blob: 7f47f27f129f81a795a88a3e24fa7d9c0cade3d1 [file] [log] [blame]
Gilles Peskinee59236f2018-01-27 23:32:46 +01001/* BEGIN_HEADER */
itayzafrir3e02b3b2018-06-12 17:06:52 +03002#include <stdint.h>
mohammad160327010052018-07-03 13:16:15 +03003
Gilles Peskinedd2f95b2018-08-11 01:22:42 +02004#include "mbedtls/asn1.h"
Gilles Peskine0b352bc2018-06-28 00:16:11 +02005#include "mbedtls/asn1write.h"
Gilles Peskinedd2f95b2018-08-11 01:22:42 +02006#include "mbedtls/oid.h"
Gilles Peskine42649d92022-11-23 14:15:57 +01007#include "common.h"
Gilles Peskinedd2f95b2018-08-11 01:22:42 +02008
Valerio Settibf999cb2023-12-28 17:48:13 +01009#include "mbedtls/psa_util.h"
10
Gilles Peskinebdc96fd2019-08-07 12:08:04 +020011/* For MBEDTLS_CTR_DRBG_MAX_REQUEST, knowing that psa_generate_random()
12 * uses mbedtls_ctr_drbg internally. */
13#include "mbedtls/ctr_drbg.h"
14
Gilles Peskinebdc96fd2019-08-07 12:08:04 +020015#include "psa/crypto.h"
Ronald Cron41841072020-09-17 15:28:26 +020016#include "psa_crypto_slot_management.h"
Gilles Peskinebdc96fd2019-08-07 12:08:04 +020017
Manuel Pégourié-Gonnard7abdf7e2023-03-09 11:17:43 +010018#include "psa_crypto_core.h"
19
Gilles Peskine8e94efe2021-02-13 00:25:53 +010020#include "test/asn1_helpers.h"
Ronald Cron28a45ed2021-02-09 20:35:42 +010021#include "test/psa_crypto_helpers.h"
Gilles Peskinee78b0022021-02-13 00:41:11 +010022#include "test/psa_exercise_key.h"
Archana4d7ae1d2021-07-07 02:50:22 +053023#if defined(PSA_CRYPTO_DRIVER_TEST)
24#include "test/drivers/test_driver.h"
Archana8a180362021-07-05 02:18:48 +053025#define TEST_DRIVER_LOCATION PSA_CRYPTO_TEST_DRIVER_LOCATION
26#else
27#define TEST_DRIVER_LOCATION 0x7fffff
Archana4d7ae1d2021-07-07 02:50:22 +053028#endif
Ronald Cron28a45ed2021-02-09 20:35:42 +010029
Ryan3a1b7862024-03-01 17:24:04 +000030#if defined(MBEDTLS_THREADING_PTHREAD)
31#include "mbedtls/threading.h"
32#endif
33
Gilles Peskine4023c012021-05-27 13:21:20 +020034/* If this comes up, it's a bug in the test code or in the test data. */
35#define UNUSED 0xdeadbeef
36
Dave Rodgman647791d2021-06-23 12:49:59 +010037/* Assert that an operation is (not) active.
38 * This serves as a proxy for checking if the operation is aborted. */
Gilles Peskine449bd832023-01-11 14:50:10 +010039#define ASSERT_OPERATION_IS_ACTIVE(operation) TEST_ASSERT(operation.id != 0)
40#define ASSERT_OPERATION_IS_INACTIVE(operation) TEST_ASSERT(operation.id == 0)
Gilles Peskinef426e0f2019-02-25 17:42:03 +010041
Przemek Stekiel7c795482022-11-15 22:26:12 +010042#if defined(PSA_WANT_ALG_JPAKE)
Gilles Peskine449bd832023-01-11 14:50:10 +010043int ecjpake_operation_setup(psa_pake_operation_t *operation,
44 psa_pake_cipher_suite_t *cipher_suite,
45 psa_pake_role_t role,
46 mbedtls_svc_key_id_t key,
47 size_t key_available)
Przemek Stekiel7c795482022-11-15 22:26:12 +010048{
Gilles Peskine449bd832023-01-11 14:50:10 +010049 PSA_ASSERT(psa_pake_abort(operation));
Przemek Stekiel7c795482022-11-15 22:26:12 +010050
Gilles Peskine449bd832023-01-11 14:50:10 +010051 PSA_ASSERT(psa_pake_setup(operation, cipher_suite));
Przemek Stekiel7c795482022-11-15 22:26:12 +010052
Gilles Peskine449bd832023-01-11 14:50:10 +010053 PSA_ASSERT(psa_pake_set_role(operation, role));
Przemek Stekiel7c795482022-11-15 22:26:12 +010054
Gilles Peskine449bd832023-01-11 14:50:10 +010055 if (key_available) {
56 PSA_ASSERT(psa_pake_set_password_key(operation, key));
57 }
Przemek Stekielf82effa2022-11-21 15:10:32 +010058 return 0;
Przemek Stekiel7c795482022-11-15 22:26:12 +010059exit:
Przemek Stekielf82effa2022-11-21 15:10:32 +010060 return 1;
Przemek Stekiel7c795482022-11-15 22:26:12 +010061}
62#endif
63
Jaeden Amerof24c7f82018-06-27 17:20:43 +010064/** An invalid export length that will never be set by psa_export_key(). */
65static const size_t INVALID_EXPORT_LENGTH = ~0U;
66
Gilles Peskinea7aa4422018-08-14 15:17:54 +020067/** Test if a buffer contains a constant byte value.
68 *
69 * `mem_is_char(buffer, c, size)` is true after `memset(buffer, c, size)`.
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020070 *
71 * \param buffer Pointer to the beginning of the buffer.
Gilles Peskinea7aa4422018-08-14 15:17:54 +020072 * \param c Expected value of every byte.
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020073 * \param size Size of the buffer in bytes.
74 *
Gilles Peskine3f669c32018-06-21 09:21:51 +020075 * \return 1 if the buffer is all-bits-zero.
76 * \return 0 if there is at least one nonzero byte.
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020077 */
Gilles Peskine449bd832023-01-11 14:50:10 +010078static int mem_is_char(void *buffer, unsigned char c, size_t size)
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020079{
80 size_t i;
Gilles Peskine449bd832023-01-11 14:50:10 +010081 for (i = 0; i < size; i++) {
82 if (((unsigned char *) buffer)[i] != c) {
83 return 0;
84 }
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020085 }
Gilles Peskine449bd832023-01-11 14:50:10 +010086 return 1;
Gilles Peskinee66ca3b2018-06-20 00:11:45 +020087}
Andrzej Kurek77b8e092022-01-17 15:29:38 +010088#if defined(MBEDTLS_ASN1_WRITE_C)
Gilles Peskine0b352bc2018-06-28 00:16:11 +020089/* Write the ASN.1 INTEGER with the value 2^(bits-1)+x backwards from *p. */
Gilles Peskine449bd832023-01-11 14:50:10 +010090static int asn1_write_10x(unsigned char **p,
91 unsigned char *start,
92 size_t bits,
93 unsigned char x)
Gilles Peskine0b352bc2018-06-28 00:16:11 +020094{
95 int ret;
96 int len = bits / 8 + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +010097 if (bits == 0) {
98 return MBEDTLS_ERR_ASN1_INVALID_DATA;
99 }
100 if (bits <= 8 && x >= 1 << (bits - 1)) {
101 return MBEDTLS_ERR_ASN1_INVALID_DATA;
102 }
103 if (*p < start || *p - start < (ptrdiff_t) len) {
104 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
105 }
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200106 *p -= len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100107 (*p)[len-1] = x;
108 if (bits % 8 == 0) {
109 (*p)[1] |= 1;
110 } else {
111 (*p)[0] |= 1 << (bits % 8);
112 }
113 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
114 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
115 MBEDTLS_ASN1_INTEGER));
116 return len;
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200117}
118
Gilles Peskine449bd832023-01-11 14:50:10 +0100119static int construct_fake_rsa_key(unsigned char *buffer,
120 size_t buffer_size,
121 unsigned char **p,
122 size_t bits,
123 int keypair)
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200124{
Gilles Peskine449bd832023-01-11 14:50:10 +0100125 size_t half_bits = (bits + 1) / 2;
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200126 int ret;
127 int len = 0;
128 /* Construct something that looks like a DER encoding of
129 * as defined by PKCS#1 v2.2 (RFC 8017) section A.1.2:
130 * RSAPrivateKey ::= SEQUENCE {
131 * version Version,
132 * modulus INTEGER, -- n
133 * publicExponent INTEGER, -- e
134 * privateExponent INTEGER, -- d
135 * prime1 INTEGER, -- p
136 * prime2 INTEGER, -- q
137 * exponent1 INTEGER, -- d mod (p-1)
138 * exponent2 INTEGER, -- d mod (q-1)
139 * coefficient INTEGER, -- (inverse of q) mod p
140 * otherPrimeInfos OtherPrimeInfos OPTIONAL
141 * }
142 * Or, for a public key, the same structure with only
143 * version, modulus and publicExponent.
144 */
145 *p = buffer + buffer_size;
Gilles Peskine449bd832023-01-11 14:50:10 +0100146 if (keypair) {
147 MBEDTLS_ASN1_CHK_ADD(len, /* pq */
148 asn1_write_10x(p, buffer, half_bits, 1));
149 MBEDTLS_ASN1_CHK_ADD(len, /* dq */
150 asn1_write_10x(p, buffer, half_bits, 1));
151 MBEDTLS_ASN1_CHK_ADD(len, /* dp */
152 asn1_write_10x(p, buffer, half_bits, 1));
153 MBEDTLS_ASN1_CHK_ADD(len, /* q */
154 asn1_write_10x(p, buffer, half_bits, 1));
155 MBEDTLS_ASN1_CHK_ADD(len, /* p != q to pass mbedtls sanity checks */
156 asn1_write_10x(p, buffer, half_bits, 3));
157 MBEDTLS_ASN1_CHK_ADD(len, /* d */
158 asn1_write_10x(p, buffer, bits, 1));
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200159 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100160 MBEDTLS_ASN1_CHK_ADD(len, /* e = 65537 */
161 asn1_write_10x(p, buffer, 17, 1));
162 MBEDTLS_ASN1_CHK_ADD(len, /* n */
163 asn1_write_10x(p, buffer, bits, 1));
164 if (keypair) {
165 MBEDTLS_ASN1_CHK_ADD(len, /* version = 0 */
166 mbedtls_asn1_write_int(p, buffer, 0));
167 }
168 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buffer, len));
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200169 {
170 const unsigned char tag =
171 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100172 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buffer, tag));
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200173 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100174 return len;
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200175}
Andrzej Kurek77b8e092022-01-17 15:29:38 +0100176#endif /* MBEDTLS_ASN1_WRITE_C */
Gilles Peskine0b352bc2018-06-28 00:16:11 +0200177
Gilles Peskine449bd832023-01-11 14:50:10 +0100178int exercise_mac_setup(psa_key_type_t key_type,
179 const unsigned char *key_bytes,
180 size_t key_length,
181 psa_algorithm_t alg,
182 psa_mac_operation_t *operation,
183 psa_status_t *status)
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100184{
Ronald Cron5425a212020-08-04 14:58:35 +0200185 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +0200186 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100187
Gilles Peskine449bd832023-01-11 14:50:10 +0100188 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
189 psa_set_key_algorithm(&attributes, alg);
190 psa_set_key_type(&attributes, key_type);
191 PSA_ASSERT(psa_import_key(&attributes, key_bytes, key_length, &key));
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100192
Gilles Peskine449bd832023-01-11 14:50:10 +0100193 *status = psa_mac_sign_setup(operation, key, alg);
Gilles Peskine9e0a4a52019-02-25 22:11:18 +0100194 /* Whether setup succeeded or failed, abort must succeed. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100195 PSA_ASSERT(psa_mac_abort(operation));
Gilles Peskine9e0a4a52019-02-25 22:11:18 +0100196 /* If setup failed, reproduce the failure, so that the caller can
197 * test the resulting state of the operation object. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100198 if (*status != PSA_SUCCESS) {
199 TEST_EQUAL(psa_mac_sign_setup(operation, key, alg), *status);
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100200 }
201
Gilles Peskine449bd832023-01-11 14:50:10 +0100202 psa_destroy_key(key);
203 return 1;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100204
205exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100206 psa_destroy_key(key);
207 return 0;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100208}
209
Gilles Peskine449bd832023-01-11 14:50:10 +0100210int exercise_cipher_setup(psa_key_type_t key_type,
211 const unsigned char *key_bytes,
212 size_t key_length,
213 psa_algorithm_t alg,
214 psa_cipher_operation_t *operation,
215 psa_status_t *status)
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100216{
Ronald Cron5425a212020-08-04 14:58:35 +0200217 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +0200218 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100219
Gilles Peskine449bd832023-01-11 14:50:10 +0100220 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
221 psa_set_key_algorithm(&attributes, alg);
222 psa_set_key_type(&attributes, key_type);
223 PSA_ASSERT(psa_import_key(&attributes, key_bytes, key_length, &key));
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100224
Gilles Peskine449bd832023-01-11 14:50:10 +0100225 *status = psa_cipher_encrypt_setup(operation, key, alg);
Gilles Peskine9e0a4a52019-02-25 22:11:18 +0100226 /* Whether setup succeeded or failed, abort must succeed. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100227 PSA_ASSERT(psa_cipher_abort(operation));
Gilles Peskine9e0a4a52019-02-25 22:11:18 +0100228 /* If setup failed, reproduce the failure, so that the caller can
229 * test the resulting state of the operation object. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100230 if (*status != PSA_SUCCESS) {
231 TEST_EQUAL(psa_cipher_encrypt_setup(operation, key, alg),
232 *status);
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100233 }
234
Gilles Peskine449bd832023-01-11 14:50:10 +0100235 psa_destroy_key(key);
236 return 1;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100237
238exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100239 psa_destroy_key(key);
240 return 0;
Gilles Peskinef426e0f2019-02-25 17:42:03 +0100241}
242
Gilles Peskine449bd832023-01-11 14:50:10 +0100243static int test_operations_on_invalid_key(mbedtls_svc_key_id_t key)
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200244{
245 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100246 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, 0x6964);
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200247 uint8_t buffer[1];
248 size_t length;
249 int ok = 0;
250
Gilles Peskine449bd832023-01-11 14:50:10 +0100251 psa_set_key_id(&attributes, key_id);
252 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
253 psa_set_key_algorithm(&attributes, PSA_ALG_CTR);
254 psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
255 TEST_EQUAL(psa_get_key_attributes(key, &attributes),
256 PSA_ERROR_INVALID_HANDLE);
Ronald Cronecfb2372020-07-23 17:13:42 +0200257 TEST_EQUAL(
Gilles Peskine449bd832023-01-11 14:50:10 +0100258 MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(&attributes)), 0);
Ronald Cronecfb2372020-07-23 17:13:42 +0200259 TEST_EQUAL(
Gilles Peskine449bd832023-01-11 14:50:10 +0100260 MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(psa_get_key_id(&attributes)), 0);
261 TEST_EQUAL(psa_get_key_lifetime(&attributes), 0);
262 TEST_EQUAL(psa_get_key_usage_flags(&attributes), 0);
263 TEST_EQUAL(psa_get_key_algorithm(&attributes), 0);
264 TEST_EQUAL(psa_get_key_type(&attributes), 0);
265 TEST_EQUAL(psa_get_key_bits(&attributes), 0);
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200266
Gilles Peskine449bd832023-01-11 14:50:10 +0100267 TEST_EQUAL(psa_export_key(key, buffer, sizeof(buffer), &length),
268 PSA_ERROR_INVALID_HANDLE);
269 TEST_EQUAL(psa_export_public_key(key,
270 buffer, sizeof(buffer), &length),
271 PSA_ERROR_INVALID_HANDLE);
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200272
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200273 ok = 1;
274
275exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +0100276 /*
277 * Key attributes may have been returned by psa_get_key_attributes()
278 * thus reset them as required.
279 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100280 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +0100281
Gilles Peskine449bd832023-01-11 14:50:10 +0100282 return ok;
Gilles Peskine4cf3a432019-04-18 22:28:52 +0200283}
284
Gilles Peskine5fe5e272019-08-02 20:30:01 +0200285/* Assert that a key isn't reported as having a slot number. */
286#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100287#define ASSERT_NO_SLOT_NUMBER(attributes) \
Gilles Peskine5fe5e272019-08-02 20:30:01 +0200288 do \
289 { \
290 psa_key_slot_number_t ASSERT_NO_SLOT_NUMBER_slot_number; \
Gilles Peskine449bd832023-01-11 14:50:10 +0100291 TEST_EQUAL(psa_get_key_slot_number( \
292 attributes, \
293 &ASSERT_NO_SLOT_NUMBER_slot_number), \
294 PSA_ERROR_INVALID_ARGUMENT); \
Gilles Peskine5fe5e272019-08-02 20:30:01 +0200295 } \
Gilles Peskine449bd832023-01-11 14:50:10 +0100296 while (0)
Gilles Peskine5fe5e272019-08-02 20:30:01 +0200297#else /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskine449bd832023-01-11 14:50:10 +0100298#define ASSERT_NO_SLOT_NUMBER(attributes) \
299 ((void) 0)
Gilles Peskine5fe5e272019-08-02 20:30:01 +0200300#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
301
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +0530302#define INPUT_INTEGER 0x10000 /* Out of range of psa_key_type_t */
303
Gilles Peskinebdf309c2018-12-03 15:36:32 +0100304/* An overapproximation of the amount of storage needed for a key of the
305 * given type and with the given content. The API doesn't make it easy
306 * to find a good value for the size. The current implementation doesn't
307 * care about the value anyway. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100308#define KEY_BITS_FROM_DATA(type, data) \
309 (data)->len
Gilles Peskinebdf309c2018-12-03 15:36:32 +0100310
Darryl Green0c6575a2018-11-07 16:05:30 +0000311typedef enum {
312 IMPORT_KEY = 0,
313 GENERATE_KEY = 1,
314 DERIVE_KEY = 2
315} generate_method;
316
Gilles Peskine449bd832023-01-11 14:50:10 +0100317typedef enum {
Paul Elliott33746aa2021-09-15 16:40:40 +0100318 DO_NOT_SET_LENGTHS = 0,
319 SET_LENGTHS_BEFORE_NONCE = 1,
320 SET_LENGTHS_AFTER_NONCE = 2
Paul Elliottbb979e72021-09-22 12:54:42 +0100321} set_lengths_method_t;
Paul Elliott33746aa2021-09-15 16:40:40 +0100322
Gilles Peskine449bd832023-01-11 14:50:10 +0100323typedef enum {
Paul Elliott1c67e0b2021-09-19 13:11:50 +0100324 USE_NULL_TAG = 0,
325 USE_GIVEN_TAG = 1,
Paul Elliottbb979e72021-09-22 12:54:42 +0100326} tag_usage_method_t;
Paul Elliott1c67e0b2021-09-19 13:11:50 +0100327
Kusumit Ghoderaoa14ae5a2023-04-19 14:16:26 +0530328
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100329/*!
330 * \brief Internal Function for AEAD multipart tests.
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100331 * \param key_type_arg Type of key passed in
332 * \param key_data The encryption / decryption key data
333 * \param alg_arg The type of algorithm used
334 * \param nonce Nonce data
335 * \param additional_data Additional data
Paul Elliott8eec8d42021-09-19 22:38:27 +0100336 * \param ad_part_len_arg If not -1, the length of chunks to
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100337 * feed additional data in to be encrypted /
338 * decrypted. If -1, no chunking.
339 * \param input_data Data to encrypt / decrypt
Paul Elliott8eec8d42021-09-19 22:38:27 +0100340 * \param data_part_len_arg If not -1, the length of chunks to feed
341 * the data in to be encrypted / decrypted. If
342 * -1, no chunking
Paul Elliottbb979e72021-09-22 12:54:42 +0100343 * \param set_lengths_method A member of the set_lengths_method_t enum is
Paul Elliott8eec8d42021-09-19 22:38:27 +0100344 * expected here, this controls whether or not
345 * to set lengths, and in what order with
346 * respect to set nonce.
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100347 * \param expected_output Expected output
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100348 * \param is_encrypt If non-zero this is an encryption operation.
Paul Elliott41ffae12021-07-22 21:52:01 +0100349 * \param do_zero_parts If non-zero, interleave zero length chunks
Paul Elliott8eec8d42021-09-19 22:38:27 +0100350 * with normal length chunks.
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100351 * \return int Zero on failure, non-zero on success.
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100352 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100353static int aead_multipart_internal_func(int key_type_arg, data_t *key_data,
354 int alg_arg,
355 data_t *nonce,
356 data_t *additional_data,
357 int ad_part_len_arg,
358 data_t *input_data,
359 int data_part_len_arg,
360 set_lengths_method_t set_lengths_method,
361 data_t *expected_output,
362 int is_encrypt,
363 int do_zero_parts)
Paul Elliottd3f82412021-06-16 16:52:21 +0100364{
365 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
366 psa_key_type_t key_type = key_type_arg;
367 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +0100368 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliottd3f82412021-06-16 16:52:21 +0100369 unsigned char *output_data = NULL;
370 unsigned char *part_data = NULL;
371 unsigned char *final_data = NULL;
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100372 size_t data_true_size = 0;
Paul Elliottd3f82412021-06-16 16:52:21 +0100373 size_t part_data_size = 0;
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100374 size_t output_size = 0;
375 size_t final_output_size = 0;
Paul Elliottd3f82412021-06-16 16:52:21 +0100376 size_t output_length = 0;
377 size_t key_bits = 0;
378 size_t tag_length = 0;
Paul Elliott6bfd0fb2021-09-15 14:15:55 +0100379 size_t part_offset = 0;
Paul Elliottd3f82412021-06-16 16:52:21 +0100380 size_t part_length = 0;
381 size_t output_part_length = 0;
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100382 size_t tag_size = 0;
Paul Elliott6bfd0fb2021-09-15 14:15:55 +0100383 size_t ad_part_len = 0;
384 size_t data_part_len = 0;
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100385 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE];
Paul Elliottd3f82412021-06-16 16:52:21 +0100386 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
387 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
388
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100389 int test_ok = 0;
Paul Elliott6bfd0fb2021-09-15 14:15:55 +0100390 size_t part_count = 0;
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100391
Gilles Peskine449bd832023-01-11 14:50:10 +0100392 PSA_ASSERT(psa_crypto_init());
Paul Elliottd3f82412021-06-16 16:52:21 +0100393
Gilles Peskine449bd832023-01-11 14:50:10 +0100394 if (is_encrypt) {
395 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
396 } else {
397 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100398 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100399
400 psa_set_key_algorithm(&attributes, alg);
401 psa_set_key_type(&attributes, key_type);
402
403 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
404 &key));
405
406 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
407 key_bits = psa_get_key_bits(&attributes);
408
409 tag_length = PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg);
410
411 if (is_encrypt) {
412 /* Tag gets written at end of buffer. */
413 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg,
414 (input_data->len +
415 tag_length));
416 data_true_size = input_data->len;
417 } else {
418 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg,
419 (input_data->len -
420 tag_length));
Paul Elliottd3f82412021-06-16 16:52:21 +0100421
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100422 /* Do not want to attempt to decrypt tag. */
423 data_true_size = input_data->len - tag_length;
424 }
Paul Elliottd3f82412021-06-16 16:52:21 +0100425
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100426 TEST_CALLOC(output_data, output_size);
Paul Elliottd3f82412021-06-16 16:52:21 +0100427
Gilles Peskine449bd832023-01-11 14:50:10 +0100428 if (is_encrypt) {
429 final_output_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg);
430 TEST_LE_U(final_output_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE);
431 } else {
432 final_output_size = PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg);
433 TEST_LE_U(final_output_size, PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE);
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100434 }
Paul Elliottd3f82412021-06-16 16:52:21 +0100435
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100436 TEST_CALLOC(final_data, final_output_size);
Paul Elliottd3f82412021-06-16 16:52:21 +0100437
Gilles Peskine449bd832023-01-11 14:50:10 +0100438 if (is_encrypt) {
439 status = psa_aead_encrypt_setup(&operation, key, alg);
440 } else {
441 status = psa_aead_decrypt_setup(&operation, key, alg);
442 }
Paul Elliottd3f82412021-06-16 16:52:21 +0100443
444 /* If the operation is not supported, just skip and not fail in case the
445 * encryption involves a common limitation of cryptography hardwares and
446 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100447 if (status == PSA_ERROR_NOT_SUPPORTED) {
448 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
449 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Paul Elliottd3f82412021-06-16 16:52:21 +0100450 }
451
Gilles Peskine449bd832023-01-11 14:50:10 +0100452 PSA_ASSERT(status);
Paul Elliottd3f82412021-06-16 16:52:21 +0100453
Gilles Peskine449bd832023-01-11 14:50:10 +0100454 if (set_lengths_method == DO_NOT_SET_LENGTHS) {
455 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
456 } else if (set_lengths_method == SET_LENGTHS_BEFORE_NONCE) {
457 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
458 data_true_size));
459 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
460 } else if (set_lengths_method == SET_LENGTHS_AFTER_NONCE) {
461 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottebf91632021-07-22 17:54:42 +0100462
Gilles Peskine449bd832023-01-11 14:50:10 +0100463 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
464 data_true_size));
Paul Elliottd3f82412021-06-16 16:52:21 +0100465 }
Paul Elliottd3f82412021-06-16 16:52:21 +0100466
Gilles Peskine449bd832023-01-11 14:50:10 +0100467 if (ad_part_len_arg != -1) {
Paul Elliottd3f82412021-06-16 16:52:21 +0100468 /* Pass additional data in parts */
Paul Elliott6bfd0fb2021-09-15 14:15:55 +0100469 ad_part_len = (size_t) ad_part_len_arg;
Paul Elliottd3f82412021-06-16 16:52:21 +0100470
Gilles Peskine449bd832023-01-11 14:50:10 +0100471 for (part_offset = 0, part_count = 0;
Paul Elliott4e4d71a2021-09-15 16:50:01 +0100472 part_offset < additional_data->len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100473 part_offset += part_length, part_count++) {
474 if (do_zero_parts && (part_count & 0x01)) {
Paul Elliott329d5382021-07-22 17:10:45 +0100475 part_length = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100476 } else if (additional_data->len - part_offset < ad_part_len) {
Paul Elliotte49fe452021-09-15 16:52:11 +0100477 part_length = additional_data->len - part_offset;
Gilles Peskine449bd832023-01-11 14:50:10 +0100478 } else {
Paul Elliotte49fe452021-09-15 16:52:11 +0100479 part_length = ad_part_len;
Paul Elliottd3f82412021-06-16 16:52:21 +0100480 }
481
Gilles Peskine449bd832023-01-11 14:50:10 +0100482 PSA_ASSERT(psa_aead_update_ad(&operation,
483 additional_data->x + part_offset,
484 part_length));
Paul Elliottd3f82412021-06-16 16:52:21 +0100485
Paul Elliottd3f82412021-06-16 16:52:21 +0100486 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100487 } else {
Paul Elliottd3f82412021-06-16 16:52:21 +0100488 /* Pass additional data in one go. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100489 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
490 additional_data->len));
Paul Elliottd3f82412021-06-16 16:52:21 +0100491 }
492
Gilles Peskine449bd832023-01-11 14:50:10 +0100493 if (data_part_len_arg != -1) {
Paul Elliottd3f82412021-06-16 16:52:21 +0100494 /* Pass data in parts */
Gilles Peskine449bd832023-01-11 14:50:10 +0100495 data_part_len = (size_t) data_part_len_arg;
496 part_data_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg,
497 (size_t) data_part_len);
Paul Elliottd3f82412021-06-16 16:52:21 +0100498
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100499 TEST_CALLOC(part_data, part_data_size);
Paul Elliottd3f82412021-06-16 16:52:21 +0100500
Gilles Peskine449bd832023-01-11 14:50:10 +0100501 for (part_offset = 0, part_count = 0;
Paul Elliott4e4d71a2021-09-15 16:50:01 +0100502 part_offset < data_true_size;
Gilles Peskine449bd832023-01-11 14:50:10 +0100503 part_offset += part_length, part_count++) {
504 if (do_zero_parts && (part_count & 0x01)) {
Paul Elliott329d5382021-07-22 17:10:45 +0100505 part_length = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100506 } else if ((data_true_size - part_offset) < data_part_len) {
507 part_length = (data_true_size - part_offset);
508 } else {
Paul Elliotte49fe452021-09-15 16:52:11 +0100509 part_length = data_part_len;
Paul Elliottd3f82412021-06-16 16:52:21 +0100510 }
511
Gilles Peskine449bd832023-01-11 14:50:10 +0100512 PSA_ASSERT(psa_aead_update(&operation,
513 (input_data->x + part_offset),
514 part_length, part_data,
515 part_data_size,
516 &output_part_length));
Paul Elliottd3f82412021-06-16 16:52:21 +0100517
Gilles Peskine449bd832023-01-11 14:50:10 +0100518 if (output_data && output_part_length) {
519 memcpy((output_data + output_length), part_data,
520 output_part_length);
Paul Elliottd3f82412021-06-16 16:52:21 +0100521 }
522
Paul Elliottd3f82412021-06-16 16:52:21 +0100523 output_length += output_part_length;
524 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100525 } else {
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100526 /* Pass all data in one go. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100527 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
528 data_true_size, output_data,
529 output_size, &output_length));
Paul Elliottd3f82412021-06-16 16:52:21 +0100530 }
531
Gilles Peskine449bd832023-01-11 14:50:10 +0100532 if (is_encrypt) {
533 PSA_ASSERT(psa_aead_finish(&operation, final_data,
534 final_output_size,
535 &output_part_length,
536 tag_buffer, tag_length,
537 &tag_size));
538 } else {
539 PSA_ASSERT(psa_aead_verify(&operation, final_data,
540 final_output_size,
541 &output_part_length,
542 (input_data->x + data_true_size),
543 tag_length));
Paul Elliottd3f82412021-06-16 16:52:21 +0100544 }
545
Gilles Peskine449bd832023-01-11 14:50:10 +0100546 if (output_data && output_part_length) {
547 memcpy((output_data + output_length), final_data,
548 output_part_length);
549 }
Paul Elliottd3f82412021-06-16 16:52:21 +0100550
551 output_length += output_part_length;
552
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100553
554 /* For all currently defined algorithms, PSA_AEAD_xxx_OUTPUT_SIZE
555 * should be exact.*/
Gilles Peskine449bd832023-01-11 14:50:10 +0100556 if (is_encrypt) {
557 TEST_EQUAL(tag_length, tag_size);
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100558
Gilles Peskine449bd832023-01-11 14:50:10 +0100559 if (output_data && tag_length) {
560 memcpy((output_data + output_length), tag_buffer,
561 tag_length);
562 }
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100563
564 output_length += tag_length;
565
Gilles Peskine449bd832023-01-11 14:50:10 +0100566 TEST_EQUAL(output_length,
567 PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg,
568 input_data->len));
569 TEST_LE_U(output_length,
570 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(input_data->len));
571 } else {
572 TEST_EQUAL(output_length,
573 PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg,
574 input_data->len));
575 TEST_LE_U(output_length,
576 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(input_data->len));
Paul Elliottd3f82412021-06-16 16:52:21 +0100577 }
578
Paul Elliottd3f82412021-06-16 16:52:21 +0100579
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +0100580 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +0100581 output_data, output_length);
Paul Elliottd3f82412021-06-16 16:52:21 +0100582
Paul Elliottd3f82412021-06-16 16:52:21 +0100583
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100584 test_ok = 1;
Paul Elliottd3f82412021-06-16 16:52:21 +0100585
586exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100587 psa_destroy_key(key);
588 psa_aead_abort(&operation);
589 mbedtls_free(output_data);
590 mbedtls_free(part_data);
591 mbedtls_free(final_data);
592 PSA_DONE();
Paul Elliott97fd1ba2021-07-21 18:46:06 +0100593
Gilles Peskine449bd832023-01-11 14:50:10 +0100594 return test_ok;
Paul Elliottd3f82412021-06-16 16:52:21 +0100595}
596
Neil Armstrong4766f992022-02-28 16:23:59 +0100597/*!
598 * \brief Internal Function for MAC multipart tests.
599 * \param key_type_arg Type of key passed in
600 * \param key_data The encryption / decryption key data
601 * \param alg_arg The type of algorithm used
602 * \param input_data Data to encrypt / decrypt
603 * \param data_part_len_arg If not -1, the length of chunks to feed
604 * the data in to be encrypted / decrypted. If
605 * -1, no chunking
606 * \param expected_output Expected output
Tom Cosgrove1797b052022-12-04 17:19:59 +0000607 * \param is_verify If non-zero this is a verify operation.
Neil Armstrong4766f992022-02-28 16:23:59 +0100608 * \param do_zero_parts If non-zero, interleave zero length chunks
609 * with normal length chunks.
610 * \return int Zero on failure, non-zero on success.
611 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100612static int mac_multipart_internal_func(int key_type_arg, data_t *key_data,
613 int alg_arg,
614 data_t *input_data,
615 int data_part_len_arg,
616 data_t *expected_output,
617 int is_verify,
618 int do_zero_parts)
Neil Armstrong4766f992022-02-28 16:23:59 +0100619{
620 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
621 psa_key_type_t key_type = key_type_arg;
622 psa_algorithm_t alg = alg_arg;
623 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
624 unsigned char mac[PSA_MAC_MAX_SIZE];
625 size_t part_offset = 0;
626 size_t part_length = 0;
627 size_t data_part_len = 0;
628 size_t mac_len = 0;
629 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
630 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
631
632 int test_ok = 0;
633 size_t part_count = 0;
634
Gilles Peskine449bd832023-01-11 14:50:10 +0100635 PSA_INIT();
Neil Armstrong4766f992022-02-28 16:23:59 +0100636
Gilles Peskine449bd832023-01-11 14:50:10 +0100637 if (is_verify) {
638 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
639 } else {
640 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
641 }
Neil Armstrong4766f992022-02-28 16:23:59 +0100642
Gilles Peskine449bd832023-01-11 14:50:10 +0100643 psa_set_key_algorithm(&attributes, alg);
644 psa_set_key_type(&attributes, key_type);
Neil Armstrong4766f992022-02-28 16:23:59 +0100645
Gilles Peskine449bd832023-01-11 14:50:10 +0100646 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
647 &key));
Neil Armstrong4766f992022-02-28 16:23:59 +0100648
Gilles Peskine449bd832023-01-11 14:50:10 +0100649 if (is_verify) {
650 status = psa_mac_verify_setup(&operation, key, alg);
651 } else {
652 status = psa_mac_sign_setup(&operation, key, alg);
653 }
Neil Armstrong4766f992022-02-28 16:23:59 +0100654
Gilles Peskine449bd832023-01-11 14:50:10 +0100655 PSA_ASSERT(status);
Neil Armstrong4766f992022-02-28 16:23:59 +0100656
Gilles Peskine449bd832023-01-11 14:50:10 +0100657 if (data_part_len_arg != -1) {
Neil Armstrong4766f992022-02-28 16:23:59 +0100658 /* Pass data in parts */
Gilles Peskine449bd832023-01-11 14:50:10 +0100659 data_part_len = (size_t) data_part_len_arg;
Neil Armstrong4766f992022-02-28 16:23:59 +0100660
Gilles Peskine449bd832023-01-11 14:50:10 +0100661 for (part_offset = 0, part_count = 0;
Neil Armstrong4766f992022-02-28 16:23:59 +0100662 part_offset < input_data->len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100663 part_offset += part_length, part_count++) {
664 if (do_zero_parts && (part_count & 0x01)) {
Neil Armstrong4766f992022-02-28 16:23:59 +0100665 part_length = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100666 } else if ((input_data->len - part_offset) < data_part_len) {
667 part_length = (input_data->len - part_offset);
668 } else {
Neil Armstrong4766f992022-02-28 16:23:59 +0100669 part_length = data_part_len;
670 }
671
Gilles Peskine449bd832023-01-11 14:50:10 +0100672 PSA_ASSERT(psa_mac_update(&operation,
673 (input_data->x + part_offset),
674 part_length));
Neil Armstrong4766f992022-02-28 16:23:59 +0100675 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100676 } else {
Neil Armstrong4766f992022-02-28 16:23:59 +0100677 /* Pass all data in one go. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100678 PSA_ASSERT(psa_mac_update(&operation, input_data->x,
679 input_data->len));
Neil Armstrong4766f992022-02-28 16:23:59 +0100680 }
681
Gilles Peskine449bd832023-01-11 14:50:10 +0100682 if (is_verify) {
683 PSA_ASSERT(psa_mac_verify_finish(&operation, expected_output->x,
684 expected_output->len));
685 } else {
686 PSA_ASSERT(psa_mac_sign_finish(&operation, mac,
687 PSA_MAC_MAX_SIZE, &mac_len));
Neil Armstrong4766f992022-02-28 16:23:59 +0100688
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +0100689 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +0100690 mac, mac_len);
Neil Armstrong4766f992022-02-28 16:23:59 +0100691 }
692
693 test_ok = 1;
694
695exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100696 psa_destroy_key(key);
697 psa_mac_abort(&operation);
698 PSA_DONE();
Neil Armstrong4766f992022-02-28 16:23:59 +0100699
Gilles Peskine449bd832023-01-11 14:50:10 +0100700 return test_ok;
Neil Armstrong4766f992022-02-28 16:23:59 +0100701}
702
Neil Armstrong75673ab2022-06-15 17:39:01 +0200703#if defined(PSA_WANT_ALG_JPAKE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100704static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
705 psa_pake_operation_t *server,
706 psa_pake_operation_t *client,
707 int client_input_first,
708 int round, int inject_error)
Neil Armstrongf983caf2022-06-15 15:27:48 +0200709{
710 unsigned char *buffer0 = NULL, *buffer1 = NULL;
711 size_t buffer_length = (
712 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE) +
713 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC) +
714 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF)) * 2;
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +0200715 /* The output should be exactly this size according to the spec */
716 const size_t expected_size_key_share =
717 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE);
718 /* The output should be exactly this size according to the spec */
719 const size_t expected_size_zk_public =
720 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC);
721 /* The output can be smaller: the spec allows stripping leading zeroes */
722 const size_t max_expected_size_zk_proof =
723 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200724 size_t buffer0_off = 0;
725 size_t buffer1_off = 0;
726 size_t s_g1_len, s_g2_len, s_a_len;
727 size_t s_g1_off, s_g2_off, s_a_off;
728 size_t s_x1_pk_len, s_x2_pk_len, s_x2s_pk_len;
729 size_t s_x1_pk_off, s_x2_pk_off, s_x2s_pk_off;
730 size_t s_x1_pr_len, s_x2_pr_len, s_x2s_pr_len;
731 size_t s_x1_pr_off, s_x2_pr_off, s_x2s_pr_off;
732 size_t c_g1_len, c_g2_len, c_a_len;
733 size_t c_g1_off, c_g2_off, c_a_off;
734 size_t c_x1_pk_len, c_x2_pk_len, c_x2s_pk_len;
735 size_t c_x1_pk_off, c_x2_pk_off, c_x2s_pk_off;
736 size_t c_x1_pr_len, c_x2_pr_len, c_x2s_pr_len;
737 size_t c_x1_pr_off, c_x2_pr_off, c_x2s_pr_off;
738 psa_status_t expected_status = PSA_SUCCESS;
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200739 psa_status_t status;
Neil Armstrongf983caf2022-06-15 15:27:48 +0200740
Tom Cosgrove05b2a872023-07-21 11:31:13 +0100741 TEST_CALLOC(buffer0, buffer_length);
742 TEST_CALLOC(buffer1, buffer_length);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200743
Gilles Peskine449bd832023-01-11 14:50:10 +0100744 switch (round) {
Neil Armstrongf983caf2022-06-15 15:27:48 +0200745 case 1:
746 /* Server first round Output */
Gilles Peskine449bd832023-01-11 14:50:10 +0100747 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
748 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000749 buffer_length - buffer0_off, &s_g1_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100750 TEST_EQUAL(s_g1_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200751 s_g1_off = buffer0_off;
752 buffer0_off += s_g1_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100753 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
754 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000755 buffer_length - buffer0_off, &s_x1_pk_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100756 TEST_EQUAL(s_x1_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200757 s_x1_pk_off = buffer0_off;
758 buffer0_off += s_x1_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100759 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
760 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000761 buffer_length - buffer0_off, &s_x1_pr_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100762 TEST_LE_U(s_x1_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200763 s_x1_pr_off = buffer0_off;
764 buffer0_off += s_x1_pr_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100765 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
766 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000767 buffer_length - buffer0_off, &s_g2_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100768 TEST_EQUAL(s_g2_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200769 s_g2_off = buffer0_off;
770 buffer0_off += s_g2_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100771 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
772 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000773 buffer_length - buffer0_off, &s_x2_pk_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100774 TEST_EQUAL(s_x2_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200775 s_x2_pk_off = buffer0_off;
776 buffer0_off += s_x2_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100777 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
778 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000779 buffer_length - buffer0_off, &s_x2_pr_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100780 TEST_LE_U(s_x2_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200781 s_x2_pr_off = buffer0_off;
782 buffer0_off += s_x2_pr_len;
783
Gilles Peskine449bd832023-01-11 14:50:10 +0100784 if (inject_error == 1) {
Andrzej Kurekc0182042022-11-08 08:12:56 -0500785 buffer0[s_x1_pr_off + 8] ^= 1;
786 buffer0[s_x2_pr_off + 7] ^= 1;
Neil Armstrongf983caf2022-06-15 15:27:48 +0200787 expected_status = PSA_ERROR_DATA_INVALID;
788 }
789
Neil Armstrong51009d72022-09-05 17:59:54 +0200790 /*
791 * When injecting errors in inputs, the implementation is
792 * free to detect it right away of with a delay.
793 * This permits delaying the error until the end of the input
794 * sequence, if no error appears then, this will be treated
795 * as an error.
796 */
797
Gilles Peskine449bd832023-01-11 14:50:10 +0100798 if (client_input_first == 1) {
Neil Armstrongf983caf2022-06-15 15:27:48 +0200799 /* Client first round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +0100800 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
801 buffer0 + s_g1_off, s_g1_len);
802 if (inject_error == 1 && status != PSA_SUCCESS) {
803 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200804 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100805 } else {
806 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200807 }
808
Gilles Peskine449bd832023-01-11 14:50:10 +0100809 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
810 buffer0 + s_x1_pk_off,
811 s_x1_pk_len);
812 if (inject_error == 1 && status != PSA_SUCCESS) {
813 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200814 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100815 } else {
816 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200817 }
818
Gilles Peskine449bd832023-01-11 14:50:10 +0100819 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
820 buffer0 + s_x1_pr_off,
821 s_x1_pr_len);
822 if (inject_error == 1 && status != PSA_SUCCESS) {
823 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200824 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100825 } else {
826 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200827 }
828
Gilles Peskine449bd832023-01-11 14:50:10 +0100829 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
830 buffer0 + s_g2_off,
831 s_g2_len);
832 if (inject_error == 1 && status != PSA_SUCCESS) {
833 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200834 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100835 } else {
836 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200837 }
838
Gilles Peskine449bd832023-01-11 14:50:10 +0100839 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
840 buffer0 + s_x2_pk_off,
841 s_x2_pk_len);
842 if (inject_error == 1 && status != PSA_SUCCESS) {
843 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200844 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100845 } else {
846 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200847 }
848
Gilles Peskine449bd832023-01-11 14:50:10 +0100849 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
850 buffer0 + s_x2_pr_off,
851 s_x2_pr_len);
852 if (inject_error == 1 && status != PSA_SUCCESS) {
853 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200854 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100855 } else {
856 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200857 }
858
Neil Armstrong78c4e8e2022-09-05 18:08:13 +0200859 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +0100860 if (inject_error == 1) {
861 TEST_ASSERT(
862 !"One of the last psa_pake_input() calls should have returned the expected error.");
863 }
Neil Armstrongf983caf2022-06-15 15:27:48 +0200864 }
865
866 /* Client first round Output */
Gilles Peskine449bd832023-01-11 14:50:10 +0100867 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
868 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000869 buffer_length - buffer1_off, &c_g1_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100870 TEST_EQUAL(c_g1_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200871 c_g1_off = buffer1_off;
872 buffer1_off += c_g1_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100873 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
874 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000875 buffer_length - buffer1_off, &c_x1_pk_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100876 TEST_EQUAL(c_x1_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200877 c_x1_pk_off = buffer1_off;
878 buffer1_off += c_x1_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100879 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
880 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000881 buffer_length - buffer1_off, &c_x1_pr_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100882 TEST_LE_U(c_x1_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200883 c_x1_pr_off = buffer1_off;
884 buffer1_off += c_x1_pr_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100885 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
886 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000887 buffer_length - buffer1_off, &c_g2_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100888 TEST_EQUAL(c_g2_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200889 c_g2_off = buffer1_off;
890 buffer1_off += c_g2_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100891 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
892 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000893 buffer_length - buffer1_off, &c_x2_pk_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100894 TEST_EQUAL(c_x2_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200895 c_x2_pk_off = buffer1_off;
896 buffer1_off += c_x2_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100897 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
898 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +0000899 buffer_length - buffer1_off, &c_x2_pr_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100900 TEST_LE_U(c_x2_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200901 c_x2_pr_off = buffer1_off;
902 buffer1_off += c_x2_pr_len;
903
Gilles Peskine449bd832023-01-11 14:50:10 +0100904 if (client_input_first == 0) {
Neil Armstrongf983caf2022-06-15 15:27:48 +0200905 /* Client first round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +0100906 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
907 buffer0 + s_g1_off, s_g1_len);
908 if (inject_error == 1 && status != PSA_SUCCESS) {
909 TEST_EQUAL(status, expected_status);
Neil Armstrongf983caf2022-06-15 15:27:48 +0200910 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100911 } else {
912 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200913 }
914
Gilles Peskine449bd832023-01-11 14:50:10 +0100915 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
916 buffer0 + s_x1_pk_off,
917 s_x1_pk_len);
918 if (inject_error == 1 && status != PSA_SUCCESS) {
919 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200920 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100921 } else {
922 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200923 }
924
Gilles Peskine449bd832023-01-11 14:50:10 +0100925 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
926 buffer0 + s_x1_pr_off,
927 s_x1_pr_len);
928 if (inject_error == 1 && status != PSA_SUCCESS) {
929 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200930 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100931 } else {
932 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200933 }
934
Gilles Peskine449bd832023-01-11 14:50:10 +0100935 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
936 buffer0 + s_g2_off,
937 s_g2_len);
938 if (inject_error == 1 && status != PSA_SUCCESS) {
939 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200940 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100941 } else {
942 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200943 }
944
Gilles Peskine449bd832023-01-11 14:50:10 +0100945 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
946 buffer0 + s_x2_pk_off,
947 s_x2_pk_len);
948 if (inject_error == 1 && status != PSA_SUCCESS) {
949 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200950 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100951 } else {
952 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200953 }
954
Gilles Peskine449bd832023-01-11 14:50:10 +0100955 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
956 buffer0 + s_x2_pr_off,
957 s_x2_pr_len);
958 if (inject_error == 1 && status != PSA_SUCCESS) {
959 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200960 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100961 } else {
962 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200963 }
964
Neil Armstrong78c4e8e2022-09-05 18:08:13 +0200965 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +0100966 if (inject_error == 1) {
967 TEST_ASSERT(
968 !"One of the last psa_pake_input() calls should have returned the expected error.");
969 }
Neil Armstrongf983caf2022-06-15 15:27:48 +0200970 }
971
Gilles Peskine449bd832023-01-11 14:50:10 +0100972 if (inject_error == 2) {
Andrzej Kurekc0182042022-11-08 08:12:56 -0500973 buffer1[c_x1_pr_off + 12] ^= 1;
974 buffer1[c_x2_pr_off + 7] ^= 1;
Neil Armstrongf983caf2022-06-15 15:27:48 +0200975 expected_status = PSA_ERROR_DATA_INVALID;
976 }
977
978 /* Server first round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +0100979 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE,
980 buffer1 + c_g1_off, c_g1_len);
981 if (inject_error == 2 && status != PSA_SUCCESS) {
982 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200983 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100984 } else {
985 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200986 }
987
Gilles Peskine449bd832023-01-11 14:50:10 +0100988 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC,
989 buffer1 + c_x1_pk_off, c_x1_pk_len);
990 if (inject_error == 2 && status != PSA_SUCCESS) {
991 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200992 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100993 } else {
994 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +0200995 }
996
Gilles Peskine449bd832023-01-11 14:50:10 +0100997 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF,
998 buffer1 + c_x1_pr_off, c_x1_pr_len);
999 if (inject_error == 2 && status != PSA_SUCCESS) {
1000 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001001 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001002 } else {
1003 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001004 }
1005
Gilles Peskine449bd832023-01-11 14:50:10 +01001006 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE,
1007 buffer1 + c_g2_off, c_g2_len);
1008 if (inject_error == 2 && status != PSA_SUCCESS) {
1009 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001010 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001011 } else {
1012 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001013 }
1014
Gilles Peskine449bd832023-01-11 14:50:10 +01001015 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC,
1016 buffer1 + c_x2_pk_off, c_x2_pk_len);
1017 if (inject_error == 2 && status != PSA_SUCCESS) {
1018 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001019 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001020 } else {
1021 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001022 }
1023
Gilles Peskine449bd832023-01-11 14:50:10 +01001024 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF,
1025 buffer1 + c_x2_pr_off, c_x2_pr_len);
1026 if (inject_error == 2 && status != PSA_SUCCESS) {
1027 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001028 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001029 } else {
1030 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001031 }
1032
Neil Armstrong78c4e8e2022-09-05 18:08:13 +02001033 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +01001034 if (inject_error == 2) {
1035 TEST_ASSERT(
1036 !"One of the last psa_pake_input() calls should have returned the expected error.");
1037 }
Neil Armstrongf983caf2022-06-15 15:27:48 +02001038
1039 break;
1040
1041 case 2:
1042 /* Server second round Output */
1043 buffer0_off = 0;
1044
Gilles Peskine449bd832023-01-11 14:50:10 +01001045 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
1046 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +00001047 buffer_length - buffer0_off, &s_a_len));
Gilles Peskine449bd832023-01-11 14:50:10 +01001048 TEST_EQUAL(s_a_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001049 s_a_off = buffer0_off;
1050 buffer0_off += s_a_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001051 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
1052 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +00001053 buffer_length - buffer0_off, &s_x2s_pk_len));
Gilles Peskine449bd832023-01-11 14:50:10 +01001054 TEST_EQUAL(s_x2s_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001055 s_x2s_pk_off = buffer0_off;
1056 buffer0_off += s_x2s_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001057 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
1058 buffer0 + buffer0_off,
David Horstmann433a58c2024-01-25 16:29:26 +00001059 buffer_length - buffer0_off, &s_x2s_pr_len));
Gilles Peskine449bd832023-01-11 14:50:10 +01001060 TEST_LE_U(s_x2s_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001061 s_x2s_pr_off = buffer0_off;
1062 buffer0_off += s_x2s_pr_len;
1063
Gilles Peskine449bd832023-01-11 14:50:10 +01001064 if (inject_error == 3) {
Neil Armstrongeae1dfc2022-06-21 13:37:06 +02001065 buffer0[s_x2s_pk_off + 12] += 0x33;
Neil Armstrongf983caf2022-06-15 15:27:48 +02001066 expected_status = PSA_ERROR_DATA_INVALID;
1067 }
1068
Gilles Peskine449bd832023-01-11 14:50:10 +01001069 if (client_input_first == 1) {
Neil Armstrongf983caf2022-06-15 15:27:48 +02001070 /* Client second round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +01001071 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
1072 buffer0 + s_a_off, s_a_len);
1073 if (inject_error == 3 && status != PSA_SUCCESS) {
1074 TEST_EQUAL(status, expected_status);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001075 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001076 } else {
1077 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001078 }
1079
Gilles Peskine449bd832023-01-11 14:50:10 +01001080 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
1081 buffer0 + s_x2s_pk_off,
1082 s_x2s_pk_len);
1083 if (inject_error == 3 && status != PSA_SUCCESS) {
1084 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001085 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001086 } else {
1087 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001088 }
1089
Gilles Peskine449bd832023-01-11 14:50:10 +01001090 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
1091 buffer0 + s_x2s_pr_off,
1092 s_x2s_pr_len);
1093 if (inject_error == 3 && status != PSA_SUCCESS) {
1094 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001095 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001096 } else {
1097 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001098 }
1099
Neil Armstrong78c4e8e2022-09-05 18:08:13 +02001100 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +01001101 if (inject_error == 3) {
1102 TEST_ASSERT(
1103 !"One of the last psa_pake_input() calls should have returned the expected error.");
1104 }
Neil Armstrongf983caf2022-06-15 15:27:48 +02001105 }
1106
1107 /* Client second round Output */
1108 buffer1_off = 0;
1109
Gilles Peskine449bd832023-01-11 14:50:10 +01001110 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
1111 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +00001112 buffer_length - buffer1_off, &c_a_len));
Gilles Peskine449bd832023-01-11 14:50:10 +01001113 TEST_EQUAL(c_a_len, expected_size_key_share);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001114 c_a_off = buffer1_off;
1115 buffer1_off += c_a_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001116 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
1117 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +00001118 buffer_length - buffer1_off, &c_x2s_pk_len));
Gilles Peskine449bd832023-01-11 14:50:10 +01001119 TEST_EQUAL(c_x2s_pk_len, expected_size_zk_public);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001120 c_x2s_pk_off = buffer1_off;
1121 buffer1_off += c_x2s_pk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001122 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
1123 buffer1 + buffer1_off,
David Horstmann433a58c2024-01-25 16:29:26 +00001124 buffer_length - buffer1_off, &c_x2s_pr_len));
Gilles Peskine449bd832023-01-11 14:50:10 +01001125 TEST_LE_U(c_x2s_pr_len, max_expected_size_zk_proof);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001126 c_x2s_pr_off = buffer1_off;
1127 buffer1_off += c_x2s_pr_len;
1128
Gilles Peskine449bd832023-01-11 14:50:10 +01001129 if (client_input_first == 0) {
Neil Armstrongf983caf2022-06-15 15:27:48 +02001130 /* Client second round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +01001131 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE,
1132 buffer0 + s_a_off, s_a_len);
1133 if (inject_error == 3 && status != PSA_SUCCESS) {
1134 TEST_EQUAL(status, expected_status);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001135 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001136 } else {
1137 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001138 }
1139
Gilles Peskine449bd832023-01-11 14:50:10 +01001140 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC,
1141 buffer0 + s_x2s_pk_off,
1142 s_x2s_pk_len);
1143 if (inject_error == 3 && status != PSA_SUCCESS) {
1144 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001145 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001146 } else {
1147 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001148 }
1149
Gilles Peskine449bd832023-01-11 14:50:10 +01001150 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF,
1151 buffer0 + s_x2s_pr_off,
1152 s_x2s_pr_len);
1153 if (inject_error == 3 && status != PSA_SUCCESS) {
1154 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001155 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001156 } else {
1157 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001158 }
1159
Neil Armstrong78c4e8e2022-09-05 18:08:13 +02001160 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +01001161 if (inject_error == 3) {
1162 TEST_ASSERT(
1163 !"One of the last psa_pake_input() calls should have returned the expected error.");
1164 }
Neil Armstrongf983caf2022-06-15 15:27:48 +02001165 }
1166
Gilles Peskine449bd832023-01-11 14:50:10 +01001167 if (inject_error == 4) {
Neil Armstrongeae1dfc2022-06-21 13:37:06 +02001168 buffer1[c_x2s_pk_off + 7] += 0x28;
Neil Armstrongf983caf2022-06-15 15:27:48 +02001169 expected_status = PSA_ERROR_DATA_INVALID;
1170 }
1171
1172 /* Server second round Input */
Gilles Peskine449bd832023-01-11 14:50:10 +01001173 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE,
1174 buffer1 + c_a_off, c_a_len);
1175 if (inject_error == 4 && status != PSA_SUCCESS) {
1176 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001177 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001178 } else {
1179 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001180 }
1181
Gilles Peskine449bd832023-01-11 14:50:10 +01001182 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC,
1183 buffer1 + c_x2s_pk_off, c_x2s_pk_len);
1184 if (inject_error == 4 && status != PSA_SUCCESS) {
1185 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001186 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001187 } else {
1188 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001189 }
1190
Gilles Peskine449bd832023-01-11 14:50:10 +01001191 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF,
1192 buffer1 + c_x2s_pr_off, c_x2s_pr_len);
1193 if (inject_error == 4 && status != PSA_SUCCESS) {
1194 TEST_EQUAL(status, expected_status);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001195 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01001196 } else {
1197 TEST_EQUAL(status, PSA_SUCCESS);
Neil Armstrongdb5b9602022-06-20 14:56:50 +02001198 }
1199
Neil Armstrong78c4e8e2022-09-05 18:08:13 +02001200 /* Error didn't trigger, make test fail */
Gilles Peskine449bd832023-01-11 14:50:10 +01001201 if (inject_error == 4) {
1202 TEST_ASSERT(
1203 !"One of the last psa_pake_input() calls should have returned the expected error.");
1204 }
Neil Armstrongf983caf2022-06-15 15:27:48 +02001205
1206 break;
1207
1208 }
1209
Neil Armstrongf983caf2022-06-15 15:27:48 +02001210exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01001211 mbedtls_free(buffer0);
1212 mbedtls_free(buffer1);
Neil Armstrongf983caf2022-06-15 15:27:48 +02001213}
Neil Armstrong75673ab2022-06-15 17:39:01 +02001214#endif /* PSA_WANT_ALG_JPAKE */
Neil Armstrongf983caf2022-06-15 15:27:48 +02001215
Gilles Peskine449bd832023-01-11 14:50:10 +01001216typedef enum {
Valerio Setti1070aed2022-11-11 19:37:31 +01001217 INJECT_ERR_NONE = 0,
1218 INJECT_ERR_UNINITIALIZED_ACCESS,
1219 INJECT_ERR_DUPLICATE_SETUP,
1220 INJECT_ERR_INVALID_USER,
1221 INJECT_ERR_INVALID_PEER,
1222 INJECT_ERR_SET_USER,
1223 INJECT_ERR_SET_PEER,
1224 INJECT_EMPTY_IO_BUFFER,
1225 INJECT_UNKNOWN_STEP,
1226 INJECT_INVALID_FIRST_STEP,
1227 INJECT_WRONG_BUFFER_SIZE,
1228 INJECT_VALID_OPERATION_AFTER_FAILURE,
1229 INJECT_ANTICIPATE_KEY_DERIVATION_1,
1230 INJECT_ANTICIPATE_KEY_DERIVATION_2,
1231} ecjpake_injected_failure_t;
1232
Paul Elliott01885fa2023-02-09 12:07:30 +00001233#if defined(MBEDTLS_ECP_RESTARTABLE)
Paul Elliott1243f932023-02-07 11:21:10 +00001234
Paul Elliott6f600372023-02-06 18:41:05 +00001235static void interruptible_signverify_get_minmax_completes(uint32_t max_ops,
1236 psa_status_t expected_status,
1237 size_t *min_completes,
1238 size_t *max_completes)
1239{
1240
1241 /* This is slightly contrived, but we only really know that with a minimum
1242 value of max_ops that a successful operation should take more than one op
1243 to complete, and likewise that with a max_ops of
1244 PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, it should complete in one go. */
1245 if (max_ops == 0 || max_ops == 1) {
Paul Elliottc86d45e2023-02-15 17:38:05 +00001246
Paul Elliott6f600372023-02-06 18:41:05 +00001247 if (expected_status == PSA_SUCCESS) {
1248 *min_completes = 2;
1249 } else {
1250 *min_completes = 1;
1251 }
1252
1253 *max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
1254 } else {
1255 *min_completes = 1;
1256 *max_completes = 1;
1257 }
1258}
Paul Elliott01885fa2023-02-09 12:07:30 +00001259#endif /* MBEDTLS_ECP_RESTARTABLE */
Paul Elliott6f600372023-02-06 18:41:05 +00001260
Gilles Peskine1d25a0a2024-02-12 16:40:04 +01001261#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
1262static int rsa_test_e(mbedtls_svc_key_id_t key,
1263 size_t bits,
1264 const data_t *e_arg)
1265{
1266 uint8_t *exported = NULL;
1267 size_t exported_size =
1268 PSA_EXPORT_KEY_OUTPUT_SIZE(PSA_KEY_TYPE_RSA_PUBLIC_KEY, bits);
1269 size_t exported_length = SIZE_MAX;
1270 int ok = 0;
1271
1272 TEST_CALLOC(exported, exported_size);
1273 PSA_ASSERT(psa_export_public_key(key,
1274 exported, exported_size,
1275 &exported_length));
1276 uint8_t *p = exported;
1277 uint8_t *end = exported + exported_length;
1278 size_t len;
1279 /* RSAPublicKey ::= SEQUENCE {
1280 * modulus INTEGER, -- n
1281 * publicExponent INTEGER } -- e
1282 */
1283 TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len,
1284 MBEDTLS_ASN1_SEQUENCE |
1285 MBEDTLS_ASN1_CONSTRUCTED));
1286 TEST_ASSERT(mbedtls_test_asn1_skip_integer(&p, end, bits, bits, 1));
1287 TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len,
1288 MBEDTLS_ASN1_INTEGER));
1289 if (len >= 1 && p[0] == 0) {
1290 ++p;
1291 --len;
1292 }
1293 if (e_arg->len == 0) {
1294 TEST_EQUAL(len, 3);
1295 TEST_EQUAL(p[0], 1);
1296 TEST_EQUAL(p[1], 0);
1297 TEST_EQUAL(p[2], 1);
1298 } else {
Gilles Peskine7a18f962024-02-12 16:48:11 +01001299 const uint8_t *expected = e_arg->x;
1300 size_t expected_len = e_arg->len;
1301 while (expected_len > 0 && *expected == 0) {
1302 ++expected;
1303 --expected_len;
1304 }
1305 TEST_MEMORY_COMPARE(p, len, expected, expected_len);
Gilles Peskine1d25a0a2024-02-12 16:40:04 +01001306 }
1307 ok = 1;
1308
1309exit:
1310 mbedtls_free(exported);
1311 return ok;
1312}
1313#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE */
1314
Gilles Peskine092ce512024-02-20 12:31:24 +01001315static int setup_key_production_parameters(
1316 psa_key_production_parameters_t **params, size_t *params_data_length,
1317 int flags_arg, const data_t *params_data)
Gilles Peskinef0765fa2024-02-12 16:46:16 +01001318{
Gilles Peskine092ce512024-02-20 12:31:24 +01001319 *params_data_length = params_data->len;
Gilles Peskinec81393b2024-02-14 20:51:28 +01001320 /* If there are N bytes of padding at the end of
Gilles Peskine092ce512024-02-20 12:31:24 +01001321 * psa_key_production_parameters_t, then it's enough to allocate
1322 * MIN(sizeof(psa_key_production_parameters_t),
1323 * offsetof(psa_key_production_parameters_t, data) + params_data_length).
Gilles Peskinec81393b2024-02-14 20:51:28 +01001324 *
1325 * For simplicity, here, we allocate up to N more bytes than necessary.
Gilles Peskine092ce512024-02-20 12:31:24 +01001326 * In practice, the current layout of psa_key_production_parameters_t
Gilles Peskinec81393b2024-02-14 20:51:28 +01001327 * makes padding extremely unlikely, so we don't worry about testing
1328 * that the library code doesn't try to access these extra N bytes.
1329 */
Gilles Peskine092ce512024-02-20 12:31:24 +01001330 *params = mbedtls_calloc(1, sizeof(**params) + *params_data_length);
1331 TEST_ASSERT(*params != NULL);
1332 (*params)->flags = (uint32_t) flags_arg;
1333 memcpy((*params)->data, params_data->x, params_data->len);
Gilles Peskinef0765fa2024-02-12 16:46:16 +01001334 return 1;
1335exit:
1336 return 0;
1337}
1338
Ryan3a1b7862024-03-01 17:24:04 +00001339#if defined(MBEDTLS_THREADING_PTHREAD)
Ryan Everett50619992024-03-12 16:55:14 +00001340
1341typedef struct same_key_context {
1342 data_t *data;
1343 mbedtls_svc_key_id_t key;
1344 psa_key_attributes_t *attributes;
1345 int type;
1346 int bits;
1347 /* The following two parameters are used to ensure that when multiple
1348 * threads attempt to load/destroy the key, exactly one thread succeeds. */
1349 int key_loaded;
1350 mbedtls_threading_mutex_t MBEDTLS_PRIVATE(key_loaded_mutex);
1351}
1352same_key_context;
1353
1354/* Attempt to import the key in ctx. This handles any valid error codes
1355 * and reports an error for any invalid codes. This function also insures
1356 * that once imported by some thread, all threads can use the key. */
1357void *thread_import_key(void *ctx)
1358{
1359 mbedtls_svc_key_id_t returned_key_id;
1360 same_key_context *skc = (struct same_key_context *) ctx;
1361 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
1362
Ryan Everett6c488702024-03-14 17:49:44 +00001363 /* Import the key, exactly one thread must succeed. */
Ryan Everett50619992024-03-12 16:55:14 +00001364 psa_status_t status = psa_import_key(skc->attributes, skc->data->x,
1365 skc->data->len, &returned_key_id);
1366 switch (status) {
1367 case PSA_SUCCESS:
1368 if (mbedtls_mutex_lock(&skc->key_loaded_mutex) == 0) {
1369 if (skc->key_loaded) {
1370 mbedtls_mutex_unlock(&skc->key_loaded_mutex);
1371 /* More than one thread has succeeded, report a failure. */
Ryan Everett3de040f2024-03-14 17:50:06 +00001372 TEST_FAIL("The same key has been loaded into the key store multiple times.");
Ryan Everett50619992024-03-12 16:55:14 +00001373 }
1374 skc->key_loaded = 1;
1375 mbedtls_mutex_unlock(&skc->key_loaded_mutex);
1376 }
1377 break;
1378 case PSA_ERROR_INSUFFICIENT_MEMORY:
1379 /* If all of the key slots are reserved when a thread
1380 * locks the mutex to reserve a new slot, it will return
1381 * PSA_ERROR_INSUFFICIENT_MEMORY; this is correct behaviour.
1382 * There is a chance for this to occur here when the number of
1383 * threads running this function is larger than the number of
1384 * free key slots. Each thread reserves an empty key slot,
1385 * unlocks the mutex, then relocks it to finalize key creation.
1386 * It is at that point where the thread sees that the key
1387 * already exists, releases the reserved slot,
1388 * and returns PSA_ERROR_ALREADY_EXISTS.
1389 * There is no guarantee that the key is loaded upon this return
1390 * code, so we can't test the key information. Just stop this
1391 * thread from executing, note that this is not an error. */
1392 goto exit;
1393 break;
1394 case PSA_ERROR_ALREADY_EXISTS:
1395 /* The key has been loaded by a different thread. */
1396 break;
1397 default:
1398 PSA_ASSERT(status);
1399 }
1400 /* At this point the key must exist, test the key information. */
1401 status = psa_get_key_attributes(skc->key, &got_attributes);
1402 if (status == PSA_ERROR_INSUFFICIENT_MEMORY) {
1403 /* This is not a test failure. The following sequence of events
1404 * causes this to occur:
1405 * 1: This thread successfuly imports a persistent key skc->key.
1406 * 2: N threads reserve an empty key slot in psa_import_key,
1407 * where N is equal to the number of free key slots.
1408 * 3: A final thread attempts to reserve an empty key slot, kicking
1409 * skc->key (which has no registered readers) out of its slot.
1410 * 4: This thread calls psa_get_key_attributes(skc->key,...):
1411 * it sees that skc->key is not in a slot, attempts to load it and
1412 * finds that there are no free slots.
1413 * This thread returns PSA_ERROR_INSUFFICIENT_MEMORY.
1414 *
1415 * The PSA spec allows this behaviour, it is an unavoidable consequence
1416 * of allowing persistent keys to be kicked out of the key store while
1417 * they are still valid. */
1418 goto exit;
1419 }
1420 PSA_ASSERT(status);
1421 TEST_EQUAL(psa_get_key_type(&got_attributes), skc->type);
1422 TEST_EQUAL(psa_get_key_bits(&got_attributes), skc->bits);
1423
1424exit:
1425 /* Key attributes may have been returned by psa_get_key_attributes(),
1426 * reset them as required. */
1427 psa_reset_key_attributes(&got_attributes);
1428 return NULL;
1429}
1430
1431void *thread_use_and_destroy_key(void *ctx)
1432{
1433 same_key_context *skc = (struct same_key_context *) ctx;
1434
1435 /* Do something with the key according
1436 * to its type and permitted usage. */
1437 TEST_ASSERT(mbedtls_test_psa_exercise_key(skc->key,
1438 skc->attributes->policy.usage,
1439 skc->attributes->policy.alg, 1));
1440
1441 psa_status_t status = psa_destroy_key(skc->key);
1442 if (status == PSA_SUCCESS) {
1443 if (mbedtls_mutex_lock(&skc->key_loaded_mutex) == 0) {
1444 /* Ensure that we are the only thread to succeed. */
1445 if (skc->key_loaded != 1) {
1446 mbedtls_mutex_unlock(&skc->key_loaded_mutex);
Ryan Everett3de040f2024-03-14 17:50:06 +00001447 TEST_FAIL("The same key has been destroyed multiple times.");
Ryan Everett50619992024-03-12 16:55:14 +00001448 }
1449 skc->key_loaded = 0;
1450 mbedtls_mutex_unlock(&skc->key_loaded_mutex);
1451 }
1452 } else {
1453 TEST_EQUAL(status, PSA_ERROR_INVALID_HANDLE);
1454 }
1455
1456exit:
1457 return NULL;
1458}
1459
Ryan3a1b7862024-03-01 17:24:04 +00001460typedef struct generate_key_context {
1461 psa_key_type_t type;
1462 psa_key_usage_t usage;
1463 size_t bits;
1464 psa_algorithm_t alg;
1465 psa_status_t expected_status;
1466 psa_key_attributes_t *attributes;
1467 int is_large_key;
1468 int reps;
1469}
1470generate_key_context;
1471void *thread_generate_key(void *ctx)
1472{
1473 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
1474 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
1475 generate_key_context *gkc = (struct generate_key_context *) ctx;
1476
1477 /* If there are race conditions, it is likely the case that they do not
1478 * arise every time the code runs. We repeat the code to increase the
1479 * chance that any race conditions will be hit. */
1480 for (int n = 0; n < gkc->reps; n++) {
1481 /* Generate a key */
1482 psa_status_t status = psa_generate_key(gkc->attributes, &key);
1483
1484 if (gkc->is_large_key > 0) {
1485 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY);
1486 }
1487
1488 TEST_EQUAL(status, gkc->expected_status);
1489 if (gkc->expected_status != PSA_SUCCESS) {
1490 PSA_ASSERT(psa_destroy_key(key));
1491 goto exit;
1492 }
1493
1494 /* Test the key information */
1495 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
1496 TEST_EQUAL(psa_get_key_type(&got_attributes), gkc->type);
1497 TEST_EQUAL(psa_get_key_bits(&got_attributes), gkc->bits);
1498
1499 /* Do something with the key according
1500 * to its type and permitted usage. */
Ryan Everett0a271fd2024-03-12 16:34:02 +00001501 if (!mbedtls_test_psa_exercise_key(key, gkc->usage, gkc->alg, 0)) {
Ryan3a1b7862024-03-01 17:24:04 +00001502 psa_destroy_key(key);
1503 goto exit;
1504 }
1505 psa_reset_key_attributes(&got_attributes);
1506
1507 PSA_ASSERT(psa_destroy_key(key));
1508 }
1509exit:
1510 /*
1511 * Key attributes may have been returned by psa_get_key_attributes()
1512 * thus reset them as required.
1513 */
1514 psa_reset_key_attributes(&got_attributes);
1515 return NULL;
1516}
1517#endif /* MBEDTLS_THREADING_PTHREAD */
1518
Gilles Peskinee59236f2018-01-27 23:32:46 +01001519/* END_HEADER */
1520
1521/* BEGIN_DEPENDENCIES
1522 * depends_on:MBEDTLS_PSA_CRYPTO_C
1523 * END_DEPENDENCIES
1524 */
1525
1526/* BEGIN_CASE */
Manuel Pégourié-Gonnard7abdf7e2023-03-09 11:17:43 +01001527void psa_can_do_hash()
1528{
1529 /* We can't test that this is specific to drivers until partial init has
1530 * been implemented, but we can at least test before/after full init. */
1531 TEST_EQUAL(0, psa_can_do_hash(PSA_ALG_NONE));
1532 PSA_INIT();
1533 TEST_EQUAL(1, psa_can_do_hash(PSA_ALG_NONE));
1534 PSA_DONE();
1535}
1536/* END_CASE */
1537
1538/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001539void static_checks()
Gilles Peskinee1f2d7d2018-08-21 14:54:54 +02001540{
1541 size_t max_truncated_mac_size =
1542 PSA_ALG_MAC_TRUNCATION_MASK >> PSA_MAC_TRUNCATION_OFFSET;
1543
1544 /* Check that the length for a truncated MAC always fits in the algorithm
1545 * encoding. The shifted mask is the maximum truncated value. The
1546 * untruncated algorithm may be one byte larger. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001547 TEST_LE_U(PSA_MAC_MAX_SIZE, 1 + max_truncated_mac_size);
Gilles Peskinee1f2d7d2018-08-21 14:54:54 +02001548}
1549/* END_CASE */
1550
1551/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001552void import_with_policy(int type_arg,
1553 int usage_arg, int alg_arg,
1554 int expected_status_arg)
Gilles Peskine6edfa292019-07-31 15:53:45 +02001555{
1556 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1557 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Ronald Cron5425a212020-08-04 14:58:35 +02001558 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine6edfa292019-07-31 15:53:45 +02001559 psa_key_type_t type = type_arg;
1560 psa_key_usage_t usage = usage_arg;
1561 psa_algorithm_t alg = alg_arg;
1562 psa_status_t expected_status = expected_status_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01001563 const uint8_t key_material[16] = { 0 };
Gilles Peskine6edfa292019-07-31 15:53:45 +02001564 psa_status_t status;
1565
Gilles Peskine449bd832023-01-11 14:50:10 +01001566 PSA_ASSERT(psa_crypto_init());
Gilles Peskine6edfa292019-07-31 15:53:45 +02001567
Gilles Peskine449bd832023-01-11 14:50:10 +01001568 psa_set_key_type(&attributes, type);
1569 psa_set_key_usage_flags(&attributes, usage);
1570 psa_set_key_algorithm(&attributes, alg);
Gilles Peskine6edfa292019-07-31 15:53:45 +02001571
Gilles Peskine449bd832023-01-11 14:50:10 +01001572 status = psa_import_key(&attributes,
1573 key_material, sizeof(key_material),
1574 &key);
1575 TEST_EQUAL(status, expected_status);
1576 if (status != PSA_SUCCESS) {
Gilles Peskine6edfa292019-07-31 15:53:45 +02001577 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001578 }
Gilles Peskine6edfa292019-07-31 15:53:45 +02001579
Gilles Peskine449bd832023-01-11 14:50:10 +01001580 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
1581 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
1582 TEST_EQUAL(psa_get_key_usage_flags(&got_attributes),
1583 mbedtls_test_update_key_usage_flags(usage));
1584 TEST_EQUAL(psa_get_key_algorithm(&got_attributes), alg);
1585 ASSERT_NO_SLOT_NUMBER(&got_attributes);
Gilles Peskine6edfa292019-07-31 15:53:45 +02001586
Gilles Peskine449bd832023-01-11 14:50:10 +01001587 PSA_ASSERT(psa_destroy_key(key));
1588 test_operations_on_invalid_key(key);
Gilles Peskine6edfa292019-07-31 15:53:45 +02001589
1590exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001591 /*
1592 * Key attributes may have been returned by psa_get_key_attributes()
1593 * thus reset them as required.
1594 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001595 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001596
Gilles Peskine449bd832023-01-11 14:50:10 +01001597 psa_destroy_key(key);
1598 PSA_DONE();
Gilles Peskine6edfa292019-07-31 15:53:45 +02001599}
1600/* END_CASE */
1601
1602/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001603void import_with_data(data_t *data, int type_arg,
1604 int attr_bits_arg,
1605 int expected_status_arg)
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001606{
1607 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1608 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Ronald Cron5425a212020-08-04 14:58:35 +02001609 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001610 psa_key_type_t type = type_arg;
Gilles Peskine8fb3a9e2019-05-03 16:59:21 +02001611 size_t attr_bits = attr_bits_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02001612 psa_status_t expected_status = expected_status_arg;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001613 psa_status_t status;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001614
Gilles Peskine449bd832023-01-11 14:50:10 +01001615 PSA_ASSERT(psa_crypto_init());
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001616
Gilles Peskine449bd832023-01-11 14:50:10 +01001617 psa_set_key_type(&attributes, type);
1618 psa_set_key_bits(&attributes, attr_bits);
Gilles Peskine6edfa292019-07-31 15:53:45 +02001619
Gilles Peskine449bd832023-01-11 14:50:10 +01001620 status = psa_import_key(&attributes, data->x, data->len, &key);
Manuel Pégourié-Gonnard0509b582023-08-08 12:47:56 +02001621 /* When expecting INVALID_ARGUMENT, also accept NOT_SUPPORTED.
1622 *
1623 * This can happen with a type supported only by a driver:
1624 * - the driver sees the invalid data (for example wrong size) and thinks
1625 * "well perhaps this is a key size I don't support" so it returns
1626 * NOT_SUPPORTED which is correct at this point;
1627 * - we fallback to built-ins, which don't support this type, so return
1628 * NOT_SUPPORTED which again is correct at this point.
1629 */
1630 if (expected_status == PSA_ERROR_INVALID_ARGUMENT &&
1631 status == PSA_ERROR_NOT_SUPPORTED) {
1632 ; // OK
1633 } else {
1634 TEST_EQUAL(status, expected_status);
1635 }
Gilles Peskine449bd832023-01-11 14:50:10 +01001636 if (status != PSA_SUCCESS) {
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001637 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001638 }
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001639
Gilles Peskine449bd832023-01-11 14:50:10 +01001640 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
1641 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
1642 if (attr_bits != 0) {
1643 TEST_EQUAL(attr_bits, psa_get_key_bits(&got_attributes));
1644 }
1645 ASSERT_NO_SLOT_NUMBER(&got_attributes);
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001646
Gilles Peskine449bd832023-01-11 14:50:10 +01001647 PSA_ASSERT(psa_destroy_key(key));
1648 test_operations_on_invalid_key(key);
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001649
1650exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001651 /*
1652 * Key attributes may have been returned by psa_get_key_attributes()
1653 * thus reset them as required.
1654 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001655 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001656
Gilles Peskine449bd832023-01-11 14:50:10 +01001657 psa_destroy_key(key);
1658 PSA_DONE();
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001659}
1660/* END_CASE */
1661
1662/* BEGIN_CASE */
Gilles Peskine07510f52022-11-11 16:37:16 +01001663/* Construct and attempt to import a large unstructured key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001664void import_large_key(int type_arg, int byte_size_arg,
1665 int expected_status_arg)
Gilles Peskinec744d992019-07-30 17:26:54 +02001666{
1667 psa_key_type_t type = type_arg;
1668 size_t byte_size = byte_size_arg;
1669 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1670 psa_status_t expected_status = expected_status_arg;
Ronald Cron5425a212020-08-04 14:58:35 +02001671 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinec744d992019-07-30 17:26:54 +02001672 psa_status_t status;
1673 uint8_t *buffer = NULL;
1674 size_t buffer_size = byte_size + 1;
1675 size_t n;
1676
Steven Cooreman69967ce2021-01-18 18:01:08 +01001677 /* Skip the test case if the target running the test cannot
Shaun Case8b0ecbc2021-12-20 21:14:10 -08001678 * accommodate large keys due to heap size constraints */
Tom Cosgrove412a8132023-07-20 16:55:14 +01001679 TEST_CALLOC_OR_SKIP(buffer, buffer_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01001680 memset(buffer, 'K', byte_size);
Gilles Peskinec744d992019-07-30 17:26:54 +02001681
Gilles Peskine449bd832023-01-11 14:50:10 +01001682 PSA_ASSERT(psa_crypto_init());
Gilles Peskinec744d992019-07-30 17:26:54 +02001683
1684 /* Try importing the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001685 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT);
1686 psa_set_key_type(&attributes, type);
1687 status = psa_import_key(&attributes, buffer, byte_size, &key);
1688 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY);
1689 TEST_EQUAL(status, expected_status);
Gilles Peskinec744d992019-07-30 17:26:54 +02001690
Gilles Peskine449bd832023-01-11 14:50:10 +01001691 if (status == PSA_SUCCESS) {
1692 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
1693 TEST_EQUAL(psa_get_key_type(&attributes), type);
1694 TEST_EQUAL(psa_get_key_bits(&attributes),
1695 PSA_BYTES_TO_BITS(byte_size));
1696 ASSERT_NO_SLOT_NUMBER(&attributes);
1697 memset(buffer, 0, byte_size + 1);
1698 PSA_ASSERT(psa_export_key(key, buffer, byte_size, &n));
1699 for (n = 0; n < byte_size; n++) {
1700 TEST_EQUAL(buffer[n], 'K');
1701 }
1702 for (n = byte_size; n < buffer_size; n++) {
1703 TEST_EQUAL(buffer[n], 0);
1704 }
Gilles Peskinec744d992019-07-30 17:26:54 +02001705 }
1706
1707exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001708 /*
1709 * Key attributes may have been returned by psa_get_key_attributes()
1710 * thus reset them as required.
1711 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001712 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001713
Gilles Peskine449bd832023-01-11 14:50:10 +01001714 psa_destroy_key(key);
1715 PSA_DONE();
1716 mbedtls_free(buffer);
Gilles Peskinec744d992019-07-30 17:26:54 +02001717}
1718/* END_CASE */
1719
Andrzej Kurek77b8e092022-01-17 15:29:38 +01001720/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C */
Gilles Peskine07510f52022-11-11 16:37:16 +01001721/* Import an RSA key with a valid structure (but not valid numbers
1722 * inside, beyond having sensible size and parity). This is expected to
1723 * fail for large keys. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001724void import_rsa_made_up(int bits_arg, int keypair, int expected_status_arg)
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001725{
Ronald Cron5425a212020-08-04 14:58:35 +02001726 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001727 size_t bits = bits_arg;
1728 psa_status_t expected_status = expected_status_arg;
1729 psa_status_t status;
1730 psa_key_type_t type =
Gilles Peskinec93b80c2019-05-16 19:39:54 +02001731 keypair ? PSA_KEY_TYPE_RSA_KEY_PAIR : PSA_KEY_TYPE_RSA_PUBLIC_KEY;
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001732 size_t buffer_size = /* Slight overapproximations */
Gilles Peskine449bd832023-01-11 14:50:10 +01001733 keypair ? bits * 9 / 16 + 80 : bits / 8 + 20;
Gilles Peskine8cebbba2018-09-27 13:54:18 +02001734 unsigned char *buffer = NULL;
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001735 unsigned char *p;
1736 int ret;
1737 size_t length;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02001738 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001739
Gilles Peskine449bd832023-01-11 14:50:10 +01001740 PSA_ASSERT(psa_crypto_init());
Tom Cosgrove05b2a872023-07-21 11:31:13 +01001741 TEST_CALLOC(buffer, buffer_size);
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001742
Gilles Peskine449bd832023-01-11 14:50:10 +01001743 TEST_ASSERT((ret = construct_fake_rsa_key(buffer, buffer_size, &p,
1744 bits, keypair)) >= 0);
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001745 length = ret;
1746
1747 /* Try importing the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001748 psa_set_key_type(&attributes, type);
1749 status = psa_import_key(&attributes, p, length, &key);
1750 TEST_EQUAL(status, expected_status);
Gilles Peskine76b29a72019-05-28 14:08:50 +02001751
Gilles Peskine449bd832023-01-11 14:50:10 +01001752 if (status == PSA_SUCCESS) {
1753 PSA_ASSERT(psa_destroy_key(key));
1754 }
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001755
1756exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01001757 mbedtls_free(buffer);
1758 PSA_DONE();
Gilles Peskine0b352bc2018-06-28 00:16:11 +02001759}
1760/* END_CASE */
1761
1762/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001763void import_export(data_t *data,
1764 int type_arg,
1765 int usage_arg, int alg_arg,
1766 int lifetime_arg,
1767 int expected_bits,
1768 int export_size_delta,
1769 int expected_export_status_arg,
1770 /*whether reexport must give the original input exactly*/
1771 int canonical_input)
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001772{
Ronald Cron5425a212020-08-04 14:58:35 +02001773 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001774 psa_key_type_t type = type_arg;
Gilles Peskine4abf7412018-06-18 16:35:34 +02001775 psa_algorithm_t alg = alg_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02001776 psa_status_t expected_export_status = expected_export_status_arg;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001777 psa_status_t status;
Archana4d7ae1d2021-07-07 02:50:22 +05301778 psa_key_lifetime_t lifetime = lifetime_arg;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001779 unsigned char *exported = NULL;
1780 unsigned char *reexported = NULL;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001781 size_t export_size;
Jaeden Amerof24c7f82018-06-27 17:20:43 +01001782 size_t exported_length = INVALID_EXPORT_LENGTH;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001783 size_t reexported_length;
Gilles Peskine4747d192019-04-17 15:05:45 +02001784 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001785 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001786
Moran Pekercb088e72018-07-17 17:36:59 +03001787 export_size = (ptrdiff_t) data->len + export_size_delta;
Tom Cosgrove05b2a872023-07-21 11:31:13 +01001788 TEST_CALLOC(exported, export_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01001789 if (!canonical_input) {
Tom Cosgrove05b2a872023-07-21 11:31:13 +01001790 TEST_CALLOC(reexported, export_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01001791 }
1792 PSA_ASSERT(psa_crypto_init());
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001793
Gilles Peskine449bd832023-01-11 14:50:10 +01001794 psa_set_key_lifetime(&attributes, lifetime);
1795 psa_set_key_usage_flags(&attributes, usage_arg);
1796 psa_set_key_algorithm(&attributes, alg);
1797 psa_set_key_type(&attributes, type);
mohammad1603a97cb8c2018-03-28 03:46:26 -07001798
Przemek Stekiel1d9c2b62022-12-01 15:01:39 +01001799 if (PSA_KEY_TYPE_IS_DH(type) &&
1800 expected_export_status == PSA_ERROR_BUFFER_TOO_SMALL) {
Przemek Stekiel654bef02022-12-15 13:28:02 +01001801 /* Simulate that buffer is too small, by decreasing its size by 1 byte. */
1802 export_size -= 1;
Przemek Stekiel1d9c2b62022-12-01 15:01:39 +01001803 }
1804
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001805 /* Import the key */
Przemek Stekiel1d9c2b62022-12-01 15:01:39 +01001806 TEST_EQUAL(psa_import_key(&attributes, data->x, data->len, &key),
Przemek Stekiel2e7c33d2023-04-27 12:29:45 +02001807 PSA_SUCCESS);
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001808
1809 /* Test the key information */
Gilles Peskine449bd832023-01-11 14:50:10 +01001810 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
1811 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
1812 TEST_EQUAL(psa_get_key_bits(&got_attributes), (size_t) expected_bits);
1813 ASSERT_NO_SLOT_NUMBER(&got_attributes);
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001814
1815 /* Export the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001816 status = psa_export_key(key, exported, export_size, &exported_length);
1817 TEST_EQUAL(status, expected_export_status);
Jaeden Amerof24c7f82018-06-27 17:20:43 +01001818
1819 /* The exported length must be set by psa_export_key() to a value between 0
1820 * and export_size. On errors, the exported length must be 0. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001821 TEST_ASSERT(exported_length != INVALID_EXPORT_LENGTH);
1822 TEST_ASSERT(status == PSA_SUCCESS || exported_length == 0);
1823 TEST_LE_U(exported_length, export_size);
Jaeden Amerof24c7f82018-06-27 17:20:43 +01001824
Gilles Peskine449bd832023-01-11 14:50:10 +01001825 TEST_ASSERT(mem_is_char(exported + exported_length, 0,
1826 export_size - exported_length));
1827 if (status != PSA_SUCCESS) {
1828 TEST_EQUAL(exported_length, 0);
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001829 goto destroy;
Gilles Peskinee66ca3b2018-06-20 00:11:45 +02001830 }
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001831
Gilles Peskineea38a922021-02-13 00:05:16 +01001832 /* Run sanity checks on the exported key. For non-canonical inputs,
1833 * this validates the canonical representations. For canonical inputs,
1834 * this doesn't directly validate the implementation, but it still helps
1835 * by cross-validating the test data with the sanity check code. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001836 if (!psa_key_lifetime_is_external(lifetime)) {
Ryan Everett0a271fd2024-03-12 16:34:02 +00001837 if (!mbedtls_test_psa_exercise_key(key, usage_arg, 0, 0)) {
Archana4d7ae1d2021-07-07 02:50:22 +05301838 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001839 }
Archana4d7ae1d2021-07-07 02:50:22 +05301840 }
Gilles Peskine8f609232018-08-11 01:24:55 +02001841
Gilles Peskine449bd832023-01-11 14:50:10 +01001842 if (canonical_input) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01001843 TEST_MEMORY_COMPARE(data->x, data->len, exported, exported_length);
Gilles Peskine449bd832023-01-11 14:50:10 +01001844 } else {
Ronald Cron5425a212020-08-04 14:58:35 +02001845 mbedtls_svc_key_id_t key2 = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +01001846 PSA_ASSERT(psa_import_key(&attributes, exported, exported_length,
1847 &key2));
1848 PSA_ASSERT(psa_export_key(key2,
1849 reexported,
1850 export_size,
1851 &reexported_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01001852 TEST_MEMORY_COMPARE(exported, exported_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01001853 reexported, reexported_length);
Gilles Peskine449bd832023-01-11 14:50:10 +01001854 PSA_ASSERT(psa_destroy_key(key2));
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001855 }
Gilles Peskine449bd832023-01-11 14:50:10 +01001856 TEST_LE_U(exported_length,
1857 PSA_EXPORT_KEY_OUTPUT_SIZE(type,
1858 psa_get_key_bits(&got_attributes)));
Valerio Setti1eacae82023-07-28 16:07:03 +02001859 if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
1860 TEST_LE_U(exported_length, PSA_EXPORT_KEY_PAIR_MAX_SIZE);
1861 } else if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
1862 TEST_LE_U(exported_length, PSA_EXPORT_PUBLIC_KEY_MAX_SIZE);
1863 }
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001864
1865destroy:
1866 /* Destroy the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001867 PSA_ASSERT(psa_destroy_key(key));
1868 test_operations_on_invalid_key(key);
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001869
1870exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001871 /*
1872 * Key attributes may have been returned by psa_get_key_attributes()
1873 * thus reset them as required.
1874 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001875 psa_reset_key_attributes(&got_attributes);
1876 psa_destroy_key(key);
1877 mbedtls_free(exported);
1878 mbedtls_free(reexported);
1879 PSA_DONE();
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001880}
1881/* END_CASE */
Gilles Peskine20035e32018-02-03 22:44:14 +01001882
Moran Pekerf709f4a2018-06-06 17:26:04 +03001883/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01001884void import_export_public_key(data_t *data,
1885 int type_arg, // key pair or public key
1886 int alg_arg,
1887 int lifetime_arg,
1888 int export_size_delta,
1889 int expected_export_status_arg,
1890 data_t *expected_public_key)
Moran Pekerf709f4a2018-06-06 17:26:04 +03001891{
Ronald Cron5425a212020-08-04 14:58:35 +02001892 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Moran Pekerf709f4a2018-06-06 17:26:04 +03001893 psa_key_type_t type = type_arg;
Gilles Peskine4abf7412018-06-18 16:35:34 +02001894 psa_algorithm_t alg = alg_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02001895 psa_status_t expected_export_status = expected_export_status_arg;
Moran Pekerf709f4a2018-06-06 17:26:04 +03001896 psa_status_t status;
Archana4d7ae1d2021-07-07 02:50:22 +05301897 psa_key_lifetime_t lifetime = lifetime_arg;
Moran Pekerf709f4a2018-06-06 17:26:04 +03001898 unsigned char *exported = NULL;
Gilles Peskine49c25912018-10-29 15:15:31 +01001899 size_t export_size = expected_public_key->len + export_size_delta;
Jaeden Amero2a671e92018-06-27 17:47:40 +01001900 size_t exported_length = INVALID_EXPORT_LENGTH;
Gilles Peskine4747d192019-04-17 15:05:45 +02001901 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Moran Pekerf709f4a2018-06-06 17:26:04 +03001902
Gilles Peskine449bd832023-01-11 14:50:10 +01001903 PSA_ASSERT(psa_crypto_init());
Moran Pekerf709f4a2018-06-06 17:26:04 +03001904
Gilles Peskine449bd832023-01-11 14:50:10 +01001905 psa_set_key_lifetime(&attributes, lifetime);
1906 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT);
1907 psa_set_key_algorithm(&attributes, alg);
1908 psa_set_key_type(&attributes, type);
Moran Pekerf709f4a2018-06-06 17:26:04 +03001909
1910 /* Import the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01001911 PSA_ASSERT(psa_import_key(&attributes, data->x, data->len, &key));
Moran Pekerf709f4a2018-06-06 17:26:04 +03001912
Gilles Peskine49c25912018-10-29 15:15:31 +01001913 /* Export the public key */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01001914 TEST_CALLOC(exported, export_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01001915 status = psa_export_public_key(key,
1916 exported, export_size,
1917 &exported_length);
1918 TEST_EQUAL(status, expected_export_status);
1919 if (status == PSA_SUCCESS) {
1920 psa_key_type_t public_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type);
Gilles Peskined8b7d4f2018-10-29 15:18:41 +01001921 size_t bits;
Gilles Peskine449bd832023-01-11 14:50:10 +01001922 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
1923 bits = psa_get_key_bits(&attributes);
1924 TEST_LE_U(expected_public_key->len,
1925 PSA_EXPORT_KEY_OUTPUT_SIZE(public_type, bits));
1926 TEST_LE_U(expected_public_key->len,
1927 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(public_type, bits));
1928 TEST_LE_U(expected_public_key->len,
1929 PSA_EXPORT_PUBLIC_KEY_MAX_SIZE);
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01001930 TEST_MEMORY_COMPARE(expected_public_key->x, expected_public_key->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01001931 exported, exported_length);
Gilles Peskined8b7d4f2018-10-29 15:18:41 +01001932 }
Moran Pekerf709f4a2018-06-06 17:26:04 +03001933exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001934 /*
1935 * Key attributes may have been returned by psa_get_key_attributes()
1936 * thus reset them as required.
1937 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001938 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01001939
Gilles Peskine449bd832023-01-11 14:50:10 +01001940 mbedtls_free(exported);
1941 psa_destroy_key(key);
1942 PSA_DONE();
Moran Pekerf709f4a2018-06-06 17:26:04 +03001943}
1944/* END_CASE */
1945
Ryan Everett50619992024-03-12 16:55:14 +00001946
1947#if defined(MBEDTLS_THREADING_PTHREAD)
1948/* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD:MBEDTLS_PSA_CRYPTO_STORAGE_C */
1949void concurrently_use_same_persistent_key(data_t *data,
1950 int type_arg,
1951 int bits_arg,
1952 int alg_arg,
1953 int thread_count_arg)
1954{
1955 size_t thread_count = (size_t) thread_count_arg;
1956 mbedtls_test_thread_t *threads = NULL;
1957 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, 1);
1958 same_key_context skc;
1959 skc.data = data;
1960 skc.key = key_id;
1961 skc.type = type_arg;
1962 skc.bits = bits_arg;
1963 skc.key_loaded = 0;
1964 mbedtls_mutex_init(&skc.key_loaded_mutex);
1965 psa_key_usage_t usage = mbedtls_test_psa_usage_to_exercise(skc.type, alg_arg);
1966 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1967
1968 PSA_ASSERT(psa_crypto_init());
1969
1970 psa_set_key_id(&attributes, key_id);
1971 psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_PERSISTENT);
1972 psa_set_key_usage_flags(&attributes, usage);
1973 psa_set_key_algorithm(&attributes, alg_arg);
1974 psa_set_key_type(&attributes, type_arg);
1975 psa_set_key_bits(&attributes, bits_arg);
1976 skc.attributes = &attributes;
1977
1978 TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count);
1979
1980 /* Test that when multiple threads import the same key,
1981 * exactly one thread succeeds and the rest fail with valid errors.
1982 * Also test that all threads can use the key as soon as it has been
1983 * imported. */
1984 for (size_t i = 0; i < thread_count; i++) {
1985 TEST_EQUAL(
1986 mbedtls_test_thread_create(&threads[i], thread_import_key,
1987 (void *) &skc), 0);
1988 }
1989
1990 /* Join threads. */
1991 for (size_t i = 0; i < thread_count; i++) {
1992 TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0);
1993 }
1994
1995 /* Test that when multiple threads use and destroy a key no corruption
1996 * occurs, and exactly one thread succeeds when destroying the key. */
1997 for (size_t i = 0; i < thread_count; i++) {
1998 TEST_EQUAL(
1999 mbedtls_test_thread_create(&threads[i], thread_use_and_destroy_key,
2000 (void *) &skc), 0);
2001 }
2002
2003 /* Join threads. */
2004 for (size_t i = 0; i < thread_count; i++) {
2005 TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0);
2006 }
2007 /* Ensure that one thread succeeded in destroying the key. */
2008 TEST_ASSERT(!skc.key_loaded);
2009exit:
2010 psa_reset_key_attributes(&attributes);
2011 mbedtls_mutex_free(&skc.key_loaded_mutex);
2012 mbedtls_free(threads);
2013 PSA_DONE();
2014}
2015/* END_CASE */
2016#endif
2017
Gilles Peskine20035e32018-02-03 22:44:14 +01002018/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002019void import_and_exercise_key(data_t *data,
2020 int type_arg,
2021 int bits_arg,
2022 int alg_arg)
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002023{
Ronald Cron5425a212020-08-04 14:58:35 +02002024 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002025 psa_key_type_t type = type_arg;
2026 size_t bits = bits_arg;
2027 psa_algorithm_t alg = alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01002028 psa_key_usage_t usage = mbedtls_test_psa_usage_to_exercise(type, alg);
Gilles Peskine4747d192019-04-17 15:05:45 +02002029 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02002030 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002031
Gilles Peskine449bd832023-01-11 14:50:10 +01002032 PSA_ASSERT(psa_crypto_init());
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002033
Gilles Peskine449bd832023-01-11 14:50:10 +01002034 psa_set_key_usage_flags(&attributes, usage);
2035 psa_set_key_algorithm(&attributes, alg);
2036 psa_set_key_type(&attributes, type);
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002037
2038 /* Import the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01002039 PSA_ASSERT(psa_import_key(&attributes, data->x, data->len, &key));
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002040
2041 /* Test the key information */
Gilles Peskine449bd832023-01-11 14:50:10 +01002042 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
2043 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
2044 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002045
2046 /* Do something with the key according to its type and permitted usage. */
Ryan Everett0a271fd2024-03-12 16:34:02 +00002047 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
Gilles Peskine02b75072018-07-01 22:31:34 +02002048 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01002049 }
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002050
Gilles Peskine449bd832023-01-11 14:50:10 +01002051 PSA_ASSERT(psa_destroy_key(key));
2052 test_operations_on_invalid_key(key);
Gilles Peskine4cf3a432019-04-18 22:28:52 +02002053
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002054exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002055 /*
2056 * Key attributes may have been returned by psa_get_key_attributes()
2057 * thus reset them as required.
2058 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002059 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002060
Gilles Peskine449bd832023-01-11 14:50:10 +01002061 psa_reset_key_attributes(&attributes);
2062 psa_destroy_key(key);
2063 PSA_DONE();
Gilles Peskinea680c7a2018-06-26 16:12:43 +02002064}
2065/* END_CASE */
2066
2067/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002068void effective_key_attributes(int type_arg, int expected_type_arg,
2069 int bits_arg, int expected_bits_arg,
2070 int usage_arg, int expected_usage_arg,
2071 int alg_arg, int expected_alg_arg)
Gilles Peskined5b33222018-06-18 22:20:03 +02002072{
Ronald Cron5425a212020-08-04 14:58:35 +02002073 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine1a960492019-11-26 17:12:21 +01002074 psa_key_type_t key_type = type_arg;
Gilles Peskine06c28892019-11-26 18:07:46 +01002075 psa_key_type_t expected_key_type = expected_type_arg;
Gilles Peskine1a960492019-11-26 17:12:21 +01002076 size_t bits = bits_arg;
Gilles Peskine06c28892019-11-26 18:07:46 +01002077 size_t expected_bits = expected_bits_arg;
Gilles Peskined5b33222018-06-18 22:20:03 +02002078 psa_algorithm_t alg = alg_arg;
Gilles Peskine06c28892019-11-26 18:07:46 +01002079 psa_algorithm_t expected_alg = expected_alg_arg;
Gilles Peskined5b33222018-06-18 22:20:03 +02002080 psa_key_usage_t usage = usage_arg;
Gilles Peskine06c28892019-11-26 18:07:46 +01002081 psa_key_usage_t expected_usage = expected_usage_arg;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02002082 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskined5b33222018-06-18 22:20:03 +02002083
Gilles Peskine449bd832023-01-11 14:50:10 +01002084 PSA_ASSERT(psa_crypto_init());
Gilles Peskined5b33222018-06-18 22:20:03 +02002085
Gilles Peskine449bd832023-01-11 14:50:10 +01002086 psa_set_key_usage_flags(&attributes, usage);
2087 psa_set_key_algorithm(&attributes, alg);
2088 psa_set_key_type(&attributes, key_type);
2089 psa_set_key_bits(&attributes, bits);
Gilles Peskined5b33222018-06-18 22:20:03 +02002090
Gilles Peskine449bd832023-01-11 14:50:10 +01002091 PSA_ASSERT(psa_generate_key(&attributes, &key));
2092 psa_reset_key_attributes(&attributes);
Gilles Peskined5b33222018-06-18 22:20:03 +02002093
Gilles Peskine449bd832023-01-11 14:50:10 +01002094 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
2095 TEST_EQUAL(psa_get_key_type(&attributes), expected_key_type);
2096 TEST_EQUAL(psa_get_key_bits(&attributes), expected_bits);
2097 TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage);
2098 TEST_EQUAL(psa_get_key_algorithm(&attributes), expected_alg);
Gilles Peskined5b33222018-06-18 22:20:03 +02002099
2100exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002101 /*
2102 * Key attributes may have been returned by psa_get_key_attributes()
2103 * thus reset them as required.
2104 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002105 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002106
Gilles Peskine449bd832023-01-11 14:50:10 +01002107 psa_destroy_key(key);
2108 PSA_DONE();
Gilles Peskined5b33222018-06-18 22:20:03 +02002109}
2110/* END_CASE */
2111
2112/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002113void check_key_policy(int type_arg, int bits_arg,
2114 int usage_arg, int alg_arg)
Gilles Peskine06c28892019-11-26 18:07:46 +01002115{
Gilles Peskine449bd832023-01-11 14:50:10 +01002116 test_effective_key_attributes(type_arg, type_arg, bits_arg, bits_arg,
2117 usage_arg,
2118 mbedtls_test_update_key_usage_flags(usage_arg),
2119 alg_arg, alg_arg);
Gilles Peskine06c28892019-11-26 18:07:46 +01002120 goto exit;
2121}
2122/* END_CASE */
2123
2124/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002125void key_attributes_init()
Jaeden Amero70261c52019-01-04 11:47:20 +00002126{
2127 /* Test each valid way of initializing the object, except for `= {0}`, as
2128 * Clang 5 complains when `-Wmissing-field-initializers` is used, even
2129 * though it's OK by the C standard. We could test for this, but we'd need
Shaun Case8b0ecbc2021-12-20 21:14:10 -08002130 * to suppress the Clang warning for the test. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002131 psa_key_attributes_t func = psa_key_attributes_init();
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002132 psa_key_attributes_t init = PSA_KEY_ATTRIBUTES_INIT;
2133 psa_key_attributes_t zero;
Jaeden Amero70261c52019-01-04 11:47:20 +00002134
Gilles Peskine449bd832023-01-11 14:50:10 +01002135 memset(&zero, 0, sizeof(zero));
Jaeden Amero70261c52019-01-04 11:47:20 +00002136
Gilles Peskine449bd832023-01-11 14:50:10 +01002137 TEST_EQUAL(psa_get_key_lifetime(&func), PSA_KEY_LIFETIME_VOLATILE);
2138 TEST_EQUAL(psa_get_key_lifetime(&init), PSA_KEY_LIFETIME_VOLATILE);
2139 TEST_EQUAL(psa_get_key_lifetime(&zero), PSA_KEY_LIFETIME_VOLATILE);
Jaeden Amero5229bbb2019-02-07 16:33:37 +00002140
Gilles Peskine449bd832023-01-11 14:50:10 +01002141 TEST_EQUAL(psa_get_key_type(&func), 0);
2142 TEST_EQUAL(psa_get_key_type(&init), 0);
2143 TEST_EQUAL(psa_get_key_type(&zero), 0);
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002144
Gilles Peskine449bd832023-01-11 14:50:10 +01002145 TEST_EQUAL(psa_get_key_bits(&func), 0);
2146 TEST_EQUAL(psa_get_key_bits(&init), 0);
2147 TEST_EQUAL(psa_get_key_bits(&zero), 0);
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002148
Gilles Peskine449bd832023-01-11 14:50:10 +01002149 TEST_EQUAL(psa_get_key_usage_flags(&func), 0);
2150 TEST_EQUAL(psa_get_key_usage_flags(&init), 0);
2151 TEST_EQUAL(psa_get_key_usage_flags(&zero), 0);
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002152
Gilles Peskine449bd832023-01-11 14:50:10 +01002153 TEST_EQUAL(psa_get_key_algorithm(&func), 0);
2154 TEST_EQUAL(psa_get_key_algorithm(&init), 0);
2155 TEST_EQUAL(psa_get_key_algorithm(&zero), 0);
Jaeden Amero70261c52019-01-04 11:47:20 +00002156}
2157/* END_CASE */
2158
2159/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002160void mac_key_policy(int policy_usage_arg,
2161 int policy_alg_arg,
2162 int key_type_arg,
2163 data_t *key_data,
2164 int exercise_alg_arg,
2165 int expected_status_sign_arg,
2166 int expected_status_verify_arg)
Gilles Peskined5b33222018-06-18 22:20:03 +02002167{
Ronald Cron5425a212020-08-04 14:58:35 +02002168 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002169 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Jaeden Amero769ce272019-01-04 11:48:03 +00002170 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002171 psa_key_type_t key_type = key_type_arg;
2172 psa_algorithm_t policy_alg = policy_alg_arg;
2173 psa_algorithm_t exercise_alg = exercise_alg_arg;
2174 psa_key_usage_t policy_usage = policy_usage_arg;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002175 psa_status_t status;
Mateusz Starzykd07f4fc2021-08-24 11:01:23 +02002176 psa_status_t expected_status_sign = expected_status_sign_arg;
2177 psa_status_t expected_status_verify = expected_status_verify_arg;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002178 unsigned char mac[PSA_MAC_MAX_SIZE];
Gilles Peskined5b33222018-06-18 22:20:03 +02002179
Gilles Peskine449bd832023-01-11 14:50:10 +01002180 PSA_ASSERT(psa_crypto_init());
Gilles Peskined5b33222018-06-18 22:20:03 +02002181
Gilles Peskine449bd832023-01-11 14:50:10 +01002182 psa_set_key_usage_flags(&attributes, policy_usage);
2183 psa_set_key_algorithm(&attributes, policy_alg);
2184 psa_set_key_type(&attributes, key_type);
Gilles Peskined5b33222018-06-18 22:20:03 +02002185
Gilles Peskine449bd832023-01-11 14:50:10 +01002186 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2187 &key));
Gilles Peskined5b33222018-06-18 22:20:03 +02002188
Gilles Peskine449bd832023-01-11 14:50:10 +01002189 TEST_EQUAL(psa_get_key_usage_flags(&attributes),
2190 mbedtls_test_update_key_usage_flags(policy_usage));
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002191
Gilles Peskine449bd832023-01-11 14:50:10 +01002192 status = psa_mac_sign_setup(&operation, key, exercise_alg);
2193 TEST_EQUAL(status, expected_status_sign);
Steven Cooremanb3ce8152021-02-18 12:03:50 +01002194
Mateusz Starzyk1ebcd552021-08-30 17:09:03 +02002195 /* Calculate the MAC, one-shot case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002196 uint8_t input[128] = { 0 };
Mateusz Starzyk1ebcd552021-08-30 17:09:03 +02002197 size_t mac_len;
Gilles Peskine449bd832023-01-11 14:50:10 +01002198 TEST_EQUAL(psa_mac_compute(key, exercise_alg,
2199 input, 128,
2200 mac, PSA_MAC_MAX_SIZE, &mac_len),
2201 expected_status_sign);
Mateusz Starzyk1ebcd552021-08-30 17:09:03 +02002202
Neil Armstrong3af9b972022-02-07 12:20:21 +01002203 /* Calculate the MAC, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002204 PSA_ASSERT(psa_mac_abort(&operation));
2205 status = psa_mac_sign_setup(&operation, key, exercise_alg);
2206 if (status == PSA_SUCCESS) {
2207 status = psa_mac_update(&operation, input, 128);
2208 if (status == PSA_SUCCESS) {
2209 TEST_EQUAL(psa_mac_sign_finish(&operation, mac, PSA_MAC_MAX_SIZE,
2210 &mac_len),
2211 expected_status_sign);
2212 } else {
2213 TEST_EQUAL(status, expected_status_sign);
2214 }
2215 } else {
2216 TEST_EQUAL(status, expected_status_sign);
Neil Armstrong3af9b972022-02-07 12:20:21 +01002217 }
Gilles Peskine449bd832023-01-11 14:50:10 +01002218 PSA_ASSERT(psa_mac_abort(&operation));
Neil Armstrong3af9b972022-02-07 12:20:21 +01002219
Mateusz Starzyk1ebcd552021-08-30 17:09:03 +02002220 /* Verify correct MAC, one-shot case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002221 status = psa_mac_verify(key, exercise_alg, input, 128,
2222 mac, mac_len);
Mateusz Starzyk1ebcd552021-08-30 17:09:03 +02002223
Gilles Peskine449bd832023-01-11 14:50:10 +01002224 if (expected_status_sign != PSA_SUCCESS && expected_status_verify == PSA_SUCCESS) {
2225 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE);
2226 } else {
2227 TEST_EQUAL(status, expected_status_verify);
2228 }
Gilles Peskinefe11b722018-12-18 00:24:04 +01002229
Neil Armstrong3af9b972022-02-07 12:20:21 +01002230 /* Verify correct MAC, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002231 status = psa_mac_verify_setup(&operation, key, exercise_alg);
2232 if (status == PSA_SUCCESS) {
2233 status = psa_mac_update(&operation, input, 128);
2234 if (status == PSA_SUCCESS) {
2235 status = psa_mac_verify_finish(&operation, mac, mac_len);
2236 if (expected_status_sign != PSA_SUCCESS && expected_status_verify == PSA_SUCCESS) {
2237 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE);
2238 } else {
2239 TEST_EQUAL(status, expected_status_verify);
2240 }
2241 } else {
2242 TEST_EQUAL(status, expected_status_verify);
Neil Armstrong3af9b972022-02-07 12:20:21 +01002243 }
Gilles Peskine449bd832023-01-11 14:50:10 +01002244 } else {
2245 TEST_EQUAL(status, expected_status_verify);
Neil Armstrong3af9b972022-02-07 12:20:21 +01002246 }
2247
Gilles Peskine449bd832023-01-11 14:50:10 +01002248 psa_mac_abort(&operation);
Gilles Peskined5b33222018-06-18 22:20:03 +02002249
Gilles Peskine449bd832023-01-11 14:50:10 +01002250 memset(mac, 0, sizeof(mac));
2251 status = psa_mac_verify_setup(&operation, key, exercise_alg);
2252 TEST_EQUAL(status, expected_status_verify);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002253
2254exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002255 psa_mac_abort(&operation);
2256 psa_destroy_key(key);
2257 PSA_DONE();
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002258}
2259/* END_CASE */
2260
2261/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002262void cipher_key_policy(int policy_usage_arg,
2263 int policy_alg,
2264 int key_type,
2265 data_t *key_data,
2266 int exercise_alg)
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002267{
Ronald Cron5425a212020-08-04 14:58:35 +02002268 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002269 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Jaeden Amero5bae2272019-01-04 11:48:27 +00002270 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002271 psa_key_usage_t policy_usage = policy_usage_arg;
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002272 size_t output_buffer_size = 0;
2273 size_t input_buffer_size = 0;
2274 size_t output_length = 0;
2275 uint8_t *output = NULL;
2276 uint8_t *input = NULL;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002277 psa_status_t status;
2278
Gilles Peskine449bd832023-01-11 14:50:10 +01002279 input_buffer_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(exercise_alg);
2280 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, exercise_alg,
2281 input_buffer_size);
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002282
Tom Cosgrove05b2a872023-07-21 11:31:13 +01002283 TEST_CALLOC(input, input_buffer_size);
2284 TEST_CALLOC(output, output_buffer_size);
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002285
Gilles Peskine449bd832023-01-11 14:50:10 +01002286 PSA_ASSERT(psa_crypto_init());
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002287
Gilles Peskine449bd832023-01-11 14:50:10 +01002288 psa_set_key_usage_flags(&attributes, policy_usage);
2289 psa_set_key_algorithm(&attributes, policy_alg);
2290 psa_set_key_type(&attributes, key_type);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002291
Gilles Peskine449bd832023-01-11 14:50:10 +01002292 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2293 &key));
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002294
gabor-mezei-arm98a34352021-06-28 14:05:00 +02002295 /* Check if no key usage flag implication is done */
Gilles Peskine449bd832023-01-11 14:50:10 +01002296 TEST_EQUAL(policy_usage,
2297 mbedtls_test_update_key_usage_flags(policy_usage));
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002298
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002299 /* Encrypt check, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002300 status = psa_cipher_encrypt(key, exercise_alg, input, input_buffer_size,
2301 output, output_buffer_size,
2302 &output_length);
2303 if (policy_alg == exercise_alg &&
2304 (policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) {
2305 PSA_ASSERT(status);
2306 } else {
2307 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2308 }
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002309
2310 /* Encrypt check, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002311 status = psa_cipher_encrypt_setup(&operation, key, exercise_alg);
2312 if (policy_alg == exercise_alg &&
2313 (policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) {
2314 PSA_ASSERT(status);
2315 } else {
2316 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2317 }
2318 psa_cipher_abort(&operation);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002319
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002320 /* Decrypt check, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002321 status = psa_cipher_decrypt(key, exercise_alg, output, output_buffer_size,
2322 input, input_buffer_size,
2323 &output_length);
2324 if (policy_alg == exercise_alg &&
2325 (policy_usage & PSA_KEY_USAGE_DECRYPT) != 0) {
2326 PSA_ASSERT(status);
2327 } else {
2328 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2329 }
Neil Armstrong78aeaf82022-02-07 14:50:35 +01002330
2331 /* Decrypt check, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002332 status = psa_cipher_decrypt_setup(&operation, key, exercise_alg);
2333 if (policy_alg == exercise_alg &&
2334 (policy_usage & PSA_KEY_USAGE_DECRYPT) != 0) {
2335 PSA_ASSERT(status);
2336 } else {
2337 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2338 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002339
2340exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002341 psa_cipher_abort(&operation);
2342 mbedtls_free(input);
2343 mbedtls_free(output);
2344 psa_destroy_key(key);
2345 PSA_DONE();
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002346}
2347/* END_CASE */
2348
2349/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002350void aead_key_policy(int policy_usage_arg,
2351 int policy_alg,
2352 int key_type,
2353 data_t *key_data,
2354 int nonce_length_arg,
2355 int tag_length_arg,
2356 int exercise_alg,
2357 int expected_status_arg)
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002358{
Ronald Cron5425a212020-08-04 14:58:35 +02002359 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002360 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Neil Armstrong752d8112022-02-07 14:51:11 +01002361 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002362 psa_key_usage_t policy_usage = policy_usage_arg;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002363 psa_status_t status;
Steven Cooremanb3ce8152021-02-18 12:03:50 +01002364 psa_status_t expected_status = expected_status_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01002365 unsigned char nonce[16] = { 0 };
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002366 size_t nonce_length = nonce_length_arg;
2367 unsigned char tag[16];
2368 size_t tag_length = tag_length_arg;
2369 size_t output_length;
2370
Gilles Peskine449bd832023-01-11 14:50:10 +01002371 TEST_LE_U(nonce_length, sizeof(nonce));
2372 TEST_LE_U(tag_length, sizeof(tag));
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002373
Gilles Peskine449bd832023-01-11 14:50:10 +01002374 PSA_ASSERT(psa_crypto_init());
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002375
Gilles Peskine449bd832023-01-11 14:50:10 +01002376 psa_set_key_usage_flags(&attributes, policy_usage);
2377 psa_set_key_algorithm(&attributes, policy_alg);
2378 psa_set_key_type(&attributes, key_type);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002379
Gilles Peskine449bd832023-01-11 14:50:10 +01002380 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2381 &key));
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002382
gabor-mezei-arm98a34352021-06-28 14:05:00 +02002383 /* Check if no key usage implication is done */
Gilles Peskine449bd832023-01-11 14:50:10 +01002384 TEST_EQUAL(policy_usage,
2385 mbedtls_test_update_key_usage_flags(policy_usage));
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002386
Neil Armstrong752d8112022-02-07 14:51:11 +01002387 /* Encrypt check, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002388 status = psa_aead_encrypt(key, exercise_alg,
2389 nonce, nonce_length,
2390 NULL, 0,
2391 NULL, 0,
2392 tag, tag_length,
2393 &output_length);
2394 if ((policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) {
2395 TEST_EQUAL(status, expected_status);
2396 } else {
2397 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2398 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002399
Neil Armstrong752d8112022-02-07 14:51:11 +01002400 /* Encrypt check, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002401 status = psa_aead_encrypt_setup(&operation, key, exercise_alg);
2402 if ((policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) {
2403 TEST_EQUAL(status, expected_status);
2404 } else {
2405 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2406 }
Neil Armstrong752d8112022-02-07 14:51:11 +01002407
2408 /* Decrypt check, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002409 memset(tag, 0, sizeof(tag));
2410 status = psa_aead_decrypt(key, exercise_alg,
2411 nonce, nonce_length,
2412 NULL, 0,
2413 tag, tag_length,
2414 NULL, 0,
2415 &output_length);
2416 if ((policy_usage & PSA_KEY_USAGE_DECRYPT) == 0) {
2417 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2418 } else if (expected_status == PSA_SUCCESS) {
2419 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE);
2420 } else {
2421 TEST_EQUAL(status, expected_status);
2422 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002423
Neil Armstrong752d8112022-02-07 14:51:11 +01002424 /* Decrypt check, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002425 PSA_ASSERT(psa_aead_abort(&operation));
2426 status = psa_aead_decrypt_setup(&operation, key, exercise_alg);
2427 if ((policy_usage & PSA_KEY_USAGE_DECRYPT) == 0) {
2428 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2429 } else {
2430 TEST_EQUAL(status, expected_status);
2431 }
Neil Armstrong752d8112022-02-07 14:51:11 +01002432
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002433exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002434 PSA_ASSERT(psa_aead_abort(&operation));
2435 psa_destroy_key(key);
2436 PSA_DONE();
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002437}
2438/* END_CASE */
2439
2440/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002441void asymmetric_encryption_key_policy(int policy_usage_arg,
2442 int policy_alg,
2443 int key_type,
2444 data_t *key_data,
Valerio Settif202c292024-01-15 10:42:37 +01002445 int exercise_alg,
2446 int use_opaque_key)
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002447{
Ronald Cron5425a212020-08-04 14:58:35 +02002448 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002449 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002450 psa_key_usage_t policy_usage = policy_usage_arg;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002451 psa_status_t status;
2452 size_t key_bits;
2453 size_t buffer_length;
2454 unsigned char *buffer = NULL;
2455 size_t output_length;
2456
Gilles Peskine449bd832023-01-11 14:50:10 +01002457 PSA_ASSERT(psa_crypto_init());
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002458
Gilles Peskine449bd832023-01-11 14:50:10 +01002459 psa_set_key_usage_flags(&attributes, policy_usage);
2460 psa_set_key_algorithm(&attributes, policy_alg);
2461 psa_set_key_type(&attributes, key_type);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002462
Valerio Settif202c292024-01-15 10:42:37 +01002463 if (use_opaque_key) {
2464 psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
2465 PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION));
2466 }
2467
Gilles Peskine449bd832023-01-11 14:50:10 +01002468 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2469 &key));
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002470
gabor-mezei-arm98a34352021-06-28 14:05:00 +02002471 /* Check if no key usage implication is done */
Gilles Peskine449bd832023-01-11 14:50:10 +01002472 TEST_EQUAL(policy_usage,
2473 mbedtls_test_update_key_usage_flags(policy_usage));
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002474
Gilles Peskine449bd832023-01-11 14:50:10 +01002475 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
2476 key_bits = psa_get_key_bits(&attributes);
2477 buffer_length = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits,
2478 exercise_alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01002479 TEST_CALLOC(buffer, buffer_length);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002480
Gilles Peskine449bd832023-01-11 14:50:10 +01002481 status = psa_asymmetric_encrypt(key, exercise_alg,
2482 NULL, 0,
2483 NULL, 0,
2484 buffer, buffer_length,
2485 &output_length);
2486 if (policy_alg == exercise_alg &&
2487 (policy_usage & PSA_KEY_USAGE_ENCRYPT) != 0) {
2488 PSA_ASSERT(status);
2489 } else {
2490 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2491 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002492
Gilles Peskine449bd832023-01-11 14:50:10 +01002493 if (buffer_length != 0) {
2494 memset(buffer, 0, buffer_length);
2495 }
2496 status = psa_asymmetric_decrypt(key, exercise_alg,
2497 buffer, buffer_length,
2498 NULL, 0,
2499 buffer, buffer_length,
2500 &output_length);
2501 if (policy_alg == exercise_alg &&
2502 (policy_usage & PSA_KEY_USAGE_DECRYPT) != 0) {
2503 TEST_EQUAL(status, PSA_ERROR_INVALID_PADDING);
2504 } else {
2505 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2506 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002507
2508exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002509 /*
2510 * Key attributes may have been returned by psa_get_key_attributes()
2511 * thus reset them as required.
2512 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002513 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002514
Gilles Peskine449bd832023-01-11 14:50:10 +01002515 psa_destroy_key(key);
2516 PSA_DONE();
2517 mbedtls_free(buffer);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002518}
2519/* END_CASE */
2520
2521/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002522void asymmetric_signature_key_policy(int policy_usage_arg,
2523 int policy_alg,
2524 int key_type,
2525 data_t *key_data,
2526 int exercise_alg,
2527 int payload_length_arg,
2528 int expected_usage_arg)
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002529{
Ronald Cron5425a212020-08-04 14:58:35 +02002530 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002531 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002532 psa_key_usage_t policy_usage = policy_usage_arg;
2533 psa_key_usage_t expected_usage = expected_usage_arg;
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002534 psa_status_t status;
Gilles Peskine449bd832023-01-11 14:50:10 +01002535 unsigned char payload[PSA_HASH_MAX_SIZE] = { 1 };
Gilles Peskine30f77cd2019-01-14 16:06:39 +01002536 /* If `payload_length_arg > 0`, `exercise_alg` is supposed to be
2537 * compatible with the policy and `payload_length_arg` is supposed to be
2538 * a valid input length to sign. If `payload_length_arg <= 0`,
2539 * `exercise_alg` is supposed to be forbidden by the policy. */
2540 int compatible_alg = payload_length_arg > 0;
2541 size_t payload_length = compatible_alg ? payload_length_arg : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01002542 unsigned char signature[PSA_SIGNATURE_MAX_SIZE] = { 0 };
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002543 size_t signature_length;
2544
gabor-mezei-arm98a34352021-06-28 14:05:00 +02002545 /* Check if all implicit usage flags are deployed
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002546 in the expected usage flags. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002547 TEST_EQUAL(expected_usage,
2548 mbedtls_test_update_key_usage_flags(policy_usage));
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002549
Gilles Peskine449bd832023-01-11 14:50:10 +01002550 PSA_ASSERT(psa_crypto_init());
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002551
Gilles Peskine449bd832023-01-11 14:50:10 +01002552 psa_set_key_usage_flags(&attributes, policy_usage);
2553 psa_set_key_algorithm(&attributes, policy_alg);
2554 psa_set_key_type(&attributes, key_type);
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002555
Gilles Peskine449bd832023-01-11 14:50:10 +01002556 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2557 &key));
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002558
Gilles Peskine449bd832023-01-11 14:50:10 +01002559 TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage);
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002560
Gilles Peskine449bd832023-01-11 14:50:10 +01002561 status = psa_sign_hash(key, exercise_alg,
2562 payload, payload_length,
2563 signature, sizeof(signature),
2564 &signature_length);
2565 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_SIGN_HASH) != 0) {
2566 PSA_ASSERT(status);
2567 } else {
2568 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2569 }
Gilles Peskine76f5c7b2018-07-06 16:53:09 +02002570
Gilles Peskine449bd832023-01-11 14:50:10 +01002571 memset(signature, 0, sizeof(signature));
2572 status = psa_verify_hash(key, exercise_alg,
2573 payload, payload_length,
2574 signature, sizeof(signature));
2575 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) != 0) {
2576 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE);
2577 } else {
2578 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2579 }
Gilles Peskined5b33222018-06-18 22:20:03 +02002580
Gilles Peskine449bd832023-01-11 14:50:10 +01002581 if (PSA_ALG_IS_SIGN_HASH(exercise_alg) &&
2582 PSA_ALG_IS_HASH(PSA_ALG_SIGN_GET_HASH(exercise_alg))) {
2583 status = psa_sign_message(key, exercise_alg,
2584 payload, payload_length,
2585 signature, sizeof(signature),
2586 &signature_length);
2587 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_SIGN_MESSAGE) != 0) {
2588 PSA_ASSERT(status);
2589 } else {
2590 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2591 }
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002592
Gilles Peskine449bd832023-01-11 14:50:10 +01002593 memset(signature, 0, sizeof(signature));
2594 status = psa_verify_message(key, exercise_alg,
2595 payload, payload_length,
2596 signature, sizeof(signature));
2597 if (compatible_alg && (expected_usage & PSA_KEY_USAGE_VERIFY_MESSAGE) != 0) {
2598 TEST_EQUAL(status, PSA_ERROR_INVALID_SIGNATURE);
2599 } else {
2600 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2601 }
gabor-mezei-armedf2df82021-05-13 16:17:16 +02002602 }
2603
Gilles Peskined5b33222018-06-18 22:20:03 +02002604exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002605 psa_destroy_key(key);
2606 PSA_DONE();
Gilles Peskined5b33222018-06-18 22:20:03 +02002607}
2608/* END_CASE */
2609
Janos Follathba3fab92019-06-11 14:50:16 +01002610/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002611void derive_key_policy(int policy_usage,
2612 int policy_alg,
2613 int key_type,
2614 data_t *key_data,
2615 int exercise_alg)
Gilles Peskineea0fb492018-07-12 17:17:20 +02002616{
Ronald Cron5425a212020-08-04 14:58:35 +02002617 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002618 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02002619 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineea0fb492018-07-12 17:17:20 +02002620 psa_status_t status;
2621
Gilles Peskine449bd832023-01-11 14:50:10 +01002622 PSA_ASSERT(psa_crypto_init());
Gilles Peskineea0fb492018-07-12 17:17:20 +02002623
Gilles Peskine449bd832023-01-11 14:50:10 +01002624 psa_set_key_usage_flags(&attributes, policy_usage);
2625 psa_set_key_algorithm(&attributes, policy_alg);
2626 psa_set_key_type(&attributes, key_type);
Gilles Peskineea0fb492018-07-12 17:17:20 +02002627
Gilles Peskine449bd832023-01-11 14:50:10 +01002628 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2629 &key));
Gilles Peskineea0fb492018-07-12 17:17:20 +02002630
Gilles Peskine449bd832023-01-11 14:50:10 +01002631 PSA_ASSERT(psa_key_derivation_setup(&operation, exercise_alg));
Janos Follathba3fab92019-06-11 14:50:16 +01002632
Gilles Peskine449bd832023-01-11 14:50:10 +01002633 if (PSA_ALG_IS_TLS12_PRF(exercise_alg) ||
2634 PSA_ALG_IS_TLS12_PSK_TO_MS(exercise_alg)) {
2635 PSA_ASSERT(psa_key_derivation_input_bytes(
2636 &operation,
2637 PSA_KEY_DERIVATION_INPUT_SEED,
2638 (const uint8_t *) "", 0));
Janos Follath0c1ed842019-06-28 13:35:36 +01002639 }
Janos Follathba3fab92019-06-11 14:50:16 +01002640
Gilles Peskine449bd832023-01-11 14:50:10 +01002641 status = psa_key_derivation_input_key(&operation,
2642 PSA_KEY_DERIVATION_INPUT_SECRET,
2643 key);
Janos Follathba3fab92019-06-11 14:50:16 +01002644
Gilles Peskine449bd832023-01-11 14:50:10 +01002645 if (policy_alg == exercise_alg &&
2646 (policy_usage & PSA_KEY_USAGE_DERIVE) != 0) {
2647 PSA_ASSERT(status);
2648 } else {
2649 TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
2650 }
Gilles Peskineea0fb492018-07-12 17:17:20 +02002651
2652exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002653 psa_key_derivation_abort(&operation);
2654 psa_destroy_key(key);
2655 PSA_DONE();
Gilles Peskineea0fb492018-07-12 17:17:20 +02002656}
2657/* END_CASE */
2658
2659/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002660void agreement_key_policy(int policy_usage,
2661 int policy_alg,
2662 int key_type_arg,
2663 data_t *key_data,
2664 int exercise_alg,
2665 int expected_status_arg)
Gilles Peskine01d718c2018-09-18 12:01:02 +02002666{
Ronald Cron5425a212020-08-04 14:58:35 +02002667 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002668 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine01d718c2018-09-18 12:01:02 +02002669 psa_key_type_t key_type = key_type_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02002670 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskine01d718c2018-09-18 12:01:02 +02002671 psa_status_t status;
Steven Cooremance48e852020-10-05 16:02:45 +02002672 psa_status_t expected_status = expected_status_arg;
Gilles Peskine01d718c2018-09-18 12:01:02 +02002673
Gilles Peskine449bd832023-01-11 14:50:10 +01002674 PSA_ASSERT(psa_crypto_init());
Gilles Peskine01d718c2018-09-18 12:01:02 +02002675
Gilles Peskine449bd832023-01-11 14:50:10 +01002676 psa_set_key_usage_flags(&attributes, policy_usage);
2677 psa_set_key_algorithm(&attributes, policy_alg);
2678 psa_set_key_type(&attributes, key_type);
Gilles Peskine01d718c2018-09-18 12:01:02 +02002679
Gilles Peskine449bd832023-01-11 14:50:10 +01002680 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2681 &key));
Gilles Peskine01d718c2018-09-18 12:01:02 +02002682
Gilles Peskine449bd832023-01-11 14:50:10 +01002683 PSA_ASSERT(psa_key_derivation_setup(&operation, exercise_alg));
Ryan Everett73e4ea32024-03-12 16:29:55 +00002684 status = mbedtls_test_psa_key_agreement_with_self(&operation, key, 0);
Gilles Peskine01d718c2018-09-18 12:01:02 +02002685
Gilles Peskine449bd832023-01-11 14:50:10 +01002686 TEST_EQUAL(status, expected_status);
Gilles Peskine01d718c2018-09-18 12:01:02 +02002687
2688exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002689 psa_key_derivation_abort(&operation);
2690 psa_destroy_key(key);
2691 PSA_DONE();
Gilles Peskine01d718c2018-09-18 12:01:02 +02002692}
2693/* END_CASE */
2694
2695/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002696void key_policy_alg2(int key_type_arg, data_t *key_data,
2697 int usage_arg, int alg_arg, int alg2_arg)
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002698{
Ronald Cron5425a212020-08-04 14:58:35 +02002699 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002700 psa_key_type_t key_type = key_type_arg;
2701 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
2702 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
2703 psa_key_usage_t usage = usage_arg;
2704 psa_algorithm_t alg = alg_arg;
2705 psa_algorithm_t alg2 = alg2_arg;
2706
Gilles Peskine449bd832023-01-11 14:50:10 +01002707 PSA_ASSERT(psa_crypto_init());
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002708
Gilles Peskine449bd832023-01-11 14:50:10 +01002709 psa_set_key_usage_flags(&attributes, usage);
2710 psa_set_key_algorithm(&attributes, alg);
2711 psa_set_key_enrollment_algorithm(&attributes, alg2);
2712 psa_set_key_type(&attributes, key_type);
2713 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2714 &key));
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002715
gabor-mezei-arm98a34352021-06-28 14:05:00 +02002716 /* Update the usage flags to obtain implicit usage flags */
Gilles Peskine449bd832023-01-11 14:50:10 +01002717 usage = mbedtls_test_update_key_usage_flags(usage);
2718 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
2719 TEST_EQUAL(psa_get_key_usage_flags(&got_attributes), usage);
2720 TEST_EQUAL(psa_get_key_algorithm(&got_attributes), alg);
2721 TEST_EQUAL(psa_get_key_enrollment_algorithm(&got_attributes), alg2);
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002722
Ryan Everett0a271fd2024-03-12 16:34:02 +00002723 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002724 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01002725 }
Ryan Everett0a271fd2024-03-12 16:34:02 +00002726 if (!mbedtls_test_psa_exercise_key(key, usage, alg2, 0)) {
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002727 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01002728 }
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002729
2730exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002731 /*
2732 * Key attributes may have been returned by psa_get_key_attributes()
2733 * thus reset them as required.
2734 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002735 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002736
Gilles Peskine449bd832023-01-11 14:50:10 +01002737 psa_destroy_key(key);
2738 PSA_DONE();
Gilles Peskine96f0b3b2019-05-10 19:33:38 +02002739}
2740/* END_CASE */
2741
2742/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002743void raw_agreement_key_policy(int policy_usage,
2744 int policy_alg,
2745 int key_type_arg,
2746 data_t *key_data,
2747 int exercise_alg,
2748 int expected_status_arg)
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002749{
Ronald Cron5425a212020-08-04 14:58:35 +02002750 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02002751 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002752 psa_key_type_t key_type = key_type_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02002753 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002754 psa_status_t status;
Steven Cooremance48e852020-10-05 16:02:45 +02002755 psa_status_t expected_status = expected_status_arg;
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002756
Gilles Peskine449bd832023-01-11 14:50:10 +01002757 PSA_ASSERT(psa_crypto_init());
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002758
Gilles Peskine449bd832023-01-11 14:50:10 +01002759 psa_set_key_usage_flags(&attributes, policy_usage);
2760 psa_set_key_algorithm(&attributes, policy_alg);
2761 psa_set_key_type(&attributes, key_type);
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002762
Gilles Peskine449bd832023-01-11 14:50:10 +01002763 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
2764 &key));
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002765
Ryan Everett81630282024-03-12 16:21:12 +00002766 status = mbedtls_test_psa_raw_key_agreement_with_self(exercise_alg, key, 0);
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002767
Gilles Peskine449bd832023-01-11 14:50:10 +01002768 TEST_EQUAL(status, expected_status);
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002769
2770exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002771 psa_key_derivation_abort(&operation);
2772 psa_destroy_key(key);
2773 PSA_DONE();
Gilles Peskine04ee2d22019-04-11 21:25:46 +02002774}
2775/* END_CASE */
2776
2777/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002778void copy_success(int source_usage_arg,
2779 int source_alg_arg, int source_alg2_arg,
Gilles Peskine4ea4ad02022-12-04 15:11:00 +01002780 int source_lifetime_arg,
Gilles Peskine449bd832023-01-11 14:50:10 +01002781 int type_arg, data_t *material,
2782 int copy_attributes,
2783 int target_usage_arg,
2784 int target_alg_arg, int target_alg2_arg,
Gilles Peskine4ea4ad02022-12-04 15:11:00 +01002785 int target_lifetime_arg,
Gilles Peskine449bd832023-01-11 14:50:10 +01002786 int expected_usage_arg,
2787 int expected_alg_arg, int expected_alg2_arg)
Gilles Peskine57ab7212019-01-28 13:03:09 +01002788{
Gilles Peskineca25db92019-04-19 11:43:08 +02002789 psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT;
2790 psa_key_attributes_t target_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine57ab7212019-01-28 13:03:09 +01002791 psa_key_usage_t expected_usage = expected_usage_arg;
2792 psa_algorithm_t expected_alg = expected_alg_arg;
Gilles Peskinebcdd44b2019-05-20 17:28:11 +02002793 psa_algorithm_t expected_alg2 = expected_alg2_arg;
Archana8a180362021-07-05 02:18:48 +05302794 psa_key_lifetime_t source_lifetime = source_lifetime_arg;
2795 psa_key_lifetime_t target_lifetime = target_lifetime_arg;
Ronald Cron5425a212020-08-04 14:58:35 +02002796 mbedtls_svc_key_id_t source_key = MBEDTLS_SVC_KEY_ID_INIT;
2797 mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine57ab7212019-01-28 13:03:09 +01002798 uint8_t *export_buffer = NULL;
2799
Gilles Peskine449bd832023-01-11 14:50:10 +01002800 PSA_ASSERT(psa_crypto_init());
Gilles Peskine57ab7212019-01-28 13:03:09 +01002801
Gilles Peskineca25db92019-04-19 11:43:08 +02002802 /* Prepare the source key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002803 psa_set_key_usage_flags(&source_attributes, source_usage_arg);
2804 psa_set_key_algorithm(&source_attributes, source_alg_arg);
2805 psa_set_key_enrollment_algorithm(&source_attributes, source_alg2_arg);
2806 psa_set_key_type(&source_attributes, type_arg);
2807 psa_set_key_lifetime(&source_attributes, source_lifetime);
2808 PSA_ASSERT(psa_import_key(&source_attributes,
2809 material->x, material->len,
2810 &source_key));
2811 PSA_ASSERT(psa_get_key_attributes(source_key, &source_attributes));
Gilles Peskine57ab7212019-01-28 13:03:09 +01002812
Gilles Peskineca25db92019-04-19 11:43:08 +02002813 /* Prepare the target attributes. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002814 if (copy_attributes) {
Gilles Peskineca25db92019-04-19 11:43:08 +02002815 target_attributes = source_attributes;
Ronald Cron65f38a32020-10-23 17:11:13 +02002816 }
Gilles Peskine449bd832023-01-11 14:50:10 +01002817 psa_set_key_lifetime(&target_attributes, target_lifetime);
Ronald Cron65f38a32020-10-23 17:11:13 +02002818
Gilles Peskine449bd832023-01-11 14:50:10 +01002819 if (target_usage_arg != -1) {
2820 psa_set_key_usage_flags(&target_attributes, target_usage_arg);
2821 }
2822 if (target_alg_arg != -1) {
2823 psa_set_key_algorithm(&target_attributes, target_alg_arg);
2824 }
2825 if (target_alg2_arg != -1) {
2826 psa_set_key_enrollment_algorithm(&target_attributes, target_alg2_arg);
2827 }
Gilles Peskine57ab7212019-01-28 13:03:09 +01002828
Archana8a180362021-07-05 02:18:48 +05302829
Gilles Peskine57ab7212019-01-28 13:03:09 +01002830 /* Copy the key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002831 PSA_ASSERT(psa_copy_key(source_key,
2832 &target_attributes, &target_key));
Gilles Peskine57ab7212019-01-28 13:03:09 +01002833
2834 /* Destroy the source to ensure that this doesn't affect the target. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002835 PSA_ASSERT(psa_destroy_key(source_key));
Gilles Peskine57ab7212019-01-28 13:03:09 +01002836
2837 /* Test that the target slot has the expected content and policy. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002838 PSA_ASSERT(psa_get_key_attributes(target_key, &target_attributes));
2839 TEST_EQUAL(psa_get_key_type(&source_attributes),
2840 psa_get_key_type(&target_attributes));
2841 TEST_EQUAL(psa_get_key_bits(&source_attributes),
2842 psa_get_key_bits(&target_attributes));
2843 TEST_EQUAL(expected_usage, psa_get_key_usage_flags(&target_attributes));
2844 TEST_EQUAL(expected_alg, psa_get_key_algorithm(&target_attributes));
2845 TEST_EQUAL(expected_alg2,
2846 psa_get_key_enrollment_algorithm(&target_attributes));
2847 if (expected_usage & PSA_KEY_USAGE_EXPORT) {
Gilles Peskine57ab7212019-01-28 13:03:09 +01002848 size_t length;
Tom Cosgrove05b2a872023-07-21 11:31:13 +01002849 TEST_CALLOC(export_buffer, material->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01002850 PSA_ASSERT(psa_export_key(target_key, export_buffer,
2851 material->len, &length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01002852 TEST_MEMORY_COMPARE(material->x, material->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01002853 export_buffer, length);
Gilles Peskine57ab7212019-01-28 13:03:09 +01002854 }
Steven Cooremanb3ce8152021-02-18 12:03:50 +01002855
Gilles Peskine449bd832023-01-11 14:50:10 +01002856 if (!psa_key_lifetime_is_external(target_lifetime)) {
Ryan Everett0a271fd2024-03-12 16:34:02 +00002857 if (!mbedtls_test_psa_exercise_key(target_key, expected_usage, expected_alg, 0)) {
Archana8a180362021-07-05 02:18:48 +05302858 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01002859 }
Ryan Everett0a271fd2024-03-12 16:34:02 +00002860 if (!mbedtls_test_psa_exercise_key(target_key, expected_usage, expected_alg2, 0)) {
Archana8a180362021-07-05 02:18:48 +05302861 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01002862 }
Archana8a180362021-07-05 02:18:48 +05302863 }
Gilles Peskine57ab7212019-01-28 13:03:09 +01002864
Gilles Peskine449bd832023-01-11 14:50:10 +01002865 PSA_ASSERT(psa_destroy_key(target_key));
Gilles Peskine57ab7212019-01-28 13:03:09 +01002866
2867exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002868 /*
2869 * Source and target key attributes may have been returned by
2870 * psa_get_key_attributes() thus reset them as required.
2871 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002872 psa_reset_key_attributes(&source_attributes);
2873 psa_reset_key_attributes(&target_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01002874
Gilles Peskine449bd832023-01-11 14:50:10 +01002875 PSA_DONE();
2876 mbedtls_free(export_buffer);
Gilles Peskine57ab7212019-01-28 13:03:09 +01002877}
2878/* END_CASE */
2879
2880/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002881void copy_fail(int source_usage_arg,
2882 int source_alg_arg, int source_alg2_arg,
2883 int source_lifetime_arg,
2884 int type_arg, data_t *material,
2885 int target_type_arg, int target_bits_arg,
2886 int target_usage_arg,
2887 int target_alg_arg, int target_alg2_arg,
2888 int target_id_arg, int target_lifetime_arg,
2889 int expected_status_arg)
Gilles Peskine4a644642019-05-03 17:14:08 +02002890{
2891 psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT;
2892 psa_key_attributes_t target_attributes = PSA_KEY_ATTRIBUTES_INIT;
Ronald Cron5425a212020-08-04 14:58:35 +02002893 mbedtls_svc_key_id_t source_key = MBEDTLS_SVC_KEY_ID_INIT;
2894 mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +01002895 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, target_id_arg);
Gilles Peskine4a644642019-05-03 17:14:08 +02002896
Gilles Peskine449bd832023-01-11 14:50:10 +01002897 PSA_ASSERT(psa_crypto_init());
Gilles Peskine4a644642019-05-03 17:14:08 +02002898
2899 /* Prepare the source key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002900 psa_set_key_usage_flags(&source_attributes, source_usage_arg);
2901 psa_set_key_algorithm(&source_attributes, source_alg_arg);
2902 psa_set_key_enrollment_algorithm(&source_attributes, source_alg2_arg);
2903 psa_set_key_type(&source_attributes, type_arg);
2904 psa_set_key_lifetime(&source_attributes, source_lifetime_arg);
2905 PSA_ASSERT(psa_import_key(&source_attributes,
2906 material->x, material->len,
2907 &source_key));
Gilles Peskine4a644642019-05-03 17:14:08 +02002908
2909 /* Prepare the target attributes. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002910 psa_set_key_id(&target_attributes, key_id);
2911 psa_set_key_lifetime(&target_attributes, target_lifetime_arg);
2912 psa_set_key_type(&target_attributes, target_type_arg);
2913 psa_set_key_bits(&target_attributes, target_bits_arg);
2914 psa_set_key_usage_flags(&target_attributes, target_usage_arg);
2915 psa_set_key_algorithm(&target_attributes, target_alg_arg);
2916 psa_set_key_enrollment_algorithm(&target_attributes, target_alg2_arg);
Gilles Peskine4a644642019-05-03 17:14:08 +02002917
2918 /* Try to copy the key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002919 TEST_EQUAL(psa_copy_key(source_key,
2920 &target_attributes, &target_key),
2921 expected_status_arg);
Gilles Peskine76b29a72019-05-28 14:08:50 +02002922
Gilles Peskine449bd832023-01-11 14:50:10 +01002923 PSA_ASSERT(psa_destroy_key(source_key));
Gilles Peskine76b29a72019-05-28 14:08:50 +02002924
Gilles Peskine4a644642019-05-03 17:14:08 +02002925exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01002926 psa_reset_key_attributes(&source_attributes);
2927 psa_reset_key_attributes(&target_attributes);
2928 PSA_DONE();
Gilles Peskine4a644642019-05-03 17:14:08 +02002929}
2930/* END_CASE */
2931
2932/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002933void hash_operation_init()
Jaeden Amero6a25b412019-01-04 11:47:44 +00002934{
Jaeden Ameroa0f625a2019-02-15 13:52:25 +00002935 const uint8_t input[1] = { 0 };
Jaeden Amero6a25b412019-01-04 11:47:44 +00002936 /* Test each valid way of initializing the object, except for `= {0}`, as
2937 * Clang 5 complains when `-Wmissing-field-initializers` is used, even
2938 * though it's OK by the C standard. We could test for this, but we'd need
Shaun Case8b0ecbc2021-12-20 21:14:10 -08002939 * to suppress the Clang warning for the test. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002940 psa_hash_operation_t func = psa_hash_operation_init();
Jaeden Amero6a25b412019-01-04 11:47:44 +00002941 psa_hash_operation_t init = PSA_HASH_OPERATION_INIT;
2942 psa_hash_operation_t zero;
2943
Gilles Peskine449bd832023-01-11 14:50:10 +01002944 memset(&zero, 0, sizeof(zero));
Jaeden Amero6a25b412019-01-04 11:47:44 +00002945
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00002946 /* A freshly-initialized hash operation should not be usable. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002947 TEST_EQUAL(psa_hash_update(&func, input, sizeof(input)),
2948 PSA_ERROR_BAD_STATE);
2949 TEST_EQUAL(psa_hash_update(&init, input, sizeof(input)),
2950 PSA_ERROR_BAD_STATE);
2951 TEST_EQUAL(psa_hash_update(&zero, input, sizeof(input)),
2952 PSA_ERROR_BAD_STATE);
Jaeden Ameroa0f625a2019-02-15 13:52:25 +00002953
Jaeden Amero5229bbb2019-02-07 16:33:37 +00002954 /* A default hash operation should be abortable without error. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002955 PSA_ASSERT(psa_hash_abort(&func));
2956 PSA_ASSERT(psa_hash_abort(&init));
2957 PSA_ASSERT(psa_hash_abort(&zero));
Jaeden Amero6a25b412019-01-04 11:47:44 +00002958}
2959/* END_CASE */
2960
2961/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01002962void hash_setup(int alg_arg,
2963 int expected_status_arg)
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002964{
2965 psa_algorithm_t alg = alg_arg;
Neil Armstrongedb20862022-02-07 15:47:44 +01002966 uint8_t *output = NULL;
2967 size_t output_size = 0;
2968 size_t output_length = 0;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02002969 psa_status_t expected_status = expected_status_arg;
Jaeden Amero6a25b412019-01-04 11:47:44 +00002970 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002971 psa_status_t status;
2972
Gilles Peskine449bd832023-01-11 14:50:10 +01002973 PSA_ASSERT(psa_crypto_init());
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002974
Neil Armstrongedb20862022-02-07 15:47:44 +01002975 /* Hash Setup, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01002976 output_size = PSA_HASH_LENGTH(alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01002977 TEST_CALLOC(output, output_size);
Neil Armstrongedb20862022-02-07 15:47:44 +01002978
Gilles Peskine449bd832023-01-11 14:50:10 +01002979 status = psa_hash_compute(alg, NULL, 0,
2980 output, output_size, &output_length);
2981 TEST_EQUAL(status, expected_status);
Neil Armstrongedb20862022-02-07 15:47:44 +01002982
2983 /* Hash Setup, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01002984 status = psa_hash_setup(&operation, alg);
2985 TEST_EQUAL(status, expected_status);
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002986
Gilles Peskine9e0a4a52019-02-25 22:11:18 +01002987 /* Whether setup succeeded or failed, abort must succeed. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002988 PSA_ASSERT(psa_hash_abort(&operation));
Gilles Peskine9e0a4a52019-02-25 22:11:18 +01002989
2990 /* If setup failed, reproduce the failure, so as to
2991 * test the resulting state of the operation object. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002992 if (status != PSA_SUCCESS) {
2993 TEST_EQUAL(psa_hash_setup(&operation, alg), status);
2994 }
Gilles Peskine9e0a4a52019-02-25 22:11:18 +01002995
Gilles Peskinef426e0f2019-02-25 17:42:03 +01002996 /* Now the operation object should be reusable. */
2997#if defined(KNOWN_SUPPORTED_HASH_ALG)
Gilles Peskine449bd832023-01-11 14:50:10 +01002998 PSA_ASSERT(psa_hash_setup(&operation, KNOWN_SUPPORTED_HASH_ALG));
2999 PSA_ASSERT(psa_hash_abort(&operation));
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003000#endif
3001
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003002exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003003 mbedtls_free(output);
3004 PSA_DONE();
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003005}
3006/* END_CASE */
3007
3008/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003009void hash_compute_fail(int alg_arg, data_t *input,
3010 int output_size_arg, int expected_status_arg)
Gilles Peskine0a749c82019-11-28 19:33:58 +01003011{
3012 psa_algorithm_t alg = alg_arg;
3013 uint8_t *output = NULL;
3014 size_t output_size = output_size_arg;
3015 size_t output_length = INVALID_EXPORT_LENGTH;
Neil Armstrong161ec5c2022-02-07 11:18:45 +01003016 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
Gilles Peskine0a749c82019-11-28 19:33:58 +01003017 psa_status_t expected_status = expected_status_arg;
3018 psa_status_t status;
3019
Tom Cosgrove05b2a872023-07-21 11:31:13 +01003020 TEST_CALLOC(output, output_size);
Gilles Peskine0a749c82019-11-28 19:33:58 +01003021
Gilles Peskine449bd832023-01-11 14:50:10 +01003022 PSA_ASSERT(psa_crypto_init());
Gilles Peskine0a749c82019-11-28 19:33:58 +01003023
Neil Armstrong161ec5c2022-02-07 11:18:45 +01003024 /* Hash Compute, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003025 status = psa_hash_compute(alg, input->x, input->len,
3026 output, output_size, &output_length);
3027 TEST_EQUAL(status, expected_status);
3028 TEST_LE_U(output_length, output_size);
Gilles Peskine0a749c82019-11-28 19:33:58 +01003029
Neil Armstrong161ec5c2022-02-07 11:18:45 +01003030 /* Hash Compute, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003031 status = psa_hash_setup(&operation, alg);
3032 if (status == PSA_SUCCESS) {
3033 status = psa_hash_update(&operation, input->x, input->len);
3034 if (status == PSA_SUCCESS) {
3035 status = psa_hash_finish(&operation, output, output_size,
3036 &output_length);
3037 if (status == PSA_SUCCESS) {
3038 TEST_LE_U(output_length, output_size);
3039 } else {
3040 TEST_EQUAL(status, expected_status);
3041 }
3042 } else {
3043 TEST_EQUAL(status, expected_status);
Neil Armstrong161ec5c2022-02-07 11:18:45 +01003044 }
Gilles Peskine449bd832023-01-11 14:50:10 +01003045 } else {
3046 TEST_EQUAL(status, expected_status);
Neil Armstrong161ec5c2022-02-07 11:18:45 +01003047 }
3048
Gilles Peskine0a749c82019-11-28 19:33:58 +01003049exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003050 PSA_ASSERT(psa_hash_abort(&operation));
3051 mbedtls_free(output);
3052 PSA_DONE();
Gilles Peskine0a749c82019-11-28 19:33:58 +01003053}
3054/* END_CASE */
3055
3056/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003057void hash_compare_fail(int alg_arg, data_t *input,
3058 data_t *reference_hash,
3059 int expected_status_arg)
Gilles Peskine88e08462020-01-28 20:43:00 +01003060{
3061 psa_algorithm_t alg = alg_arg;
3062 psa_status_t expected_status = expected_status_arg;
Neil Armstrong55a1be12022-02-07 11:23:20 +01003063 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
Gilles Peskine88e08462020-01-28 20:43:00 +01003064 psa_status_t status;
3065
Gilles Peskine449bd832023-01-11 14:50:10 +01003066 PSA_ASSERT(psa_crypto_init());
Gilles Peskine88e08462020-01-28 20:43:00 +01003067
Neil Armstrong55a1be12022-02-07 11:23:20 +01003068 /* Hash Compare, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003069 status = psa_hash_compare(alg, input->x, input->len,
3070 reference_hash->x, reference_hash->len);
3071 TEST_EQUAL(status, expected_status);
Gilles Peskine88e08462020-01-28 20:43:00 +01003072
Neil Armstrong55a1be12022-02-07 11:23:20 +01003073 /* Hash Compare, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003074 status = psa_hash_setup(&operation, alg);
3075 if (status == PSA_SUCCESS) {
3076 status = psa_hash_update(&operation, input->x, input->len);
3077 if (status == PSA_SUCCESS) {
3078 status = psa_hash_verify(&operation, reference_hash->x,
3079 reference_hash->len);
3080 TEST_EQUAL(status, expected_status);
3081 } else {
3082 TEST_EQUAL(status, expected_status);
Neil Armstrong55a1be12022-02-07 11:23:20 +01003083 }
Gilles Peskine449bd832023-01-11 14:50:10 +01003084 } else {
3085 TEST_EQUAL(status, expected_status);
Neil Armstrong55a1be12022-02-07 11:23:20 +01003086 }
3087
Gilles Peskine88e08462020-01-28 20:43:00 +01003088exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003089 PSA_ASSERT(psa_hash_abort(&operation));
3090 PSA_DONE();
Gilles Peskine88e08462020-01-28 20:43:00 +01003091}
3092/* END_CASE */
3093
3094/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003095void hash_compute_compare(int alg_arg, data_t *input,
3096 data_t *expected_output)
Gilles Peskine0a749c82019-11-28 19:33:58 +01003097{
3098 psa_algorithm_t alg = alg_arg;
3099 uint8_t output[PSA_HASH_MAX_SIZE + 1];
3100 size_t output_length = INVALID_EXPORT_LENGTH;
Neil Armstrongca30a002022-02-07 11:40:23 +01003101 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
Gilles Peskine0a749c82019-11-28 19:33:58 +01003102 size_t i;
3103
Gilles Peskine449bd832023-01-11 14:50:10 +01003104 PSA_ASSERT(psa_crypto_init());
Gilles Peskine0a749c82019-11-28 19:33:58 +01003105
Neil Armstrongca30a002022-02-07 11:40:23 +01003106 /* Compute with tight buffer, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003107 PSA_ASSERT(psa_hash_compute(alg, input->x, input->len,
3108 output, PSA_HASH_LENGTH(alg),
3109 &output_length));
3110 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01003111 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01003112 expected_output->x, expected_output->len);
Gilles Peskine0a749c82019-11-28 19:33:58 +01003113
Neil Armstrongca30a002022-02-07 11:40:23 +01003114 /* Compute with tight buffer, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003115 PSA_ASSERT(psa_hash_setup(&operation, alg));
3116 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
3117 PSA_ASSERT(psa_hash_finish(&operation, output,
3118 PSA_HASH_LENGTH(alg),
3119 &output_length));
3120 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01003121 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01003122 expected_output->x, expected_output->len);
Neil Armstrongca30a002022-02-07 11:40:23 +01003123
3124 /* Compute with larger buffer, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003125 PSA_ASSERT(psa_hash_compute(alg, input->x, input->len,
3126 output, sizeof(output),
3127 &output_length));
3128 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01003129 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01003130 expected_output->x, expected_output->len);
Gilles Peskine0a749c82019-11-28 19:33:58 +01003131
Neil Armstrongca30a002022-02-07 11:40:23 +01003132 /* Compute with larger buffer, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003133 PSA_ASSERT(psa_hash_setup(&operation, alg));
3134 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
3135 PSA_ASSERT(psa_hash_finish(&operation, output,
3136 sizeof(output), &output_length));
3137 TEST_EQUAL(output_length, PSA_HASH_LENGTH(alg));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01003138 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01003139 expected_output->x, expected_output->len);
Neil Armstrongca30a002022-02-07 11:40:23 +01003140
3141 /* Compare with correct hash, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003142 PSA_ASSERT(psa_hash_compare(alg, input->x, input->len,
3143 output, output_length));
Gilles Peskine0a749c82019-11-28 19:33:58 +01003144
Neil Armstrongca30a002022-02-07 11:40:23 +01003145 /* Compare with correct hash, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003146 PSA_ASSERT(psa_hash_setup(&operation, alg));
3147 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
3148 PSA_ASSERT(psa_hash_verify(&operation, output,
3149 output_length));
Neil Armstrongca30a002022-02-07 11:40:23 +01003150
3151 /* Compare with trailing garbage, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003152 TEST_EQUAL(psa_hash_compare(alg, input->x, input->len,
3153 output, output_length + 1),
3154 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine0a749c82019-11-28 19:33:58 +01003155
Neil Armstrongca30a002022-02-07 11:40:23 +01003156 /* Compare with trailing garbage, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003157 PSA_ASSERT(psa_hash_setup(&operation, alg));
3158 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
3159 TEST_EQUAL(psa_hash_verify(&operation, output, output_length + 1),
3160 PSA_ERROR_INVALID_SIGNATURE);
Neil Armstrongca30a002022-02-07 11:40:23 +01003161
3162 /* Compare with truncated hash, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003163 TEST_EQUAL(psa_hash_compare(alg, input->x, input->len,
3164 output, output_length - 1),
3165 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine0a749c82019-11-28 19:33:58 +01003166
Neil Armstrongca30a002022-02-07 11:40:23 +01003167 /* Compare with truncated hash, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003168 PSA_ASSERT(psa_hash_setup(&operation, alg));
3169 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
3170 TEST_EQUAL(psa_hash_verify(&operation, output, output_length - 1),
3171 PSA_ERROR_INVALID_SIGNATURE);
Neil Armstrongca30a002022-02-07 11:40:23 +01003172
Gilles Peskine0a749c82019-11-28 19:33:58 +01003173 /* Compare with corrupted value */
Gilles Peskine449bd832023-01-11 14:50:10 +01003174 for (i = 0; i < output_length; i++) {
3175 mbedtls_test_set_step(i);
Gilles Peskine0a749c82019-11-28 19:33:58 +01003176 output[i] ^= 1;
Neil Armstrongca30a002022-02-07 11:40:23 +01003177
3178 /* One-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01003179 TEST_EQUAL(psa_hash_compare(alg, input->x, input->len,
3180 output, output_length),
3181 PSA_ERROR_INVALID_SIGNATURE);
Neil Armstrongca30a002022-02-07 11:40:23 +01003182
3183 /* Multi-Part */
Gilles Peskine449bd832023-01-11 14:50:10 +01003184 PSA_ASSERT(psa_hash_setup(&operation, alg));
3185 PSA_ASSERT(psa_hash_update(&operation, input->x, input->len));
3186 TEST_EQUAL(psa_hash_verify(&operation, output, output_length),
3187 PSA_ERROR_INVALID_SIGNATURE);
Neil Armstrongca30a002022-02-07 11:40:23 +01003188
Gilles Peskine0a749c82019-11-28 19:33:58 +01003189 output[i] ^= 1;
3190 }
3191
3192exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003193 PSA_ASSERT(psa_hash_abort(&operation));
3194 PSA_DONE();
Gilles Peskine0a749c82019-11-28 19:33:58 +01003195}
3196/* END_CASE */
3197
Gilles Peskined6dc40c2021-01-12 12:55:31 +01003198/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003199void hash_bad_order()
itayzafrirf86548d2018-11-01 10:44:32 +02003200{
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003201 psa_algorithm_t alg = PSA_ALG_SHA_256;
itayzafrirf86548d2018-11-01 10:44:32 +02003202 unsigned char input[] = "";
3203 /* SHA-256 hash of an empty string */
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003204 const unsigned char valid_hash[] = {
itayzafrirf86548d2018-11-01 10:44:32 +02003205 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8,
3206 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c,
Gilles Peskine449bd832023-01-11 14:50:10 +01003207 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
3208 };
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003209 unsigned char hash[sizeof(valid_hash)] = { 0 };
itayzafrirf86548d2018-11-01 10:44:32 +02003210 size_t hash_len;
Jaeden Amero6a25b412019-01-04 11:47:44 +00003211 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
itayzafrirf86548d2018-11-01 10:44:32 +02003212
Gilles Peskine449bd832023-01-11 14:50:10 +01003213 PSA_ASSERT(psa_crypto_init());
itayzafrirf86548d2018-11-01 10:44:32 +02003214
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003215 /* Call setup twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003216 PSA_ASSERT(psa_hash_setup(&operation, alg));
3217 ASSERT_OPERATION_IS_ACTIVE(operation);
3218 TEST_EQUAL(psa_hash_setup(&operation, alg),
3219 PSA_ERROR_BAD_STATE);
3220 ASSERT_OPERATION_IS_INACTIVE(operation);
3221 PSA_ASSERT(psa_hash_abort(&operation));
3222 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003223
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003224 /* Call update without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003225 TEST_EQUAL(psa_hash_update(&operation, input, sizeof(input)),
3226 PSA_ERROR_BAD_STATE);
3227 PSA_ASSERT(psa_hash_abort(&operation));
itayzafrirf86548d2018-11-01 10:44:32 +02003228
Dave Rodgman5ae6f752021-06-24 11:36:14 +01003229 /* Check that update calls abort on error. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003230 PSA_ASSERT(psa_hash_setup(&operation, alg));
Dave Rodgman6f710582021-06-24 18:14:52 +01003231 operation.id = UINT_MAX;
Gilles Peskine449bd832023-01-11 14:50:10 +01003232 ASSERT_OPERATION_IS_ACTIVE(operation);
3233 TEST_EQUAL(psa_hash_update(&operation, input, sizeof(input)),
3234 PSA_ERROR_BAD_STATE);
3235 ASSERT_OPERATION_IS_INACTIVE(operation);
3236 PSA_ASSERT(psa_hash_abort(&operation));
3237 ASSERT_OPERATION_IS_INACTIVE(operation);
Dave Rodgman5ae6f752021-06-24 11:36:14 +01003238
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003239 /* Call update after finish. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003240 PSA_ASSERT(psa_hash_setup(&operation, alg));
3241 PSA_ASSERT(psa_hash_finish(&operation,
3242 hash, sizeof(hash), &hash_len));
3243 TEST_EQUAL(psa_hash_update(&operation, input, sizeof(input)),
3244 PSA_ERROR_BAD_STATE);
3245 PSA_ASSERT(psa_hash_abort(&operation));
itayzafrirf86548d2018-11-01 10:44:32 +02003246
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003247 /* Call verify without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003248 TEST_EQUAL(psa_hash_verify(&operation,
3249 valid_hash, sizeof(valid_hash)),
3250 PSA_ERROR_BAD_STATE);
3251 PSA_ASSERT(psa_hash_abort(&operation));
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003252
3253 /* Call verify after finish. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003254 PSA_ASSERT(psa_hash_setup(&operation, alg));
3255 PSA_ASSERT(psa_hash_finish(&operation,
3256 hash, sizeof(hash), &hash_len));
3257 TEST_EQUAL(psa_hash_verify(&operation,
3258 valid_hash, sizeof(valid_hash)),
3259 PSA_ERROR_BAD_STATE);
3260 PSA_ASSERT(psa_hash_abort(&operation));
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003261
3262 /* Call verify twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003263 PSA_ASSERT(psa_hash_setup(&operation, alg));
3264 ASSERT_OPERATION_IS_ACTIVE(operation);
3265 PSA_ASSERT(psa_hash_verify(&operation,
3266 valid_hash, sizeof(valid_hash)));
3267 ASSERT_OPERATION_IS_INACTIVE(operation);
3268 TEST_EQUAL(psa_hash_verify(&operation,
3269 valid_hash, sizeof(valid_hash)),
3270 PSA_ERROR_BAD_STATE);
3271 ASSERT_OPERATION_IS_INACTIVE(operation);
3272 PSA_ASSERT(psa_hash_abort(&operation));
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003273
3274 /* Call finish without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003275 TEST_EQUAL(psa_hash_finish(&operation,
3276 hash, sizeof(hash), &hash_len),
3277 PSA_ERROR_BAD_STATE);
3278 PSA_ASSERT(psa_hash_abort(&operation));
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003279
3280 /* Call finish twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003281 PSA_ASSERT(psa_hash_setup(&operation, alg));
3282 PSA_ASSERT(psa_hash_finish(&operation,
3283 hash, sizeof(hash), &hash_len));
3284 TEST_EQUAL(psa_hash_finish(&operation,
3285 hash, sizeof(hash), &hash_len),
3286 PSA_ERROR_BAD_STATE);
3287 PSA_ASSERT(psa_hash_abort(&operation));
Jaeden Amero11aa7ee2019-02-19 11:44:55 +00003288
3289 /* Call finish after calling verify. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003290 PSA_ASSERT(psa_hash_setup(&operation, alg));
3291 PSA_ASSERT(psa_hash_verify(&operation,
3292 valid_hash, sizeof(valid_hash)));
3293 TEST_EQUAL(psa_hash_finish(&operation,
3294 hash, sizeof(hash), &hash_len),
3295 PSA_ERROR_BAD_STATE);
3296 PSA_ASSERT(psa_hash_abort(&operation));
itayzafrirf86548d2018-11-01 10:44:32 +02003297
3298exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003299 PSA_DONE();
itayzafrirf86548d2018-11-01 10:44:32 +02003300}
3301/* END_CASE */
3302
Gilles Peskined6dc40c2021-01-12 12:55:31 +01003303/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003304void hash_verify_bad_args()
itayzafrirec93d302018-10-18 18:01:10 +03003305{
3306 psa_algorithm_t alg = PSA_ALG_SHA_256;
itayzafrir27e69452018-11-01 14:26:34 +02003307 /* SHA-256 hash of an empty string with 2 extra bytes (0xaa and 0xbb)
3308 * appended to it */
3309 unsigned char hash[] = {
3310 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8,
3311 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c,
Gilles Peskine449bd832023-01-11 14:50:10 +01003312 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55, 0xaa, 0xbb
3313 };
3314 size_t expected_size = PSA_HASH_LENGTH(alg);
Jaeden Amero6a25b412019-01-04 11:47:44 +00003315 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
itayzafrirec93d302018-10-18 18:01:10 +03003316
Gilles Peskine449bd832023-01-11 14:50:10 +01003317 PSA_ASSERT(psa_crypto_init());
itayzafrirec93d302018-10-18 18:01:10 +03003318
itayzafrir27e69452018-11-01 14:26:34 +02003319 /* psa_hash_verify with a smaller hash than expected */
Gilles Peskine449bd832023-01-11 14:50:10 +01003320 PSA_ASSERT(psa_hash_setup(&operation, alg));
3321 ASSERT_OPERATION_IS_ACTIVE(operation);
3322 TEST_EQUAL(psa_hash_verify(&operation, hash, expected_size - 1),
3323 PSA_ERROR_INVALID_SIGNATURE);
3324 ASSERT_OPERATION_IS_INACTIVE(operation);
3325 PSA_ASSERT(psa_hash_abort(&operation));
3326 ASSERT_OPERATION_IS_INACTIVE(operation);
itayzafrirec93d302018-10-18 18:01:10 +03003327
itayzafrir27e69452018-11-01 14:26:34 +02003328 /* psa_hash_verify with a non-matching hash */
Gilles Peskine449bd832023-01-11 14:50:10 +01003329 PSA_ASSERT(psa_hash_setup(&operation, alg));
3330 TEST_EQUAL(psa_hash_verify(&operation, hash + 1, expected_size),
3331 PSA_ERROR_INVALID_SIGNATURE);
itayzafrirec93d302018-10-18 18:01:10 +03003332
itayzafrir27e69452018-11-01 14:26:34 +02003333 /* psa_hash_verify with a hash longer than expected */
Gilles Peskine449bd832023-01-11 14:50:10 +01003334 PSA_ASSERT(psa_hash_setup(&operation, alg));
3335 TEST_EQUAL(psa_hash_verify(&operation, hash, sizeof(hash)),
3336 PSA_ERROR_INVALID_SIGNATURE);
itayzafrir4271df92018-10-24 18:16:19 +03003337
itayzafrirec93d302018-10-18 18:01:10 +03003338exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003339 PSA_DONE();
itayzafrirec93d302018-10-18 18:01:10 +03003340}
3341/* END_CASE */
3342
Ronald Cronee414c72021-03-18 18:50:08 +01003343/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003344void hash_finish_bad_args()
itayzafrir58028322018-10-25 10:22:01 +03003345{
3346 psa_algorithm_t alg = PSA_ALG_SHA_256;
itayzafrirb2dd5ed2018-11-01 11:58:59 +02003347 unsigned char hash[PSA_HASH_MAX_SIZE];
Gilles Peskine449bd832023-01-11 14:50:10 +01003348 size_t expected_size = PSA_HASH_LENGTH(alg);
Jaeden Amero6a25b412019-01-04 11:47:44 +00003349 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
itayzafrir58028322018-10-25 10:22:01 +03003350 size_t hash_len;
3351
Gilles Peskine449bd832023-01-11 14:50:10 +01003352 PSA_ASSERT(psa_crypto_init());
itayzafrir58028322018-10-25 10:22:01 +03003353
itayzafrir58028322018-10-25 10:22:01 +03003354 /* psa_hash_finish with a smaller hash buffer than expected */
Gilles Peskine449bd832023-01-11 14:50:10 +01003355 PSA_ASSERT(psa_hash_setup(&operation, alg));
3356 TEST_EQUAL(psa_hash_finish(&operation,
3357 hash, expected_size - 1, &hash_len),
3358 PSA_ERROR_BUFFER_TOO_SMALL);
itayzafrir58028322018-10-25 10:22:01 +03003359
3360exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003361 PSA_DONE();
itayzafrir58028322018-10-25 10:22:01 +03003362}
3363/* END_CASE */
3364
Ronald Cronee414c72021-03-18 18:50:08 +01003365/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003366void hash_clone_source_state()
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003367{
3368 psa_algorithm_t alg = PSA_ALG_SHA_256;
3369 unsigned char hash[PSA_HASH_MAX_SIZE];
3370 psa_hash_operation_t op_source = PSA_HASH_OPERATION_INIT;
3371 psa_hash_operation_t op_init = PSA_HASH_OPERATION_INIT;
3372 psa_hash_operation_t op_setup = PSA_HASH_OPERATION_INIT;
3373 psa_hash_operation_t op_finished = PSA_HASH_OPERATION_INIT;
3374 psa_hash_operation_t op_aborted = PSA_HASH_OPERATION_INIT;
3375 size_t hash_len;
3376
Gilles Peskine449bd832023-01-11 14:50:10 +01003377 PSA_ASSERT(psa_crypto_init());
3378 PSA_ASSERT(psa_hash_setup(&op_source, alg));
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003379
Gilles Peskine449bd832023-01-11 14:50:10 +01003380 PSA_ASSERT(psa_hash_setup(&op_setup, alg));
3381 PSA_ASSERT(psa_hash_setup(&op_finished, alg));
3382 PSA_ASSERT(psa_hash_finish(&op_finished,
3383 hash, sizeof(hash), &hash_len));
3384 PSA_ASSERT(psa_hash_setup(&op_aborted, alg));
3385 PSA_ASSERT(psa_hash_abort(&op_aborted));
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003386
Gilles Peskine449bd832023-01-11 14:50:10 +01003387 TEST_EQUAL(psa_hash_clone(&op_source, &op_setup),
3388 PSA_ERROR_BAD_STATE);
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003389
Gilles Peskine449bd832023-01-11 14:50:10 +01003390 PSA_ASSERT(psa_hash_clone(&op_source, &op_init));
3391 PSA_ASSERT(psa_hash_finish(&op_init,
3392 hash, sizeof(hash), &hash_len));
3393 PSA_ASSERT(psa_hash_clone(&op_source, &op_finished));
3394 PSA_ASSERT(psa_hash_finish(&op_finished,
3395 hash, sizeof(hash), &hash_len));
3396 PSA_ASSERT(psa_hash_clone(&op_source, &op_aborted));
3397 PSA_ASSERT(psa_hash_finish(&op_aborted,
3398 hash, sizeof(hash), &hash_len));
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003399
3400exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003401 psa_hash_abort(&op_source);
3402 psa_hash_abort(&op_init);
3403 psa_hash_abort(&op_setup);
3404 psa_hash_abort(&op_finished);
3405 psa_hash_abort(&op_aborted);
3406 PSA_DONE();
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003407}
3408/* END_CASE */
3409
Ronald Cronee414c72021-03-18 18:50:08 +01003410/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003411void hash_clone_target_state()
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003412{
3413 psa_algorithm_t alg = PSA_ALG_SHA_256;
3414 unsigned char hash[PSA_HASH_MAX_SIZE];
3415 psa_hash_operation_t op_init = PSA_HASH_OPERATION_INIT;
3416 psa_hash_operation_t op_setup = PSA_HASH_OPERATION_INIT;
3417 psa_hash_operation_t op_finished = PSA_HASH_OPERATION_INIT;
3418 psa_hash_operation_t op_aborted = PSA_HASH_OPERATION_INIT;
3419 psa_hash_operation_t op_target = PSA_HASH_OPERATION_INIT;
3420 size_t hash_len;
3421
Gilles Peskine449bd832023-01-11 14:50:10 +01003422 PSA_ASSERT(psa_crypto_init());
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003423
Gilles Peskine449bd832023-01-11 14:50:10 +01003424 PSA_ASSERT(psa_hash_setup(&op_setup, alg));
3425 PSA_ASSERT(psa_hash_setup(&op_finished, alg));
3426 PSA_ASSERT(psa_hash_finish(&op_finished,
3427 hash, sizeof(hash), &hash_len));
3428 PSA_ASSERT(psa_hash_setup(&op_aborted, alg));
3429 PSA_ASSERT(psa_hash_abort(&op_aborted));
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003430
Gilles Peskine449bd832023-01-11 14:50:10 +01003431 PSA_ASSERT(psa_hash_clone(&op_setup, &op_target));
3432 PSA_ASSERT(psa_hash_finish(&op_target,
3433 hash, sizeof(hash), &hash_len));
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003434
Gilles Peskine449bd832023-01-11 14:50:10 +01003435 TEST_EQUAL(psa_hash_clone(&op_init, &op_target), PSA_ERROR_BAD_STATE);
3436 TEST_EQUAL(psa_hash_clone(&op_finished, &op_target),
3437 PSA_ERROR_BAD_STATE);
3438 TEST_EQUAL(psa_hash_clone(&op_aborted, &op_target),
3439 PSA_ERROR_BAD_STATE);
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003440
3441exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003442 psa_hash_abort(&op_target);
3443 psa_hash_abort(&op_init);
3444 psa_hash_abort(&op_setup);
3445 psa_hash_abort(&op_finished);
3446 psa_hash_abort(&op_aborted);
3447 PSA_DONE();
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01003448}
3449/* END_CASE */
3450
itayzafrir58028322018-10-25 10:22:01 +03003451/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003452void mac_operation_init()
Jaeden Amero769ce272019-01-04 11:48:03 +00003453{
Jaeden Amero252ef282019-02-15 14:05:35 +00003454 const uint8_t input[1] = { 0 };
3455
Jaeden Amero769ce272019-01-04 11:48:03 +00003456 /* Test each valid way of initializing the object, except for `= {0}`, as
3457 * Clang 5 complains when `-Wmissing-field-initializers` is used, even
3458 * though it's OK by the C standard. We could test for this, but we'd need
Shaun Case8b0ecbc2021-12-20 21:14:10 -08003459 * to suppress the Clang warning for the test. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003460 psa_mac_operation_t func = psa_mac_operation_init();
Jaeden Amero769ce272019-01-04 11:48:03 +00003461 psa_mac_operation_t init = PSA_MAC_OPERATION_INIT;
3462 psa_mac_operation_t zero;
3463
Gilles Peskine449bd832023-01-11 14:50:10 +01003464 memset(&zero, 0, sizeof(zero));
Jaeden Amero769ce272019-01-04 11:48:03 +00003465
Jaeden Amero252ef282019-02-15 14:05:35 +00003466 /* A freshly-initialized MAC operation should not be usable. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003467 TEST_EQUAL(psa_mac_update(&func,
3468 input, sizeof(input)),
3469 PSA_ERROR_BAD_STATE);
3470 TEST_EQUAL(psa_mac_update(&init,
3471 input, sizeof(input)),
3472 PSA_ERROR_BAD_STATE);
3473 TEST_EQUAL(psa_mac_update(&zero,
3474 input, sizeof(input)),
3475 PSA_ERROR_BAD_STATE);
Jaeden Amero252ef282019-02-15 14:05:35 +00003476
Jaeden Amero5229bbb2019-02-07 16:33:37 +00003477 /* A default MAC operation should be abortable without error. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003478 PSA_ASSERT(psa_mac_abort(&func));
3479 PSA_ASSERT(psa_mac_abort(&init));
3480 PSA_ASSERT(psa_mac_abort(&zero));
Jaeden Amero769ce272019-01-04 11:48:03 +00003481}
3482/* END_CASE */
3483
3484/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003485void mac_setup(int key_type_arg,
3486 data_t *key,
3487 int alg_arg,
3488 int expected_status_arg)
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003489{
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003490 psa_key_type_t key_type = key_type_arg;
3491 psa_algorithm_t alg = alg_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02003492 psa_status_t expected_status = expected_status_arg;
Jaeden Amero769ce272019-01-04 11:48:03 +00003493 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003494 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
3495#if defined(KNOWN_SUPPORTED_MAC_ALG)
3496 const uint8_t smoke_test_key_data[16] = "kkkkkkkkkkkkkkkk";
3497#endif
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003498
Gilles Peskine449bd832023-01-11 14:50:10 +01003499 PSA_ASSERT(psa_crypto_init());
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003500
Gilles Peskine449bd832023-01-11 14:50:10 +01003501 if (!exercise_mac_setup(key_type, key->x, key->len, alg,
3502 &operation, &status)) {
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003503 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01003504 }
3505 TEST_EQUAL(status, expected_status);
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003506
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003507 /* The operation object should be reusable. */
3508#if defined(KNOWN_SUPPORTED_MAC_ALG)
Gilles Peskine449bd832023-01-11 14:50:10 +01003509 if (!exercise_mac_setup(KNOWN_SUPPORTED_MAC_KEY_TYPE,
3510 smoke_test_key_data,
3511 sizeof(smoke_test_key_data),
3512 KNOWN_SUPPORTED_MAC_ALG,
3513 &operation, &status)) {
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003514 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01003515 }
3516 TEST_EQUAL(status, PSA_SUCCESS);
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003517#endif
3518
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003519exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003520 PSA_DONE();
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003521}
3522/* END_CASE */
3523
Gilles Peskined6dc40c2021-01-12 12:55:31 +01003524/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_HMAC:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003525void mac_bad_order()
Jaeden Amero252ef282019-02-15 14:05:35 +00003526{
Ronald Cron5425a212020-08-04 14:58:35 +02003527 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Jaeden Amero252ef282019-02-15 14:05:35 +00003528 psa_key_type_t key_type = PSA_KEY_TYPE_HMAC;
3529 psa_algorithm_t alg = PSA_ALG_HMAC(PSA_ALG_SHA_256);
Ronald Cron5425a212020-08-04 14:58:35 +02003530 const uint8_t key_data[] = {
Jaeden Amero252ef282019-02-15 14:05:35 +00003531 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
3532 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
Gilles Peskine449bd832023-01-11 14:50:10 +01003533 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
3534 };
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02003535 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Jaeden Amero252ef282019-02-15 14:05:35 +00003536 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
3537 uint8_t sign_mac[PSA_MAC_MAX_SIZE + 10] = { 0 };
3538 size_t sign_mac_length = 0;
3539 const uint8_t input[] = { 0xbb, 0xbb, 0xbb, 0xbb };
3540 const uint8_t verify_mac[] = {
3541 0x74, 0x65, 0x93, 0x8c, 0xeb, 0x1d, 0xb3, 0x76, 0x5a, 0x38, 0xe7, 0xdd,
3542 0x85, 0xc5, 0xad, 0x4f, 0x07, 0xe7, 0xd5, 0xb2, 0x64, 0xf0, 0x1a, 0x1a,
Gilles Peskine449bd832023-01-11 14:50:10 +01003543 0x2c, 0xf9, 0x18, 0xca, 0x59, 0x7e, 0x5d, 0xf6
3544 };
Jaeden Amero252ef282019-02-15 14:05:35 +00003545
Gilles Peskine449bd832023-01-11 14:50:10 +01003546 PSA_ASSERT(psa_crypto_init());
3547 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH);
3548 psa_set_key_algorithm(&attributes, alg);
3549 psa_set_key_type(&attributes, key_type);
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003550
Gilles Peskine449bd832023-01-11 14:50:10 +01003551 PSA_ASSERT(psa_import_key(&attributes, key_data, sizeof(key_data),
3552 &key));
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003553
Jaeden Amero252ef282019-02-15 14:05:35 +00003554 /* Call update without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003555 TEST_EQUAL(psa_mac_update(&operation, input, sizeof(input)),
3556 PSA_ERROR_BAD_STATE);
3557 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003558
3559 /* Call sign finish without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003560 TEST_EQUAL(psa_mac_sign_finish(&operation, sign_mac, sizeof(sign_mac),
3561 &sign_mac_length),
3562 PSA_ERROR_BAD_STATE);
3563 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003564
3565 /* Call verify finish without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003566 TEST_EQUAL(psa_mac_verify_finish(&operation,
3567 verify_mac, sizeof(verify_mac)),
3568 PSA_ERROR_BAD_STATE);
3569 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003570
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003571 /* Call setup twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003572 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
3573 ASSERT_OPERATION_IS_ACTIVE(operation);
3574 TEST_EQUAL(psa_mac_sign_setup(&operation, key, alg),
3575 PSA_ERROR_BAD_STATE);
3576 ASSERT_OPERATION_IS_INACTIVE(operation);
3577 PSA_ASSERT(psa_mac_abort(&operation));
3578 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003579
Jaeden Amero252ef282019-02-15 14:05:35 +00003580 /* Call update after sign finish. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003581 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
3582 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3583 PSA_ASSERT(psa_mac_sign_finish(&operation,
3584 sign_mac, sizeof(sign_mac),
3585 &sign_mac_length));
3586 TEST_EQUAL(psa_mac_update(&operation, input, sizeof(input)),
3587 PSA_ERROR_BAD_STATE);
3588 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003589
3590 /* Call update after verify finish. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003591 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3592 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3593 PSA_ASSERT(psa_mac_verify_finish(&operation,
3594 verify_mac, sizeof(verify_mac)));
3595 TEST_EQUAL(psa_mac_update(&operation, input, sizeof(input)),
3596 PSA_ERROR_BAD_STATE);
3597 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003598
3599 /* Call sign finish twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003600 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
3601 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3602 PSA_ASSERT(psa_mac_sign_finish(&operation,
3603 sign_mac, sizeof(sign_mac),
3604 &sign_mac_length));
3605 TEST_EQUAL(psa_mac_sign_finish(&operation,
3606 sign_mac, sizeof(sign_mac),
3607 &sign_mac_length),
3608 PSA_ERROR_BAD_STATE);
3609 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003610
3611 /* Call verify finish twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003612 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3613 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3614 PSA_ASSERT(psa_mac_verify_finish(&operation,
3615 verify_mac, sizeof(verify_mac)));
3616 TEST_EQUAL(psa_mac_verify_finish(&operation,
3617 verify_mac, sizeof(verify_mac)),
3618 PSA_ERROR_BAD_STATE);
3619 PSA_ASSERT(psa_mac_abort(&operation));
Jaeden Amero252ef282019-02-15 14:05:35 +00003620
3621 /* Setup sign but try verify. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003622 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
3623 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3624 ASSERT_OPERATION_IS_ACTIVE(operation);
3625 TEST_EQUAL(psa_mac_verify_finish(&operation,
3626 verify_mac, sizeof(verify_mac)),
3627 PSA_ERROR_BAD_STATE);
3628 ASSERT_OPERATION_IS_INACTIVE(operation);
3629 PSA_ASSERT(psa_mac_abort(&operation));
3630 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Amero252ef282019-02-15 14:05:35 +00003631
3632 /* Setup verify but try sign. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003633 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3634 PSA_ASSERT(psa_mac_update(&operation, input, sizeof(input)));
3635 ASSERT_OPERATION_IS_ACTIVE(operation);
3636 TEST_EQUAL(psa_mac_sign_finish(&operation,
3637 sign_mac, sizeof(sign_mac),
3638 &sign_mac_length),
3639 PSA_ERROR_BAD_STATE);
3640 ASSERT_OPERATION_IS_INACTIVE(operation);
3641 PSA_ASSERT(psa_mac_abort(&operation));
3642 ASSERT_OPERATION_IS_INACTIVE(operation);
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003643
Gilles Peskine449bd832023-01-11 14:50:10 +01003644 PSA_ASSERT(psa_destroy_key(key));
Gilles Peskine76b29a72019-05-28 14:08:50 +02003645
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003646exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003647 PSA_DONE();
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003648}
3649/* END_CASE */
3650
3651/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003652void mac_sign_verify_multi(int key_type_arg,
3653 data_t *key_data,
3654 int alg_arg,
3655 data_t *input,
3656 int is_verify,
3657 data_t *expected_mac)
Neil Armstrong4766f992022-02-28 16:23:59 +01003658{
3659 size_t data_part_len = 0;
3660
Gilles Peskine449bd832023-01-11 14:50:10 +01003661 for (data_part_len = 1; data_part_len <= input->len; data_part_len++) {
Neil Armstrong4766f992022-02-28 16:23:59 +01003662 /* Split data into length(data_part_len) parts. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003663 mbedtls_test_set_step(2000 + data_part_len);
Neil Armstrong4766f992022-02-28 16:23:59 +01003664
Gilles Peskine449bd832023-01-11 14:50:10 +01003665 if (mac_multipart_internal_func(key_type_arg, key_data,
3666 alg_arg,
3667 input, data_part_len,
3668 expected_mac,
3669 is_verify, 0) == 0) {
Neil Armstrong4766f992022-02-28 16:23:59 +01003670 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01003671 }
Neil Armstrong4766f992022-02-28 16:23:59 +01003672
3673 /* length(0) part, length(data_part_len) part, length(0) part... */
Gilles Peskine449bd832023-01-11 14:50:10 +01003674 mbedtls_test_set_step(3000 + data_part_len);
Neil Armstrong4766f992022-02-28 16:23:59 +01003675
Gilles Peskine449bd832023-01-11 14:50:10 +01003676 if (mac_multipart_internal_func(key_type_arg, key_data,
3677 alg_arg,
3678 input, data_part_len,
3679 expected_mac,
3680 is_verify, 1) == 0) {
Neil Armstrong4766f992022-02-28 16:23:59 +01003681 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01003682 }
Neil Armstrong4766f992022-02-28 16:23:59 +01003683 }
3684
3685 /* Goto is required to silence warnings about unused labels, as we
3686 * don't actually do any test assertions in this function. */
3687 goto exit;
3688}
3689/* END_CASE */
3690
3691/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003692void mac_sign(int key_type_arg,
3693 data_t *key_data,
3694 int alg_arg,
3695 data_t *input,
3696 data_t *expected_mac)
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003697{
Ronald Cron5425a212020-08-04 14:58:35 +02003698 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003699 psa_key_type_t key_type = key_type_arg;
3700 psa_algorithm_t alg = alg_arg;
Jaeden Amero769ce272019-01-04 11:48:03 +00003701 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02003702 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine5e65cec2020-08-25 23:38:39 +02003703 uint8_t *actual_mac = NULL;
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003704 size_t mac_buffer_size =
Gilles Peskine449bd832023-01-11 14:50:10 +01003705 PSA_MAC_LENGTH(key_type, PSA_BYTES_TO_BITS(key_data->len), alg);
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003706 size_t mac_length = 0;
Gilles Peskine8b356b52020-08-25 23:44:59 +02003707 const size_t output_sizes_to_test[] = {
3708 0,
3709 1,
3710 expected_mac->len - 1,
3711 expected_mac->len,
3712 expected_mac->len + 1,
3713 };
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003714
Gilles Peskine449bd832023-01-11 14:50:10 +01003715 TEST_LE_U(mac_buffer_size, PSA_MAC_MAX_SIZE);
gabor-mezei-armcbcec212020-12-18 14:23:51 +01003716 /* We expect PSA_MAC_LENGTH to be exact. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003717 TEST_ASSERT(expected_mac->len == mac_buffer_size);
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003718
Gilles Peskine449bd832023-01-11 14:50:10 +01003719 PSA_ASSERT(psa_crypto_init());
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003720
Gilles Peskine449bd832023-01-11 14:50:10 +01003721 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
3722 psa_set_key_algorithm(&attributes, alg);
3723 psa_set_key_type(&attributes, key_type);
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003724
Gilles Peskine449bd832023-01-11 14:50:10 +01003725 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
3726 &key));
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003727
Gilles Peskine449bd832023-01-11 14:50:10 +01003728 for (size_t i = 0; i < ARRAY_LENGTH(output_sizes_to_test); i++) {
Gilles Peskine8b356b52020-08-25 23:44:59 +02003729 const size_t output_size = output_sizes_to_test[i];
3730 psa_status_t expected_status =
Gilles Peskine449bd832023-01-11 14:50:10 +01003731 (output_size >= expected_mac->len ? PSA_SUCCESS :
3732 PSA_ERROR_BUFFER_TOO_SMALL);
Gilles Peskine5e65cec2020-08-25 23:38:39 +02003733
Gilles Peskine449bd832023-01-11 14:50:10 +01003734 mbedtls_test_set_step(output_size);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01003735 TEST_CALLOC(actual_mac, output_size);
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003736
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003737 /* Calculate the MAC, one-shot case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003738 TEST_EQUAL(psa_mac_compute(key, alg,
3739 input->x, input->len,
3740 actual_mac, output_size, &mac_length),
3741 expected_status);
3742 if (expected_status == PSA_SUCCESS) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01003743 TEST_MEMORY_COMPARE(expected_mac->x, expected_mac->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01003744 actual_mac, mac_length);
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003745 }
3746
Gilles Peskine449bd832023-01-11 14:50:10 +01003747 if (output_size > 0) {
3748 memset(actual_mac, 0, output_size);
3749 }
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003750
3751 /* Calculate the MAC, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003752 PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
3753 PSA_ASSERT(psa_mac_update(&operation,
3754 input->x, input->len));
3755 TEST_EQUAL(psa_mac_sign_finish(&operation,
3756 actual_mac, output_size,
3757 &mac_length),
3758 expected_status);
3759 PSA_ASSERT(psa_mac_abort(&operation));
Gilles Peskine8b356b52020-08-25 23:44:59 +02003760
Gilles Peskine449bd832023-01-11 14:50:10 +01003761 if (expected_status == PSA_SUCCESS) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01003762 TEST_MEMORY_COMPARE(expected_mac->x, expected_mac->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01003763 actual_mac, mac_length);
Gilles Peskine8b356b52020-08-25 23:44:59 +02003764 }
Gilles Peskine449bd832023-01-11 14:50:10 +01003765 mbedtls_free(actual_mac);
Gilles Peskine8b356b52020-08-25 23:44:59 +02003766 actual_mac = NULL;
3767 }
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003768
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003769exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003770 psa_mac_abort(&operation);
3771 psa_destroy_key(key);
3772 PSA_DONE();
3773 mbedtls_free(actual_mac);
Gilles Peskinea7aa4422018-08-14 15:17:54 +02003774}
3775/* END_CASE */
3776
3777/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003778void mac_verify(int key_type_arg,
3779 data_t *key_data,
3780 int alg_arg,
3781 data_t *input,
3782 data_t *expected_mac)
Gilles Peskine8c9def32018-02-08 10:02:12 +01003783{
Ronald Cron5425a212020-08-04 14:58:35 +02003784 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine8c9def32018-02-08 10:02:12 +01003785 psa_key_type_t key_type = key_type_arg;
3786 psa_algorithm_t alg = alg_arg;
Jaeden Amero769ce272019-01-04 11:48:03 +00003787 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02003788 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine29c4a6c2020-08-26 00:01:39 +02003789 uint8_t *perturbed_mac = NULL;
Gilles Peskine8c9def32018-02-08 10:02:12 +01003790
Gilles Peskine449bd832023-01-11 14:50:10 +01003791 TEST_LE_U(expected_mac->len, PSA_MAC_MAX_SIZE);
Gilles Peskine69c12672018-06-28 00:07:19 +02003792
Gilles Peskine449bd832023-01-11 14:50:10 +01003793 PSA_ASSERT(psa_crypto_init());
Gilles Peskine8c9def32018-02-08 10:02:12 +01003794
Gilles Peskine449bd832023-01-11 14:50:10 +01003795 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
3796 psa_set_key_algorithm(&attributes, alg);
3797 psa_set_key_type(&attributes, key_type);
mohammad16036df908f2018-04-02 08:34:15 -07003798
Gilles Peskine449bd832023-01-11 14:50:10 +01003799 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
3800 &key));
Gilles Peskinec0ec9722018-06-18 17:03:37 +02003801
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003802 /* Verify correct MAC, one-shot case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003803 PSA_ASSERT(psa_mac_verify(key, alg, input->x, input->len,
3804 expected_mac->x, expected_mac->len));
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003805
3806 /* Verify correct MAC, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003807 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3808 PSA_ASSERT(psa_mac_update(&operation,
3809 input->x, input->len));
3810 PSA_ASSERT(psa_mac_verify_finish(&operation,
3811 expected_mac->x,
3812 expected_mac->len));
Gilles Peskine8c9def32018-02-08 10:02:12 +01003813
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003814 /* Test a MAC that's too short, one-shot case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003815 TEST_EQUAL(psa_mac_verify(key, alg,
3816 input->x, input->len,
3817 expected_mac->x,
3818 expected_mac->len - 1),
3819 PSA_ERROR_INVALID_SIGNATURE);
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003820
3821 /* Test a MAC that's too short, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003822 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3823 PSA_ASSERT(psa_mac_update(&operation,
3824 input->x, input->len));
3825 TEST_EQUAL(psa_mac_verify_finish(&operation,
3826 expected_mac->x,
3827 expected_mac->len - 1),
3828 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine29c4a6c2020-08-26 00:01:39 +02003829
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003830 /* Test a MAC that's too long, one-shot case. */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01003831 TEST_CALLOC(perturbed_mac, expected_mac->len + 1);
Gilles Peskine449bd832023-01-11 14:50:10 +01003832 memcpy(perturbed_mac, expected_mac->x, expected_mac->len);
3833 TEST_EQUAL(psa_mac_verify(key, alg,
3834 input->x, input->len,
3835 perturbed_mac, expected_mac->len + 1),
3836 PSA_ERROR_INVALID_SIGNATURE);
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003837
3838 /* Test a MAC that's too long, multi-part case. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003839 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3840 PSA_ASSERT(psa_mac_update(&operation,
3841 input->x, input->len));
3842 TEST_EQUAL(psa_mac_verify_finish(&operation,
3843 perturbed_mac,
3844 expected_mac->len + 1),
3845 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine29c4a6c2020-08-26 00:01:39 +02003846
3847 /* Test changing one byte. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003848 for (size_t i = 0; i < expected_mac->len; i++) {
3849 mbedtls_test_set_step(i);
Gilles Peskine29c4a6c2020-08-26 00:01:39 +02003850 perturbed_mac[i] ^= 1;
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003851
Gilles Peskine449bd832023-01-11 14:50:10 +01003852 TEST_EQUAL(psa_mac_verify(key, alg,
3853 input->x, input->len,
3854 perturbed_mac, expected_mac->len),
3855 PSA_ERROR_INVALID_SIGNATURE);
gabor-mezei-arm534bb992021-03-01 15:35:48 +01003856
Gilles Peskine449bd832023-01-11 14:50:10 +01003857 PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
3858 PSA_ASSERT(psa_mac_update(&operation,
3859 input->x, input->len));
3860 TEST_EQUAL(psa_mac_verify_finish(&operation,
3861 perturbed_mac,
3862 expected_mac->len),
3863 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine29c4a6c2020-08-26 00:01:39 +02003864 perturbed_mac[i] ^= 1;
3865 }
3866
Gilles Peskine8c9def32018-02-08 10:02:12 +01003867exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003868 psa_mac_abort(&operation);
3869 psa_destroy_key(key);
3870 PSA_DONE();
3871 mbedtls_free(perturbed_mac);
Gilles Peskine8c9def32018-02-08 10:02:12 +01003872}
3873/* END_CASE */
3874
3875/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003876void cipher_operation_init()
Jaeden Amero5bae2272019-01-04 11:48:27 +00003877{
Jaeden Ameroab439972019-02-15 14:12:05 +00003878 const uint8_t input[1] = { 0 };
3879 unsigned char output[1] = { 0 };
3880 size_t output_length;
Jaeden Amero5bae2272019-01-04 11:48:27 +00003881 /* Test each valid way of initializing the object, except for `= {0}`, as
3882 * Clang 5 complains when `-Wmissing-field-initializers` is used, even
3883 * though it's OK by the C standard. We could test for this, but we'd need
Shaun Case8b0ecbc2021-12-20 21:14:10 -08003884 * to suppress the Clang warning for the test. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003885 psa_cipher_operation_t func = psa_cipher_operation_init();
Jaeden Amero5bae2272019-01-04 11:48:27 +00003886 psa_cipher_operation_t init = PSA_CIPHER_OPERATION_INIT;
3887 psa_cipher_operation_t zero;
3888
Gilles Peskine449bd832023-01-11 14:50:10 +01003889 memset(&zero, 0, sizeof(zero));
Jaeden Amero5bae2272019-01-04 11:48:27 +00003890
Jaeden Ameroab439972019-02-15 14:12:05 +00003891 /* A freshly-initialized cipher operation should not be usable. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003892 TEST_EQUAL(psa_cipher_update(&func,
3893 input, sizeof(input),
3894 output, sizeof(output),
3895 &output_length),
3896 PSA_ERROR_BAD_STATE);
3897 TEST_EQUAL(psa_cipher_update(&init,
3898 input, sizeof(input),
3899 output, sizeof(output),
3900 &output_length),
3901 PSA_ERROR_BAD_STATE);
3902 TEST_EQUAL(psa_cipher_update(&zero,
3903 input, sizeof(input),
3904 output, sizeof(output),
3905 &output_length),
3906 PSA_ERROR_BAD_STATE);
Jaeden Ameroab439972019-02-15 14:12:05 +00003907
Jaeden Amero5229bbb2019-02-07 16:33:37 +00003908 /* A default cipher operation should be abortable without error. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003909 PSA_ASSERT(psa_cipher_abort(&func));
3910 PSA_ASSERT(psa_cipher_abort(&init));
3911 PSA_ASSERT(psa_cipher_abort(&zero));
Jaeden Amero5bae2272019-01-04 11:48:27 +00003912}
3913/* END_CASE */
3914
3915/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01003916void cipher_setup(int key_type_arg,
3917 data_t *key,
3918 int alg_arg,
3919 int expected_status_arg)
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003920{
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003921 psa_key_type_t key_type = key_type_arg;
3922 psa_algorithm_t alg = alg_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02003923 psa_status_t expected_status = expected_status_arg;
Jaeden Amero5bae2272019-01-04 11:48:27 +00003924 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003925 psa_status_t status;
Gilles Peskine612ffd22021-01-20 18:51:00 +01003926#if defined(KNOWN_SUPPORTED_CIPHER_ALG)
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003927 const uint8_t smoke_test_key_data[16] = "kkkkkkkkkkkkkkkk";
3928#endif
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003929
Gilles Peskine449bd832023-01-11 14:50:10 +01003930 PSA_ASSERT(psa_crypto_init());
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003931
Gilles Peskine449bd832023-01-11 14:50:10 +01003932 if (!exercise_cipher_setup(key_type, key->x, key->len, alg,
3933 &operation, &status)) {
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003934 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01003935 }
3936 TEST_EQUAL(status, expected_status);
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003937
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003938 /* The operation object should be reusable. */
3939#if defined(KNOWN_SUPPORTED_CIPHER_ALG)
Gilles Peskine449bd832023-01-11 14:50:10 +01003940 if (!exercise_cipher_setup(KNOWN_SUPPORTED_CIPHER_KEY_TYPE,
3941 smoke_test_key_data,
3942 sizeof(smoke_test_key_data),
3943 KNOWN_SUPPORTED_CIPHER_ALG,
3944 &operation, &status)) {
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003945 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01003946 }
3947 TEST_EQUAL(status, PSA_SUCCESS);
Gilles Peskinef426e0f2019-02-25 17:42:03 +01003948#endif
3949
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003950exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01003951 psa_cipher_abort(&operation);
3952 PSA_DONE();
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003953}
3954/* END_CASE */
3955
Ronald Cronee414c72021-03-18 18:50:08 +01003956/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_PKCS7 */
Gilles Peskine449bd832023-01-11 14:50:10 +01003957void cipher_bad_order()
Jaeden Ameroab439972019-02-15 14:12:05 +00003958{
Ronald Cron5425a212020-08-04 14:58:35 +02003959 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Jaeden Ameroab439972019-02-15 14:12:05 +00003960 psa_key_type_t key_type = PSA_KEY_TYPE_AES;
3961 psa_algorithm_t alg = PSA_ALG_CBC_PKCS7;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02003962 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Jaeden Ameroab439972019-02-15 14:12:05 +00003963 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
gabor-mezei-armcbcec212020-12-18 14:23:51 +01003964 unsigned char iv[PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES)] = { 0 };
Ronald Cron5425a212020-08-04 14:58:35 +02003965 const uint8_t key_data[] = {
Jaeden Ameroab439972019-02-15 14:12:05 +00003966 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
Gilles Peskine449bd832023-01-11 14:50:10 +01003967 0xaa, 0xaa, 0xaa, 0xaa
3968 };
Jaeden Ameroab439972019-02-15 14:12:05 +00003969 const uint8_t text[] = {
3970 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb,
Gilles Peskine449bd832023-01-11 14:50:10 +01003971 0xbb, 0xbb, 0xbb, 0xbb
3972 };
gabor-mezei-armcbcec212020-12-18 14:23:51 +01003973 uint8_t buffer[PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES)] = { 0 };
Jaeden Ameroab439972019-02-15 14:12:05 +00003974 size_t length = 0;
3975
Gilles Peskine449bd832023-01-11 14:50:10 +01003976 PSA_ASSERT(psa_crypto_init());
3977 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
3978 psa_set_key_algorithm(&attributes, alg);
3979 psa_set_key_type(&attributes, key_type);
3980 PSA_ASSERT(psa_import_key(&attributes, key_data, sizeof(key_data),
3981 &key));
Jaeden Ameroab439972019-02-15 14:12:05 +00003982
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003983 /* Call encrypt setup twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003984 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
3985 ASSERT_OPERATION_IS_ACTIVE(operation);
3986 TEST_EQUAL(psa_cipher_encrypt_setup(&operation, key, alg),
3987 PSA_ERROR_BAD_STATE);
3988 ASSERT_OPERATION_IS_INACTIVE(operation);
3989 PSA_ASSERT(psa_cipher_abort(&operation));
3990 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003991
3992 /* Call decrypt setup twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01003993 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
3994 ASSERT_OPERATION_IS_ACTIVE(operation);
3995 TEST_EQUAL(psa_cipher_decrypt_setup(&operation, key, alg),
3996 PSA_ERROR_BAD_STATE);
3997 ASSERT_OPERATION_IS_INACTIVE(operation);
3998 PSA_ASSERT(psa_cipher_abort(&operation));
3999 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Amero36ee5d02019-02-19 09:25:10 +00004000
Jaeden Ameroab439972019-02-15 14:12:05 +00004001 /* Generate an IV without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004002 TEST_EQUAL(psa_cipher_generate_iv(&operation,
4003 buffer, sizeof(buffer),
4004 &length),
4005 PSA_ERROR_BAD_STATE);
4006 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00004007
4008 /* Generate an IV twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004009 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4010 PSA_ASSERT(psa_cipher_generate_iv(&operation,
4011 buffer, sizeof(buffer),
4012 &length));
4013 ASSERT_OPERATION_IS_ACTIVE(operation);
4014 TEST_EQUAL(psa_cipher_generate_iv(&operation,
4015 buffer, sizeof(buffer),
4016 &length),
4017 PSA_ERROR_BAD_STATE);
4018 ASSERT_OPERATION_IS_INACTIVE(operation);
4019 PSA_ASSERT(psa_cipher_abort(&operation));
4020 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Ameroab439972019-02-15 14:12:05 +00004021
4022 /* Generate an IV after it's already set. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004023 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4024 PSA_ASSERT(psa_cipher_set_iv(&operation,
4025 iv, sizeof(iv)));
4026 TEST_EQUAL(psa_cipher_generate_iv(&operation,
4027 buffer, sizeof(buffer),
4028 &length),
4029 PSA_ERROR_BAD_STATE);
4030 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00004031
4032 /* Set an IV without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004033 TEST_EQUAL(psa_cipher_set_iv(&operation,
4034 iv, sizeof(iv)),
4035 PSA_ERROR_BAD_STATE);
4036 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00004037
4038 /* Set an IV after it's already set. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004039 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4040 PSA_ASSERT(psa_cipher_set_iv(&operation,
4041 iv, sizeof(iv)));
4042 ASSERT_OPERATION_IS_ACTIVE(operation);
4043 TEST_EQUAL(psa_cipher_set_iv(&operation,
4044 iv, sizeof(iv)),
4045 PSA_ERROR_BAD_STATE);
4046 ASSERT_OPERATION_IS_INACTIVE(operation);
4047 PSA_ASSERT(psa_cipher_abort(&operation));
4048 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Ameroab439972019-02-15 14:12:05 +00004049
4050 /* Set an IV after it's already generated. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004051 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4052 PSA_ASSERT(psa_cipher_generate_iv(&operation,
4053 buffer, sizeof(buffer),
4054 &length));
4055 TEST_EQUAL(psa_cipher_set_iv(&operation,
4056 iv, sizeof(iv)),
4057 PSA_ERROR_BAD_STATE);
4058 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00004059
4060 /* Call update without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004061 TEST_EQUAL(psa_cipher_update(&operation,
4062 text, sizeof(text),
4063 buffer, sizeof(buffer),
4064 &length),
4065 PSA_ERROR_BAD_STATE);
4066 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00004067
4068 /* Call update without an IV where an IV is required. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004069 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4070 ASSERT_OPERATION_IS_ACTIVE(operation);
4071 TEST_EQUAL(psa_cipher_update(&operation,
4072 text, sizeof(text),
4073 buffer, sizeof(buffer),
4074 &length),
4075 PSA_ERROR_BAD_STATE);
4076 ASSERT_OPERATION_IS_INACTIVE(operation);
4077 PSA_ASSERT(psa_cipher_abort(&operation));
4078 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Ameroab439972019-02-15 14:12:05 +00004079
4080 /* Call update after finish. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004081 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4082 PSA_ASSERT(psa_cipher_set_iv(&operation,
4083 iv, sizeof(iv)));
4084 PSA_ASSERT(psa_cipher_finish(&operation,
4085 buffer, sizeof(buffer), &length));
4086 TEST_EQUAL(psa_cipher_update(&operation,
4087 text, sizeof(text),
4088 buffer, sizeof(buffer),
4089 &length),
4090 PSA_ERROR_BAD_STATE);
4091 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00004092
4093 /* Call finish without calling setup beforehand. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004094 TEST_EQUAL(psa_cipher_finish(&operation,
4095 buffer, sizeof(buffer), &length),
4096 PSA_ERROR_BAD_STATE);
4097 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00004098
4099 /* Call finish without an IV where an IV is required. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004100 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
Jaeden Ameroab439972019-02-15 14:12:05 +00004101 /* Not calling update means we are encrypting an empty buffer, which is OK
4102 * for cipher modes with padding. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004103 ASSERT_OPERATION_IS_ACTIVE(operation);
4104 TEST_EQUAL(psa_cipher_finish(&operation,
4105 buffer, sizeof(buffer), &length),
4106 PSA_ERROR_BAD_STATE);
4107 ASSERT_OPERATION_IS_INACTIVE(operation);
4108 PSA_ASSERT(psa_cipher_abort(&operation));
4109 ASSERT_OPERATION_IS_INACTIVE(operation);
Jaeden Ameroab439972019-02-15 14:12:05 +00004110
4111 /* Call finish twice in a row. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004112 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4113 PSA_ASSERT(psa_cipher_set_iv(&operation,
4114 iv, sizeof(iv)));
4115 PSA_ASSERT(psa_cipher_finish(&operation,
4116 buffer, sizeof(buffer), &length));
4117 TEST_EQUAL(psa_cipher_finish(&operation,
4118 buffer, sizeof(buffer), &length),
4119 PSA_ERROR_BAD_STATE);
4120 PSA_ASSERT(psa_cipher_abort(&operation));
Jaeden Ameroab439972019-02-15 14:12:05 +00004121
Gilles Peskine449bd832023-01-11 14:50:10 +01004122 PSA_ASSERT(psa_destroy_key(key));
Gilles Peskine76b29a72019-05-28 14:08:50 +02004123
Jaeden Ameroab439972019-02-15 14:12:05 +00004124exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004125 psa_cipher_abort(&operation);
4126 PSA_DONE();
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02004127}
4128/* END_CASE */
4129
4130/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004131void cipher_encrypt_fail(int alg_arg,
4132 int key_type_arg,
4133 data_t *key_data,
4134 data_t *input,
4135 int expected_status_arg)
Gilles Peskine50e586b2018-06-08 14:28:46 +02004136{
Ronald Cron5425a212020-08-04 14:58:35 +02004137 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004138 psa_status_t status;
4139 psa_key_type_t key_type = key_type_arg;
4140 psa_algorithm_t alg = alg_arg;
Gilles Peskineb866e2b2018-06-21 09:25:10 +02004141 psa_status_t expected_status = expected_status_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01004142 unsigned char iv[PSA_CIPHER_IV_MAX_SIZE] = { 0 };
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004143 size_t iv_size = PSA_CIPHER_IV_MAX_SIZE;
4144 size_t iv_length = 0;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004145 unsigned char *output = NULL;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004146 size_t output_buffer_size = 0;
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004147 size_t output_length = 0;
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004148 size_t function_output_length;
4149 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004150 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
4151
Gilles Peskine449bd832023-01-11 14:50:10 +01004152 if (PSA_ERROR_BAD_STATE != expected_status) {
4153 PSA_ASSERT(psa_crypto_init());
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004154
Gilles Peskine449bd832023-01-11 14:50:10 +01004155 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
4156 psa_set_key_algorithm(&attributes, alg);
4157 psa_set_key_type(&attributes, key_type);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004158
Gilles Peskine449bd832023-01-11 14:50:10 +01004159 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg,
4160 input->len);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004161 TEST_CALLOC(output, output_buffer_size);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004162
Gilles Peskine449bd832023-01-11 14:50:10 +01004163 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4164 &key));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004165 }
4166
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004167 /* Encrypt, one-shot */
Gilles Peskine449bd832023-01-11 14:50:10 +01004168 status = psa_cipher_encrypt(key, alg, input->x, input->len, output,
4169 output_buffer_size, &output_length);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004170
Gilles Peskine449bd832023-01-11 14:50:10 +01004171 TEST_EQUAL(status, expected_status);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004172
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004173 /* Encrypt, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01004174 status = psa_cipher_encrypt_setup(&operation, key, alg);
4175 if (status == PSA_SUCCESS) {
4176 if (alg != PSA_ALG_ECB_NO_PADDING) {
4177 PSA_ASSERT(psa_cipher_generate_iv(&operation,
4178 iv, iv_size,
4179 &iv_length));
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004180 }
4181
Gilles Peskine449bd832023-01-11 14:50:10 +01004182 status = psa_cipher_update(&operation, input->x, input->len,
4183 output, output_buffer_size,
4184 &function_output_length);
4185 if (status == PSA_SUCCESS) {
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004186 output_length += function_output_length;
4187
Gilles Peskine449bd832023-01-11 14:50:10 +01004188 status = psa_cipher_finish(&operation, output + output_length,
4189 output_buffer_size - output_length,
4190 &function_output_length);
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004191
Gilles Peskine449bd832023-01-11 14:50:10 +01004192 TEST_EQUAL(status, expected_status);
4193 } else {
4194 TEST_EQUAL(status, expected_status);
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004195 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004196 } else {
4197 TEST_EQUAL(status, expected_status);
Neil Armstrongd8dba4e2022-02-07 15:19:29 +01004198 }
4199
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004200exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004201 psa_cipher_abort(&operation);
4202 mbedtls_free(output);
4203 psa_destroy_key(key);
4204 PSA_DONE();
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004205}
4206/* END_CASE */
4207
4208/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004209void cipher_encrypt_validate_iv_length(int alg, int key_type, data_t *key_data,
4210 data_t *input, int iv_length,
4211 int expected_result)
Mateusz Starzyked71e922021-10-21 10:04:57 +02004212{
4213 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4214 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
4215 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
4216 size_t output_buffer_size = 0;
4217 unsigned char *output = NULL;
4218
Gilles Peskine449bd832023-01-11 14:50:10 +01004219 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004220 TEST_CALLOC(output, output_buffer_size);
Mateusz Starzyked71e922021-10-21 10:04:57 +02004221
Gilles Peskine449bd832023-01-11 14:50:10 +01004222 PSA_ASSERT(psa_crypto_init());
Mateusz Starzyked71e922021-10-21 10:04:57 +02004223
Gilles Peskine449bd832023-01-11 14:50:10 +01004224 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
4225 psa_set_key_algorithm(&attributes, alg);
4226 psa_set_key_type(&attributes, key_type);
Mateusz Starzyked71e922021-10-21 10:04:57 +02004227
Gilles Peskine449bd832023-01-11 14:50:10 +01004228 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4229 &key));
4230 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4231 TEST_EQUAL(expected_result, psa_cipher_set_iv(&operation, output,
4232 iv_length));
Mateusz Starzyked71e922021-10-21 10:04:57 +02004233
4234exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004235 psa_cipher_abort(&operation);
4236 mbedtls_free(output);
4237 psa_destroy_key(key);
4238 PSA_DONE();
Mateusz Starzyked71e922021-10-21 10:04:57 +02004239}
4240/* END_CASE */
4241
4242/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004243void cipher_alg_without_iv(int alg_arg, int key_type_arg, data_t *key_data,
4244 data_t *plaintext, data_t *ciphertext)
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004245{
4246 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4247 psa_key_type_t key_type = key_type_arg;
4248 psa_algorithm_t alg = alg_arg;
Ronald Cron6c9bb0f2021-07-15 09:38:11 +02004249 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
4250 uint8_t iv[1] = { 0x5a };
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004251 unsigned char *output = NULL;
4252 size_t output_buffer_size = 0;
Gilles Peskine286c3142022-04-20 17:09:38 +02004253 size_t output_length, length;
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004254 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
4255
Gilles Peskine449bd832023-01-11 14:50:10 +01004256 PSA_ASSERT(psa_crypto_init());
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004257
Gilles Peskine9b9b6142022-04-20 16:55:03 +02004258 /* Validate size macros */
Gilles Peskine449bd832023-01-11 14:50:10 +01004259 TEST_LE_U(ciphertext->len,
4260 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext->len));
4261 TEST_LE_U(PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext->len),
4262 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(plaintext->len));
4263 TEST_LE_U(plaintext->len,
4264 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext->len));
4265 TEST_LE_U(PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext->len),
4266 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(ciphertext->len));
Gilles Peskine9e38f2c2022-04-20 17:07:52 +02004267
Gilles Peskine9b9b6142022-04-20 16:55:03 +02004268
4269 /* Set up key and output buffer */
Gilles Peskine449bd832023-01-11 14:50:10 +01004270 psa_set_key_usage_flags(&attributes,
4271 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
4272 psa_set_key_algorithm(&attributes, alg);
4273 psa_set_key_type(&attributes, key_type);
4274 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4275 &key));
4276 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg,
4277 plaintext->len);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004278 TEST_CALLOC(output, output_buffer_size);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004279
Gilles Peskine9b9b6142022-04-20 16:55:03 +02004280 /* set_iv() is not allowed */
Gilles Peskine449bd832023-01-11 14:50:10 +01004281 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4282 TEST_EQUAL(psa_cipher_set_iv(&operation, iv, sizeof(iv)),
4283 PSA_ERROR_BAD_STATE);
4284 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
4285 TEST_EQUAL(psa_cipher_set_iv(&operation, iv, sizeof(iv)),
4286 PSA_ERROR_BAD_STATE);
Ronald Cron6c9bb0f2021-07-15 09:38:11 +02004287
Gilles Peskine9b9b6142022-04-20 16:55:03 +02004288 /* generate_iv() is not allowed */
Gilles Peskine449bd832023-01-11 14:50:10 +01004289 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4290 TEST_EQUAL(psa_cipher_generate_iv(&operation, iv, sizeof(iv),
4291 &length),
4292 PSA_ERROR_BAD_STATE);
4293 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
4294 TEST_EQUAL(psa_cipher_generate_iv(&operation, iv, sizeof(iv),
4295 &length),
4296 PSA_ERROR_BAD_STATE);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004297
Gilles Peskine286c3142022-04-20 17:09:38 +02004298 /* Multipart encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +01004299 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
Gilles Peskine286c3142022-04-20 17:09:38 +02004300 output_length = 0;
4301 length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01004302 PSA_ASSERT(psa_cipher_update(&operation,
4303 plaintext->x, plaintext->len,
4304 output, output_buffer_size,
4305 &length));
4306 TEST_LE_U(length, output_buffer_size);
Gilles Peskine286c3142022-04-20 17:09:38 +02004307 output_length += length;
Gilles Peskine449bd832023-01-11 14:50:10 +01004308 PSA_ASSERT(psa_cipher_finish(&operation,
4309 mbedtls_buffer_offset(output, output_length),
4310 output_buffer_size - output_length,
4311 &length));
Gilles Peskine286c3142022-04-20 17:09:38 +02004312 output_length += length;
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004313 TEST_MEMORY_COMPARE(ciphertext->x, ciphertext->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004314 output, output_length);
Neil Armstrong3ee335d2022-02-07 14:51:37 +01004315
Gilles Peskine286c3142022-04-20 17:09:38 +02004316 /* Multipart encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +01004317 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
Gilles Peskine286c3142022-04-20 17:09:38 +02004318 output_length = 0;
4319 length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01004320 PSA_ASSERT(psa_cipher_update(&operation,
4321 ciphertext->x, ciphertext->len,
4322 output, output_buffer_size,
4323 &length));
4324 TEST_LE_U(length, output_buffer_size);
Gilles Peskine286c3142022-04-20 17:09:38 +02004325 output_length += length;
Gilles Peskine449bd832023-01-11 14:50:10 +01004326 PSA_ASSERT(psa_cipher_finish(&operation,
4327 mbedtls_buffer_offset(output, output_length),
4328 output_buffer_size - output_length,
4329 &length));
Gilles Peskine286c3142022-04-20 17:09:38 +02004330 output_length += length;
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004331 TEST_MEMORY_COMPARE(plaintext->x, plaintext->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004332 output, output_length);
Neil Armstrong3ee335d2022-02-07 14:51:37 +01004333
Gilles Peskine9b9b6142022-04-20 16:55:03 +02004334 /* One-shot encryption */
Gilles Peskine9e38f2c2022-04-20 17:07:52 +02004335 output_length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01004336 PSA_ASSERT(psa_cipher_encrypt(key, alg, plaintext->x, plaintext->len,
4337 output, output_buffer_size,
4338 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004339 TEST_MEMORY_COMPARE(ciphertext->x, ciphertext->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004340 output, output_length);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004341
Gilles Peskine9e38f2c2022-04-20 17:07:52 +02004342 /* One-shot decryption */
4343 output_length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01004344 PSA_ASSERT(psa_cipher_decrypt(key, alg, ciphertext->x, ciphertext->len,
4345 output, output_buffer_size,
4346 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004347 TEST_MEMORY_COMPARE(plaintext->x, plaintext->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004348 output, output_length);
Neil Armstrong3ee335d2022-02-07 14:51:37 +01004349
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004350exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004351 PSA_ASSERT(psa_cipher_abort(&operation));
4352 mbedtls_free(output);
4353 psa_cipher_abort(&operation);
4354 psa_destroy_key(key);
4355 PSA_DONE();
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004356}
4357/* END_CASE */
4358
4359/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004360void cipher_bad_key(int alg_arg, int key_type_arg, data_t *key_data)
Paul Elliotta417f562021-07-14 12:31:21 +01004361{
4362 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4363 psa_algorithm_t alg = alg_arg;
4364 psa_key_type_t key_type = key_type_arg;
4365 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
4366 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
4367 psa_status_t status;
4368
Gilles Peskine449bd832023-01-11 14:50:10 +01004369 PSA_ASSERT(psa_crypto_init());
Paul Elliotta417f562021-07-14 12:31:21 +01004370
Gilles Peskine449bd832023-01-11 14:50:10 +01004371 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
4372 psa_set_key_algorithm(&attributes, alg);
4373 psa_set_key_type(&attributes, key_type);
Paul Elliotta417f562021-07-14 12:31:21 +01004374
4375 /* Usage of either of these two size macros would cause divide by zero
4376 * with incorrect key types previously. Input length should be irrelevant
4377 * here. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004378 TEST_EQUAL(PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, 16),
4379 0);
4380 TEST_EQUAL(PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, 16), 0);
Paul Elliotta417f562021-07-14 12:31:21 +01004381
4382
Gilles Peskine449bd832023-01-11 14:50:10 +01004383 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4384 &key));
Paul Elliotta417f562021-07-14 12:31:21 +01004385
4386 /* Should fail due to invalid alg type (to support invalid key type).
4387 * Encrypt or decrypt will end up in the same place. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004388 status = psa_cipher_encrypt_setup(&operation, key, alg);
Paul Elliotta417f562021-07-14 12:31:21 +01004389
Gilles Peskine449bd832023-01-11 14:50:10 +01004390 TEST_EQUAL(status, PSA_ERROR_INVALID_ARGUMENT);
Paul Elliotta417f562021-07-14 12:31:21 +01004391
4392exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004393 psa_cipher_abort(&operation);
4394 psa_destroy_key(key);
4395 PSA_DONE();
Paul Elliotta417f562021-07-14 12:31:21 +01004396}
4397/* END_CASE */
4398
4399/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004400void cipher_encrypt_validation(int alg_arg,
4401 int key_type_arg,
4402 data_t *key_data,
4403 data_t *input)
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004404{
4405 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4406 psa_key_type_t key_type = key_type_arg;
4407 psa_algorithm_t alg = alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01004408 size_t iv_size = PSA_CIPHER_IV_LENGTH(key_type, alg);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004409 unsigned char *output1 = NULL;
4410 size_t output1_buffer_size = 0;
4411 size_t output1_length = 0;
4412 unsigned char *output2 = NULL;
4413 size_t output2_buffer_size = 0;
4414 size_t output2_length = 0;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004415 size_t function_output_length = 0;
Jaeden Amero5bae2272019-01-04 11:48:27 +00004416 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004417 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004418
Gilles Peskine449bd832023-01-11 14:50:10 +01004419 PSA_ASSERT(psa_crypto_init());
Gilles Peskine50e586b2018-06-08 14:28:46 +02004420
Gilles Peskine449bd832023-01-11 14:50:10 +01004421 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
4422 psa_set_key_algorithm(&attributes, alg);
4423 psa_set_key_type(&attributes, key_type);
Moran Pekered346952018-07-05 15:22:45 +03004424
Gilles Peskine449bd832023-01-11 14:50:10 +01004425 output1_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len);
4426 output2_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len) +
4427 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004428 TEST_CALLOC(output1, output1_buffer_size);
4429 TEST_CALLOC(output2, output2_buffer_size);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004430
Gilles Peskine449bd832023-01-11 14:50:10 +01004431 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4432 &key));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004433
gabor-mezei-arm50c86cf2021-06-25 15:47:50 +02004434 /* The one-shot cipher encryption uses generated iv so validating
4435 the output is not possible. Validating with multipart encryption. */
Gilles Peskine449bd832023-01-11 14:50:10 +01004436 PSA_ASSERT(psa_cipher_encrypt(key, alg, input->x, input->len, output1,
4437 output1_buffer_size, &output1_length));
4438 TEST_LE_U(output1_length,
4439 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len));
4440 TEST_LE_U(output1_length,
4441 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input->len));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004442
Gilles Peskine449bd832023-01-11 14:50:10 +01004443 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
4444 PSA_ASSERT(psa_cipher_set_iv(&operation, output1, iv_size));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004445
Gilles Peskine449bd832023-01-11 14:50:10 +01004446 PSA_ASSERT(psa_cipher_update(&operation,
4447 input->x, input->len,
4448 output2, output2_buffer_size,
4449 &function_output_length));
4450 TEST_LE_U(function_output_length,
4451 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len));
4452 TEST_LE_U(function_output_length,
4453 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004454 output2_length += function_output_length;
gabor-mezei-armceface22021-01-21 12:26:17 +01004455
Gilles Peskine449bd832023-01-11 14:50:10 +01004456 PSA_ASSERT(psa_cipher_finish(&operation,
4457 output2 + output2_length,
4458 output2_buffer_size - output2_length,
4459 &function_output_length));
4460 TEST_LE_U(function_output_length,
4461 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg));
4462 TEST_LE_U(function_output_length,
4463 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004464 output2_length += function_output_length;
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004465
Gilles Peskine449bd832023-01-11 14:50:10 +01004466 PSA_ASSERT(psa_cipher_abort(&operation));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004467 TEST_MEMORY_COMPARE(output1 + iv_size, output1_length - iv_size,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004468 output2, output2_length);
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004469
Gilles Peskine50e586b2018-06-08 14:28:46 +02004470exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004471 psa_cipher_abort(&operation);
4472 mbedtls_free(output1);
4473 mbedtls_free(output2);
4474 psa_destroy_key(key);
4475 PSA_DONE();
Gilles Peskine50e586b2018-06-08 14:28:46 +02004476}
4477/* END_CASE */
4478
4479/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004480void cipher_encrypt_multipart(int alg_arg, int key_type_arg,
4481 data_t *key_data, data_t *iv,
4482 data_t *input,
4483 int first_part_size_arg,
4484 int output1_length_arg, int output2_length_arg,
4485 data_t *expected_output,
4486 int expected_status_arg)
Gilles Peskine50e586b2018-06-08 14:28:46 +02004487{
Ronald Cron5425a212020-08-04 14:58:35 +02004488 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004489 psa_key_type_t key_type = key_type_arg;
4490 psa_algorithm_t alg = alg_arg;
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004491 psa_status_t status;
4492 psa_status_t expected_status = expected_status_arg;
Gilles Peskinee0866522019-02-19 19:44:00 +01004493 size_t first_part_size = first_part_size_arg;
4494 size_t output1_length = output1_length_arg;
4495 size_t output2_length = output2_length_arg;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004496 unsigned char *output = NULL;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004497 size_t output_buffer_size = 0;
4498 size_t function_output_length = 0;
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004499 size_t total_output_length = 0;
Jaeden Amero5bae2272019-01-04 11:48:27 +00004500 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004501 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004502
Gilles Peskine449bd832023-01-11 14:50:10 +01004503 PSA_ASSERT(psa_crypto_init());
Gilles Peskine50e586b2018-06-08 14:28:46 +02004504
Gilles Peskine449bd832023-01-11 14:50:10 +01004505 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
4506 psa_set_key_algorithm(&attributes, alg);
4507 psa_set_key_type(&attributes, key_type);
Moran Pekered346952018-07-05 15:22:45 +03004508
Gilles Peskine449bd832023-01-11 14:50:10 +01004509 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4510 &key));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004511
Gilles Peskine449bd832023-01-11 14:50:10 +01004512 PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004513
Gilles Peskine449bd832023-01-11 14:50:10 +01004514 if (iv->len > 0) {
4515 PSA_ASSERT(psa_cipher_set_iv(&operation, iv->x, iv->len));
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004516 }
4517
Gilles Peskine449bd832023-01-11 14:50:10 +01004518 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len) +
4519 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004520 TEST_CALLOC(output, output_buffer_size);
Gilles Peskine50e586b2018-06-08 14:28:46 +02004521
Gilles Peskine449bd832023-01-11 14:50:10 +01004522 TEST_LE_U(first_part_size, input->len);
4523 PSA_ASSERT(psa_cipher_update(&operation, input->x, first_part_size,
4524 output, output_buffer_size,
4525 &function_output_length));
4526 TEST_ASSERT(function_output_length == output1_length);
4527 TEST_LE_U(function_output_length,
4528 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size));
4529 TEST_LE_U(function_output_length,
4530 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size));
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004531 total_output_length += function_output_length;
gabor-mezei-armceface22021-01-21 12:26:17 +01004532
Gilles Peskine449bd832023-01-11 14:50:10 +01004533 if (first_part_size < input->len) {
4534 PSA_ASSERT(psa_cipher_update(&operation,
4535 input->x + first_part_size,
4536 input->len - first_part_size,
4537 (output_buffer_size == 0 ? NULL :
4538 output + total_output_length),
4539 output_buffer_size - total_output_length,
4540 &function_output_length));
4541 TEST_ASSERT(function_output_length == output2_length);
4542 TEST_LE_U(function_output_length,
4543 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type,
4544 alg,
4545 input->len - first_part_size));
4546 TEST_LE_U(function_output_length,
4547 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len));
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004548 total_output_length += function_output_length;
4549 }
gabor-mezei-armceface22021-01-21 12:26:17 +01004550
Gilles Peskine449bd832023-01-11 14:50:10 +01004551 status = psa_cipher_finish(&operation,
4552 (output_buffer_size == 0 ? NULL :
4553 output + total_output_length),
4554 output_buffer_size - total_output_length,
4555 &function_output_length);
4556 TEST_LE_U(function_output_length,
4557 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg));
4558 TEST_LE_U(function_output_length,
4559 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE);
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004560 total_output_length += function_output_length;
Gilles Peskine449bd832023-01-11 14:50:10 +01004561 TEST_EQUAL(status, expected_status);
Gilles Peskine50e586b2018-06-08 14:28:46 +02004562
Gilles Peskine449bd832023-01-11 14:50:10 +01004563 if (expected_status == PSA_SUCCESS) {
4564 PSA_ASSERT(psa_cipher_abort(&operation));
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004565
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004566 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004567 output, total_output_length);
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004568 }
Gilles Peskine50e586b2018-06-08 14:28:46 +02004569
4570exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004571 psa_cipher_abort(&operation);
4572 mbedtls_free(output);
4573 psa_destroy_key(key);
4574 PSA_DONE();
Gilles Peskine50e586b2018-06-08 14:28:46 +02004575}
4576/* END_CASE */
4577
4578/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004579void cipher_decrypt_multipart(int alg_arg, int key_type_arg,
4580 data_t *key_data, data_t *iv,
4581 data_t *input,
4582 int first_part_size_arg,
4583 int output1_length_arg, int output2_length_arg,
4584 data_t *expected_output,
4585 int expected_status_arg)
Gilles Peskine50e586b2018-06-08 14:28:46 +02004586{
Ronald Cron5425a212020-08-04 14:58:35 +02004587 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004588 psa_key_type_t key_type = key_type_arg;
4589 psa_algorithm_t alg = alg_arg;
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004590 psa_status_t status;
4591 psa_status_t expected_status = expected_status_arg;
Gilles Peskinee0866522019-02-19 19:44:00 +01004592 size_t first_part_size = first_part_size_arg;
4593 size_t output1_length = output1_length_arg;
4594 size_t output2_length = output2_length_arg;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004595 unsigned char *output = NULL;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004596 size_t output_buffer_size = 0;
4597 size_t function_output_length = 0;
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004598 size_t total_output_length = 0;
Jaeden Amero5bae2272019-01-04 11:48:27 +00004599 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004600 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine50e586b2018-06-08 14:28:46 +02004601
Gilles Peskine449bd832023-01-11 14:50:10 +01004602 PSA_ASSERT(psa_crypto_init());
Gilles Peskine50e586b2018-06-08 14:28:46 +02004603
Gilles Peskine449bd832023-01-11 14:50:10 +01004604 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
4605 psa_set_key_algorithm(&attributes, alg);
4606 psa_set_key_type(&attributes, key_type);
Moran Pekered346952018-07-05 15:22:45 +03004607
Gilles Peskine449bd832023-01-11 14:50:10 +01004608 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4609 &key));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004610
Gilles Peskine449bd832023-01-11 14:50:10 +01004611 PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
Gilles Peskine50e586b2018-06-08 14:28:46 +02004612
Gilles Peskine449bd832023-01-11 14:50:10 +01004613 if (iv->len > 0) {
4614 PSA_ASSERT(psa_cipher_set_iv(&operation, iv->x, iv->len));
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004615 }
Gilles Peskine50e586b2018-06-08 14:28:46 +02004616
Gilles Peskine449bd832023-01-11 14:50:10 +01004617 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input->len) +
4618 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004619 TEST_CALLOC(output, output_buffer_size);
Gilles Peskine50e586b2018-06-08 14:28:46 +02004620
Gilles Peskine449bd832023-01-11 14:50:10 +01004621 TEST_LE_U(first_part_size, input->len);
4622 PSA_ASSERT(psa_cipher_update(&operation,
4623 input->x, first_part_size,
4624 output, output_buffer_size,
4625 &function_output_length));
4626 TEST_ASSERT(function_output_length == output1_length);
4627 TEST_LE_U(function_output_length,
4628 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size));
4629 TEST_LE_U(function_output_length,
4630 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size));
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004631 total_output_length += function_output_length;
gabor-mezei-armceface22021-01-21 12:26:17 +01004632
Gilles Peskine449bd832023-01-11 14:50:10 +01004633 if (first_part_size < input->len) {
4634 PSA_ASSERT(psa_cipher_update(&operation,
4635 input->x + first_part_size,
4636 input->len - first_part_size,
4637 (output_buffer_size == 0 ? NULL :
4638 output + total_output_length),
4639 output_buffer_size - total_output_length,
4640 &function_output_length));
4641 TEST_ASSERT(function_output_length == output2_length);
4642 TEST_LE_U(function_output_length,
4643 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type,
4644 alg,
4645 input->len - first_part_size));
4646 TEST_LE_U(function_output_length,
4647 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len));
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004648 total_output_length += function_output_length;
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004649 }
Gilles Peskine50e586b2018-06-08 14:28:46 +02004650
Gilles Peskine449bd832023-01-11 14:50:10 +01004651 status = psa_cipher_finish(&operation,
4652 (output_buffer_size == 0 ? NULL :
4653 output + total_output_length),
4654 output_buffer_size - total_output_length,
4655 &function_output_length);
4656 TEST_LE_U(function_output_length,
4657 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg));
4658 TEST_LE_U(function_output_length,
4659 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE);
Gilles Peskinea7ec95f2018-06-08 14:40:59 +02004660 total_output_length += function_output_length;
Gilles Peskine449bd832023-01-11 14:50:10 +01004661 TEST_EQUAL(status, expected_status);
Gilles Peskine50e586b2018-06-08 14:28:46 +02004662
Gilles Peskine449bd832023-01-11 14:50:10 +01004663 if (expected_status == PSA_SUCCESS) {
4664 PSA_ASSERT(psa_cipher_abort(&operation));
gabor-mezei-arm95aad832021-06-25 18:21:33 +02004665
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004666 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004667 output, total_output_length);
Gilles Peskine50e586b2018-06-08 14:28:46 +02004668 }
4669
Gilles Peskine50e586b2018-06-08 14:28:46 +02004670exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004671 psa_cipher_abort(&operation);
4672 mbedtls_free(output);
4673 psa_destroy_key(key);
4674 PSA_DONE();
Gilles Peskine50e586b2018-06-08 14:28:46 +02004675}
4676/* END_CASE */
4677
Gilles Peskine50e586b2018-06-08 14:28:46 +02004678/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004679void cipher_decrypt_fail(int alg_arg,
4680 int key_type_arg,
4681 data_t *key_data,
4682 data_t *iv,
4683 data_t *input_arg,
4684 int expected_status_arg)
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004685{
4686 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4687 psa_status_t status;
4688 psa_key_type_t key_type = key_type_arg;
4689 psa_algorithm_t alg = alg_arg;
4690 psa_status_t expected_status = expected_status_arg;
4691 unsigned char *input = NULL;
4692 size_t input_buffer_size = 0;
4693 unsigned char *output = NULL;
Neil Armstrong66a479f2022-02-07 15:41:19 +01004694 unsigned char *output_multi = NULL;
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004695 size_t output_buffer_size = 0;
4696 size_t output_length = 0;
Neil Armstrong66a479f2022-02-07 15:41:19 +01004697 size_t function_output_length;
4698 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004699 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
4700
Gilles Peskine449bd832023-01-11 14:50:10 +01004701 if (PSA_ERROR_BAD_STATE != expected_status) {
4702 PSA_ASSERT(psa_crypto_init());
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004703
Gilles Peskine449bd832023-01-11 14:50:10 +01004704 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
4705 psa_set_key_algorithm(&attributes, alg);
4706 psa_set_key_type(&attributes, key_type);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004707
Gilles Peskine449bd832023-01-11 14:50:10 +01004708 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4709 &key));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004710 }
4711
4712 /* Allocate input buffer and copy the iv and the plaintext */
Gilles Peskine449bd832023-01-11 14:50:10 +01004713 input_buffer_size = ((size_t) input_arg->len + (size_t) iv->len);
4714 if (input_buffer_size > 0) {
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004715 TEST_CALLOC(input, input_buffer_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01004716 memcpy(input, iv->x, iv->len);
4717 memcpy(input + iv->len, input_arg->x, input_arg->len);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004718 }
4719
Gilles Peskine449bd832023-01-11 14:50:10 +01004720 output_buffer_size = PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_buffer_size);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004721 TEST_CALLOC(output, output_buffer_size);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004722
Neil Armstrong66a479f2022-02-07 15:41:19 +01004723 /* Decrypt, one-short */
Gilles Peskine449bd832023-01-11 14:50:10 +01004724 status = psa_cipher_decrypt(key, alg, input, input_buffer_size, output,
4725 output_buffer_size, &output_length);
4726 TEST_EQUAL(status, expected_status);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004727
Neil Armstrong66a479f2022-02-07 15:41:19 +01004728 /* Decrypt, multi-part */
Gilles Peskine449bd832023-01-11 14:50:10 +01004729 status = psa_cipher_decrypt_setup(&operation, key, alg);
4730 if (status == PSA_SUCCESS) {
4731 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg,
4732 input_arg->len) +
4733 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004734 TEST_CALLOC(output_multi, output_buffer_size);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004735
Gilles Peskine449bd832023-01-11 14:50:10 +01004736 if (iv->len > 0) {
4737 status = psa_cipher_set_iv(&operation, iv->x, iv->len);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004738
Gilles Peskine449bd832023-01-11 14:50:10 +01004739 if (status != PSA_SUCCESS) {
4740 TEST_EQUAL(status, expected_status);
4741 }
Neil Armstrong66a479f2022-02-07 15:41:19 +01004742 }
4743
Gilles Peskine449bd832023-01-11 14:50:10 +01004744 if (status == PSA_SUCCESS) {
4745 status = psa_cipher_update(&operation,
4746 input_arg->x, input_arg->len,
4747 output_multi, output_buffer_size,
4748 &function_output_length);
4749 if (status == PSA_SUCCESS) {
Neil Armstrong66a479f2022-02-07 15:41:19 +01004750 output_length = function_output_length;
4751
Gilles Peskine449bd832023-01-11 14:50:10 +01004752 status = psa_cipher_finish(&operation,
4753 output_multi + output_length,
4754 output_buffer_size - output_length,
4755 &function_output_length);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004756
Gilles Peskine449bd832023-01-11 14:50:10 +01004757 TEST_EQUAL(status, expected_status);
4758 } else {
4759 TEST_EQUAL(status, expected_status);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004760 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004761 } else {
4762 TEST_EQUAL(status, expected_status);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004763 }
Gilles Peskine449bd832023-01-11 14:50:10 +01004764 } else {
4765 TEST_EQUAL(status, expected_status);
Neil Armstrong66a479f2022-02-07 15:41:19 +01004766 }
4767
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004768exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004769 psa_cipher_abort(&operation);
4770 mbedtls_free(input);
4771 mbedtls_free(output);
4772 mbedtls_free(output_multi);
4773 psa_destroy_key(key);
4774 PSA_DONE();
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004775}
4776/* END_CASE */
4777
4778/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004779void cipher_decrypt(int alg_arg,
4780 int key_type_arg,
4781 data_t *key_data,
4782 data_t *iv,
4783 data_t *input_arg,
4784 data_t *expected_output)
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004785{
4786 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
4787 psa_key_type_t key_type = key_type_arg;
4788 psa_algorithm_t alg = alg_arg;
4789 unsigned char *input = NULL;
4790 size_t input_buffer_size = 0;
4791 unsigned char *output = NULL;
4792 size_t output_buffer_size = 0;
4793 size_t output_length = 0;
4794 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
4795
Gilles Peskine449bd832023-01-11 14:50:10 +01004796 PSA_ASSERT(psa_crypto_init());
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004797
Gilles Peskine449bd832023-01-11 14:50:10 +01004798 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
4799 psa_set_key_algorithm(&attributes, alg);
4800 psa_set_key_type(&attributes, key_type);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004801
4802 /* Allocate input buffer and copy the iv and the plaintext */
Gilles Peskine449bd832023-01-11 14:50:10 +01004803 input_buffer_size = ((size_t) input_arg->len + (size_t) iv->len);
4804 if (input_buffer_size > 0) {
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004805 TEST_CALLOC(input, input_buffer_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01004806 memcpy(input, iv->x, iv->len);
4807 memcpy(input + iv->len, input_arg->x, input_arg->len);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004808 }
4809
Gilles Peskine449bd832023-01-11 14:50:10 +01004810 output_buffer_size = PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_buffer_size);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004811 TEST_CALLOC(output, output_buffer_size);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004812
Gilles Peskine449bd832023-01-11 14:50:10 +01004813 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4814 &key));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004815
Gilles Peskine449bd832023-01-11 14:50:10 +01004816 PSA_ASSERT(psa_cipher_decrypt(key, alg, input, input_buffer_size, output,
4817 output_buffer_size, &output_length));
4818 TEST_LE_U(output_length,
4819 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_buffer_size));
4820 TEST_LE_U(output_length,
4821 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(input_buffer_size));
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004822
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004823 TEST_MEMORY_COMPARE(expected_output->x, expected_output->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01004824 output, output_length);
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004825exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004826 mbedtls_free(input);
4827 mbedtls_free(output);
4828 psa_destroy_key(key);
4829 PSA_DONE();
gabor-mezei-armf494bcd2021-03-01 15:11:46 +01004830}
4831/* END_CASE */
4832
4833/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004834void cipher_verify_output(int alg_arg,
4835 int key_type_arg,
4836 data_t *key_data,
4837 data_t *input)
mohammad1603d7d7ba52018-03-12 18:51:53 +02004838{
Ronald Cron5425a212020-08-04 14:58:35 +02004839 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
mohammad1603d7d7ba52018-03-12 18:51:53 +02004840 psa_key_type_t key_type = key_type_arg;
4841 psa_algorithm_t alg = alg_arg;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004842 unsigned char *output1 = NULL;
mohammad1603d7d7ba52018-03-12 18:51:53 +02004843 size_t output1_size = 0;
4844 size_t output1_length = 0;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004845 unsigned char *output2 = NULL;
mohammad1603d7d7ba52018-03-12 18:51:53 +02004846 size_t output2_size = 0;
4847 size_t output2_length = 0;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004848 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
mohammad1603d7d7ba52018-03-12 18:51:53 +02004849
Gilles Peskine449bd832023-01-11 14:50:10 +01004850 PSA_ASSERT(psa_crypto_init());
mohammad1603d7d7ba52018-03-12 18:51:53 +02004851
Gilles Peskine449bd832023-01-11 14:50:10 +01004852 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
4853 psa_set_key_algorithm(&attributes, alg);
4854 psa_set_key_type(&attributes, key_type);
Moran Pekered346952018-07-05 15:22:45 +03004855
Gilles Peskine449bd832023-01-11 14:50:10 +01004856 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4857 &key));
4858 output1_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004859 TEST_CALLOC(output1, output1_size);
Moran Pekerded84402018-06-06 16:36:50 +03004860
Gilles Peskine449bd832023-01-11 14:50:10 +01004861 PSA_ASSERT(psa_cipher_encrypt(key, alg, input->x, input->len,
4862 output1, output1_size,
4863 &output1_length));
4864 TEST_LE_U(output1_length,
4865 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len));
4866 TEST_LE_U(output1_length,
4867 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input->len));
Moran Pekerded84402018-06-06 16:36:50 +03004868
4869 output2_size = output1_length;
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004870 TEST_CALLOC(output2, output2_size);
Moran Pekerded84402018-06-06 16:36:50 +03004871
Gilles Peskine449bd832023-01-11 14:50:10 +01004872 PSA_ASSERT(psa_cipher_decrypt(key, alg, output1, output1_length,
4873 output2, output2_size,
4874 &output2_length));
4875 TEST_LE_U(output2_length,
4876 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, output1_length));
4877 TEST_LE_U(output2_length,
4878 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(output1_length));
Moran Pekerded84402018-06-06 16:36:50 +03004879
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01004880 TEST_MEMORY_COMPARE(input->x, input->len, output2, output2_length);
Moran Pekerded84402018-06-06 16:36:50 +03004881
4882exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01004883 mbedtls_free(output1);
4884 mbedtls_free(output2);
4885 psa_destroy_key(key);
4886 PSA_DONE();
Moran Pekerded84402018-06-06 16:36:50 +03004887}
4888/* END_CASE */
4889
4890/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01004891void cipher_verify_output_multipart(int alg_arg,
4892 int key_type_arg,
4893 data_t *key_data,
4894 data_t *input,
4895 int first_part_size_arg)
Moran Pekerded84402018-06-06 16:36:50 +03004896{
Ronald Cron5425a212020-08-04 14:58:35 +02004897 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Moran Pekerded84402018-06-06 16:36:50 +03004898 psa_key_type_t key_type = key_type_arg;
4899 psa_algorithm_t alg = alg_arg;
Gilles Peskinee0866522019-02-19 19:44:00 +01004900 size_t first_part_size = first_part_size_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01004901 unsigned char iv[16] = { 0 };
Moran Pekerded84402018-06-06 16:36:50 +03004902 size_t iv_size = 16;
4903 size_t iv_length = 0;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004904 unsigned char *output1 = NULL;
Gilles Peskine048b7f02018-06-08 14:20:49 +02004905 size_t output1_buffer_size = 0;
Moran Pekerded84402018-06-06 16:36:50 +03004906 size_t output1_length = 0;
itayzafrir3e02b3b2018-06-12 17:06:52 +03004907 unsigned char *output2 = NULL;
Gilles Peskine048b7f02018-06-08 14:20:49 +02004908 size_t output2_buffer_size = 0;
Moran Pekerded84402018-06-06 16:36:50 +03004909 size_t output2_length = 0;
Gilles Peskine048b7f02018-06-08 14:20:49 +02004910 size_t function_output_length;
Jaeden Amero5bae2272019-01-04 11:48:27 +00004911 psa_cipher_operation_t operation1 = PSA_CIPHER_OPERATION_INIT;
4912 psa_cipher_operation_t operation2 = PSA_CIPHER_OPERATION_INIT;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02004913 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Moran Pekerded84402018-06-06 16:36:50 +03004914
Gilles Peskine449bd832023-01-11 14:50:10 +01004915 PSA_ASSERT(psa_crypto_init());
Moran Pekerded84402018-06-06 16:36:50 +03004916
Gilles Peskine449bd832023-01-11 14:50:10 +01004917 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
4918 psa_set_key_algorithm(&attributes, alg);
4919 psa_set_key_type(&attributes, key_type);
Moran Pekered346952018-07-05 15:22:45 +03004920
Gilles Peskine449bd832023-01-11 14:50:10 +01004921 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
4922 &key));
Moran Pekerded84402018-06-06 16:36:50 +03004923
Gilles Peskine449bd832023-01-11 14:50:10 +01004924 PSA_ASSERT(psa_cipher_encrypt_setup(&operation1, key, alg));
4925 PSA_ASSERT(psa_cipher_decrypt_setup(&operation2, key, alg));
Moran Pekerded84402018-06-06 16:36:50 +03004926
Gilles Peskine449bd832023-01-11 14:50:10 +01004927 if (alg != PSA_ALG_ECB_NO_PADDING) {
4928 PSA_ASSERT(psa_cipher_generate_iv(&operation1,
4929 iv, iv_size,
4930 &iv_length));
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004931 }
4932
Gilles Peskine449bd832023-01-11 14:50:10 +01004933 output1_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input->len);
4934 TEST_LE_U(output1_buffer_size,
4935 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input->len));
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004936 TEST_CALLOC(output1, output1_buffer_size);
Moran Pekerded84402018-06-06 16:36:50 +03004937
Gilles Peskine449bd832023-01-11 14:50:10 +01004938 TEST_LE_U(first_part_size, input->len);
Gilles Peskine4ca9c3f2018-06-06 18:44:09 +02004939
Gilles Peskine449bd832023-01-11 14:50:10 +01004940 PSA_ASSERT(psa_cipher_update(&operation1, input->x, first_part_size,
4941 output1, output1_buffer_size,
4942 &function_output_length));
4943 TEST_LE_U(function_output_length,
4944 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size));
4945 TEST_LE_U(function_output_length,
4946 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size));
Gilles Peskine048b7f02018-06-08 14:20:49 +02004947 output1_length += function_output_length;
Moran Pekerded84402018-06-06 16:36:50 +03004948
Gilles Peskine449bd832023-01-11 14:50:10 +01004949 PSA_ASSERT(psa_cipher_update(&operation1,
4950 input->x + first_part_size,
4951 input->len - first_part_size,
David Horstmannb8dc2452024-02-06 17:03:13 +00004952 output1 + output1_length,
4953 output1_buffer_size - output1_length,
Gilles Peskine449bd832023-01-11 14:50:10 +01004954 &function_output_length));
4955 TEST_LE_U(function_output_length,
4956 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type,
4957 alg,
4958 input->len - first_part_size));
4959 TEST_LE_U(function_output_length,
4960 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input->len - first_part_size));
Gilles Peskine048b7f02018-06-08 14:20:49 +02004961 output1_length += function_output_length;
Moran Pekerded84402018-06-06 16:36:50 +03004962
Gilles Peskine449bd832023-01-11 14:50:10 +01004963 PSA_ASSERT(psa_cipher_finish(&operation1,
4964 output1 + output1_length,
4965 output1_buffer_size - output1_length,
4966 &function_output_length));
4967 TEST_LE_U(function_output_length,
4968 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg));
4969 TEST_LE_U(function_output_length,
4970 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE);
Gilles Peskine048b7f02018-06-08 14:20:49 +02004971 output1_length += function_output_length;
mohammad1603d7d7ba52018-03-12 18:51:53 +02004972
Gilles Peskine449bd832023-01-11 14:50:10 +01004973 PSA_ASSERT(psa_cipher_abort(&operation1));
mohammad1603d7d7ba52018-03-12 18:51:53 +02004974
Gilles Peskine048b7f02018-06-08 14:20:49 +02004975 output2_buffer_size = output1_length;
Gilles Peskine449bd832023-01-11 14:50:10 +01004976 TEST_LE_U(output2_buffer_size,
4977 PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, output1_length));
4978 TEST_LE_U(output2_buffer_size,
4979 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(output1_length));
Tom Cosgrove05b2a872023-07-21 11:31:13 +01004980 TEST_CALLOC(output2, output2_buffer_size);
mohammad1603d7d7ba52018-03-12 18:51:53 +02004981
Gilles Peskine449bd832023-01-11 14:50:10 +01004982 if (iv_length > 0) {
4983 PSA_ASSERT(psa_cipher_set_iv(&operation2,
4984 iv, iv_length));
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004985 }
Moran Pekerded84402018-06-06 16:36:50 +03004986
Gilles Peskine449bd832023-01-11 14:50:10 +01004987 PSA_ASSERT(psa_cipher_update(&operation2, output1, first_part_size,
4988 output2, output2_buffer_size,
4989 &function_output_length));
4990 TEST_LE_U(function_output_length,
4991 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, first_part_size));
4992 TEST_LE_U(function_output_length,
4993 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(first_part_size));
Gilles Peskine048b7f02018-06-08 14:20:49 +02004994 output2_length += function_output_length;
Moran Pekerded84402018-06-06 16:36:50 +03004995
Gilles Peskine449bd832023-01-11 14:50:10 +01004996 PSA_ASSERT(psa_cipher_update(&operation2,
4997 output1 + first_part_size,
4998 output1_length - first_part_size,
David Horstmannb8dc2452024-02-06 17:03:13 +00004999 output2 + output2_length,
5000 output2_buffer_size - output2_length,
Gilles Peskine449bd832023-01-11 14:50:10 +01005001 &function_output_length));
5002 TEST_LE_U(function_output_length,
5003 PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type,
5004 alg,
5005 output1_length - first_part_size));
5006 TEST_LE_U(function_output_length,
5007 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(output1_length - first_part_size));
Gilles Peskine048b7f02018-06-08 14:20:49 +02005008 output2_length += function_output_length;
Moran Pekerded84402018-06-06 16:36:50 +03005009
Gilles Peskine449bd832023-01-11 14:50:10 +01005010 PSA_ASSERT(psa_cipher_finish(&operation2,
5011 output2 + output2_length,
5012 output2_buffer_size - output2_length,
5013 &function_output_length));
5014 TEST_LE_U(function_output_length,
5015 PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg));
5016 TEST_LE_U(function_output_length,
5017 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE);
Gilles Peskine048b7f02018-06-08 14:20:49 +02005018 output2_length += function_output_length;
Gilles Peskine4ca9c3f2018-06-06 18:44:09 +02005019
Gilles Peskine449bd832023-01-11 14:50:10 +01005020 PSA_ASSERT(psa_cipher_abort(&operation2));
mohammad1603d7d7ba52018-03-12 18:51:53 +02005021
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01005022 TEST_MEMORY_COMPARE(input->x, input->len, output2, output2_length);
mohammad1603d7d7ba52018-03-12 18:51:53 +02005023
5024exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005025 psa_cipher_abort(&operation1);
5026 psa_cipher_abort(&operation2);
5027 mbedtls_free(output1);
5028 mbedtls_free(output2);
5029 psa_destroy_key(key);
5030 PSA_DONE();
mohammad1603d7d7ba52018-03-12 18:51:53 +02005031}
5032/* END_CASE */
Gilles Peskine7268afc2018-06-06 15:19:24 +02005033
Gilles Peskine20035e32018-02-03 22:44:14 +01005034/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005035void aead_encrypt_decrypt(int key_type_arg, data_t *key_data,
5036 int alg_arg,
5037 data_t *nonce,
5038 data_t *additional_data,
5039 data_t *input_data,
5040 int expected_result_arg)
Gilles Peskinea1cac842018-06-11 19:33:02 +02005041{
Ronald Cron5425a212020-08-04 14:58:35 +02005042 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005043 psa_key_type_t key_type = key_type_arg;
5044 psa_algorithm_t alg = alg_arg;
Bence Szépkútiec174e22021-03-19 18:46:15 +01005045 size_t key_bits;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005046 unsigned char *output_data = NULL;
5047 size_t output_size = 0;
5048 size_t output_length = 0;
5049 unsigned char *output_data2 = NULL;
5050 size_t output_length2 = 0;
Steven Cooremanf49478b2021-02-15 15:19:25 +01005051 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
Gilles Peskine4abf7412018-06-18 16:35:34 +02005052 psa_status_t expected_result = expected_result_arg;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02005053 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005054
Gilles Peskine449bd832023-01-11 14:50:10 +01005055 PSA_ASSERT(psa_crypto_init());
Gilles Peskinea1cac842018-06-11 19:33:02 +02005056
Gilles Peskine449bd832023-01-11 14:50:10 +01005057 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
5058 psa_set_key_algorithm(&attributes, alg);
5059 psa_set_key_type(&attributes, key_type);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005060
Gilles Peskine449bd832023-01-11 14:50:10 +01005061 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5062 &key));
5063 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
5064 key_bits = psa_get_key_bits(&attributes);
Bence Szépkútiec174e22021-03-19 18:46:15 +01005065
Gilles Peskine449bd832023-01-11 14:50:10 +01005066 output_size = input_data->len + PSA_AEAD_TAG_LENGTH(key_type, key_bits,
5067 alg);
Bence Szépkútiec174e22021-03-19 18:46:15 +01005068 /* For all currently defined algorithms, PSA_AEAD_ENCRYPT_OUTPUT_SIZE
5069 * should be exact. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005070 if (expected_result != PSA_ERROR_INVALID_ARGUMENT &&
5071 expected_result != PSA_ERROR_NOT_SUPPORTED) {
5072 TEST_EQUAL(output_size,
5073 PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_data->len));
5074 TEST_LE_U(output_size,
5075 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(input_data->len));
Bence Szépkútiec174e22021-03-19 18:46:15 +01005076 }
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005077 TEST_CALLOC(output_data, output_size);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005078
Gilles Peskine449bd832023-01-11 14:50:10 +01005079 status = psa_aead_encrypt(key, alg,
5080 nonce->x, nonce->len,
5081 additional_data->x,
5082 additional_data->len,
5083 input_data->x, input_data->len,
5084 output_data, output_size,
5085 &output_length);
Steven Cooremanf49478b2021-02-15 15:19:25 +01005086
5087 /* If the operation is not supported, just skip and not fail in case the
5088 * encryption involves a common limitation of cryptography hardwares and
5089 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005090 if (status == PSA_ERROR_NOT_SUPPORTED) {
5091 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5092 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Steven Cooremanf49478b2021-02-15 15:19:25 +01005093 }
5094
Gilles Peskine449bd832023-01-11 14:50:10 +01005095 TEST_EQUAL(status, expected_result);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005096
Gilles Peskine449bd832023-01-11 14:50:10 +01005097 if (PSA_SUCCESS == expected_result) {
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005098 TEST_CALLOC(output_data2, output_length);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005099
Gilles Peskine003a4a92019-05-14 16:09:40 +02005100 /* For all currently defined algorithms, PSA_AEAD_DECRYPT_OUTPUT_SIZE
5101 * should be exact. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005102 TEST_EQUAL(input_data->len,
5103 PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, output_length));
Gilles Peskine003a4a92019-05-14 16:09:40 +02005104
Gilles Peskine449bd832023-01-11 14:50:10 +01005105 TEST_LE_U(input_data->len,
5106 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(output_length));
gabor-mezei-armceface22021-01-21 12:26:17 +01005107
Gilles Peskine449bd832023-01-11 14:50:10 +01005108 TEST_EQUAL(psa_aead_decrypt(key, alg,
5109 nonce->x, nonce->len,
5110 additional_data->x,
5111 additional_data->len,
5112 output_data, output_length,
5113 output_data2, output_length,
5114 &output_length2),
5115 expected_result);
Gilles Peskine2d277862018-06-18 15:41:12 +02005116
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01005117 TEST_MEMORY_COMPARE(input_data->x, input_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01005118 output_data2, output_length2);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005119 }
Gilles Peskine2d277862018-06-18 15:41:12 +02005120
Gilles Peskinea1cac842018-06-11 19:33:02 +02005121exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005122 psa_destroy_key(key);
5123 mbedtls_free(output_data);
5124 mbedtls_free(output_data2);
5125 PSA_DONE();
Gilles Peskinea1cac842018-06-11 19:33:02 +02005126}
5127/* END_CASE */
5128
5129/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005130void aead_encrypt(int key_type_arg, data_t *key_data,
5131 int alg_arg,
5132 data_t *nonce,
5133 data_t *additional_data,
5134 data_t *input_data,
5135 data_t *expected_result)
Gilles Peskinea1cac842018-06-11 19:33:02 +02005136{
Ronald Cron5425a212020-08-04 14:58:35 +02005137 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005138 psa_key_type_t key_type = key_type_arg;
5139 psa_algorithm_t alg = alg_arg;
Bence Szépkútiec174e22021-03-19 18:46:15 +01005140 size_t key_bits;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005141 unsigned char *output_data = NULL;
5142 size_t output_size = 0;
5143 size_t output_length = 0;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02005144 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Steven Cooremand588ea12021-01-11 19:36:04 +01005145 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005146
Gilles Peskine449bd832023-01-11 14:50:10 +01005147 PSA_ASSERT(psa_crypto_init());
Gilles Peskinea1cac842018-06-11 19:33:02 +02005148
Gilles Peskine449bd832023-01-11 14:50:10 +01005149 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
5150 psa_set_key_algorithm(&attributes, alg);
5151 psa_set_key_type(&attributes, key_type);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005152
Gilles Peskine449bd832023-01-11 14:50:10 +01005153 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5154 &key));
5155 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
5156 key_bits = psa_get_key_bits(&attributes);
Bence Szépkútiec174e22021-03-19 18:46:15 +01005157
Gilles Peskine449bd832023-01-11 14:50:10 +01005158 output_size = input_data->len + PSA_AEAD_TAG_LENGTH(key_type, key_bits,
5159 alg);
Bence Szépkútiec174e22021-03-19 18:46:15 +01005160 /* For all currently defined algorithms, PSA_AEAD_ENCRYPT_OUTPUT_SIZE
5161 * should be exact. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005162 TEST_EQUAL(output_size,
5163 PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_data->len));
5164 TEST_LE_U(output_size,
5165 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(input_data->len));
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005166 TEST_CALLOC(output_data, output_size);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005167
Gilles Peskine449bd832023-01-11 14:50:10 +01005168 status = psa_aead_encrypt(key, alg,
5169 nonce->x, nonce->len,
5170 additional_data->x, additional_data->len,
5171 input_data->x, input_data->len,
5172 output_data, output_size,
5173 &output_length);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005174
Ronald Cron28a45ed2021-02-09 20:35:42 +01005175 /* If the operation is not supported, just skip and not fail in case the
5176 * encryption involves a common limitation of cryptography hardwares and
5177 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005178 if (status == PSA_ERROR_NOT_SUPPORTED) {
5179 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5180 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Steven Cooremand588ea12021-01-11 19:36:04 +01005181 }
Steven Cooremand588ea12021-01-11 19:36:04 +01005182
Gilles Peskine449bd832023-01-11 14:50:10 +01005183 PSA_ASSERT(status);
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01005184 TEST_MEMORY_COMPARE(expected_result->x, expected_result->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01005185 output_data, output_length);
Gilles Peskine2d277862018-06-18 15:41:12 +02005186
Gilles Peskinea1cac842018-06-11 19:33:02 +02005187exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005188 psa_destroy_key(key);
5189 mbedtls_free(output_data);
5190 PSA_DONE();
Gilles Peskinea1cac842018-06-11 19:33:02 +02005191}
5192/* END_CASE */
5193
5194/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005195void aead_decrypt(int key_type_arg, data_t *key_data,
5196 int alg_arg,
5197 data_t *nonce,
5198 data_t *additional_data,
5199 data_t *input_data,
5200 data_t *expected_data,
5201 int expected_result_arg)
Gilles Peskinea1cac842018-06-11 19:33:02 +02005202{
Ronald Cron5425a212020-08-04 14:58:35 +02005203 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005204 psa_key_type_t key_type = key_type_arg;
5205 psa_algorithm_t alg = alg_arg;
Bence Szépkútiec174e22021-03-19 18:46:15 +01005206 size_t key_bits;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005207 unsigned char *output_data = NULL;
5208 size_t output_size = 0;
5209 size_t output_length = 0;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02005210 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine4abf7412018-06-18 16:35:34 +02005211 psa_status_t expected_result = expected_result_arg;
Steven Cooremand588ea12021-01-11 19:36:04 +01005212 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
Gilles Peskinea1cac842018-06-11 19:33:02 +02005213
Gilles Peskine449bd832023-01-11 14:50:10 +01005214 PSA_ASSERT(psa_crypto_init());
Gilles Peskinea1cac842018-06-11 19:33:02 +02005215
Gilles Peskine449bd832023-01-11 14:50:10 +01005216 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
5217 psa_set_key_algorithm(&attributes, alg);
5218 psa_set_key_type(&attributes, key_type);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005219
Gilles Peskine449bd832023-01-11 14:50:10 +01005220 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5221 &key));
5222 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
5223 key_bits = psa_get_key_bits(&attributes);
Bence Szépkútiec174e22021-03-19 18:46:15 +01005224
Gilles Peskine449bd832023-01-11 14:50:10 +01005225 output_size = input_data->len - PSA_AEAD_TAG_LENGTH(key_type, key_bits,
5226 alg);
5227 if (expected_result != PSA_ERROR_INVALID_ARGUMENT &&
5228 expected_result != PSA_ERROR_NOT_SUPPORTED) {
Bence Szépkútiec174e22021-03-19 18:46:15 +01005229 /* For all currently defined algorithms, PSA_AEAD_DECRYPT_OUTPUT_SIZE
5230 * should be exact. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005231 TEST_EQUAL(output_size,
5232 PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, input_data->len));
5233 TEST_LE_U(output_size,
5234 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(input_data->len));
Bence Szépkútiec174e22021-03-19 18:46:15 +01005235 }
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005236 TEST_CALLOC(output_data, output_size);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005237
Gilles Peskine449bd832023-01-11 14:50:10 +01005238 status = psa_aead_decrypt(key, alg,
5239 nonce->x, nonce->len,
5240 additional_data->x,
5241 additional_data->len,
5242 input_data->x, input_data->len,
5243 output_data, output_size,
5244 &output_length);
Steven Cooremand588ea12021-01-11 19:36:04 +01005245
Ronald Cron28a45ed2021-02-09 20:35:42 +01005246 /* If the operation is not supported, just skip and not fail in case the
5247 * decryption involves a common limitation of cryptography hardwares and
5248 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005249 if (status == PSA_ERROR_NOT_SUPPORTED) {
5250 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5251 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Steven Cooremand588ea12021-01-11 19:36:04 +01005252 }
Steven Cooremand588ea12021-01-11 19:36:04 +01005253
Gilles Peskine449bd832023-01-11 14:50:10 +01005254 TEST_EQUAL(status, expected_result);
Gilles Peskinea1cac842018-06-11 19:33:02 +02005255
Gilles Peskine449bd832023-01-11 14:50:10 +01005256 if (expected_result == PSA_SUCCESS) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01005257 TEST_MEMORY_COMPARE(expected_data->x, expected_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01005258 output_data, output_length);
Gilles Peskine449bd832023-01-11 14:50:10 +01005259 }
Gilles Peskinea1cac842018-06-11 19:33:02 +02005260
Gilles Peskinea1cac842018-06-11 19:33:02 +02005261exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005262 psa_destroy_key(key);
5263 mbedtls_free(output_data);
5264 PSA_DONE();
Gilles Peskinea1cac842018-06-11 19:33:02 +02005265}
5266/* END_CASE */
5267
5268/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005269void aead_multipart_encrypt(int key_type_arg, data_t *key_data,
5270 int alg_arg,
5271 data_t *nonce,
5272 data_t *additional_data,
5273 data_t *input_data,
5274 int do_set_lengths,
5275 data_t *expected_output)
Paul Elliott0023e0a2021-04-27 10:06:22 +01005276{
Paul Elliottd3f82412021-06-16 16:52:21 +01005277 size_t ad_part_len = 0;
5278 size_t data_part_len = 0;
Paul Elliottbb979e72021-09-22 12:54:42 +01005279 set_lengths_method_t set_lengths_method = DO_NOT_SET_LENGTHS;
Paul Elliott0023e0a2021-04-27 10:06:22 +01005280
Gilles Peskine449bd832023-01-11 14:50:10 +01005281 for (ad_part_len = 1; ad_part_len <= additional_data->len; ad_part_len++) {
5282 mbedtls_test_set_step(ad_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005283
Gilles Peskine449bd832023-01-11 14:50:10 +01005284 if (do_set_lengths) {
5285 if (ad_part_len & 0x01) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005286 set_lengths_method = SET_LENGTHS_AFTER_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005287 } else {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005288 set_lengths_method = SET_LENGTHS_BEFORE_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005289 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005290 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005291
5292 /* Split ad into length(ad_part_len) parts. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005293 if (!aead_multipart_internal_func(key_type_arg, key_data,
5294 alg_arg, nonce,
5295 additional_data,
5296 ad_part_len,
5297 input_data, -1,
5298 set_lengths_method,
5299 expected_output,
5300 1, 0)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005301 break;
Paul Elliott0023e0a2021-04-27 10:06:22 +01005302 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005303
Gilles Peskine449bd832023-01-11 14:50:10 +01005304 /* length(0) part, length(ad_part_len) part, length(0) part... */
5305 mbedtls_test_set_step(1000 + ad_part_len);
5306
5307 if (!aead_multipart_internal_func(key_type_arg, key_data,
5308 alg_arg, nonce,
5309 additional_data,
5310 ad_part_len,
5311 input_data, -1,
5312 set_lengths_method,
5313 expected_output,
5314 1, 1)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005315 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005316 }
5317 }
5318
5319 for (data_part_len = 1; data_part_len <= input_data->len; data_part_len++) {
5320 /* Split data into length(data_part_len) parts. */
5321 mbedtls_test_set_step(2000 + data_part_len);
5322
5323 if (do_set_lengths) {
5324 if (data_part_len & 0x01) {
5325 set_lengths_method = SET_LENGTHS_AFTER_NONCE;
5326 } else {
5327 set_lengths_method = SET_LENGTHS_BEFORE_NONCE;
5328 }
5329 }
5330
5331 if (!aead_multipart_internal_func(key_type_arg, key_data,
5332 alg_arg, nonce,
5333 additional_data, -1,
5334 input_data, data_part_len,
5335 set_lengths_method,
5336 expected_output,
5337 1, 0)) {
5338 break;
5339 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005340
5341 /* length(0) part, length(data_part_len) part, length(0) part... */
Gilles Peskine449bd832023-01-11 14:50:10 +01005342 mbedtls_test_set_step(3000 + data_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005343
Gilles Peskine449bd832023-01-11 14:50:10 +01005344 if (!aead_multipart_internal_func(key_type_arg, key_data,
5345 alg_arg, nonce,
5346 additional_data, -1,
5347 input_data, data_part_len,
5348 set_lengths_method,
5349 expected_output,
5350 1, 1)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005351 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005352 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005353 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005354
Paul Elliott8fc45162021-06-23 16:06:01 +01005355 /* Goto is required to silence warnings about unused labels, as we
5356 * don't actually do any test assertions in this function. */
5357 goto exit;
Paul Elliott0023e0a2021-04-27 10:06:22 +01005358}
5359/* END_CASE */
5360
5361/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005362void aead_multipart_decrypt(int key_type_arg, data_t *key_data,
5363 int alg_arg,
5364 data_t *nonce,
5365 data_t *additional_data,
5366 data_t *input_data,
5367 int do_set_lengths,
5368 data_t *expected_output)
Paul Elliott0023e0a2021-04-27 10:06:22 +01005369{
Paul Elliottd3f82412021-06-16 16:52:21 +01005370 size_t ad_part_len = 0;
5371 size_t data_part_len = 0;
Paul Elliottbb979e72021-09-22 12:54:42 +01005372 set_lengths_method_t set_lengths_method = DO_NOT_SET_LENGTHS;
Paul Elliott0023e0a2021-04-27 10:06:22 +01005373
Gilles Peskine449bd832023-01-11 14:50:10 +01005374 for (ad_part_len = 1; ad_part_len <= additional_data->len; ad_part_len++) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005375 /* Split ad into length(ad_part_len) parts. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005376 mbedtls_test_set_step(ad_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005377
Gilles Peskine449bd832023-01-11 14:50:10 +01005378 if (do_set_lengths) {
5379 if (ad_part_len & 0x01) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005380 set_lengths_method = SET_LENGTHS_AFTER_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005381 } else {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005382 set_lengths_method = SET_LENGTHS_BEFORE_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005383 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005384 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005385
Gilles Peskine449bd832023-01-11 14:50:10 +01005386 if (!aead_multipart_internal_func(key_type_arg, key_data,
5387 alg_arg, nonce,
5388 additional_data,
5389 ad_part_len,
5390 input_data, -1,
5391 set_lengths_method,
5392 expected_output,
5393 0, 0)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005394 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005395 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005396
5397 /* length(0) part, length(ad_part_len) part, length(0) part... */
Gilles Peskine449bd832023-01-11 14:50:10 +01005398 mbedtls_test_set_step(1000 + ad_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005399
Gilles Peskine449bd832023-01-11 14:50:10 +01005400 if (!aead_multipart_internal_func(key_type_arg, key_data,
5401 alg_arg, nonce,
5402 additional_data,
5403 ad_part_len,
5404 input_data, -1,
5405 set_lengths_method,
5406 expected_output,
5407 0, 1)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005408 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005409 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005410 }
5411
Gilles Peskine449bd832023-01-11 14:50:10 +01005412 for (data_part_len = 1; data_part_len <= input_data->len; data_part_len++) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005413 /* Split data into length(data_part_len) parts. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005414 mbedtls_test_set_step(2000 + data_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005415
Gilles Peskine449bd832023-01-11 14:50:10 +01005416 if (do_set_lengths) {
5417 if (data_part_len & 0x01) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005418 set_lengths_method = SET_LENGTHS_AFTER_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005419 } else {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005420 set_lengths_method = SET_LENGTHS_BEFORE_NONCE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005421 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005422 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005423
Gilles Peskine449bd832023-01-11 14:50:10 +01005424 if (!aead_multipart_internal_func(key_type_arg, key_data,
5425 alg_arg, nonce,
5426 additional_data, -1,
5427 input_data, data_part_len,
5428 set_lengths_method,
5429 expected_output,
5430 0, 0)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005431 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005432 }
Paul Elliott32f46ba2021-09-23 18:24:36 +01005433
5434 /* length(0) part, length(data_part_len) part, length(0) part... */
Gilles Peskine449bd832023-01-11 14:50:10 +01005435 mbedtls_test_set_step(3000 + data_part_len);
Paul Elliott32f46ba2021-09-23 18:24:36 +01005436
Gilles Peskine449bd832023-01-11 14:50:10 +01005437 if (!aead_multipart_internal_func(key_type_arg, key_data,
5438 alg_arg, nonce,
5439 additional_data, -1,
5440 input_data, data_part_len,
5441 set_lengths_method,
5442 expected_output,
5443 0, 1)) {
Paul Elliott32f46ba2021-09-23 18:24:36 +01005444 break;
Gilles Peskine449bd832023-01-11 14:50:10 +01005445 }
Paul Elliott0023e0a2021-04-27 10:06:22 +01005446 }
5447
Paul Elliott8fc45162021-06-23 16:06:01 +01005448 /* Goto is required to silence warnings about unused labels, as we
5449 * don't actually do any test assertions in this function. */
Paul Elliottd3f82412021-06-16 16:52:21 +01005450 goto exit;
Paul Elliott0023e0a2021-04-27 10:06:22 +01005451}
5452/* END_CASE */
5453
5454/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005455void aead_multipart_generate_nonce(int key_type_arg, data_t *key_data,
5456 int alg_arg,
5457 int nonce_length,
5458 int expected_nonce_length_arg,
5459 data_t *additional_data,
5460 data_t *input_data,
5461 int expected_status_arg)
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005462{
5463
5464 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5465 psa_key_type_t key_type = key_type_arg;
5466 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005467 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
David Horstmann52402ec2023-12-11 15:09:46 +00005468 /* Some tests try to get more than the maximum nonce length,
5469 * so allocate double. */
5470 uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE * 2];
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005471 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5472 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
Paul Elliott693bf312021-07-23 17:40:41 +01005473 psa_status_t expected_status = expected_status_arg;
Paul Elliottf1277632021-08-24 18:11:37 +01005474 size_t actual_nonce_length = 0;
5475 size_t expected_nonce_length = expected_nonce_length_arg;
5476 unsigned char *output = NULL;
5477 unsigned char *ciphertext = NULL;
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005478 size_t output_size = 0;
Paul Elliottf1277632021-08-24 18:11:37 +01005479 size_t ciphertext_size = 0;
5480 size_t ciphertext_length = 0;
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005481 size_t tag_length = 0;
5482 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE];
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005483
Gilles Peskine449bd832023-01-11 14:50:10 +01005484 PSA_ASSERT(psa_crypto_init());
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005485
Gilles Peskine449bd832023-01-11 14:50:10 +01005486 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
5487 psa_set_key_algorithm(&attributes, alg);
5488 psa_set_key_type(&attributes, key_type);
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005489
Gilles Peskine449bd832023-01-11 14:50:10 +01005490 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5491 &key));
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005492
Gilles Peskine449bd832023-01-11 14:50:10 +01005493 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005494
Gilles Peskine449bd832023-01-11 14:50:10 +01005495 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005496
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005497 TEST_CALLOC(output, output_size);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005498
Gilles Peskine449bd832023-01-11 14:50:10 +01005499 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005500
Gilles Peskine449bd832023-01-11 14:50:10 +01005501 TEST_LE_U(ciphertext_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005502
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005503 TEST_CALLOC(ciphertext, ciphertext_size);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005504
Gilles Peskine449bd832023-01-11 14:50:10 +01005505 status = psa_aead_encrypt_setup(&operation, key, alg);
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005506
5507 /* If the operation is not supported, just skip and not fail in case the
5508 * encryption involves a common limitation of cryptography hardwares and
5509 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005510 if (status == PSA_ERROR_NOT_SUPPORTED) {
5511 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5512 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce_length);
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005513 }
5514
Gilles Peskine449bd832023-01-11 14:50:10 +01005515 PSA_ASSERT(status);
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005516
Gilles Peskine449bd832023-01-11 14:50:10 +01005517 status = psa_aead_generate_nonce(&operation, nonce_buffer,
5518 nonce_length,
5519 &actual_nonce_length);
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005520
Gilles Peskine449bd832023-01-11 14:50:10 +01005521 TEST_EQUAL(status, expected_status);
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005522
Gilles Peskine449bd832023-01-11 14:50:10 +01005523 TEST_EQUAL(actual_nonce_length, expected_nonce_length);
Paul Elliottd85f5472021-07-16 18:20:16 +01005524
Gilles Peskine449bd832023-01-11 14:50:10 +01005525 if (expected_status == PSA_SUCCESS) {
5526 TEST_EQUAL(actual_nonce_length, PSA_AEAD_NONCE_LENGTH(key_type,
5527 alg));
5528 }
Paul Elliott88ecbe12021-09-22 17:23:03 +01005529
Gilles Peskine449bd832023-01-11 14:50:10 +01005530 TEST_LE_U(actual_nonce_length, PSA_AEAD_NONCE_MAX_SIZE);
Paul Elliotte0fcb3b2021-07-16 18:52:03 +01005531
Gilles Peskine449bd832023-01-11 14:50:10 +01005532 if (expected_status == PSA_SUCCESS) {
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005533 /* Ensure we can still complete operation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005534 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5535 input_data->len));
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005536
Gilles Peskine449bd832023-01-11 14:50:10 +01005537 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
5538 additional_data->len));
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005539
Gilles Peskine449bd832023-01-11 14:50:10 +01005540 PSA_ASSERT(psa_aead_update(&operation, input_data->x, input_data->len,
5541 output, output_size,
5542 &ciphertext_length));
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005543
Gilles Peskine449bd832023-01-11 14:50:10 +01005544 PSA_ASSERT(psa_aead_finish(&operation, ciphertext, ciphertext_size,
5545 &ciphertext_length, tag_buffer,
5546 PSA_AEAD_TAG_MAX_SIZE, &tag_length));
Paul Elliott3bd5dba2021-06-23 17:14:40 +01005547 }
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005548
5549exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005550 psa_destroy_key(key);
5551 mbedtls_free(output);
5552 mbedtls_free(ciphertext);
5553 psa_aead_abort(&operation);
5554 PSA_DONE();
Paul Elliott8eb9daf2021-06-04 16:42:21 +01005555}
5556/* END_CASE */
5557
5558/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005559void aead_multipart_set_nonce(int key_type_arg, data_t *key_data,
5560 int alg_arg,
5561 int nonce_length_arg,
5562 int set_lengths_method_arg,
5563 data_t *additional_data,
5564 data_t *input_data,
5565 int expected_status_arg)
Paul Elliott863864a2021-07-23 17:28:31 +01005566{
5567
5568 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5569 psa_key_type_t key_type = key_type_arg;
5570 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005571 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott863864a2021-07-23 17:28:31 +01005572 uint8_t *nonce_buffer = NULL;
5573 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5574 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
5575 psa_status_t expected_status = expected_status_arg;
Paul Elliott6f0e7202021-08-25 12:57:18 +01005576 unsigned char *output = NULL;
5577 unsigned char *ciphertext = NULL;
Paul Elliott4023ffd2021-09-10 16:21:22 +01005578 size_t nonce_length;
Paul Elliott863864a2021-07-23 17:28:31 +01005579 size_t output_size = 0;
Paul Elliott6f0e7202021-08-25 12:57:18 +01005580 size_t ciphertext_size = 0;
5581 size_t ciphertext_length = 0;
Paul Elliott863864a2021-07-23 17:28:31 +01005582 size_t tag_length = 0;
5583 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE];
Paul Elliott4023ffd2021-09-10 16:21:22 +01005584 size_t index = 0;
Andrzej Kureka2ce72e2021-12-25 17:21:47 +01005585 set_lengths_method_t set_lengths_method = set_lengths_method_arg;
Paul Elliott863864a2021-07-23 17:28:31 +01005586
Gilles Peskine449bd832023-01-11 14:50:10 +01005587 PSA_ASSERT(psa_crypto_init());
Paul Elliott863864a2021-07-23 17:28:31 +01005588
Gilles Peskine449bd832023-01-11 14:50:10 +01005589 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
5590 psa_set_key_algorithm(&attributes, alg);
5591 psa_set_key_type(&attributes, key_type);
Paul Elliott863864a2021-07-23 17:28:31 +01005592
Gilles Peskine449bd832023-01-11 14:50:10 +01005593 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5594 &key));
Paul Elliott863864a2021-07-23 17:28:31 +01005595
Gilles Peskine449bd832023-01-11 14:50:10 +01005596 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
Paul Elliott863864a2021-07-23 17:28:31 +01005597
Gilles Peskine449bd832023-01-11 14:50:10 +01005598 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len);
Paul Elliott863864a2021-07-23 17:28:31 +01005599
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005600 TEST_CALLOC(output, output_size);
Paul Elliott863864a2021-07-23 17:28:31 +01005601
Gilles Peskine449bd832023-01-11 14:50:10 +01005602 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg);
Paul Elliott863864a2021-07-23 17:28:31 +01005603
Gilles Peskine449bd832023-01-11 14:50:10 +01005604 TEST_LE_U(ciphertext_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE);
Paul Elliott863864a2021-07-23 17:28:31 +01005605
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005606 TEST_CALLOC(ciphertext, ciphertext_size);
Paul Elliott863864a2021-07-23 17:28:31 +01005607
Gilles Peskine449bd832023-01-11 14:50:10 +01005608 status = psa_aead_encrypt_setup(&operation, key, alg);
Paul Elliott863864a2021-07-23 17:28:31 +01005609
5610 /* If the operation is not supported, just skip and not fail in case the
5611 * encryption involves a common limitation of cryptography hardwares and
5612 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005613 if (status == PSA_ERROR_NOT_SUPPORTED) {
5614 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5615 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce_length_arg);
Paul Elliott863864a2021-07-23 17:28:31 +01005616 }
5617
Gilles Peskine449bd832023-01-11 14:50:10 +01005618 PSA_ASSERT(status);
Paul Elliott863864a2021-07-23 17:28:31 +01005619
Paul Elliott4023ffd2021-09-10 16:21:22 +01005620 /* -1 == zero length and valid buffer, 0 = zero length and NULL buffer. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005621 if (nonce_length_arg == -1) {
5622 /* Arbitrary size buffer, to test zero length valid buffer. */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005623 TEST_CALLOC(nonce_buffer, 4);
Gilles Peskine449bd832023-01-11 14:50:10 +01005624 nonce_length = 0;
5625 } else {
Paul Elliott4023ffd2021-09-10 16:21:22 +01005626 /* If length is zero, then this will return NULL. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005627 nonce_length = (size_t) nonce_length_arg;
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005628 TEST_CALLOC(nonce_buffer, nonce_length);
Paul Elliott66696b52021-08-16 18:42:41 +01005629
Gilles Peskine449bd832023-01-11 14:50:10 +01005630 if (nonce_buffer) {
5631 for (index = 0; index < nonce_length - 1; ++index) {
Paul Elliott4023ffd2021-09-10 16:21:22 +01005632 nonce_buffer[index] = 'a' + index;
5633 }
Paul Elliott66696b52021-08-16 18:42:41 +01005634 }
Paul Elliott863864a2021-07-23 17:28:31 +01005635 }
5636
Gilles Peskine449bd832023-01-11 14:50:10 +01005637 if (set_lengths_method == SET_LENGTHS_BEFORE_NONCE) {
5638 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5639 input_data->len));
Andrzej Kureka2ce72e2021-12-25 17:21:47 +01005640 }
5641
Gilles Peskine449bd832023-01-11 14:50:10 +01005642 status = psa_aead_set_nonce(&operation, nonce_buffer, nonce_length);
Paul Elliott863864a2021-07-23 17:28:31 +01005643
Gilles Peskine449bd832023-01-11 14:50:10 +01005644 TEST_EQUAL(status, expected_status);
Paul Elliott863864a2021-07-23 17:28:31 +01005645
Gilles Peskine449bd832023-01-11 14:50:10 +01005646 if (expected_status == PSA_SUCCESS) {
5647 if (set_lengths_method == SET_LENGTHS_AFTER_NONCE) {
5648 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5649 input_data->len));
Andrzej Kureka2ce72e2021-12-25 17:21:47 +01005650 }
Gilles Peskine449bd832023-01-11 14:50:10 +01005651 if (operation.alg == PSA_ALG_CCM && set_lengths_method == DO_NOT_SET_LENGTHS) {
Andrzej Kureka2ce72e2021-12-25 17:21:47 +01005652 expected_status = PSA_ERROR_BAD_STATE;
Gilles Peskine449bd832023-01-11 14:50:10 +01005653 }
Paul Elliott863864a2021-07-23 17:28:31 +01005654
Andrzej Kureka2ce72e2021-12-25 17:21:47 +01005655 /* Ensure we can still complete operation, unless it's CCM and we didn't set lengths. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005656 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
5657 additional_data->len),
5658 expected_status);
Paul Elliott863864a2021-07-23 17:28:31 +01005659
Gilles Peskine449bd832023-01-11 14:50:10 +01005660 TEST_EQUAL(psa_aead_update(&operation, input_data->x, input_data->len,
5661 output, output_size,
5662 &ciphertext_length),
5663 expected_status);
Paul Elliott863864a2021-07-23 17:28:31 +01005664
Gilles Peskine449bd832023-01-11 14:50:10 +01005665 TEST_EQUAL(psa_aead_finish(&operation, ciphertext, ciphertext_size,
5666 &ciphertext_length, tag_buffer,
5667 PSA_AEAD_TAG_MAX_SIZE, &tag_length),
5668 expected_status);
Paul Elliott863864a2021-07-23 17:28:31 +01005669 }
5670
5671exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005672 psa_destroy_key(key);
5673 mbedtls_free(output);
5674 mbedtls_free(ciphertext);
5675 mbedtls_free(nonce_buffer);
5676 psa_aead_abort(&operation);
5677 PSA_DONE();
Paul Elliott863864a2021-07-23 17:28:31 +01005678}
5679/* END_CASE */
5680
5681/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005682void aead_multipart_update_buffer_test(int key_type_arg, data_t *key_data,
Paul Elliott43fbda62021-07-23 18:30:59 +01005683 int alg_arg,
Paul Elliottc6d11d02021-09-01 12:04:23 +01005684 int output_size_arg,
Paul Elliott43fbda62021-07-23 18:30:59 +01005685 data_t *nonce,
5686 data_t *additional_data,
5687 data_t *input_data,
Gilles Peskine449bd832023-01-11 14:50:10 +01005688 int expected_status_arg)
Paul Elliott43fbda62021-07-23 18:30:59 +01005689{
5690
5691 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5692 psa_key_type_t key_type = key_type_arg;
5693 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005694 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott43fbda62021-07-23 18:30:59 +01005695 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5696 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
5697 psa_status_t expected_status = expected_status_arg;
Paul Elliottc6d11d02021-09-01 12:04:23 +01005698 unsigned char *output = NULL;
5699 unsigned char *ciphertext = NULL;
5700 size_t output_size = output_size_arg;
5701 size_t ciphertext_size = 0;
5702 size_t ciphertext_length = 0;
Paul Elliott43fbda62021-07-23 18:30:59 +01005703 size_t tag_length = 0;
5704 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE];
5705
Gilles Peskine449bd832023-01-11 14:50:10 +01005706 PSA_ASSERT(psa_crypto_init());
Paul Elliott43fbda62021-07-23 18:30:59 +01005707
Gilles Peskine449bd832023-01-11 14:50:10 +01005708 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
5709 psa_set_key_algorithm(&attributes, alg);
5710 psa_set_key_type(&attributes, key_type);
Paul Elliott43fbda62021-07-23 18:30:59 +01005711
Gilles Peskine449bd832023-01-11 14:50:10 +01005712 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5713 &key));
Paul Elliott43fbda62021-07-23 18:30:59 +01005714
Gilles Peskine449bd832023-01-11 14:50:10 +01005715 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
Paul Elliott43fbda62021-07-23 18:30:59 +01005716
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005717 TEST_CALLOC(output, output_size);
Paul Elliott43fbda62021-07-23 18:30:59 +01005718
Gilles Peskine449bd832023-01-11 14:50:10 +01005719 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg);
Paul Elliott43fbda62021-07-23 18:30:59 +01005720
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005721 TEST_CALLOC(ciphertext, ciphertext_size);
Paul Elliott43fbda62021-07-23 18:30:59 +01005722
Gilles Peskine449bd832023-01-11 14:50:10 +01005723 status = psa_aead_encrypt_setup(&operation, key, alg);
Paul Elliott43fbda62021-07-23 18:30:59 +01005724
5725 /* If the operation is not supported, just skip and not fail in case the
5726 * encryption involves a common limitation of cryptography hardwares and
5727 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005728 if (status == PSA_ERROR_NOT_SUPPORTED) {
5729 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5730 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Paul Elliott43fbda62021-07-23 18:30:59 +01005731 }
5732
Gilles Peskine449bd832023-01-11 14:50:10 +01005733 PSA_ASSERT(status);
Paul Elliott43fbda62021-07-23 18:30:59 +01005734
Gilles Peskine449bd832023-01-11 14:50:10 +01005735 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5736 input_data->len));
Paul Elliott47b9a142021-10-07 15:04:57 +01005737
Gilles Peskine449bd832023-01-11 14:50:10 +01005738 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott43fbda62021-07-23 18:30:59 +01005739
Gilles Peskine449bd832023-01-11 14:50:10 +01005740 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
5741 additional_data->len));
Paul Elliott43fbda62021-07-23 18:30:59 +01005742
Gilles Peskine449bd832023-01-11 14:50:10 +01005743 status = psa_aead_update(&operation, input_data->x, input_data->len,
5744 output, output_size, &ciphertext_length);
Paul Elliott43fbda62021-07-23 18:30:59 +01005745
Gilles Peskine449bd832023-01-11 14:50:10 +01005746 TEST_EQUAL(status, expected_status);
Paul Elliott43fbda62021-07-23 18:30:59 +01005747
Gilles Peskine449bd832023-01-11 14:50:10 +01005748 if (expected_status == PSA_SUCCESS) {
Paul Elliott43fbda62021-07-23 18:30:59 +01005749 /* Ensure we can still complete operation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005750 PSA_ASSERT(psa_aead_finish(&operation, ciphertext, ciphertext_size,
5751 &ciphertext_length, tag_buffer,
5752 PSA_AEAD_TAG_MAX_SIZE, &tag_length));
Paul Elliott43fbda62021-07-23 18:30:59 +01005753 }
5754
5755exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005756 psa_destroy_key(key);
5757 mbedtls_free(output);
5758 mbedtls_free(ciphertext);
5759 psa_aead_abort(&operation);
5760 PSA_DONE();
Paul Elliott43fbda62021-07-23 18:30:59 +01005761}
5762/* END_CASE */
5763
Paul Elliott91b021e2021-07-23 18:52:31 +01005764/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005765void aead_multipart_finish_buffer_test(int key_type_arg, data_t *key_data,
5766 int alg_arg,
5767 int finish_ciphertext_size_arg,
5768 int tag_size_arg,
5769 data_t *nonce,
5770 data_t *additional_data,
5771 data_t *input_data,
5772 int expected_status_arg)
Paul Elliott91b021e2021-07-23 18:52:31 +01005773{
5774
5775 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5776 psa_key_type_t key_type = key_type_arg;
5777 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005778 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott91b021e2021-07-23 18:52:31 +01005779 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5780 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
5781 psa_status_t expected_status = expected_status_arg;
Paul Elliotte58cb1e2021-09-10 18:36:00 +01005782 unsigned char *ciphertext = NULL;
5783 unsigned char *finish_ciphertext = NULL;
Paul Elliott719c1322021-09-13 18:27:22 +01005784 unsigned char *tag_buffer = NULL;
Paul Elliotte58cb1e2021-09-10 18:36:00 +01005785 size_t ciphertext_size = 0;
5786 size_t ciphertext_length = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01005787 size_t finish_ciphertext_size = (size_t) finish_ciphertext_size_arg;
5788 size_t tag_size = (size_t) tag_size_arg;
Paul Elliott91b021e2021-07-23 18:52:31 +01005789 size_t tag_length = 0;
Paul Elliott91b021e2021-07-23 18:52:31 +01005790
Gilles Peskine449bd832023-01-11 14:50:10 +01005791 PSA_ASSERT(psa_crypto_init());
Paul Elliott91b021e2021-07-23 18:52:31 +01005792
Gilles Peskine449bd832023-01-11 14:50:10 +01005793 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
5794 psa_set_key_algorithm(&attributes, alg);
5795 psa_set_key_type(&attributes, key_type);
Paul Elliott91b021e2021-07-23 18:52:31 +01005796
Gilles Peskine449bd832023-01-11 14:50:10 +01005797 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5798 &key));
Paul Elliott91b021e2021-07-23 18:52:31 +01005799
Gilles Peskine449bd832023-01-11 14:50:10 +01005800 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
Paul Elliott91b021e2021-07-23 18:52:31 +01005801
Gilles Peskine449bd832023-01-11 14:50:10 +01005802 ciphertext_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len);
Paul Elliott91b021e2021-07-23 18:52:31 +01005803
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005804 TEST_CALLOC(ciphertext, ciphertext_size);
Paul Elliott91b021e2021-07-23 18:52:31 +01005805
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005806 TEST_CALLOC(finish_ciphertext, finish_ciphertext_size);
Paul Elliott91b021e2021-07-23 18:52:31 +01005807
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005808 TEST_CALLOC(tag_buffer, tag_size);
Paul Elliott719c1322021-09-13 18:27:22 +01005809
Gilles Peskine449bd832023-01-11 14:50:10 +01005810 status = psa_aead_encrypt_setup(&operation, key, alg);
Paul Elliott91b021e2021-07-23 18:52:31 +01005811
5812 /* If the operation is not supported, just skip and not fail in case the
5813 * encryption involves a common limitation of cryptography hardwares and
5814 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005815 if (status == PSA_ERROR_NOT_SUPPORTED) {
5816 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5817 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Paul Elliott91b021e2021-07-23 18:52:31 +01005818 }
5819
Gilles Peskine449bd832023-01-11 14:50:10 +01005820 PSA_ASSERT(status);
Paul Elliott91b021e2021-07-23 18:52:31 +01005821
Gilles Peskine449bd832023-01-11 14:50:10 +01005822 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott91b021e2021-07-23 18:52:31 +01005823
Gilles Peskine449bd832023-01-11 14:50:10 +01005824 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
5825 input_data->len));
Paul Elliott76bda482021-10-07 17:07:23 +01005826
Gilles Peskine449bd832023-01-11 14:50:10 +01005827 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
5828 additional_data->len));
Paul Elliott91b021e2021-07-23 18:52:31 +01005829
Gilles Peskine449bd832023-01-11 14:50:10 +01005830 PSA_ASSERT(psa_aead_update(&operation, input_data->x, input_data->len,
5831 ciphertext, ciphertext_size, &ciphertext_length));
Paul Elliott91b021e2021-07-23 18:52:31 +01005832
5833 /* Ensure we can still complete operation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005834 status = psa_aead_finish(&operation, finish_ciphertext,
5835 finish_ciphertext_size,
5836 &ciphertext_length, tag_buffer,
5837 tag_size, &tag_length);
Paul Elliott91b021e2021-07-23 18:52:31 +01005838
Gilles Peskine449bd832023-01-11 14:50:10 +01005839 TEST_EQUAL(status, expected_status);
Paul Elliott91b021e2021-07-23 18:52:31 +01005840
5841exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005842 psa_destroy_key(key);
5843 mbedtls_free(ciphertext);
5844 mbedtls_free(finish_ciphertext);
5845 mbedtls_free(tag_buffer);
5846 psa_aead_abort(&operation);
5847 PSA_DONE();
Paul Elliott91b021e2021-07-23 18:52:31 +01005848}
5849/* END_CASE */
Paul Elliott43fbda62021-07-23 18:30:59 +01005850
5851/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005852void aead_multipart_verify(int key_type_arg, data_t *key_data,
5853 int alg_arg,
5854 data_t *nonce,
5855 data_t *additional_data,
5856 data_t *input_data,
5857 data_t *tag,
5858 int tag_usage_arg,
5859 int expected_setup_status_arg,
5860 int expected_status_arg)
Paul Elliott9961a662021-09-17 19:19:02 +01005861{
5862 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5863 psa_key_type_t key_type = key_type_arg;
5864 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005865 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott9961a662021-09-17 19:19:02 +01005866 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5867 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
5868 psa_status_t expected_status = expected_status_arg;
Andrzej Kurekf8816012021-12-19 17:00:12 +01005869 psa_status_t expected_setup_status = expected_setup_status_arg;
Paul Elliott9961a662021-09-17 19:19:02 +01005870 unsigned char *plaintext = NULL;
5871 unsigned char *finish_plaintext = NULL;
5872 size_t plaintext_size = 0;
5873 size_t plaintext_length = 0;
5874 size_t verify_plaintext_size = 0;
Paul Elliottbb979e72021-09-22 12:54:42 +01005875 tag_usage_method_t tag_usage = tag_usage_arg;
Paul Elliott1c67e0b2021-09-19 13:11:50 +01005876 unsigned char *tag_buffer = NULL;
5877 size_t tag_size = 0;
Paul Elliott9961a662021-09-17 19:19:02 +01005878
Gilles Peskine449bd832023-01-11 14:50:10 +01005879 PSA_ASSERT(psa_crypto_init());
Paul Elliott9961a662021-09-17 19:19:02 +01005880
Gilles Peskine449bd832023-01-11 14:50:10 +01005881 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
5882 psa_set_key_algorithm(&attributes, alg);
5883 psa_set_key_type(&attributes, key_type);
Paul Elliott9961a662021-09-17 19:19:02 +01005884
Gilles Peskine449bd832023-01-11 14:50:10 +01005885 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5886 &key));
Paul Elliott9961a662021-09-17 19:19:02 +01005887
Gilles Peskine449bd832023-01-11 14:50:10 +01005888 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
Paul Elliott9961a662021-09-17 19:19:02 +01005889
Gilles Peskine449bd832023-01-11 14:50:10 +01005890 plaintext_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg,
5891 input_data->len);
Paul Elliott9961a662021-09-17 19:19:02 +01005892
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005893 TEST_CALLOC(plaintext, plaintext_size);
Paul Elliott9961a662021-09-17 19:19:02 +01005894
Gilles Peskine449bd832023-01-11 14:50:10 +01005895 verify_plaintext_size = PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg);
Paul Elliott9961a662021-09-17 19:19:02 +01005896
Tom Cosgrove05b2a872023-07-21 11:31:13 +01005897 TEST_CALLOC(finish_plaintext, verify_plaintext_size);
Paul Elliott9961a662021-09-17 19:19:02 +01005898
Gilles Peskine449bd832023-01-11 14:50:10 +01005899 status = psa_aead_decrypt_setup(&operation, key, alg);
Paul Elliott9961a662021-09-17 19:19:02 +01005900
5901 /* If the operation is not supported, just skip and not fail in case the
5902 * encryption involves a common limitation of cryptography hardwares and
5903 * an alternative implementation. */
Gilles Peskine449bd832023-01-11 14:50:10 +01005904 if (status == PSA_ERROR_NOT_SUPPORTED) {
5905 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_data->len * 8);
5906 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE(alg, nonce->len);
Paul Elliott9961a662021-09-17 19:19:02 +01005907 }
Gilles Peskine449bd832023-01-11 14:50:10 +01005908 TEST_EQUAL(status, expected_setup_status);
Andrzej Kurekf8816012021-12-19 17:00:12 +01005909
Gilles Peskine449bd832023-01-11 14:50:10 +01005910 if (status != PSA_SUCCESS) {
Andrzej Kurekf8816012021-12-19 17:00:12 +01005911 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01005912 }
Paul Elliott9961a662021-09-17 19:19:02 +01005913
Gilles Peskine449bd832023-01-11 14:50:10 +01005914 PSA_ASSERT(status);
Paul Elliott9961a662021-09-17 19:19:02 +01005915
Gilles Peskine449bd832023-01-11 14:50:10 +01005916 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott9961a662021-09-17 19:19:02 +01005917
Gilles Peskine449bd832023-01-11 14:50:10 +01005918 status = psa_aead_set_lengths(&operation, additional_data->len,
5919 input_data->len);
5920 PSA_ASSERT(status);
Paul Elliottfec6f372021-10-06 17:15:02 +01005921
Gilles Peskine449bd832023-01-11 14:50:10 +01005922 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
5923 additional_data->len));
Paul Elliott9961a662021-09-17 19:19:02 +01005924
Gilles Peskine449bd832023-01-11 14:50:10 +01005925 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
5926 input_data->len,
5927 plaintext, plaintext_size,
5928 &plaintext_length));
Paul Elliott9961a662021-09-17 19:19:02 +01005929
Gilles Peskine449bd832023-01-11 14:50:10 +01005930 if (tag_usage == USE_GIVEN_TAG) {
Paul Elliott1c67e0b2021-09-19 13:11:50 +01005931 tag_buffer = tag->x;
5932 tag_size = tag->len;
5933 }
5934
Gilles Peskine449bd832023-01-11 14:50:10 +01005935 status = psa_aead_verify(&operation, finish_plaintext,
5936 verify_plaintext_size,
5937 &plaintext_length,
5938 tag_buffer, tag_size);
Paul Elliott9961a662021-09-17 19:19:02 +01005939
Gilles Peskine449bd832023-01-11 14:50:10 +01005940 TEST_EQUAL(status, expected_status);
Paul Elliott9961a662021-09-17 19:19:02 +01005941
5942exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005943 psa_destroy_key(key);
5944 mbedtls_free(plaintext);
5945 mbedtls_free(finish_plaintext);
5946 psa_aead_abort(&operation);
5947 PSA_DONE();
Paul Elliott9961a662021-09-17 19:19:02 +01005948}
5949/* END_CASE */
5950
Paul Elliott9961a662021-09-17 19:19:02 +01005951/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005952void aead_multipart_setup(int key_type_arg, data_t *key_data,
5953 int alg_arg, int expected_status_arg)
Paul Elliott5221ef62021-09-19 17:33:03 +01005954{
5955 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5956 psa_key_type_t key_type = key_type_arg;
5957 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01005958 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliott5221ef62021-09-19 17:33:03 +01005959 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5960 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
5961 psa_status_t expected_status = expected_status_arg;
5962
Gilles Peskine449bd832023-01-11 14:50:10 +01005963 PSA_ASSERT(psa_crypto_init());
Paul Elliott5221ef62021-09-19 17:33:03 +01005964
Gilles Peskine449bd832023-01-11 14:50:10 +01005965 psa_set_key_usage_flags(&attributes,
5966 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
5967 psa_set_key_algorithm(&attributes, alg);
5968 psa_set_key_type(&attributes, key_type);
Paul Elliott5221ef62021-09-19 17:33:03 +01005969
Gilles Peskine449bd832023-01-11 14:50:10 +01005970 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
5971 &key));
Paul Elliott5221ef62021-09-19 17:33:03 +01005972
Gilles Peskine449bd832023-01-11 14:50:10 +01005973 status = psa_aead_encrypt_setup(&operation, key, alg);
Paul Elliott5221ef62021-09-19 17:33:03 +01005974
Gilles Peskine449bd832023-01-11 14:50:10 +01005975 TEST_EQUAL(status, expected_status);
Paul Elliott5221ef62021-09-19 17:33:03 +01005976
Gilles Peskine449bd832023-01-11 14:50:10 +01005977 psa_aead_abort(&operation);
Paul Elliott5221ef62021-09-19 17:33:03 +01005978
Gilles Peskine449bd832023-01-11 14:50:10 +01005979 status = psa_aead_decrypt_setup(&operation, key, alg);
Paul Elliott5221ef62021-09-19 17:33:03 +01005980
Gilles Peskine449bd832023-01-11 14:50:10 +01005981 TEST_EQUAL(status, expected_status);
Paul Elliott5221ef62021-09-19 17:33:03 +01005982
5983exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01005984 psa_destroy_key(key);
5985 psa_aead_abort(&operation);
5986 PSA_DONE();
Paul Elliott5221ef62021-09-19 17:33:03 +01005987}
5988/* END_CASE */
5989
5990/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01005991void aead_multipart_state_test(int key_type_arg, data_t *key_data,
5992 int alg_arg,
5993 data_t *nonce,
5994 data_t *additional_data,
5995 data_t *input_data)
Paul Elliottc23a9a02021-06-21 18:32:46 +01005996{
5997 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
5998 psa_key_type_t key_type = key_type_arg;
5999 psa_algorithm_t alg = alg_arg;
Paul Elliottfbb4c6d2021-09-22 16:44:21 +01006000 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Paul Elliottc23a9a02021-06-21 18:32:46 +01006001 unsigned char *output_data = NULL;
6002 unsigned char *final_data = NULL;
6003 size_t output_size = 0;
6004 size_t finish_output_size = 0;
6005 size_t output_length = 0;
6006 size_t key_bits = 0;
6007 size_t tag_length = 0;
6008 size_t tag_size = 0;
6009 size_t nonce_length = 0;
6010 uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE];
6011 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE];
6012 size_t output_part_length = 0;
6013 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
6014
Gilles Peskine449bd832023-01-11 14:50:10 +01006015 PSA_ASSERT(psa_crypto_init());
Paul Elliottc23a9a02021-06-21 18:32:46 +01006016
Gilles Peskine449bd832023-01-11 14:50:10 +01006017 psa_set_key_usage_flags(&attributes,
6018 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
6019 psa_set_key_algorithm(&attributes, alg);
6020 psa_set_key_type(&attributes, key_type);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006021
Gilles Peskine449bd832023-01-11 14:50:10 +01006022 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
6023 &key));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006024
Gilles Peskine449bd832023-01-11 14:50:10 +01006025 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
6026 key_bits = psa_get_key_bits(&attributes);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006027
Gilles Peskine449bd832023-01-11 14:50:10 +01006028 tag_length = PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006029
Gilles Peskine449bd832023-01-11 14:50:10 +01006030 TEST_LE_U(tag_length, PSA_AEAD_TAG_MAX_SIZE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006031
Gilles Peskine449bd832023-01-11 14:50:10 +01006032 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_data->len);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006033
Tom Cosgrove05b2a872023-07-21 11:31:13 +01006034 TEST_CALLOC(output_data, output_size);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006035
Gilles Peskine449bd832023-01-11 14:50:10 +01006036 finish_output_size = PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006037
Gilles Peskine449bd832023-01-11 14:50:10 +01006038 TEST_LE_U(finish_output_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006039
Tom Cosgrove05b2a872023-07-21 11:31:13 +01006040 TEST_CALLOC(final_data, finish_output_size);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006041
6042 /* Test all operations error without calling setup first. */
6043
Gilles Peskine449bd832023-01-11 14:50:10 +01006044 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
6045 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006046
Gilles Peskine449bd832023-01-11 14:50:10 +01006047 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006048
Gilles Peskine449bd832023-01-11 14:50:10 +01006049 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
6050 PSA_AEAD_NONCE_MAX_SIZE,
6051 &nonce_length),
6052 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006053
Gilles Peskine449bd832023-01-11 14:50:10 +01006054 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006055
Paul Elliott481be342021-07-16 17:38:47 +01006056 /* ------------------------------------------------------- */
6057
Gilles Peskine449bd832023-01-11 14:50:10 +01006058 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6059 input_data->len),
6060 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006061
Gilles Peskine449bd832023-01-11 14:50:10 +01006062 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006063
Paul Elliott481be342021-07-16 17:38:47 +01006064 /* ------------------------------------------------------- */
6065
Gilles Peskine449bd832023-01-11 14:50:10 +01006066 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6067 additional_data->len),
6068 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006069
Gilles Peskine449bd832023-01-11 14:50:10 +01006070 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006071
Paul Elliott481be342021-07-16 17:38:47 +01006072 /* ------------------------------------------------------- */
6073
Gilles Peskine449bd832023-01-11 14:50:10 +01006074 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6075 input_data->len, output_data,
6076 output_size, &output_length),
6077 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006078
Gilles Peskine449bd832023-01-11 14:50:10 +01006079 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006080
Paul Elliott481be342021-07-16 17:38:47 +01006081 /* ------------------------------------------------------- */
6082
Gilles Peskine449bd832023-01-11 14:50:10 +01006083 TEST_EQUAL(psa_aead_finish(&operation, final_data,
6084 finish_output_size,
6085 &output_part_length,
6086 tag_buffer, tag_length,
6087 &tag_size),
6088 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006089
Gilles Peskine449bd832023-01-11 14:50:10 +01006090 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006091
Paul Elliott481be342021-07-16 17:38:47 +01006092 /* ------------------------------------------------------- */
6093
Gilles Peskine449bd832023-01-11 14:50:10 +01006094 TEST_EQUAL(psa_aead_verify(&operation, final_data,
6095 finish_output_size,
6096 &output_part_length,
6097 tag_buffer,
6098 tag_length),
6099 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006100
Gilles Peskine449bd832023-01-11 14:50:10 +01006101 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006102
6103 /* Test for double setups. */
6104
Gilles Peskine449bd832023-01-11 14:50:10 +01006105 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006106
Gilles Peskine449bd832023-01-11 14:50:10 +01006107 TEST_EQUAL(psa_aead_encrypt_setup(&operation, key, alg),
6108 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006109
Gilles Peskine449bd832023-01-11 14:50:10 +01006110 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006111
Paul Elliott481be342021-07-16 17:38:47 +01006112 /* ------------------------------------------------------- */
6113
Gilles Peskine449bd832023-01-11 14:50:10 +01006114 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006115
Gilles Peskine449bd832023-01-11 14:50:10 +01006116 TEST_EQUAL(psa_aead_decrypt_setup(&operation, key, alg),
6117 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006118
Gilles Peskine449bd832023-01-11 14:50:10 +01006119 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006120
Paul Elliott374a2be2021-07-16 17:53:40 +01006121 /* ------------------------------------------------------- */
6122
Gilles Peskine449bd832023-01-11 14:50:10 +01006123 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott374a2be2021-07-16 17:53:40 +01006124
Gilles Peskine449bd832023-01-11 14:50:10 +01006125 TEST_EQUAL(psa_aead_decrypt_setup(&operation, key, alg),
6126 PSA_ERROR_BAD_STATE);
Paul Elliott374a2be2021-07-16 17:53:40 +01006127
Gilles Peskine449bd832023-01-11 14:50:10 +01006128 psa_aead_abort(&operation);
Paul Elliott374a2be2021-07-16 17:53:40 +01006129
6130 /* ------------------------------------------------------- */
6131
Gilles Peskine449bd832023-01-11 14:50:10 +01006132 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliott374a2be2021-07-16 17:53:40 +01006133
Gilles Peskine449bd832023-01-11 14:50:10 +01006134 TEST_EQUAL(psa_aead_encrypt_setup(&operation, key, alg),
6135 PSA_ERROR_BAD_STATE);
Paul Elliott374a2be2021-07-16 17:53:40 +01006136
Gilles Peskine449bd832023-01-11 14:50:10 +01006137 psa_aead_abort(&operation);
Paul Elliott374a2be2021-07-16 17:53:40 +01006138
Paul Elliottc23a9a02021-06-21 18:32:46 +01006139 /* Test for not setting a nonce. */
6140
Gilles Peskine449bd832023-01-11 14:50:10 +01006141 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006142
Gilles Peskine449bd832023-01-11 14:50:10 +01006143 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6144 additional_data->len),
6145 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006146
Gilles Peskine449bd832023-01-11 14:50:10 +01006147 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006148
Paul Elliott7f628422021-09-01 12:08:29 +01006149 /* ------------------------------------------------------- */
6150
Gilles Peskine449bd832023-01-11 14:50:10 +01006151 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott7f628422021-09-01 12:08:29 +01006152
Gilles Peskine449bd832023-01-11 14:50:10 +01006153 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6154 input_data->len, output_data,
6155 output_size, &output_length),
6156 PSA_ERROR_BAD_STATE);
Paul Elliott7f628422021-09-01 12:08:29 +01006157
Gilles Peskine449bd832023-01-11 14:50:10 +01006158 psa_aead_abort(&operation);
Paul Elliott7f628422021-09-01 12:08:29 +01006159
Paul Elliottbdc2c682021-09-21 18:37:10 +01006160 /* ------------------------------------------------------- */
6161
Gilles Peskine449bd832023-01-11 14:50:10 +01006162 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottbdc2c682021-09-21 18:37:10 +01006163
Gilles Peskine449bd832023-01-11 14:50:10 +01006164 TEST_EQUAL(psa_aead_finish(&operation, final_data,
6165 finish_output_size,
6166 &output_part_length,
6167 tag_buffer, tag_length,
6168 &tag_size),
6169 PSA_ERROR_BAD_STATE);
Paul Elliottbdc2c682021-09-21 18:37:10 +01006170
Gilles Peskine449bd832023-01-11 14:50:10 +01006171 psa_aead_abort(&operation);
Paul Elliottbdc2c682021-09-21 18:37:10 +01006172
6173 /* ------------------------------------------------------- */
6174
Gilles Peskine449bd832023-01-11 14:50:10 +01006175 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliottbdc2c682021-09-21 18:37:10 +01006176
Gilles Peskine449bd832023-01-11 14:50:10 +01006177 TEST_EQUAL(psa_aead_verify(&operation, final_data,
6178 finish_output_size,
6179 &output_part_length,
6180 tag_buffer,
6181 tag_length),
6182 PSA_ERROR_BAD_STATE);
Paul Elliottbdc2c682021-09-21 18:37:10 +01006183
Gilles Peskine449bd832023-01-11 14:50:10 +01006184 psa_aead_abort(&operation);
Paul Elliottbdc2c682021-09-21 18:37:10 +01006185
Paul Elliottc23a9a02021-06-21 18:32:46 +01006186 /* Test for double setting nonce. */
6187
Gilles Peskine449bd832023-01-11 14:50:10 +01006188 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006189
Gilles Peskine449bd832023-01-11 14:50:10 +01006190 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006191
Gilles Peskine449bd832023-01-11 14:50:10 +01006192 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
6193 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006194
Gilles Peskine449bd832023-01-11 14:50:10 +01006195 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006196
Paul Elliott374a2be2021-07-16 17:53:40 +01006197 /* Test for double generating nonce. */
6198
Gilles Peskine449bd832023-01-11 14:50:10 +01006199 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott374a2be2021-07-16 17:53:40 +01006200
Gilles Peskine449bd832023-01-11 14:50:10 +01006201 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6202 PSA_AEAD_NONCE_MAX_SIZE,
6203 &nonce_length));
Paul Elliott374a2be2021-07-16 17:53:40 +01006204
Gilles Peskine449bd832023-01-11 14:50:10 +01006205 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
6206 PSA_AEAD_NONCE_MAX_SIZE,
6207 &nonce_length),
6208 PSA_ERROR_BAD_STATE);
Paul Elliott374a2be2021-07-16 17:53:40 +01006209
6210
Gilles Peskine449bd832023-01-11 14:50:10 +01006211 psa_aead_abort(&operation);
Paul Elliott374a2be2021-07-16 17:53:40 +01006212
6213 /* Test for generate nonce then set and vice versa */
6214
Gilles Peskine449bd832023-01-11 14:50:10 +01006215 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott374a2be2021-07-16 17:53:40 +01006216
Gilles Peskine449bd832023-01-11 14:50:10 +01006217 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6218 PSA_AEAD_NONCE_MAX_SIZE,
6219 &nonce_length));
Paul Elliott374a2be2021-07-16 17:53:40 +01006220
Gilles Peskine449bd832023-01-11 14:50:10 +01006221 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
6222 PSA_ERROR_BAD_STATE);
Paul Elliott374a2be2021-07-16 17:53:40 +01006223
Gilles Peskine449bd832023-01-11 14:50:10 +01006224 psa_aead_abort(&operation);
Paul Elliott374a2be2021-07-16 17:53:40 +01006225
Andrzej Kurekad837522021-12-15 15:28:49 +01006226 /* Test for generating nonce after calling set lengths */
6227
Gilles Peskine449bd832023-01-11 14:50:10 +01006228 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006229
Gilles Peskine449bd832023-01-11 14:50:10 +01006230 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6231 input_data->len));
Andrzej Kurekad837522021-12-15 15:28:49 +01006232
Gilles Peskine449bd832023-01-11 14:50:10 +01006233 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6234 PSA_AEAD_NONCE_MAX_SIZE,
6235 &nonce_length));
Andrzej Kurekad837522021-12-15 15:28:49 +01006236
Gilles Peskine449bd832023-01-11 14:50:10 +01006237 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006238
Andrzej Kurek031df4a2022-01-19 12:44:49 -05006239 /* Test for generating nonce after calling set lengths with UINT32_MAX ad_data length */
Andrzej Kurekad837522021-12-15 15:28:49 +01006240
Gilles Peskine449bd832023-01-11 14:50:10 +01006241 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006242
Gilles Peskine449bd832023-01-11 14:50:10 +01006243 if (operation.alg == PSA_ALG_CCM) {
6244 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX,
6245 input_data->len),
6246 PSA_ERROR_INVALID_ARGUMENT);
6247 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
6248 PSA_AEAD_NONCE_MAX_SIZE,
6249 &nonce_length),
6250 PSA_ERROR_BAD_STATE);
6251 } else {
6252 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX,
6253 input_data->len));
6254 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6255 PSA_AEAD_NONCE_MAX_SIZE,
6256 &nonce_length));
Andrzej Kurekad837522021-12-15 15:28:49 +01006257 }
6258
Gilles Peskine449bd832023-01-11 14:50:10 +01006259 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006260
Andrzej Kurek031df4a2022-01-19 12:44:49 -05006261 /* Test for generating nonce after calling set lengths with SIZE_MAX ad_data length */
Dave Rodgmand26d7442023-02-11 17:14:54 +00006262#if SIZE_MAX > UINT32_MAX
Gilles Peskine449bd832023-01-11 14:50:10 +01006263 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006264
Gilles Peskine449bd832023-01-11 14:50:10 +01006265 if (operation.alg == PSA_ALG_CCM || operation.alg == PSA_ALG_GCM) {
6266 TEST_EQUAL(psa_aead_set_lengths(&operation, SIZE_MAX,
6267 input_data->len),
6268 PSA_ERROR_INVALID_ARGUMENT);
6269 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
6270 PSA_AEAD_NONCE_MAX_SIZE,
6271 &nonce_length),
6272 PSA_ERROR_BAD_STATE);
6273 } else {
6274 PSA_ASSERT(psa_aead_set_lengths(&operation, SIZE_MAX,
6275 input_data->len));
6276 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6277 PSA_AEAD_NONCE_MAX_SIZE,
6278 &nonce_length));
Andrzej Kurekad837522021-12-15 15:28:49 +01006279 }
6280
Gilles Peskine449bd832023-01-11 14:50:10 +01006281 psa_aead_abort(&operation);
Dave Rodgmand26d7442023-02-11 17:14:54 +00006282#endif
Andrzej Kurekad837522021-12-15 15:28:49 +01006283
Andrzej Kurek031df4a2022-01-19 12:44:49 -05006284 /* Test for calling set lengths with a UINT32_MAX ad_data length, after generating nonce */
Andrzej Kurekad837522021-12-15 15:28:49 +01006285
Gilles Peskine449bd832023-01-11 14:50:10 +01006286 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006287
Gilles Peskine449bd832023-01-11 14:50:10 +01006288 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6289 PSA_AEAD_NONCE_MAX_SIZE,
6290 &nonce_length));
Andrzej Kurekad837522021-12-15 15:28:49 +01006291
Gilles Peskine449bd832023-01-11 14:50:10 +01006292 if (operation.alg == PSA_ALG_CCM) {
6293 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX,
6294 input_data->len),
6295 PSA_ERROR_INVALID_ARGUMENT);
6296 } else {
6297 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX,
6298 input_data->len));
Andrzej Kurekad837522021-12-15 15:28:49 +01006299 }
6300
Gilles Peskine449bd832023-01-11 14:50:10 +01006301 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006302
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006303 /* ------------------------------------------------------- */
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006304 /* Test for setting nonce after calling set lengths */
6305
Gilles Peskine449bd832023-01-11 14:50:10 +01006306 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006307
Gilles Peskine449bd832023-01-11 14:50:10 +01006308 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6309 input_data->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006310
Gilles Peskine449bd832023-01-11 14:50:10 +01006311 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006312
Gilles Peskine449bd832023-01-11 14:50:10 +01006313 psa_aead_abort(&operation);
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006314
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006315 /* Test for setting nonce after calling set lengths with UINT32_MAX ad_data length */
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006316
Gilles Peskine449bd832023-01-11 14:50:10 +01006317 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006318
Gilles Peskine449bd832023-01-11 14:50:10 +01006319 if (operation.alg == PSA_ALG_CCM) {
6320 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX,
6321 input_data->len),
6322 PSA_ERROR_INVALID_ARGUMENT);
6323 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
6324 PSA_ERROR_BAD_STATE);
6325 } else {
6326 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX,
6327 input_data->len));
6328 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006329 }
6330
Gilles Peskine449bd832023-01-11 14:50:10 +01006331 psa_aead_abort(&operation);
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006332
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006333 /* Test for setting nonce after calling set lengths with SIZE_MAX ad_data length */
Dave Rodgmana4763632023-02-11 18:36:23 +00006334#if SIZE_MAX > UINT32_MAX
Gilles Peskine449bd832023-01-11 14:50:10 +01006335 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006336
Gilles Peskine449bd832023-01-11 14:50:10 +01006337 if (operation.alg == PSA_ALG_CCM || operation.alg == PSA_ALG_GCM) {
6338 TEST_EQUAL(psa_aead_set_lengths(&operation, SIZE_MAX,
6339 input_data->len),
6340 PSA_ERROR_INVALID_ARGUMENT);
6341 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
6342 PSA_ERROR_BAD_STATE);
6343 } else {
6344 PSA_ASSERT(psa_aead_set_lengths(&operation, SIZE_MAX,
6345 input_data->len));
6346 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006347 }
6348
Gilles Peskine449bd832023-01-11 14:50:10 +01006349 psa_aead_abort(&operation);
Dave Rodgmana4763632023-02-11 18:36:23 +00006350#endif
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006351
Andrzej Kurek031df4a2022-01-19 12:44:49 -05006352 /* Test for calling set lengths with an ad_data length of UINT32_MAX, after setting nonce */
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006353
Gilles Peskine449bd832023-01-11 14:50:10 +01006354 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006355
Gilles Peskine449bd832023-01-11 14:50:10 +01006356 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006357
Gilles Peskine449bd832023-01-11 14:50:10 +01006358 if (operation.alg == PSA_ALG_CCM) {
6359 TEST_EQUAL(psa_aead_set_lengths(&operation, UINT32_MAX,
6360 input_data->len),
6361 PSA_ERROR_INVALID_ARGUMENT);
6362 } else {
6363 PSA_ASSERT(psa_aead_set_lengths(&operation, UINT32_MAX,
6364 input_data->len));
Andrzej Kurek1e8e1742021-12-25 23:50:53 +01006365 }
6366
Gilles Peskine449bd832023-01-11 14:50:10 +01006367 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006368
Andrzej Kurek031df4a2022-01-19 12:44:49 -05006369 /* Test for setting nonce after calling set lengths with plaintext length of SIZE_MAX */
Dave Rodgman91e83212023-02-11 20:07:43 +00006370#if SIZE_MAX > UINT32_MAX
Gilles Peskine449bd832023-01-11 14:50:10 +01006371 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006372
Gilles Peskine449bd832023-01-11 14:50:10 +01006373 if (operation.alg == PSA_ALG_GCM) {
6374 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6375 SIZE_MAX),
6376 PSA_ERROR_INVALID_ARGUMENT);
6377 TEST_EQUAL(psa_aead_set_nonce(&operation, nonce->x, nonce->len),
6378 PSA_ERROR_BAD_STATE);
6379 } else if (operation.alg != PSA_ALG_CCM) {
6380 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6381 SIZE_MAX));
6382 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006383 }
6384
Gilles Peskine449bd832023-01-11 14:50:10 +01006385 psa_aead_abort(&operation);
Dave Rodgman91e83212023-02-11 20:07:43 +00006386#endif
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006387
Tom Cosgrove1797b052022-12-04 17:19:59 +00006388 /* Test for calling set lengths with a plaintext length of SIZE_MAX, after setting nonce */
Dave Rodgman641288b2023-02-11 22:02:04 +00006389#if SIZE_MAX > UINT32_MAX
Gilles Peskine449bd832023-01-11 14:50:10 +01006390 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006391
Gilles Peskine449bd832023-01-11 14:50:10 +01006392 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006393
Gilles Peskine449bd832023-01-11 14:50:10 +01006394 if (operation.alg == PSA_ALG_GCM) {
6395 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6396 SIZE_MAX),
6397 PSA_ERROR_INVALID_ARGUMENT);
6398 } else if (operation.alg != PSA_ALG_CCM) {
6399 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6400 SIZE_MAX));
Andrzej Kureke5f94fb2021-12-26 01:00:20 +01006401 }
6402
Gilles Peskine449bd832023-01-11 14:50:10 +01006403 psa_aead_abort(&operation);
Dave Rodgman641288b2023-02-11 22:02:04 +00006404#endif
Paul Elliott374a2be2021-07-16 17:53:40 +01006405
6406 /* ------------------------------------------------------- */
6407
Gilles Peskine449bd832023-01-11 14:50:10 +01006408 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott374a2be2021-07-16 17:53:40 +01006409
Gilles Peskine449bd832023-01-11 14:50:10 +01006410 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott374a2be2021-07-16 17:53:40 +01006411
Gilles Peskine449bd832023-01-11 14:50:10 +01006412 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
6413 PSA_AEAD_NONCE_MAX_SIZE,
6414 &nonce_length),
6415 PSA_ERROR_BAD_STATE);
Paul Elliott374a2be2021-07-16 17:53:40 +01006416
Gilles Peskine449bd832023-01-11 14:50:10 +01006417 psa_aead_abort(&operation);
Paul Elliott374a2be2021-07-16 17:53:40 +01006418
Paul Elliott7220cae2021-06-22 17:25:57 +01006419 /* Test for generating nonce in decrypt setup. */
6420
Gilles Peskine449bd832023-01-11 14:50:10 +01006421 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliott7220cae2021-06-22 17:25:57 +01006422
Gilles Peskine449bd832023-01-11 14:50:10 +01006423 TEST_EQUAL(psa_aead_generate_nonce(&operation, nonce_buffer,
6424 PSA_AEAD_NONCE_MAX_SIZE,
6425 &nonce_length),
6426 PSA_ERROR_BAD_STATE);
Paul Elliott7220cae2021-06-22 17:25:57 +01006427
Gilles Peskine449bd832023-01-11 14:50:10 +01006428 psa_aead_abort(&operation);
Paul Elliott7220cae2021-06-22 17:25:57 +01006429
Paul Elliottc23a9a02021-06-21 18:32:46 +01006430 /* Test for setting lengths twice. */
6431
Gilles Peskine449bd832023-01-11 14:50:10 +01006432 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006433
Gilles Peskine449bd832023-01-11 14:50:10 +01006434 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006435
Gilles Peskine449bd832023-01-11 14:50:10 +01006436 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6437 input_data->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006438
Gilles Peskine449bd832023-01-11 14:50:10 +01006439 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6440 input_data->len),
6441 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006442
Gilles Peskine449bd832023-01-11 14:50:10 +01006443 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006444
Andrzej Kurekad837522021-12-15 15:28:49 +01006445 /* Test for setting lengths after setting nonce + already starting data. */
Paul Elliottc23a9a02021-06-21 18:32:46 +01006446
Gilles Peskine449bd832023-01-11 14:50:10 +01006447 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006448
Gilles Peskine449bd832023-01-11 14:50:10 +01006449 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006450
Gilles Peskine449bd832023-01-11 14:50:10 +01006451 if (operation.alg == PSA_ALG_CCM) {
Paul Elliottf94bd992021-09-19 18:15:59 +01006452
Gilles Peskine449bd832023-01-11 14:50:10 +01006453 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6454 additional_data->len),
6455 PSA_ERROR_BAD_STATE);
6456 } else {
6457 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
6458 additional_data->len));
6459
6460 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6461 input_data->len),
6462 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006463 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006464 psa_aead_abort(&operation);
Paul Elliottf94bd992021-09-19 18:15:59 +01006465
6466 /* ------------------------------------------------------- */
6467
Gilles Peskine449bd832023-01-11 14:50:10 +01006468 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottf94bd992021-09-19 18:15:59 +01006469
Gilles Peskine449bd832023-01-11 14:50:10 +01006470 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottf94bd992021-09-19 18:15:59 +01006471
Gilles Peskine449bd832023-01-11 14:50:10 +01006472 if (operation.alg == PSA_ALG_CCM) {
6473 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6474 input_data->len, output_data,
6475 output_size, &output_length),
6476 PSA_ERROR_BAD_STATE);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006477
Gilles Peskine449bd832023-01-11 14:50:10 +01006478 } else {
6479 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
6480 input_data->len, output_data,
6481 output_size, &output_length));
6482
6483 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6484 input_data->len),
6485 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006486 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006487 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006488
6489 /* ------------------------------------------------------- */
6490
Gilles Peskine449bd832023-01-11 14:50:10 +01006491 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006492
Gilles Peskine449bd832023-01-11 14:50:10 +01006493 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Andrzej Kurekad837522021-12-15 15:28:49 +01006494
Gilles Peskine449bd832023-01-11 14:50:10 +01006495 if (operation.alg == PSA_ALG_CCM) {
6496 PSA_ASSERT(psa_aead_finish(&operation, final_data,
6497 finish_output_size,
6498 &output_part_length,
6499 tag_buffer, tag_length,
6500 &tag_size));
6501 } else {
6502 PSA_ASSERT(psa_aead_finish(&operation, final_data,
6503 finish_output_size,
6504 &output_part_length,
6505 tag_buffer, tag_length,
6506 &tag_size));
6507
6508 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6509 input_data->len),
6510 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006511 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006512 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006513
6514 /* Test for setting lengths after generating nonce + already starting data. */
6515
Gilles Peskine449bd832023-01-11 14:50:10 +01006516 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006517
Gilles Peskine449bd832023-01-11 14:50:10 +01006518 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6519 PSA_AEAD_NONCE_MAX_SIZE,
6520 &nonce_length));
6521 if (operation.alg == PSA_ALG_CCM) {
Andrzej Kurekad837522021-12-15 15:28:49 +01006522
Gilles Peskine449bd832023-01-11 14:50:10 +01006523 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6524 additional_data->len),
6525 PSA_ERROR_BAD_STATE);
6526 } else {
6527 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
6528 additional_data->len));
6529
6530 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6531 input_data->len),
6532 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006533 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006534 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006535
6536 /* ------------------------------------------------------- */
6537
Gilles Peskine449bd832023-01-11 14:50:10 +01006538 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006539
Gilles Peskine449bd832023-01-11 14:50:10 +01006540 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6541 PSA_AEAD_NONCE_MAX_SIZE,
6542 &nonce_length));
6543 if (operation.alg == PSA_ALG_CCM) {
6544 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6545 input_data->len, output_data,
6546 output_size, &output_length),
6547 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006548
Gilles Peskine449bd832023-01-11 14:50:10 +01006549 } else {
6550 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
6551 input_data->len, output_data,
6552 output_size, &output_length));
6553
6554 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6555 input_data->len),
6556 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006557 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006558 psa_aead_abort(&operation);
Andrzej Kurekad837522021-12-15 15:28:49 +01006559
6560 /* ------------------------------------------------------- */
6561
Gilles Peskine449bd832023-01-11 14:50:10 +01006562 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Andrzej Kurekad837522021-12-15 15:28:49 +01006563
Gilles Peskine449bd832023-01-11 14:50:10 +01006564 PSA_ASSERT(psa_aead_generate_nonce(&operation, nonce_buffer,
6565 PSA_AEAD_NONCE_MAX_SIZE,
6566 &nonce_length));
6567 if (operation.alg == PSA_ALG_CCM) {
6568 PSA_ASSERT(psa_aead_finish(&operation, final_data,
6569 finish_output_size,
6570 &output_part_length,
6571 tag_buffer, tag_length,
6572 &tag_size));
6573 } else {
6574 PSA_ASSERT(psa_aead_finish(&operation, final_data,
6575 finish_output_size,
6576 &output_part_length,
6577 tag_buffer, tag_length,
6578 &tag_size));
Andrzej Kurekad837522021-12-15 15:28:49 +01006579
Gilles Peskine449bd832023-01-11 14:50:10 +01006580 TEST_EQUAL(psa_aead_set_lengths(&operation, additional_data->len,
6581 input_data->len),
6582 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006583 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006584 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006585
Paul Elliott243080c2021-07-21 19:01:17 +01006586 /* Test for not sending any additional data or data after setting non zero
6587 * lengths for them. (encrypt) */
Paul Elliottc23a9a02021-06-21 18:32:46 +01006588
Gilles Peskine449bd832023-01-11 14:50:10 +01006589 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006590
Gilles Peskine449bd832023-01-11 14:50:10 +01006591 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006592
Gilles Peskine449bd832023-01-11 14:50:10 +01006593 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6594 input_data->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006595
Gilles Peskine449bd832023-01-11 14:50:10 +01006596 TEST_EQUAL(psa_aead_finish(&operation, final_data,
6597 finish_output_size,
6598 &output_part_length,
6599 tag_buffer, tag_length,
6600 &tag_size),
6601 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006602
Gilles Peskine449bd832023-01-11 14:50:10 +01006603 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006604
Paul Elliott243080c2021-07-21 19:01:17 +01006605 /* Test for not sending any additional data or data after setting non-zero
6606 * lengths for them. (decrypt) */
Paul Elliottc23a9a02021-06-21 18:32:46 +01006607
Gilles Peskine449bd832023-01-11 14:50:10 +01006608 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006609
Gilles Peskine449bd832023-01-11 14:50:10 +01006610 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006611
Gilles Peskine449bd832023-01-11 14:50:10 +01006612 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6613 input_data->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006614
Gilles Peskine449bd832023-01-11 14:50:10 +01006615 TEST_EQUAL(psa_aead_verify(&operation, final_data,
6616 finish_output_size,
6617 &output_part_length,
6618 tag_buffer,
6619 tag_length),
6620 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006621
Gilles Peskine449bd832023-01-11 14:50:10 +01006622 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006623
Paul Elliott243080c2021-07-21 19:01:17 +01006624 /* Test for not sending any additional data after setting a non-zero length
6625 * for it. */
Paul Elliottc23a9a02021-06-21 18:32:46 +01006626
Gilles Peskine449bd832023-01-11 14:50:10 +01006627 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006628
Gilles Peskine449bd832023-01-11 14:50:10 +01006629 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006630
Gilles Peskine449bd832023-01-11 14:50:10 +01006631 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6632 input_data->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006633
Gilles Peskine449bd832023-01-11 14:50:10 +01006634 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6635 input_data->len, output_data,
6636 output_size, &output_length),
6637 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006638
Gilles Peskine449bd832023-01-11 14:50:10 +01006639 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006640
Paul Elliottf94bd992021-09-19 18:15:59 +01006641 /* Test for not sending any data after setting a non-zero length for it.*/
6642
Gilles Peskine449bd832023-01-11 14:50:10 +01006643 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottf94bd992021-09-19 18:15:59 +01006644
Gilles Peskine449bd832023-01-11 14:50:10 +01006645 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottf94bd992021-09-19 18:15:59 +01006646
Gilles Peskine449bd832023-01-11 14:50:10 +01006647 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6648 input_data->len));
Paul Elliottf94bd992021-09-19 18:15:59 +01006649
Gilles Peskine449bd832023-01-11 14:50:10 +01006650 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
6651 additional_data->len));
Paul Elliottf94bd992021-09-19 18:15:59 +01006652
Gilles Peskine449bd832023-01-11 14:50:10 +01006653 TEST_EQUAL(psa_aead_finish(&operation, final_data,
6654 finish_output_size,
6655 &output_part_length,
6656 tag_buffer, tag_length,
6657 &tag_size),
6658 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottf94bd992021-09-19 18:15:59 +01006659
Gilles Peskine449bd832023-01-11 14:50:10 +01006660 psa_aead_abort(&operation);
Paul Elliottf94bd992021-09-19 18:15:59 +01006661
Paul Elliottb0450fe2021-09-01 15:06:26 +01006662 /* Test for sending too much additional data after setting lengths. */
6663
Gilles Peskine449bd832023-01-11 14:50:10 +01006664 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006665
Gilles Peskine449bd832023-01-11 14:50:10 +01006666 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006667
Gilles Peskine449bd832023-01-11 14:50:10 +01006668 PSA_ASSERT(psa_aead_set_lengths(&operation, 0, 0));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006669
6670
Gilles Peskine449bd832023-01-11 14:50:10 +01006671 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6672 additional_data->len),
6673 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottb0450fe2021-09-01 15:06:26 +01006674
Gilles Peskine449bd832023-01-11 14:50:10 +01006675 psa_aead_abort(&operation);
Paul Elliottb0450fe2021-09-01 15:06:26 +01006676
Paul Elliotta2a09b02021-09-22 14:56:40 +01006677 /* ------------------------------------------------------- */
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006678
Gilles Peskine449bd832023-01-11 14:50:10 +01006679 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006680
Gilles Peskine449bd832023-01-11 14:50:10 +01006681 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006682
Gilles Peskine449bd832023-01-11 14:50:10 +01006683 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6684 input_data->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006685
Gilles Peskine449bd832023-01-11 14:50:10 +01006686 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
6687 additional_data->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006688
Gilles Peskine449bd832023-01-11 14:50:10 +01006689 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6690 1),
6691 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006692
Gilles Peskine449bd832023-01-11 14:50:10 +01006693 psa_aead_abort(&operation);
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006694
Paul Elliottb0450fe2021-09-01 15:06:26 +01006695 /* Test for sending too much data after setting lengths. */
6696
Gilles Peskine449bd832023-01-11 14:50:10 +01006697 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006698
Gilles Peskine449bd832023-01-11 14:50:10 +01006699 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006700
Gilles Peskine449bd832023-01-11 14:50:10 +01006701 PSA_ASSERT(psa_aead_set_lengths(&operation, 0, 0));
Paul Elliottb0450fe2021-09-01 15:06:26 +01006702
Gilles Peskine449bd832023-01-11 14:50:10 +01006703 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6704 input_data->len, output_data,
6705 output_size, &output_length),
6706 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottb0450fe2021-09-01 15:06:26 +01006707
Gilles Peskine449bd832023-01-11 14:50:10 +01006708 psa_aead_abort(&operation);
Paul Elliottb0450fe2021-09-01 15:06:26 +01006709
Paul Elliotta2a09b02021-09-22 14:56:40 +01006710 /* ------------------------------------------------------- */
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006711
Gilles Peskine449bd832023-01-11 14:50:10 +01006712 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006713
Gilles Peskine449bd832023-01-11 14:50:10 +01006714 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006715
Gilles Peskine449bd832023-01-11 14:50:10 +01006716 PSA_ASSERT(psa_aead_set_lengths(&operation, additional_data->len,
6717 input_data->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006718
Gilles Peskine449bd832023-01-11 14:50:10 +01006719 PSA_ASSERT(psa_aead_update_ad(&operation, additional_data->x,
6720 additional_data->len));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006721
Gilles Peskine449bd832023-01-11 14:50:10 +01006722 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
6723 input_data->len, output_data,
6724 output_size, &output_length));
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006725
Gilles Peskine449bd832023-01-11 14:50:10 +01006726 TEST_EQUAL(psa_aead_update(&operation, input_data->x,
6727 1, output_data,
6728 output_size, &output_length),
6729 PSA_ERROR_INVALID_ARGUMENT);
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006730
Gilles Peskine449bd832023-01-11 14:50:10 +01006731 psa_aead_abort(&operation);
Paul Elliottfd0c154c2021-09-17 18:03:52 +01006732
Paul Elliottc23a9a02021-06-21 18:32:46 +01006733 /* Test sending additional data after data. */
6734
Gilles Peskine449bd832023-01-11 14:50:10 +01006735 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006736
Gilles Peskine449bd832023-01-11 14:50:10 +01006737 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006738
Gilles Peskine449bd832023-01-11 14:50:10 +01006739 if (operation.alg != PSA_ALG_CCM) {
6740 PSA_ASSERT(psa_aead_update(&operation, input_data->x,
6741 input_data->len, output_data,
6742 output_size, &output_length));
Paul Elliottc23a9a02021-06-21 18:32:46 +01006743
Gilles Peskine449bd832023-01-11 14:50:10 +01006744 TEST_EQUAL(psa_aead_update_ad(&operation, additional_data->x,
6745 additional_data->len),
6746 PSA_ERROR_BAD_STATE);
Andrzej Kurekad837522021-12-15 15:28:49 +01006747 }
Gilles Peskine449bd832023-01-11 14:50:10 +01006748 psa_aead_abort(&operation);
Paul Elliottc23a9a02021-06-21 18:32:46 +01006749
Paul Elliott534d0b42021-06-22 19:15:20 +01006750 /* Test calling finish on decryption. */
6751
Gilles Peskine449bd832023-01-11 14:50:10 +01006752 PSA_ASSERT(psa_aead_decrypt_setup(&operation, key, alg));
Paul Elliott534d0b42021-06-22 19:15:20 +01006753
Gilles Peskine449bd832023-01-11 14:50:10 +01006754 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott534d0b42021-06-22 19:15:20 +01006755
Gilles Peskine449bd832023-01-11 14:50:10 +01006756 TEST_EQUAL(psa_aead_finish(&operation, final_data,
6757 finish_output_size,
6758 &output_part_length,
6759 tag_buffer, tag_length,
6760 &tag_size),
6761 PSA_ERROR_BAD_STATE);
Paul Elliott534d0b42021-06-22 19:15:20 +01006762
Gilles Peskine449bd832023-01-11 14:50:10 +01006763 psa_aead_abort(&operation);
Paul Elliott534d0b42021-06-22 19:15:20 +01006764
6765 /* Test calling verify on encryption. */
6766
Gilles Peskine449bd832023-01-11 14:50:10 +01006767 PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
Paul Elliott534d0b42021-06-22 19:15:20 +01006768
Gilles Peskine449bd832023-01-11 14:50:10 +01006769 PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
Paul Elliott534d0b42021-06-22 19:15:20 +01006770
Gilles Peskine449bd832023-01-11 14:50:10 +01006771 TEST_EQUAL(psa_aead_verify(&operation, final_data,
6772 finish_output_size,
6773 &output_part_length,
6774 tag_buffer,
6775 tag_length),
6776 PSA_ERROR_BAD_STATE);
Paul Elliott534d0b42021-06-22 19:15:20 +01006777
Gilles Peskine449bd832023-01-11 14:50:10 +01006778 psa_aead_abort(&operation);
Paul Elliott534d0b42021-06-22 19:15:20 +01006779
6780
Paul Elliottc23a9a02021-06-21 18:32:46 +01006781exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01006782 psa_destroy_key(key);
6783 psa_aead_abort(&operation);
6784 mbedtls_free(output_data);
6785 mbedtls_free(final_data);
6786 PSA_DONE();
Paul Elliottc23a9a02021-06-21 18:32:46 +01006787}
6788/* END_CASE */
6789
6790/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01006791void signature_size(int type_arg,
6792 int bits,
6793 int alg_arg,
6794 int expected_size_arg)
Gilles Peskinee59236f2018-01-27 23:32:46 +01006795{
6796 psa_key_type_t type = type_arg;
6797 psa_algorithm_t alg = alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01006798 size_t actual_size = PSA_SIGN_OUTPUT_SIZE(type, bits, alg);
Gilles Peskine841b14b2019-11-26 17:37:37 +01006799
Gilles Peskine449bd832023-01-11 14:50:10 +01006800 TEST_EQUAL(actual_size, (size_t) expected_size_arg);
Gilles Peskine841b14b2019-11-26 17:37:37 +01006801
Gilles Peskinee59236f2018-01-27 23:32:46 +01006802exit:
6803 ;
6804}
6805/* END_CASE */
6806
6807/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01006808void sign_hash_deterministic(int key_type_arg, data_t *key_data,
6809 int alg_arg, data_t *input_data,
6810 data_t *output_data)
Gilles Peskinee59236f2018-01-27 23:32:46 +01006811{
Ronald Cron5425a212020-08-04 14:58:35 +02006812 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinee59236f2018-01-27 23:32:46 +01006813 psa_key_type_t key_type = key_type_arg;
6814 psa_algorithm_t alg = alg_arg;
Gilles Peskine20035e32018-02-03 22:44:14 +01006815 size_t key_bits;
Gilles Peskine20035e32018-02-03 22:44:14 +01006816 unsigned char *signature = NULL;
6817 size_t signature_size;
6818 size_t signature_length = 0xdeadbeef;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02006819 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine20035e32018-02-03 22:44:14 +01006820
Gilles Peskine449bd832023-01-11 14:50:10 +01006821 PSA_ASSERT(psa_crypto_init());
Gilles Peskine20035e32018-02-03 22:44:14 +01006822
Gilles Peskine449bd832023-01-11 14:50:10 +01006823 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
6824 psa_set_key_algorithm(&attributes, alg);
6825 psa_set_key_type(&attributes, key_type);
mohammad1603a97cb8c2018-03-28 03:46:26 -07006826
Gilles Peskine449bd832023-01-11 14:50:10 +01006827 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
6828 &key));
6829 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
6830 key_bits = psa_get_key_bits(&attributes);
Gilles Peskine20035e32018-02-03 22:44:14 +01006831
Shaun Case8b0ecbc2021-12-20 21:14:10 -08006832 /* Allocate a buffer which has the size advertised by the
Gilles Peskine860ce9d2018-06-28 12:23:00 +02006833 * library. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006834 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
6835 key_bits, alg);
6836 TEST_ASSERT(signature_size != 0);
6837 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01006838 TEST_CALLOC(signature, signature_size);
Gilles Peskine20035e32018-02-03 22:44:14 +01006839
Gilles Peskine860ce9d2018-06-28 12:23:00 +02006840 /* Perform the signature. */
Gilles Peskine449bd832023-01-11 14:50:10 +01006841 PSA_ASSERT(psa_sign_hash(key, alg,
6842 input_data->x, input_data->len,
6843 signature, signature_size,
6844 &signature_length));
Gilles Peskine9911b022018-06-29 17:30:48 +02006845 /* Verify that the signature is what is expected. */
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01006846 TEST_MEMORY_COMPARE(output_data->x, output_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01006847 signature, signature_length);
Gilles Peskine20035e32018-02-03 22:44:14 +01006848
6849exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01006850 /*
6851 * Key attributes may have been returned by psa_get_key_attributes()
6852 * thus reset them as required.
6853 */
Gilles Peskine449bd832023-01-11 14:50:10 +01006854 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01006855
Gilles Peskine449bd832023-01-11 14:50:10 +01006856 psa_destroy_key(key);
6857 mbedtls_free(signature);
6858 PSA_DONE();
Gilles Peskine20035e32018-02-03 22:44:14 +01006859}
6860/* END_CASE */
6861
Paul Elliott712d5122022-12-07 14:03:10 +00006862/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00006863/**
6864 * sign_hash_interruptible() test intentions:
6865 *
6866 * Note: This test can currently only handle ECDSA.
6867 *
6868 * 1. Test interruptible sign hash with known outcomes (deterministic ECDSA
Paul Elliott8c092052023-03-06 17:49:14 +00006869 * and private keys / keypairs only).
Paul Elliottc7f68822023-02-24 17:37:04 +00006870 *
6871 * 2. Test the number of calls to psa_sign_hash_complete() required are as
6872 * expected for different max_ops values.
6873 *
6874 * 3. Test that the number of ops done prior to start and after abort is zero
6875 * and that each successful stage completes some ops (this is not mandated by
6876 * the PSA specification, but is currently the case).
6877 *
6878 * 4. Test that calling psa_sign_hash_get_num_ops() multiple times between
6879 * complete() calls does not alter the number of ops returned.
6880 */
Paul Elliott712d5122022-12-07 14:03:10 +00006881void sign_hash_interruptible(int key_type_arg, data_t *key_data,
6882 int alg_arg, data_t *input_data,
Paul Elliottab7c5c82023-02-03 15:49:42 +00006883 data_t *output_data, int max_ops_arg)
Paul Elliott712d5122022-12-07 14:03:10 +00006884{
6885 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
6886 psa_key_type_t key_type = key_type_arg;
6887 psa_algorithm_t alg = alg_arg;
6888 size_t key_bits;
6889 unsigned char *signature = NULL;
6890 size_t signature_size;
6891 size_t signature_length = 0xdeadbeef;
6892 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
6893 psa_status_t status = PSA_OPERATION_INCOMPLETE;
Paul Elliottab7c5c82023-02-03 15:49:42 +00006894 uint32_t num_ops = 0;
6895 uint32_t max_ops = max_ops_arg;
Paul Elliott712d5122022-12-07 14:03:10 +00006896 size_t num_ops_prior = 0;
Paul Elliott0c683352022-12-16 19:16:56 +00006897 size_t num_completes = 0;
Paul Elliott97ac7d92023-01-23 18:09:06 +00006898 size_t min_completes = 0;
6899 size_t max_completes = 0;
Paul Elliottab7c5c82023-02-03 15:49:42 +00006900
Paul Elliott712d5122022-12-07 14:03:10 +00006901 psa_sign_hash_interruptible_operation_t operation =
6902 psa_sign_hash_interruptible_operation_init();
6903
6904 PSA_ASSERT(psa_crypto_init());
6905
6906 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
6907 psa_set_key_algorithm(&attributes, alg);
6908 psa_set_key_type(&attributes, key_type);
6909
6910 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
6911 &key));
6912 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
6913 key_bits = psa_get_key_bits(&attributes);
6914
6915 /* Allocate a buffer which has the size advertised by the
6916 * library. */
6917 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
6918 key_bits, alg);
6919 TEST_ASSERT(signature_size != 0);
6920 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01006921 TEST_CALLOC(signature, signature_size);
Paul Elliott712d5122022-12-07 14:03:10 +00006922
Paul Elliott0c683352022-12-16 19:16:56 +00006923 psa_interruptible_set_max_ops(max_ops);
6924
Paul Elliott6f600372023-02-06 18:41:05 +00006925 interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
6926 &min_completes, &max_completes);
Paul Elliott97ac7d92023-01-23 18:09:06 +00006927
Paul Elliott712d5122022-12-07 14:03:10 +00006928 num_ops_prior = psa_sign_hash_get_num_ops(&operation);
6929 TEST_ASSERT(num_ops_prior == 0);
6930
6931 /* Start performing the signature. */
6932 PSA_ASSERT(psa_sign_hash_start(&operation, key, alg,
6933 input_data->x, input_data->len));
6934
6935 num_ops_prior = psa_sign_hash_get_num_ops(&operation);
6936 TEST_ASSERT(num_ops_prior == 0);
6937
6938 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00006939 do {
Paul Elliott712d5122022-12-07 14:03:10 +00006940 status = psa_sign_hash_complete(&operation, signature, signature_size,
6941 &signature_length);
6942
Paul Elliott0c683352022-12-16 19:16:56 +00006943 num_completes++;
6944
Paul Elliott712d5122022-12-07 14:03:10 +00006945 if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
6946 num_ops = psa_sign_hash_get_num_ops(&operation);
Paul Elliott96b89b22023-02-15 23:10:37 +00006947 /* We are asserting here that every complete makes progress
6948 * (completes some ops), which is true of the internal
6949 * implementation and probably any implementation, however this is
6950 * not mandated by the PSA specification. */
Paul Elliott712d5122022-12-07 14:03:10 +00006951 TEST_ASSERT(num_ops > num_ops_prior);
Paul Elliott0c683352022-12-16 19:16:56 +00006952
Paul Elliott712d5122022-12-07 14:03:10 +00006953 num_ops_prior = num_ops;
Paul Elliottf8e5b562023-02-19 18:43:45 +00006954
6955 /* Ensure calling get_num_ops() twice still returns the same
6956 * number of ops as previously reported. */
6957 num_ops = psa_sign_hash_get_num_ops(&operation);
6958
6959 TEST_EQUAL(num_ops, num_ops_prior);
Paul Elliott712d5122022-12-07 14:03:10 +00006960 }
Paul Elliottedfc8832023-01-20 17:13:10 +00006961 } while (status == PSA_OPERATION_INCOMPLETE);
Paul Elliott712d5122022-12-07 14:03:10 +00006962
6963 TEST_ASSERT(status == PSA_SUCCESS);
6964
Paul Elliott0c683352022-12-16 19:16:56 +00006965 TEST_LE_U(min_completes, num_completes);
6966 TEST_LE_U(num_completes, max_completes);
6967
Paul Elliott712d5122022-12-07 14:03:10 +00006968 /* Verify that the signature is what is expected. */
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01006969 TEST_MEMORY_COMPARE(output_data->x, output_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01006970 signature, signature_length);
Paul Elliott712d5122022-12-07 14:03:10 +00006971
6972 PSA_ASSERT(psa_sign_hash_abort(&operation));
6973
Paul Elliott59ad9452022-12-18 15:09:02 +00006974 num_ops = psa_sign_hash_get_num_ops(&operation);
6975 TEST_ASSERT(num_ops == 0);
6976
Paul Elliott712d5122022-12-07 14:03:10 +00006977exit:
6978
6979 /*
6980 * Key attributes may have been returned by psa_get_key_attributes()
6981 * thus reset them as required.
6982 */
6983 psa_reset_key_attributes(&attributes);
6984
6985 psa_destroy_key(key);
6986 mbedtls_free(signature);
6987 PSA_DONE();
6988}
6989/* END_CASE */
6990
Gilles Peskine20035e32018-02-03 22:44:14 +01006991/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01006992void sign_hash_fail(int key_type_arg, data_t *key_data,
6993 int alg_arg, data_t *input_data,
6994 int signature_size_arg, int expected_status_arg)
Gilles Peskine20035e32018-02-03 22:44:14 +01006995{
Ronald Cron5425a212020-08-04 14:58:35 +02006996 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine20035e32018-02-03 22:44:14 +01006997 psa_key_type_t key_type = key_type_arg;
6998 psa_algorithm_t alg = alg_arg;
Gilles Peskine860ce9d2018-06-28 12:23:00 +02006999 size_t signature_size = signature_size_arg;
Gilles Peskine20035e32018-02-03 22:44:14 +01007000 psa_status_t actual_status;
7001 psa_status_t expected_status = expected_status_arg;
Gilles Peskine40f68b92018-03-07 16:43:36 +01007002 unsigned char *signature = NULL;
Gilles Peskine93aa0332018-02-03 23:58:03 +01007003 size_t signature_length = 0xdeadbeef;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02007004 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine20035e32018-02-03 22:44:14 +01007005
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007006 TEST_CALLOC(signature, signature_size);
Gilles Peskine20035e32018-02-03 22:44:14 +01007007
Gilles Peskine449bd832023-01-11 14:50:10 +01007008 PSA_ASSERT(psa_crypto_init());
Gilles Peskine20035e32018-02-03 22:44:14 +01007009
Gilles Peskine449bd832023-01-11 14:50:10 +01007010 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
7011 psa_set_key_algorithm(&attributes, alg);
7012 psa_set_key_type(&attributes, key_type);
mohammad1603a97cb8c2018-03-28 03:46:26 -07007013
Gilles Peskine449bd832023-01-11 14:50:10 +01007014 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7015 &key));
Gilles Peskine20035e32018-02-03 22:44:14 +01007016
Gilles Peskine449bd832023-01-11 14:50:10 +01007017 actual_status = psa_sign_hash(key, alg,
7018 input_data->x, input_data->len,
7019 signature, signature_size,
7020 &signature_length);
7021 TEST_EQUAL(actual_status, expected_status);
Gilles Peskine860ce9d2018-06-28 12:23:00 +02007022 /* The value of *signature_length is unspecified on error, but
7023 * whatever it is, it should be less than signature_size, so that
7024 * if the caller tries to read *signature_length bytes without
7025 * checking the error code then they don't overflow a buffer. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007026 TEST_LE_U(signature_length, signature_size);
Gilles Peskine20035e32018-02-03 22:44:14 +01007027
7028exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01007029 psa_reset_key_attributes(&attributes);
7030 psa_destroy_key(key);
7031 mbedtls_free(signature);
7032 PSA_DONE();
Gilles Peskine20035e32018-02-03 22:44:14 +01007033}
7034/* END_CASE */
mohammad16038cc1cee2018-03-28 01:21:33 +03007035
Paul Elliott91007972022-12-16 12:21:24 +00007036/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007037/**
7038 * sign_hash_fail_interruptible() test intentions:
7039 *
7040 * Note: This test can currently only handle ECDSA.
7041 *
7042 * 1. Test that various failure cases for interruptible sign hash fail with the
7043 * correct error codes, and at the correct point (at start or during
7044 * complete).
7045 *
7046 * 2. Test the number of calls to psa_sign_hash_complete() required are as
7047 * expected for different max_ops values.
7048 *
7049 * 3. Test that the number of ops done prior to start and after abort is zero
7050 * and that each successful stage completes some ops (this is not mandated by
7051 * the PSA specification, but is currently the case).
Paul Elliott587e7802023-02-27 09:53:08 +00007052 *
7053 * 4. Check that calling complete() when start() fails and complete()
7054 * after completion results in a BAD_STATE error.
7055 *
7056 * 5. Check that calling start() again after start fails results in a BAD_STATE
7057 * error.
Paul Elliottc7f68822023-02-24 17:37:04 +00007058 */
Paul Elliott91007972022-12-16 12:21:24 +00007059void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
7060 int alg_arg, data_t *input_data,
7061 int signature_size_arg,
7062 int expected_start_status_arg,
Paul Elliott0c683352022-12-16 19:16:56 +00007063 int expected_complete_status_arg,
Paul Elliottab7c5c82023-02-03 15:49:42 +00007064 int max_ops_arg)
Paul Elliott91007972022-12-16 12:21:24 +00007065{
7066 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7067 psa_key_type_t key_type = key_type_arg;
7068 psa_algorithm_t alg = alg_arg;
7069 size_t signature_size = signature_size_arg;
7070 psa_status_t actual_status;
7071 psa_status_t expected_start_status = expected_start_status_arg;
7072 psa_status_t expected_complete_status = expected_complete_status_arg;
7073 unsigned char *signature = NULL;
7074 size_t signature_length = 0xdeadbeef;
Paul Elliottab7c5c82023-02-03 15:49:42 +00007075 uint32_t num_ops = 0;
7076 uint32_t max_ops = max_ops_arg;
Paul Elliott91007972022-12-16 12:21:24 +00007077 size_t num_ops_prior = 0;
Paul Elliott0c683352022-12-16 19:16:56 +00007078 size_t num_completes = 0;
Paul Elliott97ac7d92023-01-23 18:09:06 +00007079 size_t min_completes = 0;
7080 size_t max_completes = 0;
7081
Paul Elliott91007972022-12-16 12:21:24 +00007082 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7083 psa_sign_hash_interruptible_operation_t operation =
7084 psa_sign_hash_interruptible_operation_init();
7085
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007086 TEST_CALLOC(signature, signature_size);
Paul Elliott91007972022-12-16 12:21:24 +00007087
7088 PSA_ASSERT(psa_crypto_init());
7089
7090 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
7091 psa_set_key_algorithm(&attributes, alg);
7092 psa_set_key_type(&attributes, key_type);
7093
7094 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7095 &key));
7096
Paul Elliott0c683352022-12-16 19:16:56 +00007097 psa_interruptible_set_max_ops(max_ops);
7098
Paul Elliott6f600372023-02-06 18:41:05 +00007099 interruptible_signverify_get_minmax_completes(max_ops,
7100 expected_complete_status,
7101 &min_completes,
7102 &max_completes);
Paul Elliott97ac7d92023-01-23 18:09:06 +00007103
Paul Elliott91007972022-12-16 12:21:24 +00007104 num_ops_prior = psa_sign_hash_get_num_ops(&operation);
7105 TEST_ASSERT(num_ops_prior == 0);
7106
7107 /* Start performing the signature. */
7108 actual_status = psa_sign_hash_start(&operation, key, alg,
7109 input_data->x, input_data->len);
7110
7111 TEST_EQUAL(actual_status, expected_start_status);
7112
Paul Elliottc9774412023-02-06 15:14:07 +00007113 if (expected_start_status != PSA_SUCCESS) {
Paul Elliottde7c31e2023-03-01 14:37:48 +00007114 /* Emulate poor application code, and call complete anyway, even though
Paul Elliott587e7802023-02-27 09:53:08 +00007115 * start failed. */
7116 actual_status = psa_sign_hash_complete(&operation, signature,
7117 signature_size,
7118 &signature_length);
7119
7120 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
7121
7122 /* Test that calling start again after failure also causes BAD_STATE. */
Paul Elliottc9774412023-02-06 15:14:07 +00007123 actual_status = psa_sign_hash_start(&operation, key, alg,
7124 input_data->x, input_data->len);
7125
7126 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
7127 }
7128
Paul Elliott91007972022-12-16 12:21:24 +00007129 num_ops_prior = psa_sign_hash_get_num_ops(&operation);
7130 TEST_ASSERT(num_ops_prior == 0);
7131
Paul Elliott91007972022-12-16 12:21:24 +00007132 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007133 do {
Paul Elliott91007972022-12-16 12:21:24 +00007134 actual_status = psa_sign_hash_complete(&operation, signature,
7135 signature_size,
7136 &signature_length);
7137
Paul Elliott0c683352022-12-16 19:16:56 +00007138 num_completes++;
7139
Paul Elliott334d7262023-01-20 17:29:41 +00007140 if (actual_status == PSA_SUCCESS ||
7141 actual_status == PSA_OPERATION_INCOMPLETE) {
Paul Elliott91007972022-12-16 12:21:24 +00007142 num_ops = psa_sign_hash_get_num_ops(&operation);
Paul Elliott96b89b22023-02-15 23:10:37 +00007143 /* We are asserting here that every complete makes progress
7144 * (completes some ops), which is true of the internal
7145 * implementation and probably any implementation, however this is
7146 * not mandated by the PSA specification. */
Paul Elliott91007972022-12-16 12:21:24 +00007147 TEST_ASSERT(num_ops > num_ops_prior);
Paul Elliott0c683352022-12-16 19:16:56 +00007148
Paul Elliott91007972022-12-16 12:21:24 +00007149 num_ops_prior = num_ops;
7150 }
Paul Elliottedfc8832023-01-20 17:13:10 +00007151 } while (actual_status == PSA_OPERATION_INCOMPLETE);
Paul Elliott91007972022-12-16 12:21:24 +00007152
Paul Elliottc9774412023-02-06 15:14:07 +00007153 TEST_EQUAL(actual_status, expected_complete_status);
7154
Paul Elliottefebad02023-02-15 16:56:45 +00007155 /* Check that another complete returns BAD_STATE. */
7156 actual_status = psa_sign_hash_complete(&operation, signature,
7157 signature_size,
7158 &signature_length);
Paul Elliottc9774412023-02-06 15:14:07 +00007159
Paul Elliottefebad02023-02-15 16:56:45 +00007160 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
Paul Elliott334d7262023-01-20 17:29:41 +00007161
Paul Elliott91007972022-12-16 12:21:24 +00007162 PSA_ASSERT(psa_sign_hash_abort(&operation));
7163
Paul Elliott59ad9452022-12-18 15:09:02 +00007164 num_ops = psa_sign_hash_get_num_ops(&operation);
7165 TEST_ASSERT(num_ops == 0);
7166
Paul Elliott91007972022-12-16 12:21:24 +00007167 /* The value of *signature_length is unspecified on error, but
7168 * whatever it is, it should be less than signature_size, so that
7169 * if the caller tries to read *signature_length bytes without
7170 * checking the error code then they don't overflow a buffer. */
7171 TEST_LE_U(signature_length, signature_size);
7172
Paul Elliott0c683352022-12-16 19:16:56 +00007173 TEST_LE_U(min_completes, num_completes);
7174 TEST_LE_U(num_completes, max_completes);
7175
Paul Elliott91007972022-12-16 12:21:24 +00007176exit:
7177 psa_reset_key_attributes(&attributes);
7178 psa_destroy_key(key);
7179 mbedtls_free(signature);
7180 PSA_DONE();
7181}
7182/* END_CASE */
7183
mohammad16038cc1cee2018-03-28 01:21:33 +03007184/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01007185void sign_verify_hash(int key_type_arg, data_t *key_data,
7186 int alg_arg, data_t *input_data)
Gilles Peskine9911b022018-06-29 17:30:48 +02007187{
Ronald Cron5425a212020-08-04 14:58:35 +02007188 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine9911b022018-06-29 17:30:48 +02007189 psa_key_type_t key_type = key_type_arg;
7190 psa_algorithm_t alg = alg_arg;
7191 size_t key_bits;
7192 unsigned char *signature = NULL;
7193 size_t signature_size;
7194 size_t signature_length = 0xdeadbeef;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02007195 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine9911b022018-06-29 17:30:48 +02007196
Gilles Peskine449bd832023-01-11 14:50:10 +01007197 PSA_ASSERT(psa_crypto_init());
Gilles Peskine9911b022018-06-29 17:30:48 +02007198
Gilles Peskine449bd832023-01-11 14:50:10 +01007199 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH);
7200 psa_set_key_algorithm(&attributes, alg);
7201 psa_set_key_type(&attributes, key_type);
Gilles Peskine9911b022018-06-29 17:30:48 +02007202
Gilles Peskine449bd832023-01-11 14:50:10 +01007203 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7204 &key));
7205 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
7206 key_bits = psa_get_key_bits(&attributes);
Gilles Peskine9911b022018-06-29 17:30:48 +02007207
Shaun Case8b0ecbc2021-12-20 21:14:10 -08007208 /* Allocate a buffer which has the size advertised by the
Gilles Peskine9911b022018-06-29 17:30:48 +02007209 * library. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007210 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
7211 key_bits, alg);
7212 TEST_ASSERT(signature_size != 0);
7213 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007214 TEST_CALLOC(signature, signature_size);
Gilles Peskine9911b022018-06-29 17:30:48 +02007215
7216 /* Perform the signature. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007217 PSA_ASSERT(psa_sign_hash(key, alg,
7218 input_data->x, input_data->len,
7219 signature, signature_size,
7220 &signature_length));
Gilles Peskine9911b022018-06-29 17:30:48 +02007221 /* Check that the signature length looks sensible. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007222 TEST_LE_U(signature_length, signature_size);
7223 TEST_ASSERT(signature_length > 0);
Gilles Peskine9911b022018-06-29 17:30:48 +02007224
7225 /* Use the library to verify that the signature is correct. */
Gilles Peskine449bd832023-01-11 14:50:10 +01007226 PSA_ASSERT(psa_verify_hash(key, alg,
7227 input_data->x, input_data->len,
7228 signature, signature_length));
Gilles Peskine9911b022018-06-29 17:30:48 +02007229
Gilles Peskine449bd832023-01-11 14:50:10 +01007230 if (input_data->len != 0) {
Gilles Peskine9911b022018-06-29 17:30:48 +02007231 /* Flip a bit in the input and verify that the signature is now
7232 * detected as invalid. Flip a bit at the beginning, not at the end,
7233 * because ECDSA may ignore the last few bits of the input. */
7234 input_data->x[0] ^= 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01007235 TEST_EQUAL(psa_verify_hash(key, alg,
7236 input_data->x, input_data->len,
7237 signature, signature_length),
7238 PSA_ERROR_INVALID_SIGNATURE);
Gilles Peskine9911b022018-06-29 17:30:48 +02007239 }
7240
7241exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01007242 /*
7243 * Key attributes may have been returned by psa_get_key_attributes()
7244 * thus reset them as required.
7245 */
Gilles Peskine449bd832023-01-11 14:50:10 +01007246 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01007247
Gilles Peskine449bd832023-01-11 14:50:10 +01007248 psa_destroy_key(key);
7249 mbedtls_free(signature);
7250 PSA_DONE();
Gilles Peskine9911b022018-06-29 17:30:48 +02007251}
7252/* END_CASE */
7253
Paul Elliott712d5122022-12-07 14:03:10 +00007254/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007255/**
7256 * sign_verify_hash_interruptible() test intentions:
7257 *
7258 * Note: This test can currently only handle ECDSA.
7259 *
Paul Elliott8c092052023-03-06 17:49:14 +00007260 * 1. Test that we can sign an input hash with the given keypair and then
7261 * afterwards verify that signature. This is currently the only way to test
7262 * non deterministic ECDSA, but this test can also handle deterministic.
Paul Elliottc7f68822023-02-24 17:37:04 +00007263 *
7264 * 2. Test that after corrupting the hash, the verification detects an invalid
7265 * signature.
7266 *
7267 * 3. Test the number of calls to psa_sign_hash_complete() required are as
7268 * expected for different max_ops values.
Paul Elliott7c173082023-02-26 18:44:45 +00007269 *
7270 * 4. Test that the number of ops done prior to starting signing and after abort
7271 * is zero and that each successful signing stage completes some ops (this is
7272 * not mandated by the PSA specification, but is currently the case).
Paul Elliottc7f68822023-02-24 17:37:04 +00007273 */
Paul Elliott712d5122022-12-07 14:03:10 +00007274void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
Paul Elliott0c683352022-12-16 19:16:56 +00007275 int alg_arg, data_t *input_data,
Paul Elliottab7c5c82023-02-03 15:49:42 +00007276 int max_ops_arg)
Paul Elliott712d5122022-12-07 14:03:10 +00007277{
7278 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7279 psa_key_type_t key_type = key_type_arg;
7280 psa_algorithm_t alg = alg_arg;
7281 size_t key_bits;
7282 unsigned char *signature = NULL;
7283 size_t signature_size;
7284 size_t signature_length = 0xdeadbeef;
7285 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7286 psa_status_t status = PSA_OPERATION_INCOMPLETE;
Paul Elliottab7c5c82023-02-03 15:49:42 +00007287 uint32_t max_ops = max_ops_arg;
Paul Elliott7c173082023-02-26 18:44:45 +00007288 uint32_t num_ops = 0;
7289 uint32_t num_ops_prior = 0;
Paul Elliott0c683352022-12-16 19:16:56 +00007290 size_t num_completes = 0;
Paul Elliott97ac7d92023-01-23 18:09:06 +00007291 size_t min_completes = 0;
7292 size_t max_completes = 0;
7293
Paul Elliott712d5122022-12-07 14:03:10 +00007294 psa_sign_hash_interruptible_operation_t sign_operation =
7295 psa_sign_hash_interruptible_operation_init();
7296 psa_verify_hash_interruptible_operation_t verify_operation =
7297 psa_verify_hash_interruptible_operation_init();
7298
7299 PSA_ASSERT(psa_crypto_init());
7300
Paul Elliott0c683352022-12-16 19:16:56 +00007301 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
7302 PSA_KEY_USAGE_VERIFY_HASH);
Paul Elliott712d5122022-12-07 14:03:10 +00007303 psa_set_key_algorithm(&attributes, alg);
7304 psa_set_key_type(&attributes, key_type);
7305
7306 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7307 &key));
7308 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
7309 key_bits = psa_get_key_bits(&attributes);
7310
7311 /* Allocate a buffer which has the size advertised by the
7312 * library. */
7313 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
7314 key_bits, alg);
7315 TEST_ASSERT(signature_size != 0);
7316 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007317 TEST_CALLOC(signature, signature_size);
Paul Elliott712d5122022-12-07 14:03:10 +00007318
Paul Elliott0c683352022-12-16 19:16:56 +00007319 psa_interruptible_set_max_ops(max_ops);
7320
Paul Elliott6f600372023-02-06 18:41:05 +00007321 interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
7322 &min_completes, &max_completes);
Paul Elliott97ac7d92023-01-23 18:09:06 +00007323
Paul Elliott7c173082023-02-26 18:44:45 +00007324 num_ops_prior = psa_sign_hash_get_num_ops(&sign_operation);
7325 TEST_ASSERT(num_ops_prior == 0);
7326
Paul Elliott712d5122022-12-07 14:03:10 +00007327 /* Start performing the signature. */
7328 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7329 input_data->x, input_data->len));
7330
Paul Elliott7c173082023-02-26 18:44:45 +00007331 num_ops_prior = psa_sign_hash_get_num_ops(&sign_operation);
7332 TEST_ASSERT(num_ops_prior == 0);
7333
Paul Elliott712d5122022-12-07 14:03:10 +00007334 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007335 do {
Paul Elliott712d5122022-12-07 14:03:10 +00007336
Paul Elliott0c683352022-12-16 19:16:56 +00007337 status = psa_sign_hash_complete(&sign_operation, signature,
7338 signature_size,
Paul Elliott712d5122022-12-07 14:03:10 +00007339 &signature_length);
Paul Elliott0c683352022-12-16 19:16:56 +00007340
7341 num_completes++;
Paul Elliott7c173082023-02-26 18:44:45 +00007342
7343 if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
7344 num_ops = psa_sign_hash_get_num_ops(&sign_operation);
7345 /* We are asserting here that every complete makes progress
7346 * (completes some ops), which is true of the internal
7347 * implementation and probably any implementation, however this is
7348 * not mandated by the PSA specification. */
7349 TEST_ASSERT(num_ops > num_ops_prior);
7350
7351 num_ops_prior = num_ops;
7352 }
Paul Elliottedfc8832023-01-20 17:13:10 +00007353 } while (status == PSA_OPERATION_INCOMPLETE);
Paul Elliott712d5122022-12-07 14:03:10 +00007354
7355 TEST_ASSERT(status == PSA_SUCCESS);
7356
Paul Elliott0c683352022-12-16 19:16:56 +00007357 TEST_LE_U(min_completes, num_completes);
7358 TEST_LE_U(num_completes, max_completes);
7359
Paul Elliott712d5122022-12-07 14:03:10 +00007360 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7361
Paul Elliott7c173082023-02-26 18:44:45 +00007362 num_ops = psa_sign_hash_get_num_ops(&sign_operation);
7363 TEST_ASSERT(num_ops == 0);
7364
Paul Elliott712d5122022-12-07 14:03:10 +00007365 /* Check that the signature length looks sensible. */
7366 TEST_LE_U(signature_length, signature_size);
7367 TEST_ASSERT(signature_length > 0);
7368
Paul Elliott0c683352022-12-16 19:16:56 +00007369 num_completes = 0;
Paul Elliott712d5122022-12-07 14:03:10 +00007370
7371 /* Start verification. */
7372 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7373 input_data->x, input_data->len,
7374 signature, signature_length));
7375
7376 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007377 do {
Paul Elliott712d5122022-12-07 14:03:10 +00007378 status = psa_verify_hash_complete(&verify_operation);
Paul Elliott0c683352022-12-16 19:16:56 +00007379
7380 num_completes++;
Paul Elliottedfc8832023-01-20 17:13:10 +00007381 } while (status == PSA_OPERATION_INCOMPLETE);
Paul Elliott712d5122022-12-07 14:03:10 +00007382
7383 TEST_ASSERT(status == PSA_SUCCESS);
7384
Paul Elliott0c683352022-12-16 19:16:56 +00007385 TEST_LE_U(min_completes, num_completes);
7386 TEST_LE_U(num_completes, max_completes);
7387
Paul Elliott712d5122022-12-07 14:03:10 +00007388 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7389
7390 verify_operation = psa_verify_hash_interruptible_operation_init();
7391
7392 if (input_data->len != 0) {
7393 /* Flip a bit in the input and verify that the signature is now
7394 * detected as invalid. Flip a bit at the beginning, not at the end,
7395 * because ECDSA may ignore the last few bits of the input. */
7396 input_data->x[0] ^= 1;
7397
Paul Elliott712d5122022-12-07 14:03:10 +00007398 /* Start verification. */
7399 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7400 input_data->x, input_data->len,
7401 signature, signature_length));
7402
7403 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007404 do {
Paul Elliott712d5122022-12-07 14:03:10 +00007405 status = psa_verify_hash_complete(&verify_operation);
Paul Elliottedfc8832023-01-20 17:13:10 +00007406 } while (status == PSA_OPERATION_INCOMPLETE);
Paul Elliott712d5122022-12-07 14:03:10 +00007407
7408 TEST_ASSERT(status == PSA_ERROR_INVALID_SIGNATURE);
7409 }
7410
7411 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7412
7413exit:
7414 /*
7415 * Key attributes may have been returned by psa_get_key_attributes()
7416 * thus reset them as required.
7417 */
7418 psa_reset_key_attributes(&attributes);
7419
7420 psa_destroy_key(key);
7421 mbedtls_free(signature);
7422 PSA_DONE();
7423}
7424/* END_CASE */
7425
Gilles Peskine9911b022018-06-29 17:30:48 +02007426/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01007427void verify_hash(int key_type_arg, data_t *key_data,
7428 int alg_arg, data_t *hash_data,
7429 data_t *signature_data)
itayzafrir5c753392018-05-08 11:18:38 +03007430{
Ronald Cron5425a212020-08-04 14:58:35 +02007431 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
itayzafrir5c753392018-05-08 11:18:38 +03007432 psa_key_type_t key_type = key_type_arg;
7433 psa_algorithm_t alg = alg_arg;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02007434 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
itayzafrir5c753392018-05-08 11:18:38 +03007435
Gilles Peskine449bd832023-01-11 14:50:10 +01007436 TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE);
Gilles Peskine69c12672018-06-28 00:07:19 +02007437
Gilles Peskine449bd832023-01-11 14:50:10 +01007438 PSA_ASSERT(psa_crypto_init());
itayzafrir5c753392018-05-08 11:18:38 +03007439
Gilles Peskine449bd832023-01-11 14:50:10 +01007440 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
7441 psa_set_key_algorithm(&attributes, alg);
7442 psa_set_key_type(&attributes, key_type);
itayzafrir5c753392018-05-08 11:18:38 +03007443
Gilles Peskine449bd832023-01-11 14:50:10 +01007444 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7445 &key));
itayzafrir5c753392018-05-08 11:18:38 +03007446
Gilles Peskine449bd832023-01-11 14:50:10 +01007447 PSA_ASSERT(psa_verify_hash(key, alg,
7448 hash_data->x, hash_data->len,
7449 signature_data->x, signature_data->len));
Gilles Peskine0627f982019-11-26 19:12:16 +01007450
itayzafrir5c753392018-05-08 11:18:38 +03007451exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01007452 psa_reset_key_attributes(&attributes);
7453 psa_destroy_key(key);
7454 PSA_DONE();
itayzafrir5c753392018-05-08 11:18:38 +03007455}
7456/* END_CASE */
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007457
Paul Elliott712d5122022-12-07 14:03:10 +00007458/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007459/**
7460 * verify_hash_interruptible() test intentions:
7461 *
7462 * Note: This test can currently only handle ECDSA.
7463 *
7464 * 1. Test interruptible verify hash with known outcomes (deterministic ECDSA
Paul Elliott8c092052023-03-06 17:49:14 +00007465 * only). Given this test only does verification it can accept public keys as
7466 * well as private keys / keypairs.
Paul Elliottc7f68822023-02-24 17:37:04 +00007467 *
7468 * 2. Test the number of calls to psa_verify_hash_complete() required are as
7469 * expected for different max_ops values.
7470 *
7471 * 3. Test that the number of ops done prior to start and after abort is zero
7472 * and that each successful stage completes some ops (this is not mandated by
7473 * the PSA specification, but is currently the case).
Paul Elliott8359c142023-02-24 18:40:10 +00007474 *
7475 * 4. Test that calling psa_sign_hash_get_num_ops() multiple times between
7476 * complete() calls does not alter the number of ops returned.
7477 *
7478 * 5. Test that after corrupting the hash, the verification detects an invalid
7479 * signature.
Paul Elliottc7f68822023-02-24 17:37:04 +00007480 */
Paul Elliott712d5122022-12-07 14:03:10 +00007481void verify_hash_interruptible(int key_type_arg, data_t *key_data,
7482 int alg_arg, data_t *hash_data,
Paul Elliottab7c5c82023-02-03 15:49:42 +00007483 data_t *signature_data, int max_ops_arg)
Paul Elliott712d5122022-12-07 14:03:10 +00007484{
7485 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7486 psa_key_type_t key_type = key_type_arg;
7487 psa_algorithm_t alg = alg_arg;
7488 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7489 psa_status_t status = PSA_OPERATION_INCOMPLETE;
Paul Elliottab7c5c82023-02-03 15:49:42 +00007490 uint32_t num_ops = 0;
7491 uint32_t max_ops = max_ops_arg;
Paul Elliott712d5122022-12-07 14:03:10 +00007492 size_t num_ops_prior = 0;
Paul Elliott0c683352022-12-16 19:16:56 +00007493 size_t num_completes = 0;
Paul Elliott97ac7d92023-01-23 18:09:06 +00007494 size_t min_completes = 0;
7495 size_t max_completes = 0;
7496
Paul Elliott712d5122022-12-07 14:03:10 +00007497 psa_verify_hash_interruptible_operation_t operation =
7498 psa_verify_hash_interruptible_operation_init();
7499
7500 TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE);
7501
7502 PSA_ASSERT(psa_crypto_init());
7503
7504 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
7505 psa_set_key_algorithm(&attributes, alg);
7506 psa_set_key_type(&attributes, key_type);
7507
7508 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7509 &key));
7510
Paul Elliott0c683352022-12-16 19:16:56 +00007511 psa_interruptible_set_max_ops(max_ops);
7512
Paul Elliott6f600372023-02-06 18:41:05 +00007513 interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
7514 &min_completes, &max_completes);
Paul Elliott97ac7d92023-01-23 18:09:06 +00007515
Paul Elliott712d5122022-12-07 14:03:10 +00007516 num_ops_prior = psa_verify_hash_get_num_ops(&operation);
7517
7518 TEST_ASSERT(num_ops_prior == 0);
7519
7520 /* Start verification. */
7521 PSA_ASSERT(psa_verify_hash_start(&operation, key, alg,
7522 hash_data->x, hash_data->len,
7523 signature_data->x, signature_data->len)
7524 );
7525
7526 num_ops_prior = psa_verify_hash_get_num_ops(&operation);
7527
7528 TEST_ASSERT(num_ops_prior == 0);
7529
7530 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007531 do {
Paul Elliott712d5122022-12-07 14:03:10 +00007532 status = psa_verify_hash_complete(&operation);
7533
Paul Elliott0c683352022-12-16 19:16:56 +00007534 num_completes++;
7535
Paul Elliott712d5122022-12-07 14:03:10 +00007536 if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
7537 num_ops = psa_verify_hash_get_num_ops(&operation);
Paul Elliott96b89b22023-02-15 23:10:37 +00007538 /* We are asserting here that every complete makes progress
7539 * (completes some ops), which is true of the internal
7540 * implementation and probably any implementation, however this is
7541 * not mandated by the PSA specification. */
Paul Elliott712d5122022-12-07 14:03:10 +00007542 TEST_ASSERT(num_ops > num_ops_prior);
Paul Elliott0c683352022-12-16 19:16:56 +00007543
Paul Elliott712d5122022-12-07 14:03:10 +00007544 num_ops_prior = num_ops;
Paul Elliottf8e5b562023-02-19 18:43:45 +00007545
7546 /* Ensure calling get_num_ops() twice still returns the same
7547 * number of ops as previously reported. */
7548 num_ops = psa_verify_hash_get_num_ops(&operation);
7549
7550 TEST_EQUAL(num_ops, num_ops_prior);
Paul Elliott712d5122022-12-07 14:03:10 +00007551 }
Paul Elliottedfc8832023-01-20 17:13:10 +00007552 } while (status == PSA_OPERATION_INCOMPLETE);
Paul Elliott712d5122022-12-07 14:03:10 +00007553
7554 TEST_ASSERT(status == PSA_SUCCESS);
7555
Paul Elliott0c683352022-12-16 19:16:56 +00007556 TEST_LE_U(min_completes, num_completes);
7557 TEST_LE_U(num_completes, max_completes);
7558
Paul Elliott712d5122022-12-07 14:03:10 +00007559 PSA_ASSERT(psa_verify_hash_abort(&operation));
7560
Paul Elliott59ad9452022-12-18 15:09:02 +00007561 num_ops = psa_verify_hash_get_num_ops(&operation);
7562 TEST_ASSERT(num_ops == 0);
7563
Paul Elliott8359c142023-02-24 18:40:10 +00007564 if (hash_data->len != 0) {
7565 /* Flip a bit in the hash and verify that the signature is now detected
7566 * as invalid. Flip a bit at the beginning, not at the end, because
7567 * ECDSA may ignore the last few bits of the input. */
7568 hash_data->x[0] ^= 1;
7569
7570 /* Start verification. */
7571 PSA_ASSERT(psa_verify_hash_start(&operation, key, alg,
7572 hash_data->x, hash_data->len,
7573 signature_data->x, signature_data->len));
7574
7575 /* Continue performing the signature until complete. */
7576 do {
7577 status = psa_verify_hash_complete(&operation);
7578 } while (status == PSA_OPERATION_INCOMPLETE);
7579
7580 TEST_ASSERT(status == PSA_ERROR_INVALID_SIGNATURE);
7581 }
7582
Paul Elliott712d5122022-12-07 14:03:10 +00007583exit:
7584 psa_reset_key_attributes(&attributes);
7585 psa_destroy_key(key);
7586 PSA_DONE();
7587}
7588/* END_CASE */
7589
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007590/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01007591void verify_hash_fail(int key_type_arg, data_t *key_data,
7592 int alg_arg, data_t *hash_data,
7593 data_t *signature_data,
7594 int expected_status_arg)
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007595{
Ronald Cron5425a212020-08-04 14:58:35 +02007596 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007597 psa_key_type_t key_type = key_type_arg;
7598 psa_algorithm_t alg = alg_arg;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007599 psa_status_t actual_status;
7600 psa_status_t expected_status = expected_status_arg;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02007601 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007602
Gilles Peskine449bd832023-01-11 14:50:10 +01007603 PSA_ASSERT(psa_crypto_init());
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007604
Gilles Peskine449bd832023-01-11 14:50:10 +01007605 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
7606 psa_set_key_algorithm(&attributes, alg);
7607 psa_set_key_type(&attributes, key_type);
Nir Sonnenscheind7082602018-06-04 16:45:27 +03007608
Gilles Peskine449bd832023-01-11 14:50:10 +01007609 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7610 &key));
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007611
Gilles Peskine449bd832023-01-11 14:50:10 +01007612 actual_status = psa_verify_hash(key, alg,
7613 hash_data->x, hash_data->len,
7614 signature_data->x, signature_data->len);
7615 TEST_EQUAL(actual_status, expected_status);
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007616
7617exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01007618 psa_reset_key_attributes(&attributes);
7619 psa_destroy_key(key);
7620 PSA_DONE();
Nir Sonnenschein39e59142018-05-02 23:16:26 +03007621}
7622/* END_CASE */
7623
Paul Elliott91007972022-12-16 12:21:24 +00007624/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007625/**
7626 * verify_hash_fail_interruptible() test intentions:
7627 *
7628 * Note: This test can currently only handle ECDSA.
7629 *
7630 * 1. Test that various failure cases for interruptible verify hash fail with
7631 * the correct error codes, and at the correct point (at start or during
7632 * complete).
7633 *
7634 * 2. Test the number of calls to psa_verify_hash_complete() required are as
7635 * expected for different max_ops values.
7636 *
7637 * 3. Test that the number of ops done prior to start and after abort is zero
7638 * and that each successful stage completes some ops (this is not mandated by
7639 * the PSA specification, but is currently the case).
Paul Elliott587e7802023-02-27 09:53:08 +00007640 *
7641 * 4. Check that calling complete() when start() fails and complete()
7642 * after completion results in a BAD_STATE error.
7643 *
7644 * 5. Check that calling start() again after start fails results in a BAD_STATE
7645 * error.
Paul Elliottc7f68822023-02-24 17:37:04 +00007646 */
Paul Elliott91007972022-12-16 12:21:24 +00007647void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
7648 int alg_arg, data_t *hash_data,
7649 data_t *signature_data,
7650 int expected_start_status_arg,
Paul Elliott0c683352022-12-16 19:16:56 +00007651 int expected_complete_status_arg,
Paul Elliottab7c5c82023-02-03 15:49:42 +00007652 int max_ops_arg)
Paul Elliott91007972022-12-16 12:21:24 +00007653{
7654 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7655 psa_key_type_t key_type = key_type_arg;
7656 psa_algorithm_t alg = alg_arg;
7657 psa_status_t actual_status;
7658 psa_status_t expected_start_status = expected_start_status_arg;
7659 psa_status_t expected_complete_status = expected_complete_status_arg;
7660 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Paul Elliottab7c5c82023-02-03 15:49:42 +00007661 uint32_t num_ops = 0;
7662 uint32_t max_ops = max_ops_arg;
Paul Elliott91007972022-12-16 12:21:24 +00007663 size_t num_ops_prior = 0;
Paul Elliott0c683352022-12-16 19:16:56 +00007664 size_t num_completes = 0;
Paul Elliott97ac7d92023-01-23 18:09:06 +00007665 size_t min_completes = 0;
7666 size_t max_completes = 0;
Paul Elliott91007972022-12-16 12:21:24 +00007667 psa_verify_hash_interruptible_operation_t operation =
7668 psa_verify_hash_interruptible_operation_init();
7669
7670 PSA_ASSERT(psa_crypto_init());
7671
7672 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
7673 psa_set_key_algorithm(&attributes, alg);
7674 psa_set_key_type(&attributes, key_type);
7675
7676 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7677 &key));
7678
Paul Elliott0c683352022-12-16 19:16:56 +00007679 psa_interruptible_set_max_ops(max_ops);
7680
Paul Elliott6f600372023-02-06 18:41:05 +00007681 interruptible_signverify_get_minmax_completes(max_ops,
7682 expected_complete_status,
7683 &min_completes,
7684 &max_completes);
Paul Elliott97ac7d92023-01-23 18:09:06 +00007685
Paul Elliott91007972022-12-16 12:21:24 +00007686 num_ops_prior = psa_verify_hash_get_num_ops(&operation);
7687 TEST_ASSERT(num_ops_prior == 0);
7688
7689 /* Start verification. */
7690 actual_status = psa_verify_hash_start(&operation, key, alg,
7691 hash_data->x, hash_data->len,
7692 signature_data->x,
7693 signature_data->len);
7694
7695 TEST_EQUAL(actual_status, expected_start_status);
7696
Paul Elliottc9774412023-02-06 15:14:07 +00007697 if (expected_start_status != PSA_SUCCESS) {
Paul Elliottde7c31e2023-03-01 14:37:48 +00007698 /* Emulate poor application code, and call complete anyway, even though
Paul Elliott587e7802023-02-27 09:53:08 +00007699 * start failed. */
7700 actual_status = psa_verify_hash_complete(&operation);
7701
7702 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
7703
7704 /* Test that calling start again after failure also causes BAD_STATE. */
Paul Elliottc9774412023-02-06 15:14:07 +00007705 actual_status = psa_verify_hash_start(&operation, key, alg,
7706 hash_data->x, hash_data->len,
7707 signature_data->x,
7708 signature_data->len);
7709
7710 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
7711 }
7712
Paul Elliott91007972022-12-16 12:21:24 +00007713 num_ops_prior = psa_verify_hash_get_num_ops(&operation);
7714 TEST_ASSERT(num_ops_prior == 0);
7715
Paul Elliott91007972022-12-16 12:21:24 +00007716 /* Continue performing the signature until complete. */
Paul Elliottedfc8832023-01-20 17:13:10 +00007717 do {
Paul Elliott91007972022-12-16 12:21:24 +00007718 actual_status = psa_verify_hash_complete(&operation);
7719
Paul Elliott0c683352022-12-16 19:16:56 +00007720 num_completes++;
7721
Paul Elliott334d7262023-01-20 17:29:41 +00007722 if (actual_status == PSA_SUCCESS ||
7723 actual_status == PSA_OPERATION_INCOMPLETE) {
Paul Elliott91007972022-12-16 12:21:24 +00007724 num_ops = psa_verify_hash_get_num_ops(&operation);
Paul Elliott96b89b22023-02-15 23:10:37 +00007725 /* We are asserting here that every complete makes progress
7726 * (completes some ops), which is true of the internal
7727 * implementation and probably any implementation, however this is
7728 * not mandated by the PSA specification. */
Paul Elliott91007972022-12-16 12:21:24 +00007729 TEST_ASSERT(num_ops > num_ops_prior);
Paul Elliott0c683352022-12-16 19:16:56 +00007730
Paul Elliott91007972022-12-16 12:21:24 +00007731 num_ops_prior = num_ops;
7732 }
Paul Elliottedfc8832023-01-20 17:13:10 +00007733 } while (actual_status == PSA_OPERATION_INCOMPLETE);
Paul Elliott91007972022-12-16 12:21:24 +00007734
Paul Elliottc9774412023-02-06 15:14:07 +00007735 TEST_EQUAL(actual_status, expected_complete_status);
7736
Paul Elliottefebad02023-02-15 16:56:45 +00007737 /* Check that another complete returns BAD_STATE. */
7738 actual_status = psa_verify_hash_complete(&operation);
7739 TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
Paul Elliott334d7262023-01-20 17:29:41 +00007740
Paul Elliott0c683352022-12-16 19:16:56 +00007741 TEST_LE_U(min_completes, num_completes);
7742 TEST_LE_U(num_completes, max_completes);
7743
Paul Elliott91007972022-12-16 12:21:24 +00007744 PSA_ASSERT(psa_verify_hash_abort(&operation));
7745
Paul Elliott59ad9452022-12-18 15:09:02 +00007746 num_ops = psa_verify_hash_get_num_ops(&operation);
7747 TEST_ASSERT(num_ops == 0);
7748
Paul Elliott91007972022-12-16 12:21:24 +00007749exit:
7750 psa_reset_key_attributes(&attributes);
7751 psa_destroy_key(key);
7752 PSA_DONE();
7753}
7754/* END_CASE */
7755
Paul Elliott20a36062022-12-18 13:21:25 +00007756/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007757/**
7758 * interruptible_signverify_hash_state_test() test intentions:
7759 *
7760 * Note: This test can currently only handle ECDSA.
7761 *
7762 * 1. Test that calling the various interruptible sign and verify hash functions
7763 * in incorrect orders returns BAD_STATE errors.
7764 */
Paul Elliott76d671a2023-02-07 17:45:18 +00007765void interruptible_signverify_hash_state_test(int key_type_arg,
7766 data_t *key_data, int alg_arg, data_t *input_data)
Paul Elliott20a36062022-12-18 13:21:25 +00007767{
7768 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7769 psa_key_type_t key_type = key_type_arg;
7770 psa_algorithm_t alg = alg_arg;
7771 size_t key_bits;
7772 unsigned char *signature = NULL;
7773 size_t signature_size;
7774 size_t signature_length = 0xdeadbeef;
7775 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7776 psa_sign_hash_interruptible_operation_t sign_operation =
7777 psa_sign_hash_interruptible_operation_init();
7778 psa_verify_hash_interruptible_operation_t verify_operation =
7779 psa_verify_hash_interruptible_operation_init();
7780
7781 PSA_ASSERT(psa_crypto_init());
7782
7783 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
7784 PSA_KEY_USAGE_VERIFY_HASH);
7785 psa_set_key_algorithm(&attributes, alg);
7786 psa_set_key_type(&attributes, key_type);
7787
7788 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7789 &key));
7790 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
7791 key_bits = psa_get_key_bits(&attributes);
7792
7793 /* Allocate a buffer which has the size advertised by the
7794 * library. */
7795 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
7796 key_bits, alg);
7797 TEST_ASSERT(signature_size != 0);
7798 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007799 TEST_CALLOC(signature, signature_size);
Paul Elliott20a36062022-12-18 13:21:25 +00007800
7801 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7802
7803 /* --- Attempt completes prior to starts --- */
7804 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7805 signature_size,
7806 &signature_length),
7807 PSA_ERROR_BAD_STATE);
7808
7809 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7810
7811 TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
7812 PSA_ERROR_BAD_STATE);
7813
7814 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7815
7816 /* --- Aborts in all other places. --- */
7817 psa_sign_hash_abort(&sign_operation);
7818
7819 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7820 input_data->x, input_data->len));
7821
7822 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7823
7824 psa_interruptible_set_max_ops(1);
7825
7826 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7827 input_data->x, input_data->len));
7828
7829 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7830 signature_size,
7831 &signature_length),
7832 PSA_OPERATION_INCOMPLETE);
7833
7834 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7835
7836 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7837
7838 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7839 input_data->x, input_data->len));
7840
7841 PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
7842 signature_size,
7843 &signature_length));
7844
7845 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7846
7847 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7848
7849 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7850 input_data->x, input_data->len,
7851 signature, signature_length));
7852
7853 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7854
7855 psa_interruptible_set_max_ops(1);
7856
7857 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7858 input_data->x, input_data->len,
7859 signature, signature_length));
7860
7861 TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
7862 PSA_OPERATION_INCOMPLETE);
7863
7864 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7865
7866 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7867
7868 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7869 input_data->x, input_data->len,
7870 signature, signature_length));
7871
7872 PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
7873
7874 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7875
7876 /* --- Attempt double starts. --- */
7877
7878 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7879 input_data->x, input_data->len));
7880
7881 TEST_EQUAL(psa_sign_hash_start(&sign_operation, key, alg,
7882 input_data->x, input_data->len),
7883 PSA_ERROR_BAD_STATE);
7884
7885 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7886
7887 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
7888 input_data->x, input_data->len,
7889 signature, signature_length));
7890
7891 TEST_EQUAL(psa_verify_hash_start(&verify_operation, key, alg,
7892 input_data->x, input_data->len,
7893 signature, signature_length),
7894 PSA_ERROR_BAD_STATE);
7895
7896 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
7897
Paul Elliott76d671a2023-02-07 17:45:18 +00007898exit:
7899 /*
7900 * Key attributes may have been returned by psa_get_key_attributes()
7901 * thus reset them as required.
7902 */
7903 psa_reset_key_attributes(&attributes);
7904
7905 psa_destroy_key(key);
7906 mbedtls_free(signature);
7907 PSA_DONE();
7908}
7909/* END_CASE */
7910
7911/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00007912/**
Paul Elliottc2033502023-02-26 17:09:14 +00007913 * interruptible_signverify_hash_edgecase_tests() test intentions:
Paul Elliottc7f68822023-02-24 17:37:04 +00007914 *
7915 * Note: This test can currently only handle ECDSA.
7916 *
7917 * 1. Test various edge cases in the interruptible sign and verify hash
7918 * interfaces.
7919 */
Paul Elliottc2033502023-02-26 17:09:14 +00007920void interruptible_signverify_hash_edgecase_tests(int key_type_arg,
Paul Elliott76d671a2023-02-07 17:45:18 +00007921 data_t *key_data, int alg_arg, data_t *input_data)
7922{
7923 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
7924 psa_key_type_t key_type = key_type_arg;
7925 psa_algorithm_t alg = alg_arg;
7926 size_t key_bits;
7927 unsigned char *signature = NULL;
7928 size_t signature_size;
7929 size_t signature_length = 0xdeadbeef;
7930 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7931 uint8_t *input_buffer = NULL;
7932 psa_sign_hash_interruptible_operation_t sign_operation =
7933 psa_sign_hash_interruptible_operation_init();
7934 psa_verify_hash_interruptible_operation_t verify_operation =
7935 psa_verify_hash_interruptible_operation_init();
7936
7937 PSA_ASSERT(psa_crypto_init());
7938
7939 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
7940 PSA_KEY_USAGE_VERIFY_HASH);
7941 psa_set_key_algorithm(&attributes, alg);
7942 psa_set_key_type(&attributes, key_type);
7943
7944 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
7945 &key));
7946 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
7947 key_bits = psa_get_key_bits(&attributes);
7948
7949 /* Allocate a buffer which has the size advertised by the
7950 * library. */
7951 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
7952 key_bits, alg);
7953 TEST_ASSERT(signature_size != 0);
7954 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01007955 TEST_CALLOC(signature, signature_size);
Paul Elliott76d671a2023-02-07 17:45:18 +00007956
Paul Elliott20a36062022-12-18 13:21:25 +00007957 /* --- Change function inputs mid run, to cause an error (sign only,
7958 * verify passes all inputs to start. --- */
7959
7960 psa_interruptible_set_max_ops(1);
7961
7962 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7963 input_data->x, input_data->len));
7964
7965 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7966 signature_size,
7967 &signature_length),
7968 PSA_OPERATION_INCOMPLETE);
7969
7970 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7971 0,
7972 &signature_length),
7973 PSA_ERROR_BUFFER_TOO_SMALL);
7974
Paul Elliottc9774412023-02-06 15:14:07 +00007975 /* And test that this invalidates the operation. */
7976 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
7977 0,
7978 &signature_length),
7979 PSA_ERROR_BAD_STATE);
7980
Paul Elliott20a36062022-12-18 13:21:25 +00007981 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
7982
Paul Elliottf9c91a72023-02-05 18:06:38 +00007983 /* Trash the hash buffer in between start and complete, to ensure
7984 * no reliance on external buffers. */
7985 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
7986
Paul Elliott6c68df42023-10-23 15:33:37 +01007987 TEST_CALLOC(input_buffer, input_data->len);
Paul Elliottf9c91a72023-02-05 18:06:38 +00007988
7989 memcpy(input_buffer, input_data->x, input_data->len);
7990
7991 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
7992 input_buffer, input_data->len));
7993
7994 memset(input_buffer, '!', input_data->len);
7995 mbedtls_free(input_buffer);
7996 input_buffer = NULL;
7997
7998 PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
7999 signature_size,
8000 &signature_length));
8001
8002 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
8003
Paul Elliott6c68df42023-10-23 15:33:37 +01008004 TEST_CALLOC(input_buffer, input_data->len);
Paul Elliottf9c91a72023-02-05 18:06:38 +00008005
8006 memcpy(input_buffer, input_data->x, input_data->len);
8007
8008 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
8009 input_buffer, input_data->len,
8010 signature, signature_length));
8011
8012 memset(input_buffer, '!', input_data->len);
8013 mbedtls_free(input_buffer);
8014 input_buffer = NULL;
8015
8016 PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
8017
8018 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
8019
Paul Elliott20a36062022-12-18 13:21:25 +00008020exit:
8021 /*
8022 * Key attributes may have been returned by psa_get_key_attributes()
8023 * thus reset them as required.
8024 */
8025 psa_reset_key_attributes(&attributes);
8026
8027 psa_destroy_key(key);
8028 mbedtls_free(signature);
Paul Elliott6c68df42023-10-23 15:33:37 +01008029 mbedtls_free(input_buffer);
Paul Elliott20a36062022-12-18 13:21:25 +00008030 PSA_DONE();
8031}
8032/* END_CASE */
8033
Paul Elliotta4cb9092023-02-07 18:01:55 +00008034/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
Paul Elliottc7f68822023-02-24 17:37:04 +00008035/**
Paul Elliott57702242023-02-26 20:36:10 +00008036 * interruptible_signverify_hash_ops_tests() test intentions:
Paul Elliottc7f68822023-02-24 17:37:04 +00008037 *
8038 * Note: This test can currently only handle ECDSA.
8039 *
8040 * 1. Test that setting max ops is reflected in both interruptible sign and
8041 * verify hash
Paul Elliott9e8819f2023-02-26 19:01:35 +00008042 * 2. Test that changing the value of max_ops to unlimited during an operation
8043 * causes that operation to complete in the next call.
Paul Elliottc1e04002023-02-26 20:27:23 +00008044 *
8045 * 3. Test that calling get_num_ops() between complete calls gives the same
8046 * result as calling get_num_ops() once at the end of the operation.
Paul Elliottc7f68822023-02-24 17:37:04 +00008047 */
Paul Elliott57702242023-02-26 20:36:10 +00008048void interruptible_signverify_hash_ops_tests(int key_type_arg,
8049 data_t *key_data, int alg_arg,
8050 data_t *input_data)
Paul Elliotta4cb9092023-02-07 18:01:55 +00008051{
8052 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8053 psa_key_type_t key_type = key_type_arg;
8054 psa_algorithm_t alg = alg_arg;
8055 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Paul Elliottf1743e22023-02-15 18:44:16 +00008056 size_t key_bits;
8057 unsigned char *signature = NULL;
8058 size_t signature_size;
Paul Elliott9e8819f2023-02-26 19:01:35 +00008059 size_t signature_length = 0xdeadbeef;
Paul Elliottc1e04002023-02-26 20:27:23 +00008060 uint32_t num_ops = 0;
8061 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8062
Paul Elliotta4cb9092023-02-07 18:01:55 +00008063 psa_sign_hash_interruptible_operation_t sign_operation =
8064 psa_sign_hash_interruptible_operation_init();
Paul Elliottf1743e22023-02-15 18:44:16 +00008065 psa_verify_hash_interruptible_operation_t verify_operation =
8066 psa_verify_hash_interruptible_operation_init();
Paul Elliotta4cb9092023-02-07 18:01:55 +00008067
8068 PSA_ASSERT(psa_crypto_init());
8069
8070 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
8071 PSA_KEY_USAGE_VERIFY_HASH);
8072 psa_set_key_algorithm(&attributes, alg);
8073 psa_set_key_type(&attributes, key_type);
8074
Paul Elliottf1743e22023-02-15 18:44:16 +00008075 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, &key));
8076 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8077 key_bits = psa_get_key_bits(&attributes);
8078
8079 /* Allocate a buffer which has the size advertised by the
8080 * library. */
8081 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg);
8082
8083 TEST_ASSERT(signature_size != 0);
8084 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008085 TEST_CALLOC(signature, signature_size);
Paul Elliotta4cb9092023-02-07 18:01:55 +00008086
8087 /* Check that default max ops gets set if we don't set it. */
8088 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
8089 input_data->x, input_data->len));
8090
8091 TEST_EQUAL(psa_interruptible_get_max_ops(),
8092 PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
8093
8094 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
8095
Paul Elliottf1743e22023-02-15 18:44:16 +00008096 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
8097 input_data->x, input_data->len,
8098 signature, signature_size));
8099
8100 TEST_EQUAL(psa_interruptible_get_max_ops(),
8101 PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
8102
8103 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
8104
Paul Elliotta4cb9092023-02-07 18:01:55 +00008105 /* Check that max ops gets set properly. */
8106
8107 psa_interruptible_set_max_ops(0xbeef);
8108
Paul Elliottf1743e22023-02-15 18:44:16 +00008109 TEST_EQUAL(psa_interruptible_get_max_ops(), 0xbeef);
Paul Elliotta4cb9092023-02-07 18:01:55 +00008110
Paul Elliott9e8819f2023-02-26 19:01:35 +00008111 /* --- Ensure changing the max ops mid operation works (operation should
8112 * complete successfully after setting max ops to unlimited --- */
8113 psa_interruptible_set_max_ops(1);
8114
8115 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
8116 input_data->x, input_data->len));
8117
8118 TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
8119 signature_size,
8120 &signature_length),
8121 PSA_OPERATION_INCOMPLETE);
8122
8123 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
8124
8125 PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
8126 signature_size,
8127 &signature_length));
8128
8129 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
8130
8131 psa_interruptible_set_max_ops(1);
8132
8133 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
8134 input_data->x, input_data->len,
8135 signature, signature_length));
8136
8137 TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
8138 PSA_OPERATION_INCOMPLETE);
8139
8140 psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
8141
8142 PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
8143
8144 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
8145
Paul Elliottc1e04002023-02-26 20:27:23 +00008146 /* --- Test that not calling get_num_ops inbetween complete calls does not
8147 * result in lost ops. ---*/
8148
8149 psa_interruptible_set_max_ops(1);
8150
8151 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
8152 input_data->x, input_data->len));
8153
8154 /* Continue performing the signature until complete. */
8155 do {
8156 status = psa_sign_hash_complete(&sign_operation, signature,
8157 signature_size,
8158 &signature_length);
8159
8160 num_ops = psa_sign_hash_get_num_ops(&sign_operation);
8161
8162 } while (status == PSA_OPERATION_INCOMPLETE);
8163
8164 PSA_ASSERT(status);
8165
8166 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
8167
8168 PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
8169 input_data->x, input_data->len));
8170
8171 /* Continue performing the signature until complete. */
8172 do {
8173 status = psa_sign_hash_complete(&sign_operation, signature,
8174 signature_size,
8175 &signature_length);
8176 } while (status == PSA_OPERATION_INCOMPLETE);
8177
8178 PSA_ASSERT(status);
8179
8180 TEST_EQUAL(num_ops, psa_sign_hash_get_num_ops(&sign_operation));
8181
8182 PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
8183
8184 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
8185 input_data->x, input_data->len,
8186 signature, signature_length));
8187
8188 /* Continue performing the verification until complete. */
8189 do {
8190 status = psa_verify_hash_complete(&verify_operation);
8191
8192 num_ops = psa_verify_hash_get_num_ops(&verify_operation);
8193
8194 } while (status == PSA_OPERATION_INCOMPLETE);
8195
8196 PSA_ASSERT(status);
8197
8198 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
8199
8200 PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
8201 input_data->x, input_data->len,
8202 signature, signature_length));
8203
8204 /* Continue performing the verification until complete. */
8205 do {
8206 status = psa_verify_hash_complete(&verify_operation);
8207
8208 } while (status == PSA_OPERATION_INCOMPLETE);
8209
8210 PSA_ASSERT(status);
8211
8212 TEST_EQUAL(num_ops, psa_verify_hash_get_num_ops(&verify_operation));
8213
8214 PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
8215
Paul Elliotta4cb9092023-02-07 18:01:55 +00008216exit:
8217 /*
8218 * Key attributes may have been returned by psa_get_key_attributes()
8219 * thus reset them as required.
8220 */
8221 psa_reset_key_attributes(&attributes);
8222
8223 psa_destroy_key(key);
Paul Elliottf1743e22023-02-15 18:44:16 +00008224 mbedtls_free(signature);
Paul Elliotta4cb9092023-02-07 18:01:55 +00008225 PSA_DONE();
8226}
8227/* END_CASE */
Paul Elliott76d671a2023-02-07 17:45:18 +00008228
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008229/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008230void sign_message_deterministic(int key_type_arg,
8231 data_t *key_data,
8232 int alg_arg,
8233 data_t *input_data,
8234 data_t *output_data)
gabor-mezei-arm53028482021-04-15 18:19:50 +02008235{
8236 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8237 psa_key_type_t key_type = key_type_arg;
8238 psa_algorithm_t alg = alg_arg;
8239 size_t key_bits;
8240 unsigned char *signature = NULL;
8241 size_t signature_size;
8242 size_t signature_length = 0xdeadbeef;
8243 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8244
Gilles Peskine449bd832023-01-11 14:50:10 +01008245 PSA_ASSERT(psa_crypto_init());
gabor-mezei-arm53028482021-04-15 18:19:50 +02008246
Gilles Peskine449bd832023-01-11 14:50:10 +01008247 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
8248 psa_set_key_algorithm(&attributes, alg);
8249 psa_set_key_type(&attributes, key_type);
gabor-mezei-arm53028482021-04-15 18:19:50 +02008250
Gilles Peskine449bd832023-01-11 14:50:10 +01008251 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8252 &key));
8253 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8254 key_bits = psa_get_key_bits(&attributes);
gabor-mezei-arm53028482021-04-15 18:19:50 +02008255
Gilles Peskine449bd832023-01-11 14:50:10 +01008256 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg);
8257 TEST_ASSERT(signature_size != 0);
8258 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008259 TEST_CALLOC(signature, signature_size);
gabor-mezei-arm53028482021-04-15 18:19:50 +02008260
Gilles Peskine449bd832023-01-11 14:50:10 +01008261 PSA_ASSERT(psa_sign_message(key, alg,
8262 input_data->x, input_data->len,
8263 signature, signature_size,
8264 &signature_length));
gabor-mezei-arm53028482021-04-15 18:19:50 +02008265
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01008266 TEST_MEMORY_COMPARE(output_data->x, output_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01008267 signature, signature_length);
gabor-mezei-arm53028482021-04-15 18:19:50 +02008268
8269exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008270 psa_reset_key_attributes(&attributes);
gabor-mezei-arm53028482021-04-15 18:19:50 +02008271
Gilles Peskine449bd832023-01-11 14:50:10 +01008272 psa_destroy_key(key);
8273 mbedtls_free(signature);
8274 PSA_DONE();
gabor-mezei-arm53028482021-04-15 18:19:50 +02008275
8276}
8277/* END_CASE */
8278
8279/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008280void sign_message_fail(int key_type_arg,
8281 data_t *key_data,
8282 int alg_arg,
8283 data_t *input_data,
8284 int signature_size_arg,
8285 int expected_status_arg)
8286{
8287 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8288 psa_key_type_t key_type = key_type_arg;
8289 psa_algorithm_t alg = alg_arg;
8290 size_t signature_size = signature_size_arg;
8291 psa_status_t actual_status;
8292 psa_status_t expected_status = expected_status_arg;
8293 unsigned char *signature = NULL;
8294 size_t signature_length = 0xdeadbeef;
8295 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8296
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008297 TEST_CALLOC(signature, signature_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01008298
8299 PSA_ASSERT(psa_crypto_init());
8300
8301 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
8302 psa_set_key_algorithm(&attributes, alg);
8303 psa_set_key_type(&attributes, key_type);
8304
8305 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8306 &key));
8307
8308 actual_status = psa_sign_message(key, alg,
8309 input_data->x, input_data->len,
8310 signature, signature_size,
8311 &signature_length);
8312 TEST_EQUAL(actual_status, expected_status);
8313 /* The value of *signature_length is unspecified on error, but
8314 * whatever it is, it should be less than signature_size, so that
8315 * if the caller tries to read *signature_length bytes without
8316 * checking the error code then they don't overflow a buffer. */
8317 TEST_LE_U(signature_length, signature_size);
8318
8319exit:
8320 psa_reset_key_attributes(&attributes);
8321 psa_destroy_key(key);
8322 mbedtls_free(signature);
8323 PSA_DONE();
8324}
8325/* END_CASE */
8326
8327/* BEGIN_CASE */
8328void sign_verify_message(int key_type_arg,
8329 data_t *key_data,
8330 int alg_arg,
8331 data_t *input_data)
8332{
8333 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8334 psa_key_type_t key_type = key_type_arg;
8335 psa_algorithm_t alg = alg_arg;
8336 size_t key_bits;
8337 unsigned char *signature = NULL;
8338 size_t signature_size;
8339 size_t signature_length = 0xdeadbeef;
8340 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8341
8342 PSA_ASSERT(psa_crypto_init());
8343
8344 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE |
8345 PSA_KEY_USAGE_VERIFY_MESSAGE);
8346 psa_set_key_algorithm(&attributes, alg);
8347 psa_set_key_type(&attributes, key_type);
8348
8349 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8350 &key));
8351 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8352 key_bits = psa_get_key_bits(&attributes);
8353
8354 signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg);
8355 TEST_ASSERT(signature_size != 0);
8356 TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008357 TEST_CALLOC(signature, signature_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01008358
8359 PSA_ASSERT(psa_sign_message(key, alg,
8360 input_data->x, input_data->len,
8361 signature, signature_size,
8362 &signature_length));
8363 TEST_LE_U(signature_length, signature_size);
8364 TEST_ASSERT(signature_length > 0);
8365
8366 PSA_ASSERT(psa_verify_message(key, alg,
8367 input_data->x, input_data->len,
8368 signature, signature_length));
8369
8370 if (input_data->len != 0) {
8371 /* Flip a bit in the input and verify that the signature is now
8372 * detected as invalid. Flip a bit at the beginning, not at the end,
8373 * because ECDSA may ignore the last few bits of the input. */
8374 input_data->x[0] ^= 1;
8375 TEST_EQUAL(psa_verify_message(key, alg,
8376 input_data->x, input_data->len,
8377 signature, signature_length),
8378 PSA_ERROR_INVALID_SIGNATURE);
8379 }
8380
8381exit:
8382 psa_reset_key_attributes(&attributes);
8383
8384 psa_destroy_key(key);
8385 mbedtls_free(signature);
8386 PSA_DONE();
8387}
8388/* END_CASE */
8389
8390/* BEGIN_CASE */
8391void verify_message(int key_type_arg,
8392 data_t *key_data,
8393 int alg_arg,
8394 data_t *input_data,
8395 data_t *signature_data)
8396{
8397 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8398 psa_key_type_t key_type = key_type_arg;
8399 psa_algorithm_t alg = alg_arg;
8400 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8401
8402 TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE);
8403
8404 PSA_ASSERT(psa_crypto_init());
8405
8406 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_MESSAGE);
8407 psa_set_key_algorithm(&attributes, alg);
8408 psa_set_key_type(&attributes, key_type);
8409
8410 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8411 &key));
8412
8413 PSA_ASSERT(psa_verify_message(key, alg,
8414 input_data->x, input_data->len,
8415 signature_data->x, signature_data->len));
8416
8417exit:
8418 psa_reset_key_attributes(&attributes);
8419 psa_destroy_key(key);
8420 PSA_DONE();
8421}
8422/* END_CASE */
8423
8424/* BEGIN_CASE */
8425void verify_message_fail(int key_type_arg,
8426 data_t *key_data,
8427 int alg_arg,
8428 data_t *hash_data,
8429 data_t *signature_data,
8430 int expected_status_arg)
8431{
8432 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
8433 psa_key_type_t key_type = key_type_arg;
8434 psa_algorithm_t alg = alg_arg;
8435 psa_status_t actual_status;
8436 psa_status_t expected_status = expected_status_arg;
8437 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8438
8439 PSA_ASSERT(psa_crypto_init());
8440
8441 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_MESSAGE);
8442 psa_set_key_algorithm(&attributes, alg);
8443 psa_set_key_type(&attributes, key_type);
8444
8445 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8446 &key));
8447
8448 actual_status = psa_verify_message(key, alg,
8449 hash_data->x, hash_data->len,
8450 signature_data->x,
8451 signature_data->len);
8452 TEST_EQUAL(actual_status, expected_status);
8453
8454exit:
8455 psa_reset_key_attributes(&attributes);
8456 psa_destroy_key(key);
8457 PSA_DONE();
8458}
8459/* END_CASE */
8460
8461/* BEGIN_CASE */
8462void asymmetric_encrypt(int key_type_arg,
gabor-mezei-arm53028482021-04-15 18:19:50 +02008463 data_t *key_data,
8464 int alg_arg,
8465 data_t *input_data,
Gilles Peskine449bd832023-01-11 14:50:10 +01008466 data_t *label,
8467 int expected_output_length_arg,
8468 int expected_status_arg)
Gilles Peskine656896e2018-06-29 19:12:28 +02008469{
Ronald Cron5425a212020-08-04 14:58:35 +02008470 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine656896e2018-06-29 19:12:28 +02008471 psa_key_type_t key_type = key_type_arg;
8472 psa_algorithm_t alg = alg_arg;
8473 size_t expected_output_length = expected_output_length_arg;
8474 size_t key_bits;
8475 unsigned char *output = NULL;
8476 size_t output_size;
8477 size_t output_length = ~0;
8478 psa_status_t actual_status;
8479 psa_status_t expected_status = expected_status_arg;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02008480 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine656896e2018-06-29 19:12:28 +02008481
Gilles Peskine449bd832023-01-11 14:50:10 +01008482 PSA_ASSERT(psa_crypto_init());
Gilles Peskinebdf309c2018-12-03 15:36:32 +01008483
Gilles Peskine656896e2018-06-29 19:12:28 +02008484 /* Import the key */
Gilles Peskine449bd832023-01-11 14:50:10 +01008485 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
8486 psa_set_key_algorithm(&attributes, alg);
8487 psa_set_key_type(&attributes, key_type);
8488 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8489 &key));
Gilles Peskine656896e2018-06-29 19:12:28 +02008490
8491 /* Determine the maximum output length */
Gilles Peskine449bd832023-01-11 14:50:10 +01008492 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8493 key_bits = psa_get_key_bits(&attributes);
gabor-mezei-armceface22021-01-21 12:26:17 +01008494
Gilles Peskine449bd832023-01-11 14:50:10 +01008495 output_size = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg);
8496 TEST_LE_U(output_size, PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008497 TEST_CALLOC(output, output_size);
Gilles Peskine656896e2018-06-29 19:12:28 +02008498
8499 /* Encrypt the input */
Gilles Peskine449bd832023-01-11 14:50:10 +01008500 actual_status = psa_asymmetric_encrypt(key, alg,
8501 input_data->x, input_data->len,
8502 label->x, label->len,
8503 output, output_size,
8504 &output_length);
8505 TEST_EQUAL(actual_status, expected_status);
oberon-sk10c0f772023-02-13 13:42:02 +01008506 if (actual_status == PSA_SUCCESS) {
8507 TEST_EQUAL(output_length, expected_output_length);
Stephan Koch5819d2c2023-02-22 13:39:21 +01008508 } else {
8509 TEST_LE_U(output_length, output_size);
oberon-sk10c0f772023-02-13 13:42:02 +01008510 }
Gilles Peskine656896e2018-06-29 19:12:28 +02008511
Gilles Peskine68428122018-06-30 18:42:41 +02008512 /* If the label is empty, the test framework puts a non-null pointer
8513 * in label->x. Test that a null pointer works as well. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008514 if (label->len == 0) {
Gilles Peskine68428122018-06-30 18:42:41 +02008515 output_length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01008516 if (output_size != 0) {
8517 memset(output, 0, output_size);
8518 }
8519 actual_status = psa_asymmetric_encrypt(key, alg,
8520 input_data->x, input_data->len,
8521 NULL, label->len,
8522 output, output_size,
8523 &output_length);
8524 TEST_EQUAL(actual_status, expected_status);
oberon-sk10c0f772023-02-13 13:42:02 +01008525 if (actual_status == PSA_SUCCESS) {
8526 TEST_EQUAL(output_length, expected_output_length);
Stephan Koch5819d2c2023-02-22 13:39:21 +01008527 } else {
8528 TEST_LE_U(output_length, output_size);
oberon-sk10c0f772023-02-13 13:42:02 +01008529 }
Gilles Peskine68428122018-06-30 18:42:41 +02008530 }
8531
Gilles Peskine656896e2018-06-29 19:12:28 +02008532exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01008533 /*
8534 * Key attributes may have been returned by psa_get_key_attributes()
8535 * thus reset them as required.
8536 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008537 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01008538
Gilles Peskine449bd832023-01-11 14:50:10 +01008539 psa_destroy_key(key);
8540 mbedtls_free(output);
8541 PSA_DONE();
Gilles Peskine656896e2018-06-29 19:12:28 +02008542}
8543/* END_CASE */
8544
8545/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008546void asymmetric_encrypt_decrypt(int key_type_arg,
8547 data_t *key_data,
8548 int alg_arg,
8549 data_t *input_data,
8550 data_t *label)
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008551{
Ronald Cron5425a212020-08-04 14:58:35 +02008552 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008553 psa_key_type_t key_type = key_type_arg;
8554 psa_algorithm_t alg = alg_arg;
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008555 size_t key_bits;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008556 unsigned char *output = NULL;
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008557 size_t output_size;
8558 size_t output_length = ~0;
Nir Sonnenschein0f3bdbd2018-05-02 23:56:12 +03008559 unsigned char *output2 = NULL;
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008560 size_t output2_size;
8561 size_t output2_length = ~0;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02008562 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008563
Gilles Peskine449bd832023-01-11 14:50:10 +01008564 PSA_ASSERT(psa_crypto_init());
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008565
Gilles Peskine449bd832023-01-11 14:50:10 +01008566 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
8567 psa_set_key_algorithm(&attributes, alg);
8568 psa_set_key_type(&attributes, key_type);
Nir Sonnenscheind7082602018-06-04 16:45:27 +03008569
Gilles Peskine449bd832023-01-11 14:50:10 +01008570 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8571 &key));
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008572
8573 /* Determine the maximum ciphertext length */
Gilles Peskine449bd832023-01-11 14:50:10 +01008574 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8575 key_bits = psa_get_key_bits(&attributes);
gabor-mezei-armceface22021-01-21 12:26:17 +01008576
Gilles Peskine449bd832023-01-11 14:50:10 +01008577 output_size = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg);
8578 TEST_LE_U(output_size, PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008579 TEST_CALLOC(output, output_size);
gabor-mezei-armceface22021-01-21 12:26:17 +01008580
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008581 output2_size = input_data->len;
Gilles Peskine449bd832023-01-11 14:50:10 +01008582 TEST_LE_U(output2_size,
8583 PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg));
8584 TEST_LE_U(output2_size, PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008585 TEST_CALLOC(output2, output2_size);
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008586
Gilles Peskineeebd7382018-06-08 18:11:54 +02008587 /* We test encryption by checking that encrypt-then-decrypt gives back
8588 * the original plaintext because of the non-optional random
8589 * part of encryption process which prevents using fixed vectors. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008590 PSA_ASSERT(psa_asymmetric_encrypt(key, alg,
8591 input_data->x, input_data->len,
8592 label->x, label->len,
8593 output, output_size,
8594 &output_length));
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008595 /* We don't know what ciphertext length to expect, but check that
8596 * it looks sensible. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008597 TEST_LE_U(output_length, output_size);
Nir Sonnenschein0f3bdbd2018-05-02 23:56:12 +03008598
Gilles Peskine449bd832023-01-11 14:50:10 +01008599 PSA_ASSERT(psa_asymmetric_decrypt(key, alg,
8600 output, output_length,
8601 label->x, label->len,
8602 output2, output2_size,
8603 &output2_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01008604 TEST_MEMORY_COMPARE(input_data->x, input_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01008605 output2, output2_length);
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008606
8607exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01008608 /*
8609 * Key attributes may have been returned by psa_get_key_attributes()
8610 * thus reset them as required.
8611 */
Gilles Peskine449bd832023-01-11 14:50:10 +01008612 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01008613
Gilles Peskine449bd832023-01-11 14:50:10 +01008614 psa_destroy_key(key);
8615 mbedtls_free(output);
8616 mbedtls_free(output2);
8617 PSA_DONE();
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008618}
8619/* END_CASE */
8620
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008621/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008622void asymmetric_decrypt(int key_type_arg,
8623 data_t *key_data,
8624 int alg_arg,
8625 data_t *input_data,
8626 data_t *label,
8627 data_t *expected_data)
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008628{
Ronald Cron5425a212020-08-04 14:58:35 +02008629 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008630 psa_key_type_t key_type = key_type_arg;
8631 psa_algorithm_t alg = alg_arg;
gabor-mezei-armceface22021-01-21 12:26:17 +01008632 size_t key_bits;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008633 unsigned char *output = NULL;
Nir Sonnenscheind70bc482018-06-04 16:31:13 +03008634 size_t output_size = 0;
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008635 size_t output_length = ~0;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02008636 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008637
Gilles Peskine449bd832023-01-11 14:50:10 +01008638 PSA_ASSERT(psa_crypto_init());
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008639
Gilles Peskine449bd832023-01-11 14:50:10 +01008640 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
8641 psa_set_key_algorithm(&attributes, alg);
8642 psa_set_key_type(&attributes, key_type);
Nir Sonnenscheind7082602018-06-04 16:45:27 +03008643
Gilles Peskine449bd832023-01-11 14:50:10 +01008644 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8645 &key));
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008646
Gilles Peskine449bd832023-01-11 14:50:10 +01008647 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
8648 key_bits = psa_get_key_bits(&attributes);
gabor-mezei-armceface22021-01-21 12:26:17 +01008649
8650 /* Determine the maximum ciphertext length */
Gilles Peskine449bd832023-01-11 14:50:10 +01008651 output_size = PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg);
8652 TEST_LE_U(output_size, PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008653 TEST_CALLOC(output, output_size);
gabor-mezei-armceface22021-01-21 12:26:17 +01008654
Gilles Peskine449bd832023-01-11 14:50:10 +01008655 PSA_ASSERT(psa_asymmetric_decrypt(key, alg,
8656 input_data->x, input_data->len,
8657 label->x, label->len,
8658 output,
8659 output_size,
8660 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01008661 TEST_MEMORY_COMPARE(expected_data->x, expected_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01008662 output, output_length);
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008663
Gilles Peskine68428122018-06-30 18:42:41 +02008664 /* If the label is empty, the test framework puts a non-null pointer
8665 * in label->x. Test that a null pointer works as well. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008666 if (label->len == 0) {
Gilles Peskine68428122018-06-30 18:42:41 +02008667 output_length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01008668 if (output_size != 0) {
8669 memset(output, 0, output_size);
8670 }
8671 PSA_ASSERT(psa_asymmetric_decrypt(key, alg,
8672 input_data->x, input_data->len,
8673 NULL, label->len,
8674 output,
8675 output_size,
8676 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01008677 TEST_MEMORY_COMPARE(expected_data->x, expected_data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01008678 output, output_length);
Gilles Peskine68428122018-06-30 18:42:41 +02008679 }
8680
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008681exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008682 psa_reset_key_attributes(&attributes);
8683 psa_destroy_key(key);
8684 mbedtls_free(output);
8685 PSA_DONE();
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008686}
8687/* END_CASE */
8688
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008689/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008690void asymmetric_decrypt_fail(int key_type_arg,
8691 data_t *key_data,
8692 int alg_arg,
8693 data_t *input_data,
8694 data_t *label,
8695 int output_size_arg,
8696 int expected_status_arg)
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008697{
Ronald Cron5425a212020-08-04 14:58:35 +02008698 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008699 psa_key_type_t key_type = key_type_arg;
8700 psa_algorithm_t alg = alg_arg;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008701 unsigned char *output = NULL;
Jaeden Amerof8daab72019-02-06 12:57:46 +00008702 size_t output_size = output_size_arg;
Gilles Peskine55c94dd2018-06-30 18:54:48 +02008703 size_t output_length = ~0;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008704 psa_status_t actual_status;
8705 psa_status_t expected_status = expected_status_arg;
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02008706 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008707
Tom Cosgrove05b2a872023-07-21 11:31:13 +01008708 TEST_CALLOC(output, output_size);
Gilles Peskine5b051bc2018-05-31 13:25:48 +02008709
Gilles Peskine449bd832023-01-11 14:50:10 +01008710 PSA_ASSERT(psa_crypto_init());
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008711
Gilles Peskine449bd832023-01-11 14:50:10 +01008712 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
8713 psa_set_key_algorithm(&attributes, alg);
8714 psa_set_key_type(&attributes, key_type);
Nir Sonnenscheind7082602018-06-04 16:45:27 +03008715
Gilles Peskine449bd832023-01-11 14:50:10 +01008716 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
8717 &key));
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008718
Gilles Peskine449bd832023-01-11 14:50:10 +01008719 actual_status = psa_asymmetric_decrypt(key, alg,
8720 input_data->x, input_data->len,
8721 label->x, label->len,
8722 output, output_size,
8723 &output_length);
8724 TEST_EQUAL(actual_status, expected_status);
8725 TEST_LE_U(output_length, output_size);
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008726
Gilles Peskine68428122018-06-30 18:42:41 +02008727 /* If the label is empty, the test framework puts a non-null pointer
8728 * in label->x. Test that a null pointer works as well. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008729 if (label->len == 0) {
Gilles Peskine68428122018-06-30 18:42:41 +02008730 output_length = ~0;
Gilles Peskine449bd832023-01-11 14:50:10 +01008731 if (output_size != 0) {
8732 memset(output, 0, output_size);
8733 }
8734 actual_status = psa_asymmetric_decrypt(key, alg,
8735 input_data->x, input_data->len,
8736 NULL, label->len,
8737 output, output_size,
8738 &output_length);
8739 TEST_EQUAL(actual_status, expected_status);
8740 TEST_LE_U(output_length, output_size);
Gilles Peskine68428122018-06-30 18:42:41 +02008741 }
8742
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008743exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008744 psa_reset_key_attributes(&attributes);
8745 psa_destroy_key(key);
8746 mbedtls_free(output);
8747 PSA_DONE();
Nir Sonnenschein39e59142018-05-02 23:16:26 +03008748}
Gilles Peskine5b051bc2018-05-31 13:25:48 +02008749/* END_CASE */
Gilles Peskine05d69892018-06-19 22:00:52 +02008750
8751/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008752void key_derivation_init()
Jaeden Amerod94d6712019-01-04 14:11:48 +00008753{
8754 /* Test each valid way of initializing the object, except for `= {0}`, as
8755 * Clang 5 complains when `-Wmissing-field-initializers` is used, even
8756 * though it's OK by the C standard. We could test for this, but we'd need
Shaun Case8b0ecbc2021-12-20 21:14:10 -08008757 * to suppress the Clang warning for the test. */
Jaeden Amero5229bbb2019-02-07 16:33:37 +00008758 size_t capacity;
Gilles Peskine449bd832023-01-11 14:50:10 +01008759 psa_key_derivation_operation_t func = psa_key_derivation_operation_init();
Gilles Peskinea99d3fb2019-05-16 15:28:51 +02008760 psa_key_derivation_operation_t init = PSA_KEY_DERIVATION_OPERATION_INIT;
8761 psa_key_derivation_operation_t zero;
Jaeden Amerod94d6712019-01-04 14:11:48 +00008762
Gilles Peskine449bd832023-01-11 14:50:10 +01008763 memset(&zero, 0, sizeof(zero));
Jaeden Amerod94d6712019-01-04 14:11:48 +00008764
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008765 /* A default operation should not be able to report its capacity. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008766 TEST_EQUAL(psa_key_derivation_get_capacity(&func, &capacity),
8767 PSA_ERROR_BAD_STATE);
8768 TEST_EQUAL(psa_key_derivation_get_capacity(&init, &capacity),
8769 PSA_ERROR_BAD_STATE);
8770 TEST_EQUAL(psa_key_derivation_get_capacity(&zero, &capacity),
8771 PSA_ERROR_BAD_STATE);
Jaeden Amero5229bbb2019-02-07 16:33:37 +00008772
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008773 /* A default operation should be abortable without error. */
Gilles Peskine449bd832023-01-11 14:50:10 +01008774 PSA_ASSERT(psa_key_derivation_abort(&func));
8775 PSA_ASSERT(psa_key_derivation_abort(&init));
8776 PSA_ASSERT(psa_key_derivation_abort(&zero));
Jaeden Amerod94d6712019-01-04 14:11:48 +00008777}
8778/* END_CASE */
8779
Janos Follath16de4a42019-06-13 16:32:24 +01008780/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008781void derive_setup(int alg_arg, int expected_status_arg)
Gilles Peskineea0fb492018-07-12 17:17:20 +02008782{
Gilles Peskineea0fb492018-07-12 17:17:20 +02008783 psa_algorithm_t alg = alg_arg;
Gilles Peskineea0fb492018-07-12 17:17:20 +02008784 psa_status_t expected_status = expected_status_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008785 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineea0fb492018-07-12 17:17:20 +02008786
Gilles Peskine449bd832023-01-11 14:50:10 +01008787 PSA_ASSERT(psa_crypto_init());
Gilles Peskineea0fb492018-07-12 17:17:20 +02008788
Gilles Peskine449bd832023-01-11 14:50:10 +01008789 TEST_EQUAL(psa_key_derivation_setup(&operation, alg),
8790 expected_status);
Gilles Peskineea0fb492018-07-12 17:17:20 +02008791
8792exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008793 psa_key_derivation_abort(&operation);
8794 PSA_DONE();
Gilles Peskineea0fb492018-07-12 17:17:20 +02008795}
8796/* END_CASE */
8797
Janos Follathaf3c2a02019-06-12 12:34:34 +01008798/* BEGIN_CASE */
Kusumit Ghoderao9ffd3972023-12-01 16:40:13 +05308799void derive_set_capacity(int alg_arg, int64_t capacity_arg,
Gilles Peskine449bd832023-01-11 14:50:10 +01008800 int expected_status_arg)
Janos Follatha27c9272019-06-14 09:59:36 +01008801{
8802 psa_algorithm_t alg = alg_arg;
8803 size_t capacity = capacity_arg;
8804 psa_status_t expected_status = expected_status_arg;
8805 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
8806
Gilles Peskine449bd832023-01-11 14:50:10 +01008807 PSA_ASSERT(psa_crypto_init());
Janos Follatha27c9272019-06-14 09:59:36 +01008808
Gilles Peskine449bd832023-01-11 14:50:10 +01008809 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
Janos Follatha27c9272019-06-14 09:59:36 +01008810
Gilles Peskine449bd832023-01-11 14:50:10 +01008811 TEST_EQUAL(psa_key_derivation_set_capacity(&operation, capacity),
8812 expected_status);
Janos Follatha27c9272019-06-14 09:59:36 +01008813
8814exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008815 psa_key_derivation_abort(&operation);
8816 PSA_DONE();
Janos Follatha27c9272019-06-14 09:59:36 +01008817}
8818/* END_CASE */
8819
8820/* BEGIN_CASE */
Kusumit Ghoderaod60dfc02023-05-01 17:39:27 +05308821void parse_binary_string_test(data_t *input, int output)
8822{
8823 uint64_t value;
Kusumit Ghoderao7c61ffc2023-09-05 19:29:47 +05308824 value = mbedtls_test_parse_binary_string(input);
Kusumit Ghoderaod60dfc02023-05-01 17:39:27 +05308825 TEST_EQUAL(value, output);
8826}
8827/* END_CASE */
8828
8829/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008830void derive_input(int alg_arg,
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308831 int step_arg1, int key_type_arg1, data_t *input1,
8832 int expected_status_arg1,
8833 int step_arg2, int key_type_arg2, data_t *input2,
8834 int expected_status_arg2,
8835 int step_arg3, int key_type_arg3, data_t *input3,
8836 int expected_status_arg3,
Gilles Peskine449bd832023-01-11 14:50:10 +01008837 int output_key_type_arg, int expected_output_status_arg)
Janos Follathaf3c2a02019-06-12 12:34:34 +01008838{
8839 psa_algorithm_t alg = alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01008840 psa_key_derivation_step_t steps[] = { step_arg1, step_arg2, step_arg3 };
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308841 uint32_t key_types[] = { key_type_arg1, key_type_arg2, key_type_arg3 };
Gilles Peskine449bd832023-01-11 14:50:10 +01008842 psa_status_t expected_statuses[] = { expected_status_arg1,
8843 expected_status_arg2,
8844 expected_status_arg3 };
8845 data_t *inputs[] = { input1, input2, input3 };
Ronald Cron5425a212020-08-04 14:58:35 +02008846 mbedtls_svc_key_id_t keys[] = { MBEDTLS_SVC_KEY_ID_INIT,
8847 MBEDTLS_SVC_KEY_ID_INIT,
8848 MBEDTLS_SVC_KEY_ID_INIT };
Janos Follathaf3c2a02019-06-12 12:34:34 +01008849 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
8850 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8851 size_t i;
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008852 psa_key_type_t output_key_type = output_key_type_arg;
Ronald Cron5425a212020-08-04 14:58:35 +02008853 mbedtls_svc_key_id_t output_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008854 psa_status_t expected_output_status = expected_output_status_arg;
8855 psa_status_t actual_output_status;
Janos Follathaf3c2a02019-06-12 12:34:34 +01008856
Gilles Peskine449bd832023-01-11 14:50:10 +01008857 PSA_ASSERT(psa_crypto_init());
Janos Follathaf3c2a02019-06-12 12:34:34 +01008858
Gilles Peskine449bd832023-01-11 14:50:10 +01008859 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
8860 psa_set_key_algorithm(&attributes, alg);
Janos Follathaf3c2a02019-06-12 12:34:34 +01008861
Gilles Peskine449bd832023-01-11 14:50:10 +01008862 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
Janos Follathaf3c2a02019-06-12 12:34:34 +01008863
Gilles Peskine449bd832023-01-11 14:50:10 +01008864 for (i = 0; i < ARRAY_LENGTH(steps); i++) {
8865 mbedtls_test_set_step(i);
8866 if (steps[i] == 0) {
Gilles Peskine4023c012021-05-27 13:21:20 +02008867 /* Skip this step */
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308868 } else if (((psa_key_type_t) key_types[i]) != PSA_KEY_TYPE_NONE &&
8869 key_types[i] != INPUT_INTEGER) {
8870 psa_set_key_type(&attributes, ((psa_key_type_t) key_types[i]));
Gilles Peskine449bd832023-01-11 14:50:10 +01008871 PSA_ASSERT(psa_import_key(&attributes,
8872 inputs[i]->x, inputs[i]->len,
8873 &keys[i]));
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308874 if (PSA_KEY_TYPE_IS_KEY_PAIR((psa_key_type_t) key_types[i]) &&
Gilles Peskine449bd832023-01-11 14:50:10 +01008875 steps[i] == PSA_KEY_DERIVATION_INPUT_SECRET) {
Steven Cooreman0ee0d522020-10-05 16:03:42 +02008876 // When taking a private key as secret input, use key agreement
8877 // to add the shared secret to the derivation
Gilles Peskine449bd832023-01-11 14:50:10 +01008878 TEST_EQUAL(mbedtls_test_psa_key_agreement_with_self(
Ryan Everett73e4ea32024-03-12 16:29:55 +00008879 &operation, keys[i], 0),
Gilles Peskine449bd832023-01-11 14:50:10 +01008880 expected_statuses[i]);
8881 } else {
8882 TEST_EQUAL(psa_key_derivation_input_key(&operation, steps[i],
8883 keys[i]),
8884 expected_statuses[i]);
Steven Cooreman0ee0d522020-10-05 16:03:42 +02008885 }
Gilles Peskine449bd832023-01-11 14:50:10 +01008886 } else {
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308887 if (key_types[i] == INPUT_INTEGER) {
8888 TEST_EQUAL(psa_key_derivation_input_integer(
8889 &operation, steps[i],
Kusumit Ghoderao7c61ffc2023-09-05 19:29:47 +05308890 mbedtls_test_parse_binary_string(inputs[i])),
Kusumit Ghoderao12e0b4b2023-04-27 16:58:23 +05308891 expected_statuses[i]);
8892 } else {
Kusumit Ghoderao02326d52023-04-06 17:47:59 +05308893 TEST_EQUAL(psa_key_derivation_input_bytes(
8894 &operation, steps[i],
8895 inputs[i]->x, inputs[i]->len),
8896 expected_statuses[i]);
Kusumit Ghoderao02326d52023-04-06 17:47:59 +05308897 }
Janos Follathaf3c2a02019-06-12 12:34:34 +01008898 }
8899 }
8900
Gilles Peskine449bd832023-01-11 14:50:10 +01008901 if (output_key_type != PSA_KEY_TYPE_NONE) {
8902 psa_reset_key_attributes(&attributes);
8903 psa_set_key_type(&attributes, output_key_type);
8904 psa_set_key_bits(&attributes, 8);
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008905 actual_output_status =
Gilles Peskine449bd832023-01-11 14:50:10 +01008906 psa_key_derivation_output_key(&attributes, &operation,
8907 &output_key);
8908 } else {
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008909 uint8_t buffer[1];
8910 actual_output_status =
Gilles Peskine449bd832023-01-11 14:50:10 +01008911 psa_key_derivation_output_bytes(&operation,
8912 buffer, sizeof(buffer));
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008913 }
Gilles Peskine449bd832023-01-11 14:50:10 +01008914 TEST_EQUAL(actual_output_status, expected_output_status);
Gilles Peskine1a2904c2019-09-24 17:45:07 +02008915
Janos Follathaf3c2a02019-06-12 12:34:34 +01008916exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008917 psa_key_derivation_abort(&operation);
8918 for (i = 0; i < ARRAY_LENGTH(keys); i++) {
8919 psa_destroy_key(keys[i]);
8920 }
8921 psa_destroy_key(output_key);
8922 PSA_DONE();
Janos Follathaf3c2a02019-06-12 12:34:34 +01008923}
8924/* END_CASE */
8925
Kusumit Ghoderao42b02b92023-06-06 16:48:46 +05308926/* BEGIN_CASE*/
8927void derive_input_invalid_cost(int alg_arg, int64_t cost)
8928{
8929 psa_algorithm_t alg = alg_arg;
8930 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
8931
8932 PSA_ASSERT(psa_crypto_init());
8933 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
8934
8935 TEST_EQUAL(psa_key_derivation_input_integer(&operation,
8936 PSA_KEY_DERIVATION_INPUT_COST,
8937 cost),
8938 PSA_ERROR_NOT_SUPPORTED);
8939
8940exit:
8941 psa_key_derivation_abort(&operation);
8942 PSA_DONE();
8943}
8944/* END_CASE*/
8945
Janos Follathd958bb72019-07-03 15:02:16 +01008946/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008947void derive_over_capacity(int alg_arg)
Nir Sonnenscheine5204c92018-10-22 17:24:55 +03008948{
Janos Follathd958bb72019-07-03 15:02:16 +01008949 psa_algorithm_t alg = alg_arg;
Ronald Cron5425a212020-08-04 14:58:35 +02008950 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Nir Sonnenschein4eda37b2018-10-31 12:15:58 +02008951 size_t key_type = PSA_KEY_TYPE_DERIVE;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008952 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Janos Follathd958bb72019-07-03 15:02:16 +01008953 unsigned char input1[] = "Input 1";
Gilles Peskine449bd832023-01-11 14:50:10 +01008954 size_t input1_length = sizeof(input1);
Janos Follathd958bb72019-07-03 15:02:16 +01008955 unsigned char input2[] = "Input 2";
Gilles Peskine449bd832023-01-11 14:50:10 +01008956 size_t input2_length = sizeof(input2);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008957 uint8_t buffer[42];
Gilles Peskine449bd832023-01-11 14:50:10 +01008958 size_t capacity = sizeof(buffer);
Nir Sonnenscheindd69d8b2018-11-01 12:24:23 +02008959 const uint8_t key_data[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
8960 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
Gilles Peskine449bd832023-01-11 14:50:10 +01008961 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
Gilles Peskine2c2cf0e2019-04-19 19:58:20 +02008962 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Nir Sonnenscheine5204c92018-10-22 17:24:55 +03008963
Gilles Peskine449bd832023-01-11 14:50:10 +01008964 PSA_ASSERT(psa_crypto_init());
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008965
Gilles Peskine449bd832023-01-11 14:50:10 +01008966 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
8967 psa_set_key_algorithm(&attributes, alg);
8968 psa_set_key_type(&attributes, key_type);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008969
Gilles Peskine449bd832023-01-11 14:50:10 +01008970 PSA_ASSERT(psa_import_key(&attributes,
8971 key_data, sizeof(key_data),
8972 &key));
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008973
8974 /* valid key derivation */
Gilles Peskine449bd832023-01-11 14:50:10 +01008975 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, key, alg,
8976 input1, input1_length,
8977 input2, input2_length,
Ryan Everettc1cc6682024-03-12 16:17:43 +00008978 capacity, 0)) {
Janos Follathd958bb72019-07-03 15:02:16 +01008979 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01008980 }
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008981
Gilles Peskine51ae0e42019-05-16 17:31:03 +02008982 /* state of operation shouldn't allow additional generation */
Gilles Peskine449bd832023-01-11 14:50:10 +01008983 TEST_EQUAL(psa_key_derivation_setup(&operation, alg),
8984 PSA_ERROR_BAD_STATE);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008985
Gilles Peskine449bd832023-01-11 14:50:10 +01008986 PSA_ASSERT(psa_key_derivation_output_bytes(&operation, buffer, capacity));
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008987
Gilles Peskine449bd832023-01-11 14:50:10 +01008988 TEST_EQUAL(psa_key_derivation_output_bytes(&operation, buffer, capacity),
8989 PSA_ERROR_INSUFFICIENT_DATA);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008990
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008991exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01008992 psa_key_derivation_abort(&operation);
8993 psa_destroy_key(key);
8994 PSA_DONE();
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008995}
8996/* END_CASE */
8997
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03008998/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01008999void derive_actions_without_setup()
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03009000{
9001 uint8_t output_buffer[16];
9002 size_t buffer_size = 16;
9003 size_t capacity = 0;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009004 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03009005
Gilles Peskine449bd832023-01-11 14:50:10 +01009006 TEST_ASSERT(psa_key_derivation_output_bytes(&operation,
9007 output_buffer, buffer_size)
9008 == PSA_ERROR_BAD_STATE);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03009009
Gilles Peskine449bd832023-01-11 14:50:10 +01009010 TEST_ASSERT(psa_key_derivation_get_capacity(&operation, &capacity)
9011 == PSA_ERROR_BAD_STATE);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03009012
Gilles Peskine449bd832023-01-11 14:50:10 +01009013 PSA_ASSERT(psa_key_derivation_abort(&operation));
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03009014
Gilles Peskine449bd832023-01-11 14:50:10 +01009015 TEST_ASSERT(psa_key_derivation_output_bytes(&operation,
9016 output_buffer, buffer_size)
9017 == PSA_ERROR_BAD_STATE);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03009018
Gilles Peskine449bd832023-01-11 14:50:10 +01009019 TEST_ASSERT(psa_key_derivation_get_capacity(&operation, &capacity)
9020 == PSA_ERROR_BAD_STATE);
Nir Sonnenscheinb46e7ca2018-10-25 14:46:09 +03009021
9022exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009023 psa_key_derivation_abort(&operation);
Nir Sonnenscheine5204c92018-10-22 17:24:55 +03009024}
9025/* END_CASE */
9026
9027/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009028void derive_output(int alg_arg,
9029 int step1_arg, data_t *input1, int expected_status_arg1,
9030 int step2_arg, data_t *input2, int expected_status_arg2,
9031 int step3_arg, data_t *input3, int expected_status_arg3,
9032 int step4_arg, data_t *input4, int expected_status_arg4,
9033 data_t *key_agreement_peer_key,
9034 int requested_capacity_arg,
9035 data_t *expected_output1,
9036 data_t *expected_output2,
9037 int other_key_input_type,
9038 int key_input_type,
9039 int derive_type)
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009040{
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009041 psa_algorithm_t alg = alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01009042 psa_key_derivation_step_t steps[] = { step1_arg, step2_arg, step3_arg, step4_arg };
9043 data_t *inputs[] = { input1, input2, input3, input4 };
9044 mbedtls_svc_key_id_t keys[] = { MBEDTLS_SVC_KEY_ID_INIT,
9045 MBEDTLS_SVC_KEY_ID_INIT,
9046 MBEDTLS_SVC_KEY_ID_INIT,
9047 MBEDTLS_SVC_KEY_ID_INIT };
9048 psa_status_t statuses[] = { expected_status_arg1, expected_status_arg2,
9049 expected_status_arg3, expected_status_arg4 };
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009050 size_t requested_capacity = requested_capacity_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009051 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009052 uint8_t *expected_outputs[2] =
Gilles Peskine449bd832023-01-11 14:50:10 +01009053 { expected_output1->x, expected_output2->x };
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009054 size_t output_sizes[2] =
Gilles Peskine449bd832023-01-11 14:50:10 +01009055 { expected_output1->len, expected_output2->len };
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009056 size_t output_buffer_size = 0;
9057 uint8_t *output_buffer = NULL;
9058 size_t expected_capacity;
9059 size_t current_capacity;
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009060 psa_key_attributes_t attributes1 = PSA_KEY_ATTRIBUTES_INIT;
9061 psa_key_attributes_t attributes2 = PSA_KEY_ATTRIBUTES_INIT;
9062 psa_key_attributes_t attributes3 = PSA_KEY_ATTRIBUTES_INIT;
9063 psa_key_attributes_t attributes4 = PSA_KEY_ATTRIBUTES_INIT;
Przemek Stekiel4daaa2b2022-04-20 10:06:38 +02009064 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009065 psa_status_t status;
Gilles Peskine1468da72019-05-29 17:35:49 +02009066 size_t i;
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009067
Gilles Peskine449bd832023-01-11 14:50:10 +01009068 for (i = 0; i < ARRAY_LENGTH(expected_outputs); i++) {
9069 if (output_sizes[i] > output_buffer_size) {
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009070 output_buffer_size = output_sizes[i];
Gilles Peskine449bd832023-01-11 14:50:10 +01009071 }
9072 if (output_sizes[i] == 0) {
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009073 expected_outputs[i] = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +01009074 }
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009075 }
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009076 TEST_CALLOC(output_buffer, output_buffer_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01009077 PSA_ASSERT(psa_crypto_init());
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009078
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009079 /* Extraction phase. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009080 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
9081 PSA_ASSERT(psa_key_derivation_set_capacity(&operation,
9082 requested_capacity));
9083 for (i = 0; i < ARRAY_LENGTH(steps); i++) {
9084 switch (steps[i]) {
Gilles Peskine1468da72019-05-29 17:35:49 +02009085 case 0:
9086 break;
Kusumit Ghoderao81797fc2023-06-05 15:05:09 +05309087 case PSA_KEY_DERIVATION_INPUT_COST:
9088 TEST_EQUAL(psa_key_derivation_input_integer(
Kusumit Ghoderaof28e0f52023-06-06 15:03:22 +05309089 &operation, steps[i],
Kusumit Ghoderao7c61ffc2023-09-05 19:29:47 +05309090 mbedtls_test_parse_binary_string(inputs[i])),
Kusumit Ghoderaof28e0f52023-06-06 15:03:22 +05309091 statuses[i]);
Kusumit Ghoderao81797fc2023-06-05 15:05:09 +05309092 if (statuses[i] != PSA_SUCCESS) {
9093 goto exit;
9094 }
9095 break;
9096 case PSA_KEY_DERIVATION_INPUT_PASSWORD:
Gilles Peskine1468da72019-05-29 17:35:49 +02009097 case PSA_KEY_DERIVATION_INPUT_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +01009098 switch (key_input_type) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009099 case 0: // input bytes
Gilles Peskine449bd832023-01-11 14:50:10 +01009100 TEST_EQUAL(psa_key_derivation_input_bytes(
9101 &operation, steps[i],
9102 inputs[i]->x, inputs[i]->len),
9103 statuses[i]);
Przemek Stekielfcdd0232022-05-19 10:28:58 +02009104
Gilles Peskine449bd832023-01-11 14:50:10 +01009105 if (statuses[i] != PSA_SUCCESS) {
Przemek Stekielfcdd0232022-05-19 10:28:58 +02009106 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009107 }
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009108 break;
9109 case 1: // input key
Gilles Peskine449bd832023-01-11 14:50:10 +01009110 psa_set_key_usage_flags(&attributes1, PSA_KEY_USAGE_DERIVE);
9111 psa_set_key_algorithm(&attributes1, alg);
9112 psa_set_key_type(&attributes1, PSA_KEY_TYPE_DERIVE);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009113
Gilles Peskine449bd832023-01-11 14:50:10 +01009114 PSA_ASSERT(psa_import_key(&attributes1,
9115 inputs[i]->x, inputs[i]->len,
9116 &keys[i]));
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009117
Gilles Peskine449bd832023-01-11 14:50:10 +01009118 if (PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) {
9119 PSA_ASSERT(psa_get_key_attributes(keys[i], &attributes1));
9120 TEST_LE_U(PSA_BITS_TO_BYTES(psa_get_key_bits(&attributes1)),
9121 PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009122 }
9123
Kusumit Ghoderao81797fc2023-06-05 15:05:09 +05309124 TEST_EQUAL(psa_key_derivation_input_key(&operation,
Gilles Peskine449bd832023-01-11 14:50:10 +01009125 steps[i],
Kusumit Ghoderao81797fc2023-06-05 15:05:09 +05309126 keys[i]),
9127 statuses[i]);
9128
9129 if (statuses[i] != PSA_SUCCESS) {
9130 goto exit;
9131 }
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009132 break;
9133 default:
Agathiyan Bragadeeshdc28a5a2023-07-18 11:45:28 +01009134 TEST_FAIL("default case not supported");
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009135 break;
9136 }
9137 break;
9138 case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +01009139 switch (other_key_input_type) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009140 case 0: // input bytes
Gilles Peskine449bd832023-01-11 14:50:10 +01009141 TEST_EQUAL(psa_key_derivation_input_bytes(&operation,
9142 steps[i],
9143 inputs[i]->x,
9144 inputs[i]->len),
9145 statuses[i]);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009146 break;
Przemek Stekiele6654662022-04-20 09:14:51 +02009147 case 1: // input key, type DERIVE
9148 case 11: // input key, type RAW
Gilles Peskine449bd832023-01-11 14:50:10 +01009149 psa_set_key_usage_flags(&attributes2, PSA_KEY_USAGE_DERIVE);
9150 psa_set_key_algorithm(&attributes2, alg);
9151 psa_set_key_type(&attributes2, PSA_KEY_TYPE_DERIVE);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009152
9153 // other secret of type RAW_DATA passed with input_key
Gilles Peskine449bd832023-01-11 14:50:10 +01009154 if (other_key_input_type == 11) {
9155 psa_set_key_type(&attributes2, PSA_KEY_TYPE_RAW_DATA);
9156 }
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009157
Gilles Peskine449bd832023-01-11 14:50:10 +01009158 PSA_ASSERT(psa_import_key(&attributes2,
9159 inputs[i]->x, inputs[i]->len,
9160 &keys[i]));
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009161
Gilles Peskine449bd832023-01-11 14:50:10 +01009162 TEST_EQUAL(psa_key_derivation_input_key(&operation,
9163 steps[i],
9164 keys[i]),
9165 statuses[i]);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009166 break;
9167 case 2: // key agreement
Gilles Peskine449bd832023-01-11 14:50:10 +01009168 psa_set_key_usage_flags(&attributes3, PSA_KEY_USAGE_DERIVE);
9169 psa_set_key_algorithm(&attributes3, alg);
9170 psa_set_key_type(&attributes3,
9171 PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009172
Gilles Peskine449bd832023-01-11 14:50:10 +01009173 PSA_ASSERT(psa_import_key(&attributes3,
9174 inputs[i]->x, inputs[i]->len,
9175 &keys[i]));
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009176
Gilles Peskine449bd832023-01-11 14:50:10 +01009177 TEST_EQUAL(psa_key_derivation_key_agreement(
9178 &operation,
9179 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET,
9180 keys[i], key_agreement_peer_key->x,
9181 key_agreement_peer_key->len), statuses[i]);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009182 break;
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009183 default:
Agathiyan Bragadeeshdc28a5a2023-07-18 11:45:28 +01009184 TEST_FAIL("default case not supported");
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009185 break;
gabor-mezei-armceface22021-01-21 12:26:17 +01009186 }
9187
Gilles Peskine449bd832023-01-11 14:50:10 +01009188 if (statuses[i] != PSA_SUCCESS) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009189 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009190 }
Gilles Peskine1468da72019-05-29 17:35:49 +02009191 break;
9192 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01009193 TEST_EQUAL(psa_key_derivation_input_bytes(
9194 &operation, steps[i],
9195 inputs[i]->x, inputs[i]->len), statuses[i]);
Przemek Stekielead1bb92022-05-11 12:22:57 +02009196
Gilles Peskine449bd832023-01-11 14:50:10 +01009197 if (statuses[i] != PSA_SUCCESS) {
Przemek Stekielead1bb92022-05-11 12:22:57 +02009198 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009199 }
Gilles Peskine1468da72019-05-29 17:35:49 +02009200 break;
9201 }
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01009202 }
Gilles Peskine1468da72019-05-29 17:35:49 +02009203
Gilles Peskine449bd832023-01-11 14:50:10 +01009204 PSA_ASSERT(psa_key_derivation_get_capacity(&operation,
9205 &current_capacity));
9206 TEST_EQUAL(current_capacity, requested_capacity);
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009207 expected_capacity = requested_capacity;
9208
Gilles Peskine449bd832023-01-11 14:50:10 +01009209 if (derive_type == 1) { // output key
Przemek Stekiel4daaa2b2022-04-20 10:06:38 +02009210 psa_status_t expected_status = PSA_ERROR_NOT_PERMITTED;
9211
9212 /* For output key derivation secret must be provided using
9213 input key, otherwise operation is not permitted. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009214 if (key_input_type == 1) {
Przemek Stekiel4daaa2b2022-04-20 10:06:38 +02009215 expected_status = PSA_SUCCESS;
Gilles Peskine449bd832023-01-11 14:50:10 +01009216 }
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009217
Gilles Peskine449bd832023-01-11 14:50:10 +01009218 psa_set_key_usage_flags(&attributes4, PSA_KEY_USAGE_EXPORT);
9219 psa_set_key_algorithm(&attributes4, alg);
9220 psa_set_key_type(&attributes4, PSA_KEY_TYPE_DERIVE);
9221 psa_set_key_bits(&attributes4, PSA_BYTES_TO_BITS(requested_capacity));
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009222
Gilles Peskine449bd832023-01-11 14:50:10 +01009223 TEST_EQUAL(psa_key_derivation_output_key(&attributes4, &operation,
9224 &derived_key), expected_status);
9225 } else { // output bytes
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009226 /* Expansion phase. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009227 for (i = 0; i < ARRAY_LENGTH(expected_outputs); i++) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009228 /* Read some bytes. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009229 status = psa_key_derivation_output_bytes(&operation,
9230 output_buffer, output_sizes[i]);
9231 if (expected_capacity == 0 && output_sizes[i] == 0) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009232 /* Reading 0 bytes when 0 bytes are available can go either way. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009233 TEST_ASSERT(status == PSA_SUCCESS ||
9234 status == PSA_ERROR_INSUFFICIENT_DATA);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009235 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +01009236 } else if (expected_capacity == 0 ||
9237 output_sizes[i] > expected_capacity) {
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009238 /* Capacity exceeded. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009239 TEST_EQUAL(status, PSA_ERROR_INSUFFICIENT_DATA);
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009240 expected_capacity = 0;
9241 continue;
9242 }
9243 /* Success. Check the read data. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009244 PSA_ASSERT(status);
9245 if (output_sizes[i] != 0) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009246 TEST_MEMORY_COMPARE(output_buffer, output_sizes[i],
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009247 expected_outputs[i], output_sizes[i]);
Gilles Peskine449bd832023-01-11 14:50:10 +01009248 }
Przemek Stekielcd00d7f2022-04-01 13:40:48 +02009249 /* Check the operation status. */
9250 expected_capacity -= output_sizes[i];
Gilles Peskine449bd832023-01-11 14:50:10 +01009251 PSA_ASSERT(psa_key_derivation_get_capacity(&operation,
9252 &current_capacity));
9253 TEST_EQUAL(expected_capacity, current_capacity);
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009254 }
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009255 }
Gilles Peskine449bd832023-01-11 14:50:10 +01009256 PSA_ASSERT(psa_key_derivation_abort(&operation));
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009257
9258exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009259 mbedtls_free(output_buffer);
9260 psa_key_derivation_abort(&operation);
9261 for (i = 0; i < ARRAY_LENGTH(keys); i++) {
9262 psa_destroy_key(keys[i]);
9263 }
9264 psa_destroy_key(derived_key);
9265 PSA_DONE();
Gilles Peskine96ee5c72018-07-12 17:24:54 +02009266}
9267/* END_CASE */
9268
9269/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009270void derive_full(int alg_arg,
9271 data_t *key_data,
9272 data_t *input1,
9273 data_t *input2,
9274 int requested_capacity_arg)
Gilles Peskined54931c2018-07-17 21:06:59 +02009275{
Ronald Cron5425a212020-08-04 14:58:35 +02009276 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskined54931c2018-07-17 21:06:59 +02009277 psa_algorithm_t alg = alg_arg;
9278 size_t requested_capacity = requested_capacity_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009279 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Kusumit Ghoderao9ffd3972023-12-01 16:40:13 +05309280 unsigned char output_buffer[32];
Gilles Peskined54931c2018-07-17 21:06:59 +02009281 size_t expected_capacity = requested_capacity;
9282 size_t current_capacity;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009283 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskined54931c2018-07-17 21:06:59 +02009284
Gilles Peskine449bd832023-01-11 14:50:10 +01009285 PSA_ASSERT(psa_crypto_init());
Gilles Peskined54931c2018-07-17 21:06:59 +02009286
Gilles Peskine449bd832023-01-11 14:50:10 +01009287 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9288 psa_set_key_algorithm(&attributes, alg);
9289 psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
Gilles Peskined54931c2018-07-17 21:06:59 +02009290
Gilles Peskine449bd832023-01-11 14:50:10 +01009291 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
9292 &key));
Gilles Peskined54931c2018-07-17 21:06:59 +02009293
Gilles Peskine449bd832023-01-11 14:50:10 +01009294 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, key, alg,
9295 input1->x, input1->len,
9296 input2->x, input2->len,
Ryan Everettc1cc6682024-03-12 16:17:43 +00009297 requested_capacity, 0)) {
Janos Follathf2815ea2019-07-03 12:41:36 +01009298 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009299 }
Janos Follath47f27ed2019-06-25 13:24:52 +01009300
Gilles Peskine449bd832023-01-11 14:50:10 +01009301 PSA_ASSERT(psa_key_derivation_get_capacity(&operation,
9302 &current_capacity));
9303 TEST_EQUAL(current_capacity, expected_capacity);
Gilles Peskined54931c2018-07-17 21:06:59 +02009304
9305 /* Expansion phase. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009306 while (current_capacity > 0) {
9307 size_t read_size = sizeof(output_buffer);
9308 if (read_size > current_capacity) {
Gilles Peskined54931c2018-07-17 21:06:59 +02009309 read_size = current_capacity;
Gilles Peskine449bd832023-01-11 14:50:10 +01009310 }
9311 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
9312 output_buffer,
9313 read_size));
Gilles Peskined54931c2018-07-17 21:06:59 +02009314 expected_capacity -= read_size;
Gilles Peskine449bd832023-01-11 14:50:10 +01009315 PSA_ASSERT(psa_key_derivation_get_capacity(&operation,
9316 &current_capacity));
9317 TEST_EQUAL(current_capacity, expected_capacity);
Gilles Peskined54931c2018-07-17 21:06:59 +02009318 }
9319
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009320 /* Check that the operation refuses to go over capacity. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009321 TEST_EQUAL(psa_key_derivation_output_bytes(&operation, output_buffer, 1),
9322 PSA_ERROR_INSUFFICIENT_DATA);
Gilles Peskined54931c2018-07-17 21:06:59 +02009323
Gilles Peskine449bd832023-01-11 14:50:10 +01009324 PSA_ASSERT(psa_key_derivation_abort(&operation));
Gilles Peskined54931c2018-07-17 21:06:59 +02009325
9326exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009327 psa_key_derivation_abort(&operation);
9328 psa_destroy_key(key);
9329 PSA_DONE();
Gilles Peskined54931c2018-07-17 21:06:59 +02009330}
9331/* END_CASE */
9332
Stephan Koch78109f52023-04-12 14:19:36 +02009333/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS */
Gilles Peskine449bd832023-01-11 14:50:10 +01009334void derive_ecjpake_to_pms(data_t *input, int expected_input_status_arg,
9335 int derivation_step,
9336 int capacity, int expected_capacity_status_arg,
9337 data_t *expected_output,
9338 int expected_output_status_arg)
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009339{
9340 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
9341 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Andrzej Kurekd3785042022-09-16 06:45:44 -04009342 psa_key_derivation_step_t step = (psa_key_derivation_step_t) derivation_step;
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009343 uint8_t *output_buffer = NULL;
9344 psa_status_t status;
Andrzej Kurek3539f2c2022-09-26 10:56:02 -04009345 psa_status_t expected_input_status = (psa_status_t) expected_input_status_arg;
9346 psa_status_t expected_capacity_status = (psa_status_t) expected_capacity_status_arg;
9347 psa_status_t expected_output_status = (psa_status_t) expected_output_status_arg;
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009348
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009349 TEST_CALLOC(output_buffer, expected_output->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009350 PSA_ASSERT(psa_crypto_init());
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009351
Gilles Peskine449bd832023-01-11 14:50:10 +01009352 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
9353 TEST_EQUAL(psa_key_derivation_set_capacity(&operation, capacity),
9354 expected_capacity_status);
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009355
Gilles Peskine449bd832023-01-11 14:50:10 +01009356 TEST_EQUAL(psa_key_derivation_input_bytes(&operation,
9357 step, input->x, input->len),
9358 expected_input_status);
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009359
Gilles Peskine449bd832023-01-11 14:50:10 +01009360 if (((psa_status_t) expected_input_status) != PSA_SUCCESS) {
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009361 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009362 }
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009363
Gilles Peskine449bd832023-01-11 14:50:10 +01009364 status = psa_key_derivation_output_bytes(&operation, output_buffer,
9365 expected_output->len);
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009366
Gilles Peskine449bd832023-01-11 14:50:10 +01009367 TEST_EQUAL(status, expected_output_status);
9368 if (expected_output->len != 0 && expected_output_status == PSA_SUCCESS) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009369 TEST_MEMORY_COMPARE(output_buffer, expected_output->len, expected_output->x,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009370 expected_output->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009371 }
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009372
9373exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009374 mbedtls_free(output_buffer);
9375 psa_key_derivation_abort(&operation);
Andrzej Kurekd8705bc2022-07-29 10:02:05 -04009376 PSA_DONE();
9377}
9378/* END_CASE */
9379
Janos Follathe60c9052019-07-03 13:51:30 +01009380/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009381void derive_key_exercise(int alg_arg,
9382 data_t *key_data,
9383 data_t *input1,
9384 data_t *input2,
9385 int derived_type_arg,
9386 int derived_bits_arg,
9387 int derived_usage_arg,
9388 int derived_alg_arg)
Gilles Peskine0386fba2018-07-12 17:29:22 +02009389{
Ronald Cron5425a212020-08-04 14:58:35 +02009390 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9391 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine0386fba2018-07-12 17:29:22 +02009392 psa_algorithm_t alg = alg_arg;
9393 psa_key_type_t derived_type = derived_type_arg;
9394 size_t derived_bits = derived_bits_arg;
9395 psa_key_usage_t derived_usage = derived_usage_arg;
9396 psa_algorithm_t derived_alg = derived_alg_arg;
Gilles Peskine449bd832023-01-11 14:50:10 +01009397 size_t capacity = PSA_BITS_TO_BYTES(derived_bits);
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009398 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009399 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02009400 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine0386fba2018-07-12 17:29:22 +02009401
Gilles Peskine449bd832023-01-11 14:50:10 +01009402 PSA_ASSERT(psa_crypto_init());
Gilles Peskine0386fba2018-07-12 17:29:22 +02009403
Gilles Peskine449bd832023-01-11 14:50:10 +01009404 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9405 psa_set_key_algorithm(&attributes, alg);
9406 psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
9407 PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
9408 &base_key));
Gilles Peskine0386fba2018-07-12 17:29:22 +02009409
9410 /* Derive a key. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009411 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
9412 input1->x, input1->len,
9413 input2->x, input2->len,
Ryan Everettc1cc6682024-03-12 16:17:43 +00009414 capacity, 0)) {
Janos Follathe60c9052019-07-03 13:51:30 +01009415 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009416 }
Janos Follathe60c9052019-07-03 13:51:30 +01009417
Gilles Peskine449bd832023-01-11 14:50:10 +01009418 psa_set_key_usage_flags(&attributes, derived_usage);
9419 psa_set_key_algorithm(&attributes, derived_alg);
9420 psa_set_key_type(&attributes, derived_type);
9421 psa_set_key_bits(&attributes, derived_bits);
9422 PSA_ASSERT(psa_key_derivation_output_key(&attributes, &operation,
9423 &derived_key));
Gilles Peskine0386fba2018-07-12 17:29:22 +02009424
9425 /* Test the key information */
Gilles Peskine449bd832023-01-11 14:50:10 +01009426 PSA_ASSERT(psa_get_key_attributes(derived_key, &got_attributes));
9427 TEST_EQUAL(psa_get_key_type(&got_attributes), derived_type);
9428 TEST_EQUAL(psa_get_key_bits(&got_attributes), derived_bits);
Gilles Peskine0386fba2018-07-12 17:29:22 +02009429
9430 /* Exercise the derived key. */
Ryan Everett0a271fd2024-03-12 16:34:02 +00009431 if (!mbedtls_test_psa_exercise_key(derived_key, derived_usage, derived_alg, 0)) {
Gilles Peskine0386fba2018-07-12 17:29:22 +02009432 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009433 }
Gilles Peskine0386fba2018-07-12 17:29:22 +02009434
9435exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +01009436 /*
9437 * Key attributes may have been returned by psa_get_key_attributes()
9438 * thus reset them as required.
9439 */
Gilles Peskine449bd832023-01-11 14:50:10 +01009440 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +01009441
Gilles Peskine449bd832023-01-11 14:50:10 +01009442 psa_key_derivation_abort(&operation);
9443 psa_destroy_key(base_key);
9444 psa_destroy_key(derived_key);
9445 PSA_DONE();
Gilles Peskine0386fba2018-07-12 17:29:22 +02009446}
9447/* END_CASE */
9448
Janos Follath42fd8882019-07-03 14:17:09 +01009449/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009450void derive_key_export(int alg_arg,
9451 data_t *key_data,
9452 data_t *input1,
9453 data_t *input2,
9454 int bytes1_arg,
9455 int bytes2_arg)
Gilles Peskine0386fba2018-07-12 17:29:22 +02009456{
Ronald Cron5425a212020-08-04 14:58:35 +02009457 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9458 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine0386fba2018-07-12 17:29:22 +02009459 psa_algorithm_t alg = alg_arg;
9460 size_t bytes1 = bytes1_arg;
9461 size_t bytes2 = bytes2_arg;
9462 size_t capacity = bytes1 + bytes2;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009463 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskine8cebbba2018-09-27 13:54:18 +02009464 uint8_t *output_buffer = NULL;
9465 uint8_t *export_buffer = NULL;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009466 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
9467 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine0386fba2018-07-12 17:29:22 +02009468 size_t length;
9469
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009470 TEST_CALLOC(output_buffer, capacity);
9471 TEST_CALLOC(export_buffer, capacity);
Gilles Peskine449bd832023-01-11 14:50:10 +01009472 PSA_ASSERT(psa_crypto_init());
Gilles Peskine0386fba2018-07-12 17:29:22 +02009473
Gilles Peskine449bd832023-01-11 14:50:10 +01009474 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
9475 psa_set_key_algorithm(&base_attributes, alg);
9476 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
9477 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
9478 &base_key));
Gilles Peskine0386fba2018-07-12 17:29:22 +02009479
9480 /* Derive some material and output it. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009481 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
9482 input1->x, input1->len,
9483 input2->x, input2->len,
Ryan Everettc1cc6682024-03-12 16:17:43 +00009484 capacity, 0)) {
Janos Follath42fd8882019-07-03 14:17:09 +01009485 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009486 }
Janos Follath42fd8882019-07-03 14:17:09 +01009487
Gilles Peskine449bd832023-01-11 14:50:10 +01009488 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
9489 output_buffer,
9490 capacity));
9491 PSA_ASSERT(psa_key_derivation_abort(&operation));
Gilles Peskine0386fba2018-07-12 17:29:22 +02009492
9493 /* Derive the same output again, but this time store it in key objects. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009494 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
9495 input1->x, input1->len,
9496 input2->x, input2->len,
Ryan Everettc1cc6682024-03-12 16:17:43 +00009497 capacity, 0)) {
Janos Follath42fd8882019-07-03 14:17:09 +01009498 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009499 }
Janos Follath42fd8882019-07-03 14:17:09 +01009500
Gilles Peskine449bd832023-01-11 14:50:10 +01009501 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
9502 psa_set_key_algorithm(&derived_attributes, 0);
9503 psa_set_key_type(&derived_attributes, PSA_KEY_TYPE_RAW_DATA);
9504 psa_set_key_bits(&derived_attributes, PSA_BYTES_TO_BITS(bytes1));
9505 PSA_ASSERT(psa_key_derivation_output_key(&derived_attributes, &operation,
9506 &derived_key));
9507 PSA_ASSERT(psa_export_key(derived_key,
9508 export_buffer, bytes1,
9509 &length));
9510 TEST_EQUAL(length, bytes1);
9511 PSA_ASSERT(psa_destroy_key(derived_key));
9512 psa_set_key_bits(&derived_attributes, PSA_BYTES_TO_BITS(bytes2));
9513 PSA_ASSERT(psa_key_derivation_output_key(&derived_attributes, &operation,
9514 &derived_key));
9515 PSA_ASSERT(psa_export_key(derived_key,
9516 export_buffer + bytes1, bytes2,
9517 &length));
9518 TEST_EQUAL(length, bytes2);
Gilles Peskine0386fba2018-07-12 17:29:22 +02009519
9520 /* Compare the outputs from the two runs. */
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009521 TEST_MEMORY_COMPARE(output_buffer, bytes1 + bytes2,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009522 export_buffer, capacity);
Gilles Peskine0386fba2018-07-12 17:29:22 +02009523
9524exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009525 mbedtls_free(output_buffer);
9526 mbedtls_free(export_buffer);
9527 psa_key_derivation_abort(&operation);
9528 psa_destroy_key(base_key);
9529 psa_destroy_key(derived_key);
9530 PSA_DONE();
Gilles Peskine0386fba2018-07-12 17:29:22 +02009531}
9532/* END_CASE */
9533
9534/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009535void derive_key_type(int alg_arg,
9536 data_t *key_data,
9537 data_t *input1,
9538 data_t *input2,
9539 int key_type_arg, int bits_arg,
9540 data_t *expected_export)
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009541{
9542 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9543 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
9544 const psa_algorithm_t alg = alg_arg;
9545 const psa_key_type_t key_type = key_type_arg;
9546 const size_t bits = bits_arg;
9547 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
9548 const size_t export_buffer_size =
Gilles Peskine449bd832023-01-11 14:50:10 +01009549 PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits);
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009550 uint8_t *export_buffer = NULL;
9551 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
9552 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
9553 size_t export_length;
9554
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009555 TEST_CALLOC(export_buffer, export_buffer_size);
Gilles Peskine449bd832023-01-11 14:50:10 +01009556 PSA_ASSERT(psa_crypto_init());
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009557
Gilles Peskine449bd832023-01-11 14:50:10 +01009558 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
9559 psa_set_key_algorithm(&base_attributes, alg);
9560 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
9561 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
9562 &base_key));
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009563
Gilles Peskine449bd832023-01-11 14:50:10 +01009564 if (mbedtls_test_psa_setup_key_derivation_wrap(
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009565 &operation, base_key, alg,
9566 input1->x, input1->len,
9567 input2->x, input2->len,
Ryan Everettc1cc6682024-03-12 16:17:43 +00009568 PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) {
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009569 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009570 }
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009571
Gilles Peskine449bd832023-01-11 14:50:10 +01009572 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
9573 psa_set_key_algorithm(&derived_attributes, 0);
9574 psa_set_key_type(&derived_attributes, key_type);
9575 psa_set_key_bits(&derived_attributes, bits);
9576 PSA_ASSERT(psa_key_derivation_output_key(&derived_attributes, &operation,
9577 &derived_key));
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009578
Gilles Peskine449bd832023-01-11 14:50:10 +01009579 PSA_ASSERT(psa_export_key(derived_key,
9580 export_buffer, export_buffer_size,
9581 &export_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009582 TEST_MEMORY_COMPARE(export_buffer, export_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009583 expected_export->x, expected_export->len);
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009584
9585exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009586 mbedtls_free(export_buffer);
9587 psa_key_derivation_abort(&operation);
9588 psa_destroy_key(base_key);
9589 psa_destroy_key(derived_key);
9590 PSA_DONE();
Przemyslaw Stekiel696b1202021-11-24 16:29:10 +01009591}
9592/* END_CASE */
9593
9594/* BEGIN_CASE */
Gilles Peskinef36d7852024-06-06 21:11:44 +02009595void derive_key_custom(int alg_arg,
9596 data_t *key_data,
9597 data_t *input1,
9598 data_t *input2,
9599 int key_type_arg, int bits_arg,
9600 int flags_arg,
9601 data_t *custom_data,
9602 psa_status_t expected_status,
9603 data_t *expected_export)
9604{
9605 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9606 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
9607 const psa_algorithm_t alg = alg_arg;
9608 const psa_key_type_t key_type = key_type_arg;
9609 const size_t bits = bits_arg;
9610 psa_custom_key_parameters_t custom = PSA_CUSTOM_KEY_PARAMETERS_INIT;
9611 custom.flags = flags_arg;
9612 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
9613 const size_t export_buffer_size =
9614 PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits);
9615 uint8_t *export_buffer = NULL;
9616 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
9617 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
9618 size_t export_length;
9619
9620 TEST_CALLOC(export_buffer, export_buffer_size);
9621 PSA_ASSERT(psa_crypto_init());
9622
9623 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
9624 psa_set_key_algorithm(&base_attributes, alg);
9625 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
9626 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
9627 &base_key));
9628
9629 if (mbedtls_test_psa_setup_key_derivation_wrap(
9630 &operation, base_key, alg,
9631 input1->x, input1->len,
9632 input2->x, input2->len,
9633 PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) {
9634 goto exit;
9635 }
9636
9637 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
9638 psa_set_key_algorithm(&derived_attributes, 0);
9639 psa_set_key_type(&derived_attributes, key_type);
9640 psa_set_key_bits(&derived_attributes, bits);
9641
9642 TEST_EQUAL(psa_key_derivation_output_key_custom(
9643 &derived_attributes, &operation,
9644 &custom, custom_data->x, custom_data->len,
9645 &derived_key),
9646 expected_status);
9647
9648 if (expected_status == PSA_SUCCESS) {
9649 PSA_ASSERT(psa_export_key(derived_key,
9650 export_buffer, export_buffer_size,
9651 &export_length));
9652 TEST_MEMORY_COMPARE(export_buffer, export_length,
9653 expected_export->x, expected_export->len);
9654 }
9655
9656exit:
9657 mbedtls_free(export_buffer);
9658 psa_key_derivation_abort(&operation);
9659 psa_destroy_key(base_key);
9660 psa_destroy_key(derived_key);
9661 PSA_DONE();
9662}
9663/* END_CASE */
9664
9665/* BEGIN_CASE */
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009666void derive_key_ext(int alg_arg,
9667 data_t *key_data,
9668 data_t *input1,
9669 data_t *input2,
9670 int key_type_arg, int bits_arg,
Gilles Peskinec81393b2024-02-14 20:51:28 +01009671 int flags_arg,
Gilles Peskine092ce512024-02-20 12:31:24 +01009672 data_t *params_data,
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009673 psa_status_t expected_status,
9674 data_t *expected_export)
9675{
9676 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9677 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
9678 const psa_algorithm_t alg = alg_arg;
9679 const psa_key_type_t key_type = key_type_arg;
9680 const size_t bits = bits_arg;
Gilles Peskine092ce512024-02-20 12:31:24 +01009681 psa_key_production_parameters_t *params = NULL;
9682 size_t params_data_length = 0;
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009683 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
9684 const size_t export_buffer_size =
9685 PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits);
9686 uint8_t *export_buffer = NULL;
9687 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
9688 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
9689 size_t export_length;
9690
9691 TEST_CALLOC(export_buffer, export_buffer_size);
9692 PSA_ASSERT(psa_crypto_init());
9693
9694 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
9695 psa_set_key_algorithm(&base_attributes, alg);
9696 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
9697 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
9698 &base_key));
9699
9700 if (mbedtls_test_psa_setup_key_derivation_wrap(
9701 &operation, base_key, alg,
9702 input1->x, input1->len,
9703 input2->x, input2->len,
Ryan Everettc1cc6682024-03-12 16:17:43 +00009704 PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) {
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009705 goto exit;
9706 }
9707
9708 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
9709 psa_set_key_algorithm(&derived_attributes, 0);
9710 psa_set_key_type(&derived_attributes, key_type);
9711 psa_set_key_bits(&derived_attributes, bits);
Gilles Peskine092ce512024-02-20 12:31:24 +01009712 if (!setup_key_production_parameters(&params, &params_data_length,
9713 flags_arg, params_data)) {
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009714 goto exit;
9715 }
9716
9717 TEST_EQUAL(psa_key_derivation_output_key_ext(&derived_attributes, &operation,
Gilles Peskine092ce512024-02-20 12:31:24 +01009718 params, params_data_length,
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009719 &derived_key),
9720 expected_status);
9721
9722 if (expected_status == PSA_SUCCESS) {
9723 PSA_ASSERT(psa_export_key(derived_key,
9724 export_buffer, export_buffer_size,
9725 &export_length));
9726 TEST_MEMORY_COMPARE(export_buffer, export_length,
9727 expected_export->x, expected_export->len);
9728 }
9729
9730exit:
9731 mbedtls_free(export_buffer);
Gilles Peskine092ce512024-02-20 12:31:24 +01009732 mbedtls_free(params);
Gilles Peskinef0765fa2024-02-12 16:46:16 +01009733 psa_key_derivation_abort(&operation);
9734 psa_destroy_key(base_key);
9735 psa_destroy_key(derived_key);
9736 PSA_DONE();
9737}
9738/* END_CASE */
9739
9740/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009741void derive_key(int alg_arg,
9742 data_t *key_data, data_t *input1, data_t *input2,
9743 int type_arg, int bits_arg,
9744 int expected_status_arg,
9745 int is_large_output)
Gilles Peskinec744d992019-07-30 17:26:54 +02009746{
Ronald Cron5425a212020-08-04 14:58:35 +02009747 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
9748 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinec744d992019-07-30 17:26:54 +02009749 psa_algorithm_t alg = alg_arg;
Gilles Peskine7c227ae2019-07-31 15:14:44 +02009750 psa_key_type_t type = type_arg;
Gilles Peskinec744d992019-07-30 17:26:54 +02009751 size_t bits = bits_arg;
9752 psa_status_t expected_status = expected_status_arg;
9753 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
9754 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
9755 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
9756
Gilles Peskine449bd832023-01-11 14:50:10 +01009757 PSA_ASSERT(psa_crypto_init());
Gilles Peskinec744d992019-07-30 17:26:54 +02009758
Gilles Peskine449bd832023-01-11 14:50:10 +01009759 psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
9760 psa_set_key_algorithm(&base_attributes, alg);
9761 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
9762 PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
9763 &base_key));
Gilles Peskinec744d992019-07-30 17:26:54 +02009764
Gilles Peskine449bd832023-01-11 14:50:10 +01009765 if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
9766 input1->x, input1->len,
9767 input2->x, input2->len,
Ryan Everettc1cc6682024-03-12 16:17:43 +00009768 SIZE_MAX, 0)) {
Gilles Peskinec744d992019-07-30 17:26:54 +02009769 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01009770 }
Gilles Peskinec744d992019-07-30 17:26:54 +02009771
Gilles Peskine449bd832023-01-11 14:50:10 +01009772 psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
9773 psa_set_key_algorithm(&derived_attributes, 0);
9774 psa_set_key_type(&derived_attributes, type);
9775 psa_set_key_bits(&derived_attributes, bits);
Steven Cooreman83fdb702021-01-21 14:24:39 +01009776
9777 psa_status_t status =
Gilles Peskine449bd832023-01-11 14:50:10 +01009778 psa_key_derivation_output_key(&derived_attributes,
9779 &operation,
9780 &derived_key);
9781 if (is_large_output > 0) {
9782 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY);
9783 }
9784 TEST_EQUAL(status, expected_status);
Gilles Peskinec744d992019-07-30 17:26:54 +02009785
9786exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009787 psa_key_derivation_abort(&operation);
9788 psa_destroy_key(base_key);
9789 psa_destroy_key(derived_key);
9790 PSA_DONE();
Gilles Peskinec744d992019-07-30 17:26:54 +02009791}
9792/* END_CASE */
9793
9794/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009795void key_agreement_setup(int alg_arg,
9796 int our_key_type_arg, int our_key_alg_arg,
9797 data_t *our_key_data, data_t *peer_key_data,
9798 int expected_status_arg)
Gilles Peskine01d718c2018-09-18 12:01:02 +02009799{
Ronald Cron5425a212020-08-04 14:58:35 +02009800 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine01d718c2018-09-18 12:01:02 +02009801 psa_algorithm_t alg = alg_arg;
Steven Cooremanfa5e6312020-10-15 17:07:12 +02009802 psa_algorithm_t our_key_alg = our_key_alg_arg;
Gilles Peskine01d718c2018-09-18 12:01:02 +02009803 psa_key_type_t our_key_type = our_key_type_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009804 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009805 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine77f40d82019-04-11 21:27:06 +02009806 psa_status_t expected_status = expected_status_arg;
9807 psa_status_t status;
Gilles Peskine01d718c2018-09-18 12:01:02 +02009808
Gilles Peskine449bd832023-01-11 14:50:10 +01009809 PSA_ASSERT(psa_crypto_init());
Gilles Peskine01d718c2018-09-18 12:01:02 +02009810
Gilles Peskine449bd832023-01-11 14:50:10 +01009811 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9812 psa_set_key_algorithm(&attributes, our_key_alg);
9813 psa_set_key_type(&attributes, our_key_type);
9814 PSA_ASSERT(psa_import_key(&attributes,
9815 our_key_data->x, our_key_data->len,
9816 &our_key));
Gilles Peskine01d718c2018-09-18 12:01:02 +02009817
Gilles Peskine77f40d82019-04-11 21:27:06 +02009818 /* The tests currently include inputs that should fail at either step.
9819 * Test cases that fail at the setup step should be changed to call
9820 * key_derivation_setup instead, and this function should be renamed
9821 * to key_agreement_fail. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009822 status = psa_key_derivation_setup(&operation, alg);
9823 if (status == PSA_SUCCESS) {
9824 TEST_EQUAL(psa_key_derivation_key_agreement(
9825 &operation, PSA_KEY_DERIVATION_INPUT_SECRET,
9826 our_key,
9827 peer_key_data->x, peer_key_data->len),
9828 expected_status);
9829 } else {
9830 TEST_ASSERT(status == expected_status);
Gilles Peskine77f40d82019-04-11 21:27:06 +02009831 }
Gilles Peskine01d718c2018-09-18 12:01:02 +02009832
9833exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009834 psa_key_derivation_abort(&operation);
9835 psa_destroy_key(our_key);
9836 PSA_DONE();
Gilles Peskine01d718c2018-09-18 12:01:02 +02009837}
9838/* END_CASE */
9839
9840/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009841void raw_key_agreement(int alg_arg,
9842 int our_key_type_arg, data_t *our_key_data,
9843 data_t *peer_key_data,
9844 data_t *expected_output)
Gilles Peskinef0cba732019-04-11 22:12:38 +02009845{
Ronald Cron5425a212020-08-04 14:58:35 +02009846 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinef0cba732019-04-11 22:12:38 +02009847 psa_algorithm_t alg = alg_arg;
9848 psa_key_type_t our_key_type = our_key_type_arg;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009849 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinef0cba732019-04-11 22:12:38 +02009850 unsigned char *output = NULL;
9851 size_t output_length = ~0;
gabor-mezei-armceface22021-01-21 12:26:17 +01009852 size_t key_bits;
Gilles Peskinef0cba732019-04-11 22:12:38 +02009853
Gilles Peskine449bd832023-01-11 14:50:10 +01009854 PSA_ASSERT(psa_crypto_init());
Gilles Peskinef0cba732019-04-11 22:12:38 +02009855
Gilles Peskine449bd832023-01-11 14:50:10 +01009856 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9857 psa_set_key_algorithm(&attributes, alg);
9858 psa_set_key_type(&attributes, our_key_type);
9859 PSA_ASSERT(psa_import_key(&attributes,
9860 our_key_data->x, our_key_data->len,
9861 &our_key));
Gilles Peskinef0cba732019-04-11 22:12:38 +02009862
Gilles Peskine449bd832023-01-11 14:50:10 +01009863 PSA_ASSERT(psa_get_key_attributes(our_key, &attributes));
9864 key_bits = psa_get_key_bits(&attributes);
gabor-mezei-armceface22021-01-21 12:26:17 +01009865
Gilles Peskine992bee82022-04-13 23:25:52 +02009866 /* Validate size macros */
Gilles Peskine449bd832023-01-11 14:50:10 +01009867 TEST_LE_U(expected_output->len,
9868 PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(our_key_type, key_bits));
9869 TEST_LE_U(PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(our_key_type, key_bits),
9870 PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE);
Gilles Peskine992bee82022-04-13 23:25:52 +02009871
9872 /* Good case with exact output size */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009873 TEST_CALLOC(output, expected_output->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009874 PSA_ASSERT(psa_raw_key_agreement(alg, our_key,
9875 peer_key_data->x, peer_key_data->len,
9876 output, expected_output->len,
9877 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009878 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009879 expected_output->x, expected_output->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009880 mbedtls_free(output);
Gilles Peskine992bee82022-04-13 23:25:52 +02009881 output = NULL;
9882 output_length = ~0;
9883
9884 /* Larger buffer */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009885 TEST_CALLOC(output, expected_output->len + 1);
Gilles Peskine449bd832023-01-11 14:50:10 +01009886 PSA_ASSERT(psa_raw_key_agreement(alg, our_key,
9887 peer_key_data->x, peer_key_data->len,
9888 output, expected_output->len + 1,
9889 &output_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +01009890 TEST_MEMORY_COMPARE(output, output_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +01009891 expected_output->x, expected_output->len);
Gilles Peskine449bd832023-01-11 14:50:10 +01009892 mbedtls_free(output);
Gilles Peskine992bee82022-04-13 23:25:52 +02009893 output = NULL;
9894 output_length = ~0;
9895
9896 /* Buffer too small */
Tom Cosgrove05b2a872023-07-21 11:31:13 +01009897 TEST_CALLOC(output, expected_output->len - 1);
Gilles Peskine449bd832023-01-11 14:50:10 +01009898 TEST_EQUAL(psa_raw_key_agreement(alg, our_key,
9899 peer_key_data->x, peer_key_data->len,
9900 output, expected_output->len - 1,
9901 &output_length),
9902 PSA_ERROR_BUFFER_TOO_SMALL);
Gilles Peskine992bee82022-04-13 23:25:52 +02009903 /* Not required by the spec, but good robustness */
Gilles Peskine449bd832023-01-11 14:50:10 +01009904 TEST_LE_U(output_length, expected_output->len - 1);
9905 mbedtls_free(output);
Gilles Peskine992bee82022-04-13 23:25:52 +02009906 output = NULL;
Gilles Peskinef0cba732019-04-11 22:12:38 +02009907
9908exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009909 mbedtls_free(output);
9910 psa_destroy_key(our_key);
9911 PSA_DONE();
Gilles Peskinef0cba732019-04-11 22:12:38 +02009912}
9913/* END_CASE */
9914
9915/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +01009916void key_agreement_capacity(int alg_arg,
9917 int our_key_type_arg, data_t *our_key_data,
9918 data_t *peer_key_data,
9919 int expected_capacity_arg)
Gilles Peskine59685592018-09-18 12:11:34 +02009920{
Ronald Cron5425a212020-08-04 14:58:35 +02009921 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine59685592018-09-18 12:11:34 +02009922 psa_algorithm_t alg = alg_arg;
9923 psa_key_type_t our_key_type = our_key_type_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02009924 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineff5f0e72019-04-18 12:53:30 +02009925 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine59685592018-09-18 12:11:34 +02009926 size_t actual_capacity;
Gilles Peskinebf491972018-10-25 22:36:12 +02009927 unsigned char output[16];
Gilles Peskine59685592018-09-18 12:11:34 +02009928
Gilles Peskine449bd832023-01-11 14:50:10 +01009929 PSA_ASSERT(psa_crypto_init());
Gilles Peskine59685592018-09-18 12:11:34 +02009930
Gilles Peskine449bd832023-01-11 14:50:10 +01009931 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
9932 psa_set_key_algorithm(&attributes, alg);
9933 psa_set_key_type(&attributes, our_key_type);
9934 PSA_ASSERT(psa_import_key(&attributes,
9935 our_key_data->x, our_key_data->len,
9936 &our_key));
Gilles Peskine59685592018-09-18 12:11:34 +02009937
Gilles Peskine449bd832023-01-11 14:50:10 +01009938 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
9939 PSA_ASSERT(psa_key_derivation_key_agreement(
9940 &operation,
9941 PSA_KEY_DERIVATION_INPUT_SECRET, our_key,
9942 peer_key_data->x, peer_key_data->len));
9943 if (PSA_ALG_IS_HKDF(PSA_ALG_KEY_AGREEMENT_GET_KDF(alg))) {
Gilles Peskinef8a9d942019-04-11 22:13:20 +02009944 /* The test data is for info="" */
Gilles Peskine449bd832023-01-11 14:50:10 +01009945 PSA_ASSERT(psa_key_derivation_input_bytes(&operation,
9946 PSA_KEY_DERIVATION_INPUT_INFO,
9947 NULL, 0));
Gilles Peskinef8a9d942019-04-11 22:13:20 +02009948 }
Gilles Peskine59685592018-09-18 12:11:34 +02009949
Shaun Case8b0ecbc2021-12-20 21:14:10 -08009950 /* Test the advertised capacity. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009951 PSA_ASSERT(psa_key_derivation_get_capacity(
9952 &operation, &actual_capacity));
9953 TEST_EQUAL(actual_capacity, (size_t) expected_capacity_arg);
Gilles Peskine59685592018-09-18 12:11:34 +02009954
Gilles Peskinebf491972018-10-25 22:36:12 +02009955 /* Test the actual capacity by reading the output. */
Gilles Peskine449bd832023-01-11 14:50:10 +01009956 while (actual_capacity > sizeof(output)) {
9957 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
9958 output, sizeof(output)));
9959 actual_capacity -= sizeof(output);
Gilles Peskinebf491972018-10-25 22:36:12 +02009960 }
Gilles Peskine449bd832023-01-11 14:50:10 +01009961 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
9962 output, actual_capacity));
9963 TEST_EQUAL(psa_key_derivation_output_bytes(&operation, output, 1),
9964 PSA_ERROR_INSUFFICIENT_DATA);
Gilles Peskinebf491972018-10-25 22:36:12 +02009965
Gilles Peskine59685592018-09-18 12:11:34 +02009966exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01009967 psa_key_derivation_abort(&operation);
9968 psa_destroy_key(our_key);
9969 PSA_DONE();
Gilles Peskine59685592018-09-18 12:11:34 +02009970}
9971/* END_CASE */
9972
Valerio Settiad819672023-12-29 12:14:41 +01009973/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
9974void ecc_conversion_functions(int grp_id_arg, int psa_family_arg, int bits_arg)
Valerio Settibf999cb2023-12-28 17:48:13 +01009975{
9976 mbedtls_ecp_group_id grp_id = grp_id_arg;
Valerio Settiad819672023-12-29 12:14:41 +01009977 psa_ecc_family_t ecc_family = psa_family_arg;
9978 size_t bits = bits_arg;
9979 size_t bits_tmp;
Valerio Settibf999cb2023-12-28 17:48:13 +01009980
Valerio Settiad819672023-12-29 12:14:41 +01009981 TEST_EQUAL(ecc_family, mbedtls_ecc_group_to_psa(grp_id, &bits_tmp));
9982 TEST_EQUAL(bits, bits_tmp);
Valerio Settiac739522024-01-04 10:22:01 +01009983 TEST_EQUAL(grp_id, mbedtls_ecc_group_from_psa(ecc_family, bits));
Valerio Settibf999cb2023-12-28 17:48:13 +01009984}
9985/* END_CASE */
9986
Valerio Settiac739522024-01-04 10:22:01 +01009987/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
9988void ecc_conversion_functions_fail()
9989{
9990 size_t bits;
9991
Valerio Settidb6e0292024-01-05 10:15:45 +01009992 /* Invalid legacy curve identifiers. */
9993 TEST_EQUAL(0, mbedtls_ecc_group_to_psa(MBEDTLS_ECP_DP_MAX, &bits));
9994 TEST_EQUAL(0, bits);
Valerio Settiac739522024-01-04 10:22:01 +01009995 TEST_EQUAL(0, mbedtls_ecc_group_to_psa(MBEDTLS_ECP_DP_NONE, &bits));
9996 TEST_EQUAL(0, bits);
9997
9998 /* Invalid PSA EC family. */
9999 TEST_EQUAL(MBEDTLS_ECP_DP_NONE, mbedtls_ecc_group_from_psa(0, 192));
10000 /* Invalid bit-size for a valid EC family. */
10001 TEST_EQUAL(MBEDTLS_ECP_DP_NONE, mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_SECP_R1, 512));
10002
10003 /* Twisted-Edward curves are not supported yet. */
10004 TEST_EQUAL(MBEDTLS_ECP_DP_NONE,
10005 mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_TWISTED_EDWARDS, 255));
10006 TEST_EQUAL(MBEDTLS_ECP_DP_NONE,
10007 mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_TWISTED_EDWARDS, 448));
10008}
10009/* END_CASE */
10010
10011
Gilles Peskine59685592018-09-18 12:11:34 +020010012/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010013void key_agreement_output(int alg_arg,
10014 int our_key_type_arg, data_t *our_key_data,
10015 data_t *peer_key_data,
10016 data_t *expected_output1, data_t *expected_output2)
Gilles Peskine59685592018-09-18 12:11:34 +020010017{
Ronald Cron5425a212020-08-04 14:58:35 +020010018 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine59685592018-09-18 12:11:34 +020010019 psa_algorithm_t alg = alg_arg;
10020 psa_key_type_t our_key_type = our_key_type_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +020010021 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Gilles Peskineff5f0e72019-04-18 12:53:30 +020010022 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine3ec8ed82018-10-25 22:37:15 +020010023 uint8_t *actual_output = NULL;
Gilles Peskine59685592018-09-18 12:11:34 +020010024
Tom Cosgrove05b2a872023-07-21 11:31:13 +010010025 TEST_CALLOC(actual_output, MAX(expected_output1->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +010010026 expected_output2->len));
Gilles Peskine59685592018-09-18 12:11:34 +020010027
Gilles Peskine449bd832023-01-11 14:50:10 +010010028 PSA_ASSERT(psa_crypto_init());
Gilles Peskine59685592018-09-18 12:11:34 +020010029
Gilles Peskine449bd832023-01-11 14:50:10 +010010030 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
10031 psa_set_key_algorithm(&attributes, alg);
10032 psa_set_key_type(&attributes, our_key_type);
10033 PSA_ASSERT(psa_import_key(&attributes,
10034 our_key_data->x, our_key_data->len,
10035 &our_key));
Gilles Peskine59685592018-09-18 12:11:34 +020010036
Gilles Peskine449bd832023-01-11 14:50:10 +010010037 PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
10038 PSA_ASSERT(psa_key_derivation_key_agreement(
10039 &operation,
10040 PSA_KEY_DERIVATION_INPUT_SECRET, our_key,
10041 peer_key_data->x, peer_key_data->len));
10042 if (PSA_ALG_IS_HKDF(PSA_ALG_KEY_AGREEMENT_GET_KDF(alg))) {
Gilles Peskinef8a9d942019-04-11 22:13:20 +020010043 /* The test data is for info="" */
Gilles Peskine449bd832023-01-11 14:50:10 +010010044 PSA_ASSERT(psa_key_derivation_input_bytes(&operation,
10045 PSA_KEY_DERIVATION_INPUT_INFO,
10046 NULL, 0));
Gilles Peskinef8a9d942019-04-11 22:13:20 +020010047 }
Gilles Peskine59685592018-09-18 12:11:34 +020010048
Gilles Peskine449bd832023-01-11 14:50:10 +010010049 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
10050 actual_output,
10051 expected_output1->len));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +010010052 TEST_MEMORY_COMPARE(actual_output, expected_output1->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +010010053 expected_output1->x, expected_output1->len);
Gilles Peskine449bd832023-01-11 14:50:10 +010010054 if (expected_output2->len != 0) {
10055 PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
10056 actual_output,
10057 expected_output2->len));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +010010058 TEST_MEMORY_COMPARE(actual_output, expected_output2->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +010010059 expected_output2->x, expected_output2->len);
Gilles Peskine3ec8ed82018-10-25 22:37:15 +020010060 }
Gilles Peskine59685592018-09-18 12:11:34 +020010061
10062exit:
Gilles Peskine449bd832023-01-11 14:50:10 +010010063 psa_key_derivation_abort(&operation);
10064 psa_destroy_key(our_key);
10065 PSA_DONE();
10066 mbedtls_free(actual_output);
Gilles Peskine59685592018-09-18 12:11:34 +020010067}
10068/* END_CASE */
10069
10070/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010071void generate_random(int bytes_arg)
Gilles Peskine05d69892018-06-19 22:00:52 +020010072{
Gilles Peskinea50d7392018-06-21 10:22:13 +020010073 size_t bytes = bytes_arg;
Gilles Peskine8cebbba2018-09-27 13:54:18 +020010074 unsigned char *output = NULL;
10075 unsigned char *changed = NULL;
Gilles Peskinea50d7392018-06-21 10:22:13 +020010076 size_t i;
10077 unsigned run;
Gilles Peskine05d69892018-06-19 22:00:52 +020010078
Gilles Peskine449bd832023-01-11 14:50:10 +010010079 TEST_ASSERT(bytes_arg >= 0);
Simon Butcher49f8e312020-03-03 15:51:50 +000010080
Tom Cosgrove05b2a872023-07-21 11:31:13 +010010081 TEST_CALLOC(output, bytes);
10082 TEST_CALLOC(changed, bytes);
Gilles Peskine05d69892018-06-19 22:00:52 +020010083
Gilles Peskine449bd832023-01-11 14:50:10 +010010084 PSA_ASSERT(psa_crypto_init());
Gilles Peskine05d69892018-06-19 22:00:52 +020010085
Gilles Peskinea50d7392018-06-21 10:22:13 +020010086 /* Run several times, to ensure that every output byte will be
10087 * nonzero at least once with overwhelming probability
10088 * (2^(-8*number_of_runs)). */
Gilles Peskine449bd832023-01-11 14:50:10 +010010089 for (run = 0; run < 10; run++) {
10090 if (bytes != 0) {
10091 memset(output, 0, bytes);
10092 }
10093 PSA_ASSERT(psa_generate_random(output, bytes));
Gilles Peskinea50d7392018-06-21 10:22:13 +020010094
Gilles Peskine449bd832023-01-11 14:50:10 +010010095 for (i = 0; i < bytes; i++) {
10096 if (output[i] != 0) {
Gilles Peskinea50d7392018-06-21 10:22:13 +020010097 ++changed[i];
Gilles Peskine449bd832023-01-11 14:50:10 +010010098 }
Gilles Peskinea50d7392018-06-21 10:22:13 +020010099 }
Gilles Peskine05d69892018-06-19 22:00:52 +020010100 }
Gilles Peskinea50d7392018-06-21 10:22:13 +020010101
10102 /* Check that every byte was changed to nonzero at least once. This
10103 * validates that psa_generate_random is overwriting every byte of
10104 * the output buffer. */
Gilles Peskine449bd832023-01-11 14:50:10 +010010105 for (i = 0; i < bytes; i++) {
10106 TEST_ASSERT(changed[i] != 0);
Gilles Peskinea50d7392018-06-21 10:22:13 +020010107 }
Gilles Peskine05d69892018-06-19 22:00:52 +020010108
10109exit:
Gilles Peskine449bd832023-01-11 14:50:10 +010010110 PSA_DONE();
10111 mbedtls_free(output);
10112 mbedtls_free(changed);
Gilles Peskine05d69892018-06-19 22:00:52 +020010113}
10114/* END_CASE */
Gilles Peskine12313cd2018-06-20 00:20:32 +020010115
Ryan3a1b7862024-03-01 17:24:04 +000010116#if defined MBEDTLS_THREADING_PTHREAD
10117
10118/* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD */
10119void concurrently_generate_keys(int type_arg,
10120 int bits_arg,
10121 int usage_arg,
10122 int alg_arg,
10123 int expected_status_arg,
10124 int is_large_key_arg,
10125 int arg_thread_count,
10126 int reps_arg)
10127{
10128 size_t thread_count = (size_t) arg_thread_count;
10129 mbedtls_test_thread_t *threads = NULL;
10130 generate_key_context gkc;
10131 gkc.type = type_arg;
10132 gkc.usage = usage_arg;
10133 gkc.bits = bits_arg;
10134 gkc.alg = alg_arg;
10135 gkc.expected_status = expected_status_arg;
10136 gkc.is_large_key = is_large_key_arg;
10137 gkc.reps = reps_arg;
10138 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
10139
10140 PSA_ASSERT(psa_crypto_init());
10141
10142 psa_set_key_usage_flags(&attributes, usage_arg);
10143 psa_set_key_algorithm(&attributes, alg_arg);
10144 psa_set_key_type(&attributes, type_arg);
10145 psa_set_key_bits(&attributes, bits_arg);
10146 gkc.attributes = &attributes;
10147
10148 TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count);
10149
10150 /* Split threads to generate key then destroy key. */
10151 for (size_t i = 0; i < thread_count; i++) {
10152 TEST_EQUAL(
10153 mbedtls_test_thread_create(&threads[i], thread_generate_key,
10154 (void *) &gkc), 0);
10155 }
10156
10157 /* Join threads. */
10158 for (size_t i = 0; i < thread_count; i++) {
10159 TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0);
10160 }
10161
10162exit:
10163 mbedtls_free(threads);
10164 PSA_DONE();
10165}
10166/* END_CASE */
10167#endif
10168
Gilles Peskine12313cd2018-06-20 00:20:32 +020010169/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010170void generate_key(int type_arg,
10171 int bits_arg,
10172 int usage_arg,
10173 int alg_arg,
10174 int expected_status_arg,
10175 int is_large_key)
Gilles Peskine12313cd2018-06-20 00:20:32 +020010176{
Ronald Cron5425a212020-08-04 14:58:35 +020010177 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine12313cd2018-06-20 00:20:32 +020010178 psa_key_type_t type = type_arg;
10179 psa_key_usage_t usage = usage_arg;
10180 size_t bits = bits_arg;
10181 psa_algorithm_t alg = alg_arg;
10182 psa_status_t expected_status = expected_status_arg;
Gilles Peskineff5f0e72019-04-18 12:53:30 +020010183 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +020010184 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine12313cd2018-06-20 00:20:32 +020010185
Gilles Peskine449bd832023-01-11 14:50:10 +010010186 PSA_ASSERT(psa_crypto_init());
Gilles Peskine12313cd2018-06-20 00:20:32 +020010187
Gilles Peskine449bd832023-01-11 14:50:10 +010010188 psa_set_key_usage_flags(&attributes, usage);
10189 psa_set_key_algorithm(&attributes, alg);
10190 psa_set_key_type(&attributes, type);
10191 psa_set_key_bits(&attributes, bits);
Gilles Peskine12313cd2018-06-20 00:20:32 +020010192
10193 /* Generate a key */
Gilles Peskine449bd832023-01-11 14:50:10 +010010194 psa_status_t status = psa_generate_key(&attributes, &key);
Steven Cooreman83fdb702021-01-21 14:24:39 +010010195
Gilles Peskine449bd832023-01-11 14:50:10 +010010196 if (is_large_key > 0) {
10197 TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY);
10198 }
10199 TEST_EQUAL(status, expected_status);
10200 if (expected_status != PSA_SUCCESS) {
Gilles Peskineff5f0e72019-04-18 12:53:30 +020010201 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +010010202 }
Gilles Peskine12313cd2018-06-20 00:20:32 +020010203
10204 /* Test the key information */
Gilles Peskine449bd832023-01-11 14:50:10 +010010205 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
10206 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
10207 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
Gilles Peskine12313cd2018-06-20 00:20:32 +020010208
Gilles Peskine818ca122018-06-20 18:16:48 +020010209 /* Do something with the key according to its type and permitted usage. */
Ryan Everett0a271fd2024-03-12 16:34:02 +000010210 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
Gilles Peskine02b75072018-07-01 22:31:34 +020010211 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +010010212 }
Gilles Peskine12313cd2018-06-20 00:20:32 +020010213
10214exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +010010215 /*
10216 * Key attributes may have been returned by psa_get_key_attributes()
10217 * thus reset them as required.
10218 */
Gilles Peskine449bd832023-01-11 14:50:10 +010010219 psa_reset_key_attributes(&got_attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +010010220
Gilles Peskine449bd832023-01-11 14:50:10 +010010221 psa_destroy_key(key);
10222 PSA_DONE();
Gilles Peskine12313cd2018-06-20 00:20:32 +020010223}
10224/* END_CASE */
itayzafrir0adf0fc2018-09-06 16:24:41 +030010225
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010226/* BEGIN_CASE */
Gilles Peskinef36d7852024-06-06 21:11:44 +020010227void generate_key_custom(int type_arg,
10228 int bits_arg,
10229 int usage_arg,
10230 int alg_arg,
10231 int flags_arg,
10232 data_t *custom_data,
10233 int expected_status_arg)
10234{
10235 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
10236 psa_key_type_t type = type_arg;
10237 psa_key_usage_t usage = usage_arg;
10238 size_t bits = bits_arg;
10239 psa_algorithm_t alg = alg_arg;
10240 psa_status_t expected_status = expected_status_arg;
10241 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
10242 psa_custom_key_parameters_t custom = PSA_CUSTOM_KEY_PARAMETERS_INIT;
10243 custom.flags = flags_arg;
10244 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
10245
10246 PSA_ASSERT(psa_crypto_init());
10247
10248 psa_set_key_usage_flags(&attributes, usage);
10249 psa_set_key_algorithm(&attributes, alg);
10250 psa_set_key_type(&attributes, type);
10251 psa_set_key_bits(&attributes, bits);
10252
10253 /* Generate a key */
10254 psa_status_t status =
10255 psa_generate_key_custom(&attributes,
10256 &custom, custom_data->x, custom_data->len,
10257 &key);
10258
10259 TEST_EQUAL(status, expected_status);
10260 if (expected_status != PSA_SUCCESS) {
10261 goto exit;
10262 }
10263
10264 /* Test the key information */
10265 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
10266 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
10267 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
10268
10269#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
10270 if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
10271 TEST_ASSERT(rsa_test_e(key, bits, custom_data));
10272 }
10273#endif
10274
10275 /* Do something with the key according to its type and permitted usage. */
10276 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
10277 goto exit;
10278 }
10279
10280exit:
10281 /*
10282 * Key attributes may have been returned by psa_get_key_attributes()
10283 * thus reset them as required.
10284 */
10285 psa_reset_key_attributes(&got_attributes);
10286 psa_destroy_key(key);
10287 PSA_DONE();
10288}
10289/* END_CASE */
10290
10291/* BEGIN_CASE */
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010292void generate_key_ext(int type_arg,
10293 int bits_arg,
10294 int usage_arg,
10295 int alg_arg,
Gilles Peskinec81393b2024-02-14 20:51:28 +010010296 int flags_arg,
Gilles Peskine092ce512024-02-20 12:31:24 +010010297 data_t *params_data,
Gilles Peskine449bd832023-01-11 14:50:10 +010010298 int expected_status_arg)
Gilles Peskinee56e8782019-04-26 17:34:02 +020010299{
Ronald Cron5425a212020-08-04 14:58:35 +020010300 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010301 psa_key_type_t type = type_arg;
10302 psa_key_usage_t usage = usage_arg;
Gilles Peskinee56e8782019-04-26 17:34:02 +020010303 size_t bits = bits_arg;
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010304 psa_algorithm_t alg = alg_arg;
Gilles Peskinee56e8782019-04-26 17:34:02 +020010305 psa_status_t expected_status = expected_status_arg;
10306 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskine092ce512024-02-20 12:31:24 +010010307 psa_key_production_parameters_t *params = NULL;
10308 size_t params_data_length = 0;
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010309 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
Gilles Peskinee56e8782019-04-26 17:34:02 +020010310
Gilles Peskine449bd832023-01-11 14:50:10 +010010311 PSA_ASSERT(psa_crypto_init());
Gilles Peskinee56e8782019-04-26 17:34:02 +020010312
Gilles Peskine449bd832023-01-11 14:50:10 +010010313 psa_set_key_usage_flags(&attributes, usage);
10314 psa_set_key_algorithm(&attributes, alg);
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010315 psa_set_key_type(&attributes, type);
Gilles Peskine449bd832023-01-11 14:50:10 +010010316 psa_set_key_bits(&attributes, bits);
Gilles Peskinee56e8782019-04-26 17:34:02 +020010317
Gilles Peskine092ce512024-02-20 12:31:24 +010010318 if (!setup_key_production_parameters(&params, &params_data_length,
10319 flags_arg, params_data)) {
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010320 goto exit;
10321 }
10322
Gilles Peskinee56e8782019-04-26 17:34:02 +020010323 /* Generate a key */
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010324 psa_status_t status = psa_generate_key_ext(&attributes,
Gilles Peskine092ce512024-02-20 12:31:24 +010010325 params, params_data_length,
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010326 &key);
10327
10328 TEST_EQUAL(status, expected_status);
Gilles Peskine449bd832023-01-11 14:50:10 +010010329 if (expected_status != PSA_SUCCESS) {
Gilles Peskinee56e8782019-04-26 17:34:02 +020010330 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +010010331 }
Gilles Peskinee56e8782019-04-26 17:34:02 +020010332
10333 /* Test the key information */
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010334 PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
10335 TEST_EQUAL(psa_get_key_type(&got_attributes), type);
10336 TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
Pengyu Lvd90fbf72023-12-08 17:13:22 +080010337
Gilles Peskine7a18f962024-02-12 16:48:11 +010010338#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
10339 if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
Gilles Peskine092ce512024-02-20 12:31:24 +010010340 TEST_ASSERT(rsa_test_e(key, bits, params_data));
Gilles Peskine449bd832023-01-11 14:50:10 +010010341 }
Pengyu Lv9e976f32023-12-06 16:58:05 +080010342#endif
Gilles Peskinee56e8782019-04-26 17:34:02 +020010343
10344 /* Do something with the key according to its type and permitted usage. */
Ryan Everett0a271fd2024-03-12 16:34:02 +000010345 if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
Gilles Peskinee56e8782019-04-26 17:34:02 +020010346 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +010010347 }
Gilles Peskinee56e8782019-04-26 17:34:02 +020010348
Gilles Peskinee56e8782019-04-26 17:34:02 +020010349exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +010010350 /*
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010351 * Key attributes may have been returned by psa_get_key_attributes()
10352 * thus reset them as required.
Ronald Cron3a4f0e32020-11-19 17:55:23 +010010353 */
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010354 psa_reset_key_attributes(&got_attributes);
Gilles Peskine092ce512024-02-20 12:31:24 +010010355 mbedtls_free(params);
Gilles Peskine449bd832023-01-11 14:50:10 +010010356 psa_destroy_key(key);
10357 PSA_DONE();
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010358}
10359/* END_CASE */
10360
10361/* BEGIN_CASE */
Gilles Peskine092ce512024-02-20 12:31:24 +010010362void key_production_parameters_init()
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010363{
Gilles Peskine092ce512024-02-20 12:31:24 +010010364 psa_key_production_parameters_t init = PSA_KEY_PRODUCTION_PARAMETERS_INIT;
10365 psa_key_production_parameters_t zero;
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010366 memset(&zero, 0, sizeof(zero));
10367
Gilles Peskinef0765fa2024-02-12 16:46:16 +010010368 TEST_EQUAL(init.flags, 0);
10369 TEST_EQUAL(zero.flags, 0);
Gilles Peskinee56e8782019-04-26 17:34:02 +020010370}
10371/* END_CASE */
10372
Darryl Greend49a4992018-06-18 17:27:26 +010010373/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */
Gilles Peskine449bd832023-01-11 14:50:10 +010010374void persistent_key_load_key_from_storage(data_t *data,
10375 int type_arg, int bits_arg,
10376 int usage_flags_arg, int alg_arg,
10377 int generation_method)
Darryl Greend49a4992018-06-18 17:27:26 +010010378{
Gilles Peskine449bd832023-01-11 14:50:10 +010010379 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, 1);
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010380 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Ronald Cron5425a212020-08-04 14:58:35 +020010381 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
10382 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010383 psa_key_type_t type = type_arg;
10384 size_t bits = bits_arg;
10385 psa_key_usage_t usage_flags = usage_flags_arg;
10386 psa_algorithm_t alg = alg_arg;
Gilles Peskine51ae0e42019-05-16 17:31:03 +020010387 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Darryl Greend49a4992018-06-18 17:27:26 +010010388 unsigned char *first_export = NULL;
10389 unsigned char *second_export = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +010010390 size_t export_size = PSA_EXPORT_KEY_OUTPUT_SIZE(type, bits);
Sergeybef1f632023-03-06 15:25:06 -070010391 size_t first_exported_length = 0;
Darryl Greend49a4992018-06-18 17:27:26 +010010392 size_t second_exported_length;
10393
Gilles Peskine449bd832023-01-11 14:50:10 +010010394 if (usage_flags & PSA_KEY_USAGE_EXPORT) {
Tom Cosgrove05b2a872023-07-21 11:31:13 +010010395 TEST_CALLOC(first_export, export_size);
10396 TEST_CALLOC(second_export, export_size);
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010397 }
Darryl Greend49a4992018-06-18 17:27:26 +010010398
Gilles Peskine449bd832023-01-11 14:50:10 +010010399 PSA_ASSERT(psa_crypto_init());
Darryl Greend49a4992018-06-18 17:27:26 +010010400
Gilles Peskine449bd832023-01-11 14:50:10 +010010401 psa_set_key_id(&attributes, key_id);
10402 psa_set_key_usage_flags(&attributes, usage_flags);
10403 psa_set_key_algorithm(&attributes, alg);
10404 psa_set_key_type(&attributes, type);
10405 psa_set_key_bits(&attributes, bits);
Darryl Greend49a4992018-06-18 17:27:26 +010010406
Gilles Peskine449bd832023-01-11 14:50:10 +010010407 switch (generation_method) {
Darryl Green0c6575a2018-11-07 16:05:30 +000010408 case IMPORT_KEY:
10409 /* Import the key */
Gilles Peskine449bd832023-01-11 14:50:10 +010010410 PSA_ASSERT(psa_import_key(&attributes, data->x, data->len,
10411 &key));
Darryl Green0c6575a2018-11-07 16:05:30 +000010412 break;
Darryl Greend49a4992018-06-18 17:27:26 +010010413
Darryl Green0c6575a2018-11-07 16:05:30 +000010414 case GENERATE_KEY:
10415 /* Generate a key */
Gilles Peskine449bd832023-01-11 14:50:10 +010010416 PSA_ASSERT(psa_generate_key(&attributes, &key));
Darryl Green0c6575a2018-11-07 16:05:30 +000010417 break;
10418
10419 case DERIVE_KEY:
Steven Cooreman70f654a2021-02-15 10:51:43 +010010420#if defined(PSA_WANT_ALG_HKDF) && defined(PSA_WANT_ALG_SHA_256)
Gilles Peskine449bd832023-01-11 14:50:10 +010010421 {
10422 /* Create base key */
10423 psa_algorithm_t derive_alg = PSA_ALG_HKDF(PSA_ALG_SHA_256);
10424 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
10425 psa_set_key_usage_flags(&base_attributes,
10426 PSA_KEY_USAGE_DERIVE);
10427 psa_set_key_algorithm(&base_attributes, derive_alg);
10428 psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
10429 PSA_ASSERT(psa_import_key(&base_attributes,
10430 data->x, data->len,
10431 &base_key));
10432 /* Derive a key. */
10433 PSA_ASSERT(psa_key_derivation_setup(&operation, derive_alg));
10434 PSA_ASSERT(psa_key_derivation_input_key(
10435 &operation,
10436 PSA_KEY_DERIVATION_INPUT_SECRET, base_key));
10437 PSA_ASSERT(psa_key_derivation_input_bytes(
10438 &operation, PSA_KEY_DERIVATION_INPUT_INFO,
10439 NULL, 0));
10440 PSA_ASSERT(psa_key_derivation_output_key(&attributes,
10441 &operation,
10442 &key));
10443 PSA_ASSERT(psa_key_derivation_abort(&operation));
10444 PSA_ASSERT(psa_destroy_key(base_key));
10445 base_key = MBEDTLS_SVC_KEY_ID_INIT;
10446 }
Gilles Peskine6fea21d2021-01-12 00:02:15 +010010447#else
Gilles Peskine449bd832023-01-11 14:50:10 +010010448 TEST_ASSUME(!"KDF not supported in this configuration");
Gilles Peskine6fea21d2021-01-12 00:02:15 +010010449#endif
10450 break;
10451
10452 default:
Agathiyan Bragadeeshdc28a5a2023-07-18 11:45:28 +010010453 TEST_FAIL("generation_method not implemented in test");
Gilles Peskine6fea21d2021-01-12 00:02:15 +010010454 break;
Darryl Green0c6575a2018-11-07 16:05:30 +000010455 }
Gilles Peskine449bd832023-01-11 14:50:10 +010010456 psa_reset_key_attributes(&attributes);
Darryl Greend49a4992018-06-18 17:27:26 +010010457
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010458 /* Export the key if permitted by the key policy. */
Gilles Peskine449bd832023-01-11 14:50:10 +010010459 if (usage_flags & PSA_KEY_USAGE_EXPORT) {
10460 PSA_ASSERT(psa_export_key(key,
10461 first_export, export_size,
10462 &first_exported_length));
10463 if (generation_method == IMPORT_KEY) {
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +010010464 TEST_MEMORY_COMPARE(data->x, data->len,
Tom Cosgrove0540fe72023-07-27 14:17:27 +010010465 first_export, first_exported_length);
Gilles Peskine449bd832023-01-11 14:50:10 +010010466 }
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010467 }
Darryl Greend49a4992018-06-18 17:27:26 +010010468
10469 /* Shutdown and restart */
Gilles Peskine449bd832023-01-11 14:50:10 +010010470 PSA_ASSERT(psa_purge_key(key));
Gilles Peskine1153e7b2019-05-28 15:10:21 +020010471 PSA_DONE();
Gilles Peskine449bd832023-01-11 14:50:10 +010010472 PSA_ASSERT(psa_crypto_init());
Darryl Greend49a4992018-06-18 17:27:26 +010010473
Darryl Greend49a4992018-06-18 17:27:26 +010010474 /* Check key slot still contains key data */
Gilles Peskine449bd832023-01-11 14:50:10 +010010475 PSA_ASSERT(psa_get_key_attributes(key, &attributes));
10476 TEST_ASSERT(mbedtls_svc_key_id_equal(
10477 psa_get_key_id(&attributes), key_id));
10478 TEST_EQUAL(psa_get_key_lifetime(&attributes),
10479 PSA_KEY_LIFETIME_PERSISTENT);
10480 TEST_EQUAL(psa_get_key_type(&attributes), type);
10481 TEST_EQUAL(psa_get_key_bits(&attributes), bits);
10482 TEST_EQUAL(psa_get_key_usage_flags(&attributes),
10483 mbedtls_test_update_key_usage_flags(usage_flags));
10484 TEST_EQUAL(psa_get_key_algorithm(&attributes), alg);
Darryl Greend49a4992018-06-18 17:27:26 +010010485
Gilles Peskine5c648ab2019-04-19 14:06:53 +020010486 /* Export the key again if permitted by the key policy. */
Gilles Peskine449bd832023-01-11 14:50:10 +010010487 if (usage_flags & PSA_KEY_USAGE_EXPORT) {
10488 PSA_ASSERT(psa_export_key(key,
10489 second_export, export_size,
10490 &second_exported_length));
Tom Cosgrovee4e9e7d2023-07-21 11:40:20 +010010491 TEST_MEMORY_COMPARE(first_export, first_exported_length,
Tom Cosgrove0540fe72023-07-27 14:17:27 +010010492 second_export, second_exported_length);
Darryl Green0c6575a2018-11-07 16:05:30 +000010493 }
10494
10495 /* Do something with the key according to its type and permitted usage. */
Ryan Everett0a271fd2024-03-12 16:34:02 +000010496 if (!mbedtls_test_psa_exercise_key(key, usage_flags, alg, 0)) {
Darryl Green0c6575a2018-11-07 16:05:30 +000010497 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +010010498 }
Darryl Greend49a4992018-06-18 17:27:26 +010010499
10500exit:
Ronald Cron3a4f0e32020-11-19 17:55:23 +010010501 /*
10502 * Key attributes may have been returned by psa_get_key_attributes()
10503 * thus reset them as required.
10504 */
Gilles Peskine449bd832023-01-11 14:50:10 +010010505 psa_reset_key_attributes(&attributes);
Ronald Cron3a4f0e32020-11-19 17:55:23 +010010506
Gilles Peskine449bd832023-01-11 14:50:10 +010010507 mbedtls_free(first_export);
10508 mbedtls_free(second_export);
10509 psa_key_derivation_abort(&operation);
10510 psa_destroy_key(base_key);
10511 psa_destroy_key(key);
Gilles Peskine1153e7b2019-05-28 15:10:21 +020010512 PSA_DONE();
Darryl Greend49a4992018-06-18 17:27:26 +010010513}
10514/* END_CASE */
Neil Armstrongd597bc72022-05-25 11:28:39 +020010515
Neil Armstronga557cb82022-06-10 08:58:32 +020010516/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010517void ecjpake_setup(int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
10518 int primitive_arg, int hash_arg, int role_arg,
10519 int test_input, data_t *pw_data,
10520 int inj_err_type_arg,
10521 int expected_error_arg)
Neil Armstrongd597bc72022-05-25 11:28:39 +020010522{
10523 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
10524 psa_pake_operation_t operation = psa_pake_operation_init();
10525 psa_algorithm_t alg = alg_arg;
Manuel Pégourié-Gonnardb63a9ef2022-10-06 10:55:19 +020010526 psa_pake_primitive_t primitive = primitive_arg;
Neil Armstrong2a73f212022-09-06 11:34:54 +020010527 psa_key_type_t key_type_pw = key_type_pw_arg;
10528 psa_key_usage_t key_usage_pw = key_usage_pw_arg;
Neil Armstrongd597bc72022-05-25 11:28:39 +020010529 psa_algorithm_t hash_alg = hash_arg;
10530 psa_pake_role_t role = role_arg;
Neil Armstrongd597bc72022-05-25 11:28:39 +020010531 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
10532 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Valerio Setti1070aed2022-11-11 19:37:31 +010010533 ecjpake_injected_failure_t inj_err_type = inj_err_type_arg;
10534 psa_status_t expected_error = expected_error_arg;
10535 psa_status_t status;
Neil Armstrongd597bc72022-05-25 11:28:39 +020010536 unsigned char *output_buffer = NULL;
10537 size_t output_len = 0;
10538
Gilles Peskine449bd832023-01-11 14:50:10 +010010539 PSA_INIT();
Neil Armstrongd597bc72022-05-25 11:28:39 +020010540
Manuel Pégourié-Gonnardb63a9ef2022-10-06 10:55:19 +020010541 size_t buf_size = PSA_PAKE_OUTPUT_SIZE(alg, primitive_arg,
Gilles Peskine449bd832023-01-11 14:50:10 +010010542 PSA_PAKE_STEP_KEY_SHARE);
Tom Cosgrove05b2a872023-07-21 11:31:13 +010010543 TEST_CALLOC(output_buffer, buf_size);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010544
Gilles Peskine449bd832023-01-11 14:50:10 +010010545 if (pw_data->len > 0) {
10546 psa_set_key_usage_flags(&attributes, key_usage_pw);
10547 psa_set_key_algorithm(&attributes, alg);
10548 psa_set_key_type(&attributes, key_type_pw);
10549 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len,
10550 &key));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010551 }
10552
Gilles Peskine449bd832023-01-11 14:50:10 +010010553 psa_pake_cs_set_algorithm(&cipher_suite, alg);
10554 psa_pake_cs_set_primitive(&cipher_suite, primitive);
10555 psa_pake_cs_set_hash(&cipher_suite, hash_alg);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010556
Gilles Peskine449bd832023-01-11 14:50:10 +010010557 PSA_ASSERT(psa_pake_abort(&operation));
Neil Armstrong645cccd2022-06-08 17:36:23 +020010558
Gilles Peskine449bd832023-01-11 14:50:10 +010010559 if (inj_err_type == INJECT_ERR_UNINITIALIZED_ACCESS) {
10560 TEST_EQUAL(psa_pake_set_user(&operation, NULL, 0),
10561 expected_error);
10562 PSA_ASSERT(psa_pake_abort(&operation));
10563 TEST_EQUAL(psa_pake_set_peer(&operation, NULL, 0),
10564 expected_error);
10565 PSA_ASSERT(psa_pake_abort(&operation));
10566 TEST_EQUAL(psa_pake_set_password_key(&operation, key),
10567 expected_error);
10568 PSA_ASSERT(psa_pake_abort(&operation));
10569 TEST_EQUAL(psa_pake_set_role(&operation, role),
10570 expected_error);
10571 PSA_ASSERT(psa_pake_abort(&operation));
10572 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE,
10573 NULL, 0, NULL),
10574 expected_error);
10575 PSA_ASSERT(psa_pake_abort(&operation));
10576 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, NULL, 0),
10577 expected_error);
10578 PSA_ASSERT(psa_pake_abort(&operation));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010579 goto exit;
Valerio Setti1070aed2022-11-11 19:37:31 +010010580 }
Neil Armstrongd597bc72022-05-25 11:28:39 +020010581
Gilles Peskine449bd832023-01-11 14:50:10 +010010582 status = psa_pake_setup(&operation, &cipher_suite);
10583 if (status != PSA_SUCCESS) {
10584 TEST_EQUAL(status, expected_error);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010585 goto exit;
Valerio Setti1070aed2022-11-11 19:37:31 +010010586 }
10587
Gilles Peskine449bd832023-01-11 14:50:10 +010010588 if (inj_err_type == INJECT_ERR_DUPLICATE_SETUP) {
10589 TEST_EQUAL(psa_pake_setup(&operation, &cipher_suite),
10590 expected_error);
Valerio Setti1070aed2022-11-11 19:37:31 +010010591 goto exit;
10592 }
10593
Gilles Peskine449bd832023-01-11 14:50:10 +010010594 status = psa_pake_set_role(&operation, role);
10595 if (status != PSA_SUCCESS) {
10596 TEST_EQUAL(status, expected_error);
Valerio Setti1070aed2022-11-11 19:37:31 +010010597 goto exit;
10598 }
Neil Armstrongd597bc72022-05-25 11:28:39 +020010599
Gilles Peskine449bd832023-01-11 14:50:10 +010010600 if (pw_data->len > 0) {
10601 status = psa_pake_set_password_key(&operation, key);
10602 if (status != PSA_SUCCESS) {
10603 TEST_EQUAL(status, expected_error);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010604 goto exit;
Valerio Setti1070aed2022-11-11 19:37:31 +010010605 }
Neil Armstrongd597bc72022-05-25 11:28:39 +020010606 }
10607
Gilles Peskine449bd832023-01-11 14:50:10 +010010608 if (inj_err_type == INJECT_ERR_INVALID_USER) {
10609 TEST_EQUAL(psa_pake_set_user(&operation, NULL, 0),
10610 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010611 goto exit;
10612 }
Neil Armstrong707d9572022-06-08 17:31:49 +020010613
Gilles Peskine449bd832023-01-11 14:50:10 +010010614 if (inj_err_type == INJECT_ERR_INVALID_PEER) {
10615 TEST_EQUAL(psa_pake_set_peer(&operation, NULL, 0),
10616 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010617 goto exit;
10618 }
Neil Armstrong707d9572022-06-08 17:31:49 +020010619
Gilles Peskine449bd832023-01-11 14:50:10 +010010620 if (inj_err_type == INJECT_ERR_SET_USER) {
Valerio Setti1070aed2022-11-11 19:37:31 +010010621 const uint8_t unsupported_id[] = "abcd";
Gilles Peskine449bd832023-01-11 14:50:10 +010010622 TEST_EQUAL(psa_pake_set_user(&operation, unsupported_id, 4),
10623 PSA_ERROR_NOT_SUPPORTED);
Valerio Setti1070aed2022-11-11 19:37:31 +010010624 goto exit;
10625 }
10626
Gilles Peskine449bd832023-01-11 14:50:10 +010010627 if (inj_err_type == INJECT_ERR_SET_PEER) {
Valerio Setti1070aed2022-11-11 19:37:31 +010010628 const uint8_t unsupported_id[] = "abcd";
Gilles Peskine449bd832023-01-11 14:50:10 +010010629 TEST_EQUAL(psa_pake_set_peer(&operation, unsupported_id, 4),
10630 PSA_ERROR_NOT_SUPPORTED);
Valerio Setti1070aed2022-11-11 19:37:31 +010010631 goto exit;
10632 }
Neil Armstrong707d9572022-06-08 17:31:49 +020010633
Gilles Peskine449bd832023-01-11 14:50:10 +010010634 const size_t size_key_share = PSA_PAKE_INPUT_SIZE(alg, primitive,
10635 PSA_PAKE_STEP_KEY_SHARE);
10636 const size_t size_zk_public = PSA_PAKE_INPUT_SIZE(alg, primitive,
10637 PSA_PAKE_STEP_ZK_PUBLIC);
10638 const size_t size_zk_proof = PSA_PAKE_INPUT_SIZE(alg, primitive,
10639 PSA_PAKE_STEP_ZK_PROOF);
Manuel Pégourié-Gonnardb63a9ef2022-10-06 10:55:19 +020010640
Gilles Peskine449bd832023-01-11 14:50:10 +010010641 if (test_input) {
10642 if (inj_err_type == INJECT_EMPTY_IO_BUFFER) {
10643 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PROOF, NULL, 0),
10644 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010645 goto exit;
10646 }
Neil Armstrong9c8b4922022-06-08 17:59:07 +020010647
Gilles Peskine449bd832023-01-11 14:50:10 +010010648 if (inj_err_type == INJECT_UNKNOWN_STEP) {
10649 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PROOF + 10,
10650 output_buffer, size_zk_proof),
10651 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010652 goto exit;
10653 }
10654
Gilles Peskine449bd832023-01-11 14:50:10 +010010655 if (inj_err_type == INJECT_INVALID_FIRST_STEP) {
10656 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PROOF,
10657 output_buffer, size_zk_proof),
10658 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010659 goto exit;
10660 }
10661
Gilles Peskine449bd832023-01-11 14:50:10 +010010662 status = psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE,
10663 output_buffer, size_key_share);
10664 if (status != PSA_SUCCESS) {
10665 TEST_EQUAL(status, expected_error);
Valerio Setti1070aed2022-11-11 19:37:31 +010010666 goto exit;
10667 }
10668
Gilles Peskine449bd832023-01-11 14:50:10 +010010669 if (inj_err_type == INJECT_WRONG_BUFFER_SIZE) {
10670 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10671 output_buffer, size_zk_public + 1),
10672 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010673 goto exit;
10674 }
10675
Gilles Peskine449bd832023-01-11 14:50:10 +010010676 if (inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE) {
Valerio Setti1070aed2022-11-11 19:37:31 +010010677 // Just trigger any kind of error. We don't care about the result here
Gilles Peskine449bd832023-01-11 14:50:10 +010010678 psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10679 output_buffer, size_zk_public + 1);
10680 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10681 output_buffer, size_zk_public),
10682 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010683 goto exit;
Neil Armstrong9c8b4922022-06-08 17:59:07 +020010684 }
Valerio Setti1070aed2022-11-11 19:37:31 +010010685 } else {
Gilles Peskine449bd832023-01-11 14:50:10 +010010686 if (inj_err_type == INJECT_EMPTY_IO_BUFFER) {
10687 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF,
10688 NULL, 0, NULL),
10689 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010690 goto exit;
10691 }
Neil Armstrong9c8b4922022-06-08 17:59:07 +020010692
Gilles Peskine449bd832023-01-11 14:50:10 +010010693 if (inj_err_type == INJECT_UNKNOWN_STEP) {
10694 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF + 10,
10695 output_buffer, buf_size, &output_len),
10696 PSA_ERROR_INVALID_ARGUMENT);
Valerio Setti1070aed2022-11-11 19:37:31 +010010697 goto exit;
10698 }
Neil Armstrong9c8b4922022-06-08 17:59:07 +020010699
Gilles Peskine449bd832023-01-11 14:50:10 +010010700 if (inj_err_type == INJECT_INVALID_FIRST_STEP) {
10701 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PROOF,
10702 output_buffer, buf_size, &output_len),
10703 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010704 goto exit;
10705 }
10706
Gilles Peskine449bd832023-01-11 14:50:10 +010010707 status = psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE,
10708 output_buffer, buf_size, &output_len);
10709 if (status != PSA_SUCCESS) {
10710 TEST_EQUAL(status, expected_error);
Valerio Setti1070aed2022-11-11 19:37:31 +010010711 goto exit;
10712 }
10713
Gilles Peskine449bd832023-01-11 14:50:10 +010010714 TEST_ASSERT(output_len > 0);
Valerio Setti1070aed2022-11-11 19:37:31 +010010715
Gilles Peskine449bd832023-01-11 14:50:10 +010010716 if (inj_err_type == INJECT_WRONG_BUFFER_SIZE) {
10717 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10718 output_buffer, size_zk_public - 1, &output_len),
10719 PSA_ERROR_BUFFER_TOO_SMALL);
Valerio Setti1070aed2022-11-11 19:37:31 +010010720 goto exit;
10721 }
10722
Gilles Peskine449bd832023-01-11 14:50:10 +010010723 if (inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE) {
Valerio Setti1070aed2022-11-11 19:37:31 +010010724 // Just trigger any kind of error. We don't care about the result here
Gilles Peskine449bd832023-01-11 14:50:10 +010010725 psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10726 output_buffer, size_zk_public - 1, &output_len);
10727 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC,
10728 output_buffer, buf_size, &output_len),
10729 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010730 goto exit;
Neil Armstrong9c8b4922022-06-08 17:59:07 +020010731 }
10732 }
Neil Armstrongd597bc72022-05-25 11:28:39 +020010733
10734exit:
Gilles Peskine449bd832023-01-11 14:50:10 +010010735 PSA_ASSERT(psa_destroy_key(key));
10736 PSA_ASSERT(psa_pake_abort(&operation));
10737 mbedtls_free(output_buffer);
10738 PSA_DONE();
Neil Armstrongd597bc72022-05-25 11:28:39 +020010739}
10740/* END_CASE */
10741
Neil Armstronga557cb82022-06-10 08:58:32 +020010742/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010743void ecjpake_rounds_inject(int alg_arg, int primitive_arg, int hash_arg,
10744 int client_input_first, int inject_error,
10745 data_t *pw_data)
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010746{
10747 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
10748 psa_pake_operation_t server = psa_pake_operation_init();
10749 psa_pake_operation_t client = psa_pake_operation_init();
10750 psa_algorithm_t alg = alg_arg;
10751 psa_algorithm_t hash_alg = hash_arg;
10752 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
10753 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
10754
Gilles Peskine449bd832023-01-11 14:50:10 +010010755 PSA_INIT();
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010756
Gilles Peskine449bd832023-01-11 14:50:10 +010010757 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
10758 psa_set_key_algorithm(&attributes, alg);
10759 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
10760 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len,
10761 &key));
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010762
Gilles Peskine449bd832023-01-11 14:50:10 +010010763 psa_pake_cs_set_algorithm(&cipher_suite, alg);
10764 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg);
10765 psa_pake_cs_set_hash(&cipher_suite, hash_alg);
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010766
10767
Gilles Peskine449bd832023-01-11 14:50:10 +010010768 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite));
10769 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite));
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010770
Gilles Peskine449bd832023-01-11 14:50:10 +010010771 PSA_ASSERT(psa_pake_set_role(&server, PSA_PAKE_ROLE_SERVER));
10772 PSA_ASSERT(psa_pake_set_role(&client, PSA_PAKE_ROLE_CLIENT));
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010773
Gilles Peskine449bd832023-01-11 14:50:10 +010010774 PSA_ASSERT(psa_pake_set_password_key(&server, key));
10775 PSA_ASSERT(psa_pake_set_password_key(&client, key));
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010776
Gilles Peskine449bd832023-01-11 14:50:10 +010010777 ecjpake_do_round(alg, primitive_arg, &server, &client,
10778 client_input_first, 1, inject_error);
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010779
Gilles Peskine449bd832023-01-11 14:50:10 +010010780 if (inject_error == 1 || inject_error == 2) {
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010781 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +010010782 }
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010783
Gilles Peskine449bd832023-01-11 14:50:10 +010010784 ecjpake_do_round(alg, primitive_arg, &server, &client,
10785 client_input_first, 2, inject_error);
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010786
10787exit:
Gilles Peskine449bd832023-01-11 14:50:10 +010010788 psa_destroy_key(key);
10789 psa_pake_abort(&server);
10790 psa_pake_abort(&client);
10791 PSA_DONE();
Neil Armstrong8c2e8a62022-06-15 15:28:32 +020010792}
10793/* END_CASE */
10794
10795/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010796void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg,
10797 int derive_alg_arg, data_t *pw_data,
10798 int client_input_first, int inj_err_type_arg)
Neil Armstrongd597bc72022-05-25 11:28:39 +020010799{
10800 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
10801 psa_pake_operation_t server = psa_pake_operation_init();
10802 psa_pake_operation_t client = psa_pake_operation_init();
10803 psa_algorithm_t alg = alg_arg;
10804 psa_algorithm_t hash_alg = hash_arg;
10805 psa_algorithm_t derive_alg = derive_alg_arg;
10806 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
10807 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
10808 psa_key_derivation_operation_t server_derive =
Gilles Peskine449bd832023-01-11 14:50:10 +010010809 PSA_KEY_DERIVATION_OPERATION_INIT;
Neil Armstrongd597bc72022-05-25 11:28:39 +020010810 psa_key_derivation_operation_t client_derive =
Gilles Peskine449bd832023-01-11 14:50:10 +010010811 PSA_KEY_DERIVATION_OPERATION_INIT;
Valerio Setti1070aed2022-11-11 19:37:31 +010010812 ecjpake_injected_failure_t inj_err_type = inj_err_type_arg;
Neil Armstrongd597bc72022-05-25 11:28:39 +020010813
Gilles Peskine449bd832023-01-11 14:50:10 +010010814 PSA_INIT();
Neil Armstrongd597bc72022-05-25 11:28:39 +020010815
Gilles Peskine449bd832023-01-11 14:50:10 +010010816 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
10817 psa_set_key_algorithm(&attributes, alg);
10818 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
10819 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len,
10820 &key));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010821
Gilles Peskine449bd832023-01-11 14:50:10 +010010822 psa_pake_cs_set_algorithm(&cipher_suite, alg);
10823 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg);
10824 psa_pake_cs_set_hash(&cipher_suite, hash_alg);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010825
Neil Armstrong1e855602022-06-15 11:32:11 +020010826 /* Get shared key */
Gilles Peskine449bd832023-01-11 14:50:10 +010010827 PSA_ASSERT(psa_key_derivation_setup(&server_derive, derive_alg));
10828 PSA_ASSERT(psa_key_derivation_setup(&client_derive, derive_alg));
Neil Armstrong1e855602022-06-15 11:32:11 +020010829
Gilles Peskine449bd832023-01-11 14:50:10 +010010830 if (PSA_ALG_IS_TLS12_PRF(derive_alg) ||
10831 PSA_ALG_IS_TLS12_PSK_TO_MS(derive_alg)) {
10832 PSA_ASSERT(psa_key_derivation_input_bytes(&server_derive,
10833 PSA_KEY_DERIVATION_INPUT_SEED,
10834 (const uint8_t *) "", 0));
10835 PSA_ASSERT(psa_key_derivation_input_bytes(&client_derive,
10836 PSA_KEY_DERIVATION_INPUT_SEED,
10837 (const uint8_t *) "", 0));
Neil Armstrong1e855602022-06-15 11:32:11 +020010838 }
10839
Gilles Peskine449bd832023-01-11 14:50:10 +010010840 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite));
10841 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010842
Gilles Peskine449bd832023-01-11 14:50:10 +010010843 PSA_ASSERT(psa_pake_set_role(&server, PSA_PAKE_ROLE_SERVER));
10844 PSA_ASSERT(psa_pake_set_role(&client, PSA_PAKE_ROLE_CLIENT));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010845
Gilles Peskine449bd832023-01-11 14:50:10 +010010846 PSA_ASSERT(psa_pake_set_password_key(&server, key));
10847 PSA_ASSERT(psa_pake_set_password_key(&client, key));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010848
Gilles Peskine449bd832023-01-11 14:50:10 +010010849 if (inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_1) {
10850 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive),
10851 PSA_ERROR_BAD_STATE);
10852 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive),
10853 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010854 goto exit;
10855 }
Neil Armstrong1e855602022-06-15 11:32:11 +020010856
Neil Armstrongf983caf2022-06-15 15:27:48 +020010857 /* First round */
Gilles Peskine449bd832023-01-11 14:50:10 +010010858 ecjpake_do_round(alg, primitive_arg, &server, &client,
10859 client_input_first, 1, 0);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010860
Gilles Peskine449bd832023-01-11 14:50:10 +010010861 if (inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_2) {
10862 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive),
10863 PSA_ERROR_BAD_STATE);
10864 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive),
10865 PSA_ERROR_BAD_STATE);
Valerio Setti1070aed2022-11-11 19:37:31 +010010866 goto exit;
10867 }
Neil Armstrong1e855602022-06-15 11:32:11 +020010868
Neil Armstrongf983caf2022-06-15 15:27:48 +020010869 /* Second round */
Gilles Peskine449bd832023-01-11 14:50:10 +010010870 ecjpake_do_round(alg, primitive_arg, &server, &client,
10871 client_input_first, 2, 0);
Neil Armstrongd597bc72022-05-25 11:28:39 +020010872
Gilles Peskine449bd832023-01-11 14:50:10 +010010873 PSA_ASSERT(psa_pake_get_implicit_key(&server, &server_derive));
10874 PSA_ASSERT(psa_pake_get_implicit_key(&client, &client_derive));
Neil Armstrongd597bc72022-05-25 11:28:39 +020010875
10876exit:
Gilles Peskine449bd832023-01-11 14:50:10 +010010877 psa_key_derivation_abort(&server_derive);
10878 psa_key_derivation_abort(&client_derive);
10879 psa_destroy_key(key);
10880 psa_pake_abort(&server);
10881 psa_pake_abort(&client);
10882 PSA_DONE();
Neil Armstrongd597bc72022-05-25 11:28:39 +020010883}
10884/* END_CASE */
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010885
10886/* BEGIN_CASE */
Gilles Peskine449bd832023-01-11 14:50:10 +010010887void ecjpake_size_macros()
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010888{
10889 const psa_algorithm_t alg = PSA_ALG_JPAKE;
10890 const size_t bits = 256;
10891 const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE(
Gilles Peskine449bd832023-01-11 14:50:10 +010010892 PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, bits);
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010893 const psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(
Gilles Peskine449bd832023-01-11 14:50:10 +010010894 PSA_ECC_FAMILY_SECP_R1);
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010895
10896 // https://armmbed.github.io/mbed-crypto/1.1_PAKE_Extension.0-bet.0/html/pake.html#pake-step-types
10897 /* The output for KEY_SHARE and ZK_PUBLIC is the same as a public key */
Gilles Peskine449bd832023-01-11 14:50:10 +010010898 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
10899 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits));
10900 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
10901 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits));
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010902 /* The output for ZK_PROOF is the same bitsize as the curve */
Gilles Peskine449bd832023-01-11 14:50:10 +010010903 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
10904 PSA_BITS_TO_BYTES(bits));
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010905
10906 /* Input sizes are the same as output sizes */
Gilles Peskine449bd832023-01-11 14:50:10 +010010907 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
10908 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE));
10909 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
10910 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC));
10911 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
10912 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF));
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010913
10914 /* These inequalities will always hold even when other PAKEs are added */
Gilles Peskine449bd832023-01-11 14:50:10 +010010915 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
10916 PSA_PAKE_OUTPUT_MAX_SIZE);
10917 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
10918 PSA_PAKE_OUTPUT_MAX_SIZE);
10919 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
10920 PSA_PAKE_OUTPUT_MAX_SIZE);
10921 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
10922 PSA_PAKE_INPUT_MAX_SIZE);
10923 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
10924 PSA_PAKE_INPUT_MAX_SIZE);
10925 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
10926 PSA_PAKE_INPUT_MAX_SIZE);
Manuel Pégourié-Gonnardec7012d2022-10-05 12:17:34 +020010927}
10928/* END_CASE */