-18 12:01:02 +02002421
Gilles Peskine449bd832023-01-11 14:50:10 +01002422 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2423 &key));
Gilles Peskine01d718c2018-09-18 12:01:02 +02002424
Gilles Peskine449bd832023-01-11 14:50:10 +01002425 PSA_ASSERT(psa_key_derivation_setup(&operation, exercise_alg));
2426 status = mbedtls_test_psa_key_agreement_with_self(&operation, key);
Gilles Peskine01d718c2018-09-18 12:01:02 +02002427
Gilles Peskine449bd832023-01-11 14:50:10 +01002428 TEST_EQUAL(status, expected_status);
Gilles Peskine01d718c2018-09-18 12:01:02 +02002429
2430exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002431 psa_key_derivation_abort(&operation);
2432 psa_destroy_key(key);
2433 PSA_DONE();
Gilles Peskine01d718c2018-09-18 12:01:02 +02002434}
2435/* END_CASE */
2436
2437/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002438void key_policy_alg2(int key_type_arg, data_t *key_data,
2439 int usage_arg, int alg_arg, int alg2_arg)
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002440{
Ronald Cron5425a212020-08-04 14:58:35 +02002441 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002442 psa_key_type_t key_type = key_type_arg;
2443 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
2444 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
2445 psa_key_usage_t usage = usage_arg;
2446 psa_algorithm_t alg = alg_arg;
2447 psa_algorithm_t alg2 = alg2_arg;
2448
Gilles Peskine449bd832023-01-11 14:50:10 +01002449 PSA_ASSERT(psa_crypto_init());
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002450
Gilles Peskine449bd832023-01-11 14:50:10 +01002451 psa_set_key_usage_flags(&attributes, usage);
2452 psa_set_key_algorithm(&attributes, alg);
2453 psa_set_key_enrollment_algorithm(&attributes, alg2);
2454 psa_set_key_type(&attributes, key_type);
2455 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2456 &key));
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002457
gabor-mezei-arm98a34352021-06-28 14:05:00 +02002458 /* Update the usage flags to obtain implicit usage flags */
Gilles Peskine449bd832023-01-11 14:50:10 +01002459 usage = mbedtls_test_update_key_usage_flags(usage);
2460 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
2461 TEST_EQUAL(psa_get_key_usage_flags(&got_attributes), usage);
2462 TEST_EQUAL(psa_get_key_algorithm(&got_attributes), alg);
2463 TEST_EQUAL(psa_get_key_enrollment_algorithm(&got_attributes), alg2);
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002464
Gilles Peskine449bd832023-01-11 14:50:10 +01002465 if (!mbedtls_test_psa_exercise_key(key, usage, alg)) {
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002466 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01002467 }
2468 if (!mbedtls_test_psa_exercise_key(key, usage, alg2)) {
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002469 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01002470 }
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002471
2472exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002473 /*
2474 * Key attributes may have been returned by psa_get_key_attributes()
2475 * thus reset them as required.
2476 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002477 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002478
Gilles Peskine449bd832023-01-11 14:50:10 +01002479 psa_destroy_key(key);
2480 PSA_DONE();
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002481}
2482/* END_CASE */
2483
2484/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002485void raw_agreement_key_policy(int policy_usage,
2486 int policy_alg,
2487 int key_type_arg,
2488 data_t *key_data,
2489 int exercise_alg,
2490 int expected_status_arg)
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002491{
Ronald Cron5425a212020-08-04 14:58:35 +02002492 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002493 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002494 psa_key_type_t key_type = key_type_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02002495 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002496 psa_status_t status;
Steven Cooremance48e852020-10-05 16:02:45 +02002497 psa_status_t expected_status = expected_status_arg;
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002498
Gilles Peskine449bd832023-01-11 14:50:10 +01002499 PSA_ASSERT(psa_crypto_init());
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002500
Gilles Peskine449bd832023-01-11 14:50:10 +01002501 psa_set_key_usage_flags(&attributes, policy_usage);
2502 psa_set_key_algorithm(&attributes, policy_alg);
2503 psa_set_key_type(&attributes, key_type);
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002504
Gilles Peskine449bd832023-01-11 14:50:10 +01002505 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2506 &key));
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002507
Gilles Peskine449bd832023-01-11 14:50:10 +01002508 status = mbedtls_test_psa_raw_key_agreement_with_self(exercise_alg, key);
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002509
Gilles Peskine449bd832023-01-11 14:50:10 +01002510 TEST_EQUAL(status, expected_status);
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002511
2512exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002513 psa_key_derivation_abort(&operation);
2514 psa_destroy_key(key);
2515 PSA_DONE();
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002516}
2517/* END_CASE */
2518
2519/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002520void copy_success(int source_usage_arg,
2521 int source_alg_arg, int source_alg2_arg,
Gilles Peskine4ea4ad02022-12-04 15:11:00 +01002522 int source_lifetime_arg,
Gilles Peskine449bd832023-01-11 14:50:10 +01002523 int type_arg, data_t *material,
2524 int copy_attributes,
2525 int target_usage_arg,
2526 int target_alg_arg, int target_alg2_arg,
Gilles Peskine4ea4ad02022-12-04 15:11:00 +01002527 int target_lifetime_arg,
Gilles Peskine449bd832023-01-11 14:50:10 +01002528 int expected_usage_arg,
2529 int expected_alg_arg, int expected_alg2_arg)
Gilles Peskine57ab7212019-01-28 13:03:09 +01002530{
Gilles Peskineca25db92019-04-19 11:43:08 +02002531 psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT;
2532 psa_key_attributes_t target_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine57ab7212019-01-28 13:03:09 +01002533 psa_key_usage_t expected_usage = expected_usage_arg;
2534 psa_algorithm_t expected_alg = expected_alg_arg;
Gilles Peskinebcdd44b2019-05-20 17:28:11 +02002535 psa_algorithm_t expected_alg2 = expected_alg2_arg;
Archana8a180362021-07-05 02:18:48 +05302536 psa_key_lifetime_t source_lifetime = source_lifetime_arg;
2537 psa_key_lifetime_t target_lifetime = target_lifetime_arg;
Ronald Cron5425a212020-08-04 14:58:35 +02002538 mbedtls_svc_key_id_t source_key = MBEDTLS_SVC_KEY_ID_INIT;
2539 mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine57ab7212019-01-28 13:03:09 +01002540 uint8_t *export_buffer = NULL;
2541
Gilles Peskine449bd832023-01-11 14:50:10 +01002542 PSA_ASSERT(psa_crypto_init());
Gilles Peskine57ab7212019-01-28 13:03:09 +01002543
Gilles Peskineca25db92019-04-19 11:43:08 +02002544 /* Prepare the source key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002545 psa_set_key_usage_flags(&source_attributes, source_usage_arg);
2546 psa_set_key_algorithm(&source_attributes, source_alg_arg);
2547 psa_set_key_enrollment_algorithm(&source_attributes, source_alg2_arg);
2548 psa_set_key_type(&source_attributes, type_arg);
2549 psa_set_key_lifetime(&source_attributes, source_lifetime);
2550 PSA_ASSERT(psa_import_key(&source_attributes,
2551 material->x, material->len,
2552 &source_key));
2553 PSA_ASSERT(psa_get_key_attributes(source_key, &source_attributes));
Gilles Peskine57ab7212019-01-28 13:03:09 +01002554
Gilles Peskineca25db92019-04-19 11:43:08 +02002555 /* Prepare the target attributes. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002556 if (copy_attributes) {
Gilles Peskineca25db92019-04-19 11:43:08 +02002557 target_attributes = source_attributes;
Ronald Cron65f38a32020-10-23 17:11:13 +02002558 }
Gilles Peskine449bd832023-01-11 14:50:10 +01002559 psa_set_key_lifetime(&target_attributes, target_lifetime);
Ronald Cron65f38a32020-10-23 17:11:13 +02002560
Gilles Peskine449bd832023-01-11 14:50:10 +01002561 if (target_usage_arg != -1) {
2562 psa_set_key_usage_flags(&target_attributes, target_usage_arg);
2563 }
2564 if (target_alg_arg != -1) {
2565 psa_set_key_algorithm(&target_attributes, target_alg_arg);
2566 }
2567 if (target_alg2_arg != -1) {
2568 psa_set_key_enrollment_algorithm(&target_attributes, target_alg2_arg);
2569 }
Gilles Peskine57ab7212019-01-28 13:03:09 +01002570
Archana8a180362021-07-05 02:18:48 +05302571
Gilles Peskine57ab7212019-01-28 13:03:09 +01002572 /* Copy the key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002573 PSA_ASSERT(psa_copy_key(source_key,
2574 &target_attributes, &target_key));
Gilles Peskine57ab7212019-01-28 13:03:09 +01002575
2576 /* Destroy the source to ensure that this doesn't affect the target. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002577 PSA_ASSERT(psa_destroy_key(source_key));
Gilles Peskine57ab7212019-01-28 13:03:09 +01002578
2579 /* Test that the target slot has the expected content and policy. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002580 PSA_ASSERT(psa_get_key_attributes(target_key, &target_attributes));
2581 TEST_EQUAL(psa_get_key_type(&source_attributes),
2582 psa_get_key_type(&target_attributes));
2583 TEST_EQUAL(psa_get_key_bits(&source_attributes),
2584 psa_get_key_bits(&target_attributes));
2585 TEST_EQUAL(expected_usage, psa_get_key_usage_flags(&target_attributes));
2586 TEST_EQUAL(expected_alg, psa_get_key_algorithm(&target_attributes));
2587 TEST_EQUAL(expected_alg2,
2588 psa_get_key_enrollment_algorithm(&target_attributes));
2589 if (expected_usage & PSA_KEY_USAGE_EXPORT) {
Gilles Peskine57ab7212019-01-28 13:03:09 +01002590 size_t length;
Tom Cosgrove05b2a872023-07-21 11:31:13 +01002591 TEST_CALLOC(export_buffer, material->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01002592 PSA_ASSERT(psa_export_key(target_key, export_buffer,
2593 material->len, &length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01002594 TEST_MEMORY_COMPARE(material->x, material->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01002595 export_buffer, length);
Gilles Peskine57ab7212019-01-28 13:03:09 +01002596 }
Steven Cooremanb3ce8152021-02-18 12:03:50 +01002597
Gilles Peskine449bd832023-01-11 14:50:10 +01002598 if (!psa_key_lifetime_is_external(target_lifetime)) {
2599 if (!mbedtls_test_psa_exercise_key(target_key, expected_usage, expected_alg)) {
Archana8a180362021-07-05 02:18:48 +05302600 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01002601 }
2602 if (!mbedtls_test_psa_exercise_key(target_key, expected_usage, expected_alg2)) {
Archana8a180362021-07-05 02:18:48 +05302603 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01002604 }
Archana8a180362021-07-05 02:18:48 +05302605 }
Gilles Peskine57ab7212019-01-28 13:03:09 +01002606
Gilles Peskine449bd832023-01-11 14:50:10 +01002607 PSA_ASSERT(psa_destroy_key(target_key));
Gilles Peskine57ab7212019-01-28 13:03:09 +01002608
2609exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002610 /*
2611 * Source and target key attributes may have been returned by
2612 * psa_get_key_attributes() thus reset them as required.
2613 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002614 psa_reset_key_attributes(&source_attributes);
2615 psa_reset_key_attributes(&target_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002616
Gilles Peskine449bd832023-01-11 14:50:10 +01002617 PSA_DONE();
2618 mbedtls_free(export_buffer);
Gilles Peskine57ab7212019-01-28 13:03:09 +01002619}
2620/* END_CASE */
2621
2622/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002623void copy_fail(int source_usage_arg,
2624 int source_alg_arg, int source_alg2_arg,
2625 int source_lifetime_arg,
2626 int type_arg, data_t *material,
2627 int target_type_arg, int target_bits_arg,
2628 int target_usage_arg,
2629 int target_alg_arg, int target_alg2_arg,
2630 int target_id_arg, int target_lifetime_arg,
2631 int expected_status_arg)
Gilles Peskine4a644642019-05-03 17:14:08 +02002632{
2633 psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT;
2634 psa_key_attributes_t target_attributes = PSA_KEY_ATTRIBUTES_INIT;
Ronald Cron5425a212020-08-04 14:58:35 +02002635 mbedtls_svc_key_id_t source_key = MBEDTLS_SVC_KEY_ID_INIT;
2636 mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +01002637 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, target_id_arg);
Gilles Peskine4a644642019-05-03 17:14:08 +02002638
Gilles Peskine449bd832023-01-11 14:50:10 +01002639 PSA_ASSERT(psa_crypto_init());
Gilles Peskine4a644642019-05-03 17:14:08 +02002640
2641 /* Prepare the source key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002642 psa_set_key_usage_flags(&source_attributes, source_usage_arg);
2643 psa_set_key_algorithm(&source_attributes, source_alg_arg);
2644 psa_set_key_enrollment_algorithm(&source_attributes, source_alg2_arg);
2645 psa_set_key_type(&source_attributes, type_arg);
2646 psa_set_key_lifetime(&source_attributes, source_lifetime_arg);
2647 PSA_ASSERT(psa_import_key(&source_attributes,
2648 material->x, material->len,
2649 &source_key));
Gilles Peskine4a644642019-05-03 17:14:08 +02002650
2651 /* Prepare the target attributes. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002652 psa_set_key_id(&target_attributes, key_id);
2653 psa_set_key_lifetime(&target_attributes, target_lifetime_arg);
2654 psa_set_key_type(&target_attributes, target_type_arg);
2655 psa_set_key_bits(&target_attributes, target_bits_arg);
2656 psa_set_key_usage_flags(&target_attributes, target_usage_arg);
2657 psa_set_key_algorithm(&target_attributes, target_alg_arg);
2658 psa_set_key_enrollment_algorithm(&target_attributes, target_alg2_arg);
Gilles Peskine4a644642019-05-03 17:14:08 +02002659
2660 /* Try to copy the key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002661 TEST_EQUAL(psa_copy_key(source_key,
2662 &target_attributes, &target_key),
2663 expected_status_arg);
Gilles Peskine76b29a72019-05-28 14:08:50 +02002664
Gilles Peskine449bd832023-01-11 14:50:10 +01002665 PSA_ASSERT(psa_destroy_key(source_key));
Gilles Peskine76b29a72019-05-28 14:08:50 +02002666
Gilles Peskine4a644642019-05-03 17:14:08 +02002667exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002668 psa_reset_key_attributes(&source_attributes);
2669 psa_reset_key_attributes(&target_attributes);
2670 PSA_DONE();
Gilles Peskine4a644642019-05-03 17:14:08 +02002671}
2672/* END_CASE */
2673
2674/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002675void hash_operation_init()
Jaeden Amero6a25b412019-01-04 11:47:44 +00002676{
Jaeden Ameroa0f625a2019-02-15 13:52:25 +00002677 const uint8_t input[1] = { 0 };
Jaeden Amero6a25b412019-01-04 11:47:44 +00002678 /* Test each valid way of initializing the object, except for `= {0}`, as
2679 * Clang 5 complains when `-Wmissing-field-initializers` is used, even
2680 * though it's OK by the C standard. We could test for this, but we'd need
Shaun Case8b0ecbc2021-12-20 21:14:10 -08002681 * to suppress the Clang warning for the test. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002682 psa_hash_operation_t func = psa_hash_operation_init();
Jaeden Amero6a25b412019-01-04 11:47:44 +00002683 psa_hash_operation_t init = PSA_HASH_OPERATION_INIT;
2684 psa_hash_operation_t zero;
2685
Gilles Peskine449bd832023-01-11 14:50:10 +01002686 memset(&zero, 0, sizeof(zero));
Jaeden Amero6a25b412019-01-04 11:47:44 +00002687
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00002688 /* A freshly-initialized hash operation should not be usable. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002689 TEST_EQUAL(psa_hash_update(&func, input, sizeof(input)),
2690 PSA_ERROR_BAD_STATE);
2691 TEST_EQUAL(psa_hash_update(&init, input, sizeof(input)),
2692 PSA_ERROR_BAD_STATE);
2693 TEST_EQUAL(psa_hash_update(&zero, input, sizeof(input)),
2694 PSA_ERROR_BAD_STATE);
Jaeden Ameroa0f625a2019-02-15 13:52:25 +00002695
Jaeden Amero5229bbb2019-02-07 16:33:37 +00002696 /* A default hash operation should be abortable without error. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002697 PSA_ASSERT(psa_hash_abort(&func));
2698 PSA_ASSERT(psa_hash_abort(&init));
2699 PSA_ASSERT(psa_hash_abort(&zero));
Jaeden Amero6a25b412019-01-04 11:47:44 +00002700}
2701/* END_CASE */
2702
2703/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002704void hash_setup(int alg_arg,
2705 int expected_status_arg)
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002706{
2707 psa_algorithm_t alg = alg_arg;
Neil Armstrongedb20862022-02-07 15:47:44 +01002708 uint8_t *output = NULL;
2709 size_t output_size = 0;
2710 size_t output_length = 0;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02002711 psa_status_t expected_status = expected_status_arg;
Jaeden Amero6a25b412019-01-04 11:47:44 +00002712 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002713 psa_status_t status;
2714
Gilles Peskine449bd832023-01-11 14:50:10 +01002715 PSA_ASSERT(psa_crypto_init());
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002716
Neil Armstrongedb20862022-02-07 15:47:44 +01002717 /* Hash Setup, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002718 output_size = PSA_HASH_LENGTH(alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01002719 TEST_CALLOC(output, output_size);
Neil Armstrongedb20862022-02-07 15:47:44 +01002720
Gilles Peskine449bd832023-01-11 14:50:10 +01002721 status = psa_hash_compute(alg, NULL, 0,
2722 output, output_size, &output_length);
2723 TEST_EQUAL(status, expected_status);
Neil Armstrongedb20862022-02-07 15:47:44 +01002724
2725 /* Hash Setup, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002726 status = psa_hash_setup(&operation, alg);
2727 TEST_EQUAL(status, expected_status);
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002728
Gilles Peskine9e0a4a52019-02-25 22:11:18 +01002729 /* Whether setup succeeded or failed, abort must succeed. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002730 PSA_ASSERT(psa_hash_abort(&operation));
Gilles Peskine9e0a4a52019-02-25 22:11:18 +01002731
2732 /* If setup failed, reproduce the failure, so as to
2733 * test the resulting state of the operation object. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002734 if (status != PSA_SUCCESS) {
2735 TEST_EQUAL(psa_hash_setup(&operation, alg), status);
2736 }
Gilles Peskine9e0a4a52019-02-25 22:11:18 +01002737
Gilles Peskinef426e0f2019-02-25 17:42:03 +01002738 /* Now the operation object should be reusable. */
2739#if defined(KNOWN_SUPPORTED_HASH_ALG)
Gilles Peskine449bd832023-01-11 14:50:10 +01002740 PSA_ASSERT(psa_hash_setup(&operation, KNOWN_SUPPORTED_HASH_ALG));
2741 PSA_ASSERT(psa_hash_abort(&operation));
Gilles Peskinef426e0f2019-02-25 17:42:03 +01002742#endif
2743
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002744exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002745 mbedtls_free(output);
2746 PSA_DONE();
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002747}
2748/* END_CASE */
2749
2750/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002751void hash_compute_fail(int alg_arg, data_t *input,
2752 int output_size_arg, int expected_status_arg)
Gilles Peskine0a749c82019-11-28 19:33:58 +01002753{
2754 psa_algorithm_t alg = alg_arg;
2755 uint8_t *output = NULL;
2756 size_t output_size = output_size_arg;
2757 size_t output_length = INVALID_EXPORT_LENGTH;
Neil Armstrong161ec5c2022-02-07 11:18:45 +01002758 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
Gilles Peskine0a749c82019-11-28 19:33:58 +01002759 psa_status_t expected_status = expected_status_arg;
2760 psa_status_t status;
2761
Tom Cosgrove05b2a872023-07-21 11:31:13 +01002762 TEST_CALLOC(output, output_size);
Gilles Peskine0a749c82019-11-28 19:33:58 +01002763
Gilles Peskine449bd832023-01-11 14:50:10 +01002764 PSA_ASSERT(psa_crypto_init());
Gilles Peskine0a749c82019-11-28 19:33:58 +01002765
Neil Armstrong161ec5c2022-02-07 11:18:45 +01002766 /* Hash Compute, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002767 status = psa_hash_compute(alg, input->x, input->len,
2768 output, output_size, &output_length);
2769 TEST_EQUAL(status, expected_status);
2770 TEST_LE_U(output_length, output_size);
Gilles Peskine0a749c82019-11-28 19:33:58 +01002771
Neil Armstrong161ec5c2022-02-07 11:18:45 +01002772 /* Hash Compute, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002773 status = psa_hash_setup(&operation, alg);
2774 if (status == PSA_SUCCESS) {
2775 status = psa_hash_update(&operation, input->x, input->len);
2776 if (status == PSA_SUCCESS) {
2777 status = psa_hash_finish(&operation, output, output_size,
2778 &output_length);
2779 if (status == PSA_SUCCESS) {
2780 TEST_LE_U(output_length, output_size);
2781 } else {
2782 TEST_EQUAL(status, expected_status);
2783 }
2784 } else {
2785 TEST_EQUAL(status, expected_status);
Neil Armstrong161ec5c2022-02-07 11:18:45 +01002786 }
Gilles Peskine449bd832023-01-11 14:50:10 +01002787 } else {
2788 TEST_EQUAL(status, expected_status);
Neil Armstrong161ec5c2022-02-07 11:18:45 +01002789 }
2790
Gilles Peskine0a749c82019-11-28 19:33:58 +01002791exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002792 PSA_ASSERT(psa_hash_abort(&operation));
2793 mbedtls_free(output);
2794 PSA_DONE();
Gilles Peskine0a749c82019-11-28 19:33:58 +01002795}
2796/* END_CASE */
2797
2798/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002799void hash_compare_fail(int alg_arg, data_t *input,
2800 data_t *reference_hash,
2801 int expected_status_arg)
Gilles Peskine88e08462020-01-28 20:43:00 +01002802{
2803 psa_algorithm_t alg = alg_arg;
2804 psa_status_t expected_status = expected_status_arg;
Neil Armstrong55a1be12022-02-07 11:23:20 +01002805 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
Gilles Peskine88e08462020-01-28 20:43:00 +01002806 psa_status_t status;
2807
Gilles Peskine449bd832023-01-11 14:50:10 +01002808 PSA_ASSERT(psa_crypto_init());
Gilles Peskine88e08462020-01-28 20:43:00 +01002809
Neil Armstrong55a1be12022-02-07 11:23:20 +01002810 /* Hash Compare, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002811 status = psa_hash_compare(alg, input->x, input->len,
2812 reference_hash->x, reference_hash->len);
2813 TEST_EQUAL(status, expected_status);
Gilles Peskine88e08462020-01-28 20:43:00 +01002814
Neil Armstrong55a1be12022-02-07 11:23:20 +01002815 /* Hash Compare, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002816 status = psa_hash_setup(&operation, alg);
2817 if (status == PSA_SUCCESS) {
2818 status = psa_hash_update(&operation, input->x, input->len);
2819 if (status == PSA_SUCCESS) {
2820 status = psa_hash_verify(&operation, reference_hash->x,
2821 reference_hash->len);
2822 TEST_EQUAL(status, expected_status);
2823 } else {
2824 TEST_EQUAL(status, expected_status);
Neil Armstrong55a1be12022-02-07 11:23:20 +01002825 }
Gilles Peskine449bd832023-01-11 14:50:10 +01002826 } else {
2827 TEST_EQUAL(status, expected_status);
Neil Armstrong55a1be12022-02-07 11:23:20 +01002828 }
2829
Gilles Peskine88e08462020-01-28 20:43:00 +01002830exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002831 PSA_ASSERT(psa_hash_abort(&operation));
2832 PSA_DONE();
Gilles Peskine88e08462020-01-28 20:43:00 +01002833}
2834/* END_CASE */
2835
2836/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002837void hash_compute_compare(int alg_arg, data_t *input,
2838 data_t *expected_output)
Gilles Peskine0a749c82019-11-28 19:33:58 +01002839{
2840 psa_algorithm_t alg = alg_arg;
2841 uint8_t output[PSA_HASH_MAX_SIZE + 1];
2842 size_t output_length = INVALID_EXPORT_LENGTH;
Neil Armstrongca30a002022-02-07 11:40:23 +01002843 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
Gilles Peskine0a749c82019-11-28 19:33:58 +01002844 size_t i;
2845
Gilles Peskine449bd832023-01-11 14:50:10 +01002846 PSA_ASSERT(psa_crypto_init());
Gilles Peskine0a749c82019-11-28 19:33:58 +01002847
Neil Armstrongca30a002022-02-07 11:40:23 +01002848 /* Compute with tight buffer, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002849 PSA_ASSERT(psa_hash_compute(alg, input->x, input->len,
2850 output, PSA_HASH_LENGTH(alg),
2851 &output_length));
2852 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01002853 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01002854 expected_output->x, expected_output->len);
Gilles Peskine0a749c82019-11-28 19:33:58 +01002855
Neil Armstrongca30a002022-02-07 11:40:23 +01002856 /* Compute with tight buffer, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002857 PSA_ASSERT(psa_hash_setup(&operation, alg));
2858 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
2859 PSA_ASSERT(psa_hash_finish(&operation, output,
2860 PSA_HASH_LENGTH(alg),
2861 &output_length));
2862 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01002863 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01002864 expected_output->x, expected_output->len);
Neil Armstrongca30a002022-02-07 11:40:23 +01002865
2866 /* Compute with larger buffer, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002867 PSA_ASSERT(psa_hash_compute(alg, input->x, input->len,
2868 output, sizeof(output),
2869 &output_length));
2870 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01002871 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01002872 expected_output->x, expected_output->len);
Gilles Peskine0a749c82019-11-28 19:33:58 +01002873
Neil Armstrongca30a002022-02-07 11:40:23 +01002874 /* Compute with larger buffer, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002875 PSA_ASSERT(psa_hash_setup(&operation, alg));
2876 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
2877 PSA_ASSERT(psa_hash_finish(&operation, output,
2878 sizeof(output), &output_length));
2879 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01002880 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01002881 expected_output->x, expected_output->len);
Neil Armstrongca30a002022-02-07 11:40:23 +01002882
2883 /* Compare with correct hash, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002884 PSA_ASSERT(psa_hash_compare(alg, input->x, input->len,
2885 output, output_length));
Gilles Peskine0a749c82019-11-28 19:33:58 +01002886
Neil Armstrongca30a002022-02-07 11:40:23 +01002887 /* Compare with correct hash, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002888 PSA_ASSERT(psa_hash_setup(&operation, alg));
2889 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
2890 PSA_ASSERT(psa_hash_verify(&operation, output,
2891 output_length));
Neil Armstrongca30a002022-02-07 11:40:23 +01002892
2893 /* Compare with trailing garbage, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002894 TEST_EQUAL(psa_hash_compare(alg, input->x, input->len,
2895 output, output_length + 1),
2896 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine0a749c82019-11-28 19:33:58 +01002897
Neil Armstrongca30a002022-02-07 11:40:23 +01002898 /* Compare with trailing garbage, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002899 PSA_ASSERT(psa_hash_setup(&operation, alg));
2900 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
2901 TEST_EQUAL(psa_hash_verify(&operation, output, output_length + 1),
2902 PSA_ERROR_INVALID_SIGNATURE);
Neil Armstrongca30a002022-02-07 11:40:23 +01002903
2904 /* Compare with truncated hash, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002905 TEST_EQUAL(psa_hash_compare(alg, input->x, input->len,
2906 output, output_length - 1),
2907 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine0a749c82019-11-28 19:33:58 +01002908
Neil Armstrongca30a002022-02-07 11:40:23 +01002909 /* Compare with truncated hash, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002910 PSA_ASSERT(psa_hash_setup(&operation, alg));
2911 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
2912 TEST_EQUAL(psa_hash_verify(&operation, output, output_length - 1),
2913 PSA_ERROR_INVALID_SIGNATURE);
Neil Armstrongca30a002022-02-07 11:40:23 +01002914
Gilles Peskine0a749c82019-11-28 19:33:58 +01002915 /* Compare with corrupted value */
Gilles Peskine449bd832023-01-11 14:50:10 +01002916 for (i = 0; i < output_length; i++) {
2917 mbedtls_test_set_step(i);
Gilles Peskine0a749c82019-11-28 19:33:58 +01002918 output[i] ^= 1;
Neil Armstrongca30a002022-02-07 11:40:23 +01002919
2920 /* One-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002921 TEST_EQUAL(psa_hash_compare(alg, input->x, input->len,
2922 output, output_length),
2923 PSA_ERROR_INVALID_SIGNATURE);
Neil Armstrongca30a002022-02-07 11:40:23 +01002924
2925 /* Multi-Part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002926 PSA_ASSERT(psa_hash_setup(&operation, alg));
2927 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
2928 TEST_EQUAL(psa_hash_verify(&operation, output, output_length),
2929 PSA_ERROR_INVALID_SIGNATURE);
Neil Armstrongca30a002022-02-07 11:40:23 +01002930
Gilles Peskine0a749c82019-11-28 19:33:58 +01002931 output[i] ^= 1;
2932 }
2933
2934exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002935 PSA_ASSERT(psa_hash_abort(&operation));
2936 PSA_DONE();
Gilles Peskine0a749c82019-11-28 19:33:58 +01002937}
2938/* END_CASE */
2939
Gilles Peskined6dc40c2021-01-12 12:55:31 +01002940/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002941void hash_bad_order()
itayzafrirf86548d2018-11-01 10:44:32 +02002942{
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00002943 psa_algorithm_t alg = PSA_ALG_SHA_256;
itayzafrirf86548d2018-11-01 10:44:32 +02002944 unsigned char input[] = "";
2945 /* SHA-256 hash of an empty string */
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00002946 const unsigned char valid_hash[] = {
itayzafrirf86548d2018-11-01 10:44:32 +02002947 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8,
2948 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c,
Gilles Peskine449bd832023-01-11 14:50:10 +01002949 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
2950 };
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00002951 unsigned char hash[sizeof(valid_hash)] = { 0 };
itayzafrirf86548d2018-11-01 10:44:32 +02002952 size_t hash_len;
Jaeden Amero6a25b412019-01-04 11:47:44 +00002953 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
itayzafrirf86548d2018-11-01 10:44:32 +02002954
Gilles Peskine449bd832023-01-11 14:50:10 +01002955 PSA_ASSERT(psa_crypto_init());
itayzafrirf86548d2018-11-01 10:44:32 +02002956
Jaeden Amero36ee5d02019-02-19 09:25:10 +00002957 /* Call setup twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002958 PSA_ASSERT(psa_hash_setup(&operation, alg));
2959 ASSERT_OPERATION_IS_ACTIVE(operation);
2960 TEST_EQUAL(psa_hash_setup(&operation, alg),
2961 PSA_ERROR_BAD_STATE);
2962 ASSERT_OPERATION_IS_INACTIVE(operation);
2963 PSA_ASSERT(psa_hash_abort(&operation));
2964 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Amero36ee5d02019-02-19 09:25:10 +00002965
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00002966 /* Call update without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002967 TEST_EQUAL(psa_hash_update(&operation, input, sizeof(input)),
2968 PSA_ERROR_BAD_STATE);
2969 PSA_ASSERT(psa_hash_abort(&operation));
itayzafrirf86548d2018-11-01 10:44:32 +02002970
Dave Rodgman5ae6f752021-06-24 11:36:14 +01002971 /* Check that update calls abort on error. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002972 PSA_ASSERT(psa_hash_setup(&operation, alg));
Dave Rodgman6f710582021-06-24 18:14:52 +01002973 operation.id = UINT_MAX;
Gilles Peskine449bd832023-01-11 14:50:10 +01002974 ASSERT_OPERATION_IS_ACTIVE(operation);
2975 TEST_EQUAL(psa_hash_update(&operation, input, sizeof(input)),
2976 PSA_ERROR_BAD_STATE);
2977 ASSERT_OPERATION_IS_INACTIVE(operation);
2978 PSA_ASSERT(psa_hash_abort(&operation));
2979 ASSERT_OPERATION_IS_INACTIVE(operation);
Dave Rodgman5ae6f752021-06-24 11:36:14 +01002980
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00002981 /* Call update after finish. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002982 PSA_ASSERT(psa_hash_setup(&operation, alg));
2983 PSA_ASSERT(psa_hash_finish(&operation,
2984 hash, sizeof(hash), &hash_len));
2985 TEST_EQUAL(psa_hash_update(&operation, input, sizeof(input)),
2986 PSA_ERROR_BAD_STATE);
2987 PSA_ASSERT(psa_hash_abort(&operation));
itayzafrirf86548d2018-11-01 10:44:32 +02002988
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00002989 /* Call verify without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002990 TEST_EQUAL(psa_hash_verify(&operation,
2991 valid_hash, sizeof(valid_hash)),
2992 PSA_ERROR_BAD_STATE);
2993 PSA_ASSERT(psa_hash_abort(&operation));
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00002994
2995 /* Call verify after finish. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002996 PSA_ASSERT(psa_hash_setup(&operation, alg));
2997 PSA_ASSERT(psa_hash_finish(&operation,
2998 hash, sizeof(hash), &hash_len));
2999 TEST_EQUAL(psa_hash_verify(&operation,
3000 valid_hash, sizeof(valid_hash)),
3001 PSA_ERROR_BAD_STATE);
3002 PSA_ASSERT(psa_hash_abort(&operation));
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003003
3004 /* Call verify twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003005 PSA_ASSERT(psa_hash_setup(&operation, alg));
3006 ASSERT_OPERATION_IS_ACTIVE(operation);
3007 PSA_ASSERT(psa_hash_verify(&operation,
3008 valid_hash, sizeof(valid_hash)));
3009 ASSERT_OPERATION_IS_INACTIVE(operation);
3010 TEST_EQUAL(psa_hash_verify(&operation,
3011 valid_hash, sizeof(valid_hash)),
3012 PSA_ERROR_BAD_STATE);
3013 ASSERT_OPERATION_IS_INACTIVE(operation);
3014 PSA_ASSERT(psa_hash_abort(&operation));
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003015
3016 /* Call finish without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003017 TEST_EQUAL(psa_hash_finish(&operation,
3018 hash, sizeof(hash), &hash_len),
3019 PSA_ERROR_BAD_STATE);
3020 PSA_ASSERT(psa_hash_abort(&operation));
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003021
3022 /* Call finish twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003023 PSA_ASSERT(psa_hash_setup(&operation, alg));
3024 PSA_ASSERT(psa_hash_finish(&operation,
3025 hash, sizeof(hash), &hash_len));
3026 TEST_EQUAL(psa_hash_finish(&operation,
3027 hash, sizeof(hash), &hash_len),
3028 PSA_ERROR_BAD_STATE);
3029 PSA_ASSERT(psa_hash_abort(&operation));
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003030
3031 /* Call finish after calling verify. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003032 PSA_ASSERT(psa_hash_setup(&operation, alg));
3033 PSA_ASSERT(psa_hash_verify(&operation,
3034 valid_hash, sizeof(valid_hash)));
3035 TEST_EQUAL(psa_hash_finish(&operation,
3036 hash, sizeof(hash), &hash_len),
3037 PSA_ERROR_BAD_STATE);
3038 PSA_ASSERT(psa_hash_abort(&operation));
itayzafrirf86548d2018-11-01 10:44:32 +02003039
3040exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003041 PSA_DONE();
itayzafrirf86548d2018-11-01 10:44:32 +02003042}
3043/* END_CASE */
3044
Gilles Peskined6dc40c2021-01-12 12:55:31 +01003045/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003046void hash_verify_bad_args()
itayzafrirec93d302018-10-18 18:01:10 +03003047{
3048 psa_algorithm_t alg = PSA_ALG_SHA_256;
itayzafrir27e69452018-11-01 14:26:34 +02003049 /* SHA-256 hash of an empty string with 2 extra bytes (0xaa and 0xbb)
3050 * appended to it */
3051 unsigned char hash[] = {
3052 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8,
3053 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c,
Gilles Peskine449bd832023-01-11 14:50:10 +01003054 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55, 0xaa, 0xbb
3055 };
3056 size_t expected_size = PSA_HASH_LENGTH(alg);
Jaeden Amero6a25b412019-01-04 11:47:44 +00003057 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
itayzafrirec93d302018-10-18 18:01:10 +03003058
Gilles Peskine449bd832023-01-11 14:50:10 +01003059 PSA_ASSERT(psa_crypto_init());
itayzafrirec93d302018-10-18 18:01:10 +03003060
itayzafrir27e69452018-11-01 14:26:34 +02003061 /* psa_hash_verify with a smaller hash than expected */
Gilles Peskine449bd832023-01-11 14:50:10 +01003062 PSA_ASSERT(psa_hash_setup(&operation, alg));
3063 ASSERT_OPERATION_IS_ACTIVE(operation);
3064 TEST_EQUAL(psa_hash_verify(&operation, hash, expected_size - 1),
3065 PSA_ERROR_INVALID_SIGNATURE);
3066 ASSERT_OPERATION_IS_INACTIVE(operation);
3067 PSA_ASSERT(psa_hash_abort(&operation));
3068 ASSERT_OPERATION_IS_INACTIVE(operation);
itayzafrirec93d302018-10-18 18:01:10 +03003069
itayzafrir27e69452018-11-01 14:26:34 +02003070 /* psa_hash_verify with a non-matching hash */
Gilles Peskine449bd832023-01-11 14:50:10 +01003071 PSA_ASSERT(psa_hash_setup(&operation, alg));
3072 TEST_EQUAL(psa_hash_verify(&operation, hash + 1, expected_size),
3073 PSA_ERROR_INVALID_SIGNATURE);
itayzafrirec93d302018-10-18 18:01:10 +03003074
itayzafrir27e69452018-11-01 14:26:34 +02003075 /* psa_hash_verify with a hash longer than expected */
Gilles Peskine449bd832023-01-11 14:50:10 +01003076 PSA_ASSERT(psa_hash_setup(&operation, alg));
3077 TEST_EQUAL(psa_hash_verify(&operation, hash, sizeof(hash)),
3078 PSA_ERROR_INVALID_SIGNATURE);
itayzafrir4271df92018-10-24 18:16:19 +03003079
itayzafrirec93d302018-10-18 18:01:10 +03003080exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003081 PSA_DONE();
itayzafrirec93d302018-10-18 18:01:10 +03003082}
3083/* END_CASE */
3084
Ronald Cronee414c72021-03-18 18:50:08 +01003085/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003086void hash_finish_bad_args()
itayzafrir58028322018-10-25 10:22:01 +03003087{
3088 psa_algorithm_t alg = PSA_ALG_SHA_256;
itayzafrirb2dd5ed2018-11-01 11:58:59 +02003089 unsigned char hash[PSA_HASH_MAX_SIZE];
Gilles Peskine449bd832023-01-11 14:50:10 +01003090 size_t expected_size = PSA_HASH_LENGTH(alg);
Jaeden Amero6a25b412019-01-04 11:47:44 +00003091 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
itayzafrir58028322018-10-25 10:22:01 +03003092 size_t hash_len;
3093
Gilles Peskine449bd832023-01-11 14:50:10 +01003094 PSA_ASSERT(psa_crypto_init());
itayzafrir58028322018-10-25 10:22:01 +03003095
itayzafrir58028322018-10-25 10:22:01 +03003096 /* psa_hash_finish with a smaller hash buffer than expected */
Gilles Peskine449bd832023-01-11 14:50:10 +01003097 PSA_ASSERT(psa_hash_setup(&operation, alg));
3098 TEST_EQUAL(psa_hash_finish(&operation,
3099 hash, expected_size - 1, &hash_len),
3100 PSA_ERROR_BUFFER_TOO_SMALL);
itayzafrir58028322018-10-25 10:22:01 +03003101
3102exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003103 PSA_DONE();
itayzafrir58028322018-10-25 10:22:01 +03003104}
3105/* END_CASE */
3106
Ronald Cronee414c72021-03-18 18:50:08 +01003107/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003108void hash_clone_source_state()
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003109{
3110 psa_algorithm_t alg = PSA_ALG_SHA_256;
3111 unsigned char hash[PSA_HASH_MAX_SIZE];
3112 psa_hash_operation_t op_source = PSA_HASH_OPERATION_INIT;
3113 psa_hash_operation_t op_init = PSA_HASH_OPERATION_INIT;
3114 psa_hash_operation_t op_setup = PSA_HASH_OPERATION_INIT;
3115 psa_hash_operation_t op_finished = PSA_HASH_OPERATION_INIT;
3116 psa_hash_operation_t op_aborted = PSA_HASH_OPERATION_INIT;
3117 size_t hash_len;
3118
Gilles Peskine449bd832023-01-11 14:50:10 +01003119 PSA_ASSERT(psa_crypto_init());
3120 PSA_ASSERT(psa_hash_setup(&op_source, alg));
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003121
Gilles Peskine449bd832023-01-11 14:50:10 +01003122 PSA_ASSERT(psa_hash_setup(&op_setup, alg));
3123 PSA_ASSERT(psa_hash_setup(&op_finished, alg));
3124 PSA_ASSERT(psa_hash_finish(&op_finished,
3125 hash, sizeof(hash), &hash_len));
3126 PSA_ASSERT(psa_hash_setup(&op_aborted, alg));
3127 PSA_ASSERT(psa_hash_abort(&op_aborted));
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003128
Gilles Peskine449bd832023-01-11 14:50:10 +01003129 TEST_EQUAL(psa_hash_clone(&op_source, &op_setup),
3130 PSA_ERROR_BAD_STATE);
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003131
Gilles Peskine449bd832023-01-11 14:50:10 +01003132 PSA_ASSERT(psa_hash_clone(&op_source, &op_init));
3133 PSA_ASSERT(psa_hash_finish(&op_init,
3134 hash, sizeof(hash), &hash_len));
3135 PSA_ASSERT(psa_hash_clone(&op_source, &op_finished));
3136 PSA_ASSERT(psa_hash_finish(&op_finished,
3137 hash, sizeof(hash), &hash_len));
3138 PSA_ASSERT(psa_hash_clone(&op_source, &op_aborted));
3139 PSA_ASSERT(psa_hash_finish(&op_aborted,
3140 hash, sizeof(hash), &hash_len));
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003141
3142exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003143 psa_hash_abort(&op_source);
3144 psa_hash_abort(&op_init);
3145 psa_hash_abort(&op_setup);
3146 psa_hash_abort(&op_finished);
3147 psa_hash_abort(&op_aborted);
3148 PSA_DONE();
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003149}
3150/* END_CASE */
3151
Ronald Cronee414c72021-03-18 18:50:08 +01003152/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003153void hash_clone_target_state()
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003154{
3155 psa_algorithm_t alg = PSA_ALG_SHA_256;
3156 unsigned char hash[PSA_HASH_MAX_SIZE];
3157 psa_hash_operation_t op_init = PSA_HASH_OPERATION_INIT;
3158 psa_hash_operation_t op_setup = PSA_HASH_OPERATION_INIT;
3159 psa_hash_operation_t op_finished = PSA_HASH_OPERATION_INIT;
3160 psa_hash_operation_t op_aborted = PSA_HASH_OPERATION_INIT;
3161 psa_hash_operation_t op_target = PSA_HASH_OPERATION_INIT;
3162 size_t hash_len;
3163
Gilles Peskine449bd832023-01-11 14:50:10 +01003164 PSA_ASSERT(psa_crypto_init());
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003165
Gilles Peskine449bd832023-01-11 14:50:10 +01003166 PSA_ASSERT(psa_hash_setup(&op_setup, alg));
3167 PSA_ASSERT(psa_hash_setup(&op_finished, alg));
3168 PSA_ASSERT(psa_hash_finish(&op_finished,
3169 hash, sizeof(hash), &hash_len));
3170 PSA_ASSERT(psa_hash_setup(&op_aborted, alg));
3171 PSA_ASSERT(psa_hash_abort(&op_aborted));
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003172
Gilles Peskine449bd832023-01-11 14:50:10 +01003173 PSA_ASSERT(psa_hash_clone(&op_setup, &op_target));
3174 PSA_ASSERT(psa_hash_finish(&op_target,
3175 hash, sizeof(hash), &hash_len));
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003176
Gilles Peskine449bd832023-01-11 14:50:10 +01003177 TEST_EQUAL(psa_hash_clone(&op_init, &op_target), PSA_ERROR_BAD_STATE);
3178 TEST_EQUAL(psa_hash_clone(&op_finished, &op_target),
3179 PSA_ERROR_BAD_STATE);
3180 TEST_EQUAL(psa_hash_clone(&op_aborted, &op_target),
3181 PSA_ERROR_BAD_STATE);
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003182
3183exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003184 psa_hash_abort(&op_target);
3185 psa_hash_abort(&op_init);
3186 psa_hash_abort(&op_setup);
3187 psa_hash_abort(&op_finished);
3188 psa_hash_abort(&op_aborted);
3189 PSA_DONE();
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003190}
3191/* END_CASE */
3192
itayzafrir58028322018-10-25 10:22:01 +03003193/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003194void mac_operation_init()
Jaeden Amero769ce272019-01-04 11:48:03 +00003195{
Jaeden Amero252ef282019-02-15 14:05:35 +00003196 const uint8_t input[1] = { 0 };
3197
Jaeden Amero769ce272019-01-04 11:48:03 +00003198 /* Test each valid way of initializing the object, except for `= {0}`, as
3199 * Clang 5 complains when `-Wmissing-field-initializers` is used, even
3200 * though it's OK by the C standard. We could test for this, but we'd need
Shaun Case8b0ecbc2021-12-20 21:14:10 -08003201 * to suppress the Clang warning for the test. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003202 psa_mac_operation_t func = psa_mac_operation_init();
Jaeden Amero769ce272019-01-04 11:48:03 +00003203 psa_mac_operation_t init = PSA_MAC_OPERATION_INIT;
3204 psa_mac_operation_t zero;
3205
Gilles Peskine449bd832023-01-11 14:50:10 +01003206 memset(&zero, 0, sizeof(zero));
Jaeden Amero769ce272019-01-04 11:48:03 +00003207
Jaeden Amero252ef282019-02-15 14:05:35 +00003208 /* A freshly-initialized MAC operation should not be usable. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003209 TEST_EQUAL(psa_mac_update(&func,
3210 input, sizeof(input)),
3211 PSA_ERROR_BAD_STATE);
3212 TEST_EQUAL(psa_mac_update(&init,
3213 input, sizeof(input)),
3214 PSA_ERROR_BAD_STATE);
3215 TEST_EQUAL(psa_mac_update(&zero,
3216 input, sizeof(input)),
3217 PSA_ERROR_BAD_STATE);
Jaeden Amero252ef282019-02-15 14:05:35 +00003218
Jaeden Amero5229bbb2019-02-07 16:33:37 +00003219 /* A default MAC operation should be abortable without error. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003220 PSA_ASSERT(psa_mac_abort(&func));
3221 PSA_ASSERT(psa_mac_abort(&init));
3222 PSA_ASSERT(psa_mac_abort(&zero));
Jaeden Amero769ce272019-01-04 11:48:03 +00003223}
3224/* END_CASE */
3225
3226/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003227void mac_setup(int key_type_arg,
3228 data_t *key,
3229 int alg_arg,
3230 int expected_status_arg)
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003231{
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003232 psa_key_type_t key_type = key_type_arg;
3233 psa_algorithm_t alg = alg_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02003234 psa_status_t expected_status = expected_status_arg;
Jaeden Amero769ce272019-01-04 11:48:03 +00003235 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003236 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
3237#if defined(KNOWN_SUPPORTED_MAC_ALG)
3238 const uint8_t smoke_test_key_data[16] = "kkkkkkkkkkkkkkkk";
3239#endif
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003240
Gilles Peskine449bd832023-01-11 14:50:10 +01003241 PSA_ASSERT(psa_crypto_init());
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003242
Gilles Peskine449bd832023-01-11 14:50:10 +01003243 if (!exercise_mac_setup(key_type, key->x, key->len, alg,
3244 &operation, &status)) {
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003245 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01003246 }
3247 TEST_EQUAL(status, expected_status);
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003248
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003249 /* The operation object should be reusable. */
3250#if defined(KNOWN_SUPPORTED_MAC_ALG)
Gilles Peskine449bd832023-01-11 14:50:10 +01003251 if (!exercise_mac_setup(KNOWN_SUPPORTED_MAC_KEY_TYPE,
3252 smoke_test_key_data,
3253 sizeof(smoke_test_key_data),
3254 KNOWN_SUPPORTED_MAC_ALG,
3255 &operation, &status)) {
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003256 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01003257 }
3258 TEST_EQUAL(status, PSA_SUCCESS);
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003259#endif
3260
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003261exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003262 PSA_DONE();
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003263}
3264/* END_CASE */
3265
Gilles Peskined6dc40c2021-01-12 12:55:31 +01003266/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_HMAC:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003267void mac_bad_order()
Jaeden Amero252ef282019-02-15 14:05:35 +00003268{
Ronald Cron5425a212020-08-04 14:58:35 +02003269 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Jaeden Amero252ef282019-02-15 14:05:35 +00003270 psa_key_type_t key_type = PSA_KEY_TYPE_HMAC;
3271 psa_algorithm_t alg = PSA_ALG_HMAC(PSA_ALG_SHA_256);
Ronald Cron5425a212020-08-04 14:58:35 +02003272 const uint8_t key_data[] = {
Jaeden Amero252ef282019-02-15 14:05:35 +00003273 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
3274 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
Gilles Peskine449bd832023-01-11 14:50:10 +01003275 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
3276 };
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02003277 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Jaeden Amero252ef282019-02-15 14:05:35 +00003278 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
3279 uint8_t sign_mac[PSA_MAC_MAX_SIZE + 10] = { 0 };
3280 size_t sign_mac_length = 0;
3281 const uint8_t input[] = { 0xbb, 0xbb, 0xbb, 0xbb };
3282 const uint8_t verify_mac[] = {
3283 0x74, 0x65, 0x93, 0x8c, 0xeb, 0x1d, 0xb3, 0x76, 0x5a, 0x38, 0xe7, 0xdd,
3284 0x85, 0xc5, 0xad, 0x4f, 0x07, 0xe7, 0xd5, 0xb2, 0x64, 0xf0, 0x1a, 0x1a,
Gilles Peskine449bd832023-01-11 14:50:10 +01003285 0x2c, 0xf9, 0x18, 0xca, 0x59, 0x7e, 0x5d, 0xf6
3286 };
Jaeden Amero252ef282019-02-15 14:05:35 +00003287
Gilles Peskine449bd832023-01-11 14:50:10 +01003288 PSA_ASSERT(psa_crypto_init());
3289 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH);
3290 psa_set_key_algorithm(&attributes, alg);
3291 psa_set_key_type(&attributes, key_type);
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003292
Gilles Peskine449bd832023-01-11 14:50:10 +01003293 PSA_ASSERT(psa_import_key(&attributes, key_data, sizeof(key_data),
3294 &key));
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003295
Jaeden Amero252ef282019-02-15 14:05:35 +00003296 /* Call update without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003297 TEST_EQUAL(psa_mac_update(&operation, input, sizeof(input)),
3298 PSA_ERROR_BAD_STATE);
3299 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003300
3301 /* Call sign finish without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003302 TEST_EQUAL(psa_mac_sign_finish(&operation, sign_mac, sizeof(sign_mac),
3303 &sign_mac_length),
3304 PSA_ERROR_BAD_STATE);
3305 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003306
3307 /* Call verify finish without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003308 TEST_EQUAL(psa_mac_verify_finish(&operation,
3309 verify_mac, sizeof(verify_mac)),
3310 PSA_ERROR_BAD_STATE);
3311 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003312
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003313 /* Call setup twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003314 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
3315 ASSERT_OPERATION_IS_ACTIVE(operation);
3316 TEST_EQUAL(psa_mac_sign_setup(&operation, key, alg),
3317 PSA_ERROR_BAD_STATE);
3318 ASSERT_OPERATION_IS_INACTIVE(operation);
3319 PSA_ASSERT(psa_mac_abort(&operation));
3320 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003321
Jaeden Amero252ef282019-02-15 14:05:35 +00003322 /* Call update after sign finish. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003323 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
3324 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3325 PSA_ASSERT(psa_mac_sign_finish(&operation,
3326 sign_mac, sizeof(sign_mac),
3327 &sign_mac_length));
3328 TEST_EQUAL(psa_mac_update(&operation, input, sizeof(input)),
3329 PSA_ERROR_BAD_STATE);
3330 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003331
3332 /* Call update after verify finish. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003333 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3334 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3335 PSA_ASSERT(psa_mac_verify_finish(&operation,
3336 verify_mac, sizeof(verify_mac)));
3337 TEST_EQUAL(psa_mac_update(&operation, input, sizeof(input)),
3338 PSA_ERROR_BAD_STATE);
3339 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003340
3341 /* Call sign finish twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003342 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
3343 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3344 PSA_ASSERT(psa_mac_sign_finish(&operation,
3345 sign_mac, sizeof(sign_mac),
3346 &sign_mac_length));
3347 TEST_EQUAL(psa_mac_sign_finish(&operation,
3348 sign_mac, sizeof(sign_mac),
3349 &sign_mac_length),
3350 PSA_ERROR_BAD_STATE);
3351 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003352
3353 /* Call verify finish twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003354 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3355 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3356 PSA_ASSERT(psa_mac_verify_finish(&operation,
3357 verify_mac, sizeof(verify_mac)));
3358 TEST_EQUAL(psa_mac_verify_finish(&operation,
3359 verify_mac, sizeof(verify_mac)),
3360 PSA_ERROR_BAD_STATE);
3361 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003362
3363 /* Setup sign but try verify. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003364 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
3365 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3366 ASSERT_OPERATION_IS_ACTIVE(operation);
3367 TEST_EQUAL(psa_mac_verify_finish(&operation,
3368 verify_mac, sizeof(verify_mac)),
3369 PSA_ERROR_BAD_STATE);
3370 ASSERT_OPERATION_IS_INACTIVE(operation);
3371 PSA_ASSERT(psa_mac_abort(&operation));
3372 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Amero252ef282019-02-15 14:05:35 +00003373
3374 /* Setup verify but try sign. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003375 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3376 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3377 ASSERT_OPERATION_IS_ACTIVE(operation);
3378 TEST_EQUAL(psa_mac_sign_finish(&operation,
3379 sign_mac, sizeof(sign_mac),
3380 &sign_mac_length),
3381 PSA_ERROR_BAD_STATE);
3382 ASSERT_OPERATION_IS_INACTIVE(operation);
3383 PSA_ASSERT(psa_mac_abort(&operation));
3384 ASSERT_OPERATION_IS_INACTIVE(operation);
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003385
Gilles Peskine449bd832023-01-11 14:50:10 +01003386 PSA_ASSERT(psa_destroy_key(key));
Gilles Peskine76b29a72019-05-28 14:08:50 +02003387
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003388exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003389 PSA_DONE();
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003390}
3391/* END_CASE */
3392
3393/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003394void mac_sign_verify_multi(int key_type_arg,
3395 data_t *key_data,
3396 int alg_arg,
3397 data_t *input,
3398 int is_verify,
3399 data_t *expected_mac)
Neil Armstrong4766f992022-02-28 16:23:59 +01003400{
3401 size_t data_part_len = 0;
3402
Gilles Peskine449bd832023-01-11 14:50:10 +01003403 for (data_part_len = 1; data_part_len <= input->len; data_part_len++) {
Neil Armstrong4766f992022-02-28 16:23:59 +01003404 /* Split data into length(data_part_len) parts. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003405 mbedtls_test_set_step(2000 + data_part_len);
Neil Armstrong4766f992022-02-28 16:23:59 +01003406
Gilles Peskine449bd832023-01-11 14:50:10 +01003407 if (mac_multipart_internal_func(key_type_arg, key_data,
3408 alg_arg,
3409 input, data_part_len,
3410 expected_mac,
3411 is_verify, 0) == 0) {
Neil Armstrong4766f992022-02-28 16:23:59 +01003412 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01003413 }
Neil Armstrong4766f992022-02-28 16:23:59 +01003414
3415 /* length(0) part, length(data_part_len) part, length(0) part... */
Gilles Peskine449bd832023-01-11 14:50:10 +01003416 mbedtls_test_set_step(3000 + data_part_len);
Neil Armstrong4766f992022-02-28 16:23:59 +01003417
Gilles Peskine449bd832023-01-11 14:50:10 +01003418 if (mac_multipart_internal_func(key_type_arg, key_data,
3419 alg_arg,
3420 input, data_part_len,
3421 expected_mac,
3422 is_verify, 1) == 0) {
Neil Armstrong4766f992022-02-28 16:23:59 +01003423 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01003424 }
Neil Armstrong4766f992022-02-28 16:23:59 +01003425 }
3426
3427 /* Goto is required to silence warnings about unused labels, as we
3428 * don't actually do any test assertions in this function. */
3429 goto exit;
3430}
3431/* END_CASE */
3432
3433/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003434void mac_sign(int key_type_arg,
3435 data_t *key_data,
3436 int alg_arg,
3437 data_t *input,
3438 data_t *expected_mac)
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003439{
Ronald Cron5425a212020-08-04 14:58:35 +02003440 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003441 psa_key_type_t key_type = key_type_arg;
3442 psa_algorithm_t alg = alg_arg;
Jaeden Amero769ce272019-01-04 11:48:03 +00003443 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02003444 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine5e65cec2020-08-25 23:38:39 +02003445 uint8_t *actual_mac = NULL;
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003446 size_t mac_buffer_size =
Gilles Peskine449bd832023-01-11 14:50:10 +01003447 PSA_MAC_LENGTH(key_type, PSA_BYTES_TO_BITS(key_data->len), alg);
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003448 size_t mac_length = 0;
Gilles Peskine8b356b52020-08-25 23:44:59 +02003449 const size_t output_sizes_to_test[] = {
3450 0,
3451 1,
3452 expected_mac->len - 1,
3453 expected_mac->len,
3454 expected_mac->len + 1,
3455 };
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003456
Gilles Peskine449bd832023-01-11 14:50:10 +01003457 TEST_LE_U(mac_buffer_size, PSA_MAC_MAX_SIZE);
gabor-mezei-armcbcec212020-12-18 14:23:51 +01003458 /* We expect PSA_MAC_LENGTH to be exact. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003459 TEST_ASSERT(expected_mac->len == mac_buffer_size);
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003460
Gilles Peskine449bd832023-01-11 14:50:10 +01003461 PSA_ASSERT(psa_crypto_init());
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003462
Gilles Peskine449bd832023-01-11 14:50:10 +01003463 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
3464 psa_set_key_algorithm(&attributes, alg);
3465 psa_set_key_type(&attributes, key_type);
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003466
Gilles Peskine449bd832023-01-11 14:50:10 +01003467 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
3468 &key));
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003469
Gilles Peskine449bd832023-01-11 14:50:10 +01003470 for (size_t i = 0; i < ARRAY_LENGTH(output_sizes_to_test); i++) {
Gilles Peskine8b356b52020-08-25 23:44:59 +02003471 const size_t output_size = output_sizes_to_test[i];
3472 psa_status_t expected_status =
Gilles Peskine449bd832023-01-11 14:50:10 +01003473 (output_size >= expected_mac->len ? PSA_SUCCESS :
3474 PSA_ERROR_BUFFER_TOO_SMALL);
Gilles Peskine5e65cec2020-08-25 23:38:39 +02003475
Gilles Peskine449bd832023-01-11 14:50:10 +01003476 mbedtls_test_set_step(output_size);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01003477 TEST_CALLOC(actual_mac, output_size);
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003478
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003479 /* Calculate the MAC, one-shot case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003480 TEST_EQUAL(psa_mac_compute(key, alg,
3481 input->x, input->len,
3482 actual_mac, output_size, &mac_length),
3483 expected_status);
3484 if (expected_status == PSA_SUCCESS) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01003485 TEST_MEMORY_COMPARE(expected_mac->x, expected_mac->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01003486 actual_mac, mac_length);
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003487 }
3488
Gilles Peskine449bd832023-01-11 14:50:10 +01003489 if (output_size > 0) {
3490 memset(actual_mac, 0, output_size);
3491 }
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003492
3493 /* Calculate the MAC, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003494 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
3495 PSA_ASSERT(psa_mac_update(&operation,
3496 input->x, input->len));
3497 TEST_EQUAL(psa_mac_sign_finish(&operation,
3498 actual_mac, output_size,
3499 &mac_length),
3500 expected_status);
3501 PSA_ASSERT(psa_mac_abort(&operation));
Gilles Peskine8b356b52020-08-25 23:44:59 +02003502
Gilles Peskine449bd832023-01-11 14:50:10 +01003503 if (expected_status == PSA_SUCCESS) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01003504 TEST_MEMORY_COMPARE(expected_mac->x, expected_mac->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01003505 actual_mac, mac_length);
Gilles Peskine8b356b52020-08-25 23:44:59 +02003506 }
Gilles Peskine449bd832023-01-11 14:50:10 +01003507 mbedtls_free(actual_mac);
Gilles Peskine8b356b52020-08-25 23:44:59 +02003508 actual_mac = NULL;
3509 }
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003510
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003511exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003512 psa_mac_abort(&operation);
3513 psa_destroy_key(key);
3514 PSA_DONE();
3515 mbedtls_free(actual_mac);
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003516}
3517/* END_CASE */
3518
3519/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003520void mac_verify(int key_type_arg,
3521 data_t *key_data,
3522 int alg_arg,
3523 data_t *input,
3524 data_t *expected_mac)
Gilles Peskine8c9def32018-02-08 10:02:12 +01003525{
Ronald Cron5425a212020-08-04 14:58:35 +02003526 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine8c9def32018-02-08 10:02:12 +01003527 psa_key_type_t key_type = key_type_arg;
3528 psa_algorithm_t alg = alg_arg;
Jaeden Amero769ce272019-01-04 11:48:03 +00003529 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02003530 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine29c4a6c2020-08-26 00:01:39 +02003531 uint8_t *perturbed_mac = NULL;
Gilles Peskine8c9def32018-02-08 10:02:12 +01003532
Gilles Peskine449bd832023-01-11 14:50:10 +01003533 TEST_LE_U(expected_mac->len, PSA_MAC_MAX_SIZE);
Gilles Peskine69c12672018-06-28 00:07:19 +02003534
Gilles Peskine449bd832023-01-11 14:50:10 +01003535 PSA_ASSERT(psa_crypto_init());
Gilles Peskine8c9def32018-02-08 10:02:12 +01003536
Gilles Peskine449bd832023-01-11 14:50:10 +01003537 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
3538 psa_set_key_algorithm(&attributes, alg);
3539 psa_set_key_type(&attributes, key_type);
mohammad16036df908f2018-04-02 08:34:15 -07003540
Gilles Peskine449bd832023-01-11 14:50:10 +01003541 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
3542 &key));
Gilles Peskinec0ec9722018-06-18 17:03:37 +02003543
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003544 /* Verify correct MAC, one-shot case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003545 PSA_ASSERT(psa_mac_verify(key, alg, input->x, input->len,
3546 expected_mac->x, expected_mac->len));
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003547
3548 /* Verify correct MAC, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003549 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3550 PSA_ASSERT(psa_mac_update(&operation,
3551 input->x, input->len));
3552 PSA_ASSERT(psa_mac_verify_finish(&operation,
3553 expected_mac->x,
3554 expected_mac->len));
Gilles Peskine8c9def32018-02-08 10:02:12 +01003555
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003556 /* Test a MAC that's too short, one-shot case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003557 TEST_EQUAL(psa_mac_verify(key, alg,
3558 input->x, input->len,
3559 expected_mac->x,
3560 expected_mac->len - 1),
3561 PSA_ERROR_INVALID_SIGNATURE);
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003562
3563 /* Test a MAC that's too short, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003564 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3565 PSA_ASSERT(psa_mac_update(&operation,
3566 input->x, input->len));
3567 TEST_EQUAL(psa_mac_verify_finish(&operation,
3568 expected_mac->x,
3569 expected_mac->len - 1),
3570 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine29c4a6c2020-08-26 00:01:39 +02003571
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003572 /* Test a MAC that's too long, one-shot case. */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01003573 TEST_CALLOC(perturbed_mac, expected_mac->len + 1);
Gilles Peskine449bd832023-01-11 14:50:10 +01003574 memcpy(perturbed_mac, expected_mac->x, expected_mac->len);
3575 TEST_EQUAL(psa_mac_verify(key, alg,
3576 input->x, input->len,
3577 perturbed_mac, expected_mac->len + 1),
3578 PSA_ERROR_INVALID_SIGNATURE);
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003579
3580 /* Test a MAC that's too long, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003581 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3582 PSA_ASSERT(psa_mac_update(&operation,
3583 input->x, input->len));
3584 TEST_EQUAL(psa_mac_verify_finish(&operation,
3585 perturbed_mac,
3586 expected_mac->len + 1),
3587 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine29c4a6c2020-08-26 00:01:39 +02003588
3589 /* Test changing one byte. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003590 for (size_t i = 0; i < expected_mac->len; i++) {
3591 mbedtls_test_set_step(i);
Gilles Peskine29c4a6c2020-08-26 00:01:39 +02003592 perturbed_mac[i] ^= 1;
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003593
Gilles Peskine449bd832023-01-11 14:50:10 +01003594 TEST_EQUAL(psa_mac_verify(key, alg,
3595 input->x, input->len,
3596 perturbed_mac, expected_mac->len),
3597 PSA_ERROR_INVALID_SIGNATURE);
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003598
Gilles Peskine449bd832023-01-11 14:50:10 +01003599 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3600 PSA_ASSERT(psa_mac_update(&operation,
3601 input->x, input->len));
3602 TEST_EQUAL(psa_mac_verify_finish(&operation,
3603 perturbed_mac,
3604 expected_mac->len),
3605 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine29c4a6c2020-08-26 00:01:39 +02003606 perturbed_mac[i] ^= 1;
3607 }
3608
Gilles Peskine8c9def32018-02-08 10:02:12 +01003609exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003610 psa_mac_abort(&operation);
3611 psa_destroy_key(key);
3612 PSA_DONE();
3613 mbedtls_free(perturbed_mac);
Gilles Peskine8c9def32018-02-08 10:02:12 +01003614}
3615/* END_CASE */
3616
3617/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003618void cipher_operation_init()
Jaeden Amero5bae2272019-01-04 11:48:27 +00003619{
Jaeden Ameroab439972019-02-15 14:12:05 +00003620 const uint8_t input[1] = { 0 };
3621 unsigned char output[1] = { 0 };
3622 size_t output_length;
Jaeden Amero5bae2272019-01-04 11:48:27 +00003623 /* Test each valid way of initializing the object, except for `= {0}`, as
3624 * Clang 5 complains when `-Wmissing-field-initializers` is used, even
3625 * though it's OK by the C standard. We could test for this, but we'd need
Shaun Case8b0ecbc2021-12-20 21:14:10 -08003626 * to suppress the Clang warning for the test. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003627 psa_cipher_operation_t func = psa_cipher_operation_init();
Jaeden Amero5bae2272019-01-04 11:48:27 +00003628 psa_cipher_operation_t init = PSA_CIPHER_OPERATION_INIT;
3629 psa_cipher_operation_t zero;
3630
Gilles Peskine449bd832023-01-11 14:50:10 +01003631 memset(&zero, 0, sizeof(zero));
Jaeden Amero5bae2272019-01-04 11:48:27 +00003632
Jaeden Ameroab439972019-02-15 14:12:05 +00003633 /* A freshly-initialized cipher operation should not be usable. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003634 TEST_EQUAL(psa_cipher_update(&func,
3635 input, sizeof(input),
3636 output, sizeof(output),
3637 &output_length),
3638 PSA_ERROR_BAD_STATE);
3639 TEST_EQUAL(psa_cipher_update(&init,
3640 input, sizeof(input),
3641 output, sizeof(output),
3642 &output_length),
3643 PSA_ERROR_BAD_STATE);
3644 TEST_EQUAL(psa_cipher_update(&zero,
3645 input, sizeof(input),
3646 output, sizeof(output),
3647 &output_length),
3648 PSA_ERROR_BAD_STATE);
Jaeden Ameroab439972019-02-15 14:12:05 +00003649
Jaeden Amero5229bbb2019-02-07 16:33:37 +00003650 /* A default cipher operation should be abortable without error. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003651 PSA_ASSERT(psa_cipher_abort(&func));
3652 PSA_ASSERT(psa_cipher_abort(&init));
3653 PSA_ASSERT(psa_cipher_abort(&zero));
Jaeden Amero5bae2272019-01-04 11:48:27 +00003654}
3655/* END_CASE */
3656
3657/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003658void cipher_setup(int key_type_arg,
3659 data_t *key,
3660 int alg_arg,
3661 int expected_status_arg)
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003662{
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003663 psa_key_type_t key_type = key_type_arg;
3664 psa_algorithm_t alg = alg_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02003665 psa_status_t expected_status = expected_status_arg;
Jaeden Amero5bae2272019-01-04 11:48:27 +00003666 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003667 psa_status_t status;
Gilles Peskine612ffd22021-01-20 18:51:00 +01003668#if defined(KNOWN_SUPPORTED_CIPHER_ALG)
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003669 const uint8_t smoke_test_key_data[16] = "kkkkkkkkkkkkkkkk";
3670#endif
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003671
Gilles Peskine449bd832023-01-11 14:50:10 +01003672 PSA_ASSERT(psa_crypto_init());
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003673
Gilles Peskine449bd832023-01-11 14:50:10 +01003674 if (!exercise_cipher_setup(key_type, key->x, key->len, alg,
3675 &operation, &status)) {
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003676 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01003677 }
3678 TEST_EQUAL(status, expected_status);
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003679
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003680 /* The operation object should be reusable. */
3681#if defined(KNOWN_SUPPORTED_CIPHER_ALG)
Gilles Peskine449bd832023-01-11 14:50:10 +01003682 if (!exercise_cipher_setup(KNOWN_SUPPORTED_CIPHER_KEY_TYPE,
3683 smoke_test_key_data,
3684 sizeof(smoke_test_key_data),
3685 KNOWN_SUPPORTED_CIPHER_ALG,
3686 &operation, &status)) {
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003687 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01003688 }
3689 TEST_EQUAL(status, PSA_SUCCESS);
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003690#endif
3691
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003692exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003693 psa_cipher_abort(&operation);
3694 PSA_DONE();
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003695}
3696/* END_CASE */
3697
Ronald Cronee414c72021-03-18 18:50:08 +01003698/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_PKCS7 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003699void cipher_bad_order()
Jaeden Ameroab439972019-02-15 14:12:05 +00003700{
Ronald Cron5425a212020-08-04 14:58:35 +02003701 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Jaeden Ameroab439972019-02-15 14:12:05 +00003702 psa_key_type_t key_type = PSA_KEY_TYPE_AES;
3703 psa_algorithm_t alg = PSA_ALG_CBC_PKCS7;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02003704 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Jaeden Ameroab439972019-02-15 14:12:05 +00003705 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
gabor-mezei-armcbcec212020-12-18 14:23:51 +01003706 unsigned char iv[PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES)] = { 0 };
Ronald Cron5425a212020-08-04 14:58:35 +02003707 const uint8_t key_data[] = {
Jaeden Ameroab439972019-02-15 14:12:05 +00003708 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
Gilles Peskine449bd832023-01-11 14:50:10 +01003709 0xaa, 0xaa, 0xaa, 0xaa
3710 };
Jaeden Ameroab439972019-02-15 14:12:05 +00003711 const uint8_t text[] = {
3712 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb,
Gilles Peskine449bd832023-01-11 14:50:10 +01003713 0xbb, 0xbb, 0xbb, 0xbb
3714 };
gabor-mezei-armcbcec212020-12-18 14:23:51 +01003715 uint8_t buffer[PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES)] = { 0 };
Jaeden Ameroab439972019-02-15 14:12:05 +00003716 size_t length = 0;
3717
Gilles Peskine449bd832023-01-11 14:50:10 +01003718 PSA_ASSERT(psa_crypto_init());
3719 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
3720 psa_set_key_algorithm(&attributes, alg);
3721 psa_set_key_type(&attributes, key_type);
3722 PSA_ASSERT(psa_import_key(&attributes, key_data, sizeof(key_data),
3723 &key));
Jaeden Ameroab439972019-02-15 14:12:05 +00003724
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003725 /* Call encrypt setup twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003726 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
3727 ASSERT_OPERATION_IS_ACTIVE(operation);
3728 TEST_EQUAL(psa_cipher_encrypt_setup(&operation, key, alg),
3729 PSA_ERROR_BAD_STATE);
3730 ASSERT_OPERATION_IS_INACTIVE(operation);
3731 PSA_ASSERT(psa_cipher_abort(&operation));
3732 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003733
3734 /* Call decrypt setup twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003735 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
3736 ASSERT_OPERATION_IS_ACTIVE(operation);
3737 TEST_EQUAL(psa_cipher_decrypt_setup(&operation, key, alg),
3738 PSA_ERROR_BAD_STATE);
3739 ASSERT_OPERATION_IS_INACTIVE(operation);
3740 PSA_ASSERT(psa_cipher_abort(&operation));
3741 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003742
Jaeden Ameroab439972019-02-15 14:12:05 +00003743 /* Generate an IV without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003744 TEST_EQUAL(psa_cipher_generate_iv(&operation,
3745 buffer, sizeof(buffer),
3746 &length),
3747 PSA_ERROR_BAD_STATE);
3748 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00003749
3750 /* Generate an IV twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003751 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
3752 PSA_ASSERT(psa_cipher_generate_iv(&operation,
3753 buffer, sizeof(buffer),
3754 &length));
3755 ASSERT_OPERATION_IS_ACTIVE(operation);
3756 TEST_EQUAL(psa_cipher_generate_iv(&operation,
3757 buffer, sizeof(buffer),
3758 &length),
3759 PSA_ERROR_BAD_STATE);
3760 ASSERT_OPERATION_IS_INACTIVE(operation);
3761 PSA_ASSERT(psa_cipher_abort(&operation));
3762 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Ameroab439972019-02-15 14:12:05 +00003763
3764 /* Generate an IV after it's already set. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003765 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
3766 PSA_ASSERT(psa_cipher_set_iv(&operation,
3767 iv, sizeof(iv)));
3768 TEST_EQUAL(psa_cipher_generate_iv(&operation,
3769 buffer, sizeof(buffer),
3770 &length),
3771 PSA_ERROR_BAD_STATE);
3772 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00003773
3774 /* Set an IV without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003775 TEST_EQUAL(psa_cipher_set_iv(&operation,
3776 iv, sizeof(iv)),
3777 PSA_ERROR_BAD_STATE);
3778 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00003779
3780 /* Set an IV after it's already set. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003781 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
3782 PSA_ASSERT(psa_cipher_set_iv(&operation,
3783 iv, sizeof(iv)));
3784 ASSERT_OPERATION_IS_ACTIVE(operation);
3785 TEST_EQUAL(psa_cipher_set_iv(&operation,
3786 iv, sizeof(iv)),
3787 PSA_ERROR_BAD_STATE);
3788 ASSERT_OPERATION_IS_INACTIVE(operation);
3789 PSA_ASSERT(psa_cipher_abort(&operation));
3790 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Ameroab439972019-02-15 14:12:05 +00003791
3792 /* Set an IV after it's already generated. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003793 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
3794 PSA_ASSERT(psa_cipher_generate_iv(&operation,
3795 buffer, sizeof(buffer),
3796 &length));
3797 TEST_EQUAL(psa_cipher_set_iv(&operation,
3798 iv, sizeof(iv)),
3799 PSA_ERROR_BAD_STATE);
3800 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00003801
3802 /* Call update without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003803 TEST_EQUAL(psa_cipher_update(&operation,
3804 text, sizeof(text),
3805 buffer, sizeof(buffer),
3806 &length),
3807 PSA_ERROR_BAD_STATE);
3808 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00003809
3810 /* Call update without an IV where an IV is required. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003811 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
3812 ASSERT_OPERATION_IS_ACTIVE(operation);
3813 TEST_EQUAL(psa_cipher_update(&operation,
3814 text, sizeof(text),
3815 buffer, sizeof(buffer),
3816 &length),
3817 PSA_ERROR_BAD_STATE);
3818 ASSERT_OPERATION_IS_INACTIVE(operation);
3819 PSA_ASSERT(psa_cipher_abort(&operation));
3820 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Ameroab439972019-02-15 14:12:05 +00003821
3822 /* Call update after finish. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003823 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
3824 PSA_ASSERT(psa_cipher_set_iv(&operation,
3825 iv, sizeof(iv)));
3826 PSA_ASSERT(psa_cipher_finish(&operation,
3827 buffer, sizeof(buffer), &length));
3828 TEST_EQUAL(psa_cipher_update(&operation,
3829 text, sizeof(text),
3830 buffer, sizeof(buffer),
3831 &length),
3832 PSA_ERROR_BAD_STATE);
3833 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00003834
3835 /* Call finish without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003836 TEST_EQUAL(psa_cipher_finish(&operation,
3837 buffer, sizeof(buffer), &length),
3838 PSA_ERROR_BAD_STATE);
3839 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00003840
3841 /* Call finish without an IV where an IV is required. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003842 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
Jaeden Ameroab439972019-02-15 14:12:05 +00003843 /* Not calling update means we are encrypting an empty buffer, which is OK
3844 * for cipher modes with padding. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003845 ASSERT_OPERATION_IS_ACTIVE(operation);
3846 TEST_EQUAL(psa_cipher_finish(&operation,
3847 buffer, sizeof(buffer), &length),
3848 PSA_ERROR_BAD_STATE);
3849 ASSERT_OPERATION_IS_INACTIVE(operation);
3850 PSA_ASSERT(psa_cipher_abort(&operation));
3851 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Ameroab439972019-02-15 14:12:05 +00003852
3853 /* Call finish twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003854 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
3855 PSA_ASSERT(psa_cipher_set_iv(&operation,
3856 iv, sizeof(iv)));
3857 PSA_ASSERT(psa_cipher_finish(&operation,
3858 buffer, sizeof(buffer), &length));
3859 TEST_EQUAL(psa_cipher_finish(&operation,
3860 buffer, sizeof(buffer), &length),
3861 PSA_ERROR_BAD_STATE);
3862 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00003863
Gilles Peskine449bd832023-01-11 14:50:10 +01003864 PSA_ASSERT(psa_destroy_key(key));
Gilles Peskine76b29a72019-05-28 14:08:50 +02003865
Jaeden Ameroab439972019-02-15 14:12:05 +00003866exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003867 psa_cipher_abort(&operation);
3868 PSA_DONE();
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003869}
3870/* END_CASE */
3871
3872/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003873void cipher_encrypt_fail(int alg_arg,
3874 int key_type_arg,
3875 data_t *key_data,
3876 data_t *input,
3877 int expected_status_arg)
Gilles Peskine50e586b2018-06-08 14:28:46 +02003878{
Ronald Cron5425a212020-08-04 14:58:35 +02003879 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02003880 psa_status_t status;
3881 psa_key_type_t key_type = key_type_arg;
3882 psa_algorithm_t alg = alg_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02003883 psa_status_t expected_status = expected_status_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01003884 unsigned char iv[PSA_CIPHER_IV_MAX_SIZE] = { 0 };
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01003885 size_t iv_size = PSA_CIPHER_IV_MAX_SIZE;
3886 size_t iv_length = 0;
itayzafrir3e02b3b2018-06-12 17:06:52 +03003887 unsigned char *output = NULL;
Gilles Peskine50e586b2018-06-08 14:28:46 +02003888 size_t output_buffer_size = 0;
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01003889 size_t output_length = 0;
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01003890 size_t function_output_length;
3891 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01003892 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
3893
Gilles Peskine449bd832023-01-11 14:50:10 +01003894 if (PSA_ERROR_BAD_STATE != expected_status) {
3895 PSA_ASSERT(psa_crypto_init());
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01003896
Gilles Peskine449bd832023-01-11 14:50:10 +01003897 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
3898 psa_set_key_algorithm(&attributes, alg);
3899 psa_set_key_type(&attributes, key_type);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01003900
Gilles Peskine449bd832023-01-11 14:50:10 +01003901 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg,
3902 input->len);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01003903 TEST_CALLOC(output, output_buffer_size);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01003904
Gilles Peskine449bd832023-01-11 14:50:10 +01003905 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
3906 &key));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01003907 }
3908
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01003909 /* Encrypt, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003910 status = psa_cipher_encrypt(key, alg, input->x, input->len, output,
3911 output_buffer_size, &output_length);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01003912
Gilles Peskine449bd832023-01-11 14:50:10 +01003913 TEST_EQUAL(status, expected_status);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01003914
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01003915 /* Encrypt, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003916 status = psa_cipher_encrypt_setup(&operation, key, alg);
3917 if (status == PSA_SUCCESS) {
3918 if (alg != PSA_ALG_ECB_NO_PADDING) {
3919 PSA_ASSERT(psa_cipher_generate_iv(&operation,
3920 iv, iv_size,
3921 &iv_length));
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01003922 }
3923
Gilles Peskine449bd832023-01-11 14:50:10 +01003924 status = psa_cipher_update(&operation, input->x, input->len,
3925 output, output_buffer_size,
3926 &function_output_length);
3927 if (status == PSA_SUCCESS) {
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01003928 output_length += function_output_length;
3929
Gilles Peskine449bd832023-01-11 14:50:10 +01003930 status = psa_cipher_finish(&operation, output + output_length,
3931 output_buffer_size - output_length,
3932 &function_output_length);
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01003933
Gilles Peskine449bd832023-01-11 14:50:10 +01003934 TEST_EQUAL(status, expected_status);
3935 } else {
3936 TEST_EQUAL(status, expected_status);
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01003937 }
Gilles Peskine449bd832023-01-11 14:50:10 +01003938 } else {
3939 TEST_EQUAL(status, expected_status);
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01003940 }
3941
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01003942exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003943 psa_cipher_abort(&operation);
3944 mbedtls_free(output);
3945 psa_destroy_key(key);
3946 PSA_DONE();
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01003947}
3948/* END_CASE */
3949
3950/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003951void cipher_encrypt_validate_iv_length(int alg, int key_type, data_t *key_data,
3952 data_t *input, int iv_length,
3953 int expected_result)
Mateusz Starzyked71e922021-10-21 10:04:57 +02003954{
3955 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
3956 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
3957 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
3958 size_t output_buffer_size = 0;
3959 unsigned char *output = NULL;
3960
Gilles Peskine449bd832023-01-11 14:50:10 +01003961 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01003962 TEST_CALLOC(output, output_buffer_size);
Mateusz Starzyked71e922021-10-21 10:04:57 +02003963
Gilles Peskine449bd832023-01-11 14:50:10 +01003964 PSA_ASSERT(psa_crypto_init());
Mateusz Starzyked71e922021-10-21 10:04:57 +02003965
Gilles Peskine449bd832023-01-11 14:50:10 +01003966 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
3967 psa_set_key_algorithm(&attributes, alg);
3968 psa_set_key_type(&attributes, key_type);
Mateusz Starzyked71e922021-10-21 10:04:57 +02003969
Gilles Peskine449bd832023-01-11 14:50:10 +01003970 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
3971 &key));
3972 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
3973 TEST_EQUAL(expected_result, psa_cipher_set_iv(&operation, output,
3974 iv_length));
Mateusz Starzyked71e922021-10-21 10:04:57 +02003975
3976exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003977 psa_cipher_abort(&operation);
3978 mbedtls_free(output);
3979 psa_destroy_key(key);
3980 PSA_DONE();
Mateusz Starzyked71e922021-10-21 10:04:57 +02003981}
3982/* END_CASE */
3983
3984/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003985void cipher_alg_without_iv(int alg_arg, int key_type_arg, data_t *key_data,
3986 data_t *plaintext, data_t *ciphertext)
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01003987{
3988 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
3989 psa_key_type_t key_type = key_type_arg;
3990 psa_algorithm_t alg = alg_arg;
Ronald Cron6c9bb0f2021-07-15 09:38:11 +02003991 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
3992 uint8_t iv[1] = { 0x5a };
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01003993 unsigned char *output = NULL;
3994 size_t output_buffer_size = 0;
Gilles Peskine286c3142022-04-20 17:09:38 +02003995 size_t output_length, length;
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01003996 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
3997
Gilles Peskine449bd832023-01-11 14:50:10 +01003998 PSA_ASSERT(psa_crypto_init());
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01003999
Gilles Peskine9b9b6142022-04-20 16:55:03 +02004000 /* Validate size macros */
Gilles Peskine449bd832023-01-11 14:50:10 +01004001 TEST_LE_U(ciphertext->len,
4002 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext->len));
4003 TEST_LE_U(PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext->len),
4004 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(plaintext->len));
4005 TEST_LE_U(plaintext->len,
4006 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext->len));
4007 TEST_LE_U(PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext->len),
4008 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(ciphertext->len));
Gilles Peskine9e38f2c2022-04-20 17:07:52 +02004009
Gilles Peskine9b9b6142022-04-20 16:55:03 +02004010
4011 /* Set up key and output buffer */
Gilles Peskine449bd832023-01-11 14:50:10 +01004012 psa_set_key_usage_flags(&attributes,
4013 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
4014 psa_set_key_algorithm(&attributes, alg);
4015 psa_set_key_type(&attributes, key_type);
4016 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4017 &key));
4018 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg,
4019 plaintext->len);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004020 TEST_CALLOC(output, output_buffer_size);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004021
Gilles Peskine9b9b6142022-04-20 16:55:03 +02004022 /* set_iv() is not allowed */
Gilles Peskine449bd832023-01-11 14:50:10 +01004023 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4024 TEST_EQUAL(psa_cipher_set_iv(&operation, iv, sizeof(iv)),
4025 PSA_ERROR_BAD_STATE);
4026 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
4027 TEST_EQUAL(psa_cipher_set_iv(&operation, iv, sizeof(iv)),
4028 PSA_ERROR_BAD_STATE);
Ronald Cron6c9bb0f2021-07-15 09:38:11 +02004029
Gilles Peskine9b9b6142022-04-20 16:55:03 +02004030 /* generate_iv() is not allowed */
Gilles Peskine449bd832023-01-11 14:50:10 +01004031 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4032 TEST_EQUAL(psa_cipher_generate_iv(&operation, iv, sizeof(iv),
4033 &length),
4034 PSA_ERROR_BAD_STATE);
4035 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
4036 TEST_EQUAL(psa_cipher_generate_iv(&operation, iv, sizeof(iv),
4037 &length),
4038 PSA_ERROR_BAD_STATE);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004039
Gilles Peskine286c3142022-04-20 17:09:38 +02004040 /* Multipart encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +01004041 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
Gilles Peskine286c3142022-04-20 17:09:38 +02004042 output_length = 0;
4043 length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01004044 PSA_ASSERT(psa_cipher_update(&operation,
4045 plaintext->x, plaintext->len,
4046 output, output_buffer_size,
4047 &length));
4048 TEST_LE_U(length, output_buffer_size);
Gilles Peskine286c3142022-04-20 17:09:38 +02004049 output_length += length;
Gilles Peskine449bd832023-01-11 14:50:10 +01004050 PSA_ASSERT(psa_cipher_finish(&operation,
4051 mbedtls_buffer_offset(output, output_length),
4052 output_buffer_size - output_length,
4053 &length));
Gilles Peskine286c3142022-04-20 17:09:38 +02004054 output_length += length;
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004055 TEST_MEMORY_COMPARE(ciphertext->x, ciphertext->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004056 output, output_length);
Neil Armstrong3ee335d2022-02-07 14:51:37 +01004057
Gilles Peskine286c3142022-04-20 17:09:38 +02004058 /* Multipart encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +01004059 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
Gilles Peskine286c3142022-04-20 17:09:38 +02004060 output_length = 0;
4061 length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01004062 PSA_ASSERT(psa_cipher_update(&operation,
4063 ciphertext->x, ciphertext->len,
4064 output, output_buffer_size,
4065 &length));
4066 TEST_LE_U(length, output_buffer_size);
Gilles Peskine286c3142022-04-20 17:09:38 +02004067 output_length += length;
Gilles Peskine449bd832023-01-11 14:50:10 +01004068 PSA_ASSERT(psa_cipher_finish(&operation,
4069 mbedtls_buffer_offset(output, output_length),
4070 output_buffer_size - output_length,
4071 &length));
Gilles Peskine286c3142022-04-20 17:09:38 +02004072 output_length += length;
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004073 TEST_MEMORY_COMPARE(plaintext->x, plaintext->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004074 output, output_length);
Neil Armstrong3ee335d2022-02-07 14:51:37 +01004075
Gilles Peskine9b9b6142022-04-20 16:55:03 +02004076 /* One-shot encryption */
Gilles Peskine9e38f2c2022-04-20 17:07:52 +02004077 output_length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01004078 PSA_ASSERT(psa_cipher_encrypt(key, alg, plaintext->x, plaintext->len,
4079 output, output_buffer_size,
4080 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004081 TEST_MEMORY_COMPARE(ciphertext->x, ciphertext->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004082 output, output_length);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004083
Gilles Peskine9e38f2c2022-04-20 17:07:52 +02004084 /* One-shot decryption */
4085 output_length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01004086 PSA_ASSERT(psa_cipher_decrypt(key, alg, ciphertext->x, ciphertext->len,
4087 output, output_buffer_size,
4088 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004089 TEST_MEMORY_COMPARE(plaintext->x, plaintext->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004090 output, output_length);
Neil Armstrong3ee335d2022-02-07 14:51:37 +01004091
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004092exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004093 PSA_ASSERT(psa_cipher_abort(&operation));
4094 mbedtls_free(output);
4095 psa_cipher_abort(&operation);
4096 psa_destroy_key(key);
4097 PSA_DONE();
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004098}
4099/* END_CASE */
4100
4101/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004102void cipher_bad_key(int alg_arg, int key_type_arg, data_t *key_data)
Paul Elliotta417f562021-07-14 12:31:21 +01004103{
4104 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4105 psa_algorithm_t alg = alg_arg;
4106 psa_key_type_t key_type = key_type_arg;
4107 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
4108 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
4109 psa_status_t status;
4110
Gilles Peskine449bd832023-01-11 14:50:10 +01004111 PSA_ASSERT(psa_crypto_init());
Paul Elliotta417f562021-07-14 12:31:21 +01004112
Gilles Peskine449bd832023-01-11 14:50:10 +01004113 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
4114 psa_set_key_algorithm(&attributes, alg);
4115 psa_set_key_type(&attributes, key_type);
Paul Elliotta417f562021-07-14 12:31:21 +01004116
4117 /* Usage of either of these two size macros would cause divide by zero
4118 * with incorrect key types previously. Input length should be irrelevant
4119 * here. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004120 TEST_EQUAL(PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, 16),
4121 0);
4122 TEST_EQUAL(PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, 16), 0);
Paul Elliotta417f562021-07-14 12:31:21 +01004123
4124
Gilles Peskine449bd832023-01-11 14:50:10 +01004125 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4126 &key));
Paul Elliotta417f562021-07-14 12:31:21 +01004127
4128 /* Should fail due to invalid alg type (to support invalid key type).
4129 * Encrypt or decrypt will end up in the same place. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004130 status = psa_cipher_encrypt_setup(&operation, key, alg);
Paul Elliotta417f562021-07-14 12:31:21 +01004131
Gilles Peskine449bd832023-01-11 14:50:10 +01004132 TEST_EQUAL(status, PSA_ERROR_INVALID_ARGUMENT);
Paul Elliotta417f562021-07-14 12:31:21 +01004133
4134exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004135 psa_cipher_abort(&operation);
4136 psa_destroy_key(key);
4137 PSA_DONE();
Paul Elliotta417f562021-07-14 12:31:21 +01004138}
4139/* END_CASE */
4140
4141/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004142void cipher_encrypt_validation(int alg_arg,
4143 int key_type_arg,
4144 data_t *key_data,
4145 data_t *input)
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004146{
4147 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4148 psa_key_type_t key_type = key_type_arg;
4149 psa_algorithm_t alg = alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01004150 size_t iv_size = PSA_CIPHER_IV_LENGTH(key_type, alg);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004151 unsigned char *output1 = NULL;
4152 size_t output1_buffer_size = 0;
4153 size_t output1_length = 0;
4154 unsigned char *output2 = NULL;
4155 size_t output2_buffer_size = 0;
4156 size_t output2_length = 0;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004157 size_t function_output_length = 0;
Jaeden Amero5bae2272019-01-04 11:48:27 +00004158 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004159 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004160
Gilles Peskine449bd832023-01-11 14:50:10 +01004161 PSA_ASSERT(psa_crypto_init());
Gilles Peskine50e586b2018-06-08 14:28:46 +02004162
Gilles Peskine449bd832023-01-11 14:50:10 +01004163 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
4164 psa_set_key_algorithm(&attributes, alg);
4165 psa_set_key_type(&attributes, key_type);
Moran Pekered346952018-07-05 15:22:45 +03004166
Gilles Peskine449bd832023-01-11 14:50:10 +01004167 output1_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len);
4168 output2_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len) +
4169 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004170 TEST_CALLOC(output1, output1_buffer_size);
4171 TEST_CALLOC(output2, output2_buffer_size);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004172
Gilles Peskine449bd832023-01-11 14:50:10 +01004173 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4174 &key));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004175
gabor-mezei-arm50c86cf2021-06-25 15:47:50 +02004176 /* The one-shot cipher encryption uses generated iv so validating
4177 the output is not possible. Validating with multipart encryption. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004178 PSA_ASSERT(psa_cipher_encrypt(key, alg, input->x, input->len, output1,
4179 output1_buffer_size, &output1_length));
4180 TEST_LE_U(output1_length,
4181 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len));
4182 TEST_LE_U(output1_length,
4183 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input->len));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004184
Gilles Peskine449bd832023-01-11 14:50:10 +01004185 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4186 PSA_ASSERT(psa_cipher_set_iv(&operation, output1, iv_size));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004187
Gilles Peskine449bd832023-01-11 14:50:10 +01004188 PSA_ASSERT(psa_cipher_update(&operation,
4189 input->x, input->len,
4190 output2, output2_buffer_size,
4191 &function_output_length));
4192 TEST_LE_U(function_output_length,
4193 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len));
4194 TEST_LE_U(function_output_length,
4195 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004196 output2_length += function_output_length;
gabor-mezei-armceface22021-01-21 12:26:17 +01004197
Gilles Peskine449bd832023-01-11 14:50:10 +01004198 PSA_ASSERT(psa_cipher_finish(&operation,
4199 output2 + output2_length,
4200 output2_buffer_size - output2_length,
4201 &function_output_length));
4202 TEST_LE_U(function_output_length,
4203 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg));
4204 TEST_LE_U(function_output_length,
4205 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004206 output2_length += function_output_length;
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004207
Gilles Peskine449bd832023-01-11 14:50:10 +01004208 PSA_ASSERT(psa_cipher_abort(&operation));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004209 TEST_MEMORY_COMPARE(output1 + iv_size, output1_length - iv_size,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004210 output2, output2_length);
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004211
Gilles Peskine50e586b2018-06-08 14:28:46 +02004212exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004213 psa_cipher_abort(&operation);
4214 mbedtls_free(output1);
4215 mbedtls_free(output2);
4216 psa_destroy_key(key);
4217 PSA_DONE();
Gilles Peskine50e586b2018-06-08 14:28:46 +02004218}
4219/* END_CASE */
4220
4221/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004222void cipher_encrypt_multipart(int alg_arg, int key_type_arg,
4223 data_t *key_data, data_t *iv,
4224 data_t *input,
4225 int first_part_size_arg,
4226 int output1_length_arg, int output2_length_arg,
4227 data_t *expected_output,
4228 int expected_status_arg)
Gilles Peskine50e586b2018-06-08 14:28:46 +02004229{
Ronald Cron5425a212020-08-04 14:58:35 +02004230 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004231 psa_key_type_t key_type = key_type_arg;
4232 psa_algorithm_t alg = alg_arg;
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004233 psa_status_t status;
4234 psa_status_t expected_status = expected_status_arg;
Gilles Peskinee0866522019-02-19 19:44:00 +01004235 size_t first_part_size = first_part_size_arg;
4236 size_t output1_length = output1_length_arg;
4237 size_t output2_length = output2_length_arg;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004238 unsigned char *output = NULL;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004239 size_t output_buffer_size = 0;
4240 size_t function_output_length = 0;
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004241 size_t total_output_length = 0;
Jaeden Amero5bae2272019-01-04 11:48:27 +00004242 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004243 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004244
Gilles Peskine449bd832023-01-11 14:50:10 +01004245 PSA_ASSERT(psa_crypto_init());
Gilles Peskine50e586b2018-06-08 14:28:46 +02004246
Gilles Peskine449bd832023-01-11 14:50:10 +01004247 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
4248 psa_set_key_algorithm(&attributes, alg);
4249 psa_set_key_type(&attributes, key_type);
Moran Pekered346952018-07-05 15:22:45 +03004250
Gilles Peskine449bd832023-01-11 14:50:10 +01004251 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4252 &key));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004253
Gilles Peskine449bd832023-01-11 14:50:10 +01004254 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004255
Gilles Peskine449bd832023-01-11 14:50:10 +01004256 if (iv->len > 0) {
4257 PSA_ASSERT(psa_cipher_set_iv(&operation, iv->x, iv->len));
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004258 }
4259
Gilles Peskine449bd832023-01-11 14:50:10 +01004260 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len) +
4261 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004262 TEST_CALLOC(output, output_buffer_size);
Gilles Peskine50e586b2018-06-08 14:28:46 +02004263
Gilles Peskine449bd832023-01-11 14:50:10 +01004264 TEST_LE_U(first_part_size, input->len);
4265 PSA_ASSERT(psa_cipher_update(&operation, input->x, first_part_size,
4266 output, output_buffer_size,
4267 &function_output_length));
4268 TEST_ASSERT(function_output_length == output1_length);
4269 TEST_LE_U(function_output_length,
4270 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size));
4271 TEST_LE_U(function_output_length,
4272 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size));
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004273 total_output_length += function_output_length;
gabor-mezei-armceface22021-01-21 12:26:17 +01004274
Gilles Peskine449bd832023-01-11 14:50:10 +01004275 if (first_part_size < input->len) {
4276 PSA_ASSERT(psa_cipher_update(&operation,
4277 input->x + first_part_size,
4278 input->len - first_part_size,
4279 (output_buffer_size == 0 ? NULL :
4280 output + total_output_length),
4281 output_buffer_size - total_output_length,
4282 &function_output_length));
4283 TEST_ASSERT(function_output_length == output2_length);
4284 TEST_LE_U(function_output_length,
4285 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type,
4286 alg,
4287 input->len - first_part_size));
4288 TEST_LE_U(function_output_length,
4289 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len));
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004290 total_output_length += function_output_length;
4291 }
gabor-mezei-armceface22021-01-21 12:26:17 +01004292
Gilles Peskine449bd832023-01-11 14:50:10 +01004293 status = psa_cipher_finish(&operation,
4294 (output_buffer_size == 0 ? NULL :
4295 output + total_output_length),
4296 output_buffer_size - total_output_length,
4297 &function_output_length);
4298 TEST_LE_U(function_output_length,
4299 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg));
4300 TEST_LE_U(function_output_length,
4301 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE);
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004302 total_output_length += function_output_length;
Gilles Peskine449bd832023-01-11 14:50:10 +01004303 TEST_EQUAL(status, expected_status);
Gilles Peskine50e586b2018-06-08 14:28:46 +02004304
Gilles Peskine449bd832023-01-11 14:50:10 +01004305 if (expected_status == PSA_SUCCESS) {
4306 PSA_ASSERT(psa_cipher_abort(&operation));
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004307
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004308 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004309 output, total_output_length);
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004310 }
Gilles Peskine50e586b2018-06-08 14:28:46 +02004311
4312exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004313 psa_cipher_abort(&operation);
4314 mbedtls_free(output);
4315 psa_destroy_key(key);
4316 PSA_DONE();
Gilles Peskine50e586b2018-06-08 14:28:46 +02004317}
4318/* END_CASE */
4319
4320/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004321void cipher_decrypt_multipart(int alg_arg, int key_type_arg,
4322 data_t *key_data, data_t *iv,
4323 data_t *input,
4324 int first_part_size_arg,
4325 int output1_length_arg, int output2_length_arg,
4326 data_t *expected_output,
4327 int expected_status_arg)
Gilles Peskine50e586b2018-06-08 14:28:46 +02004328{
Ronald Cron5425a212020-08-04 14:58:35 +02004329 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004330 psa_key_type_t key_type = key_type_arg;
4331 psa_algorithm_t alg = alg_arg;
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004332 psa_status_t status;
4333 psa_status_t expected_status = expected_status_arg;
Gilles Peskinee0866522019-02-19 19:44:00 +01004334 size_t first_part_size = first_part_size_arg;
4335 size_t output1_length = output1_length_arg;
4336 size_t output2_length = output2_length_arg;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004337 unsigned char *output = NULL;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004338 size_t output_buffer_size = 0;
4339 size_t function_output_length = 0;
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004340 size_t total_output_length = 0;
Jaeden Amero5bae2272019-01-04 11:48:27 +00004341 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004342 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004343
Gilles Peskine449bd832023-01-11 14:50:10 +01004344 PSA_ASSERT(psa_crypto_init());
Gilles Peskine50e586b2018-06-08 14:28:46 +02004345
Gilles Peskine449bd832023-01-11 14:50:10 +01004346 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
4347 psa_set_key_algorithm(&attributes, alg);
4348 psa_set_key_type(&attributes, key_type);
Moran Pekered346952018-07-05 15:22:45 +03004349
Gilles Peskine449bd832023-01-11 14:50:10 +01004350 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4351 &key));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004352
Gilles Peskine449bd832023-01-11 14:50:10 +01004353 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004354
Gilles Peskine449bd832023-01-11 14:50:10 +01004355 if (iv->len > 0) {
4356 PSA_ASSERT(psa_cipher_set_iv(&operation, iv->x, iv->len));
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004357 }
Gilles Peskine50e586b2018-06-08 14:28:46 +02004358
Gilles Peskine449bd832023-01-11 14:50:10 +01004359 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len) +
4360 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004361 TEST_CALLOC(output, output_buffer_size);
Gilles Peskine50e586b2018-06-08 14:28:46 +02004362
Gilles Peskine449bd832023-01-11 14:50:10 +01004363 TEST_LE_U(first_part_size, input->len);
4364 PSA_ASSERT(psa_cipher_update(&operation,
4365 input->x, first_part_size,
4366 output, output_buffer_size,
4367 &function_output_length));
4368 TEST_ASSERT(function_output_length == output1_length);
4369 TEST_LE_U(function_output_length,
4370 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size));
4371 TEST_LE_U(function_output_length,
4372 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size));
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004373 total_output_length += function_output_length;
gabor-mezei-armceface22021-01-21 12:26:17 +01004374
Gilles Peskine449bd832023-01-11 14:50:10 +01004375 if (first_part_size < input->len) {
4376 PSA_ASSERT(psa_cipher_update(&operation,
4377 input->x + first_part_size,
4378 input->len - first_part_size,
4379 (output_buffer_size == 0 ? NULL :
4380 output + total_output_length),
4381 output_buffer_size - total_output_length,
4382 &function_output_length));
4383 TEST_ASSERT(function_output_length == output2_length);
4384 TEST_LE_U(function_output_length,
4385 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type,
4386 alg,
4387 input->len - first_part_size));
4388 TEST_LE_U(function_output_length,
4389 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len));
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004390 total_output_length += function_output_length;
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004391 }
Gilles Peskine50e586b2018-06-08 14:28:46 +02004392
Gilles Peskine449bd832023-01-11 14:50:10 +01004393 status = psa_cipher_finish(&operation,
4394 (output_buffer_size == 0 ? NULL :
4395 output + total_output_length),
4396 output_buffer_size - total_output_length,
4397 &function_output_length);
4398 TEST_LE_U(function_output_length,
4399 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg));
4400 TEST_LE_U(function_output_length,
4401 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE);
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004402 total_output_length += function_output_length;
Gilles Peskine449bd832023-01-11 14:50:10 +01004403 TEST_EQUAL(status, expected_status);
Gilles Peskine50e586b2018-06-08 14:28:46 +02004404
Gilles Peskine449bd832023-01-11 14:50:10 +01004405 if (expected_status == PSA_SUCCESS) {
4406 PSA_ASSERT(psa_cipher_abort(&operation));
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004407
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004408 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004409 output, total_output_length);
Gilles Peskine50e586b2018-06-08 14:28:46 +02004410 }
4411
Gilles Peskine50e586b2018-06-08 14:28:46 +02004412exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004413 psa_cipher_abort(&operation);
4414 mbedtls_free(output);
4415 psa_destroy_key(key);
4416 PSA_DONE();
Gilles Peskine50e586b2018-06-08 14:28:46 +02004417}
4418/* END_CASE */
4419
Gilles Peskine50e586b2018-06-08 14:28:46 +02004420/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004421void cipher_decrypt_fail(int alg_arg,
4422 int key_type_arg,
4423 data_t *key_data,
4424 data_t *iv,
4425 data_t *input_arg,
4426 int expected_status_arg)
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004427{
4428 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4429 psa_status_t status;
4430 psa_key_type_t key_type = key_type_arg;
4431 psa_algorithm_t alg = alg_arg;
4432 psa_status_t expected_status = expected_status_arg;
4433 unsigned char *input = NULL;
4434 size_t input_buffer_size = 0;
4435 unsigned char *output = NULL;
Neil Armstrong66a479f2022-02-07 15:41:19 +01004436 unsigned char *output_multi = NULL;
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004437 size_t output_buffer_size = 0;
4438 size_t output_length = 0;
Neil Armstrong66a479f2022-02-07 15:41:19 +01004439 size_t function_output_length;
4440 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004441 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
4442
Gilles Peskine449bd832023-01-11 14:50:10 +01004443 if (PSA_ERROR_BAD_STATE != expected_status) {
4444 PSA_ASSERT(psa_crypto_init());
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004445
Gilles Peskine449bd832023-01-11 14:50:10 +01004446 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
4447 psa_set_key_algorithm(&attributes, alg);
4448 psa_set_key_type(&attributes, key_type);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004449
Gilles Peskine449bd832023-01-11 14:50:10 +01004450 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4451 &key));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004452 }
4453
4454 /* Allocate input buffer and copy the iv and the plaintext */
Gilles Peskine449bd832023-01-11 14:50:10 +01004455 input_buffer_size = ((size_t) input_arg->len + (size_t) iv->len);
4456 if (input_buffer_size > 0) {
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004457 TEST_CALLOC(input, input_buffer_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01004458 memcpy(input, iv->x, iv->len);
4459 memcpy(input + iv->len, input_arg->x, input_arg->len);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004460 }
4461
Gilles Peskine449bd832023-01-11 14:50:10 +01004462 output_buffer_size = PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_buffer_size);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004463 TEST_CALLOC(output, output_buffer_size);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004464
Neil Armstrong66a479f2022-02-07 15:41:19 +01004465 /* Decrypt, one-short */
Gilles Peskine449bd832023-01-11 14:50:10 +01004466 status = psa_cipher_decrypt(key, alg, input, input_buffer_size, output,
4467 output_buffer_size, &output_length);
4468 TEST_EQUAL(status, expected_status);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004469
Neil Armstrong66a479f2022-02-07 15:41:19 +01004470 /* Decrypt, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01004471 status = psa_cipher_decrypt_setup(&operation, key, alg);
4472 if (status == PSA_SUCCESS) {
4473 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg,
4474 input_arg->len) +
4475 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004476 TEST_CALLOC(output_multi, output_buffer_size);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004477
Gilles Peskine449bd832023-01-11 14:50:10 +01004478 if (iv->len > 0) {
4479 status = psa_cipher_set_iv(&operation, iv->x, iv->len);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004480
Gilles Peskine449bd832023-01-11 14:50:10 +01004481 if (status != PSA_SUCCESS) {
4482 TEST_EQUAL(status, expected_status);
4483 }
Neil Armstrong66a479f2022-02-07 15:41:19 +01004484 }
4485
Gilles Peskine449bd832023-01-11 14:50:10 +01004486 if (status == PSA_SUCCESS) {
4487 status = psa_cipher_update(&operation,
4488 input_arg->x, input_arg->len,
4489 output_multi, output_buffer_size,
4490 &function_output_length);
4491 if (status == PSA_SUCCESS) {
Neil Armstrong66a479f2022-02-07 15:41:19 +01004492 output_length = function_output_length;
4493
Gilles Peskine449bd832023-01-11 14:50:10 +01004494 status = psa_cipher_finish(&operation,
4495 output_multi + output_length,
4496 output_buffer_size - output_length,
4497 &function_output_length);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004498
Gilles Peskine449bd832023-01-11 14:50:10 +01004499 TEST_EQUAL(status, expected_status);
4500 } else {
4501 TEST_EQUAL(status, expected_status);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004502 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004503 } else {
4504 TEST_EQUAL(status, expected_status);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004505 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004506 } else {
4507 TEST_EQUAL(status, expected_status);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004508 }
4509
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004510exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004511 psa_cipher_abort(&operation);
4512 mbedtls_free(input);
4513 mbedtls_free(output);
4514 mbedtls_free(output_multi);
4515 psa_destroy_key(key);
4516 PSA_DONE();
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004517}
4518/* END_CASE */
4519
4520/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004521void cipher_decrypt(int alg_arg,
4522 int key_type_arg,
4523 data_t *key_data,
4524 data_t *iv,
4525 data_t *input_arg,
4526 data_t *expected_output)
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004527{
4528 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4529 psa_key_type_t key_type = key_type_arg;
4530 psa_algorithm_t alg = alg_arg;
4531 unsigned char *input = NULL;
4532 size_t input_buffer_size = 0;
4533 unsigned char *output = NULL;
4534 size_t output_buffer_size = 0;
4535 size_t output_length = 0;
4536 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
4537
Gilles Peskine449bd832023-01-11 14:50:10 +01004538 PSA_ASSERT(psa_crypto_init());
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004539
Gilles Peskine449bd832023-01-11 14:50:10 +01004540 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
4541 psa_set_key_algorithm(&attributes, alg);
4542 psa_set_key_type(&attributes, key_type);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004543
4544 /* Allocate input buffer and copy the iv and the plaintext */
Gilles Peskine449bd832023-01-11 14:50:10 +01004545 input_buffer_size = ((size_t) input_arg->len + (size_t) iv->len);
4546 if (input_buffer_size > 0) {
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004547 TEST_CALLOC(input, input_buffer_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01004548 memcpy(input, iv->x, iv->len);
4549 memcpy(input + iv->len, input_arg->x, input_arg->len);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004550 }
4551
Gilles Peskine449bd832023-01-11 14:50:10 +01004552 output_buffer_size = PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_buffer_size);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004553 TEST_CALLOC(output, output_buffer_size);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004554
Gilles Peskine449bd832023-01-11 14:50:10 +01004555 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4556 &key));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004557
Gilles Peskine449bd832023-01-11 14:50:10 +01004558 PSA_ASSERT(psa_cipher_decrypt(key, alg, input, input_buffer_size, output,
4559 output_buffer_size, &output_length));
4560 TEST_LE_U(output_length,
4561 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_buffer_size));
4562 TEST_LE_U(output_length,
4563 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(input_buffer_size));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004564
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004565 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004566 output, output_length);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004567exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004568 mbedtls_free(input);
4569 mbedtls_free(output);
4570 psa_destroy_key(key);
4571 PSA_DONE();
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004572}
4573/* END_CASE */
4574
4575/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004576void cipher_verify_output(int alg_arg,
4577 int key_type_arg,
4578 data_t *key_data,
4579 data_t *input)
mohammad1603d7d7ba52018-03-12 18:51:53 +02004580{
Ronald Cron5425a212020-08-04 14:58:35 +02004581 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
mohammad1603d7d7ba52018-03-12 18:51:53 +02004582 psa_key_type_t key_type = key_type_arg;
4583 psa_algorithm_t alg = alg_arg;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004584 unsigned char *output1 = NULL;
mohammad1603d7d7ba52018-03-12 18:51:53 +02004585 size_t output1_size = 0;
4586 size_t output1_length = 0;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004587 unsigned char *output2 = NULL;
mohammad1603d7d7ba52018-03-12 18:51:53 +02004588 size_t output2_size = 0;
4589 size_t output2_length = 0;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004590 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
mohammad1603d7d7ba52018-03-12 18:51:53 +02004591
Gilles Peskine449bd832023-01-11 14:50:10 +01004592 PSA_ASSERT(psa_crypto_init());
mohammad1603d7d7ba52018-03-12 18:51:53 +02004593
Gilles Peskine449bd832023-01-11 14:50:10 +01004594 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
4595 psa_set_key_algorithm(&attributes, alg);
4596 psa_set_key_type(&attributes, key_type);
Moran Pekered346952018-07-05 15:22:45 +03004597
Gilles Peskine449bd832023-01-11 14:50:10 +01004598 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4599 &key));
4600 output1_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004601 TEST_CALLOC(output1, output1_size);
Moran Pekerded84402018-06-06 16:36:50 +03004602
Gilles Peskine449bd832023-01-11 14:50:10 +01004603 PSA_ASSERT(psa_cipher_encrypt(key, alg, input->x, input->len,
4604 output1, output1_size,
4605 &output1_length));
4606 TEST_LE_U(output1_length,
4607 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len));
4608 TEST_LE_U(output1_length,
4609 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input->len));
Moran Pekerded84402018-06-06 16:36:50 +03004610
4611 output2_size = output1_length;
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004612 TEST_CALLOC(output2, output2_size);
Moran Pekerded84402018-06-06 16:36:50 +03004613
Gilles Peskine449bd832023-01-11 14:50:10 +01004614 PSA_ASSERT(psa_cipher_decrypt(key, alg, output1, output1_length,
4615 output2, output2_size,
4616 &output2_length));
4617 TEST_LE_U(output2_length,
4618 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, output1_length));
4619 TEST_LE_U(output2_length,
4620 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(output1_length));
Moran Pekerded84402018-06-06 16:36:50 +03004621
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004622 TEST_MEMORY_COMPARE(input->x, input->len, output2, output2_length);
Moran Pekerded84402018-06-06 16:36:50 +03004623
4624exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004625 mbedtls_free(output1);
4626 mbedtls_free(output2);
4627 psa_destroy_key(key);
4628 PSA_DONE();
Moran Pekerded84402018-06-06 16:36:50 +03004629}
4630/* END_CASE */
4631
4632/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004633void cipher_verify_output_multipart(int alg_arg,
4634 int key_type_arg,
4635 data_t *key_data,
4636 data_t *input,
4637 int first_part_size_arg)
Moran Pekerded84402018-06-06 16:36:50 +03004638{
Ronald Cron5425a212020-08-04 14:58:35 +02004639 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Moran Pekerded84402018-06-06 16:36:50 +03004640 psa_key_type_t key_type = key_type_arg;
4641 psa_algorithm_t alg = alg_arg;
Gilles Peskinee0866522019-02-19 19:44:00 +01004642 size_t first_part_size = first_part_size_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01004643 unsigned char iv[16] = { 0 };
Moran Pekerded84402018-06-06 16:36:50 +03004644 size_t iv_size = 16;
4645 size_t iv_length = 0;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004646 unsigned char *output1 = NULL;
Gilles Peskine048b7f02018-06-08 14:20:49 +02004647 size_t output1_buffer_size = 0;
Moran Pekerded84402018-06-06 16:36:50 +03004648 size_t output1_length = 0;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004649 unsigned char *output2 = NULL;
Gilles Peskine048b7f02018-06-08 14:20:49 +02004650 size_t output2_buffer_size = 0;
Moran Pekerded84402018-06-06 16:36:50 +03004651 size_t output2_length = 0;
Gilles Peskine048b7f02018-06-08 14:20:49 +02004652 size_t function_output_length;
Jaeden Amero5bae2272019-01-04 11:48:27 +00004653 psa_cipher_operation_t operation1 = PSA_CIPHER_OPERATION_INIT;
4654 psa_cipher_operation_t operation2 = PSA_CIPHER_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004655 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Moran Pekerded84402018-06-06 16:36:50 +03004656
Gilles Peskine449bd832023-01-11 14:50:10 +01004657 PSA_ASSERT(psa_crypto_init());
Moran Pekerded84402018-06-06 16:36:50 +03004658
Gilles Peskine449bd832023-01-11 14:50:10 +01004659 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
4660 psa_set_key_algorithm(&attributes, alg);
4661 psa_set_key_type(&attributes, key_type);
Moran Pekered346952018-07-05 15:22:45 +03004662
Gilles Peskine449bd832023-01-11 14:50:10 +01004663 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4664 &key));
Moran Pekerded84402018-06-06 16:36:50 +03004665
Gilles Peskine449bd832023-01-11 14:50:10 +01004666 PSA_ASSERT(psa_cipher_encrypt_setup(&operation1, key, alg));
4667 PSA_ASSERT(psa_cipher_decrypt_setup(&operation2, key, alg));
Moran Pekerded84402018-06-06 16:36:50 +03004668
Gilles Peskine449bd832023-01-11 14:50:10 +01004669 if (alg != PSA_ALG_ECB_NO_PADDING) {
4670 PSA_ASSERT(psa_cipher_generate_iv(&operation1,
4671 iv, iv_size,
4672 &iv_length));
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004673 }
4674
Gilles Peskine449bd832023-01-11 14:50:10 +01004675 output1_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len);
4676 TEST_LE_U(output1_buffer_size,
4677 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input->len));
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004678 TEST_CALLOC(output1, output1_buffer_size);
Moran Pekerded84402018-06-06 16:36:50 +03004679
Gilles Peskine449bd832023-01-11 14:50:10 +01004680 TEST_LE_U(first_part_size, input->len);
Gilles Peskine4ca9c3f2018-06-06 18:44:09 +02004681
Gilles Peskine449bd832023-01-11 14:50:10 +01004682 PSA_ASSERT(psa_cipher_update(&operation1, input->x, first_part_size,
4683 output1, output1_buffer_size,
4684 &function_output_length));
4685 TEST_LE_U(function_output_length,
4686 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size));
4687 TEST_LE_U(function_output_length,
4688 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size));
Gilles Peskine048b7f02018-06-08 14:20:49 +02004689 output1_length += function_output_length;
Moran Pekerded84402018-06-06 16:36:50 +03004690
Gilles Peskine449bd832023-01-11 14:50:10 +01004691 PSA_ASSERT(psa_cipher_update(&operation1,
4692 input->x + first_part_size,
4693 input->len - first_part_size,
4694 output1, output1_buffer_size,
4695 &function_output_length));
4696 TEST_LE_U(function_output_length,
4697 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type,
4698 alg,
4699 input->len - first_part_size));
4700 TEST_LE_U(function_output_length,
4701 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len - first_part_size));
Gilles Peskine048b7f02018-06-08 14:20:49 +02004702 output1_length += function_output_length;
Moran Pekerded84402018-06-06 16:36:50 +03004703
Gilles Peskine449bd832023-01-11 14:50:10 +01004704 PSA_ASSERT(psa_cipher_finish(&operation1,
4705 output1 + output1_length,
4706 output1_buffer_size - output1_length,
4707 &function_output_length));
4708 TEST_LE_U(function_output_length,
4709 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg));
4710 TEST_LE_U(function_output_length,
4711 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE);
Gilles Peskine048b7f02018-06-08 14:20:49 +02004712 output1_length += function_output_length;
mohammad1603d7d7ba52018-03-12 18:51:53 +02004713
Gilles Peskine449bd832023-01-11 14:50:10 +01004714 PSA_ASSERT(psa_cipher_abort(&operation1));
mohammad1603d7d7ba52018-03-12 18:51:53 +02004715
Gilles Peskine048b7f02018-06-08 14:20:49 +02004716 output2_buffer_size = output1_length;
Gilles Peskine449bd832023-01-11 14:50:10 +01004717 TEST_LE_U(output2_buffer_size,
4718 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, output1_length));
4719 TEST_LE_U(output2_buffer_size,
4720 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(output1_length));
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004721 TEST_CALLOC(output2, output2_buffer_size);
mohammad1603d7d7ba52018-03-12 18:51:53 +02004722
Gilles Peskine449bd832023-01-11 14:50:10 +01004723 if (iv_length > 0) {
4724 PSA_ASSERT(psa_cipher_set_iv(&operation2,
4725 iv, iv_length));
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004726 }
Moran Pekerded84402018-06-06 16:36:50 +03004727
Gilles Peskine449bd832023-01-11 14:50:10 +01004728 PSA_ASSERT(psa_cipher_update(&operation2, output1, first_part_size,
4729 output2, output2_buffer_size,
4730 &function_output_length));
4731 TEST_LE_U(function_output_length,
4732 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size));
4733 TEST_LE_U(function_output_length,
4734 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size));
Gilles Peskine048b7f02018-06-08 14:20:49 +02004735 output2_length += function_output_length;
Moran Pekerded84402018-06-06 16:36:50 +03004736
Gilles Peskine449bd832023-01-11 14:50:10 +01004737 PSA_ASSERT(psa_cipher_update(&operation2,
4738 output1 + first_part_size,
4739 output1_length - first_part_size,
4740 output2, output2_buffer_size,
4741 &function_output_length));
4742 TEST_LE_U(function_output_length,
4743 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type,
4744 alg,
4745 output1_length - first_part_size));
4746 TEST_LE_U(function_output_length,
4747 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(output1_length - first_part_size));
Gilles Peskine048b7f02018-06-08 14:20:49 +02004748 output2_length += function_output_length;
Moran Pekerded84402018-06-06 16:36:50 +03004749
Gilles Peskine449bd832023-01-11 14:50:10 +01004750 PSA_ASSERT(psa_cipher_finish(&operation2,
4751 output2 + output2_length,
4752 output2_buffer_size - output2_length,
4753 &function_output_length));
4754 TEST_LE_U(function_output_length,
4755 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg));
4756 TEST_LE_U(function_output_length,
4757 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE);
Gilles Peskine048b7f02018-06-08 14:20:49 +02004758 output2_length += function_output_length;
Gilles Peskine4ca9c3f2018-06-06 18:44:09 +02004759
Gilles Peskine449bd832023-01-11 14:50:10 +01004760 PSA_ASSERT(psa_cipher_abort(&operation2));
mohammad1603d7d7ba52018-03-12 18:51:53 +02004761
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004762 TEST_MEMORY_COMPARE(input->x, input->len, output2, output2_length);
mohammad1603d7d7ba52018-03-12 18:51:53 +02004763
4764exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004765 psa_cipher_abort(&operation1);
4766 psa_cipher_abort(&operation2);
4767 mbedtls_free(output1);
4768 mbedtls_free(output2);
4769 psa_destroy_key(key);
4770 PSA_DONE();
mohammad1603d7d7ba52018-03-12 18:51:53 +02004771}
4772/* END_CASE */
Gilles Peskine7268afc2018-06-06 15:19:24 +02004773
Gilles Peskine20035e32018-02-03 22:44:14 +01004774/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004775void aead_encrypt_decrypt(int key_type_arg, data_t *key_data,
4776 int alg_arg,
4777 data_t *nonce,
4778 data_t *additional_data,
4779 data_t *input_data,
4780 int expected_result_arg)
Gilles Peskinea1cac842018-06-11 19:33:02 +02004781{
Ronald Cron5425a212020-08-04 14:58:35 +02004782 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinea1cac842018-06-11 19:33:02 +02004783 psa_key_type_t key_type = key_type_arg;
4784 psa_algorithm_t alg = alg_arg;
Bence Szépkútiec174e22021-03-19 18:46:15 +01004785 size_t key_bits;
Gilles Peskinea1cac842018-06-11 19:33:02 +02004786 unsigned char *output_data = NULL;
4787 size_t output_size = 0;
4788 size_t output_length = 0;
4789 unsigned char *output_data2 = NULL;
4790 size_t output_length2 = 0;
Steven Cooremanf49478b2021-02-15 15:19:25 +01004791 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
Gilles Peskine4abf7412018-06-18 16:35:34 +02004792 psa_status_t expected_result = expected_result_arg;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004793 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinea1cac842018-06-11 19:33:02 +02004794
Gilles Peskine449bd832023-01-11 14:50:10 +01004795 PSA_ASSERT(psa_crypto_init());
Gilles Peskinea1cac842018-06-11 19:33:02 +02004796
Gilles Peskine449bd832023-01-11 14:50:10 +01004797 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
4798 psa_set_key_algorithm(&attributes, alg);
4799 psa_set_key_type(&attributes, key_type);
Gilles Peskinea1cac842018-06-11 19:33:02 +02004800
Gilles Peskine449bd832023-01-11 14:50:10 +01004801 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4802 &key));
4803 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
4804 key_bits = psa_get_key_bits(&attributes);
Bence Szépkútiec174e22021-03-19 18:46:15 +01004805
Gilles Peskine449bd832023-01-11 14:50:10 +01004806 output_size = input_data->len + PSA_AEAD_TAG_LENGTH(key_type, key_bits,
4807 alg);
Bence Szépkútiec174e22021-03-19 18:46:15 +01004808 /* For all currently defined algorithms, PSA_AEAD_ENCRYPT_OUTPUT_SIZE
4809 * should be exact. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004810 if (expected_result != PSA_ERROR_INVALID_ARGUMENT &&
4811 expected_result != PSA_ERROR_NOT_SUPPORTED) {
4812 TEST_EQUAL(output_size,
4813 PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_data->len));
4814 TEST_LE_U(output_size,
4815 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(input_data->len));
Bence Szépkútiec174e22021-03-19 18:46:15 +01004816 }
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004817 TEST_CALLOC(output_data, output_size);
Gilles Peskinea1cac842018-06-11 19:33:02 +02004818
Gilles Peskine449bd832023-01-11 14:50:10 +01004819 status = psa_aead_encrypt(key, alg,
4820 nonce->x, nonce->len,
4821 additional_data->x,
4822 additional_data->len,
4823 input_data->x, input_data->len,
4824 output_data, output_size,
4825 &output_length);
Steven Cooremanf49478b2021-02-15 15:19:25 +01004826
4827 /* If the operation is not supported, just skip and not fail in case the
4828 * encryption involves a common limitation of cryptography hardwares and
4829 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004830 if (status == PSA_ERROR_NOT_SUPPORTED) {
4831 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
4832 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Steven Cooremanf49478b2021-02-15 15:19:25 +01004833 }
4834
Gilles Peskine449bd832023-01-11 14:50:10 +01004835 TEST_EQUAL(status, expected_result);
Gilles Peskinea1cac842018-06-11 19:33:02 +02004836
Gilles Peskine449bd832023-01-11 14:50:10 +01004837 if (PSA_SUCCESS == expected_result) {
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004838 TEST_CALLOC(output_data2, output_length);
Gilles Peskinea1cac842018-06-11 19:33:02 +02004839
Gilles Peskine003a4a92019-05-14 16:09:40 +02004840 /* For all currently defined algorithms, PSA_AEAD_DECRYPT_OUTPUT_SIZE
4841 * should be exact. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004842 TEST_EQUAL(input_data->len,
4843 PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, output_length));
Gilles Peskine003a4a92019-05-14 16:09:40 +02004844
Gilles Peskine449bd832023-01-11 14:50:10 +01004845 TEST_LE_U(input_data->len,
4846 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(output_length));
gabor-mezei-armceface22021-01-21 12:26:17 +01004847
Gilles Peskine449bd832023-01-11 14:50:10 +01004848 TEST_EQUAL(psa_aead_decrypt(key, alg,
4849 nonce->x, nonce->len,
4850 additional_data->x,
4851 additional_data->len,
4852 output_data, output_length,
4853 output_data2, output_length,
4854 &output_length2),
4855 expected_result);
Gilles Peskine2d277862018-06-18 15:41:12 +02004856
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004857 TEST_MEMORY_COMPARE(input_data->x, input_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004858 output_data2, output_length2);
Gilles Peskinea1cac842018-06-11 19:33:02 +02004859 }
Gilles Peskine2d277862018-06-18 15:41:12 +02004860
Gilles Peskinea1cac842018-06-11 19:33:02 +02004861exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004862 psa_destroy_key(key);
4863 mbedtls_free(output_data);
4864 mbedtls_free(output_data2);
4865 PSA_DONE();
Gilles Peskinea1cac842018-06-11 19:33:02 +02004866}
4867/* END_CASE */
4868
4869/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004870void aead_encrypt(int key_type_arg, data_t *key_data,
4871 int alg_arg,
4872 data_t *nonce,
4873 data_t *additional_data,
4874 data_t *input_data,
4875 data_t *expected_result)
Gilles Peskinea1cac842018-06-11 19:33:02 +02004876{
Ronald Cron5425a212020-08-04 14:58:35 +02004877 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinea1cac842018-06-11 19:33:02 +02004878 psa_key_type_t key_type = key_type_arg;
4879 psa_algorithm_t alg = alg_arg;
Bence Szépkútiec174e22021-03-19 18:46:15 +01004880 size_t key_bits;
Gilles Peskinea1cac842018-06-11 19:33:02 +02004881 unsigned char *output_data = NULL;
4882 size_t output_size = 0;
4883 size_t output_length = 0;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004884 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Steven Cooremand588ea12021-01-11 19:36:04 +01004885 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
Gilles Peskinea1cac842018-06-11 19:33:02 +02004886
Gilles Peskine449bd832023-01-11 14:50:10 +01004887 PSA_ASSERT(psa_crypto_init());
Gilles Peskinea1cac842018-06-11 19:33:02 +02004888
Gilles Peskine449bd832023-01-11 14:50:10 +01004889 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
4890 psa_set_key_algorithm(&attributes, alg);
4891 psa_set_key_type(&attributes, key_type);
Gilles Peskinea1cac842018-06-11 19:33:02 +02004892
Gilles Peskine449bd832023-01-11 14:50:10 +01004893 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4894 &key));
4895 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
4896 key_bits = psa_get_key_bits(&attributes);
Bence Szépkútiec174e22021-03-19 18:46:15 +01004897
Gilles Peskine449bd832023-01-11 14:50:10 +01004898 output_size = input_data->len + PSA_AEAD_TAG_LENGTH(key_type, key_bits,
4899 alg);
Bence Szépkútiec174e22021-03-19 18:46:15 +01004900 /* For all currently defined algorithms, PSA_AEAD_ENCRYPT_OUTPUT_SIZE
4901 * should be exact. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004902 TEST_EQUAL(output_size,
4903 PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_data->len));
4904 TEST_LE_U(output_size,
4905 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(input_data->len));
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004906 TEST_CALLOC(output_data, output_size);
Gilles Peskinea1cac842018-06-11 19:33:02 +02004907
Gilles Peskine449bd832023-01-11 14:50:10 +01004908 status = psa_aead_encrypt(key, alg,
4909 nonce->x, nonce->len,
4910 additional_data->x, additional_data->len,
4911 input_data->x, input_data->len,
4912 output_data, output_size,
4913 &output_length);
Gilles Peskinea1cac842018-06-11 19:33:02 +02004914
Ronald Cron28a45ed2021-02-09 20:35:42 +01004915 /* If the operation is not supported, just skip and not fail in case the
4916 * encryption involves a common limitation of cryptography hardwares and
4917 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004918 if (status == PSA_ERROR_NOT_SUPPORTED) {
4919 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
4920 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Steven Cooremand588ea12021-01-11 19:36:04 +01004921 }
Steven Cooremand588ea12021-01-11 19:36:04 +01004922
Gilles Peskine449bd832023-01-11 14:50:10 +01004923 PSA_ASSERT(status);
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004924 TEST_MEMORY_COMPARE(expected_result->x, expected_result->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004925 output_data, output_length);
Gilles Peskine2d277862018-06-18 15:41:12 +02004926
Gilles Peskinea1cac842018-06-11 19:33:02 +02004927exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004928 psa_destroy_key(key);
4929 mbedtls_free(output_data);
4930 PSA_DONE();
Gilles Peskinea1cac842018-06-11 19:33:02 +02004931}
4932/* END_CASE */
4933
4934/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004935void aead_decrypt(int key_type_arg, data_t *key_data,
4936 int alg_arg,
4937 data_t *nonce,
4938 data_t *additional_data,
4939 data_t *input_data,
4940 data_t *expected_data,
4941 int expected_result_arg)
Gilles Peskinea1cac842018-06-11 19:33:02 +02004942{
Ronald Cron5425a212020-08-04 14:58:35 +02004943 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinea1cac842018-06-11 19:33:02 +02004944 psa_key_type_t key_type = key_type_arg;
4945 psa_algorithm_t alg = alg_arg;
Bence Szépkútiec174e22021-03-19 18:46:15 +01004946 size_t key_bits;
Gilles Peskinea1cac842018-06-11 19:33:02 +02004947 unsigned char *output_data = NULL;
4948 size_t output_size = 0;
4949 size_t output_length = 0;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004950 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine4abf7412018-06-18 16:35:34 +02004951 psa_status_t expected_result = expected_result_arg;
Steven Cooremand588ea12021-01-11 19:36:04 +01004952 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
Gilles Peskinea1cac842018-06-11 19:33:02 +02004953
Gilles Peskine449bd832023-01-11 14:50:10 +01004954 PSA_ASSERT(psa_crypto_init());
Gilles Peskinea1cac842018-06-11 19:33:02 +02004955
Gilles Peskine449bd832023-01-11 14:50:10 +01004956 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
4957 psa_set_key_algorithm(&attributes, alg);
4958 psa_set_key_type(&attributes, key_type);
Gilles Peskinea1cac842018-06-11 19:33:02 +02004959
Gilles Peskine449bd832023-01-11 14:50:10 +01004960 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4961 &key));
4962 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
4963 key_bits = psa_get_key_bits(&attributes);
Bence Szépkútiec174e22021-03-19 18:46:15 +01004964
Gilles Peskine449bd832023-01-11 14:50:10 +01004965 output_size = input_data->len - PSA_AEAD_TAG_LENGTH(key_type, key_bits,
4966 alg);
4967 if (expected_result != PSA_ERROR_INVALID_ARGUMENT &&
4968 expected_result != PSA_ERROR_NOT_SUPPORTED) {
Bence Szépkútiec174e22021-03-19 18:46:15 +01004969 /* For all currently defined algorithms, PSA_AEAD_DECRYPT_OUTPUT_SIZE
4970 * should be exact. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004971 TEST_EQUAL(output_size,
4972 PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, input_data->len));
4973 TEST_LE_U(output_size,
4974 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(input_data->len));
Bence Szépkútiec174e22021-03-19 18:46:15 +01004975 }
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004976 TEST_CALLOC(output_data, output_size);
Gilles Peskinea1cac842018-06-11 19:33:02 +02004977
Gilles Peskine449bd832023-01-11 14:50:10 +01004978 status = psa_aead_decrypt(key, alg,
4979 nonce->x, nonce->len,
4980 additional_data->x,
4981 additional_data->len,
4982 input_data->x, input_data->len,
4983 output_data, output_size,
4984 &output_length);
Steven Cooremand588ea12021-01-11 19:36:04 +01004985
Ronald Cron28a45ed2021-02-09 20:35:42 +01004986 /* If the operation is not supported, just skip and not fail in case the
4987 * decryption involves a common limitation of cryptography hardwares and
4988 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004989 if (status == PSA_ERROR_NOT_SUPPORTED) {
4990 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
4991 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Steven Cooremand588ea12021-01-11 19:36:04 +01004992 }
Steven Cooremand588ea12021-01-11 19:36:04 +01004993
Gilles Peskine449bd832023-01-11 14:50:10 +01004994 TEST_EQUAL(status, expected_result);
Gilles Peskinea1cac842018-06-11 19:33:02 +02004995
Gilles Peskine449bd832023-01-11 14:50:10 +01004996 if (expected_result == PSA_SUCCESS) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004997 TEST_MEMORY_COMPARE(expected_data->x, expected_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004998 output_data, output_length);
Gilles Peskine449bd832023-01-11 14:50:10 +01004999 }
Gilles Peskinea1cac842018-06-11 19:33:02 +02005000
Gilles Peskinea1cac842018-06-11 19:33:02 +02005001exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005002 psa_destroy_key(key);
5003 mbedtls_free(output_data);
5004 PSA_DONE();
Gilles Peskinea1cac842018-06-11 19:33:02 +02005005}
5006/* END_CASE */
5007
5008/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005009void aead_multipart_encrypt(int key_type_arg, data_t *key_data,
5010 int alg_arg,
5011 data_t *nonce,
5012 data_t *additional_data,
5013 data_t *input_data,
5014 int do_set_lengths,
5015 data_t *expected_output)
Paul Elliott0023e0a2021-04-27 10:06:22 +01005016{
Paul Elliottd3f82412021-06-16 16:52:21 +01005017 size_t ad_part_len = 0;
5018 size_t data_part_len = 0;
Paul Elliottbb979e72021-09-22 12:54:42 +01005019 set_lengths_method_t set_lengths_method = DO_NOT_SET_LENGTHS;
Paul Elliott0023e0a2021-04-27 10:06:22 +01005020
Gilles Peskine449bd832023-01-11 14:50:10 +01005021 for (ad_part_len = 1; ad_part_len <= additional_data->len; ad_part_len++) {
5022 mbedtls_test_set_step(ad_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005023
Gilles Peskine449bd832023-01-11 14:50:10 +01005024 if (do_set_lengths) {
5025 if (ad_part_len & 0x01) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005026 set_lengths_method = SET_LENGTHS_AFTER_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005027 } else {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005028 set_lengths_method = SET_LENGTHS_BEFORE_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005029 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005030 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005031
5032 /* Split ad into length(ad_part_len) parts. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005033 if (!aead_multipart_internal_func(key_type_arg, key_data,
5034 alg_arg, nonce,
5035 additional_data,
5036 ad_part_len,
5037 input_data, -1,
5038 set_lengths_method,
5039 expected_output,
5040 1, 0)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005041 break;
Paul Elliott0023e0a2021-04-27 10:06:22 +01005042 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005043
Gilles Peskine449bd832023-01-11 14:50:10 +01005044 /* length(0) part, length(ad_part_len) part, length(0) part... */
5045 mbedtls_test_set_step(1000 + ad_part_len);
5046
5047 if (!aead_multipart_internal_func(key_type_arg, key_data,
5048 alg_arg, nonce,
5049 additional_data,
5050 ad_part_len,
5051 input_data, -1,
5052 set_lengths_method,
5053 expected_output,
5054 1, 1)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005055 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005056 }
5057 }
5058
5059 for (data_part_len = 1; data_part_len <= input_data->len; data_part_len++) {
5060 /* Split data into length(data_part_len) parts. */
5061 mbedtls_test_set_step(2000 + data_part_len);
5062
5063 if (do_set_lengths) {
5064 if (data_part_len & 0x01) {
5065 set_lengths_method = SET_LENGTHS_AFTER_NONCE;
5066 } else {
5067 set_lengths_method = SET_LENGTHS_BEFORE_NONCE;
5068 }
5069 }
5070
5071 if (!aead_multipart_internal_func(key_type_arg, key_data,
5072 alg_arg, nonce,
5073 additional_data, -1,
5074 input_data, data_part_len,
5075 set_lengths_method,
5076 expected_output,
5077 1, 0)) {
5078 break;
5079 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005080
5081 /* length(0) part, length(data_part_len) part, length(0) part... */
Gilles Peskine449bd832023-01-11 14:50:10 +01005082 mbedtls_test_set_step(3000 + data_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005083
Gilles Peskine449bd832023-01-11 14:50:10 +01005084 if (!aead_multipart_internal_func(key_type_arg, key_data,
5085 alg_arg, nonce,
5086 additional_data, -1,
5087 input_data, data_part_len,
5088 set_lengths_method,
5089 expected_output,
5090 1, 1)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005091 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005092 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005093 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005094
Paul Elliott8fc45162021-06-23 16:06:01 +01005095 /* Goto is required to silence warnings about unused labels, as we
5096 * don't actually do any test assertions in this function. */
5097 goto exit;
Paul Elliott0023e0a2021-04-27 10:06:22 +01005098}
5099/* END_CASE */
5100
5101/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005102void aead_multipart_decrypt(int key_type_arg, data_t *key_data,
5103 int alg_arg,
5104 data_t *nonce,
5105 data_t *additional_data,
5106 data_t *input_data,
5107 int do_set_lengths,
5108 data_t *expected_output)
Paul Elliott0023e0a2021-04-27 10:06:22 +01005109{
Paul Elliottd3f82412021-06-16 16:52:21 +01005110 size_t ad_part_len = 0;
5111 size_t data_part_len = 0;
Paul Elliottbb979e72021-09-22 12:54:42 +01005112 set_lengths_method_t set_lengths_method = DO_NOT_SET_LENGTHS;
Paul Elliott0023e0a2021-04-27 10:06:22 +01005113
Gilles Peskine449bd832023-01-11 14:50:10 +01005114 for (ad_part_len = 1; ad_part_len <= additional_data->len; ad_part_len++) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005115 /* Split ad into length(ad_part_len) parts. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005116 mbedtls_test_set_step(ad_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005117
Gilles Peskine449bd832023-01-11 14:50:10 +01005118 if (do_set_lengths) {
5119 if (ad_part_len & 0x01) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005120 set_lengths_method = SET_LENGTHS_AFTER_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005121 } else {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005122 set_lengths_method = SET_LENGTHS_BEFORE_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005123 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005124 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005125
Gilles Peskine449bd832023-01-11 14:50:10 +01005126 if (!aead_multipart_internal_func(key_type_arg, key_data,
5127 alg_arg, nonce,
5128 additional_data,
5129 ad_part_len,
5130 input_data, -1,
5131 set_lengths_method,
5132 expected_output,
5133 0, 0)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005134 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005135 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005136
5137 /* length(0) part, length(ad_part_len) part, length(0) part... */
Gilles Peskine449bd832023-01-11 14:50:10 +01005138 mbedtls_test_set_step(1000 + ad_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005139
Gilles Peskine449bd832023-01-11 14:50:10 +01005140 if (!aead_multipart_internal_func(key_type_arg, key_data,
5141 alg_arg, nonce,
5142 additional_data,
5143 ad_part_len,
5144 input_data, -1,
5145 set_lengths_method,
5146 expected_output,
5147 0, 1)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005148 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005149 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005150 }
5151
Gilles Peskine449bd832023-01-11 14:50:10 +01005152 for (data_part_len = 1; data_part_len <= input_data->len; data_part_len++) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005153 /* Split data into length(data_part_len) parts. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005154 mbedtls_test_set_step(2000 + data_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005155
Gilles Peskine449bd832023-01-11 14:50:10 +01005156 if (do_set_lengths) {
5157 if (data_part_len & 0x01) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005158 set_lengths_method = SET_LENGTHS_AFTER_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005159 } else {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005160 set_lengths_method = SET_LENGTHS_BEFORE_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005161 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005162 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005163
Gilles Peskine449bd832023-01-11 14:50:10 +01005164 if (!aead_multipart_internal_func(key_type_arg, key_data,
5165 alg_arg, nonce,
5166 additional_data, -1,
5167 input_data, data_part_len,
5168 set_lengths_method,
5169 expected_output,
5170 0, 0)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005171 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005172 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005173
5174 /* length(0) part, length(data_part_len) part, length(0) part... */
Gilles Peskine449bd832023-01-11 14:50:10 +01005175 mbedtls_test_set_step(3000 + data_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005176
Gilles Peskine449bd832023-01-11 14:50:10 +01005177 if (!aead_multipart_internal_func(key_type_arg, key_data,
5178 alg_arg, nonce,
5179 additional_data, -1,
5180 input_data, data_part_len,
5181 set_lengths_method,
5182 expected_output,
5183 0, 1)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005184 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005185 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005186 }
5187
Paul Elliott8fc45162021-06-23 16:06:01 +01005188 /* Goto is required to silence warnings about unused labels, as we
5189 * don't actually do any test assertions in this function. */
Paul Elliottd3f82412021-06-16 16:52:21 +01005190 goto exit;
Paul Elliott0023e0a2021-04-27 10:06:22 +01005191}
5192/* END_CASE */
5193
5194/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005195void aead_multipart_generate_nonce(int key_type_arg, data_t *key_data,
5196 int alg_arg,
5197 int nonce_length,
5198 int expected_nonce_length_arg,
5199 data_t *additional_data,
5200 data_t *input_data,
5201 int expected_status_arg)
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005202{
5203
5204 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5205 psa_key_type_t key_type = key_type_arg;
5206 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005207 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005208 uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE];
5209 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5210 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
Paul Elliott693bf312021-07-23 17:40:41 +01005211 psa_status_t expected_status = expected_status_arg;
Paul Elliottf1277632021-08-24 18:11:37 +01005212 size_t actual_nonce_length = 0;
5213 size_t expected_nonce_length = expected_nonce_length_arg;
5214 unsigned char *output = NULL;
5215 unsigned char *ciphertext = NULL;
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005216 size_t output_size = 0;
Paul Elliottf1277632021-08-24 18:11:37 +01005217 size_t ciphertext_size = 0;
5218 size_t ciphertext_length = 0;
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005219 size_t tag_length = 0;
5220 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE];
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005221
Gilles Peskine449bd832023-01-11 14:50:10 +01005222 PSA_ASSERT(psa_crypto_init());
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005223
Gilles Peskine449bd832023-01-11 14:50:10 +01005224 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
5225 psa_set_key_algorithm(&attributes, alg);
5226 psa_set_key_type(&attributes, key_type);
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005227
Gilles Peskine449bd832023-01-11 14:50:10 +01005228 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5229 &key));
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005230
Gilles Peskine449bd832023-01-11 14:50:10 +01005231 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005232
Gilles Peskine449bd832023-01-11 14:50:10 +01005233 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005234
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005235 TEST_CALLOC(output, output_size);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005236
Gilles Peskine449bd832023-01-11 14:50:10 +01005237 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005238
Gilles Peskine449bd832023-01-11 14:50:10 +01005239 TEST_LE_U(ciphertext_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005240
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005241 TEST_CALLOC(ciphertext, ciphertext_size);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005242
Gilles Peskine449bd832023-01-11 14:50:10 +01005243 status = psa_aead_encrypt_setup(&operation, key, alg);
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005244
5245 /* If the operation is not supported, just skip and not fail in case the
5246 * encryption involves a common limitation of cryptography hardwares and
5247 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005248 if (status == PSA_ERROR_NOT_SUPPORTED) {
5249 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5250 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce_length);
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005251 }
5252
Gilles Peskine449bd832023-01-11 14:50:10 +01005253 PSA_ASSERT(status);
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005254
Gilles Peskine449bd832023-01-11 14:50:10 +01005255 status = psa_aead_generate_nonce(&operation, nonce_buffer,
5256 nonce_length,
5257 &actual_nonce_length);
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005258
Gilles Peskine449bd832023-01-11 14:50:10 +01005259 TEST_EQUAL(status, expected_status);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005260
Gilles Peskine449bd832023-01-11 14:50:10 +01005261 TEST_EQUAL(actual_nonce_length, expected_nonce_length);
Paul Elliottd85f5472021-07-16 18:20:16 +01005262
Gilles Peskine449bd832023-01-11 14:50:10 +01005263 if (expected_status == PSA_SUCCESS) {
5264 TEST_EQUAL(actual_nonce_length, PSA_AEAD_NONCE_LENGTH(key_type,
5265 alg));
5266 }
Paul Elliott88ecbe12021-09-22 17:23:03 +01005267
Gilles Peskine449bd832023-01-11 14:50:10 +01005268 TEST_LE_U(actual_nonce_length, PSA_AEAD_NONCE_MAX_SIZE);
Paul Elliotte0fcb3b2021-07-16 18:52:03 +01005269
Gilles Peskine449bd832023-01-11 14:50:10 +01005270 if (expected_status == PSA_SUCCESS) {
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005271 /* Ensure we can still complete operation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005272 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5273 input_data->len));
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005274
Gilles Peskine449bd832023-01-11 14:50:10 +01005275 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
5276 additional_data->len));
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005277
Gilles Peskine449bd832023-01-11 14:50:10 +01005278 PSA_ASSERT(psa_aead_update(&operation, input_data->x, input_data->len,
5279 output, output_size,
5280 &ciphertext_length));
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005281
Gilles Peskine449bd832023-01-11 14:50:10 +01005282 PSA_ASSERT(psa_aead_finish(&operation, ciphertext, ciphertext_size,
5283 &ciphertext_length, tag_buffer,
5284 PSA_AEAD_TAG_MAX_SIZE, &tag_length));
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005285 }
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005286
5287exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005288 psa_destroy_key(key);
5289 mbedtls_free(output);
5290 mbedtls_free(ciphertext);
5291 psa_aead_abort(&operation);
5292 PSA_DONE();
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005293}
5294/* END_CASE */
5295
5296/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005297void aead_multipart_set_nonce(int key_type_arg, data_t *key_data,
5298 int alg_arg,
5299 int nonce_length_arg,
5300 int set_lengths_method_arg,
5301 data_t *additional_data,
5302 data_t *input_data,
5303 int expected_status_arg)
Paul Elliott863864a2021-07-23 17:28:31 +01005304{
5305
5306 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5307 psa_key_type_t key_type = key_type_arg;
5308 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005309 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott863864a2021-07-23 17:28:31 +01005310 uint8_t *nonce_buffer = NULL;
5311 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5312 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
5313 psa_status_t expected_status = expected_status_arg;
Paul Elliott6f0e7202021-08-25 12:57:18 +01005314 unsigned char *output = NULL;
5315 unsigned char *ciphertext = NULL;
Paul Elliott4023ffd2021-09-10 16:21:22 +01005316 size_t nonce_length;
Paul Elliott863864a2021-07-23 17:28:31 +01005317 size_t output_size = 0;
Paul Elliott6f0e7202021-08-25 12:57:18 +01005318 size_t ciphertext_size = 0;
5319 size_t ciphertext_length = 0;
Paul Elliott863864a2021-07-23 17:28:31 +01005320 size_t tag_length = 0;
5321 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE];
Paul Elliott4023ffd2021-09-10 16:21:22 +01005322 size_t index = 0;
Andrzej Kureka2ce72e2021-12-25 17:21:47 +01005323 set_lengths_method_t set_lengths_method = set_lengths_method_arg;
Paul Elliott863864a2021-07-23 17:28:31 +01005324
Gilles Peskine449bd832023-01-11 14:50:10 +01005325 PSA_ASSERT(psa_crypto_init());
Paul Elliott863864a2021-07-23 17:28:31 +01005326
Gilles Peskine449bd832023-01-11 14:50:10 +01005327 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
5328 psa_set_key_algorithm(&attributes, alg);
5329 psa_set_key_type(&attributes, key_type);
Paul Elliott863864a2021-07-23 17:28:31 +01005330
Gilles Peskine449bd832023-01-11 14:50:10 +01005331 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5332 &key));
Paul Elliott863864a2021-07-23 17:28:31 +01005333
Gilles Peskine449bd832023-01-11 14:50:10 +01005334 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
Paul Elliott863864a2021-07-23 17:28:31 +01005335
Gilles Peskine449bd832023-01-11 14:50:10 +01005336 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len);
Paul Elliott863864a2021-07-23 17:28:31 +01005337
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005338 TEST_CALLOC(output, output_size);
Paul Elliott863864a2021-07-23 17:28:31 +01005339
Gilles Peskine449bd832023-01-11 14:50:10 +01005340 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg);
Paul Elliott863864a2021-07-23 17:28:31 +01005341
Gilles Peskine449bd832023-01-11 14:50:10 +01005342 TEST_LE_U(ciphertext_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE);
Paul Elliott863864a2021-07-23 17:28:31 +01005343
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005344 TEST_CALLOC(ciphertext, ciphertext_size);
Paul Elliott863864a2021-07-23 17:28:31 +01005345
Gilles Peskine449bd832023-01-11 14:50:10 +01005346 status = psa_aead_encrypt_setup(&operation, key, alg);
Paul Elliott863864a2021-07-23 17:28:31 +01005347
5348 /* If the operation is not supported, just skip and not fail in case the
5349 * encryption involves a common limitation of cryptography hardwares and
5350 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005351 if (status == PSA_ERROR_NOT_SUPPORTED) {
5352 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5353 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce_length_arg);
Paul Elliott863864a2021-07-23 17:28:31 +01005354 }
5355
Gilles Peskine449bd832023-01-11 14:50:10 +01005356 PSA_ASSERT(status);
Paul Elliott863864a2021-07-23 17:28:31 +01005357
Paul Elliott4023ffd2021-09-10 16:21:22 +01005358 /* -1 == zero length and valid buffer, 0 = zero length and NULL buffer. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005359 if (nonce_length_arg == -1) {
5360 /* Arbitrary size buffer, to test zero length valid buffer. */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005361 TEST_CALLOC(nonce_buffer, 4);
Gilles Peskine449bd832023-01-11 14:50:10 +01005362 nonce_length = 0;
5363 } else {
Paul Elliott4023ffd2021-09-10 16:21:22 +01005364 /* If length is zero, then this will return NULL. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005365 nonce_length = (size_t) nonce_length_arg;
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005366 TEST_CALLOC(nonce_buffer, nonce_length);
Paul Elliott66696b52021-08-16 18:42:41 +01005367
Gilles Peskine449bd832023-01-11 14:50:10 +01005368 if (nonce_buffer) {
5369 for (index = 0; index < nonce_length - 1; ++index) {
Paul Elliott4023ffd2021-09-10 16:21:22 +01005370 nonce_buffer[index] = 'a' + index;
5371 }
Paul Elliott66696b52021-08-16 18:42:41 +01005372 }
Paul Elliott863864a2021-07-23 17:28:31 +01005373 }
5374
Gilles Peskine449bd832023-01-11 14:50:10 +01005375 if (set_lengths_method == SET_LENGTHS_BEFORE_NONCE) {
5376 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5377 input_data->len));
Andrzej Kureka2ce72e2021-12-25 17:21:47 +01005378 }
5379
Gilles Peskine449bd832023-01-11 14:50:10 +01005380 status = psa_aead_set_nonce(&operation, nonce_buffer, nonce_length);
Paul Elliott863864a2021-07-23 17:28:31 +01005381
Gilles Peskine449bd832023-01-11 14:50:10 +01005382 TEST_EQUAL(status, expected_status);
Paul Elliott863864a2021-07-23 17:28:31 +01005383
Gilles Peskine449bd832023-01-11 14:50:10 +01005384 if (expected_status == PSA_SUCCESS) {
5385 if (set_lengths_method == SET_LENGTHS_AFTER_NONCE) {
5386 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5387 input_data->len));
Andrzej Kureka2ce72e2021-12-25 17:21:47 +01005388 }
Gilles Peskine449bd832023-01-11 14:50:10 +01005389 if (operation.alg == PSA_ALG_CCM && set_lengths_method == DO_NOT_SET_LENGTHS) {
Andrzej Kureka2ce72e2021-12-25 17:21:47 +01005390 expected_status = PSA_ERROR_BAD_STATE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005391 }
Paul Elliott863864a2021-07-23 17:28:31 +01005392
Andrzej Kureka2ce72e2021-12-25 17:21:47 +01005393 /* Ensure we can still complete operation, unless it's CCM and we didn't set lengths. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005394 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
5395 additional_data->len),
5396 expected_status);
Paul Elliott863864a2021-07-23 17:28:31 +01005397
Gilles Peskine449bd832023-01-11 14:50:10 +01005398 TEST_EQUAL(psa_aead_update(&operation, input_data->x, input_data->len,
5399 output, output_size,
5400 &ciphertext_length),
5401 expected_status);
Paul Elliott863864a2021-07-23 17:28:31 +01005402
Gilles Peskine449bd832023-01-11 14:50:10 +01005403 TEST_EQUAL(psa_aead_finish(&operation, ciphertext, ciphertext_size,
5404 &ciphertext_length, tag_buffer,
5405 PSA_AEAD_TAG_MAX_SIZE, &tag_length),
5406 expected_status);
Paul Elliott863864a2021-07-23 17:28:31 +01005407 }
5408
5409exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005410 psa_destroy_key(key);
5411 mbedtls_free(output);
5412 mbedtls_free(ciphertext);
5413 mbedtls_free(nonce_buffer);
5414 psa_aead_abort(&operation);
5415 PSA_DONE();
Paul Elliott863864a2021-07-23 17:28:31 +01005416}
5417/* END_CASE */
5418
5419/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005420void aead_multipart_update_buffer_test(int key_type_arg, data_t *key_data,
Paul Elliott43fbda62021-07-23 18:30:59 +01005421 int alg_arg,
Paul Elliottc6d11d02021-09-01 12:04:23 +01005422 int output_size_arg,
Paul Elliott43fbda62021-07-23 18:30:59 +01005423 data_t *nonce,
5424 data_t *additional_data,
5425 data_t *input_data,
Gilles Peskine449bd832023-01-11 14:50:10 +01005426 int expected_status_arg)
Paul Elliott43fbda62021-07-23 18:30:59 +01005427{
5428
5429 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5430 psa_key_type_t key_type = key_type_arg;
5431 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005432 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott43fbda62021-07-23 18:30:59 +01005433 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5434 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
5435 psa_status_t expected_status = expected_status_arg;
Paul Elliottc6d11d02021-09-01 12:04:23 +01005436 unsigned char *output = NULL;
5437 unsigned char *ciphertext = NULL;
5438 size_t output_size = output_size_arg;
5439 size_t ciphertext_size = 0;
5440 size_t ciphertext_length = 0;
Paul Elliott43fbda62021-07-23 18:30:59 +01005441 size_t tag_length = 0;
5442 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE];
5443
Gilles Peskine449bd832023-01-11 14:50:10 +01005444 PSA_ASSERT(psa_crypto_init());
Paul Elliott43fbda62021-07-23 18:30:59 +01005445
Gilles Peskine449bd832023-01-11 14:50:10 +01005446 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
5447 psa_set_key_algorithm(&attributes, alg);
5448 psa_set_key_type(&attributes, key_type);
Paul Elliott43fbda62021-07-23 18:30:59 +01005449
Gilles Peskine449bd832023-01-11 14:50:10 +01005450 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5451 &key));
Paul Elliott43fbda62021-07-23 18:30:59 +01005452
Gilles Peskine449bd832023-01-11 14:50:10 +01005453 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
Paul Elliott43fbda62021-07-23 18:30:59 +01005454
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005455 TEST_CALLOC(output, output_size);
Paul Elliott43fbda62021-07-23 18:30:59 +01005456
Gilles Peskine449bd832023-01-11 14:50:10 +01005457 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg);
Paul Elliott43fbda62021-07-23 18:30:59 +01005458
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005459 TEST_CALLOC(ciphertext, ciphertext_size);
Paul Elliott43fbda62021-07-23 18:30:59 +01005460
Gilles Peskine449bd832023-01-11 14:50:10 +01005461 status = psa_aead_encrypt_setup(&operation, key, alg);
Paul Elliott43fbda62021-07-23 18:30:59 +01005462
5463 /* If the operation is not supported, just skip and not fail in case the
5464 * encryption involves a common limitation of cryptography hardwares and
5465 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005466 if (status == PSA_ERROR_NOT_SUPPORTED) {
5467 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5468 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Paul Elliott43fbda62021-07-23 18:30:59 +01005469 }
5470
Gilles Peskine449bd832023-01-11 14:50:10 +01005471 PSA_ASSERT(status);
Paul Elliott43fbda62021-07-23 18:30:59 +01005472
Gilles Peskine449bd832023-01-11 14:50:10 +01005473 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5474 input_data->len));
Paul Elliott47b9a142021-10-07 15:04:57 +01005475
Gilles Peskine449bd832023-01-11 14:50:10 +01005476 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott43fbda62021-07-23 18:30:59 +01005477
Gilles Peskine449bd832023-01-11 14:50:10 +01005478 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
5479 additional_data->len));
Paul Elliott43fbda62021-07-23 18:30:59 +01005480
Gilles Peskine449bd832023-01-11 14:50:10 +01005481 status = psa_aead_update(&operation, input_data->x, input_data->len,
5482 output, output_size, &ciphertext_length);
Paul Elliott43fbda62021-07-23 18:30:59 +01005483
Gilles Peskine449bd832023-01-11 14:50:10 +01005484 TEST_EQUAL(status, expected_status);
Paul Elliott43fbda62021-07-23 18:30:59 +01005485
Gilles Peskine449bd832023-01-11 14:50:10 +01005486 if (expected_status == PSA_SUCCESS) {
Paul Elliott43fbda62021-07-23 18:30:59 +01005487 /* Ensure we can still complete operation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005488 PSA_ASSERT(psa_aead_finish(&operation, ciphertext, ciphertext_size,
5489 &ciphertext_length, tag_buffer,
5490 PSA_AEAD_TAG_MAX_SIZE, &tag_length));
Paul Elliott43fbda62021-07-23 18:30:59 +01005491 }
5492
5493exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005494 psa_destroy_key(key);
5495 mbedtls_free(output);
5496 mbedtls_free(ciphertext);
5497 psa_aead_abort(&operation);
5498 PSA_DONE();
Paul Elliott43fbda62021-07-23 18:30:59 +01005499}
5500/* END_CASE */
5501
Paul Elliott91b021e2021-07-23 18:52:31 +01005502/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005503void aead_multipart_finish_buffer_test(int key_type_arg, data_t *key_data,
5504 int alg_arg,
5505 int finish_ciphertext_size_arg,
5506 int tag_size_arg,
5507 data_t *nonce,
5508 data_t *additional_data,
5509 data_t *input_data,
5510 int expected_status_arg)
Paul Elliott91b021e2021-07-23 18:52:31 +01005511{
5512
5513 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5514 psa_key_type_t key_type = key_type_arg;
5515 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005516 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott91b021e2021-07-23 18:52:31 +01005517 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5518 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
5519 psa_status_t expected_status = expected_status_arg;
Paul Elliotte58cb1e2021-09-10 18:36:00 +01005520 unsigned char *ciphertext = NULL;
5521 unsigned char *finish_ciphertext = NULL;
Paul Elliott719c1322021-09-13 18:27:22 +01005522 unsigned char *tag_buffer = NULL;
Paul Elliotte58cb1e2021-09-10 18:36:00 +01005523 size_t ciphertext_size = 0;
5524 size_t ciphertext_length = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01005525 size_t finish_ciphertext_size = (size_t) finish_ciphertext_size_arg;
5526 size_t tag_size = (size_t) tag_size_arg;
Paul Elliott91b021e2021-07-23 18:52:31 +01005527 size_t tag_length = 0;
Paul Elliott91b021e2021-07-23 18:52:31 +01005528
Gilles Peskine449bd832023-01-11 14:50:10 +01005529 PSA_ASSERT(psa_crypto_init());
Paul Elliott91b021e2021-07-23 18:52:31 +01005530
Gilles Peskine449bd832023-01-11 14:50:10 +01005531 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
5532 psa_set_key_algorithm(&attributes, alg);
5533 psa_set_key_type(&attributes, key_type);
Paul Elliott91b021e2021-07-23 18:52:31 +01005534
Gilles Peskine449bd832023-01-11 14:50:10 +01005535 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5536 &key));
Paul Elliott91b021e2021-07-23 18:52:31 +01005537
Gilles Peskine449bd832023-01-11 14:50:10 +01005538 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
Paul Elliott91b021e2021-07-23 18:52:31 +01005539
Gilles Peskine449bd832023-01-11 14:50:10 +01005540 ciphertext_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len);
Paul Elliott91b021e2021-07-23 18:52:31 +01005541
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005542 TEST_CALLOC(ciphertext, ciphertext_size);
Paul Elliott91b021e2021-07-23 18:52:31 +01005543
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005544 TEST_CALLOC(finish_ciphertext, finish_ciphertext_size);
Paul Elliott91b021e2021-07-23 18:52:31 +01005545
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005546 TEST_CALLOC(tag_buffer, tag_size);
Paul Elliott719c1322021-09-13 18:27:22 +01005547
Gilles Peskine449bd832023-01-11 14:50:10 +01005548 status = psa_aead_encrypt_setup(&operation, key, alg);
Paul Elliott91b021e2021-07-23 18:52:31 +01005549
5550 /* If the operation is not supported, just skip and not fail in case the
5551 * encryption involves a common limitation of cryptography hardwares and
5552 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005553 if (status == PSA_ERROR_NOT_SUPPORTED) {
5554 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5555 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Paul Elliott91b021e2021-07-23 18:52:31 +01005556 }
5557
Gilles Peskine449bd832023-01-11 14:50:10 +01005558 PSA_ASSERT(status);
Paul Elliott91b021e2021-07-23 18:52:31 +01005559
Gilles Peskine449bd832023-01-11 14:50:10 +01005560 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott91b021e2021-07-23 18:52:31 +01005561
Gilles Peskine449bd832023-01-11 14:50:10 +01005562 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5563 input_data->len));
Paul Elliott76bda482021-10-07 17:07:23 +01005564
Gilles Peskine449bd832023-01-11 14:50:10 +01005565 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
5566 additional_data->len));
Paul Elliott91b021e2021-07-23 18:52:31 +01005567
Gilles Peskine449bd832023-01-11 14:50:10 +01005568 PSA_ASSERT(psa_aead_update(&operation, input_data->x, input_data->len,
5569 ciphertext, ciphertext_size, &ciphertext_length));
Paul Elliott91b021e2021-07-23 18:52:31 +01005570
5571 /* Ensure we can still complete operation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005572 status = psa_aead_finish(&operation, finish_ciphertext,
5573 finish_ciphertext_size,
5574 &ciphertext_length, tag_buffer,
5575 tag_size, &tag_length);
Paul Elliott91b021e2021-07-23 18:52:31 +01005576
Gilles Peskine449bd832023-01-11 14:50:10 +01005577 TEST_EQUAL(status, expected_status);
Paul Elliott91b021e2021-07-23 18:52:31 +01005578
5579exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005580 psa_destroy_key(key);
5581 mbedtls_free(ciphertext);
5582 mbedtls_free(finish_ciphertext);
5583 mbedtls_free(tag_buffer);
5584 psa_aead_abort(&operation);
5585 PSA_DONE();
Paul Elliott91b021e2021-07-23 18:52:31 +01005586}
5587/* END_CASE */
Paul Elliott43fbda62021-07-23 18:30:59 +01005588
5589/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005590void aead_multipart_verify(int key_type_arg, data_t *key_data,
5591 int alg_arg,
5592 data_t *nonce,
5593 data_t *additional_data,
5594 data_t *input_data,
5595 data_t *tag,
5596 int tag_usage_arg,
5597 int expected_setup_status_arg,
5598 int expected_status_arg)
Paul Elliott9961a662021-09-17 19:19:02 +01005599{
5600 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5601 psa_key_type_t key_type = key_type_arg;
5602 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005603 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott9961a662021-09-17 19:19:02 +01005604 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5605 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
5606 psa_status_t expected_status = expected_status_arg;
Andrzej Kurekf8816012021-12-19 17:00:12 +01005607 psa_status_t expected_setup_status = expected_setup_status_arg;
Paul Elliott9961a662021-09-17 19:19:02 +01005608 unsigned char *plaintext = NULL;
5609 unsigned char *finish_plaintext = NULL;
5610 size_t plaintext_size = 0;
5611 size_t plaintext_length = 0;
5612 size_t verify_plaintext_size = 0;
Paul Elliottbb979e72021-09-22 12:54:42 +01005613 tag_usage_method_t tag_usage = tag_usage_arg;
Paul Elliott1c67e0b2021-09-19 13:11:50 +01005614 unsigned char *tag_buffer = NULL;
5615 size_t tag_size = 0;
Paul Elliott9961a662021-09-17 19:19:02 +01005616
Gilles Peskine449bd832023-01-11 14:50:10 +01005617 PSA_ASSERT(psa_crypto_init());
Paul Elliott9961a662021-09-17 19:19:02 +01005618
Gilles Peskine449bd832023-01-11 14:50:10 +01005619 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
5620 psa_set_key_algorithm(&attributes, alg);
5621 psa_set_key_type(&attributes, key_type);
Paul Elliott9961a662021-09-17 19:19:02 +01005622
Gilles Peskine449bd832023-01-11 14:50:10 +01005623 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5624 &key));
Paul Elliott9961a662021-09-17 19:19:02 +01005625
Gilles Peskine449bd832023-01-11 14:50:10 +01005626 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
Paul Elliott9961a662021-09-17 19:19:02 +01005627
Gilles Peskine449bd832023-01-11 14:50:10 +01005628 plaintext_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg,
5629 input_data->len);
Paul Elliott9961a662021-09-17 19:19:02 +01005630
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005631 TEST_CALLOC(plaintext, plaintext_size);
Paul Elliott9961a662021-09-17 19:19:02 +01005632
Gilles Peskine449bd832023-01-11 14:50:10 +01005633 verify_plaintext_size = PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg);
Paul Elliott9961a662021-09-17 19:19:02 +01005634
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005635 TEST_CALLOC(finish_plaintext, verify_plaintext_size);
Paul Elliott9961a662021-09-17 19:19:02 +01005636
Gilles Peskine449bd832023-01-11 14:50:10 +01005637 status = psa_aead_decrypt_setup(&operation, key, alg);
Paul Elliott9961a662021-09-17 19:19:02 +01005638
5639 /* If the operation is not supported, just skip and not fail in case the
5640 * encryption involves a common limitation of cryptography hardwares and
5641 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005642 if (status == PSA_ERROR_NOT_SUPPORTED) {
5643 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5644 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Paul Elliott9961a662021-09-17 19:19:02 +01005645 }
Gilles Peskine449bd832023-01-11 14:50:10 +01005646 TEST_EQUAL(status, expected_setup_status);
Andrzej Kurekf8816012021-12-19 17:00:12 +01005647
Gilles Peskine449bd832023-01-11 14:50:10 +01005648 if (status != PSA_SUCCESS) {
Andrzej Kurekf8816012021-12-19 17:00:12 +01005649 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01005650 }
Paul Elliott9961a662021-09-17 19:19:02 +01005651
Gilles Peskine449bd832023-01-11 14:50:10 +01005652 PSA_ASSERT(status);
Paul Elliott9961a662021-09-17 19:19:02 +01005653
Gilles Peskine449bd832023-01-11 14:50:10 +01005654 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott9961a662021-09-17 19:19:02 +01005655
Gilles Peskine449bd832023-01-11 14:50:10 +01005656 status = psa_aead_set_lengths(&operation, additional_data->len,
5657 input_data->len);
5658 PSA_ASSERT(status);
Paul Elliottfec6f372021-10-06 17:15:02 +01005659
Gilles Peskine449bd832023-01-11 14:50:10 +01005660 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
5661 additional_data->len));
Paul Elliott9961a662021-09-17 19:19:02 +01005662
Gilles Peskine449bd832023-01-11 14:50:10 +01005663 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
5664 input_data->len,
5665 plaintext, plaintext_size,
5666 &plaintext_length));
Paul Elliott9961a662021-09-17 19:19:02 +01005667
Gilles Peskine449bd832023-01-11 14:50:10 +01005668 if (tag_usage == USE_GIVEN_TAG) {
Paul Elliott1c67e0b2021-09-19 13:11:50 +01005669 tag_buffer = tag->x;
5670 tag_size = tag->len;
5671 }
5672
Gilles Peskine449bd832023-01-11 14:50:10 +01005673 status = psa_aead_verify(&operation, finish_plaintext,
5674 verify_plaintext_size,
5675 &plaintext_length,
5676 tag_buffer, tag_size);
Paul Elliott9961a662021-09-17 19:19:02 +01005677
Gilles Peskine449bd832023-01-11 14:50:10 +01005678 TEST_EQUAL(status, expected_status);
Paul Elliott9961a662021-09-17 19:19:02 +01005679
5680exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005681 psa_destroy_key(key);
5682 mbedtls_free(plaintext);
5683 mbedtls_free(finish_plaintext);
5684 psa_aead_abort(&operation);
5685 PSA_DONE();
Paul Elliott9961a662021-09-17 19:19:02 +01005686}
5687/* END_CASE */
5688
Paul Elliott9961a662021-09-17 19:19:02 +01005689/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005690void aead_multipart_setup(int key_type_arg, data_t *key_data,
5691 int alg_arg, int expected_status_arg)
Paul Elliott5221ef62021-09-19 17:33:03 +01005692{
5693 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5694 psa_key_type_t key_type = key_type_arg;
5695 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005696 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott5221ef62021-09-19 17:33:03 +01005697 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5698 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
5699 psa_status_t expected_status = expected_status_arg;
5700
Gilles Peskine449bd832023-01-11 14:50:10 +01005701 PSA_ASSERT(psa_crypto_init());
Paul Elliott5221ef62021-09-19 17:33:03 +01005702
Gilles Peskine449bd832023-01-11 14:50:10 +01005703 psa_set_key_usage_flags(&attributes,
5704 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
5705 psa_set_key_algorithm(&attributes, alg);
5706 psa_set_key_type(&attributes, key_type);
Paul Elliott5221ef62021-09-19 17:33:03 +01005707
Gilles Peskine449bd832023-01-11 14:50:10 +01005708 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5709 &key));
Paul Elliott5221ef62021-09-19 17:33:03 +01005710
Gilles Peskine449bd832023-01-11 14:50:10 +01005711 status = psa_aead_encrypt_setup(&operation, key, alg);
Paul Elliott5221ef62021-09-19 17:33:03 +01005712
Gilles Peskine449bd832023-01-11 14:50:10 +01005713 TEST_EQUAL(status, expected_status);
Paul Elliott5221ef62021-09-19 17:33:03 +01005714
Gilles Peskine449bd832023-01-11 14:50:10 +01005715 psa_aead_abort(&operation);
Paul Elliott5221ef62021-09-19 17:33:03 +01005716
Gilles Peskine449bd832023-01-11 14:50:10 +01005717 status = psa_aead_decrypt_setup(&operation, key, alg);
Paul Elliott5221ef62021-09-19 17:33:03 +01005718
Gilles Peskine449bd832023-01-11 14:50:10 +01005719 TEST_EQUAL(status, expected_status);
Paul Elliott5221ef62021-09-19 17:33:03 +01005720
5721exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005722 psa_destroy_key(key);
5723 psa_aead_abort(&operation);
5724 PSA_DONE();
Paul Elliott5221ef62021-09-19 17:33:03 +01005725}
5726/* END_CASE */
5727
5728/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005729void aead_multipart_state_test(int key_type_arg, data_t *key_data,
5730 int alg_arg,
5731 data_t *nonce,
5732 data_t *additional_data,
5733 data_t *input_data)
Paul Elliottc23a9a02021-06-21 18:32:46 +01005734{
5735 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5736 psa_key_type_t key_type = key_type_arg;
5737 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005738 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliottc23a9a02021-06-21 18:32:46 +01005739 unsigned char *output_data = NULL;
5740 unsigned char *final_data = NULL;
5741 size_t output_size = 0;
5742 size_t finish_output_size = 0;
5743 size_t output_length = 0;
5744 size_t key_bits = 0;
5745 size_t tag_length = 0;
5746 size_t tag_size = 0;
5747 size_t nonce_length = 0;
5748 uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE];
5749 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE];
5750 size_t output_part_length = 0;
5751 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5752
Gilles Peskine449bd832023-01-11 14:50:10 +01005753 PSA_ASSERT(psa_crypto_init());
Paul Elliottc23a9a02021-06-21 18:32:46 +01005754
Gilles Peskine449bd832023-01-11 14:50:10 +01005755 psa_set_key_usage_flags(&attributes,
5756 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
5757 psa_set_key_algorithm(&attributes, alg);
5758 psa_set_key_type(&attributes, key_type);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005759
Gilles Peskine449bd832023-01-11 14:50:10 +01005760 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5761 &key));
Paul Elliottc23a9a02021-06-21 18:32:46 +01005762
Gilles Peskine449bd832023-01-11 14:50:10 +01005763 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
5764 key_bits = psa_get_key_bits(&attributes);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005765
Gilles Peskine449bd832023-01-11 14:50:10 +01005766 tag_length = PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005767
Gilles Peskine449bd832023-01-11 14:50:10 +01005768 TEST_LE_U(tag_length, PSA_AEAD_TAG_MAX_SIZE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005769
Gilles Peskine449bd832023-01-11 14:50:10 +01005770 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005771
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005772 TEST_CALLOC(output_data, output_size);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005773
Gilles Peskine449bd832023-01-11 14:50:10 +01005774 finish_output_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005775
Gilles Peskine449bd832023-01-11 14:50:10 +01005776 TEST_LE_U(finish_output_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005777
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005778 TEST_CALLOC(final_data, finish_output_size);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005779
5780 /* Test all operations error without calling setup first. */
5781
Gilles Peskine449bd832023-01-11 14:50:10 +01005782 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
5783 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005784
Gilles Peskine449bd832023-01-11 14:50:10 +01005785 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005786
Gilles Peskine449bd832023-01-11 14:50:10 +01005787 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
5788 PSA_AEAD_NONCE_MAX_SIZE,
5789 &nonce_length),
5790 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005791
Gilles Peskine449bd832023-01-11 14:50:10 +01005792 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005793
Paul Elliott481be342021-07-16 17:38:47 +01005794 /* ------------------------------------------------------- */
5795
Gilles Peskine449bd832023-01-11 14:50:10 +01005796 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
5797 input_data->len),
5798 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005799
Gilles Peskine449bd832023-01-11 14:50:10 +01005800 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005801
Paul Elliott481be342021-07-16 17:38:47 +01005802 /* ------------------------------------------------------- */
5803
Gilles Peskine449bd832023-01-11 14:50:10 +01005804 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
5805 additional_data->len),
5806 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005807
Gilles Peskine449bd832023-01-11 14:50:10 +01005808 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005809
Paul Elliott481be342021-07-16 17:38:47 +01005810 /* ------------------------------------------------------- */
5811
Gilles Peskine449bd832023-01-11 14:50:10 +01005812 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
5813 input_data->len, output_data,
5814 output_size, &output_length),
5815 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005816
Gilles Peskine449bd832023-01-11 14:50:10 +01005817 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005818
Paul Elliott481be342021-07-16 17:38:47 +01005819 /* ------------------------------------------------------- */
5820
Gilles Peskine449bd832023-01-11 14:50:10 +01005821 TEST_EQUAL(psa_aead_finish(&operation, final_data,
5822 finish_output_size,
5823 &output_part_length,
5824 tag_buffer, tag_length,
5825 &tag_size),
5826 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005827
Gilles Peskine449bd832023-01-11 14:50:10 +01005828 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005829
Paul Elliott481be342021-07-16 17:38:47 +01005830 /* ------------------------------------------------------- */
5831
Gilles Peskine449bd832023-01-11 14:50:10 +01005832 TEST_EQUAL(psa_aead_verify(&operation, final_data,
5833 finish_output_size,
5834 &output_part_length,
5835 tag_buffer,
5836 tag_length),
5837 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005838
Gilles Peskine449bd832023-01-11 14:50:10 +01005839 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005840
5841 /* Test for double setups. */
5842
Gilles Peskine449bd832023-01-11 14:50:10 +01005843 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01005844
Gilles Peskine449bd832023-01-11 14:50:10 +01005845 TEST_EQUAL(psa_aead_encrypt_setup(&operation, key, alg),
5846 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005847
Gilles Peskine449bd832023-01-11 14:50:10 +01005848 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005849
Paul Elliott481be342021-07-16 17:38:47 +01005850 /* ------------------------------------------------------- */
5851
Gilles Peskine449bd832023-01-11 14:50:10 +01005852 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01005853
Gilles Peskine449bd832023-01-11 14:50:10 +01005854 TEST_EQUAL(psa_aead_decrypt_setup(&operation, key, alg),
5855 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005856
Gilles Peskine449bd832023-01-11 14:50:10 +01005857 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005858
Paul Elliott374a2be2021-07-16 17:53:40 +01005859 /* ------------------------------------------------------- */
5860
Gilles Peskine449bd832023-01-11 14:50:10 +01005861 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott374a2be2021-07-16 17:53:40 +01005862
Gilles Peskine449bd832023-01-11 14:50:10 +01005863 TEST_EQUAL(psa_aead_decrypt_setup(&operation, key, alg),
5864 PSA_ERROR_BAD_STATE);
Paul Elliott374a2be2021-07-16 17:53:40 +01005865
Gilles Peskine449bd832023-01-11 14:50:10 +01005866 psa_aead_abort(&operation);
Paul Elliott374a2be2021-07-16 17:53:40 +01005867
5868 /* ------------------------------------------------------- */
5869
Gilles Peskine449bd832023-01-11 14:50:10 +01005870 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliott374a2be2021-07-16 17:53:40 +01005871
Gilles Peskine449bd832023-01-11 14:50:10 +01005872 TEST_EQUAL(psa_aead_encrypt_setup(&operation, key, alg),
5873 PSA_ERROR_BAD_STATE);
Paul Elliott374a2be2021-07-16 17:53:40 +01005874
Gilles Peskine449bd832023-01-11 14:50:10 +01005875 psa_aead_abort(&operation);
Paul Elliott374a2be2021-07-16 17:53:40 +01005876
Paul Elliottc23a9a02021-06-21 18:32:46 +01005877 /* Test for not setting a nonce. */
5878
Gilles Peskine449bd832023-01-11 14:50:10 +01005879 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01005880
Gilles Peskine449bd832023-01-11 14:50:10 +01005881 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
5882 additional_data->len),
5883 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005884
Gilles Peskine449bd832023-01-11 14:50:10 +01005885 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005886
Paul Elliott7f628422021-09-01 12:08:29 +01005887 /* ------------------------------------------------------- */
5888
Gilles Peskine449bd832023-01-11 14:50:10 +01005889 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott7f628422021-09-01 12:08:29 +01005890
Gilles Peskine449bd832023-01-11 14:50:10 +01005891 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
5892 input_data->len, output_data,
5893 output_size, &output_length),
5894 PSA_ERROR_BAD_STATE);
Paul Elliott7f628422021-09-01 12:08:29 +01005895
Gilles Peskine449bd832023-01-11 14:50:10 +01005896 psa_aead_abort(&operation);
Paul Elliott7f628422021-09-01 12:08:29 +01005897
Paul Elliottbdc2c682021-09-21 18:37:10 +01005898 /* ------------------------------------------------------- */
5899
Gilles Peskine449bd832023-01-11 14:50:10 +01005900 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottbdc2c682021-09-21 18:37:10 +01005901
Gilles Peskine449bd832023-01-11 14:50:10 +01005902 TEST_EQUAL(psa_aead_finish(&operation, final_data,
5903 finish_output_size,
5904 &output_part_length,
5905 tag_buffer, tag_length,
5906 &tag_size),
5907 PSA_ERROR_BAD_STATE);
Paul Elliottbdc2c682021-09-21 18:37:10 +01005908
Gilles Peskine449bd832023-01-11 14:50:10 +01005909 psa_aead_abort(&operation);
Paul Elliottbdc2c682021-09-21 18:37:10 +01005910
5911 /* ------------------------------------------------------- */
5912
Gilles Peskine449bd832023-01-11 14:50:10 +01005913 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliottbdc2c682021-09-21 18:37:10 +01005914
Gilles Peskine449bd832023-01-11 14:50:10 +01005915 TEST_EQUAL(psa_aead_verify(&operation, final_data,
5916 finish_output_size,
5917 &output_part_length,
5918 tag_buffer,
5919 tag_length),
5920 PSA_ERROR_BAD_STATE);
Paul Elliottbdc2c682021-09-21 18:37:10 +01005921
Gilles Peskine449bd832023-01-11 14:50:10 +01005922 psa_aead_abort(&operation);
Paul Elliottbdc2c682021-09-21 18:37:10 +01005923
Paul Elliottc23a9a02021-06-21 18:32:46 +01005924 /* Test for double setting nonce. */
5925
Gilles Peskine449bd832023-01-11 14:50:10 +01005926 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01005927
Gilles Peskine449bd832023-01-11 14:50:10 +01005928 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01005929
Gilles Peskine449bd832023-01-11 14:50:10 +01005930 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
5931 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005932
Gilles Peskine449bd832023-01-11 14:50:10 +01005933 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01005934
Paul Elliott374a2be2021-07-16 17:53:40 +01005935 /* Test for double generating nonce. */
5936
Gilles Peskine449bd832023-01-11 14:50:10 +01005937 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott374a2be2021-07-16 17:53:40 +01005938
Gilles Peskine449bd832023-01-11 14:50:10 +01005939 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
5940 PSA_AEAD_NONCE_MAX_SIZE,
5941 &nonce_length));
Paul Elliott374a2be2021-07-16 17:53:40 +01005942
Gilles Peskine449bd832023-01-11 14:50:10 +01005943 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
5944 PSA_AEAD_NONCE_MAX_SIZE,
5945 &nonce_length),
5946 PSA_ERROR_BAD_STATE);
Paul Elliott374a2be2021-07-16 17:53:40 +01005947
5948
Gilles Peskine449bd832023-01-11 14:50:10 +01005949 psa_aead_abort(&operation);
Paul Elliott374a2be2021-07-16 17:53:40 +01005950
5951 /* Test for generate nonce then set and vice versa */
5952
Gilles Peskine449bd832023-01-11 14:50:10 +01005953 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott374a2be2021-07-16 17:53:40 +01005954
Gilles Peskine449bd832023-01-11 14:50:10 +01005955 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
5956 PSA_AEAD_NONCE_MAX_SIZE,
5957 &nonce_length));
Paul Elliott374a2be2021-07-16 17:53:40 +01005958
Gilles Peskine449bd832023-01-11 14:50:10 +01005959 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
5960 PSA_ERROR_BAD_STATE);
Paul Elliott374a2be2021-07-16 17:53:40 +01005961
Gilles Peskine449bd832023-01-11 14:50:10 +01005962 psa_aead_abort(&operation);
Paul Elliott374a2be2021-07-16 17:53:40 +01005963
Andrzej Kurekad837522021-12-15 15:28:49 +01005964 /* Test for generating nonce after calling set lengths */
5965
Gilles Peskine449bd832023-01-11 14:50:10 +01005966 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01005967
Gilles Peskine449bd832023-01-11 14:50:10 +01005968 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5969 input_data->len));
Andrzej Kurekad837522021-12-15 15:28:49 +01005970
Gilles Peskine449bd832023-01-11 14:50:10 +01005971 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
5972 PSA_AEAD_NONCE_MAX_SIZE,
5973 &nonce_length));
Andrzej Kurekad837522021-12-15 15:28:49 +01005974
Gilles Peskine449bd832023-01-11 14:50:10 +01005975 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01005976
Andrzej Kurek031df4a2022-01-19 12:44:49 -05005977 /* Test for generating nonce after calling set lengths with UINT32_MAX ad_data length */
Andrzej Kurekad837522021-12-15 15:28:49 +01005978
Gilles Peskine449bd832023-01-11 14:50:10 +01005979 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01005980
Gilles Peskine449bd832023-01-11 14:50:10 +01005981 if (operation.alg == PSA_ALG_CCM) {
5982 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX,
5983 input_data->len),
5984 PSA_ERROR_INVALID_ARGUMENT);
5985 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
5986 PSA_AEAD_NONCE_MAX_SIZE,
5987 &nonce_length),
5988 PSA_ERROR_BAD_STATE);
5989 } else {
5990 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX,
5991 input_data->len));
5992 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
5993 PSA_AEAD_NONCE_MAX_SIZE,
5994 &nonce_length));
Andrzej Kurekad837522021-12-15 15:28:49 +01005995 }
5996
Gilles Peskine449bd832023-01-11 14:50:10 +01005997 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01005998
Andrzej Kurek031df4a2022-01-19 12:44:49 -05005999 /* Test for generating nonce after calling set lengths with SIZE_MAX ad_data length */
Dave Rodgmand26d7442023-02-11 17:14:54 +00006000#if SIZE_MAX > UINT32_MAX
Gilles Peskine449bd832023-01-11 14:50:10 +01006001 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006002
Gilles Peskine449bd832023-01-11 14:50:10 +01006003 if (operation.alg == PSA_ALG_CCM || operation.alg == PSA_ALG_GCM) {
6004 TEST_EQUAL(psa_aead_set_lengths(&operation, SIZE_MAX,
6005 input_data->len),
6006 PSA_ERROR_INVALID_ARGUMENT);
6007 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
6008 PSA_AEAD_NONCE_MAX_SIZE,
6009 &nonce_length),
6010 PSA_ERROR_BAD_STATE);
6011 } else {
6012 PSA_ASSERT(psa_aead_set_lengths(&operation, SIZE_MAX,
6013 input_data->len));
6014 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6015 PSA_AEAD_NONCE_MAX_SIZE,
6016 &nonce_length));
Andrzej Kurekad837522021-12-15 15:28:49 +01006017 }
6018
Gilles Peskine449bd832023-01-11 14:50:10 +01006019 psa_aead_abort(&operation);
Dave Rodgmand26d7442023-02-11 17:14:54 +00006020#endif
Andrzej Kurekad837522021-12-15 15:28:49 +01006021
Andrzej Kurek031df4a2022-01-19 12:44:49 -05006022 /* Test for calling set lengths with a UINT32_MAX ad_data length, after generating nonce */
Andrzej Kurekad837522021-12-15 15:28:49 +01006023
Gilles Peskine449bd832023-01-11 14:50:10 +01006024 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006025
Gilles Peskine449bd832023-01-11 14:50:10 +01006026 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6027 PSA_AEAD_NONCE_MAX_SIZE,
6028 &nonce_length));
Andrzej Kurekad837522021-12-15 15:28:49 +01006029
Gilles Peskine449bd832023-01-11 14:50:10 +01006030 if (operation.alg == PSA_ALG_CCM) {
6031 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX,
6032 input_data->len),
6033 PSA_ERROR_INVALID_ARGUMENT);
6034 } else {
6035 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX,
6036 input_data->len));
Andrzej Kurekad837522021-12-15 15:28:49 +01006037 }
6038
Gilles Peskine449bd832023-01-11 14:50:10 +01006039 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006040
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006041 /* ------------------------------------------------------- */
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006042 /* Test for setting nonce after calling set lengths */
6043
Gilles Peskine449bd832023-01-11 14:50:10 +01006044 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006045
Gilles Peskine449bd832023-01-11 14:50:10 +01006046 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6047 input_data->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006048
Gilles Peskine449bd832023-01-11 14:50:10 +01006049 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006050
Gilles Peskine449bd832023-01-11 14:50:10 +01006051 psa_aead_abort(&operation);
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006052
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006053 /* Test for setting nonce after calling set lengths with UINT32_MAX ad_data length */
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006054
Gilles Peskine449bd832023-01-11 14:50:10 +01006055 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006056
Gilles Peskine449bd832023-01-11 14:50:10 +01006057 if (operation.alg == PSA_ALG_CCM) {
6058 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX,
6059 input_data->len),
6060 PSA_ERROR_INVALID_ARGUMENT);
6061 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
6062 PSA_ERROR_BAD_STATE);
6063 } else {
6064 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX,
6065 input_data->len));
6066 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006067 }
6068
Gilles Peskine449bd832023-01-11 14:50:10 +01006069 psa_aead_abort(&operation);
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006070
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006071 /* Test for setting nonce after calling set lengths with SIZE_MAX ad_data length */
Dave Rodgmana4763632023-02-11 18:36:23 +00006072#if SIZE_MAX > UINT32_MAX
Gilles Peskine449bd832023-01-11 14:50:10 +01006073 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006074
Gilles Peskine449bd832023-01-11 14:50:10 +01006075 if (operation.alg == PSA_ALG_CCM || operation.alg == PSA_ALG_GCM) {
6076 TEST_EQUAL(psa_aead_set_lengths(&operation, SIZE_MAX,
6077 input_data->len),
6078 PSA_ERROR_INVALID_ARGUMENT);
6079 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
6080 PSA_ERROR_BAD_STATE);
6081 } else {
6082 PSA_ASSERT(psa_aead_set_lengths(&operation, SIZE_MAX,
6083 input_data->len));
6084 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006085 }
6086
Gilles Peskine449bd832023-01-11 14:50:10 +01006087 psa_aead_abort(&operation);
Dave Rodgmana4763632023-02-11 18:36:23 +00006088#endif
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006089
Andrzej Kurek031df4a2022-01-19 12:44:49 -05006090 /* Test for calling set lengths with an ad_data length of UINT32_MAX, after setting nonce */
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006091
Gilles Peskine449bd832023-01-11 14:50:10 +01006092 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006093
Gilles Peskine449bd832023-01-11 14:50:10 +01006094 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006095
Gilles Peskine449bd832023-01-11 14:50:10 +01006096 if (operation.alg == PSA_ALG_CCM) {
6097 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX,
6098 input_data->len),
6099 PSA_ERROR_INVALID_ARGUMENT);
6100 } else {
6101 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX,
6102 input_data->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006103 }
6104
Gilles Peskine449bd832023-01-11 14:50:10 +01006105 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006106
Andrzej Kurek031df4a2022-01-19 12:44:49 -05006107 /* Test for setting nonce after calling set lengths with plaintext length of SIZE_MAX */
Dave Rodgman91e83212023-02-11 20:07:43 +00006108#if SIZE_MAX > UINT32_MAX
Gilles Peskine449bd832023-01-11 14:50:10 +01006109 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006110
Gilles Peskine449bd832023-01-11 14:50:10 +01006111 if (operation.alg == PSA_ALG_GCM) {
6112 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6113 SIZE_MAX),
6114 PSA_ERROR_INVALID_ARGUMENT);
6115 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
6116 PSA_ERROR_BAD_STATE);
6117 } else if (operation.alg != PSA_ALG_CCM) {
6118 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6119 SIZE_MAX));
6120 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006121 }
6122
Gilles Peskine449bd832023-01-11 14:50:10 +01006123 psa_aead_abort(&operation);
Dave Rodgman91e83212023-02-11 20:07:43 +00006124#endif
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006125
Tom Cosgrove1797b052022-12-04 17:19:59 +00006126 /* Test for calling set lengths with a plaintext length of SIZE_MAX, after setting nonce */
Dave Rodgman641288b2023-02-11 22:02:04 +00006127#if SIZE_MAX > UINT32_MAX
Gilles Peskine449bd832023-01-11 14:50:10 +01006128 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006129
Gilles Peskine449bd832023-01-11 14:50:10 +01006130 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006131
Gilles Peskine449bd832023-01-11 14:50:10 +01006132 if (operation.alg == PSA_ALG_GCM) {
6133 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6134 SIZE_MAX),
6135 PSA_ERROR_INVALID_ARGUMENT);
6136 } else if (operation.alg != PSA_ALG_CCM) {
6137 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6138 SIZE_MAX));
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006139 }
6140
Gilles Peskine449bd832023-01-11 14:50:10 +01006141 psa_aead_abort(&operation);
Dave Rodgman641288b2023-02-11 22:02:04 +00006142#endif
Paul Elliott374a2be2021-07-16 17:53:40 +01006143
6144 /* ------------------------------------------------------- */
6145
Gilles Peskine449bd832023-01-11 14:50:10 +01006146 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott374a2be2021-07-16 17:53:40 +01006147
Gilles Peskine449bd832023-01-11 14:50:10 +01006148 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott374a2be2021-07-16 17:53:40 +01006149
Gilles Peskine449bd832023-01-11 14:50:10 +01006150 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
6151 PSA_AEAD_NONCE_MAX_SIZE,
6152 &nonce_length),
6153 PSA_ERROR_BAD_STATE);
Paul Elliott374a2be2021-07-16 17:53:40 +01006154
Gilles Peskine449bd832023-01-11 14:50:10 +01006155 psa_aead_abort(&operation);
Paul Elliott374a2be2021-07-16 17:53:40 +01006156
Paul Elliott7220cae2021-06-22 17:25:57 +01006157 /* Test for generating nonce in decrypt setup. */
6158
Gilles Peskine449bd832023-01-11 14:50:10 +01006159 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliott7220cae2021-06-22 17:25:57 +01006160
Gilles Peskine449bd832023-01-11 14:50:10 +01006161 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
6162 PSA_AEAD_NONCE_MAX_SIZE,
6163 &nonce_length),
6164 PSA_ERROR_BAD_STATE);
Paul Elliott7220cae2021-06-22 17:25:57 +01006165
Gilles Peskine449bd832023-01-11 14:50:10 +01006166 psa_aead_abort(&operation);
Paul Elliott7220cae2021-06-22 17:25:57 +01006167
Paul Elliottc23a9a02021-06-21 18:32:46 +01006168 /* Test for setting lengths twice. */
6169
Gilles Peskine449bd832023-01-11 14:50:10 +01006170 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006171
Gilles Peskine449bd832023-01-11 14:50:10 +01006172 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006173
Gilles Peskine449bd832023-01-11 14:50:10 +01006174 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6175 input_data->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006176
Gilles Peskine449bd832023-01-11 14:50:10 +01006177 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6178 input_data->len),
6179 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006180
Gilles Peskine449bd832023-01-11 14:50:10 +01006181 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006182
Andrzej Kurekad837522021-12-15 15:28:49 +01006183 /* Test for setting lengths after setting nonce + already starting data. */
Paul Elliottc23a9a02021-06-21 18:32:46 +01006184
Gilles Peskine449bd832023-01-11 14:50:10 +01006185 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006186
Gilles Peskine449bd832023-01-11 14:50:10 +01006187 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006188
Gilles Peskine449bd832023-01-11 14:50:10 +01006189 if (operation.alg == PSA_ALG_CCM) {
Paul Elliottf94bd992021-09-19 18:15:59 +01006190
Gilles Peskine449bd832023-01-11 14:50:10 +01006191 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6192 additional_data->len),
6193 PSA_ERROR_BAD_STATE);
6194 } else {
6195 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
6196 additional_data->len));
6197
6198 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6199 input_data->len),
6200 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006201 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006202 psa_aead_abort(&operation);
Paul Elliottf94bd992021-09-19 18:15:59 +01006203
6204 /* ------------------------------------------------------- */
6205
Gilles Peskine449bd832023-01-11 14:50:10 +01006206 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottf94bd992021-09-19 18:15:59 +01006207
Gilles Peskine449bd832023-01-11 14:50:10 +01006208 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottf94bd992021-09-19 18:15:59 +01006209
Gilles Peskine449bd832023-01-11 14:50:10 +01006210 if (operation.alg == PSA_ALG_CCM) {
6211 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6212 input_data->len, output_data,
6213 output_size, &output_length),
6214 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006215
Gilles Peskine449bd832023-01-11 14:50:10 +01006216 } else {
6217 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
6218 input_data->len, output_data,
6219 output_size, &output_length));
6220
6221 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6222 input_data->len),
6223 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006224 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006225 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006226
6227 /* ------------------------------------------------------- */
6228
Gilles Peskine449bd832023-01-11 14:50:10 +01006229 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006230
Gilles Peskine449bd832023-01-11 14:50:10 +01006231 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kurekad837522021-12-15 15:28:49 +01006232
Gilles Peskine449bd832023-01-11 14:50:10 +01006233 if (operation.alg == PSA_ALG_CCM) {
6234 PSA_ASSERT(psa_aead_finish(&operation, final_data,
6235 finish_output_size,
6236 &output_part_length,
6237 tag_buffer, tag_length,
6238 &tag_size));
6239 } else {
6240 PSA_ASSERT(psa_aead_finish(&operation, final_data,
6241 finish_output_size,
6242 &output_part_length,
6243 tag_buffer, tag_length,
6244 &tag_size));
6245
6246 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6247 input_data->len),
6248 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006249 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006250 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006251
6252 /* Test for setting lengths after generating nonce + already starting data. */
6253
Gilles Peskine449bd832023-01-11 14:50:10 +01006254 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006255
Gilles Peskine449bd832023-01-11 14:50:10 +01006256 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6257 PSA_AEAD_NONCE_MAX_SIZE,
6258 &nonce_length));
6259 if (operation.alg == PSA_ALG_CCM) {
Andrzej Kurekad837522021-12-15 15:28:49 +01006260
Gilles Peskine449bd832023-01-11 14:50:10 +01006261 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6262 additional_data->len),
6263 PSA_ERROR_BAD_STATE);
6264 } else {
6265 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
6266 additional_data->len));
6267
6268 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6269 input_data->len),
6270 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006271 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006272 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006273
6274 /* ------------------------------------------------------- */
6275
Gilles Peskine449bd832023-01-11 14:50:10 +01006276 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006277
Gilles Peskine449bd832023-01-11 14:50:10 +01006278 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6279 PSA_AEAD_NONCE_MAX_SIZE,
6280 &nonce_length));
6281 if (operation.alg == PSA_ALG_CCM) {
6282 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6283 input_data->len, output_data,
6284 output_size, &output_length),
6285 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006286
Gilles Peskine449bd832023-01-11 14:50:10 +01006287 } else {
6288 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
6289 input_data->len, output_data,
6290 output_size, &output_length));
6291
6292 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6293 input_data->len),
6294 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006295 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006296 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006297
6298 /* ------------------------------------------------------- */
6299
Gilles Peskine449bd832023-01-11 14:50:10 +01006300 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006301
Gilles Peskine449bd832023-01-11 14:50:10 +01006302 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6303 PSA_AEAD_NONCE_MAX_SIZE,
6304 &nonce_length));
6305 if (operation.alg == PSA_ALG_CCM) {
6306 PSA_ASSERT(psa_aead_finish(&operation, final_data,
6307 finish_output_size,
6308 &output_part_length,
6309 tag_buffer, tag_length,
6310 &tag_size));
6311 } else {
6312 PSA_ASSERT(psa_aead_finish(&operation, final_data,
6313 finish_output_size,
6314 &output_part_length,
6315 tag_buffer, tag_length,
6316 &tag_size));
Andrzej Kurekad837522021-12-15 15:28:49 +01006317
Gilles Peskine449bd832023-01-11 14:50:10 +01006318 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6319 input_data->len),
6320 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006321 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006322 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006323
Paul Elliott243080c2021-07-21 19:01:17 +01006324 /* Test for not sending any additional data or data after setting non zero
6325 * lengths for them. (encrypt) */
Paul Elliottc23a9a02021-06-21 18:32:46 +01006326
Gilles Peskine449bd832023-01-11 14:50:10 +01006327 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006328
Gilles Peskine449bd832023-01-11 14:50:10 +01006329 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006330
Gilles Peskine449bd832023-01-11 14:50:10 +01006331 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6332 input_data->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006333
Gilles Peskine449bd832023-01-11 14:50:10 +01006334 TEST_EQUAL(psa_aead_finish(&operation, final_data,
6335 finish_output_size,
6336 &output_part_length,
6337 tag_buffer, tag_length,
6338 &tag_size),
6339 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006340
Gilles Peskine449bd832023-01-11 14:50:10 +01006341 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006342
Paul Elliott243080c2021-07-21 19:01:17 +01006343 /* Test for not sending any additional data or data after setting non-zero
6344 * lengths for them. (decrypt) */
Paul Elliottc23a9a02021-06-21 18:32:46 +01006345
Gilles Peskine449bd832023-01-11 14:50:10 +01006346 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006347
Gilles Peskine449bd832023-01-11 14:50:10 +01006348 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006349
Gilles Peskine449bd832023-01-11 14:50:10 +01006350 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6351 input_data->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006352
Gilles Peskine449bd832023-01-11 14:50:10 +01006353 TEST_EQUAL(psa_aead_verify(&operation, final_data,
6354 finish_output_size,
6355 &output_part_length,
6356 tag_buffer,
6357 tag_length),
6358 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006359
Gilles Peskine449bd832023-01-11 14:50:10 +01006360 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006361
Paul Elliott243080c2021-07-21 19:01:17 +01006362 /* Test for not sending any additional data after setting a non-zero length
6363 * for it. */
Paul Elliottc23a9a02021-06-21 18:32:46 +01006364
Gilles Peskine449bd832023-01-11 14:50:10 +01006365 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006366
Gilles Peskine449bd832023-01-11 14:50:10 +01006367 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006368
Gilles Peskine449bd832023-01-11 14:50:10 +01006369 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6370 input_data->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006371
Gilles Peskine449bd832023-01-11 14:50:10 +01006372 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6373 input_data->len, output_data,
6374 output_size, &output_length),
6375 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006376
Gilles Peskine449bd832023-01-11 14:50:10 +01006377 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006378
Paul Elliottf94bd992021-09-19 18:15:59 +01006379 /* Test for not sending any data after setting a non-zero length for it.*/
6380
Gilles Peskine449bd832023-01-11 14:50:10 +01006381 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottf94bd992021-09-19 18:15:59 +01006382
Gilles Peskine449bd832023-01-11 14:50:10 +01006383 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottf94bd992021-09-19 18:15:59 +01006384
Gilles Peskine449bd832023-01-11 14:50:10 +01006385 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6386 input_data->len));
Paul Elliottf94bd992021-09-19 18:15:59 +01006387
Gilles Peskine449bd832023-01-11 14:50:10 +01006388 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
6389 additional_data->len));
Paul Elliottf94bd992021-09-19 18:15:59 +01006390
Gilles Peskine449bd832023-01-11 14:50:10 +01006391 TEST_EQUAL(psa_aead_finish(&operation, final_data,
6392 finish_output_size,
6393 &output_part_length,
6394 tag_buffer, tag_length,
6395 &tag_size),
6396 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottf94bd992021-09-19 18:15:59 +01006397
Gilles Peskine449bd832023-01-11 14:50:10 +01006398 psa_aead_abort(&operation);
Paul Elliottf94bd992021-09-19 18:15:59 +01006399
Paul Elliottb0450fe2021-09-01 15:06:26 +01006400 /* Test for sending too much additional data after setting lengths. */
6401
Gilles Peskine449bd832023-01-11 14:50:10 +01006402 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006403
Gilles Peskine449bd832023-01-11 14:50:10 +01006404 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006405
Gilles Peskine449bd832023-01-11 14:50:10 +01006406 PSA_ASSERT(psa_aead_set_lengths(&operation, 0, 0));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006407
6408
Gilles Peskine449bd832023-01-11 14:50:10 +01006409 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6410 additional_data->len),
6411 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottb0450fe2021-09-01 15:06:26 +01006412
Gilles Peskine449bd832023-01-11 14:50:10 +01006413 psa_aead_abort(&operation);
Paul Elliottb0450fe2021-09-01 15:06:26 +01006414
Paul Elliotta2a09b02021-09-22 14:56:40 +01006415 /* ------------------------------------------------------- */
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006416
Gilles Peskine449bd832023-01-11 14:50:10 +01006417 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006418
Gilles Peskine449bd832023-01-11 14:50:10 +01006419 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006420
Gilles Peskine449bd832023-01-11 14:50:10 +01006421 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6422 input_data->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006423
Gilles Peskine449bd832023-01-11 14:50:10 +01006424 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
6425 additional_data->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006426
Gilles Peskine449bd832023-01-11 14:50:10 +01006427 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6428 1),
6429 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006430
Gilles Peskine449bd832023-01-11 14:50:10 +01006431 psa_aead_abort(&operation);
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006432
Paul Elliottb0450fe2021-09-01 15:06:26 +01006433 /* Test for sending too much data after setting lengths. */
6434
Gilles Peskine449bd832023-01-11 14:50:10 +01006435 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006436
Gilles Peskine449bd832023-01-11 14:50:10 +01006437 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006438
Gilles Peskine449bd832023-01-11 14:50:10 +01006439 PSA_ASSERT(psa_aead_set_lengths(&operation, 0, 0));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006440
Gilles Peskine449bd832023-01-11 14:50:10 +01006441 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6442 input_data->len, output_data,
6443 output_size, &output_length),
6444 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottb0450fe2021-09-01 15:06:26 +01006445
Gilles Peskine449bd832023-01-11 14:50:10 +01006446 psa_aead_abort(&operation);
Paul Elliottb0450fe2021-09-01 15:06:26 +01006447
Paul Elliotta2a09b02021-09-22 14:56:40 +01006448 /* ------------------------------------------------------- */
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006449
Gilles Peskine449bd832023-01-11 14:50:10 +01006450 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006451
Gilles Peskine449bd832023-01-11 14:50:10 +01006452 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006453
Gilles Peskine449bd832023-01-11 14:50:10 +01006454 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6455 input_data->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006456
Gilles Peskine449bd832023-01-11 14:50:10 +01006457 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
6458 additional_data->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006459
Gilles Peskine449bd832023-01-11 14:50:10 +01006460 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
6461 input_data->len, output_data,
6462 output_size, &output_length));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006463
Gilles Peskine449bd832023-01-11 14:50:10 +01006464 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6465 1, output_data,
6466 output_size, &output_length),
6467 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006468
Gilles Peskine449bd832023-01-11 14:50:10 +01006469 psa_aead_abort(&operation);
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006470
Paul Elliottc23a9a02021-06-21 18:32:46 +01006471 /* Test sending additional data after data. */
6472
Gilles Peskine449bd832023-01-11 14:50:10 +01006473 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006474
Gilles Peskine449bd832023-01-11 14:50:10 +01006475 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006476
Gilles Peskine449bd832023-01-11 14:50:10 +01006477 if (operation.alg != PSA_ALG_CCM) {
6478 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
6479 input_data->len, output_data,
6480 output_size, &output_length));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006481
Gilles Peskine449bd832023-01-11 14:50:10 +01006482 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6483 additional_data->len),
6484 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006485 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006486 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006487
Paul Elliott534d0b42021-06-22 19:15:20 +01006488 /* Test calling finish on decryption. */
6489
Gilles Peskine449bd832023-01-11 14:50:10 +01006490 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliott534d0b42021-06-22 19:15:20 +01006491
Gilles Peskine449bd832023-01-11 14:50:10 +01006492 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott534d0b42021-06-22 19:15:20 +01006493
Gilles Peskine449bd832023-01-11 14:50:10 +01006494 TEST_EQUAL(psa_aead_finish(&operation, final_data,
6495 finish_output_size,
6496 &output_part_length,
6497 tag_buffer, tag_length,
6498 &tag_size),
6499 PSA_ERROR_BAD_STATE);
Paul Elliott534d0b42021-06-22 19:15:20 +01006500
Gilles Peskine449bd832023-01-11 14:50:10 +01006501 psa_aead_abort(&operation);
Paul Elliott534d0b42021-06-22 19:15:20 +01006502
6503 /* Test calling verify on encryption. */
6504
Gilles Peskine449bd832023-01-11 14:50:10 +01006505 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott534d0b42021-06-22 19:15:20 +01006506
Gilles Peskine449bd832023-01-11 14:50:10 +01006507 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott534d0b42021-06-22 19:15:20 +01006508
Gilles Peskine449bd832023-01-11 14:50:10 +01006509 TEST_EQUAL(psa_aead_verify(&operation, final_data,
6510 finish_output_size,
6511 &output_part_length,
6512 tag_buffer,
6513 tag_length),
6514 PSA_ERROR_BAD_STATE);
Paul Elliott534d0b42021-06-22 19:15:20 +01006515
Gilles Peskine449bd832023-01-11 14:50:10 +01006516 psa_aead_abort(&operation);
Paul Elliott534d0b42021-06-22 19:15:20 +01006517
6518
Paul Elliottc23a9a02021-06-21 18:32:46 +01006519exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01006520 psa_destroy_key(key);
6521 psa_aead_abort(&operation);
6522 mbedtls_free(output_data);
6523 mbedtls_free(final_data);
6524 PSA_DONE();
Paul Elliottc23a9a02021-06-21 18:32:46 +01006525}
6526/* END_CASE */
6527
6528/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01006529void signature_size(int type_arg,
6530 int bits,
6531 int alg_arg,
6532 int expected_size_arg)
Gilles Peskinee59236f2018-01-27 23:32:46 +01006533{
6534 psa_key_type_t type = type_arg;
6535 psa_algorithm_t alg = alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01006536 size_t actual_size = PSA_SIGN_OUTPUT_SIZE(type, bits, alg);
Gilles Peskine841b14b2019-11-26 17:37:37 +01006537
Gilles Peskine449bd832023-01-11 14:50:10 +01006538 TEST_EQUAL(actual_size, (size_t) expected_size_arg);
Gilles Peskine841b14b2019-11-26 17:37:37 +01006539
Gilles Peskinee59236f2018-01-27 23:32:46 +01006540exit:
6541 ;
6542}
6543/* END_CASE */
6544
6545/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01006546void sign_hash_deterministic(int key_type_arg, data_t *key_data,
6547 int alg_arg, data_t *input_data,
6548 data_t *output_data)
Gilles Peskinee59236f2018-01-27 23:32:46 +01006549{
Ronald Cron5425a212020-08-04 14:58:35 +02006550 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinee59236f2018-01-27 23:32:46 +01006551 psa_key_type_t key_type = key_type_arg;
6552 psa_algorithm_t alg = alg_arg;
Gilles Peskine20035e32018-02-03 22:44:14 +01006553 size_t key_bits;
Gilles Peskine20035e32018-02-03 22:44:14 +01006554 unsigned char *signature = NULL;
6555 size_t signature_size;
6556 size_t signature_length = 0xdeadbeef;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02006557 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine20035e32018-02-03 22:44:14 +01006558
Gilles Peskine449bd832023-01-11 14:50:10 +01006559 PSA_ASSERT(psa_crypto_init());
Gilles Peskine20035e32018-02-03 22:44:14 +01006560
Gilles Peskine449bd832023-01-11 14:50:10 +01006561 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
6562 psa_set_key_algorithm(&attributes, alg);
6563 psa_set_key_type(&attributes, key_type);
mohammad1603a97cb8c2018-03-28 03:46:26 -07006564
Gilles Peskine449bd832023-01-11 14:50:10 +01006565 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
6566 &key));
6567 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
6568 key_bits = psa_get_key_bits(&attributes);
Gilles Peskine20035e32018-02-03 22:44:14 +01006569
Shaun Case8b0ecbc2021-12-20 21:14:10 -08006570 /* Allocate a buffer which has the size advertised by the
Gilles Peskine860ce9d2018-06-28 12:23:00 +02006571 * library. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006572 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
6573 key_bits, alg);
6574 TEST_ASSERT(signature_size != 0);
6575 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01006576 TEST_CALLOC(signature, signature_size);
Gilles Peskine20035e32018-02-03 22:44:14 +01006577
Gilles Peskine860ce9d2018-06-28 12:23:00 +02006578 /* Perform the signature. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006579 PSA_ASSERT(psa_sign_hash(key, alg,
6580 input_data->x, input_data->len,
6581 signature, signature_size,
6582 &signature_length));
Gilles Peskine9911b022018-06-29 17:30:48 +02006583 /* Verify that the signature is what is expected. */
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01006584 TEST_MEMORY_COMPARE(output_data->x, output_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01006585 signature, signature_length);
Gilles Peskine20035e32018-02-03 22:44:14 +01006586
6587exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01006588 /*
6589 * Key attributes may have been returned by psa_get_key_attributes()
6590 * thus reset them as required.
6591 */
Gilles Peskine449bd832023-01-11 14:50:10 +01006592 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01006593
Gilles Peskine449bd832023-01-11 14:50:10 +01006594 psa_destroy_key(key);
6595 mbedtls_free(signature);
6596 PSA_DONE();
Gilles Peskine20035e32018-02-03 22:44:14 +01006597}
6598/* END_CASE */
6599
Paul Elliott712d5122022-12-07 14:03:10 +00006600/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00006601/**
6602 * sign_hash_interruptible() test intentions:
6603 *
6604 * Note: This test can currently only handle ECDSA.
6605 *
6606 * 1. Test interruptible sign hash with known outcomes (deterministic ECDSA
Paul Elliott8c092052023-03-06 17:49:14 +00006607 * and private keys / keypairs only).
Paul Elliottc7f68822023-02-24 17:37:04 +00006608 *
6609 * 2. Test the number of calls to psa_sign_hash_complete() required are as
6610 * expected for different max_ops values.
6611 *
6612 * 3. Test that the number of ops done prior to start and after abort is zero
6613 * and that each successful stage completes some ops (this is not mandated by
6614 * the PSA specification, but is currently the case).
6615 *
6616 * 4. Test that calling psa_sign_hash_get_num_ops() multiple times between
6617 * complete() calls does not alter the number of ops returned.
6618 */
Paul Elliott712d5122022-12-07 14:03:10 +00006619void sign_hash_interruptible(int key_type_arg, data_t *key_data,
6620 int alg_arg, data_t *input_data,
Paul Elliottab7c5c82023-02-03 15:49:42 +00006621 data_t *output_data, int max_ops_arg)
Paul Elliott712d5122022-12-07 14:03:10 +00006622{
6623 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
6624 psa_key_type_t key_type = key_type_arg;
6625 psa_algorithm_t alg = alg_arg;
6626 size_t key_bits;
6627 unsigned char *signature = NULL;
6628 size_t signature_size;
6629 size_t signature_length = 0xdeadbeef;
6630 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
6631 psa_status_t status = PSA_OPERATION_INCOMPLETE;
Paul Elliottab7c5c82023-02-03 15:49:42 +00006632 uint32_t num_ops = 0;
6633 uint32_t max_ops = max_ops_arg;
Paul Elliott712d5122022-12-07 14:03:10 +00006634 size_t num_ops_prior = 0;
Paul Elliott0c683352022-12-16 19:16:56 +00006635 size_t num_completes = 0;
Paul Elliott97ac7d92023-01-23 18:09:06 +00006636 size_t min_completes = 0;
6637 size_t max_completes = 0;
Paul Elliottab7c5c82023-02-03 15:49:42 +00006638
Paul Elliott712d5122022-12-07 14:03:10 +00006639 psa_sign_hash_interruptible_operation_t operation =
6640 psa_sign_hash_interruptible_operation_init();
6641
6642 PSA_ASSERT(psa_crypto_init());
6643
6644 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
6645 psa_set_key_algorithm(&attributes, alg);
6646 psa_set_key_type(&attributes, key_type);
6647
6648 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
6649 &key));
6650 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
6651 key_bits = psa_get_key_bits(&attributes);
6652
6653 /* Allocate a buffer which has the size advertised by the
6654 * library. */
6655 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
6656 key_bits, alg);
6657 TEST_ASSERT(signature_size != 0);
6658 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01006659 TEST_CALLOC(signature, signature_size);
Paul Elliott712d5122022-12-07 14:03:10 +00006660
Paul Elliott0c683352022-12-16 19:16:56 +00006661 psa_interruptible_set_max_ops(max_ops);
6662
Paul Elliott6f600372023-02-06 18:41:05 +00006663 interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
6664 &min_completes, &max_completes);
Paul Elliott97ac7d92023-01-23 18:09:06 +00006665
Paul Elliott712d5122022-12-07 14:03:10 +00006666 num_ops_prior = psa_sign_hash_get_num_ops(&operation);
6667 TEST_ASSERT(num_ops_prior == 0);
6668
6669 /* Start performing the signature. */
6670 PSA_ASSERT(psa_sign_hash_start(&operation, key, alg,
6671 input_data->x, input_data->len));
6672
6673 num_ops_prior = psa_sign_hash_get_num_ops(&operation);
6674 TEST_ASSERT(num_ops_prior == 0);
6675
6676 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00006677 do {
Paul Elliott712d5122022-12-07 14:03:10 +00006678 status = psa_sign_hash_complete(&operation, signature, signature_size,
6679 &signature_length);
6680
Paul Elliott0c683352022-12-16 19:16:56 +00006681 num_completes++;
6682
Paul Elliott712d5122022-12-07 14:03:10 +00006683 if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
6684 num_ops = psa_sign_hash_get_num_ops(&operation);
Paul Elliott96b89b22023-02-15 23:10:37 +00006685 /* We are asserting here that every complete makes progress
6686 * (completes some ops), which is true of the internal
6687 * implementation and probably any implementation, however this is
6688 * not mandated by the PSA specification. */
Paul Elliott712d5122022-12-07 14:03:10 +00006689 TEST_ASSERT(num_ops > num_ops_prior);
Paul Elliott0c683352022-12-16 19:16:56 +00006690
Paul Elliott712d5122022-12-07 14:03:10 +00006691 num_ops_prior = num_ops;
Paul Elliottf8e5b562023-02-19 18:43:45 +00006692
6693 /* Ensure calling get_num_ops() twice still returns the same
6694 * number of ops as previously reported. */
6695 num_ops = psa_sign_hash_get_num_ops(&operation);
6696
6697 TEST_EQUAL(num_ops, num_ops_prior);
Paul Elliott712d5122022-12-07 14:03:10 +00006698 }
Paul Elliottedfc8832023-01-20 17:13:10 +00006699 } while (status == PSA_OPERATION_INCOMPLETE);
Paul Elliott712d5122022-12-07 14:03:10 +00006700
6701 TEST_ASSERT(status == PSA_SUCCESS);
6702
Paul Elliott0c683352022-12-16 19:16:56 +00006703 TEST_LE_U(min_completes, num_completes);
6704 TEST_LE_U(num_completes, max_completes);
6705
Paul Elliott712d5122022-12-07 14:03:10 +00006706 /* Verify that the signature is what is expected. */
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01006707 TEST_MEMORY_COMPARE(output_data->x, output_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01006708 signature, signature_length);
Paul Elliott712d5122022-12-07 14:03:10 +00006709
6710 PSA_ASSERT(psa_sign_hash_abort(&operation));
6711
Paul Elliott59ad9452022-12-18 15:09:02 +00006712 num_ops = psa_sign_hash_get_num_ops(&operation);
6713 TEST_ASSERT(num_ops == 0);
6714
Paul Elliott712d5122022-12-07 14:03:10 +00006715exit:
6716
6717 /*
6718 * Key attributes may have been returned by psa_get_key_attributes()
6719 * thus reset them as required.
6720 */
6721 psa_reset_key_attributes(&attributes);
6722
6723 psa_destroy_key(key);
6724 mbedtls_free(signature);
6725 PSA_DONE();
6726}
6727/* END_CASE */
6728
Gilles Peskine20035e32018-02-03 22:44:14 +01006729/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01006730void sign_hash_fail(int key_type_arg, data_t *key_data,
6731 int alg_arg, data_t *input_data,
6732 int signature_size_arg, int expected_status_arg)
Gilles Peskine20035e32018-02-03 22:44:14 +01006733{
Ronald Cron5425a212020-08-04 14:58:35 +02006734 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine20035e32018-02-03 22:44:14 +01006735 psa_key_type_t key_type = key_type_arg;
6736 psa_algorithm_t alg = alg_arg;
Gilles Peskine860ce9d2018-06-28 12:23:00 +02006737 size_t signature_size = signature_size_arg;
Gilles Peskine20035e32018-02-03 22:44:14 +01006738 psa_status_t actual_status;
6739 psa_status_t expected_status = expected_status_arg;
Gilles Peskine40f68b92018-03-07 16:43:36 +01006740 unsigned char *signature = NULL;
Gilles Peskine93aa0332018-02-03 23:58:03 +01006741 size_t signature_length = 0xdeadbeef;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02006742 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine20035e32018-02-03 22:44:14 +01006743
Tom Cosgrove05b2a872023-07-21 11:31:13 +01006744 TEST_CALLOC(signature, signature_size);
Gilles Peskine20035e32018-02-03 22:44:14 +01006745
Gilles Peskine449bd832023-01-11 14:50:10 +01006746 PSA_ASSERT(psa_crypto_init());
Gilles Peskine20035e32018-02-03 22:44:14 +01006747
Gilles Peskine449bd832023-01-11 14:50:10 +01006748 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
6749 psa_set_key_algorithm(&attributes, alg);
6750 psa_set_key_type(&attributes, key_type);
mohammad1603a97cb8c2018-03-28 03:46:26 -07006751
Gilles Peskine449bd832023-01-11 14:50:10 +01006752 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
6753 &key));
Gilles Peskine20035e32018-02-03 22:44:14 +01006754
Gilles Peskine449bd832023-01-11 14:50:10 +01006755 actual_status = psa_sign_hash(key, alg,
6756 input_data->x, input_data->len,
6757 signature, signature_size,
6758 &signature_length);
6759 TEST_EQUAL(actual_status, expected_status);
Gilles Peskine860ce9d2018-06-28 12:23:00 +02006760 /* The value of *signature_length is unspecified on error, but
6761 * whatever it is, it should be less than signature_size, so that
6762 * if the caller tries to read *signature_length bytes without
6763 * checking the error code then they don't overflow a buffer. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006764 TEST_LE_U(signature_length, signature_size);
Gilles Peskine20035e32018-02-03 22:44:14 +01006765
6766exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01006767 psa_reset_key_attributes(&attributes);
6768 psa_destroy_key(key);
6769 mbedtls_free(signature);
6770 PSA_DONE();
Gilles Peskine20035e32018-02-03 22:44:14 +01006771}
6772/* END_CASE */
mohammad16038cc1cee2018-03-28 01:21:33 +03006773
Paul Elliott91007972022-12-16 12:21:24 +00006774/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00006775/**
6776 * sign_hash_fail_interruptible() test intentions:
6777 *
6778 * Note: This test can currently only handle ECDSA.
6779 *
6780 * 1. Test that various failure cases for interruptible sign hash fail with the
6781 * correct error codes, and at the correct point (at start or during
6782 * complete).
6783 *
6784 * 2. Test the number of calls to psa_sign_hash_complete() required are as
6785 * expected for different max_ops values.
6786 *
6787 * 3. Test that the number of ops done prior to start and after abort is zero
6788 * and that each successful stage completes some ops (this is not mandated by
6789 * the PSA specification, but is currently the case).
Paul Elliott587e7802023-02-27 09:53:08 +00006790 *
6791 * 4. Check that calling complete() when start() fails and complete()
6792 * after completion results in a BAD_STATE error.
6793 *
6794 * 5. Check that calling start() again after start fails results in a BAD_STATE
6795 * error.
Paul Elliottc7f68822023-02-24 17:37:04 +00006796 */
Paul Elliott91007972022-12-16 12:21:24 +00006797void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
6798 int alg_arg, data_t *input_data,
6799 int signature_size_arg,
6800 int expected_start_status_arg,
Paul Elliott0c683352022-12-16 19:16:56 +00006801 int expected_complete_status_arg,
Paul Elliottab7c5c82023-02-03 15:49:42 +00006802 int max_ops_arg)
Paul Elliott91007972022-12-16 12:21:24 +00006803{
6804 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
6805 psa_key_type_t key_type = key_type_arg;
6806 psa_algorithm_t alg = alg_arg;
6807 size_t signature_size = signature_size_arg;
6808 psa_status_t actual_status;
6809 psa_status_t expected_start_status = expected_start_status_arg;
6810 psa_status_t expected_complete_status = expected_complete_status_arg;
6811 unsigned char *signature = NULL;
6812 size_t signature_length = 0xdeadbeef;
Paul Elliottab7c5c82023-02-03 15:49:42 +00006813 uint32_t num_ops = 0;
6814 uint32_t max_ops = max_ops_arg;
Paul Elliott91007972022-12-16 12:21:24 +00006815 size_t num_ops_prior = 0;
Paul Elliott0c683352022-12-16 19:16:56 +00006816 size_t num_completes = 0;
Paul Elliott97ac7d92023-01-23 18:09:06 +00006817 size_t min_completes = 0;
6818 size_t max_completes = 0;
6819
Paul Elliott91007972022-12-16 12:21:24 +00006820 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
6821 psa_sign_hash_interruptible_operation_t operation =
6822 psa_sign_hash_interruptible_operation_init();
6823
Tom Cosgrove05b2a872023-07-21 11:31:13 +01006824 TEST_CALLOC(signature, signature_size);
Paul Elliott91007972022-12-16 12:21:24 +00006825
6826 PSA_ASSERT(psa_crypto_init());
6827
6828 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
6829 psa_set_key_algorithm(&attributes, alg);
6830 psa_set_key_type(&attributes, key_type);
6831
6832 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
6833 &key));
6834
Paul Elliott0c683352022-12-16 19:16:56 +00006835 psa_interruptible_set_max_ops(max_ops);
6836
Paul Elliott6f600372023-02-06 18:41:05 +00006837 interruptible_signverify_get_minmax_completes(max_ops,
6838 expected_complete_status,
6839 &min_completes,
6840 &max_completes);
Paul Elliott97ac7d92023-01-23 18:09:06 +00006841
Paul Elliott91007972022-12-16 12:21:24 +00006842 num_ops_prior = psa_sign_hash_get_num_ops(&operation);
6843 TEST_ASSERT(num_ops_prior == 0);
6844
6845 /* Start performing the signature. */
6846 actual_status = psa_sign_hash_start(&operation, key, alg,
6847 input_data->x, input_data->len);
6848
6849 TEST_EQUAL(actual_status, expected_start_status);
6850
Paul Elliottc9774412023-02-06 15:14:07 +00006851 if (expected_start_status != PSA_SUCCESS) {
Paul Elliottde7c31e2023-03-01 14:37:48 +00006852 /* Emulate poor application code, and call complete anyway, even though
Paul Elliott587e7802023-02-27 09:53:08 +00006853 * start failed. */
6854 actual_status = psa_sign_hash_complete(&operation, signature,
6855 signature_size,
6856 &signature_length);
6857
6858 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
6859
6860 /* Test that calling start again after failure also causes BAD_STATE. */
Paul Elliottc9774412023-02-06 15:14:07 +00006861 actual_status = psa_sign_hash_start(&operation, key, alg,
6862 input_data->x, input_data->len);
6863
6864 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
6865 }
6866
Paul Elliott91007972022-12-16 12:21:24 +00006867 num_ops_prior = psa_sign_hash_get_num_ops(&operation);
6868 TEST_ASSERT(num_ops_prior == 0);
6869
Paul Elliott91007972022-12-16 12:21:24 +00006870 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00006871 do {
Paul Elliott91007972022-12-16 12:21:24 +00006872 actual_status = psa_sign_hash_complete(&operation, signature,
6873 signature_size,
6874 &signature_length);
6875
Paul Elliott0c683352022-12-16 19:16:56 +00006876 num_completes++;
6877
Paul Elliott334d7262023-01-20 17:29:41 +00006878 if (actual_status == PSA_SUCCESS ||
6879 actual_status == PSA_OPERATION_INCOMPLETE) {
Paul Elliott91007972022-12-16 12:21:24 +00006880 num_ops = psa_sign_hash_get_num_ops(&operation);
Paul Elliott96b89b22023-02-15 23:10:37 +00006881 /* We are asserting here that every complete makes progress
6882 * (completes some ops), which is true of the internal
6883 * implementation and probably any implementation, however this is
6884 * not mandated by the PSA specification. */
Paul Elliott91007972022-12-16 12:21:24 +00006885 TEST_ASSERT(num_ops > num_ops_prior);
Paul Elliott0c683352022-12-16 19:16:56 +00006886
Paul Elliott91007972022-12-16 12:21:24 +00006887 num_ops_prior = num_ops;
6888 }
Paul Elliottedfc8832023-01-20 17:13:10 +00006889 } while (actual_status == PSA_OPERATION_INCOMPLETE);
Paul Elliott91007972022-12-16 12:21:24 +00006890
Paul Elliottc9774412023-02-06 15:14:07 +00006891 TEST_EQUAL(actual_status, expected_complete_status);
6892
Paul Elliottefebad02023-02-15 16:56:45 +00006893 /* Check that another complete returns BAD_STATE. */
6894 actual_status = psa_sign_hash_complete(&operation, signature,
6895 signature_size,
6896 &signature_length);
Paul Elliottc9774412023-02-06 15:14:07 +00006897
Paul Elliottefebad02023-02-15 16:56:45 +00006898 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
Paul Elliott334d7262023-01-20 17:29:41 +00006899
Paul Elliott91007972022-12-16 12:21:24 +00006900 PSA_ASSERT(psa_sign_hash_abort(&operation));
6901
Paul Elliott59ad9452022-12-18 15:09:02 +00006902 num_ops = psa_sign_hash_get_num_ops(&operation);
6903 TEST_ASSERT(num_ops == 0);
6904
Paul Elliott91007972022-12-16 12:21:24 +00006905 /* The value of *signature_length is unspecified on error, but
6906 * whatever it is, it should be less than signature_size, so that
6907 * if the caller tries to read *signature_length bytes without
6908 * checking the error code then they don't overflow a buffer. */
6909 TEST_LE_U(signature_length, signature_size);
6910
Paul Elliott0c683352022-12-16 19:16:56 +00006911 TEST_LE_U(min_completes, num_completes);
6912 TEST_LE_U(num_completes, max_completes);
6913
Paul Elliott91007972022-12-16 12:21:24 +00006914exit:
6915 psa_reset_key_attributes(&attributes);
6916 psa_destroy_key(key);
6917 mbedtls_free(signature);
6918 PSA_DONE();
6919}
6920/* END_CASE */
6921
mohammad16038cc1cee2018-03-28 01:21:33 +03006922/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01006923void sign_verify_hash(int key_type_arg, data_t *key_data,
6924 int alg_arg, data_t *input_data)
Gilles Peskine9911b022018-06-29 17:30:48 +02006925{
Ronald Cron5425a212020-08-04 14:58:35 +02006926 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine9911b022018-06-29 17:30:48 +02006927 psa_key_type_t key_type = key_type_arg;
6928 psa_algorithm_t alg = alg_arg;
6929 size_t key_bits;
6930 unsigned char *signature = NULL;
6931 size_t signature_size;
6932 size_t signature_length = 0xdeadbeef;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02006933 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine9911b022018-06-29 17:30:48 +02006934
Gilles Peskine449bd832023-01-11 14:50:10 +01006935 PSA_ASSERT(psa_crypto_init());
Gilles Peskine9911b022018-06-29 17:30:48 +02006936
Gilles Peskine449bd832023-01-11 14:50:10 +01006937 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH);
6938 psa_set_key_algorithm(&attributes, alg);
6939 psa_set_key_type(&attributes, key_type);
Gilles Peskine9911b022018-06-29 17:30:48 +02006940
Gilles Peskine449bd832023-01-11 14:50:10 +01006941 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
6942 &key));
6943 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
6944 key_bits = psa_get_key_bits(&attributes);
Gilles Peskine9911b022018-06-29 17:30:48 +02006945
Shaun Case8b0ecbc2021-12-20 21:14:10 -08006946 /* Allocate a buffer which has the size advertised by the
Gilles Peskine9911b022018-06-29 17:30:48 +02006947 * library. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006948 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
6949 key_bits, alg);
6950 TEST_ASSERT(signature_size != 0);
6951 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01006952 TEST_CALLOC(signature, signature_size);
Gilles Peskine9911b022018-06-29 17:30:48 +02006953
6954 /* Perform the signature. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006955 PSA_ASSERT(psa_sign_hash(key, alg,
6956 input_data->x, input_data->len,
6957 signature, signature_size,
6958 &signature_length));
Gilles Peskine9911b022018-06-29 17:30:48 +02006959 /* Check that the signature length looks sensible. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006960 TEST_LE_U(signature_length, signature_size);
6961 TEST_ASSERT(signature_length > 0);
Gilles Peskine9911b022018-06-29 17:30:48 +02006962
6963 /* Use the library to verify that the signature is correct. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006964 PSA_ASSERT(psa_verify_hash(key, alg,
6965 input_data->x, input_data->len,
6966 signature, signature_length));
Gilles Peskine9911b022018-06-29 17:30:48 +02006967
Gilles Peskine449bd832023-01-11 14:50:10 +01006968 if (input_data->len != 0) {
Gilles Peskine9911b022018-06-29 17:30:48 +02006969 /* Flip a bit in the input and verify that the signature is now
6970 * detected as invalid. Flip a bit at the beginning, not at the end,
6971 * because ECDSA may ignore the last few bits of the input. */
6972 input_data->x[0] ^= 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01006973 TEST_EQUAL(psa_verify_hash(key, alg,
6974 input_data->x, input_data->len,
6975 signature, signature_length),
6976 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine9911b022018-06-29 17:30:48 +02006977 }
6978
6979exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01006980 /*
6981 * Key attributes may have been returned by psa_get_key_attributes()
6982 * thus reset them as required.
6983 */
Gilles Peskine449bd832023-01-11 14:50:10 +01006984 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01006985
Gilles Peskine449bd832023-01-11 14:50:10 +01006986 psa_destroy_key(key);
6987 mbedtls_free(signature);
6988 PSA_DONE();
Gilles Peskine9911b022018-06-29 17:30:48 +02006989}
6990/* END_CASE */
6991
Paul Elliott712d5122022-12-07 14:03:10 +00006992/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00006993/**
6994 * sign_verify_hash_interruptible() test intentions:
6995 *
6996 * Note: This test can currently only handle ECDSA.
6997 *
Paul Elliott8c092052023-03-06 17:49:14 +00006998 * 1. Test that we can sign an input hash with the given keypair and then
6999 * afterwards verify that signature. This is currently the only way to test
7000 * non deterministic ECDSA, but this test can also handle deterministic.
Paul Elliottc7f68822023-02-24 17:37:04 +00007001 *
7002 * 2. Test that after corrupting the hash, the verification detects an invalid
7003 * signature.
7004 *
7005 * 3. Test the number of calls to psa_sign_hash_complete() required are as
7006 * expected for different max_ops values.
Paul Elliott7c173082023-02-26 18:44:45 +00007007 *
7008 * 4. Test that the number of ops done prior to starting signing and after abort
7009 * is zero and that each successful signing stage completes some ops (this is
7010 * not mandated by the PSA specification, but is currently the case).
Paul Elliottc7f68822023-02-24 17:37:04 +00007011 */
Paul Elliott712d5122022-12-07 14:03:10 +00007012void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
Paul Elliott0c683352022-12-16 19:16:56 +00007013 int alg_arg, data_t *input_data,
Paul Elliottab7c5c82023-02-03 15:49:42 +00007014 int max_ops_arg)
Paul Elliott712d5122022-12-07 14:03:10 +00007015{
7016 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7017 psa_key_type_t key_type = key_type_arg;
7018 psa_algorithm_t alg = alg_arg;
7019 size_t key_bits;
7020 unsigned char *signature = NULL;
7021 size_t signature_size;
7022 size_t signature_length = 0xdeadbeef;
7023 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7024 psa_status_t status = PSA_OPERATION_INCOMPLETE;
Paul Elliottab7c5c82023-02-03 15:49:42 +00007025 uint32_t max_ops = max_ops_arg;
Paul Elliott7c173082023-02-26 18:44:45 +00007026 uint32_t num_ops = 0;
7027 uint32_t num_ops_prior = 0;
Paul Elliott0c683352022-12-16 19:16:56 +00007028 size_t num_completes = 0;
Paul Elliott97ac7d92023-01-23 18:09:06 +00007029 size_t min_completes = 0;
7030 size_t max_completes = 0;
7031
Paul Elliott712d5122022-12-07 14:03:10 +00007032 psa_sign_hash_interruptible_operation_t sign_operation =
7033 psa_sign_hash_interruptible_operation_init();
7034 psa_verify_hash_interruptible_operation_t verify_operation =
7035 psa_verify_hash_interruptible_operation_init();
7036
7037 PSA_ASSERT(psa_crypto_init());
7038
Paul Elliott0c683352022-12-16 19:16:56 +00007039 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
7040 PSA_KEY_USAGE_VERIFY_HASH);
Paul Elliott712d5122022-12-07 14:03:10 +00007041 psa_set_key_algorithm(&attributes, alg);
7042 psa_set_key_type(&attributes, key_type);
7043
7044 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7045 &key));
7046 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
7047 key_bits = psa_get_key_bits(&attributes);
7048
7049 /* Allocate a buffer which has the size advertised by the
7050 * library. */
7051 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
7052 key_bits, alg);
7053 TEST_ASSERT(signature_size != 0);
7054 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007055 TEST_CALLOC(signature, signature_size);
Paul Elliott712d5122022-12-07 14:03:10 +00007056
Paul Elliott0c683352022-12-16 19:16:56 +00007057 psa_interruptible_set_max_ops(max_ops);
7058
Paul Elliott6f600372023-02-06 18:41:05 +00007059 interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
7060 &min_completes, &max_completes);
Paul Elliott97ac7d92023-01-23 18:09:06 +00007061
Paul Elliott7c173082023-02-26 18:44:45 +00007062 num_ops_prior = psa_sign_hash_get_num_ops(&sign_operation);
7063 TEST_ASSERT(num_ops_prior == 0);
7064
Paul Elliott712d5122022-12-07 14:03:10 +00007065 /* Start performing the signature. */
7066 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7067 input_data->x, input_data->len));
7068
Paul Elliott7c173082023-02-26 18:44:45 +00007069 num_ops_prior = psa_sign_hash_get_num_ops(&sign_operation);
7070 TEST_ASSERT(num_ops_prior == 0);
7071
Paul Elliott712d5122022-12-07 14:03:10 +00007072 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007073 do {
Paul Elliott712d5122022-12-07 14:03:10 +00007074
Paul Elliott0c683352022-12-16 19:16:56 +00007075 status = psa_sign_hash_complete(&sign_operation, signature,
7076 signature_size,
Paul Elliott712d5122022-12-07 14:03:10 +00007077 &signature_length);
Paul Elliott0c683352022-12-16 19:16:56 +00007078
7079 num_completes++;
Paul Elliott7c173082023-02-26 18:44:45 +00007080
7081 if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
7082 num_ops = psa_sign_hash_get_num_ops(&sign_operation);
7083 /* We are asserting here that every complete makes progress
7084 * (completes some ops), which is true of the internal
7085 * implementation and probably any implementation, however this is
7086 * not mandated by the PSA specification. */
7087 TEST_ASSERT(num_ops > num_ops_prior);
7088
7089 num_ops_prior = num_ops;
7090 }
Paul Elliottedfc8832023-01-20 17:13:10 +00007091 } while (status == PSA_OPERATION_INCOMPLETE);
Paul Elliott712d5122022-12-07 14:03:10 +00007092
7093 TEST_ASSERT(status == PSA_SUCCESS);
7094
Paul Elliott0c683352022-12-16 19:16:56 +00007095 TEST_LE_U(min_completes, num_completes);
7096 TEST_LE_U(num_completes, max_completes);
7097
Paul Elliott712d5122022-12-07 14:03:10 +00007098 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7099
Paul Elliott7c173082023-02-26 18:44:45 +00007100 num_ops = psa_sign_hash_get_num_ops(&sign_operation);
7101 TEST_ASSERT(num_ops == 0);
7102
Paul Elliott712d5122022-12-07 14:03:10 +00007103 /* Check that the signature length looks sensible. */
7104 TEST_LE_U(signature_length, signature_size);
7105 TEST_ASSERT(signature_length > 0);
7106
Paul Elliott0c683352022-12-16 19:16:56 +00007107 num_completes = 0;
Paul Elliott712d5122022-12-07 14:03:10 +00007108
7109 /* Start verification. */
7110 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7111 input_data->x, input_data->len,
7112 signature, signature_length));
7113
7114 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007115 do {
Paul Elliott712d5122022-12-07 14:03:10 +00007116 status = psa_verify_hash_complete(&verify_operation);
Paul Elliott0c683352022-12-16 19:16:56 +00007117
7118 num_completes++;
Paul Elliottedfc8832023-01-20 17:13:10 +00007119 } while (status == PSA_OPERATION_INCOMPLETE);
Paul Elliott712d5122022-12-07 14:03:10 +00007120
7121 TEST_ASSERT(status == PSA_SUCCESS);
7122
Paul Elliott0c683352022-12-16 19:16:56 +00007123 TEST_LE_U(min_completes, num_completes);
7124 TEST_LE_U(num_completes, max_completes);
7125
Paul Elliott712d5122022-12-07 14:03:10 +00007126 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7127
7128 verify_operation = psa_verify_hash_interruptible_operation_init();
7129
7130 if (input_data->len != 0) {
7131 /* Flip a bit in the input and verify that the signature is now
7132 * detected as invalid. Flip a bit at the beginning, not at the end,
7133 * because ECDSA may ignore the last few bits of the input. */
7134 input_data->x[0] ^= 1;
7135
Paul Elliott712d5122022-12-07 14:03:10 +00007136 /* Start verification. */
7137 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7138 input_data->x, input_data->len,
7139 signature, signature_length));
7140
7141 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007142 do {
Paul Elliott712d5122022-12-07 14:03:10 +00007143 status = psa_verify_hash_complete(&verify_operation);
Paul Elliottedfc8832023-01-20 17:13:10 +00007144 } while (status == PSA_OPERATION_INCOMPLETE);
Paul Elliott712d5122022-12-07 14:03:10 +00007145
7146 TEST_ASSERT(status == PSA_ERROR_INVALID_SIGNATURE);
7147 }
7148
7149 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7150
7151exit:
7152 /*
7153 * Key attributes may have been returned by psa_get_key_attributes()
7154 * thus reset them as required.
7155 */
7156 psa_reset_key_attributes(&attributes);
7157
7158 psa_destroy_key(key);
7159 mbedtls_free(signature);
7160 PSA_DONE();
7161}
7162/* END_CASE */
7163
Gilles Peskine9911b022018-06-29 17:30:48 +02007164/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01007165void verify_hash(int key_type_arg, data_t *key_data,
7166 int alg_arg, data_t *hash_data,
7167 data_t *signature_data)
itayzafrir5c753392018-05-08 11:18:38 +03007168{
Ronald Cron5425a212020-08-04 14:58:35 +02007169 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
itayzafrir5c753392018-05-08 11:18:38 +03007170 psa_key_type_t key_type = key_type_arg;
7171 psa_algorithm_t alg = alg_arg;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02007172 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
itayzafrir5c753392018-05-08 11:18:38 +03007173
Gilles Peskine449bd832023-01-11 14:50:10 +01007174 TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE);
Gilles Peskine69c12672018-06-28 00:07:19 +02007175
Gilles Peskine449bd832023-01-11 14:50:10 +01007176 PSA_ASSERT(psa_crypto_init());
itayzafrir5c753392018-05-08 11:18:38 +03007177
Gilles Peskine449bd832023-01-11 14:50:10 +01007178 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
7179 psa_set_key_algorithm(&attributes, alg);
7180 psa_set_key_type(&attributes, key_type);
itayzafrir5c753392018-05-08 11:18:38 +03007181
Gilles Peskine449bd832023-01-11 14:50:10 +01007182 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7183 &key));
itayzafrir5c753392018-05-08 11:18:38 +03007184
Gilles Peskine449bd832023-01-11 14:50:10 +01007185 PSA_ASSERT(psa_verify_hash(key, alg,
7186 hash_data->x, hash_data->len,
7187 signature_data->x, signature_data->len));
Gilles Peskine0627f982019-11-26 19:12:16 +01007188
itayzafrir5c753392018-05-08 11:18:38 +03007189exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01007190 psa_reset_key_attributes(&attributes);
7191 psa_destroy_key(key);
7192 PSA_DONE();
itayzafrir5c753392018-05-08 11:18:38 +03007193}
7194/* END_CASE */
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007195
Paul Elliott712d5122022-12-07 14:03:10 +00007196/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007197/**
7198 * verify_hash_interruptible() test intentions:
7199 *
7200 * Note: This test can currently only handle ECDSA.
7201 *
7202 * 1. Test interruptible verify hash with known outcomes (deterministic ECDSA
Paul Elliott8c092052023-03-06 17:49:14 +00007203 * only). Given this test only does verification it can accept public keys as
7204 * well as private keys / keypairs.
Paul Elliottc7f68822023-02-24 17:37:04 +00007205 *
7206 * 2. Test the number of calls to psa_verify_hash_complete() required are as
7207 * expected for different max_ops values.
7208 *
7209 * 3. Test that the number of ops done prior to start and after abort is zero
7210 * and that each successful stage completes some ops (this is not mandated by
7211 * the PSA specification, but is currently the case).
Paul Elliott8359c142023-02-24 18:40:10 +00007212 *
7213 * 4. Test that calling psa_sign_hash_get_num_ops() multiple times between
7214 * complete() calls does not alter the number of ops returned.
7215 *
7216 * 5. Test that after corrupting the hash, the verification detects an invalid
7217 * signature.
Paul Elliottc7f68822023-02-24 17:37:04 +00007218 */
Paul Elliott712d5122022-12-07 14:03:10 +00007219void verify_hash_interruptible(int key_type_arg, data_t *key_data,
7220 int alg_arg, data_t *hash_data,
Paul Elliottab7c5c82023-02-03 15:49:42 +00007221 data_t *signature_data, int max_ops_arg)
Paul Elliott712d5122022-12-07 14:03:10 +00007222{
7223 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7224 psa_key_type_t key_type = key_type_arg;
7225 psa_algorithm_t alg = alg_arg;
7226 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7227 psa_status_t status = PSA_OPERATION_INCOMPLETE;
Paul Elliottab7c5c82023-02-03 15:49:42 +00007228 uint32_t num_ops = 0;
7229 uint32_t max_ops = max_ops_arg;
Paul Elliott712d5122022-12-07 14:03:10 +00007230 size_t num_ops_prior = 0;
Paul Elliott0c683352022-12-16 19:16:56 +00007231 size_t num_completes = 0;
Paul Elliott97ac7d92023-01-23 18:09:06 +00007232 size_t min_completes = 0;
7233 size_t max_completes = 0;
7234
Paul Elliott712d5122022-12-07 14:03:10 +00007235 psa_verify_hash_interruptible_operation_t operation =
7236 psa_verify_hash_interruptible_operation_init();
7237
7238 TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE);
7239
7240 PSA_ASSERT(psa_crypto_init());
7241
7242 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
7243 psa_set_key_algorithm(&attributes, alg);
7244 psa_set_key_type(&attributes, key_type);
7245
7246 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7247 &key));
7248
Paul Elliott0c683352022-12-16 19:16:56 +00007249 psa_interruptible_set_max_ops(max_ops);
7250
Paul Elliott6f600372023-02-06 18:41:05 +00007251 interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
7252 &min_completes, &max_completes);
Paul Elliott97ac7d92023-01-23 18:09:06 +00007253
Paul Elliott712d5122022-12-07 14:03:10 +00007254 num_ops_prior = psa_verify_hash_get_num_ops(&operation);
7255
7256 TEST_ASSERT(num_ops_prior == 0);
7257
7258 /* Start verification. */
7259 PSA_ASSERT(psa_verify_hash_start(&operation, key, alg,
7260 hash_data->x, hash_data->len,
7261 signature_data->x, signature_data->len)
7262 );
7263
7264 num_ops_prior = psa_verify_hash_get_num_ops(&operation);
7265
7266 TEST_ASSERT(num_ops_prior == 0);
7267
7268 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007269 do {
Paul Elliott712d5122022-12-07 14:03:10 +00007270 status = psa_verify_hash_complete(&operation);
7271
Paul Elliott0c683352022-12-16 19:16:56 +00007272 num_completes++;
7273
Paul Elliott712d5122022-12-07 14:03:10 +00007274 if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
7275 num_ops = psa_verify_hash_get_num_ops(&operation);
Paul Elliott96b89b22023-02-15 23:10:37 +00007276 /* We are asserting here that every complete makes progress
7277 * (completes some ops), which is true of the internal
7278 * implementation and probably any implementation, however this is
7279 * not mandated by the PSA specification. */
Paul Elliott712d5122022-12-07 14:03:10 +00007280 TEST_ASSERT(num_ops > num_ops_prior);
Paul Elliott0c683352022-12-16 19:16:56 +00007281
Paul Elliott712d5122022-12-07 14:03:10 +00007282 num_ops_prior = num_ops;
Paul Elliottf8e5b562023-02-19 18:43:45 +00007283
7284 /* Ensure calling get_num_ops() twice still returns the same
7285 * number of ops as previously reported. */
7286 num_ops = psa_verify_hash_get_num_ops(&operation);
7287
7288 TEST_EQUAL(num_ops, num_ops_prior);
Paul Elliott712d5122022-12-07 14:03:10 +00007289 }
Paul Elliottedfc8832023-01-20 17:13:10 +00007290 } while (status == PSA_OPERATION_INCOMPLETE);
Paul Elliott712d5122022-12-07 14:03:10 +00007291
7292 TEST_ASSERT(status == PSA_SUCCESS);
7293
Paul Elliott0c683352022-12-16 19:16:56 +00007294 TEST_LE_U(min_completes, num_completes);
7295 TEST_LE_U(num_completes, max_completes);
7296
Paul Elliott712d5122022-12-07 14:03:10 +00007297 PSA_ASSERT(psa_verify_hash_abort(&operation));
7298
Paul Elliott59ad9452022-12-18 15:09:02 +00007299 num_ops = psa_verify_hash_get_num_ops(&operation);
7300 TEST_ASSERT(num_ops == 0);
7301
Paul Elliott8359c142023-02-24 18:40:10 +00007302 if (hash_data->len != 0) {
7303 /* Flip a bit in the hash and verify that the signature is now detected
7304 * as invalid. Flip a bit at the beginning, not at the end, because
7305 * ECDSA may ignore the last few bits of the input. */
7306 hash_data->x[0] ^= 1;
7307
7308 /* Start verification. */
7309 PSA_ASSERT(psa_verify_hash_start(&operation, key, alg,
7310 hash_data->x, hash_data->len,
7311 signature_data->x, signature_data->len));
7312
7313 /* Continue performing the signature until complete. */
7314 do {
7315 status = psa_verify_hash_complete(&operation);
7316 } while (status == PSA_OPERATION_INCOMPLETE);
7317
7318 TEST_ASSERT(status == PSA_ERROR_INVALID_SIGNATURE);
7319 }
7320
Paul Elliott712d5122022-12-07 14:03:10 +00007321exit:
7322 psa_reset_key_attributes(&attributes);
7323 psa_destroy_key(key);
7324 PSA_DONE();
7325}
7326/* END_CASE */
7327
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007328/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01007329void verify_hash_fail(int key_type_arg, data_t *key_data,
7330 int alg_arg, data_t *hash_data,
7331 data_t *signature_data,
7332 int expected_status_arg)
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007333{
Ronald Cron5425a212020-08-04 14:58:35 +02007334 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007335 psa_key_type_t key_type = key_type_arg;
7336 psa_algorithm_t alg = alg_arg;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007337 psa_status_t actual_status;
7338 psa_status_t expected_status = expected_status_arg;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02007339 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007340
Gilles Peskine449bd832023-01-11 14:50:10 +01007341 PSA_ASSERT(psa_crypto_init());
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007342
Gilles Peskine449bd832023-01-11 14:50:10 +01007343 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
7344 psa_set_key_algorithm(&attributes, alg);
7345 psa_set_key_type(&attributes, key_type);
Nir Sonnenscheind7082602018-06-04 16:45:27 +03007346
Gilles Peskine449bd832023-01-11 14:50:10 +01007347 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7348 &key));
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007349
Gilles Peskine449bd832023-01-11 14:50:10 +01007350 actual_status = psa_verify_hash(key, alg,
7351 hash_data->x, hash_data->len,
7352 signature_data->x, signature_data->len);
7353 TEST_EQUAL(actual_status, expected_status);
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007354
7355exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01007356 psa_reset_key_attributes(&attributes);
7357 psa_destroy_key(key);
7358 PSA_DONE();
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007359}
7360/* END_CASE */
7361
Paul Elliott91007972022-12-16 12:21:24 +00007362/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007363/**
7364 * verify_hash_fail_interruptible() test intentions:
7365 *
7366 * Note: This test can currently only handle ECDSA.
7367 *
7368 * 1. Test that various failure cases for interruptible verify hash fail with
7369 * the correct error codes, and at the correct point (at start or during
7370 * complete).
7371 *
7372 * 2. Test the number of calls to psa_verify_hash_complete() required are as
7373 * expected for different max_ops values.
7374 *
7375 * 3. Test that the number of ops done prior to start and after abort is zero
7376 * and that each successful stage completes some ops (this is not mandated by
7377 * the PSA specification, but is currently the case).
Paul Elliott587e7802023-02-27 09:53:08 +00007378 *
7379 * 4. Check that calling complete() when start() fails and complete()
7380 * after completion results in a BAD_STATE error.
7381 *
7382 * 5. Check that calling start() again after start fails results in a BAD_STATE
7383 * error.
Paul Elliottc7f68822023-02-24 17:37:04 +00007384 */
Paul Elliott91007972022-12-16 12:21:24 +00007385void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
7386 int alg_arg, data_t *hash_data,
7387 data_t *signature_data,
7388 int expected_start_status_arg,
Paul Elliott0c683352022-12-16 19:16:56 +00007389 int expected_complete_status_arg,
Paul Elliottab7c5c82023-02-03 15:49:42 +00007390 int max_ops_arg)
Paul Elliott91007972022-12-16 12:21:24 +00007391{
7392 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7393 psa_key_type_t key_type = key_type_arg;
7394 psa_algorithm_t alg = alg_arg;
7395 psa_status_t actual_status;
7396 psa_status_t expected_start_status = expected_start_status_arg;
7397 psa_status_t expected_complete_status = expected_complete_status_arg;
7398 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Paul Elliottab7c5c82023-02-03 15:49:42 +00007399 uint32_t num_ops = 0;
7400 uint32_t max_ops = max_ops_arg;
Paul Elliott91007972022-12-16 12:21:24 +00007401 size_t num_ops_prior = 0;
Paul Elliott0c683352022-12-16 19:16:56 +00007402 size_t num_completes = 0;
Paul Elliott97ac7d92023-01-23 18:09:06 +00007403 size_t min_completes = 0;
7404 size_t max_completes = 0;
Paul Elliott91007972022-12-16 12:21:24 +00007405 psa_verify_hash_interruptible_operation_t operation =
7406 psa_verify_hash_interruptible_operation_init();
7407
7408 PSA_ASSERT(psa_crypto_init());
7409
7410 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
7411 psa_set_key_algorithm(&attributes, alg);
7412 psa_set_key_type(&attributes, key_type);
7413
7414 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7415 &key));
7416
Paul Elliott0c683352022-12-16 19:16:56 +00007417 psa_interruptible_set_max_ops(max_ops);
7418
Paul Elliott6f600372023-02-06 18:41:05 +00007419 interruptible_signverify_get_minmax_completes(max_ops,
7420 expected_complete_status,
7421 &min_completes,
7422 &max_completes);
Paul Elliott97ac7d92023-01-23 18:09:06 +00007423
Paul Elliott91007972022-12-16 12:21:24 +00007424 num_ops_prior = psa_verify_hash_get_num_ops(&operation);
7425 TEST_ASSERT(num_ops_prior == 0);
7426
7427 /* Start verification. */
7428 actual_status = psa_verify_hash_start(&operation, key, alg,
7429 hash_data->x, hash_data->len,
7430 signature_data->x,
7431 signature_data->len);
7432
7433 TEST_EQUAL(actual_status, expected_start_status);
7434
Paul Elliottc9774412023-02-06 15:14:07 +00007435 if (expected_start_status != PSA_SUCCESS) {
Paul Elliottde7c31e2023-03-01 14:37:48 +00007436 /* Emulate poor application code, and call complete anyway, even though
Paul Elliott587e7802023-02-27 09:53:08 +00007437 * start failed. */
7438 actual_status = psa_verify_hash_complete(&operation);
7439
7440 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
7441
7442 /* Test that calling start again after failure also causes BAD_STATE. */
Paul Elliottc9774412023-02-06 15:14:07 +00007443 actual_status = psa_verify_hash_start(&operation, key, alg,
7444 hash_data->x, hash_data->len,
7445 signature_data->x,
7446 signature_data->len);
7447
7448 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
7449 }
7450
Paul Elliott91007972022-12-16 12:21:24 +00007451 num_ops_prior = psa_verify_hash_get_num_ops(&operation);
7452 TEST_ASSERT(num_ops_prior == 0);
7453
Paul Elliott91007972022-12-16 12:21:24 +00007454 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007455 do {
Paul Elliott91007972022-12-16 12:21:24 +00007456 actual_status = psa_verify_hash_complete(&operation);
7457
Paul Elliott0c683352022-12-16 19:16:56 +00007458 num_completes++;
7459
Paul Elliott334d7262023-01-20 17:29:41 +00007460 if (actual_status == PSA_SUCCESS ||
7461 actual_status == PSA_OPERATION_INCOMPLETE) {
Paul Elliott91007972022-12-16 12:21:24 +00007462 num_ops = psa_verify_hash_get_num_ops(&operation);
Paul Elliott96b89b22023-02-15 23:10:37 +00007463 /* We are asserting here that every complete makes progress
7464 * (completes some ops), which is true of the internal
7465 * implementation and probably any implementation, however this is
7466 * not mandated by the PSA specification. */
Paul Elliott91007972022-12-16 12:21:24 +00007467 TEST_ASSERT(num_ops > num_ops_prior);
Paul Elliott0c683352022-12-16 19:16:56 +00007468
Paul Elliott91007972022-12-16 12:21:24 +00007469 num_ops_prior = num_ops;
7470 }
Paul Elliottedfc8832023-01-20 17:13:10 +00007471 } while (actual_status == PSA_OPERATION_INCOMPLETE);
Paul Elliott91007972022-12-16 12:21:24 +00007472
Paul Elliottc9774412023-02-06 15:14:07 +00007473 TEST_EQUAL(actual_status, expected_complete_status);
7474
Paul Elliottefebad02023-02-15 16:56:45 +00007475 /* Check that another complete returns BAD_STATE. */
7476 actual_status = psa_verify_hash_complete(&operation);
7477 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
Paul Elliott334d7262023-01-20 17:29:41 +00007478
Paul Elliott0c683352022-12-16 19:16:56 +00007479 TEST_LE_U(min_completes, num_completes);
7480 TEST_LE_U(num_completes, max_completes);
7481
Paul Elliott91007972022-12-16 12:21:24 +00007482 PSA_ASSERT(psa_verify_hash_abort(&operation));
7483
Paul Elliott59ad9452022-12-18 15:09:02 +00007484 num_ops = psa_verify_hash_get_num_ops(&operation);
7485 TEST_ASSERT(num_ops == 0);
7486
Paul Elliott91007972022-12-16 12:21:24 +00007487exit:
7488 psa_reset_key_attributes(&attributes);
7489 psa_destroy_key(key);
7490 PSA_DONE();
7491}
7492/* END_CASE */
7493
Paul Elliott20a36062022-12-18 13:21:25 +00007494/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007495/**
7496 * interruptible_signverify_hash_state_test() test intentions:
7497 *
7498 * Note: This test can currently only handle ECDSA.
7499 *
7500 * 1. Test that calling the various interruptible sign and verify hash functions
7501 * in incorrect orders returns BAD_STATE errors.
7502 */
Paul Elliott76d671a2023-02-07 17:45:18 +00007503void interruptible_signverify_hash_state_test(int key_type_arg,
7504 data_t *key_data, int alg_arg, data_t *input_data)
Paul Elliott20a36062022-12-18 13:21:25 +00007505{
7506 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7507 psa_key_type_t key_type = key_type_arg;
7508 psa_algorithm_t alg = alg_arg;
7509 size_t key_bits;
7510 unsigned char *signature = NULL;
7511 size_t signature_size;
7512 size_t signature_length = 0xdeadbeef;
7513 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7514 psa_sign_hash_interruptible_operation_t sign_operation =
7515 psa_sign_hash_interruptible_operation_init();
7516 psa_verify_hash_interruptible_operation_t verify_operation =
7517 psa_verify_hash_interruptible_operation_init();
7518
7519 PSA_ASSERT(psa_crypto_init());
7520
7521 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
7522 PSA_KEY_USAGE_VERIFY_HASH);
7523 psa_set_key_algorithm(&attributes, alg);
7524 psa_set_key_type(&attributes, key_type);
7525
7526 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7527 &key));
7528 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
7529 key_bits = psa_get_key_bits(&attributes);
7530
7531 /* Allocate a buffer which has the size advertised by the
7532 * library. */
7533 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
7534 key_bits, alg);
7535 TEST_ASSERT(signature_size != 0);
7536 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007537 TEST_CALLOC(signature, signature_size);
Paul Elliott20a36062022-12-18 13:21:25 +00007538
7539 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7540
7541 /* --- Attempt completes prior to starts --- */
7542 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7543 signature_size,
7544 &signature_length),
7545 PSA_ERROR_BAD_STATE);
7546
7547 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7548
7549 TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
7550 PSA_ERROR_BAD_STATE);
7551
7552 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7553
7554 /* --- Aborts in all other places. --- */
7555 psa_sign_hash_abort(&sign_operation);
7556
7557 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7558 input_data->x, input_data->len));
7559
7560 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7561
7562 psa_interruptible_set_max_ops(1);
7563
7564 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7565 input_data->x, input_data->len));
7566
7567 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7568 signature_size,
7569 &signature_length),
7570 PSA_OPERATION_INCOMPLETE);
7571
7572 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7573
7574 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7575
7576 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7577 input_data->x, input_data->len));
7578
7579 PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
7580 signature_size,
7581 &signature_length));
7582
7583 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7584
7585 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7586
7587 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7588 input_data->x, input_data->len,
7589 signature, signature_length));
7590
7591 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7592
7593 psa_interruptible_set_max_ops(1);
7594
7595 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7596 input_data->x, input_data->len,
7597 signature, signature_length));
7598
7599 TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
7600 PSA_OPERATION_INCOMPLETE);
7601
7602 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7603
7604 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7605
7606 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7607 input_data->x, input_data->len,
7608 signature, signature_length));
7609
7610 PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
7611
7612 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7613
7614 /* --- Attempt double starts. --- */
7615
7616 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7617 input_data->x, input_data->len));
7618
7619 TEST_EQUAL(psa_sign_hash_start(&sign_operation, key, alg,
7620 input_data->x, input_data->len),
7621 PSA_ERROR_BAD_STATE);
7622
7623 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7624
7625 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7626 input_data->x, input_data->len,
7627 signature, signature_length));
7628
7629 TEST_EQUAL(psa_verify_hash_start(&verify_operation, key, alg,
7630 input_data->x, input_data->len,
7631 signature, signature_length),
7632 PSA_ERROR_BAD_STATE);
7633
7634 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7635
Paul Elliott76d671a2023-02-07 17:45:18 +00007636exit:
7637 /*
7638 * Key attributes may have been returned by psa_get_key_attributes()
7639 * thus reset them as required.
7640 */
7641 psa_reset_key_attributes(&attributes);
7642
7643 psa_destroy_key(key);
7644 mbedtls_free(signature);
7645 PSA_DONE();
7646}
7647/* END_CASE */
7648
7649/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007650/**
Paul Elliottc2033502023-02-26 17:09:14 +00007651 * interruptible_signverify_hash_edgecase_tests() test intentions:
Paul Elliottc7f68822023-02-24 17:37:04 +00007652 *
7653 * Note: This test can currently only handle ECDSA.
7654 *
7655 * 1. Test various edge cases in the interruptible sign and verify hash
7656 * interfaces.
7657 */
Paul Elliottc2033502023-02-26 17:09:14 +00007658void interruptible_signverify_hash_edgecase_tests(int key_type_arg,
Paul Elliott76d671a2023-02-07 17:45:18 +00007659 data_t *key_data, int alg_arg, data_t *input_data)
7660{
7661 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7662 psa_key_type_t key_type = key_type_arg;
7663 psa_algorithm_t alg = alg_arg;
7664 size_t key_bits;
7665 unsigned char *signature = NULL;
7666 size_t signature_size;
7667 size_t signature_length = 0xdeadbeef;
7668 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7669 uint8_t *input_buffer = NULL;
7670 psa_sign_hash_interruptible_operation_t sign_operation =
7671 psa_sign_hash_interruptible_operation_init();
7672 psa_verify_hash_interruptible_operation_t verify_operation =
7673 psa_verify_hash_interruptible_operation_init();
7674
7675 PSA_ASSERT(psa_crypto_init());
7676
7677 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
7678 PSA_KEY_USAGE_VERIFY_HASH);
7679 psa_set_key_algorithm(&attributes, alg);
7680 psa_set_key_type(&attributes, key_type);
7681
7682 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7683 &key));
7684 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
7685 key_bits = psa_get_key_bits(&attributes);
7686
7687 /* Allocate a buffer which has the size advertised by the
7688 * library. */
7689 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
7690 key_bits, alg);
7691 TEST_ASSERT(signature_size != 0);
7692 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007693 TEST_CALLOC(signature, signature_size);
Paul Elliott76d671a2023-02-07 17:45:18 +00007694
Paul Elliott20a36062022-12-18 13:21:25 +00007695 /* --- Change function inputs mid run, to cause an error (sign only,
7696 * verify passes all inputs to start. --- */
7697
7698 psa_interruptible_set_max_ops(1);
7699
7700 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7701 input_data->x, input_data->len));
7702
7703 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7704 signature_size,
7705 &signature_length),
7706 PSA_OPERATION_INCOMPLETE);
7707
7708 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7709 0,
7710 &signature_length),
7711 PSA_ERROR_BUFFER_TOO_SMALL);
7712
Paul Elliottc9774412023-02-06 15:14:07 +00007713 /* And test that this invalidates the operation. */
7714 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7715 0,
7716 &signature_length),
7717 PSA_ERROR_BAD_STATE);
7718
Paul Elliott20a36062022-12-18 13:21:25 +00007719 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7720
Paul Elliottf9c91a72023-02-05 18:06:38 +00007721 /* Trash the hash buffer in between start and complete, to ensure
7722 * no reliance on external buffers. */
7723 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7724
Paul Elliott6c68df42023-10-23 15:33:37 +01007725 TEST_CALLOC(input_buffer, input_data->len);
Paul Elliottf9c91a72023-02-05 18:06:38 +00007726
7727 memcpy(input_buffer, input_data->x, input_data->len);
7728
7729 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7730 input_buffer, input_data->len));
7731
7732 memset(input_buffer, '!', input_data->len);
7733 mbedtls_free(input_buffer);
7734 input_buffer = NULL;
7735
7736 PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
7737 signature_size,
7738 &signature_length));
7739
7740 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7741
Paul Elliott6c68df42023-10-23 15:33:37 +01007742 TEST_CALLOC(input_buffer, input_data->len);
Paul Elliottf9c91a72023-02-05 18:06:38 +00007743
7744 memcpy(input_buffer, input_data->x, input_data->len);
7745
7746 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7747 input_buffer, input_data->len,
7748 signature, signature_length));
7749
7750 memset(input_buffer, '!', input_data->len);
7751 mbedtls_free(input_buffer);
7752 input_buffer = NULL;
7753
7754 PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
7755
7756 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7757
Paul Elliott20a36062022-12-18 13:21:25 +00007758exit:
7759 /*
7760 * Key attributes may have been returned by psa_get_key_attributes()
7761 * thus reset them as required.
7762 */
7763 psa_reset_key_attributes(&attributes);
7764
7765 psa_destroy_key(key);
7766 mbedtls_free(signature);
Paul Elliott6c68df42023-10-23 15:33:37 +01007767 mbedtls_free(input_buffer);
Paul Elliott20a36062022-12-18 13:21:25 +00007768 PSA_DONE();
7769}
7770/* END_CASE */
7771
Paul Elliotta4cb9092023-02-07 18:01:55 +00007772/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007773/**
Paul Elliott57702242023-02-26 20:36:10 +00007774 * interruptible_signverify_hash_ops_tests() test intentions:
Paul Elliottc7f68822023-02-24 17:37:04 +00007775 *
7776 * Note: This test can currently only handle ECDSA.
7777 *
7778 * 1. Test that setting max ops is reflected in both interruptible sign and
7779 * verify hash
Paul Elliott9e8819f2023-02-26 19:01:35 +00007780 * 2. Test that changing the value of max_ops to unlimited during an operation
7781 * causes that operation to complete in the next call.
Paul Elliottc1e04002023-02-26 20:27:23 +00007782 *
7783 * 3. Test that calling get_num_ops() between complete calls gives the same
7784 * result as calling get_num_ops() once at the end of the operation.
Paul Elliottc7f68822023-02-24 17:37:04 +00007785 */
Paul Elliott57702242023-02-26 20:36:10 +00007786void interruptible_signverify_hash_ops_tests(int key_type_arg,
7787 data_t *key_data, int alg_arg,
7788 data_t *input_data)
Paul Elliotta4cb9092023-02-07 18:01:55 +00007789{
7790 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7791 psa_key_type_t key_type = key_type_arg;
7792 psa_algorithm_t alg = alg_arg;
7793 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Paul Elliottf1743e22023-02-15 18:44:16 +00007794 size_t key_bits;
7795 unsigned char *signature = NULL;
7796 size_t signature_size;
Paul Elliott9e8819f2023-02-26 19:01:35 +00007797 size_t signature_length = 0xdeadbeef;
Paul Elliottc1e04002023-02-26 20:27:23 +00007798 uint32_t num_ops = 0;
7799 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7800
Paul Elliotta4cb9092023-02-07 18:01:55 +00007801 psa_sign_hash_interruptible_operation_t sign_operation =
7802 psa_sign_hash_interruptible_operation_init();
Paul Elliottf1743e22023-02-15 18:44:16 +00007803 psa_verify_hash_interruptible_operation_t verify_operation =
7804 psa_verify_hash_interruptible_operation_init();
Paul Elliotta4cb9092023-02-07 18:01:55 +00007805
7806 PSA_ASSERT(psa_crypto_init());
7807
7808 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
7809 PSA_KEY_USAGE_VERIFY_HASH);
7810 psa_set_key_algorithm(&attributes, alg);
7811 psa_set_key_type(&attributes, key_type);
7812
Paul Elliottf1743e22023-02-15 18:44:16 +00007813 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, &key));
7814 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
7815 key_bits = psa_get_key_bits(&attributes);
7816
7817 /* Allocate a buffer which has the size advertised by the
7818 * library. */
7819 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg);
7820
7821 TEST_ASSERT(signature_size != 0);
7822 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007823 TEST_CALLOC(signature, signature_size);
Paul Elliotta4cb9092023-02-07 18:01:55 +00007824
7825 /* Check that default max ops gets set if we don't set it. */
7826 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7827 input_data->x, input_data->len));
7828
7829 TEST_EQUAL(psa_interruptible_get_max_ops(),
7830 PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7831
7832 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7833
Paul Elliottf1743e22023-02-15 18:44:16 +00007834 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7835 input_data->x, input_data->len,
7836 signature, signature_size));
7837
7838 TEST_EQUAL(psa_interruptible_get_max_ops(),
7839 PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7840
7841 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7842
Paul Elliotta4cb9092023-02-07 18:01:55 +00007843 /* Check that max ops gets set properly. */
7844
7845 psa_interruptible_set_max_ops(0xbeef);
7846
Paul Elliottf1743e22023-02-15 18:44:16 +00007847 TEST_EQUAL(psa_interruptible_get_max_ops(), 0xbeef);
Paul Elliotta4cb9092023-02-07 18:01:55 +00007848
Paul Elliott9e8819f2023-02-26 19:01:35 +00007849 /* --- Ensure changing the max ops mid operation works (operation should
7850 * complete successfully after setting max ops to unlimited --- */
7851 psa_interruptible_set_max_ops(1);
7852
7853 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7854 input_data->x, input_data->len));
7855
7856 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7857 signature_size,
7858 &signature_length),
7859 PSA_OPERATION_INCOMPLETE);
7860
7861 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7862
7863 PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
7864 signature_size,
7865 &signature_length));
7866
7867 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7868
7869 psa_interruptible_set_max_ops(1);
7870
7871 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7872 input_data->x, input_data->len,
7873 signature, signature_length));
7874
7875 TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
7876 PSA_OPERATION_INCOMPLETE);
7877
7878 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7879
7880 PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
7881
7882 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7883
Paul Elliottc1e04002023-02-26 20:27:23 +00007884 /* --- Test that not calling get_num_ops inbetween complete calls does not
7885 * result in lost ops. ---*/
7886
7887 psa_interruptible_set_max_ops(1);
7888
7889 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7890 input_data->x, input_data->len));
7891
7892 /* Continue performing the signature until complete. */
7893 do {
7894 status = psa_sign_hash_complete(&sign_operation, signature,
7895 signature_size,
7896 &signature_length);
7897
7898 num_ops = psa_sign_hash_get_num_ops(&sign_operation);
7899
7900 } while (status == PSA_OPERATION_INCOMPLETE);
7901
7902 PSA_ASSERT(status);
7903
7904 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7905
7906 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7907 input_data->x, input_data->len));
7908
7909 /* Continue performing the signature until complete. */
7910 do {
7911 status = psa_sign_hash_complete(&sign_operation, signature,
7912 signature_size,
7913 &signature_length);
7914 } while (status == PSA_OPERATION_INCOMPLETE);
7915
7916 PSA_ASSERT(status);
7917
7918 TEST_EQUAL(num_ops, psa_sign_hash_get_num_ops(&sign_operation));
7919
7920 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7921
7922 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7923 input_data->x, input_data->len,
7924 signature, signature_length));
7925
7926 /* Continue performing the verification until complete. */
7927 do {
7928 status = psa_verify_hash_complete(&verify_operation);
7929
7930 num_ops = psa_verify_hash_get_num_ops(&verify_operation);
7931
7932 } while (status == PSA_OPERATION_INCOMPLETE);
7933
7934 PSA_ASSERT(status);
7935
7936 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7937
7938 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7939 input_data->x, input_data->len,
7940 signature, signature_length));
7941
7942 /* Continue performing the verification until complete. */
7943 do {
7944 status = psa_verify_hash_complete(&verify_operation);
7945
7946 } while (status == PSA_OPERATION_INCOMPLETE);
7947
7948 PSA_ASSERT(status);
7949
7950 TEST_EQUAL(num_ops, psa_verify_hash_get_num_ops(&verify_operation));
7951
7952 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7953
Paul Elliotta4cb9092023-02-07 18:01:55 +00007954exit:
7955 /*
7956 * Key attributes may have been returned by psa_get_key_attributes()
7957 * thus reset them as required.
7958 */
7959 psa_reset_key_attributes(&attributes);
7960
7961 psa_destroy_key(key);
Paul Elliottf1743e22023-02-15 18:44:16 +00007962 mbedtls_free(signature);
Paul Elliotta4cb9092023-02-07 18:01:55 +00007963 PSA_DONE();
7964}
7965/* END_CASE */
Paul Elliott76d671a2023-02-07 17:45:18 +00007966
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007967/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01007968void sign_message_deterministic(int key_type_arg,
7969 data_t *key_data,
7970 int alg_arg,
7971 data_t *input_data,
7972 data_t *output_data)
gabor-mezei-arm53028482021-04-15 18:19:50 +02007973{
7974 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7975 psa_key_type_t key_type = key_type_arg;
7976 psa_algorithm_t alg = alg_arg;
7977 size_t key_bits;
7978 unsigned char *signature = NULL;
7979 size_t signature_size;
7980 size_t signature_length = 0xdeadbeef;
7981 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7982
Gilles Peskine449bd832023-01-11 14:50:10 +01007983 PSA_ASSERT(psa_crypto_init());
gabor-mezei-arm53028482021-04-15 18:19:50 +02007984
Gilles Peskine449bd832023-01-11 14:50:10 +01007985 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
7986 psa_set_key_algorithm(&attributes, alg);
7987 psa_set_key_type(&attributes, key_type);
gabor-mezei-arm53028482021-04-15 18:19:50 +02007988
Gilles Peskine449bd832023-01-11 14:50:10 +01007989 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7990 &key));
7991 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
7992 key_bits = psa_get_key_bits(&attributes);
gabor-mezei-arm53028482021-04-15 18:19:50 +02007993
Gilles Peskine449bd832023-01-11 14:50:10 +01007994 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg);
7995 TEST_ASSERT(signature_size != 0);
7996 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007997 TEST_CALLOC(signature, signature_size);
gabor-mezei-arm53028482021-04-15 18:19:50 +02007998
Gilles Peskine449bd832023-01-11 14:50:10 +01007999 PSA_ASSERT(psa_sign_message(key, alg,
8000 input_data->x, input_data->len,
8001 signature, signature_size,
8002 &signature_length));
gabor-mezei-arm53028482021-04-15 18:19:50 +02008003
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01008004 TEST_MEMORY_COMPARE(output_data->x, output_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01008005 signature, signature_length);
gabor-mezei-arm53028482021-04-15 18:19:50 +02008006
8007exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008008 psa_reset_key_attributes(&attributes);
gabor-mezei-arm53028482021-04-15 18:19:50 +02008009
Gilles Peskine449bd832023-01-11 14:50:10 +01008010 psa_destroy_key(key);
8011 mbedtls_free(signature);
8012 PSA_DONE();
gabor-mezei-arm53028482021-04-15 18:19:50 +02008013
8014}
8015/* END_CASE */
8016
8017/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008018void sign_message_fail(int key_type_arg,
8019 data_t *key_data,
8020 int alg_arg,
8021 data_t *input_data,
8022 int signature_size_arg,
8023 int expected_status_arg)
8024{
8025 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8026 psa_key_type_t key_type = key_type_arg;
8027 psa_algorithm_t alg = alg_arg;
8028 size_t signature_size = signature_size_arg;
8029 psa_status_t actual_status;
8030 psa_status_t expected_status = expected_status_arg;
8031 unsigned char *signature = NULL;
8032 size_t signature_length = 0xdeadbeef;
8033 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8034
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008035 TEST_CALLOC(signature, signature_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01008036
8037 PSA_ASSERT(psa_crypto_init());
8038
8039 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
8040 psa_set_key_algorithm(&attributes, alg);
8041 psa_set_key_type(&attributes, key_type);
8042
8043 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8044 &key));
8045
8046 actual_status = psa_sign_message(key, alg,
8047 input_data->x, input_data->len,
8048 signature, signature_size,
8049 &signature_length);
8050 TEST_EQUAL(actual_status, expected_status);
8051 /* The value of *signature_length is unspecified on error, but
8052 * whatever it is, it should be less than signature_size, so that
8053 * if the caller tries to read *signature_length bytes without
8054 * checking the error code then they don't overflow a buffer. */
8055 TEST_LE_U(signature_length, signature_size);
8056
8057exit:
8058 psa_reset_key_attributes(&attributes);
8059 psa_destroy_key(key);
8060 mbedtls_free(signature);
8061 PSA_DONE();
8062}
8063/* END_CASE */
8064
8065/* BEGIN_CASE */
8066void sign_verify_message(int key_type_arg,
8067 data_t *key_data,
8068 int alg_arg,
8069 data_t *input_data)
8070{
8071 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8072 psa_key_type_t key_type = key_type_arg;
8073 psa_algorithm_t alg = alg_arg;
8074 size_t key_bits;
8075 unsigned char *signature = NULL;
8076 size_t signature_size;
8077 size_t signature_length = 0xdeadbeef;
8078 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8079
8080 PSA_ASSERT(psa_crypto_init());
8081
8082 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE |
8083 PSA_KEY_USAGE_VERIFY_MESSAGE);
8084 psa_set_key_algorithm(&attributes, alg);
8085 psa_set_key_type(&attributes, key_type);
8086
8087 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8088 &key));
8089 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8090 key_bits = psa_get_key_bits(&attributes);
8091
8092 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg);
8093 TEST_ASSERT(signature_size != 0);
8094 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008095 TEST_CALLOC(signature, signature_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01008096
8097 PSA_ASSERT(psa_sign_message(key, alg,
8098 input_data->x, input_data->len,
8099 signature, signature_size,
8100 &signature_length));
8101 TEST_LE_U(signature_length, signature_size);
8102 TEST_ASSERT(signature_length > 0);
8103
8104 PSA_ASSERT(psa_verify_message(key, alg,
8105 input_data->x, input_data->len,
8106 signature, signature_length));
8107
8108 if (input_data->len != 0) {
8109 /* Flip a bit in the input and verify that the signature is now
8110 * detected as invalid. Flip a bit at the beginning, not at the end,
8111 * because ECDSA may ignore the last few bits of the input. */
8112 input_data->x[0] ^= 1;
8113 TEST_EQUAL(psa_verify_message(key, alg,
8114 input_data->x, input_data->len,
8115 signature, signature_length),
8116 PSA_ERROR_INVALID_SIGNATURE);
8117 }
8118
8119exit:
8120 psa_reset_key_attributes(&attributes);
8121
8122 psa_destroy_key(key);
8123 mbedtls_free(signature);
8124 PSA_DONE();
8125}
8126/* END_CASE */
8127
8128/* BEGIN_CASE */
8129void verify_message(int key_type_arg,
8130 data_t *key_data,
8131 int alg_arg,
8132 data_t *input_data,
8133 data_t *signature_data)
8134{
8135 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8136 psa_key_type_t key_type = key_type_arg;
8137 psa_algorithm_t alg = alg_arg;
8138 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8139
8140 TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE);
8141
8142 PSA_ASSERT(psa_crypto_init());
8143
8144 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_MESSAGE);
8145 psa_set_key_algorithm(&attributes, alg);
8146 psa_set_key_type(&attributes, key_type);
8147
8148 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8149 &key));
8150
8151 PSA_ASSERT(psa_verify_message(key, alg,
8152 input_data->x, input_data->len,
8153 signature_data->x, signature_data->len));
8154
8155exit:
8156 psa_reset_key_attributes(&attributes);
8157 psa_destroy_key(key);
8158 PSA_DONE();
8159}
8160/* END_CASE */
8161
8162/* BEGIN_CASE */
8163void verify_message_fail(int key_type_arg,
8164 data_t *key_data,
8165 int alg_arg,
8166 data_t *hash_data,
8167 data_t *signature_data,
8168 int expected_status_arg)
8169{
8170 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8171 psa_key_type_t key_type = key_type_arg;
8172 psa_algorithm_t alg = alg_arg;
8173 psa_status_t actual_status;
8174 psa_status_t expected_status = expected_status_arg;
8175 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8176
8177 PSA_ASSERT(psa_crypto_init());
8178
8179 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_MESSAGE);
8180 psa_set_key_algorithm(&attributes, alg);
8181 psa_set_key_type(&attributes, key_type);
8182
8183 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8184 &key));
8185
8186 actual_status = psa_verify_message(key, alg,
8187 hash_data->x, hash_data->len,
8188 signature_data->x,
8189 signature_data->len);
8190 TEST_EQUAL(actual_status, expected_status);
8191
8192exit:
8193 psa_reset_key_attributes(&attributes);
8194 psa_destroy_key(key);
8195 PSA_DONE();
8196}
8197/* END_CASE */
8198
8199/* BEGIN_CASE */
8200void asymmetric_encrypt(int key_type_arg,
gabor-mezei-arm53028482021-04-15 18:19:50 +02008201 data_t *key_data,
8202 int alg_arg,
8203 data_t *input_data,
Gilles Peskine449bd832023-01-11 14:50:10 +01008204 data_t *label,
8205 int expected_output_length_arg,
8206 int expected_status_arg)
Gilles Peskine656896e2018-06-29 19:12:28 +02008207{
Ronald Cron5425a212020-08-04 14:58:35 +02008208 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine656896e2018-06-29 19:12:28 +02008209 psa_key_type_t key_type = key_type_arg;
8210 psa_algorithm_t alg = alg_arg;
8211 size_t expected_output_length = expected_output_length_arg;
8212 size_t key_bits;
8213 unsigned char *output = NULL;
8214 size_t output_size;
8215 size_t output_length = ~0;
8216 psa_status_t actual_status;
8217 psa_status_t expected_status = expected_status_arg;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02008218 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine656896e2018-06-29 19:12:28 +02008219
Gilles Peskine449bd832023-01-11 14:50:10 +01008220 PSA_ASSERT(psa_crypto_init());
Gilles Peskinebdf309c2018-12-03 15:36:32 +01008221
Gilles Peskine656896e2018-06-29 19:12:28 +02008222 /* Import the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01008223 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
8224 psa_set_key_algorithm(&attributes, alg);
8225 psa_set_key_type(&attributes, key_type);
8226 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8227 &key));
Gilles Peskine656896e2018-06-29 19:12:28 +02008228
8229 /* Determine the maximum output length */
Gilles Peskine449bd832023-01-11 14:50:10 +01008230 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8231 key_bits = psa_get_key_bits(&attributes);
gabor-mezei-armceface22021-01-21 12:26:17 +01008232
Gilles Peskine449bd832023-01-11 14:50:10 +01008233 output_size = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg);
8234 TEST_LE_U(output_size, PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008235 TEST_CALLOC(output, output_size);
Gilles Peskine656896e2018-06-29 19:12:28 +02008236
8237 /* Encrypt the input */
Gilles Peskine449bd832023-01-11 14:50:10 +01008238 actual_status = psa_asymmetric_encrypt(key, alg,
8239 input_data->x, input_data->len,
8240 label->x, label->len,
8241 output, output_size,
8242 &output_length);
8243 TEST_EQUAL(actual_status, expected_status);
oberon-sk10c0f772023-02-13 13:42:02 +01008244 if (actual_status == PSA_SUCCESS) {
8245 TEST_EQUAL(output_length, expected_output_length);
Stephan Koch5819d2c2023-02-22 13:39:21 +01008246 } else {
8247 TEST_LE_U(output_length, output_size);
oberon-sk10c0f772023-02-13 13:42:02 +01008248 }
Gilles Peskine656896e2018-06-29 19:12:28 +02008249
Gilles Peskine68428122018-06-30 18:42:41 +02008250 /* If the label is empty, the test framework puts a non-null pointer
8251 * in label->x. Test that a null pointer works as well. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008252 if (label->len == 0) {
Gilles Peskine68428122018-06-30 18:42:41 +02008253 output_length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01008254 if (output_size != 0) {
8255 memset(output, 0, output_size);
8256 }
8257 actual_status = psa_asymmetric_encrypt(key, alg,
8258 input_data->x, input_data->len,
8259 NULL, label->len,
8260 output, output_size,
8261 &output_length);
8262 TEST_EQUAL(actual_status, expected_status);
oberon-sk10c0f772023-02-13 13:42:02 +01008263 if (actual_status == PSA_SUCCESS) {
8264 TEST_EQUAL(output_length, expected_output_length);
Stephan Koch5819d2c2023-02-22 13:39:21 +01008265 } else {
8266 TEST_LE_U(output_length, output_size);
oberon-sk10c0f772023-02-13 13:42:02 +01008267 }
Gilles Peskine68428122018-06-30 18:42:41 +02008268 }
8269
Gilles Peskine656896e2018-06-29 19:12:28 +02008270exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01008271 /*
8272 * Key attributes may have been returned by psa_get_key_attributes()
8273 * thus reset them as required.
8274 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008275 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01008276
Gilles Peskine449bd832023-01-11 14:50:10 +01008277 psa_destroy_key(key);
8278 mbedtls_free(output);
8279 PSA_DONE();
Gilles Peskine656896e2018-06-29 19:12:28 +02008280}
8281/* END_CASE */
8282
8283/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008284void asymmetric_encrypt_decrypt(int key_type_arg,
8285 data_t *key_data,
8286 int alg_arg,
8287 data_t *input_data,
8288 data_t *label)
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008289{
Ronald Cron5425a212020-08-04 14:58:35 +02008290 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008291 psa_key_type_t key_type = key_type_arg;
8292 psa_algorithm_t alg = alg_arg;
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008293 size_t key_bits;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008294 unsigned char *output = NULL;
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008295 size_t output_size;
8296 size_t output_length = ~0;
Nir Sonnenschein0f3bdbd2018-05-02 23:56:12 +03008297 unsigned char *output2 = NULL;
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008298 size_t output2_size;
8299 size_t output2_length = ~0;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02008300 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008301
Gilles Peskine449bd832023-01-11 14:50:10 +01008302 PSA_ASSERT(psa_crypto_init());
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008303
Gilles Peskine449bd832023-01-11 14:50:10 +01008304 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
8305 psa_set_key_algorithm(&attributes, alg);
8306 psa_set_key_type(&attributes, key_type);
Nir Sonnenscheind7082602018-06-04 16:45:27 +03008307
Gilles Peskine449bd832023-01-11 14:50:10 +01008308 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8309 &key));
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008310
8311 /* Determine the maximum ciphertext length */
Gilles Peskine449bd832023-01-11 14:50:10 +01008312 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8313 key_bits = psa_get_key_bits(&attributes);
gabor-mezei-armceface22021-01-21 12:26:17 +01008314
Gilles Peskine449bd832023-01-11 14:50:10 +01008315 output_size = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg);
8316 TEST_LE_U(output_size, PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008317 TEST_CALLOC(output, output_size);
gabor-mezei-armceface22021-01-21 12:26:17 +01008318
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008319 output2_size = input_data->len;
Gilles Peskine449bd832023-01-11 14:50:10 +01008320 TEST_LE_U(output2_size,
8321 PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg));
8322 TEST_LE_U(output2_size, PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008323 TEST_CALLOC(output2, output2_size);
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008324
Gilles Peskineeebd7382018-06-08 18:11:54 +02008325 /* We test encryption by checking that encrypt-then-decrypt gives back
8326 * the original plaintext because of the non-optional random
8327 * part of encryption process which prevents using fixed vectors. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008328 PSA_ASSERT(psa_asymmetric_encrypt(key, alg,
8329 input_data->x, input_data->len,
8330 label->x, label->len,
8331 output, output_size,
8332 &output_length));
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008333 /* We don't know what ciphertext length to expect, but check that
8334 * it looks sensible. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008335 TEST_LE_U(output_length, output_size);
Nir Sonnenschein0f3bdbd2018-05-02 23:56:12 +03008336
Gilles Peskine449bd832023-01-11 14:50:10 +01008337 PSA_ASSERT(psa_asymmetric_decrypt(key, alg,
8338 output, output_length,
8339 label->x, label->len,
8340 output2, output2_size,
8341 &output2_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01008342 TEST_MEMORY_COMPARE(input_data->x, input_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01008343 output2, output2_length);
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008344
8345exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01008346 /*
8347 * Key attributes may have been returned by psa_get_key_attributes()
8348 * thus reset them as required.
8349 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008350 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01008351
Gilles Peskine449bd832023-01-11 14:50:10 +01008352 psa_destroy_key(key);
8353 mbedtls_free(output);
8354 mbedtls_free(output2);
8355 PSA_DONE();
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008356}
8357/* END_CASE */
8358
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008359/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008360void asymmetric_decrypt(int key_type_arg,
8361 data_t *key_data,
8362 int alg_arg,
8363 data_t *input_data,
8364 data_t *label,
8365 data_t *expected_data)
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008366{
Ronald Cron5425a212020-08-04 14:58:35 +02008367 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008368 psa_key_type_t key_type = key_type_arg;
8369 psa_algorithm_t alg = alg_arg;
gabor-mezei-armceface22021-01-21 12:26:17 +01008370 size_t key_bits;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008371 unsigned char *output = NULL;
Nir Sonnenscheind70bc482018-06-04 16:31:13 +03008372 size_t output_size = 0;
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008373 size_t output_length = ~0;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02008374 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008375
Gilles Peskine449bd832023-01-11 14:50:10 +01008376 PSA_ASSERT(psa_crypto_init());
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008377
Gilles Peskine449bd832023-01-11 14:50:10 +01008378 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
8379 psa_set_key_algorithm(&attributes, alg);
8380 psa_set_key_type(&attributes, key_type);
Nir Sonnenscheind7082602018-06-04 16:45:27 +03008381
Gilles Peskine449bd832023-01-11 14:50:10 +01008382 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8383 &key));
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008384
Gilles Peskine449bd832023-01-11 14:50:10 +01008385 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8386 key_bits = psa_get_key_bits(&attributes);
gabor-mezei-armceface22021-01-21 12:26:17 +01008387
8388 /* Determine the maximum ciphertext length */
Gilles Peskine449bd832023-01-11 14:50:10 +01008389 output_size = PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg);
8390 TEST_LE_U(output_size, PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008391 TEST_CALLOC(output, output_size);
gabor-mezei-armceface22021-01-21 12:26:17 +01008392
Gilles Peskine449bd832023-01-11 14:50:10 +01008393 PSA_ASSERT(psa_asymmetric_decrypt(key, alg,
8394 input_data->x, input_data->len,
8395 label->x, label->len,
8396 output,
8397 output_size,
8398 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01008399 TEST_MEMORY_COMPARE(expected_data->x, expected_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01008400 output, output_length);
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008401
Gilles Peskine68428122018-06-30 18:42:41 +02008402 /* If the label is empty, the test framework puts a non-null pointer
8403 * in label->x. Test that a null pointer works as well. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008404 if (label->len == 0) {
Gilles Peskine68428122018-06-30 18:42:41 +02008405 output_length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01008406 if (output_size != 0) {
8407 memset(output, 0, output_size);
8408 }
8409 PSA_ASSERT(psa_asymmetric_decrypt(key, alg,
8410 input_data->x, input_data->len,
8411 NULL, label->len,
8412 output,
8413 output_size,
8414 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01008415 TEST_MEMORY_COMPARE(expected_data->x, expected_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01008416 output, output_length);
Gilles Peskine68428122018-06-30 18:42:41 +02008417 }
8418
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008419exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008420 psa_reset_key_attributes(&attributes);
8421 psa_destroy_key(key);
8422 mbedtls_free(output);
8423 PSA_DONE();
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008424}
8425/* END_CASE */
8426
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008427/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008428void asymmetric_decrypt_fail(int key_type_arg,
8429 data_t *key_data,
8430 int alg_arg,
8431 data_t *input_data,
8432 data_t *label,
8433 int output_size_arg,
8434 int expected_status_arg)
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008435{
Ronald Cron5425a212020-08-04 14:58:35 +02008436 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008437 psa_key_type_t key_type = key_type_arg;
8438 psa_algorithm_t alg = alg_arg;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008439 unsigned char *output = NULL;
Jaeden Amerof8daab72019-02-06 12:57:46 +00008440 size_t output_size = output_size_arg;
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008441 size_t output_length = ~0;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008442 psa_status_t actual_status;
8443 psa_status_t expected_status = expected_status_arg;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02008444 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008445
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008446 TEST_CALLOC(output, output_size);
Gilles Peskine5b051bc2018-05-31 13:25:48 +02008447
Gilles Peskine449bd832023-01-11 14:50:10 +01008448 PSA_ASSERT(psa_crypto_init());
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008449
Gilles Peskine449bd832023-01-11 14:50:10 +01008450 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
8451 psa_set_key_algorithm(&attributes, alg);
8452 psa_set_key_type(&attributes, key_type);
Nir Sonnenscheind7082602018-06-04 16:45:27 +03008453
Gilles Peskine449bd832023-01-11 14:50:10 +01008454 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8455 &key));
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008456
Gilles Peskine449bd832023-01-11 14:50:10 +01008457 actual_status = psa_asymmetric_decrypt(key, alg,
8458 input_data->x, input_data->len,
8459 label->x, label->len,
8460 output, output_size,
8461 &output_length);
8462 TEST_EQUAL(actual_status, expected_status);
8463 TEST_LE_U(output_length, output_size);
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008464
Gilles Peskine68428122018-06-30 18:42:41 +02008465 /* If the label is empty, the test framework puts a non-null pointer
8466 * in label->x. Test that a null pointer works as well. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008467 if (label->len == 0) {
Gilles Peskine68428122018-06-30 18:42:41 +02008468 output_length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01008469 if (output_size != 0) {
8470 memset(output, 0, output_size);
8471 }
8472 actual_status = psa_asymmetric_decrypt(key, alg,
8473 input_data->x, input_data->len,
8474 NULL, label->len,
8475 output, output_size,
8476 &output_length);
8477 TEST_EQUAL(actual_status, expected_status);
8478 TEST_LE_U(output_length, output_size);
Gilles Peskine68428122018-06-30 18:42:41 +02008479 }
8480
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008481exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008482 psa_reset_key_attributes(&attributes);
8483 psa_destroy_key(key);
8484 mbedtls_free(output);
8485 PSA_DONE();
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008486}
Gilles Peskine5b051bc2018-05-31 13:25:48 +02008487/* END_CASE */
Gilles Peskine05d69892018-06-19 22:00:52 +02008488
8489/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008490void key_derivation_init()
Jaeden Amerod94d6712019-01-04 14:11:48 +00008491{
8492 /* Test each valid way of initializing the object, except for `= {0}`, as
8493 * Clang 5 complains when `-Wmissing-field-initializers` is used, even
8494 * though it's OK by the C standard. We could test for this, but we'd need
Shaun Case8b0ecbc2021-12-20 21:14:10 -08008495 * to suppress the Clang warning for the test. */
Jaeden Amero5229bbb2019-02-07 16:33:37 +00008496 size_t capacity;
Gilles Peskine449bd832023-01-11 14:50:10 +01008497 psa_key_derivation_operation_t func = psa_key_derivation_operation_init();
Gilles Peskinea99d3fb2019-05-16 15:28:51 +02008498 psa_key_derivation_operation_t init = PSA_KEY_DERIVATION_OPERATION_INIT;
8499 psa_key_derivation_operation_t zero;
Jaeden Amerod94d6712019-01-04 14:11:48 +00008500
Gilles Peskine449bd832023-01-11 14:50:10 +01008501 memset(&zero, 0, sizeof(zero));
Jaeden Amerod94d6712019-01-04 14:11:48 +00008502
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008503 /* A default operation should not be able to report its capacity. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008504 TEST_EQUAL(psa_key_derivation_get_capacity(&func, &capacity),
8505 PSA_ERROR_BAD_STATE);
8506 TEST_EQUAL(psa_key_derivation_get_capacity(&init, &capacity),
8507 PSA_ERROR_BAD_STATE);
8508 TEST_EQUAL(psa_key_derivation_get_capacity(&zero, &capacity),
8509 PSA_ERROR_BAD_STATE);
Jaeden Amero5229bbb2019-02-07 16:33:37 +00008510
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008511 /* A default operation should be abortable without error. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008512 PSA_ASSERT(psa_key_derivation_abort(&func));
8513 PSA_ASSERT(psa_key_derivation_abort(&init));
8514 PSA_ASSERT(psa_key_derivation_abort(&zero));
Jaeden Amerod94d6712019-01-04 14:11:48 +00008515}
8516/* END_CASE */
8517
Janos Follath16de4a42019-06-13 16:32:24 +01008518/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008519void derive_setup(int alg_arg, int expected_status_arg)
Gilles Peskineea0fb492018-07-12 17:17:20 +02008520{
Gilles Peskineea0fb492018-07-12 17:17:20 +02008521 psa_algorithm_t alg = alg_arg;
Gilles Peskineea0fb492018-07-12 17:17:20 +02008522 psa_status_t expected_status = expected_status_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008523 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineea0fb492018-07-12 17:17:20 +02008524
Gilles Peskine449bd832023-01-11 14:50:10 +01008525 PSA_ASSERT(psa_crypto_init());
Gilles Peskineea0fb492018-07-12 17:17:20 +02008526
Gilles Peskine449bd832023-01-11 14:50:10 +01008527 TEST_EQUAL(psa_key_derivation_setup(&operation, alg),
8528 expected_status);
Gilles Peskineea0fb492018-07-12 17:17:20 +02008529
8530exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008531 psa_key_derivation_abort(&operation);
8532 PSA_DONE();
Gilles Peskineea0fb492018-07-12 17:17:20 +02008533}
8534/* END_CASE */
8535
Janos Follathaf3c2a02019-06-12 12:34:34 +01008536/* BEGIN_CASE */
Kusumit Ghoderao9ffd3972023-12-01 16:40:13 +05308537void derive_set_capacity(int alg_arg, int64_t capacity_arg,
Gilles Peskine449bd832023-01-11 14:50:10 +01008538 int expected_status_arg)
Janos Follatha27c9272019-06-14 09:59:36 +01008539{
8540 psa_algorithm_t alg = alg_arg;
8541 size_t capacity = capacity_arg;
8542 psa_status_t expected_status = expected_status_arg;
8543 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
8544
Gilles Peskine449bd832023-01-11 14:50:10 +01008545 PSA_ASSERT(psa_crypto_init());
Janos Follatha27c9272019-06-14 09:59:36 +01008546
Gilles Peskine449bd832023-01-11 14:50:10 +01008547 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
Janos Follatha27c9272019-06-14 09:59:36 +01008548
Gilles Peskine449bd832023-01-11 14:50:10 +01008549 TEST_EQUAL(psa_key_derivation_set_capacity(&operation, capacity),
8550 expected_status);
Janos Follatha27c9272019-06-14 09:59:36 +01008551
8552exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008553 psa_key_derivation_abort(&operation);
8554 PSA_DONE();
Janos Follatha27c9272019-06-14 09:59:36 +01008555}
8556/* END_CASE */
8557
8558/* BEGIN_CASE */
Kusumit Ghoderaod60dfc02023-05-01 17:39:27 +05308559void parse_binary_string_test(data_t *input, int output)
8560{
8561 uint64_t value;
Kusumit Ghoderao7c61ffc2023-09-05 19:29:47 +05308562 value = mbedtls_test_parse_binary_string(input);
Kusumit Ghoderaod60dfc02023-05-01 17:39:27 +05308563 TEST_EQUAL(value, output);
8564}
8565/* END_CASE */
8566
8567/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008568void derive_input(int alg_arg,
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308569 int step_arg1, int key_type_arg1, data_t *input1,
8570 int expected_status_arg1,
8571 int step_arg2, int key_type_arg2, data_t *input2,
8572 int expected_status_arg2,
8573 int step_arg3, int key_type_arg3, data_t *input3,
8574 int expected_status_arg3,
Gilles Peskine449bd832023-01-11 14:50:10 +01008575 int output_key_type_arg, int expected_output_status_arg)
Janos Follathaf3c2a02019-06-12 12:34:34 +01008576{
8577 psa_algorithm_t alg = alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01008578 psa_key_derivation_step_t steps[] = { step_arg1, step_arg2, step_arg3 };
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308579 uint32_t key_types[] = { key_type_arg1, key_type_arg2, key_type_arg3 };
Gilles Peskine449bd832023-01-11 14:50:10 +01008580 psa_status_t expected_statuses[] = { expected_status_arg1,
8581 expected_status_arg2,
8582 expected_status_arg3 };
8583 data_t *inputs[] = { input1, input2, input3 };
Ronald Cron5425a212020-08-04 14:58:35 +02008584 mbedtls_svc_key_id_t keys[] = { MBEDTLS_SVC_KEY_ID_INIT,
8585 MBEDTLS_SVC_KEY_ID_INIT,
8586 MBEDTLS_SVC_KEY_ID_INIT };
Janos Follathaf3c2a02019-06-12 12:34:34 +01008587 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
8588 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8589 size_t i;
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008590 psa_key_type_t output_key_type = output_key_type_arg;
Ronald Cron5425a212020-08-04 14:58:35 +02008591 mbedtls_svc_key_id_t output_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008592 psa_status_t expected_output_status = expected_output_status_arg;
8593 psa_status_t actual_output_status;
Janos Follathaf3c2a02019-06-12 12:34:34 +01008594
Gilles Peskine449bd832023-01-11 14:50:10 +01008595 PSA_ASSERT(psa_crypto_init());
Janos Follathaf3c2a02019-06-12 12:34:34 +01008596
Gilles Peskine449bd832023-01-11 14:50:10 +01008597 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
8598 psa_set_key_algorithm(&attributes, alg);
Janos Follathaf3c2a02019-06-12 12:34:34 +01008599
Gilles Peskine449bd832023-01-11 14:50:10 +01008600 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
Janos Follathaf3c2a02019-06-12 12:34:34 +01008601
Gilles Peskine449bd832023-01-11 14:50:10 +01008602 for (i = 0; i < ARRAY_LENGTH(steps); i++) {
8603 mbedtls_test_set_step(i);
8604 if (steps[i] == 0) {
Gilles Peskine4023c012021-05-27 13:21:20 +02008605 /* Skip this step */
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308606 } else if (((psa_key_type_t) key_types[i]) != PSA_KEY_TYPE_NONE &&
8607 key_types[i] != INPUT_INTEGER) {
8608 psa_set_key_type(&attributes, ((psa_key_type_t) key_types[i]));
Gilles Peskine449bd832023-01-11 14:50:10 +01008609 PSA_ASSERT(psa_import_key(&attributes,
8610 inputs[i]->x, inputs[i]->len,
8611 &keys[i]));
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308612 if (PSA_KEY_TYPE_IS_KEY_PAIR((psa_key_type_t) key_types[i]) &&
Gilles Peskine449bd832023-01-11 14:50:10 +01008613 steps[i] == PSA_KEY_DERIVATION_INPUT_SECRET) {
Steven Cooreman0ee0d522020-10-05 16:03:42 +02008614 // When taking a private key as secret input, use key agreement
8615 // to add the shared secret to the derivation
Gilles Peskine449bd832023-01-11 14:50:10 +01008616 TEST_EQUAL(mbedtls_test_psa_key_agreement_with_self(
8617 &operation, keys[i]),
8618 expected_statuses[i]);
8619 } else {
8620 TEST_EQUAL(psa_key_derivation_input_key(&operation, steps[i],
8621 keys[i]),
8622 expected_statuses[i]);
Steven Cooreman0ee0d522020-10-05 16:03:42 +02008623 }
Gilles Peskine449bd832023-01-11 14:50:10 +01008624 } else {
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308625 if (key_types[i] == INPUT_INTEGER) {
8626 TEST_EQUAL(psa_key_derivation_input_integer(
8627 &operation, steps[i],
Kusumit Ghoderao7c61ffc2023-09-05 19:29:47 +05308628 mbedtls_test_parse_binary_string(inputs[i])),
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308629 expected_statuses[i]);
8630 } else {
Kusumit Ghoderao02326d52023-04-06 17:47:59 +05308631 TEST_EQUAL(psa_key_derivation_input_bytes(
8632 &operation, steps[i],
8633 inputs[i]->x, inputs[i]->len),
8634 expected_statuses[i]);
Kusumit Ghoderao02326d52023-04-06 17:47:59 +05308635 }
Janos Follathaf3c2a02019-06-12 12:34:34 +01008636 }
8637 }
8638
Gilles Peskine449bd832023-01-11 14:50:10 +01008639 if (output_key_type != PSA_KEY_TYPE_NONE) {
8640 psa_reset_key_attributes(&attributes);
8641 psa_set_key_type(&attributes, output_key_type);
8642 psa_set_key_bits(&attributes, 8);
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008643 actual_output_status =
Gilles Peskine449bd832023-01-11 14:50:10 +01008644 psa_key_derivation_output_key(&attributes, &operation,
8645 &output_key);
8646 } else {
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008647 uint8_t buffer[1];
8648 actual_output_status =
Gilles Peskine449bd832023-01-11 14:50:10 +01008649 psa_key_derivation_output_bytes(&operation,
8650 buffer, sizeof(buffer));
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008651 }
Gilles Peskine449bd832023-01-11 14:50:10 +01008652 TEST_EQUAL(actual_output_status, expected_output_status);
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008653
Janos Follathaf3c2a02019-06-12 12:34:34 +01008654exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008655 psa_key_derivation_abort(&operation);
8656 for (i = 0; i < ARRAY_LENGTH(keys); i++) {
8657 psa_destroy_key(keys[i]);
8658 }
8659 psa_destroy_key(output_key);
8660 PSA_DONE();
Janos Follathaf3c2a02019-06-12 12:34:34 +01008661}
8662/* END_CASE */
8663
Kusumit Ghoderao42b02b92023-06-06 16:48:46 +05308664/* BEGIN_CASE*/
8665void derive_input_invalid_cost(int alg_arg, int64_t cost)
8666{
8667 psa_algorithm_t alg = alg_arg;
8668 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
8669
8670 PSA_ASSERT(psa_crypto_init());
8671 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
8672
8673 TEST_EQUAL(psa_key_derivation_input_integer(&operation,
8674 PSA_KEY_DERIVATION_INPUT_COST,
8675 cost),
8676 PSA_ERROR_NOT_SUPPORTED);
8677
8678exit:
8679 psa_key_derivation_abort(&operation);
8680 PSA_DONE();
8681}
8682/* END_CASE*/
8683
Janos Follathd958bb72019-07-03 15:02:16 +01008684/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008685void derive_over_capacity(int alg_arg)
Nir Sonnenscheine5204c92018-10-22 17:24:55 +03008686{
Janos Follathd958bb72019-07-03 15:02:16 +01008687 psa_algorithm_t alg = alg_arg;
Ronald Cron5425a212020-08-04 14:58:35 +02008688 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Nir Sonnenschein4eda37b2018-10-31 12:15:58 +02008689 size_t key_type = PSA_KEY_TYPE_DERIVE;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008690 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Janos Follathd958bb72019-07-03 15:02:16 +01008691 unsigned char input1[] = "Input 1";
Gilles Peskine449bd832023-01-11 14:50:10 +01008692 size_t input1_length = sizeof(input1);
Janos Follathd958bb72019-07-03 15:02:16 +01008693 unsigned char input2[] = "Input 2";
Gilles Peskine449bd832023-01-11 14:50:10 +01008694 size_t input2_length = sizeof(input2);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008695 uint8_t buffer[42];
Gilles Peskine449bd832023-01-11 14:50:10 +01008696 size_t capacity = sizeof(buffer);
Nir Sonnenscheindd69d8b2018-11-01 12:24:23 +02008697 const uint8_t key_data[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
8698 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
Gilles Peskine449bd832023-01-11 14:50:10 +01008699 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02008700 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Nir Sonnenscheine5204c92018-10-22 17:24:55 +03008701
Gilles Peskine449bd832023-01-11 14:50:10 +01008702 PSA_ASSERT(psa_crypto_init());
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008703
Gilles Peskine449bd832023-01-11 14:50:10 +01008704 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
8705 psa_set_key_algorithm(&attributes, alg);
8706 psa_set_key_type(&attributes, key_type);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008707
Gilles Peskine449bd832023-01-11 14:50:10 +01008708 PSA_ASSERT(psa_import_key(&attributes,
8709 key_data, sizeof(key_data),
8710 &key));
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008711
8712 /* valid key derivation */
Gilles Peskine449bd832023-01-11 14:50:10 +01008713 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, key, alg,
8714 input1, input1_length,
8715 input2, input2_length,
8716 capacity)) {
Janos Follathd958bb72019-07-03 15:02:16 +01008717 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01008718 }
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008719
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008720 /* state of operation shouldn't allow additional generation */
Gilles Peskine449bd832023-01-11 14:50:10 +01008721 TEST_EQUAL(psa_key_derivation_setup(&operation, alg),
8722 PSA_ERROR_BAD_STATE);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008723
Gilles Peskine449bd832023-01-11 14:50:10 +01008724 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, buffer, capacity));
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008725
Gilles Peskine449bd832023-01-11 14:50:10 +01008726 TEST_EQUAL(psa_key_derivation_output_bytes(&operation, buffer, capacity),
8727 PSA_ERROR_INSUFFICIENT_DATA);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008728
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008729exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008730 psa_key_derivation_abort(&operation);
8731 psa_destroy_key(key);
8732 PSA_DONE();
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008733}
8734/* END_CASE */
8735
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008736/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008737void derive_actions_without_setup()
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008738{
8739 uint8_t output_buffer[16];
8740 size_t buffer_size = 16;
8741 size_t capacity = 0;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008742 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008743
Gilles Peskine449bd832023-01-11 14:50:10 +01008744 TEST_ASSERT(psa_key_derivation_output_bytes(&operation,
8745 output_buffer, buffer_size)
8746 == PSA_ERROR_BAD_STATE);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008747
Gilles Peskine449bd832023-01-11 14:50:10 +01008748 TEST_ASSERT(psa_key_derivation_get_capacity(&operation, &capacity)
8749 == PSA_ERROR_BAD_STATE);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008750
Gilles Peskine449bd832023-01-11 14:50:10 +01008751 PSA_ASSERT(psa_key_derivation_abort(&operation));
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008752
Gilles Peskine449bd832023-01-11 14:50:10 +01008753 TEST_ASSERT(psa_key_derivation_output_bytes(&operation,
8754 output_buffer, buffer_size)
8755 == PSA_ERROR_BAD_STATE);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008756
Gilles Peskine449bd832023-01-11 14:50:10 +01008757 TEST_ASSERT(psa_key_derivation_get_capacity(&operation, &capacity)
8758 == PSA_ERROR_BAD_STATE);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008759
8760exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008761 psa_key_derivation_abort(&operation);
Nir Sonnenscheine5204c92018-10-22 17:24:55 +03008762}
8763/* END_CASE */
8764
8765/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008766void derive_output(int alg_arg,
8767 int step1_arg, data_t *input1, int expected_status_arg1,
8768 int step2_arg, data_t *input2, int expected_status_arg2,
8769 int step3_arg, data_t *input3, int expected_status_arg3,
8770 int step4_arg, data_t *input4, int expected_status_arg4,
8771 data_t *key_agreement_peer_key,
8772 int requested_capacity_arg,
8773 data_t *expected_output1,
8774 data_t *expected_output2,
8775 int other_key_input_type,
8776 int key_input_type,
8777 int derive_type)
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008778{
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008779 psa_algorithm_t alg = alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01008780 psa_key_derivation_step_t steps[] = { step1_arg, step2_arg, step3_arg, step4_arg };
8781 data_t *inputs[] = { input1, input2, input3, input4 };
8782 mbedtls_svc_key_id_t keys[] = { MBEDTLS_SVC_KEY_ID_INIT,
8783 MBEDTLS_SVC_KEY_ID_INIT,
8784 MBEDTLS_SVC_KEY_ID_INIT,
8785 MBEDTLS_SVC_KEY_ID_INIT };
8786 psa_status_t statuses[] = { expected_status_arg1, expected_status_arg2,
8787 expected_status_arg3, expected_status_arg4 };
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008788 size_t requested_capacity = requested_capacity_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008789 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008790 uint8_t *expected_outputs[2] =
Gilles Peskine449bd832023-01-11 14:50:10 +01008791 { expected_output1->x, expected_output2->x };
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008792 size_t output_sizes[2] =
Gilles Peskine449bd832023-01-11 14:50:10 +01008793 { expected_output1->len, expected_output2->len };
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008794 size_t output_buffer_size = 0;
8795 uint8_t *output_buffer = NULL;
8796 size_t expected_capacity;
8797 size_t current_capacity;
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008798 psa_key_attributes_t attributes1 = PSA_KEY_ATTRIBUTES_INIT;
8799 psa_key_attributes_t attributes2 = PSA_KEY_ATTRIBUTES_INIT;
8800 psa_key_attributes_t attributes3 = PSA_KEY_ATTRIBUTES_INIT;
8801 psa_key_attributes_t attributes4 = PSA_KEY_ATTRIBUTES_INIT;
Przemek Stekiel4daaa2b2022-04-20 10:06:38 +02008802 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008803 psa_status_t status;
Gilles Peskine1468da72019-05-29 17:35:49 +02008804 size_t i;
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008805
Gilles Peskine449bd832023-01-11 14:50:10 +01008806 for (i = 0; i < ARRAY_LENGTH(expected_outputs); i++) {
8807 if (output_sizes[i] > output_buffer_size) {
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008808 output_buffer_size = output_sizes[i];
Gilles Peskine449bd832023-01-11 14:50:10 +01008809 }
8810 if (output_sizes[i] == 0) {
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008811 expected_outputs[i] = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +01008812 }
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008813 }
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008814 TEST_CALLOC(output_buffer, output_buffer_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01008815 PSA_ASSERT(psa_crypto_init());
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008816
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008817 /* Extraction phase. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008818 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
8819 PSA_ASSERT(psa_key_derivation_set_capacity(&operation,
8820 requested_capacity));
8821 for (i = 0; i < ARRAY_LENGTH(steps); i++) {
8822 switch (steps[i]) {
Gilles Peskine1468da72019-05-29 17:35:49 +02008823 case 0:
8824 break;
Kusumit Ghoderao81797fc2023-06-05 15:05:09 +05308825 case PSA_KEY_DERIVATION_INPUT_COST:
8826 TEST_EQUAL(psa_key_derivation_input_integer(
Kusumit Ghoderaof28e0f52023-06-06 15:03:22 +05308827 &operation, steps[i],
Kusumit Ghoderao7c61ffc2023-09-05 19:29:47 +05308828 mbedtls_test_parse_binary_string(inputs[i])),
Kusumit Ghoderaof28e0f52023-06-06 15:03:22 +05308829 statuses[i]);
Kusumit Ghoderao81797fc2023-06-05 15:05:09 +05308830 if (statuses[i] != PSA_SUCCESS) {
8831 goto exit;
8832 }
8833 break;
8834 case PSA_KEY_DERIVATION_INPUT_PASSWORD:
Gilles Peskine1468da72019-05-29 17:35:49 +02008835 case PSA_KEY_DERIVATION_INPUT_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +01008836 switch (key_input_type) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008837 case 0: // input bytes
Gilles Peskine449bd832023-01-11 14:50:10 +01008838 TEST_EQUAL(psa_key_derivation_input_bytes(
8839 &operation, steps[i],
8840 inputs[i]->x, inputs[i]->len),
8841 statuses[i]);
Przemek Stekielfcdd0232022-05-19 10:28:58 +02008842
Gilles Peskine449bd832023-01-11 14:50:10 +01008843 if (statuses[i] != PSA_SUCCESS) {
Przemek Stekielfcdd0232022-05-19 10:28:58 +02008844 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01008845 }
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008846 break;
8847 case 1: // input key
Gilles Peskine449bd832023-01-11 14:50:10 +01008848 psa_set_key_usage_flags(&attributes1, PSA_KEY_USAGE_DERIVE);
8849 psa_set_key_algorithm(&attributes1, alg);
8850 psa_set_key_type(&attributes1, PSA_KEY_TYPE_DERIVE);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008851
Gilles Peskine449bd832023-01-11 14:50:10 +01008852 PSA_ASSERT(psa_import_key(&attributes1,
8853 inputs[i]->x, inputs[i]->len,
8854 &keys[i]));
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008855
Gilles Peskine449bd832023-01-11 14:50:10 +01008856 if (PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) {
8857 PSA_ASSERT(psa_get_key_attributes(keys[i], &attributes1));
8858 TEST_LE_U(PSA_BITS_TO_BYTES(psa_get_key_bits(&attributes1)),
8859 PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008860 }
8861
Kusumit Ghoderao81797fc2023-06-05 15:05:09 +05308862 TEST_EQUAL(psa_key_derivation_input_key(&operation,
Gilles Peskine449bd832023-01-11 14:50:10 +01008863 steps[i],
Kusumit Ghoderao81797fc2023-06-05 15:05:09 +05308864 keys[i]),
8865 statuses[i]);
8866
8867 if (statuses[i] != PSA_SUCCESS) {
8868 goto exit;
8869 }
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008870 break;
8871 default:
Agathiyan Bragadeeshdc28a5a2023-07-18 11:45:28 +01008872 TEST_FAIL("default case not supported");
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008873 break;
8874 }
8875 break;
8876 case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +01008877 switch (other_key_input_type) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008878 case 0: // input bytes
Gilles Peskine449bd832023-01-11 14:50:10 +01008879 TEST_EQUAL(psa_key_derivation_input_bytes(&operation,
8880 steps[i],
8881 inputs[i]->x,
8882 inputs[i]->len),
8883 statuses[i]);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008884 break;
Przemek Stekiele6654662022-04-20 09:14:51 +02008885 case 1: // input key, type DERIVE
8886 case 11: // input key, type RAW
Gilles Peskine449bd832023-01-11 14:50:10 +01008887 psa_set_key_usage_flags(&attributes2, PSA_KEY_USAGE_DERIVE);
8888 psa_set_key_algorithm(&attributes2, alg);
8889 psa_set_key_type(&attributes2, PSA_KEY_TYPE_DERIVE);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008890
8891 // other secret of type RAW_DATA passed with input_key
Gilles Peskine449bd832023-01-11 14:50:10 +01008892 if (other_key_input_type == 11) {
8893 psa_set_key_type(&attributes2, PSA_KEY_TYPE_RAW_DATA);
8894 }
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008895
Gilles Peskine449bd832023-01-11 14:50:10 +01008896 PSA_ASSERT(psa_import_key(&attributes2,
8897 inputs[i]->x, inputs[i]->len,
8898 &keys[i]));
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008899
Gilles Peskine449bd832023-01-11 14:50:10 +01008900 TEST_EQUAL(psa_key_derivation_input_key(&operation,
8901 steps[i],
8902 keys[i]),
8903 statuses[i]);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008904 break;
8905 case 2: // key agreement
Gilles Peskine449bd832023-01-11 14:50:10 +01008906 psa_set_key_usage_flags(&attributes3, PSA_KEY_USAGE_DERIVE);
8907 psa_set_key_algorithm(&attributes3, alg);
8908 psa_set_key_type(&attributes3,
8909 PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008910
Gilles Peskine449bd832023-01-11 14:50:10 +01008911 PSA_ASSERT(psa_import_key(&attributes3,
8912 inputs[i]->x, inputs[i]->len,
8913 &keys[i]));
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008914
Gilles Peskine449bd832023-01-11 14:50:10 +01008915 TEST_EQUAL(psa_key_derivation_key_agreement(
8916 &operation,
8917 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET,
8918 keys[i], key_agreement_peer_key->x,
8919 key_agreement_peer_key->len), statuses[i]);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008920 break;
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008921 default:
Agathiyan Bragadeeshdc28a5a2023-07-18 11:45:28 +01008922 TEST_FAIL("default case not supported");
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008923 break;
gabor-mezei-armceface22021-01-21 12:26:17 +01008924 }
8925
Gilles Peskine449bd832023-01-11 14:50:10 +01008926 if (statuses[i] != PSA_SUCCESS) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008927 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01008928 }
Gilles Peskine1468da72019-05-29 17:35:49 +02008929 break;
8930 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01008931 TEST_EQUAL(psa_key_derivation_input_bytes(
8932 &operation, steps[i],
8933 inputs[i]->x, inputs[i]->len), statuses[i]);
Przemek Stekielead1bb92022-05-11 12:22:57 +02008934
Gilles Peskine449bd832023-01-11 14:50:10 +01008935 if (statuses[i] != PSA_SUCCESS) {
Przemek Stekielead1bb92022-05-11 12:22:57 +02008936 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01008937 }
Gilles Peskine1468da72019-05-29 17:35:49 +02008938 break;
8939 }
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01008940 }
Gilles Peskine1468da72019-05-29 17:35:49 +02008941
Gilles Peskine449bd832023-01-11 14:50:10 +01008942 PSA_ASSERT(psa_key_derivation_get_capacity(&operation,
8943 &current_capacity));
8944 TEST_EQUAL(current_capacity, requested_capacity);
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008945 expected_capacity = requested_capacity;
8946
Gilles Peskine449bd832023-01-11 14:50:10 +01008947 if (derive_type == 1) { // output key
Przemek Stekiel4daaa2b2022-04-20 10:06:38 +02008948 psa_status_t expected_status = PSA_ERROR_NOT_PERMITTED;
8949
8950 /* For output key derivation secret must be provided using
8951 input key, otherwise operation is not permitted. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008952 if (key_input_type == 1) {
Przemek Stekiel4daaa2b2022-04-20 10:06:38 +02008953 expected_status = PSA_SUCCESS;
Gilles Peskine449bd832023-01-11 14:50:10 +01008954 }
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008955
Gilles Peskine449bd832023-01-11 14:50:10 +01008956 psa_set_key_usage_flags(&attributes4, PSA_KEY_USAGE_EXPORT);
8957 psa_set_key_algorithm(&attributes4, alg);
8958 psa_set_key_type(&attributes4, PSA_KEY_TYPE_DERIVE);
8959 psa_set_key_bits(&attributes4, PSA_BYTES_TO_BITS(requested_capacity));
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008960
Gilles Peskine449bd832023-01-11 14:50:10 +01008961 TEST_EQUAL(psa_key_derivation_output_key(&attributes4, &operation,
8962 &derived_key), expected_status);
8963 } else { // output bytes
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008964 /* Expansion phase. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008965 for (i = 0; i < ARRAY_LENGTH(expected_outputs); i++) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008966 /* Read some bytes. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008967 status = psa_key_derivation_output_bytes(&operation,
8968 output_buffer, output_sizes[i]);
8969 if (expected_capacity == 0 && output_sizes[i] == 0) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008970 /* Reading 0 bytes when 0 bytes are available can go either way. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008971 TEST_ASSERT(status == PSA_SUCCESS ||
8972 status == PSA_ERROR_INSUFFICIENT_DATA);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008973 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +01008974 } else if (expected_capacity == 0 ||
8975 output_sizes[i] > expected_capacity) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008976 /* Capacity exceeded. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008977 TEST_EQUAL(status, PSA_ERROR_INSUFFICIENT_DATA);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008978 expected_capacity = 0;
8979 continue;
8980 }
8981 /* Success. Check the read data. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008982 PSA_ASSERT(status);
8983 if (output_sizes[i] != 0) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01008984 TEST_MEMORY_COMPARE(output_buffer, output_sizes[i],
Tom Cosgrove0540fe72023-07-27 14:17:27 +01008985 expected_outputs[i], output_sizes[i]);
Gilles Peskine449bd832023-01-11 14:50:10 +01008986 }
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02008987 /* Check the operation status. */
8988 expected_capacity -= output_sizes[i];
Gilles Peskine449bd832023-01-11 14:50:10 +01008989 PSA_ASSERT(psa_key_derivation_get_capacity(&operation,
8990 &current_capacity));
8991 TEST_EQUAL(expected_capacity, current_capacity);
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008992 }
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008993 }
Gilles Peskine449bd832023-01-11 14:50:10 +01008994 PSA_ASSERT(psa_key_derivation_abort(&operation));
Gilles Peskine96ee5c72018-07-12 17:24:54 +02008995
8996exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008997 mbedtls_free(output_buffer);
8998 psa_key_derivation_abort(&operation);
8999 for (i = 0; i < ARRAY_LENGTH(keys); i++) {
9000 psa_destroy_key(keys[i]);
9001 }
9002 psa_destroy_key(derived_key);
9003 PSA_DONE();
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009004}
9005/* END_CASE */
9006
9007/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009008void derive_full(int alg_arg,
9009 data_t *key_data,
9010 data_t *input1,
9011 data_t *input2,
9012 int requested_capacity_arg)
Gilles Peskined54931c2018-07-17 21:06:59 +02009013{
Ronald Cron5425a212020-08-04 14:58:35 +02009014 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskined54931c2018-07-17 21:06:59 +02009015 psa_algorithm_t alg = alg_arg;
9016 size_t requested_capacity = requested_capacity_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009017 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Kusumit Ghoderao9ffd3972023-12-01 16:40:13 +05309018 unsigned char output_buffer[32];
Gilles Peskined54931c2018-07-17 21:06:59 +02009019 size_t expected_capacity = requested_capacity;
9020 size_t current_capacity;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009021 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskined54931c2018-07-17 21:06:59 +02009022
Gilles Peskine449bd832023-01-11 14:50:10 +01009023 PSA_ASSERT(psa_crypto_init());
Gilles Peskined54931c2018-07-17 21:06:59 +02009024
Gilles Peskine449bd832023-01-11 14:50:10 +01009025 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9026 psa_set_key_algorithm(&attributes, alg);
9027 psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
Gilles Peskined54931c2018-07-17 21:06:59 +02009028
Gilles Peskine449bd832023-01-11 14:50:10 +01009029 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
9030 &key));
Gilles Peskined54931c2018-07-17 21:06:59 +02009031
Gilles Peskine449bd832023-01-11 14:50:10 +01009032 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, key, alg,
9033 input1->x, input1->len,
9034 input2->x, input2->len,
9035 requested_capacity)) {
Janos Follathf2815ea2019-07-03 12:41:36 +01009036 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009037 }
Janos Follath47f27ed2019-06-25 13:24:52 +01009038
Gilles Peskine449bd832023-01-11 14:50:10 +01009039 PSA_ASSERT(psa_key_derivation_get_capacity(&operation,
9040 &current_capacity));
9041 TEST_EQUAL(current_capacity, expected_capacity);
Gilles Peskined54931c2018-07-17 21:06:59 +02009042
9043 /* Expansion phase. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009044 while (current_capacity > 0) {
9045 size_t read_size = sizeof(output_buffer);
9046 if (read_size > current_capacity) {
Gilles Peskined54931c2018-07-17 21:06:59 +02009047 read_size = current_capacity;
Gilles Peskine449bd832023-01-11 14:50:10 +01009048 }
9049 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
9050 output_buffer,
9051 read_size));
Gilles Peskined54931c2018-07-17 21:06:59 +02009052 expected_capacity -= read_size;
Gilles Peskine449bd832023-01-11 14:50:10 +01009053 PSA_ASSERT(psa_key_derivation_get_capacity(&operation,
9054 &current_capacity));
9055 TEST_EQUAL(current_capacity, expected_capacity);
Gilles Peskined54931c2018-07-17 21:06:59 +02009056 }
9057
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009058 /* Check that the operation refuses to go over capacity. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009059 TEST_EQUAL(psa_key_derivation_output_bytes(&operation, output_buffer, 1),
9060 PSA_ERROR_INSUFFICIENT_DATA);
Gilles Peskined54931c2018-07-17 21:06:59 +02009061
Gilles Peskine449bd832023-01-11 14:50:10 +01009062 PSA_ASSERT(psa_key_derivation_abort(&operation));
Gilles Peskined54931c2018-07-17 21:06:59 +02009063
9064exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009065 psa_key_derivation_abort(&operation);
9066 psa_destroy_key(key);
9067 PSA_DONE();
Gilles Peskined54931c2018-07-17 21:06:59 +02009068}
9069/* END_CASE */
9070
Stephan Koch78109f52023-04-12 14:19:36 +02009071/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS */
Gilles Peskine449bd832023-01-11 14:50:10 +01009072void derive_ecjpake_to_pms(data_t *input, int expected_input_status_arg,
9073 int derivation_step,
9074 int capacity, int expected_capacity_status_arg,
9075 data_t *expected_output,
9076 int expected_output_status_arg)
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009077{
9078 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
9079 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Andrzej Kurekd3785042022-09-16 06:45:44 -04009080 psa_key_derivation_step_t step = (psa_key_derivation_step_t) derivation_step;
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009081 uint8_t *output_buffer = NULL;
9082 psa_status_t status;
Andrzej Kurek3539f2c2022-09-26 10:56:02 -04009083 psa_status_t expected_input_status = (psa_status_t) expected_input_status_arg;
9084 psa_status_t expected_capacity_status = (psa_status_t) expected_capacity_status_arg;
9085 psa_status_t expected_output_status = (psa_status_t) expected_output_status_arg;
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009086
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009087 TEST_CALLOC(output_buffer, expected_output->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009088 PSA_ASSERT(psa_crypto_init());
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009089
Gilles Peskine449bd832023-01-11 14:50:10 +01009090 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
9091 TEST_EQUAL(psa_key_derivation_set_capacity(&operation, capacity),
9092 expected_capacity_status);
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009093
Gilles Peskine449bd832023-01-11 14:50:10 +01009094 TEST_EQUAL(psa_key_derivation_input_bytes(&operation,
9095 step, input->x, input->len),
9096 expected_input_status);
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009097
Gilles Peskine449bd832023-01-11 14:50:10 +01009098 if (((psa_status_t) expected_input_status) != PSA_SUCCESS) {
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009099 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009100 }
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009101
Gilles Peskine449bd832023-01-11 14:50:10 +01009102 status = psa_key_derivation_output_bytes(&operation, output_buffer,
9103 expected_output->len);
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009104
Gilles Peskine449bd832023-01-11 14:50:10 +01009105 TEST_EQUAL(status, expected_output_status);
9106 if (expected_output->len != 0 && expected_output_status == PSA_SUCCESS) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009107 TEST_MEMORY_COMPARE(output_buffer, expected_output->len, expected_output->x,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009108 expected_output->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009109 }
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009110
9111exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009112 mbedtls_free(output_buffer);
9113 psa_key_derivation_abort(&operation);
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009114 PSA_DONE();
9115}
9116/* END_CASE */
9117
Janos Follathe60c9052019-07-03 13:51:30 +01009118/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009119void derive_key_exercise(int alg_arg,
9120 data_t *key_data,
9121 data_t *input1,
9122 data_t *input2,
9123 int derived_type_arg,
9124 int derived_bits_arg,
9125 int derived_usage_arg,
9126 int derived_alg_arg)
Gilles Peskine0386fba2018-07-12 17:29:22 +02009127{
Ronald Cron5425a212020-08-04 14:58:35 +02009128 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9129 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine0386fba2018-07-12 17:29:22 +02009130 psa_algorithm_t alg = alg_arg;
9131 psa_key_type_t derived_type = derived_type_arg;
9132 size_t derived_bits = derived_bits_arg;
9133 psa_key_usage_t derived_usage = derived_usage_arg;
9134 psa_algorithm_t derived_alg = derived_alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01009135 size_t capacity = PSA_BITS_TO_BYTES(derived_bits);
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009136 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009137 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02009138 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine0386fba2018-07-12 17:29:22 +02009139
Gilles Peskine449bd832023-01-11 14:50:10 +01009140 PSA_ASSERT(psa_crypto_init());
Gilles Peskine0386fba2018-07-12 17:29:22 +02009141
Gilles Peskine449bd832023-01-11 14:50:10 +01009142 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9143 psa_set_key_algorithm(&attributes, alg);
9144 psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
9145 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
9146 &base_key));
Gilles Peskine0386fba2018-07-12 17:29:22 +02009147
9148 /* Derive a key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009149 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
9150 input1->x, input1->len,
9151 input2->x, input2->len,
9152 capacity)) {
Janos Follathe60c9052019-07-03 13:51:30 +01009153 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009154 }
Janos Follathe60c9052019-07-03 13:51:30 +01009155
Gilles Peskine449bd832023-01-11 14:50:10 +01009156 psa_set_key_usage_flags(&attributes, derived_usage);
9157 psa_set_key_algorithm(&attributes, derived_alg);
9158 psa_set_key_type(&attributes, derived_type);
9159 psa_set_key_bits(&attributes, derived_bits);
9160 PSA_ASSERT(psa_key_derivation_output_key(&attributes, &operation,
9161 &derived_key));
Gilles Peskine0386fba2018-07-12 17:29:22 +02009162
9163 /* Test the key information */
Gilles Peskine449bd832023-01-11 14:50:10 +01009164 PSA_ASSERT(psa_get_key_attributes(derived_key, &got_attributes));
9165 TEST_EQUAL(psa_get_key_type(&got_attributes), derived_type);
9166 TEST_EQUAL(psa_get_key_bits(&got_attributes), derived_bits);
Gilles Peskine0386fba2018-07-12 17:29:22 +02009167
9168 /* Exercise the derived key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009169 if (!mbedtls_test_psa_exercise_key(derived_key, derived_usage, derived_alg)) {
Gilles Peskine0386fba2018-07-12 17:29:22 +02009170 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009171 }
Gilles Peskine0386fba2018-07-12 17:29:22 +02009172
9173exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01009174 /*
9175 * Key attributes may have been returned by psa_get_key_attributes()
9176 * thus reset them as required.
9177 */
Gilles Peskine449bd832023-01-11 14:50:10 +01009178 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01009179
Gilles Peskine449bd832023-01-11 14:50:10 +01009180 psa_key_derivation_abort(&operation);
9181 psa_destroy_key(base_key);
9182 psa_destroy_key(derived_key);
9183 PSA_DONE();
Gilles Peskine0386fba2018-07-12 17:29:22 +02009184}
9185/* END_CASE */
9186
Janos Follath42fd8882019-07-03 14:17:09 +01009187/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009188void derive_key_export(int alg_arg,
9189 data_t *key_data,
9190 data_t *input1,
9191 data_t *input2,
9192 int bytes1_arg,
9193 int bytes2_arg)
Gilles Peskine0386fba2018-07-12 17:29:22 +02009194{
Ronald Cron5425a212020-08-04 14:58:35 +02009195 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9196 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine0386fba2018-07-12 17:29:22 +02009197 psa_algorithm_t alg = alg_arg;
9198 size_t bytes1 = bytes1_arg;
9199 size_t bytes2 = bytes2_arg;
9200 size_t capacity = bytes1 + bytes2;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009201 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskine8cebbba2018-09-27 13:54:18 +02009202 uint8_t *output_buffer = NULL;
9203 uint8_t *export_buffer = NULL;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009204 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
9205 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine0386fba2018-07-12 17:29:22 +02009206 size_t length;
9207
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009208 TEST_CALLOC(output_buffer, capacity);
9209 TEST_CALLOC(export_buffer, capacity);
Gilles Peskine449bd832023-01-11 14:50:10 +01009210 PSA_ASSERT(psa_crypto_init());
Gilles Peskine0386fba2018-07-12 17:29:22 +02009211
Gilles Peskine449bd832023-01-11 14:50:10 +01009212 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
9213 psa_set_key_algorithm(&base_attributes, alg);
9214 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
9215 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
9216 &base_key));
Gilles Peskine0386fba2018-07-12 17:29:22 +02009217
9218 /* Derive some material and output it. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009219 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
9220 input1->x, input1->len,
9221 input2->x, input2->len,
9222 capacity)) {
Janos Follath42fd8882019-07-03 14:17:09 +01009223 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009224 }
Janos Follath42fd8882019-07-03 14:17:09 +01009225
Gilles Peskine449bd832023-01-11 14:50:10 +01009226 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
9227 output_buffer,
9228 capacity));
9229 PSA_ASSERT(psa_key_derivation_abort(&operation));
Gilles Peskine0386fba2018-07-12 17:29:22 +02009230
9231 /* Derive the same output again, but this time store it in key objects. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009232 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
9233 input1->x, input1->len,
9234 input2->x, input2->len,
9235 capacity)) {
Janos Follath42fd8882019-07-03 14:17:09 +01009236 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009237 }
Janos Follath42fd8882019-07-03 14:17:09 +01009238
Gilles Peskine449bd832023-01-11 14:50:10 +01009239 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
9240 psa_set_key_algorithm(&derived_attributes, 0);
9241 psa_set_key_type(&derived_attributes, PSA_KEY_TYPE_RAW_DATA);
9242 psa_set_key_bits(&derived_attributes, PSA_BYTES_TO_BITS(bytes1));
9243 PSA_ASSERT(psa_key_derivation_output_key(&derived_attributes, &operation,
9244 &derived_key));
9245 PSA_ASSERT(psa_export_key(derived_key,
9246 export_buffer, bytes1,
9247 &length));
9248 TEST_EQUAL(length, bytes1);
9249 PSA_ASSERT(psa_destroy_key(derived_key));
9250 psa_set_key_bits(&derived_attributes, PSA_BYTES_TO_BITS(bytes2));
9251 PSA_ASSERT(psa_key_derivation_output_key(&derived_attributes, &operation,
9252 &derived_key));
9253 PSA_ASSERT(psa_export_key(derived_key,
9254 export_buffer + bytes1, bytes2,
9255 &length));
9256 TEST_EQUAL(length, bytes2);
Gilles Peskine0386fba2018-07-12 17:29:22 +02009257
9258 /* Compare the outputs from the two runs. */
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009259 TEST_MEMORY_COMPARE(output_buffer, bytes1 + bytes2,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009260 export_buffer, capacity);
Gilles Peskine0386fba2018-07-12 17:29:22 +02009261
9262exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009263 mbedtls_free(output_buffer);
9264 mbedtls_free(export_buffer);
9265 psa_key_derivation_abort(&operation);
9266 psa_destroy_key(base_key);
9267 psa_destroy_key(derived_key);
9268 PSA_DONE();
Gilles Peskine0386fba2018-07-12 17:29:22 +02009269}
9270/* END_CASE */
9271
9272/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009273void derive_key_type(int alg_arg,
9274 data_t *key_data,
9275 data_t *input1,
9276 data_t *input2,
9277 int key_type_arg, int bits_arg,
9278 data_t *expected_export)
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009279{
9280 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9281 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
9282 const psa_algorithm_t alg = alg_arg;
9283 const psa_key_type_t key_type = key_type_arg;
9284 const size_t bits = bits_arg;
9285 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
9286 const size_t export_buffer_size =
Gilles Peskine449bd832023-01-11 14:50:10 +01009287 PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits);
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009288 uint8_t *export_buffer = NULL;
9289 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
9290 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
9291 size_t export_length;
9292
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009293 TEST_CALLOC(export_buffer, export_buffer_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01009294 PSA_ASSERT(psa_crypto_init());
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009295
Gilles Peskine449bd832023-01-11 14:50:10 +01009296 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
9297 psa_set_key_algorithm(&base_attributes, alg);
9298 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
9299 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
9300 &base_key));
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009301
Gilles Peskine449bd832023-01-11 14:50:10 +01009302 if (mbedtls_test_psa_setup_key_derivation_wrap(
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009303 &operation, base_key, alg,
9304 input1->x, input1->len,
9305 input2->x, input2->len,
Gilles Peskine449bd832023-01-11 14:50:10 +01009306 PSA_KEY_DERIVATION_UNLIMITED_CAPACITY) == 0) {
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009307 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009308 }
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009309
Gilles Peskine449bd832023-01-11 14:50:10 +01009310 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
9311 psa_set_key_algorithm(&derived_attributes, 0);
9312 psa_set_key_type(&derived_attributes, key_type);
9313 psa_set_key_bits(&derived_attributes, bits);
9314 PSA_ASSERT(psa_key_derivation_output_key(&derived_attributes, &operation,
9315 &derived_key));
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009316
Gilles Peskine449bd832023-01-11 14:50:10 +01009317 PSA_ASSERT(psa_export_key(derived_key,
9318 export_buffer, export_buffer_size,
9319 &export_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009320 TEST_MEMORY_COMPARE(export_buffer, export_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009321 expected_export->x, expected_export->len);
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009322
9323exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009324 mbedtls_free(export_buffer);
9325 psa_key_derivation_abort(&operation);
9326 psa_destroy_key(base_key);
9327 psa_destroy_key(derived_key);
9328 PSA_DONE();
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009329}
9330/* END_CASE */
9331
9332/* BEGIN_CASE */
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009333void derive_key_ext(int alg_arg,
9334 data_t *key_data,
9335 data_t *input1,
9336 data_t *input2,
9337 int key_type_arg, int bits_arg,
9338 int64_t flags_arg, /*negative for truncated method*/
9339 data_t *method_data,
9340 psa_status_t expected_status,
9341 data_t *expected_export)
9342{
9343 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9344 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
9345 const psa_algorithm_t alg = alg_arg;
9346 const psa_key_type_t key_type = key_type_arg;
9347 const size_t bits = bits_arg;
9348 psa_key_generation_method_t *method = NULL;
9349 size_t method_length = 0;
9350 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
9351 const size_t export_buffer_size =
9352 PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits);
9353 uint8_t *export_buffer = NULL;
9354 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
9355 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
9356 size_t export_length;
9357
9358 TEST_CALLOC(export_buffer, export_buffer_size);
9359 PSA_ASSERT(psa_crypto_init());
9360
9361 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
9362 psa_set_key_algorithm(&base_attributes, alg);
9363 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
9364 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
9365 &base_key));
9366
9367 if (mbedtls_test_psa_setup_key_derivation_wrap(
9368 &operation, base_key, alg,
9369 input1->x, input1->len,
9370 input2->x, input2->len,
9371 PSA_KEY_DERIVATION_UNLIMITED_CAPACITY) == 0) {
9372 goto exit;
9373 }
9374
9375 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
9376 psa_set_key_algorithm(&derived_attributes, 0);
9377 psa_set_key_type(&derived_attributes, key_type);
9378 psa_set_key_bits(&derived_attributes, bits);
9379 if (!setup_key_generation_method(&method, &method_length,
9380 flags_arg, method_data)) {
9381 goto exit;
9382 }
9383
9384 TEST_EQUAL(psa_key_derivation_output_key_ext(&derived_attributes, &operation,
9385 method, method_length,
9386 &derived_key),
9387 expected_status);
9388
9389 if (expected_status == PSA_SUCCESS) {
9390 PSA_ASSERT(psa_export_key(derived_key,
9391 export_buffer, export_buffer_size,
9392 &export_length));
9393 TEST_MEMORY_COMPARE(export_buffer, export_length,
9394 expected_export->x, expected_export->len);
9395 }
9396
9397exit:
9398 mbedtls_free(export_buffer);
9399 mbedtls_free(method);
9400 psa_key_derivation_abort(&operation);
9401 psa_destroy_key(base_key);
9402 psa_destroy_key(derived_key);
9403 PSA_DONE();
9404}
9405/* END_CASE */
9406
9407/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009408void derive_key(int alg_arg,
9409 data_t *key_data, data_t *input1, data_t *input2,
9410 int type_arg, int bits_arg,
9411 int expected_status_arg,
9412 int is_large_output)
Gilles Peskinec744d992019-07-30 17:26:54 +02009413{
Ronald Cron5425a212020-08-04 14:58:35 +02009414 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9415 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinec744d992019-07-30 17:26:54 +02009416 psa_algorithm_t alg = alg_arg;
Gilles Peskine7c227ae2019-07-31 15:14:44 +02009417 psa_key_type_t type = type_arg;
Gilles Peskinec744d992019-07-30 17:26:54 +02009418 size_t bits = bits_arg;
9419 psa_status_t expected_status = expected_status_arg;
9420 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
9421 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
9422 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
9423
Gilles Peskine449bd832023-01-11 14:50:10 +01009424 PSA_ASSERT(psa_crypto_init());
Gilles Peskinec744d992019-07-30 17:26:54 +02009425
Gilles Peskine449bd832023-01-11 14:50:10 +01009426 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
9427 psa_set_key_algorithm(&base_attributes, alg);
9428 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
9429 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
9430 &base_key));
Gilles Peskinec744d992019-07-30 17:26:54 +02009431
Gilles Peskine449bd832023-01-11 14:50:10 +01009432 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
9433 input1->x, input1->len,
9434 input2->x, input2->len,
9435 SIZE_MAX)) {
Gilles Peskinec744d992019-07-30 17:26:54 +02009436 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009437 }
Gilles Peskinec744d992019-07-30 17:26:54 +02009438
Gilles Peskine449bd832023-01-11 14:50:10 +01009439 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
9440 psa_set_key_algorithm(&derived_attributes, 0);
9441 psa_set_key_type(&derived_attributes, type);
9442 psa_set_key_bits(&derived_attributes, bits);
Steven Cooreman83fdb702021-01-21 14:24:39 +01009443
9444 psa_status_t status =
Gilles Peskine449bd832023-01-11 14:50:10 +01009445 psa_key_derivation_output_key(&derived_attributes,
9446 &operation,
9447 &derived_key);
9448 if (is_large_output > 0) {
9449 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY);
9450 }
9451 TEST_EQUAL(status, expected_status);
Gilles Peskinec744d992019-07-30 17:26:54 +02009452
9453exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009454 psa_key_derivation_abort(&operation);
9455 psa_destroy_key(base_key);
9456 psa_destroy_key(derived_key);
9457 PSA_DONE();
Gilles Peskinec744d992019-07-30 17:26:54 +02009458}
9459/* END_CASE */
9460
9461/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009462void key_agreement_setup(int alg_arg,
9463 int our_key_type_arg, int our_key_alg_arg,
9464 data_t *our_key_data, data_t *peer_key_data,
9465 int expected_status_arg)
Gilles Peskine01d718c2018-09-18 12:01:02 +02009466{
Ronald Cron5425a212020-08-04 14:58:35 +02009467 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine01d718c2018-09-18 12:01:02 +02009468 psa_algorithm_t alg = alg_arg;
Steven Cooremanfa5e6312020-10-15 17:07:12 +02009469 psa_algorithm_t our_key_alg = our_key_alg_arg;
Gilles Peskine01d718c2018-09-18 12:01:02 +02009470 psa_key_type_t our_key_type = our_key_type_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009471 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009472 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine77f40d82019-04-11 21:27:06 +02009473 psa_status_t expected_status = expected_status_arg;
9474 psa_status_t status;
Gilles Peskine01d718c2018-09-18 12:01:02 +02009475
Gilles Peskine449bd832023-01-11 14:50:10 +01009476 PSA_ASSERT(psa_crypto_init());
Gilles Peskine01d718c2018-09-18 12:01:02 +02009477
Gilles Peskine449bd832023-01-11 14:50:10 +01009478 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9479 psa_set_key_algorithm(&attributes, our_key_alg);
9480 psa_set_key_type(&attributes, our_key_type);
9481 PSA_ASSERT(psa_import_key(&attributes,
9482 our_key_data->x, our_key_data->len,
9483 &our_key));
Gilles Peskine01d718c2018-09-18 12:01:02 +02009484
Gilles Peskine77f40d82019-04-11 21:27:06 +02009485 /* The tests currently include inputs that should fail at either step.
9486 * Test cases that fail at the setup step should be changed to call
9487 * key_derivation_setup instead, and this function should be renamed
9488 * to key_agreement_fail. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009489 status = psa_key_derivation_setup(&operation, alg);
9490 if (status == PSA_SUCCESS) {
9491 TEST_EQUAL(psa_key_derivation_key_agreement(
9492 &operation, PSA_KEY_DERIVATION_INPUT_SECRET,
9493 our_key,
9494 peer_key_data->x, peer_key_data->len),
9495 expected_status);
9496 } else {
9497 TEST_ASSERT(status == expected_status);
Gilles Peskine77f40d82019-04-11 21:27:06 +02009498 }
Gilles Peskine01d718c2018-09-18 12:01:02 +02009499
9500exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009501 psa_key_derivation_abort(&operation);
9502 psa_destroy_key(our_key);
9503 PSA_DONE();
Gilles Peskine01d718c2018-09-18 12:01:02 +02009504}
9505/* END_CASE */
9506
9507/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009508void raw_key_agreement(int alg_arg,
9509 int our_key_type_arg, data_t *our_key_data,
9510 data_t *peer_key_data,
9511 data_t *expected_output)
Gilles Peskinef0cba732019-04-11 22:12:38 +02009512{
Ronald Cron5425a212020-08-04 14:58:35 +02009513 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinef0cba732019-04-11 22:12:38 +02009514 psa_algorithm_t alg = alg_arg;
9515 psa_key_type_t our_key_type = our_key_type_arg;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009516 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinef0cba732019-04-11 22:12:38 +02009517 unsigned char *output = NULL;
9518 size_t output_length = ~0;
gabor-mezei-armceface22021-01-21 12:26:17 +01009519 size_t key_bits;
Gilles Peskinef0cba732019-04-11 22:12:38 +02009520
Gilles Peskine449bd832023-01-11 14:50:10 +01009521 PSA_ASSERT(psa_crypto_init());
Gilles Peskinef0cba732019-04-11 22:12:38 +02009522
Gilles Peskine449bd832023-01-11 14:50:10 +01009523 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9524 psa_set_key_algorithm(&attributes, alg);
9525 psa_set_key_type(&attributes, our_key_type);
9526 PSA_ASSERT(psa_import_key(&attributes,
9527 our_key_data->x, our_key_data->len,
9528 &our_key));
Gilles Peskinef0cba732019-04-11 22:12:38 +02009529
Gilles Peskine449bd832023-01-11 14:50:10 +01009530 PSA_ASSERT(psa_get_key_attributes(our_key, &attributes));
9531 key_bits = psa_get_key_bits(&attributes);
gabor-mezei-armceface22021-01-21 12:26:17 +01009532
Gilles Peskine992bee82022-04-13 23:25:52 +02009533 /* Validate size macros */
Gilles Peskine449bd832023-01-11 14:50:10 +01009534 TEST_LE_U(expected_output->len,
9535 PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(our_key_type, key_bits));
9536 TEST_LE_U(PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(our_key_type, key_bits),
9537 PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE);
Gilles Peskine992bee82022-04-13 23:25:52 +02009538
9539 /* Good case with exact output size */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009540 TEST_CALLOC(output, expected_output->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009541 PSA_ASSERT(psa_raw_key_agreement(alg, our_key,
9542 peer_key_data->x, peer_key_data->len,
9543 output, expected_output->len,
9544 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009545 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009546 expected_output->x, expected_output->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009547 mbedtls_free(output);
Gilles Peskine992bee82022-04-13 23:25:52 +02009548 output = NULL;
9549 output_length = ~0;
9550
9551 /* Larger buffer */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009552 TEST_CALLOC(output, expected_output->len + 1);
Gilles Peskine449bd832023-01-11 14:50:10 +01009553 PSA_ASSERT(psa_raw_key_agreement(alg, our_key,
9554 peer_key_data->x, peer_key_data->len,
9555 output, expected_output->len + 1,
9556 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009557 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009558 expected_output->x, expected_output->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009559 mbedtls_free(output);
Gilles Peskine992bee82022-04-13 23:25:52 +02009560 output = NULL;
9561 output_length = ~0;
9562
9563 /* Buffer too small */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009564 TEST_CALLOC(output, expected_output->len - 1);
Gilles Peskine449bd832023-01-11 14:50:10 +01009565 TEST_EQUAL(psa_raw_key_agreement(alg, our_key,
9566 peer_key_data->x, peer_key_data->len,
9567 output, expected_output->len - 1,
9568 &output_length),
9569 PSA_ERROR_BUFFER_TOO_SMALL);
Gilles Peskine992bee82022-04-13 23:25:52 +02009570 /* Not required by the spec, but good robustness */
Gilles Peskine449bd832023-01-11 14:50:10 +01009571 TEST_LE_U(output_length, expected_output->len - 1);
9572 mbedtls_free(output);
Gilles Peskine992bee82022-04-13 23:25:52 +02009573 output = NULL;
Gilles Peskinef0cba732019-04-11 22:12:38 +02009574
9575exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009576 mbedtls_free(output);
9577 psa_destroy_key(our_key);
9578 PSA_DONE();
Gilles Peskinef0cba732019-04-11 22:12:38 +02009579}
9580/* END_CASE */
9581
9582/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009583void key_agreement_capacity(int alg_arg,
9584 int our_key_type_arg, data_t *our_key_data,
9585 data_t *peer_key_data,
9586 int expected_capacity_arg)
Gilles Peskine59685592018-09-18 12:11:34 +02009587{
Ronald Cron5425a212020-08-04 14:58:35 +02009588 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine59685592018-09-18 12:11:34 +02009589 psa_algorithm_t alg = alg_arg;
9590 psa_key_type_t our_key_type = our_key_type_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009591 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009592 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine59685592018-09-18 12:11:34 +02009593 size_t actual_capacity;
Gilles Peskinebf491972018-10-25 22:36:12 +02009594 unsigned char output[16];
Gilles Peskine59685592018-09-18 12:11:34 +02009595
Gilles Peskine449bd832023-01-11 14:50:10 +01009596 PSA_ASSERT(psa_crypto_init());
Gilles Peskine59685592018-09-18 12:11:34 +02009597
Gilles Peskine449bd832023-01-11 14:50:10 +01009598 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9599 psa_set_key_algorithm(&attributes, alg);
9600 psa_set_key_type(&attributes, our_key_type);
9601 PSA_ASSERT(psa_import_key(&attributes,
9602 our_key_data->x, our_key_data->len,
9603 &our_key));
Gilles Peskine59685592018-09-18 12:11:34 +02009604
Gilles Peskine449bd832023-01-11 14:50:10 +01009605 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
9606 PSA_ASSERT(psa_key_derivation_key_agreement(
9607 &operation,
9608 PSA_KEY_DERIVATION_INPUT_SECRET, our_key,
9609 peer_key_data->x, peer_key_data->len));
9610 if (PSA_ALG_IS_HKDF(PSA_ALG_KEY_AGREEMENT_GET_KDF(alg))) {
Gilles Peskinef8a9d942019-04-11 22:13:20 +02009611 /* The test data is for info="" */
Gilles Peskine449bd832023-01-11 14:50:10 +01009612 PSA_ASSERT(psa_key_derivation_input_bytes(&operation,
9613 PSA_KEY_DERIVATION_INPUT_INFO,
9614 NULL, 0));
Gilles Peskinef8a9d942019-04-11 22:13:20 +02009615 }
Gilles Peskine59685592018-09-18 12:11:34 +02009616
Shaun Case8b0ecbc2021-12-20 21:14:10 -08009617 /* Test the advertised capacity. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009618 PSA_ASSERT(psa_key_derivation_get_capacity(
9619 &operation, &actual_capacity));
9620 TEST_EQUAL(actual_capacity, (size_t) expected_capacity_arg);
Gilles Peskine59685592018-09-18 12:11:34 +02009621
Gilles Peskinebf491972018-10-25 22:36:12 +02009622 /* Test the actual capacity by reading the output. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009623 while (actual_capacity > sizeof(output)) {
9624 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
9625 output, sizeof(output)));
9626 actual_capacity -= sizeof(output);
Gilles Peskinebf491972018-10-25 22:36:12 +02009627 }
Gilles Peskine449bd832023-01-11 14:50:10 +01009628 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
9629 output, actual_capacity));
9630 TEST_EQUAL(psa_key_derivation_output_bytes(&operation, output, 1),
9631 PSA_ERROR_INSUFFICIENT_DATA);
Gilles Peskinebf491972018-10-25 22:36:12 +02009632
Gilles Peskine59685592018-09-18 12:11:34 +02009633exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009634 psa_key_derivation_abort(&operation);
9635 psa_destroy_key(our_key);
9636 PSA_DONE();
Gilles Peskine59685592018-09-18 12:11:34 +02009637}
9638/* END_CASE */
9639
Valerio Settiad819672023-12-29 12:14:41 +01009640/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
9641void ecc_conversion_functions(int grp_id_arg, int psa_family_arg, int bits_arg)
Valerio Settibf999cb2023-12-28 17:48:13 +01009642{
9643 mbedtls_ecp_group_id grp_id = grp_id_arg;
Valerio Settiad819672023-12-29 12:14:41 +01009644 psa_ecc_family_t ecc_family = psa_family_arg;
9645 size_t bits = bits_arg;
9646 size_t bits_tmp;
Valerio Settibf999cb2023-12-28 17:48:13 +01009647
Valerio Settiad819672023-12-29 12:14:41 +01009648 TEST_EQUAL(ecc_family, mbedtls_ecc_group_to_psa(grp_id, &bits_tmp));
9649 TEST_EQUAL(bits, bits_tmp);
Valerio Settiac739522024-01-04 10:22:01 +01009650 TEST_EQUAL(grp_id, mbedtls_ecc_group_from_psa(ecc_family, bits));
Valerio Settibf999cb2023-12-28 17:48:13 +01009651}
9652/* END_CASE */
9653
Valerio Settiac739522024-01-04 10:22:01 +01009654/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
9655void ecc_conversion_functions_fail()
9656{
9657 size_t bits;
9658
Valerio Settidb6e0292024-01-05 10:15:45 +01009659 /* Invalid legacy curve identifiers. */
9660 TEST_EQUAL(0, mbedtls_ecc_group_to_psa(MBEDTLS_ECP_DP_MAX, &bits));
9661 TEST_EQUAL(0, bits);
Valerio Settiac739522024-01-04 10:22:01 +01009662 TEST_EQUAL(0, mbedtls_ecc_group_to_psa(MBEDTLS_ECP_DP_NONE, &bits));
9663 TEST_EQUAL(0, bits);
9664
9665 /* Invalid PSA EC family. */
9666 TEST_EQUAL(MBEDTLS_ECP_DP_NONE, mbedtls_ecc_group_from_psa(0, 192));
9667 /* Invalid bit-size for a valid EC family. */
9668 TEST_EQUAL(MBEDTLS_ECP_DP_NONE, mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_SECP_R1, 512));
9669
9670 /* Twisted-Edward curves are not supported yet. */
9671 TEST_EQUAL(MBEDTLS_ECP_DP_NONE,
9672 mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_TWISTED_EDWARDS, 255));
9673 TEST_EQUAL(MBEDTLS_ECP_DP_NONE,
9674 mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_TWISTED_EDWARDS, 448));
9675}
9676/* END_CASE */
9677
9678
Valerio Settibf999cb2023-12-28 17:48:13 +01009679/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009680void key_agreement_output(int alg_arg,
9681 int our_key_type_arg, data_t *our_key_data,
9682 data_t *peer_key_data,
9683 data_t *expected_output1, data_t *expected_output2)
Gilles Peskine59685592018-09-18 12:11:34 +02009684{
Ronald Cron5425a212020-08-04 14:58:35 +02009685 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine59685592018-09-18 12:11:34 +02009686 psa_algorithm_t alg = alg_arg;
9687 psa_key_type_t our_key_type = our_key_type_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009688 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009689 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine3ec8ed82018-10-25 22:37:15 +02009690 uint8_t *actual_output = NULL;
Gilles Peskine59685592018-09-18 12:11:34 +02009691
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009692 TEST_CALLOC(actual_output, MAX(expected_output1->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009693 expected_output2->len));
Gilles Peskine59685592018-09-18 12:11:34 +02009694
Gilles Peskine449bd832023-01-11 14:50:10 +01009695 PSA_ASSERT(psa_crypto_init());
Gilles Peskine59685592018-09-18 12:11:34 +02009696
Gilles Peskine449bd832023-01-11 14:50:10 +01009697 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9698 psa_set_key_algorithm(&attributes, alg);
9699 psa_set_key_type(&attributes, our_key_type);
9700 PSA_ASSERT(psa_import_key(&attributes,
9701 our_key_data->x, our_key_data->len,
9702 &our_key));
Gilles Peskine59685592018-09-18 12:11:34 +02009703
Gilles Peskine449bd832023-01-11 14:50:10 +01009704 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
9705 PSA_ASSERT(psa_key_derivation_key_agreement(
9706 &operation,
9707 PSA_KEY_DERIVATION_INPUT_SECRET, our_key,
9708 peer_key_data->x, peer_key_data->len));
9709 if (PSA_ALG_IS_HKDF(PSA_ALG_KEY_AGREEMENT_GET_KDF(alg))) {
Gilles Peskinef8a9d942019-04-11 22:13:20 +02009710 /* The test data is for info="" */
Gilles Peskine449bd832023-01-11 14:50:10 +01009711 PSA_ASSERT(psa_key_derivation_input_bytes(&operation,
9712 PSA_KEY_DERIVATION_INPUT_INFO,
9713 NULL, 0));
Gilles Peskinef8a9d942019-04-11 22:13:20 +02009714 }
Gilles Peskine59685592018-09-18 12:11:34 +02009715
Gilles Peskine449bd832023-01-11 14:50:10 +01009716 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
9717 actual_output,
9718 expected_output1->len));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009719 TEST_MEMORY_COMPARE(actual_output, expected_output1->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009720 expected_output1->x, expected_output1->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009721 if (expected_output2->len != 0) {
9722 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
9723 actual_output,
9724 expected_output2->len));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009725 TEST_MEMORY_COMPARE(actual_output, expected_output2->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009726 expected_output2->x, expected_output2->len);
Gilles Peskine3ec8ed82018-10-25 22:37:15 +02009727 }
Gilles Peskine59685592018-09-18 12:11:34 +02009728
9729exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009730 psa_key_derivation_abort(&operation);
9731 psa_destroy_key(our_key);
9732 PSA_DONE();
9733 mbedtls_free(actual_output);
Gilles Peskine59685592018-09-18 12:11:34 +02009734}
9735/* END_CASE */
9736
9737/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009738void generate_random(int bytes_arg)
Gilles Peskine05d69892018-06-19 22:00:52 +02009739{
Gilles Peskinea50d7392018-06-21 10:22:13 +02009740 size_t bytes = bytes_arg;
Gilles Peskine8cebbba2018-09-27 13:54:18 +02009741 unsigned char *output = NULL;
9742 unsigned char *changed = NULL;
Gilles Peskinea50d7392018-06-21 10:22:13 +02009743 size_t i;
9744 unsigned run;
Gilles Peskine05d69892018-06-19 22:00:52 +02009745
Gilles Peskine449bd832023-01-11 14:50:10 +01009746 TEST_ASSERT(bytes_arg >= 0);
Simon Butcher49f8e312020-03-03 15:51:50 +00009747
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009748 TEST_CALLOC(output, bytes);
9749 TEST_CALLOC(changed, bytes);
Gilles Peskine05d69892018-06-19 22:00:52 +02009750
Gilles Peskine449bd832023-01-11 14:50:10 +01009751 PSA_ASSERT(psa_crypto_init());
Gilles Peskine05d69892018-06-19 22:00:52 +02009752
Gilles Peskinea50d7392018-06-21 10:22:13 +02009753 /* Run several times, to ensure that every output byte will be
9754 * nonzero at least once with overwhelming probability
9755 * (2^(-8*number_of_runs)). */
Gilles Peskine449bd832023-01-11 14:50:10 +01009756 for (run = 0; run < 10; run++) {
9757 if (bytes != 0) {
9758 memset(output, 0, bytes);
9759 }
9760 PSA_ASSERT(psa_generate_random(output, bytes));
Gilles Peskinea50d7392018-06-21 10:22:13 +02009761
Gilles Peskine449bd832023-01-11 14:50:10 +01009762 for (i = 0; i < bytes; i++) {
9763 if (output[i] != 0) {
Gilles Peskinea50d7392018-06-21 10:22:13 +02009764 ++changed[i];
Gilles Peskine449bd832023-01-11 14:50:10 +01009765 }
Gilles Peskinea50d7392018-06-21 10:22:13 +02009766 }
Gilles Peskine05d69892018-06-19 22:00:52 +02009767 }
Gilles Peskinea50d7392018-06-21 10:22:13 +02009768
9769 /* Check that every byte was changed to nonzero at least once. This
9770 * validates that psa_generate_random is overwriting every byte of
9771 * the output buffer. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009772 for (i = 0; i < bytes; i++) {
9773 TEST_ASSERT(changed[i] != 0);
Gilles Peskinea50d7392018-06-21 10:22:13 +02009774 }
Gilles Peskine05d69892018-06-19 22:00:52 +02009775
9776exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009777 PSA_DONE();
9778 mbedtls_free(output);
9779 mbedtls_free(changed);
Gilles Peskine05d69892018-06-19 22:00:52 +02009780}
9781/* END_CASE */
Gilles Peskine12313cd2018-06-20 00:20:32 +02009782
9783/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009784void generate_key(int type_arg,
9785 int bits_arg,
9786 int usage_arg,
9787 int alg_arg,
9788 int expected_status_arg,
9789 int is_large_key)
Gilles Peskine12313cd2018-06-20 00:20:32 +02009790{
Ronald Cron5425a212020-08-04 14:58:35 +02009791 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine12313cd2018-06-20 00:20:32 +02009792 psa_key_type_t type = type_arg;
9793 psa_key_usage_t usage = usage_arg;
9794 size_t bits = bits_arg;
9795 psa_algorithm_t alg = alg_arg;
9796 psa_status_t expected_status = expected_status_arg;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009797 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02009798 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine12313cd2018-06-20 00:20:32 +02009799
Gilles Peskine449bd832023-01-11 14:50:10 +01009800 PSA_ASSERT(psa_crypto_init());
Gilles Peskine12313cd2018-06-20 00:20:32 +02009801
Gilles Peskine449bd832023-01-11 14:50:10 +01009802 psa_set_key_usage_flags(&attributes, usage);
9803 psa_set_key_algorithm(&attributes, alg);
9804 psa_set_key_type(&attributes, type);
9805 psa_set_key_bits(&attributes, bits);
Gilles Peskine12313cd2018-06-20 00:20:32 +02009806
9807 /* Generate a key */
Gilles Peskine449bd832023-01-11 14:50:10 +01009808 psa_status_t status = psa_generate_key(&attributes, &key);
Steven Cooreman83fdb702021-01-21 14:24:39 +01009809
Gilles Peskine449bd832023-01-11 14:50:10 +01009810 if (is_large_key > 0) {
9811 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY);
9812 }
9813 TEST_EQUAL(status, expected_status);
9814 if (expected_status != PSA_SUCCESS) {
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009815 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009816 }
Gilles Peskine12313cd2018-06-20 00:20:32 +02009817
9818 /* Test the key information */
Gilles Peskine449bd832023-01-11 14:50:10 +01009819 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
9820 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
9821 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
Gilles Peskine12313cd2018-06-20 00:20:32 +02009822
Gilles Peskine818ca122018-06-20 18:16:48 +02009823 /* Do something with the key according to its type and permitted usage. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009824 if (!mbedtls_test_psa_exercise_key(key, usage, alg)) {
Gilles Peskine02b75072018-07-01 22:31:34 +02009825 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009826 }
Gilles Peskine12313cd2018-06-20 00:20:32 +02009827
9828exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01009829 /*
9830 * Key attributes may have been returned by psa_get_key_attributes()
9831 * thus reset them as required.
9832 */
Gilles Peskine449bd832023-01-11 14:50:10 +01009833 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01009834
Gilles Peskine449bd832023-01-11 14:50:10 +01009835 psa_destroy_key(key);
9836 PSA_DONE();
Gilles Peskine12313cd2018-06-20 00:20:32 +02009837}
9838/* END_CASE */
itayzafrir0adf0fc2018-09-06 16:24:41 +03009839
Valerio Setti19fec542023-07-25 12:31:50 +02009840/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_ALG_RSA_PKCS1V15_SIGN */
Gilles Peskine449bd832023-01-11 14:50:10 +01009841void generate_key_rsa(int bits_arg,
9842 data_t *e_arg,
9843 int expected_status_arg)
Gilles Peskinee56e8782019-04-26 17:34:02 +02009844{
Ronald Cron5425a212020-08-04 14:58:35 +02009845 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinec93b80c2019-05-16 19:39:54 +02009846 psa_key_type_t type = PSA_KEY_TYPE_RSA_KEY_PAIR;
Gilles Peskinee56e8782019-04-26 17:34:02 +02009847 size_t bits = bits_arg;
9848 psa_key_usage_t usage = PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT;
9849 psa_algorithm_t alg = PSA_ALG_RSA_PKCS1V15_SIGN_RAW;
9850 psa_status_t expected_status = expected_status_arg;
9851 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinee56e8782019-04-26 17:34:02 +02009852 uint8_t *e_read_buffer = NULL;
9853 int is_default_public_exponent = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01009854 size_t e_read_size = PSA_KEY_DOMAIN_PARAMETERS_SIZE(type, bits);
Gilles Peskinee56e8782019-04-26 17:34:02 +02009855 size_t e_read_length = SIZE_MAX;
9856
Gilles Peskine449bd832023-01-11 14:50:10 +01009857 if (e_arg->len == 0 ||
9858 (e_arg->len == 3 &&
9859 e_arg->x[0] == 1 && e_arg->x[1] == 0 && e_arg->x[2] == 1)) {
Gilles Peskinee56e8782019-04-26 17:34:02 +02009860 is_default_public_exponent = 1;
9861 e_read_size = 0;
9862 }
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009863 TEST_CALLOC(e_read_buffer, e_read_size);
Gilles Peskinee56e8782019-04-26 17:34:02 +02009864
Gilles Peskine449bd832023-01-11 14:50:10 +01009865 PSA_ASSERT(psa_crypto_init());
Gilles Peskinee56e8782019-04-26 17:34:02 +02009866
Gilles Peskine449bd832023-01-11 14:50:10 +01009867 psa_set_key_usage_flags(&attributes, usage);
9868 psa_set_key_algorithm(&attributes, alg);
9869 PSA_ASSERT(psa_set_key_domain_parameters(&attributes, type,
9870 e_arg->x, e_arg->len));
9871 psa_set_key_bits(&attributes, bits);
Gilles Peskinee56e8782019-04-26 17:34:02 +02009872
9873 /* Generate a key */
Gilles Peskine449bd832023-01-11 14:50:10 +01009874 TEST_EQUAL(psa_generate_key(&attributes, &key), expected_status);
9875 if (expected_status != PSA_SUCCESS) {
Gilles Peskinee56e8782019-04-26 17:34:02 +02009876 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009877 }
Gilles Peskinee56e8782019-04-26 17:34:02 +02009878
9879 /* Test the key information */
Gilles Peskine449bd832023-01-11 14:50:10 +01009880 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
9881 TEST_EQUAL(psa_get_key_type(&attributes), type);
9882 TEST_EQUAL(psa_get_key_bits(&attributes), bits);
Pengyu Lvd90fbf72023-12-08 17:13:22 +08009883 psa_status_t status = psa_get_key_domain_parameters(&attributes,
9884 e_read_buffer, e_read_size,
9885 &e_read_length);
9886
9887
9888#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
9889 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \
9890 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
Gilles Peskine449bd832023-01-11 14:50:10 +01009891 if (is_default_public_exponent) {
9892 TEST_EQUAL(e_read_length, 0);
9893 } else {
Pengyu Lvd90fbf72023-12-08 17:13:22 +08009894 TEST_EQUAL(status, PSA_SUCCESS);
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009895 TEST_MEMORY_COMPARE(e_read_buffer, e_read_length, e_arg->x, e_arg->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009896 }
Pengyu Lv9e976f32023-12-06 16:58:05 +08009897#else
Pengyu Lv9e976f32023-12-06 16:58:05 +08009898 (void) is_default_public_exponent;
Pengyu Lvd90fbf72023-12-08 17:13:22 +08009899 TEST_EQUAL(status, PSA_ERROR_NOT_SUPPORTED);
Pengyu Lv9e976f32023-12-06 16:58:05 +08009900#endif
Gilles Peskinee56e8782019-04-26 17:34:02 +02009901
9902 /* Do something with the key according to its type and permitted usage. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009903 if (!mbedtls_test_psa_exercise_key(key, usage, alg)) {
Gilles Peskinee56e8782019-04-26 17:34:02 +02009904 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009905 }
Gilles Peskinee56e8782019-04-26 17:34:02 +02009906
Gilles Peskine1d25a0a2024-02-12 16:40:04 +01009907 TEST_ASSERT(rsa_test_e(key, bits, e_arg));
Gilles Peskinee56e8782019-04-26 17:34:02 +02009908
9909exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01009910 /*
9911 * Key attributes may have been returned by psa_get_key_attributes() or
9912 * set by psa_set_key_domain_parameters() thus reset them as required.
9913 */
Gilles Peskine449bd832023-01-11 14:50:10 +01009914 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01009915
Gilles Peskine449bd832023-01-11 14:50:10 +01009916 psa_destroy_key(key);
9917 PSA_DONE();
9918 mbedtls_free(e_read_buffer);
Gilles Peskinee56e8782019-04-26 17:34:02 +02009919}
9920/* END_CASE */
9921
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009922/* BEGIN_CASE */
9923void generate_key_ext(int type_arg,
9924 int bits_arg,
9925 int usage_arg,
9926 int alg_arg,
9927 int64_t flags_arg, /*negative for truncated method*/
9928 data_t *method_data,
9929 int expected_status_arg)
9930{
9931 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
9932 psa_key_type_t type = type_arg;
9933 psa_key_usage_t usage = usage_arg;
9934 size_t bits = bits_arg;
9935 psa_algorithm_t alg = alg_arg;
9936 psa_status_t expected_status = expected_status_arg;
9937 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
9938 psa_key_generation_method_t *method = NULL;
9939 size_t method_length = 0;
9940 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
9941
9942 PSA_ASSERT(psa_crypto_init());
9943
9944 psa_set_key_usage_flags(&attributes, usage);
9945 psa_set_key_algorithm(&attributes, alg);
9946 psa_set_key_type(&attributes, type);
9947 psa_set_key_bits(&attributes, bits);
9948
9949 if (!setup_key_generation_method(&method, &method_length,
9950 flags_arg, method_data)) {
9951 goto exit;
9952 }
9953
9954 /* Generate a key */
9955 psa_status_t status = psa_generate_key_ext(&attributes,
9956 method, method_length,
9957 &key);
9958
9959 TEST_EQUAL(status, expected_status);
9960 if (expected_status != PSA_SUCCESS) {
9961 goto exit;
9962 }
9963
9964 /* Test the key information */
9965 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
9966 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
9967 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
9968
Gilles Peskine7a18f962024-02-12 16:48:11 +01009969#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
9970 if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
9971 TEST_ASSERT(rsa_test_e(key, bits, method_data));
9972 }
9973#endif
9974
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009975 /* Do something with the key according to its type and permitted usage. */
9976 if (!mbedtls_test_psa_exercise_key(key, usage, alg)) {
9977 goto exit;
9978 }
9979
9980exit:
9981 /*
9982 * Key attributes may have been returned by psa_get_key_attributes()
9983 * thus reset them as required.
9984 */
9985 psa_reset_key_attributes(&got_attributes);
9986 mbedtls_free(method);
9987 psa_destroy_key(key);
9988 PSA_DONE();
9989}
9990/* END_CASE */
9991
9992/* BEGIN_CASE */
9993void key_generation_method_init()
9994{
9995 psa_key_generation_method_t func = psa_key_generation_method_init();
9996 psa_key_generation_method_t init = PSA_KEY_GENERATION_METHOD_INIT;
9997 psa_key_generation_method_t zero;
9998 memset(&zero, 0, sizeof(zero));
9999
10000 /* In order for sizeof(psa_key_generation_method_t) to mean
10001 * empty data, there must not be any padding in the structure:
10002 * the size of the structure must be the offset of the data field. */
10003 TEST_EQUAL(sizeof(zero), offsetof(psa_key_generation_method_t, data));
10004
10005 TEST_EQUAL(func.flags, 0);
10006 TEST_EQUAL(init.flags, 0);
10007 TEST_EQUAL(zero.flags, 0);
10008}
10009/* END_CASE */
10010
Darryl Greend49a4992018-06-18 17:27:26 +010010011/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */
Gilles Peskine449bd832023-01-11 14:50:10 +010010012void persistent_key_load_key_from_storage(data_t *data,
10013 int type_arg, int bits_arg,
10014 int usage_flags_arg, int alg_arg,
10015 int generation_method)
Darryl Greend49a4992018-06-18 17:27:26 +010010016{
Gilles Peskine449bd832023-01-11 14:50:10 +010010017 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, 1);
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010018 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Ronald Cron5425a212020-08-04 14:58:35 +020010019 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
10020 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010021 psa_key_type_t type = type_arg;
10022 size_t bits = bits_arg;
10023 psa_key_usage_t usage_flags = usage_flags_arg;
10024 psa_algorithm_t alg = alg_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +020010025 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Darryl Greend49a4992018-06-18 17:27:26 +010010026 unsigned char *first_export = NULL;
10027 unsigned char *second_export = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +010010028 size_t export_size = PSA_EXPORT_KEY_OUTPUT_SIZE(type, bits);
Sergeybef1f632023-03-06 15:25:06 -070010029 size_t first_exported_length = 0;
Darryl Greend49a4992018-06-18 17:27:26 +010010030 size_t second_exported_length;
10031
Gilles Peskine449bd832023-01-11 14:50:10 +010010032 if (usage_flags & PSA_KEY_USAGE_EXPORT) {
Tom Cosgrove05b2a872023-07-21 11:31:13 +010010033 TEST_CALLOC(first_export, export_size);
10034 TEST_CALLOC(second_export, export_size);
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010035 }
Darryl Greend49a4992018-06-18 17:27:26 +010010036
Gilles Peskine449bd832023-01-11 14:50:10 +010010037 PSA_ASSERT(psa_crypto_init());
Darryl Greend49a4992018-06-18 17:27:26 +010010038
Gilles Peskine449bd832023-01-11 14:50:10 +010010039 psa_set_key_id(&attributes, key_id);
10040 psa_set_key_usage_flags(&attributes, usage_flags);
10041 psa_set_key_algorithm(&attributes, alg);
10042 psa_set_key_type(&attributes, type);
10043 psa_set_key_bits(&attributes, bits);
Darryl Greend49a4992018-06-18 17:27:26 +010010044
Gilles Peskine449bd832023-01-11 14:50:10 +010010045 switch (generation_method) {
Darryl Green0c6575a2018-11-07 16:05:30 +000010046 case IMPORT_KEY:
10047 /* Import the key */
Gilles Peskine449bd832023-01-11 14:50:10 +010010048 PSA_ASSERT(psa_import_key(&attributes, data->x, data->len,
10049 &key));
Darryl Green0c6575a2018-11-07 16:05:30 +000010050 break;
Darryl Greend49a4992018-06-18 17:27:26 +010010051
Darryl Green0c6575a2018-11-07 16:05:30 +000010052 case GENERATE_KEY:
10053 /* Generate a key */
Gilles Peskine449bd832023-01-11 14:50:10 +010010054 PSA_ASSERT(psa_generate_key(&attributes, &key));
Darryl Green0c6575a2018-11-07 16:05:30 +000010055 break;
10056
10057 case DERIVE_KEY:
Steven Cooreman70f654a2021-02-15 10:51:43 +010010058#if defined(PSA_WANT_ALG_HKDF) && defined(PSA_WANT_ALG_SHA_256)
Gilles Peskine449bd832023-01-11 14:50:10 +010010059 {
10060 /* Create base key */
10061 psa_algorithm_t derive_alg = PSA_ALG_HKDF(PSA_ALG_SHA_256);
10062 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
10063 psa_set_key_usage_flags(&base_attributes,
10064 PSA_KEY_USAGE_DERIVE);
10065 psa_set_key_algorithm(&base_attributes, derive_alg);
10066 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
10067 PSA_ASSERT(psa_import_key(&base_attributes,
10068 data->x, data->len,
10069 &base_key));
10070 /* Derive a key. */
10071 PSA_ASSERT(psa_key_derivation_setup(&operation, derive_alg));
10072 PSA_ASSERT(psa_key_derivation_input_key(
10073 &operation,
10074 PSA_KEY_DERIVATION_INPUT_SECRET, base_key));
10075 PSA_ASSERT(psa_key_derivation_input_bytes(
10076 &operation, PSA_KEY_DERIVATION_INPUT_INFO,
10077 NULL, 0));
10078 PSA_ASSERT(psa_key_derivation_output_key(&attributes,
10079 &operation,
10080 &key));
10081 PSA_ASSERT(psa_key_derivation_abort(&operation));
10082 PSA_ASSERT(psa_destroy_key(base_key));
10083 base_key = MBEDTLS_SVC_KEY_ID_INIT;
10084 }
Gilles Peskine6fea21d2021-01-12 00:02:15 +010010085#else
Gilles Peskine449bd832023-01-11 14:50:10 +010010086 TEST_ASSUME(!"KDF not supported in this configuration");
Gilles Peskine6fea21d2021-01-12 00:02:15 +010010087#endif
10088 break;
10089
10090 default:
Agathiyan Bragadeeshdc28a5a2023-07-18 11:45:28 +010010091 TEST_FAIL("generation_method not implemented in test");
Gilles Peskine6fea21d2021-01-12 00:02:15 +010010092 break;
Darryl Green0c6575a2018-11-07 16:05:30 +000010093 }
Gilles Peskine449bd832023-01-11 14:50:10 +010010094 psa_reset_key_attributes(&attributes);
Darryl Greend49a4992018-06-18 17:27:26 +010010095
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010096 /* Export the key if permitted by the key policy. */
Gilles Peskine449bd832023-01-11 14:50:10 +010010097 if (usage_flags & PSA_KEY_USAGE_EXPORT) {
10098 PSA_ASSERT(psa_export_key(key,
10099 first_export, export_size,
10100 &first_exported_length));
10101 if (generation_method == IMPORT_KEY) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +010010102 TEST_MEMORY_COMPARE(data->x, data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +010010103 first_export, first_exported_length);
Gilles Peskine449bd832023-01-11 14:50:10 +010010104 }
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010105 }
Darryl Greend49a4992018-06-18 17:27:26 +010010106
10107 /* Shutdown and restart */
Gilles Peskine449bd832023-01-11 14:50:10 +010010108 PSA_ASSERT(psa_purge_key(key));
Gilles Peskine1153e7b2019-05-28 15:10:21 +020010109 PSA_DONE();
Gilles Peskine449bd832023-01-11 14:50:10 +010010110 PSA_ASSERT(psa_crypto_init());
Darryl Greend49a4992018-06-18 17:27:26 +010010111
Darryl Greend49a4992018-06-18 17:27:26 +010010112 /* Check key slot still contains key data */
Gilles Peskine449bd832023-01-11 14:50:10 +010010113 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
10114 TEST_ASSERT(mbedtls_svc_key_id_equal(
10115 psa_get_key_id(&attributes), key_id));
10116 TEST_EQUAL(psa_get_key_lifetime(&attributes),
10117 PSA_KEY_LIFETIME_PERSISTENT);
10118 TEST_EQUAL(psa_get_key_type(&attributes), type);
10119 TEST_EQUAL(psa_get_key_bits(&attributes), bits);
10120 TEST_EQUAL(psa_get_key_usage_flags(&attributes),
10121 mbedtls_test_update_key_usage_flags(usage_flags));
10122 TEST_EQUAL(psa_get_key_algorithm(&attributes), alg);
Darryl Greend49a4992018-06-18 17:27:26 +010010123
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010124 /* Export the key again if permitted by the key policy. */
Gilles Peskine449bd832023-01-11 14:50:10 +010010125 if (usage_flags & PSA_KEY_USAGE_EXPORT) {
10126 PSA_ASSERT(psa_export_key(key,
10127 second_export, export_size,
10128 &second_exported_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +010010129 TEST_MEMORY_COMPARE(first_export, first_exported_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +010010130 second_export, second_exported_length);
Darryl Green0c6575a2018-11-07 16:05:30 +000010131 }
10132
10133 /* Do something with the key according to its type and permitted usage. */
Gilles Peskine449bd832023-01-11 14:50:10 +010010134 if (!mbedtls_test_psa_exercise_key(key, usage_flags, alg)) {
Darryl Green0c6575a2018-11-07 16:05:30 +000010135 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +010010136 }
Darryl Greend49a4992018-06-18 17:27:26 +010010137
10138exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +010010139 /*
10140 * Key attributes may have been returned by psa_get_key_attributes()
10141 * thus reset them as required.
10142 */
Gilles Peskine449bd832023-01-11 14:50:10 +010010143 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +010010144
Gilles Peskine449bd832023-01-11 14:50:10 +010010145 mbedtls_free(first_export);
10146 mbedtls_free(second_export);
10147 psa_key_derivation_abort(&operation);
10148 psa_destroy_key(base_key);
10149 psa_destroy_key(key);
Gilles Peskine1153e7b2019-05-28 15:10:21 +020010150 PSA_DONE();
Darryl Greend49a4992018-06-18 17:27:26 +010010151}
10152/* END_CASE */
Neil Armstrongd597bc72022-05-25 11:28:39 +020010153
Neil Armstronga557cb82022-06-10 08:58:32 +020010154/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010155void ecjpake_setup(int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
10156 int primitive_arg, int hash_arg, int role_arg,
10157 int test_input, data_t *pw_data,
10158 int inj_err_type_arg,
10159 int expected_error_arg)
Neil Armstrongd597bc72022-05-25 11:28:39 +020010160{
10161 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
10162 psa_pake_operation_t operation = psa_pake_operation_init();
10163 psa_algorithm_t alg = alg_arg;
Manuel Pégourié-Gonnardb63a9ef2022-10-06 10:55:19 +020010164 psa_pake_primitive_t primitive = primitive_arg;
Neil Armstrong2a73f212022-09-06 11:34:54 +020010165 psa_key_type_t key_type_pw = key_type_pw_arg;
10166 psa_key_usage_t key_usage_pw = key_usage_pw_arg;
Neil Armstrongd597bc72022-05-25 11:28:39 +020010167 psa_algorithm_t hash_alg = hash_arg;
10168 psa_pake_role_t role = role_arg;
Neil Armstrongd597bc72022-05-25 11:28:39 +020010169 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
10170 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Valerio Setti1070aed2022-11-11 19:37:31 +010010171 ecjpake_injected_failure_t inj_err_type = inj_err_type_arg;
10172 psa_status_t expected_error = expected_error_arg;
10173 psa_status_t status;
Neil Armstrongd597bc72022-05-25 11:28:39 +020010174 unsigned char *output_buffer = NULL;
10175 size_t output_len = 0;
10176
Gilles Peskine449bd832023-01-11 14:50:10 +010010177 PSA_INIT();
Neil Armstrongd597bc72022-05-25 11:28:39 +020010178
Manuel Pégourié-Gonnardb63a9ef2022-10-06 10:55:19 +020010179 size_t buf_size = PSA_PAKE_OUTPUT_SIZE(alg, primitive_arg,
Gilles Peskine449bd832023-01-11 14:50:10 +010010180 PSA_PAKE_STEP_KEY_SHARE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +010010181 TEST_CALLOC(output_buffer, buf_size);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010182
Gilles Peskine449bd832023-01-11 14:50:10 +010010183 if (pw_data->len > 0) {
10184 psa_set_key_usage_flags(&attributes, key_usage_pw);
10185 psa_set_key_algorithm(&attributes, alg);
10186 psa_set_key_type(&attributes, key_type_pw);
10187 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len,
10188 &key));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010189 }
10190
Gilles Peskine449bd832023-01-11 14:50:10 +010010191 psa_pake_cs_set_algorithm(&cipher_suite, alg);
10192 psa_pake_cs_set_primitive(&cipher_suite, primitive);
10193 psa_pake_cs_set_hash(&cipher_suite, hash_alg);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010194
Gilles Peskine449bd832023-01-11 14:50:10 +010010195 PSA_ASSERT(psa_pake_abort(&operation));
Neil Armstrong645cccd2022-06-08 17:36:23 +020010196
Gilles Peskine449bd832023-01-11 14:50:10 +010010197 if (inj_err_type == INJECT_ERR_UNINITIALIZED_ACCESS) {
10198 TEST_EQUAL(psa_pake_set_user(&operation, NULL, 0),
10199 expected_error);
10200 PSA_ASSERT(psa_pake_abort(&operation));
10201 TEST_EQUAL(psa_pake_set_peer(&operation, NULL, 0),
10202 expected_error);
10203 PSA_ASSERT(psa_pake_abort(&operation));
10204 TEST_EQUAL(psa_pake_set_password_key(&operation, key),
10205 expected_error);
10206 PSA_ASSERT(psa_pake_abort(&operation));
10207 TEST_EQUAL(psa_pake_set_role(&operation, role),
10208 expected_error);
10209 PSA_ASSERT(psa_pake_abort(&operation));
10210 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE,
10211 NULL, 0, NULL),
10212 expected_error);
10213 PSA_ASSERT(psa_pake_abort(&operation));
10214 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, NULL, 0),
10215 expected_error);
10216 PSA_ASSERT(psa_pake_abort(&operation));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010217 goto exit;
Valerio Setti1070aed2022-11-11 19:37:31 +010010218 }
Neil Armstrongd597bc72022-05-25 11:28:39 +020010219
Gilles Peskine449bd832023-01-11 14:50:10 +010010220 status = psa_pake_setup(&operation, &cipher_suite);
10221 if (status != PSA_SUCCESS) {
10222 TEST_EQUAL(status, expected_error);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010223 goto exit;
Valerio Setti1070aed2022-11-11 19:37:31 +010010224 }
10225
Gilles Peskine449bd832023-01-11 14:50:10 +010010226 if (inj_err_type == INJECT_ERR_DUPLICATE_SETUP) {
10227 TEST_EQUAL(psa_pake_setup(&operation, &cipher_suite),
10228 expected_error);
Valerio Setti1070aed2022-11-11 19:37:31 +010010229 goto exit;
10230 }
10231
Gilles Peskine449bd832023-01-11 14:50:10 +010010232 status = psa_pake_set_role(&operation, role);
10233 if (status != PSA_SUCCESS) {
10234 TEST_EQUAL(status, expected_error);
Valerio Setti1070aed2022-11-11 19:37:31 +010010235 goto exit;
10236 }
Neil Armstrongd597bc72022-05-25 11:28:39 +020010237
Gilles Peskine449bd832023-01-11 14:50:10 +010010238 if (pw_data->len > 0) {
10239 status = psa_pake_set_password_key(&operation, key);
10240 if (status != PSA_SUCCESS) {
10241 TEST_EQUAL(status, expected_error);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010242 goto exit;
Valerio Setti1070aed2022-11-11 19:37:31 +010010243 }
Neil Armstrongd597bc72022-05-25 11:28:39 +020010244 }
10245
Gilles Peskine449bd832023-01-11 14:50:10 +010010246 if (inj_err_type == INJECT_ERR_INVALID_USER) {
10247 TEST_EQUAL(psa_pake_set_user(&operation, NULL, 0),
10248 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010249 goto exit;
10250 }
Neil Armstrong707d9572022-06-08 17:31:49 +020010251
Gilles Peskine449bd832023-01-11 14:50:10 +010010252 if (inj_err_type == INJECT_ERR_INVALID_PEER) {
10253 TEST_EQUAL(psa_pake_set_peer(&operation, NULL, 0),
10254 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010255 goto exit;
10256 }
Neil Armstrong707d9572022-06-08 17:31:49 +020010257
Gilles Peskine449bd832023-01-11 14:50:10 +010010258 if (inj_err_type == INJECT_ERR_SET_USER) {
Valerio Setti1070aed2022-11-11 19:37:31 +010010259 const uint8_t unsupported_id[] = "abcd";
Gilles Peskine449bd832023-01-11 14:50:10 +010010260 TEST_EQUAL(psa_pake_set_user(&operation, unsupported_id, 4),
10261 PSA_ERROR_NOT_SUPPORTED);
Valerio Setti1070aed2022-11-11 19:37:31 +010010262 goto exit;
10263 }
10264
Gilles Peskine449bd832023-01-11 14:50:10 +010010265 if (inj_err_type == INJECT_ERR_SET_PEER) {
Valerio Setti1070aed2022-11-11 19:37:31 +010010266 const uint8_t unsupported_id[] = "abcd";
Gilles Peskine449bd832023-01-11 14:50:10 +010010267 TEST_EQUAL(psa_pake_set_peer(&operation, unsupported_id, 4),
10268 PSA_ERROR_NOT_SUPPORTED);
Valerio Setti1070aed2022-11-11 19:37:31 +010010269 goto exit;
10270 }
Neil Armstrong707d9572022-06-08 17:31:49 +020010271
Gilles Peskine449bd832023-01-11 14:50:10 +010010272 const size_t size_key_share = PSA_PAKE_INPUT_SIZE(alg, primitive,
10273 PSA_PAKE_STEP_KEY_SHARE);
10274 const size_t size_zk_public = PSA_PAKE_INPUT_SIZE(alg, primitive,
10275 PSA_PAKE_STEP_ZK_PUBLIC);
10276 const size_t size_zk_proof = PSA_PAKE_INPUT_SIZE(alg, primitive,
10277 PSA_PAKE_STEP_ZK_PROOF);
Manuel Pégourié-Gonnardb63a9ef2022-10-06 10:55:19 +020010278
Gilles Peskine449bd832023-01-11 14:50:10 +010010279 if (test_input) {
10280 if (inj_err_type == INJECT_EMPTY_IO_BUFFER) {
10281 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PROOF, NULL, 0),
10282 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010283 goto exit;
10284 }
Neil Armstrong9c8b4922022-06-08 17:59:07 +020010285
Gilles Peskine449bd832023-01-11 14:50:10 +010010286 if (inj_err_type == INJECT_UNKNOWN_STEP) {
10287 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PROOF + 10,
10288 output_buffer, size_zk_proof),
10289 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010290 goto exit;
10291 }
10292
Gilles Peskine449bd832023-01-11 14:50:10 +010010293 if (inj_err_type == INJECT_INVALID_FIRST_STEP) {
10294 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PROOF,
10295 output_buffer, size_zk_proof),
10296 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010297 goto exit;
10298 }
10299
Gilles Peskine449bd832023-01-11 14:50:10 +010010300 status = psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE,
10301 output_buffer, size_key_share);
10302 if (status != PSA_SUCCESS) {
10303 TEST_EQUAL(status, expected_error);
Valerio Setti1070aed2022-11-11 19:37:31 +010010304 goto exit;
10305 }
10306
Gilles Peskine449bd832023-01-11 14:50:10 +010010307 if (inj_err_type == INJECT_WRONG_BUFFER_SIZE) {
10308 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10309 output_buffer, size_zk_public + 1),
10310 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010311 goto exit;
10312 }
10313
Gilles Peskine449bd832023-01-11 14:50:10 +010010314 if (inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE) {
Valerio Setti1070aed2022-11-11 19:37:31 +010010315 // Just trigger any kind of error. We don't care about the result here
Gilles Peskine449bd832023-01-11 14:50:10 +010010316 psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10317 output_buffer, size_zk_public + 1);
10318 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10319 output_buffer, size_zk_public),
10320 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010321 goto exit;
Neil Armstrong9c8b4922022-06-08 17:59:07 +020010322 }
Valerio Setti1070aed2022-11-11 19:37:31 +010010323 } else {
Gilles Peskine449bd832023-01-11 14:50:10 +010010324 if (inj_err_type == INJECT_EMPTY_IO_BUFFER) {
10325 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF,
10326 NULL, 0, NULL),
10327 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010328 goto exit;
10329 }
Neil Armstrong9c8b4922022-06-08 17:59:07 +020010330
Gilles Peskine449bd832023-01-11 14:50:10 +010010331 if (inj_err_type == INJECT_UNKNOWN_STEP) {
10332 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF + 10,
10333 output_buffer, buf_size, &output_len),
10334 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010335 goto exit;
10336 }
Neil Armstrong9c8b4922022-06-08 17:59:07 +020010337
Gilles Peskine449bd832023-01-11 14:50:10 +010010338 if (inj_err_type == INJECT_INVALID_FIRST_STEP) {
10339 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF,
10340 output_buffer, buf_size, &output_len),
10341 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010342 goto exit;
10343 }
10344
Gilles Peskine449bd832023-01-11 14:50:10 +010010345 status = psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE,
10346 output_buffer, buf_size, &output_len);
10347 if (status != PSA_SUCCESS) {
10348 TEST_EQUAL(status, expected_error);
Valerio Setti1070aed2022-11-11 19:37:31 +010010349 goto exit;
10350 }
10351
Gilles Peskine449bd832023-01-11 14:50:10 +010010352 TEST_ASSERT(output_len > 0);
Valerio Setti1070aed2022-11-11 19:37:31 +010010353
Gilles Peskine449bd832023-01-11 14:50:10 +010010354 if (inj_err_type == INJECT_WRONG_BUFFER_SIZE) {
10355 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10356 output_buffer, size_zk_public - 1, &output_len),
10357 PSA_ERROR_BUFFER_TOO_SMALL);
Valerio Setti1070aed2022-11-11 19:37:31 +010010358 goto exit;
10359 }
10360
Gilles Peskine449bd832023-01-11 14:50:10 +010010361 if (inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE) {
Valerio Setti1070aed2022-11-11 19:37:31 +010010362 // Just trigger any kind of error. We don't care about the result here
Gilles Peskine449bd832023-01-11 14:50:10 +010010363 psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10364 output_buffer, size_zk_public - 1, &output_len);
10365 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10366 output_buffer, buf_size, &output_len),
10367 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010368 goto exit;
Neil Armstrong9c8b4922022-06-08 17:59:07 +020010369 }
10370 }
Neil Armstrongd597bc72022-05-25 11:28:39 +020010371
10372exit:
Gilles Peskine449bd832023-01-11 14:50:10 +010010373 PSA_ASSERT(psa_destroy_key(key));
10374 PSA_ASSERT(psa_pake_abort(&operation));
10375 mbedtls_free(output_buffer);
10376 PSA_DONE();
Neil Armstrongd597bc72022-05-25 11:28:39 +020010377}
10378/* END_CASE */
10379
Neil Armstronga557cb82022-06-10 08:58:32 +020010380/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010381void ecjpake_rounds_inject(int alg_arg, int primitive_arg, int hash_arg,
10382 int client_input_first, int inject_error,
10383 data_t *pw_data)
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010384{
10385 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
10386 psa_pake_operation_t server = psa_pake_operation_init();
10387 psa_pake_operation_t client = psa_pake_operation_init();
10388 psa_algorithm_t alg = alg_arg;
10389 psa_algorithm_t hash_alg = hash_arg;
10390 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
10391 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
10392
Gilles Peskine449bd832023-01-11 14:50:10 +010010393 PSA_INIT();
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010394
Gilles Peskine449bd832023-01-11 14:50:10 +010010395 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
10396 psa_set_key_algorithm(&attributes, alg);
10397 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
10398 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len,
10399 &key));
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010400
Gilles Peskine449bd832023-01-11 14:50:10 +010010401 psa_pake_cs_set_algorithm(&cipher_suite, alg);
10402 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg);
10403 psa_pake_cs_set_hash(&cipher_suite, hash_alg);
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010404
10405
Gilles Peskine449bd832023-01-11 14:50:10 +010010406 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite));
10407 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite));
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010408
Gilles Peskine449bd832023-01-11 14:50:10 +010010409 PSA_ASSERT(psa_pake_set_role(&server, PSA_PAKE_ROLE_SERVER));
10410 PSA_ASSERT(psa_pake_set_role(&client, PSA_PAKE_ROLE_CLIENT));
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010411
Gilles Peskine449bd832023-01-11 14:50:10 +010010412 PSA_ASSERT(psa_pake_set_password_key(&server, key));
10413 PSA_ASSERT(psa_pake_set_password_key(&client, key));
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010414
Gilles Peskine449bd832023-01-11 14:50:10 +010010415 ecjpake_do_round(alg, primitive_arg, &server, &client,
10416 client_input_first, 1, inject_error);
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010417
Gilles Peskine449bd832023-01-11 14:50:10 +010010418 if (inject_error == 1 || inject_error == 2) {
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010419 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +010010420 }
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010421
Gilles Peskine449bd832023-01-11 14:50:10 +010010422 ecjpake_do_round(alg, primitive_arg, &server, &client,
10423 client_input_first, 2, inject_error);
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010424
10425exit:
Gilles Peskine449bd832023-01-11 14:50:10 +010010426 psa_destroy_key(key);
10427 psa_pake_abort(&server);
10428 psa_pake_abort(&client);
10429 PSA_DONE();
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010430}
10431/* END_CASE */
10432
10433/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010434void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg,
10435 int derive_alg_arg, data_t *pw_data,
10436 int client_input_first, int inj_err_type_arg)
Neil Armstrongd597bc72022-05-25 11:28:39 +020010437{
10438 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
10439 psa_pake_operation_t server = psa_pake_operation_init();
10440 psa_pake_operation_t client = psa_pake_operation_init();
10441 psa_algorithm_t alg = alg_arg;
10442 psa_algorithm_t hash_alg = hash_arg;
10443 psa_algorithm_t derive_alg = derive_alg_arg;
10444 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
10445 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
10446 psa_key_derivation_operation_t server_derive =
Gilles Peskine449bd832023-01-11 14:50:10 +010010447 PSA_KEY_DERIVATION_OPERATION_INIT;
Neil Armstrongd597bc72022-05-25 11:28:39 +020010448 psa_key_derivation_operation_t client_derive =
Gilles Peskine449bd832023-01-11 14:50:10 +010010449 PSA_KEY_DERIVATION_OPERATION_INIT;
Valerio Setti1070aed2022-11-11 19:37:31 +010010450 ecjpake_injected_failure_t inj_err_type = inj_err_type_arg;
Neil Armstrongd597bc72022-05-25 11:28:39 +020010451
Gilles Peskine449bd832023-01-11 14:50:10 +010010452 PSA_INIT();
Neil Armstrongd597bc72022-05-25 11:28:39 +020010453
Gilles Peskine449bd832023-01-11 14:50:10 +010010454 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
10455 psa_set_key_algorithm(&attributes, alg);
10456 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
10457 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len,
10458 &key));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010459
Gilles Peskine449bd832023-01-11 14:50:10 +010010460 psa_pake_cs_set_algorithm(&cipher_suite, alg);
10461 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg);
10462 psa_pake_cs_set_hash(&cipher_suite, hash_alg);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010463
Neil Armstrong1e855602022-06-15 11:32:11 +020010464 /* Get shared key */
Gilles Peskine449bd832023-01-11 14:50:10 +010010465 PSA_ASSERT(psa_key_derivation_setup(&server_derive, derive_alg));
10466 PSA_ASSERT(psa_key_derivation_setup(&client_derive, derive_alg));
Neil Armstrong1e855602022-06-15 11:32:11 +020010467
Gilles Peskine449bd832023-01-11 14:50:10 +010010468 if (PSA_ALG_IS_TLS12_PRF(derive_alg) ||
10469 PSA_ALG_IS_TLS12_PSK_TO_MS(derive_alg)) {
10470 PSA_ASSERT(psa_key_derivation_input_bytes(&server_derive,
10471 PSA_KEY_DERIVATION_INPUT_SEED,
10472 (const uint8_t *) "", 0));
10473 PSA_ASSERT(psa_key_derivation_input_bytes(&client_derive,
10474 PSA_KEY_DERIVATION_INPUT_SEED,
10475 (const uint8_t *) "", 0));
Neil Armstrong1e855602022-06-15 11:32:11 +020010476 }
10477
Gilles Peskine449bd832023-01-11 14:50:10 +010010478 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite));
10479 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010480
Gilles Peskine449bd832023-01-11 14:50:10 +010010481 PSA_ASSERT(psa_pake_set_role(&server, PSA_PAKE_ROLE_SERVER));
10482 PSA_ASSERT(psa_pake_set_role(&client, PSA_PAKE_ROLE_CLIENT));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010483
Gilles Peskine449bd832023-01-11 14:50:10 +010010484 PSA_ASSERT(psa_pake_set_password_key(&server, key));
10485 PSA_ASSERT(psa_pake_set_password_key(&client, key));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010486
Gilles Peskine449bd832023-01-11 14:50:10 +010010487 if (inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_1) {
10488 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive),
10489 PSA_ERROR_BAD_STATE);
10490 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive),
10491 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010492 goto exit;
10493 }
Neil Armstrong1e855602022-06-15 11:32:11 +020010494
Neil Armstrongf983caf2022-06-15 15:27:48 +020010495 /* First round */
Gilles Peskine449bd832023-01-11 14:50:10 +010010496 ecjpake_do_round(alg, primitive_arg, &server, &client,
10497 client_input_first, 1, 0);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010498
Gilles Peskine449bd832023-01-11 14:50:10 +010010499 if (inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_2) {
10500 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive),
10501 PSA_ERROR_BAD_STATE);
10502 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive),
10503 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010504 goto exit;
10505 }
Neil Armstrong1e855602022-06-15 11:32:11 +020010506
Neil Armstrongf983caf2022-06-15 15:27:48 +020010507 /* Second round */
Gilles Peskine449bd832023-01-11 14:50:10 +010010508 ecjpake_do_round(alg, primitive_arg, &server, &client,
10509 client_input_first, 2, 0);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010510
Gilles Peskine449bd832023-01-11 14:50:10 +010010511 PSA_ASSERT(psa_pake_get_implicit_key(&server, &server_derive));
10512 PSA_ASSERT(psa_pake_get_implicit_key(&client, &client_derive));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010513
10514exit:
Gilles Peskine449bd832023-01-11 14:50:10 +010010515 psa_key_derivation_abort(&server_derive);
10516 psa_key_derivation_abort(&client_derive);
10517 psa_destroy_key(key);
10518 psa_pake_abort(&server);
10519 psa_pake_abort(&client);
10520 PSA_DONE();
Neil Armstrongd597bc72022-05-25 11:28:39 +020010521}
10522/* END_CASE */
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010523
10524/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010525void ecjpake_size_macros()
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010526{
10527 const psa_algorithm_t alg = PSA_ALG_JPAKE;
10528 const size_t bits = 256;
10529 const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE(
Gilles Peskine449bd832023-01-11 14:50:10 +010010530 PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, bits);
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010531 const psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(
Gilles Peskine449bd832023-01-11 14:50:10 +010010532 PSA_ECC_FAMILY_SECP_R1);
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010533
10534 // https://armmbed.github.io/mbed-crypto/1.1_PAKE_Extension.0-bet.0/html/pake.html#pake-step-types
10535 /* The output for KEY_SHARE and ZK_PUBLIC is the same as a public key */
Gilles Peskine449bd832023-01-11 14:50:10 +010010536 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
10537 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits));
10538 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
10539 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits));
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010540 /* The output for ZK_PROOF is the same bitsize as the curve */
Gilles Peskine449bd832023-01-11 14:50:10 +010010541 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
10542 PSA_BITS_TO_BYTES(bits));
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010543
10544 /* Input sizes are the same as output sizes */
Gilles Peskine449bd832023-01-11 14:50:10 +010010545 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
10546 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE));
10547 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
10548 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC));
10549 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
10550 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF));
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010551
10552 /* These inequalities will always hold even when other PAKEs are added */
Gilles Peskine449bd832023-01-11 14:50:10 +010010553 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
10554 PSA_PAKE_OUTPUT_MAX_SIZE);
10555 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
10556 PSA_PAKE_OUTPUT_MAX_SIZE);
10557 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
10558 PSA_PAKE_OUTPUT_MAX_SIZE);
10559 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
10560 PSA_PAKE_INPUT_MAX_SIZE);
10561 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
10562 PSA_PAKE_INPUT_MAX_SIZE);
10563 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
10564 PSA_PAKE_INPUT_MAX_SIZE);
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010565}
10566/* END_CASE */