blob: da6c1c454c4d8f0290fd7c9916b0a44a9f7509ed [file] [log] [blame]
Gilles Peskinee59236f2018-01-27 23:32:46 +01001/* BEGIN_HEADER */
itayzafrir3e02b3b2018-06-12 17:06:52 +03002#include <stdint.h>
mohammad160327010052018-07-03 13:16:15 +03003
Gilles Peskinedd2f95b2018-08-11 01:22:42 +02004#include "mbedtls/asn1.h"
Gilles Peskine0b352bc2018-06-28 00:16:11 +02005#include "mbedtls/asn1write.h"
Gilles Peskinedd2f95b2018-08-11 01:22:42 +02006#include "mbedtls/oid.h"
Gilles Peskine42649d92022-11-23 14:15:57 +01007#include "common.h"
Gilles Peskinedd2f95b2018-08-11 01:22:42 +02008
Valerio Settibf999cb2023-12-28 17:48:13 +01009#include "mbedtls/psa_util.h"
10
Gilles Peskinebdc96fd2019-08-07 12:08:04 +020011/* For MBEDTLS_CTR_DRBG_MAX_REQUEST, knowing that psa_generate_random()
12 * uses mbedtls_ctr_drbg internally. */
13#include "mbedtls/ctr_drbg.h"
14
Gilles Peskinebdc96fd2019-08-07 12:08:04 +020015#include "psa/crypto.h"
Ronald Cron41841072020-09-17 15:28:26 +020016#include "psa_crypto_slot_management.h"
Gilles Peskinebdc96fd2019-08-07 12:08:04 +020017
Manuel Pégourié-Gonnard7abdf7e2023-03-09 11:17:43 +010018#include "psa_crypto_core.h"
19
Gilles Peskine8e94efe2021-02-13 00:25:53 +010020#include "test/asn1_helpers.h"
Ronald Cron28a45ed2021-02-09 20:35:42 +010021#include "test/psa_crypto_helpers.h"
Gilles Peskinee78b0022021-02-13 00:41:11 +010022#include "test/psa_exercise_key.h"
Archana4d7ae1d2021-07-07 02:50:22 +053023#if defined(PSA_CRYPTO_DRIVER_TEST)
24#include "test/drivers/test_driver.h"
Archana8a180362021-07-05 02:18:48 +053025#define TEST_DRIVER_LOCATION PSA_CRYPTO_TEST_DRIVER_LOCATION
26#else
27#define TEST_DRIVER_LOCATION 0x7fffff
Archana4d7ae1d2021-07-07 02:50:22 +053028#endif
Ronald Cron28a45ed2021-02-09 20:35:42 +010029
Ryan3a1b7862024-03-01 17:24:04 +000030#if defined(MBEDTLS_THREADING_PTHREAD)
31#include "mbedtls/threading.h"
32#endif
33
Gilles Peskine4023c012021-05-27 13:21:20 +020034/* If this comes up, it's a bug in the test code or in the test data. */
35#define UNUSED 0xdeadbeef
36
Dave Rodgman647791d2021-06-23 12:49:59 +010037/* Assert that an operation is (not) active.
38 * This serves as a proxy for checking if the operation is aborted. */
Gilles Peskine449bd832023-01-11 14:50:10 +010039#define ASSERT_OPERATION_IS_ACTIVE(operation) TEST_ASSERT(operation.id != 0)
40#define ASSERT_OPERATION_IS_INACTIVE(operation) TEST_ASSERT(operation.id == 0)
Gilles Peskinef426e0f2019-02-25 17:42:03 +010041
42/** An invalid export length that will never be set by psa_export_key(). */
43static const size_t INVALID_EXPORT_LENGTH = ~0U;
44
Gilles Peskinea7aa4422018-08-14 15:17:54 +020045/** Test if a buffer contains a constant byte value.
46 *
47 * `mem_is_char(buffer, c, size)` is true after `memset(buffer, c, size)`.
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020048 *
49 * \param buffer Pointer to the beginning of the buffer.
Gilles Peskinea7aa4422018-08-14 15:17:54 +020050 * \param c Expected value of every byte.
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020051 * \param size Size of the buffer in bytes.
52 *
Gilles Peskine3f669c32018-06-21 09:21:51 +020053 * \return 1 if the buffer is all-bits-zero.
54 * \return 0 if there is at least one nonzero byte.
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020055 */
Gilles Peskine449bd832023-01-11 14:50:10 +010056static int mem_is_char(void *buffer, unsigned char c, size_t size)
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020057{
58 size_t i;
Gilles Peskine449bd832023-01-11 14:50:10 +010059 for (i = 0; i < size; i++) {
60 if (((unsigned char *) buffer)[i] != c) {
61 return 0;
62 }
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020063 }
Gilles Peskine449bd832023-01-11 14:50:10 +010064 return 1;
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020065}
Andrzej Kurek77b8e092022-01-17 15:29:38 +010066#if defined(MBEDTLS_ASN1_WRITE_C)
Gilles Peskine0b352bc2018-06-28 00:16:11 +020067/* Write the ASN.1 INTEGER with the value 2^(bits-1)+x backwards from *p. */
Gilles Peskine449bd832023-01-11 14:50:10 +010068static int asn1_write_10x(unsigned char **p,
69 unsigned char *start,
70 size_t bits,
71 unsigned char x)
Gilles Peskine0b352bc2018-06-28 00:16:11 +020072{
73 int ret;
74 int len = bits / 8 + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +010075 if (bits == 0) {
76 return MBEDTLS_ERR_ASN1_INVALID_DATA;
77 }
78 if (bits <= 8 && x >= 1 << (bits - 1)) {
79 return MBEDTLS_ERR_ASN1_INVALID_DATA;
80 }
81 if (*p < start || *p - start < (ptrdiff_t) len) {
82 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
83 }
Gilles Peskine0b352bc2018-06-28 00:16:11 +020084 *p -= len;
Gilles Peskine449bd832023-01-11 14:50:10 +010085 (*p)[len-1] = x;
86 if (bits % 8 == 0) {
87 (*p)[1] |= 1;
88 } else {
89 (*p)[0] |= 1 << (bits % 8);
90 }
91 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
92 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
93 MBEDTLS_ASN1_INTEGER));
94 return len;
Gilles Peskine0b352bc2018-06-28 00:16:11 +020095}
96
Gilles Peskine449bd832023-01-11 14:50:10 +010097static int construct_fake_rsa_key(unsigned char *buffer,
98 size_t buffer_size,
99 unsigned char **p,
100 size_t bits,
101 int keypair)
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200102{
Gilles Peskine449bd832023-01-11 14:50:10 +0100103 size_t half_bits = (bits + 1) / 2;
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200104 int ret;
105 int len = 0;
106 /* Construct something that looks like a DER encoding of
107 * as defined by PKCS#1 v2.2 (RFC 8017) section A.1.2:
108 * RSAPrivateKey ::= SEQUENCE {
109 * version Version,
110 * modulus INTEGER, -- n
111 * publicExponent INTEGER, -- e
112 * privateExponent INTEGER, -- d
113 * prime1 INTEGER, -- p
114 * prime2 INTEGER, -- q
115 * exponent1 INTEGER, -- d mod (p-1)
116 * exponent2 INTEGER, -- d mod (q-1)
117 * coefficient INTEGER, -- (inverse of q) mod p
118 * otherPrimeInfos OtherPrimeInfos OPTIONAL
119 * }
120 * Or, for a public key, the same structure with only
121 * version, modulus and publicExponent.
122 */
123 *p = buffer + buffer_size;
Gilles Peskine449bd832023-01-11 14:50:10 +0100124 if (keypair) {
125 MBEDTLS_ASN1_CHK_ADD(len, /* pq */
126 asn1_write_10x(p, buffer, half_bits, 1));
127 MBEDTLS_ASN1_CHK_ADD(len, /* dq */
128 asn1_write_10x(p, buffer, half_bits, 1));
129 MBEDTLS_ASN1_CHK_ADD(len, /* dp */
130 asn1_write_10x(p, buffer, half_bits, 1));
131 MBEDTLS_ASN1_CHK_ADD(len, /* q */
132 asn1_write_10x(p, buffer, half_bits, 1));
133 MBEDTLS_ASN1_CHK_ADD(len, /* p != q to pass mbedtls sanity checks */
134 asn1_write_10x(p, buffer, half_bits, 3));
135 MBEDTLS_ASN1_CHK_ADD(len, /* d */
136 asn1_write_10x(p, buffer, bits, 1));
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200137 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100138 MBEDTLS_ASN1_CHK_ADD(len, /* e = 65537 */
139 asn1_write_10x(p, buffer, 17, 1));
140 MBEDTLS_ASN1_CHK_ADD(len, /* n */
141 asn1_write_10x(p, buffer, bits, 1));
142 if (keypair) {
143 MBEDTLS_ASN1_CHK_ADD(len, /* version = 0 */
144 mbedtls_asn1_write_int(p, buffer, 0));
145 }
146 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buffer, len));
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200147 {
148 const unsigned char tag =
149 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100150 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buffer, tag));
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200151 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100152 return len;
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200153}
Andrzej Kurek77b8e092022-01-17 15:29:38 +0100154#endif /* MBEDTLS_ASN1_WRITE_C */
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200155
Michael Schusterb1e33fb2024-06-04 02:30:22 +0200156static int exercise_mac_setup(psa_key_type_t key_type,
Michael Schuster31b1cb82024-06-04 02:41:10 +0200157 const unsigned char *key_bytes,
158 size_t key_length,
159 psa_algorithm_t alg,
160 psa_mac_operation_t *operation,
161 psa_status_t *status)
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100162{
Ronald Cron5425a212020-08-04 14:58:35 +0200163 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +0200164 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100165
Gilles Peskine449bd832023-01-11 14:50:10 +0100166 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
167 psa_set_key_algorithm(&attributes, alg);
168 psa_set_key_type(&attributes, key_type);
169 PSA_ASSERT(psa_import_key(&attributes, key_bytes, key_length, &key));
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100170
Gilles Peskine449bd832023-01-11 14:50:10 +0100171 *status = psa_mac_sign_setup(operation, key, alg);
Gilles Peskine9e0a4a52019-02-25 22:11:18 +0100172 /* Whether setup succeeded or failed, abort must succeed. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100173 PSA_ASSERT(psa_mac_abort(operation));
Gilles Peskine9e0a4a52019-02-25 22:11:18 +0100174 /* If setup failed, reproduce the failure, so that the caller can
175 * test the resulting state of the operation object. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100176 if (*status != PSA_SUCCESS) {
177 TEST_EQUAL(psa_mac_sign_setup(operation, key, alg), *status);
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100178 }
179
Gilles Peskine449bd832023-01-11 14:50:10 +0100180 psa_destroy_key(key);
181 return 1;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100182
183exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100184 psa_destroy_key(key);
185 return 0;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100186}
187
Michael Schusterb1e33fb2024-06-04 02:30:22 +0200188static int exercise_cipher_setup(psa_key_type_t key_type,
Michael Schuster31b1cb82024-06-04 02:41:10 +0200189 const unsigned char *key_bytes,
190 size_t key_length,
191 psa_algorithm_t alg,
192 psa_cipher_operation_t *operation,
193 psa_status_t *status)
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100194{
Ronald Cron5425a212020-08-04 14:58:35 +0200195 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +0200196 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100197
Gilles Peskine449bd832023-01-11 14:50:10 +0100198 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
199 psa_set_key_algorithm(&attributes, alg);
200 psa_set_key_type(&attributes, key_type);
201 PSA_ASSERT(psa_import_key(&attributes, key_bytes, key_length, &key));
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100202
Gilles Peskine449bd832023-01-11 14:50:10 +0100203 *status = psa_cipher_encrypt_setup(operation, key, alg);
Gilles Peskine9e0a4a52019-02-25 22:11:18 +0100204 /* Whether setup succeeded or failed, abort must succeed. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100205 PSA_ASSERT(psa_cipher_abort(operation));
Gilles Peskine9e0a4a52019-02-25 22:11:18 +0100206 /* If setup failed, reproduce the failure, so that the caller can
207 * test the resulting state of the operation object. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100208 if (*status != PSA_SUCCESS) {
209 TEST_EQUAL(psa_cipher_encrypt_setup(operation, key, alg),
210 *status);
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100211 }
212
Gilles Peskine449bd832023-01-11 14:50:10 +0100213 psa_destroy_key(key);
214 return 1;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100215
216exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100217 psa_destroy_key(key);
218 return 0;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100219}
220
Gilles Peskine449bd832023-01-11 14:50:10 +0100221static int test_operations_on_invalid_key(mbedtls_svc_key_id_t key)
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200222{
223 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100224 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, 0x6964);
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200225 uint8_t buffer[1];
226 size_t length;
227 int ok = 0;
228
Gilles Peskine449bd832023-01-11 14:50:10 +0100229 psa_set_key_id(&attributes, key_id);
230 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
231 psa_set_key_algorithm(&attributes, PSA_ALG_CTR);
232 psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
233 TEST_EQUAL(psa_get_key_attributes(key, &attributes),
234 PSA_ERROR_INVALID_HANDLE);
Ronald Cronecfb2372020-07-23 17:13:42 +0200235 TEST_EQUAL(
Gilles Peskine449bd832023-01-11 14:50:10 +0100236 MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(&attributes)), 0);
Ronald Cronecfb2372020-07-23 17:13:42 +0200237 TEST_EQUAL(
Gilles Peskine449bd832023-01-11 14:50:10 +0100238 MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(psa_get_key_id(&attributes)), 0);
239 TEST_EQUAL(psa_get_key_lifetime(&attributes), 0);
240 TEST_EQUAL(psa_get_key_usage_flags(&attributes), 0);
241 TEST_EQUAL(psa_get_key_algorithm(&attributes), 0);
242 TEST_EQUAL(psa_get_key_type(&attributes), 0);
243 TEST_EQUAL(psa_get_key_bits(&attributes), 0);
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200244
Gilles Peskine449bd832023-01-11 14:50:10 +0100245 TEST_EQUAL(psa_export_key(key, buffer, sizeof(buffer), &length),
246 PSA_ERROR_INVALID_HANDLE);
247 TEST_EQUAL(psa_export_public_key(key,
248 buffer, sizeof(buffer), &length),
249 PSA_ERROR_INVALID_HANDLE);
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200250
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200251 ok = 1;
252
253exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +0100254 /*
255 * Key attributes may have been returned by psa_get_key_attributes()
256 * thus reset them as required.
257 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100258 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +0100259
Gilles Peskine449bd832023-01-11 14:50:10 +0100260 return ok;
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200261}
262
Gilles Peskine5fe5e272019-08-02 20:30:01 +0200263/* Assert that a key isn't reported as having a slot number. */
264#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100265#define ASSERT_NO_SLOT_NUMBER(attributes) \
Michael Schuster31b1cb82024-06-04 02:41:10 +0200266 do \
267 { \
268 psa_key_slot_number_t ASSERT_NO_SLOT_NUMBER_slot_number; \
269 TEST_EQUAL(psa_get_key_slot_number( \
270 attributes, \
Gilles Peskine449bd832023-01-11 14:50:10 +0100271 &ASSERT_NO_SLOT_NUMBER_slot_number), \
272 PSA_ERROR_INVALID_ARGUMENT); \
Michael Schuster31b1cb82024-06-04 02:41:10 +0200273 } \
Gilles Peskine449bd832023-01-11 14:50:10 +0100274 while (0)
Gilles Peskine5fe5e272019-08-02 20:30:01 +0200275#else /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskine449bd832023-01-11 14:50:10 +0100276#define ASSERT_NO_SLOT_NUMBER(attributes) \
277 ((void) 0)
Gilles Peskine5fe5e272019-08-02 20:30:01 +0200278#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
279
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +0530280#define INPUT_INTEGER 0x10000 /* Out of range of psa_key_type_t */
281
Gilles Peskinebdf309c2018-12-03 15:36:32 +0100282/* An overapproximation of the amount of storage needed for a key of the
283 * given type and with the given content. The API doesn't make it easy
284 * to find a good value for the size. The current implementation doesn't
285 * care about the value anyway. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100286#define KEY_BITS_FROM_DATA(type, data) \
287 (data)->len
Gilles Peskinebdf309c2018-12-03 15:36:32 +0100288
Darryl Green0c6575a2018-11-07 16:05:30 +0000289typedef enum {
290 IMPORT_KEY = 0,
291 GENERATE_KEY = 1,
292 DERIVE_KEY = 2
293} generate_method;
294
Gilles Peskine449bd832023-01-11 14:50:10 +0100295typedef enum {
Paul Elliott33746aa2021-09-15 16:40:40 +0100296 DO_NOT_SET_LENGTHS = 0,
297 SET_LENGTHS_BEFORE_NONCE = 1,
298 SET_LENGTHS_AFTER_NONCE = 2
Paul Elliottbb979e72021-09-22 12:54:42 +0100299} set_lengths_method_t;
Paul Elliott33746aa2021-09-15 16:40:40 +0100300
Gilles Peskine449bd832023-01-11 14:50:10 +0100301typedef enum {
Paul Elliott1c67e0b2021-09-19 13:11:50 +0100302 USE_NULL_TAG = 0,
303 USE_GIVEN_TAG = 1,
Paul Elliottbb979e72021-09-22 12:54:42 +0100304} tag_usage_method_t;
Paul Elliott1c67e0b2021-09-19 13:11:50 +0100305
Kusumit Ghoderaoa14ae5a2023-04-19 14:16:26 +0530306
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100307/*!
308 * \brief Internal Function for AEAD multipart tests.
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100309 * \param key_type_arg Type of key passed in
310 * \param key_data The encryption / decryption key data
311 * \param alg_arg The type of algorithm used
312 * \param nonce Nonce data
313 * \param additional_data Additional data
Paul Elliott8eec8d42021-09-19 22:38:27 +0100314 * \param ad_part_len_arg If not -1, the length of chunks to
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100315 * feed additional data in to be encrypted /
316 * decrypted. If -1, no chunking.
317 * \param input_data Data to encrypt / decrypt
Paul Elliott8eec8d42021-09-19 22:38:27 +0100318 * \param data_part_len_arg If not -1, the length of chunks to feed
319 * the data in to be encrypted / decrypted. If
320 * -1, no chunking
Paul Elliottbb979e72021-09-22 12:54:42 +0100321 * \param set_lengths_method A member of the set_lengths_method_t enum is
Paul Elliott8eec8d42021-09-19 22:38:27 +0100322 * expected here, this controls whether or not
323 * to set lengths, and in what order with
324 * respect to set nonce.
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100325 * \param expected_output Expected output
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100326 * \param is_encrypt If non-zero this is an encryption operation.
Paul Elliott41ffae12021-07-22 21:52:01 +0100327 * \param do_zero_parts If non-zero, interleave zero length chunks
Paul Elliott8eec8d42021-09-19 22:38:27 +0100328 * with normal length chunks.
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100329 * \return int Zero on failure, non-zero on success.
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100330 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100331static int aead_multipart_internal_func(int key_type_arg, data_t *key_data,
332 int alg_arg,
333 data_t *nonce,
334 data_t *additional_data,
335 int ad_part_len_arg,
336 data_t *input_data,
337 int data_part_len_arg,
338 set_lengths_method_t set_lengths_method,
339 data_t *expected_output,
340 int is_encrypt,
341 int do_zero_parts)
Paul Elliottd3f82412021-06-16 16:52:21 +0100342{
343 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
344 psa_key_type_t key_type = key_type_arg;
345 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +0100346 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliottd3f82412021-06-16 16:52:21 +0100347 unsigned char *output_data = NULL;
348 unsigned char *part_data = NULL;
349 unsigned char *final_data = NULL;
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100350 size_t data_true_size = 0;
Paul Elliottd3f82412021-06-16 16:52:21 +0100351 size_t part_data_size = 0;
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100352 size_t output_size = 0;
353 size_t final_output_size = 0;
Paul Elliottd3f82412021-06-16 16:52:21 +0100354 size_t output_length = 0;
355 size_t key_bits = 0;
356 size_t tag_length = 0;
Paul Elliott6bfd0fb2021-09-15 14:15:55 +0100357 size_t part_offset = 0;
Paul Elliottd3f82412021-06-16 16:52:21 +0100358 size_t part_length = 0;
359 size_t output_part_length = 0;
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100360 size_t tag_size = 0;
Paul Elliott6bfd0fb2021-09-15 14:15:55 +0100361 size_t ad_part_len = 0;
362 size_t data_part_len = 0;
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100363 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE];
Paul Elliottd3f82412021-06-16 16:52:21 +0100364 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
365 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
366
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100367 int test_ok = 0;
Paul Elliott6bfd0fb2021-09-15 14:15:55 +0100368 size_t part_count = 0;
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100369
Gilles Peskine449bd832023-01-11 14:50:10 +0100370 PSA_ASSERT(psa_crypto_init());
Paul Elliottd3f82412021-06-16 16:52:21 +0100371
Gilles Peskine449bd832023-01-11 14:50:10 +0100372 if (is_encrypt) {
373 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
374 } else {
375 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100376 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100377
378 psa_set_key_algorithm(&attributes, alg);
379 psa_set_key_type(&attributes, key_type);
380
381 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
382 &key));
383
384 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
385 key_bits = psa_get_key_bits(&attributes);
386
387 tag_length = PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg);
388
389 if (is_encrypt) {
390 /* Tag gets written at end of buffer. */
391 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg,
392 (input_data->len +
393 tag_length));
394 data_true_size = input_data->len;
395 } else {
396 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg,
397 (input_data->len -
398 tag_length));
Paul Elliottd3f82412021-06-16 16:52:21 +0100399
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100400 /* Do not want to attempt to decrypt tag. */
401 data_true_size = input_data->len - tag_length;
402 }
Paul Elliottd3f82412021-06-16 16:52:21 +0100403
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100404 TEST_CALLOC(output_data, output_size);
Paul Elliottd3f82412021-06-16 16:52:21 +0100405
Gilles Peskine449bd832023-01-11 14:50:10 +0100406 if (is_encrypt) {
407 final_output_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg);
408 TEST_LE_U(final_output_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE);
409 } else {
410 final_output_size = PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg);
411 TEST_LE_U(final_output_size, PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE);
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100412 }
Paul Elliottd3f82412021-06-16 16:52:21 +0100413
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100414 TEST_CALLOC(final_data, final_output_size);
Paul Elliottd3f82412021-06-16 16:52:21 +0100415
Gilles Peskine449bd832023-01-11 14:50:10 +0100416 if (is_encrypt) {
417 status = psa_aead_encrypt_setup(&operation, key, alg);
418 } else {
419 status = psa_aead_decrypt_setup(&operation, key, alg);
420 }
Paul Elliottd3f82412021-06-16 16:52:21 +0100421
422 /* If the operation is not supported, just skip and not fail in case the
423 * encryption involves a common limitation of cryptography hardwares and
424 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100425 if (status == PSA_ERROR_NOT_SUPPORTED) {
426 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
427 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Paul Elliottd3f82412021-06-16 16:52:21 +0100428 }
429
Gilles Peskine449bd832023-01-11 14:50:10 +0100430 PSA_ASSERT(status);
Paul Elliottd3f82412021-06-16 16:52:21 +0100431
Gilles Peskine449bd832023-01-11 14:50:10 +0100432 if (set_lengths_method == DO_NOT_SET_LENGTHS) {
433 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
434 } else if (set_lengths_method == SET_LENGTHS_BEFORE_NONCE) {
435 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
436 data_true_size));
437 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
438 } else if (set_lengths_method == SET_LENGTHS_AFTER_NONCE) {
439 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottebf91632021-07-22 17:54:42 +0100440
Gilles Peskine449bd832023-01-11 14:50:10 +0100441 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
442 data_true_size));
Paul Elliottd3f82412021-06-16 16:52:21 +0100443 }
Paul Elliottd3f82412021-06-16 16:52:21 +0100444
Gilles Peskine449bd832023-01-11 14:50:10 +0100445 if (ad_part_len_arg != -1) {
Paul Elliottd3f82412021-06-16 16:52:21 +0100446 /* Pass additional data in parts */
Paul Elliott6bfd0fb2021-09-15 14:15:55 +0100447 ad_part_len = (size_t) ad_part_len_arg;
Paul Elliottd3f82412021-06-16 16:52:21 +0100448
Gilles Peskine449bd832023-01-11 14:50:10 +0100449 for (part_offset = 0, part_count = 0;
Paul Elliott4e4d71a2021-09-15 16:50:01 +0100450 part_offset < additional_data->len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100451 part_offset += part_length, part_count++) {
452 if (do_zero_parts && (part_count & 0x01)) {
Paul Elliott329d5382021-07-22 17:10:45 +0100453 part_length = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100454 } else if (additional_data->len - part_offset < ad_part_len) {
Paul Elliotte49fe452021-09-15 16:52:11 +0100455 part_length = additional_data->len - part_offset;
Gilles Peskine449bd832023-01-11 14:50:10 +0100456 } else {
Paul Elliotte49fe452021-09-15 16:52:11 +0100457 part_length = ad_part_len;
Paul Elliottd3f82412021-06-16 16:52:21 +0100458 }
459
Gilles Peskine449bd832023-01-11 14:50:10 +0100460 PSA_ASSERT(psa_aead_update_ad(&operation,
461 additional_data->x + part_offset,
462 part_length));
Paul Elliottd3f82412021-06-16 16:52:21 +0100463
Paul Elliottd3f82412021-06-16 16:52:21 +0100464 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100465 } else {
Paul Elliottd3f82412021-06-16 16:52:21 +0100466 /* Pass additional data in one go. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100467 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
468 additional_data->len));
Paul Elliottd3f82412021-06-16 16:52:21 +0100469 }
470
Gilles Peskine449bd832023-01-11 14:50:10 +0100471 if (data_part_len_arg != -1) {
Paul Elliottd3f82412021-06-16 16:52:21 +0100472 /* Pass data in parts */
Gilles Peskine449bd832023-01-11 14:50:10 +0100473 data_part_len = (size_t) data_part_len_arg;
474 part_data_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg,
475 (size_t) data_part_len);
Paul Elliottd3f82412021-06-16 16:52:21 +0100476
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100477 TEST_CALLOC(part_data, part_data_size);
Paul Elliottd3f82412021-06-16 16:52:21 +0100478
Gilles Peskine449bd832023-01-11 14:50:10 +0100479 for (part_offset = 0, part_count = 0;
Paul Elliott4e4d71a2021-09-15 16:50:01 +0100480 part_offset < data_true_size;
Gilles Peskine449bd832023-01-11 14:50:10 +0100481 part_offset += part_length, part_count++) {
482 if (do_zero_parts && (part_count & 0x01)) {
Paul Elliott329d5382021-07-22 17:10:45 +0100483 part_length = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100484 } else if ((data_true_size - part_offset) < data_part_len) {
485 part_length = (data_true_size - part_offset);
486 } else {
Paul Elliotte49fe452021-09-15 16:52:11 +0100487 part_length = data_part_len;
Paul Elliottd3f82412021-06-16 16:52:21 +0100488 }
489
Gilles Peskine449bd832023-01-11 14:50:10 +0100490 PSA_ASSERT(psa_aead_update(&operation,
491 (input_data->x + part_offset),
492 part_length, part_data,
493 part_data_size,
494 &output_part_length));
Paul Elliottd3f82412021-06-16 16:52:21 +0100495
Gilles Peskine449bd832023-01-11 14:50:10 +0100496 if (output_data && output_part_length) {
497 memcpy((output_data + output_length), part_data,
498 output_part_length);
Paul Elliottd3f82412021-06-16 16:52:21 +0100499 }
500
Paul Elliottd3f82412021-06-16 16:52:21 +0100501 output_length += output_part_length;
502 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100503 } else {
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100504 /* Pass all data in one go. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100505 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
506 data_true_size, output_data,
507 output_size, &output_length));
Paul Elliottd3f82412021-06-16 16:52:21 +0100508 }
509
Gilles Peskine449bd832023-01-11 14:50:10 +0100510 if (is_encrypt) {
511 PSA_ASSERT(psa_aead_finish(&operation, final_data,
512 final_output_size,
513 &output_part_length,
514 tag_buffer, tag_length,
515 &tag_size));
516 } else {
517 PSA_ASSERT(psa_aead_verify(&operation, final_data,
518 final_output_size,
519 &output_part_length,
520 (input_data->x + data_true_size),
521 tag_length));
Paul Elliottd3f82412021-06-16 16:52:21 +0100522 }
523
Gilles Peskine449bd832023-01-11 14:50:10 +0100524 if (output_data && output_part_length) {
525 memcpy((output_data + output_length), final_data,
526 output_part_length);
527 }
Paul Elliottd3f82412021-06-16 16:52:21 +0100528
529 output_length += output_part_length;
530
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100531
532 /* For all currently defined algorithms, PSA_AEAD_xxx_OUTPUT_SIZE
533 * should be exact.*/
Gilles Peskine449bd832023-01-11 14:50:10 +0100534 if (is_encrypt) {
535 TEST_EQUAL(tag_length, tag_size);
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100536
Gilles Peskine449bd832023-01-11 14:50:10 +0100537 if (output_data && tag_length) {
538 memcpy((output_data + output_length), tag_buffer,
539 tag_length);
540 }
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100541
542 output_length += tag_length;
543
Gilles Peskine449bd832023-01-11 14:50:10 +0100544 TEST_EQUAL(output_length,
545 PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg,
546 input_data->len));
547 TEST_LE_U(output_length,
548 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(input_data->len));
549 } else {
550 TEST_EQUAL(output_length,
551 PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg,
552 input_data->len));
553 TEST_LE_U(output_length,
554 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(input_data->len));
Paul Elliottd3f82412021-06-16 16:52:21 +0100555 }
556
Paul Elliottd3f82412021-06-16 16:52:21 +0100557
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +0100558 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +0100559 output_data, output_length);
Paul Elliottd3f82412021-06-16 16:52:21 +0100560
Paul Elliottd3f82412021-06-16 16:52:21 +0100561
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100562 test_ok = 1;
Paul Elliottd3f82412021-06-16 16:52:21 +0100563
564exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100565 psa_destroy_key(key);
566 psa_aead_abort(&operation);
567 mbedtls_free(output_data);
568 mbedtls_free(part_data);
569 mbedtls_free(final_data);
570 PSA_DONE();
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100571
Gilles Peskine449bd832023-01-11 14:50:10 +0100572 return test_ok;
Paul Elliottd3f82412021-06-16 16:52:21 +0100573}
574
Neil Armstrong4766f992022-02-28 16:23:59 +0100575/*!
576 * \brief Internal Function for MAC multipart tests.
577 * \param key_type_arg Type of key passed in
578 * \param key_data The encryption / decryption key data
579 * \param alg_arg The type of algorithm used
580 * \param input_data Data to encrypt / decrypt
581 * \param data_part_len_arg If not -1, the length of chunks to feed
582 * the data in to be encrypted / decrypted. If
583 * -1, no chunking
584 * \param expected_output Expected output
Tom Cosgrove1797b052022-12-04 17:19:59 +0000585 * \param is_verify If non-zero this is a verify operation.
Neil Armstrong4766f992022-02-28 16:23:59 +0100586 * \param do_zero_parts If non-zero, interleave zero length chunks
587 * with normal length chunks.
588 * \return int Zero on failure, non-zero on success.
589 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100590static int mac_multipart_internal_func(int key_type_arg, data_t *key_data,
591 int alg_arg,
592 data_t *input_data,
593 int data_part_len_arg,
594 data_t *expected_output,
595 int is_verify,
596 int do_zero_parts)
Neil Armstrong4766f992022-02-28 16:23:59 +0100597{
598 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
599 psa_key_type_t key_type = key_type_arg;
600 psa_algorithm_t alg = alg_arg;
601 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
602 unsigned char mac[PSA_MAC_MAX_SIZE];
603 size_t part_offset = 0;
604 size_t part_length = 0;
605 size_t data_part_len = 0;
606 size_t mac_len = 0;
607 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
608 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
609
610 int test_ok = 0;
611 size_t part_count = 0;
612
Gilles Peskine449bd832023-01-11 14:50:10 +0100613 PSA_INIT();
Neil Armstrong4766f992022-02-28 16:23:59 +0100614
Gilles Peskine449bd832023-01-11 14:50:10 +0100615 if (is_verify) {
616 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
617 } else {
618 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
619 }
Neil Armstrong4766f992022-02-28 16:23:59 +0100620
Gilles Peskine449bd832023-01-11 14:50:10 +0100621 psa_set_key_algorithm(&attributes, alg);
622 psa_set_key_type(&attributes, key_type);
Neil Armstrong4766f992022-02-28 16:23:59 +0100623
Gilles Peskine449bd832023-01-11 14:50:10 +0100624 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
625 &key));
Neil Armstrong4766f992022-02-28 16:23:59 +0100626
Gilles Peskine449bd832023-01-11 14:50:10 +0100627 if (is_verify) {
628 status = psa_mac_verify_setup(&operation, key, alg);
629 } else {
630 status = psa_mac_sign_setup(&operation, key, alg);
631 }
Neil Armstrong4766f992022-02-28 16:23:59 +0100632
Gilles Peskine449bd832023-01-11 14:50:10 +0100633 PSA_ASSERT(status);
Neil Armstrong4766f992022-02-28 16:23:59 +0100634
Gilles Peskine449bd832023-01-11 14:50:10 +0100635 if (data_part_len_arg != -1) {
Neil Armstrong4766f992022-02-28 16:23:59 +0100636 /* Pass data in parts */
Gilles Peskine449bd832023-01-11 14:50:10 +0100637 data_part_len = (size_t) data_part_len_arg;
Neil Armstrong4766f992022-02-28 16:23:59 +0100638
Gilles Peskine449bd832023-01-11 14:50:10 +0100639 for (part_offset = 0, part_count = 0;
Neil Armstrong4766f992022-02-28 16:23:59 +0100640 part_offset < input_data->len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100641 part_offset += part_length, part_count++) {
642 if (do_zero_parts && (part_count & 0x01)) {
Neil Armstrong4766f992022-02-28 16:23:59 +0100643 part_length = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100644 } else if ((input_data->len - part_offset) < data_part_len) {
645 part_length = (input_data->len - part_offset);
646 } else {
Neil Armstrong4766f992022-02-28 16:23:59 +0100647 part_length = data_part_len;
648 }
649
Gilles Peskine449bd832023-01-11 14:50:10 +0100650 PSA_ASSERT(psa_mac_update(&operation,
651 (input_data->x + part_offset),
652 part_length));
Neil Armstrong4766f992022-02-28 16:23:59 +0100653 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100654 } else {
Neil Armstrong4766f992022-02-28 16:23:59 +0100655 /* Pass all data in one go. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100656 PSA_ASSERT(psa_mac_update(&operation, input_data->x,
657 input_data->len));
Neil Armstrong4766f992022-02-28 16:23:59 +0100658 }
659
Gilles Peskine449bd832023-01-11 14:50:10 +0100660 if (is_verify) {
661 PSA_ASSERT(psa_mac_verify_finish(&operation, expected_output->x,
662 expected_output->len));
663 } else {
664 PSA_ASSERT(psa_mac_sign_finish(&operation, mac,
665 PSA_MAC_MAX_SIZE, &mac_len));
Neil Armstrong4766f992022-02-28 16:23:59 +0100666
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +0100667 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +0100668 mac, mac_len);
Neil Armstrong4766f992022-02-28 16:23:59 +0100669 }
670
671 test_ok = 1;
672
673exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100674 psa_destroy_key(key);
675 psa_mac_abort(&operation);
676 PSA_DONE();
Neil Armstrong4766f992022-02-28 16:23:59 +0100677
Gilles Peskine449bd832023-01-11 14:50:10 +0100678 return test_ok;
Neil Armstrong4766f992022-02-28 16:23:59 +0100679}
680
Neil Armstrong75673ab2022-06-15 17:39:01 +0200681#if defined(PSA_WANT_ALG_JPAKE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100682static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
683 psa_pake_operation_t *server,
684 psa_pake_operation_t *client,
685 int client_input_first,
686 int round, int inject_error)
Neil Armstrongf983caf2022-06-15 15:27:48 +0200687{
688 unsigned char *buffer0 = NULL, *buffer1 = NULL;
689 size_t buffer_length = (
690 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE) +
691 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC) +
692 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF)) * 2;
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +0200693 /* The output should be exactly this size according to the spec */
694 const size_t expected_size_key_share =
695 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE);
696 /* The output should be exactly this size according to the spec */
697 const size_t expected_size_zk_public =
698 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC);
699 /* The output can be smaller: the spec allows stripping leading zeroes */
700 const size_t max_expected_size_zk_proof =
701 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200702 size_t buffer0_off = 0;
703 size_t buffer1_off = 0;
704 size_t s_g1_len, s_g2_len, s_a_len;
705 size_t s_g1_off, s_g2_off, s_a_off;
706 size_t s_x1_pk_len, s_x2_pk_len, s_x2s_pk_len;
707 size_t s_x1_pk_off, s_x2_pk_off, s_x2s_pk_off;
708 size_t s_x1_pr_len, s_x2_pr_len, s_x2s_pr_len;
709 size_t s_x1_pr_off, s_x2_pr_off, s_x2s_pr_off;
710 size_t c_g1_len, c_g2_len, c_a_len;
711 size_t c_g1_off, c_g2_off, c_a_off;
712 size_t c_x1_pk_len, c_x2_pk_len, c_x2s_pk_len;
713 size_t c_x1_pk_off, c_x2_pk_off, c_x2s_pk_off;
714 size_t c_x1_pr_len, c_x2_pr_len, c_x2s_pr_len;
715 size_t c_x1_pr_off, c_x2_pr_off, c_x2s_pr_off;
716 psa_status_t expected_status = PSA_SUCCESS;
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200717 psa_status_t status;
Neil Armstrongf983caf2022-06-15 15:27:48 +0200718
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100719 TEST_CALLOC(buffer0, buffer_length);
720 TEST_CALLOC(buffer1, buffer_length);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200721
Gilles Peskine449bd832023-01-11 14:50:10 +0100722 switch (round) {
Neil Armstrongf983caf2022-06-15 15:27:48 +0200723 case 1:
724 /* Server first round Output */
Gilles Peskine449bd832023-01-11 14:50:10 +0100725 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
726 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000727 buffer_length - buffer0_off, &s_g1_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100728 TEST_EQUAL(s_g1_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200729 s_g1_off = buffer0_off;
730 buffer0_off += s_g1_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100731 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
732 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000733 buffer_length - buffer0_off, &s_x1_pk_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100734 TEST_EQUAL(s_x1_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200735 s_x1_pk_off = buffer0_off;
736 buffer0_off += s_x1_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100737 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
738 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000739 buffer_length - buffer0_off, &s_x1_pr_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100740 TEST_LE_U(s_x1_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200741 s_x1_pr_off = buffer0_off;
742 buffer0_off += s_x1_pr_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100743 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
744 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000745 buffer_length - buffer0_off, &s_g2_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100746 TEST_EQUAL(s_g2_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200747 s_g2_off = buffer0_off;
748 buffer0_off += s_g2_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100749 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
750 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000751 buffer_length - buffer0_off, &s_x2_pk_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100752 TEST_EQUAL(s_x2_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200753 s_x2_pk_off = buffer0_off;
754 buffer0_off += s_x2_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100755 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
756 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000757 buffer_length - buffer0_off, &s_x2_pr_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100758 TEST_LE_U(s_x2_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200759 s_x2_pr_off = buffer0_off;
760 buffer0_off += s_x2_pr_len;
761
Gilles Peskine449bd832023-01-11 14:50:10 +0100762 if (inject_error == 1) {
Andrzej Kurekc0182042022-11-08 08:12:56 -0500763 buffer0[s_x1_pr_off + 8] ^= 1;
764 buffer0[s_x2_pr_off + 7] ^= 1;
Neil Armstrongf983caf2022-06-15 15:27:48 +0200765 expected_status = PSA_ERROR_DATA_INVALID;
766 }
767
Neil Armstrong51009d72022-09-05 17:59:54 +0200768 /*
769 * When injecting errors in inputs, the implementation is
770 * free to detect it right away of with a delay.
771 * This permits delaying the error until the end of the input
772 * sequence, if no error appears then, this will be treated
773 * as an error.
774 */
775
Gilles Peskine449bd832023-01-11 14:50:10 +0100776 if (client_input_first == 1) {
Neil Armstrongf983caf2022-06-15 15:27:48 +0200777 /* Client first round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +0100778 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
779 buffer0 + s_g1_off, s_g1_len);
780 if (inject_error == 1 && status != PSA_SUCCESS) {
781 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200782 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100783 } else {
784 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200785 }
786
Gilles Peskine449bd832023-01-11 14:50:10 +0100787 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
788 buffer0 + s_x1_pk_off,
789 s_x1_pk_len);
790 if (inject_error == 1 && status != PSA_SUCCESS) {
791 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200792 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100793 } else {
794 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200795 }
796
Gilles Peskine449bd832023-01-11 14:50:10 +0100797 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
798 buffer0 + s_x1_pr_off,
799 s_x1_pr_len);
800 if (inject_error == 1 && status != PSA_SUCCESS) {
801 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200802 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100803 } else {
804 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200805 }
806
Gilles Peskine449bd832023-01-11 14:50:10 +0100807 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
808 buffer0 + s_g2_off,
809 s_g2_len);
810 if (inject_error == 1 && status != PSA_SUCCESS) {
811 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200812 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100813 } else {
814 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200815 }
816
Gilles Peskine449bd832023-01-11 14:50:10 +0100817 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
818 buffer0 + s_x2_pk_off,
819 s_x2_pk_len);
820 if (inject_error == 1 && status != PSA_SUCCESS) {
821 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200822 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100823 } else {
824 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200825 }
826
Gilles Peskine449bd832023-01-11 14:50:10 +0100827 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
828 buffer0 + s_x2_pr_off,
829 s_x2_pr_len);
830 if (inject_error == 1 && status != PSA_SUCCESS) {
831 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200832 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100833 } else {
834 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200835 }
836
Neil Armstrong78c4e8e2022-09-05 18:08:13 +0200837 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +0100838 if (inject_error == 1) {
839 TEST_ASSERT(
840 !"One of the last psa_pake_input() calls should have returned the expected error.");
841 }
Neil Armstrongf983caf2022-06-15 15:27:48 +0200842 }
843
844 /* Client first round Output */
Gilles Peskine449bd832023-01-11 14:50:10 +0100845 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
846 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000847 buffer_length - buffer1_off, &c_g1_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100848 TEST_EQUAL(c_g1_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200849 c_g1_off = buffer1_off;
850 buffer1_off += c_g1_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100851 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
852 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000853 buffer_length - buffer1_off, &c_x1_pk_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100854 TEST_EQUAL(c_x1_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200855 c_x1_pk_off = buffer1_off;
856 buffer1_off += c_x1_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100857 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
858 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000859 buffer_length - buffer1_off, &c_x1_pr_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100860 TEST_LE_U(c_x1_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200861 c_x1_pr_off = buffer1_off;
862 buffer1_off += c_x1_pr_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100863 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
864 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000865 buffer_length - buffer1_off, &c_g2_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100866 TEST_EQUAL(c_g2_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200867 c_g2_off = buffer1_off;
868 buffer1_off += c_g2_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100869 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
870 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000871 buffer_length - buffer1_off, &c_x2_pk_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100872 TEST_EQUAL(c_x2_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200873 c_x2_pk_off = buffer1_off;
874 buffer1_off += c_x2_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100875 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
876 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000877 buffer_length - buffer1_off, &c_x2_pr_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100878 TEST_LE_U(c_x2_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200879 c_x2_pr_off = buffer1_off;
880 buffer1_off += c_x2_pr_len;
881
Gilles Peskine449bd832023-01-11 14:50:10 +0100882 if (client_input_first == 0) {
Neil Armstrongf983caf2022-06-15 15:27:48 +0200883 /* Client first round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +0100884 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
885 buffer0 + s_g1_off, s_g1_len);
886 if (inject_error == 1 && status != PSA_SUCCESS) {
887 TEST_EQUAL(status, expected_status);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200888 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100889 } else {
890 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200891 }
892
Gilles Peskine449bd832023-01-11 14:50:10 +0100893 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
894 buffer0 + s_x1_pk_off,
895 s_x1_pk_len);
896 if (inject_error == 1 && status != PSA_SUCCESS) {
897 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200898 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100899 } else {
900 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200901 }
902
Gilles Peskine449bd832023-01-11 14:50:10 +0100903 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
904 buffer0 + s_x1_pr_off,
905 s_x1_pr_len);
906 if (inject_error == 1 && status != PSA_SUCCESS) {
907 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200908 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100909 } else {
910 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200911 }
912
Gilles Peskine449bd832023-01-11 14:50:10 +0100913 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
914 buffer0 + s_g2_off,
915 s_g2_len);
916 if (inject_error == 1 && status != PSA_SUCCESS) {
917 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200918 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100919 } else {
920 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200921 }
922
Gilles Peskine449bd832023-01-11 14:50:10 +0100923 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
924 buffer0 + s_x2_pk_off,
925 s_x2_pk_len);
926 if (inject_error == 1 && status != PSA_SUCCESS) {
927 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200928 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100929 } else {
930 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200931 }
932
Gilles Peskine449bd832023-01-11 14:50:10 +0100933 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
934 buffer0 + s_x2_pr_off,
935 s_x2_pr_len);
936 if (inject_error == 1 && status != PSA_SUCCESS) {
937 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200938 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100939 } else {
940 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200941 }
942
Neil Armstrong78c4e8e2022-09-05 18:08:13 +0200943 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +0100944 if (inject_error == 1) {
945 TEST_ASSERT(
946 !"One of the last psa_pake_input() calls should have returned the expected error.");
947 }
Neil Armstrongf983caf2022-06-15 15:27:48 +0200948 }
949
Gilles Peskine449bd832023-01-11 14:50:10 +0100950 if (inject_error == 2) {
Andrzej Kurekc0182042022-11-08 08:12:56 -0500951 buffer1[c_x1_pr_off + 12] ^= 1;
952 buffer1[c_x2_pr_off + 7] ^= 1;
Neil Armstrongf983caf2022-06-15 15:27:48 +0200953 expected_status = PSA_ERROR_DATA_INVALID;
954 }
955
956 /* Server first round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +0100957 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE,
958 buffer1 + c_g1_off, c_g1_len);
959 if (inject_error == 2 && status != PSA_SUCCESS) {
960 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200961 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100962 } else {
963 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200964 }
965
Gilles Peskine449bd832023-01-11 14:50:10 +0100966 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC,
967 buffer1 + c_x1_pk_off, c_x1_pk_len);
968 if (inject_error == 2 && status != PSA_SUCCESS) {
969 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200970 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100971 } else {
972 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200973 }
974
Gilles Peskine449bd832023-01-11 14:50:10 +0100975 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF,
976 buffer1 + c_x1_pr_off, c_x1_pr_len);
977 if (inject_error == 2 && status != PSA_SUCCESS) {
978 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200979 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100980 } else {
981 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200982 }
983
Gilles Peskine449bd832023-01-11 14:50:10 +0100984 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE,
985 buffer1 + c_g2_off, c_g2_len);
986 if (inject_error == 2 && status != PSA_SUCCESS) {
987 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200988 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100989 } else {
990 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200991 }
992
Gilles Peskine449bd832023-01-11 14:50:10 +0100993 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC,
994 buffer1 + c_x2_pk_off, c_x2_pk_len);
995 if (inject_error == 2 && status != PSA_SUCCESS) {
996 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200997 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100998 } else {
999 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001000 }
1001
Gilles Peskine449bd832023-01-11 14:50:10 +01001002 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF,
1003 buffer1 + c_x2_pr_off, c_x2_pr_len);
1004 if (inject_error == 2 && status != PSA_SUCCESS) {
1005 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001006 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001007 } else {
1008 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001009 }
1010
Neil Armstrong78c4e8e2022-09-05 18:08:13 +02001011 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +01001012 if (inject_error == 2) {
1013 TEST_ASSERT(
1014 !"One of the last psa_pake_input() calls should have returned the expected error.");
1015 }
Neil Armstrongf983caf2022-06-15 15:27:48 +02001016
1017 break;
1018
1019 case 2:
1020 /* Server second round Output */
1021 buffer0_off = 0;
1022
Gilles Peskine449bd832023-01-11 14:50:10 +01001023 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
1024 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +00001025 buffer_length - buffer0_off, &s_a_len));
Gilles Peskine449bd832023-01-11 14:50:10 +01001026 TEST_EQUAL(s_a_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001027 s_a_off = buffer0_off;
1028 buffer0_off += s_a_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001029 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
1030 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +00001031 buffer_length - buffer0_off, &s_x2s_pk_len));
Gilles Peskine449bd832023-01-11 14:50:10 +01001032 TEST_EQUAL(s_x2s_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001033 s_x2s_pk_off = buffer0_off;
1034 buffer0_off += s_x2s_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001035 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
1036 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +00001037 buffer_length - buffer0_off, &s_x2s_pr_len));
Gilles Peskine449bd832023-01-11 14:50:10 +01001038 TEST_LE_U(s_x2s_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001039 s_x2s_pr_off = buffer0_off;
1040 buffer0_off += s_x2s_pr_len;
1041
Gilles Peskine449bd832023-01-11 14:50:10 +01001042 if (inject_error == 3) {
Neil Armstrongeae1dfc2022-06-21 13:37:06 +02001043 buffer0[s_x2s_pk_off + 12] += 0x33;
Neil Armstrongf983caf2022-06-15 15:27:48 +02001044 expected_status = PSA_ERROR_DATA_INVALID;
1045 }
1046
Gilles Peskine449bd832023-01-11 14:50:10 +01001047 if (client_input_first == 1) {
Neil Armstrongf983caf2022-06-15 15:27:48 +02001048 /* Client second round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +01001049 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
1050 buffer0 + s_a_off, s_a_len);
1051 if (inject_error == 3 && status != PSA_SUCCESS) {
1052 TEST_EQUAL(status, expected_status);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001053 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001054 } else {
1055 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001056 }
1057
Gilles Peskine449bd832023-01-11 14:50:10 +01001058 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
1059 buffer0 + s_x2s_pk_off,
1060 s_x2s_pk_len);
1061 if (inject_error == 3 && status != PSA_SUCCESS) {
1062 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001063 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001064 } else {
1065 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001066 }
1067
Gilles Peskine449bd832023-01-11 14:50:10 +01001068 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
1069 buffer0 + s_x2s_pr_off,
1070 s_x2s_pr_len);
1071 if (inject_error == 3 && status != PSA_SUCCESS) {
1072 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001073 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001074 } else {
1075 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001076 }
1077
Neil Armstrong78c4e8e2022-09-05 18:08:13 +02001078 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +01001079 if (inject_error == 3) {
1080 TEST_ASSERT(
1081 !"One of the last psa_pake_input() calls should have returned the expected error.");
1082 }
Neil Armstrongf983caf2022-06-15 15:27:48 +02001083 }
1084
1085 /* Client second round Output */
1086 buffer1_off = 0;
1087
Gilles Peskine449bd832023-01-11 14:50:10 +01001088 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
1089 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +00001090 buffer_length - buffer1_off, &c_a_len));
Gilles Peskine449bd832023-01-11 14:50:10 +01001091 TEST_EQUAL(c_a_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001092 c_a_off = buffer1_off;
1093 buffer1_off += c_a_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001094 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
1095 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +00001096 buffer_length - buffer1_off, &c_x2s_pk_len));
Gilles Peskine449bd832023-01-11 14:50:10 +01001097 TEST_EQUAL(c_x2s_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001098 c_x2s_pk_off = buffer1_off;
1099 buffer1_off += c_x2s_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001100 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
1101 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +00001102 buffer_length - buffer1_off, &c_x2s_pr_len));
Gilles Peskine449bd832023-01-11 14:50:10 +01001103 TEST_LE_U(c_x2s_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001104 c_x2s_pr_off = buffer1_off;
1105 buffer1_off += c_x2s_pr_len;
1106
Gilles Peskine449bd832023-01-11 14:50:10 +01001107 if (client_input_first == 0) {
Neil Armstrongf983caf2022-06-15 15:27:48 +02001108 /* Client second round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +01001109 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
1110 buffer0 + s_a_off, s_a_len);
1111 if (inject_error == 3 && status != PSA_SUCCESS) {
1112 TEST_EQUAL(status, expected_status);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001113 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001114 } else {
1115 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001116 }
1117
Gilles Peskine449bd832023-01-11 14:50:10 +01001118 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
1119 buffer0 + s_x2s_pk_off,
1120 s_x2s_pk_len);
1121 if (inject_error == 3 && status != PSA_SUCCESS) {
1122 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001123 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001124 } else {
1125 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001126 }
1127
Gilles Peskine449bd832023-01-11 14:50:10 +01001128 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
1129 buffer0 + s_x2s_pr_off,
1130 s_x2s_pr_len);
1131 if (inject_error == 3 && status != PSA_SUCCESS) {
1132 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001133 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001134 } else {
1135 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001136 }
1137
Neil Armstrong78c4e8e2022-09-05 18:08:13 +02001138 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +01001139 if (inject_error == 3) {
1140 TEST_ASSERT(
1141 !"One of the last psa_pake_input() calls should have returned the expected error.");
1142 }
Neil Armstrongf983caf2022-06-15 15:27:48 +02001143 }
1144
Gilles Peskine449bd832023-01-11 14:50:10 +01001145 if (inject_error == 4) {
Neil Armstrongeae1dfc2022-06-21 13:37:06 +02001146 buffer1[c_x2s_pk_off + 7] += 0x28;
Neil Armstrongf983caf2022-06-15 15:27:48 +02001147 expected_status = PSA_ERROR_DATA_INVALID;
1148 }
1149
1150 /* Server second round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +01001151 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE,
1152 buffer1 + c_a_off, c_a_len);
1153 if (inject_error == 4 && status != PSA_SUCCESS) {
1154 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001155 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001156 } else {
1157 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001158 }
1159
Gilles Peskine449bd832023-01-11 14:50:10 +01001160 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC,
1161 buffer1 + c_x2s_pk_off, c_x2s_pk_len);
1162 if (inject_error == 4 && status != PSA_SUCCESS) {
1163 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001164 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001165 } else {
1166 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001167 }
1168
Gilles Peskine449bd832023-01-11 14:50:10 +01001169 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF,
1170 buffer1 + c_x2s_pr_off, c_x2s_pr_len);
1171 if (inject_error == 4 && status != PSA_SUCCESS) {
1172 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001173 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001174 } else {
1175 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001176 }
1177
Neil Armstrong78c4e8e2022-09-05 18:08:13 +02001178 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +01001179 if (inject_error == 4) {
1180 TEST_ASSERT(
1181 !"One of the last psa_pake_input() calls should have returned the expected error.");
1182 }
Neil Armstrongf983caf2022-06-15 15:27:48 +02001183
1184 break;
1185
1186 }
1187
Neil Armstrongf983caf2022-06-15 15:27:48 +02001188exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01001189 mbedtls_free(buffer0);
1190 mbedtls_free(buffer1);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001191}
Neil Armstrong75673ab2022-06-15 17:39:01 +02001192#endif /* PSA_WANT_ALG_JPAKE */
Neil Armstrongf983caf2022-06-15 15:27:48 +02001193
Gilles Peskine449bd832023-01-11 14:50:10 +01001194typedef enum {
Valerio Setti1070aed2022-11-11 19:37:31 +01001195 INJECT_ERR_NONE = 0,
1196 INJECT_ERR_UNINITIALIZED_ACCESS,
1197 INJECT_ERR_DUPLICATE_SETUP,
1198 INJECT_ERR_INVALID_USER,
1199 INJECT_ERR_INVALID_PEER,
1200 INJECT_ERR_SET_USER,
1201 INJECT_ERR_SET_PEER,
1202 INJECT_EMPTY_IO_BUFFER,
1203 INJECT_UNKNOWN_STEP,
1204 INJECT_INVALID_FIRST_STEP,
1205 INJECT_WRONG_BUFFER_SIZE,
1206 INJECT_VALID_OPERATION_AFTER_FAILURE,
1207 INJECT_ANTICIPATE_KEY_DERIVATION_1,
1208 INJECT_ANTICIPATE_KEY_DERIVATION_2,
1209} ecjpake_injected_failure_t;
1210
Paul Elliott01885fa2023-02-09 12:07:30 +00001211#if defined(MBEDTLS_ECP_RESTARTABLE)
Paul Elliott1243f932023-02-07 11:21:10 +00001212
Paul Elliott6f600372023-02-06 18:41:05 +00001213static void interruptible_signverify_get_minmax_completes(uint32_t max_ops,
1214 psa_status_t expected_status,
1215 size_t *min_completes,
1216 size_t *max_completes)
1217{
1218
1219 /* This is slightly contrived, but we only really know that with a minimum
1220 value of max_ops that a successful operation should take more than one op
1221 to complete, and likewise that with a max_ops of
1222 PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, it should complete in one go. */
1223 if (max_ops == 0 || max_ops == 1) {
Paul Elliottc86d45e2023-02-15 17:38:05 +00001224
Paul Elliott6f600372023-02-06 18:41:05 +00001225 if (expected_status == PSA_SUCCESS) {
1226 *min_completes = 2;
1227 } else {
1228 *min_completes = 1;
1229 }
1230
1231 *max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
1232 } else {
1233 *min_completes = 1;
1234 *max_completes = 1;
1235 }
1236}
Paul Elliott01885fa2023-02-09 12:07:30 +00001237#endif /* MBEDTLS_ECP_RESTARTABLE */
Paul Elliott6f600372023-02-06 18:41:05 +00001238
Valerio Settiefce6052024-06-25 18:31:36 +02001239#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) && defined(MBEDTLS_ASN1_PARSE_C)
Gilles Peskine1d25a0a2024-02-12 16:40:04 +01001240static int rsa_test_e(mbedtls_svc_key_id_t key,
1241 size_t bits,
1242 const data_t *e_arg)
1243{
1244 uint8_t *exported = NULL;
1245 size_t exported_size =
1246 PSA_EXPORT_KEY_OUTPUT_SIZE(PSA_KEY_TYPE_RSA_PUBLIC_KEY, bits);
1247 size_t exported_length = SIZE_MAX;
1248 int ok = 0;
1249
1250 TEST_CALLOC(exported, exported_size);
1251 PSA_ASSERT(psa_export_public_key(key,
1252 exported, exported_size,
1253 &exported_length));
1254 uint8_t *p = exported;
1255 uint8_t *end = exported + exported_length;
1256 size_t len;
1257 /* RSAPublicKey ::= SEQUENCE {
1258 * modulus INTEGER, -- n
1259 * publicExponent INTEGER } -- e
1260 */
1261 TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len,
1262 MBEDTLS_ASN1_SEQUENCE |
1263 MBEDTLS_ASN1_CONSTRUCTED));
1264 TEST_ASSERT(mbedtls_test_asn1_skip_integer(&p, end, bits, bits, 1));
1265 TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len,
1266 MBEDTLS_ASN1_INTEGER));
1267 if (len >= 1 && p[0] == 0) {
1268 ++p;
1269 --len;
1270 }
1271 if (e_arg->len == 0) {
1272 TEST_EQUAL(len, 3);
1273 TEST_EQUAL(p[0], 1);
1274 TEST_EQUAL(p[1], 0);
1275 TEST_EQUAL(p[2], 1);
1276 } else {
Gilles Peskine7a18f962024-02-12 16:48:11 +01001277 const uint8_t *expected = e_arg->x;
1278 size_t expected_len = e_arg->len;
1279 while (expected_len > 0 && *expected == 0) {
1280 ++expected;
1281 --expected_len;
1282 }
1283 TEST_MEMORY_COMPARE(p, len, expected, expected_len);
Gilles Peskine1d25a0a2024-02-12 16:40:04 +01001284 }
1285 ok = 1;
1286
1287exit:
1288 mbedtls_free(exported);
1289 return ok;
1290}
1291#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE */
1292
Gilles Peskine092ce512024-02-20 12:31:24 +01001293static int setup_key_production_parameters(
1294 psa_key_production_parameters_t **params, size_t *params_data_length,
1295 int flags_arg, const data_t *params_data)
Gilles Peskinef0765fa2024-02-12 16:46:16 +01001296{
Gilles Peskine092ce512024-02-20 12:31:24 +01001297 *params_data_length = params_data->len;
Gilles Peskinec81393b2024-02-14 20:51:28 +01001298 /* If there are N bytes of padding at the end of
Gilles Peskine092ce512024-02-20 12:31:24 +01001299 * psa_key_production_parameters_t, then it's enough to allocate
1300 * MIN(sizeof(psa_key_production_parameters_t),
1301 * offsetof(psa_key_production_parameters_t, data) + params_data_length).
Gilles Peskinec81393b2024-02-14 20:51:28 +01001302 *
1303 * For simplicity, here, we allocate up to N more bytes than necessary.
Gilles Peskine092ce512024-02-20 12:31:24 +01001304 * In practice, the current layout of psa_key_production_parameters_t
Gilles Peskinec81393b2024-02-14 20:51:28 +01001305 * makes padding extremely unlikely, so we don't worry about testing
1306 * that the library code doesn't try to access these extra N bytes.
1307 */
Gilles Peskine092ce512024-02-20 12:31:24 +01001308 *params = mbedtls_calloc(1, sizeof(**params) + *params_data_length);
1309 TEST_ASSERT(*params != NULL);
1310 (*params)->flags = (uint32_t) flags_arg;
1311 memcpy((*params)->data, params_data->x, params_data->len);
Gilles Peskinef0765fa2024-02-12 16:46:16 +01001312 return 1;
1313exit:
1314 return 0;
1315}
1316
Ryan3a1b7862024-03-01 17:24:04 +00001317#if defined(MBEDTLS_THREADING_PTHREAD)
Ryan Everett50619992024-03-12 16:55:14 +00001318
Michael Schuster275b6982024-06-07 01:51:54 +02001319#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
Ryan Everett50619992024-03-12 16:55:14 +00001320typedef struct same_key_context {
1321 data_t *data;
1322 mbedtls_svc_key_id_t key;
1323 psa_key_attributes_t *attributes;
1324 int type;
1325 int bits;
1326 /* The following two parameters are used to ensure that when multiple
1327 * threads attempt to load/destroy the key, exactly one thread succeeds. */
1328 int key_loaded;
1329 mbedtls_threading_mutex_t MBEDTLS_PRIVATE(key_loaded_mutex);
1330}
1331same_key_context;
1332
1333/* Attempt to import the key in ctx. This handles any valid error codes
1334 * and reports an error for any invalid codes. This function also insures
1335 * that once imported by some thread, all threads can use the key. */
Michael Schusterb1e33fb2024-06-04 02:30:22 +02001336static void *thread_import_key(void *ctx)
Ryan Everett50619992024-03-12 16:55:14 +00001337{
1338 mbedtls_svc_key_id_t returned_key_id;
1339 same_key_context *skc = (struct same_key_context *) ctx;
1340 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
1341
Ryan Everett6c488702024-03-14 17:49:44 +00001342 /* Import the key, exactly one thread must succeed. */
Ryan Everett50619992024-03-12 16:55:14 +00001343 psa_status_t status = psa_import_key(skc->attributes, skc->data->x,
1344 skc->data->len, &returned_key_id);
1345 switch (status) {
1346 case PSA_SUCCESS:
1347 if (mbedtls_mutex_lock(&skc->key_loaded_mutex) == 0) {
1348 if (skc->key_loaded) {
1349 mbedtls_mutex_unlock(&skc->key_loaded_mutex);
1350 /* More than one thread has succeeded, report a failure. */
Ryan Everett3de040f2024-03-14 17:50:06 +00001351 TEST_FAIL("The same key has been loaded into the key store multiple times.");
Ryan Everett50619992024-03-12 16:55:14 +00001352 }
1353 skc->key_loaded = 1;
1354 mbedtls_mutex_unlock(&skc->key_loaded_mutex);
1355 }
1356 break;
1357 case PSA_ERROR_INSUFFICIENT_MEMORY:
1358 /* If all of the key slots are reserved when a thread
1359 * locks the mutex to reserve a new slot, it will return
1360 * PSA_ERROR_INSUFFICIENT_MEMORY; this is correct behaviour.
1361 * There is a chance for this to occur here when the number of
1362 * threads running this function is larger than the number of
1363 * free key slots. Each thread reserves an empty key slot,
1364 * unlocks the mutex, then relocks it to finalize key creation.
1365 * It is at that point where the thread sees that the key
1366 * already exists, releases the reserved slot,
1367 * and returns PSA_ERROR_ALREADY_EXISTS.
1368 * There is no guarantee that the key is loaded upon this return
1369 * code, so we can't test the key information. Just stop this
1370 * thread from executing, note that this is not an error. */
1371 goto exit;
1372 break;
1373 case PSA_ERROR_ALREADY_EXISTS:
1374 /* The key has been loaded by a different thread. */
1375 break;
1376 default:
1377 PSA_ASSERT(status);
1378 }
1379 /* At this point the key must exist, test the key information. */
1380 status = psa_get_key_attributes(skc->key, &got_attributes);
1381 if (status == PSA_ERROR_INSUFFICIENT_MEMORY) {
1382 /* This is not a test failure. The following sequence of events
1383 * causes this to occur:
1384 * 1: This thread successfuly imports a persistent key skc->key.
1385 * 2: N threads reserve an empty key slot in psa_import_key,
1386 * where N is equal to the number of free key slots.
1387 * 3: A final thread attempts to reserve an empty key slot, kicking
1388 * skc->key (which has no registered readers) out of its slot.
1389 * 4: This thread calls psa_get_key_attributes(skc->key,...):
1390 * it sees that skc->key is not in a slot, attempts to load it and
1391 * finds that there are no free slots.
1392 * This thread returns PSA_ERROR_INSUFFICIENT_MEMORY.
1393 *
1394 * The PSA spec allows this behaviour, it is an unavoidable consequence
1395 * of allowing persistent keys to be kicked out of the key store while
1396 * they are still valid. */
1397 goto exit;
1398 }
1399 PSA_ASSERT(status);
1400 TEST_EQUAL(psa_get_key_type(&got_attributes), skc->type);
1401 TEST_EQUAL(psa_get_key_bits(&got_attributes), skc->bits);
1402
1403exit:
1404 /* Key attributes may have been returned by psa_get_key_attributes(),
1405 * reset them as required. */
1406 psa_reset_key_attributes(&got_attributes);
1407 return NULL;
1408}
1409
Michael Schusterb1e33fb2024-06-04 02:30:22 +02001410static void *thread_use_and_destroy_key(void *ctx)
Ryan Everett50619992024-03-12 16:55:14 +00001411{
1412 same_key_context *skc = (struct same_key_context *) ctx;
1413
1414 /* Do something with the key according
1415 * to its type and permitted usage. */
1416 TEST_ASSERT(mbedtls_test_psa_exercise_key(skc->key,
1417 skc->attributes->policy.usage,
1418 skc->attributes->policy.alg, 1));
1419
1420 psa_status_t status = psa_destroy_key(skc->key);
1421 if (status == PSA_SUCCESS) {
1422 if (mbedtls_mutex_lock(&skc->key_loaded_mutex) == 0) {
1423 /* Ensure that we are the only thread to succeed. */
1424 if (skc->key_loaded != 1) {
1425 mbedtls_mutex_unlock(&skc->key_loaded_mutex);
Ryan Everett3de040f2024-03-14 17:50:06 +00001426 TEST_FAIL("The same key has been destroyed multiple times.");
Ryan Everett50619992024-03-12 16:55:14 +00001427 }
1428 skc->key_loaded = 0;
1429 mbedtls_mutex_unlock(&skc->key_loaded_mutex);
1430 }
1431 } else {
1432 TEST_EQUAL(status, PSA_ERROR_INVALID_HANDLE);
1433 }
1434
1435exit:
1436 return NULL;
1437}
Michael Schuster275b6982024-06-07 01:51:54 +02001438#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
Ryan Everett50619992024-03-12 16:55:14 +00001439
Ryan3a1b7862024-03-01 17:24:04 +00001440typedef struct generate_key_context {
1441 psa_key_type_t type;
1442 psa_key_usage_t usage;
1443 size_t bits;
1444 psa_algorithm_t alg;
1445 psa_status_t expected_status;
1446 psa_key_attributes_t *attributes;
1447 int is_large_key;
1448 int reps;
1449}
1450generate_key_context;
Michael Schusterb1e33fb2024-06-04 02:30:22 +02001451static void *thread_generate_key(void *ctx)
Ryan3a1b7862024-03-01 17:24:04 +00001452{
1453 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
1454 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
1455 generate_key_context *gkc = (struct generate_key_context *) ctx;
1456
1457 /* If there are race conditions, it is likely the case that they do not
1458 * arise every time the code runs. We repeat the code to increase the
1459 * chance that any race conditions will be hit. */
1460 for (int n = 0; n < gkc->reps; n++) {
1461 /* Generate a key */
1462 psa_status_t status = psa_generate_key(gkc->attributes, &key);
1463
1464 if (gkc->is_large_key > 0) {
1465 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY);
1466 }
1467
1468 TEST_EQUAL(status, gkc->expected_status);
1469 if (gkc->expected_status != PSA_SUCCESS) {
1470 PSA_ASSERT(psa_destroy_key(key));
1471 goto exit;
1472 }
1473
1474 /* Test the key information */
1475 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
1476 TEST_EQUAL(psa_get_key_type(&got_attributes), gkc->type);
1477 TEST_EQUAL(psa_get_key_bits(&got_attributes), gkc->bits);
1478
1479 /* Do something with the key according
1480 * to its type and permitted usage. */
Ryan Everett0a271fd2024-03-12 16:34:02 +00001481 if (!mbedtls_test_psa_exercise_key(key, gkc->usage, gkc->alg, 0)) {
Ryan3a1b7862024-03-01 17:24:04 +00001482 psa_destroy_key(key);
1483 goto exit;
1484 }
1485 psa_reset_key_attributes(&got_attributes);
1486
1487 PSA_ASSERT(psa_destroy_key(key));
1488 }
1489exit:
1490 /*
1491 * Key attributes may have been returned by psa_get_key_attributes()
1492 * thus reset them as required.
1493 */
1494 psa_reset_key_attributes(&got_attributes);
1495 return NULL;
1496}
1497#endif /* MBEDTLS_THREADING_PTHREAD */
1498
Gilles Peskinee59236f2018-01-27 23:32:46 +01001499/* END_HEADER */
1500
1501/* BEGIN_DEPENDENCIES
1502 * depends_on:MBEDTLS_PSA_CRYPTO_C
1503 * END_DEPENDENCIES
1504 */
1505
1506/* BEGIN_CASE */
Manuel Pégourié-Gonnard7abdf7e2023-03-09 11:17:43 +01001507void psa_can_do_hash()
1508{
1509 /* We can't test that this is specific to drivers until partial init has
1510 * been implemented, but we can at least test before/after full init. */
1511 TEST_EQUAL(0, psa_can_do_hash(PSA_ALG_NONE));
1512 PSA_INIT();
1513 TEST_EQUAL(1, psa_can_do_hash(PSA_ALG_NONE));
1514 PSA_DONE();
1515}
1516/* END_CASE */
1517
1518/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001519void static_checks()
Gilles Peskinee1f2d7d2018-08-21 14:54:54 +02001520{
1521 size_t max_truncated_mac_size =
1522 PSA_ALG_MAC_TRUNCATION_MASK >> PSA_MAC_TRUNCATION_OFFSET;
1523
1524 /* Check that the length for a truncated MAC always fits in the algorithm
1525 * encoding. The shifted mask is the maximum truncated value. The
1526 * untruncated algorithm may be one byte larger. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001527 TEST_LE_U(PSA_MAC_MAX_SIZE, 1 + max_truncated_mac_size);
Gilles Peskinee1f2d7d2018-08-21 14:54:54 +02001528}
1529/* END_CASE */
1530
1531/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001532void import_with_policy(int type_arg,
1533 int usage_arg, int alg_arg,
1534 int expected_status_arg)
Gilles Peskine6edfa292019-07-31 15:53:45 +02001535{
1536 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1537 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Ronald Cron5425a212020-08-04 14:58:35 +02001538 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine6edfa292019-07-31 15:53:45 +02001539 psa_key_type_t type = type_arg;
1540 psa_key_usage_t usage = usage_arg;
1541 psa_algorithm_t alg = alg_arg;
1542 psa_status_t expected_status = expected_status_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01001543 const uint8_t key_material[16] = { 0 };
Gilles Peskine6edfa292019-07-31 15:53:45 +02001544 psa_status_t status;
1545
Gilles Peskine449bd832023-01-11 14:50:10 +01001546 PSA_ASSERT(psa_crypto_init());
Gilles Peskine6edfa292019-07-31 15:53:45 +02001547
Gilles Peskine449bd832023-01-11 14:50:10 +01001548 psa_set_key_type(&attributes, type);
1549 psa_set_key_usage_flags(&attributes, usage);
1550 psa_set_key_algorithm(&attributes, alg);
Gilles Peskine6edfa292019-07-31 15:53:45 +02001551
Gilles Peskine449bd832023-01-11 14:50:10 +01001552 status = psa_import_key(&attributes,
1553 key_material, sizeof(key_material),
1554 &key);
1555 TEST_EQUAL(status, expected_status);
1556 if (status != PSA_SUCCESS) {
Gilles Peskine6edfa292019-07-31 15:53:45 +02001557 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001558 }
Gilles Peskine6edfa292019-07-31 15:53:45 +02001559
Gilles Peskine449bd832023-01-11 14:50:10 +01001560 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
1561 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
1562 TEST_EQUAL(psa_get_key_usage_flags(&got_attributes),
1563 mbedtls_test_update_key_usage_flags(usage));
1564 TEST_EQUAL(psa_get_key_algorithm(&got_attributes), alg);
1565 ASSERT_NO_SLOT_NUMBER(&got_attributes);
Gilles Peskine6edfa292019-07-31 15:53:45 +02001566
Gilles Peskine449bd832023-01-11 14:50:10 +01001567 PSA_ASSERT(psa_destroy_key(key));
1568 test_operations_on_invalid_key(key);
Gilles Peskine6edfa292019-07-31 15:53:45 +02001569
1570exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001571 /*
1572 * Key attributes may have been returned by psa_get_key_attributes()
1573 * thus reset them as required.
1574 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001575 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001576
Gilles Peskine449bd832023-01-11 14:50:10 +01001577 psa_destroy_key(key);
1578 PSA_DONE();
Gilles Peskine6edfa292019-07-31 15:53:45 +02001579}
1580/* END_CASE */
1581
1582/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001583void import_with_data(data_t *data, int type_arg,
1584 int attr_bits_arg,
1585 int expected_status_arg)
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001586{
1587 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1588 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Ronald Cron5425a212020-08-04 14:58:35 +02001589 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001590 psa_key_type_t type = type_arg;
Gilles Peskine8fb3a9e2019-05-03 16:59:21 +02001591 size_t attr_bits = attr_bits_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02001592 psa_status_t expected_status = expected_status_arg;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001593 psa_status_t status;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001594
Gilles Peskine449bd832023-01-11 14:50:10 +01001595 PSA_ASSERT(psa_crypto_init());
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001596
Gilles Peskine449bd832023-01-11 14:50:10 +01001597 psa_set_key_type(&attributes, type);
1598 psa_set_key_bits(&attributes, attr_bits);
Gilles Peskine6edfa292019-07-31 15:53:45 +02001599
Gilles Peskine449bd832023-01-11 14:50:10 +01001600 status = psa_import_key(&attributes, data->x, data->len, &key);
Manuel Pégourié-Gonnard0509b582023-08-08 12:47:56 +02001601 /* When expecting INVALID_ARGUMENT, also accept NOT_SUPPORTED.
1602 *
1603 * This can happen with a type supported only by a driver:
1604 * - the driver sees the invalid data (for example wrong size) and thinks
1605 * "well perhaps this is a key size I don't support" so it returns
1606 * NOT_SUPPORTED which is correct at this point;
1607 * - we fallback to built-ins, which don't support this type, so return
1608 * NOT_SUPPORTED which again is correct at this point.
1609 */
1610 if (expected_status == PSA_ERROR_INVALID_ARGUMENT &&
1611 status == PSA_ERROR_NOT_SUPPORTED) {
1612 ; // OK
1613 } else {
1614 TEST_EQUAL(status, expected_status);
1615 }
Gilles Peskine449bd832023-01-11 14:50:10 +01001616 if (status != PSA_SUCCESS) {
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001617 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001618 }
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001619
Gilles Peskine449bd832023-01-11 14:50:10 +01001620 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
1621 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
1622 if (attr_bits != 0) {
1623 TEST_EQUAL(attr_bits, psa_get_key_bits(&got_attributes));
1624 }
1625 ASSERT_NO_SLOT_NUMBER(&got_attributes);
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001626
Gilles Peskine449bd832023-01-11 14:50:10 +01001627 PSA_ASSERT(psa_destroy_key(key));
1628 test_operations_on_invalid_key(key);
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001629
1630exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001631 /*
1632 * Key attributes may have been returned by psa_get_key_attributes()
1633 * thus reset them as required.
1634 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001635 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001636
Gilles Peskine449bd832023-01-11 14:50:10 +01001637 psa_destroy_key(key);
1638 PSA_DONE();
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001639}
1640/* END_CASE */
1641
Valerio Setti168d24a2024-06-20 14:40:54 +02001642/* BEGIN_CASE depends_on: !MBEDTLS_PSA_STATIC_KEY_SLOTS*/
Gilles Peskine07510f52022-11-11 16:37:16 +01001643/* Construct and attempt to import a large unstructured key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001644void import_large_key(int type_arg, int byte_size_arg,
1645 int expected_status_arg)
Gilles Peskinec744d992019-07-30 17:26:54 +02001646{
1647 psa_key_type_t type = type_arg;
1648 size_t byte_size = byte_size_arg;
1649 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1650 psa_status_t expected_status = expected_status_arg;
Ronald Cron5425a212020-08-04 14:58:35 +02001651 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinec744d992019-07-30 17:26:54 +02001652 psa_status_t status;
1653 uint8_t *buffer = NULL;
1654 size_t buffer_size = byte_size + 1;
1655 size_t n;
1656
Steven Cooreman69967ce2021-01-18 18:01:08 +01001657 /* Skip the test case if the target running the test cannot
Shaun Case8b0ecbc2021-12-20 21:14:10 -08001658 * accommodate large keys due to heap size constraints */
Tom Cosgrove412a8132023-07-20 16:55:14 +01001659 TEST_CALLOC_OR_SKIP(buffer, buffer_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01001660 memset(buffer, 'K', byte_size);
Gilles Peskinec744d992019-07-30 17:26:54 +02001661
Gilles Peskine449bd832023-01-11 14:50:10 +01001662 PSA_ASSERT(psa_crypto_init());
Gilles Peskinec744d992019-07-30 17:26:54 +02001663
1664 /* Try importing the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001665 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT);
1666 psa_set_key_type(&attributes, type);
1667 status = psa_import_key(&attributes, buffer, byte_size, &key);
1668 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY);
1669 TEST_EQUAL(status, expected_status);
Gilles Peskinec744d992019-07-30 17:26:54 +02001670
Gilles Peskine449bd832023-01-11 14:50:10 +01001671 if (status == PSA_SUCCESS) {
1672 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
1673 TEST_EQUAL(psa_get_key_type(&attributes), type);
1674 TEST_EQUAL(psa_get_key_bits(&attributes),
1675 PSA_BYTES_TO_BITS(byte_size));
1676 ASSERT_NO_SLOT_NUMBER(&attributes);
1677 memset(buffer, 0, byte_size + 1);
1678 PSA_ASSERT(psa_export_key(key, buffer, byte_size, &n));
1679 for (n = 0; n < byte_size; n++) {
1680 TEST_EQUAL(buffer[n], 'K');
1681 }
1682 for (n = byte_size; n < buffer_size; n++) {
1683 TEST_EQUAL(buffer[n], 0);
1684 }
Gilles Peskinec744d992019-07-30 17:26:54 +02001685 }
1686
1687exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001688 /*
1689 * Key attributes may have been returned by psa_get_key_attributes()
1690 * thus reset them as required.
1691 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001692 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001693
Gilles Peskine449bd832023-01-11 14:50:10 +01001694 psa_destroy_key(key);
1695 PSA_DONE();
1696 mbedtls_free(buffer);
Gilles Peskinec744d992019-07-30 17:26:54 +02001697}
1698/* END_CASE */
1699
Andrzej Kurek77b8e092022-01-17 15:29:38 +01001700/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C */
Gilles Peskine07510f52022-11-11 16:37:16 +01001701/* Import an RSA key with a valid structure (but not valid numbers
1702 * inside, beyond having sensible size and parity). This is expected to
1703 * fail for large keys. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001704void import_rsa_made_up(int bits_arg, int keypair, int expected_status_arg)
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001705{
Ronald Cron5425a212020-08-04 14:58:35 +02001706 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001707 size_t bits = bits_arg;
1708 psa_status_t expected_status = expected_status_arg;
1709 psa_status_t status;
1710 psa_key_type_t type =
Gilles Peskinec93b80c2019-05-16 19:39:54 +02001711 keypair ? PSA_KEY_TYPE_RSA_KEY_PAIR : PSA_KEY_TYPE_RSA_PUBLIC_KEY;
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001712 size_t buffer_size = /* Slight overapproximations */
Gilles Peskine449bd832023-01-11 14:50:10 +01001713 keypair ? bits * 9 / 16 + 80 : bits / 8 + 20;
Gilles Peskine8cebbba2018-09-27 13:54:18 +02001714 unsigned char *buffer = NULL;
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001715 unsigned char *p;
1716 int ret;
1717 size_t length;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02001718 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001719
Gilles Peskine449bd832023-01-11 14:50:10 +01001720 PSA_ASSERT(psa_crypto_init());
Tom Cosgrove05b2a872023-07-21 11:31:13 +01001721 TEST_CALLOC(buffer, buffer_size);
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001722
Gilles Peskine449bd832023-01-11 14:50:10 +01001723 TEST_ASSERT((ret = construct_fake_rsa_key(buffer, buffer_size, &p,
1724 bits, keypair)) >= 0);
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001725 length = ret;
1726
1727 /* Try importing the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001728 psa_set_key_type(&attributes, type);
1729 status = psa_import_key(&attributes, p, length, &key);
1730 TEST_EQUAL(status, expected_status);
Gilles Peskine76b29a72019-05-28 14:08:50 +02001731
Gilles Peskine449bd832023-01-11 14:50:10 +01001732 if (status == PSA_SUCCESS) {
1733 PSA_ASSERT(psa_destroy_key(key));
1734 }
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001735
1736exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01001737 mbedtls_free(buffer);
1738 PSA_DONE();
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001739}
1740/* END_CASE */
1741
1742/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001743void import_export(data_t *data,
1744 int type_arg,
1745 int usage_arg, int alg_arg,
1746 int lifetime_arg,
1747 int expected_bits,
1748 int export_size_delta,
1749 int expected_export_status_arg,
1750 /*whether reexport must give the original input exactly*/
1751 int canonical_input)
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001752{
Ronald Cron5425a212020-08-04 14:58:35 +02001753 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001754 psa_key_type_t type = type_arg;
Gilles Peskine4abf7412018-06-18 16:35:34 +02001755 psa_algorithm_t alg = alg_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02001756 psa_status_t expected_export_status = expected_export_status_arg;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001757 psa_status_t status;
Archana4d7ae1d2021-07-07 02:50:22 +05301758 psa_key_lifetime_t lifetime = lifetime_arg;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001759 unsigned char *exported = NULL;
1760 unsigned char *reexported = NULL;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001761 size_t export_size;
Jaeden Amerof24c7f82018-06-27 17:20:43 +01001762 size_t exported_length = INVALID_EXPORT_LENGTH;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001763 size_t reexported_length;
Gilles Peskine4747d192019-04-17 15:05:45 +02001764 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001765 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001766
Moran Pekercb088e72018-07-17 17:36:59 +03001767 export_size = (ptrdiff_t) data->len + export_size_delta;
Tom Cosgrove05b2a872023-07-21 11:31:13 +01001768 TEST_CALLOC(exported, export_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01001769 if (!canonical_input) {
Tom Cosgrove05b2a872023-07-21 11:31:13 +01001770 TEST_CALLOC(reexported, export_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01001771 }
1772 PSA_ASSERT(psa_crypto_init());
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001773
Gilles Peskine449bd832023-01-11 14:50:10 +01001774 psa_set_key_lifetime(&attributes, lifetime);
1775 psa_set_key_usage_flags(&attributes, usage_arg);
1776 psa_set_key_algorithm(&attributes, alg);
1777 psa_set_key_type(&attributes, type);
mohammad1603a97cb8c2018-03-28 03:46:26 -07001778
Przemek Stekiel1d9c2b62022-12-01 15:01:39 +01001779 if (PSA_KEY_TYPE_IS_DH(type) &&
1780 expected_export_status == PSA_ERROR_BUFFER_TOO_SMALL) {
Przemek Stekiel654bef02022-12-15 13:28:02 +01001781 /* Simulate that buffer is too small, by decreasing its size by 1 byte. */
1782 export_size -= 1;
Przemek Stekiel1d9c2b62022-12-01 15:01:39 +01001783 }
1784
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001785 /* Import the key */
Przemek Stekiel1d9c2b62022-12-01 15:01:39 +01001786 TEST_EQUAL(psa_import_key(&attributes, data->x, data->len, &key),
Przemek Stekiel2e7c33d2023-04-27 12:29:45 +02001787 PSA_SUCCESS);
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001788
1789 /* Test the key information */
Gilles Peskine449bd832023-01-11 14:50:10 +01001790 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
1791 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
1792 TEST_EQUAL(psa_get_key_bits(&got_attributes), (size_t) expected_bits);
1793 ASSERT_NO_SLOT_NUMBER(&got_attributes);
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001794
1795 /* Export the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001796 status = psa_export_key(key, exported, export_size, &exported_length);
1797 TEST_EQUAL(status, expected_export_status);
Jaeden Amerof24c7f82018-06-27 17:20:43 +01001798
1799 /* The exported length must be set by psa_export_key() to a value between 0
1800 * and export_size. On errors, the exported length must be 0. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001801 TEST_ASSERT(exported_length != INVALID_EXPORT_LENGTH);
1802 TEST_ASSERT(status == PSA_SUCCESS || exported_length == 0);
1803 TEST_LE_U(exported_length, export_size);
Jaeden Amerof24c7f82018-06-27 17:20:43 +01001804
Gilles Peskine449bd832023-01-11 14:50:10 +01001805 TEST_ASSERT(mem_is_char(exported + exported_length, 0,
1806 export_size - exported_length));
1807 if (status != PSA_SUCCESS) {
1808 TEST_EQUAL(exported_length, 0);
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001809 goto destroy;
Gilles Peskinee66ca3b2018-06-20 00:11:45 +02001810 }
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001811
Gilles Peskineea38a922021-02-13 00:05:16 +01001812 /* Run sanity checks on the exported key. For non-canonical inputs,
1813 * this validates the canonical representations. For canonical inputs,
1814 * this doesn't directly validate the implementation, but it still helps
1815 * by cross-validating the test data with the sanity check code. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001816 if (!psa_key_lifetime_is_external(lifetime)) {
Ryan Everett0a271fd2024-03-12 16:34:02 +00001817 if (!mbedtls_test_psa_exercise_key(key, usage_arg, 0, 0)) {
Archana4d7ae1d2021-07-07 02:50:22 +05301818 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001819 }
Archana4d7ae1d2021-07-07 02:50:22 +05301820 }
Gilles Peskine8f609232018-08-11 01:24:55 +02001821
Gilles Peskine449bd832023-01-11 14:50:10 +01001822 if (canonical_input) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01001823 TEST_MEMORY_COMPARE(data->x, data->len, exported, exported_length);
Gilles Peskine449bd832023-01-11 14:50:10 +01001824 } else {
Ronald Cron5425a212020-08-04 14:58:35 +02001825 mbedtls_svc_key_id_t key2 = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +01001826 PSA_ASSERT(psa_import_key(&attributes, exported, exported_length,
1827 &key2));
1828 PSA_ASSERT(psa_export_key(key2,
1829 reexported,
1830 export_size,
1831 &reexported_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01001832 TEST_MEMORY_COMPARE(exported, exported_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01001833 reexported, reexported_length);
Gilles Peskine449bd832023-01-11 14:50:10 +01001834 PSA_ASSERT(psa_destroy_key(key2));
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001835 }
Gilles Peskine449bd832023-01-11 14:50:10 +01001836 TEST_LE_U(exported_length,
1837 PSA_EXPORT_KEY_OUTPUT_SIZE(type,
1838 psa_get_key_bits(&got_attributes)));
Valerio Setti1eacae82023-07-28 16:07:03 +02001839 if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
1840 TEST_LE_U(exported_length, PSA_EXPORT_KEY_PAIR_MAX_SIZE);
1841 } else if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
1842 TEST_LE_U(exported_length, PSA_EXPORT_PUBLIC_KEY_MAX_SIZE);
1843 }
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001844
1845destroy:
1846 /* Destroy the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001847 PSA_ASSERT(psa_destroy_key(key));
1848 test_operations_on_invalid_key(key);
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001849
1850exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001851 /*
1852 * Key attributes may have been returned by psa_get_key_attributes()
1853 * thus reset them as required.
1854 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001855 psa_reset_key_attributes(&got_attributes);
1856 psa_destroy_key(key);
1857 mbedtls_free(exported);
1858 mbedtls_free(reexported);
1859 PSA_DONE();
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001860}
1861/* END_CASE */
Gilles Peskine20035e32018-02-03 22:44:14 +01001862
Moran Pekerf709f4a2018-06-06 17:26:04 +03001863/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001864void import_export_public_key(data_t *data,
1865 int type_arg, // key pair or public key
1866 int alg_arg,
1867 int lifetime_arg,
1868 int export_size_delta,
1869 int expected_export_status_arg,
1870 data_t *expected_public_key)
Moran Pekerf709f4a2018-06-06 17:26:04 +03001871{
Ronald Cron5425a212020-08-04 14:58:35 +02001872 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Moran Pekerf709f4a2018-06-06 17:26:04 +03001873 psa_key_type_t type = type_arg;
Gilles Peskine4abf7412018-06-18 16:35:34 +02001874 psa_algorithm_t alg = alg_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02001875 psa_status_t expected_export_status = expected_export_status_arg;
Moran Pekerf709f4a2018-06-06 17:26:04 +03001876 psa_status_t status;
Archana4d7ae1d2021-07-07 02:50:22 +05301877 psa_key_lifetime_t lifetime = lifetime_arg;
Moran Pekerf709f4a2018-06-06 17:26:04 +03001878 unsigned char *exported = NULL;
Gilles Peskine49c25912018-10-29 15:15:31 +01001879 size_t export_size = expected_public_key->len + export_size_delta;
Jaeden Amero2a671e92018-06-27 17:47:40 +01001880 size_t exported_length = INVALID_EXPORT_LENGTH;
Gilles Peskine4747d192019-04-17 15:05:45 +02001881 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Moran Pekerf709f4a2018-06-06 17:26:04 +03001882
Gilles Peskine449bd832023-01-11 14:50:10 +01001883 PSA_ASSERT(psa_crypto_init());
Moran Pekerf709f4a2018-06-06 17:26:04 +03001884
Gilles Peskine449bd832023-01-11 14:50:10 +01001885 psa_set_key_lifetime(&attributes, lifetime);
1886 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT);
1887 psa_set_key_algorithm(&attributes, alg);
1888 psa_set_key_type(&attributes, type);
Moran Pekerf709f4a2018-06-06 17:26:04 +03001889
1890 /* Import the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001891 PSA_ASSERT(psa_import_key(&attributes, data->x, data->len, &key));
Moran Pekerf709f4a2018-06-06 17:26:04 +03001892
Gilles Peskine49c25912018-10-29 15:15:31 +01001893 /* Export the public key */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01001894 TEST_CALLOC(exported, export_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01001895 status = psa_export_public_key(key,
1896 exported, export_size,
1897 &exported_length);
1898 TEST_EQUAL(status, expected_export_status);
1899 if (status == PSA_SUCCESS) {
1900 psa_key_type_t public_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type);
Gilles Peskined8b7d4f2018-10-29 15:18:41 +01001901 size_t bits;
Gilles Peskine449bd832023-01-11 14:50:10 +01001902 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
1903 bits = psa_get_key_bits(&attributes);
1904 TEST_LE_U(expected_public_key->len,
1905 PSA_EXPORT_KEY_OUTPUT_SIZE(public_type, bits));
1906 TEST_LE_U(expected_public_key->len,
1907 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(public_type, bits));
1908 TEST_LE_U(expected_public_key->len,
1909 PSA_EXPORT_PUBLIC_KEY_MAX_SIZE);
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01001910 TEST_MEMORY_COMPARE(expected_public_key->x, expected_public_key->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01001911 exported, exported_length);
Gilles Peskined8b7d4f2018-10-29 15:18:41 +01001912 }
Moran Pekerf709f4a2018-06-06 17:26:04 +03001913exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001914 /*
1915 * Key attributes may have been returned by psa_get_key_attributes()
1916 * thus reset them as required.
1917 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001918 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001919
Gilles Peskine449bd832023-01-11 14:50:10 +01001920 mbedtls_free(exported);
1921 psa_destroy_key(key);
1922 PSA_DONE();
Moran Pekerf709f4a2018-06-06 17:26:04 +03001923}
1924/* END_CASE */
1925
Ryan Everett50619992024-03-12 16:55:14 +00001926
1927#if defined(MBEDTLS_THREADING_PTHREAD)
1928/* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD:MBEDTLS_PSA_CRYPTO_STORAGE_C */
1929void concurrently_use_same_persistent_key(data_t *data,
1930 int type_arg,
1931 int bits_arg,
1932 int alg_arg,
1933 int thread_count_arg)
1934{
1935 size_t thread_count = (size_t) thread_count_arg;
1936 mbedtls_test_thread_t *threads = NULL;
1937 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, 1);
1938 same_key_context skc;
1939 skc.data = data;
1940 skc.key = key_id;
1941 skc.type = type_arg;
1942 skc.bits = bits_arg;
1943 skc.key_loaded = 0;
1944 mbedtls_mutex_init(&skc.key_loaded_mutex);
1945 psa_key_usage_t usage = mbedtls_test_psa_usage_to_exercise(skc.type, alg_arg);
1946 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1947
1948 PSA_ASSERT(psa_crypto_init());
1949
1950 psa_set_key_id(&attributes, key_id);
1951 psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_PERSISTENT);
1952 psa_set_key_usage_flags(&attributes, usage);
1953 psa_set_key_algorithm(&attributes, alg_arg);
1954 psa_set_key_type(&attributes, type_arg);
1955 psa_set_key_bits(&attributes, bits_arg);
1956 skc.attributes = &attributes;
1957
1958 TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count);
1959
1960 /* Test that when multiple threads import the same key,
1961 * exactly one thread succeeds and the rest fail with valid errors.
1962 * Also test that all threads can use the key as soon as it has been
1963 * imported. */
1964 for (size_t i = 0; i < thread_count; i++) {
1965 TEST_EQUAL(
1966 mbedtls_test_thread_create(&threads[i], thread_import_key,
1967 (void *) &skc), 0);
1968 }
1969
1970 /* Join threads. */
1971 for (size_t i = 0; i < thread_count; i++) {
1972 TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0);
1973 }
1974
1975 /* Test that when multiple threads use and destroy a key no corruption
1976 * occurs, and exactly one thread succeeds when destroying the key. */
1977 for (size_t i = 0; i < thread_count; i++) {
1978 TEST_EQUAL(
1979 mbedtls_test_thread_create(&threads[i], thread_use_and_destroy_key,
1980 (void *) &skc), 0);
1981 }
1982
1983 /* Join threads. */
1984 for (size_t i = 0; i < thread_count; i++) {
1985 TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0);
1986 }
1987 /* Ensure that one thread succeeded in destroying the key. */
1988 TEST_ASSERT(!skc.key_loaded);
1989exit:
1990 psa_reset_key_attributes(&attributes);
1991 mbedtls_mutex_free(&skc.key_loaded_mutex);
1992 mbedtls_free(threads);
1993 PSA_DONE();
1994}
1995/* END_CASE */
1996#endif
1997
Gilles Peskine20035e32018-02-03 22:44:14 +01001998/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001999void import_and_exercise_key(data_t *data,
2000 int type_arg,
2001 int bits_arg,
2002 int alg_arg)
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002003{
Ronald Cron5425a212020-08-04 14:58:35 +02002004 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002005 psa_key_type_t type = type_arg;
2006 size_t bits = bits_arg;
2007 psa_algorithm_t alg = alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01002008 psa_key_usage_t usage = mbedtls_test_psa_usage_to_exercise(type, alg);
Gilles Peskine4747d192019-04-17 15:05:45 +02002009 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02002010 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002011
Gilles Peskine449bd832023-01-11 14:50:10 +01002012 PSA_ASSERT(psa_crypto_init());
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002013
Gilles Peskine449bd832023-01-11 14:50:10 +01002014 psa_set_key_usage_flags(&attributes, usage);
2015 psa_set_key_algorithm(&attributes, alg);
2016 psa_set_key_type(&attributes, type);
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002017
2018 /* Import the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01002019 PSA_ASSERT(psa_import_key(&attributes, data->x, data->len, &key));
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002020
2021 /* Test the key information */
Gilles Peskine449bd832023-01-11 14:50:10 +01002022 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
2023 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
2024 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002025
2026 /* Do something with the key according to its type and permitted usage. */
Ryan Everett0a271fd2024-03-12 16:34:02 +00002027 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
Gilles Peskine02b75072018-07-01 22:31:34 +02002028 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01002029 }
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002030
Gilles Peskine449bd832023-01-11 14:50:10 +01002031 PSA_ASSERT(psa_destroy_key(key));
2032 test_operations_on_invalid_key(key);
Gilles Peskine4cf3a432019-04-18 22:28:52 +02002033
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002034exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002035 /*
2036 * Key attributes may have been returned by psa_get_key_attributes()
2037 * thus reset them as required.
2038 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002039 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002040
Gilles Peskine449bd832023-01-11 14:50:10 +01002041 psa_reset_key_attributes(&attributes);
2042 psa_destroy_key(key);
2043 PSA_DONE();
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002044}
2045/* END_CASE */
2046
2047/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002048void effective_key_attributes(int type_arg, int expected_type_arg,
2049 int bits_arg, int expected_bits_arg,
2050 int usage_arg, int expected_usage_arg,
2051 int alg_arg, int expected_alg_arg)
Gilles Peskined5b33222018-06-18 22:20:03 +02002052{
Ronald Cron5425a212020-08-04 14:58:35 +02002053 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine1a960492019-11-26 17:12:21 +01002054 psa_key_type_t key_type = type_arg;
Gilles Peskine06c28892019-11-26 18:07:46 +01002055 psa_key_type_t expected_key_type = expected_type_arg;
Gilles Peskine1a960492019-11-26 17:12:21 +01002056 size_t bits = bits_arg;
Gilles Peskine06c28892019-11-26 18:07:46 +01002057 size_t expected_bits = expected_bits_arg;
Gilles Peskined5b33222018-06-18 22:20:03 +02002058 psa_algorithm_t alg = alg_arg;
Gilles Peskine06c28892019-11-26 18:07:46 +01002059 psa_algorithm_t expected_alg = expected_alg_arg;
Gilles Peskined5b33222018-06-18 22:20:03 +02002060 psa_key_usage_t usage = usage_arg;
Gilles Peskine06c28892019-11-26 18:07:46 +01002061 psa_key_usage_t expected_usage = expected_usage_arg;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02002062 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskined5b33222018-06-18 22:20:03 +02002063
Gilles Peskine449bd832023-01-11 14:50:10 +01002064 PSA_ASSERT(psa_crypto_init());
Gilles Peskined5b33222018-06-18 22:20:03 +02002065
Gilles Peskine449bd832023-01-11 14:50:10 +01002066 psa_set_key_usage_flags(&attributes, usage);
2067 psa_set_key_algorithm(&attributes, alg);
2068 psa_set_key_type(&attributes, key_type);
2069 psa_set_key_bits(&attributes, bits);
Gilles Peskined5b33222018-06-18 22:20:03 +02002070
Gilles Peskine449bd832023-01-11 14:50:10 +01002071 PSA_ASSERT(psa_generate_key(&attributes, &key));
2072 psa_reset_key_attributes(&attributes);
Gilles Peskined5b33222018-06-18 22:20:03 +02002073
Gilles Peskine449bd832023-01-11 14:50:10 +01002074 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
2075 TEST_EQUAL(psa_get_key_type(&attributes), expected_key_type);
2076 TEST_EQUAL(psa_get_key_bits(&attributes), expected_bits);
2077 TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage);
2078 TEST_EQUAL(psa_get_key_algorithm(&attributes), expected_alg);
Gilles Peskined5b33222018-06-18 22:20:03 +02002079
2080exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002081 /*
2082 * Key attributes may have been returned by psa_get_key_attributes()
2083 * thus reset them as required.
2084 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002085 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002086
Gilles Peskine449bd832023-01-11 14:50:10 +01002087 psa_destroy_key(key);
2088 PSA_DONE();
Gilles Peskined5b33222018-06-18 22:20:03 +02002089}
2090/* END_CASE */
2091
2092/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002093void check_key_policy(int type_arg, int bits_arg,
2094 int usage_arg, int alg_arg)
Gilles Peskine06c28892019-11-26 18:07:46 +01002095{
Gilles Peskine449bd832023-01-11 14:50:10 +01002096 test_effective_key_attributes(type_arg, type_arg, bits_arg, bits_arg,
2097 usage_arg,
2098 mbedtls_test_update_key_usage_flags(usage_arg),
2099 alg_arg, alg_arg);
Gilles Peskine06c28892019-11-26 18:07:46 +01002100 goto exit;
2101}
2102/* END_CASE */
2103
2104/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002105void key_attributes_init()
Jaeden Amero70261c52019-01-04 11:47:20 +00002106{
2107 /* Test each valid way of initializing the object, except for `= {0}`, as
2108 * Clang 5 complains when `-Wmissing-field-initializers` is used, even
2109 * though it's OK by the C standard. We could test for this, but we'd need
Shaun Case8b0ecbc2021-12-20 21:14:10 -08002110 * to suppress the Clang warning for the test. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002111 psa_key_attributes_t func = psa_key_attributes_init();
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002112 psa_key_attributes_t init = PSA_KEY_ATTRIBUTES_INIT;
2113 psa_key_attributes_t zero;
Jaeden Amero70261c52019-01-04 11:47:20 +00002114
Gilles Peskine449bd832023-01-11 14:50:10 +01002115 memset(&zero, 0, sizeof(zero));
Jaeden Amero70261c52019-01-04 11:47:20 +00002116
Gilles Peskine449bd832023-01-11 14:50:10 +01002117 TEST_EQUAL(psa_get_key_lifetime(&func), PSA_KEY_LIFETIME_VOLATILE);
2118 TEST_EQUAL(psa_get_key_lifetime(&init), PSA_KEY_LIFETIME_VOLATILE);
2119 TEST_EQUAL(psa_get_key_lifetime(&zero), PSA_KEY_LIFETIME_VOLATILE);
Jaeden Amero5229bbb2019-02-07 16:33:37 +00002120
Gilles Peskine449bd832023-01-11 14:50:10 +01002121 TEST_EQUAL(psa_get_key_type(&func), 0);
2122 TEST_EQUAL(psa_get_key_type(&init), 0);
2123 TEST_EQUAL(psa_get_key_type(&zero), 0);
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002124
Gilles Peskine449bd832023-01-11 14:50:10 +01002125 TEST_EQUAL(psa_get_key_bits(&func), 0);
2126 TEST_EQUAL(psa_get_key_bits(&init), 0);
2127 TEST_EQUAL(psa_get_key_bits(&zero), 0);
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002128
Gilles Peskine449bd832023-01-11 14:50:10 +01002129 TEST_EQUAL(psa_get_key_usage_flags(&func), 0);
2130 TEST_EQUAL(psa_get_key_usage_flags(&init), 0);
2131 TEST_EQUAL(psa_get_key_usage_flags(&zero), 0);
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002132
Gilles Peskine449bd832023-01-11 14:50:10 +01002133 TEST_EQUAL(psa_get_key_algorithm(&func), 0);
2134 TEST_EQUAL(psa_get_key_algorithm(&init), 0);
2135 TEST_EQUAL(psa_get_key_algorithm(&zero), 0);
Jaeden Amero70261c52019-01-04 11:47:20 +00002136}
2137/* END_CASE */
2138
2139/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002140void mac_key_policy(int policy_usage_arg,
2141 int policy_alg_arg,
2142 int key_type_arg,
2143 data_t *key_data,
2144 int exercise_alg_arg,
2145 int expected_status_sign_arg,
2146 int expected_status_verify_arg)
Gilles Peskined5b33222018-06-18 22:20:03 +02002147{
Ronald Cron5425a212020-08-04 14:58:35 +02002148 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002149 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Jaeden Amero769ce272019-01-04 11:48:03 +00002150 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002151 psa_key_type_t key_type = key_type_arg;
2152 psa_algorithm_t policy_alg = policy_alg_arg;
2153 psa_algorithm_t exercise_alg = exercise_alg_arg;
2154 psa_key_usage_t policy_usage = policy_usage_arg;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002155 psa_status_t status;
Mateusz Starzykd07f4fc2021-08-24 11:01:23 +02002156 psa_status_t expected_status_sign = expected_status_sign_arg;
2157 psa_status_t expected_status_verify = expected_status_verify_arg;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002158 unsigned char mac[PSA_MAC_MAX_SIZE];
Gilles Peskined5b33222018-06-18 22:20:03 +02002159
Gilles Peskine449bd832023-01-11 14:50:10 +01002160 PSA_ASSERT(psa_crypto_init());
Gilles Peskined5b33222018-06-18 22:20:03 +02002161
Gilles Peskine449bd832023-01-11 14:50:10 +01002162 psa_set_key_usage_flags(&attributes, policy_usage);
2163 psa_set_key_algorithm(&attributes, policy_alg);
2164 psa_set_key_type(&attributes, key_type);
Gilles Peskined5b33222018-06-18 22:20:03 +02002165
Gilles Peskine449bd832023-01-11 14:50:10 +01002166 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2167 &key));
Gilles Peskined5b33222018-06-18 22:20:03 +02002168
Gilles Peskine449bd832023-01-11 14:50:10 +01002169 TEST_EQUAL(psa_get_key_usage_flags(&attributes),
2170 mbedtls_test_update_key_usage_flags(policy_usage));
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002171
Gilles Peskine449bd832023-01-11 14:50:10 +01002172 status = psa_mac_sign_setup(&operation, key, exercise_alg);
2173 TEST_EQUAL(status, expected_status_sign);
Steven Cooremanb3ce8152021-02-18 12:03:50 +01002174
Mateusz Starzyk1ebcd552021-08-30 17:09:03 +02002175 /* Calculate the MAC, one-shot case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002176 uint8_t input[128] = { 0 };
Mateusz Starzyk1ebcd552021-08-30 17:09:03 +02002177 size_t mac_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01002178 TEST_EQUAL(psa_mac_compute(key, exercise_alg,
2179 input, 128,
2180 mac, PSA_MAC_MAX_SIZE, &mac_len),
2181 expected_status_sign);
Mateusz Starzyk1ebcd552021-08-30 17:09:03 +02002182
Neil Armstrong3af9b972022-02-07 12:20:21 +01002183 /* Calculate the MAC, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002184 PSA_ASSERT(psa_mac_abort(&operation));
2185 status = psa_mac_sign_setup(&operation, key, exercise_alg);
2186 if (status == PSA_SUCCESS) {
2187 status = psa_mac_update(&operation, input, 128);
2188 if (status == PSA_SUCCESS) {
2189 TEST_EQUAL(psa_mac_sign_finish(&operation, mac, PSA_MAC_MAX_SIZE,
2190 &mac_len),
2191 expected_status_sign);
2192 } else {
2193 TEST_EQUAL(status, expected_status_sign);
2194 }
2195 } else {
2196 TEST_EQUAL(status, expected_status_sign);
Neil Armstrong3af9b972022-02-07 12:20:21 +01002197 }
Gilles Peskine449bd832023-01-11 14:50:10 +01002198 PSA_ASSERT(psa_mac_abort(&operation));
Neil Armstrong3af9b972022-02-07 12:20:21 +01002199
Mateusz Starzyk1ebcd552021-08-30 17:09:03 +02002200 /* Verify correct MAC, one-shot case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002201 status = psa_mac_verify(key, exercise_alg, input, 128,
2202 mac, mac_len);
Mateusz Starzyk1ebcd552021-08-30 17:09:03 +02002203
Gilles Peskine449bd832023-01-11 14:50:10 +01002204 if (expected_status_sign != PSA_SUCCESS && expected_status_verify == PSA_SUCCESS) {
2205 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE);
2206 } else {
2207 TEST_EQUAL(status, expected_status_verify);
2208 }
Gilles Peskinefe11b722018-12-18 00:24:04 +01002209
Neil Armstrong3af9b972022-02-07 12:20:21 +01002210 /* Verify correct MAC, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002211 status = psa_mac_verify_setup(&operation, key, exercise_alg);
2212 if (status == PSA_SUCCESS) {
2213 status = psa_mac_update(&operation, input, 128);
2214 if (status == PSA_SUCCESS) {
2215 status = psa_mac_verify_finish(&operation, mac, mac_len);
2216 if (expected_status_sign != PSA_SUCCESS && expected_status_verify == PSA_SUCCESS) {
2217 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE);
2218 } else {
2219 TEST_EQUAL(status, expected_status_verify);
2220 }
2221 } else {
2222 TEST_EQUAL(status, expected_status_verify);
Neil Armstrong3af9b972022-02-07 12:20:21 +01002223 }
Gilles Peskine449bd832023-01-11 14:50:10 +01002224 } else {
2225 TEST_EQUAL(status, expected_status_verify);
Neil Armstrong3af9b972022-02-07 12:20:21 +01002226 }
2227
Gilles Peskine449bd832023-01-11 14:50:10 +01002228 psa_mac_abort(&operation);
Gilles Peskined5b33222018-06-18 22:20:03 +02002229
Gilles Peskine449bd832023-01-11 14:50:10 +01002230 memset(mac, 0, sizeof(mac));
2231 status = psa_mac_verify_setup(&operation, key, exercise_alg);
2232 TEST_EQUAL(status, expected_status_verify);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002233
2234exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002235 psa_mac_abort(&operation);
2236 psa_destroy_key(key);
2237 PSA_DONE();
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002238}
2239/* END_CASE */
2240
2241/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002242void cipher_key_policy(int policy_usage_arg,
2243 int policy_alg,
2244 int key_type,
2245 data_t *key_data,
2246 int exercise_alg)
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002247{
Ronald Cron5425a212020-08-04 14:58:35 +02002248 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002249 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Jaeden Amero5bae2272019-01-04 11:48:27 +00002250 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002251 psa_key_usage_t policy_usage = policy_usage_arg;
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002252 size_t output_buffer_size = 0;
2253 size_t input_buffer_size = 0;
2254 size_t output_length = 0;
2255 uint8_t *output = NULL;
2256 uint8_t *input = NULL;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002257 psa_status_t status;
2258
Gilles Peskine449bd832023-01-11 14:50:10 +01002259 input_buffer_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(exercise_alg);
2260 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, exercise_alg,
2261 input_buffer_size);
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002262
Tom Cosgrove05b2a872023-07-21 11:31:13 +01002263 TEST_CALLOC(input, input_buffer_size);
2264 TEST_CALLOC(output, output_buffer_size);
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002265
Gilles Peskine449bd832023-01-11 14:50:10 +01002266 PSA_ASSERT(psa_crypto_init());
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002267
Gilles Peskine449bd832023-01-11 14:50:10 +01002268 psa_set_key_usage_flags(&attributes, policy_usage);
2269 psa_set_key_algorithm(&attributes, policy_alg);
2270 psa_set_key_type(&attributes, key_type);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002271
Gilles Peskine449bd832023-01-11 14:50:10 +01002272 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2273 &key));
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002274
gabor-mezei-arm98a34352021-06-28 14:05:00 +02002275 /* Check if no key usage flag implication is done */
Gilles Peskine449bd832023-01-11 14:50:10 +01002276 TEST_EQUAL(policy_usage,
2277 mbedtls_test_update_key_usage_flags(policy_usage));
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002278
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002279 /* Encrypt check, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002280 status = psa_cipher_encrypt(key, exercise_alg, input, input_buffer_size,
2281 output, output_buffer_size,
2282 &output_length);
2283 if (policy_alg == exercise_alg &&
2284 (policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) {
2285 PSA_ASSERT(status);
2286 } else {
2287 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2288 }
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002289
2290 /* Encrypt check, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002291 status = psa_cipher_encrypt_setup(&operation, key, exercise_alg);
2292 if (policy_alg == exercise_alg &&
2293 (policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) {
2294 PSA_ASSERT(status);
2295 } else {
2296 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2297 }
2298 psa_cipher_abort(&operation);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002299
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002300 /* Decrypt check, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002301 status = psa_cipher_decrypt(key, exercise_alg, output, output_buffer_size,
2302 input, input_buffer_size,
2303 &output_length);
2304 if (policy_alg == exercise_alg &&
2305 (policy_usage & PSA_KEY_USAGE_DECRYPT) != 0) {
2306 PSA_ASSERT(status);
2307 } else {
2308 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2309 }
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002310
2311 /* Decrypt check, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002312 status = psa_cipher_decrypt_setup(&operation, key, exercise_alg);
2313 if (policy_alg == exercise_alg &&
2314 (policy_usage & PSA_KEY_USAGE_DECRYPT) != 0) {
2315 PSA_ASSERT(status);
2316 } else {
2317 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2318 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002319
2320exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002321 psa_cipher_abort(&operation);
2322 mbedtls_free(input);
2323 mbedtls_free(output);
2324 psa_destroy_key(key);
2325 PSA_DONE();
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002326}
2327/* END_CASE */
2328
2329/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002330void aead_key_policy(int policy_usage_arg,
2331 int policy_alg,
2332 int key_type,
2333 data_t *key_data,
2334 int nonce_length_arg,
2335 int tag_length_arg,
2336 int exercise_alg,
2337 int expected_status_arg)
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002338{
Ronald Cron5425a212020-08-04 14:58:35 +02002339 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002340 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Neil Armstrong752d8112022-02-07 14:51:11 +01002341 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002342 psa_key_usage_t policy_usage = policy_usage_arg;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002343 psa_status_t status;
Steven Cooremanb3ce8152021-02-18 12:03:50 +01002344 psa_status_t expected_status = expected_status_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01002345 unsigned char nonce[16] = { 0 };
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002346 size_t nonce_length = nonce_length_arg;
2347 unsigned char tag[16];
2348 size_t tag_length = tag_length_arg;
2349 size_t output_length;
2350
Gilles Peskine449bd832023-01-11 14:50:10 +01002351 TEST_LE_U(nonce_length, sizeof(nonce));
2352 TEST_LE_U(tag_length, sizeof(tag));
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002353
Gilles Peskine449bd832023-01-11 14:50:10 +01002354 PSA_ASSERT(psa_crypto_init());
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002355
Gilles Peskine449bd832023-01-11 14:50:10 +01002356 psa_set_key_usage_flags(&attributes, policy_usage);
2357 psa_set_key_algorithm(&attributes, policy_alg);
2358 psa_set_key_type(&attributes, key_type);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002359
Gilles Peskine449bd832023-01-11 14:50:10 +01002360 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2361 &key));
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002362
gabor-mezei-arm98a34352021-06-28 14:05:00 +02002363 /* Check if no key usage implication is done */
Gilles Peskine449bd832023-01-11 14:50:10 +01002364 TEST_EQUAL(policy_usage,
2365 mbedtls_test_update_key_usage_flags(policy_usage));
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002366
Neil Armstrong752d8112022-02-07 14:51:11 +01002367 /* Encrypt check, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002368 status = psa_aead_encrypt(key, exercise_alg,
2369 nonce, nonce_length,
2370 NULL, 0,
2371 NULL, 0,
2372 tag, tag_length,
2373 &output_length);
2374 if ((policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) {
2375 TEST_EQUAL(status, expected_status);
2376 } else {
2377 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2378 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002379
Neil Armstrong752d8112022-02-07 14:51:11 +01002380 /* Encrypt check, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002381 status = psa_aead_encrypt_setup(&operation, key, exercise_alg);
2382 if ((policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) {
2383 TEST_EQUAL(status, expected_status);
2384 } else {
2385 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2386 }
Neil Armstrong752d8112022-02-07 14:51:11 +01002387
2388 /* Decrypt check, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002389 memset(tag, 0, sizeof(tag));
2390 status = psa_aead_decrypt(key, exercise_alg,
2391 nonce, nonce_length,
2392 NULL, 0,
2393 tag, tag_length,
2394 NULL, 0,
2395 &output_length);
2396 if ((policy_usage & PSA_KEY_USAGE_DECRYPT) == 0) {
2397 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2398 } else if (expected_status == PSA_SUCCESS) {
2399 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE);
2400 } else {
2401 TEST_EQUAL(status, expected_status);
2402 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002403
Neil Armstrong752d8112022-02-07 14:51:11 +01002404 /* Decrypt check, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002405 PSA_ASSERT(psa_aead_abort(&operation));
2406 status = psa_aead_decrypt_setup(&operation, key, exercise_alg);
2407 if ((policy_usage & PSA_KEY_USAGE_DECRYPT) == 0) {
2408 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2409 } else {
2410 TEST_EQUAL(status, expected_status);
2411 }
Neil Armstrong752d8112022-02-07 14:51:11 +01002412
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002413exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002414 PSA_ASSERT(psa_aead_abort(&operation));
2415 psa_destroy_key(key);
2416 PSA_DONE();
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002417}
2418/* END_CASE */
2419
2420/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002421void asymmetric_encryption_key_policy(int policy_usage_arg,
2422 int policy_alg,
2423 int key_type,
2424 data_t *key_data,
Valerio Settif202c292024-01-15 10:42:37 +01002425 int exercise_alg,
2426 int use_opaque_key)
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002427{
Ronald Cron5425a212020-08-04 14:58:35 +02002428 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002429 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002430 psa_key_usage_t policy_usage = policy_usage_arg;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002431 psa_status_t status;
2432 size_t key_bits;
2433 size_t buffer_length;
2434 unsigned char *buffer = NULL;
2435 size_t output_length;
2436
Gilles Peskine449bd832023-01-11 14:50:10 +01002437 PSA_ASSERT(psa_crypto_init());
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002438
Gilles Peskine449bd832023-01-11 14:50:10 +01002439 psa_set_key_usage_flags(&attributes, policy_usage);
2440 psa_set_key_algorithm(&attributes, policy_alg);
2441 psa_set_key_type(&attributes, key_type);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002442
Valerio Settif202c292024-01-15 10:42:37 +01002443 if (use_opaque_key) {
2444 psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
2445 PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION));
2446 }
2447
Gilles Peskine449bd832023-01-11 14:50:10 +01002448 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2449 &key));
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002450
gabor-mezei-arm98a34352021-06-28 14:05:00 +02002451 /* Check if no key usage implication is done */
Gilles Peskine449bd832023-01-11 14:50:10 +01002452 TEST_EQUAL(policy_usage,
2453 mbedtls_test_update_key_usage_flags(policy_usage));
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002454
Gilles Peskine449bd832023-01-11 14:50:10 +01002455 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
2456 key_bits = psa_get_key_bits(&attributes);
2457 buffer_length = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits,
2458 exercise_alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01002459 TEST_CALLOC(buffer, buffer_length);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002460
Gilles Peskine449bd832023-01-11 14:50:10 +01002461 status = psa_asymmetric_encrypt(key, exercise_alg,
2462 NULL, 0,
2463 NULL, 0,
2464 buffer, buffer_length,
2465 &output_length);
2466 if (policy_alg == exercise_alg &&
2467 (policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) {
2468 PSA_ASSERT(status);
2469 } else {
2470 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2471 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002472
Gilles Peskine449bd832023-01-11 14:50:10 +01002473 if (buffer_length != 0) {
2474 memset(buffer, 0, buffer_length);
2475 }
2476 status = psa_asymmetric_decrypt(key, exercise_alg,
2477 buffer, buffer_length,
2478 NULL, 0,
2479 buffer, buffer_length,
2480 &output_length);
2481 if (policy_alg == exercise_alg &&
2482 (policy_usage & PSA_KEY_USAGE_DECRYPT) != 0) {
2483 TEST_EQUAL(status, PSA_ERROR_INVALID_PADDING);
2484 } else {
2485 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2486 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002487
2488exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002489 /*
2490 * Key attributes may have been returned by psa_get_key_attributes()
2491 * thus reset them as required.
2492 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002493 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002494
Gilles Peskine449bd832023-01-11 14:50:10 +01002495 psa_destroy_key(key);
2496 PSA_DONE();
2497 mbedtls_free(buffer);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002498}
2499/* END_CASE */
2500
2501/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002502void asymmetric_signature_key_policy(int policy_usage_arg,
2503 int policy_alg,
2504 int key_type,
2505 data_t *key_data,
2506 int exercise_alg,
2507 int payload_length_arg,
2508 int expected_usage_arg)
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002509{
Ronald Cron5425a212020-08-04 14:58:35 +02002510 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002511 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002512 psa_key_usage_t policy_usage = policy_usage_arg;
2513 psa_key_usage_t expected_usage = expected_usage_arg;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002514 psa_status_t status;
Gilles Peskine449bd832023-01-11 14:50:10 +01002515 unsigned char payload[PSA_HASH_MAX_SIZE] = { 1 };
Gilles Peskine30f77cd2019-01-14 16:06:39 +01002516 /* If `payload_length_arg > 0`, `exercise_alg` is supposed to be
2517 * compatible with the policy and `payload_length_arg` is supposed to be
2518 * a valid input length to sign. If `payload_length_arg <= 0`,
2519 * `exercise_alg` is supposed to be forbidden by the policy. */
2520 int compatible_alg = payload_length_arg > 0;
2521 size_t payload_length = compatible_alg ? payload_length_arg : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01002522 unsigned char signature[PSA_SIGNATURE_MAX_SIZE] = { 0 };
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002523 size_t signature_length;
2524
gabor-mezei-arm98a34352021-06-28 14:05:00 +02002525 /* Check if all implicit usage flags are deployed
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002526 in the expected usage flags. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002527 TEST_EQUAL(expected_usage,
2528 mbedtls_test_update_key_usage_flags(policy_usage));
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002529
Gilles Peskine449bd832023-01-11 14:50:10 +01002530 PSA_ASSERT(psa_crypto_init());
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002531
Gilles Peskine449bd832023-01-11 14:50:10 +01002532 psa_set_key_usage_flags(&attributes, policy_usage);
2533 psa_set_key_algorithm(&attributes, policy_alg);
2534 psa_set_key_type(&attributes, key_type);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002535
Gilles Peskine449bd832023-01-11 14:50:10 +01002536 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2537 &key));
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002538
Gilles Peskine449bd832023-01-11 14:50:10 +01002539 TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage);
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002540
Gilles Peskine449bd832023-01-11 14:50:10 +01002541 status = psa_sign_hash(key, exercise_alg,
2542 payload, payload_length,
2543 signature, sizeof(signature),
2544 &signature_length);
2545 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_SIGN_HASH) != 0) {
2546 PSA_ASSERT(status);
2547 } else {
2548 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2549 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002550
Gilles Peskine449bd832023-01-11 14:50:10 +01002551 memset(signature, 0, sizeof(signature));
2552 status = psa_verify_hash(key, exercise_alg,
2553 payload, payload_length,
2554 signature, sizeof(signature));
2555 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) != 0) {
2556 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE);
2557 } else {
2558 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2559 }
Gilles Peskined5b33222018-06-18 22:20:03 +02002560
Gilles Peskine449bd832023-01-11 14:50:10 +01002561 if (PSA_ALG_IS_SIGN_HASH(exercise_alg) &&
2562 PSA_ALG_IS_HASH(PSA_ALG_SIGN_GET_HASH(exercise_alg))) {
2563 status = psa_sign_message(key, exercise_alg,
2564 payload, payload_length,
2565 signature, sizeof(signature),
2566 &signature_length);
2567 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_SIGN_MESSAGE) != 0) {
2568 PSA_ASSERT(status);
2569 } else {
2570 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2571 }
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002572
Gilles Peskine449bd832023-01-11 14:50:10 +01002573 memset(signature, 0, sizeof(signature));
2574 status = psa_verify_message(key, exercise_alg,
2575 payload, payload_length,
2576 signature, sizeof(signature));
2577 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_VERIFY_MESSAGE) != 0) {
2578 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE);
2579 } else {
2580 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2581 }
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002582 }
2583
Gilles Peskined5b33222018-06-18 22:20:03 +02002584exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002585 psa_destroy_key(key);
2586 PSA_DONE();
Gilles Peskined5b33222018-06-18 22:20:03 +02002587}
2588/* END_CASE */
2589
Janos Follathba3fab92019-06-11 14:50:16 +01002590/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002591void derive_key_policy(int policy_usage,
2592 int policy_alg,
2593 int key_type,
2594 data_t *key_data,
2595 int exercise_alg)
Gilles Peskineea0fb492018-07-12 17:17:20 +02002596{
Ronald Cron5425a212020-08-04 14:58:35 +02002597 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002598 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02002599 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineea0fb492018-07-12 17:17:20 +02002600 psa_status_t status;
2601
Gilles Peskine449bd832023-01-11 14:50:10 +01002602 PSA_ASSERT(psa_crypto_init());
Gilles Peskineea0fb492018-07-12 17:17:20 +02002603
Gilles Peskine449bd832023-01-11 14:50:10 +01002604 psa_set_key_usage_flags(&attributes, policy_usage);
2605 psa_set_key_algorithm(&attributes, policy_alg);
2606 psa_set_key_type(&attributes, key_type);
Gilles Peskineea0fb492018-07-12 17:17:20 +02002607
Gilles Peskine449bd832023-01-11 14:50:10 +01002608 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2609 &key));
Gilles Peskineea0fb492018-07-12 17:17:20 +02002610
Gilles Peskine449bd832023-01-11 14:50:10 +01002611 PSA_ASSERT(psa_key_derivation_setup(&operation, exercise_alg));
Janos Follathba3fab92019-06-11 14:50:16 +01002612
Gilles Peskine449bd832023-01-11 14:50:10 +01002613 if (PSA_ALG_IS_TLS12_PRF(exercise_alg) ||
2614 PSA_ALG_IS_TLS12_PSK_TO_MS(exercise_alg)) {
2615 PSA_ASSERT(psa_key_derivation_input_bytes(
2616 &operation,
2617 PSA_KEY_DERIVATION_INPUT_SEED,
2618 (const uint8_t *) "", 0));
Janos Follath0c1ed842019-06-28 13:35:36 +01002619 }
Janos Follathba3fab92019-06-11 14:50:16 +01002620
Gilles Peskine449bd832023-01-11 14:50:10 +01002621 status = psa_key_derivation_input_key(&operation,
2622 PSA_KEY_DERIVATION_INPUT_SECRET,
2623 key);
Janos Follathba3fab92019-06-11 14:50:16 +01002624
Gilles Peskine449bd832023-01-11 14:50:10 +01002625 if (policy_alg == exercise_alg &&
2626 (policy_usage & PSA_KEY_USAGE_DERIVE) != 0) {
2627 PSA_ASSERT(status);
2628 } else {
2629 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2630 }
Gilles Peskineea0fb492018-07-12 17:17:20 +02002631
2632exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002633 psa_key_derivation_abort(&operation);
2634 psa_destroy_key(key);
2635 PSA_DONE();
Gilles Peskineea0fb492018-07-12 17:17:20 +02002636}
2637/* END_CASE */
2638
2639/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002640void agreement_key_policy(int policy_usage,
2641 int policy_alg,
2642 int key_type_arg,
2643 data_t *key_data,
2644 int exercise_alg,
2645 int expected_status_arg)
Gilles Peskine01d718c2018-09-18 12:01:02 +02002646{
Ronald Cron5425a212020-08-04 14:58:35 +02002647 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002648 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine01d718c2018-09-18 12:01:02 +02002649 psa_key_type_t key_type = key_type_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02002650 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskine01d718c2018-09-18 12:01:02 +02002651 psa_status_t status;
Steven Cooremance48e852020-10-05 16:02:45 +02002652 psa_status_t expected_status = expected_status_arg;
Gilles Peskine01d718c2018-09-18 12:01:02 +02002653
Gilles Peskine449bd832023-01-11 14:50:10 +01002654 PSA_ASSERT(psa_crypto_init());
Gilles Peskine01d718c2018-09-18 12:01:02 +02002655
Gilles Peskine449bd832023-01-11 14:50:10 +01002656 psa_set_key_usage_flags(&attributes, policy_usage);
2657 psa_set_key_algorithm(&attributes, policy_alg);
2658 psa_set_key_type(&attributes, key_type);
Gilles Peskine01d718c2018-09-18 12:01:02 +02002659
Gilles Peskine449bd832023-01-11 14:50:10 +01002660 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2661 &key));
Gilles Peskine01d718c2018-09-18 12:01:02 +02002662
Gilles Peskine449bd832023-01-11 14:50:10 +01002663 PSA_ASSERT(psa_key_derivation_setup(&operation, exercise_alg));
Ryan Everett73e4ea32024-03-12 16:29:55 +00002664 status = mbedtls_test_psa_key_agreement_with_self(&operation, key, 0);
Gilles Peskine01d718c2018-09-18 12:01:02 +02002665
Gilles Peskine449bd832023-01-11 14:50:10 +01002666 TEST_EQUAL(status, expected_status);
Gilles Peskine01d718c2018-09-18 12:01:02 +02002667
2668exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002669 psa_key_derivation_abort(&operation);
2670 psa_destroy_key(key);
2671 PSA_DONE();
Gilles Peskine01d718c2018-09-18 12:01:02 +02002672}
2673/* END_CASE */
2674
2675/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002676void key_policy_alg2(int key_type_arg, data_t *key_data,
2677 int usage_arg, int alg_arg, int alg2_arg)
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002678{
Ronald Cron5425a212020-08-04 14:58:35 +02002679 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002680 psa_key_type_t key_type = key_type_arg;
2681 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
2682 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
2683 psa_key_usage_t usage = usage_arg;
2684 psa_algorithm_t alg = alg_arg;
2685 psa_algorithm_t alg2 = alg2_arg;
2686
Gilles Peskine449bd832023-01-11 14:50:10 +01002687 PSA_ASSERT(psa_crypto_init());
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002688
Gilles Peskine449bd832023-01-11 14:50:10 +01002689 psa_set_key_usage_flags(&attributes, usage);
2690 psa_set_key_algorithm(&attributes, alg);
2691 psa_set_key_enrollment_algorithm(&attributes, alg2);
2692 psa_set_key_type(&attributes, key_type);
2693 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2694 &key));
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002695
gabor-mezei-arm98a34352021-06-28 14:05:00 +02002696 /* Update the usage flags to obtain implicit usage flags */
Gilles Peskine449bd832023-01-11 14:50:10 +01002697 usage = mbedtls_test_update_key_usage_flags(usage);
2698 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
2699 TEST_EQUAL(psa_get_key_usage_flags(&got_attributes), usage);
2700 TEST_EQUAL(psa_get_key_algorithm(&got_attributes), alg);
2701 TEST_EQUAL(psa_get_key_enrollment_algorithm(&got_attributes), alg2);
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002702
Ryan Everett0a271fd2024-03-12 16:34:02 +00002703 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002704 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01002705 }
Ryan Everett0a271fd2024-03-12 16:34:02 +00002706 if (!mbedtls_test_psa_exercise_key(key, usage, alg2, 0)) {
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002707 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01002708 }
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002709
2710exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002711 /*
2712 * Key attributes may have been returned by psa_get_key_attributes()
2713 * thus reset them as required.
2714 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002715 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002716
Gilles Peskine449bd832023-01-11 14:50:10 +01002717 psa_destroy_key(key);
2718 PSA_DONE();
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002719}
2720/* END_CASE */
2721
2722/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002723void raw_agreement_key_policy(int policy_usage,
2724 int policy_alg,
2725 int key_type_arg,
2726 data_t *key_data,
2727 int exercise_alg,
2728 int expected_status_arg)
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002729{
Ronald Cron5425a212020-08-04 14:58:35 +02002730 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002731 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002732 psa_key_type_t key_type = key_type_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02002733 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002734 psa_status_t status;
Steven Cooremance48e852020-10-05 16:02:45 +02002735 psa_status_t expected_status = expected_status_arg;
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002736
Gilles Peskine449bd832023-01-11 14:50:10 +01002737 PSA_ASSERT(psa_crypto_init());
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002738
Gilles Peskine449bd832023-01-11 14:50:10 +01002739 psa_set_key_usage_flags(&attributes, policy_usage);
2740 psa_set_key_algorithm(&attributes, policy_alg);
2741 psa_set_key_type(&attributes, key_type);
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002742
Gilles Peskine449bd832023-01-11 14:50:10 +01002743 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2744 &key));
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002745
Ryan Everett81630282024-03-12 16:21:12 +00002746 status = mbedtls_test_psa_raw_key_agreement_with_self(exercise_alg, key, 0);
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002747
Gilles Peskine449bd832023-01-11 14:50:10 +01002748 TEST_EQUAL(status, expected_status);
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002749
2750exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002751 psa_key_derivation_abort(&operation);
2752 psa_destroy_key(key);
2753 PSA_DONE();
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002754}
2755/* END_CASE */
2756
2757/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002758void copy_success(int source_usage_arg,
2759 int source_alg_arg, int source_alg2_arg,
Gilles Peskine4ea4ad02022-12-04 15:11:00 +01002760 int source_lifetime_arg,
Gilles Peskine449bd832023-01-11 14:50:10 +01002761 int type_arg, data_t *material,
2762 int copy_attributes,
2763 int target_usage_arg,
2764 int target_alg_arg, int target_alg2_arg,
Gilles Peskine4ea4ad02022-12-04 15:11:00 +01002765 int target_lifetime_arg,
Gilles Peskine449bd832023-01-11 14:50:10 +01002766 int expected_usage_arg,
2767 int expected_alg_arg, int expected_alg2_arg)
Gilles Peskine57ab7212019-01-28 13:03:09 +01002768{
Gilles Peskineca25db92019-04-19 11:43:08 +02002769 psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT;
2770 psa_key_attributes_t target_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine57ab7212019-01-28 13:03:09 +01002771 psa_key_usage_t expected_usage = expected_usage_arg;
2772 psa_algorithm_t expected_alg = expected_alg_arg;
Gilles Peskinebcdd44b2019-05-20 17:28:11 +02002773 psa_algorithm_t expected_alg2 = expected_alg2_arg;
Archana8a180362021-07-05 02:18:48 +05302774 psa_key_lifetime_t source_lifetime = source_lifetime_arg;
2775 psa_key_lifetime_t target_lifetime = target_lifetime_arg;
Ronald Cron5425a212020-08-04 14:58:35 +02002776 mbedtls_svc_key_id_t source_key = MBEDTLS_SVC_KEY_ID_INIT;
2777 mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine57ab7212019-01-28 13:03:09 +01002778 uint8_t *export_buffer = NULL;
2779
Gilles Peskine449bd832023-01-11 14:50:10 +01002780 PSA_ASSERT(psa_crypto_init());
Gilles Peskine57ab7212019-01-28 13:03:09 +01002781
Gilles Peskineca25db92019-04-19 11:43:08 +02002782 /* Prepare the source key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002783 psa_set_key_usage_flags(&source_attributes, source_usage_arg);
2784 psa_set_key_algorithm(&source_attributes, source_alg_arg);
2785 psa_set_key_enrollment_algorithm(&source_attributes, source_alg2_arg);
2786 psa_set_key_type(&source_attributes, type_arg);
2787 psa_set_key_lifetime(&source_attributes, source_lifetime);
2788 PSA_ASSERT(psa_import_key(&source_attributes,
2789 material->x, material->len,
2790 &source_key));
2791 PSA_ASSERT(psa_get_key_attributes(source_key, &source_attributes));
Gilles Peskine57ab7212019-01-28 13:03:09 +01002792
Gilles Peskineca25db92019-04-19 11:43:08 +02002793 /* Prepare the target attributes. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002794 if (copy_attributes) {
Gilles Peskineca25db92019-04-19 11:43:08 +02002795 target_attributes = source_attributes;
Ronald Cron65f38a32020-10-23 17:11:13 +02002796 }
Gilles Peskine449bd832023-01-11 14:50:10 +01002797 psa_set_key_lifetime(&target_attributes, target_lifetime);
Ronald Cron65f38a32020-10-23 17:11:13 +02002798
Gilles Peskine449bd832023-01-11 14:50:10 +01002799 if (target_usage_arg != -1) {
2800 psa_set_key_usage_flags(&target_attributes, target_usage_arg);
2801 }
2802 if (target_alg_arg != -1) {
2803 psa_set_key_algorithm(&target_attributes, target_alg_arg);
2804 }
2805 if (target_alg2_arg != -1) {
2806 psa_set_key_enrollment_algorithm(&target_attributes, target_alg2_arg);
2807 }
Gilles Peskine57ab7212019-01-28 13:03:09 +01002808
Archana8a180362021-07-05 02:18:48 +05302809
Gilles Peskine57ab7212019-01-28 13:03:09 +01002810 /* Copy the key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002811 PSA_ASSERT(psa_copy_key(source_key,
2812 &target_attributes, &target_key));
Gilles Peskine57ab7212019-01-28 13:03:09 +01002813
2814 /* Destroy the source to ensure that this doesn't affect the target. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002815 PSA_ASSERT(psa_destroy_key(source_key));
Gilles Peskine57ab7212019-01-28 13:03:09 +01002816
2817 /* Test that the target slot has the expected content and policy. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002818 PSA_ASSERT(psa_get_key_attributes(target_key, &target_attributes));
2819 TEST_EQUAL(psa_get_key_type(&source_attributes),
2820 psa_get_key_type(&target_attributes));
2821 TEST_EQUAL(psa_get_key_bits(&source_attributes),
2822 psa_get_key_bits(&target_attributes));
2823 TEST_EQUAL(expected_usage, psa_get_key_usage_flags(&target_attributes));
2824 TEST_EQUAL(expected_alg, psa_get_key_algorithm(&target_attributes));
2825 TEST_EQUAL(expected_alg2,
2826 psa_get_key_enrollment_algorithm(&target_attributes));
2827 if (expected_usage & PSA_KEY_USAGE_EXPORT) {
Gilles Peskine57ab7212019-01-28 13:03:09 +01002828 size_t length;
Tom Cosgrove05b2a872023-07-21 11:31:13 +01002829 TEST_CALLOC(export_buffer, material->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01002830 PSA_ASSERT(psa_export_key(target_key, export_buffer,
2831 material->len, &length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01002832 TEST_MEMORY_COMPARE(material->x, material->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01002833 export_buffer, length);
Gilles Peskine57ab7212019-01-28 13:03:09 +01002834 }
Steven Cooremanb3ce8152021-02-18 12:03:50 +01002835
Gilles Peskine449bd832023-01-11 14:50:10 +01002836 if (!psa_key_lifetime_is_external(target_lifetime)) {
Ryan Everett0a271fd2024-03-12 16:34:02 +00002837 if (!mbedtls_test_psa_exercise_key(target_key, expected_usage, expected_alg, 0)) {
Archana8a180362021-07-05 02:18:48 +05302838 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01002839 }
Ryan Everett0a271fd2024-03-12 16:34:02 +00002840 if (!mbedtls_test_psa_exercise_key(target_key, expected_usage, expected_alg2, 0)) {
Archana8a180362021-07-05 02:18:48 +05302841 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01002842 }
Archana8a180362021-07-05 02:18:48 +05302843 }
Gilles Peskine57ab7212019-01-28 13:03:09 +01002844
Gilles Peskine449bd832023-01-11 14:50:10 +01002845 PSA_ASSERT(psa_destroy_key(target_key));
Gilles Peskine57ab7212019-01-28 13:03:09 +01002846
2847exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002848 /*
2849 * Source and target key attributes may have been returned by
2850 * psa_get_key_attributes() thus reset them as required.
2851 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002852 psa_reset_key_attributes(&source_attributes);
2853 psa_reset_key_attributes(&target_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002854
Gilles Peskine449bd832023-01-11 14:50:10 +01002855 PSA_DONE();
2856 mbedtls_free(export_buffer);
Gilles Peskine57ab7212019-01-28 13:03:09 +01002857}
2858/* END_CASE */
2859
2860/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002861void copy_fail(int source_usage_arg,
2862 int source_alg_arg, int source_alg2_arg,
2863 int source_lifetime_arg,
2864 int type_arg, data_t *material,
2865 int target_type_arg, int target_bits_arg,
2866 int target_usage_arg,
2867 int target_alg_arg, int target_alg2_arg,
2868 int target_id_arg, int target_lifetime_arg,
2869 int expected_status_arg)
Gilles Peskine4a644642019-05-03 17:14:08 +02002870{
2871 psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT;
2872 psa_key_attributes_t target_attributes = PSA_KEY_ATTRIBUTES_INIT;
Ronald Cron5425a212020-08-04 14:58:35 +02002873 mbedtls_svc_key_id_t source_key = MBEDTLS_SVC_KEY_ID_INIT;
2874 mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +01002875 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, target_id_arg);
Gilles Peskine4a644642019-05-03 17:14:08 +02002876
Gilles Peskine449bd832023-01-11 14:50:10 +01002877 PSA_ASSERT(psa_crypto_init());
Gilles Peskine4a644642019-05-03 17:14:08 +02002878
2879 /* Prepare the source key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002880 psa_set_key_usage_flags(&source_attributes, source_usage_arg);
2881 psa_set_key_algorithm(&source_attributes, source_alg_arg);
2882 psa_set_key_enrollment_algorithm(&source_attributes, source_alg2_arg);
2883 psa_set_key_type(&source_attributes, type_arg);
2884 psa_set_key_lifetime(&source_attributes, source_lifetime_arg);
2885 PSA_ASSERT(psa_import_key(&source_attributes,
2886 material->x, material->len,
2887 &source_key));
Gilles Peskine4a644642019-05-03 17:14:08 +02002888
2889 /* Prepare the target attributes. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002890 psa_set_key_id(&target_attributes, key_id);
2891 psa_set_key_lifetime(&target_attributes, target_lifetime_arg);
2892 psa_set_key_type(&target_attributes, target_type_arg);
2893 psa_set_key_bits(&target_attributes, target_bits_arg);
2894 psa_set_key_usage_flags(&target_attributes, target_usage_arg);
2895 psa_set_key_algorithm(&target_attributes, target_alg_arg);
2896 psa_set_key_enrollment_algorithm(&target_attributes, target_alg2_arg);
Gilles Peskine4a644642019-05-03 17:14:08 +02002897
2898 /* Try to copy the key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002899 TEST_EQUAL(psa_copy_key(source_key,
2900 &target_attributes, &target_key),
2901 expected_status_arg);
Gilles Peskine76b29a72019-05-28 14:08:50 +02002902
Gilles Peskine449bd832023-01-11 14:50:10 +01002903 PSA_ASSERT(psa_destroy_key(source_key));
Gilles Peskine76b29a72019-05-28 14:08:50 +02002904
Gilles Peskine4a644642019-05-03 17:14:08 +02002905exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002906 psa_reset_key_attributes(&source_attributes);
2907 psa_reset_key_attributes(&target_attributes);
2908 PSA_DONE();
Gilles Peskine4a644642019-05-03 17:14:08 +02002909}
2910/* END_CASE */
2911
2912/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002913void hash_operation_init()
Jaeden Amero6a25b412019-01-04 11:47:44 +00002914{
Jaeden Ameroa0f625a2019-02-15 13:52:25 +00002915 const uint8_t input[1] = { 0 };
Jaeden Amero6a25b412019-01-04 11:47:44 +00002916 /* Test each valid way of initializing the object, except for `= {0}`, as
2917 * Clang 5 complains when `-Wmissing-field-initializers` is used, even
2918 * though it's OK by the C standard. We could test for this, but we'd need
Shaun Case8b0ecbc2021-12-20 21:14:10 -08002919 * to suppress the Clang warning for the test. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002920 psa_hash_operation_t func = psa_hash_operation_init();
Jaeden Amero6a25b412019-01-04 11:47:44 +00002921 psa_hash_operation_t init = PSA_HASH_OPERATION_INIT;
2922 psa_hash_operation_t zero;
2923
Gilles Peskine449bd832023-01-11 14:50:10 +01002924 memset(&zero, 0, sizeof(zero));
Jaeden Amero6a25b412019-01-04 11:47:44 +00002925
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00002926 /* A freshly-initialized hash operation should not be usable. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002927 TEST_EQUAL(psa_hash_update(&func, input, sizeof(input)),
2928 PSA_ERROR_BAD_STATE);
2929 TEST_EQUAL(psa_hash_update(&init, input, sizeof(input)),
2930 PSA_ERROR_BAD_STATE);
2931 TEST_EQUAL(psa_hash_update(&zero, input, sizeof(input)),
2932 PSA_ERROR_BAD_STATE);
Jaeden Ameroa0f625a2019-02-15 13:52:25 +00002933
Jaeden Amero5229bbb2019-02-07 16:33:37 +00002934 /* A default hash operation should be abortable without error. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002935 PSA_ASSERT(psa_hash_abort(&func));
2936 PSA_ASSERT(psa_hash_abort(&init));
2937 PSA_ASSERT(psa_hash_abort(&zero));
Jaeden Amero6a25b412019-01-04 11:47:44 +00002938}
2939/* END_CASE */
2940
2941/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002942void hash_setup(int alg_arg,
2943 int expected_status_arg)
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002944{
2945 psa_algorithm_t alg = alg_arg;
Neil Armstrongedb20862022-02-07 15:47:44 +01002946 uint8_t *output = NULL;
2947 size_t output_size = 0;
2948 size_t output_length = 0;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02002949 psa_status_t expected_status = expected_status_arg;
Jaeden Amero6a25b412019-01-04 11:47:44 +00002950 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002951 psa_status_t status;
2952
Gilles Peskine449bd832023-01-11 14:50:10 +01002953 PSA_ASSERT(psa_crypto_init());
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002954
Neil Armstrongedb20862022-02-07 15:47:44 +01002955 /* Hash Setup, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002956 output_size = PSA_HASH_LENGTH(alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01002957 TEST_CALLOC(output, output_size);
Neil Armstrongedb20862022-02-07 15:47:44 +01002958
Gilles Peskine449bd832023-01-11 14:50:10 +01002959 status = psa_hash_compute(alg, NULL, 0,
2960 output, output_size, &output_length);
2961 TEST_EQUAL(status, expected_status);
Neil Armstrongedb20862022-02-07 15:47:44 +01002962
2963 /* Hash Setup, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002964 status = psa_hash_setup(&operation, alg);
2965 TEST_EQUAL(status, expected_status);
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002966
Gilles Peskine9e0a4a52019-02-25 22:11:18 +01002967 /* Whether setup succeeded or failed, abort must succeed. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002968 PSA_ASSERT(psa_hash_abort(&operation));
Gilles Peskine9e0a4a52019-02-25 22:11:18 +01002969
2970 /* If setup failed, reproduce the failure, so as to
2971 * test the resulting state of the operation object. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002972 if (status != PSA_SUCCESS) {
2973 TEST_EQUAL(psa_hash_setup(&operation, alg), status);
2974 }
Gilles Peskine9e0a4a52019-02-25 22:11:18 +01002975
Gilles Peskinef426e0f2019-02-25 17:42:03 +01002976 /* Now the operation object should be reusable. */
2977#if defined(KNOWN_SUPPORTED_HASH_ALG)
Gilles Peskine449bd832023-01-11 14:50:10 +01002978 PSA_ASSERT(psa_hash_setup(&operation, KNOWN_SUPPORTED_HASH_ALG));
2979 PSA_ASSERT(psa_hash_abort(&operation));
Gilles Peskinef426e0f2019-02-25 17:42:03 +01002980#endif
2981
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002982exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002983 mbedtls_free(output);
2984 PSA_DONE();
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002985}
2986/* END_CASE */
2987
2988/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002989void hash_compute_fail(int alg_arg, data_t *input,
2990 int output_size_arg, int expected_status_arg)
Gilles Peskine0a749c82019-11-28 19:33:58 +01002991{
2992 psa_algorithm_t alg = alg_arg;
2993 uint8_t *output = NULL;
2994 size_t output_size = output_size_arg;
2995 size_t output_length = INVALID_EXPORT_LENGTH;
Neil Armstrong161ec5c2022-02-07 11:18:45 +01002996 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
Gilles Peskine0a749c82019-11-28 19:33:58 +01002997 psa_status_t expected_status = expected_status_arg;
2998 psa_status_t status;
2999
Tom Cosgrove05b2a872023-07-21 11:31:13 +01003000 TEST_CALLOC(output, output_size);
Gilles Peskine0a749c82019-11-28 19:33:58 +01003001
Gilles Peskine449bd832023-01-11 14:50:10 +01003002 PSA_ASSERT(psa_crypto_init());
Gilles Peskine0a749c82019-11-28 19:33:58 +01003003
Neil Armstrong161ec5c2022-02-07 11:18:45 +01003004 /* Hash Compute, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003005 status = psa_hash_compute(alg, input->x, input->len,
3006 output, output_size, &output_length);
3007 TEST_EQUAL(status, expected_status);
3008 TEST_LE_U(output_length, output_size);
Gilles Peskine0a749c82019-11-28 19:33:58 +01003009
Neil Armstrong161ec5c2022-02-07 11:18:45 +01003010 /* Hash Compute, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003011 status = psa_hash_setup(&operation, alg);
3012 if (status == PSA_SUCCESS) {
3013 status = psa_hash_update(&operation, input->x, input->len);
3014 if (status == PSA_SUCCESS) {
3015 status = psa_hash_finish(&operation, output, output_size,
3016 &output_length);
3017 if (status == PSA_SUCCESS) {
3018 TEST_LE_U(output_length, output_size);
3019 } else {
3020 TEST_EQUAL(status, expected_status);
3021 }
3022 } else {
3023 TEST_EQUAL(status, expected_status);
Neil Armstrong161ec5c2022-02-07 11:18:45 +01003024 }
Gilles Peskine449bd832023-01-11 14:50:10 +01003025 } else {
3026 TEST_EQUAL(status, expected_status);
Neil Armstrong161ec5c2022-02-07 11:18:45 +01003027 }
3028
Gilles Peskine0a749c82019-11-28 19:33:58 +01003029exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003030 PSA_ASSERT(psa_hash_abort(&operation));
3031 mbedtls_free(output);
3032 PSA_DONE();
Gilles Peskine0a749c82019-11-28 19:33:58 +01003033}
3034/* END_CASE */
3035
3036/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003037void hash_compare_fail(int alg_arg, data_t *input,
3038 data_t *reference_hash,
3039 int expected_status_arg)
Gilles Peskine88e08462020-01-28 20:43:00 +01003040{
3041 psa_algorithm_t alg = alg_arg;
3042 psa_status_t expected_status = expected_status_arg;
Neil Armstrong55a1be12022-02-07 11:23:20 +01003043 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
Gilles Peskine88e08462020-01-28 20:43:00 +01003044 psa_status_t status;
3045
Gilles Peskine449bd832023-01-11 14:50:10 +01003046 PSA_ASSERT(psa_crypto_init());
Gilles Peskine88e08462020-01-28 20:43:00 +01003047
Neil Armstrong55a1be12022-02-07 11:23:20 +01003048 /* Hash Compare, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003049 status = psa_hash_compare(alg, input->x, input->len,
3050 reference_hash->x, reference_hash->len);
3051 TEST_EQUAL(status, expected_status);
Gilles Peskine88e08462020-01-28 20:43:00 +01003052
Neil Armstrong55a1be12022-02-07 11:23:20 +01003053 /* Hash Compare, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003054 status = psa_hash_setup(&operation, alg);
3055 if (status == PSA_SUCCESS) {
3056 status = psa_hash_update(&operation, input->x, input->len);
3057 if (status == PSA_SUCCESS) {
3058 status = psa_hash_verify(&operation, reference_hash->x,
3059 reference_hash->len);
3060 TEST_EQUAL(status, expected_status);
3061 } else {
3062 TEST_EQUAL(status, expected_status);
Neil Armstrong55a1be12022-02-07 11:23:20 +01003063 }
Gilles Peskine449bd832023-01-11 14:50:10 +01003064 } else {
3065 TEST_EQUAL(status, expected_status);
Neil Armstrong55a1be12022-02-07 11:23:20 +01003066 }
3067
Gilles Peskine88e08462020-01-28 20:43:00 +01003068exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003069 PSA_ASSERT(psa_hash_abort(&operation));
3070 PSA_DONE();
Gilles Peskine88e08462020-01-28 20:43:00 +01003071}
3072/* END_CASE */
3073
3074/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003075void hash_compute_compare(int alg_arg, data_t *input,
3076 data_t *expected_output)
Gilles Peskine0a749c82019-11-28 19:33:58 +01003077{
3078 psa_algorithm_t alg = alg_arg;
3079 uint8_t output[PSA_HASH_MAX_SIZE + 1];
3080 size_t output_length = INVALID_EXPORT_LENGTH;
Neil Armstrongca30a002022-02-07 11:40:23 +01003081 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
Gilles Peskine0a749c82019-11-28 19:33:58 +01003082 size_t i;
3083
Gilles Peskine449bd832023-01-11 14:50:10 +01003084 PSA_ASSERT(psa_crypto_init());
Gilles Peskine0a749c82019-11-28 19:33:58 +01003085
Neil Armstrongca30a002022-02-07 11:40:23 +01003086 /* Compute with tight buffer, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003087 PSA_ASSERT(psa_hash_compute(alg, input->x, input->len,
3088 output, PSA_HASH_LENGTH(alg),
3089 &output_length));
3090 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01003091 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01003092 expected_output->x, expected_output->len);
Gilles Peskine0a749c82019-11-28 19:33:58 +01003093
Neil Armstrongca30a002022-02-07 11:40:23 +01003094 /* Compute with tight buffer, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003095 PSA_ASSERT(psa_hash_setup(&operation, alg));
3096 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
3097 PSA_ASSERT(psa_hash_finish(&operation, output,
3098 PSA_HASH_LENGTH(alg),
3099 &output_length));
3100 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01003101 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01003102 expected_output->x, expected_output->len);
Neil Armstrongca30a002022-02-07 11:40:23 +01003103
3104 /* Compute with larger buffer, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003105 PSA_ASSERT(psa_hash_compute(alg, input->x, input->len,
3106 output, sizeof(output),
3107 &output_length));
3108 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01003109 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01003110 expected_output->x, expected_output->len);
Gilles Peskine0a749c82019-11-28 19:33:58 +01003111
Neil Armstrongca30a002022-02-07 11:40:23 +01003112 /* Compute with larger buffer, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003113 PSA_ASSERT(psa_hash_setup(&operation, alg));
3114 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
3115 PSA_ASSERT(psa_hash_finish(&operation, output,
3116 sizeof(output), &output_length));
3117 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01003118 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01003119 expected_output->x, expected_output->len);
Neil Armstrongca30a002022-02-07 11:40:23 +01003120
3121 /* Compare with correct hash, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003122 PSA_ASSERT(psa_hash_compare(alg, input->x, input->len,
3123 output, output_length));
Gilles Peskine0a749c82019-11-28 19:33:58 +01003124
Neil Armstrongca30a002022-02-07 11:40:23 +01003125 /* Compare with correct hash, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003126 PSA_ASSERT(psa_hash_setup(&operation, alg));
3127 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
3128 PSA_ASSERT(psa_hash_verify(&operation, output,
3129 output_length));
Neil Armstrongca30a002022-02-07 11:40:23 +01003130
3131 /* Compare with trailing garbage, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003132 TEST_EQUAL(psa_hash_compare(alg, input->x, input->len,
3133 output, output_length + 1),
3134 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine0a749c82019-11-28 19:33:58 +01003135
Neil Armstrongca30a002022-02-07 11:40:23 +01003136 /* Compare with trailing garbage, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003137 PSA_ASSERT(psa_hash_setup(&operation, alg));
3138 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
3139 TEST_EQUAL(psa_hash_verify(&operation, output, output_length + 1),
3140 PSA_ERROR_INVALID_SIGNATURE);
Neil Armstrongca30a002022-02-07 11:40:23 +01003141
3142 /* Compare with truncated hash, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003143 TEST_EQUAL(psa_hash_compare(alg, input->x, input->len,
3144 output, output_length - 1),
3145 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine0a749c82019-11-28 19:33:58 +01003146
Neil Armstrongca30a002022-02-07 11:40:23 +01003147 /* Compare with truncated hash, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003148 PSA_ASSERT(psa_hash_setup(&operation, alg));
3149 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
3150 TEST_EQUAL(psa_hash_verify(&operation, output, output_length - 1),
3151 PSA_ERROR_INVALID_SIGNATURE);
Neil Armstrongca30a002022-02-07 11:40:23 +01003152
Gilles Peskine0a749c82019-11-28 19:33:58 +01003153 /* Compare with corrupted value */
Gilles Peskine449bd832023-01-11 14:50:10 +01003154 for (i = 0; i < output_length; i++) {
3155 mbedtls_test_set_step(i);
Gilles Peskine0a749c82019-11-28 19:33:58 +01003156 output[i] ^= 1;
Neil Armstrongca30a002022-02-07 11:40:23 +01003157
3158 /* One-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003159 TEST_EQUAL(psa_hash_compare(alg, input->x, input->len,
3160 output, output_length),
3161 PSA_ERROR_INVALID_SIGNATURE);
Neil Armstrongca30a002022-02-07 11:40:23 +01003162
3163 /* Multi-Part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003164 PSA_ASSERT(psa_hash_setup(&operation, alg));
3165 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
3166 TEST_EQUAL(psa_hash_verify(&operation, output, output_length),
3167 PSA_ERROR_INVALID_SIGNATURE);
Neil Armstrongca30a002022-02-07 11:40:23 +01003168
Gilles Peskine0a749c82019-11-28 19:33:58 +01003169 output[i] ^= 1;
3170 }
3171
3172exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003173 PSA_ASSERT(psa_hash_abort(&operation));
3174 PSA_DONE();
Gilles Peskine0a749c82019-11-28 19:33:58 +01003175}
3176/* END_CASE */
3177
Gilles Peskined6dc40c2021-01-12 12:55:31 +01003178/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003179void hash_bad_order()
itayzafrirf86548d2018-11-01 10:44:32 +02003180{
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003181 psa_algorithm_t alg = PSA_ALG_SHA_256;
itayzafrirf86548d2018-11-01 10:44:32 +02003182 unsigned char input[] = "";
3183 /* SHA-256 hash of an empty string */
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003184 const unsigned char valid_hash[] = {
itayzafrirf86548d2018-11-01 10:44:32 +02003185 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8,
3186 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c,
Gilles Peskine449bd832023-01-11 14:50:10 +01003187 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
3188 };
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003189 unsigned char hash[sizeof(valid_hash)] = { 0 };
itayzafrirf86548d2018-11-01 10:44:32 +02003190 size_t hash_len;
Jaeden Amero6a25b412019-01-04 11:47:44 +00003191 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
itayzafrirf86548d2018-11-01 10:44:32 +02003192
Gilles Peskine449bd832023-01-11 14:50:10 +01003193 PSA_ASSERT(psa_crypto_init());
itayzafrirf86548d2018-11-01 10:44:32 +02003194
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003195 /* Call setup twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003196 PSA_ASSERT(psa_hash_setup(&operation, alg));
3197 ASSERT_OPERATION_IS_ACTIVE(operation);
3198 TEST_EQUAL(psa_hash_setup(&operation, alg),
3199 PSA_ERROR_BAD_STATE);
3200 ASSERT_OPERATION_IS_INACTIVE(operation);
3201 PSA_ASSERT(psa_hash_abort(&operation));
3202 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003203
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003204 /* Call update without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003205 TEST_EQUAL(psa_hash_update(&operation, input, sizeof(input)),
3206 PSA_ERROR_BAD_STATE);
3207 PSA_ASSERT(psa_hash_abort(&operation));
itayzafrirf86548d2018-11-01 10:44:32 +02003208
Dave Rodgman5ae6f752021-06-24 11:36:14 +01003209 /* Check that update calls abort on error. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003210 PSA_ASSERT(psa_hash_setup(&operation, alg));
Dave Rodgman6f710582021-06-24 18:14:52 +01003211 operation.id = UINT_MAX;
Gilles Peskine449bd832023-01-11 14:50:10 +01003212 ASSERT_OPERATION_IS_ACTIVE(operation);
3213 TEST_EQUAL(psa_hash_update(&operation, input, sizeof(input)),
3214 PSA_ERROR_BAD_STATE);
3215 ASSERT_OPERATION_IS_INACTIVE(operation);
3216 PSA_ASSERT(psa_hash_abort(&operation));
3217 ASSERT_OPERATION_IS_INACTIVE(operation);
Dave Rodgman5ae6f752021-06-24 11:36:14 +01003218
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003219 /* Call update after finish. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003220 PSA_ASSERT(psa_hash_setup(&operation, alg));
3221 PSA_ASSERT(psa_hash_finish(&operation,
3222 hash, sizeof(hash), &hash_len));
3223 TEST_EQUAL(psa_hash_update(&operation, input, sizeof(input)),
3224 PSA_ERROR_BAD_STATE);
3225 PSA_ASSERT(psa_hash_abort(&operation));
itayzafrirf86548d2018-11-01 10:44:32 +02003226
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003227 /* Call verify without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003228 TEST_EQUAL(psa_hash_verify(&operation,
3229 valid_hash, sizeof(valid_hash)),
3230 PSA_ERROR_BAD_STATE);
3231 PSA_ASSERT(psa_hash_abort(&operation));
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003232
3233 /* Call verify after finish. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003234 PSA_ASSERT(psa_hash_setup(&operation, alg));
3235 PSA_ASSERT(psa_hash_finish(&operation,
3236 hash, sizeof(hash), &hash_len));
3237 TEST_EQUAL(psa_hash_verify(&operation,
3238 valid_hash, sizeof(valid_hash)),
3239 PSA_ERROR_BAD_STATE);
3240 PSA_ASSERT(psa_hash_abort(&operation));
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003241
3242 /* Call verify twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003243 PSA_ASSERT(psa_hash_setup(&operation, alg));
3244 ASSERT_OPERATION_IS_ACTIVE(operation);
3245 PSA_ASSERT(psa_hash_verify(&operation,
3246 valid_hash, sizeof(valid_hash)));
3247 ASSERT_OPERATION_IS_INACTIVE(operation);
3248 TEST_EQUAL(psa_hash_verify(&operation,
3249 valid_hash, sizeof(valid_hash)),
3250 PSA_ERROR_BAD_STATE);
3251 ASSERT_OPERATION_IS_INACTIVE(operation);
3252 PSA_ASSERT(psa_hash_abort(&operation));
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003253
3254 /* Call finish without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003255 TEST_EQUAL(psa_hash_finish(&operation,
3256 hash, sizeof(hash), &hash_len),
3257 PSA_ERROR_BAD_STATE);
3258 PSA_ASSERT(psa_hash_abort(&operation));
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003259
3260 /* Call finish twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003261 PSA_ASSERT(psa_hash_setup(&operation, alg));
3262 PSA_ASSERT(psa_hash_finish(&operation,
3263 hash, sizeof(hash), &hash_len));
3264 TEST_EQUAL(psa_hash_finish(&operation,
3265 hash, sizeof(hash), &hash_len),
3266 PSA_ERROR_BAD_STATE);
3267 PSA_ASSERT(psa_hash_abort(&operation));
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003268
3269 /* Call finish after calling verify. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003270 PSA_ASSERT(psa_hash_setup(&operation, alg));
3271 PSA_ASSERT(psa_hash_verify(&operation,
3272 valid_hash, sizeof(valid_hash)));
3273 TEST_EQUAL(psa_hash_finish(&operation,
3274 hash, sizeof(hash), &hash_len),
3275 PSA_ERROR_BAD_STATE);
3276 PSA_ASSERT(psa_hash_abort(&operation));
itayzafrirf86548d2018-11-01 10:44:32 +02003277
3278exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003279 PSA_DONE();
itayzafrirf86548d2018-11-01 10:44:32 +02003280}
3281/* END_CASE */
3282
Gilles Peskined6dc40c2021-01-12 12:55:31 +01003283/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003284void hash_verify_bad_args()
itayzafrirec93d302018-10-18 18:01:10 +03003285{
3286 psa_algorithm_t alg = PSA_ALG_SHA_256;
itayzafrir27e69452018-11-01 14:26:34 +02003287 /* SHA-256 hash of an empty string with 2 extra bytes (0xaa and 0xbb)
3288 * appended to it */
3289 unsigned char hash[] = {
3290 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8,
3291 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c,
Gilles Peskine449bd832023-01-11 14:50:10 +01003292 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55, 0xaa, 0xbb
3293 };
3294 size_t expected_size = PSA_HASH_LENGTH(alg);
Jaeden Amero6a25b412019-01-04 11:47:44 +00003295 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
itayzafrirec93d302018-10-18 18:01:10 +03003296
Gilles Peskine449bd832023-01-11 14:50:10 +01003297 PSA_ASSERT(psa_crypto_init());
itayzafrirec93d302018-10-18 18:01:10 +03003298
itayzafrir27e69452018-11-01 14:26:34 +02003299 /* psa_hash_verify with a smaller hash than expected */
Gilles Peskine449bd832023-01-11 14:50:10 +01003300 PSA_ASSERT(psa_hash_setup(&operation, alg));
3301 ASSERT_OPERATION_IS_ACTIVE(operation);
3302 TEST_EQUAL(psa_hash_verify(&operation, hash, expected_size - 1),
3303 PSA_ERROR_INVALID_SIGNATURE);
3304 ASSERT_OPERATION_IS_INACTIVE(operation);
3305 PSA_ASSERT(psa_hash_abort(&operation));
3306 ASSERT_OPERATION_IS_INACTIVE(operation);
itayzafrirec93d302018-10-18 18:01:10 +03003307
itayzafrir27e69452018-11-01 14:26:34 +02003308 /* psa_hash_verify with a non-matching hash */
Gilles Peskine449bd832023-01-11 14:50:10 +01003309 PSA_ASSERT(psa_hash_setup(&operation, alg));
3310 TEST_EQUAL(psa_hash_verify(&operation, hash + 1, expected_size),
3311 PSA_ERROR_INVALID_SIGNATURE);
itayzafrirec93d302018-10-18 18:01:10 +03003312
itayzafrir27e69452018-11-01 14:26:34 +02003313 /* psa_hash_verify with a hash longer than expected */
Gilles Peskine449bd832023-01-11 14:50:10 +01003314 PSA_ASSERT(psa_hash_setup(&operation, alg));
3315 TEST_EQUAL(psa_hash_verify(&operation, hash, sizeof(hash)),
3316 PSA_ERROR_INVALID_SIGNATURE);
itayzafrir4271df92018-10-24 18:16:19 +03003317
itayzafrirec93d302018-10-18 18:01:10 +03003318exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003319 PSA_DONE();
itayzafrirec93d302018-10-18 18:01:10 +03003320}
3321/* END_CASE */
3322
Ronald Cronee414c72021-03-18 18:50:08 +01003323/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003324void hash_finish_bad_args()
itayzafrir58028322018-10-25 10:22:01 +03003325{
3326 psa_algorithm_t alg = PSA_ALG_SHA_256;
itayzafrirb2dd5ed2018-11-01 11:58:59 +02003327 unsigned char hash[PSA_HASH_MAX_SIZE];
Gilles Peskine449bd832023-01-11 14:50:10 +01003328 size_t expected_size = PSA_HASH_LENGTH(alg);
Jaeden Amero6a25b412019-01-04 11:47:44 +00003329 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
itayzafrir58028322018-10-25 10:22:01 +03003330 size_t hash_len;
3331
Gilles Peskine449bd832023-01-11 14:50:10 +01003332 PSA_ASSERT(psa_crypto_init());
itayzafrir58028322018-10-25 10:22:01 +03003333
itayzafrir58028322018-10-25 10:22:01 +03003334 /* psa_hash_finish with a smaller hash buffer than expected */
Gilles Peskine449bd832023-01-11 14:50:10 +01003335 PSA_ASSERT(psa_hash_setup(&operation, alg));
3336 TEST_EQUAL(psa_hash_finish(&operation,
3337 hash, expected_size - 1, &hash_len),
3338 PSA_ERROR_BUFFER_TOO_SMALL);
itayzafrir58028322018-10-25 10:22:01 +03003339
3340exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003341 PSA_DONE();
itayzafrir58028322018-10-25 10:22:01 +03003342}
3343/* END_CASE */
3344
Ronald Cronee414c72021-03-18 18:50:08 +01003345/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003346void hash_clone_source_state()
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003347{
3348 psa_algorithm_t alg = PSA_ALG_SHA_256;
3349 unsigned char hash[PSA_HASH_MAX_SIZE];
3350 psa_hash_operation_t op_source = PSA_HASH_OPERATION_INIT;
3351 psa_hash_operation_t op_init = PSA_HASH_OPERATION_INIT;
3352 psa_hash_operation_t op_setup = PSA_HASH_OPERATION_INIT;
3353 psa_hash_operation_t op_finished = PSA_HASH_OPERATION_INIT;
3354 psa_hash_operation_t op_aborted = PSA_HASH_OPERATION_INIT;
3355 size_t hash_len;
3356
Gilles Peskine449bd832023-01-11 14:50:10 +01003357 PSA_ASSERT(psa_crypto_init());
3358 PSA_ASSERT(psa_hash_setup(&op_source, alg));
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003359
Gilles Peskine449bd832023-01-11 14:50:10 +01003360 PSA_ASSERT(psa_hash_setup(&op_setup, alg));
3361 PSA_ASSERT(psa_hash_setup(&op_finished, alg));
3362 PSA_ASSERT(psa_hash_finish(&op_finished,
3363 hash, sizeof(hash), &hash_len));
3364 PSA_ASSERT(psa_hash_setup(&op_aborted, alg));
3365 PSA_ASSERT(psa_hash_abort(&op_aborted));
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003366
Gilles Peskine449bd832023-01-11 14:50:10 +01003367 TEST_EQUAL(psa_hash_clone(&op_source, &op_setup),
3368 PSA_ERROR_BAD_STATE);
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003369
Gilles Peskine449bd832023-01-11 14:50:10 +01003370 PSA_ASSERT(psa_hash_clone(&op_source, &op_init));
3371 PSA_ASSERT(psa_hash_finish(&op_init,
3372 hash, sizeof(hash), &hash_len));
3373 PSA_ASSERT(psa_hash_clone(&op_source, &op_finished));
3374 PSA_ASSERT(psa_hash_finish(&op_finished,
3375 hash, sizeof(hash), &hash_len));
3376 PSA_ASSERT(psa_hash_clone(&op_source, &op_aborted));
3377 PSA_ASSERT(psa_hash_finish(&op_aborted,
3378 hash, sizeof(hash), &hash_len));
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003379
3380exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003381 psa_hash_abort(&op_source);
3382 psa_hash_abort(&op_init);
3383 psa_hash_abort(&op_setup);
3384 psa_hash_abort(&op_finished);
3385 psa_hash_abort(&op_aborted);
3386 PSA_DONE();
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003387}
3388/* END_CASE */
3389
Ronald Cronee414c72021-03-18 18:50:08 +01003390/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003391void hash_clone_target_state()
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003392{
3393 psa_algorithm_t alg = PSA_ALG_SHA_256;
3394 unsigned char hash[PSA_HASH_MAX_SIZE];
3395 psa_hash_operation_t op_init = PSA_HASH_OPERATION_INIT;
3396 psa_hash_operation_t op_setup = PSA_HASH_OPERATION_INIT;
3397 psa_hash_operation_t op_finished = PSA_HASH_OPERATION_INIT;
3398 psa_hash_operation_t op_aborted = PSA_HASH_OPERATION_INIT;
3399 psa_hash_operation_t op_target = PSA_HASH_OPERATION_INIT;
3400 size_t hash_len;
3401
Gilles Peskine449bd832023-01-11 14:50:10 +01003402 PSA_ASSERT(psa_crypto_init());
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003403
Gilles Peskine449bd832023-01-11 14:50:10 +01003404 PSA_ASSERT(psa_hash_setup(&op_setup, alg));
3405 PSA_ASSERT(psa_hash_setup(&op_finished, alg));
3406 PSA_ASSERT(psa_hash_finish(&op_finished,
3407 hash, sizeof(hash), &hash_len));
3408 PSA_ASSERT(psa_hash_setup(&op_aborted, alg));
3409 PSA_ASSERT(psa_hash_abort(&op_aborted));
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003410
Gilles Peskine449bd832023-01-11 14:50:10 +01003411 PSA_ASSERT(psa_hash_clone(&op_setup, &op_target));
3412 PSA_ASSERT(psa_hash_finish(&op_target,
3413 hash, sizeof(hash), &hash_len));
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003414
Gilles Peskine449bd832023-01-11 14:50:10 +01003415 TEST_EQUAL(psa_hash_clone(&op_init, &op_target), PSA_ERROR_BAD_STATE);
3416 TEST_EQUAL(psa_hash_clone(&op_finished, &op_target),
3417 PSA_ERROR_BAD_STATE);
3418 TEST_EQUAL(psa_hash_clone(&op_aborted, &op_target),
3419 PSA_ERROR_BAD_STATE);
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003420
3421exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003422 psa_hash_abort(&op_target);
3423 psa_hash_abort(&op_init);
3424 psa_hash_abort(&op_setup);
3425 psa_hash_abort(&op_finished);
3426 psa_hash_abort(&op_aborted);
3427 PSA_DONE();
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003428}
3429/* END_CASE */
3430
itayzafrir58028322018-10-25 10:22:01 +03003431/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003432void mac_operation_init()
Jaeden Amero769ce272019-01-04 11:48:03 +00003433{
Jaeden Amero252ef282019-02-15 14:05:35 +00003434 const uint8_t input[1] = { 0 };
3435
Jaeden Amero769ce272019-01-04 11:48:03 +00003436 /* Test each valid way of initializing the object, except for `= {0}`, as
3437 * Clang 5 complains when `-Wmissing-field-initializers` is used, even
3438 * though it's OK by the C standard. We could test for this, but we'd need
Shaun Case8b0ecbc2021-12-20 21:14:10 -08003439 * to suppress the Clang warning for the test. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003440 psa_mac_operation_t func = psa_mac_operation_init();
Jaeden Amero769ce272019-01-04 11:48:03 +00003441 psa_mac_operation_t init = PSA_MAC_OPERATION_INIT;
3442 psa_mac_operation_t zero;
3443
Gilles Peskine449bd832023-01-11 14:50:10 +01003444 memset(&zero, 0, sizeof(zero));
Jaeden Amero769ce272019-01-04 11:48:03 +00003445
Jaeden Amero252ef282019-02-15 14:05:35 +00003446 /* A freshly-initialized MAC operation should not be usable. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003447 TEST_EQUAL(psa_mac_update(&func,
3448 input, sizeof(input)),
3449 PSA_ERROR_BAD_STATE);
3450 TEST_EQUAL(psa_mac_update(&init,
3451 input, sizeof(input)),
3452 PSA_ERROR_BAD_STATE);
3453 TEST_EQUAL(psa_mac_update(&zero,
3454 input, sizeof(input)),
3455 PSA_ERROR_BAD_STATE);
Jaeden Amero252ef282019-02-15 14:05:35 +00003456
Jaeden Amero5229bbb2019-02-07 16:33:37 +00003457 /* A default MAC operation should be abortable without error. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003458 PSA_ASSERT(psa_mac_abort(&func));
3459 PSA_ASSERT(psa_mac_abort(&init));
3460 PSA_ASSERT(psa_mac_abort(&zero));
Jaeden Amero769ce272019-01-04 11:48:03 +00003461}
3462/* END_CASE */
3463
3464/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003465void mac_setup(int key_type_arg,
3466 data_t *key,
3467 int alg_arg,
3468 int expected_status_arg)
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003469{
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003470 psa_key_type_t key_type = key_type_arg;
3471 psa_algorithm_t alg = alg_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02003472 psa_status_t expected_status = expected_status_arg;
Jaeden Amero769ce272019-01-04 11:48:03 +00003473 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003474 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
3475#if defined(KNOWN_SUPPORTED_MAC_ALG)
3476 const uint8_t smoke_test_key_data[16] = "kkkkkkkkkkkkkkkk";
3477#endif
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003478
Gilles Peskine449bd832023-01-11 14:50:10 +01003479 PSA_ASSERT(psa_crypto_init());
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003480
Gilles Peskine449bd832023-01-11 14:50:10 +01003481 if (!exercise_mac_setup(key_type, key->x, key->len, alg,
3482 &operation, &status)) {
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003483 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01003484 }
3485 TEST_EQUAL(status, expected_status);
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003486
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003487 /* The operation object should be reusable. */
3488#if defined(KNOWN_SUPPORTED_MAC_ALG)
Gilles Peskine449bd832023-01-11 14:50:10 +01003489 if (!exercise_mac_setup(KNOWN_SUPPORTED_MAC_KEY_TYPE,
3490 smoke_test_key_data,
3491 sizeof(smoke_test_key_data),
3492 KNOWN_SUPPORTED_MAC_ALG,
3493 &operation, &status)) {
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003494 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01003495 }
3496 TEST_EQUAL(status, PSA_SUCCESS);
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003497#endif
3498
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003499exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003500 PSA_DONE();
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003501}
3502/* END_CASE */
3503
Gilles Peskined6dc40c2021-01-12 12:55:31 +01003504/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_HMAC:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003505void mac_bad_order()
Jaeden Amero252ef282019-02-15 14:05:35 +00003506{
Ronald Cron5425a212020-08-04 14:58:35 +02003507 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Jaeden Amero252ef282019-02-15 14:05:35 +00003508 psa_key_type_t key_type = PSA_KEY_TYPE_HMAC;
3509 psa_algorithm_t alg = PSA_ALG_HMAC(PSA_ALG_SHA_256);
Ronald Cron5425a212020-08-04 14:58:35 +02003510 const uint8_t key_data[] = {
Jaeden Amero252ef282019-02-15 14:05:35 +00003511 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
3512 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
Gilles Peskine449bd832023-01-11 14:50:10 +01003513 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
3514 };
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02003515 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Jaeden Amero252ef282019-02-15 14:05:35 +00003516 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
3517 uint8_t sign_mac[PSA_MAC_MAX_SIZE + 10] = { 0 };
3518 size_t sign_mac_length = 0;
3519 const uint8_t input[] = { 0xbb, 0xbb, 0xbb, 0xbb };
3520 const uint8_t verify_mac[] = {
3521 0x74, 0x65, 0x93, 0x8c, 0xeb, 0x1d, 0xb3, 0x76, 0x5a, 0x38, 0xe7, 0xdd,
3522 0x85, 0xc5, 0xad, 0x4f, 0x07, 0xe7, 0xd5, 0xb2, 0x64, 0xf0, 0x1a, 0x1a,
Gilles Peskine449bd832023-01-11 14:50:10 +01003523 0x2c, 0xf9, 0x18, 0xca, 0x59, 0x7e, 0x5d, 0xf6
3524 };
Jaeden Amero252ef282019-02-15 14:05:35 +00003525
Gilles Peskine449bd832023-01-11 14:50:10 +01003526 PSA_ASSERT(psa_crypto_init());
3527 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH);
3528 psa_set_key_algorithm(&attributes, alg);
3529 psa_set_key_type(&attributes, key_type);
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003530
Gilles Peskine449bd832023-01-11 14:50:10 +01003531 PSA_ASSERT(psa_import_key(&attributes, key_data, sizeof(key_data),
3532 &key));
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003533
Jaeden Amero252ef282019-02-15 14:05:35 +00003534 /* Call update without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003535 TEST_EQUAL(psa_mac_update(&operation, input, sizeof(input)),
3536 PSA_ERROR_BAD_STATE);
3537 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003538
3539 /* Call sign finish without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003540 TEST_EQUAL(psa_mac_sign_finish(&operation, sign_mac, sizeof(sign_mac),
3541 &sign_mac_length),
3542 PSA_ERROR_BAD_STATE);
3543 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003544
3545 /* Call verify finish without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003546 TEST_EQUAL(psa_mac_verify_finish(&operation,
3547 verify_mac, sizeof(verify_mac)),
3548 PSA_ERROR_BAD_STATE);
3549 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003550
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003551 /* Call setup twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003552 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
3553 ASSERT_OPERATION_IS_ACTIVE(operation);
3554 TEST_EQUAL(psa_mac_sign_setup(&operation, key, alg),
3555 PSA_ERROR_BAD_STATE);
3556 ASSERT_OPERATION_IS_INACTIVE(operation);
3557 PSA_ASSERT(psa_mac_abort(&operation));
3558 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003559
Jaeden Amero252ef282019-02-15 14:05:35 +00003560 /* Call update after sign finish. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003561 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
3562 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3563 PSA_ASSERT(psa_mac_sign_finish(&operation,
3564 sign_mac, sizeof(sign_mac),
3565 &sign_mac_length));
3566 TEST_EQUAL(psa_mac_update(&operation, input, sizeof(input)),
3567 PSA_ERROR_BAD_STATE);
3568 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003569
3570 /* Call update after verify finish. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003571 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3572 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3573 PSA_ASSERT(psa_mac_verify_finish(&operation,
3574 verify_mac, sizeof(verify_mac)));
3575 TEST_EQUAL(psa_mac_update(&operation, input, sizeof(input)),
3576 PSA_ERROR_BAD_STATE);
3577 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003578
3579 /* Call sign finish twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003580 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
3581 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3582 PSA_ASSERT(psa_mac_sign_finish(&operation,
3583 sign_mac, sizeof(sign_mac),
3584 &sign_mac_length));
3585 TEST_EQUAL(psa_mac_sign_finish(&operation,
3586 sign_mac, sizeof(sign_mac),
3587 &sign_mac_length),
3588 PSA_ERROR_BAD_STATE);
3589 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003590
3591 /* Call verify finish twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003592 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3593 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3594 PSA_ASSERT(psa_mac_verify_finish(&operation,
3595 verify_mac, sizeof(verify_mac)));
3596 TEST_EQUAL(psa_mac_verify_finish(&operation,
3597 verify_mac, sizeof(verify_mac)),
3598 PSA_ERROR_BAD_STATE);
3599 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003600
3601 /* Setup sign but try verify. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003602 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
3603 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3604 ASSERT_OPERATION_IS_ACTIVE(operation);
3605 TEST_EQUAL(psa_mac_verify_finish(&operation,
3606 verify_mac, sizeof(verify_mac)),
3607 PSA_ERROR_BAD_STATE);
3608 ASSERT_OPERATION_IS_INACTIVE(operation);
3609 PSA_ASSERT(psa_mac_abort(&operation));
3610 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Amero252ef282019-02-15 14:05:35 +00003611
3612 /* Setup verify but try sign. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003613 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3614 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3615 ASSERT_OPERATION_IS_ACTIVE(operation);
3616 TEST_EQUAL(psa_mac_sign_finish(&operation,
3617 sign_mac, sizeof(sign_mac),
3618 &sign_mac_length),
3619 PSA_ERROR_BAD_STATE);
3620 ASSERT_OPERATION_IS_INACTIVE(operation);
3621 PSA_ASSERT(psa_mac_abort(&operation));
3622 ASSERT_OPERATION_IS_INACTIVE(operation);
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003623
Gilles Peskine449bd832023-01-11 14:50:10 +01003624 PSA_ASSERT(psa_destroy_key(key));
Gilles Peskine76b29a72019-05-28 14:08:50 +02003625
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003626exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003627 PSA_DONE();
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003628}
3629/* END_CASE */
3630
3631/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003632void mac_sign_verify_multi(int key_type_arg,
3633 data_t *key_data,
3634 int alg_arg,
3635 data_t *input,
3636 int is_verify,
3637 data_t *expected_mac)
Neil Armstrong4766f992022-02-28 16:23:59 +01003638{
3639 size_t data_part_len = 0;
3640
Gilles Peskine449bd832023-01-11 14:50:10 +01003641 for (data_part_len = 1; data_part_len <= input->len; data_part_len++) {
Neil Armstrong4766f992022-02-28 16:23:59 +01003642 /* Split data into length(data_part_len) parts. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003643 mbedtls_test_set_step(2000 + data_part_len);
Neil Armstrong4766f992022-02-28 16:23:59 +01003644
Gilles Peskine449bd832023-01-11 14:50:10 +01003645 if (mac_multipart_internal_func(key_type_arg, key_data,
3646 alg_arg,
3647 input, data_part_len,
3648 expected_mac,
3649 is_verify, 0) == 0) {
Neil Armstrong4766f992022-02-28 16:23:59 +01003650 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01003651 }
Neil Armstrong4766f992022-02-28 16:23:59 +01003652
3653 /* length(0) part, length(data_part_len) part, length(0) part... */
Gilles Peskine449bd832023-01-11 14:50:10 +01003654 mbedtls_test_set_step(3000 + data_part_len);
Neil Armstrong4766f992022-02-28 16:23:59 +01003655
Gilles Peskine449bd832023-01-11 14:50:10 +01003656 if (mac_multipart_internal_func(key_type_arg, key_data,
3657 alg_arg,
3658 input, data_part_len,
3659 expected_mac,
3660 is_verify, 1) == 0) {
Neil Armstrong4766f992022-02-28 16:23:59 +01003661 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01003662 }
Neil Armstrong4766f992022-02-28 16:23:59 +01003663 }
3664
3665 /* Goto is required to silence warnings about unused labels, as we
3666 * don't actually do any test assertions in this function. */
3667 goto exit;
3668}
3669/* END_CASE */
3670
3671/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003672void mac_sign(int key_type_arg,
3673 data_t *key_data,
3674 int alg_arg,
3675 data_t *input,
3676 data_t *expected_mac)
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003677{
Ronald Cron5425a212020-08-04 14:58:35 +02003678 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003679 psa_key_type_t key_type = key_type_arg;
3680 psa_algorithm_t alg = alg_arg;
Jaeden Amero769ce272019-01-04 11:48:03 +00003681 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02003682 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine5e65cec2020-08-25 23:38:39 +02003683 uint8_t *actual_mac = NULL;
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003684 size_t mac_buffer_size =
Gilles Peskine449bd832023-01-11 14:50:10 +01003685 PSA_MAC_LENGTH(key_type, PSA_BYTES_TO_BITS(key_data->len), alg);
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003686 size_t mac_length = 0;
Gilles Peskine8b356b52020-08-25 23:44:59 +02003687 const size_t output_sizes_to_test[] = {
3688 0,
3689 1,
3690 expected_mac->len - 1,
3691 expected_mac->len,
3692 expected_mac->len + 1,
3693 };
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003694
Gilles Peskine449bd832023-01-11 14:50:10 +01003695 TEST_LE_U(mac_buffer_size, PSA_MAC_MAX_SIZE);
gabor-mezei-armcbcec212020-12-18 14:23:51 +01003696 /* We expect PSA_MAC_LENGTH to be exact. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003697 TEST_ASSERT(expected_mac->len == mac_buffer_size);
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003698
Gilles Peskine449bd832023-01-11 14:50:10 +01003699 PSA_ASSERT(psa_crypto_init());
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003700
Gilles Peskine449bd832023-01-11 14:50:10 +01003701 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
3702 psa_set_key_algorithm(&attributes, alg);
3703 psa_set_key_type(&attributes, key_type);
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003704
Gilles Peskine449bd832023-01-11 14:50:10 +01003705 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
3706 &key));
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003707
Gilles Peskine449bd832023-01-11 14:50:10 +01003708 for (size_t i = 0; i < ARRAY_LENGTH(output_sizes_to_test); i++) {
Gilles Peskine8b356b52020-08-25 23:44:59 +02003709 const size_t output_size = output_sizes_to_test[i];
3710 psa_status_t expected_status =
Gilles Peskine449bd832023-01-11 14:50:10 +01003711 (output_size >= expected_mac->len ? PSA_SUCCESS :
3712 PSA_ERROR_BUFFER_TOO_SMALL);
Gilles Peskine5e65cec2020-08-25 23:38:39 +02003713
Gilles Peskine449bd832023-01-11 14:50:10 +01003714 mbedtls_test_set_step(output_size);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01003715 TEST_CALLOC(actual_mac, output_size);
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003716
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003717 /* Calculate the MAC, one-shot case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003718 TEST_EQUAL(psa_mac_compute(key, alg,
3719 input->x, input->len,
3720 actual_mac, output_size, &mac_length),
3721 expected_status);
3722 if (expected_status == PSA_SUCCESS) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01003723 TEST_MEMORY_COMPARE(expected_mac->x, expected_mac->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01003724 actual_mac, mac_length);
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003725 }
3726
Gilles Peskine449bd832023-01-11 14:50:10 +01003727 if (output_size > 0) {
3728 memset(actual_mac, 0, output_size);
3729 }
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003730
3731 /* Calculate the MAC, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003732 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
3733 PSA_ASSERT(psa_mac_update(&operation,
3734 input->x, input->len));
3735 TEST_EQUAL(psa_mac_sign_finish(&operation,
3736 actual_mac, output_size,
3737 &mac_length),
3738 expected_status);
3739 PSA_ASSERT(psa_mac_abort(&operation));
Gilles Peskine8b356b52020-08-25 23:44:59 +02003740
Gilles Peskine449bd832023-01-11 14:50:10 +01003741 if (expected_status == PSA_SUCCESS) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01003742 TEST_MEMORY_COMPARE(expected_mac->x, expected_mac->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01003743 actual_mac, mac_length);
Gilles Peskine8b356b52020-08-25 23:44:59 +02003744 }
Gilles Peskine449bd832023-01-11 14:50:10 +01003745 mbedtls_free(actual_mac);
Gilles Peskine8b356b52020-08-25 23:44:59 +02003746 actual_mac = NULL;
3747 }
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003748
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003749exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003750 psa_mac_abort(&operation);
3751 psa_destroy_key(key);
3752 PSA_DONE();
3753 mbedtls_free(actual_mac);
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003754}
3755/* END_CASE */
3756
3757/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003758void mac_verify(int key_type_arg,
3759 data_t *key_data,
3760 int alg_arg,
3761 data_t *input,
3762 data_t *expected_mac)
Gilles Peskine8c9def32018-02-08 10:02:12 +01003763{
Ronald Cron5425a212020-08-04 14:58:35 +02003764 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine8c9def32018-02-08 10:02:12 +01003765 psa_key_type_t key_type = key_type_arg;
3766 psa_algorithm_t alg = alg_arg;
Jaeden Amero769ce272019-01-04 11:48:03 +00003767 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02003768 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine29c4a6c2020-08-26 00:01:39 +02003769 uint8_t *perturbed_mac = NULL;
Gilles Peskine8c9def32018-02-08 10:02:12 +01003770
Gilles Peskine449bd832023-01-11 14:50:10 +01003771 TEST_LE_U(expected_mac->len, PSA_MAC_MAX_SIZE);
Gilles Peskine69c12672018-06-28 00:07:19 +02003772
Gilles Peskine449bd832023-01-11 14:50:10 +01003773 PSA_ASSERT(psa_crypto_init());
Gilles Peskine8c9def32018-02-08 10:02:12 +01003774
Gilles Peskine449bd832023-01-11 14:50:10 +01003775 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
3776 psa_set_key_algorithm(&attributes, alg);
3777 psa_set_key_type(&attributes, key_type);
mohammad16036df908f2018-04-02 08:34:15 -07003778
Gilles Peskine449bd832023-01-11 14:50:10 +01003779 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
3780 &key));
Gilles Peskinec0ec9722018-06-18 17:03:37 +02003781
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003782 /* Verify correct MAC, one-shot case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003783 PSA_ASSERT(psa_mac_verify(key, alg, input->x, input->len,
3784 expected_mac->x, expected_mac->len));
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003785
3786 /* Verify correct MAC, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003787 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3788 PSA_ASSERT(psa_mac_update(&operation,
3789 input->x, input->len));
3790 PSA_ASSERT(psa_mac_verify_finish(&operation,
3791 expected_mac->x,
3792 expected_mac->len));
Gilles Peskine8c9def32018-02-08 10:02:12 +01003793
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003794 /* Test a MAC that's too short, one-shot case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003795 TEST_EQUAL(psa_mac_verify(key, alg,
3796 input->x, input->len,
3797 expected_mac->x,
3798 expected_mac->len - 1),
3799 PSA_ERROR_INVALID_SIGNATURE);
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003800
3801 /* Test a MAC that's too short, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003802 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3803 PSA_ASSERT(psa_mac_update(&operation,
3804 input->x, input->len));
3805 TEST_EQUAL(psa_mac_verify_finish(&operation,
3806 expected_mac->x,
3807 expected_mac->len - 1),
3808 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine29c4a6c2020-08-26 00:01:39 +02003809
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003810 /* Test a MAC that's too long, one-shot case. */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01003811 TEST_CALLOC(perturbed_mac, expected_mac->len + 1);
Gilles Peskine449bd832023-01-11 14:50:10 +01003812 memcpy(perturbed_mac, expected_mac->x, expected_mac->len);
3813 TEST_EQUAL(psa_mac_verify(key, alg,
3814 input->x, input->len,
3815 perturbed_mac, expected_mac->len + 1),
3816 PSA_ERROR_INVALID_SIGNATURE);
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003817
3818 /* Test a MAC that's too long, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003819 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3820 PSA_ASSERT(psa_mac_update(&operation,
3821 input->x, input->len));
3822 TEST_EQUAL(psa_mac_verify_finish(&operation,
3823 perturbed_mac,
3824 expected_mac->len + 1),
3825 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine29c4a6c2020-08-26 00:01:39 +02003826
3827 /* Test changing one byte. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003828 for (size_t i = 0; i < expected_mac->len; i++) {
3829 mbedtls_test_set_step(i);
Gilles Peskine29c4a6c2020-08-26 00:01:39 +02003830 perturbed_mac[i] ^= 1;
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003831
Gilles Peskine449bd832023-01-11 14:50:10 +01003832 TEST_EQUAL(psa_mac_verify(key, alg,
3833 input->x, input->len,
3834 perturbed_mac, expected_mac->len),
3835 PSA_ERROR_INVALID_SIGNATURE);
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003836
Gilles Peskine449bd832023-01-11 14:50:10 +01003837 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3838 PSA_ASSERT(psa_mac_update(&operation,
3839 input->x, input->len));
3840 TEST_EQUAL(psa_mac_verify_finish(&operation,
3841 perturbed_mac,
3842 expected_mac->len),
3843 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine29c4a6c2020-08-26 00:01:39 +02003844 perturbed_mac[i] ^= 1;
3845 }
3846
Gilles Peskine8c9def32018-02-08 10:02:12 +01003847exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003848 psa_mac_abort(&operation);
3849 psa_destroy_key(key);
3850 PSA_DONE();
3851 mbedtls_free(perturbed_mac);
Gilles Peskine8c9def32018-02-08 10:02:12 +01003852}
3853/* END_CASE */
3854
3855/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003856void cipher_operation_init()
Jaeden Amero5bae2272019-01-04 11:48:27 +00003857{
Jaeden Ameroab439972019-02-15 14:12:05 +00003858 const uint8_t input[1] = { 0 };
3859 unsigned char output[1] = { 0 };
3860 size_t output_length;
Jaeden Amero5bae2272019-01-04 11:48:27 +00003861 /* Test each valid way of initializing the object, except for `= {0}`, as
3862 * Clang 5 complains when `-Wmissing-field-initializers` is used, even
3863 * though it's OK by the C standard. We could test for this, but we'd need
Shaun Case8b0ecbc2021-12-20 21:14:10 -08003864 * to suppress the Clang warning for the test. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003865 psa_cipher_operation_t func = psa_cipher_operation_init();
Jaeden Amero5bae2272019-01-04 11:48:27 +00003866 psa_cipher_operation_t init = PSA_CIPHER_OPERATION_INIT;
3867 psa_cipher_operation_t zero;
3868
Gilles Peskine449bd832023-01-11 14:50:10 +01003869 memset(&zero, 0, sizeof(zero));
Jaeden Amero5bae2272019-01-04 11:48:27 +00003870
Jaeden Ameroab439972019-02-15 14:12:05 +00003871 /* A freshly-initialized cipher operation should not be usable. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003872 TEST_EQUAL(psa_cipher_update(&func,
3873 input, sizeof(input),
3874 output, sizeof(output),
3875 &output_length),
3876 PSA_ERROR_BAD_STATE);
3877 TEST_EQUAL(psa_cipher_update(&init,
3878 input, sizeof(input),
3879 output, sizeof(output),
3880 &output_length),
3881 PSA_ERROR_BAD_STATE);
3882 TEST_EQUAL(psa_cipher_update(&zero,
3883 input, sizeof(input),
3884 output, sizeof(output),
3885 &output_length),
3886 PSA_ERROR_BAD_STATE);
Jaeden Ameroab439972019-02-15 14:12:05 +00003887
Jaeden Amero5229bbb2019-02-07 16:33:37 +00003888 /* A default cipher operation should be abortable without error. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003889 PSA_ASSERT(psa_cipher_abort(&func));
3890 PSA_ASSERT(psa_cipher_abort(&init));
3891 PSA_ASSERT(psa_cipher_abort(&zero));
Jaeden Amero5bae2272019-01-04 11:48:27 +00003892}
3893/* END_CASE */
3894
3895/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003896void cipher_setup(int key_type_arg,
3897 data_t *key,
3898 int alg_arg,
3899 int expected_status_arg)
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003900{
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003901 psa_key_type_t key_type = key_type_arg;
3902 psa_algorithm_t alg = alg_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02003903 psa_status_t expected_status = expected_status_arg;
Jaeden Amero5bae2272019-01-04 11:48:27 +00003904 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003905 psa_status_t status;
Gilles Peskine612ffd22021-01-20 18:51:00 +01003906#if defined(KNOWN_SUPPORTED_CIPHER_ALG)
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003907 const uint8_t smoke_test_key_data[16] = "kkkkkkkkkkkkkkkk";
3908#endif
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003909
Gilles Peskine449bd832023-01-11 14:50:10 +01003910 PSA_ASSERT(psa_crypto_init());
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003911
Gilles Peskine449bd832023-01-11 14:50:10 +01003912 if (!exercise_cipher_setup(key_type, key->x, key->len, alg,
3913 &operation, &status)) {
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003914 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01003915 }
3916 TEST_EQUAL(status, expected_status);
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003917
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003918 /* The operation object should be reusable. */
3919#if defined(KNOWN_SUPPORTED_CIPHER_ALG)
Gilles Peskine449bd832023-01-11 14:50:10 +01003920 if (!exercise_cipher_setup(KNOWN_SUPPORTED_CIPHER_KEY_TYPE,
3921 smoke_test_key_data,
3922 sizeof(smoke_test_key_data),
3923 KNOWN_SUPPORTED_CIPHER_ALG,
3924 &operation, &status)) {
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003925 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01003926 }
3927 TEST_EQUAL(status, PSA_SUCCESS);
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003928#endif
3929
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003930exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003931 psa_cipher_abort(&operation);
3932 PSA_DONE();
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003933}
3934/* END_CASE */
3935
Ronald Cronee414c72021-03-18 18:50:08 +01003936/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_PKCS7 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003937void cipher_bad_order()
Jaeden Ameroab439972019-02-15 14:12:05 +00003938{
Ronald Cron5425a212020-08-04 14:58:35 +02003939 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Jaeden Ameroab439972019-02-15 14:12:05 +00003940 psa_key_type_t key_type = PSA_KEY_TYPE_AES;
3941 psa_algorithm_t alg = PSA_ALG_CBC_PKCS7;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02003942 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Jaeden Ameroab439972019-02-15 14:12:05 +00003943 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
gabor-mezei-armcbcec212020-12-18 14:23:51 +01003944 unsigned char iv[PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES)] = { 0 };
Ronald Cron5425a212020-08-04 14:58:35 +02003945 const uint8_t key_data[] = {
Jaeden Ameroab439972019-02-15 14:12:05 +00003946 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
Gilles Peskine449bd832023-01-11 14:50:10 +01003947 0xaa, 0xaa, 0xaa, 0xaa
3948 };
Jaeden Ameroab439972019-02-15 14:12:05 +00003949 const uint8_t text[] = {
3950 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb,
Gilles Peskine449bd832023-01-11 14:50:10 +01003951 0xbb, 0xbb, 0xbb, 0xbb
3952 };
gabor-mezei-armcbcec212020-12-18 14:23:51 +01003953 uint8_t buffer[PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES)] = { 0 };
Jaeden Ameroab439972019-02-15 14:12:05 +00003954 size_t length = 0;
3955
Gilles Peskine449bd832023-01-11 14:50:10 +01003956 PSA_ASSERT(psa_crypto_init());
3957 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
3958 psa_set_key_algorithm(&attributes, alg);
3959 psa_set_key_type(&attributes, key_type);
3960 PSA_ASSERT(psa_import_key(&attributes, key_data, sizeof(key_data),
3961 &key));
Jaeden Ameroab439972019-02-15 14:12:05 +00003962
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003963 /* Call encrypt setup twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003964 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
3965 ASSERT_OPERATION_IS_ACTIVE(operation);
3966 TEST_EQUAL(psa_cipher_encrypt_setup(&operation, key, alg),
3967 PSA_ERROR_BAD_STATE);
3968 ASSERT_OPERATION_IS_INACTIVE(operation);
3969 PSA_ASSERT(psa_cipher_abort(&operation));
3970 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003971
3972 /* Call decrypt setup twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003973 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
3974 ASSERT_OPERATION_IS_ACTIVE(operation);
3975 TEST_EQUAL(psa_cipher_decrypt_setup(&operation, key, alg),
3976 PSA_ERROR_BAD_STATE);
3977 ASSERT_OPERATION_IS_INACTIVE(operation);
3978 PSA_ASSERT(psa_cipher_abort(&operation));
3979 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003980
Jaeden Ameroab439972019-02-15 14:12:05 +00003981 /* Generate an IV without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003982 TEST_EQUAL(psa_cipher_generate_iv(&operation,
3983 buffer, sizeof(buffer),
3984 &length),
3985 PSA_ERROR_BAD_STATE);
3986 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00003987
3988 /* Generate an IV twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003989 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
3990 PSA_ASSERT(psa_cipher_generate_iv(&operation,
3991 buffer, sizeof(buffer),
3992 &length));
3993 ASSERT_OPERATION_IS_ACTIVE(operation);
3994 TEST_EQUAL(psa_cipher_generate_iv(&operation,
3995 buffer, sizeof(buffer),
3996 &length),
3997 PSA_ERROR_BAD_STATE);
3998 ASSERT_OPERATION_IS_INACTIVE(operation);
3999 PSA_ASSERT(psa_cipher_abort(&operation));
4000 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Ameroab439972019-02-15 14:12:05 +00004001
4002 /* Generate an IV after it's already set. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004003 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4004 PSA_ASSERT(psa_cipher_set_iv(&operation,
4005 iv, sizeof(iv)));
4006 TEST_EQUAL(psa_cipher_generate_iv(&operation,
4007 buffer, sizeof(buffer),
4008 &length),
4009 PSA_ERROR_BAD_STATE);
4010 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00004011
4012 /* Set an IV without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004013 TEST_EQUAL(psa_cipher_set_iv(&operation,
4014 iv, sizeof(iv)),
4015 PSA_ERROR_BAD_STATE);
4016 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00004017
4018 /* Set an IV after it's already set. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004019 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4020 PSA_ASSERT(psa_cipher_set_iv(&operation,
4021 iv, sizeof(iv)));
4022 ASSERT_OPERATION_IS_ACTIVE(operation);
4023 TEST_EQUAL(psa_cipher_set_iv(&operation,
4024 iv, sizeof(iv)),
4025 PSA_ERROR_BAD_STATE);
4026 ASSERT_OPERATION_IS_INACTIVE(operation);
4027 PSA_ASSERT(psa_cipher_abort(&operation));
4028 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Ameroab439972019-02-15 14:12:05 +00004029
4030 /* Set an IV after it's already generated. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004031 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4032 PSA_ASSERT(psa_cipher_generate_iv(&operation,
4033 buffer, sizeof(buffer),
4034 &length));
4035 TEST_EQUAL(psa_cipher_set_iv(&operation,
4036 iv, sizeof(iv)),
4037 PSA_ERROR_BAD_STATE);
4038 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00004039
4040 /* Call update without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004041 TEST_EQUAL(psa_cipher_update(&operation,
4042 text, sizeof(text),
4043 buffer, sizeof(buffer),
4044 &length),
4045 PSA_ERROR_BAD_STATE);
4046 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00004047
4048 /* Call update without an IV where an IV is required. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004049 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4050 ASSERT_OPERATION_IS_ACTIVE(operation);
4051 TEST_EQUAL(psa_cipher_update(&operation,
4052 text, sizeof(text),
4053 buffer, sizeof(buffer),
4054 &length),
4055 PSA_ERROR_BAD_STATE);
4056 ASSERT_OPERATION_IS_INACTIVE(operation);
4057 PSA_ASSERT(psa_cipher_abort(&operation));
4058 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Ameroab439972019-02-15 14:12:05 +00004059
4060 /* Call update after finish. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004061 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4062 PSA_ASSERT(psa_cipher_set_iv(&operation,
4063 iv, sizeof(iv)));
4064 PSA_ASSERT(psa_cipher_finish(&operation,
4065 buffer, sizeof(buffer), &length));
4066 TEST_EQUAL(psa_cipher_update(&operation,
4067 text, sizeof(text),
4068 buffer, sizeof(buffer),
4069 &length),
4070 PSA_ERROR_BAD_STATE);
4071 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00004072
4073 /* Call finish without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004074 TEST_EQUAL(psa_cipher_finish(&operation,
4075 buffer, sizeof(buffer), &length),
4076 PSA_ERROR_BAD_STATE);
4077 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00004078
4079 /* Call finish without an IV where an IV is required. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004080 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
Jaeden Ameroab439972019-02-15 14:12:05 +00004081 /* Not calling update means we are encrypting an empty buffer, which is OK
4082 * for cipher modes with padding. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004083 ASSERT_OPERATION_IS_ACTIVE(operation);
4084 TEST_EQUAL(psa_cipher_finish(&operation,
4085 buffer, sizeof(buffer), &length),
4086 PSA_ERROR_BAD_STATE);
4087 ASSERT_OPERATION_IS_INACTIVE(operation);
4088 PSA_ASSERT(psa_cipher_abort(&operation));
4089 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Ameroab439972019-02-15 14:12:05 +00004090
4091 /* Call finish twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004092 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4093 PSA_ASSERT(psa_cipher_set_iv(&operation,
4094 iv, sizeof(iv)));
4095 PSA_ASSERT(psa_cipher_finish(&operation,
4096 buffer, sizeof(buffer), &length));
4097 TEST_EQUAL(psa_cipher_finish(&operation,
4098 buffer, sizeof(buffer), &length),
4099 PSA_ERROR_BAD_STATE);
4100 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00004101
Gilles Peskine449bd832023-01-11 14:50:10 +01004102 PSA_ASSERT(psa_destroy_key(key));
Gilles Peskine76b29a72019-05-28 14:08:50 +02004103
Jaeden Ameroab439972019-02-15 14:12:05 +00004104exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004105 psa_cipher_abort(&operation);
4106 PSA_DONE();
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02004107}
4108/* END_CASE */
4109
4110/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004111void cipher_encrypt_fail(int alg_arg,
4112 int key_type_arg,
4113 data_t *key_data,
4114 data_t *input,
4115 int expected_status_arg)
Gilles Peskine50e586b2018-06-08 14:28:46 +02004116{
Ronald Cron5425a212020-08-04 14:58:35 +02004117 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004118 psa_status_t status;
4119 psa_key_type_t key_type = key_type_arg;
4120 psa_algorithm_t alg = alg_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02004121 psa_status_t expected_status = expected_status_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01004122 unsigned char iv[PSA_CIPHER_IV_MAX_SIZE] = { 0 };
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004123 size_t iv_size = PSA_CIPHER_IV_MAX_SIZE;
4124 size_t iv_length = 0;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004125 unsigned char *output = NULL;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004126 size_t output_buffer_size = 0;
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004127 size_t output_length = 0;
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004128 size_t function_output_length;
4129 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004130 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
4131
Gilles Peskine449bd832023-01-11 14:50:10 +01004132 if (PSA_ERROR_BAD_STATE != expected_status) {
4133 PSA_ASSERT(psa_crypto_init());
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004134
Gilles Peskine449bd832023-01-11 14:50:10 +01004135 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
4136 psa_set_key_algorithm(&attributes, alg);
4137 psa_set_key_type(&attributes, key_type);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004138
Gilles Peskine449bd832023-01-11 14:50:10 +01004139 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg,
4140 input->len);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004141 TEST_CALLOC(output, output_buffer_size);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004142
Gilles Peskine449bd832023-01-11 14:50:10 +01004143 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4144 &key));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004145 }
4146
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004147 /* Encrypt, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01004148 status = psa_cipher_encrypt(key, alg, input->x, input->len, output,
4149 output_buffer_size, &output_length);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004150
Gilles Peskine449bd832023-01-11 14:50:10 +01004151 TEST_EQUAL(status, expected_status);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004152
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004153 /* Encrypt, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01004154 status = psa_cipher_encrypt_setup(&operation, key, alg);
4155 if (status == PSA_SUCCESS) {
4156 if (alg != PSA_ALG_ECB_NO_PADDING) {
4157 PSA_ASSERT(psa_cipher_generate_iv(&operation,
4158 iv, iv_size,
4159 &iv_length));
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004160 }
4161
Gilles Peskine449bd832023-01-11 14:50:10 +01004162 status = psa_cipher_update(&operation, input->x, input->len,
4163 output, output_buffer_size,
4164 &function_output_length);
4165 if (status == PSA_SUCCESS) {
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004166 output_length += function_output_length;
4167
Gilles Peskine449bd832023-01-11 14:50:10 +01004168 status = psa_cipher_finish(&operation, output + output_length,
4169 output_buffer_size - output_length,
4170 &function_output_length);
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004171
Gilles Peskine449bd832023-01-11 14:50:10 +01004172 TEST_EQUAL(status, expected_status);
4173 } else {
4174 TEST_EQUAL(status, expected_status);
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004175 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004176 } else {
4177 TEST_EQUAL(status, expected_status);
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004178 }
4179
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004180exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004181 psa_cipher_abort(&operation);
4182 mbedtls_free(output);
4183 psa_destroy_key(key);
4184 PSA_DONE();
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004185}
4186/* END_CASE */
4187
4188/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004189void cipher_encrypt_validate_iv_length(int alg, int key_type, data_t *key_data,
4190 data_t *input, int iv_length,
4191 int expected_result)
Mateusz Starzyked71e922021-10-21 10:04:57 +02004192{
4193 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4194 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
4195 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
4196 size_t output_buffer_size = 0;
4197 unsigned char *output = NULL;
4198
Gilles Peskine449bd832023-01-11 14:50:10 +01004199 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004200 TEST_CALLOC(output, output_buffer_size);
Mateusz Starzyked71e922021-10-21 10:04:57 +02004201
Gilles Peskine449bd832023-01-11 14:50:10 +01004202 PSA_ASSERT(psa_crypto_init());
Mateusz Starzyked71e922021-10-21 10:04:57 +02004203
Gilles Peskine449bd832023-01-11 14:50:10 +01004204 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
4205 psa_set_key_algorithm(&attributes, alg);
4206 psa_set_key_type(&attributes, key_type);
Mateusz Starzyked71e922021-10-21 10:04:57 +02004207
Gilles Peskine449bd832023-01-11 14:50:10 +01004208 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4209 &key));
4210 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4211 TEST_EQUAL(expected_result, psa_cipher_set_iv(&operation, output,
4212 iv_length));
Mateusz Starzyked71e922021-10-21 10:04:57 +02004213
4214exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004215 psa_cipher_abort(&operation);
4216 mbedtls_free(output);
4217 psa_destroy_key(key);
4218 PSA_DONE();
Mateusz Starzyked71e922021-10-21 10:04:57 +02004219}
4220/* END_CASE */
4221
4222/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004223void cipher_alg_without_iv(int alg_arg, int key_type_arg, data_t *key_data,
4224 data_t *plaintext, data_t *ciphertext)
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004225{
4226 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4227 psa_key_type_t key_type = key_type_arg;
4228 psa_algorithm_t alg = alg_arg;
Ronald Cron6c9bb0f2021-07-15 09:38:11 +02004229 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
4230 uint8_t iv[1] = { 0x5a };
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004231 unsigned char *output = NULL;
4232 size_t output_buffer_size = 0;
Gilles Peskine286c3142022-04-20 17:09:38 +02004233 size_t output_length, length;
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004234 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
4235
Gilles Peskine449bd832023-01-11 14:50:10 +01004236 PSA_ASSERT(psa_crypto_init());
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004237
Gilles Peskine9b9b6142022-04-20 16:55:03 +02004238 /* Validate size macros */
Gilles Peskine449bd832023-01-11 14:50:10 +01004239 TEST_LE_U(ciphertext->len,
4240 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext->len));
4241 TEST_LE_U(PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext->len),
4242 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(plaintext->len));
4243 TEST_LE_U(plaintext->len,
4244 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext->len));
4245 TEST_LE_U(PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext->len),
4246 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(ciphertext->len));
Gilles Peskine9e38f2c2022-04-20 17:07:52 +02004247
Gilles Peskine9b9b6142022-04-20 16:55:03 +02004248
4249 /* Set up key and output buffer */
Gilles Peskine449bd832023-01-11 14:50:10 +01004250 psa_set_key_usage_flags(&attributes,
4251 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
4252 psa_set_key_algorithm(&attributes, alg);
4253 psa_set_key_type(&attributes, key_type);
4254 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4255 &key));
4256 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg,
4257 plaintext->len);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004258 TEST_CALLOC(output, output_buffer_size);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004259
Gilles Peskine9b9b6142022-04-20 16:55:03 +02004260 /* set_iv() is not allowed */
Gilles Peskine449bd832023-01-11 14:50:10 +01004261 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4262 TEST_EQUAL(psa_cipher_set_iv(&operation, iv, sizeof(iv)),
4263 PSA_ERROR_BAD_STATE);
4264 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
4265 TEST_EQUAL(psa_cipher_set_iv(&operation, iv, sizeof(iv)),
4266 PSA_ERROR_BAD_STATE);
Ronald Cron6c9bb0f2021-07-15 09:38:11 +02004267
Gilles Peskine9b9b6142022-04-20 16:55:03 +02004268 /* generate_iv() is not allowed */
Gilles Peskine449bd832023-01-11 14:50:10 +01004269 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4270 TEST_EQUAL(psa_cipher_generate_iv(&operation, iv, sizeof(iv),
4271 &length),
4272 PSA_ERROR_BAD_STATE);
4273 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
4274 TEST_EQUAL(psa_cipher_generate_iv(&operation, iv, sizeof(iv),
4275 &length),
4276 PSA_ERROR_BAD_STATE);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004277
Gilles Peskine286c3142022-04-20 17:09:38 +02004278 /* Multipart encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +01004279 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
Gilles Peskine286c3142022-04-20 17:09:38 +02004280 output_length = 0;
4281 length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01004282 PSA_ASSERT(psa_cipher_update(&operation,
4283 plaintext->x, plaintext->len,
4284 output, output_buffer_size,
4285 &length));
4286 TEST_LE_U(length, output_buffer_size);
Gilles Peskine286c3142022-04-20 17:09:38 +02004287 output_length += length;
Gilles Peskine449bd832023-01-11 14:50:10 +01004288 PSA_ASSERT(psa_cipher_finish(&operation,
4289 mbedtls_buffer_offset(output, output_length),
4290 output_buffer_size - output_length,
4291 &length));
Gilles Peskine286c3142022-04-20 17:09:38 +02004292 output_length += length;
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004293 TEST_MEMORY_COMPARE(ciphertext->x, ciphertext->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004294 output, output_length);
Neil Armstrong3ee335d2022-02-07 14:51:37 +01004295
Gilles Peskine286c3142022-04-20 17:09:38 +02004296 /* Multipart encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +01004297 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
Gilles Peskine286c3142022-04-20 17:09:38 +02004298 output_length = 0;
4299 length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01004300 PSA_ASSERT(psa_cipher_update(&operation,
4301 ciphertext->x, ciphertext->len,
4302 output, output_buffer_size,
4303 &length));
4304 TEST_LE_U(length, output_buffer_size);
Gilles Peskine286c3142022-04-20 17:09:38 +02004305 output_length += length;
Gilles Peskine449bd832023-01-11 14:50:10 +01004306 PSA_ASSERT(psa_cipher_finish(&operation,
4307 mbedtls_buffer_offset(output, output_length),
4308 output_buffer_size - output_length,
4309 &length));
Gilles Peskine286c3142022-04-20 17:09:38 +02004310 output_length += length;
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004311 TEST_MEMORY_COMPARE(plaintext->x, plaintext->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004312 output, output_length);
Neil Armstrong3ee335d2022-02-07 14:51:37 +01004313
Gilles Peskine9b9b6142022-04-20 16:55:03 +02004314 /* One-shot encryption */
Gilles Peskine9e38f2c2022-04-20 17:07:52 +02004315 output_length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01004316 PSA_ASSERT(psa_cipher_encrypt(key, alg, plaintext->x, plaintext->len,
4317 output, output_buffer_size,
4318 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004319 TEST_MEMORY_COMPARE(ciphertext->x, ciphertext->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004320 output, output_length);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004321
Gilles Peskine9e38f2c2022-04-20 17:07:52 +02004322 /* One-shot decryption */
4323 output_length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01004324 PSA_ASSERT(psa_cipher_decrypt(key, alg, ciphertext->x, ciphertext->len,
4325 output, output_buffer_size,
4326 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004327 TEST_MEMORY_COMPARE(plaintext->x, plaintext->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004328 output, output_length);
Neil Armstrong3ee335d2022-02-07 14:51:37 +01004329
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004330exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004331 PSA_ASSERT(psa_cipher_abort(&operation));
4332 mbedtls_free(output);
4333 psa_cipher_abort(&operation);
4334 psa_destroy_key(key);
4335 PSA_DONE();
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004336}
4337/* END_CASE */
4338
4339/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004340void cipher_bad_key(int alg_arg, int key_type_arg, data_t *key_data)
Paul Elliotta417f562021-07-14 12:31:21 +01004341{
4342 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4343 psa_algorithm_t alg = alg_arg;
4344 psa_key_type_t key_type = key_type_arg;
4345 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
4346 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
4347 psa_status_t status;
4348
Gilles Peskine449bd832023-01-11 14:50:10 +01004349 PSA_ASSERT(psa_crypto_init());
Paul Elliotta417f562021-07-14 12:31:21 +01004350
Gilles Peskine449bd832023-01-11 14:50:10 +01004351 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
4352 psa_set_key_algorithm(&attributes, alg);
4353 psa_set_key_type(&attributes, key_type);
Paul Elliotta417f562021-07-14 12:31:21 +01004354
4355 /* Usage of either of these two size macros would cause divide by zero
4356 * with incorrect key types previously. Input length should be irrelevant
4357 * here. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004358 TEST_EQUAL(PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, 16),
4359 0);
4360 TEST_EQUAL(PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, 16), 0);
Paul Elliotta417f562021-07-14 12:31:21 +01004361
4362
Gilles Peskine449bd832023-01-11 14:50:10 +01004363 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4364 &key));
Paul Elliotta417f562021-07-14 12:31:21 +01004365
4366 /* Should fail due to invalid alg type (to support invalid key type).
4367 * Encrypt or decrypt will end up in the same place. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004368 status = psa_cipher_encrypt_setup(&operation, key, alg);
Paul Elliotta417f562021-07-14 12:31:21 +01004369
Gilles Peskine449bd832023-01-11 14:50:10 +01004370 TEST_EQUAL(status, PSA_ERROR_INVALID_ARGUMENT);
Paul Elliotta417f562021-07-14 12:31:21 +01004371
4372exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004373 psa_cipher_abort(&operation);
4374 psa_destroy_key(key);
4375 PSA_DONE();
Paul Elliotta417f562021-07-14 12:31:21 +01004376}
4377/* END_CASE */
4378
4379/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004380void cipher_encrypt_validation(int alg_arg,
4381 int key_type_arg,
4382 data_t *key_data,
4383 data_t *input)
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004384{
4385 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4386 psa_key_type_t key_type = key_type_arg;
4387 psa_algorithm_t alg = alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01004388 size_t iv_size = PSA_CIPHER_IV_LENGTH(key_type, alg);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004389 unsigned char *output1 = NULL;
4390 size_t output1_buffer_size = 0;
4391 size_t output1_length = 0;
4392 unsigned char *output2 = NULL;
4393 size_t output2_buffer_size = 0;
4394 size_t output2_length = 0;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004395 size_t function_output_length = 0;
Jaeden Amero5bae2272019-01-04 11:48:27 +00004396 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004397 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004398
Gilles Peskine449bd832023-01-11 14:50:10 +01004399 PSA_ASSERT(psa_crypto_init());
Gilles Peskine50e586b2018-06-08 14:28:46 +02004400
Gilles Peskine449bd832023-01-11 14:50:10 +01004401 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
4402 psa_set_key_algorithm(&attributes, alg);
4403 psa_set_key_type(&attributes, key_type);
Moran Pekered346952018-07-05 15:22:45 +03004404
Gilles Peskine449bd832023-01-11 14:50:10 +01004405 output1_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len);
4406 output2_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len) +
4407 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004408 TEST_CALLOC(output1, output1_buffer_size);
4409 TEST_CALLOC(output2, output2_buffer_size);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004410
Gilles Peskine449bd832023-01-11 14:50:10 +01004411 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4412 &key));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004413
gabor-mezei-arm50c86cf2021-06-25 15:47:50 +02004414 /* The one-shot cipher encryption uses generated iv so validating
4415 the output is not possible. Validating with multipart encryption. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004416 PSA_ASSERT(psa_cipher_encrypt(key, alg, input->x, input->len, output1,
4417 output1_buffer_size, &output1_length));
4418 TEST_LE_U(output1_length,
4419 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len));
4420 TEST_LE_U(output1_length,
4421 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input->len));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004422
Gilles Peskine449bd832023-01-11 14:50:10 +01004423 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4424 PSA_ASSERT(psa_cipher_set_iv(&operation, output1, iv_size));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004425
Gilles Peskine449bd832023-01-11 14:50:10 +01004426 PSA_ASSERT(psa_cipher_update(&operation,
4427 input->x, input->len,
4428 output2, output2_buffer_size,
4429 &function_output_length));
4430 TEST_LE_U(function_output_length,
4431 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len));
4432 TEST_LE_U(function_output_length,
4433 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004434 output2_length += function_output_length;
gabor-mezei-armceface22021-01-21 12:26:17 +01004435
Gilles Peskine449bd832023-01-11 14:50:10 +01004436 PSA_ASSERT(psa_cipher_finish(&operation,
4437 output2 + output2_length,
4438 output2_buffer_size - output2_length,
4439 &function_output_length));
4440 TEST_LE_U(function_output_length,
4441 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg));
4442 TEST_LE_U(function_output_length,
4443 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004444 output2_length += function_output_length;
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004445
Gilles Peskine449bd832023-01-11 14:50:10 +01004446 PSA_ASSERT(psa_cipher_abort(&operation));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004447 TEST_MEMORY_COMPARE(output1 + iv_size, output1_length - iv_size,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004448 output2, output2_length);
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004449
Gilles Peskine50e586b2018-06-08 14:28:46 +02004450exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004451 psa_cipher_abort(&operation);
4452 mbedtls_free(output1);
4453 mbedtls_free(output2);
4454 psa_destroy_key(key);
4455 PSA_DONE();
Gilles Peskine50e586b2018-06-08 14:28:46 +02004456}
4457/* END_CASE */
4458
4459/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004460void cipher_encrypt_multipart(int alg_arg, int key_type_arg,
4461 data_t *key_data, data_t *iv,
4462 data_t *input,
4463 int first_part_size_arg,
4464 int output1_length_arg, int output2_length_arg,
4465 data_t *expected_output,
4466 int expected_status_arg)
Gilles Peskine50e586b2018-06-08 14:28:46 +02004467{
Ronald Cron5425a212020-08-04 14:58:35 +02004468 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004469 psa_key_type_t key_type = key_type_arg;
4470 psa_algorithm_t alg = alg_arg;
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004471 psa_status_t status;
4472 psa_status_t expected_status = expected_status_arg;
Gilles Peskinee0866522019-02-19 19:44:00 +01004473 size_t first_part_size = first_part_size_arg;
4474 size_t output1_length = output1_length_arg;
4475 size_t output2_length = output2_length_arg;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004476 unsigned char *output = NULL;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004477 size_t output_buffer_size = 0;
4478 size_t function_output_length = 0;
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004479 size_t total_output_length = 0;
Jaeden Amero5bae2272019-01-04 11:48:27 +00004480 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004481 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004482
Gilles Peskine449bd832023-01-11 14:50:10 +01004483 PSA_ASSERT(psa_crypto_init());
Gilles Peskine50e586b2018-06-08 14:28:46 +02004484
Gilles Peskine449bd832023-01-11 14:50:10 +01004485 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
4486 psa_set_key_algorithm(&attributes, alg);
4487 psa_set_key_type(&attributes, key_type);
Moran Pekered346952018-07-05 15:22:45 +03004488
Gilles Peskine449bd832023-01-11 14:50:10 +01004489 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4490 &key));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004491
Gilles Peskine449bd832023-01-11 14:50:10 +01004492 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004493
Gilles Peskine449bd832023-01-11 14:50:10 +01004494 if (iv->len > 0) {
4495 PSA_ASSERT(psa_cipher_set_iv(&operation, iv->x, iv->len));
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004496 }
4497
Gilles Peskine449bd832023-01-11 14:50:10 +01004498 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len) +
4499 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004500 TEST_CALLOC(output, output_buffer_size);
Gilles Peskine50e586b2018-06-08 14:28:46 +02004501
Gilles Peskine449bd832023-01-11 14:50:10 +01004502 TEST_LE_U(first_part_size, input->len);
4503 PSA_ASSERT(psa_cipher_update(&operation, input->x, first_part_size,
4504 output, output_buffer_size,
4505 &function_output_length));
4506 TEST_ASSERT(function_output_length == output1_length);
4507 TEST_LE_U(function_output_length,
4508 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size));
4509 TEST_LE_U(function_output_length,
4510 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size));
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004511 total_output_length += function_output_length;
gabor-mezei-armceface22021-01-21 12:26:17 +01004512
Gilles Peskine449bd832023-01-11 14:50:10 +01004513 if (first_part_size < input->len) {
4514 PSA_ASSERT(psa_cipher_update(&operation,
4515 input->x + first_part_size,
4516 input->len - first_part_size,
4517 (output_buffer_size == 0 ? NULL :
4518 output + total_output_length),
4519 output_buffer_size - total_output_length,
4520 &function_output_length));
4521 TEST_ASSERT(function_output_length == output2_length);
4522 TEST_LE_U(function_output_length,
4523 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type,
4524 alg,
4525 input->len - first_part_size));
4526 TEST_LE_U(function_output_length,
4527 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len));
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004528 total_output_length += function_output_length;
4529 }
gabor-mezei-armceface22021-01-21 12:26:17 +01004530
Gilles Peskine449bd832023-01-11 14:50:10 +01004531 status = psa_cipher_finish(&operation,
4532 (output_buffer_size == 0 ? NULL :
4533 output + total_output_length),
4534 output_buffer_size - total_output_length,
4535 &function_output_length);
4536 TEST_LE_U(function_output_length,
4537 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg));
4538 TEST_LE_U(function_output_length,
4539 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE);
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004540 total_output_length += function_output_length;
Gilles Peskine449bd832023-01-11 14:50:10 +01004541 TEST_EQUAL(status, expected_status);
Gilles Peskine50e586b2018-06-08 14:28:46 +02004542
Gilles Peskine449bd832023-01-11 14:50:10 +01004543 if (expected_status == PSA_SUCCESS) {
4544 PSA_ASSERT(psa_cipher_abort(&operation));
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004545
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004546 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004547 output, total_output_length);
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004548 }
Gilles Peskine50e586b2018-06-08 14:28:46 +02004549
4550exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004551 psa_cipher_abort(&operation);
4552 mbedtls_free(output);
4553 psa_destroy_key(key);
4554 PSA_DONE();
Gilles Peskine50e586b2018-06-08 14:28:46 +02004555}
4556/* END_CASE */
4557
4558/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004559void cipher_decrypt_multipart(int alg_arg, int key_type_arg,
4560 data_t *key_data, data_t *iv,
4561 data_t *input,
4562 int first_part_size_arg,
4563 int output1_length_arg, int output2_length_arg,
4564 data_t *expected_output,
4565 int expected_status_arg)
Gilles Peskine50e586b2018-06-08 14:28:46 +02004566{
Ronald Cron5425a212020-08-04 14:58:35 +02004567 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004568 psa_key_type_t key_type = key_type_arg;
4569 psa_algorithm_t alg = alg_arg;
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004570 psa_status_t status;
4571 psa_status_t expected_status = expected_status_arg;
Gilles Peskinee0866522019-02-19 19:44:00 +01004572 size_t first_part_size = first_part_size_arg;
4573 size_t output1_length = output1_length_arg;
4574 size_t output2_length = output2_length_arg;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004575 unsigned char *output = NULL;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004576 size_t output_buffer_size = 0;
4577 size_t function_output_length = 0;
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004578 size_t total_output_length = 0;
Jaeden Amero5bae2272019-01-04 11:48:27 +00004579 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004580 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004581
Gilles Peskine449bd832023-01-11 14:50:10 +01004582 PSA_ASSERT(psa_crypto_init());
Gilles Peskine50e586b2018-06-08 14:28:46 +02004583
Gilles Peskine449bd832023-01-11 14:50:10 +01004584 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
4585 psa_set_key_algorithm(&attributes, alg);
4586 psa_set_key_type(&attributes, key_type);
Moran Pekered346952018-07-05 15:22:45 +03004587
Gilles Peskine449bd832023-01-11 14:50:10 +01004588 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4589 &key));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004590
Gilles Peskine449bd832023-01-11 14:50:10 +01004591 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004592
Gilles Peskine449bd832023-01-11 14:50:10 +01004593 if (iv->len > 0) {
4594 PSA_ASSERT(psa_cipher_set_iv(&operation, iv->x, iv->len));
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004595 }
Gilles Peskine50e586b2018-06-08 14:28:46 +02004596
Gilles Peskine449bd832023-01-11 14:50:10 +01004597 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len) +
4598 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004599 TEST_CALLOC(output, output_buffer_size);
Gilles Peskine50e586b2018-06-08 14:28:46 +02004600
Gilles Peskine449bd832023-01-11 14:50:10 +01004601 TEST_LE_U(first_part_size, input->len);
4602 PSA_ASSERT(psa_cipher_update(&operation,
4603 input->x, first_part_size,
4604 output, output_buffer_size,
4605 &function_output_length));
4606 TEST_ASSERT(function_output_length == output1_length);
4607 TEST_LE_U(function_output_length,
4608 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size));
4609 TEST_LE_U(function_output_length,
4610 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size));
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004611 total_output_length += function_output_length;
gabor-mezei-armceface22021-01-21 12:26:17 +01004612
Gilles Peskine449bd832023-01-11 14:50:10 +01004613 if (first_part_size < input->len) {
4614 PSA_ASSERT(psa_cipher_update(&operation,
4615 input->x + first_part_size,
4616 input->len - first_part_size,
4617 (output_buffer_size == 0 ? NULL :
4618 output + total_output_length),
4619 output_buffer_size - total_output_length,
4620 &function_output_length));
4621 TEST_ASSERT(function_output_length == output2_length);
4622 TEST_LE_U(function_output_length,
4623 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type,
4624 alg,
4625 input->len - first_part_size));
4626 TEST_LE_U(function_output_length,
4627 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len));
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004628 total_output_length += function_output_length;
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004629 }
Gilles Peskine50e586b2018-06-08 14:28:46 +02004630
Gilles Peskine449bd832023-01-11 14:50:10 +01004631 status = psa_cipher_finish(&operation,
4632 (output_buffer_size == 0 ? NULL :
4633 output + total_output_length),
4634 output_buffer_size - total_output_length,
4635 &function_output_length);
4636 TEST_LE_U(function_output_length,
4637 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg));
4638 TEST_LE_U(function_output_length,
4639 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE);
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004640 total_output_length += function_output_length;
Gilles Peskine449bd832023-01-11 14:50:10 +01004641 TEST_EQUAL(status, expected_status);
Gilles Peskine50e586b2018-06-08 14:28:46 +02004642
Gilles Peskine449bd832023-01-11 14:50:10 +01004643 if (expected_status == PSA_SUCCESS) {
4644 PSA_ASSERT(psa_cipher_abort(&operation));
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004645
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004646 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004647 output, total_output_length);
Gilles Peskine50e586b2018-06-08 14:28:46 +02004648 }
4649
Gilles Peskine50e586b2018-06-08 14:28:46 +02004650exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004651 psa_cipher_abort(&operation);
4652 mbedtls_free(output);
4653 psa_destroy_key(key);
4654 PSA_DONE();
Gilles Peskine50e586b2018-06-08 14:28:46 +02004655}
4656/* END_CASE */
4657
Gilles Peskine50e586b2018-06-08 14:28:46 +02004658/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004659void cipher_decrypt_fail(int alg_arg,
4660 int key_type_arg,
4661 data_t *key_data,
4662 data_t *iv,
4663 data_t *input_arg,
4664 int expected_status_arg)
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004665{
4666 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4667 psa_status_t status;
4668 psa_key_type_t key_type = key_type_arg;
4669 psa_algorithm_t alg = alg_arg;
4670 psa_status_t expected_status = expected_status_arg;
4671 unsigned char *input = NULL;
4672 size_t input_buffer_size = 0;
4673 unsigned char *output = NULL;
Neil Armstrong66a479f2022-02-07 15:41:19 +01004674 unsigned char *output_multi = NULL;
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004675 size_t output_buffer_size = 0;
4676 size_t output_length = 0;
Neil Armstrong66a479f2022-02-07 15:41:19 +01004677 size_t function_output_length;
4678 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004679 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
4680
Gilles Peskine449bd832023-01-11 14:50:10 +01004681 if (PSA_ERROR_BAD_STATE != expected_status) {
4682 PSA_ASSERT(psa_crypto_init());
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004683
Gilles Peskine449bd832023-01-11 14:50:10 +01004684 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
4685 psa_set_key_algorithm(&attributes, alg);
4686 psa_set_key_type(&attributes, key_type);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004687
Gilles Peskine449bd832023-01-11 14:50:10 +01004688 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4689 &key));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004690 }
4691
4692 /* Allocate input buffer and copy the iv and the plaintext */
Gilles Peskine449bd832023-01-11 14:50:10 +01004693 input_buffer_size = ((size_t) input_arg->len + (size_t) iv->len);
4694 if (input_buffer_size > 0) {
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004695 TEST_CALLOC(input, input_buffer_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01004696 memcpy(input, iv->x, iv->len);
4697 memcpy(input + iv->len, input_arg->x, input_arg->len);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004698 }
4699
Gilles Peskine449bd832023-01-11 14:50:10 +01004700 output_buffer_size = PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_buffer_size);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004701 TEST_CALLOC(output, output_buffer_size);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004702
Neil Armstrong66a479f2022-02-07 15:41:19 +01004703 /* Decrypt, one-short */
Gilles Peskine449bd832023-01-11 14:50:10 +01004704 status = psa_cipher_decrypt(key, alg, input, input_buffer_size, output,
4705 output_buffer_size, &output_length);
4706 TEST_EQUAL(status, expected_status);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004707
Neil Armstrong66a479f2022-02-07 15:41:19 +01004708 /* Decrypt, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01004709 status = psa_cipher_decrypt_setup(&operation, key, alg);
4710 if (status == PSA_SUCCESS) {
4711 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg,
4712 input_arg->len) +
4713 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004714 TEST_CALLOC(output_multi, output_buffer_size);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004715
Gilles Peskine449bd832023-01-11 14:50:10 +01004716 if (iv->len > 0) {
4717 status = psa_cipher_set_iv(&operation, iv->x, iv->len);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004718
Gilles Peskine449bd832023-01-11 14:50:10 +01004719 if (status != PSA_SUCCESS) {
4720 TEST_EQUAL(status, expected_status);
4721 }
Neil Armstrong66a479f2022-02-07 15:41:19 +01004722 }
4723
Gilles Peskine449bd832023-01-11 14:50:10 +01004724 if (status == PSA_SUCCESS) {
4725 status = psa_cipher_update(&operation,
4726 input_arg->x, input_arg->len,
4727 output_multi, output_buffer_size,
4728 &function_output_length);
4729 if (status == PSA_SUCCESS) {
Neil Armstrong66a479f2022-02-07 15:41:19 +01004730 output_length = function_output_length;
4731
Gilles Peskine449bd832023-01-11 14:50:10 +01004732 status = psa_cipher_finish(&operation,
4733 output_multi + output_length,
4734 output_buffer_size - output_length,
4735 &function_output_length);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004736
Gilles Peskine449bd832023-01-11 14:50:10 +01004737 TEST_EQUAL(status, expected_status);
4738 } else {
4739 TEST_EQUAL(status, expected_status);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004740 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004741 } else {
4742 TEST_EQUAL(status, expected_status);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004743 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004744 } else {
4745 TEST_EQUAL(status, expected_status);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004746 }
4747
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004748exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004749 psa_cipher_abort(&operation);
4750 mbedtls_free(input);
4751 mbedtls_free(output);
4752 mbedtls_free(output_multi);
4753 psa_destroy_key(key);
4754 PSA_DONE();
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004755}
4756/* END_CASE */
4757
4758/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004759void cipher_decrypt(int alg_arg,
4760 int key_type_arg,
4761 data_t *key_data,
4762 data_t *iv,
4763 data_t *input_arg,
4764 data_t *expected_output)
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004765{
4766 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4767 psa_key_type_t key_type = key_type_arg;
4768 psa_algorithm_t alg = alg_arg;
4769 unsigned char *input = NULL;
4770 size_t input_buffer_size = 0;
4771 unsigned char *output = NULL;
4772 size_t output_buffer_size = 0;
4773 size_t output_length = 0;
4774 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
4775
Gilles Peskine449bd832023-01-11 14:50:10 +01004776 PSA_ASSERT(psa_crypto_init());
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004777
Gilles Peskine449bd832023-01-11 14:50:10 +01004778 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
4779 psa_set_key_algorithm(&attributes, alg);
4780 psa_set_key_type(&attributes, key_type);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004781
4782 /* Allocate input buffer and copy the iv and the plaintext */
Gilles Peskine449bd832023-01-11 14:50:10 +01004783 input_buffer_size = ((size_t) input_arg->len + (size_t) iv->len);
4784 if (input_buffer_size > 0) {
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004785 TEST_CALLOC(input, input_buffer_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01004786 memcpy(input, iv->x, iv->len);
4787 memcpy(input + iv->len, input_arg->x, input_arg->len);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004788 }
4789
Gilles Peskine449bd832023-01-11 14:50:10 +01004790 output_buffer_size = PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_buffer_size);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004791 TEST_CALLOC(output, output_buffer_size);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004792
Gilles Peskine449bd832023-01-11 14:50:10 +01004793 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4794 &key));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004795
Gilles Peskine449bd832023-01-11 14:50:10 +01004796 PSA_ASSERT(psa_cipher_decrypt(key, alg, input, input_buffer_size, output,
4797 output_buffer_size, &output_length));
4798 TEST_LE_U(output_length,
4799 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_buffer_size));
4800 TEST_LE_U(output_length,
4801 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(input_buffer_size));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004802
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004803 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004804 output, output_length);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004805exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004806 mbedtls_free(input);
4807 mbedtls_free(output);
4808 psa_destroy_key(key);
4809 PSA_DONE();
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004810}
4811/* END_CASE */
4812
4813/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004814void cipher_verify_output(int alg_arg,
4815 int key_type_arg,
4816 data_t *key_data,
4817 data_t *input)
mohammad1603d7d7ba52018-03-12 18:51:53 +02004818{
Ronald Cron5425a212020-08-04 14:58:35 +02004819 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
mohammad1603d7d7ba52018-03-12 18:51:53 +02004820 psa_key_type_t key_type = key_type_arg;
4821 psa_algorithm_t alg = alg_arg;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004822 unsigned char *output1 = NULL;
mohammad1603d7d7ba52018-03-12 18:51:53 +02004823 size_t output1_size = 0;
4824 size_t output1_length = 0;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004825 unsigned char *output2 = NULL;
mohammad1603d7d7ba52018-03-12 18:51:53 +02004826 size_t output2_size = 0;
4827 size_t output2_length = 0;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004828 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
mohammad1603d7d7ba52018-03-12 18:51:53 +02004829
Gilles Peskine449bd832023-01-11 14:50:10 +01004830 PSA_ASSERT(psa_crypto_init());
mohammad1603d7d7ba52018-03-12 18:51:53 +02004831
Gilles Peskine449bd832023-01-11 14:50:10 +01004832 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
4833 psa_set_key_algorithm(&attributes, alg);
4834 psa_set_key_type(&attributes, key_type);
Moran Pekered346952018-07-05 15:22:45 +03004835
Gilles Peskine449bd832023-01-11 14:50:10 +01004836 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4837 &key));
4838 output1_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004839 TEST_CALLOC(output1, output1_size);
Moran Pekerded84402018-06-06 16:36:50 +03004840
Gilles Peskine449bd832023-01-11 14:50:10 +01004841 PSA_ASSERT(psa_cipher_encrypt(key, alg, input->x, input->len,
4842 output1, output1_size,
4843 &output1_length));
4844 TEST_LE_U(output1_length,
4845 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len));
4846 TEST_LE_U(output1_length,
4847 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input->len));
Moran Pekerded84402018-06-06 16:36:50 +03004848
4849 output2_size = output1_length;
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004850 TEST_CALLOC(output2, output2_size);
Moran Pekerded84402018-06-06 16:36:50 +03004851
Gilles Peskine449bd832023-01-11 14:50:10 +01004852 PSA_ASSERT(psa_cipher_decrypt(key, alg, output1, output1_length,
4853 output2, output2_size,
4854 &output2_length));
4855 TEST_LE_U(output2_length,
4856 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, output1_length));
4857 TEST_LE_U(output2_length,
4858 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(output1_length));
Moran Pekerded84402018-06-06 16:36:50 +03004859
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004860 TEST_MEMORY_COMPARE(input->x, input->len, output2, output2_length);
Moran Pekerded84402018-06-06 16:36:50 +03004861
4862exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004863 mbedtls_free(output1);
4864 mbedtls_free(output2);
4865 psa_destroy_key(key);
4866 PSA_DONE();
Moran Pekerded84402018-06-06 16:36:50 +03004867}
4868/* END_CASE */
4869
4870/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004871void cipher_verify_output_multipart(int alg_arg,
4872 int key_type_arg,
4873 data_t *key_data,
4874 data_t *input,
4875 int first_part_size_arg)
Moran Pekerded84402018-06-06 16:36:50 +03004876{
Ronald Cron5425a212020-08-04 14:58:35 +02004877 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Moran Pekerded84402018-06-06 16:36:50 +03004878 psa_key_type_t key_type = key_type_arg;
4879 psa_algorithm_t alg = alg_arg;
Gilles Peskinee0866522019-02-19 19:44:00 +01004880 size_t first_part_size = first_part_size_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01004881 unsigned char iv[16] = { 0 };
Moran Pekerded84402018-06-06 16:36:50 +03004882 size_t iv_size = 16;
4883 size_t iv_length = 0;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004884 unsigned char *output1 = NULL;
Gilles Peskine048b7f02018-06-08 14:20:49 +02004885 size_t output1_buffer_size = 0;
Moran Pekerded84402018-06-06 16:36:50 +03004886 size_t output1_length = 0;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004887 unsigned char *output2 = NULL;
Gilles Peskine048b7f02018-06-08 14:20:49 +02004888 size_t output2_buffer_size = 0;
Moran Pekerded84402018-06-06 16:36:50 +03004889 size_t output2_length = 0;
Gilles Peskine048b7f02018-06-08 14:20:49 +02004890 size_t function_output_length;
Jaeden Amero5bae2272019-01-04 11:48:27 +00004891 psa_cipher_operation_t operation1 = PSA_CIPHER_OPERATION_INIT;
4892 psa_cipher_operation_t operation2 = PSA_CIPHER_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004893 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Moran Pekerded84402018-06-06 16:36:50 +03004894
Gilles Peskine449bd832023-01-11 14:50:10 +01004895 PSA_ASSERT(psa_crypto_init());
Moran Pekerded84402018-06-06 16:36:50 +03004896
Gilles Peskine449bd832023-01-11 14:50:10 +01004897 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
4898 psa_set_key_algorithm(&attributes, alg);
4899 psa_set_key_type(&attributes, key_type);
Moran Pekered346952018-07-05 15:22:45 +03004900
Gilles Peskine449bd832023-01-11 14:50:10 +01004901 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4902 &key));
Moran Pekerded84402018-06-06 16:36:50 +03004903
Gilles Peskine449bd832023-01-11 14:50:10 +01004904 PSA_ASSERT(psa_cipher_encrypt_setup(&operation1, key, alg));
4905 PSA_ASSERT(psa_cipher_decrypt_setup(&operation2, key, alg));
Moran Pekerded84402018-06-06 16:36:50 +03004906
Gilles Peskine449bd832023-01-11 14:50:10 +01004907 if (alg != PSA_ALG_ECB_NO_PADDING) {
4908 PSA_ASSERT(psa_cipher_generate_iv(&operation1,
4909 iv, iv_size,
4910 &iv_length));
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004911 }
4912
Gilles Peskine449bd832023-01-11 14:50:10 +01004913 output1_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len);
4914 TEST_LE_U(output1_buffer_size,
4915 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input->len));
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004916 TEST_CALLOC(output1, output1_buffer_size);
Moran Pekerded84402018-06-06 16:36:50 +03004917
Gilles Peskine449bd832023-01-11 14:50:10 +01004918 TEST_LE_U(first_part_size, input->len);
Gilles Peskine4ca9c3f2018-06-06 18:44:09 +02004919
Gilles Peskine449bd832023-01-11 14:50:10 +01004920 PSA_ASSERT(psa_cipher_update(&operation1, input->x, first_part_size,
4921 output1, output1_buffer_size,
4922 &function_output_length));
4923 TEST_LE_U(function_output_length,
4924 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size));
4925 TEST_LE_U(function_output_length,
4926 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size));
Gilles Peskine048b7f02018-06-08 14:20:49 +02004927 output1_length += function_output_length;
Moran Pekerded84402018-06-06 16:36:50 +03004928
Gilles Peskine449bd832023-01-11 14:50:10 +01004929 PSA_ASSERT(psa_cipher_update(&operation1,
4930 input->x + first_part_size,
4931 input->len - first_part_size,
David Horstmannb8dc2452024-02-06 17:03:13 +00004932 output1 + output1_length,
4933 output1_buffer_size - output1_length,
Gilles Peskine449bd832023-01-11 14:50:10 +01004934 &function_output_length));
4935 TEST_LE_U(function_output_length,
4936 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type,
4937 alg,
4938 input->len - first_part_size));
4939 TEST_LE_U(function_output_length,
4940 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len - first_part_size));
Gilles Peskine048b7f02018-06-08 14:20:49 +02004941 output1_length += function_output_length;
Moran Pekerded84402018-06-06 16:36:50 +03004942
Gilles Peskine449bd832023-01-11 14:50:10 +01004943 PSA_ASSERT(psa_cipher_finish(&operation1,
4944 output1 + output1_length,
4945 output1_buffer_size - output1_length,
4946 &function_output_length));
4947 TEST_LE_U(function_output_length,
4948 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg));
4949 TEST_LE_U(function_output_length,
4950 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE);
Gilles Peskine048b7f02018-06-08 14:20:49 +02004951 output1_length += function_output_length;
mohammad1603d7d7ba52018-03-12 18:51:53 +02004952
Gilles Peskine449bd832023-01-11 14:50:10 +01004953 PSA_ASSERT(psa_cipher_abort(&operation1));
mohammad1603d7d7ba52018-03-12 18:51:53 +02004954
Gilles Peskine048b7f02018-06-08 14:20:49 +02004955 output2_buffer_size = output1_length;
Gilles Peskine449bd832023-01-11 14:50:10 +01004956 TEST_LE_U(output2_buffer_size,
4957 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, output1_length));
4958 TEST_LE_U(output2_buffer_size,
4959 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(output1_length));
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004960 TEST_CALLOC(output2, output2_buffer_size);
mohammad1603d7d7ba52018-03-12 18:51:53 +02004961
Gilles Peskine449bd832023-01-11 14:50:10 +01004962 if (iv_length > 0) {
4963 PSA_ASSERT(psa_cipher_set_iv(&operation2,
4964 iv, iv_length));
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004965 }
Moran Pekerded84402018-06-06 16:36:50 +03004966
Gilles Peskine449bd832023-01-11 14:50:10 +01004967 PSA_ASSERT(psa_cipher_update(&operation2, output1, first_part_size,
4968 output2, output2_buffer_size,
4969 &function_output_length));
4970 TEST_LE_U(function_output_length,
4971 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size));
4972 TEST_LE_U(function_output_length,
4973 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size));
Gilles Peskine048b7f02018-06-08 14:20:49 +02004974 output2_length += function_output_length;
Moran Pekerded84402018-06-06 16:36:50 +03004975
Gilles Peskine449bd832023-01-11 14:50:10 +01004976 PSA_ASSERT(psa_cipher_update(&operation2,
4977 output1 + first_part_size,
4978 output1_length - first_part_size,
David Horstmannb8dc2452024-02-06 17:03:13 +00004979 output2 + output2_length,
4980 output2_buffer_size - output2_length,
Gilles Peskine449bd832023-01-11 14:50:10 +01004981 &function_output_length));
4982 TEST_LE_U(function_output_length,
4983 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type,
4984 alg,
4985 output1_length - first_part_size));
4986 TEST_LE_U(function_output_length,
4987 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(output1_length - first_part_size));
Gilles Peskine048b7f02018-06-08 14:20:49 +02004988 output2_length += function_output_length;
Moran Pekerded84402018-06-06 16:36:50 +03004989
Gilles Peskine449bd832023-01-11 14:50:10 +01004990 PSA_ASSERT(psa_cipher_finish(&operation2,
4991 output2 + output2_length,
4992 output2_buffer_size - output2_length,
4993 &function_output_length));
4994 TEST_LE_U(function_output_length,
4995 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg));
4996 TEST_LE_U(function_output_length,
4997 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE);
Gilles Peskine048b7f02018-06-08 14:20:49 +02004998 output2_length += function_output_length;
Gilles Peskine4ca9c3f2018-06-06 18:44:09 +02004999
Gilles Peskine449bd832023-01-11 14:50:10 +01005000 PSA_ASSERT(psa_cipher_abort(&operation2));
mohammad1603d7d7ba52018-03-12 18:51:53 +02005001
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01005002 TEST_MEMORY_COMPARE(input->x, input->len, output2, output2_length);
mohammad1603d7d7ba52018-03-12 18:51:53 +02005003
5004exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005005 psa_cipher_abort(&operation1);
5006 psa_cipher_abort(&operation2);
5007 mbedtls_free(output1);
5008 mbedtls_free(output2);
5009 psa_destroy_key(key);
5010 PSA_DONE();
mohammad1603d7d7ba52018-03-12 18:51:53 +02005011}
5012/* END_CASE */
Gilles Peskine7268afc2018-06-06 15:19:24 +02005013
Gilles Peskine20035e32018-02-03 22:44:14 +01005014/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005015void aead_encrypt_decrypt(int key_type_arg, data_t *key_data,
5016 int alg_arg,
5017 data_t *nonce,
5018 data_t *additional_data,
5019 data_t *input_data,
5020 int expected_result_arg)
Gilles Peskinea1cac842018-06-11 19:33:02 +02005021{
Ronald Cron5425a212020-08-04 14:58:35 +02005022 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005023 psa_key_type_t key_type = key_type_arg;
5024 psa_algorithm_t alg = alg_arg;
Bence Szépkútiec174e22021-03-19 18:46:15 +01005025 size_t key_bits;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005026 unsigned char *output_data = NULL;
5027 size_t output_size = 0;
5028 size_t output_length = 0;
5029 unsigned char *output_data2 = NULL;
5030 size_t output_length2 = 0;
Steven Cooremanf49478b2021-02-15 15:19:25 +01005031 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
Gilles Peskine4abf7412018-06-18 16:35:34 +02005032 psa_status_t expected_result = expected_result_arg;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02005033 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005034
Gilles Peskine449bd832023-01-11 14:50:10 +01005035 PSA_ASSERT(psa_crypto_init());
Gilles Peskinea1cac842018-06-11 19:33:02 +02005036
Gilles Peskine449bd832023-01-11 14:50:10 +01005037 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
5038 psa_set_key_algorithm(&attributes, alg);
5039 psa_set_key_type(&attributes, key_type);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005040
Gilles Peskine449bd832023-01-11 14:50:10 +01005041 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5042 &key));
5043 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
5044 key_bits = psa_get_key_bits(&attributes);
Bence Szépkútiec174e22021-03-19 18:46:15 +01005045
Gilles Peskine449bd832023-01-11 14:50:10 +01005046 output_size = input_data->len + PSA_AEAD_TAG_LENGTH(key_type, key_bits,
5047 alg);
Bence Szépkútiec174e22021-03-19 18:46:15 +01005048 /* For all currently defined algorithms, PSA_AEAD_ENCRYPT_OUTPUT_SIZE
5049 * should be exact. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005050 if (expected_result != PSA_ERROR_INVALID_ARGUMENT &&
5051 expected_result != PSA_ERROR_NOT_SUPPORTED) {
5052 TEST_EQUAL(output_size,
5053 PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_data->len));
5054 TEST_LE_U(output_size,
5055 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(input_data->len));
Bence Szépkútiec174e22021-03-19 18:46:15 +01005056 }
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005057 TEST_CALLOC(output_data, output_size);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005058
Gilles Peskine449bd832023-01-11 14:50:10 +01005059 status = psa_aead_encrypt(key, alg,
5060 nonce->x, nonce->len,
5061 additional_data->x,
5062 additional_data->len,
5063 input_data->x, input_data->len,
5064 output_data, output_size,
5065 &output_length);
Steven Cooremanf49478b2021-02-15 15:19:25 +01005066
5067 /* If the operation is not supported, just skip and not fail in case the
5068 * encryption involves a common limitation of cryptography hardwares and
5069 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005070 if (status == PSA_ERROR_NOT_SUPPORTED) {
5071 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5072 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Steven Cooremanf49478b2021-02-15 15:19:25 +01005073 }
5074
Gilles Peskine449bd832023-01-11 14:50:10 +01005075 TEST_EQUAL(status, expected_result);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005076
Gilles Peskine449bd832023-01-11 14:50:10 +01005077 if (PSA_SUCCESS == expected_result) {
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005078 TEST_CALLOC(output_data2, output_length);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005079
Gilles Peskine003a4a92019-05-14 16:09:40 +02005080 /* For all currently defined algorithms, PSA_AEAD_DECRYPT_OUTPUT_SIZE
5081 * should be exact. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005082 TEST_EQUAL(input_data->len,
5083 PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, output_length));
Gilles Peskine003a4a92019-05-14 16:09:40 +02005084
Gilles Peskine449bd832023-01-11 14:50:10 +01005085 TEST_LE_U(input_data->len,
5086 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(output_length));
gabor-mezei-armceface22021-01-21 12:26:17 +01005087
Gilles Peskine449bd832023-01-11 14:50:10 +01005088 TEST_EQUAL(psa_aead_decrypt(key, alg,
5089 nonce->x, nonce->len,
5090 additional_data->x,
5091 additional_data->len,
5092 output_data, output_length,
5093 output_data2, output_length,
5094 &output_length2),
5095 expected_result);
Gilles Peskine2d277862018-06-18 15:41:12 +02005096
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01005097 TEST_MEMORY_COMPARE(input_data->x, input_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01005098 output_data2, output_length2);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005099 }
Gilles Peskine2d277862018-06-18 15:41:12 +02005100
Gilles Peskinea1cac842018-06-11 19:33:02 +02005101exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005102 psa_destroy_key(key);
5103 mbedtls_free(output_data);
5104 mbedtls_free(output_data2);
5105 PSA_DONE();
Gilles Peskinea1cac842018-06-11 19:33:02 +02005106}
5107/* END_CASE */
5108
5109/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005110void aead_encrypt(int key_type_arg, data_t *key_data,
5111 int alg_arg,
5112 data_t *nonce,
5113 data_t *additional_data,
5114 data_t *input_data,
5115 data_t *expected_result)
Gilles Peskinea1cac842018-06-11 19:33:02 +02005116{
Ronald Cron5425a212020-08-04 14:58:35 +02005117 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005118 psa_key_type_t key_type = key_type_arg;
5119 psa_algorithm_t alg = alg_arg;
Bence Szépkútiec174e22021-03-19 18:46:15 +01005120 size_t key_bits;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005121 unsigned char *output_data = NULL;
5122 size_t output_size = 0;
5123 size_t output_length = 0;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02005124 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Steven Cooremand588ea12021-01-11 19:36:04 +01005125 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005126
Gilles Peskine449bd832023-01-11 14:50:10 +01005127 PSA_ASSERT(psa_crypto_init());
Gilles Peskinea1cac842018-06-11 19:33:02 +02005128
Gilles Peskine449bd832023-01-11 14:50:10 +01005129 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
5130 psa_set_key_algorithm(&attributes, alg);
5131 psa_set_key_type(&attributes, key_type);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005132
Gilles Peskine449bd832023-01-11 14:50:10 +01005133 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5134 &key));
5135 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
5136 key_bits = psa_get_key_bits(&attributes);
Bence Szépkútiec174e22021-03-19 18:46:15 +01005137
Gilles Peskine449bd832023-01-11 14:50:10 +01005138 output_size = input_data->len + PSA_AEAD_TAG_LENGTH(key_type, key_bits,
5139 alg);
Bence Szépkútiec174e22021-03-19 18:46:15 +01005140 /* For all currently defined algorithms, PSA_AEAD_ENCRYPT_OUTPUT_SIZE
5141 * should be exact. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005142 TEST_EQUAL(output_size,
5143 PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_data->len));
5144 TEST_LE_U(output_size,
5145 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(input_data->len));
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005146 TEST_CALLOC(output_data, output_size);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005147
Gilles Peskine449bd832023-01-11 14:50:10 +01005148 status = psa_aead_encrypt(key, alg,
5149 nonce->x, nonce->len,
5150 additional_data->x, additional_data->len,
5151 input_data->x, input_data->len,
5152 output_data, output_size,
5153 &output_length);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005154
Ronald Cron28a45ed2021-02-09 20:35:42 +01005155 /* If the operation is not supported, just skip and not fail in case the
5156 * encryption involves a common limitation of cryptography hardwares and
5157 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005158 if (status == PSA_ERROR_NOT_SUPPORTED) {
5159 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5160 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Steven Cooremand588ea12021-01-11 19:36:04 +01005161 }
Steven Cooremand588ea12021-01-11 19:36:04 +01005162
Gilles Peskine449bd832023-01-11 14:50:10 +01005163 PSA_ASSERT(status);
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01005164 TEST_MEMORY_COMPARE(expected_result->x, expected_result->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01005165 output_data, output_length);
Gilles Peskine2d277862018-06-18 15:41:12 +02005166
Gilles Peskinea1cac842018-06-11 19:33:02 +02005167exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005168 psa_destroy_key(key);
5169 mbedtls_free(output_data);
5170 PSA_DONE();
Gilles Peskinea1cac842018-06-11 19:33:02 +02005171}
5172/* END_CASE */
5173
5174/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005175void aead_decrypt(int key_type_arg, data_t *key_data,
5176 int alg_arg,
5177 data_t *nonce,
5178 data_t *additional_data,
5179 data_t *input_data,
5180 data_t *expected_data,
5181 int expected_result_arg)
Gilles Peskinea1cac842018-06-11 19:33:02 +02005182{
Ronald Cron5425a212020-08-04 14:58:35 +02005183 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005184 psa_key_type_t key_type = key_type_arg;
5185 psa_algorithm_t alg = alg_arg;
Bence Szépkútiec174e22021-03-19 18:46:15 +01005186 size_t key_bits;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005187 unsigned char *output_data = NULL;
5188 size_t output_size = 0;
5189 size_t output_length = 0;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02005190 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine4abf7412018-06-18 16:35:34 +02005191 psa_status_t expected_result = expected_result_arg;
Steven Cooremand588ea12021-01-11 19:36:04 +01005192 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005193
Gilles Peskine449bd832023-01-11 14:50:10 +01005194 PSA_ASSERT(psa_crypto_init());
Gilles Peskinea1cac842018-06-11 19:33:02 +02005195
Gilles Peskine449bd832023-01-11 14:50:10 +01005196 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
5197 psa_set_key_algorithm(&attributes, alg);
5198 psa_set_key_type(&attributes, key_type);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005199
Gilles Peskine449bd832023-01-11 14:50:10 +01005200 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5201 &key));
5202 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
5203 key_bits = psa_get_key_bits(&attributes);
Bence Szépkútiec174e22021-03-19 18:46:15 +01005204
Gilles Peskine449bd832023-01-11 14:50:10 +01005205 output_size = input_data->len - PSA_AEAD_TAG_LENGTH(key_type, key_bits,
5206 alg);
5207 if (expected_result != PSA_ERROR_INVALID_ARGUMENT &&
5208 expected_result != PSA_ERROR_NOT_SUPPORTED) {
Bence Szépkútiec174e22021-03-19 18:46:15 +01005209 /* For all currently defined algorithms, PSA_AEAD_DECRYPT_OUTPUT_SIZE
5210 * should be exact. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005211 TEST_EQUAL(output_size,
5212 PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, input_data->len));
5213 TEST_LE_U(output_size,
5214 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(input_data->len));
Bence Szépkútiec174e22021-03-19 18:46:15 +01005215 }
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005216 TEST_CALLOC(output_data, output_size);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005217
Gilles Peskine449bd832023-01-11 14:50:10 +01005218 status = psa_aead_decrypt(key, alg,
5219 nonce->x, nonce->len,
5220 additional_data->x,
5221 additional_data->len,
5222 input_data->x, input_data->len,
5223 output_data, output_size,
5224 &output_length);
Steven Cooremand588ea12021-01-11 19:36:04 +01005225
Ronald Cron28a45ed2021-02-09 20:35:42 +01005226 /* If the operation is not supported, just skip and not fail in case the
5227 * decryption involves a common limitation of cryptography hardwares and
5228 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005229 if (status == PSA_ERROR_NOT_SUPPORTED) {
5230 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5231 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Steven Cooremand588ea12021-01-11 19:36:04 +01005232 }
Steven Cooremand588ea12021-01-11 19:36:04 +01005233
Gilles Peskine449bd832023-01-11 14:50:10 +01005234 TEST_EQUAL(status, expected_result);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005235
Gilles Peskine449bd832023-01-11 14:50:10 +01005236 if (expected_result == PSA_SUCCESS) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01005237 TEST_MEMORY_COMPARE(expected_data->x, expected_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01005238 output_data, output_length);
Gilles Peskine449bd832023-01-11 14:50:10 +01005239 }
Gilles Peskinea1cac842018-06-11 19:33:02 +02005240
Gilles Peskinea1cac842018-06-11 19:33:02 +02005241exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005242 psa_destroy_key(key);
5243 mbedtls_free(output_data);
5244 PSA_DONE();
Gilles Peskinea1cac842018-06-11 19:33:02 +02005245}
5246/* END_CASE */
5247
5248/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005249void aead_multipart_encrypt(int key_type_arg, data_t *key_data,
5250 int alg_arg,
5251 data_t *nonce,
5252 data_t *additional_data,
5253 data_t *input_data,
5254 int do_set_lengths,
5255 data_t *expected_output)
Paul Elliott0023e0a2021-04-27 10:06:22 +01005256{
Paul Elliottd3f82412021-06-16 16:52:21 +01005257 size_t ad_part_len = 0;
5258 size_t data_part_len = 0;
Paul Elliottbb979e72021-09-22 12:54:42 +01005259 set_lengths_method_t set_lengths_method = DO_NOT_SET_LENGTHS;
Paul Elliott0023e0a2021-04-27 10:06:22 +01005260
Gilles Peskine449bd832023-01-11 14:50:10 +01005261 for (ad_part_len = 1; ad_part_len <= additional_data->len; ad_part_len++) {
5262 mbedtls_test_set_step(ad_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005263
Gilles Peskine449bd832023-01-11 14:50:10 +01005264 if (do_set_lengths) {
5265 if (ad_part_len & 0x01) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005266 set_lengths_method = SET_LENGTHS_AFTER_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005267 } else {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005268 set_lengths_method = SET_LENGTHS_BEFORE_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005269 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005270 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005271
5272 /* Split ad into length(ad_part_len) parts. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005273 if (!aead_multipart_internal_func(key_type_arg, key_data,
5274 alg_arg, nonce,
5275 additional_data,
5276 ad_part_len,
5277 input_data, -1,
5278 set_lengths_method,
5279 expected_output,
5280 1, 0)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005281 break;
Paul Elliott0023e0a2021-04-27 10:06:22 +01005282 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005283
Gilles Peskine449bd832023-01-11 14:50:10 +01005284 /* length(0) part, length(ad_part_len) part, length(0) part... */
5285 mbedtls_test_set_step(1000 + ad_part_len);
5286
5287 if (!aead_multipart_internal_func(key_type_arg, key_data,
5288 alg_arg, nonce,
5289 additional_data,
5290 ad_part_len,
5291 input_data, -1,
5292 set_lengths_method,
5293 expected_output,
5294 1, 1)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005295 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005296 }
5297 }
5298
5299 for (data_part_len = 1; data_part_len <= input_data->len; data_part_len++) {
5300 /* Split data into length(data_part_len) parts. */
5301 mbedtls_test_set_step(2000 + data_part_len);
5302
5303 if (do_set_lengths) {
5304 if (data_part_len & 0x01) {
5305 set_lengths_method = SET_LENGTHS_AFTER_NONCE;
5306 } else {
5307 set_lengths_method = SET_LENGTHS_BEFORE_NONCE;
5308 }
5309 }
5310
5311 if (!aead_multipart_internal_func(key_type_arg, key_data,
5312 alg_arg, nonce,
5313 additional_data, -1,
5314 input_data, data_part_len,
5315 set_lengths_method,
5316 expected_output,
5317 1, 0)) {
5318 break;
5319 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005320
5321 /* length(0) part, length(data_part_len) part, length(0) part... */
Gilles Peskine449bd832023-01-11 14:50:10 +01005322 mbedtls_test_set_step(3000 + data_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005323
Gilles Peskine449bd832023-01-11 14:50:10 +01005324 if (!aead_multipart_internal_func(key_type_arg, key_data,
5325 alg_arg, nonce,
5326 additional_data, -1,
5327 input_data, data_part_len,
5328 set_lengths_method,
5329 expected_output,
5330 1, 1)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005331 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005332 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005333 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005334
Paul Elliott8fc45162021-06-23 16:06:01 +01005335 /* Goto is required to silence warnings about unused labels, as we
5336 * don't actually do any test assertions in this function. */
5337 goto exit;
Paul Elliott0023e0a2021-04-27 10:06:22 +01005338}
5339/* END_CASE */
5340
5341/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005342void aead_multipart_decrypt(int key_type_arg, data_t *key_data,
5343 int alg_arg,
5344 data_t *nonce,
5345 data_t *additional_data,
5346 data_t *input_data,
5347 int do_set_lengths,
5348 data_t *expected_output)
Paul Elliott0023e0a2021-04-27 10:06:22 +01005349{
Paul Elliottd3f82412021-06-16 16:52:21 +01005350 size_t ad_part_len = 0;
5351 size_t data_part_len = 0;
Paul Elliottbb979e72021-09-22 12:54:42 +01005352 set_lengths_method_t set_lengths_method = DO_NOT_SET_LENGTHS;
Paul Elliott0023e0a2021-04-27 10:06:22 +01005353
Gilles Peskine449bd832023-01-11 14:50:10 +01005354 for (ad_part_len = 1; ad_part_len <= additional_data->len; ad_part_len++) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005355 /* Split ad into length(ad_part_len) parts. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005356 mbedtls_test_set_step(ad_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005357
Gilles Peskine449bd832023-01-11 14:50:10 +01005358 if (do_set_lengths) {
5359 if (ad_part_len & 0x01) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005360 set_lengths_method = SET_LENGTHS_AFTER_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005361 } else {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005362 set_lengths_method = SET_LENGTHS_BEFORE_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005363 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005364 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005365
Gilles Peskine449bd832023-01-11 14:50:10 +01005366 if (!aead_multipart_internal_func(key_type_arg, key_data,
5367 alg_arg, nonce,
5368 additional_data,
5369 ad_part_len,
5370 input_data, -1,
5371 set_lengths_method,
5372 expected_output,
5373 0, 0)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005374 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005375 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005376
5377 /* length(0) part, length(ad_part_len) part, length(0) part... */
Gilles Peskine449bd832023-01-11 14:50:10 +01005378 mbedtls_test_set_step(1000 + ad_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005379
Gilles Peskine449bd832023-01-11 14:50:10 +01005380 if (!aead_multipart_internal_func(key_type_arg, key_data,
5381 alg_arg, nonce,
5382 additional_data,
5383 ad_part_len,
5384 input_data, -1,
5385 set_lengths_method,
5386 expected_output,
5387 0, 1)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005388 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005389 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005390 }
5391
Gilles Peskine449bd832023-01-11 14:50:10 +01005392 for (data_part_len = 1; data_part_len <= input_data->len; data_part_len++) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005393 /* Split data into length(data_part_len) parts. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005394 mbedtls_test_set_step(2000 + data_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005395
Gilles Peskine449bd832023-01-11 14:50:10 +01005396 if (do_set_lengths) {
5397 if (data_part_len & 0x01) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005398 set_lengths_method = SET_LENGTHS_AFTER_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005399 } else {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005400 set_lengths_method = SET_LENGTHS_BEFORE_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005401 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005402 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005403
Gilles Peskine449bd832023-01-11 14:50:10 +01005404 if (!aead_multipart_internal_func(key_type_arg, key_data,
5405 alg_arg, nonce,
5406 additional_data, -1,
5407 input_data, data_part_len,
5408 set_lengths_method,
5409 expected_output,
5410 0, 0)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005411 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005412 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005413
5414 /* length(0) part, length(data_part_len) part, length(0) part... */
Gilles Peskine449bd832023-01-11 14:50:10 +01005415 mbedtls_test_set_step(3000 + data_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005416
Gilles Peskine449bd832023-01-11 14:50:10 +01005417 if (!aead_multipart_internal_func(key_type_arg, key_data,
5418 alg_arg, nonce,
5419 additional_data, -1,
5420 input_data, data_part_len,
5421 set_lengths_method,
5422 expected_output,
5423 0, 1)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005424 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005425 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005426 }
5427
Paul Elliott8fc45162021-06-23 16:06:01 +01005428 /* Goto is required to silence warnings about unused labels, as we
5429 * don't actually do any test assertions in this function. */
Paul Elliottd3f82412021-06-16 16:52:21 +01005430 goto exit;
Paul Elliott0023e0a2021-04-27 10:06:22 +01005431}
5432/* END_CASE */
5433
5434/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005435void aead_multipart_generate_nonce(int key_type_arg, data_t *key_data,
5436 int alg_arg,
5437 int nonce_length,
5438 int expected_nonce_length_arg,
5439 data_t *additional_data,
5440 data_t *input_data,
5441 int expected_status_arg)
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005442{
5443
5444 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5445 psa_key_type_t key_type = key_type_arg;
5446 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005447 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
David Horstmann52402ec2023-12-11 15:09:46 +00005448 /* Some tests try to get more than the maximum nonce length,
5449 * so allocate double. */
5450 uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE * 2];
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005451 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5452 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
Paul Elliott693bf312021-07-23 17:40:41 +01005453 psa_status_t expected_status = expected_status_arg;
Paul Elliottf1277632021-08-24 18:11:37 +01005454 size_t actual_nonce_length = 0;
5455 size_t expected_nonce_length = expected_nonce_length_arg;
5456 unsigned char *output = NULL;
5457 unsigned char *ciphertext = NULL;
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005458 size_t output_size = 0;
Paul Elliottf1277632021-08-24 18:11:37 +01005459 size_t ciphertext_size = 0;
5460 size_t ciphertext_length = 0;
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005461 size_t tag_length = 0;
5462 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE];
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005463
Gilles Peskine449bd832023-01-11 14:50:10 +01005464 PSA_ASSERT(psa_crypto_init());
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005465
Gilles Peskine449bd832023-01-11 14:50:10 +01005466 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
5467 psa_set_key_algorithm(&attributes, alg);
5468 psa_set_key_type(&attributes, key_type);
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005469
Gilles Peskine449bd832023-01-11 14:50:10 +01005470 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5471 &key));
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005472
Gilles Peskine449bd832023-01-11 14:50:10 +01005473 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005474
Gilles Peskine449bd832023-01-11 14:50:10 +01005475 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005476
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005477 TEST_CALLOC(output, output_size);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005478
Gilles Peskine449bd832023-01-11 14:50:10 +01005479 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005480
Gilles Peskine449bd832023-01-11 14:50:10 +01005481 TEST_LE_U(ciphertext_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005482
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005483 TEST_CALLOC(ciphertext, ciphertext_size);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005484
Gilles Peskine449bd832023-01-11 14:50:10 +01005485 status = psa_aead_encrypt_setup(&operation, key, alg);
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005486
5487 /* If the operation is not supported, just skip and not fail in case the
5488 * encryption involves a common limitation of cryptography hardwares and
5489 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005490 if (status == PSA_ERROR_NOT_SUPPORTED) {
5491 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5492 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce_length);
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005493 }
5494
Gilles Peskine449bd832023-01-11 14:50:10 +01005495 PSA_ASSERT(status);
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005496
Gilles Peskine449bd832023-01-11 14:50:10 +01005497 status = psa_aead_generate_nonce(&operation, nonce_buffer,
5498 nonce_length,
5499 &actual_nonce_length);
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005500
Gilles Peskine449bd832023-01-11 14:50:10 +01005501 TEST_EQUAL(status, expected_status);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005502
Gilles Peskine449bd832023-01-11 14:50:10 +01005503 TEST_EQUAL(actual_nonce_length, expected_nonce_length);
Paul Elliottd85f5472021-07-16 18:20:16 +01005504
Gilles Peskine449bd832023-01-11 14:50:10 +01005505 if (expected_status == PSA_SUCCESS) {
5506 TEST_EQUAL(actual_nonce_length, PSA_AEAD_NONCE_LENGTH(key_type,
5507 alg));
5508 }
Paul Elliott88ecbe12021-09-22 17:23:03 +01005509
Gilles Peskine449bd832023-01-11 14:50:10 +01005510 TEST_LE_U(actual_nonce_length, PSA_AEAD_NONCE_MAX_SIZE);
Paul Elliotte0fcb3b2021-07-16 18:52:03 +01005511
Gilles Peskine449bd832023-01-11 14:50:10 +01005512 if (expected_status == PSA_SUCCESS) {
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005513 /* Ensure we can still complete operation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005514 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5515 input_data->len));
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005516
Gilles Peskine449bd832023-01-11 14:50:10 +01005517 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
5518 additional_data->len));
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005519
Gilles Peskine449bd832023-01-11 14:50:10 +01005520 PSA_ASSERT(psa_aead_update(&operation, input_data->x, input_data->len,
5521 output, output_size,
5522 &ciphertext_length));
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005523
Gilles Peskine449bd832023-01-11 14:50:10 +01005524 PSA_ASSERT(psa_aead_finish(&operation, ciphertext, ciphertext_size,
5525 &ciphertext_length, tag_buffer,
5526 PSA_AEAD_TAG_MAX_SIZE, &tag_length));
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005527 }
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005528
5529exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005530 psa_destroy_key(key);
5531 mbedtls_free(output);
5532 mbedtls_free(ciphertext);
5533 psa_aead_abort(&operation);
5534 PSA_DONE();
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005535}
5536/* END_CASE */
5537
5538/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005539void aead_multipart_set_nonce(int key_type_arg, data_t *key_data,
5540 int alg_arg,
5541 int nonce_length_arg,
5542 int set_lengths_method_arg,
5543 data_t *additional_data,
5544 data_t *input_data,
5545 int expected_status_arg)
Paul Elliott863864a2021-07-23 17:28:31 +01005546{
5547
5548 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5549 psa_key_type_t key_type = key_type_arg;
5550 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005551 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott863864a2021-07-23 17:28:31 +01005552 uint8_t *nonce_buffer = NULL;
5553 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5554 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
5555 psa_status_t expected_status = expected_status_arg;
Paul Elliott6f0e7202021-08-25 12:57:18 +01005556 unsigned char *output = NULL;
5557 unsigned char *ciphertext = NULL;
Paul Elliott4023ffd2021-09-10 16:21:22 +01005558 size_t nonce_length;
Paul Elliott863864a2021-07-23 17:28:31 +01005559 size_t output_size = 0;
Paul Elliott6f0e7202021-08-25 12:57:18 +01005560 size_t ciphertext_size = 0;
5561 size_t ciphertext_length = 0;
Paul Elliott863864a2021-07-23 17:28:31 +01005562 size_t tag_length = 0;
5563 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE];
Paul Elliott4023ffd2021-09-10 16:21:22 +01005564 size_t index = 0;
Andrzej Kureka2ce72e2021-12-25 17:21:47 +01005565 set_lengths_method_t set_lengths_method = set_lengths_method_arg;
Paul Elliott863864a2021-07-23 17:28:31 +01005566
Gilles Peskine449bd832023-01-11 14:50:10 +01005567 PSA_ASSERT(psa_crypto_init());
Paul Elliott863864a2021-07-23 17:28:31 +01005568
Gilles Peskine449bd832023-01-11 14:50:10 +01005569 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
5570 psa_set_key_algorithm(&attributes, alg);
5571 psa_set_key_type(&attributes, key_type);
Paul Elliott863864a2021-07-23 17:28:31 +01005572
Gilles Peskine449bd832023-01-11 14:50:10 +01005573 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5574 &key));
Paul Elliott863864a2021-07-23 17:28:31 +01005575
Gilles Peskine449bd832023-01-11 14:50:10 +01005576 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
Paul Elliott863864a2021-07-23 17:28:31 +01005577
Gilles Peskine449bd832023-01-11 14:50:10 +01005578 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len);
Paul Elliott863864a2021-07-23 17:28:31 +01005579
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005580 TEST_CALLOC(output, output_size);
Paul Elliott863864a2021-07-23 17:28:31 +01005581
Gilles Peskine449bd832023-01-11 14:50:10 +01005582 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg);
Paul Elliott863864a2021-07-23 17:28:31 +01005583
Gilles Peskine449bd832023-01-11 14:50:10 +01005584 TEST_LE_U(ciphertext_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE);
Paul Elliott863864a2021-07-23 17:28:31 +01005585
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005586 TEST_CALLOC(ciphertext, ciphertext_size);
Paul Elliott863864a2021-07-23 17:28:31 +01005587
Gilles Peskine449bd832023-01-11 14:50:10 +01005588 status = psa_aead_encrypt_setup(&operation, key, alg);
Paul Elliott863864a2021-07-23 17:28:31 +01005589
5590 /* If the operation is not supported, just skip and not fail in case the
5591 * encryption involves a common limitation of cryptography hardwares and
5592 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005593 if (status == PSA_ERROR_NOT_SUPPORTED) {
5594 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5595 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce_length_arg);
Paul Elliott863864a2021-07-23 17:28:31 +01005596 }
5597
Gilles Peskine449bd832023-01-11 14:50:10 +01005598 PSA_ASSERT(status);
Paul Elliott863864a2021-07-23 17:28:31 +01005599
Paul Elliott4023ffd2021-09-10 16:21:22 +01005600 /* -1 == zero length and valid buffer, 0 = zero length and NULL buffer. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005601 if (nonce_length_arg == -1) {
5602 /* Arbitrary size buffer, to test zero length valid buffer. */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005603 TEST_CALLOC(nonce_buffer, 4);
Gilles Peskine449bd832023-01-11 14:50:10 +01005604 nonce_length = 0;
5605 } else {
Paul Elliott4023ffd2021-09-10 16:21:22 +01005606 /* If length is zero, then this will return NULL. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005607 nonce_length = (size_t) nonce_length_arg;
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005608 TEST_CALLOC(nonce_buffer, nonce_length);
Paul Elliott66696b52021-08-16 18:42:41 +01005609
Gilles Peskine449bd832023-01-11 14:50:10 +01005610 if (nonce_buffer) {
5611 for (index = 0; index < nonce_length - 1; ++index) {
Paul Elliott4023ffd2021-09-10 16:21:22 +01005612 nonce_buffer[index] = 'a' + index;
5613 }
Paul Elliott66696b52021-08-16 18:42:41 +01005614 }
Paul Elliott863864a2021-07-23 17:28:31 +01005615 }
5616
Gilles Peskine449bd832023-01-11 14:50:10 +01005617 if (set_lengths_method == SET_LENGTHS_BEFORE_NONCE) {
5618 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5619 input_data->len));
Andrzej Kureka2ce72e2021-12-25 17:21:47 +01005620 }
5621
Gilles Peskine449bd832023-01-11 14:50:10 +01005622 status = psa_aead_set_nonce(&operation, nonce_buffer, nonce_length);
Paul Elliott863864a2021-07-23 17:28:31 +01005623
Gilles Peskine449bd832023-01-11 14:50:10 +01005624 TEST_EQUAL(status, expected_status);
Paul Elliott863864a2021-07-23 17:28:31 +01005625
Gilles Peskine449bd832023-01-11 14:50:10 +01005626 if (expected_status == PSA_SUCCESS) {
5627 if (set_lengths_method == SET_LENGTHS_AFTER_NONCE) {
5628 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5629 input_data->len));
Andrzej Kureka2ce72e2021-12-25 17:21:47 +01005630 }
Gilles Peskine449bd832023-01-11 14:50:10 +01005631 if (operation.alg == PSA_ALG_CCM && set_lengths_method == DO_NOT_SET_LENGTHS) {
Andrzej Kureka2ce72e2021-12-25 17:21:47 +01005632 expected_status = PSA_ERROR_BAD_STATE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005633 }
Paul Elliott863864a2021-07-23 17:28:31 +01005634
Andrzej Kureka2ce72e2021-12-25 17:21:47 +01005635 /* Ensure we can still complete operation, unless it's CCM and we didn't set lengths. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005636 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
5637 additional_data->len),
5638 expected_status);
Paul Elliott863864a2021-07-23 17:28:31 +01005639
Gilles Peskine449bd832023-01-11 14:50:10 +01005640 TEST_EQUAL(psa_aead_update(&operation, input_data->x, input_data->len,
5641 output, output_size,
5642 &ciphertext_length),
5643 expected_status);
Paul Elliott863864a2021-07-23 17:28:31 +01005644
Gilles Peskine449bd832023-01-11 14:50:10 +01005645 TEST_EQUAL(psa_aead_finish(&operation, ciphertext, ciphertext_size,
5646 &ciphertext_length, tag_buffer,
5647 PSA_AEAD_TAG_MAX_SIZE, &tag_length),
5648 expected_status);
Paul Elliott863864a2021-07-23 17:28:31 +01005649 }
5650
5651exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005652 psa_destroy_key(key);
5653 mbedtls_free(output);
5654 mbedtls_free(ciphertext);
5655 mbedtls_free(nonce_buffer);
5656 psa_aead_abort(&operation);
5657 PSA_DONE();
Paul Elliott863864a2021-07-23 17:28:31 +01005658}
5659/* END_CASE */
5660
5661/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005662void aead_multipart_update_buffer_test(int key_type_arg, data_t *key_data,
Paul Elliott43fbda62021-07-23 18:30:59 +01005663 int alg_arg,
Paul Elliottc6d11d02021-09-01 12:04:23 +01005664 int output_size_arg,
Paul Elliott43fbda62021-07-23 18:30:59 +01005665 data_t *nonce,
5666 data_t *additional_data,
5667 data_t *input_data,
Gilles Peskine449bd832023-01-11 14:50:10 +01005668 int expected_status_arg)
Paul Elliott43fbda62021-07-23 18:30:59 +01005669{
5670
5671 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5672 psa_key_type_t key_type = key_type_arg;
5673 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005674 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott43fbda62021-07-23 18:30:59 +01005675 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5676 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
5677 psa_status_t expected_status = expected_status_arg;
Paul Elliottc6d11d02021-09-01 12:04:23 +01005678 unsigned char *output = NULL;
5679 unsigned char *ciphertext = NULL;
5680 size_t output_size = output_size_arg;
5681 size_t ciphertext_size = 0;
5682 size_t ciphertext_length = 0;
Paul Elliott43fbda62021-07-23 18:30:59 +01005683 size_t tag_length = 0;
5684 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE];
5685
Gilles Peskine449bd832023-01-11 14:50:10 +01005686 PSA_ASSERT(psa_crypto_init());
Paul Elliott43fbda62021-07-23 18:30:59 +01005687
Gilles Peskine449bd832023-01-11 14:50:10 +01005688 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
5689 psa_set_key_algorithm(&attributes, alg);
5690 psa_set_key_type(&attributes, key_type);
Paul Elliott43fbda62021-07-23 18:30:59 +01005691
Gilles Peskine449bd832023-01-11 14:50:10 +01005692 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5693 &key));
Paul Elliott43fbda62021-07-23 18:30:59 +01005694
Gilles Peskine449bd832023-01-11 14:50:10 +01005695 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
Paul Elliott43fbda62021-07-23 18:30:59 +01005696
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005697 TEST_CALLOC(output, output_size);
Paul Elliott43fbda62021-07-23 18:30:59 +01005698
Gilles Peskine449bd832023-01-11 14:50:10 +01005699 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg);
Paul Elliott43fbda62021-07-23 18:30:59 +01005700
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005701 TEST_CALLOC(ciphertext, ciphertext_size);
Paul Elliott43fbda62021-07-23 18:30:59 +01005702
Gilles Peskine449bd832023-01-11 14:50:10 +01005703 status = psa_aead_encrypt_setup(&operation, key, alg);
Paul Elliott43fbda62021-07-23 18:30:59 +01005704
5705 /* If the operation is not supported, just skip and not fail in case the
5706 * encryption involves a common limitation of cryptography hardwares and
5707 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005708 if (status == PSA_ERROR_NOT_SUPPORTED) {
5709 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5710 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Paul Elliott43fbda62021-07-23 18:30:59 +01005711 }
5712
Gilles Peskine449bd832023-01-11 14:50:10 +01005713 PSA_ASSERT(status);
Paul Elliott43fbda62021-07-23 18:30:59 +01005714
Gilles Peskine449bd832023-01-11 14:50:10 +01005715 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5716 input_data->len));
Paul Elliott47b9a142021-10-07 15:04:57 +01005717
Gilles Peskine449bd832023-01-11 14:50:10 +01005718 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott43fbda62021-07-23 18:30:59 +01005719
Gilles Peskine449bd832023-01-11 14:50:10 +01005720 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
5721 additional_data->len));
Paul Elliott43fbda62021-07-23 18:30:59 +01005722
Gilles Peskine449bd832023-01-11 14:50:10 +01005723 status = psa_aead_update(&operation, input_data->x, input_data->len,
5724 output, output_size, &ciphertext_length);
Paul Elliott43fbda62021-07-23 18:30:59 +01005725
Gilles Peskine449bd832023-01-11 14:50:10 +01005726 TEST_EQUAL(status, expected_status);
Paul Elliott43fbda62021-07-23 18:30:59 +01005727
Gilles Peskine449bd832023-01-11 14:50:10 +01005728 if (expected_status == PSA_SUCCESS) {
Paul Elliott43fbda62021-07-23 18:30:59 +01005729 /* Ensure we can still complete operation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005730 PSA_ASSERT(psa_aead_finish(&operation, ciphertext, ciphertext_size,
5731 &ciphertext_length, tag_buffer,
5732 PSA_AEAD_TAG_MAX_SIZE, &tag_length));
Paul Elliott43fbda62021-07-23 18:30:59 +01005733 }
5734
5735exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005736 psa_destroy_key(key);
5737 mbedtls_free(output);
5738 mbedtls_free(ciphertext);
5739 psa_aead_abort(&operation);
5740 PSA_DONE();
Paul Elliott43fbda62021-07-23 18:30:59 +01005741}
5742/* END_CASE */
5743
Paul Elliott91b021e2021-07-23 18:52:31 +01005744/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005745void aead_multipart_finish_buffer_test(int key_type_arg, data_t *key_data,
5746 int alg_arg,
5747 int finish_ciphertext_size_arg,
5748 int tag_size_arg,
5749 data_t *nonce,
5750 data_t *additional_data,
5751 data_t *input_data,
5752 int expected_status_arg)
Paul Elliott91b021e2021-07-23 18:52:31 +01005753{
5754
5755 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5756 psa_key_type_t key_type = key_type_arg;
5757 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005758 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott91b021e2021-07-23 18:52:31 +01005759 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5760 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
5761 psa_status_t expected_status = expected_status_arg;
Paul Elliotte58cb1e2021-09-10 18:36:00 +01005762 unsigned char *ciphertext = NULL;
5763 unsigned char *finish_ciphertext = NULL;
Paul Elliott719c1322021-09-13 18:27:22 +01005764 unsigned char *tag_buffer = NULL;
Paul Elliotte58cb1e2021-09-10 18:36:00 +01005765 size_t ciphertext_size = 0;
5766 size_t ciphertext_length = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01005767 size_t finish_ciphertext_size = (size_t) finish_ciphertext_size_arg;
5768 size_t tag_size = (size_t) tag_size_arg;
Paul Elliott91b021e2021-07-23 18:52:31 +01005769 size_t tag_length = 0;
Paul Elliott91b021e2021-07-23 18:52:31 +01005770
Gilles Peskine449bd832023-01-11 14:50:10 +01005771 PSA_ASSERT(psa_crypto_init());
Paul Elliott91b021e2021-07-23 18:52:31 +01005772
Gilles Peskine449bd832023-01-11 14:50:10 +01005773 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
5774 psa_set_key_algorithm(&attributes, alg);
5775 psa_set_key_type(&attributes, key_type);
Paul Elliott91b021e2021-07-23 18:52:31 +01005776
Gilles Peskine449bd832023-01-11 14:50:10 +01005777 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5778 &key));
Paul Elliott91b021e2021-07-23 18:52:31 +01005779
Gilles Peskine449bd832023-01-11 14:50:10 +01005780 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
Paul Elliott91b021e2021-07-23 18:52:31 +01005781
Gilles Peskine449bd832023-01-11 14:50:10 +01005782 ciphertext_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len);
Paul Elliott91b021e2021-07-23 18:52:31 +01005783
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005784 TEST_CALLOC(ciphertext, ciphertext_size);
Paul Elliott91b021e2021-07-23 18:52:31 +01005785
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005786 TEST_CALLOC(finish_ciphertext, finish_ciphertext_size);
Paul Elliott91b021e2021-07-23 18:52:31 +01005787
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005788 TEST_CALLOC(tag_buffer, tag_size);
Paul Elliott719c1322021-09-13 18:27:22 +01005789
Gilles Peskine449bd832023-01-11 14:50:10 +01005790 status = psa_aead_encrypt_setup(&operation, key, alg);
Paul Elliott91b021e2021-07-23 18:52:31 +01005791
5792 /* If the operation is not supported, just skip and not fail in case the
5793 * encryption involves a common limitation of cryptography hardwares and
5794 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005795 if (status == PSA_ERROR_NOT_SUPPORTED) {
5796 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5797 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Paul Elliott91b021e2021-07-23 18:52:31 +01005798 }
5799
Gilles Peskine449bd832023-01-11 14:50:10 +01005800 PSA_ASSERT(status);
Paul Elliott91b021e2021-07-23 18:52:31 +01005801
Gilles Peskine449bd832023-01-11 14:50:10 +01005802 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott91b021e2021-07-23 18:52:31 +01005803
Gilles Peskine449bd832023-01-11 14:50:10 +01005804 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5805 input_data->len));
Paul Elliott76bda482021-10-07 17:07:23 +01005806
Gilles Peskine449bd832023-01-11 14:50:10 +01005807 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
5808 additional_data->len));
Paul Elliott91b021e2021-07-23 18:52:31 +01005809
Gilles Peskine449bd832023-01-11 14:50:10 +01005810 PSA_ASSERT(psa_aead_update(&operation, input_data->x, input_data->len,
5811 ciphertext, ciphertext_size, &ciphertext_length));
Paul Elliott91b021e2021-07-23 18:52:31 +01005812
5813 /* Ensure we can still complete operation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005814 status = psa_aead_finish(&operation, finish_ciphertext,
5815 finish_ciphertext_size,
5816 &ciphertext_length, tag_buffer,
5817 tag_size, &tag_length);
Paul Elliott91b021e2021-07-23 18:52:31 +01005818
Gilles Peskine449bd832023-01-11 14:50:10 +01005819 TEST_EQUAL(status, expected_status);
Paul Elliott91b021e2021-07-23 18:52:31 +01005820
5821exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005822 psa_destroy_key(key);
5823 mbedtls_free(ciphertext);
5824 mbedtls_free(finish_ciphertext);
5825 mbedtls_free(tag_buffer);
5826 psa_aead_abort(&operation);
5827 PSA_DONE();
Paul Elliott91b021e2021-07-23 18:52:31 +01005828}
5829/* END_CASE */
Paul Elliott43fbda62021-07-23 18:30:59 +01005830
5831/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005832void aead_multipart_verify(int key_type_arg, data_t *key_data,
5833 int alg_arg,
5834 data_t *nonce,
5835 data_t *additional_data,
5836 data_t *input_data,
5837 data_t *tag,
5838 int tag_usage_arg,
5839 int expected_setup_status_arg,
5840 int expected_status_arg)
Paul Elliott9961a662021-09-17 19:19:02 +01005841{
5842 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5843 psa_key_type_t key_type = key_type_arg;
5844 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005845 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott9961a662021-09-17 19:19:02 +01005846 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5847 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
5848 psa_status_t expected_status = expected_status_arg;
Andrzej Kurekf8816012021-12-19 17:00:12 +01005849 psa_status_t expected_setup_status = expected_setup_status_arg;
Paul Elliott9961a662021-09-17 19:19:02 +01005850 unsigned char *plaintext = NULL;
5851 unsigned char *finish_plaintext = NULL;
5852 size_t plaintext_size = 0;
5853 size_t plaintext_length = 0;
5854 size_t verify_plaintext_size = 0;
Paul Elliottbb979e72021-09-22 12:54:42 +01005855 tag_usage_method_t tag_usage = tag_usage_arg;
Paul Elliott1c67e0b2021-09-19 13:11:50 +01005856 unsigned char *tag_buffer = NULL;
5857 size_t tag_size = 0;
Paul Elliott9961a662021-09-17 19:19:02 +01005858
Gilles Peskine449bd832023-01-11 14:50:10 +01005859 PSA_ASSERT(psa_crypto_init());
Paul Elliott9961a662021-09-17 19:19:02 +01005860
Gilles Peskine449bd832023-01-11 14:50:10 +01005861 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
5862 psa_set_key_algorithm(&attributes, alg);
5863 psa_set_key_type(&attributes, key_type);
Paul Elliott9961a662021-09-17 19:19:02 +01005864
Gilles Peskine449bd832023-01-11 14:50:10 +01005865 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5866 &key));
Paul Elliott9961a662021-09-17 19:19:02 +01005867
Gilles Peskine449bd832023-01-11 14:50:10 +01005868 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
Paul Elliott9961a662021-09-17 19:19:02 +01005869
Gilles Peskine449bd832023-01-11 14:50:10 +01005870 plaintext_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg,
5871 input_data->len);
Paul Elliott9961a662021-09-17 19:19:02 +01005872
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005873 TEST_CALLOC(plaintext, plaintext_size);
Paul Elliott9961a662021-09-17 19:19:02 +01005874
Gilles Peskine449bd832023-01-11 14:50:10 +01005875 verify_plaintext_size = PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg);
Paul Elliott9961a662021-09-17 19:19:02 +01005876
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005877 TEST_CALLOC(finish_plaintext, verify_plaintext_size);
Paul Elliott9961a662021-09-17 19:19:02 +01005878
Gilles Peskine449bd832023-01-11 14:50:10 +01005879 status = psa_aead_decrypt_setup(&operation, key, alg);
Paul Elliott9961a662021-09-17 19:19:02 +01005880
5881 /* If the operation is not supported, just skip and not fail in case the
5882 * encryption involves a common limitation of cryptography hardwares and
5883 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005884 if (status == PSA_ERROR_NOT_SUPPORTED) {
5885 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5886 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Paul Elliott9961a662021-09-17 19:19:02 +01005887 }
Gilles Peskine449bd832023-01-11 14:50:10 +01005888 TEST_EQUAL(status, expected_setup_status);
Andrzej Kurekf8816012021-12-19 17:00:12 +01005889
Gilles Peskine449bd832023-01-11 14:50:10 +01005890 if (status != PSA_SUCCESS) {
Andrzej Kurekf8816012021-12-19 17:00:12 +01005891 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01005892 }
Paul Elliott9961a662021-09-17 19:19:02 +01005893
Gilles Peskine449bd832023-01-11 14:50:10 +01005894 PSA_ASSERT(status);
Paul Elliott9961a662021-09-17 19:19:02 +01005895
Gilles Peskine449bd832023-01-11 14:50:10 +01005896 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott9961a662021-09-17 19:19:02 +01005897
Gilles Peskine449bd832023-01-11 14:50:10 +01005898 status = psa_aead_set_lengths(&operation, additional_data->len,
5899 input_data->len);
5900 PSA_ASSERT(status);
Paul Elliottfec6f372021-10-06 17:15:02 +01005901
Gilles Peskine449bd832023-01-11 14:50:10 +01005902 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
5903 additional_data->len));
Paul Elliott9961a662021-09-17 19:19:02 +01005904
Gilles Peskine449bd832023-01-11 14:50:10 +01005905 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
5906 input_data->len,
5907 plaintext, plaintext_size,
5908 &plaintext_length));
Paul Elliott9961a662021-09-17 19:19:02 +01005909
Gilles Peskine449bd832023-01-11 14:50:10 +01005910 if (tag_usage == USE_GIVEN_TAG) {
Paul Elliott1c67e0b2021-09-19 13:11:50 +01005911 tag_buffer = tag->x;
5912 tag_size = tag->len;
5913 }
5914
Gilles Peskine449bd832023-01-11 14:50:10 +01005915 status = psa_aead_verify(&operation, finish_plaintext,
5916 verify_plaintext_size,
5917 &plaintext_length,
5918 tag_buffer, tag_size);
Paul Elliott9961a662021-09-17 19:19:02 +01005919
Gilles Peskine449bd832023-01-11 14:50:10 +01005920 TEST_EQUAL(status, expected_status);
Paul Elliott9961a662021-09-17 19:19:02 +01005921
5922exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005923 psa_destroy_key(key);
5924 mbedtls_free(plaintext);
5925 mbedtls_free(finish_plaintext);
5926 psa_aead_abort(&operation);
5927 PSA_DONE();
Paul Elliott9961a662021-09-17 19:19:02 +01005928}
5929/* END_CASE */
5930
Paul Elliott9961a662021-09-17 19:19:02 +01005931/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005932void aead_multipart_setup(int key_type_arg, data_t *key_data,
5933 int alg_arg, int expected_status_arg)
Paul Elliott5221ef62021-09-19 17:33:03 +01005934{
5935 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5936 psa_key_type_t key_type = key_type_arg;
5937 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005938 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott5221ef62021-09-19 17:33:03 +01005939 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5940 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
5941 psa_status_t expected_status = expected_status_arg;
5942
Gilles Peskine449bd832023-01-11 14:50:10 +01005943 PSA_ASSERT(psa_crypto_init());
Paul Elliott5221ef62021-09-19 17:33:03 +01005944
Gilles Peskine449bd832023-01-11 14:50:10 +01005945 psa_set_key_usage_flags(&attributes,
5946 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
5947 psa_set_key_algorithm(&attributes, alg);
5948 psa_set_key_type(&attributes, key_type);
Paul Elliott5221ef62021-09-19 17:33:03 +01005949
Gilles Peskine449bd832023-01-11 14:50:10 +01005950 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5951 &key));
Paul Elliott5221ef62021-09-19 17:33:03 +01005952
Gilles Peskine449bd832023-01-11 14:50:10 +01005953 status = psa_aead_encrypt_setup(&operation, key, alg);
Paul Elliott5221ef62021-09-19 17:33:03 +01005954
Gilles Peskine449bd832023-01-11 14:50:10 +01005955 TEST_EQUAL(status, expected_status);
Paul Elliott5221ef62021-09-19 17:33:03 +01005956
Gilles Peskine449bd832023-01-11 14:50:10 +01005957 psa_aead_abort(&operation);
Paul Elliott5221ef62021-09-19 17:33:03 +01005958
Gilles Peskine449bd832023-01-11 14:50:10 +01005959 status = psa_aead_decrypt_setup(&operation, key, alg);
Paul Elliott5221ef62021-09-19 17:33:03 +01005960
Gilles Peskine449bd832023-01-11 14:50:10 +01005961 TEST_EQUAL(status, expected_status);
Paul Elliott5221ef62021-09-19 17:33:03 +01005962
5963exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005964 psa_destroy_key(key);
5965 psa_aead_abort(&operation);
5966 PSA_DONE();
Paul Elliott5221ef62021-09-19 17:33:03 +01005967}
5968/* END_CASE */
5969
5970/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005971void aead_multipart_state_test(int key_type_arg, data_t *key_data,
5972 int alg_arg,
5973 data_t *nonce,
5974 data_t *additional_data,
5975 data_t *input_data)
Paul Elliottc23a9a02021-06-21 18:32:46 +01005976{
5977 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5978 psa_key_type_t key_type = key_type_arg;
5979 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005980 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliottc23a9a02021-06-21 18:32:46 +01005981 unsigned char *output_data = NULL;
5982 unsigned char *final_data = NULL;
5983 size_t output_size = 0;
5984 size_t finish_output_size = 0;
5985 size_t output_length = 0;
5986 size_t key_bits = 0;
5987 size_t tag_length = 0;
5988 size_t tag_size = 0;
5989 size_t nonce_length = 0;
5990 uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE];
5991 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE];
5992 size_t output_part_length = 0;
5993 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5994
Gilles Peskine449bd832023-01-11 14:50:10 +01005995 PSA_ASSERT(psa_crypto_init());
Paul Elliottc23a9a02021-06-21 18:32:46 +01005996
Gilles Peskine449bd832023-01-11 14:50:10 +01005997 psa_set_key_usage_flags(&attributes,
5998 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
5999 psa_set_key_algorithm(&attributes, alg);
6000 psa_set_key_type(&attributes, key_type);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006001
Gilles Peskine449bd832023-01-11 14:50:10 +01006002 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
6003 &key));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006004
Gilles Peskine449bd832023-01-11 14:50:10 +01006005 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
6006 key_bits = psa_get_key_bits(&attributes);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006007
Gilles Peskine449bd832023-01-11 14:50:10 +01006008 tag_length = PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006009
Gilles Peskine449bd832023-01-11 14:50:10 +01006010 TEST_LE_U(tag_length, PSA_AEAD_TAG_MAX_SIZE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006011
Gilles Peskine449bd832023-01-11 14:50:10 +01006012 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006013
Tom Cosgrove05b2a872023-07-21 11:31:13 +01006014 TEST_CALLOC(output_data, output_size);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006015
Gilles Peskine449bd832023-01-11 14:50:10 +01006016 finish_output_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006017
Gilles Peskine449bd832023-01-11 14:50:10 +01006018 TEST_LE_U(finish_output_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006019
Tom Cosgrove05b2a872023-07-21 11:31:13 +01006020 TEST_CALLOC(final_data, finish_output_size);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006021
6022 /* Test all operations error without calling setup first. */
6023
Gilles Peskine449bd832023-01-11 14:50:10 +01006024 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
6025 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006026
Gilles Peskine449bd832023-01-11 14:50:10 +01006027 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006028
Gilles Peskine449bd832023-01-11 14:50:10 +01006029 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
6030 PSA_AEAD_NONCE_MAX_SIZE,
6031 &nonce_length),
6032 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006033
Gilles Peskine449bd832023-01-11 14:50:10 +01006034 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006035
Paul Elliott481be342021-07-16 17:38:47 +01006036 /* ------------------------------------------------------- */
6037
Gilles Peskine449bd832023-01-11 14:50:10 +01006038 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6039 input_data->len),
6040 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006041
Gilles Peskine449bd832023-01-11 14:50:10 +01006042 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006043
Paul Elliott481be342021-07-16 17:38:47 +01006044 /* ------------------------------------------------------- */
6045
Gilles Peskine449bd832023-01-11 14:50:10 +01006046 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6047 additional_data->len),
6048 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006049
Gilles Peskine449bd832023-01-11 14:50:10 +01006050 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006051
Paul Elliott481be342021-07-16 17:38:47 +01006052 /* ------------------------------------------------------- */
6053
Gilles Peskine449bd832023-01-11 14:50:10 +01006054 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6055 input_data->len, output_data,
6056 output_size, &output_length),
6057 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006058
Gilles Peskine449bd832023-01-11 14:50:10 +01006059 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006060
Paul Elliott481be342021-07-16 17:38:47 +01006061 /* ------------------------------------------------------- */
6062
Gilles Peskine449bd832023-01-11 14:50:10 +01006063 TEST_EQUAL(psa_aead_finish(&operation, final_data,
6064 finish_output_size,
6065 &output_part_length,
6066 tag_buffer, tag_length,
6067 &tag_size),
6068 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006069
Gilles Peskine449bd832023-01-11 14:50:10 +01006070 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006071
Paul Elliott481be342021-07-16 17:38:47 +01006072 /* ------------------------------------------------------- */
6073
Gilles Peskine449bd832023-01-11 14:50:10 +01006074 TEST_EQUAL(psa_aead_verify(&operation, final_data,
6075 finish_output_size,
6076 &output_part_length,
6077 tag_buffer,
6078 tag_length),
6079 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006080
Gilles Peskine449bd832023-01-11 14:50:10 +01006081 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006082
6083 /* Test for double setups. */
6084
Gilles Peskine449bd832023-01-11 14:50:10 +01006085 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006086
Gilles Peskine449bd832023-01-11 14:50:10 +01006087 TEST_EQUAL(psa_aead_encrypt_setup(&operation, key, alg),
6088 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006089
Gilles Peskine449bd832023-01-11 14:50:10 +01006090 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006091
Paul Elliott481be342021-07-16 17:38:47 +01006092 /* ------------------------------------------------------- */
6093
Gilles Peskine449bd832023-01-11 14:50:10 +01006094 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006095
Gilles Peskine449bd832023-01-11 14:50:10 +01006096 TEST_EQUAL(psa_aead_decrypt_setup(&operation, key, alg),
6097 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006098
Gilles Peskine449bd832023-01-11 14:50:10 +01006099 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006100
Paul Elliott374a2be2021-07-16 17:53:40 +01006101 /* ------------------------------------------------------- */
6102
Gilles Peskine449bd832023-01-11 14:50:10 +01006103 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott374a2be2021-07-16 17:53:40 +01006104
Gilles Peskine449bd832023-01-11 14:50:10 +01006105 TEST_EQUAL(psa_aead_decrypt_setup(&operation, key, alg),
6106 PSA_ERROR_BAD_STATE);
Paul Elliott374a2be2021-07-16 17:53:40 +01006107
Gilles Peskine449bd832023-01-11 14:50:10 +01006108 psa_aead_abort(&operation);
Paul Elliott374a2be2021-07-16 17:53:40 +01006109
6110 /* ------------------------------------------------------- */
6111
Gilles Peskine449bd832023-01-11 14:50:10 +01006112 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliott374a2be2021-07-16 17:53:40 +01006113
Gilles Peskine449bd832023-01-11 14:50:10 +01006114 TEST_EQUAL(psa_aead_encrypt_setup(&operation, key, alg),
6115 PSA_ERROR_BAD_STATE);
Paul Elliott374a2be2021-07-16 17:53:40 +01006116
Gilles Peskine449bd832023-01-11 14:50:10 +01006117 psa_aead_abort(&operation);
Paul Elliott374a2be2021-07-16 17:53:40 +01006118
Paul Elliottc23a9a02021-06-21 18:32:46 +01006119 /* Test for not setting a nonce. */
6120
Gilles Peskine449bd832023-01-11 14:50:10 +01006121 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006122
Gilles Peskine449bd832023-01-11 14:50:10 +01006123 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6124 additional_data->len),
6125 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006126
Gilles Peskine449bd832023-01-11 14:50:10 +01006127 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006128
Paul Elliott7f628422021-09-01 12:08:29 +01006129 /* ------------------------------------------------------- */
6130
Gilles Peskine449bd832023-01-11 14:50:10 +01006131 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott7f628422021-09-01 12:08:29 +01006132
Gilles Peskine449bd832023-01-11 14:50:10 +01006133 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6134 input_data->len, output_data,
6135 output_size, &output_length),
6136 PSA_ERROR_BAD_STATE);
Paul Elliott7f628422021-09-01 12:08:29 +01006137
Gilles Peskine449bd832023-01-11 14:50:10 +01006138 psa_aead_abort(&operation);
Paul Elliott7f628422021-09-01 12:08:29 +01006139
Paul Elliottbdc2c682021-09-21 18:37:10 +01006140 /* ------------------------------------------------------- */
6141
Gilles Peskine449bd832023-01-11 14:50:10 +01006142 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottbdc2c682021-09-21 18:37:10 +01006143
Gilles Peskine449bd832023-01-11 14:50:10 +01006144 TEST_EQUAL(psa_aead_finish(&operation, final_data,
6145 finish_output_size,
6146 &output_part_length,
6147 tag_buffer, tag_length,
6148 &tag_size),
6149 PSA_ERROR_BAD_STATE);
Paul Elliottbdc2c682021-09-21 18:37:10 +01006150
Gilles Peskine449bd832023-01-11 14:50:10 +01006151 psa_aead_abort(&operation);
Paul Elliottbdc2c682021-09-21 18:37:10 +01006152
6153 /* ------------------------------------------------------- */
6154
Gilles Peskine449bd832023-01-11 14:50:10 +01006155 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliottbdc2c682021-09-21 18:37:10 +01006156
Gilles Peskine449bd832023-01-11 14:50:10 +01006157 TEST_EQUAL(psa_aead_verify(&operation, final_data,
6158 finish_output_size,
6159 &output_part_length,
6160 tag_buffer,
6161 tag_length),
6162 PSA_ERROR_BAD_STATE);
Paul Elliottbdc2c682021-09-21 18:37:10 +01006163
Gilles Peskine449bd832023-01-11 14:50:10 +01006164 psa_aead_abort(&operation);
Paul Elliottbdc2c682021-09-21 18:37:10 +01006165
Paul Elliottc23a9a02021-06-21 18:32:46 +01006166 /* Test for double setting nonce. */
6167
Gilles Peskine449bd832023-01-11 14:50:10 +01006168 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006169
Gilles Peskine449bd832023-01-11 14:50:10 +01006170 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006171
Gilles Peskine449bd832023-01-11 14:50:10 +01006172 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
6173 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006174
Gilles Peskine449bd832023-01-11 14:50:10 +01006175 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006176
Paul Elliott374a2be2021-07-16 17:53:40 +01006177 /* Test for double generating nonce. */
6178
Gilles Peskine449bd832023-01-11 14:50:10 +01006179 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott374a2be2021-07-16 17:53:40 +01006180
Gilles Peskine449bd832023-01-11 14:50:10 +01006181 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6182 PSA_AEAD_NONCE_MAX_SIZE,
6183 &nonce_length));
Paul Elliott374a2be2021-07-16 17:53:40 +01006184
Gilles Peskine449bd832023-01-11 14:50:10 +01006185 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
6186 PSA_AEAD_NONCE_MAX_SIZE,
6187 &nonce_length),
6188 PSA_ERROR_BAD_STATE);
Paul Elliott374a2be2021-07-16 17:53:40 +01006189
6190
Gilles Peskine449bd832023-01-11 14:50:10 +01006191 psa_aead_abort(&operation);
Paul Elliott374a2be2021-07-16 17:53:40 +01006192
6193 /* Test for generate nonce then set and vice versa */
6194
Gilles Peskine449bd832023-01-11 14:50:10 +01006195 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott374a2be2021-07-16 17:53:40 +01006196
Gilles Peskine449bd832023-01-11 14:50:10 +01006197 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6198 PSA_AEAD_NONCE_MAX_SIZE,
6199 &nonce_length));
Paul Elliott374a2be2021-07-16 17:53:40 +01006200
Gilles Peskine449bd832023-01-11 14:50:10 +01006201 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
6202 PSA_ERROR_BAD_STATE);
Paul Elliott374a2be2021-07-16 17:53:40 +01006203
Gilles Peskine449bd832023-01-11 14:50:10 +01006204 psa_aead_abort(&operation);
Paul Elliott374a2be2021-07-16 17:53:40 +01006205
Andrzej Kurekad837522021-12-15 15:28:49 +01006206 /* Test for generating nonce after calling set lengths */
6207
Gilles Peskine449bd832023-01-11 14:50:10 +01006208 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006209
Gilles Peskine449bd832023-01-11 14:50:10 +01006210 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6211 input_data->len));
Andrzej Kurekad837522021-12-15 15:28:49 +01006212
Gilles Peskine449bd832023-01-11 14:50:10 +01006213 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6214 PSA_AEAD_NONCE_MAX_SIZE,
6215 &nonce_length));
Andrzej Kurekad837522021-12-15 15:28:49 +01006216
Gilles Peskine449bd832023-01-11 14:50:10 +01006217 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006218
Andrzej Kurek031df4a2022-01-19 12:44:49 -05006219 /* Test for generating nonce after calling set lengths with UINT32_MAX ad_data length */
Andrzej Kurekad837522021-12-15 15:28:49 +01006220
Gilles Peskine449bd832023-01-11 14:50:10 +01006221 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006222
Gilles Peskine449bd832023-01-11 14:50:10 +01006223 if (operation.alg == PSA_ALG_CCM) {
6224 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX,
6225 input_data->len),
6226 PSA_ERROR_INVALID_ARGUMENT);
6227 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
6228 PSA_AEAD_NONCE_MAX_SIZE,
6229 &nonce_length),
6230 PSA_ERROR_BAD_STATE);
6231 } else {
6232 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX,
6233 input_data->len));
6234 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6235 PSA_AEAD_NONCE_MAX_SIZE,
6236 &nonce_length));
Andrzej Kurekad837522021-12-15 15:28:49 +01006237 }
6238
Gilles Peskine449bd832023-01-11 14:50:10 +01006239 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006240
Andrzej Kurek031df4a2022-01-19 12:44:49 -05006241 /* Test for generating nonce after calling set lengths with SIZE_MAX ad_data length */
Dave Rodgmand26d7442023-02-11 17:14:54 +00006242#if SIZE_MAX > UINT32_MAX
Gilles Peskine449bd832023-01-11 14:50:10 +01006243 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006244
Gilles Peskine449bd832023-01-11 14:50:10 +01006245 if (operation.alg == PSA_ALG_CCM || operation.alg == PSA_ALG_GCM) {
6246 TEST_EQUAL(psa_aead_set_lengths(&operation, SIZE_MAX,
6247 input_data->len),
6248 PSA_ERROR_INVALID_ARGUMENT);
6249 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
6250 PSA_AEAD_NONCE_MAX_SIZE,
6251 &nonce_length),
6252 PSA_ERROR_BAD_STATE);
6253 } else {
6254 PSA_ASSERT(psa_aead_set_lengths(&operation, SIZE_MAX,
6255 input_data->len));
6256 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6257 PSA_AEAD_NONCE_MAX_SIZE,
6258 &nonce_length));
Andrzej Kurekad837522021-12-15 15:28:49 +01006259 }
6260
Gilles Peskine449bd832023-01-11 14:50:10 +01006261 psa_aead_abort(&operation);
Dave Rodgmand26d7442023-02-11 17:14:54 +00006262#endif
Andrzej Kurekad837522021-12-15 15:28:49 +01006263
Andrzej Kurek031df4a2022-01-19 12:44:49 -05006264 /* Test for calling set lengths with a UINT32_MAX ad_data length, after generating nonce */
Andrzej Kurekad837522021-12-15 15:28:49 +01006265
Gilles Peskine449bd832023-01-11 14:50:10 +01006266 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006267
Gilles Peskine449bd832023-01-11 14:50:10 +01006268 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6269 PSA_AEAD_NONCE_MAX_SIZE,
6270 &nonce_length));
Andrzej Kurekad837522021-12-15 15:28:49 +01006271
Gilles Peskine449bd832023-01-11 14:50:10 +01006272 if (operation.alg == PSA_ALG_CCM) {
6273 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX,
6274 input_data->len),
6275 PSA_ERROR_INVALID_ARGUMENT);
6276 } else {
6277 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX,
6278 input_data->len));
Andrzej Kurekad837522021-12-15 15:28:49 +01006279 }
6280
Gilles Peskine449bd832023-01-11 14:50:10 +01006281 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006282
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006283 /* ------------------------------------------------------- */
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006284 /* Test for setting nonce after calling set lengths */
6285
Gilles Peskine449bd832023-01-11 14:50:10 +01006286 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006287
Gilles Peskine449bd832023-01-11 14:50:10 +01006288 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6289 input_data->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006290
Gilles Peskine449bd832023-01-11 14:50:10 +01006291 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006292
Gilles Peskine449bd832023-01-11 14:50:10 +01006293 psa_aead_abort(&operation);
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006294
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006295 /* Test for setting nonce after calling set lengths with UINT32_MAX ad_data length */
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006296
Gilles Peskine449bd832023-01-11 14:50:10 +01006297 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006298
Gilles Peskine449bd832023-01-11 14:50:10 +01006299 if (operation.alg == PSA_ALG_CCM) {
6300 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX,
6301 input_data->len),
6302 PSA_ERROR_INVALID_ARGUMENT);
6303 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
6304 PSA_ERROR_BAD_STATE);
6305 } else {
6306 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX,
6307 input_data->len));
6308 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006309 }
6310
Gilles Peskine449bd832023-01-11 14:50:10 +01006311 psa_aead_abort(&operation);
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006312
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006313 /* Test for setting nonce after calling set lengths with SIZE_MAX ad_data length */
Dave Rodgmana4763632023-02-11 18:36:23 +00006314#if SIZE_MAX > UINT32_MAX
Gilles Peskine449bd832023-01-11 14:50:10 +01006315 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006316
Gilles Peskine449bd832023-01-11 14:50:10 +01006317 if (operation.alg == PSA_ALG_CCM || operation.alg == PSA_ALG_GCM) {
6318 TEST_EQUAL(psa_aead_set_lengths(&operation, SIZE_MAX,
6319 input_data->len),
6320 PSA_ERROR_INVALID_ARGUMENT);
6321 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
6322 PSA_ERROR_BAD_STATE);
6323 } else {
6324 PSA_ASSERT(psa_aead_set_lengths(&operation, SIZE_MAX,
6325 input_data->len));
6326 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006327 }
6328
Gilles Peskine449bd832023-01-11 14:50:10 +01006329 psa_aead_abort(&operation);
Dave Rodgmana4763632023-02-11 18:36:23 +00006330#endif
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006331
Andrzej Kurek031df4a2022-01-19 12:44:49 -05006332 /* Test for calling set lengths with an ad_data length of UINT32_MAX, after setting nonce */
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006333
Gilles Peskine449bd832023-01-11 14:50:10 +01006334 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006335
Gilles Peskine449bd832023-01-11 14:50:10 +01006336 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006337
Gilles Peskine449bd832023-01-11 14:50:10 +01006338 if (operation.alg == PSA_ALG_CCM) {
6339 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX,
6340 input_data->len),
6341 PSA_ERROR_INVALID_ARGUMENT);
6342 } else {
6343 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX,
6344 input_data->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006345 }
6346
Gilles Peskine449bd832023-01-11 14:50:10 +01006347 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006348
Andrzej Kurek031df4a2022-01-19 12:44:49 -05006349 /* Test for setting nonce after calling set lengths with plaintext length of SIZE_MAX */
Dave Rodgman91e83212023-02-11 20:07:43 +00006350#if SIZE_MAX > UINT32_MAX
Gilles Peskine449bd832023-01-11 14:50:10 +01006351 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006352
Gilles Peskine449bd832023-01-11 14:50:10 +01006353 if (operation.alg == PSA_ALG_GCM) {
6354 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6355 SIZE_MAX),
6356 PSA_ERROR_INVALID_ARGUMENT);
6357 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
6358 PSA_ERROR_BAD_STATE);
6359 } else if (operation.alg != PSA_ALG_CCM) {
6360 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6361 SIZE_MAX));
6362 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006363 }
6364
Gilles Peskine449bd832023-01-11 14:50:10 +01006365 psa_aead_abort(&operation);
Dave Rodgman91e83212023-02-11 20:07:43 +00006366#endif
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006367
Tom Cosgrove1797b052022-12-04 17:19:59 +00006368 /* Test for calling set lengths with a plaintext length of SIZE_MAX, after setting nonce */
Dave Rodgman641288b2023-02-11 22:02:04 +00006369#if SIZE_MAX > UINT32_MAX
Gilles Peskine449bd832023-01-11 14:50:10 +01006370 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006371
Gilles Peskine449bd832023-01-11 14:50:10 +01006372 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006373
Gilles Peskine449bd832023-01-11 14:50:10 +01006374 if (operation.alg == PSA_ALG_GCM) {
6375 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6376 SIZE_MAX),
6377 PSA_ERROR_INVALID_ARGUMENT);
6378 } else if (operation.alg != PSA_ALG_CCM) {
6379 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6380 SIZE_MAX));
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006381 }
6382
Gilles Peskine449bd832023-01-11 14:50:10 +01006383 psa_aead_abort(&operation);
Dave Rodgman641288b2023-02-11 22:02:04 +00006384#endif
Paul Elliott374a2be2021-07-16 17:53:40 +01006385
6386 /* ------------------------------------------------------- */
6387
Gilles Peskine449bd832023-01-11 14:50:10 +01006388 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott374a2be2021-07-16 17:53:40 +01006389
Gilles Peskine449bd832023-01-11 14:50:10 +01006390 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott374a2be2021-07-16 17:53:40 +01006391
Gilles Peskine449bd832023-01-11 14:50:10 +01006392 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
6393 PSA_AEAD_NONCE_MAX_SIZE,
6394 &nonce_length),
6395 PSA_ERROR_BAD_STATE);
Paul Elliott374a2be2021-07-16 17:53:40 +01006396
Gilles Peskine449bd832023-01-11 14:50:10 +01006397 psa_aead_abort(&operation);
Paul Elliott374a2be2021-07-16 17:53:40 +01006398
Paul Elliott7220cae2021-06-22 17:25:57 +01006399 /* Test for generating nonce in decrypt setup. */
6400
Gilles Peskine449bd832023-01-11 14:50:10 +01006401 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliott7220cae2021-06-22 17:25:57 +01006402
Gilles Peskine449bd832023-01-11 14:50:10 +01006403 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
6404 PSA_AEAD_NONCE_MAX_SIZE,
6405 &nonce_length),
6406 PSA_ERROR_BAD_STATE);
Paul Elliott7220cae2021-06-22 17:25:57 +01006407
Gilles Peskine449bd832023-01-11 14:50:10 +01006408 psa_aead_abort(&operation);
Paul Elliott7220cae2021-06-22 17:25:57 +01006409
Paul Elliottc23a9a02021-06-21 18:32:46 +01006410 /* Test for setting lengths twice. */
6411
Gilles Peskine449bd832023-01-11 14:50:10 +01006412 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006413
Gilles Peskine449bd832023-01-11 14:50:10 +01006414 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006415
Gilles Peskine449bd832023-01-11 14:50:10 +01006416 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6417 input_data->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006418
Gilles Peskine449bd832023-01-11 14:50:10 +01006419 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6420 input_data->len),
6421 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006422
Gilles Peskine449bd832023-01-11 14:50:10 +01006423 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006424
Andrzej Kurekad837522021-12-15 15:28:49 +01006425 /* Test for setting lengths after setting nonce + already starting data. */
Paul Elliottc23a9a02021-06-21 18:32:46 +01006426
Gilles Peskine449bd832023-01-11 14:50:10 +01006427 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006428
Gilles Peskine449bd832023-01-11 14:50:10 +01006429 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006430
Gilles Peskine449bd832023-01-11 14:50:10 +01006431 if (operation.alg == PSA_ALG_CCM) {
Paul Elliottf94bd992021-09-19 18:15:59 +01006432
Gilles Peskine449bd832023-01-11 14:50:10 +01006433 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6434 additional_data->len),
6435 PSA_ERROR_BAD_STATE);
6436 } else {
6437 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
6438 additional_data->len));
6439
6440 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6441 input_data->len),
6442 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006443 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006444 psa_aead_abort(&operation);
Paul Elliottf94bd992021-09-19 18:15:59 +01006445
6446 /* ------------------------------------------------------- */
6447
Gilles Peskine449bd832023-01-11 14:50:10 +01006448 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottf94bd992021-09-19 18:15:59 +01006449
Gilles Peskine449bd832023-01-11 14:50:10 +01006450 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottf94bd992021-09-19 18:15:59 +01006451
Gilles Peskine449bd832023-01-11 14:50:10 +01006452 if (operation.alg == PSA_ALG_CCM) {
6453 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6454 input_data->len, output_data,
6455 output_size, &output_length),
6456 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006457
Gilles Peskine449bd832023-01-11 14:50:10 +01006458 } else {
6459 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
6460 input_data->len, output_data,
6461 output_size, &output_length));
6462
6463 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6464 input_data->len),
6465 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006466 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006467 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006468
6469 /* ------------------------------------------------------- */
6470
Gilles Peskine449bd832023-01-11 14:50:10 +01006471 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006472
Gilles Peskine449bd832023-01-11 14:50:10 +01006473 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kurekad837522021-12-15 15:28:49 +01006474
Gilles Peskine449bd832023-01-11 14:50:10 +01006475 if (operation.alg == PSA_ALG_CCM) {
6476 PSA_ASSERT(psa_aead_finish(&operation, final_data,
6477 finish_output_size,
6478 &output_part_length,
6479 tag_buffer, tag_length,
6480 &tag_size));
6481 } else {
6482 PSA_ASSERT(psa_aead_finish(&operation, final_data,
6483 finish_output_size,
6484 &output_part_length,
6485 tag_buffer, tag_length,
6486 &tag_size));
6487
6488 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6489 input_data->len),
6490 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006491 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006492 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006493
6494 /* Test for setting lengths after generating nonce + already starting data. */
6495
Gilles Peskine449bd832023-01-11 14:50:10 +01006496 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006497
Gilles Peskine449bd832023-01-11 14:50:10 +01006498 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6499 PSA_AEAD_NONCE_MAX_SIZE,
6500 &nonce_length));
6501 if (operation.alg == PSA_ALG_CCM) {
Andrzej Kurekad837522021-12-15 15:28:49 +01006502
Gilles Peskine449bd832023-01-11 14:50:10 +01006503 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6504 additional_data->len),
6505 PSA_ERROR_BAD_STATE);
6506 } else {
6507 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
6508 additional_data->len));
6509
6510 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6511 input_data->len),
6512 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006513 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006514 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006515
6516 /* ------------------------------------------------------- */
6517
Gilles Peskine449bd832023-01-11 14:50:10 +01006518 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006519
Gilles Peskine449bd832023-01-11 14:50:10 +01006520 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6521 PSA_AEAD_NONCE_MAX_SIZE,
6522 &nonce_length));
6523 if (operation.alg == PSA_ALG_CCM) {
6524 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6525 input_data->len, output_data,
6526 output_size, &output_length),
6527 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006528
Gilles Peskine449bd832023-01-11 14:50:10 +01006529 } else {
6530 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
6531 input_data->len, output_data,
6532 output_size, &output_length));
6533
6534 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6535 input_data->len),
6536 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006537 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006538 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006539
6540 /* ------------------------------------------------------- */
6541
Gilles Peskine449bd832023-01-11 14:50:10 +01006542 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006543
Gilles Peskine449bd832023-01-11 14:50:10 +01006544 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6545 PSA_AEAD_NONCE_MAX_SIZE,
6546 &nonce_length));
6547 if (operation.alg == PSA_ALG_CCM) {
6548 PSA_ASSERT(psa_aead_finish(&operation, final_data,
6549 finish_output_size,
6550 &output_part_length,
6551 tag_buffer, tag_length,
6552 &tag_size));
6553 } else {
6554 PSA_ASSERT(psa_aead_finish(&operation, final_data,
6555 finish_output_size,
6556 &output_part_length,
6557 tag_buffer, tag_length,
6558 &tag_size));
Andrzej Kurekad837522021-12-15 15:28:49 +01006559
Gilles Peskine449bd832023-01-11 14:50:10 +01006560 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6561 input_data->len),
6562 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006563 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006564 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006565
Paul Elliott243080c2021-07-21 19:01:17 +01006566 /* Test for not sending any additional data or data after setting non zero
6567 * lengths for them. (encrypt) */
Paul Elliottc23a9a02021-06-21 18:32:46 +01006568
Gilles Peskine449bd832023-01-11 14:50:10 +01006569 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006570
Gilles Peskine449bd832023-01-11 14:50:10 +01006571 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006572
Gilles Peskine449bd832023-01-11 14:50:10 +01006573 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6574 input_data->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006575
Gilles Peskine449bd832023-01-11 14:50:10 +01006576 TEST_EQUAL(psa_aead_finish(&operation, final_data,
6577 finish_output_size,
6578 &output_part_length,
6579 tag_buffer, tag_length,
6580 &tag_size),
6581 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006582
Gilles Peskine449bd832023-01-11 14:50:10 +01006583 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006584
Paul Elliott243080c2021-07-21 19:01:17 +01006585 /* Test for not sending any additional data or data after setting non-zero
6586 * lengths for them. (decrypt) */
Paul Elliottc23a9a02021-06-21 18:32:46 +01006587
Gilles Peskine449bd832023-01-11 14:50:10 +01006588 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006589
Gilles Peskine449bd832023-01-11 14:50:10 +01006590 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006591
Gilles Peskine449bd832023-01-11 14:50:10 +01006592 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6593 input_data->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006594
Gilles Peskine449bd832023-01-11 14:50:10 +01006595 TEST_EQUAL(psa_aead_verify(&operation, final_data,
6596 finish_output_size,
6597 &output_part_length,
6598 tag_buffer,
6599 tag_length),
6600 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006601
Gilles Peskine449bd832023-01-11 14:50:10 +01006602 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006603
Paul Elliott243080c2021-07-21 19:01:17 +01006604 /* Test for not sending any additional data after setting a non-zero length
6605 * for it. */
Paul Elliottc23a9a02021-06-21 18:32:46 +01006606
Gilles Peskine449bd832023-01-11 14:50:10 +01006607 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006608
Gilles Peskine449bd832023-01-11 14:50:10 +01006609 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006610
Gilles Peskine449bd832023-01-11 14:50:10 +01006611 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6612 input_data->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006613
Gilles Peskine449bd832023-01-11 14:50:10 +01006614 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6615 input_data->len, output_data,
6616 output_size, &output_length),
6617 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006618
Gilles Peskine449bd832023-01-11 14:50:10 +01006619 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006620
Paul Elliottf94bd992021-09-19 18:15:59 +01006621 /* Test for not sending any data after setting a non-zero length for it.*/
6622
Gilles Peskine449bd832023-01-11 14:50:10 +01006623 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottf94bd992021-09-19 18:15:59 +01006624
Gilles Peskine449bd832023-01-11 14:50:10 +01006625 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottf94bd992021-09-19 18:15:59 +01006626
Gilles Peskine449bd832023-01-11 14:50:10 +01006627 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6628 input_data->len));
Paul Elliottf94bd992021-09-19 18:15:59 +01006629
Gilles Peskine449bd832023-01-11 14:50:10 +01006630 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
6631 additional_data->len));
Paul Elliottf94bd992021-09-19 18:15:59 +01006632
Gilles Peskine449bd832023-01-11 14:50:10 +01006633 TEST_EQUAL(psa_aead_finish(&operation, final_data,
6634 finish_output_size,
6635 &output_part_length,
6636 tag_buffer, tag_length,
6637 &tag_size),
6638 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottf94bd992021-09-19 18:15:59 +01006639
Gilles Peskine449bd832023-01-11 14:50:10 +01006640 psa_aead_abort(&operation);
Paul Elliottf94bd992021-09-19 18:15:59 +01006641
Paul Elliottb0450fe2021-09-01 15:06:26 +01006642 /* Test for sending too much additional data after setting lengths. */
6643
Gilles Peskine449bd832023-01-11 14:50:10 +01006644 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006645
Gilles Peskine449bd832023-01-11 14:50:10 +01006646 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006647
Gilles Peskine449bd832023-01-11 14:50:10 +01006648 PSA_ASSERT(psa_aead_set_lengths(&operation, 0, 0));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006649
6650
Gilles Peskine449bd832023-01-11 14:50:10 +01006651 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6652 additional_data->len),
6653 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottb0450fe2021-09-01 15:06:26 +01006654
Gilles Peskine449bd832023-01-11 14:50:10 +01006655 psa_aead_abort(&operation);
Paul Elliottb0450fe2021-09-01 15:06:26 +01006656
Paul Elliotta2a09b02021-09-22 14:56:40 +01006657 /* ------------------------------------------------------- */
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006658
Gilles Peskine449bd832023-01-11 14:50:10 +01006659 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006660
Gilles Peskine449bd832023-01-11 14:50:10 +01006661 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006662
Gilles Peskine449bd832023-01-11 14:50:10 +01006663 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6664 input_data->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006665
Gilles Peskine449bd832023-01-11 14:50:10 +01006666 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
6667 additional_data->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006668
Gilles Peskine449bd832023-01-11 14:50:10 +01006669 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6670 1),
6671 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006672
Gilles Peskine449bd832023-01-11 14:50:10 +01006673 psa_aead_abort(&operation);
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006674
Paul Elliottb0450fe2021-09-01 15:06:26 +01006675 /* Test for sending too much data after setting lengths. */
6676
Gilles Peskine449bd832023-01-11 14:50:10 +01006677 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006678
Gilles Peskine449bd832023-01-11 14:50:10 +01006679 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006680
Gilles Peskine449bd832023-01-11 14:50:10 +01006681 PSA_ASSERT(psa_aead_set_lengths(&operation, 0, 0));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006682
Gilles Peskine449bd832023-01-11 14:50:10 +01006683 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6684 input_data->len, output_data,
6685 output_size, &output_length),
6686 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottb0450fe2021-09-01 15:06:26 +01006687
Gilles Peskine449bd832023-01-11 14:50:10 +01006688 psa_aead_abort(&operation);
Paul Elliottb0450fe2021-09-01 15:06:26 +01006689
Paul Elliotta2a09b02021-09-22 14:56:40 +01006690 /* ------------------------------------------------------- */
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006691
Gilles Peskine449bd832023-01-11 14:50:10 +01006692 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006693
Gilles Peskine449bd832023-01-11 14:50:10 +01006694 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006695
Gilles Peskine449bd832023-01-11 14:50:10 +01006696 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6697 input_data->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006698
Gilles Peskine449bd832023-01-11 14:50:10 +01006699 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
6700 additional_data->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006701
Gilles Peskine449bd832023-01-11 14:50:10 +01006702 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
6703 input_data->len, output_data,
6704 output_size, &output_length));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006705
Gilles Peskine449bd832023-01-11 14:50:10 +01006706 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6707 1, output_data,
6708 output_size, &output_length),
6709 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006710
Gilles Peskine449bd832023-01-11 14:50:10 +01006711 psa_aead_abort(&operation);
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006712
Paul Elliottc23a9a02021-06-21 18:32:46 +01006713 /* Test sending additional data after data. */
6714
Gilles Peskine449bd832023-01-11 14:50:10 +01006715 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006716
Gilles Peskine449bd832023-01-11 14:50:10 +01006717 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006718
Gilles Peskine449bd832023-01-11 14:50:10 +01006719 if (operation.alg != PSA_ALG_CCM) {
6720 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
6721 input_data->len, output_data,
6722 output_size, &output_length));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006723
Gilles Peskine449bd832023-01-11 14:50:10 +01006724 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6725 additional_data->len),
6726 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006727 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006728 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006729
Paul Elliott534d0b42021-06-22 19:15:20 +01006730 /* Test calling finish on decryption. */
6731
Gilles Peskine449bd832023-01-11 14:50:10 +01006732 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliott534d0b42021-06-22 19:15:20 +01006733
Gilles Peskine449bd832023-01-11 14:50:10 +01006734 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott534d0b42021-06-22 19:15:20 +01006735
Gilles Peskine449bd832023-01-11 14:50:10 +01006736 TEST_EQUAL(psa_aead_finish(&operation, final_data,
6737 finish_output_size,
6738 &output_part_length,
6739 tag_buffer, tag_length,
6740 &tag_size),
6741 PSA_ERROR_BAD_STATE);
Paul Elliott534d0b42021-06-22 19:15:20 +01006742
Gilles Peskine449bd832023-01-11 14:50:10 +01006743 psa_aead_abort(&operation);
Paul Elliott534d0b42021-06-22 19:15:20 +01006744
6745 /* Test calling verify on encryption. */
6746
Gilles Peskine449bd832023-01-11 14:50:10 +01006747 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott534d0b42021-06-22 19:15:20 +01006748
Gilles Peskine449bd832023-01-11 14:50:10 +01006749 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott534d0b42021-06-22 19:15:20 +01006750
Gilles Peskine449bd832023-01-11 14:50:10 +01006751 TEST_EQUAL(psa_aead_verify(&operation, final_data,
6752 finish_output_size,
6753 &output_part_length,
6754 tag_buffer,
6755 tag_length),
6756 PSA_ERROR_BAD_STATE);
Paul Elliott534d0b42021-06-22 19:15:20 +01006757
Gilles Peskine449bd832023-01-11 14:50:10 +01006758 psa_aead_abort(&operation);
Paul Elliott534d0b42021-06-22 19:15:20 +01006759
6760
Paul Elliottc23a9a02021-06-21 18:32:46 +01006761exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01006762 psa_destroy_key(key);
6763 psa_aead_abort(&operation);
6764 mbedtls_free(output_data);
6765 mbedtls_free(final_data);
6766 PSA_DONE();
Paul Elliottc23a9a02021-06-21 18:32:46 +01006767}
6768/* END_CASE */
6769
6770/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01006771void signature_size(int type_arg,
6772 int bits,
6773 int alg_arg,
6774 int expected_size_arg)
Gilles Peskinee59236f2018-01-27 23:32:46 +01006775{
6776 psa_key_type_t type = type_arg;
6777 psa_algorithm_t alg = alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01006778 size_t actual_size = PSA_SIGN_OUTPUT_SIZE(type, bits, alg);
Gilles Peskine841b14b2019-11-26 17:37:37 +01006779
Gilles Peskine449bd832023-01-11 14:50:10 +01006780 TEST_EQUAL(actual_size, (size_t) expected_size_arg);
Gilles Peskine841b14b2019-11-26 17:37:37 +01006781
Gilles Peskinee59236f2018-01-27 23:32:46 +01006782exit:
6783 ;
6784}
6785/* END_CASE */
6786
6787/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01006788void sign_hash_deterministic(int key_type_arg, data_t *key_data,
6789 int alg_arg, data_t *input_data,
6790 data_t *output_data)
Gilles Peskinee59236f2018-01-27 23:32:46 +01006791{
Ronald Cron5425a212020-08-04 14:58:35 +02006792 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinee59236f2018-01-27 23:32:46 +01006793 psa_key_type_t key_type = key_type_arg;
6794 psa_algorithm_t alg = alg_arg;
Gilles Peskine20035e32018-02-03 22:44:14 +01006795 size_t key_bits;
Gilles Peskine20035e32018-02-03 22:44:14 +01006796 unsigned char *signature = NULL;
6797 size_t signature_size;
6798 size_t signature_length = 0xdeadbeef;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02006799 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine20035e32018-02-03 22:44:14 +01006800
Gilles Peskine449bd832023-01-11 14:50:10 +01006801 PSA_ASSERT(psa_crypto_init());
Gilles Peskine20035e32018-02-03 22:44:14 +01006802
Gilles Peskine449bd832023-01-11 14:50:10 +01006803 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
6804 psa_set_key_algorithm(&attributes, alg);
6805 psa_set_key_type(&attributes, key_type);
mohammad1603a97cb8c2018-03-28 03:46:26 -07006806
Gilles Peskine449bd832023-01-11 14:50:10 +01006807 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
6808 &key));
6809 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
6810 key_bits = psa_get_key_bits(&attributes);
Gilles Peskine20035e32018-02-03 22:44:14 +01006811
Shaun Case8b0ecbc2021-12-20 21:14:10 -08006812 /* Allocate a buffer which has the size advertised by the
Gilles Peskine860ce9d2018-06-28 12:23:00 +02006813 * library. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006814 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
6815 key_bits, alg);
6816 TEST_ASSERT(signature_size != 0);
6817 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01006818 TEST_CALLOC(signature, signature_size);
Gilles Peskine20035e32018-02-03 22:44:14 +01006819
Gilles Peskine860ce9d2018-06-28 12:23:00 +02006820 /* Perform the signature. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006821 PSA_ASSERT(psa_sign_hash(key, alg,
6822 input_data->x, input_data->len,
6823 signature, signature_size,
6824 &signature_length));
Gilles Peskine9911b022018-06-29 17:30:48 +02006825 /* Verify that the signature is what is expected. */
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01006826 TEST_MEMORY_COMPARE(output_data->x, output_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01006827 signature, signature_length);
Gilles Peskine20035e32018-02-03 22:44:14 +01006828
6829exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01006830 /*
6831 * Key attributes may have been returned by psa_get_key_attributes()
6832 * thus reset them as required.
6833 */
Gilles Peskine449bd832023-01-11 14:50:10 +01006834 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01006835
Gilles Peskine449bd832023-01-11 14:50:10 +01006836 psa_destroy_key(key);
6837 mbedtls_free(signature);
6838 PSA_DONE();
Gilles Peskine20035e32018-02-03 22:44:14 +01006839}
6840/* END_CASE */
6841
Paul Elliott712d5122022-12-07 14:03:10 +00006842/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00006843/**
6844 * sign_hash_interruptible() test intentions:
6845 *
6846 * Note: This test can currently only handle ECDSA.
6847 *
6848 * 1. Test interruptible sign hash with known outcomes (deterministic ECDSA
Paul Elliott8c092052023-03-06 17:49:14 +00006849 * and private keys / keypairs only).
Paul Elliottc7f68822023-02-24 17:37:04 +00006850 *
6851 * 2. Test the number of calls to psa_sign_hash_complete() required are as
6852 * expected for different max_ops values.
6853 *
6854 * 3. Test that the number of ops done prior to start and after abort is zero
6855 * and that each successful stage completes some ops (this is not mandated by
6856 * the PSA specification, but is currently the case).
6857 *
6858 * 4. Test that calling psa_sign_hash_get_num_ops() multiple times between
6859 * complete() calls does not alter the number of ops returned.
6860 */
Paul Elliott712d5122022-12-07 14:03:10 +00006861void sign_hash_interruptible(int key_type_arg, data_t *key_data,
6862 int alg_arg, data_t *input_data,
Paul Elliottab7c5c82023-02-03 15:49:42 +00006863 data_t *output_data, int max_ops_arg)
Paul Elliott712d5122022-12-07 14:03:10 +00006864{
6865 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
6866 psa_key_type_t key_type = key_type_arg;
6867 psa_algorithm_t alg = alg_arg;
6868 size_t key_bits;
6869 unsigned char *signature = NULL;
6870 size_t signature_size;
6871 size_t signature_length = 0xdeadbeef;
6872 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
6873 psa_status_t status = PSA_OPERATION_INCOMPLETE;
Paul Elliottab7c5c82023-02-03 15:49:42 +00006874 uint32_t num_ops = 0;
6875 uint32_t max_ops = max_ops_arg;
Paul Elliott712d5122022-12-07 14:03:10 +00006876 size_t num_ops_prior = 0;
Paul Elliott0c683352022-12-16 19:16:56 +00006877 size_t num_completes = 0;
Paul Elliott97ac7d92023-01-23 18:09:06 +00006878 size_t min_completes = 0;
6879 size_t max_completes = 0;
Paul Elliottab7c5c82023-02-03 15:49:42 +00006880
Paul Elliott712d5122022-12-07 14:03:10 +00006881 psa_sign_hash_interruptible_operation_t operation =
6882 psa_sign_hash_interruptible_operation_init();
6883
6884 PSA_ASSERT(psa_crypto_init());
6885
6886 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
6887 psa_set_key_algorithm(&attributes, alg);
6888 psa_set_key_type(&attributes, key_type);
6889
6890 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
6891 &key));
6892 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
6893 key_bits = psa_get_key_bits(&attributes);
6894
6895 /* Allocate a buffer which has the size advertised by the
6896 * library. */
6897 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
6898 key_bits, alg);
6899 TEST_ASSERT(signature_size != 0);
6900 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01006901 TEST_CALLOC(signature, signature_size);
Paul Elliott712d5122022-12-07 14:03:10 +00006902
Paul Elliott0c683352022-12-16 19:16:56 +00006903 psa_interruptible_set_max_ops(max_ops);
6904
Paul Elliott6f600372023-02-06 18:41:05 +00006905 interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
6906 &min_completes, &max_completes);
Paul Elliott97ac7d92023-01-23 18:09:06 +00006907
Paul Elliott712d5122022-12-07 14:03:10 +00006908 num_ops_prior = psa_sign_hash_get_num_ops(&operation);
6909 TEST_ASSERT(num_ops_prior == 0);
6910
6911 /* Start performing the signature. */
6912 PSA_ASSERT(psa_sign_hash_start(&operation, key, alg,
6913 input_data->x, input_data->len));
6914
6915 num_ops_prior = psa_sign_hash_get_num_ops(&operation);
6916 TEST_ASSERT(num_ops_prior == 0);
6917
6918 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00006919 do {
Paul Elliott712d5122022-12-07 14:03:10 +00006920 status = psa_sign_hash_complete(&operation, signature, signature_size,
6921 &signature_length);
6922
Paul Elliott0c683352022-12-16 19:16:56 +00006923 num_completes++;
6924
Paul Elliott712d5122022-12-07 14:03:10 +00006925 if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
6926 num_ops = psa_sign_hash_get_num_ops(&operation);
Paul Elliott96b89b22023-02-15 23:10:37 +00006927 /* We are asserting here that every complete makes progress
6928 * (completes some ops), which is true of the internal
6929 * implementation and probably any implementation, however this is
6930 * not mandated by the PSA specification. */
Paul Elliott712d5122022-12-07 14:03:10 +00006931 TEST_ASSERT(num_ops > num_ops_prior);
Paul Elliott0c683352022-12-16 19:16:56 +00006932
Paul Elliott712d5122022-12-07 14:03:10 +00006933 num_ops_prior = num_ops;
Paul Elliottf8e5b562023-02-19 18:43:45 +00006934
6935 /* Ensure calling get_num_ops() twice still returns the same
6936 * number of ops as previously reported. */
6937 num_ops = psa_sign_hash_get_num_ops(&operation);
6938
6939 TEST_EQUAL(num_ops, num_ops_prior);
Paul Elliott712d5122022-12-07 14:03:10 +00006940 }
Paul Elliottedfc8832023-01-20 17:13:10 +00006941 } while (status == PSA_OPERATION_INCOMPLETE);
Paul Elliott712d5122022-12-07 14:03:10 +00006942
6943 TEST_ASSERT(status == PSA_SUCCESS);
6944
Paul Elliott0c683352022-12-16 19:16:56 +00006945 TEST_LE_U(min_completes, num_completes);
6946 TEST_LE_U(num_completes, max_completes);
6947
Paul Elliott712d5122022-12-07 14:03:10 +00006948 /* Verify that the signature is what is expected. */
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01006949 TEST_MEMORY_COMPARE(output_data->x, output_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01006950 signature, signature_length);
Paul Elliott712d5122022-12-07 14:03:10 +00006951
6952 PSA_ASSERT(psa_sign_hash_abort(&operation));
6953
Paul Elliott59ad9452022-12-18 15:09:02 +00006954 num_ops = psa_sign_hash_get_num_ops(&operation);
6955 TEST_ASSERT(num_ops == 0);
6956
Paul Elliott712d5122022-12-07 14:03:10 +00006957exit:
6958
6959 /*
6960 * Key attributes may have been returned by psa_get_key_attributes()
6961 * thus reset them as required.
6962 */
6963 psa_reset_key_attributes(&attributes);
6964
6965 psa_destroy_key(key);
6966 mbedtls_free(signature);
6967 PSA_DONE();
6968}
6969/* END_CASE */
6970
Gilles Peskine20035e32018-02-03 22:44:14 +01006971/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01006972void sign_hash_fail(int key_type_arg, data_t *key_data,
6973 int alg_arg, data_t *input_data,
6974 int signature_size_arg, int expected_status_arg)
Gilles Peskine20035e32018-02-03 22:44:14 +01006975{
Ronald Cron5425a212020-08-04 14:58:35 +02006976 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine20035e32018-02-03 22:44:14 +01006977 psa_key_type_t key_type = key_type_arg;
6978 psa_algorithm_t alg = alg_arg;
Gilles Peskine860ce9d2018-06-28 12:23:00 +02006979 size_t signature_size = signature_size_arg;
Gilles Peskine20035e32018-02-03 22:44:14 +01006980 psa_status_t actual_status;
6981 psa_status_t expected_status = expected_status_arg;
Gilles Peskine40f68b92018-03-07 16:43:36 +01006982 unsigned char *signature = NULL;
Gilles Peskine93aa0332018-02-03 23:58:03 +01006983 size_t signature_length = 0xdeadbeef;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02006984 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine20035e32018-02-03 22:44:14 +01006985
Tom Cosgrove05b2a872023-07-21 11:31:13 +01006986 TEST_CALLOC(signature, signature_size);
Gilles Peskine20035e32018-02-03 22:44:14 +01006987
Gilles Peskine449bd832023-01-11 14:50:10 +01006988 PSA_ASSERT(psa_crypto_init());
Gilles Peskine20035e32018-02-03 22:44:14 +01006989
Gilles Peskine449bd832023-01-11 14:50:10 +01006990 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
6991 psa_set_key_algorithm(&attributes, alg);
6992 psa_set_key_type(&attributes, key_type);
mohammad1603a97cb8c2018-03-28 03:46:26 -07006993
Gilles Peskine449bd832023-01-11 14:50:10 +01006994 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
6995 &key));
Gilles Peskine20035e32018-02-03 22:44:14 +01006996
Gilles Peskine449bd832023-01-11 14:50:10 +01006997 actual_status = psa_sign_hash(key, alg,
6998 input_data->x, input_data->len,
6999 signature, signature_size,
7000 &signature_length);
7001 TEST_EQUAL(actual_status, expected_status);
Gilles Peskine860ce9d2018-06-28 12:23:00 +02007002 /* The value of *signature_length is unspecified on error, but
7003 * whatever it is, it should be less than signature_size, so that
7004 * if the caller tries to read *signature_length bytes without
7005 * checking the error code then they don't overflow a buffer. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007006 TEST_LE_U(signature_length, signature_size);
Gilles Peskine20035e32018-02-03 22:44:14 +01007007
7008exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01007009 psa_reset_key_attributes(&attributes);
7010 psa_destroy_key(key);
7011 mbedtls_free(signature);
7012 PSA_DONE();
Gilles Peskine20035e32018-02-03 22:44:14 +01007013}
7014/* END_CASE */
mohammad16038cc1cee2018-03-28 01:21:33 +03007015
Paul Elliott91007972022-12-16 12:21:24 +00007016/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007017/**
7018 * sign_hash_fail_interruptible() test intentions:
7019 *
7020 * Note: This test can currently only handle ECDSA.
7021 *
7022 * 1. Test that various failure cases for interruptible sign hash fail with the
7023 * correct error codes, and at the correct point (at start or during
7024 * complete).
7025 *
7026 * 2. Test the number of calls to psa_sign_hash_complete() required are as
7027 * expected for different max_ops values.
7028 *
7029 * 3. Test that the number of ops done prior to start and after abort is zero
7030 * and that each successful stage completes some ops (this is not mandated by
7031 * the PSA specification, but is currently the case).
Paul Elliott587e7802023-02-27 09:53:08 +00007032 *
7033 * 4. Check that calling complete() when start() fails and complete()
7034 * after completion results in a BAD_STATE error.
7035 *
7036 * 5. Check that calling start() again after start fails results in a BAD_STATE
7037 * error.
Paul Elliottc7f68822023-02-24 17:37:04 +00007038 */
Paul Elliott91007972022-12-16 12:21:24 +00007039void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
7040 int alg_arg, data_t *input_data,
7041 int signature_size_arg,
7042 int expected_start_status_arg,
Paul Elliott0c683352022-12-16 19:16:56 +00007043 int expected_complete_status_arg,
Paul Elliottab7c5c82023-02-03 15:49:42 +00007044 int max_ops_arg)
Paul Elliott91007972022-12-16 12:21:24 +00007045{
7046 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7047 psa_key_type_t key_type = key_type_arg;
7048 psa_algorithm_t alg = alg_arg;
7049 size_t signature_size = signature_size_arg;
7050 psa_status_t actual_status;
7051 psa_status_t expected_start_status = expected_start_status_arg;
7052 psa_status_t expected_complete_status = expected_complete_status_arg;
7053 unsigned char *signature = NULL;
7054 size_t signature_length = 0xdeadbeef;
Paul Elliottab7c5c82023-02-03 15:49:42 +00007055 uint32_t num_ops = 0;
7056 uint32_t max_ops = max_ops_arg;
Paul Elliott91007972022-12-16 12:21:24 +00007057 size_t num_ops_prior = 0;
Paul Elliott0c683352022-12-16 19:16:56 +00007058 size_t num_completes = 0;
Paul Elliott97ac7d92023-01-23 18:09:06 +00007059 size_t min_completes = 0;
7060 size_t max_completes = 0;
7061
Paul Elliott91007972022-12-16 12:21:24 +00007062 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7063 psa_sign_hash_interruptible_operation_t operation =
7064 psa_sign_hash_interruptible_operation_init();
7065
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007066 TEST_CALLOC(signature, signature_size);
Paul Elliott91007972022-12-16 12:21:24 +00007067
7068 PSA_ASSERT(psa_crypto_init());
7069
7070 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
7071 psa_set_key_algorithm(&attributes, alg);
7072 psa_set_key_type(&attributes, key_type);
7073
7074 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7075 &key));
7076
Paul Elliott0c683352022-12-16 19:16:56 +00007077 psa_interruptible_set_max_ops(max_ops);
7078
Paul Elliott6f600372023-02-06 18:41:05 +00007079 interruptible_signverify_get_minmax_completes(max_ops,
7080 expected_complete_status,
7081 &min_completes,
7082 &max_completes);
Paul Elliott97ac7d92023-01-23 18:09:06 +00007083
Paul Elliott91007972022-12-16 12:21:24 +00007084 num_ops_prior = psa_sign_hash_get_num_ops(&operation);
7085 TEST_ASSERT(num_ops_prior == 0);
7086
7087 /* Start performing the signature. */
7088 actual_status = psa_sign_hash_start(&operation, key, alg,
7089 input_data->x, input_data->len);
7090
7091 TEST_EQUAL(actual_status, expected_start_status);
7092
Paul Elliottc9774412023-02-06 15:14:07 +00007093 if (expected_start_status != PSA_SUCCESS) {
Paul Elliottde7c31e2023-03-01 14:37:48 +00007094 /* Emulate poor application code, and call complete anyway, even though
Paul Elliott587e7802023-02-27 09:53:08 +00007095 * start failed. */
7096 actual_status = psa_sign_hash_complete(&operation, signature,
7097 signature_size,
7098 &signature_length);
7099
7100 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
7101
7102 /* Test that calling start again after failure also causes BAD_STATE. */
Paul Elliottc9774412023-02-06 15:14:07 +00007103 actual_status = psa_sign_hash_start(&operation, key, alg,
7104 input_data->x, input_data->len);
7105
7106 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
7107 }
7108
Paul Elliott91007972022-12-16 12:21:24 +00007109 num_ops_prior = psa_sign_hash_get_num_ops(&operation);
7110 TEST_ASSERT(num_ops_prior == 0);
7111
Paul Elliott91007972022-12-16 12:21:24 +00007112 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007113 do {
Paul Elliott91007972022-12-16 12:21:24 +00007114 actual_status = psa_sign_hash_complete(&operation, signature,
7115 signature_size,
7116 &signature_length);
7117
Paul Elliott0c683352022-12-16 19:16:56 +00007118 num_completes++;
7119
Paul Elliott334d7262023-01-20 17:29:41 +00007120 if (actual_status == PSA_SUCCESS ||
7121 actual_status == PSA_OPERATION_INCOMPLETE) {
Paul Elliott91007972022-12-16 12:21:24 +00007122 num_ops = psa_sign_hash_get_num_ops(&operation);
Paul Elliott96b89b22023-02-15 23:10:37 +00007123 /* We are asserting here that every complete makes progress
7124 * (completes some ops), which is true of the internal
7125 * implementation and probably any implementation, however this is
7126 * not mandated by the PSA specification. */
Paul Elliott91007972022-12-16 12:21:24 +00007127 TEST_ASSERT(num_ops > num_ops_prior);
Paul Elliott0c683352022-12-16 19:16:56 +00007128
Paul Elliott91007972022-12-16 12:21:24 +00007129 num_ops_prior = num_ops;
7130 }
Paul Elliottedfc8832023-01-20 17:13:10 +00007131 } while (actual_status == PSA_OPERATION_INCOMPLETE);
Paul Elliott91007972022-12-16 12:21:24 +00007132
Paul Elliottc9774412023-02-06 15:14:07 +00007133 TEST_EQUAL(actual_status, expected_complete_status);
7134
Paul Elliottefebad02023-02-15 16:56:45 +00007135 /* Check that another complete returns BAD_STATE. */
7136 actual_status = psa_sign_hash_complete(&operation, signature,
7137 signature_size,
7138 &signature_length);
Paul Elliottc9774412023-02-06 15:14:07 +00007139
Paul Elliottefebad02023-02-15 16:56:45 +00007140 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
Paul Elliott334d7262023-01-20 17:29:41 +00007141
Paul Elliott91007972022-12-16 12:21:24 +00007142 PSA_ASSERT(psa_sign_hash_abort(&operation));
7143
Paul Elliott59ad9452022-12-18 15:09:02 +00007144 num_ops = psa_sign_hash_get_num_ops(&operation);
7145 TEST_ASSERT(num_ops == 0);
7146
Paul Elliott91007972022-12-16 12:21:24 +00007147 /* The value of *signature_length is unspecified on error, but
7148 * whatever it is, it should be less than signature_size, so that
7149 * if the caller tries to read *signature_length bytes without
7150 * checking the error code then they don't overflow a buffer. */
7151 TEST_LE_U(signature_length, signature_size);
7152
Paul Elliott0c683352022-12-16 19:16:56 +00007153 TEST_LE_U(min_completes, num_completes);
7154 TEST_LE_U(num_completes, max_completes);
7155
Paul Elliott91007972022-12-16 12:21:24 +00007156exit:
7157 psa_reset_key_attributes(&attributes);
7158 psa_destroy_key(key);
7159 mbedtls_free(signature);
7160 PSA_DONE();
7161}
7162/* END_CASE */
7163
mohammad16038cc1cee2018-03-28 01:21:33 +03007164/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01007165void sign_verify_hash(int key_type_arg, data_t *key_data,
7166 int alg_arg, data_t *input_data)
Gilles Peskine9911b022018-06-29 17:30:48 +02007167{
Ronald Cron5425a212020-08-04 14:58:35 +02007168 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine9911b022018-06-29 17:30:48 +02007169 psa_key_type_t key_type = key_type_arg;
7170 psa_algorithm_t alg = alg_arg;
7171 size_t key_bits;
7172 unsigned char *signature = NULL;
7173 size_t signature_size;
7174 size_t signature_length = 0xdeadbeef;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02007175 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine9911b022018-06-29 17:30:48 +02007176
Gilles Peskine449bd832023-01-11 14:50:10 +01007177 PSA_ASSERT(psa_crypto_init());
Gilles Peskine9911b022018-06-29 17:30:48 +02007178
Gilles Peskine449bd832023-01-11 14:50:10 +01007179 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH);
7180 psa_set_key_algorithm(&attributes, alg);
7181 psa_set_key_type(&attributes, key_type);
Gilles Peskine9911b022018-06-29 17:30:48 +02007182
Gilles Peskine449bd832023-01-11 14:50:10 +01007183 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7184 &key));
7185 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
7186 key_bits = psa_get_key_bits(&attributes);
Gilles Peskine9911b022018-06-29 17:30:48 +02007187
Shaun Case8b0ecbc2021-12-20 21:14:10 -08007188 /* Allocate a buffer which has the size advertised by the
Gilles Peskine9911b022018-06-29 17:30:48 +02007189 * library. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007190 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
7191 key_bits, alg);
7192 TEST_ASSERT(signature_size != 0);
7193 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007194 TEST_CALLOC(signature, signature_size);
Gilles Peskine9911b022018-06-29 17:30:48 +02007195
7196 /* Perform the signature. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007197 PSA_ASSERT(psa_sign_hash(key, alg,
7198 input_data->x, input_data->len,
7199 signature, signature_size,
7200 &signature_length));
Gilles Peskine9911b022018-06-29 17:30:48 +02007201 /* Check that the signature length looks sensible. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007202 TEST_LE_U(signature_length, signature_size);
7203 TEST_ASSERT(signature_length > 0);
Gilles Peskine9911b022018-06-29 17:30:48 +02007204
7205 /* Use the library to verify that the signature is correct. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007206 PSA_ASSERT(psa_verify_hash(key, alg,
7207 input_data->x, input_data->len,
7208 signature, signature_length));
Gilles Peskine9911b022018-06-29 17:30:48 +02007209
Gilles Peskine449bd832023-01-11 14:50:10 +01007210 if (input_data->len != 0) {
Gilles Peskine9911b022018-06-29 17:30:48 +02007211 /* Flip a bit in the input and verify that the signature is now
7212 * detected as invalid. Flip a bit at the beginning, not at the end,
7213 * because ECDSA may ignore the last few bits of the input. */
7214 input_data->x[0] ^= 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01007215 TEST_EQUAL(psa_verify_hash(key, alg,
7216 input_data->x, input_data->len,
7217 signature, signature_length),
7218 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine9911b022018-06-29 17:30:48 +02007219 }
7220
7221exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01007222 /*
7223 * Key attributes may have been returned by psa_get_key_attributes()
7224 * thus reset them as required.
7225 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007226 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01007227
Gilles Peskine449bd832023-01-11 14:50:10 +01007228 psa_destroy_key(key);
7229 mbedtls_free(signature);
7230 PSA_DONE();
Gilles Peskine9911b022018-06-29 17:30:48 +02007231}
7232/* END_CASE */
7233
Paul Elliott712d5122022-12-07 14:03:10 +00007234/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007235/**
7236 * sign_verify_hash_interruptible() test intentions:
7237 *
7238 * Note: This test can currently only handle ECDSA.
7239 *
Paul Elliott8c092052023-03-06 17:49:14 +00007240 * 1. Test that we can sign an input hash with the given keypair and then
7241 * afterwards verify that signature. This is currently the only way to test
7242 * non deterministic ECDSA, but this test can also handle deterministic.
Paul Elliottc7f68822023-02-24 17:37:04 +00007243 *
7244 * 2. Test that after corrupting the hash, the verification detects an invalid
7245 * signature.
7246 *
7247 * 3. Test the number of calls to psa_sign_hash_complete() required are as
7248 * expected for different max_ops values.
Paul Elliott7c173082023-02-26 18:44:45 +00007249 *
7250 * 4. Test that the number of ops done prior to starting signing and after abort
7251 * is zero and that each successful signing stage completes some ops (this is
7252 * not mandated by the PSA specification, but is currently the case).
Paul Elliottc7f68822023-02-24 17:37:04 +00007253 */
Paul Elliott712d5122022-12-07 14:03:10 +00007254void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
Paul Elliott0c683352022-12-16 19:16:56 +00007255 int alg_arg, data_t *input_data,
Paul Elliottab7c5c82023-02-03 15:49:42 +00007256 int max_ops_arg)
Paul Elliott712d5122022-12-07 14:03:10 +00007257{
7258 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7259 psa_key_type_t key_type = key_type_arg;
7260 psa_algorithm_t alg = alg_arg;
7261 size_t key_bits;
7262 unsigned char *signature = NULL;
7263 size_t signature_size;
7264 size_t signature_length = 0xdeadbeef;
7265 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7266 psa_status_t status = PSA_OPERATION_INCOMPLETE;
Paul Elliottab7c5c82023-02-03 15:49:42 +00007267 uint32_t max_ops = max_ops_arg;
Paul Elliott7c173082023-02-26 18:44:45 +00007268 uint32_t num_ops = 0;
7269 uint32_t num_ops_prior = 0;
Paul Elliott0c683352022-12-16 19:16:56 +00007270 size_t num_completes = 0;
Paul Elliott97ac7d92023-01-23 18:09:06 +00007271 size_t min_completes = 0;
7272 size_t max_completes = 0;
7273
Paul Elliott712d5122022-12-07 14:03:10 +00007274 psa_sign_hash_interruptible_operation_t sign_operation =
7275 psa_sign_hash_interruptible_operation_init();
7276 psa_verify_hash_interruptible_operation_t verify_operation =
7277 psa_verify_hash_interruptible_operation_init();
7278
7279 PSA_ASSERT(psa_crypto_init());
7280
Paul Elliott0c683352022-12-16 19:16:56 +00007281 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
7282 PSA_KEY_USAGE_VERIFY_HASH);
Paul Elliott712d5122022-12-07 14:03:10 +00007283 psa_set_key_algorithm(&attributes, alg);
7284 psa_set_key_type(&attributes, key_type);
7285
7286 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7287 &key));
7288 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
7289 key_bits = psa_get_key_bits(&attributes);
7290
7291 /* Allocate a buffer which has the size advertised by the
7292 * library. */
7293 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
7294 key_bits, alg);
7295 TEST_ASSERT(signature_size != 0);
7296 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007297 TEST_CALLOC(signature, signature_size);
Paul Elliott712d5122022-12-07 14:03:10 +00007298
Paul Elliott0c683352022-12-16 19:16:56 +00007299 psa_interruptible_set_max_ops(max_ops);
7300
Paul Elliott6f600372023-02-06 18:41:05 +00007301 interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
7302 &min_completes, &max_completes);
Paul Elliott97ac7d92023-01-23 18:09:06 +00007303
Paul Elliott7c173082023-02-26 18:44:45 +00007304 num_ops_prior = psa_sign_hash_get_num_ops(&sign_operation);
7305 TEST_ASSERT(num_ops_prior == 0);
7306
Paul Elliott712d5122022-12-07 14:03:10 +00007307 /* Start performing the signature. */
7308 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7309 input_data->x, input_data->len));
7310
Paul Elliott7c173082023-02-26 18:44:45 +00007311 num_ops_prior = psa_sign_hash_get_num_ops(&sign_operation);
7312 TEST_ASSERT(num_ops_prior == 0);
7313
Paul Elliott712d5122022-12-07 14:03:10 +00007314 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007315 do {
Paul Elliott712d5122022-12-07 14:03:10 +00007316
Paul Elliott0c683352022-12-16 19:16:56 +00007317 status = psa_sign_hash_complete(&sign_operation, signature,
7318 signature_size,
Paul Elliott712d5122022-12-07 14:03:10 +00007319 &signature_length);
Paul Elliott0c683352022-12-16 19:16:56 +00007320
7321 num_completes++;
Paul Elliott7c173082023-02-26 18:44:45 +00007322
7323 if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
7324 num_ops = psa_sign_hash_get_num_ops(&sign_operation);
7325 /* We are asserting here that every complete makes progress
7326 * (completes some ops), which is true of the internal
7327 * implementation and probably any implementation, however this is
7328 * not mandated by the PSA specification. */
7329 TEST_ASSERT(num_ops > num_ops_prior);
7330
7331 num_ops_prior = num_ops;
7332 }
Paul Elliottedfc8832023-01-20 17:13:10 +00007333 } while (status == PSA_OPERATION_INCOMPLETE);
Paul Elliott712d5122022-12-07 14:03:10 +00007334
7335 TEST_ASSERT(status == PSA_SUCCESS);
7336
Paul Elliott0c683352022-12-16 19:16:56 +00007337 TEST_LE_U(min_completes, num_completes);
7338 TEST_LE_U(num_completes, max_completes);
7339
Paul Elliott712d5122022-12-07 14:03:10 +00007340 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7341
Paul Elliott7c173082023-02-26 18:44:45 +00007342 num_ops = psa_sign_hash_get_num_ops(&sign_operation);
7343 TEST_ASSERT(num_ops == 0);
7344
Paul Elliott712d5122022-12-07 14:03:10 +00007345 /* Check that the signature length looks sensible. */
7346 TEST_LE_U(signature_length, signature_size);
7347 TEST_ASSERT(signature_length > 0);
7348
Paul Elliott0c683352022-12-16 19:16:56 +00007349 num_completes = 0;
Paul Elliott712d5122022-12-07 14:03:10 +00007350
7351 /* Start verification. */
7352 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7353 input_data->x, input_data->len,
7354 signature, signature_length));
7355
7356 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007357 do {
Paul Elliott712d5122022-12-07 14:03:10 +00007358 status = psa_verify_hash_complete(&verify_operation);
Paul Elliott0c683352022-12-16 19:16:56 +00007359
7360 num_completes++;
Paul Elliottedfc8832023-01-20 17:13:10 +00007361 } while (status == PSA_OPERATION_INCOMPLETE);
Paul Elliott712d5122022-12-07 14:03:10 +00007362
7363 TEST_ASSERT(status == PSA_SUCCESS);
7364
Paul Elliott0c683352022-12-16 19:16:56 +00007365 TEST_LE_U(min_completes, num_completes);
7366 TEST_LE_U(num_completes, max_completes);
7367
Paul Elliott712d5122022-12-07 14:03:10 +00007368 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7369
7370 verify_operation = psa_verify_hash_interruptible_operation_init();
7371
7372 if (input_data->len != 0) {
7373 /* Flip a bit in the input and verify that the signature is now
7374 * detected as invalid. Flip a bit at the beginning, not at the end,
7375 * because ECDSA may ignore the last few bits of the input. */
7376 input_data->x[0] ^= 1;
7377
Paul Elliott712d5122022-12-07 14:03:10 +00007378 /* Start verification. */
7379 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7380 input_data->x, input_data->len,
7381 signature, signature_length));
7382
7383 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007384 do {
Paul Elliott712d5122022-12-07 14:03:10 +00007385 status = psa_verify_hash_complete(&verify_operation);
Paul Elliottedfc8832023-01-20 17:13:10 +00007386 } while (status == PSA_OPERATION_INCOMPLETE);
Paul Elliott712d5122022-12-07 14:03:10 +00007387
7388 TEST_ASSERT(status == PSA_ERROR_INVALID_SIGNATURE);
7389 }
7390
7391 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7392
7393exit:
7394 /*
7395 * Key attributes may have been returned by psa_get_key_attributes()
7396 * thus reset them as required.
7397 */
7398 psa_reset_key_attributes(&attributes);
7399
7400 psa_destroy_key(key);
7401 mbedtls_free(signature);
7402 PSA_DONE();
7403}
7404/* END_CASE */
7405
Gilles Peskine9911b022018-06-29 17:30:48 +02007406/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01007407void verify_hash(int key_type_arg, data_t *key_data,
7408 int alg_arg, data_t *hash_data,
7409 data_t *signature_data)
itayzafrir5c753392018-05-08 11:18:38 +03007410{
Ronald Cron5425a212020-08-04 14:58:35 +02007411 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
itayzafrir5c753392018-05-08 11:18:38 +03007412 psa_key_type_t key_type = key_type_arg;
7413 psa_algorithm_t alg = alg_arg;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02007414 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
itayzafrir5c753392018-05-08 11:18:38 +03007415
Gilles Peskine449bd832023-01-11 14:50:10 +01007416 TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE);
Gilles Peskine69c12672018-06-28 00:07:19 +02007417
Gilles Peskine449bd832023-01-11 14:50:10 +01007418 PSA_ASSERT(psa_crypto_init());
itayzafrir5c753392018-05-08 11:18:38 +03007419
Gilles Peskine449bd832023-01-11 14:50:10 +01007420 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
7421 psa_set_key_algorithm(&attributes, alg);
7422 psa_set_key_type(&attributes, key_type);
itayzafrir5c753392018-05-08 11:18:38 +03007423
Gilles Peskine449bd832023-01-11 14:50:10 +01007424 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7425 &key));
itayzafrir5c753392018-05-08 11:18:38 +03007426
Gilles Peskine449bd832023-01-11 14:50:10 +01007427 PSA_ASSERT(psa_verify_hash(key, alg,
7428 hash_data->x, hash_data->len,
7429 signature_data->x, signature_data->len));
Gilles Peskine0627f982019-11-26 19:12:16 +01007430
itayzafrir5c753392018-05-08 11:18:38 +03007431exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01007432 psa_reset_key_attributes(&attributes);
7433 psa_destroy_key(key);
7434 PSA_DONE();
itayzafrir5c753392018-05-08 11:18:38 +03007435}
7436/* END_CASE */
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007437
Paul Elliott712d5122022-12-07 14:03:10 +00007438/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007439/**
7440 * verify_hash_interruptible() test intentions:
7441 *
7442 * Note: This test can currently only handle ECDSA.
7443 *
7444 * 1. Test interruptible verify hash with known outcomes (deterministic ECDSA
Paul Elliott8c092052023-03-06 17:49:14 +00007445 * only). Given this test only does verification it can accept public keys as
7446 * well as private keys / keypairs.
Paul Elliottc7f68822023-02-24 17:37:04 +00007447 *
7448 * 2. Test the number of calls to psa_verify_hash_complete() required are as
7449 * expected for different max_ops values.
7450 *
7451 * 3. Test that the number of ops done prior to start and after abort is zero
7452 * and that each successful stage completes some ops (this is not mandated by
7453 * the PSA specification, but is currently the case).
Paul Elliott8359c142023-02-24 18:40:10 +00007454 *
7455 * 4. Test that calling psa_sign_hash_get_num_ops() multiple times between
7456 * complete() calls does not alter the number of ops returned.
7457 *
7458 * 5. Test that after corrupting the hash, the verification detects an invalid
7459 * signature.
Paul Elliottc7f68822023-02-24 17:37:04 +00007460 */
Paul Elliott712d5122022-12-07 14:03:10 +00007461void verify_hash_interruptible(int key_type_arg, data_t *key_data,
7462 int alg_arg, data_t *hash_data,
Paul Elliottab7c5c82023-02-03 15:49:42 +00007463 data_t *signature_data, int max_ops_arg)
Paul Elliott712d5122022-12-07 14:03:10 +00007464{
7465 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7466 psa_key_type_t key_type = key_type_arg;
7467 psa_algorithm_t alg = alg_arg;
7468 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7469 psa_status_t status = PSA_OPERATION_INCOMPLETE;
Paul Elliottab7c5c82023-02-03 15:49:42 +00007470 uint32_t num_ops = 0;
7471 uint32_t max_ops = max_ops_arg;
Paul Elliott712d5122022-12-07 14:03:10 +00007472 size_t num_ops_prior = 0;
Paul Elliott0c683352022-12-16 19:16:56 +00007473 size_t num_completes = 0;
Paul Elliott97ac7d92023-01-23 18:09:06 +00007474 size_t min_completes = 0;
7475 size_t max_completes = 0;
7476
Paul Elliott712d5122022-12-07 14:03:10 +00007477 psa_verify_hash_interruptible_operation_t operation =
7478 psa_verify_hash_interruptible_operation_init();
7479
7480 TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE);
7481
7482 PSA_ASSERT(psa_crypto_init());
7483
7484 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
7485 psa_set_key_algorithm(&attributes, alg);
7486 psa_set_key_type(&attributes, key_type);
7487
7488 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7489 &key));
7490
Paul Elliott0c683352022-12-16 19:16:56 +00007491 psa_interruptible_set_max_ops(max_ops);
7492
Paul Elliott6f600372023-02-06 18:41:05 +00007493 interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
7494 &min_completes, &max_completes);
Paul Elliott97ac7d92023-01-23 18:09:06 +00007495
Paul Elliott712d5122022-12-07 14:03:10 +00007496 num_ops_prior = psa_verify_hash_get_num_ops(&operation);
7497
7498 TEST_ASSERT(num_ops_prior == 0);
7499
7500 /* Start verification. */
7501 PSA_ASSERT(psa_verify_hash_start(&operation, key, alg,
7502 hash_data->x, hash_data->len,
7503 signature_data->x, signature_data->len)
7504 );
7505
7506 num_ops_prior = psa_verify_hash_get_num_ops(&operation);
7507
7508 TEST_ASSERT(num_ops_prior == 0);
7509
7510 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007511 do {
Paul Elliott712d5122022-12-07 14:03:10 +00007512 status = psa_verify_hash_complete(&operation);
7513
Paul Elliott0c683352022-12-16 19:16:56 +00007514 num_completes++;
7515
Paul Elliott712d5122022-12-07 14:03:10 +00007516 if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
7517 num_ops = psa_verify_hash_get_num_ops(&operation);
Paul Elliott96b89b22023-02-15 23:10:37 +00007518 /* We are asserting here that every complete makes progress
7519 * (completes some ops), which is true of the internal
7520 * implementation and probably any implementation, however this is
7521 * not mandated by the PSA specification. */
Paul Elliott712d5122022-12-07 14:03:10 +00007522 TEST_ASSERT(num_ops > num_ops_prior);
Paul Elliott0c683352022-12-16 19:16:56 +00007523
Paul Elliott712d5122022-12-07 14:03:10 +00007524 num_ops_prior = num_ops;
Paul Elliottf8e5b562023-02-19 18:43:45 +00007525
7526 /* Ensure calling get_num_ops() twice still returns the same
7527 * number of ops as previously reported. */
7528 num_ops = psa_verify_hash_get_num_ops(&operation);
7529
7530 TEST_EQUAL(num_ops, num_ops_prior);
Paul Elliott712d5122022-12-07 14:03:10 +00007531 }
Paul Elliottedfc8832023-01-20 17:13:10 +00007532 } while (status == PSA_OPERATION_INCOMPLETE);
Paul Elliott712d5122022-12-07 14:03:10 +00007533
7534 TEST_ASSERT(status == PSA_SUCCESS);
7535
Paul Elliott0c683352022-12-16 19:16:56 +00007536 TEST_LE_U(min_completes, num_completes);
7537 TEST_LE_U(num_completes, max_completes);
7538
Paul Elliott712d5122022-12-07 14:03:10 +00007539 PSA_ASSERT(psa_verify_hash_abort(&operation));
7540
Paul Elliott59ad9452022-12-18 15:09:02 +00007541 num_ops = psa_verify_hash_get_num_ops(&operation);
7542 TEST_ASSERT(num_ops == 0);
7543
Paul Elliott8359c142023-02-24 18:40:10 +00007544 if (hash_data->len != 0) {
7545 /* Flip a bit in the hash and verify that the signature is now detected
7546 * as invalid. Flip a bit at the beginning, not at the end, because
7547 * ECDSA may ignore the last few bits of the input. */
7548 hash_data->x[0] ^= 1;
7549
7550 /* Start verification. */
7551 PSA_ASSERT(psa_verify_hash_start(&operation, key, alg,
7552 hash_data->x, hash_data->len,
7553 signature_data->x, signature_data->len));
7554
7555 /* Continue performing the signature until complete. */
7556 do {
7557 status = psa_verify_hash_complete(&operation);
7558 } while (status == PSA_OPERATION_INCOMPLETE);
7559
7560 TEST_ASSERT(status == PSA_ERROR_INVALID_SIGNATURE);
7561 }
7562
Paul Elliott712d5122022-12-07 14:03:10 +00007563exit:
7564 psa_reset_key_attributes(&attributes);
7565 psa_destroy_key(key);
7566 PSA_DONE();
7567}
7568/* END_CASE */
7569
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007570/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01007571void verify_hash_fail(int key_type_arg, data_t *key_data,
7572 int alg_arg, data_t *hash_data,
7573 data_t *signature_data,
7574 int expected_status_arg)
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007575{
Ronald Cron5425a212020-08-04 14:58:35 +02007576 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007577 psa_key_type_t key_type = key_type_arg;
7578 psa_algorithm_t alg = alg_arg;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007579 psa_status_t actual_status;
7580 psa_status_t expected_status = expected_status_arg;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02007581 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007582
Gilles Peskine449bd832023-01-11 14:50:10 +01007583 PSA_ASSERT(psa_crypto_init());
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007584
Gilles Peskine449bd832023-01-11 14:50:10 +01007585 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
7586 psa_set_key_algorithm(&attributes, alg);
7587 psa_set_key_type(&attributes, key_type);
Nir Sonnenscheind7082602018-06-04 16:45:27 +03007588
Gilles Peskine449bd832023-01-11 14:50:10 +01007589 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7590 &key));
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007591
Gilles Peskine449bd832023-01-11 14:50:10 +01007592 actual_status = psa_verify_hash(key, alg,
7593 hash_data->x, hash_data->len,
7594 signature_data->x, signature_data->len);
7595 TEST_EQUAL(actual_status, expected_status);
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007596
7597exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01007598 psa_reset_key_attributes(&attributes);
7599 psa_destroy_key(key);
7600 PSA_DONE();
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007601}
7602/* END_CASE */
7603
Paul Elliott91007972022-12-16 12:21:24 +00007604/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007605/**
7606 * verify_hash_fail_interruptible() test intentions:
7607 *
7608 * Note: This test can currently only handle ECDSA.
7609 *
7610 * 1. Test that various failure cases for interruptible verify hash fail with
7611 * the correct error codes, and at the correct point (at start or during
7612 * complete).
7613 *
7614 * 2. Test the number of calls to psa_verify_hash_complete() required are as
7615 * expected for different max_ops values.
7616 *
7617 * 3. Test that the number of ops done prior to start and after abort is zero
7618 * and that each successful stage completes some ops (this is not mandated by
7619 * the PSA specification, but is currently the case).
Paul Elliott587e7802023-02-27 09:53:08 +00007620 *
7621 * 4. Check that calling complete() when start() fails and complete()
7622 * after completion results in a BAD_STATE error.
7623 *
7624 * 5. Check that calling start() again after start fails results in a BAD_STATE
7625 * error.
Paul Elliottc7f68822023-02-24 17:37:04 +00007626 */
Paul Elliott91007972022-12-16 12:21:24 +00007627void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
7628 int alg_arg, data_t *hash_data,
7629 data_t *signature_data,
7630 int expected_start_status_arg,
Paul Elliott0c683352022-12-16 19:16:56 +00007631 int expected_complete_status_arg,
Paul Elliottab7c5c82023-02-03 15:49:42 +00007632 int max_ops_arg)
Paul Elliott91007972022-12-16 12:21:24 +00007633{
7634 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7635 psa_key_type_t key_type = key_type_arg;
7636 psa_algorithm_t alg = alg_arg;
7637 psa_status_t actual_status;
7638 psa_status_t expected_start_status = expected_start_status_arg;
7639 psa_status_t expected_complete_status = expected_complete_status_arg;
7640 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Paul Elliottab7c5c82023-02-03 15:49:42 +00007641 uint32_t num_ops = 0;
7642 uint32_t max_ops = max_ops_arg;
Paul Elliott91007972022-12-16 12:21:24 +00007643 size_t num_ops_prior = 0;
Paul Elliott0c683352022-12-16 19:16:56 +00007644 size_t num_completes = 0;
Paul Elliott97ac7d92023-01-23 18:09:06 +00007645 size_t min_completes = 0;
7646 size_t max_completes = 0;
Paul Elliott91007972022-12-16 12:21:24 +00007647 psa_verify_hash_interruptible_operation_t operation =
7648 psa_verify_hash_interruptible_operation_init();
7649
7650 PSA_ASSERT(psa_crypto_init());
7651
7652 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
7653 psa_set_key_algorithm(&attributes, alg);
7654 psa_set_key_type(&attributes, key_type);
7655
7656 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7657 &key));
7658
Paul Elliott0c683352022-12-16 19:16:56 +00007659 psa_interruptible_set_max_ops(max_ops);
7660
Paul Elliott6f600372023-02-06 18:41:05 +00007661 interruptible_signverify_get_minmax_completes(max_ops,
7662 expected_complete_status,
7663 &min_completes,
7664 &max_completes);
Paul Elliott97ac7d92023-01-23 18:09:06 +00007665
Paul Elliott91007972022-12-16 12:21:24 +00007666 num_ops_prior = psa_verify_hash_get_num_ops(&operation);
7667 TEST_ASSERT(num_ops_prior == 0);
7668
7669 /* Start verification. */
7670 actual_status = psa_verify_hash_start(&operation, key, alg,
7671 hash_data->x, hash_data->len,
7672 signature_data->x,
7673 signature_data->len);
7674
7675 TEST_EQUAL(actual_status, expected_start_status);
7676
Paul Elliottc9774412023-02-06 15:14:07 +00007677 if (expected_start_status != PSA_SUCCESS) {
Paul Elliottde7c31e2023-03-01 14:37:48 +00007678 /* Emulate poor application code, and call complete anyway, even though
Paul Elliott587e7802023-02-27 09:53:08 +00007679 * start failed. */
7680 actual_status = psa_verify_hash_complete(&operation);
7681
7682 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
7683
7684 /* Test that calling start again after failure also causes BAD_STATE. */
Paul Elliottc9774412023-02-06 15:14:07 +00007685 actual_status = psa_verify_hash_start(&operation, key, alg,
7686 hash_data->x, hash_data->len,
7687 signature_data->x,
7688 signature_data->len);
7689
7690 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
7691 }
7692
Paul Elliott91007972022-12-16 12:21:24 +00007693 num_ops_prior = psa_verify_hash_get_num_ops(&operation);
7694 TEST_ASSERT(num_ops_prior == 0);
7695
Paul Elliott91007972022-12-16 12:21:24 +00007696 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007697 do {
Paul Elliott91007972022-12-16 12:21:24 +00007698 actual_status = psa_verify_hash_complete(&operation);
7699
Paul Elliott0c683352022-12-16 19:16:56 +00007700 num_completes++;
7701
Paul Elliott334d7262023-01-20 17:29:41 +00007702 if (actual_status == PSA_SUCCESS ||
7703 actual_status == PSA_OPERATION_INCOMPLETE) {
Paul Elliott91007972022-12-16 12:21:24 +00007704 num_ops = psa_verify_hash_get_num_ops(&operation);
Paul Elliott96b89b22023-02-15 23:10:37 +00007705 /* We are asserting here that every complete makes progress
7706 * (completes some ops), which is true of the internal
7707 * implementation and probably any implementation, however this is
7708 * not mandated by the PSA specification. */
Paul Elliott91007972022-12-16 12:21:24 +00007709 TEST_ASSERT(num_ops > num_ops_prior);
Paul Elliott0c683352022-12-16 19:16:56 +00007710
Paul Elliott91007972022-12-16 12:21:24 +00007711 num_ops_prior = num_ops;
7712 }
Paul Elliottedfc8832023-01-20 17:13:10 +00007713 } while (actual_status == PSA_OPERATION_INCOMPLETE);
Paul Elliott91007972022-12-16 12:21:24 +00007714
Paul Elliottc9774412023-02-06 15:14:07 +00007715 TEST_EQUAL(actual_status, expected_complete_status);
7716
Paul Elliottefebad02023-02-15 16:56:45 +00007717 /* Check that another complete returns BAD_STATE. */
7718 actual_status = psa_verify_hash_complete(&operation);
7719 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
Paul Elliott334d7262023-01-20 17:29:41 +00007720
Paul Elliott0c683352022-12-16 19:16:56 +00007721 TEST_LE_U(min_completes, num_completes);
7722 TEST_LE_U(num_completes, max_completes);
7723
Paul Elliott91007972022-12-16 12:21:24 +00007724 PSA_ASSERT(psa_verify_hash_abort(&operation));
7725
Paul Elliott59ad9452022-12-18 15:09:02 +00007726 num_ops = psa_verify_hash_get_num_ops(&operation);
7727 TEST_ASSERT(num_ops == 0);
7728
Paul Elliott91007972022-12-16 12:21:24 +00007729exit:
7730 psa_reset_key_attributes(&attributes);
7731 psa_destroy_key(key);
7732 PSA_DONE();
7733}
7734/* END_CASE */
7735
Paul Elliott20a36062022-12-18 13:21:25 +00007736/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007737/**
7738 * interruptible_signverify_hash_state_test() test intentions:
7739 *
7740 * Note: This test can currently only handle ECDSA.
7741 *
7742 * 1. Test that calling the various interruptible sign and verify hash functions
7743 * in incorrect orders returns BAD_STATE errors.
7744 */
Paul Elliott76d671a2023-02-07 17:45:18 +00007745void interruptible_signverify_hash_state_test(int key_type_arg,
7746 data_t *key_data, int alg_arg, data_t *input_data)
Paul Elliott20a36062022-12-18 13:21:25 +00007747{
7748 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7749 psa_key_type_t key_type = key_type_arg;
7750 psa_algorithm_t alg = alg_arg;
7751 size_t key_bits;
7752 unsigned char *signature = NULL;
7753 size_t signature_size;
7754 size_t signature_length = 0xdeadbeef;
7755 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7756 psa_sign_hash_interruptible_operation_t sign_operation =
7757 psa_sign_hash_interruptible_operation_init();
7758 psa_verify_hash_interruptible_operation_t verify_operation =
7759 psa_verify_hash_interruptible_operation_init();
7760
7761 PSA_ASSERT(psa_crypto_init());
7762
7763 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
7764 PSA_KEY_USAGE_VERIFY_HASH);
7765 psa_set_key_algorithm(&attributes, alg);
7766 psa_set_key_type(&attributes, key_type);
7767
7768 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7769 &key));
7770 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
7771 key_bits = psa_get_key_bits(&attributes);
7772
7773 /* Allocate a buffer which has the size advertised by the
7774 * library. */
7775 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
7776 key_bits, alg);
7777 TEST_ASSERT(signature_size != 0);
7778 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007779 TEST_CALLOC(signature, signature_size);
Paul Elliott20a36062022-12-18 13:21:25 +00007780
7781 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7782
7783 /* --- Attempt completes prior to starts --- */
7784 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7785 signature_size,
7786 &signature_length),
7787 PSA_ERROR_BAD_STATE);
7788
7789 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7790
7791 TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
7792 PSA_ERROR_BAD_STATE);
7793
7794 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7795
7796 /* --- Aborts in all other places. --- */
7797 psa_sign_hash_abort(&sign_operation);
7798
7799 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7800 input_data->x, input_data->len));
7801
7802 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7803
7804 psa_interruptible_set_max_ops(1);
7805
7806 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7807 input_data->x, input_data->len));
7808
7809 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7810 signature_size,
7811 &signature_length),
7812 PSA_OPERATION_INCOMPLETE);
7813
7814 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7815
7816 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7817
7818 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7819 input_data->x, input_data->len));
7820
7821 PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
7822 signature_size,
7823 &signature_length));
7824
7825 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7826
7827 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7828
7829 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7830 input_data->x, input_data->len,
7831 signature, signature_length));
7832
7833 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7834
7835 psa_interruptible_set_max_ops(1);
7836
7837 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7838 input_data->x, input_data->len,
7839 signature, signature_length));
7840
7841 TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
7842 PSA_OPERATION_INCOMPLETE);
7843
7844 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7845
7846 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7847
7848 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7849 input_data->x, input_data->len,
7850 signature, signature_length));
7851
7852 PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
7853
7854 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7855
7856 /* --- Attempt double starts. --- */
7857
7858 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7859 input_data->x, input_data->len));
7860
7861 TEST_EQUAL(psa_sign_hash_start(&sign_operation, key, alg,
7862 input_data->x, input_data->len),
7863 PSA_ERROR_BAD_STATE);
7864
7865 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7866
7867 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7868 input_data->x, input_data->len,
7869 signature, signature_length));
7870
7871 TEST_EQUAL(psa_verify_hash_start(&verify_operation, key, alg,
7872 input_data->x, input_data->len,
7873 signature, signature_length),
7874 PSA_ERROR_BAD_STATE);
7875
7876 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7877
Paul Elliott76d671a2023-02-07 17:45:18 +00007878exit:
7879 /*
7880 * Key attributes may have been returned by psa_get_key_attributes()
7881 * thus reset them as required.
7882 */
7883 psa_reset_key_attributes(&attributes);
7884
7885 psa_destroy_key(key);
7886 mbedtls_free(signature);
7887 PSA_DONE();
7888}
7889/* END_CASE */
7890
7891/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007892/**
Paul Elliottc2033502023-02-26 17:09:14 +00007893 * interruptible_signverify_hash_edgecase_tests() test intentions:
Paul Elliottc7f68822023-02-24 17:37:04 +00007894 *
7895 * Note: This test can currently only handle ECDSA.
7896 *
7897 * 1. Test various edge cases in the interruptible sign and verify hash
7898 * interfaces.
7899 */
Paul Elliottc2033502023-02-26 17:09:14 +00007900void interruptible_signverify_hash_edgecase_tests(int key_type_arg,
Paul Elliott76d671a2023-02-07 17:45:18 +00007901 data_t *key_data, int alg_arg, data_t *input_data)
7902{
7903 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7904 psa_key_type_t key_type = key_type_arg;
7905 psa_algorithm_t alg = alg_arg;
7906 size_t key_bits;
7907 unsigned char *signature = NULL;
7908 size_t signature_size;
7909 size_t signature_length = 0xdeadbeef;
7910 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7911 uint8_t *input_buffer = NULL;
7912 psa_sign_hash_interruptible_operation_t sign_operation =
7913 psa_sign_hash_interruptible_operation_init();
7914 psa_verify_hash_interruptible_operation_t verify_operation =
7915 psa_verify_hash_interruptible_operation_init();
7916
7917 PSA_ASSERT(psa_crypto_init());
7918
7919 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
7920 PSA_KEY_USAGE_VERIFY_HASH);
7921 psa_set_key_algorithm(&attributes, alg);
7922 psa_set_key_type(&attributes, key_type);
7923
7924 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7925 &key));
7926 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
7927 key_bits = psa_get_key_bits(&attributes);
7928
7929 /* Allocate a buffer which has the size advertised by the
7930 * library. */
7931 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
7932 key_bits, alg);
7933 TEST_ASSERT(signature_size != 0);
7934 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007935 TEST_CALLOC(signature, signature_size);
Paul Elliott76d671a2023-02-07 17:45:18 +00007936
Paul Elliott20a36062022-12-18 13:21:25 +00007937 /* --- Change function inputs mid run, to cause an error (sign only,
7938 * verify passes all inputs to start. --- */
7939
7940 psa_interruptible_set_max_ops(1);
7941
7942 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7943 input_data->x, input_data->len));
7944
7945 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7946 signature_size,
7947 &signature_length),
7948 PSA_OPERATION_INCOMPLETE);
7949
7950 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7951 0,
7952 &signature_length),
7953 PSA_ERROR_BUFFER_TOO_SMALL);
7954
Paul Elliottc9774412023-02-06 15:14:07 +00007955 /* And test that this invalidates the operation. */
7956 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7957 0,
7958 &signature_length),
7959 PSA_ERROR_BAD_STATE);
7960
Paul Elliott20a36062022-12-18 13:21:25 +00007961 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7962
Paul Elliottf9c91a72023-02-05 18:06:38 +00007963 /* Trash the hash buffer in between start and complete, to ensure
7964 * no reliance on external buffers. */
7965 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7966
Paul Elliott6c68df42023-10-23 15:33:37 +01007967 TEST_CALLOC(input_buffer, input_data->len);
Paul Elliottf9c91a72023-02-05 18:06:38 +00007968
7969 memcpy(input_buffer, input_data->x, input_data->len);
7970
7971 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7972 input_buffer, input_data->len));
7973
7974 memset(input_buffer, '!', input_data->len);
7975 mbedtls_free(input_buffer);
7976 input_buffer = NULL;
7977
7978 PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
7979 signature_size,
7980 &signature_length));
7981
7982 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7983
Paul Elliott6c68df42023-10-23 15:33:37 +01007984 TEST_CALLOC(input_buffer, input_data->len);
Paul Elliottf9c91a72023-02-05 18:06:38 +00007985
7986 memcpy(input_buffer, input_data->x, input_data->len);
7987
7988 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7989 input_buffer, input_data->len,
7990 signature, signature_length));
7991
7992 memset(input_buffer, '!', input_data->len);
7993 mbedtls_free(input_buffer);
7994 input_buffer = NULL;
7995
7996 PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
7997
7998 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7999
Paul Elliott20a36062022-12-18 13:21:25 +00008000exit:
8001 /*
8002 * Key attributes may have been returned by psa_get_key_attributes()
8003 * thus reset them as required.
8004 */
8005 psa_reset_key_attributes(&attributes);
8006
8007 psa_destroy_key(key);
8008 mbedtls_free(signature);
Paul Elliott6c68df42023-10-23 15:33:37 +01008009 mbedtls_free(input_buffer);
Paul Elliott20a36062022-12-18 13:21:25 +00008010 PSA_DONE();
8011}
8012/* END_CASE */
8013
Paul Elliotta4cb9092023-02-07 18:01:55 +00008014/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00008015/**
Paul Elliott57702242023-02-26 20:36:10 +00008016 * interruptible_signverify_hash_ops_tests() test intentions:
Paul Elliottc7f68822023-02-24 17:37:04 +00008017 *
8018 * Note: This test can currently only handle ECDSA.
8019 *
8020 * 1. Test that setting max ops is reflected in both interruptible sign and
8021 * verify hash
Paul Elliott9e8819f2023-02-26 19:01:35 +00008022 * 2. Test that changing the value of max_ops to unlimited during an operation
8023 * causes that operation to complete in the next call.
Paul Elliottc1e04002023-02-26 20:27:23 +00008024 *
8025 * 3. Test that calling get_num_ops() between complete calls gives the same
8026 * result as calling get_num_ops() once at the end of the operation.
Paul Elliottc7f68822023-02-24 17:37:04 +00008027 */
Paul Elliott57702242023-02-26 20:36:10 +00008028void interruptible_signverify_hash_ops_tests(int key_type_arg,
8029 data_t *key_data, int alg_arg,
8030 data_t *input_data)
Paul Elliotta4cb9092023-02-07 18:01:55 +00008031{
8032 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8033 psa_key_type_t key_type = key_type_arg;
8034 psa_algorithm_t alg = alg_arg;
8035 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Paul Elliottf1743e22023-02-15 18:44:16 +00008036 size_t key_bits;
8037 unsigned char *signature = NULL;
8038 size_t signature_size;
Paul Elliott9e8819f2023-02-26 19:01:35 +00008039 size_t signature_length = 0xdeadbeef;
Paul Elliottc1e04002023-02-26 20:27:23 +00008040 uint32_t num_ops = 0;
8041 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8042
Paul Elliotta4cb9092023-02-07 18:01:55 +00008043 psa_sign_hash_interruptible_operation_t sign_operation =
8044 psa_sign_hash_interruptible_operation_init();
Paul Elliottf1743e22023-02-15 18:44:16 +00008045 psa_verify_hash_interruptible_operation_t verify_operation =
8046 psa_verify_hash_interruptible_operation_init();
Paul Elliotta4cb9092023-02-07 18:01:55 +00008047
8048 PSA_ASSERT(psa_crypto_init());
8049
8050 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
8051 PSA_KEY_USAGE_VERIFY_HASH);
8052 psa_set_key_algorithm(&attributes, alg);
8053 psa_set_key_type(&attributes, key_type);
8054
Paul Elliottf1743e22023-02-15 18:44:16 +00008055 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, &key));
8056 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8057 key_bits = psa_get_key_bits(&attributes);
8058
8059 /* Allocate a buffer which has the size advertised by the
8060 * library. */
8061 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg);
8062
8063 TEST_ASSERT(signature_size != 0);
8064 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008065 TEST_CALLOC(signature, signature_size);
Paul Elliotta4cb9092023-02-07 18:01:55 +00008066
8067 /* Check that default max ops gets set if we don't set it. */
8068 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
8069 input_data->x, input_data->len));
8070
8071 TEST_EQUAL(psa_interruptible_get_max_ops(),
8072 PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
8073
8074 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
8075
Paul Elliottf1743e22023-02-15 18:44:16 +00008076 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
8077 input_data->x, input_data->len,
8078 signature, signature_size));
8079
8080 TEST_EQUAL(psa_interruptible_get_max_ops(),
8081 PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
8082
8083 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
8084
Paul Elliotta4cb9092023-02-07 18:01:55 +00008085 /* Check that max ops gets set properly. */
8086
8087 psa_interruptible_set_max_ops(0xbeef);
8088
Paul Elliottf1743e22023-02-15 18:44:16 +00008089 TEST_EQUAL(psa_interruptible_get_max_ops(), 0xbeef);
Paul Elliotta4cb9092023-02-07 18:01:55 +00008090
Paul Elliott9e8819f2023-02-26 19:01:35 +00008091 /* --- Ensure changing the max ops mid operation works (operation should
8092 * complete successfully after setting max ops to unlimited --- */
8093 psa_interruptible_set_max_ops(1);
8094
8095 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
8096 input_data->x, input_data->len));
8097
8098 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
8099 signature_size,
8100 &signature_length),
8101 PSA_OPERATION_INCOMPLETE);
8102
8103 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
8104
8105 PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
8106 signature_size,
8107 &signature_length));
8108
8109 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
8110
8111 psa_interruptible_set_max_ops(1);
8112
8113 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
8114 input_data->x, input_data->len,
8115 signature, signature_length));
8116
8117 TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
8118 PSA_OPERATION_INCOMPLETE);
8119
8120 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
8121
8122 PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
8123
8124 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
8125
Paul Elliottc1e04002023-02-26 20:27:23 +00008126 /* --- Test that not calling get_num_ops inbetween complete calls does not
8127 * result in lost ops. ---*/
8128
8129 psa_interruptible_set_max_ops(1);
8130
8131 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
8132 input_data->x, input_data->len));
8133
8134 /* Continue performing the signature until complete. */
8135 do {
8136 status = psa_sign_hash_complete(&sign_operation, signature,
8137 signature_size,
8138 &signature_length);
8139
8140 num_ops = psa_sign_hash_get_num_ops(&sign_operation);
8141
8142 } while (status == PSA_OPERATION_INCOMPLETE);
8143
8144 PSA_ASSERT(status);
8145
8146 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
8147
8148 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
8149 input_data->x, input_data->len));
8150
8151 /* Continue performing the signature until complete. */
8152 do {
8153 status = psa_sign_hash_complete(&sign_operation, signature,
8154 signature_size,
8155 &signature_length);
8156 } while (status == PSA_OPERATION_INCOMPLETE);
8157
8158 PSA_ASSERT(status);
8159
8160 TEST_EQUAL(num_ops, psa_sign_hash_get_num_ops(&sign_operation));
8161
8162 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
8163
8164 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
8165 input_data->x, input_data->len,
8166 signature, signature_length));
8167
8168 /* Continue performing the verification until complete. */
8169 do {
8170 status = psa_verify_hash_complete(&verify_operation);
8171
8172 num_ops = psa_verify_hash_get_num_ops(&verify_operation);
8173
8174 } while (status == PSA_OPERATION_INCOMPLETE);
8175
8176 PSA_ASSERT(status);
8177
8178 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
8179
8180 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
8181 input_data->x, input_data->len,
8182 signature, signature_length));
8183
8184 /* Continue performing the verification until complete. */
8185 do {
8186 status = psa_verify_hash_complete(&verify_operation);
8187
8188 } while (status == PSA_OPERATION_INCOMPLETE);
8189
8190 PSA_ASSERT(status);
8191
8192 TEST_EQUAL(num_ops, psa_verify_hash_get_num_ops(&verify_operation));
8193
8194 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
8195
Paul Elliotta4cb9092023-02-07 18:01:55 +00008196exit:
8197 /*
8198 * Key attributes may have been returned by psa_get_key_attributes()
8199 * thus reset them as required.
8200 */
8201 psa_reset_key_attributes(&attributes);
8202
8203 psa_destroy_key(key);
Paul Elliottf1743e22023-02-15 18:44:16 +00008204 mbedtls_free(signature);
Paul Elliotta4cb9092023-02-07 18:01:55 +00008205 PSA_DONE();
8206}
8207/* END_CASE */
Paul Elliott76d671a2023-02-07 17:45:18 +00008208
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008209/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008210void sign_message_deterministic(int key_type_arg,
8211 data_t *key_data,
8212 int alg_arg,
8213 data_t *input_data,
8214 data_t *output_data)
gabor-mezei-arm53028482021-04-15 18:19:50 +02008215{
8216 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8217 psa_key_type_t key_type = key_type_arg;
8218 psa_algorithm_t alg = alg_arg;
8219 size_t key_bits;
8220 unsigned char *signature = NULL;
8221 size_t signature_size;
8222 size_t signature_length = 0xdeadbeef;
8223 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8224
Gilles Peskine449bd832023-01-11 14:50:10 +01008225 PSA_ASSERT(psa_crypto_init());
gabor-mezei-arm53028482021-04-15 18:19:50 +02008226
Gilles Peskine449bd832023-01-11 14:50:10 +01008227 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
8228 psa_set_key_algorithm(&attributes, alg);
8229 psa_set_key_type(&attributes, key_type);
gabor-mezei-arm53028482021-04-15 18:19:50 +02008230
Gilles Peskine449bd832023-01-11 14:50:10 +01008231 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8232 &key));
8233 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8234 key_bits = psa_get_key_bits(&attributes);
gabor-mezei-arm53028482021-04-15 18:19:50 +02008235
Gilles Peskine449bd832023-01-11 14:50:10 +01008236 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg);
8237 TEST_ASSERT(signature_size != 0);
8238 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008239 TEST_CALLOC(signature, signature_size);
gabor-mezei-arm53028482021-04-15 18:19:50 +02008240
Gilles Peskine449bd832023-01-11 14:50:10 +01008241 PSA_ASSERT(psa_sign_message(key, alg,
8242 input_data->x, input_data->len,
8243 signature, signature_size,
8244 &signature_length));
gabor-mezei-arm53028482021-04-15 18:19:50 +02008245
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01008246 TEST_MEMORY_COMPARE(output_data->x, output_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01008247 signature, signature_length);
gabor-mezei-arm53028482021-04-15 18:19:50 +02008248
8249exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008250 psa_reset_key_attributes(&attributes);
gabor-mezei-arm53028482021-04-15 18:19:50 +02008251
Gilles Peskine449bd832023-01-11 14:50:10 +01008252 psa_destroy_key(key);
8253 mbedtls_free(signature);
8254 PSA_DONE();
gabor-mezei-arm53028482021-04-15 18:19:50 +02008255
8256}
8257/* END_CASE */
8258
8259/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008260void sign_message_fail(int key_type_arg,
8261 data_t *key_data,
8262 int alg_arg,
8263 data_t *input_data,
8264 int signature_size_arg,
8265 int expected_status_arg)
8266{
8267 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8268 psa_key_type_t key_type = key_type_arg;
8269 psa_algorithm_t alg = alg_arg;
8270 size_t signature_size = signature_size_arg;
8271 psa_status_t actual_status;
8272 psa_status_t expected_status = expected_status_arg;
8273 unsigned char *signature = NULL;
8274 size_t signature_length = 0xdeadbeef;
8275 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8276
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008277 TEST_CALLOC(signature, signature_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01008278
8279 PSA_ASSERT(psa_crypto_init());
8280
8281 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
8282 psa_set_key_algorithm(&attributes, alg);
8283 psa_set_key_type(&attributes, key_type);
8284
8285 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8286 &key));
8287
8288 actual_status = psa_sign_message(key, alg,
8289 input_data->x, input_data->len,
8290 signature, signature_size,
8291 &signature_length);
8292 TEST_EQUAL(actual_status, expected_status);
8293 /* The value of *signature_length is unspecified on error, but
8294 * whatever it is, it should be less than signature_size, so that
8295 * if the caller tries to read *signature_length bytes without
8296 * checking the error code then they don't overflow a buffer. */
8297 TEST_LE_U(signature_length, signature_size);
8298
8299exit:
8300 psa_reset_key_attributes(&attributes);
8301 psa_destroy_key(key);
8302 mbedtls_free(signature);
8303 PSA_DONE();
8304}
8305/* END_CASE */
8306
8307/* BEGIN_CASE */
8308void sign_verify_message(int key_type_arg,
8309 data_t *key_data,
8310 int alg_arg,
8311 data_t *input_data)
8312{
8313 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8314 psa_key_type_t key_type = key_type_arg;
8315 psa_algorithm_t alg = alg_arg;
8316 size_t key_bits;
8317 unsigned char *signature = NULL;
8318 size_t signature_size;
8319 size_t signature_length = 0xdeadbeef;
8320 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8321
8322 PSA_ASSERT(psa_crypto_init());
8323
8324 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE |
8325 PSA_KEY_USAGE_VERIFY_MESSAGE);
8326 psa_set_key_algorithm(&attributes, alg);
8327 psa_set_key_type(&attributes, key_type);
8328
8329 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8330 &key));
8331 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8332 key_bits = psa_get_key_bits(&attributes);
8333
8334 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg);
8335 TEST_ASSERT(signature_size != 0);
8336 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008337 TEST_CALLOC(signature, signature_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01008338
8339 PSA_ASSERT(psa_sign_message(key, alg,
8340 input_data->x, input_data->len,
8341 signature, signature_size,
8342 &signature_length));
8343 TEST_LE_U(signature_length, signature_size);
8344 TEST_ASSERT(signature_length > 0);
8345
8346 PSA_ASSERT(psa_verify_message(key, alg,
8347 input_data->x, input_data->len,
8348 signature, signature_length));
8349
8350 if (input_data->len != 0) {
8351 /* Flip a bit in the input and verify that the signature is now
8352 * detected as invalid. Flip a bit at the beginning, not at the end,
8353 * because ECDSA may ignore the last few bits of the input. */
8354 input_data->x[0] ^= 1;
8355 TEST_EQUAL(psa_verify_message(key, alg,
8356 input_data->x, input_data->len,
8357 signature, signature_length),
8358 PSA_ERROR_INVALID_SIGNATURE);
8359 }
8360
8361exit:
8362 psa_reset_key_attributes(&attributes);
8363
8364 psa_destroy_key(key);
8365 mbedtls_free(signature);
8366 PSA_DONE();
8367}
8368/* END_CASE */
8369
8370/* BEGIN_CASE */
8371void verify_message(int key_type_arg,
8372 data_t *key_data,
8373 int alg_arg,
8374 data_t *input_data,
8375 data_t *signature_data)
8376{
8377 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8378 psa_key_type_t key_type = key_type_arg;
8379 psa_algorithm_t alg = alg_arg;
8380 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8381
8382 TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE);
8383
8384 PSA_ASSERT(psa_crypto_init());
8385
8386 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_MESSAGE);
8387 psa_set_key_algorithm(&attributes, alg);
8388 psa_set_key_type(&attributes, key_type);
8389
8390 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8391 &key));
8392
8393 PSA_ASSERT(psa_verify_message(key, alg,
8394 input_data->x, input_data->len,
8395 signature_data->x, signature_data->len));
8396
8397exit:
8398 psa_reset_key_attributes(&attributes);
8399 psa_destroy_key(key);
8400 PSA_DONE();
8401}
8402/* END_CASE */
8403
8404/* BEGIN_CASE */
8405void verify_message_fail(int key_type_arg,
8406 data_t *key_data,
8407 int alg_arg,
8408 data_t *hash_data,
8409 data_t *signature_data,
8410 int expected_status_arg)
8411{
8412 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8413 psa_key_type_t key_type = key_type_arg;
8414 psa_algorithm_t alg = alg_arg;
8415 psa_status_t actual_status;
8416 psa_status_t expected_status = expected_status_arg;
8417 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8418
8419 PSA_ASSERT(psa_crypto_init());
8420
8421 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_MESSAGE);
8422 psa_set_key_algorithm(&attributes, alg);
8423 psa_set_key_type(&attributes, key_type);
8424
8425 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8426 &key));
8427
8428 actual_status = psa_verify_message(key, alg,
8429 hash_data->x, hash_data->len,
8430 signature_data->x,
8431 signature_data->len);
8432 TEST_EQUAL(actual_status, expected_status);
8433
8434exit:
8435 psa_reset_key_attributes(&attributes);
8436 psa_destroy_key(key);
8437 PSA_DONE();
8438}
8439/* END_CASE */
8440
8441/* BEGIN_CASE */
8442void asymmetric_encrypt(int key_type_arg,
gabor-mezei-arm53028482021-04-15 18:19:50 +02008443 data_t *key_data,
8444 int alg_arg,
8445 data_t *input_data,
Gilles Peskine449bd832023-01-11 14:50:10 +01008446 data_t *label,
8447 int expected_output_length_arg,
8448 int expected_status_arg)
Gilles Peskine656896e2018-06-29 19:12:28 +02008449{
Ronald Cron5425a212020-08-04 14:58:35 +02008450 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine656896e2018-06-29 19:12:28 +02008451 psa_key_type_t key_type = key_type_arg;
8452 psa_algorithm_t alg = alg_arg;
8453 size_t expected_output_length = expected_output_length_arg;
8454 size_t key_bits;
8455 unsigned char *output = NULL;
8456 size_t output_size;
8457 size_t output_length = ~0;
8458 psa_status_t actual_status;
8459 psa_status_t expected_status = expected_status_arg;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02008460 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine656896e2018-06-29 19:12:28 +02008461
Gilles Peskine449bd832023-01-11 14:50:10 +01008462 PSA_ASSERT(psa_crypto_init());
Gilles Peskinebdf309c2018-12-03 15:36:32 +01008463
Gilles Peskine656896e2018-06-29 19:12:28 +02008464 /* Import the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01008465 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
8466 psa_set_key_algorithm(&attributes, alg);
8467 psa_set_key_type(&attributes, key_type);
8468 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8469 &key));
Gilles Peskine656896e2018-06-29 19:12:28 +02008470
8471 /* Determine the maximum output length */
Gilles Peskine449bd832023-01-11 14:50:10 +01008472 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8473 key_bits = psa_get_key_bits(&attributes);
gabor-mezei-armceface22021-01-21 12:26:17 +01008474
Gilles Peskine449bd832023-01-11 14:50:10 +01008475 output_size = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg);
8476 TEST_LE_U(output_size, PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008477 TEST_CALLOC(output, output_size);
Gilles Peskine656896e2018-06-29 19:12:28 +02008478
8479 /* Encrypt the input */
Gilles Peskine449bd832023-01-11 14:50:10 +01008480 actual_status = psa_asymmetric_encrypt(key, alg,
8481 input_data->x, input_data->len,
8482 label->x, label->len,
8483 output, output_size,
8484 &output_length);
8485 TEST_EQUAL(actual_status, expected_status);
oberon-sk10c0f772023-02-13 13:42:02 +01008486 if (actual_status == PSA_SUCCESS) {
8487 TEST_EQUAL(output_length, expected_output_length);
Stephan Koch5819d2c2023-02-22 13:39:21 +01008488 } else {
8489 TEST_LE_U(output_length, output_size);
oberon-sk10c0f772023-02-13 13:42:02 +01008490 }
Gilles Peskine656896e2018-06-29 19:12:28 +02008491
Gilles Peskine68428122018-06-30 18:42:41 +02008492 /* If the label is empty, the test framework puts a non-null pointer
8493 * in label->x. Test that a null pointer works as well. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008494 if (label->len == 0) {
Gilles Peskine68428122018-06-30 18:42:41 +02008495 output_length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01008496 if (output_size != 0) {
8497 memset(output, 0, output_size);
8498 }
8499 actual_status = psa_asymmetric_encrypt(key, alg,
8500 input_data->x, input_data->len,
8501 NULL, label->len,
8502 output, output_size,
8503 &output_length);
8504 TEST_EQUAL(actual_status, expected_status);
oberon-sk10c0f772023-02-13 13:42:02 +01008505 if (actual_status == PSA_SUCCESS) {
8506 TEST_EQUAL(output_length, expected_output_length);
Stephan Koch5819d2c2023-02-22 13:39:21 +01008507 } else {
8508 TEST_LE_U(output_length, output_size);
oberon-sk10c0f772023-02-13 13:42:02 +01008509 }
Gilles Peskine68428122018-06-30 18:42:41 +02008510 }
8511
Gilles Peskine656896e2018-06-29 19:12:28 +02008512exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01008513 /*
8514 * Key attributes may have been returned by psa_get_key_attributes()
8515 * thus reset them as required.
8516 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008517 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01008518
Gilles Peskine449bd832023-01-11 14:50:10 +01008519 psa_destroy_key(key);
8520 mbedtls_free(output);
8521 PSA_DONE();
Gilles Peskine656896e2018-06-29 19:12:28 +02008522}
8523/* END_CASE */
8524
8525/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008526void asymmetric_encrypt_decrypt(int key_type_arg,
8527 data_t *key_data,
8528 int alg_arg,
8529 data_t *input_data,
8530 data_t *label)
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008531{
Ronald Cron5425a212020-08-04 14:58:35 +02008532 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008533 psa_key_type_t key_type = key_type_arg;
8534 psa_algorithm_t alg = alg_arg;
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008535 size_t key_bits;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008536 unsigned char *output = NULL;
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008537 size_t output_size;
8538 size_t output_length = ~0;
Nir Sonnenschein0f3bdbd2018-05-02 23:56:12 +03008539 unsigned char *output2 = NULL;
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008540 size_t output2_size;
8541 size_t output2_length = ~0;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02008542 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008543
Gilles Peskine449bd832023-01-11 14:50:10 +01008544 PSA_ASSERT(psa_crypto_init());
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008545
Gilles Peskine449bd832023-01-11 14:50:10 +01008546 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
8547 psa_set_key_algorithm(&attributes, alg);
8548 psa_set_key_type(&attributes, key_type);
Nir Sonnenscheind7082602018-06-04 16:45:27 +03008549
Gilles Peskine449bd832023-01-11 14:50:10 +01008550 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8551 &key));
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008552
8553 /* Determine the maximum ciphertext length */
Gilles Peskine449bd832023-01-11 14:50:10 +01008554 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8555 key_bits = psa_get_key_bits(&attributes);
gabor-mezei-armceface22021-01-21 12:26:17 +01008556
Gilles Peskine449bd832023-01-11 14:50:10 +01008557 output_size = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg);
8558 TEST_LE_U(output_size, PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008559 TEST_CALLOC(output, output_size);
gabor-mezei-armceface22021-01-21 12:26:17 +01008560
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008561 output2_size = input_data->len;
Gilles Peskine449bd832023-01-11 14:50:10 +01008562 TEST_LE_U(output2_size,
8563 PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg));
8564 TEST_LE_U(output2_size, PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008565 TEST_CALLOC(output2, output2_size);
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008566
Gilles Peskineeebd7382018-06-08 18:11:54 +02008567 /* We test encryption by checking that encrypt-then-decrypt gives back
8568 * the original plaintext because of the non-optional random
8569 * part of encryption process which prevents using fixed vectors. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008570 PSA_ASSERT(psa_asymmetric_encrypt(key, alg,
8571 input_data->x, input_data->len,
8572 label->x, label->len,
8573 output, output_size,
8574 &output_length));
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008575 /* We don't know what ciphertext length to expect, but check that
8576 * it looks sensible. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008577 TEST_LE_U(output_length, output_size);
Nir Sonnenschein0f3bdbd2018-05-02 23:56:12 +03008578
Gilles Peskine449bd832023-01-11 14:50:10 +01008579 PSA_ASSERT(psa_asymmetric_decrypt(key, alg,
8580 output, output_length,
8581 label->x, label->len,
8582 output2, output2_size,
8583 &output2_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01008584 TEST_MEMORY_COMPARE(input_data->x, input_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01008585 output2, output2_length);
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008586
8587exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01008588 /*
8589 * Key attributes may have been returned by psa_get_key_attributes()
8590 * thus reset them as required.
8591 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008592 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01008593
Gilles Peskine449bd832023-01-11 14:50:10 +01008594 psa_destroy_key(key);
8595 mbedtls_free(output);
8596 mbedtls_free(output2);
8597 PSA_DONE();
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008598}
8599/* END_CASE */
8600
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008601/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008602void asymmetric_decrypt(int key_type_arg,
8603 data_t *key_data,
8604 int alg_arg,
8605 data_t *input_data,
8606 data_t *label,
8607 data_t *expected_data)
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008608{
Ronald Cron5425a212020-08-04 14:58:35 +02008609 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008610 psa_key_type_t key_type = key_type_arg;
8611 psa_algorithm_t alg = alg_arg;
gabor-mezei-armceface22021-01-21 12:26:17 +01008612 size_t key_bits;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008613 unsigned char *output = NULL;
Nir Sonnenscheind70bc482018-06-04 16:31:13 +03008614 size_t output_size = 0;
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008615 size_t output_length = ~0;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02008616 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008617
Gilles Peskine449bd832023-01-11 14:50:10 +01008618 PSA_ASSERT(psa_crypto_init());
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008619
Gilles Peskine449bd832023-01-11 14:50:10 +01008620 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
8621 psa_set_key_algorithm(&attributes, alg);
8622 psa_set_key_type(&attributes, key_type);
Nir Sonnenscheind7082602018-06-04 16:45:27 +03008623
Gilles Peskine449bd832023-01-11 14:50:10 +01008624 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8625 &key));
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008626
Gilles Peskine449bd832023-01-11 14:50:10 +01008627 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8628 key_bits = psa_get_key_bits(&attributes);
gabor-mezei-armceface22021-01-21 12:26:17 +01008629
8630 /* Determine the maximum ciphertext length */
Gilles Peskine449bd832023-01-11 14:50:10 +01008631 output_size = PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg);
8632 TEST_LE_U(output_size, PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008633 TEST_CALLOC(output, output_size);
gabor-mezei-armceface22021-01-21 12:26:17 +01008634
Gilles Peskine449bd832023-01-11 14:50:10 +01008635 PSA_ASSERT(psa_asymmetric_decrypt(key, alg,
8636 input_data->x, input_data->len,
8637 label->x, label->len,
8638 output,
8639 output_size,
8640 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01008641 TEST_MEMORY_COMPARE(expected_data->x, expected_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01008642 output, output_length);
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008643
Gilles Peskine68428122018-06-30 18:42:41 +02008644 /* If the label is empty, the test framework puts a non-null pointer
8645 * in label->x. Test that a null pointer works as well. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008646 if (label->len == 0) {
Gilles Peskine68428122018-06-30 18:42:41 +02008647 output_length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01008648 if (output_size != 0) {
8649 memset(output, 0, output_size);
8650 }
8651 PSA_ASSERT(psa_asymmetric_decrypt(key, alg,
8652 input_data->x, input_data->len,
8653 NULL, label->len,
8654 output,
8655 output_size,
8656 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01008657 TEST_MEMORY_COMPARE(expected_data->x, expected_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01008658 output, output_length);
Gilles Peskine68428122018-06-30 18:42:41 +02008659 }
8660
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008661exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008662 psa_reset_key_attributes(&attributes);
8663 psa_destroy_key(key);
8664 mbedtls_free(output);
8665 PSA_DONE();
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008666}
8667/* END_CASE */
8668
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008669/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008670void asymmetric_decrypt_fail(int key_type_arg,
8671 data_t *key_data,
8672 int alg_arg,
8673 data_t *input_data,
8674 data_t *label,
8675 int output_size_arg,
8676 int expected_status_arg)
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008677{
Ronald Cron5425a212020-08-04 14:58:35 +02008678 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008679 psa_key_type_t key_type = key_type_arg;
8680 psa_algorithm_t alg = alg_arg;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008681 unsigned char *output = NULL;
Jaeden Amerof8daab72019-02-06 12:57:46 +00008682 size_t output_size = output_size_arg;
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008683 size_t output_length = ~0;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008684 psa_status_t actual_status;
8685 psa_status_t expected_status = expected_status_arg;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02008686 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008687
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008688 TEST_CALLOC(output, output_size);
Gilles Peskine5b051bc2018-05-31 13:25:48 +02008689
Gilles Peskine449bd832023-01-11 14:50:10 +01008690 PSA_ASSERT(psa_crypto_init());
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008691
Gilles Peskine449bd832023-01-11 14:50:10 +01008692 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
8693 psa_set_key_algorithm(&attributes, alg);
8694 psa_set_key_type(&attributes, key_type);
Nir Sonnenscheind7082602018-06-04 16:45:27 +03008695
Gilles Peskine449bd832023-01-11 14:50:10 +01008696 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8697 &key));
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008698
Gilles Peskine449bd832023-01-11 14:50:10 +01008699 actual_status = psa_asymmetric_decrypt(key, alg,
8700 input_data->x, input_data->len,
8701 label->x, label->len,
8702 output, output_size,
8703 &output_length);
8704 TEST_EQUAL(actual_status, expected_status);
8705 TEST_LE_U(output_length, output_size);
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008706
Gilles Peskine68428122018-06-30 18:42:41 +02008707 /* If the label is empty, the test framework puts a non-null pointer
8708 * in label->x. Test that a null pointer works as well. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008709 if (label->len == 0) {
Gilles Peskine68428122018-06-30 18:42:41 +02008710 output_length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01008711 if (output_size != 0) {
8712 memset(output, 0, output_size);
8713 }
8714 actual_status = psa_asymmetric_decrypt(key, alg,
8715 input_data->x, input_data->len,
8716 NULL, label->len,
8717 output, output_size,
8718 &output_length);
8719 TEST_EQUAL(actual_status, expected_status);
8720 TEST_LE_U(output_length, output_size);
Gilles Peskine68428122018-06-30 18:42:41 +02008721 }
8722
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008723exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008724 psa_reset_key_attributes(&attributes);
8725 psa_destroy_key(key);
8726 mbedtls_free(output);
8727 PSA_DONE();
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008728}
Gilles Peskine5b051bc2018-05-31 13:25:48 +02008729/* END_CASE */
Gilles Peskine05d69892018-06-19 22:00:52 +02008730
8731/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008732void key_derivation_init()
Jaeden Amerod94d6712019-01-04 14:11:48 +00008733{
8734 /* Test each valid way of initializing the object, except for `= {0}`, as
8735 * Clang 5 complains when `-Wmissing-field-initializers` is used, even
8736 * though it's OK by the C standard. We could test for this, but we'd need
Shaun Case8b0ecbc2021-12-20 21:14:10 -08008737 * to suppress the Clang warning for the test. */
Jaeden Amero5229bbb2019-02-07 16:33:37 +00008738 size_t capacity;
Gilles Peskine449bd832023-01-11 14:50:10 +01008739 psa_key_derivation_operation_t func = psa_key_derivation_operation_init();
Gilles Peskinea99d3fb2019-05-16 15:28:51 +02008740 psa_key_derivation_operation_t init = PSA_KEY_DERIVATION_OPERATION_INIT;
8741 psa_key_derivation_operation_t zero;
Jaeden Amerod94d6712019-01-04 14:11:48 +00008742
Gilles Peskine449bd832023-01-11 14:50:10 +01008743 memset(&zero, 0, sizeof(zero));
Jaeden Amerod94d6712019-01-04 14:11:48 +00008744
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008745 /* A default operation should not be able to report its capacity. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008746 TEST_EQUAL(psa_key_derivation_get_capacity(&func, &capacity),
8747 PSA_ERROR_BAD_STATE);
8748 TEST_EQUAL(psa_key_derivation_get_capacity(&init, &capacity),
8749 PSA_ERROR_BAD_STATE);
8750 TEST_EQUAL(psa_key_derivation_get_capacity(&zero, &capacity),
8751 PSA_ERROR_BAD_STATE);
Jaeden Amero5229bbb2019-02-07 16:33:37 +00008752
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008753 /* A default operation should be abortable without error. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008754 PSA_ASSERT(psa_key_derivation_abort(&func));
8755 PSA_ASSERT(psa_key_derivation_abort(&init));
8756 PSA_ASSERT(psa_key_derivation_abort(&zero));
Jaeden Amerod94d6712019-01-04 14:11:48 +00008757}
8758/* END_CASE */
8759
Janos Follath16de4a42019-06-13 16:32:24 +01008760/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008761void derive_setup(int alg_arg, int expected_status_arg)
Gilles Peskineea0fb492018-07-12 17:17:20 +02008762{
Gilles Peskineea0fb492018-07-12 17:17:20 +02008763 psa_algorithm_t alg = alg_arg;
Gilles Peskineea0fb492018-07-12 17:17:20 +02008764 psa_status_t expected_status = expected_status_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008765 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineea0fb492018-07-12 17:17:20 +02008766
Gilles Peskine449bd832023-01-11 14:50:10 +01008767 PSA_ASSERT(psa_crypto_init());
Gilles Peskineea0fb492018-07-12 17:17:20 +02008768
Gilles Peskine449bd832023-01-11 14:50:10 +01008769 TEST_EQUAL(psa_key_derivation_setup(&operation, alg),
8770 expected_status);
Gilles Peskineea0fb492018-07-12 17:17:20 +02008771
8772exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008773 psa_key_derivation_abort(&operation);
8774 PSA_DONE();
Gilles Peskineea0fb492018-07-12 17:17:20 +02008775}
8776/* END_CASE */
8777
Janos Follathaf3c2a02019-06-12 12:34:34 +01008778/* BEGIN_CASE */
Kusumit Ghoderao9ffd3972023-12-01 16:40:13 +05308779void derive_set_capacity(int alg_arg, int64_t capacity_arg,
Gilles Peskine449bd832023-01-11 14:50:10 +01008780 int expected_status_arg)
Janos Follatha27c9272019-06-14 09:59:36 +01008781{
8782 psa_algorithm_t alg = alg_arg;
8783 size_t capacity = capacity_arg;
8784 psa_status_t expected_status = expected_status_arg;
8785 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
8786
Gilles Peskine449bd832023-01-11 14:50:10 +01008787 PSA_ASSERT(psa_crypto_init());
Janos Follatha27c9272019-06-14 09:59:36 +01008788
Gilles Peskine449bd832023-01-11 14:50:10 +01008789 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
Janos Follatha27c9272019-06-14 09:59:36 +01008790
Gilles Peskine449bd832023-01-11 14:50:10 +01008791 TEST_EQUAL(psa_key_derivation_set_capacity(&operation, capacity),
8792 expected_status);
Janos Follatha27c9272019-06-14 09:59:36 +01008793
8794exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008795 psa_key_derivation_abort(&operation);
8796 PSA_DONE();
Janos Follatha27c9272019-06-14 09:59:36 +01008797}
8798/* END_CASE */
8799
8800/* BEGIN_CASE */
Kusumit Ghoderaod60dfc02023-05-01 17:39:27 +05308801void parse_binary_string_test(data_t *input, int output)
8802{
8803 uint64_t value;
Kusumit Ghoderao7c61ffc2023-09-05 19:29:47 +05308804 value = mbedtls_test_parse_binary_string(input);
Kusumit Ghoderaod60dfc02023-05-01 17:39:27 +05308805 TEST_EQUAL(value, output);
8806}
8807/* END_CASE */
8808
8809/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008810void derive_input(int alg_arg,
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308811 int step_arg1, int key_type_arg1, data_t *input1,
8812 int expected_status_arg1,
8813 int step_arg2, int key_type_arg2, data_t *input2,
8814 int expected_status_arg2,
8815 int step_arg3, int key_type_arg3, data_t *input3,
8816 int expected_status_arg3,
Gilles Peskine449bd832023-01-11 14:50:10 +01008817 int output_key_type_arg, int expected_output_status_arg)
Janos Follathaf3c2a02019-06-12 12:34:34 +01008818{
8819 psa_algorithm_t alg = alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01008820 psa_key_derivation_step_t steps[] = { step_arg1, step_arg2, step_arg3 };
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308821 uint32_t key_types[] = { key_type_arg1, key_type_arg2, key_type_arg3 };
Gilles Peskine449bd832023-01-11 14:50:10 +01008822 psa_status_t expected_statuses[] = { expected_status_arg1,
8823 expected_status_arg2,
8824 expected_status_arg3 };
8825 data_t *inputs[] = { input1, input2, input3 };
Ronald Cron5425a212020-08-04 14:58:35 +02008826 mbedtls_svc_key_id_t keys[] = { MBEDTLS_SVC_KEY_ID_INIT,
8827 MBEDTLS_SVC_KEY_ID_INIT,
8828 MBEDTLS_SVC_KEY_ID_INIT };
Janos Follathaf3c2a02019-06-12 12:34:34 +01008829 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
8830 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8831 size_t i;
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008832 psa_key_type_t output_key_type = output_key_type_arg;
Ronald Cron5425a212020-08-04 14:58:35 +02008833 mbedtls_svc_key_id_t output_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008834 psa_status_t expected_output_status = expected_output_status_arg;
8835 psa_status_t actual_output_status;
Janos Follathaf3c2a02019-06-12 12:34:34 +01008836
Gilles Peskine449bd832023-01-11 14:50:10 +01008837 PSA_ASSERT(psa_crypto_init());
Janos Follathaf3c2a02019-06-12 12:34:34 +01008838
Gilles Peskine449bd832023-01-11 14:50:10 +01008839 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
8840 psa_set_key_algorithm(&attributes, alg);
Janos Follathaf3c2a02019-06-12 12:34:34 +01008841
Waleed Elmelegycba05ec2025-03-03 12:48:40 +00008842 if (alg != PSA_ALG_NONE) {
Waleed Elmelegyb6ed6f72025-03-03 12:42:55 +00008843 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
8844 }
Janos Follathaf3c2a02019-06-12 12:34:34 +01008845
Gilles Peskine449bd832023-01-11 14:50:10 +01008846 for (i = 0; i < ARRAY_LENGTH(steps); i++) {
8847 mbedtls_test_set_step(i);
8848 if (steps[i] == 0) {
Gilles Peskine4023c012021-05-27 13:21:20 +02008849 /* Skip this step */
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308850 } else if (((psa_key_type_t) key_types[i]) != PSA_KEY_TYPE_NONE &&
8851 key_types[i] != INPUT_INTEGER) {
8852 psa_set_key_type(&attributes, ((psa_key_type_t) key_types[i]));
Gilles Peskine449bd832023-01-11 14:50:10 +01008853 PSA_ASSERT(psa_import_key(&attributes,
8854 inputs[i]->x, inputs[i]->len,
8855 &keys[i]));
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308856 if (PSA_KEY_TYPE_IS_KEY_PAIR((psa_key_type_t) key_types[i]) &&
Gilles Peskine449bd832023-01-11 14:50:10 +01008857 steps[i] == PSA_KEY_DERIVATION_INPUT_SECRET) {
Steven Cooreman0ee0d522020-10-05 16:03:42 +02008858 // When taking a private key as secret input, use key agreement
8859 // to add the shared secret to the derivation
Gilles Peskine449bd832023-01-11 14:50:10 +01008860 TEST_EQUAL(mbedtls_test_psa_key_agreement_with_self(
Ryan Everett73e4ea32024-03-12 16:29:55 +00008861 &operation, keys[i], 0),
Gilles Peskine449bd832023-01-11 14:50:10 +01008862 expected_statuses[i]);
8863 } else {
8864 TEST_EQUAL(psa_key_derivation_input_key(&operation, steps[i],
8865 keys[i]),
8866 expected_statuses[i]);
Steven Cooreman0ee0d522020-10-05 16:03:42 +02008867 }
Gilles Peskine449bd832023-01-11 14:50:10 +01008868 } else {
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308869 if (key_types[i] == INPUT_INTEGER) {
8870 TEST_EQUAL(psa_key_derivation_input_integer(
8871 &operation, steps[i],
Kusumit Ghoderao7c61ffc2023-09-05 19:29:47 +05308872 mbedtls_test_parse_binary_string(inputs[i])),
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308873 expected_statuses[i]);
8874 } else {
Kusumit Ghoderao02326d52023-04-06 17:47:59 +05308875 TEST_EQUAL(psa_key_derivation_input_bytes(
8876 &operation, steps[i],
8877 inputs[i]->x, inputs[i]->len),
8878 expected_statuses[i]);
Kusumit Ghoderao02326d52023-04-06 17:47:59 +05308879 }
Janos Follathaf3c2a02019-06-12 12:34:34 +01008880 }
8881 }
8882
Gilles Peskine449bd832023-01-11 14:50:10 +01008883 if (output_key_type != PSA_KEY_TYPE_NONE) {
8884 psa_reset_key_attributes(&attributes);
8885 psa_set_key_type(&attributes, output_key_type);
8886 psa_set_key_bits(&attributes, 8);
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008887 actual_output_status =
Gilles Peskine449bd832023-01-11 14:50:10 +01008888 psa_key_derivation_output_key(&attributes, &operation,
8889 &output_key);
8890 } else {
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008891 uint8_t buffer[1];
8892 actual_output_status =
Gilles Peskine449bd832023-01-11 14:50:10 +01008893 psa_key_derivation_output_bytes(&operation,
8894 buffer, sizeof(buffer));
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008895 }
Gilles Peskine449bd832023-01-11 14:50:10 +01008896 TEST_EQUAL(actual_output_status, expected_output_status);
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008897
Janos Follathaf3c2a02019-06-12 12:34:34 +01008898exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008899 psa_key_derivation_abort(&operation);
8900 for (i = 0; i < ARRAY_LENGTH(keys); i++) {
8901 psa_destroy_key(keys[i]);
8902 }
8903 psa_destroy_key(output_key);
8904 PSA_DONE();
Janos Follathaf3c2a02019-06-12 12:34:34 +01008905}
8906/* END_CASE */
8907
Kusumit Ghoderao42b02b92023-06-06 16:48:46 +05308908/* BEGIN_CASE*/
8909void derive_input_invalid_cost(int alg_arg, int64_t cost)
8910{
8911 psa_algorithm_t alg = alg_arg;
8912 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
8913
8914 PSA_ASSERT(psa_crypto_init());
8915 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
8916
8917 TEST_EQUAL(psa_key_derivation_input_integer(&operation,
8918 PSA_KEY_DERIVATION_INPUT_COST,
8919 cost),
8920 PSA_ERROR_NOT_SUPPORTED);
8921
8922exit:
8923 psa_key_derivation_abort(&operation);
8924 PSA_DONE();
8925}
8926/* END_CASE*/
8927
Janos Follathd958bb72019-07-03 15:02:16 +01008928/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008929void derive_over_capacity(int alg_arg)
Nir Sonnenscheine5204c92018-10-22 17:24:55 +03008930{
Janos Follathd958bb72019-07-03 15:02:16 +01008931 psa_algorithm_t alg = alg_arg;
Ronald Cron5425a212020-08-04 14:58:35 +02008932 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Nir Sonnenschein4eda37b2018-10-31 12:15:58 +02008933 size_t key_type = PSA_KEY_TYPE_DERIVE;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008934 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Janos Follathd958bb72019-07-03 15:02:16 +01008935 unsigned char input1[] = "Input 1";
Gilles Peskine449bd832023-01-11 14:50:10 +01008936 size_t input1_length = sizeof(input1);
Janos Follathd958bb72019-07-03 15:02:16 +01008937 unsigned char input2[] = "Input 2";
Gilles Peskine449bd832023-01-11 14:50:10 +01008938 size_t input2_length = sizeof(input2);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008939 uint8_t buffer[42];
Gilles Peskine449bd832023-01-11 14:50:10 +01008940 size_t capacity = sizeof(buffer);
Nir Sonnenscheindd69d8b2018-11-01 12:24:23 +02008941 const uint8_t key_data[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
8942 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
Gilles Peskine449bd832023-01-11 14:50:10 +01008943 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02008944 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Nir Sonnenscheine5204c92018-10-22 17:24:55 +03008945
Gilles Peskine449bd832023-01-11 14:50:10 +01008946 PSA_ASSERT(psa_crypto_init());
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008947
Gilles Peskine449bd832023-01-11 14:50:10 +01008948 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
8949 psa_set_key_algorithm(&attributes, alg);
8950 psa_set_key_type(&attributes, key_type);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008951
Gilles Peskine449bd832023-01-11 14:50:10 +01008952 PSA_ASSERT(psa_import_key(&attributes,
8953 key_data, sizeof(key_data),
8954 &key));
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008955
8956 /* valid key derivation */
Gilles Peskine449bd832023-01-11 14:50:10 +01008957 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, key, alg,
8958 input1, input1_length,
8959 input2, input2_length,
Ryan Everettc1cc6682024-03-12 16:17:43 +00008960 capacity, 0)) {
Janos Follathd958bb72019-07-03 15:02:16 +01008961 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01008962 }
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008963
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008964 /* state of operation shouldn't allow additional generation */
Gilles Peskine449bd832023-01-11 14:50:10 +01008965 TEST_EQUAL(psa_key_derivation_setup(&operation, alg),
8966 PSA_ERROR_BAD_STATE);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008967
Gilles Peskine449bd832023-01-11 14:50:10 +01008968 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, buffer, capacity));
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008969
Gilles Peskine449bd832023-01-11 14:50:10 +01008970 TEST_EQUAL(psa_key_derivation_output_bytes(&operation, buffer, capacity),
8971 PSA_ERROR_INSUFFICIENT_DATA);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008972
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008973exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008974 psa_key_derivation_abort(&operation);
8975 psa_destroy_key(key);
8976 PSA_DONE();
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008977}
8978/* END_CASE */
8979
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008980/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008981void derive_actions_without_setup()
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008982{
8983 uint8_t output_buffer[16];
8984 size_t buffer_size = 16;
8985 size_t capacity = 0;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008986 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008987
Gilles Peskine449bd832023-01-11 14:50:10 +01008988 TEST_ASSERT(psa_key_derivation_output_bytes(&operation,
8989 output_buffer, buffer_size)
8990 == PSA_ERROR_BAD_STATE);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008991
Gilles Peskine449bd832023-01-11 14:50:10 +01008992 TEST_ASSERT(psa_key_derivation_get_capacity(&operation, &capacity)
8993 == PSA_ERROR_BAD_STATE);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008994
Gilles Peskine449bd832023-01-11 14:50:10 +01008995 PSA_ASSERT(psa_key_derivation_abort(&operation));
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008996
Gilles Peskine449bd832023-01-11 14:50:10 +01008997 TEST_ASSERT(psa_key_derivation_output_bytes(&operation,
8998 output_buffer, buffer_size)
8999 == PSA_ERROR_BAD_STATE);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03009000
Gilles Peskine449bd832023-01-11 14:50:10 +01009001 TEST_ASSERT(psa_key_derivation_get_capacity(&operation, &capacity)
9002 == PSA_ERROR_BAD_STATE);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03009003
9004exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009005 psa_key_derivation_abort(&operation);
Nir Sonnenscheine5204c92018-10-22 17:24:55 +03009006}
9007/* END_CASE */
9008
9009/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009010void derive_output(int alg_arg,
9011 int step1_arg, data_t *input1, int expected_status_arg1,
9012 int step2_arg, data_t *input2, int expected_status_arg2,
9013 int step3_arg, data_t *input3, int expected_status_arg3,
9014 int step4_arg, data_t *input4, int expected_status_arg4,
9015 data_t *key_agreement_peer_key,
9016 int requested_capacity_arg,
9017 data_t *expected_output1,
9018 data_t *expected_output2,
9019 int other_key_input_type,
9020 int key_input_type,
9021 int derive_type)
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009022{
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009023 psa_algorithm_t alg = alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01009024 psa_key_derivation_step_t steps[] = { step1_arg, step2_arg, step3_arg, step4_arg };
9025 data_t *inputs[] = { input1, input2, input3, input4 };
9026 mbedtls_svc_key_id_t keys[] = { MBEDTLS_SVC_KEY_ID_INIT,
9027 MBEDTLS_SVC_KEY_ID_INIT,
9028 MBEDTLS_SVC_KEY_ID_INIT,
9029 MBEDTLS_SVC_KEY_ID_INIT };
9030 psa_status_t statuses[] = { expected_status_arg1, expected_status_arg2,
9031 expected_status_arg3, expected_status_arg4 };
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009032 size_t requested_capacity = requested_capacity_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009033 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009034 uint8_t *expected_outputs[2] =
Gilles Peskine449bd832023-01-11 14:50:10 +01009035 { expected_output1->x, expected_output2->x };
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009036 size_t output_sizes[2] =
Gilles Peskine449bd832023-01-11 14:50:10 +01009037 { expected_output1->len, expected_output2->len };
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009038 size_t output_buffer_size = 0;
9039 uint8_t *output_buffer = NULL;
9040 size_t expected_capacity;
9041 size_t current_capacity;
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009042 psa_key_attributes_t attributes1 = PSA_KEY_ATTRIBUTES_INIT;
9043 psa_key_attributes_t attributes2 = PSA_KEY_ATTRIBUTES_INIT;
9044 psa_key_attributes_t attributes3 = PSA_KEY_ATTRIBUTES_INIT;
9045 psa_key_attributes_t attributes4 = PSA_KEY_ATTRIBUTES_INIT;
Przemek Stekiel4daaa2b2022-04-20 10:06:38 +02009046 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009047 psa_status_t status;
Gilles Peskine1468da72019-05-29 17:35:49 +02009048 size_t i;
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009049
Gilles Peskine449bd832023-01-11 14:50:10 +01009050 for (i = 0; i < ARRAY_LENGTH(expected_outputs); i++) {
9051 if (output_sizes[i] > output_buffer_size) {
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009052 output_buffer_size = output_sizes[i];
Gilles Peskine449bd832023-01-11 14:50:10 +01009053 }
9054 if (output_sizes[i] == 0) {
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009055 expected_outputs[i] = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +01009056 }
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009057 }
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009058 TEST_CALLOC(output_buffer, output_buffer_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01009059 PSA_ASSERT(psa_crypto_init());
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009060
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009061 /* Extraction phase. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009062 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
9063 PSA_ASSERT(psa_key_derivation_set_capacity(&operation,
9064 requested_capacity));
9065 for (i = 0; i < ARRAY_LENGTH(steps); i++) {
9066 switch (steps[i]) {
Gilles Peskine1468da72019-05-29 17:35:49 +02009067 case 0:
9068 break;
Kusumit Ghoderao81797fc2023-06-05 15:05:09 +05309069 case PSA_KEY_DERIVATION_INPUT_COST:
9070 TEST_EQUAL(psa_key_derivation_input_integer(
Kusumit Ghoderaof28e0f52023-06-06 15:03:22 +05309071 &operation, steps[i],
Kusumit Ghoderao7c61ffc2023-09-05 19:29:47 +05309072 mbedtls_test_parse_binary_string(inputs[i])),
Kusumit Ghoderaof28e0f52023-06-06 15:03:22 +05309073 statuses[i]);
Kusumit Ghoderao81797fc2023-06-05 15:05:09 +05309074 if (statuses[i] != PSA_SUCCESS) {
9075 goto exit;
9076 }
9077 break;
9078 case PSA_KEY_DERIVATION_INPUT_PASSWORD:
Gilles Peskine1468da72019-05-29 17:35:49 +02009079 case PSA_KEY_DERIVATION_INPUT_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +01009080 switch (key_input_type) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009081 case 0: // input bytes
Gilles Peskine449bd832023-01-11 14:50:10 +01009082 TEST_EQUAL(psa_key_derivation_input_bytes(
9083 &operation, steps[i],
9084 inputs[i]->x, inputs[i]->len),
9085 statuses[i]);
Przemek Stekielfcdd0232022-05-19 10:28:58 +02009086
Gilles Peskine449bd832023-01-11 14:50:10 +01009087 if (statuses[i] != PSA_SUCCESS) {
Przemek Stekielfcdd0232022-05-19 10:28:58 +02009088 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009089 }
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009090 break;
9091 case 1: // input key
Gilles Peskine449bd832023-01-11 14:50:10 +01009092 psa_set_key_usage_flags(&attributes1, PSA_KEY_USAGE_DERIVE);
9093 psa_set_key_algorithm(&attributes1, alg);
9094 psa_set_key_type(&attributes1, PSA_KEY_TYPE_DERIVE);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009095
Gilles Peskine449bd832023-01-11 14:50:10 +01009096 PSA_ASSERT(psa_import_key(&attributes1,
9097 inputs[i]->x, inputs[i]->len,
9098 &keys[i]));
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009099
Gilles Peskine449bd832023-01-11 14:50:10 +01009100 if (PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) {
9101 PSA_ASSERT(psa_get_key_attributes(keys[i], &attributes1));
9102 TEST_LE_U(PSA_BITS_TO_BYTES(psa_get_key_bits(&attributes1)),
9103 PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009104 }
9105
Kusumit Ghoderao81797fc2023-06-05 15:05:09 +05309106 TEST_EQUAL(psa_key_derivation_input_key(&operation,
Gilles Peskine449bd832023-01-11 14:50:10 +01009107 steps[i],
Kusumit Ghoderao81797fc2023-06-05 15:05:09 +05309108 keys[i]),
9109 statuses[i]);
9110
9111 if (statuses[i] != PSA_SUCCESS) {
9112 goto exit;
9113 }
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009114 break;
9115 default:
Agathiyan Bragadeeshdc28a5a2023-07-18 11:45:28 +01009116 TEST_FAIL("default case not supported");
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009117 break;
9118 }
9119 break;
9120 case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +01009121 switch (other_key_input_type) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009122 case 0: // input bytes
Gilles Peskine449bd832023-01-11 14:50:10 +01009123 TEST_EQUAL(psa_key_derivation_input_bytes(&operation,
9124 steps[i],
9125 inputs[i]->x,
9126 inputs[i]->len),
9127 statuses[i]);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009128 break;
Przemek Stekiele6654662022-04-20 09:14:51 +02009129 case 1: // input key, type DERIVE
9130 case 11: // input key, type RAW
Gilles Peskine449bd832023-01-11 14:50:10 +01009131 psa_set_key_usage_flags(&attributes2, PSA_KEY_USAGE_DERIVE);
9132 psa_set_key_algorithm(&attributes2, alg);
9133 psa_set_key_type(&attributes2, PSA_KEY_TYPE_DERIVE);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009134
9135 // other secret of type RAW_DATA passed with input_key
Gilles Peskine449bd832023-01-11 14:50:10 +01009136 if (other_key_input_type == 11) {
9137 psa_set_key_type(&attributes2, PSA_KEY_TYPE_RAW_DATA);
9138 }
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009139
Gilles Peskine449bd832023-01-11 14:50:10 +01009140 PSA_ASSERT(psa_import_key(&attributes2,
9141 inputs[i]->x, inputs[i]->len,
9142 &keys[i]));
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009143
Gilles Peskine449bd832023-01-11 14:50:10 +01009144 TEST_EQUAL(psa_key_derivation_input_key(&operation,
9145 steps[i],
9146 keys[i]),
9147 statuses[i]);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009148 break;
9149 case 2: // key agreement
Gilles Peskine449bd832023-01-11 14:50:10 +01009150 psa_set_key_usage_flags(&attributes3, PSA_KEY_USAGE_DERIVE);
9151 psa_set_key_algorithm(&attributes3, alg);
9152 psa_set_key_type(&attributes3,
9153 PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009154
Gilles Peskine449bd832023-01-11 14:50:10 +01009155 PSA_ASSERT(psa_import_key(&attributes3,
9156 inputs[i]->x, inputs[i]->len,
9157 &keys[i]));
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009158
Gilles Peskine449bd832023-01-11 14:50:10 +01009159 TEST_EQUAL(psa_key_derivation_key_agreement(
9160 &operation,
9161 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET,
9162 keys[i], key_agreement_peer_key->x,
9163 key_agreement_peer_key->len), statuses[i]);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009164 break;
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009165 default:
Agathiyan Bragadeeshdc28a5a2023-07-18 11:45:28 +01009166 TEST_FAIL("default case not supported");
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009167 break;
gabor-mezei-armceface22021-01-21 12:26:17 +01009168 }
9169
Gilles Peskine449bd832023-01-11 14:50:10 +01009170 if (statuses[i] != PSA_SUCCESS) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009171 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009172 }
Gilles Peskine1468da72019-05-29 17:35:49 +02009173 break;
9174 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01009175 TEST_EQUAL(psa_key_derivation_input_bytes(
9176 &operation, steps[i],
9177 inputs[i]->x, inputs[i]->len), statuses[i]);
Przemek Stekielead1bb92022-05-11 12:22:57 +02009178
Gilles Peskine449bd832023-01-11 14:50:10 +01009179 if (statuses[i] != PSA_SUCCESS) {
Przemek Stekielead1bb92022-05-11 12:22:57 +02009180 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009181 }
Gilles Peskine1468da72019-05-29 17:35:49 +02009182 break;
9183 }
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01009184 }
Gilles Peskine1468da72019-05-29 17:35:49 +02009185
Gilles Peskine449bd832023-01-11 14:50:10 +01009186 PSA_ASSERT(psa_key_derivation_get_capacity(&operation,
9187 &current_capacity));
9188 TEST_EQUAL(current_capacity, requested_capacity);
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009189 expected_capacity = requested_capacity;
9190
Gilles Peskine449bd832023-01-11 14:50:10 +01009191 if (derive_type == 1) { // output key
Przemek Stekiel4daaa2b2022-04-20 10:06:38 +02009192 psa_status_t expected_status = PSA_ERROR_NOT_PERMITTED;
9193
9194 /* For output key derivation secret must be provided using
9195 input key, otherwise operation is not permitted. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009196 if (key_input_type == 1) {
Przemek Stekiel4daaa2b2022-04-20 10:06:38 +02009197 expected_status = PSA_SUCCESS;
Gilles Peskine449bd832023-01-11 14:50:10 +01009198 }
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009199
Gilles Peskine449bd832023-01-11 14:50:10 +01009200 psa_set_key_usage_flags(&attributes4, PSA_KEY_USAGE_EXPORT);
9201 psa_set_key_algorithm(&attributes4, alg);
9202 psa_set_key_type(&attributes4, PSA_KEY_TYPE_DERIVE);
9203 psa_set_key_bits(&attributes4, PSA_BYTES_TO_BITS(requested_capacity));
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009204
Gilles Peskine449bd832023-01-11 14:50:10 +01009205 TEST_EQUAL(psa_key_derivation_output_key(&attributes4, &operation,
9206 &derived_key), expected_status);
9207 } else { // output bytes
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009208 /* Expansion phase. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009209 for (i = 0; i < ARRAY_LENGTH(expected_outputs); i++) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009210 /* Read some bytes. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009211 status = psa_key_derivation_output_bytes(&operation,
9212 output_buffer, output_sizes[i]);
9213 if (expected_capacity == 0 && output_sizes[i] == 0) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009214 /* Reading 0 bytes when 0 bytes are available can go either way. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009215 TEST_ASSERT(status == PSA_SUCCESS ||
9216 status == PSA_ERROR_INSUFFICIENT_DATA);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009217 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +01009218 } else if (expected_capacity == 0 ||
9219 output_sizes[i] > expected_capacity) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009220 /* Capacity exceeded. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009221 TEST_EQUAL(status, PSA_ERROR_INSUFFICIENT_DATA);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009222 expected_capacity = 0;
9223 continue;
9224 }
9225 /* Success. Check the read data. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009226 PSA_ASSERT(status);
9227 if (output_sizes[i] != 0) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009228 TEST_MEMORY_COMPARE(output_buffer, output_sizes[i],
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009229 expected_outputs[i], output_sizes[i]);
Gilles Peskine449bd832023-01-11 14:50:10 +01009230 }
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009231 /* Check the operation status. */
9232 expected_capacity -= output_sizes[i];
Gilles Peskine449bd832023-01-11 14:50:10 +01009233 PSA_ASSERT(psa_key_derivation_get_capacity(&operation,
9234 &current_capacity));
9235 TEST_EQUAL(expected_capacity, current_capacity);
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009236 }
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009237 }
Gilles Peskine449bd832023-01-11 14:50:10 +01009238 PSA_ASSERT(psa_key_derivation_abort(&operation));
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009239
9240exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009241 mbedtls_free(output_buffer);
9242 psa_key_derivation_abort(&operation);
9243 for (i = 0; i < ARRAY_LENGTH(keys); i++) {
9244 psa_destroy_key(keys[i]);
9245 }
9246 psa_destroy_key(derived_key);
9247 PSA_DONE();
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009248}
9249/* END_CASE */
9250
9251/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009252void derive_full(int alg_arg,
9253 data_t *key_data,
9254 data_t *input1,
9255 data_t *input2,
9256 int requested_capacity_arg)
Gilles Peskined54931c2018-07-17 21:06:59 +02009257{
Ronald Cron5425a212020-08-04 14:58:35 +02009258 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskined54931c2018-07-17 21:06:59 +02009259 psa_algorithm_t alg = alg_arg;
9260 size_t requested_capacity = requested_capacity_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009261 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Kusumit Ghoderao9ffd3972023-12-01 16:40:13 +05309262 unsigned char output_buffer[32];
Gilles Peskined54931c2018-07-17 21:06:59 +02009263 size_t expected_capacity = requested_capacity;
9264 size_t current_capacity;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009265 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskined54931c2018-07-17 21:06:59 +02009266
Gilles Peskine449bd832023-01-11 14:50:10 +01009267 PSA_ASSERT(psa_crypto_init());
Gilles Peskined54931c2018-07-17 21:06:59 +02009268
Gilles Peskine449bd832023-01-11 14:50:10 +01009269 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9270 psa_set_key_algorithm(&attributes, alg);
9271 psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
Gilles Peskined54931c2018-07-17 21:06:59 +02009272
Gilles Peskine449bd832023-01-11 14:50:10 +01009273 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
9274 &key));
Gilles Peskined54931c2018-07-17 21:06:59 +02009275
Gilles Peskine449bd832023-01-11 14:50:10 +01009276 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, key, alg,
9277 input1->x, input1->len,
9278 input2->x, input2->len,
Ryan Everettc1cc6682024-03-12 16:17:43 +00009279 requested_capacity, 0)) {
Janos Follathf2815ea2019-07-03 12:41:36 +01009280 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009281 }
Janos Follath47f27ed2019-06-25 13:24:52 +01009282
Gilles Peskine449bd832023-01-11 14:50:10 +01009283 PSA_ASSERT(psa_key_derivation_get_capacity(&operation,
9284 &current_capacity));
9285 TEST_EQUAL(current_capacity, expected_capacity);
Gilles Peskined54931c2018-07-17 21:06:59 +02009286
9287 /* Expansion phase. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009288 while (current_capacity > 0) {
9289 size_t read_size = sizeof(output_buffer);
9290 if (read_size > current_capacity) {
Gilles Peskined54931c2018-07-17 21:06:59 +02009291 read_size = current_capacity;
Gilles Peskine449bd832023-01-11 14:50:10 +01009292 }
9293 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
9294 output_buffer,
9295 read_size));
Gilles Peskined54931c2018-07-17 21:06:59 +02009296 expected_capacity -= read_size;
Gilles Peskine449bd832023-01-11 14:50:10 +01009297 PSA_ASSERT(psa_key_derivation_get_capacity(&operation,
9298 &current_capacity));
9299 TEST_EQUAL(current_capacity, expected_capacity);
Gilles Peskined54931c2018-07-17 21:06:59 +02009300 }
9301
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009302 /* Check that the operation refuses to go over capacity. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009303 TEST_EQUAL(psa_key_derivation_output_bytes(&operation, output_buffer, 1),
9304 PSA_ERROR_INSUFFICIENT_DATA);
Gilles Peskined54931c2018-07-17 21:06:59 +02009305
Gilles Peskine449bd832023-01-11 14:50:10 +01009306 PSA_ASSERT(psa_key_derivation_abort(&operation));
Gilles Peskined54931c2018-07-17 21:06:59 +02009307
9308exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009309 psa_key_derivation_abort(&operation);
9310 psa_destroy_key(key);
9311 PSA_DONE();
Gilles Peskined54931c2018-07-17 21:06:59 +02009312}
9313/* END_CASE */
9314
Stephan Koch78109f52023-04-12 14:19:36 +02009315/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS */
Gilles Peskine449bd832023-01-11 14:50:10 +01009316void derive_ecjpake_to_pms(data_t *input, int expected_input_status_arg,
9317 int derivation_step,
9318 int capacity, int expected_capacity_status_arg,
9319 data_t *expected_output,
9320 int expected_output_status_arg)
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009321{
9322 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
9323 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Andrzej Kurekd3785042022-09-16 06:45:44 -04009324 psa_key_derivation_step_t step = (psa_key_derivation_step_t) derivation_step;
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009325 uint8_t *output_buffer = NULL;
9326 psa_status_t status;
Andrzej Kurek3539f2c2022-09-26 10:56:02 -04009327 psa_status_t expected_input_status = (psa_status_t) expected_input_status_arg;
9328 psa_status_t expected_capacity_status = (psa_status_t) expected_capacity_status_arg;
9329 psa_status_t expected_output_status = (psa_status_t) expected_output_status_arg;
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009330
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009331 TEST_CALLOC(output_buffer, expected_output->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009332 PSA_ASSERT(psa_crypto_init());
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009333
Gilles Peskine449bd832023-01-11 14:50:10 +01009334 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
9335 TEST_EQUAL(psa_key_derivation_set_capacity(&operation, capacity),
9336 expected_capacity_status);
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009337
Gilles Peskine449bd832023-01-11 14:50:10 +01009338 TEST_EQUAL(psa_key_derivation_input_bytes(&operation,
9339 step, input->x, input->len),
9340 expected_input_status);
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009341
Gilles Peskine449bd832023-01-11 14:50:10 +01009342 if (((psa_status_t) expected_input_status) != PSA_SUCCESS) {
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009343 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009344 }
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009345
Gilles Peskine449bd832023-01-11 14:50:10 +01009346 status = psa_key_derivation_output_bytes(&operation, output_buffer,
9347 expected_output->len);
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009348
Gilles Peskine449bd832023-01-11 14:50:10 +01009349 TEST_EQUAL(status, expected_output_status);
9350 if (expected_output->len != 0 && expected_output_status == PSA_SUCCESS) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009351 TEST_MEMORY_COMPARE(output_buffer, expected_output->len, expected_output->x,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009352 expected_output->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009353 }
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009354
9355exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009356 mbedtls_free(output_buffer);
9357 psa_key_derivation_abort(&operation);
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009358 PSA_DONE();
9359}
9360/* END_CASE */
9361
Janos Follathe60c9052019-07-03 13:51:30 +01009362/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009363void derive_key_exercise(int alg_arg,
9364 data_t *key_data,
9365 data_t *input1,
9366 data_t *input2,
9367 int derived_type_arg,
9368 int derived_bits_arg,
9369 int derived_usage_arg,
9370 int derived_alg_arg)
Gilles Peskine0386fba2018-07-12 17:29:22 +02009371{
Ronald Cron5425a212020-08-04 14:58:35 +02009372 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9373 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine0386fba2018-07-12 17:29:22 +02009374 psa_algorithm_t alg = alg_arg;
9375 psa_key_type_t derived_type = derived_type_arg;
9376 size_t derived_bits = derived_bits_arg;
9377 psa_key_usage_t derived_usage = derived_usage_arg;
9378 psa_algorithm_t derived_alg = derived_alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01009379 size_t capacity = PSA_BITS_TO_BYTES(derived_bits);
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009380 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009381 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02009382 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine0386fba2018-07-12 17:29:22 +02009383
Gilles Peskine449bd832023-01-11 14:50:10 +01009384 PSA_ASSERT(psa_crypto_init());
Gilles Peskine0386fba2018-07-12 17:29:22 +02009385
Gilles Peskine449bd832023-01-11 14:50:10 +01009386 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9387 psa_set_key_algorithm(&attributes, alg);
9388 psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
9389 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
9390 &base_key));
Gilles Peskine0386fba2018-07-12 17:29:22 +02009391
9392 /* Derive a key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009393 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
9394 input1->x, input1->len,
9395 input2->x, input2->len,
Ryan Everettc1cc6682024-03-12 16:17:43 +00009396 capacity, 0)) {
Janos Follathe60c9052019-07-03 13:51:30 +01009397 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009398 }
Janos Follathe60c9052019-07-03 13:51:30 +01009399
Gilles Peskine449bd832023-01-11 14:50:10 +01009400 psa_set_key_usage_flags(&attributes, derived_usage);
9401 psa_set_key_algorithm(&attributes, derived_alg);
9402 psa_set_key_type(&attributes, derived_type);
9403 psa_set_key_bits(&attributes, derived_bits);
9404 PSA_ASSERT(psa_key_derivation_output_key(&attributes, &operation,
9405 &derived_key));
Gilles Peskine0386fba2018-07-12 17:29:22 +02009406
9407 /* Test the key information */
Gilles Peskine449bd832023-01-11 14:50:10 +01009408 PSA_ASSERT(psa_get_key_attributes(derived_key, &got_attributes));
9409 TEST_EQUAL(psa_get_key_type(&got_attributes), derived_type);
9410 TEST_EQUAL(psa_get_key_bits(&got_attributes), derived_bits);
Gilles Peskine0386fba2018-07-12 17:29:22 +02009411
9412 /* Exercise the derived key. */
Ryan Everett0a271fd2024-03-12 16:34:02 +00009413 if (!mbedtls_test_psa_exercise_key(derived_key, derived_usage, derived_alg, 0)) {
Gilles Peskine0386fba2018-07-12 17:29:22 +02009414 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009415 }
Gilles Peskine0386fba2018-07-12 17:29:22 +02009416
9417exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01009418 /*
9419 * Key attributes may have been returned by psa_get_key_attributes()
9420 * thus reset them as required.
9421 */
Gilles Peskine449bd832023-01-11 14:50:10 +01009422 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01009423
Gilles Peskine449bd832023-01-11 14:50:10 +01009424 psa_key_derivation_abort(&operation);
9425 psa_destroy_key(base_key);
9426 psa_destroy_key(derived_key);
9427 PSA_DONE();
Gilles Peskine0386fba2018-07-12 17:29:22 +02009428}
9429/* END_CASE */
9430
Janos Follath42fd8882019-07-03 14:17:09 +01009431/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009432void derive_key_export(int alg_arg,
9433 data_t *key_data,
9434 data_t *input1,
9435 data_t *input2,
9436 int bytes1_arg,
9437 int bytes2_arg)
Gilles Peskine0386fba2018-07-12 17:29:22 +02009438{
Ronald Cron5425a212020-08-04 14:58:35 +02009439 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9440 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine0386fba2018-07-12 17:29:22 +02009441 psa_algorithm_t alg = alg_arg;
9442 size_t bytes1 = bytes1_arg;
9443 size_t bytes2 = bytes2_arg;
9444 size_t capacity = bytes1 + bytes2;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009445 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskine8cebbba2018-09-27 13:54:18 +02009446 uint8_t *output_buffer = NULL;
9447 uint8_t *export_buffer = NULL;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009448 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
9449 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine0386fba2018-07-12 17:29:22 +02009450 size_t length;
9451
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009452 TEST_CALLOC(output_buffer, capacity);
9453 TEST_CALLOC(export_buffer, capacity);
Gilles Peskine449bd832023-01-11 14:50:10 +01009454 PSA_ASSERT(psa_crypto_init());
Gilles Peskine0386fba2018-07-12 17:29:22 +02009455
Gilles Peskine449bd832023-01-11 14:50:10 +01009456 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
9457 psa_set_key_algorithm(&base_attributes, alg);
9458 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
9459 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
9460 &base_key));
Gilles Peskine0386fba2018-07-12 17:29:22 +02009461
9462 /* Derive some material and output it. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009463 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
9464 input1->x, input1->len,
9465 input2->x, input2->len,
Ryan Everettc1cc6682024-03-12 16:17:43 +00009466 capacity, 0)) {
Janos Follath42fd8882019-07-03 14:17:09 +01009467 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009468 }
Janos Follath42fd8882019-07-03 14:17:09 +01009469
Gilles Peskine449bd832023-01-11 14:50:10 +01009470 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
9471 output_buffer,
9472 capacity));
9473 PSA_ASSERT(psa_key_derivation_abort(&operation));
Gilles Peskine0386fba2018-07-12 17:29:22 +02009474
9475 /* Derive the same output again, but this time store it in key objects. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009476 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
9477 input1->x, input1->len,
9478 input2->x, input2->len,
Ryan Everettc1cc6682024-03-12 16:17:43 +00009479 capacity, 0)) {
Janos Follath42fd8882019-07-03 14:17:09 +01009480 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009481 }
Janos Follath42fd8882019-07-03 14:17:09 +01009482
Gilles Peskine449bd832023-01-11 14:50:10 +01009483 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
9484 psa_set_key_algorithm(&derived_attributes, 0);
9485 psa_set_key_type(&derived_attributes, PSA_KEY_TYPE_RAW_DATA);
9486 psa_set_key_bits(&derived_attributes, PSA_BYTES_TO_BITS(bytes1));
9487 PSA_ASSERT(psa_key_derivation_output_key(&derived_attributes, &operation,
9488 &derived_key));
9489 PSA_ASSERT(psa_export_key(derived_key,
9490 export_buffer, bytes1,
9491 &length));
9492 TEST_EQUAL(length, bytes1);
9493 PSA_ASSERT(psa_destroy_key(derived_key));
9494 psa_set_key_bits(&derived_attributes, PSA_BYTES_TO_BITS(bytes2));
9495 PSA_ASSERT(psa_key_derivation_output_key(&derived_attributes, &operation,
9496 &derived_key));
9497 PSA_ASSERT(psa_export_key(derived_key,
9498 export_buffer + bytes1, bytes2,
9499 &length));
9500 TEST_EQUAL(length, bytes2);
Gilles Peskine0386fba2018-07-12 17:29:22 +02009501
9502 /* Compare the outputs from the two runs. */
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009503 TEST_MEMORY_COMPARE(output_buffer, bytes1 + bytes2,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009504 export_buffer, capacity);
Gilles Peskine0386fba2018-07-12 17:29:22 +02009505
9506exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009507 mbedtls_free(output_buffer);
9508 mbedtls_free(export_buffer);
9509 psa_key_derivation_abort(&operation);
9510 psa_destroy_key(base_key);
9511 psa_destroy_key(derived_key);
9512 PSA_DONE();
Gilles Peskine0386fba2018-07-12 17:29:22 +02009513}
9514/* END_CASE */
9515
9516/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009517void derive_key_type(int alg_arg,
9518 data_t *key_data,
9519 data_t *input1,
9520 data_t *input2,
9521 int key_type_arg, int bits_arg,
9522 data_t *expected_export)
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009523{
9524 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9525 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
9526 const psa_algorithm_t alg = alg_arg;
9527 const psa_key_type_t key_type = key_type_arg;
9528 const size_t bits = bits_arg;
9529 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
9530 const size_t export_buffer_size =
Gilles Peskine449bd832023-01-11 14:50:10 +01009531 PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits);
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009532 uint8_t *export_buffer = NULL;
9533 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
9534 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
9535 size_t export_length;
9536
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009537 TEST_CALLOC(export_buffer, export_buffer_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01009538 PSA_ASSERT(psa_crypto_init());
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009539
Gilles Peskine449bd832023-01-11 14:50:10 +01009540 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
9541 psa_set_key_algorithm(&base_attributes, alg);
9542 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
9543 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
9544 &base_key));
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009545
Gilles Peskine449bd832023-01-11 14:50:10 +01009546 if (mbedtls_test_psa_setup_key_derivation_wrap(
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009547 &operation, base_key, alg,
9548 input1->x, input1->len,
9549 input2->x, input2->len,
Ryan Everettc1cc6682024-03-12 16:17:43 +00009550 PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) {
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009551 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009552 }
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009553
Gilles Peskine449bd832023-01-11 14:50:10 +01009554 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
9555 psa_set_key_algorithm(&derived_attributes, 0);
9556 psa_set_key_type(&derived_attributes, key_type);
9557 psa_set_key_bits(&derived_attributes, bits);
9558 PSA_ASSERT(psa_key_derivation_output_key(&derived_attributes, &operation,
9559 &derived_key));
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009560
Gilles Peskine449bd832023-01-11 14:50:10 +01009561 PSA_ASSERT(psa_export_key(derived_key,
9562 export_buffer, export_buffer_size,
9563 &export_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009564 TEST_MEMORY_COMPARE(export_buffer, export_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009565 expected_export->x, expected_export->len);
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009566
9567exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009568 mbedtls_free(export_buffer);
9569 psa_key_derivation_abort(&operation);
9570 psa_destroy_key(base_key);
9571 psa_destroy_key(derived_key);
9572 PSA_DONE();
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009573}
9574/* END_CASE */
9575
9576/* BEGIN_CASE */
Gilles Peskinef36d7852024-06-06 21:11:44 +02009577void derive_key_custom(int alg_arg,
9578 data_t *key_data,
9579 data_t *input1,
9580 data_t *input2,
9581 int key_type_arg, int bits_arg,
9582 int flags_arg,
9583 data_t *custom_data,
9584 psa_status_t expected_status,
9585 data_t *expected_export)
9586{
9587 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9588 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
9589 const psa_algorithm_t alg = alg_arg;
9590 const psa_key_type_t key_type = key_type_arg;
9591 const size_t bits = bits_arg;
9592 psa_custom_key_parameters_t custom = PSA_CUSTOM_KEY_PARAMETERS_INIT;
9593 custom.flags = flags_arg;
9594 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
9595 const size_t export_buffer_size =
9596 PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits);
9597 uint8_t *export_buffer = NULL;
9598 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
9599 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
9600 size_t export_length;
9601
9602 TEST_CALLOC(export_buffer, export_buffer_size);
9603 PSA_ASSERT(psa_crypto_init());
9604
9605 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
9606 psa_set_key_algorithm(&base_attributes, alg);
9607 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
9608 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
9609 &base_key));
9610
9611 if (mbedtls_test_psa_setup_key_derivation_wrap(
9612 &operation, base_key, alg,
9613 input1->x, input1->len,
9614 input2->x, input2->len,
9615 PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) {
9616 goto exit;
9617 }
9618
9619 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
9620 psa_set_key_algorithm(&derived_attributes, 0);
9621 psa_set_key_type(&derived_attributes, key_type);
9622 psa_set_key_bits(&derived_attributes, bits);
9623
9624 TEST_EQUAL(psa_key_derivation_output_key_custom(
9625 &derived_attributes, &operation,
9626 &custom, custom_data->x, custom_data->len,
9627 &derived_key),
9628 expected_status);
9629
9630 if (expected_status == PSA_SUCCESS) {
9631 PSA_ASSERT(psa_export_key(derived_key,
9632 export_buffer, export_buffer_size,
9633 &export_length));
9634 TEST_MEMORY_COMPARE(export_buffer, export_length,
9635 expected_export->x, expected_export->len);
9636 }
9637
9638exit:
9639 mbedtls_free(export_buffer);
9640 psa_key_derivation_abort(&operation);
9641 psa_destroy_key(base_key);
9642 psa_destroy_key(derived_key);
9643 PSA_DONE();
9644}
9645/* END_CASE */
9646
9647/* BEGIN_CASE */
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009648void derive_key_ext(int alg_arg,
9649 data_t *key_data,
9650 data_t *input1,
9651 data_t *input2,
9652 int key_type_arg, int bits_arg,
Gilles Peskinec81393b2024-02-14 20:51:28 +01009653 int flags_arg,
Gilles Peskine092ce512024-02-20 12:31:24 +01009654 data_t *params_data,
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009655 psa_status_t expected_status,
9656 data_t *expected_export)
9657{
9658 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9659 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
9660 const psa_algorithm_t alg = alg_arg;
9661 const psa_key_type_t key_type = key_type_arg;
9662 const size_t bits = bits_arg;
Gilles Peskine092ce512024-02-20 12:31:24 +01009663 psa_key_production_parameters_t *params = NULL;
9664 size_t params_data_length = 0;
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009665 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
9666 const size_t export_buffer_size =
9667 PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits);
9668 uint8_t *export_buffer = NULL;
9669 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
9670 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
9671 size_t export_length;
9672
9673 TEST_CALLOC(export_buffer, export_buffer_size);
9674 PSA_ASSERT(psa_crypto_init());
9675
9676 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
9677 psa_set_key_algorithm(&base_attributes, alg);
9678 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
9679 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
9680 &base_key));
9681
9682 if (mbedtls_test_psa_setup_key_derivation_wrap(
9683 &operation, base_key, alg,
9684 input1->x, input1->len,
9685 input2->x, input2->len,
Ryan Everettc1cc6682024-03-12 16:17:43 +00009686 PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) {
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009687 goto exit;
9688 }
9689
9690 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
9691 psa_set_key_algorithm(&derived_attributes, 0);
9692 psa_set_key_type(&derived_attributes, key_type);
9693 psa_set_key_bits(&derived_attributes, bits);
Gilles Peskine092ce512024-02-20 12:31:24 +01009694 if (!setup_key_production_parameters(&params, &params_data_length,
9695 flags_arg, params_data)) {
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009696 goto exit;
9697 }
9698
9699 TEST_EQUAL(psa_key_derivation_output_key_ext(&derived_attributes, &operation,
Gilles Peskine092ce512024-02-20 12:31:24 +01009700 params, params_data_length,
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009701 &derived_key),
9702 expected_status);
9703
9704 if (expected_status == PSA_SUCCESS) {
9705 PSA_ASSERT(psa_export_key(derived_key,
9706 export_buffer, export_buffer_size,
9707 &export_length));
9708 TEST_MEMORY_COMPARE(export_buffer, export_length,
9709 expected_export->x, expected_export->len);
9710 }
9711
9712exit:
9713 mbedtls_free(export_buffer);
Gilles Peskine092ce512024-02-20 12:31:24 +01009714 mbedtls_free(params);
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009715 psa_key_derivation_abort(&operation);
9716 psa_destroy_key(base_key);
9717 psa_destroy_key(derived_key);
9718 PSA_DONE();
9719}
9720/* END_CASE */
9721
9722/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009723void derive_key(int alg_arg,
9724 data_t *key_data, data_t *input1, data_t *input2,
9725 int type_arg, int bits_arg,
9726 int expected_status_arg,
9727 int is_large_output)
Gilles Peskinec744d992019-07-30 17:26:54 +02009728{
Ronald Cron5425a212020-08-04 14:58:35 +02009729 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9730 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinec744d992019-07-30 17:26:54 +02009731 psa_algorithm_t alg = alg_arg;
Gilles Peskine7c227ae2019-07-31 15:14:44 +02009732 psa_key_type_t type = type_arg;
Gilles Peskinec744d992019-07-30 17:26:54 +02009733 size_t bits = bits_arg;
9734 psa_status_t expected_status = expected_status_arg;
9735 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
9736 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
9737 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
9738
Gilles Peskine449bd832023-01-11 14:50:10 +01009739 PSA_ASSERT(psa_crypto_init());
Gilles Peskinec744d992019-07-30 17:26:54 +02009740
Gilles Peskine449bd832023-01-11 14:50:10 +01009741 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
9742 psa_set_key_algorithm(&base_attributes, alg);
9743 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
9744 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
9745 &base_key));
Gilles Peskinec744d992019-07-30 17:26:54 +02009746
Gilles Peskine449bd832023-01-11 14:50:10 +01009747 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
9748 input1->x, input1->len,
9749 input2->x, input2->len,
Ryan Everettc1cc6682024-03-12 16:17:43 +00009750 SIZE_MAX, 0)) {
Gilles Peskinec744d992019-07-30 17:26:54 +02009751 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009752 }
Gilles Peskinec744d992019-07-30 17:26:54 +02009753
Gilles Peskine449bd832023-01-11 14:50:10 +01009754 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
9755 psa_set_key_algorithm(&derived_attributes, 0);
9756 psa_set_key_type(&derived_attributes, type);
9757 psa_set_key_bits(&derived_attributes, bits);
Steven Cooreman83fdb702021-01-21 14:24:39 +01009758
9759 psa_status_t status =
Gilles Peskine449bd832023-01-11 14:50:10 +01009760 psa_key_derivation_output_key(&derived_attributes,
9761 &operation,
9762 &derived_key);
9763 if (is_large_output > 0) {
9764 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY);
9765 }
9766 TEST_EQUAL(status, expected_status);
Gilles Peskinec744d992019-07-30 17:26:54 +02009767
9768exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009769 psa_key_derivation_abort(&operation);
9770 psa_destroy_key(base_key);
9771 psa_destroy_key(derived_key);
9772 PSA_DONE();
Gilles Peskinec744d992019-07-30 17:26:54 +02009773}
9774/* END_CASE */
9775
9776/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009777void key_agreement_setup(int alg_arg,
9778 int our_key_type_arg, int our_key_alg_arg,
9779 data_t *our_key_data, data_t *peer_key_data,
9780 int expected_status_arg)
Gilles Peskine01d718c2018-09-18 12:01:02 +02009781{
Ronald Cron5425a212020-08-04 14:58:35 +02009782 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine01d718c2018-09-18 12:01:02 +02009783 psa_algorithm_t alg = alg_arg;
Steven Cooremanfa5e6312020-10-15 17:07:12 +02009784 psa_algorithm_t our_key_alg = our_key_alg_arg;
Gilles Peskine01d718c2018-09-18 12:01:02 +02009785 psa_key_type_t our_key_type = our_key_type_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009786 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009787 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine77f40d82019-04-11 21:27:06 +02009788 psa_status_t expected_status = expected_status_arg;
9789 psa_status_t status;
Gilles Peskine01d718c2018-09-18 12:01:02 +02009790
Gilles Peskine449bd832023-01-11 14:50:10 +01009791 PSA_ASSERT(psa_crypto_init());
Gilles Peskine01d718c2018-09-18 12:01:02 +02009792
Gilles Peskine449bd832023-01-11 14:50:10 +01009793 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9794 psa_set_key_algorithm(&attributes, our_key_alg);
9795 psa_set_key_type(&attributes, our_key_type);
9796 PSA_ASSERT(psa_import_key(&attributes,
9797 our_key_data->x, our_key_data->len,
9798 &our_key));
Gilles Peskine01d718c2018-09-18 12:01:02 +02009799
Gilles Peskine77f40d82019-04-11 21:27:06 +02009800 /* The tests currently include inputs that should fail at either step.
9801 * Test cases that fail at the setup step should be changed to call
9802 * key_derivation_setup instead, and this function should be renamed
9803 * to key_agreement_fail. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009804 status = psa_key_derivation_setup(&operation, alg);
9805 if (status == PSA_SUCCESS) {
9806 TEST_EQUAL(psa_key_derivation_key_agreement(
9807 &operation, PSA_KEY_DERIVATION_INPUT_SECRET,
9808 our_key,
9809 peer_key_data->x, peer_key_data->len),
9810 expected_status);
9811 } else {
9812 TEST_ASSERT(status == expected_status);
Gilles Peskine77f40d82019-04-11 21:27:06 +02009813 }
Gilles Peskine01d718c2018-09-18 12:01:02 +02009814
9815exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009816 psa_key_derivation_abort(&operation);
9817 psa_destroy_key(our_key);
9818 PSA_DONE();
Gilles Peskine01d718c2018-09-18 12:01:02 +02009819}
9820/* END_CASE */
9821
9822/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009823void raw_key_agreement(int alg_arg,
9824 int our_key_type_arg, data_t *our_key_data,
9825 data_t *peer_key_data,
9826 data_t *expected_output)
Gilles Peskinef0cba732019-04-11 22:12:38 +02009827{
Ronald Cron5425a212020-08-04 14:58:35 +02009828 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinef0cba732019-04-11 22:12:38 +02009829 psa_algorithm_t alg = alg_arg;
9830 psa_key_type_t our_key_type = our_key_type_arg;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009831 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinef0cba732019-04-11 22:12:38 +02009832 unsigned char *output = NULL;
9833 size_t output_length = ~0;
gabor-mezei-armceface22021-01-21 12:26:17 +01009834 size_t key_bits;
Gilles Peskinef0cba732019-04-11 22:12:38 +02009835
Gilles Peskine449bd832023-01-11 14:50:10 +01009836 PSA_ASSERT(psa_crypto_init());
Gilles Peskinef0cba732019-04-11 22:12:38 +02009837
Gilles Peskine449bd832023-01-11 14:50:10 +01009838 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9839 psa_set_key_algorithm(&attributes, alg);
9840 psa_set_key_type(&attributes, our_key_type);
9841 PSA_ASSERT(psa_import_key(&attributes,
9842 our_key_data->x, our_key_data->len,
9843 &our_key));
Gilles Peskinef0cba732019-04-11 22:12:38 +02009844
Gilles Peskine449bd832023-01-11 14:50:10 +01009845 PSA_ASSERT(psa_get_key_attributes(our_key, &attributes));
9846 key_bits = psa_get_key_bits(&attributes);
gabor-mezei-armceface22021-01-21 12:26:17 +01009847
Gilles Peskine992bee82022-04-13 23:25:52 +02009848 /* Validate size macros */
Gilles Peskine449bd832023-01-11 14:50:10 +01009849 TEST_LE_U(expected_output->len,
9850 PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(our_key_type, key_bits));
9851 TEST_LE_U(PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(our_key_type, key_bits),
9852 PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE);
Gilles Peskine992bee82022-04-13 23:25:52 +02009853
9854 /* Good case with exact output size */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009855 TEST_CALLOC(output, expected_output->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009856 PSA_ASSERT(psa_raw_key_agreement(alg, our_key,
9857 peer_key_data->x, peer_key_data->len,
9858 output, expected_output->len,
9859 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009860 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009861 expected_output->x, expected_output->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009862 mbedtls_free(output);
Gilles Peskine992bee82022-04-13 23:25:52 +02009863 output = NULL;
9864 output_length = ~0;
9865
9866 /* Larger buffer */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009867 TEST_CALLOC(output, expected_output->len + 1);
Gilles Peskine449bd832023-01-11 14:50:10 +01009868 PSA_ASSERT(psa_raw_key_agreement(alg, our_key,
9869 peer_key_data->x, peer_key_data->len,
9870 output, expected_output->len + 1,
9871 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009872 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009873 expected_output->x, expected_output->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009874 mbedtls_free(output);
Gilles Peskine992bee82022-04-13 23:25:52 +02009875 output = NULL;
9876 output_length = ~0;
9877
9878 /* Buffer too small */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009879 TEST_CALLOC(output, expected_output->len - 1);
Gilles Peskine449bd832023-01-11 14:50:10 +01009880 TEST_EQUAL(psa_raw_key_agreement(alg, our_key,
9881 peer_key_data->x, peer_key_data->len,
9882 output, expected_output->len - 1,
9883 &output_length),
9884 PSA_ERROR_BUFFER_TOO_SMALL);
Gilles Peskine992bee82022-04-13 23:25:52 +02009885 /* Not required by the spec, but good robustness */
Gilles Peskine449bd832023-01-11 14:50:10 +01009886 TEST_LE_U(output_length, expected_output->len - 1);
9887 mbedtls_free(output);
Gilles Peskine992bee82022-04-13 23:25:52 +02009888 output = NULL;
Gilles Peskinef0cba732019-04-11 22:12:38 +02009889
9890exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009891 mbedtls_free(output);
9892 psa_destroy_key(our_key);
9893 PSA_DONE();
Gilles Peskinef0cba732019-04-11 22:12:38 +02009894}
9895/* END_CASE */
9896
9897/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009898void key_agreement_capacity(int alg_arg,
9899 int our_key_type_arg, data_t *our_key_data,
9900 data_t *peer_key_data,
9901 int expected_capacity_arg)
Gilles Peskine59685592018-09-18 12:11:34 +02009902{
Ronald Cron5425a212020-08-04 14:58:35 +02009903 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine59685592018-09-18 12:11:34 +02009904 psa_algorithm_t alg = alg_arg;
9905 psa_key_type_t our_key_type = our_key_type_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009906 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009907 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine59685592018-09-18 12:11:34 +02009908 size_t actual_capacity;
Gilles Peskinebf491972018-10-25 22:36:12 +02009909 unsigned char output[16];
Gilles Peskine59685592018-09-18 12:11:34 +02009910
Gilles Peskine449bd832023-01-11 14:50:10 +01009911 PSA_ASSERT(psa_crypto_init());
Gilles Peskine59685592018-09-18 12:11:34 +02009912
Gilles Peskine449bd832023-01-11 14:50:10 +01009913 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9914 psa_set_key_algorithm(&attributes, alg);
9915 psa_set_key_type(&attributes, our_key_type);
9916 PSA_ASSERT(psa_import_key(&attributes,
9917 our_key_data->x, our_key_data->len,
9918 &our_key));
Gilles Peskine59685592018-09-18 12:11:34 +02009919
Gilles Peskine449bd832023-01-11 14:50:10 +01009920 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
9921 PSA_ASSERT(psa_key_derivation_key_agreement(
9922 &operation,
9923 PSA_KEY_DERIVATION_INPUT_SECRET, our_key,
9924 peer_key_data->x, peer_key_data->len));
9925 if (PSA_ALG_IS_HKDF(PSA_ALG_KEY_AGREEMENT_GET_KDF(alg))) {
Gilles Peskinef8a9d942019-04-11 22:13:20 +02009926 /* The test data is for info="" */
Gilles Peskine449bd832023-01-11 14:50:10 +01009927 PSA_ASSERT(psa_key_derivation_input_bytes(&operation,
9928 PSA_KEY_DERIVATION_INPUT_INFO,
9929 NULL, 0));
Gilles Peskinef8a9d942019-04-11 22:13:20 +02009930 }
Gilles Peskine59685592018-09-18 12:11:34 +02009931
Shaun Case8b0ecbc2021-12-20 21:14:10 -08009932 /* Test the advertised capacity. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009933 PSA_ASSERT(psa_key_derivation_get_capacity(
9934 &operation, &actual_capacity));
9935 TEST_EQUAL(actual_capacity, (size_t) expected_capacity_arg);
Gilles Peskine59685592018-09-18 12:11:34 +02009936
Gilles Peskinebf491972018-10-25 22:36:12 +02009937 /* Test the actual capacity by reading the output. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009938 while (actual_capacity > sizeof(output)) {
9939 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
9940 output, sizeof(output)));
9941 actual_capacity -= sizeof(output);
Gilles Peskinebf491972018-10-25 22:36:12 +02009942 }
Gilles Peskine449bd832023-01-11 14:50:10 +01009943 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
9944 output, actual_capacity));
9945 TEST_EQUAL(psa_key_derivation_output_bytes(&operation, output, 1),
9946 PSA_ERROR_INSUFFICIENT_DATA);
Gilles Peskinebf491972018-10-25 22:36:12 +02009947
Gilles Peskine59685592018-09-18 12:11:34 +02009948exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009949 psa_key_derivation_abort(&operation);
9950 psa_destroy_key(our_key);
9951 PSA_DONE();
Gilles Peskine59685592018-09-18 12:11:34 +02009952}
9953/* END_CASE */
9954
Valerio Settiad819672023-12-29 12:14:41 +01009955/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
9956void ecc_conversion_functions(int grp_id_arg, int psa_family_arg, int bits_arg)
Valerio Settibf999cb2023-12-28 17:48:13 +01009957{
9958 mbedtls_ecp_group_id grp_id = grp_id_arg;
Valerio Settiad819672023-12-29 12:14:41 +01009959 psa_ecc_family_t ecc_family = psa_family_arg;
9960 size_t bits = bits_arg;
9961 size_t bits_tmp;
Valerio Settibf999cb2023-12-28 17:48:13 +01009962
Valerio Settiad819672023-12-29 12:14:41 +01009963 TEST_EQUAL(ecc_family, mbedtls_ecc_group_to_psa(grp_id, &bits_tmp));
9964 TEST_EQUAL(bits, bits_tmp);
Valerio Settiac739522024-01-04 10:22:01 +01009965 TEST_EQUAL(grp_id, mbedtls_ecc_group_from_psa(ecc_family, bits));
Valerio Settibf999cb2023-12-28 17:48:13 +01009966}
9967/* END_CASE */
9968
Valerio Settiac739522024-01-04 10:22:01 +01009969/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
9970void ecc_conversion_functions_fail()
9971{
9972 size_t bits;
9973
Valerio Settidb6e0292024-01-05 10:15:45 +01009974 /* Invalid legacy curve identifiers. */
9975 TEST_EQUAL(0, mbedtls_ecc_group_to_psa(MBEDTLS_ECP_DP_MAX, &bits));
9976 TEST_EQUAL(0, bits);
Valerio Settiac739522024-01-04 10:22:01 +01009977 TEST_EQUAL(0, mbedtls_ecc_group_to_psa(MBEDTLS_ECP_DP_NONE, &bits));
9978 TEST_EQUAL(0, bits);
9979
9980 /* Invalid PSA EC family. */
9981 TEST_EQUAL(MBEDTLS_ECP_DP_NONE, mbedtls_ecc_group_from_psa(0, 192));
9982 /* Invalid bit-size for a valid EC family. */
9983 TEST_EQUAL(MBEDTLS_ECP_DP_NONE, mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_SECP_R1, 512));
9984
9985 /* Twisted-Edward curves are not supported yet. */
9986 TEST_EQUAL(MBEDTLS_ECP_DP_NONE,
9987 mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_TWISTED_EDWARDS, 255));
9988 TEST_EQUAL(MBEDTLS_ECP_DP_NONE,
9989 mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_TWISTED_EDWARDS, 448));
9990}
9991/* END_CASE */
9992
9993
Gilles Peskine59685592018-09-18 12:11:34 +02009994/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009995void key_agreement_output(int alg_arg,
9996 int our_key_type_arg, data_t *our_key_data,
9997 data_t *peer_key_data,
9998 data_t *expected_output1, data_t *expected_output2)
Gilles Peskine59685592018-09-18 12:11:34 +02009999{
Ronald Cron5425a212020-08-04 14:58:35 +020010000 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine59685592018-09-18 12:11:34 +020010001 psa_algorithm_t alg = alg_arg;
10002 psa_key_type_t our_key_type = our_key_type_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +020010003 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineff5f0e72019-04-18 12:53:30 +020010004 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine3ec8ed82018-10-25 22:37:15 +020010005 uint8_t *actual_output = NULL;
Gilles Peskine59685592018-09-18 12:11:34 +020010006
Tom Cosgrove05b2a872023-07-21 11:31:13 +010010007 TEST_CALLOC(actual_output, MAX(expected_output1->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +010010008 expected_output2->len));
Gilles Peskine59685592018-09-18 12:11:34 +020010009
Gilles Peskine449bd832023-01-11 14:50:10 +010010010 PSA_ASSERT(psa_crypto_init());
Gilles Peskine59685592018-09-18 12:11:34 +020010011
Gilles Peskine449bd832023-01-11 14:50:10 +010010012 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
10013 psa_set_key_algorithm(&attributes, alg);
10014 psa_set_key_type(&attributes, our_key_type);
10015 PSA_ASSERT(psa_import_key(&attributes,
10016 our_key_data->x, our_key_data->len,
10017 &our_key));
Gilles Peskine59685592018-09-18 12:11:34 +020010018
Gilles Peskine449bd832023-01-11 14:50:10 +010010019 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
10020 PSA_ASSERT(psa_key_derivation_key_agreement(
10021 &operation,
10022 PSA_KEY_DERIVATION_INPUT_SECRET, our_key,
10023 peer_key_data->x, peer_key_data->len));
10024 if (PSA_ALG_IS_HKDF(PSA_ALG_KEY_AGREEMENT_GET_KDF(alg))) {
Gilles Peskinef8a9d942019-04-11 22:13:20 +020010025 /* The test data is for info="" */
Gilles Peskine449bd832023-01-11 14:50:10 +010010026 PSA_ASSERT(psa_key_derivation_input_bytes(&operation,
10027 PSA_KEY_DERIVATION_INPUT_INFO,
10028 NULL, 0));
Gilles Peskinef8a9d942019-04-11 22:13:20 +020010029 }
Gilles Peskine59685592018-09-18 12:11:34 +020010030
Gilles Peskine449bd832023-01-11 14:50:10 +010010031 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
10032 actual_output,
10033 expected_output1->len));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +010010034 TEST_MEMORY_COMPARE(actual_output, expected_output1->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +010010035 expected_output1->x, expected_output1->len);
Gilles Peskine449bd832023-01-11 14:50:10 +010010036 if (expected_output2->len != 0) {
10037 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
10038 actual_output,
10039 expected_output2->len));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +010010040 TEST_MEMORY_COMPARE(actual_output, expected_output2->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +010010041 expected_output2->x, expected_output2->len);
Gilles Peskine3ec8ed82018-10-25 22:37:15 +020010042 }
Gilles Peskine59685592018-09-18 12:11:34 +020010043
10044exit:
Gilles Peskine449bd832023-01-11 14:50:10 +010010045 psa_key_derivation_abort(&operation);
10046 psa_destroy_key(our_key);
10047 PSA_DONE();
10048 mbedtls_free(actual_output);
Gilles Peskine59685592018-09-18 12:11:34 +020010049}
10050/* END_CASE */
10051
10052/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010053void generate_random(int bytes_arg)
Gilles Peskine05d69892018-06-19 22:00:52 +020010054{
Gilles Peskinea50d7392018-06-21 10:22:13 +020010055 size_t bytes = bytes_arg;
Gilles Peskine8cebbba2018-09-27 13:54:18 +020010056 unsigned char *output = NULL;
10057 unsigned char *changed = NULL;
Gilles Peskinea50d7392018-06-21 10:22:13 +020010058 size_t i;
10059 unsigned run;
Gilles Peskine05d69892018-06-19 22:00:52 +020010060
Gilles Peskine449bd832023-01-11 14:50:10 +010010061 TEST_ASSERT(bytes_arg >= 0);
Simon Butcher49f8e312020-03-03 15:51:50 +000010062
Tom Cosgrove05b2a872023-07-21 11:31:13 +010010063 TEST_CALLOC(output, bytes);
10064 TEST_CALLOC(changed, bytes);
Gilles Peskine05d69892018-06-19 22:00:52 +020010065
Gilles Peskine449bd832023-01-11 14:50:10 +010010066 PSA_ASSERT(psa_crypto_init());
Gilles Peskine05d69892018-06-19 22:00:52 +020010067
Gilles Peskinea50d7392018-06-21 10:22:13 +020010068 /* Run several times, to ensure that every output byte will be
10069 * nonzero at least once with overwhelming probability
10070 * (2^(-8*number_of_runs)). */
Gilles Peskine449bd832023-01-11 14:50:10 +010010071 for (run = 0; run < 10; run++) {
10072 if (bytes != 0) {
10073 memset(output, 0, bytes);
10074 }
10075 PSA_ASSERT(psa_generate_random(output, bytes));
Gilles Peskinea50d7392018-06-21 10:22:13 +020010076
Gilles Peskine449bd832023-01-11 14:50:10 +010010077 for (i = 0; i < bytes; i++) {
10078 if (output[i] != 0) {
Gilles Peskinea50d7392018-06-21 10:22:13 +020010079 ++changed[i];
Gilles Peskine449bd832023-01-11 14:50:10 +010010080 }
Gilles Peskinea50d7392018-06-21 10:22:13 +020010081 }
Gilles Peskine05d69892018-06-19 22:00:52 +020010082 }
Gilles Peskinea50d7392018-06-21 10:22:13 +020010083
10084 /* Check that every byte was changed to nonzero at least once. This
10085 * validates that psa_generate_random is overwriting every byte of
10086 * the output buffer. */
Gilles Peskine449bd832023-01-11 14:50:10 +010010087 for (i = 0; i < bytes; i++) {
10088 TEST_ASSERT(changed[i] != 0);
Gilles Peskinea50d7392018-06-21 10:22:13 +020010089 }
Gilles Peskine05d69892018-06-19 22:00:52 +020010090
10091exit:
Gilles Peskine449bd832023-01-11 14:50:10 +010010092 PSA_DONE();
10093 mbedtls_free(output);
10094 mbedtls_free(changed);
Gilles Peskine05d69892018-06-19 22:00:52 +020010095}
10096/* END_CASE */
Gilles Peskine12313cd2018-06-20 00:20:32 +020010097
Ryan3a1b7862024-03-01 17:24:04 +000010098#if defined MBEDTLS_THREADING_PTHREAD
10099
10100/* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD */
10101void concurrently_generate_keys(int type_arg,
10102 int bits_arg,
10103 int usage_arg,
10104 int alg_arg,
10105 int expected_status_arg,
10106 int is_large_key_arg,
10107 int arg_thread_count,
10108 int reps_arg)
10109{
10110 size_t thread_count = (size_t) arg_thread_count;
10111 mbedtls_test_thread_t *threads = NULL;
10112 generate_key_context gkc;
10113 gkc.type = type_arg;
10114 gkc.usage = usage_arg;
10115 gkc.bits = bits_arg;
10116 gkc.alg = alg_arg;
10117 gkc.expected_status = expected_status_arg;
10118 gkc.is_large_key = is_large_key_arg;
10119 gkc.reps = reps_arg;
10120 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
10121
10122 PSA_ASSERT(psa_crypto_init());
10123
10124 psa_set_key_usage_flags(&attributes, usage_arg);
10125 psa_set_key_algorithm(&attributes, alg_arg);
10126 psa_set_key_type(&attributes, type_arg);
10127 psa_set_key_bits(&attributes, bits_arg);
10128 gkc.attributes = &attributes;
10129
10130 TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count);
10131
10132 /* Split threads to generate key then destroy key. */
10133 for (size_t i = 0; i < thread_count; i++) {
10134 TEST_EQUAL(
10135 mbedtls_test_thread_create(&threads[i], thread_generate_key,
10136 (void *) &gkc), 0);
10137 }
10138
10139 /* Join threads. */
10140 for (size_t i = 0; i < thread_count; i++) {
10141 TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0);
10142 }
10143
10144exit:
10145 mbedtls_free(threads);
10146 PSA_DONE();
10147}
10148/* END_CASE */
10149#endif
10150
Gilles Peskine12313cd2018-06-20 00:20:32 +020010151/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010152void generate_key(int type_arg,
10153 int bits_arg,
10154 int usage_arg,
10155 int alg_arg,
10156 int expected_status_arg,
10157 int is_large_key)
Gilles Peskine12313cd2018-06-20 00:20:32 +020010158{
Ronald Cron5425a212020-08-04 14:58:35 +020010159 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine12313cd2018-06-20 00:20:32 +020010160 psa_key_type_t type = type_arg;
10161 psa_key_usage_t usage = usage_arg;
10162 size_t bits = bits_arg;
10163 psa_algorithm_t alg = alg_arg;
10164 psa_status_t expected_status = expected_status_arg;
Gilles Peskineff5f0e72019-04-18 12:53:30 +020010165 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +020010166 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine12313cd2018-06-20 00:20:32 +020010167
Gilles Peskine449bd832023-01-11 14:50:10 +010010168 PSA_ASSERT(psa_crypto_init());
Gilles Peskine12313cd2018-06-20 00:20:32 +020010169
Gilles Peskine449bd832023-01-11 14:50:10 +010010170 psa_set_key_usage_flags(&attributes, usage);
10171 psa_set_key_algorithm(&attributes, alg);
10172 psa_set_key_type(&attributes, type);
10173 psa_set_key_bits(&attributes, bits);
Gilles Peskine12313cd2018-06-20 00:20:32 +020010174
10175 /* Generate a key */
Gilles Peskine449bd832023-01-11 14:50:10 +010010176 psa_status_t status = psa_generate_key(&attributes, &key);
Steven Cooreman83fdb702021-01-21 14:24:39 +010010177
Gilles Peskine449bd832023-01-11 14:50:10 +010010178 if (is_large_key > 0) {
10179 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY);
10180 }
10181 TEST_EQUAL(status, expected_status);
10182 if (expected_status != PSA_SUCCESS) {
Gilles Peskineff5f0e72019-04-18 12:53:30 +020010183 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +010010184 }
Gilles Peskine12313cd2018-06-20 00:20:32 +020010185
10186 /* Test the key information */
Gilles Peskine449bd832023-01-11 14:50:10 +010010187 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
10188 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
10189 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
Gilles Peskine12313cd2018-06-20 00:20:32 +020010190
Gilles Peskine818ca122018-06-20 18:16:48 +020010191 /* Do something with the key according to its type and permitted usage. */
Ryan Everett0a271fd2024-03-12 16:34:02 +000010192 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
Gilles Peskine02b75072018-07-01 22:31:34 +020010193 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +010010194 }
Gilles Peskine12313cd2018-06-20 00:20:32 +020010195
10196exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +010010197 /*
10198 * Key attributes may have been returned by psa_get_key_attributes()
10199 * thus reset them as required.
10200 */
Gilles Peskine449bd832023-01-11 14:50:10 +010010201 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +010010202
Gilles Peskine449bd832023-01-11 14:50:10 +010010203 psa_destroy_key(key);
10204 PSA_DONE();
Gilles Peskine12313cd2018-06-20 00:20:32 +020010205}
10206/* END_CASE */
itayzafrir0adf0fc2018-09-06 16:24:41 +030010207
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010208/* BEGIN_CASE */
Gilles Peskinef36d7852024-06-06 21:11:44 +020010209void generate_key_custom(int type_arg,
10210 int bits_arg,
10211 int usage_arg,
10212 int alg_arg,
10213 int flags_arg,
10214 data_t *custom_data,
10215 int expected_status_arg)
10216{
10217 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
10218 psa_key_type_t type = type_arg;
10219 psa_key_usage_t usage = usage_arg;
10220 size_t bits = bits_arg;
10221 psa_algorithm_t alg = alg_arg;
10222 psa_status_t expected_status = expected_status_arg;
10223 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
10224 psa_custom_key_parameters_t custom = PSA_CUSTOM_KEY_PARAMETERS_INIT;
10225 custom.flags = flags_arg;
10226 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
10227
10228 PSA_ASSERT(psa_crypto_init());
10229
10230 psa_set_key_usage_flags(&attributes, usage);
10231 psa_set_key_algorithm(&attributes, alg);
10232 psa_set_key_type(&attributes, type);
10233 psa_set_key_bits(&attributes, bits);
10234
10235 /* Generate a key */
10236 psa_status_t status =
10237 psa_generate_key_custom(&attributes,
10238 &custom, custom_data->x, custom_data->len,
10239 &key);
10240
10241 TEST_EQUAL(status, expected_status);
10242 if (expected_status != PSA_SUCCESS) {
10243 goto exit;
10244 }
10245
10246 /* Test the key information */
10247 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
10248 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
10249 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
10250
Valerio Settiefce6052024-06-25 18:31:36 +020010251#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) && defined(MBEDTLS_ASN1_PARSE_C)
Gilles Peskinef36d7852024-06-06 21:11:44 +020010252 if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
10253 TEST_ASSERT(rsa_test_e(key, bits, custom_data));
10254 }
10255#endif
10256
10257 /* Do something with the key according to its type and permitted usage. */
10258 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
10259 goto exit;
10260 }
10261
10262exit:
10263 /*
10264 * Key attributes may have been returned by psa_get_key_attributes()
10265 * thus reset them as required.
10266 */
10267 psa_reset_key_attributes(&got_attributes);
10268 psa_destroy_key(key);
10269 PSA_DONE();
10270}
10271/* END_CASE */
10272
10273/* BEGIN_CASE */
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010274void generate_key_ext(int type_arg,
10275 int bits_arg,
10276 int usage_arg,
10277 int alg_arg,
Gilles Peskinec81393b2024-02-14 20:51:28 +010010278 int flags_arg,
Gilles Peskine092ce512024-02-20 12:31:24 +010010279 data_t *params_data,
Gilles Peskine449bd832023-01-11 14:50:10 +010010280 int expected_status_arg)
Gilles Peskinee56e8782019-04-26 17:34:02 +020010281{
Ronald Cron5425a212020-08-04 14:58:35 +020010282 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010283 psa_key_type_t type = type_arg;
10284 psa_key_usage_t usage = usage_arg;
Gilles Peskinee56e8782019-04-26 17:34:02 +020010285 size_t bits = bits_arg;
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010286 psa_algorithm_t alg = alg_arg;
Gilles Peskinee56e8782019-04-26 17:34:02 +020010287 psa_status_t expected_status = expected_status_arg;
10288 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine092ce512024-02-20 12:31:24 +010010289 psa_key_production_parameters_t *params = NULL;
10290 size_t params_data_length = 0;
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010291 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinee56e8782019-04-26 17:34:02 +020010292
Gilles Peskine449bd832023-01-11 14:50:10 +010010293 PSA_ASSERT(psa_crypto_init());
Gilles Peskinee56e8782019-04-26 17:34:02 +020010294
Gilles Peskine449bd832023-01-11 14:50:10 +010010295 psa_set_key_usage_flags(&attributes, usage);
10296 psa_set_key_algorithm(&attributes, alg);
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010297 psa_set_key_type(&attributes, type);
Gilles Peskine449bd832023-01-11 14:50:10 +010010298 psa_set_key_bits(&attributes, bits);
Gilles Peskinee56e8782019-04-26 17:34:02 +020010299
Gilles Peskine092ce512024-02-20 12:31:24 +010010300 if (!setup_key_production_parameters(&params, &params_data_length,
10301 flags_arg, params_data)) {
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010302 goto exit;
10303 }
10304
Gilles Peskinee56e8782019-04-26 17:34:02 +020010305 /* Generate a key */
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010306 psa_status_t status = psa_generate_key_ext(&attributes,
Gilles Peskine092ce512024-02-20 12:31:24 +010010307 params, params_data_length,
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010308 &key);
10309
10310 TEST_EQUAL(status, expected_status);
Gilles Peskine449bd832023-01-11 14:50:10 +010010311 if (expected_status != PSA_SUCCESS) {
Gilles Peskinee56e8782019-04-26 17:34:02 +020010312 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +010010313 }
Gilles Peskinee56e8782019-04-26 17:34:02 +020010314
10315 /* Test the key information */
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010316 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
10317 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
10318 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
Pengyu Lvd90fbf72023-12-08 17:13:22 +080010319
Gilles Peskine7a18f962024-02-12 16:48:11 +010010320#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
10321 if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
Gilles Peskine092ce512024-02-20 12:31:24 +010010322 TEST_ASSERT(rsa_test_e(key, bits, params_data));
Gilles Peskine449bd832023-01-11 14:50:10 +010010323 }
Pengyu Lv9e976f32023-12-06 16:58:05 +080010324#endif
Gilles Peskinee56e8782019-04-26 17:34:02 +020010325
10326 /* Do something with the key according to its type and permitted usage. */
Ryan Everett0a271fd2024-03-12 16:34:02 +000010327 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
Gilles Peskinee56e8782019-04-26 17:34:02 +020010328 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +010010329 }
Gilles Peskinee56e8782019-04-26 17:34:02 +020010330
Gilles Peskinee56e8782019-04-26 17:34:02 +020010331exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +010010332 /*
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010333 * Key attributes may have been returned by psa_get_key_attributes()
10334 * thus reset them as required.
Ronald Cron3a4f0e32020-11-19 17:55:23 +010010335 */
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010336 psa_reset_key_attributes(&got_attributes);
Gilles Peskine092ce512024-02-20 12:31:24 +010010337 mbedtls_free(params);
Gilles Peskine449bd832023-01-11 14:50:10 +010010338 psa_destroy_key(key);
10339 PSA_DONE();
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010340}
10341/* END_CASE */
10342
10343/* BEGIN_CASE */
Gilles Peskine092ce512024-02-20 12:31:24 +010010344void key_production_parameters_init()
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010345{
Gilles Peskine092ce512024-02-20 12:31:24 +010010346 psa_key_production_parameters_t init = PSA_KEY_PRODUCTION_PARAMETERS_INIT;
10347 psa_key_production_parameters_t zero;
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010348 memset(&zero, 0, sizeof(zero));
10349
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010350 TEST_EQUAL(init.flags, 0);
10351 TEST_EQUAL(zero.flags, 0);
Gilles Peskinee56e8782019-04-26 17:34:02 +020010352}
10353/* END_CASE */
10354
Darryl Greend49a4992018-06-18 17:27:26 +010010355/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */
Gilles Peskine449bd832023-01-11 14:50:10 +010010356void persistent_key_load_key_from_storage(data_t *data,
10357 int type_arg, int bits_arg,
10358 int usage_flags_arg, int alg_arg,
10359 int generation_method)
Darryl Greend49a4992018-06-18 17:27:26 +010010360{
Gilles Peskine449bd832023-01-11 14:50:10 +010010361 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, 1);
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010362 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Ronald Cron5425a212020-08-04 14:58:35 +020010363 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
10364 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010365 psa_key_type_t type = type_arg;
10366 size_t bits = bits_arg;
10367 psa_key_usage_t usage_flags = usage_flags_arg;
10368 psa_algorithm_t alg = alg_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +020010369 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Darryl Greend49a4992018-06-18 17:27:26 +010010370 unsigned char *first_export = NULL;
10371 unsigned char *second_export = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +010010372 size_t export_size = PSA_EXPORT_KEY_OUTPUT_SIZE(type, bits);
Sergeybef1f632023-03-06 15:25:06 -070010373 size_t first_exported_length = 0;
Darryl Greend49a4992018-06-18 17:27:26 +010010374 size_t second_exported_length;
10375
Gilles Peskine449bd832023-01-11 14:50:10 +010010376 if (usage_flags & PSA_KEY_USAGE_EXPORT) {
Tom Cosgrove05b2a872023-07-21 11:31:13 +010010377 TEST_CALLOC(first_export, export_size);
10378 TEST_CALLOC(second_export, export_size);
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010379 }
Darryl Greend49a4992018-06-18 17:27:26 +010010380
Gilles Peskine449bd832023-01-11 14:50:10 +010010381 PSA_ASSERT(psa_crypto_init());
Darryl Greend49a4992018-06-18 17:27:26 +010010382
Gilles Peskine449bd832023-01-11 14:50:10 +010010383 psa_set_key_id(&attributes, key_id);
10384 psa_set_key_usage_flags(&attributes, usage_flags);
10385 psa_set_key_algorithm(&attributes, alg);
10386 psa_set_key_type(&attributes, type);
10387 psa_set_key_bits(&attributes, bits);
Darryl Greend49a4992018-06-18 17:27:26 +010010388
Gilles Peskine449bd832023-01-11 14:50:10 +010010389 switch (generation_method) {
Darryl Green0c6575a2018-11-07 16:05:30 +000010390 case IMPORT_KEY:
10391 /* Import the key */
Gilles Peskine449bd832023-01-11 14:50:10 +010010392 PSA_ASSERT(psa_import_key(&attributes, data->x, data->len,
10393 &key));
Darryl Green0c6575a2018-11-07 16:05:30 +000010394 break;
Darryl Greend49a4992018-06-18 17:27:26 +010010395
Darryl Green0c6575a2018-11-07 16:05:30 +000010396 case GENERATE_KEY:
10397 /* Generate a key */
Gilles Peskine449bd832023-01-11 14:50:10 +010010398 PSA_ASSERT(psa_generate_key(&attributes, &key));
Darryl Green0c6575a2018-11-07 16:05:30 +000010399 break;
10400
10401 case DERIVE_KEY:
Steven Cooreman70f654a2021-02-15 10:51:43 +010010402#if defined(PSA_WANT_ALG_HKDF) && defined(PSA_WANT_ALG_SHA_256)
Gilles Peskine449bd832023-01-11 14:50:10 +010010403 {
10404 /* Create base key */
10405 psa_algorithm_t derive_alg = PSA_ALG_HKDF(PSA_ALG_SHA_256);
10406 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
10407 psa_set_key_usage_flags(&base_attributes,
10408 PSA_KEY_USAGE_DERIVE);
10409 psa_set_key_algorithm(&base_attributes, derive_alg);
10410 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
10411 PSA_ASSERT(psa_import_key(&base_attributes,
10412 data->x, data->len,
10413 &base_key));
10414 /* Derive a key. */
10415 PSA_ASSERT(psa_key_derivation_setup(&operation, derive_alg));
10416 PSA_ASSERT(psa_key_derivation_input_key(
10417 &operation,
10418 PSA_KEY_DERIVATION_INPUT_SECRET, base_key));
10419 PSA_ASSERT(psa_key_derivation_input_bytes(
10420 &operation, PSA_KEY_DERIVATION_INPUT_INFO,
10421 NULL, 0));
10422 PSA_ASSERT(psa_key_derivation_output_key(&attributes,
10423 &operation,
10424 &key));
10425 PSA_ASSERT(psa_key_derivation_abort(&operation));
10426 PSA_ASSERT(psa_destroy_key(base_key));
10427 base_key = MBEDTLS_SVC_KEY_ID_INIT;
10428 }
Gilles Peskine6fea21d2021-01-12 00:02:15 +010010429#else
Gilles Peskine449bd832023-01-11 14:50:10 +010010430 TEST_ASSUME(!"KDF not supported in this configuration");
Gilles Peskine6fea21d2021-01-12 00:02:15 +010010431#endif
10432 break;
10433
10434 default:
Agathiyan Bragadeeshdc28a5a2023-07-18 11:45:28 +010010435 TEST_FAIL("generation_method not implemented in test");
Gilles Peskine6fea21d2021-01-12 00:02:15 +010010436 break;
Darryl Green0c6575a2018-11-07 16:05:30 +000010437 }
Gilles Peskine449bd832023-01-11 14:50:10 +010010438 psa_reset_key_attributes(&attributes);
Darryl Greend49a4992018-06-18 17:27:26 +010010439
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010440 /* Export the key if permitted by the key policy. */
Gilles Peskine449bd832023-01-11 14:50:10 +010010441 if (usage_flags & PSA_KEY_USAGE_EXPORT) {
10442 PSA_ASSERT(psa_export_key(key,
10443 first_export, export_size,
10444 &first_exported_length));
10445 if (generation_method == IMPORT_KEY) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +010010446 TEST_MEMORY_COMPARE(data->x, data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +010010447 first_export, first_exported_length);
Gilles Peskine449bd832023-01-11 14:50:10 +010010448 }
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010449 }
Darryl Greend49a4992018-06-18 17:27:26 +010010450
10451 /* Shutdown and restart */
Gilles Peskine449bd832023-01-11 14:50:10 +010010452 PSA_ASSERT(psa_purge_key(key));
Gilles Peskine1153e7b2019-05-28 15:10:21 +020010453 PSA_DONE();
Gilles Peskine449bd832023-01-11 14:50:10 +010010454 PSA_ASSERT(psa_crypto_init());
Darryl Greend49a4992018-06-18 17:27:26 +010010455
Darryl Greend49a4992018-06-18 17:27:26 +010010456 /* Check key slot still contains key data */
Gilles Peskine449bd832023-01-11 14:50:10 +010010457 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
10458 TEST_ASSERT(mbedtls_svc_key_id_equal(
10459 psa_get_key_id(&attributes), key_id));
10460 TEST_EQUAL(psa_get_key_lifetime(&attributes),
10461 PSA_KEY_LIFETIME_PERSISTENT);
10462 TEST_EQUAL(psa_get_key_type(&attributes), type);
10463 TEST_EQUAL(psa_get_key_bits(&attributes), bits);
10464 TEST_EQUAL(psa_get_key_usage_flags(&attributes),
10465 mbedtls_test_update_key_usage_flags(usage_flags));
10466 TEST_EQUAL(psa_get_key_algorithm(&attributes), alg);
Darryl Greend49a4992018-06-18 17:27:26 +010010467
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010468 /* Export the key again if permitted by the key policy. */
Gilles Peskine449bd832023-01-11 14:50:10 +010010469 if (usage_flags & PSA_KEY_USAGE_EXPORT) {
10470 PSA_ASSERT(psa_export_key(key,
10471 second_export, export_size,
10472 &second_exported_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +010010473 TEST_MEMORY_COMPARE(first_export, first_exported_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +010010474 second_export, second_exported_length);
Darryl Green0c6575a2018-11-07 16:05:30 +000010475 }
10476
10477 /* Do something with the key according to its type and permitted usage. */
Ryan Everett0a271fd2024-03-12 16:34:02 +000010478 if (!mbedtls_test_psa_exercise_key(key, usage_flags, alg, 0)) {
Darryl Green0c6575a2018-11-07 16:05:30 +000010479 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +010010480 }
Darryl Greend49a4992018-06-18 17:27:26 +010010481
10482exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +010010483 /*
10484 * Key attributes may have been returned by psa_get_key_attributes()
10485 * thus reset them as required.
10486 */
Gilles Peskine449bd832023-01-11 14:50:10 +010010487 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +010010488
Gilles Peskine449bd832023-01-11 14:50:10 +010010489 mbedtls_free(first_export);
10490 mbedtls_free(second_export);
10491 psa_key_derivation_abort(&operation);
10492 psa_destroy_key(base_key);
10493 psa_destroy_key(key);
Gilles Peskine1153e7b2019-05-28 15:10:21 +020010494 PSA_DONE();
Darryl Greend49a4992018-06-18 17:27:26 +010010495}
10496/* END_CASE */
Neil Armstrongd597bc72022-05-25 11:28:39 +020010497
Neil Armstronga557cb82022-06-10 08:58:32 +020010498/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010499void ecjpake_setup(int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
10500 int primitive_arg, int hash_arg, int role_arg,
10501 int test_input, data_t *pw_data,
10502 int inj_err_type_arg,
10503 int expected_error_arg)
Neil Armstrongd597bc72022-05-25 11:28:39 +020010504{
10505 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
10506 psa_pake_operation_t operation = psa_pake_operation_init();
10507 psa_algorithm_t alg = alg_arg;
Manuel Pégourié-Gonnardb63a9ef2022-10-06 10:55:19 +020010508 psa_pake_primitive_t primitive = primitive_arg;
Neil Armstrong2a73f212022-09-06 11:34:54 +020010509 psa_key_type_t key_type_pw = key_type_pw_arg;
10510 psa_key_usage_t key_usage_pw = key_usage_pw_arg;
Neil Armstrongd597bc72022-05-25 11:28:39 +020010511 psa_algorithm_t hash_alg = hash_arg;
10512 psa_pake_role_t role = role_arg;
Neil Armstrongd597bc72022-05-25 11:28:39 +020010513 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
10514 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Valerio Setti1070aed2022-11-11 19:37:31 +010010515 ecjpake_injected_failure_t inj_err_type = inj_err_type_arg;
10516 psa_status_t expected_error = expected_error_arg;
10517 psa_status_t status;
Neil Armstrongd597bc72022-05-25 11:28:39 +020010518 unsigned char *output_buffer = NULL;
10519 size_t output_len = 0;
10520
Gilles Peskine449bd832023-01-11 14:50:10 +010010521 PSA_INIT();
Neil Armstrongd597bc72022-05-25 11:28:39 +020010522
Manuel Pégourié-Gonnardb63a9ef2022-10-06 10:55:19 +020010523 size_t buf_size = PSA_PAKE_OUTPUT_SIZE(alg, primitive_arg,
Gilles Peskine449bd832023-01-11 14:50:10 +010010524 PSA_PAKE_STEP_KEY_SHARE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +010010525 TEST_CALLOC(output_buffer, buf_size);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010526
Gilles Peskine449bd832023-01-11 14:50:10 +010010527 if (pw_data->len > 0) {
10528 psa_set_key_usage_flags(&attributes, key_usage_pw);
10529 psa_set_key_algorithm(&attributes, alg);
10530 psa_set_key_type(&attributes, key_type_pw);
10531 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len,
10532 &key));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010533 }
10534
Gilles Peskine449bd832023-01-11 14:50:10 +010010535 psa_pake_cs_set_algorithm(&cipher_suite, alg);
10536 psa_pake_cs_set_primitive(&cipher_suite, primitive);
10537 psa_pake_cs_set_hash(&cipher_suite, hash_alg);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010538
Gilles Peskine449bd832023-01-11 14:50:10 +010010539 PSA_ASSERT(psa_pake_abort(&operation));
Neil Armstrong645cccd2022-06-08 17:36:23 +020010540
Gilles Peskine449bd832023-01-11 14:50:10 +010010541 if (inj_err_type == INJECT_ERR_UNINITIALIZED_ACCESS) {
10542 TEST_EQUAL(psa_pake_set_user(&operation, NULL, 0),
10543 expected_error);
10544 PSA_ASSERT(psa_pake_abort(&operation));
10545 TEST_EQUAL(psa_pake_set_peer(&operation, NULL, 0),
10546 expected_error);
10547 PSA_ASSERT(psa_pake_abort(&operation));
10548 TEST_EQUAL(psa_pake_set_password_key(&operation, key),
10549 expected_error);
10550 PSA_ASSERT(psa_pake_abort(&operation));
10551 TEST_EQUAL(psa_pake_set_role(&operation, role),
10552 expected_error);
10553 PSA_ASSERT(psa_pake_abort(&operation));
10554 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE,
10555 NULL, 0, NULL),
10556 expected_error);
10557 PSA_ASSERT(psa_pake_abort(&operation));
10558 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, NULL, 0),
10559 expected_error);
10560 PSA_ASSERT(psa_pake_abort(&operation));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010561 goto exit;
Valerio Setti1070aed2022-11-11 19:37:31 +010010562 }
Neil Armstrongd597bc72022-05-25 11:28:39 +020010563
Gilles Peskine449bd832023-01-11 14:50:10 +010010564 status = psa_pake_setup(&operation, &cipher_suite);
10565 if (status != PSA_SUCCESS) {
10566 TEST_EQUAL(status, expected_error);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010567 goto exit;
Valerio Setti1070aed2022-11-11 19:37:31 +010010568 }
10569
Gilles Peskine449bd832023-01-11 14:50:10 +010010570 if (inj_err_type == INJECT_ERR_DUPLICATE_SETUP) {
10571 TEST_EQUAL(psa_pake_setup(&operation, &cipher_suite),
10572 expected_error);
Valerio Setti1070aed2022-11-11 19:37:31 +010010573 goto exit;
10574 }
10575
Gilles Peskine449bd832023-01-11 14:50:10 +010010576 status = psa_pake_set_role(&operation, role);
10577 if (status != PSA_SUCCESS) {
10578 TEST_EQUAL(status, expected_error);
Valerio Setti1070aed2022-11-11 19:37:31 +010010579 goto exit;
10580 }
Neil Armstrongd597bc72022-05-25 11:28:39 +020010581
Gilles Peskine449bd832023-01-11 14:50:10 +010010582 if (pw_data->len > 0) {
10583 status = psa_pake_set_password_key(&operation, key);
10584 if (status != PSA_SUCCESS) {
10585 TEST_EQUAL(status, expected_error);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010586 goto exit;
Valerio Setti1070aed2022-11-11 19:37:31 +010010587 }
Neil Armstrongd597bc72022-05-25 11:28:39 +020010588 }
10589
Gilles Peskine449bd832023-01-11 14:50:10 +010010590 if (inj_err_type == INJECT_ERR_INVALID_USER) {
10591 TEST_EQUAL(psa_pake_set_user(&operation, NULL, 0),
10592 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010593 goto exit;
10594 }
Neil Armstrong707d9572022-06-08 17:31:49 +020010595
Gilles Peskine449bd832023-01-11 14:50:10 +010010596 if (inj_err_type == INJECT_ERR_INVALID_PEER) {
10597 TEST_EQUAL(psa_pake_set_peer(&operation, NULL, 0),
10598 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010599 goto exit;
10600 }
Neil Armstrong707d9572022-06-08 17:31:49 +020010601
Gilles Peskine449bd832023-01-11 14:50:10 +010010602 if (inj_err_type == INJECT_ERR_SET_USER) {
Valerio Setti1070aed2022-11-11 19:37:31 +010010603 const uint8_t unsupported_id[] = "abcd";
Gilles Peskine449bd832023-01-11 14:50:10 +010010604 TEST_EQUAL(psa_pake_set_user(&operation, unsupported_id, 4),
10605 PSA_ERROR_NOT_SUPPORTED);
Valerio Setti1070aed2022-11-11 19:37:31 +010010606 goto exit;
10607 }
10608
Gilles Peskine449bd832023-01-11 14:50:10 +010010609 if (inj_err_type == INJECT_ERR_SET_PEER) {
Valerio Setti1070aed2022-11-11 19:37:31 +010010610 const uint8_t unsupported_id[] = "abcd";
Gilles Peskine449bd832023-01-11 14:50:10 +010010611 TEST_EQUAL(psa_pake_set_peer(&operation, unsupported_id, 4),
10612 PSA_ERROR_NOT_SUPPORTED);
Valerio Setti1070aed2022-11-11 19:37:31 +010010613 goto exit;
10614 }
Neil Armstrong707d9572022-06-08 17:31:49 +020010615
Gilles Peskine449bd832023-01-11 14:50:10 +010010616 const size_t size_key_share = PSA_PAKE_INPUT_SIZE(alg, primitive,
10617 PSA_PAKE_STEP_KEY_SHARE);
10618 const size_t size_zk_public = PSA_PAKE_INPUT_SIZE(alg, primitive,
10619 PSA_PAKE_STEP_ZK_PUBLIC);
10620 const size_t size_zk_proof = PSA_PAKE_INPUT_SIZE(alg, primitive,
10621 PSA_PAKE_STEP_ZK_PROOF);
Manuel Pégourié-Gonnardb63a9ef2022-10-06 10:55:19 +020010622
Gilles Peskine449bd832023-01-11 14:50:10 +010010623 if (test_input) {
10624 if (inj_err_type == INJECT_EMPTY_IO_BUFFER) {
10625 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PROOF, NULL, 0),
10626 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010627 goto exit;
10628 }
Neil Armstrong9c8b4922022-06-08 17:59:07 +020010629
Gilles Peskine449bd832023-01-11 14:50:10 +010010630 if (inj_err_type == INJECT_UNKNOWN_STEP) {
10631 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PROOF + 10,
10632 output_buffer, size_zk_proof),
10633 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010634 goto exit;
10635 }
10636
Gilles Peskine449bd832023-01-11 14:50:10 +010010637 if (inj_err_type == INJECT_INVALID_FIRST_STEP) {
10638 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PROOF,
10639 output_buffer, size_zk_proof),
10640 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010641 goto exit;
10642 }
10643
Gilles Peskine449bd832023-01-11 14:50:10 +010010644 status = psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE,
10645 output_buffer, size_key_share);
10646 if (status != PSA_SUCCESS) {
10647 TEST_EQUAL(status, expected_error);
Valerio Setti1070aed2022-11-11 19:37:31 +010010648 goto exit;
10649 }
10650
Gilles Peskine449bd832023-01-11 14:50:10 +010010651 if (inj_err_type == INJECT_WRONG_BUFFER_SIZE) {
10652 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10653 output_buffer, size_zk_public + 1),
10654 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010655 goto exit;
10656 }
10657
Gilles Peskine449bd832023-01-11 14:50:10 +010010658 if (inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE) {
Valerio Setti1070aed2022-11-11 19:37:31 +010010659 // Just trigger any kind of error. We don't care about the result here
Gilles Peskine449bd832023-01-11 14:50:10 +010010660 psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10661 output_buffer, size_zk_public + 1);
10662 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10663 output_buffer, size_zk_public),
10664 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010665 goto exit;
Neil Armstrong9c8b4922022-06-08 17:59:07 +020010666 }
Valerio Setti1070aed2022-11-11 19:37:31 +010010667 } else {
Gilles Peskine449bd832023-01-11 14:50:10 +010010668 if (inj_err_type == INJECT_EMPTY_IO_BUFFER) {
10669 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF,
10670 NULL, 0, NULL),
10671 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010672 goto exit;
10673 }
Neil Armstrong9c8b4922022-06-08 17:59:07 +020010674
Gilles Peskine449bd832023-01-11 14:50:10 +010010675 if (inj_err_type == INJECT_UNKNOWN_STEP) {
10676 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF + 10,
10677 output_buffer, buf_size, &output_len),
10678 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010679 goto exit;
10680 }
Neil Armstrong9c8b4922022-06-08 17:59:07 +020010681
Gilles Peskine449bd832023-01-11 14:50:10 +010010682 if (inj_err_type == INJECT_INVALID_FIRST_STEP) {
10683 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF,
10684 output_buffer, buf_size, &output_len),
10685 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010686 goto exit;
10687 }
10688
Gilles Peskine449bd832023-01-11 14:50:10 +010010689 status = psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE,
10690 output_buffer, buf_size, &output_len);
10691 if (status != PSA_SUCCESS) {
10692 TEST_EQUAL(status, expected_error);
Valerio Setti1070aed2022-11-11 19:37:31 +010010693 goto exit;
10694 }
10695
Gilles Peskine449bd832023-01-11 14:50:10 +010010696 TEST_ASSERT(output_len > 0);
Valerio Setti1070aed2022-11-11 19:37:31 +010010697
Gilles Peskine449bd832023-01-11 14:50:10 +010010698 if (inj_err_type == INJECT_WRONG_BUFFER_SIZE) {
10699 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10700 output_buffer, size_zk_public - 1, &output_len),
10701 PSA_ERROR_BUFFER_TOO_SMALL);
Valerio Setti1070aed2022-11-11 19:37:31 +010010702 goto exit;
10703 }
10704
Gilles Peskine449bd832023-01-11 14:50:10 +010010705 if (inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE) {
Valerio Setti1070aed2022-11-11 19:37:31 +010010706 // Just trigger any kind of error. We don't care about the result here
Gilles Peskine449bd832023-01-11 14:50:10 +010010707 psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10708 output_buffer, size_zk_public - 1, &output_len);
10709 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10710 output_buffer, buf_size, &output_len),
10711 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010712 goto exit;
Neil Armstrong9c8b4922022-06-08 17:59:07 +020010713 }
10714 }
Neil Armstrongd597bc72022-05-25 11:28:39 +020010715
10716exit:
Gilles Peskine449bd832023-01-11 14:50:10 +010010717 PSA_ASSERT(psa_destroy_key(key));
10718 PSA_ASSERT(psa_pake_abort(&operation));
10719 mbedtls_free(output_buffer);
10720 PSA_DONE();
Neil Armstrongd597bc72022-05-25 11:28:39 +020010721}
10722/* END_CASE */
10723
Neil Armstronga557cb82022-06-10 08:58:32 +020010724/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010725void ecjpake_rounds_inject(int alg_arg, int primitive_arg, int hash_arg,
10726 int client_input_first, int inject_error,
10727 data_t *pw_data)
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010728{
10729 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
10730 psa_pake_operation_t server = psa_pake_operation_init();
10731 psa_pake_operation_t client = psa_pake_operation_init();
10732 psa_algorithm_t alg = alg_arg;
10733 psa_algorithm_t hash_alg = hash_arg;
10734 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
10735 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
10736
Gilles Peskine449bd832023-01-11 14:50:10 +010010737 PSA_INIT();
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010738
Gilles Peskine449bd832023-01-11 14:50:10 +010010739 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
10740 psa_set_key_algorithm(&attributes, alg);
10741 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
10742 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len,
10743 &key));
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010744
Gilles Peskine449bd832023-01-11 14:50:10 +010010745 psa_pake_cs_set_algorithm(&cipher_suite, alg);
10746 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg);
10747 psa_pake_cs_set_hash(&cipher_suite, hash_alg);
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010748
10749
Gilles Peskine449bd832023-01-11 14:50:10 +010010750 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite));
10751 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite));
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010752
Gilles Peskine449bd832023-01-11 14:50:10 +010010753 PSA_ASSERT(psa_pake_set_role(&server, PSA_PAKE_ROLE_SERVER));
10754 PSA_ASSERT(psa_pake_set_role(&client, PSA_PAKE_ROLE_CLIENT));
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010755
Gilles Peskine449bd832023-01-11 14:50:10 +010010756 PSA_ASSERT(psa_pake_set_password_key(&server, key));
10757 PSA_ASSERT(psa_pake_set_password_key(&client, key));
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010758
Gilles Peskine449bd832023-01-11 14:50:10 +010010759 ecjpake_do_round(alg, primitive_arg, &server, &client,
10760 client_input_first, 1, inject_error);
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010761
Gilles Peskine449bd832023-01-11 14:50:10 +010010762 if (inject_error == 1 || inject_error == 2) {
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010763 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +010010764 }
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010765
Gilles Peskine449bd832023-01-11 14:50:10 +010010766 ecjpake_do_round(alg, primitive_arg, &server, &client,
10767 client_input_first, 2, inject_error);
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010768
10769exit:
Gilles Peskine449bd832023-01-11 14:50:10 +010010770 psa_destroy_key(key);
10771 psa_pake_abort(&server);
10772 psa_pake_abort(&client);
10773 PSA_DONE();
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010774}
10775/* END_CASE */
10776
10777/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010778void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg,
10779 int derive_alg_arg, data_t *pw_data,
10780 int client_input_first, int inj_err_type_arg)
Neil Armstrongd597bc72022-05-25 11:28:39 +020010781{
10782 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
10783 psa_pake_operation_t server = psa_pake_operation_init();
10784 psa_pake_operation_t client = psa_pake_operation_init();
10785 psa_algorithm_t alg = alg_arg;
10786 psa_algorithm_t hash_alg = hash_arg;
10787 psa_algorithm_t derive_alg = derive_alg_arg;
10788 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
10789 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
10790 psa_key_derivation_operation_t server_derive =
Gilles Peskine449bd832023-01-11 14:50:10 +010010791 PSA_KEY_DERIVATION_OPERATION_INIT;
Neil Armstrongd597bc72022-05-25 11:28:39 +020010792 psa_key_derivation_operation_t client_derive =
Gilles Peskine449bd832023-01-11 14:50:10 +010010793 PSA_KEY_DERIVATION_OPERATION_INIT;
Valerio Setti1070aed2022-11-11 19:37:31 +010010794 ecjpake_injected_failure_t inj_err_type = inj_err_type_arg;
Neil Armstrongd597bc72022-05-25 11:28:39 +020010795
Gilles Peskine449bd832023-01-11 14:50:10 +010010796 PSA_INIT();
Neil Armstrongd597bc72022-05-25 11:28:39 +020010797
Gilles Peskine449bd832023-01-11 14:50:10 +010010798 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
10799 psa_set_key_algorithm(&attributes, alg);
10800 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
10801 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len,
10802 &key));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010803
Gilles Peskine449bd832023-01-11 14:50:10 +010010804 psa_pake_cs_set_algorithm(&cipher_suite, alg);
10805 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg);
10806 psa_pake_cs_set_hash(&cipher_suite, hash_alg);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010807
Neil Armstrong1e855602022-06-15 11:32:11 +020010808 /* Get shared key */
Gilles Peskine449bd832023-01-11 14:50:10 +010010809 PSA_ASSERT(psa_key_derivation_setup(&server_derive, derive_alg));
10810 PSA_ASSERT(psa_key_derivation_setup(&client_derive, derive_alg));
Neil Armstrong1e855602022-06-15 11:32:11 +020010811
Gilles Peskine449bd832023-01-11 14:50:10 +010010812 if (PSA_ALG_IS_TLS12_PRF(derive_alg) ||
10813 PSA_ALG_IS_TLS12_PSK_TO_MS(derive_alg)) {
10814 PSA_ASSERT(psa_key_derivation_input_bytes(&server_derive,
10815 PSA_KEY_DERIVATION_INPUT_SEED,
10816 (const uint8_t *) "", 0));
10817 PSA_ASSERT(psa_key_derivation_input_bytes(&client_derive,
10818 PSA_KEY_DERIVATION_INPUT_SEED,
10819 (const uint8_t *) "", 0));
Neil Armstrong1e855602022-06-15 11:32:11 +020010820 }
10821
Gilles Peskine449bd832023-01-11 14:50:10 +010010822 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite));
10823 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010824
Gilles Peskine449bd832023-01-11 14:50:10 +010010825 PSA_ASSERT(psa_pake_set_role(&server, PSA_PAKE_ROLE_SERVER));
10826 PSA_ASSERT(psa_pake_set_role(&client, PSA_PAKE_ROLE_CLIENT));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010827
Gilles Peskine449bd832023-01-11 14:50:10 +010010828 PSA_ASSERT(psa_pake_set_password_key(&server, key));
10829 PSA_ASSERT(psa_pake_set_password_key(&client, key));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010830
Gilles Peskine449bd832023-01-11 14:50:10 +010010831 if (inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_1) {
10832 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive),
10833 PSA_ERROR_BAD_STATE);
10834 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive),
10835 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010836 goto exit;
10837 }
Neil Armstrong1e855602022-06-15 11:32:11 +020010838
Neil Armstrongf983caf2022-06-15 15:27:48 +020010839 /* First round */
Gilles Peskine449bd832023-01-11 14:50:10 +010010840 ecjpake_do_round(alg, primitive_arg, &server, &client,
10841 client_input_first, 1, 0);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010842
Gilles Peskine449bd832023-01-11 14:50:10 +010010843 if (inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_2) {
10844 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive),
10845 PSA_ERROR_BAD_STATE);
10846 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive),
10847 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010848 goto exit;
10849 }
Neil Armstrong1e855602022-06-15 11:32:11 +020010850
Neil Armstrongf983caf2022-06-15 15:27:48 +020010851 /* Second round */
Gilles Peskine449bd832023-01-11 14:50:10 +010010852 ecjpake_do_round(alg, primitive_arg, &server, &client,
10853 client_input_first, 2, 0);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010854
Gilles Peskine449bd832023-01-11 14:50:10 +010010855 PSA_ASSERT(psa_pake_get_implicit_key(&server, &server_derive));
10856 PSA_ASSERT(psa_pake_get_implicit_key(&client, &client_derive));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010857
10858exit:
Gilles Peskine449bd832023-01-11 14:50:10 +010010859 psa_key_derivation_abort(&server_derive);
10860 psa_key_derivation_abort(&client_derive);
10861 psa_destroy_key(key);
10862 psa_pake_abort(&server);
10863 psa_pake_abort(&client);
10864 PSA_DONE();
Neil Armstrongd597bc72022-05-25 11:28:39 +020010865}
10866/* END_CASE */
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010867
10868/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010869void ecjpake_size_macros()
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010870{
10871 const psa_algorithm_t alg = PSA_ALG_JPAKE;
10872 const size_t bits = 256;
10873 const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE(
Gilles Peskine449bd832023-01-11 14:50:10 +010010874 PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, bits);
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010875 const psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(
Gilles Peskine449bd832023-01-11 14:50:10 +010010876 PSA_ECC_FAMILY_SECP_R1);
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010877
10878 // https://armmbed.github.io/mbed-crypto/1.1_PAKE_Extension.0-bet.0/html/pake.html#pake-step-types
10879 /* The output for KEY_SHARE and ZK_PUBLIC is the same as a public key */
Gilles Peskine449bd832023-01-11 14:50:10 +010010880 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
10881 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits));
10882 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
10883 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits));
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010884 /* The output for ZK_PROOF is the same bitsize as the curve */
Gilles Peskine449bd832023-01-11 14:50:10 +010010885 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
10886 PSA_BITS_TO_BYTES(bits));
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010887
10888 /* Input sizes are the same as output sizes */
Gilles Peskine449bd832023-01-11 14:50:10 +010010889 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
10890 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE));
10891 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
10892 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC));
10893 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
10894 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF));
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010895
10896 /* These inequalities will always hold even when other PAKEs are added */
Gilles Peskine449bd832023-01-11 14:50:10 +010010897 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
10898 PSA_PAKE_OUTPUT_MAX_SIZE);
10899 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
10900 PSA_PAKE_OUTPUT_MAX_SIZE);
10901 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
10902 PSA_PAKE_OUTPUT_MAX_SIZE);
10903 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
10904 PSA_PAKE_INPUT_MAX_SIZE);
10905 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
10906 PSA_PAKE_INPUT_MAX_SIZE);
10907 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
10908 PSA_PAKE_INPUT_MAX_SIZE);
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010909}
10910/* END_CASE */