1/* BEGIN_HEADER */ 2#include <stdint.h> 3 4#include "mbedtls/asn1.h" 5#include "mbedtls/asn1write.h" 6#include "mbedtls/oid.h" 7 8/* For MBEDTLS_CTR_DRBG_MAX_REQUEST, knowing that psa_generate_random() 9 * uses mbedtls_ctr_drbg internally. */ 10#include "mbedtls/ctr_drbg.h" 11 12#include "psa/crypto.h" 13#include "psa_crypto_slot_management.h" 14 15#include "test/asn1_helpers.h" 16#include "test/psa_crypto_helpers.h" 17#include "test/psa_exercise_key.h" 18#if defined(PSA_CRYPTO_DRIVER_TEST) 19#include "test/drivers/test_driver.h" 20#define TEST_DRIVER_LOCATION PSA_CRYPTO_TEST_DRIVER_LOCATION 21#else 22#define TEST_DRIVER_LOCATION 0x7fffff 23#endif 24 25/* If this comes up, it's a bug in the test code or in the test data. */ 26#define UNUSED 0xdeadbeef 27 28/* Assert that an operation is (not) active. 29 * This serves as a proxy for checking if the operation is aborted. */ 30#define ASSERT_OPERATION_IS_ACTIVE( operation ) TEST_ASSERT( operation.id != 0 ) 31#define ASSERT_OPERATION_IS_INACTIVE( operation ) TEST_ASSERT( operation.id == 0 ) 32 33/** An invalid export length that will never be set by psa_export_key(). */ 34static const size_t INVALID_EXPORT_LENGTH = ~0U; 35 36/** Test if a buffer contains a constant byte value. 37 * 38 * `mem_is_char(buffer, c, size)` is true after `memset(buffer, c, size)`. 39 * 40 * \param buffer Pointer to the beginning of the buffer. 41 * \param c Expected value of every byte. 42 * \param size Size of the buffer in bytes. 43 * 44 * \return 1 if the buffer is all-bits-zero. 45 * \return 0 if there is at least one nonzero byte. 46 */ 47static int mem_is_char( void *buffer, unsigned char c, size_t size ) 48{ 49 size_t i; 50 for( i = 0; i < size; i++ ) 51 { 52 if( ( (unsigned char *) buffer )[i] != c ) 53 return( 0 ); 54 } 55 return( 1 ); 56} 57 58/* Write the ASN.1 INTEGER with the value 2^(bits-1)+x backwards from *p. */ 59static int asn1_write_10x( unsigned char **p, 60 unsigned char *start, 61 size_t bits, 62 unsigned char x ) 63{ 64 int ret; 65 int len = bits / 8 + 1; 66 if( bits == 0 ) 67 return( MBEDTLS_ERR_ASN1_INVALID_DATA ); 68 if( bits <= 8 && x >= 1 << ( bits - 1 ) ) 69 return( MBEDTLS_ERR_ASN1_INVALID_DATA ); 70 if( *p < start || *p - start < (ptrdiff_t) len ) 71 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); 72 *p -= len; 73 ( *p )[len-1] = x; 74 if( bits % 8 == 0 ) 75 ( *p )[1] |= 1; 76 else 77 ( *p )[0] |= 1 << ( bits % 8 ); 78 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) ); 79 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, 80 MBEDTLS_ASN1_INTEGER ) ); 81 return( len ); 82} 83 84static int construct_fake_rsa_key( unsigned char *buffer, 85 size_t buffer_size, 86 unsigned char **p, 87 size_t bits, 88 int keypair ) 89{ 90 size_t half_bits = ( bits + 1 ) / 2; 91 int ret; 92 int len = 0; 93 /* Construct something that looks like a DER encoding of 94 * as defined by PKCS#1 v2.2 (RFC 8017) section A.1.2: 95 * RSAPrivateKey ::= SEQUENCE { 96 * version Version, 97 * modulus INTEGER, -- n 98 * publicExponent INTEGER, -- e 99 * privateExponent INTEGER, -- d 100 * prime1 INTEGER, -- p 101 * prime2 INTEGER, -- q 102 * exponent1 INTEGER, -- d mod (p-1) 103 * exponent2 INTEGER, -- d mod (q-1) 104 * coefficient INTEGER, -- (inverse of q) mod p 105 * otherPrimeInfos OtherPrimeInfos OPTIONAL 106 * } 107 * Or, for a public key, the same structure with only 108 * version, modulus and publicExponent. 109 */ 110 *p = buffer + buffer_size; 111 if( keypair ) 112 { 113 MBEDTLS_ASN1_CHK_ADD( len, /* pq */ 114 asn1_write_10x( p, buffer, half_bits, 1 ) ); 115 MBEDTLS_ASN1_CHK_ADD( len, /* dq */ 116 asn1_write_10x( p, buffer, half_bits, 1 ) ); 117 MBEDTLS_ASN1_CHK_ADD( len, /* dp */ 118 asn1_write_10x( p, buffer, half_bits, 1 ) ); 119 MBEDTLS_ASN1_CHK_ADD( len, /* q */ 120 asn1_write_10x( p, buffer, half_bits, 1 ) ); 121 MBEDTLS_ASN1_CHK_ADD( len, /* p != q to pass mbedtls sanity checks */ 122 asn1_write_10x( p, buffer, half_bits, 3 ) ); 123 MBEDTLS_ASN1_CHK_ADD( len, /* d */ 124 asn1_write_10x( p, buffer, bits, 1 ) ); 125 } 126 MBEDTLS_ASN1_CHK_ADD( len, /* e = 65537 */ 127 asn1_write_10x( p, buffer, 17, 1 ) ); 128 MBEDTLS_ASN1_CHK_ADD( len, /* n */ 129 asn1_write_10x( p, buffer, bits, 1 ) ); 130 if( keypair ) 131 MBEDTLS_ASN1_CHK_ADD( len, /* version = 0 */ 132 mbedtls_asn1_write_int( p, buffer, 0 ) ); 133 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, buffer, len ) ); 134 { 135 const unsigned char tag = 136 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE; 137 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, buffer, tag ) ); 138 } 139 return( len ); 140} 141 142int exercise_mac_setup( psa_key_type_t key_type, 143 const unsigned char *key_bytes, 144 size_t key_length, 145 psa_algorithm_t alg, 146 psa_mac_operation_t *operation, 147 psa_status_t *status ) 148{ 149 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 150 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 151 152 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH ); 153 psa_set_key_algorithm( &attributes, alg ); 154 psa_set_key_type( &attributes, key_type ); 155 PSA_ASSERT( psa_import_key( &attributes, key_bytes, key_length, &key ) ); 156 157 *status = psa_mac_sign_setup( operation, key, alg ); 158 /* Whether setup succeeded or failed, abort must succeed. */ 159 PSA_ASSERT( psa_mac_abort( operation ) ); 160 /* If setup failed, reproduce the failure, so that the caller can 161 * test the resulting state of the operation object. */ 162 if( *status != PSA_SUCCESS ) 163 { 164 TEST_EQUAL( psa_mac_sign_setup( operation, key, alg ), *status ); 165 } 166 167 psa_destroy_key( key ); 168 return( 1 ); 169 170exit: 171 psa_destroy_key( key ); 172 return( 0 ); 173} 174 175int exercise_cipher_setup( psa_key_type_t key_type, 176 const unsigned char *key_bytes, 177 size_t key_length, 178 psa_algorithm_t alg, 179 psa_cipher_operation_t *operation, 180 psa_status_t *status ) 181{ 182 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 183 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 184 185 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 186 psa_set_key_algorithm( &attributes, alg ); 187 psa_set_key_type( &attributes, key_type ); 188 PSA_ASSERT( psa_import_key( &attributes, key_bytes, key_length, &key ) ); 189 190 *status = psa_cipher_encrypt_setup( operation, key, alg ); 191 /* Whether setup succeeded or failed, abort must succeed. */ 192 PSA_ASSERT( psa_cipher_abort( operation ) ); 193 /* If setup failed, reproduce the failure, so that the caller can 194 * test the resulting state of the operation object. */ 195 if( *status != PSA_SUCCESS ) 196 { 197 TEST_EQUAL( psa_cipher_encrypt_setup( operation, key, alg ), 198 *status ); 199 } 200 201 psa_destroy_key( key ); 202 return( 1 ); 203 204exit: 205 psa_destroy_key( key ); 206 return( 0 ); 207} 208 209static int test_operations_on_invalid_key( mbedtls_svc_key_id_t key ) 210{ 211 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 212 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 1, 0x6964 ); 213 uint8_t buffer[1]; 214 size_t length; 215 int ok = 0; 216 217 psa_set_key_id( &attributes, key_id ); 218 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 219 psa_set_key_algorithm( &attributes, PSA_ALG_CTR ); 220 psa_set_key_type( &attributes, PSA_KEY_TYPE_AES ); 221 TEST_EQUAL( psa_get_key_attributes( key, &attributes ), 222 PSA_ERROR_INVALID_HANDLE ); 223 TEST_EQUAL( 224 MBEDTLS_SVC_KEY_ID_GET_KEY_ID( psa_get_key_id( &attributes ) ), 0 ); 225 TEST_EQUAL( 226 MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( psa_get_key_id( &attributes ) ), 0 ); 227 TEST_EQUAL( psa_get_key_lifetime( &attributes ), 0 ); 228 TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 0 ); 229 TEST_EQUAL( psa_get_key_algorithm( &attributes ), 0 ); 230 TEST_EQUAL( psa_get_key_type( &attributes ), 0 ); 231 TEST_EQUAL( psa_get_key_bits( &attributes ), 0 ); 232 233 TEST_EQUAL( psa_export_key( key, buffer, sizeof( buffer ), &length ), 234 PSA_ERROR_INVALID_HANDLE ); 235 TEST_EQUAL( psa_export_public_key( key, 236 buffer, sizeof( buffer ), &length ), 237 PSA_ERROR_INVALID_HANDLE ); 238 239 ok = 1; 240 241exit: 242 /* 243 * Key attributes may have been returned by psa_get_key_attributes() 244 * thus reset them as required. 245 */ 246 psa_reset_key_attributes( &attributes ); 247 248 return( ok ); 249} 250 251/* Assert that a key isn't reported as having a slot number. */ 252#if defined(MBEDTLS_PSA_CRYPTO_SE_C) 253#define ASSERT_NO_SLOT_NUMBER( attributes ) \ 254 do \ 255 { \ 256 psa_key_slot_number_t ASSERT_NO_SLOT_NUMBER_slot_number; \ 257 TEST_EQUAL( psa_get_key_slot_number( \ 258 attributes, \ 259 &ASSERT_NO_SLOT_NUMBER_slot_number ), \ 260 PSA_ERROR_INVALID_ARGUMENT ); \ 261 } \ 262 while( 0 ) 263#else /* MBEDTLS_PSA_CRYPTO_SE_C */ 264#define ASSERT_NO_SLOT_NUMBER( attributes ) \ 265 ( (void) 0 ) 266#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ 267 268/* An overapproximation of the amount of storage needed for a key of the 269 * given type and with the given content. The API doesn't make it easy 270 * to find a good value for the size. The current implementation doesn't 271 * care about the value anyway. */ 272#define KEY_BITS_FROM_DATA( type, data ) \ 273 ( data )->len 274 275typedef enum { 276 IMPORT_KEY = 0, 277 GENERATE_KEY = 1, 278 DERIVE_KEY = 2 279} generate_method; 280 281typedef enum 282{ 283 DO_NOT_SET_LENGTHS = 0, 284 SET_LENGTHS_BEFORE_NONCE = 1, 285 SET_LENGTHS_AFTER_NONCE = 2 286} set_lengths_method_t; 287 288typedef enum 289{ 290 USE_NULL_TAG = 0, 291 USE_GIVEN_TAG = 1, 292} tag_usage_method_t; 293 294/*! 295 * \brief Internal Function for AEAD multipart tests. 296 * \param key_type_arg Type of key passed in 297 * \param key_data The encryption / decryption key data 298 * \param alg_arg The type of algorithm used 299 * \param nonce Nonce data 300 * \param additional_data Additional data 301 * \param ad_part_len_arg If not -1, the length of chunks to 302 * feed additional data in to be encrypted / 303 * decrypted. If -1, no chunking. 304 * \param input_data Data to encrypt / decrypt 305 * \param data_part_len_arg If not -1, the length of chunks to feed 306 * the data in to be encrypted / decrypted. If 307 * -1, no chunking 308 * \param set_lengths_method A member of the set_lengths_method_t enum is 309 * expected here, this controls whether or not 310 * to set lengths, and in what order with 311 * respect to set nonce. 312 * \param expected_output Expected output 313 * \param is_encrypt If non-zero this is an encryption operation. 314 * \param do_zero_parts If non-zero, interleave zero length chunks 315 * with normal length chunks. 316 * \return int Zero on failure, non-zero on success. 317 */ 318static int aead_multipart_internal_func( int key_type_arg, data_t *key_data, 319 int alg_arg, 320 data_t *nonce, 321 data_t *additional_data, 322 int ad_part_len_arg, 323 data_t *input_data, 324 int data_part_len_arg, 325 set_lengths_method_t set_lengths_method, 326 data_t *expected_output, 327 int is_encrypt, 328 int do_zero_parts ) 329{ 330 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 331 psa_key_type_t key_type = key_type_arg; 332 psa_algorithm_t alg = alg_arg; 333 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 334 unsigned char *output_data = NULL; 335 unsigned char *part_data = NULL; 336 unsigned char *final_data = NULL; 337 size_t data_true_size = 0; 338 size_t part_data_size = 0; 339 size_t output_size = 0; 340 size_t final_output_size = 0; 341 size_t output_length = 0; 342 size_t key_bits = 0; 343 size_t tag_length = 0; 344 size_t part_offset = 0; 345 size_t part_length = 0; 346 size_t output_part_length = 0; 347 size_t tag_size = 0; 348 size_t ad_part_len = 0; 349 size_t data_part_len = 0; 350 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 351 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 352 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 353 354 int test_ok = 0; 355 size_t part_count = 0; 356 357 PSA_ASSERT( psa_crypto_init( ) ); 358 359 if( is_encrypt ) 360 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 361 else 362 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 363 364 psa_set_key_algorithm( &attributes, alg ); 365 psa_set_key_type( &attributes, key_type ); 366 367 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 368 &key ) ); 369 370 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 371 key_bits = psa_get_key_bits( &attributes ); 372 373 tag_length = PSA_AEAD_TAG_LENGTH( key_type, key_bits, alg ); 374 375 if( is_encrypt ) 376 { 377 /* Tag gets written at end of buffer. */ 378 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, 379 ( input_data->len + 380 tag_length ) ); 381 data_true_size = input_data->len; 382 } 383 else 384 { 385 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, 386 ( input_data->len - 387 tag_length ) ); 388 389 /* Do not want to attempt to decrypt tag. */ 390 data_true_size = input_data->len - tag_length; 391 } 392 393 ASSERT_ALLOC( output_data, output_size ); 394 395 if( is_encrypt ) 396 { 397 final_output_size = PSA_AEAD_FINISH_OUTPUT_SIZE( key_type, alg ); 398 TEST_ASSERT( final_output_size <= PSA_AEAD_FINISH_OUTPUT_MAX_SIZE ); 399 } 400 else 401 { 402 final_output_size = PSA_AEAD_VERIFY_OUTPUT_SIZE( key_type, alg ); 403 TEST_ASSERT( final_output_size <= PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE ); 404 } 405 406 ASSERT_ALLOC( final_data, final_output_size ); 407 408 if( is_encrypt ) 409 status = psa_aead_encrypt_setup( &operation, key, alg ); 410 else 411 status = psa_aead_decrypt_setup( &operation, key, alg ); 412 413 /* If the operation is not supported, just skip and not fail in case the 414 * encryption involves a common limitation of cryptography hardwares and 415 * an alternative implementation. */ 416 if( status == PSA_ERROR_NOT_SUPPORTED ) 417 { 418 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 419 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce->len ); 420 } 421 422 PSA_ASSERT( status ); 423 424 if( set_lengths_method == DO_NOT_SET_LENGTHS ) 425 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 426 else if( set_lengths_method == SET_LENGTHS_BEFORE_NONCE ) 427 { 428 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 429 data_true_size ) ); 430 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 431 } 432 else if( set_lengths_method == SET_LENGTHS_AFTER_NONCE ) 433 { 434 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 435 436 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 437 data_true_size ) ); 438 } 439 440 if( ad_part_len_arg != -1 ) 441 { 442 /* Pass additional data in parts */ 443 ad_part_len = (size_t) ad_part_len_arg; 444 445 for( part_offset = 0, part_count = 0; 446 part_offset < additional_data->len; 447 part_offset += part_length, part_count++ ) 448 { 449 if( do_zero_parts && ( part_count & 0x01 ) ) 450 { 451 part_length = 0; 452 } 453 else if( additional_data->len - part_offset < ad_part_len ) 454 { 455 part_length = additional_data->len - part_offset; 456 } 457 else 458 { 459 part_length = ad_part_len; 460 } 461 462 PSA_ASSERT( psa_aead_update_ad( &operation, 463 additional_data->x + part_offset, 464 part_length ) ); 465 466 } 467 } 468 else 469 { 470 /* Pass additional data in one go. */ 471 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 472 additional_data->len ) ); 473 } 474 475 if( data_part_len_arg != -1 ) 476 { 477 /* Pass data in parts */ 478 data_part_len = ( size_t ) data_part_len_arg; 479 part_data_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, 480 ( size_t ) data_part_len ); 481 482 ASSERT_ALLOC( part_data, part_data_size ); 483 484 for( part_offset = 0, part_count = 0; 485 part_offset < data_true_size; 486 part_offset += part_length, part_count++ ) 487 { 488 if( do_zero_parts && ( part_count & 0x01 ) ) 489 { 490 part_length = 0; 491 } 492 else if( ( data_true_size - part_offset ) < data_part_len ) 493 { 494 part_length = ( data_true_size - part_offset ); 495 } 496 else 497 { 498 part_length = data_part_len; 499 } 500 501 PSA_ASSERT( psa_aead_update( &operation, 502 ( input_data->x + part_offset ), 503 part_length, part_data, 504 part_data_size, 505 &output_part_length ) ); 506 507 if( output_data && output_part_length ) 508 { 509 memcpy( ( output_data + part_offset ), part_data, 510 output_part_length ); 511 } 512 513 output_length += output_part_length; 514 } 515 } 516 else 517 { 518 /* Pass all data in one go. */ 519 PSA_ASSERT( psa_aead_update( &operation, input_data->x, 520 data_true_size, output_data, 521 output_size, &output_length ) ); 522 } 523 524 if( is_encrypt ) 525 PSA_ASSERT( psa_aead_finish( &operation, final_data, 526 final_output_size, 527 &output_part_length, 528 tag_buffer, tag_length, 529 &tag_size ) ); 530 else 531 { 532 PSA_ASSERT( psa_aead_verify( &operation, final_data, 533 final_output_size, 534 &output_part_length, 535 ( input_data->x + data_true_size ), 536 tag_length ) ); 537 } 538 539 if( output_data && output_part_length ) 540 memcpy( ( output_data + output_length ), final_data, 541 output_part_length ); 542 543 output_length += output_part_length; 544 545 546 /* For all currently defined algorithms, PSA_AEAD_xxx_OUTPUT_SIZE 547 * should be exact.*/ 548 if( is_encrypt ) 549 { 550 TEST_EQUAL( tag_length, tag_size ); 551 552 if( output_data && tag_length ) 553 memcpy( ( output_data + output_length ), tag_buffer, 554 tag_length ); 555 556 output_length += tag_length; 557 558 TEST_EQUAL( output_length, 559 PSA_AEAD_ENCRYPT_OUTPUT_SIZE( key_type, alg, 560 input_data->len ) ); 561 TEST_ASSERT( output_length <= 562 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE( input_data->len ) ); 563 } 564 else 565 { 566 TEST_EQUAL( output_length, 567 PSA_AEAD_DECRYPT_OUTPUT_SIZE( key_type, alg, 568 input_data->len ) ); 569 TEST_ASSERT( output_length <= 570 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE( input_data->len ) ); 571 } 572 573 574 ASSERT_COMPARE( expected_output->x, expected_output->len, 575 output_data, output_length ); 576 577 578 test_ok = 1; 579 580exit: 581 psa_destroy_key( key ); 582 psa_aead_abort( &operation ); 583 mbedtls_free( output_data ); 584 mbedtls_free( part_data ); 585 mbedtls_free( final_data ); 586 PSA_DONE( ); 587 588 return( test_ok ); 589} 590 591/* END_HEADER */ 592 593/* BEGIN_DEPENDENCIES 594 * depends_on:MBEDTLS_PSA_CRYPTO_C 595 * END_DEPENDENCIES 596 */ 597 598/* BEGIN_CASE */ 599void static_checks( ) 600{ 601 size_t max_truncated_mac_size = 602 PSA_ALG_MAC_TRUNCATION_MASK >> PSA_MAC_TRUNCATION_OFFSET; 603 604 /* Check that the length for a truncated MAC always fits in the algorithm 605 * encoding. The shifted mask is the maximum truncated value. The 606 * untruncated algorithm may be one byte larger. */ 607 TEST_ASSERT( PSA_MAC_MAX_SIZE <= 1 + max_truncated_mac_size ); 608} 609/* END_CASE */ 610 611/* BEGIN_CASE */ 612void import_with_policy( int type_arg, 613 int usage_arg, int alg_arg, 614 int expected_status_arg ) 615{ 616 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 617 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 618 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 619 psa_key_type_t type = type_arg; 620 psa_key_usage_t usage = usage_arg; 621 psa_algorithm_t alg = alg_arg; 622 psa_status_t expected_status = expected_status_arg; 623 const uint8_t key_material[16] = {0}; 624 psa_status_t status; 625 626 PSA_ASSERT( psa_crypto_init( ) ); 627 628 psa_set_key_type( &attributes, type ); 629 psa_set_key_usage_flags( &attributes, usage ); 630 psa_set_key_algorithm( &attributes, alg ); 631 632 status = psa_import_key( &attributes, 633 key_material, sizeof( key_material ), 634 &key ); 635 TEST_EQUAL( status, expected_status ); 636 if( status != PSA_SUCCESS ) 637 goto exit; 638 639 PSA_ASSERT( psa_get_key_attributes( key, &got_attributes ) ); 640 TEST_EQUAL( psa_get_key_type( &got_attributes ), type ); 641 TEST_EQUAL( psa_get_key_usage_flags( &got_attributes ), 642 mbedtls_test_update_key_usage_flags( usage ) ); 643 TEST_EQUAL( psa_get_key_algorithm( &got_attributes ), alg ); 644 ASSERT_NO_SLOT_NUMBER( &got_attributes ); 645 646 PSA_ASSERT( psa_destroy_key( key ) ); 647 test_operations_on_invalid_key( key ); 648 649exit: 650 /* 651 * Key attributes may have been returned by psa_get_key_attributes() 652 * thus reset them as required. 653 */ 654 psa_reset_key_attributes( &got_attributes ); 655 656 psa_destroy_key( key ); 657 PSA_DONE( ); 658} 659/* END_CASE */ 660 661/* BEGIN_CASE */ 662void import_with_data( data_t *data, int type_arg, 663 int attr_bits_arg, 664 int expected_status_arg ) 665{ 666 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 667 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 668 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 669 psa_key_type_t type = type_arg; 670 size_t attr_bits = attr_bits_arg; 671 psa_status_t expected_status = expected_status_arg; 672 psa_status_t status; 673 674 PSA_ASSERT( psa_crypto_init( ) ); 675 676 psa_set_key_type( &attributes, type ); 677 psa_set_key_bits( &attributes, attr_bits ); 678 679 status = psa_import_key( &attributes, data->x, data->len, &key ); 680 TEST_EQUAL( status, expected_status ); 681 if( status != PSA_SUCCESS ) 682 goto exit; 683 684 PSA_ASSERT( psa_get_key_attributes( key, &got_attributes ) ); 685 TEST_EQUAL( psa_get_key_type( &got_attributes ), type ); 686 if( attr_bits != 0 ) 687 TEST_EQUAL( attr_bits, psa_get_key_bits( &got_attributes ) ); 688 ASSERT_NO_SLOT_NUMBER( &got_attributes ); 689 690 PSA_ASSERT( psa_destroy_key( key ) ); 691 test_operations_on_invalid_key( key ); 692 693exit: 694 /* 695 * Key attributes may have been returned by psa_get_key_attributes() 696 * thus reset them as required. 697 */ 698 psa_reset_key_attributes( &got_attributes ); 699 700 psa_destroy_key( key ); 701 PSA_DONE( ); 702} 703/* END_CASE */ 704 705/* BEGIN_CASE */ 706void import_large_key( int type_arg, int byte_size_arg, 707 int expected_status_arg ) 708{ 709 psa_key_type_t type = type_arg; 710 size_t byte_size = byte_size_arg; 711 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 712 psa_status_t expected_status = expected_status_arg; 713 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 714 psa_status_t status; 715 uint8_t *buffer = NULL; 716 size_t buffer_size = byte_size + 1; 717 size_t n; 718 719 /* Skip the test case if the target running the test cannot 720 * accomodate large keys due to heap size constraints */ 721 ASSERT_ALLOC_WEAK( buffer, buffer_size ); 722 memset( buffer, 'K', byte_size ); 723 724 PSA_ASSERT( psa_crypto_init( ) ); 725 726 /* Try importing the key */ 727 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT ); 728 psa_set_key_type( &attributes, type ); 729 status = psa_import_key( &attributes, buffer, byte_size, &key ); 730 TEST_ASSUME( status != PSA_ERROR_INSUFFICIENT_MEMORY ); 731 TEST_EQUAL( status, expected_status ); 732 733 if( status == PSA_SUCCESS ) 734 { 735 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 736 TEST_EQUAL( psa_get_key_type( &attributes ), type ); 737 TEST_EQUAL( psa_get_key_bits( &attributes ), 738 PSA_BYTES_TO_BITS( byte_size ) ); 739 ASSERT_NO_SLOT_NUMBER( &attributes ); 740 memset( buffer, 0, byte_size + 1 ); 741 PSA_ASSERT( psa_export_key( key, buffer, byte_size, &n ) ); 742 for( n = 0; n < byte_size; n++ ) 743 TEST_EQUAL( buffer[n], 'K' ); 744 for( n = byte_size; n < buffer_size; n++ ) 745 TEST_EQUAL( buffer[n], 0 ); 746 } 747 748exit: 749 /* 750 * Key attributes may have been returned by psa_get_key_attributes() 751 * thus reset them as required. 752 */ 753 psa_reset_key_attributes( &attributes ); 754 755 psa_destroy_key( key ); 756 PSA_DONE( ); 757 mbedtls_free( buffer ); 758} 759/* END_CASE */ 760 761/* BEGIN_CASE */ 762void import_rsa_made_up( int bits_arg, int keypair, int expected_status_arg ) 763{ 764 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 765 size_t bits = bits_arg; 766 psa_status_t expected_status = expected_status_arg; 767 psa_status_t status; 768 psa_key_type_t type = 769 keypair ? PSA_KEY_TYPE_RSA_KEY_PAIR : PSA_KEY_TYPE_RSA_PUBLIC_KEY; 770 size_t buffer_size = /* Slight overapproximations */ 771 keypair ? bits * 9 / 16 + 80 : bits / 8 + 20; 772 unsigned char *buffer = NULL; 773 unsigned char *p; 774 int ret; 775 size_t length; 776 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 777 778 PSA_ASSERT( psa_crypto_init( ) ); 779 ASSERT_ALLOC( buffer, buffer_size ); 780 781 TEST_ASSERT( ( ret = construct_fake_rsa_key( buffer, buffer_size, &p, 782 bits, keypair ) ) >= 0 ); 783 length = ret; 784 785 /* Try importing the key */ 786 psa_set_key_type( &attributes, type ); 787 status = psa_import_key( &attributes, p, length, &key ); 788 TEST_EQUAL( status, expected_status ); 789 790 if( status == PSA_SUCCESS ) 791 PSA_ASSERT( psa_destroy_key( key ) ); 792 793exit: 794 mbedtls_free( buffer ); 795 PSA_DONE( ); 796} 797/* END_CASE */ 798 799/* BEGIN_CASE */ 800void import_export( data_t *data, 801 int type_arg, 802 int usage_arg, int alg_arg, 803 int lifetime_arg, 804 int expected_bits, 805 int export_size_delta, 806 int expected_export_status_arg, 807 int canonical_input ) 808{ 809 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 810 psa_key_type_t type = type_arg; 811 psa_algorithm_t alg = alg_arg; 812 psa_status_t expected_export_status = expected_export_status_arg; 813 psa_status_t status; 814 psa_key_lifetime_t lifetime = lifetime_arg; 815 unsigned char *exported = NULL; 816 unsigned char *reexported = NULL; 817 size_t export_size; 818 size_t exported_length = INVALID_EXPORT_LENGTH; 819 size_t reexported_length; 820 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 821 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 822 823 export_size = (ptrdiff_t) data->len + export_size_delta; 824 ASSERT_ALLOC( exported, export_size ); 825 if( ! canonical_input ) 826 ASSERT_ALLOC( reexported, export_size ); 827 PSA_ASSERT( psa_crypto_init( ) ); 828 829 psa_set_key_lifetime( &attributes, lifetime ); 830 psa_set_key_usage_flags( &attributes, usage_arg ); 831 psa_set_key_algorithm( &attributes, alg ); 832 psa_set_key_type( &attributes, type ); 833 834 /* Import the key */ 835 PSA_ASSERT( psa_import_key( &attributes, data->x, data->len, &key ) ); 836 837 /* Test the key information */ 838 PSA_ASSERT( psa_get_key_attributes( key, &got_attributes ) ); 839 TEST_EQUAL( psa_get_key_type( &got_attributes ), type ); 840 TEST_EQUAL( psa_get_key_bits( &got_attributes ), (size_t) expected_bits ); 841 ASSERT_NO_SLOT_NUMBER( &got_attributes ); 842 843 /* Export the key */ 844 status = psa_export_key( key, exported, export_size, &exported_length ); 845 TEST_EQUAL( status, expected_export_status ); 846 847 /* The exported length must be set by psa_export_key() to a value between 0 848 * and export_size. On errors, the exported length must be 0. */ 849 TEST_ASSERT( exported_length != INVALID_EXPORT_LENGTH ); 850 TEST_ASSERT( status == PSA_SUCCESS || exported_length == 0 ); 851 TEST_ASSERT( exported_length <= export_size ); 852 853 TEST_ASSERT( mem_is_char( exported + exported_length, 0, 854 export_size - exported_length ) ); 855 if( status != PSA_SUCCESS ) 856 { 857 TEST_EQUAL( exported_length, 0 ); 858 goto destroy; 859 } 860 861 /* Run sanity checks on the exported key. For non-canonical inputs, 862 * this validates the canonical representations. For canonical inputs, 863 * this doesn't directly validate the implementation, but it still helps 864 * by cross-validating the test data with the sanity check code. */ 865 if( !psa_key_lifetime_is_external( lifetime ) ) 866 { 867 if( ! mbedtls_test_psa_exercise_key( key, usage_arg, 0 ) ) 868 goto exit; 869 } 870 871 if( canonical_input ) 872 ASSERT_COMPARE( data->x, data->len, exported, exported_length ); 873 else 874 { 875 mbedtls_svc_key_id_t key2 = MBEDTLS_SVC_KEY_ID_INIT; 876 PSA_ASSERT( psa_import_key( &attributes, exported, exported_length, 877 &key2 ) ); 878 PSA_ASSERT( psa_export_key( key2, 879 reexported, 880 export_size, 881 &reexported_length ) ); 882 ASSERT_COMPARE( exported, exported_length, 883 reexported, reexported_length ); 884 PSA_ASSERT( psa_destroy_key( key2 ) ); 885 } 886 TEST_ASSERT( exported_length <= 887 PSA_EXPORT_KEY_OUTPUT_SIZE( type, 888 psa_get_key_bits( &got_attributes ) ) ); 889 TEST_ASSERT( exported_length <= PSA_EXPORT_KEY_PAIR_MAX_SIZE ); 890 891destroy: 892 /* Destroy the key */ 893 PSA_ASSERT( psa_destroy_key( key ) ); 894 test_operations_on_invalid_key( key ); 895 896exit: 897 /* 898 * Key attributes may have been returned by psa_get_key_attributes() 899 * thus reset them as required. 900 */ 901 psa_reset_key_attributes( &got_attributes ); 902 psa_destroy_key( key ) ; 903 mbedtls_free( exported ); 904 mbedtls_free( reexported ); 905 PSA_DONE( ); 906} 907/* END_CASE */ 908 909/* BEGIN_CASE */ 910void import_export_public_key( data_t *data, 911 int type_arg, 912 int alg_arg, 913 int lifetime_arg, 914 int export_size_delta, 915 int expected_export_status_arg, 916 data_t *expected_public_key ) 917{ 918 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 919 psa_key_type_t type = type_arg; 920 psa_algorithm_t alg = alg_arg; 921 psa_status_t expected_export_status = expected_export_status_arg; 922 psa_status_t status; 923 psa_key_lifetime_t lifetime = lifetime_arg; 924 unsigned char *exported = NULL; 925 size_t export_size = expected_public_key->len + export_size_delta; 926 size_t exported_length = INVALID_EXPORT_LENGTH; 927 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 928 929 PSA_ASSERT( psa_crypto_init( ) ); 930 931 psa_set_key_lifetime( &attributes, lifetime ); 932 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT ); 933 psa_set_key_algorithm( &attributes, alg ); 934 psa_set_key_type( &attributes, type ); 935 936 /* Import the key */ 937 PSA_ASSERT( psa_import_key( &attributes, data->x, data->len, &key ) ); 938 939 /* Export the public key */ 940 ASSERT_ALLOC( exported, export_size ); 941 status = psa_export_public_key( key, 942 exported, export_size, 943 &exported_length ); 944 TEST_EQUAL( status, expected_export_status ); 945 if( status == PSA_SUCCESS ) 946 { 947 psa_key_type_t public_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( type ); 948 size_t bits; 949 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 950 bits = psa_get_key_bits( &attributes ); 951 TEST_ASSERT( expected_public_key->len <= 952 PSA_EXPORT_KEY_OUTPUT_SIZE( public_type, bits ) ); 953 TEST_ASSERT( expected_public_key->len <= 954 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( public_type, bits ) ); 955 TEST_ASSERT( expected_public_key->len <= 956 PSA_EXPORT_PUBLIC_KEY_MAX_SIZE ); 957 ASSERT_COMPARE( expected_public_key->x, expected_public_key->len, 958 exported, exported_length ); 959 } 960exit: 961 /* 962 * Key attributes may have been returned by psa_get_key_attributes() 963 * thus reset them as required. 964 */ 965 psa_reset_key_attributes( &attributes ); 966 967 mbedtls_free( exported ); 968 psa_destroy_key( key ); 969 PSA_DONE( ); 970} 971/* END_CASE */ 972 973/* BEGIN_CASE */ 974void import_and_exercise_key( data_t *data, 975 int type_arg, 976 int bits_arg, 977 int alg_arg ) 978{ 979 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 980 psa_key_type_t type = type_arg; 981 size_t bits = bits_arg; 982 psa_algorithm_t alg = alg_arg; 983 psa_key_usage_t usage = mbedtls_test_psa_usage_to_exercise( type, alg ); 984 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 985 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 986 987 PSA_ASSERT( psa_crypto_init( ) ); 988 989 psa_set_key_usage_flags( &attributes, usage ); 990 psa_set_key_algorithm( &attributes, alg ); 991 psa_set_key_type( &attributes, type ); 992 993 /* Import the key */ 994 PSA_ASSERT( psa_import_key( &attributes, data->x, data->len, &key ) ); 995 996 /* Test the key information */ 997 PSA_ASSERT( psa_get_key_attributes( key, &got_attributes ) ); 998 TEST_EQUAL( psa_get_key_type( &got_attributes ), type ); 999 TEST_EQUAL( psa_get_key_bits( &got_attributes ), bits ); 1000 1001 /* Do something with the key according to its type and permitted usage. */ 1002 if( ! mbedtls_test_psa_exercise_key( key, usage, alg ) ) 1003 goto exit; 1004 1005 PSA_ASSERT( psa_destroy_key( key ) ); 1006 test_operations_on_invalid_key( key ); 1007 1008exit: 1009 /* 1010 * Key attributes may have been returned by psa_get_key_attributes() 1011 * thus reset them as required. 1012 */ 1013 psa_reset_key_attributes( &got_attributes ); 1014 1015 psa_reset_key_attributes( &attributes ); 1016 psa_destroy_key( key ); 1017 PSA_DONE( ); 1018} 1019/* END_CASE */ 1020 1021/* BEGIN_CASE */ 1022void effective_key_attributes( int type_arg, int expected_type_arg, 1023 int bits_arg, int expected_bits_arg, 1024 int usage_arg, int expected_usage_arg, 1025 int alg_arg, int expected_alg_arg ) 1026{ 1027 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1028 psa_key_type_t key_type = type_arg; 1029 psa_key_type_t expected_key_type = expected_type_arg; 1030 size_t bits = bits_arg; 1031 size_t expected_bits = expected_bits_arg; 1032 psa_algorithm_t alg = alg_arg; 1033 psa_algorithm_t expected_alg = expected_alg_arg; 1034 psa_key_usage_t usage = usage_arg; 1035 psa_key_usage_t expected_usage = expected_usage_arg; 1036 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1037 1038 PSA_ASSERT( psa_crypto_init( ) ); 1039 1040 psa_set_key_usage_flags( &attributes, usage ); 1041 psa_set_key_algorithm( &attributes, alg ); 1042 psa_set_key_type( &attributes, key_type ); 1043 psa_set_key_bits( &attributes, bits ); 1044 1045 PSA_ASSERT( psa_generate_key( &attributes, &key ) ); 1046 psa_reset_key_attributes( &attributes ); 1047 1048 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 1049 TEST_EQUAL( psa_get_key_type( &attributes ), expected_key_type ); 1050 TEST_EQUAL( psa_get_key_bits( &attributes ), expected_bits ); 1051 TEST_EQUAL( psa_get_key_usage_flags( &attributes ), expected_usage ); 1052 TEST_EQUAL( psa_get_key_algorithm( &attributes ), expected_alg ); 1053 1054exit: 1055 /* 1056 * Key attributes may have been returned by psa_get_key_attributes() 1057 * thus reset them as required. 1058 */ 1059 psa_reset_key_attributes( &attributes ); 1060 1061 psa_destroy_key( key ); 1062 PSA_DONE( ); 1063} 1064/* END_CASE */ 1065 1066/* BEGIN_CASE */ 1067void check_key_policy( int type_arg, int bits_arg, 1068 int usage_arg, int alg_arg ) 1069{ 1070 test_effective_key_attributes( type_arg, type_arg, bits_arg, bits_arg, 1071 usage_arg, 1072 mbedtls_test_update_key_usage_flags( usage_arg ), 1073 alg_arg, alg_arg ); 1074 goto exit; 1075} 1076/* END_CASE */ 1077 1078/* BEGIN_CASE */ 1079void key_attributes_init( ) 1080{ 1081 /* Test each valid way of initializing the object, except for `= {0}`, as 1082 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 1083 * though it's OK by the C standard. We could test for this, but we'd need 1084 * to supress the Clang warning for the test. */ 1085 psa_key_attributes_t func = psa_key_attributes_init( ); 1086 psa_key_attributes_t init = PSA_KEY_ATTRIBUTES_INIT; 1087 psa_key_attributes_t zero; 1088 1089 memset( &zero, 0, sizeof( zero ) ); 1090 1091 TEST_EQUAL( psa_get_key_lifetime( &func ), PSA_KEY_LIFETIME_VOLATILE ); 1092 TEST_EQUAL( psa_get_key_lifetime( &init ), PSA_KEY_LIFETIME_VOLATILE ); 1093 TEST_EQUAL( psa_get_key_lifetime( &zero ), PSA_KEY_LIFETIME_VOLATILE ); 1094 1095 TEST_EQUAL( psa_get_key_type( &func ), 0 ); 1096 TEST_EQUAL( psa_get_key_type( &init ), 0 ); 1097 TEST_EQUAL( psa_get_key_type( &zero ), 0 ); 1098 1099 TEST_EQUAL( psa_get_key_bits( &func ), 0 ); 1100 TEST_EQUAL( psa_get_key_bits( &init ), 0 ); 1101 TEST_EQUAL( psa_get_key_bits( &zero ), 0 ); 1102 1103 TEST_EQUAL( psa_get_key_usage_flags( &func ), 0 ); 1104 TEST_EQUAL( psa_get_key_usage_flags( &init ), 0 ); 1105 TEST_EQUAL( psa_get_key_usage_flags( &zero ), 0 ); 1106 1107 TEST_EQUAL( psa_get_key_algorithm( &func ), 0 ); 1108 TEST_EQUAL( psa_get_key_algorithm( &init ), 0 ); 1109 TEST_EQUAL( psa_get_key_algorithm( &zero ), 0 ); 1110} 1111/* END_CASE */ 1112 1113/* BEGIN_CASE */ 1114void mac_key_policy( int policy_usage_arg, 1115 int policy_alg_arg, 1116 int key_type_arg, 1117 data_t *key_data, 1118 int exercise_alg_arg, 1119 int expected_status_sign_arg, 1120 int expected_status_verify_arg ) 1121{ 1122 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1123 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1124 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 1125 psa_key_type_t key_type = key_type_arg; 1126 psa_algorithm_t policy_alg = policy_alg_arg; 1127 psa_algorithm_t exercise_alg = exercise_alg_arg; 1128 psa_key_usage_t policy_usage = policy_usage_arg; 1129 psa_status_t status; 1130 psa_status_t expected_status_sign = expected_status_sign_arg; 1131 psa_status_t expected_status_verify = expected_status_verify_arg; 1132 unsigned char mac[PSA_MAC_MAX_SIZE]; 1133 1134 PSA_ASSERT( psa_crypto_init( ) ); 1135 1136 psa_set_key_usage_flags( &attributes, policy_usage ); 1137 psa_set_key_algorithm( &attributes, policy_alg ); 1138 psa_set_key_type( &attributes, key_type ); 1139 1140 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 1141 &key ) ); 1142 1143 TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 1144 mbedtls_test_update_key_usage_flags( policy_usage ) ); 1145 1146 status = psa_mac_sign_setup( &operation, key, exercise_alg ); 1147 TEST_EQUAL( status, expected_status_sign ); 1148 1149 /* Calculate the MAC, one-shot case. */ 1150 uint8_t input[128] = {0}; 1151 size_t mac_len; 1152 TEST_EQUAL( psa_mac_compute( key, exercise_alg, 1153 input, 128, 1154 mac, PSA_MAC_MAX_SIZE, &mac_len ), 1155 expected_status_sign ); 1156 1157 /* Verify correct MAC, one-shot case. */ 1158 status = psa_mac_verify( key, exercise_alg, input, 128, 1159 mac, mac_len ); 1160 1161 if( expected_status_sign != PSA_SUCCESS && expected_status_verify == PSA_SUCCESS ) 1162 TEST_EQUAL( status, PSA_ERROR_INVALID_SIGNATURE ); 1163 else 1164 TEST_EQUAL( status, expected_status_verify ); 1165 1166 psa_mac_abort( &operation ); 1167 1168 memset( mac, 0, sizeof( mac ) ); 1169 status = psa_mac_verify_setup( &operation, key, exercise_alg ); 1170 TEST_EQUAL( status, expected_status_verify ); 1171 1172exit: 1173 psa_mac_abort( &operation ); 1174 psa_destroy_key( key ); 1175 PSA_DONE( ); 1176} 1177/* END_CASE */ 1178 1179/* BEGIN_CASE */ 1180void cipher_key_policy( int policy_usage_arg, 1181 int policy_alg, 1182 int key_type, 1183 data_t *key_data, 1184 int exercise_alg ) 1185{ 1186 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1187 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1188 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 1189 psa_key_usage_t policy_usage = policy_usage_arg; 1190 psa_status_t status; 1191 1192 PSA_ASSERT( psa_crypto_init( ) ); 1193 1194 psa_set_key_usage_flags( &attributes, policy_usage ); 1195 psa_set_key_algorithm( &attributes, policy_alg ); 1196 psa_set_key_type( &attributes, key_type ); 1197 1198 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 1199 &key ) ); 1200 1201 /* Check if no key usage flag implication is done */ 1202 TEST_EQUAL( policy_usage, 1203 mbedtls_test_update_key_usage_flags( policy_usage ) ); 1204 1205 status = psa_cipher_encrypt_setup( &operation, key, exercise_alg ); 1206 if( policy_alg == exercise_alg && 1207 ( policy_usage & PSA_KEY_USAGE_ENCRYPT ) != 0 ) 1208 PSA_ASSERT( status ); 1209 else 1210 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 1211 psa_cipher_abort( &operation ); 1212 1213 status = psa_cipher_decrypt_setup( &operation, key, exercise_alg ); 1214 if( policy_alg == exercise_alg && 1215 ( policy_usage & PSA_KEY_USAGE_DECRYPT ) != 0 ) 1216 PSA_ASSERT( status ); 1217 else 1218 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 1219 1220exit: 1221 psa_cipher_abort( &operation ); 1222 psa_destroy_key( key ); 1223 PSA_DONE( ); 1224} 1225/* END_CASE */ 1226 1227/* BEGIN_CASE */ 1228void aead_key_policy( int policy_usage_arg, 1229 int policy_alg, 1230 int key_type, 1231 data_t *key_data, 1232 int nonce_length_arg, 1233 int tag_length_arg, 1234 int exercise_alg, 1235 int expected_status_arg ) 1236{ 1237 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1238 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1239 psa_key_usage_t policy_usage = policy_usage_arg; 1240 psa_status_t status; 1241 psa_status_t expected_status = expected_status_arg; 1242 unsigned char nonce[16] = {0}; 1243 size_t nonce_length = nonce_length_arg; 1244 unsigned char tag[16]; 1245 size_t tag_length = tag_length_arg; 1246 size_t output_length; 1247 1248 TEST_ASSERT( nonce_length <= sizeof( nonce ) ); 1249 TEST_ASSERT( tag_length <= sizeof( tag ) ); 1250 1251 PSA_ASSERT( psa_crypto_init( ) ); 1252 1253 psa_set_key_usage_flags( &attributes, policy_usage ); 1254 psa_set_key_algorithm( &attributes, policy_alg ); 1255 psa_set_key_type( &attributes, key_type ); 1256 1257 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 1258 &key ) ); 1259 1260 /* Check if no key usage implication is done */ 1261 TEST_EQUAL( policy_usage, 1262 mbedtls_test_update_key_usage_flags( policy_usage ) ); 1263 1264 status = psa_aead_encrypt( key, exercise_alg, 1265 nonce, nonce_length, 1266 NULL, 0, 1267 NULL, 0, 1268 tag, tag_length, 1269 &output_length ); 1270 if( ( policy_usage & PSA_KEY_USAGE_ENCRYPT ) != 0 ) 1271 TEST_EQUAL( status, expected_status ); 1272 else 1273 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 1274 1275 memset( tag, 0, sizeof( tag ) ); 1276 status = psa_aead_decrypt( key, exercise_alg, 1277 nonce, nonce_length, 1278 NULL, 0, 1279 tag, tag_length, 1280 NULL, 0, 1281 &output_length ); 1282 if( ( policy_usage & PSA_KEY_USAGE_DECRYPT ) == 0 ) 1283 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 1284 else if( expected_status == PSA_SUCCESS ) 1285 TEST_EQUAL( status, PSA_ERROR_INVALID_SIGNATURE ); 1286 else 1287 TEST_EQUAL( status, expected_status ); 1288 1289exit: 1290 psa_destroy_key( key ); 1291 PSA_DONE( ); 1292} 1293/* END_CASE */ 1294 1295/* BEGIN_CASE */ 1296void asymmetric_encryption_key_policy( int policy_usage_arg, 1297 int policy_alg, 1298 int key_type, 1299 data_t *key_data, 1300 int exercise_alg ) 1301{ 1302 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1303 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1304 psa_key_usage_t policy_usage = policy_usage_arg; 1305 psa_status_t status; 1306 size_t key_bits; 1307 size_t buffer_length; 1308 unsigned char *buffer = NULL; 1309 size_t output_length; 1310 1311 PSA_ASSERT( psa_crypto_init( ) ); 1312 1313 psa_set_key_usage_flags( &attributes, policy_usage ); 1314 psa_set_key_algorithm( &attributes, policy_alg ); 1315 psa_set_key_type( &attributes, key_type ); 1316 1317 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 1318 &key ) ); 1319 1320 /* Check if no key usage implication is done */ 1321 TEST_EQUAL( policy_usage, 1322 mbedtls_test_update_key_usage_flags( policy_usage ) ); 1323 1324 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 1325 key_bits = psa_get_key_bits( &attributes ); 1326 buffer_length = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE( key_type, key_bits, 1327 exercise_alg ); 1328 ASSERT_ALLOC( buffer, buffer_length ); 1329 1330 status = psa_asymmetric_encrypt( key, exercise_alg, 1331 NULL, 0, 1332 NULL, 0, 1333 buffer, buffer_length, 1334 &output_length ); 1335 if( policy_alg == exercise_alg && 1336 ( policy_usage & PSA_KEY_USAGE_ENCRYPT ) != 0 ) 1337 PSA_ASSERT( status ); 1338 else 1339 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 1340 1341 if( buffer_length != 0 ) 1342 memset( buffer, 0, buffer_length ); 1343 status = psa_asymmetric_decrypt( key, exercise_alg, 1344 buffer, buffer_length, 1345 NULL, 0, 1346 buffer, buffer_length, 1347 &output_length ); 1348 if( policy_alg == exercise_alg && 1349 ( policy_usage & PSA_KEY_USAGE_DECRYPT ) != 0 ) 1350 TEST_EQUAL( status, PSA_ERROR_INVALID_PADDING ); 1351 else 1352 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 1353 1354exit: 1355 /* 1356 * Key attributes may have been returned by psa_get_key_attributes() 1357 * thus reset them as required. 1358 */ 1359 psa_reset_key_attributes( &attributes ); 1360 1361 psa_destroy_key( key ); 1362 PSA_DONE( ); 1363 mbedtls_free( buffer ); 1364} 1365/* END_CASE */ 1366 1367/* BEGIN_CASE */ 1368void asymmetric_signature_key_policy( int policy_usage_arg, 1369 int policy_alg, 1370 int key_type, 1371 data_t *key_data, 1372 int exercise_alg, 1373 int payload_length_arg, 1374 int expected_usage_arg ) 1375{ 1376 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1377 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1378 psa_key_usage_t policy_usage = policy_usage_arg; 1379 psa_key_usage_t expected_usage = expected_usage_arg; 1380 psa_status_t status; 1381 unsigned char payload[PSA_HASH_MAX_SIZE] = {1}; 1382 /* If `payload_length_arg > 0`, `exercise_alg` is supposed to be 1383 * compatible with the policy and `payload_length_arg` is supposed to be 1384 * a valid input length to sign. If `payload_length_arg <= 0`, 1385 * `exercise_alg` is supposed to be forbidden by the policy. */ 1386 int compatible_alg = payload_length_arg > 0; 1387 size_t payload_length = compatible_alg ? payload_length_arg : 0; 1388 unsigned char signature[PSA_SIGNATURE_MAX_SIZE] = {0}; 1389 size_t signature_length; 1390 1391 /* Check if all implicit usage flags are deployed 1392 in the expected usage flags. */ 1393 TEST_EQUAL( expected_usage, 1394 mbedtls_test_update_key_usage_flags( policy_usage ) ); 1395 1396 PSA_ASSERT( psa_crypto_init( ) ); 1397 1398 psa_set_key_usage_flags( &attributes, policy_usage ); 1399 psa_set_key_algorithm( &attributes, policy_alg ); 1400 psa_set_key_type( &attributes, key_type ); 1401 1402 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 1403 &key ) ); 1404 1405 TEST_EQUAL( psa_get_key_usage_flags( &attributes ), expected_usage ); 1406 1407 status = psa_sign_hash( key, exercise_alg, 1408 payload, payload_length, 1409 signature, sizeof( signature ), 1410 &signature_length ); 1411 if( compatible_alg && ( expected_usage & PSA_KEY_USAGE_SIGN_HASH ) != 0 ) 1412 PSA_ASSERT( status ); 1413 else 1414 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 1415 1416 memset( signature, 0, sizeof( signature ) ); 1417 status = psa_verify_hash( key, exercise_alg, 1418 payload, payload_length, 1419 signature, sizeof( signature ) ); 1420 if( compatible_alg && ( expected_usage & PSA_KEY_USAGE_VERIFY_HASH ) != 0 ) 1421 TEST_EQUAL( status, PSA_ERROR_INVALID_SIGNATURE ); 1422 else 1423 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 1424 1425 if( PSA_ALG_IS_SIGN_HASH( exercise_alg ) && 1426 PSA_ALG_IS_HASH( PSA_ALG_SIGN_GET_HASH( exercise_alg ) ) ) 1427 { 1428 status = psa_sign_message( key, exercise_alg, 1429 payload, payload_length, 1430 signature, sizeof( signature ), 1431 &signature_length ); 1432 if( compatible_alg && ( expected_usage & PSA_KEY_USAGE_SIGN_MESSAGE ) != 0 ) 1433 PSA_ASSERT( status ); 1434 else 1435 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 1436 1437 memset( signature, 0, sizeof( signature ) ); 1438 status = psa_verify_message( key, exercise_alg, 1439 payload, payload_length, 1440 signature, sizeof( signature ) ); 1441 if( compatible_alg && ( expected_usage & PSA_KEY_USAGE_VERIFY_MESSAGE ) != 0 ) 1442 TEST_EQUAL( status, PSA_ERROR_INVALID_SIGNATURE ); 1443 else 1444 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 1445 } 1446 1447exit: 1448 psa_destroy_key( key ); 1449 PSA_DONE( ); 1450} 1451/* END_CASE */ 1452 1453/* BEGIN_CASE */ 1454void derive_key_policy( int policy_usage, 1455 int policy_alg, 1456 int key_type, 1457 data_t *key_data, 1458 int exercise_alg ) 1459{ 1460 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1461 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1462 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 1463 psa_status_t status; 1464 1465 PSA_ASSERT( psa_crypto_init( ) ); 1466 1467 psa_set_key_usage_flags( &attributes, policy_usage ); 1468 psa_set_key_algorithm( &attributes, policy_alg ); 1469 psa_set_key_type( &attributes, key_type ); 1470 1471 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 1472 &key ) ); 1473 1474 PSA_ASSERT( psa_key_derivation_setup( &operation, exercise_alg ) ); 1475 1476 if( PSA_ALG_IS_TLS12_PRF( exercise_alg ) || 1477 PSA_ALG_IS_TLS12_PSK_TO_MS( exercise_alg ) ) 1478 { 1479 PSA_ASSERT( psa_key_derivation_input_bytes( 1480 &operation, 1481 PSA_KEY_DERIVATION_INPUT_SEED, 1482 (const uint8_t*) "", 0) ); 1483 } 1484 1485 status = psa_key_derivation_input_key( &operation, 1486 PSA_KEY_DERIVATION_INPUT_SECRET, 1487 key ); 1488 1489 if( policy_alg == exercise_alg && 1490 ( policy_usage & PSA_KEY_USAGE_DERIVE ) != 0 ) 1491 PSA_ASSERT( status ); 1492 else 1493 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 1494 1495exit: 1496 psa_key_derivation_abort( &operation ); 1497 psa_destroy_key( key ); 1498 PSA_DONE( ); 1499} 1500/* END_CASE */ 1501 1502/* BEGIN_CASE */ 1503void agreement_key_policy( int policy_usage, 1504 int policy_alg, 1505 int key_type_arg, 1506 data_t *key_data, 1507 int exercise_alg, 1508 int expected_status_arg ) 1509{ 1510 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1511 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1512 psa_key_type_t key_type = key_type_arg; 1513 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 1514 psa_status_t status; 1515 psa_status_t expected_status = expected_status_arg; 1516 1517 PSA_ASSERT( psa_crypto_init( ) ); 1518 1519 psa_set_key_usage_flags( &attributes, policy_usage ); 1520 psa_set_key_algorithm( &attributes, policy_alg ); 1521 psa_set_key_type( &attributes, key_type ); 1522 1523 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 1524 &key ) ); 1525 1526 PSA_ASSERT( psa_key_derivation_setup( &operation, exercise_alg ) ); 1527 status = mbedtls_test_psa_key_agreement_with_self( &operation, key ); 1528 1529 TEST_EQUAL( status, expected_status ); 1530 1531exit: 1532 psa_key_derivation_abort( &operation ); 1533 psa_destroy_key( key ); 1534 PSA_DONE( ); 1535} 1536/* END_CASE */ 1537 1538/* BEGIN_CASE */ 1539void key_policy_alg2( int key_type_arg, data_t *key_data, 1540 int usage_arg, int alg_arg, int alg2_arg ) 1541{ 1542 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1543 psa_key_type_t key_type = key_type_arg; 1544 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1545 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 1546 psa_key_usage_t usage = usage_arg; 1547 psa_algorithm_t alg = alg_arg; 1548 psa_algorithm_t alg2 = alg2_arg; 1549 1550 PSA_ASSERT( psa_crypto_init( ) ); 1551 1552 psa_set_key_usage_flags( &attributes, usage ); 1553 psa_set_key_algorithm( &attributes, alg ); 1554 psa_set_key_enrollment_algorithm( &attributes, alg2 ); 1555 psa_set_key_type( &attributes, key_type ); 1556 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 1557 &key ) ); 1558 1559 /* Update the usage flags to obtain implicit usage flags */ 1560 usage = mbedtls_test_update_key_usage_flags( usage ); 1561 PSA_ASSERT( psa_get_key_attributes( key, &got_attributes ) ); 1562 TEST_EQUAL( psa_get_key_usage_flags( &got_attributes ), usage ); 1563 TEST_EQUAL( psa_get_key_algorithm( &got_attributes ), alg ); 1564 TEST_EQUAL( psa_get_key_enrollment_algorithm( &got_attributes ), alg2 ); 1565 1566 if( ! mbedtls_test_psa_exercise_key( key, usage, alg ) ) 1567 goto exit; 1568 if( ! mbedtls_test_psa_exercise_key( key, usage, alg2 ) ) 1569 goto exit; 1570 1571exit: 1572 /* 1573 * Key attributes may have been returned by psa_get_key_attributes() 1574 * thus reset them as required. 1575 */ 1576 psa_reset_key_attributes( &got_attributes ); 1577 1578 psa_destroy_key( key ); 1579 PSA_DONE( ); 1580} 1581/* END_CASE */ 1582 1583/* BEGIN_CASE */ 1584void raw_agreement_key_policy( int policy_usage, 1585 int policy_alg, 1586 int key_type_arg, 1587 data_t *key_data, 1588 int exercise_alg, 1589 int expected_status_arg ) 1590{ 1591 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1592 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1593 psa_key_type_t key_type = key_type_arg; 1594 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 1595 psa_status_t status; 1596 psa_status_t expected_status = expected_status_arg; 1597 1598 PSA_ASSERT( psa_crypto_init( ) ); 1599 1600 psa_set_key_usage_flags( &attributes, policy_usage ); 1601 psa_set_key_algorithm( &attributes, policy_alg ); 1602 psa_set_key_type( &attributes, key_type ); 1603 1604 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 1605 &key ) ); 1606 1607 status = mbedtls_test_psa_raw_key_agreement_with_self( exercise_alg, key ); 1608 1609 TEST_EQUAL( status, expected_status ); 1610 1611exit: 1612 psa_key_derivation_abort( &operation ); 1613 psa_destroy_key( key ); 1614 PSA_DONE( ); 1615} 1616/* END_CASE */ 1617 1618/* BEGIN_CASE */ 1619void copy_success( int source_usage_arg, 1620 int source_alg_arg, int source_alg2_arg, 1621 unsigned int source_lifetime_arg, 1622 int type_arg, data_t *material, 1623 int copy_attributes, 1624 int target_usage_arg, 1625 int target_alg_arg, int target_alg2_arg, 1626 unsigned int target_lifetime_arg, 1627 int expected_usage_arg, 1628 int expected_alg_arg, int expected_alg2_arg ) 1629{ 1630 psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT; 1631 psa_key_attributes_t target_attributes = PSA_KEY_ATTRIBUTES_INIT; 1632 psa_key_usage_t expected_usage = expected_usage_arg; 1633 psa_algorithm_t expected_alg = expected_alg_arg; 1634 psa_algorithm_t expected_alg2 = expected_alg2_arg; 1635 psa_key_lifetime_t source_lifetime = source_lifetime_arg; 1636 psa_key_lifetime_t target_lifetime = target_lifetime_arg; 1637 mbedtls_svc_key_id_t source_key = MBEDTLS_SVC_KEY_ID_INIT; 1638 mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT; 1639 uint8_t *export_buffer = NULL; 1640 1641 PSA_ASSERT( psa_crypto_init( ) ); 1642 1643 /* Prepare the source key. */ 1644 psa_set_key_usage_flags( &source_attributes, source_usage_arg ); 1645 psa_set_key_algorithm( &source_attributes, source_alg_arg ); 1646 psa_set_key_enrollment_algorithm( &source_attributes, source_alg2_arg ); 1647 psa_set_key_type( &source_attributes, type_arg ); 1648 psa_set_key_lifetime( &source_attributes, source_lifetime); 1649 PSA_ASSERT( psa_import_key( &source_attributes, 1650 material->x, material->len, 1651 &source_key ) ); 1652 PSA_ASSERT( psa_get_key_attributes( source_key, &source_attributes ) ); 1653 1654 /* Prepare the target attributes. */ 1655 if( copy_attributes ) 1656 { 1657 target_attributes = source_attributes; 1658 } 1659 psa_set_key_lifetime( &target_attributes, target_lifetime); 1660 1661 if( target_usage_arg != -1 ) 1662 psa_set_key_usage_flags( &target_attributes, target_usage_arg ); 1663 if( target_alg_arg != -1 ) 1664 psa_set_key_algorithm( &target_attributes, target_alg_arg ); 1665 if( target_alg2_arg != -1 ) 1666 psa_set_key_enrollment_algorithm( &target_attributes, target_alg2_arg ); 1667 1668 1669 /* Copy the key. */ 1670 PSA_ASSERT( psa_copy_key( source_key, 1671 &target_attributes, &target_key ) ); 1672 1673 /* Destroy the source to ensure that this doesn't affect the target. */ 1674 PSA_ASSERT( psa_destroy_key( source_key ) ); 1675 1676 /* Test that the target slot has the expected content and policy. */ 1677 PSA_ASSERT( psa_get_key_attributes( target_key, &target_attributes ) ); 1678 TEST_EQUAL( psa_get_key_type( &source_attributes ), 1679 psa_get_key_type( &target_attributes ) ); 1680 TEST_EQUAL( psa_get_key_bits( &source_attributes ), 1681 psa_get_key_bits( &target_attributes ) ); 1682 TEST_EQUAL( expected_usage, psa_get_key_usage_flags( &target_attributes ) ); 1683 TEST_EQUAL( expected_alg, psa_get_key_algorithm( &target_attributes ) ); 1684 TEST_EQUAL( expected_alg2, 1685 psa_get_key_enrollment_algorithm( &target_attributes ) ); 1686 if( expected_usage & PSA_KEY_USAGE_EXPORT ) 1687 { 1688 size_t length; 1689 ASSERT_ALLOC( export_buffer, material->len ); 1690 PSA_ASSERT( psa_export_key( target_key, export_buffer, 1691 material->len, &length ) ); 1692 ASSERT_COMPARE( material->x, material->len, 1693 export_buffer, length ); 1694 } 1695 1696 if( !psa_key_lifetime_is_external( target_lifetime ) ) 1697 { 1698 if( ! mbedtls_test_psa_exercise_key( target_key, expected_usage, expected_alg ) ) 1699 goto exit; 1700 if( ! mbedtls_test_psa_exercise_key( target_key, expected_usage, expected_alg2 ) ) 1701 goto exit; 1702 } 1703 1704 PSA_ASSERT( psa_destroy_key( target_key ) ); 1705 1706exit: 1707 /* 1708 * Source and target key attributes may have been returned by 1709 * psa_get_key_attributes() thus reset them as required. 1710 */ 1711 psa_reset_key_attributes( &source_attributes ); 1712 psa_reset_key_attributes( &target_attributes ); 1713 1714 PSA_DONE( ); 1715 mbedtls_free( export_buffer ); 1716} 1717/* END_CASE */ 1718 1719/* BEGIN_CASE */ 1720void copy_fail( int source_usage_arg, 1721 int source_alg_arg, int source_alg2_arg, 1722 int source_lifetime_arg, 1723 int type_arg, data_t *material, 1724 int target_type_arg, int target_bits_arg, 1725 int target_usage_arg, 1726 int target_alg_arg, int target_alg2_arg, 1727 int target_id_arg, int target_lifetime_arg, 1728 int expected_status_arg ) 1729{ 1730 psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT; 1731 psa_key_attributes_t target_attributes = PSA_KEY_ATTRIBUTES_INIT; 1732 mbedtls_svc_key_id_t source_key = MBEDTLS_SVC_KEY_ID_INIT; 1733 mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT; 1734 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 1, target_id_arg ); 1735 1736 PSA_ASSERT( psa_crypto_init( ) ); 1737 1738 /* Prepare the source key. */ 1739 psa_set_key_usage_flags( &source_attributes, source_usage_arg ); 1740 psa_set_key_algorithm( &source_attributes, source_alg_arg ); 1741 psa_set_key_enrollment_algorithm( &source_attributes, source_alg2_arg ); 1742 psa_set_key_type( &source_attributes, type_arg ); 1743 psa_set_key_lifetime( &source_attributes, source_lifetime_arg ); 1744 PSA_ASSERT( psa_import_key( &source_attributes, 1745 material->x, material->len, 1746 &source_key ) ); 1747 1748 /* Prepare the target attributes. */ 1749 psa_set_key_id( &target_attributes, key_id ); 1750 psa_set_key_lifetime( &target_attributes, target_lifetime_arg ); 1751 psa_set_key_type( &target_attributes, target_type_arg ); 1752 psa_set_key_bits( &target_attributes, target_bits_arg ); 1753 psa_set_key_usage_flags( &target_attributes, target_usage_arg ); 1754 psa_set_key_algorithm( &target_attributes, target_alg_arg ); 1755 psa_set_key_enrollment_algorithm( &target_attributes, target_alg2_arg ); 1756 1757 /* Try to copy the key. */ 1758 TEST_EQUAL( psa_copy_key( source_key, 1759 &target_attributes, &target_key ), 1760 expected_status_arg ); 1761 1762 PSA_ASSERT( psa_destroy_key( source_key ) ); 1763 1764exit: 1765 psa_reset_key_attributes( &source_attributes ); 1766 psa_reset_key_attributes( &target_attributes ); 1767 PSA_DONE( ); 1768} 1769/* END_CASE */ 1770 1771/* BEGIN_CASE */ 1772void hash_operation_init( ) 1773{ 1774 const uint8_t input[1] = { 0 }; 1775 /* Test each valid way of initializing the object, except for `= {0}`, as 1776 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 1777 * though it's OK by the C standard. We could test for this, but we'd need 1778 * to supress the Clang warning for the test. */ 1779 psa_hash_operation_t func = psa_hash_operation_init( ); 1780 psa_hash_operation_t init = PSA_HASH_OPERATION_INIT; 1781 psa_hash_operation_t zero; 1782 1783 memset( &zero, 0, sizeof( zero ) ); 1784 1785 /* A freshly-initialized hash operation should not be usable. */ 1786 TEST_EQUAL( psa_hash_update( &func, input, sizeof( input ) ), 1787 PSA_ERROR_BAD_STATE ); 1788 TEST_EQUAL( psa_hash_update( &init, input, sizeof( input ) ), 1789 PSA_ERROR_BAD_STATE ); 1790 TEST_EQUAL( psa_hash_update( &zero, input, sizeof( input ) ), 1791 PSA_ERROR_BAD_STATE ); 1792 1793 /* A default hash operation should be abortable without error. */ 1794 PSA_ASSERT( psa_hash_abort( &func ) ); 1795 PSA_ASSERT( psa_hash_abort( &init ) ); 1796 PSA_ASSERT( psa_hash_abort( &zero ) ); 1797} 1798/* END_CASE */ 1799 1800/* BEGIN_CASE */ 1801void hash_setup( int alg_arg, 1802 int expected_status_arg ) 1803{ 1804 psa_algorithm_t alg = alg_arg; 1805 psa_status_t expected_status = expected_status_arg; 1806 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 1807 psa_status_t status; 1808 1809 PSA_ASSERT( psa_crypto_init( ) ); 1810 1811 status = psa_hash_setup( &operation, alg ); 1812 TEST_EQUAL( status, expected_status ); 1813 1814 /* Whether setup succeeded or failed, abort must succeed. */ 1815 PSA_ASSERT( psa_hash_abort( &operation ) ); 1816 1817 /* If setup failed, reproduce the failure, so as to 1818 * test the resulting state of the operation object. */ 1819 if( status != PSA_SUCCESS ) 1820 TEST_EQUAL( psa_hash_setup( &operation, alg ), status ); 1821 1822 /* Now the operation object should be reusable. */ 1823#if defined(KNOWN_SUPPORTED_HASH_ALG) 1824 PSA_ASSERT( psa_hash_setup( &operation, KNOWN_SUPPORTED_HASH_ALG ) ); 1825 PSA_ASSERT( psa_hash_abort( &operation ) ); 1826#endif 1827 1828exit: 1829 PSA_DONE( ); 1830} 1831/* END_CASE */ 1832 1833/* BEGIN_CASE */ 1834void hash_compute_fail( int alg_arg, data_t *input, 1835 int output_size_arg, int expected_status_arg ) 1836{ 1837 psa_algorithm_t alg = alg_arg; 1838 uint8_t *output = NULL; 1839 size_t output_size = output_size_arg; 1840 size_t output_length = INVALID_EXPORT_LENGTH; 1841 psa_status_t expected_status = expected_status_arg; 1842 psa_status_t status; 1843 1844 ASSERT_ALLOC( output, output_size ); 1845 1846 PSA_ASSERT( psa_crypto_init( ) ); 1847 1848 status = psa_hash_compute( alg, input->x, input->len, 1849 output, output_size, &output_length ); 1850 TEST_EQUAL( status, expected_status ); 1851 TEST_ASSERT( output_length <= output_size ); 1852 1853exit: 1854 mbedtls_free( output ); 1855 PSA_DONE( ); 1856} 1857/* END_CASE */ 1858 1859/* BEGIN_CASE */ 1860void hash_compare_fail( int alg_arg, data_t *input, 1861 data_t *reference_hash, 1862 int expected_status_arg ) 1863{ 1864 psa_algorithm_t alg = alg_arg; 1865 psa_status_t expected_status = expected_status_arg; 1866 psa_status_t status; 1867 1868 PSA_ASSERT( psa_crypto_init( ) ); 1869 1870 status = psa_hash_compare( alg, input->x, input->len, 1871 reference_hash->x, reference_hash->len ); 1872 TEST_EQUAL( status, expected_status ); 1873 1874exit: 1875 PSA_DONE( ); 1876} 1877/* END_CASE */ 1878 1879/* BEGIN_CASE */ 1880void hash_compute_compare( int alg_arg, data_t *input, 1881 data_t *expected_output ) 1882{ 1883 psa_algorithm_t alg = alg_arg; 1884 uint8_t output[PSA_HASH_MAX_SIZE + 1]; 1885 size_t output_length = INVALID_EXPORT_LENGTH; 1886 size_t i; 1887 1888 PSA_ASSERT( psa_crypto_init( ) ); 1889 1890 /* Compute with tight buffer */ 1891 PSA_ASSERT( psa_hash_compute( alg, input->x, input->len, 1892 output, PSA_HASH_LENGTH( alg ), 1893 &output_length ) ); 1894 TEST_EQUAL( output_length, PSA_HASH_LENGTH( alg ) ); 1895 ASSERT_COMPARE( output, output_length, 1896 expected_output->x, expected_output->len ); 1897 1898 /* Compute with larger buffer */ 1899 PSA_ASSERT( psa_hash_compute( alg, input->x, input->len, 1900 output, sizeof( output ), 1901 &output_length ) ); 1902 TEST_EQUAL( output_length, PSA_HASH_LENGTH( alg ) ); 1903 ASSERT_COMPARE( output, output_length, 1904 expected_output->x, expected_output->len ); 1905 1906 /* Compare with correct hash */ 1907 PSA_ASSERT( psa_hash_compare( alg, input->x, input->len, 1908 output, output_length ) ); 1909 1910 /* Compare with trailing garbage */ 1911 TEST_EQUAL( psa_hash_compare( alg, input->x, input->len, 1912 output, output_length + 1 ), 1913 PSA_ERROR_INVALID_SIGNATURE ); 1914 1915 /* Compare with truncated hash */ 1916 TEST_EQUAL( psa_hash_compare( alg, input->x, input->len, 1917 output, output_length - 1 ), 1918 PSA_ERROR_INVALID_SIGNATURE ); 1919 1920 /* Compare with corrupted value */ 1921 for( i = 0; i < output_length; i++ ) 1922 { 1923 mbedtls_test_set_step( i ); 1924 output[i] ^= 1; 1925 TEST_EQUAL( psa_hash_compare( alg, input->x, input->len, 1926 output, output_length ), 1927 PSA_ERROR_INVALID_SIGNATURE ); 1928 output[i] ^= 1; 1929 } 1930 1931exit: 1932 PSA_DONE( ); 1933} 1934/* END_CASE */ 1935 1936/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 1937void hash_bad_order( ) 1938{ 1939 psa_algorithm_t alg = PSA_ALG_SHA_256; 1940 unsigned char input[] = ""; 1941 /* SHA-256 hash of an empty string */ 1942 const unsigned char valid_hash[] = { 1943 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 1944 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 1945 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 }; 1946 unsigned char hash[sizeof(valid_hash)] = { 0 }; 1947 size_t hash_len; 1948 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 1949 1950 PSA_ASSERT( psa_crypto_init( ) ); 1951 1952 /* Call setup twice in a row. */ 1953 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 1954 ASSERT_OPERATION_IS_ACTIVE( operation ); 1955 TEST_EQUAL( psa_hash_setup( &operation, alg ), 1956 PSA_ERROR_BAD_STATE ); 1957 ASSERT_OPERATION_IS_INACTIVE( operation ); 1958 PSA_ASSERT( psa_hash_abort( &operation ) ); 1959 ASSERT_OPERATION_IS_INACTIVE( operation ); 1960 1961 /* Call update without calling setup beforehand. */ 1962 TEST_EQUAL( psa_hash_update( &operation, input, sizeof( input ) ), 1963 PSA_ERROR_BAD_STATE ); 1964 PSA_ASSERT( psa_hash_abort( &operation ) ); 1965 1966 /* Check that update calls abort on error. */ 1967 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 1968 operation.id = UINT_MAX; 1969 ASSERT_OPERATION_IS_ACTIVE( operation ); 1970 TEST_EQUAL( psa_hash_update( &operation, input, sizeof( input ) ), 1971 PSA_ERROR_BAD_STATE ); 1972 ASSERT_OPERATION_IS_INACTIVE( operation ); 1973 PSA_ASSERT( psa_hash_abort( &operation ) ); 1974 ASSERT_OPERATION_IS_INACTIVE( operation ); 1975 1976 /* Call update after finish. */ 1977 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 1978 PSA_ASSERT( psa_hash_finish( &operation, 1979 hash, sizeof( hash ), &hash_len ) ); 1980 TEST_EQUAL( psa_hash_update( &operation, input, sizeof( input ) ), 1981 PSA_ERROR_BAD_STATE ); 1982 PSA_ASSERT( psa_hash_abort( &operation ) ); 1983 1984 /* Call verify without calling setup beforehand. */ 1985 TEST_EQUAL( psa_hash_verify( &operation, 1986 valid_hash, sizeof( valid_hash ) ), 1987 PSA_ERROR_BAD_STATE ); 1988 PSA_ASSERT( psa_hash_abort( &operation ) ); 1989 1990 /* Call verify after finish. */ 1991 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 1992 PSA_ASSERT( psa_hash_finish( &operation, 1993 hash, sizeof( hash ), &hash_len ) ); 1994 TEST_EQUAL( psa_hash_verify( &operation, 1995 valid_hash, sizeof( valid_hash ) ), 1996 PSA_ERROR_BAD_STATE ); 1997 PSA_ASSERT( psa_hash_abort( &operation ) ); 1998 1999 /* Call verify twice in a row. */ 2000 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2001 ASSERT_OPERATION_IS_ACTIVE( operation ); 2002 PSA_ASSERT( psa_hash_verify( &operation, 2003 valid_hash, sizeof( valid_hash ) ) ); 2004 ASSERT_OPERATION_IS_INACTIVE( operation ); 2005 TEST_EQUAL( psa_hash_verify( &operation, 2006 valid_hash, sizeof( valid_hash ) ), 2007 PSA_ERROR_BAD_STATE ); 2008 ASSERT_OPERATION_IS_INACTIVE( operation ); 2009 PSA_ASSERT( psa_hash_abort( &operation ) ); 2010 2011 /* Call finish without calling setup beforehand. */ 2012 TEST_EQUAL( psa_hash_finish( &operation, 2013 hash, sizeof( hash ), &hash_len ), 2014 PSA_ERROR_BAD_STATE ); 2015 PSA_ASSERT( psa_hash_abort( &operation ) ); 2016 2017 /* Call finish twice in a row. */ 2018 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2019 PSA_ASSERT( psa_hash_finish( &operation, 2020 hash, sizeof( hash ), &hash_len ) ); 2021 TEST_EQUAL( psa_hash_finish( &operation, 2022 hash, sizeof( hash ), &hash_len ), 2023 PSA_ERROR_BAD_STATE ); 2024 PSA_ASSERT( psa_hash_abort( &operation ) ); 2025 2026 /* Call finish after calling verify. */ 2027 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2028 PSA_ASSERT( psa_hash_verify( &operation, 2029 valid_hash, sizeof( valid_hash ) ) ); 2030 TEST_EQUAL( psa_hash_finish( &operation, 2031 hash, sizeof( hash ), &hash_len ), 2032 PSA_ERROR_BAD_STATE ); 2033 PSA_ASSERT( psa_hash_abort( &operation ) ); 2034 2035exit: 2036 PSA_DONE( ); 2037} 2038/* END_CASE */ 2039 2040/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 2041void hash_verify_bad_args( ) 2042{ 2043 psa_algorithm_t alg = PSA_ALG_SHA_256; 2044 /* SHA-256 hash of an empty string with 2 extra bytes (0xaa and 0xbb) 2045 * appended to it */ 2046 unsigned char hash[] = { 2047 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 2048 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 2049 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55, 0xaa, 0xbb }; 2050 size_t expected_size = PSA_HASH_LENGTH( alg ); 2051 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 2052 2053 PSA_ASSERT( psa_crypto_init( ) ); 2054 2055 /* psa_hash_verify with a smaller hash than expected */ 2056 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2057 ASSERT_OPERATION_IS_ACTIVE( operation ); 2058 TEST_EQUAL( psa_hash_verify( &operation, hash, expected_size - 1 ), 2059 PSA_ERROR_INVALID_SIGNATURE ); 2060 ASSERT_OPERATION_IS_INACTIVE( operation ); 2061 PSA_ASSERT( psa_hash_abort( &operation ) ); 2062 ASSERT_OPERATION_IS_INACTIVE( operation ); 2063 2064 /* psa_hash_verify with a non-matching hash */ 2065 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2066 TEST_EQUAL( psa_hash_verify( &operation, hash + 1, expected_size ), 2067 PSA_ERROR_INVALID_SIGNATURE ); 2068 2069 /* psa_hash_verify with a hash longer than expected */ 2070 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2071 TEST_EQUAL( psa_hash_verify( &operation, hash, sizeof( hash ) ), 2072 PSA_ERROR_INVALID_SIGNATURE ); 2073 2074exit: 2075 PSA_DONE( ); 2076} 2077/* END_CASE */ 2078 2079/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 2080void hash_finish_bad_args( ) 2081{ 2082 psa_algorithm_t alg = PSA_ALG_SHA_256; 2083 unsigned char hash[PSA_HASH_MAX_SIZE]; 2084 size_t expected_size = PSA_HASH_LENGTH( alg ); 2085 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 2086 size_t hash_len; 2087 2088 PSA_ASSERT( psa_crypto_init( ) ); 2089 2090 /* psa_hash_finish with a smaller hash buffer than expected */ 2091 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2092 TEST_EQUAL( psa_hash_finish( &operation, 2093 hash, expected_size - 1, &hash_len ), 2094 PSA_ERROR_BUFFER_TOO_SMALL ); 2095 2096exit: 2097 PSA_DONE( ); 2098} 2099/* END_CASE */ 2100 2101/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 2102void hash_clone_source_state( ) 2103{ 2104 psa_algorithm_t alg = PSA_ALG_SHA_256; 2105 unsigned char hash[PSA_HASH_MAX_SIZE]; 2106 psa_hash_operation_t op_source = PSA_HASH_OPERATION_INIT; 2107 psa_hash_operation_t op_init = PSA_HASH_OPERATION_INIT; 2108 psa_hash_operation_t op_setup = PSA_HASH_OPERATION_INIT; 2109 psa_hash_operation_t op_finished = PSA_HASH_OPERATION_INIT; 2110 psa_hash_operation_t op_aborted = PSA_HASH_OPERATION_INIT; 2111 size_t hash_len; 2112 2113 PSA_ASSERT( psa_crypto_init( ) ); 2114 PSA_ASSERT( psa_hash_setup( &op_source, alg ) ); 2115 2116 PSA_ASSERT( psa_hash_setup( &op_setup, alg ) ); 2117 PSA_ASSERT( psa_hash_setup( &op_finished, alg ) ); 2118 PSA_ASSERT( psa_hash_finish( &op_finished, 2119 hash, sizeof( hash ), &hash_len ) ); 2120 PSA_ASSERT( psa_hash_setup( &op_aborted, alg ) ); 2121 PSA_ASSERT( psa_hash_abort( &op_aborted ) ); 2122 2123 TEST_EQUAL( psa_hash_clone( &op_source, &op_setup ), 2124 PSA_ERROR_BAD_STATE ); 2125 2126 PSA_ASSERT( psa_hash_clone( &op_source, &op_init ) ); 2127 PSA_ASSERT( psa_hash_finish( &op_init, 2128 hash, sizeof( hash ), &hash_len ) ); 2129 PSA_ASSERT( psa_hash_clone( &op_source, &op_finished ) ); 2130 PSA_ASSERT( psa_hash_finish( &op_finished, 2131 hash, sizeof( hash ), &hash_len ) ); 2132 PSA_ASSERT( psa_hash_clone( &op_source, &op_aborted ) ); 2133 PSA_ASSERT( psa_hash_finish( &op_aborted, 2134 hash, sizeof( hash ), &hash_len ) ); 2135 2136exit: 2137 psa_hash_abort( &op_source ); 2138 psa_hash_abort( &op_init ); 2139 psa_hash_abort( &op_setup ); 2140 psa_hash_abort( &op_finished ); 2141 psa_hash_abort( &op_aborted ); 2142 PSA_DONE( ); 2143} 2144/* END_CASE */ 2145 2146/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 2147void hash_clone_target_state( ) 2148{ 2149 psa_algorithm_t alg = PSA_ALG_SHA_256; 2150 unsigned char hash[PSA_HASH_MAX_SIZE]; 2151 psa_hash_operation_t op_init = PSA_HASH_OPERATION_INIT; 2152 psa_hash_operation_t op_setup = PSA_HASH_OPERATION_INIT; 2153 psa_hash_operation_t op_finished = PSA_HASH_OPERATION_INIT; 2154 psa_hash_operation_t op_aborted = PSA_HASH_OPERATION_INIT; 2155 psa_hash_operation_t op_target = PSA_HASH_OPERATION_INIT; 2156 size_t hash_len; 2157 2158 PSA_ASSERT( psa_crypto_init( ) ); 2159 2160 PSA_ASSERT( psa_hash_setup( &op_setup, alg ) ); 2161 PSA_ASSERT( psa_hash_setup( &op_finished, alg ) ); 2162 PSA_ASSERT( psa_hash_finish( &op_finished, 2163 hash, sizeof( hash ), &hash_len ) ); 2164 PSA_ASSERT( psa_hash_setup( &op_aborted, alg ) ); 2165 PSA_ASSERT( psa_hash_abort( &op_aborted ) ); 2166 2167 PSA_ASSERT( psa_hash_clone( &op_setup, &op_target ) ); 2168 PSA_ASSERT( psa_hash_finish( &op_target, 2169 hash, sizeof( hash ), &hash_len ) ); 2170 2171 TEST_EQUAL( psa_hash_clone( &op_init, &op_target ), PSA_ERROR_BAD_STATE ); 2172 TEST_EQUAL( psa_hash_clone( &op_finished, &op_target ), 2173 PSA_ERROR_BAD_STATE ); 2174 TEST_EQUAL( psa_hash_clone( &op_aborted, &op_target ), 2175 PSA_ERROR_BAD_STATE ); 2176 2177exit: 2178 psa_hash_abort( &op_target ); 2179 psa_hash_abort( &op_init ); 2180 psa_hash_abort( &op_setup ); 2181 psa_hash_abort( &op_finished ); 2182 psa_hash_abort( &op_aborted ); 2183 PSA_DONE( ); 2184} 2185/* END_CASE */ 2186 2187/* BEGIN_CASE */ 2188void mac_operation_init( ) 2189{ 2190 const uint8_t input[1] = { 0 }; 2191 2192 /* Test each valid way of initializing the object, except for `= {0}`, as 2193 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 2194 * though it's OK by the C standard. We could test for this, but we'd need 2195 * to supress the Clang warning for the test. */ 2196 psa_mac_operation_t func = psa_mac_operation_init( ); 2197 psa_mac_operation_t init = PSA_MAC_OPERATION_INIT; 2198 psa_mac_operation_t zero; 2199 2200 memset( &zero, 0, sizeof( zero ) ); 2201 2202 /* A freshly-initialized MAC operation should not be usable. */ 2203 TEST_EQUAL( psa_mac_update( &func, 2204 input, sizeof( input ) ), 2205 PSA_ERROR_BAD_STATE ); 2206 TEST_EQUAL( psa_mac_update( &init, 2207 input, sizeof( input ) ), 2208 PSA_ERROR_BAD_STATE ); 2209 TEST_EQUAL( psa_mac_update( &zero, 2210 input, sizeof( input ) ), 2211 PSA_ERROR_BAD_STATE ); 2212 2213 /* A default MAC operation should be abortable without error. */ 2214 PSA_ASSERT( psa_mac_abort( &func ) ); 2215 PSA_ASSERT( psa_mac_abort( &init ) ); 2216 PSA_ASSERT( psa_mac_abort( &zero ) ); 2217} 2218/* END_CASE */ 2219 2220/* BEGIN_CASE */ 2221void mac_setup( int key_type_arg, 2222 data_t *key, 2223 int alg_arg, 2224 int expected_status_arg ) 2225{ 2226 psa_key_type_t key_type = key_type_arg; 2227 psa_algorithm_t alg = alg_arg; 2228 psa_status_t expected_status = expected_status_arg; 2229 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 2230 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 2231#if defined(KNOWN_SUPPORTED_MAC_ALG) 2232 const uint8_t smoke_test_key_data[16] = "kkkkkkkkkkkkkkkk"; 2233#endif 2234 2235 PSA_ASSERT( psa_crypto_init( ) ); 2236 2237 if( ! exercise_mac_setup( key_type, key->x, key->len, alg, 2238 &operation, &status ) ) 2239 goto exit; 2240 TEST_EQUAL( status, expected_status ); 2241 2242 /* The operation object should be reusable. */ 2243#if defined(KNOWN_SUPPORTED_MAC_ALG) 2244 if( ! exercise_mac_setup( KNOWN_SUPPORTED_MAC_KEY_TYPE, 2245 smoke_test_key_data, 2246 sizeof( smoke_test_key_data ), 2247 KNOWN_SUPPORTED_MAC_ALG, 2248 &operation, &status ) ) 2249 goto exit; 2250 TEST_EQUAL( status, PSA_SUCCESS ); 2251#endif 2252 2253exit: 2254 PSA_DONE( ); 2255} 2256/* END_CASE */ 2257 2258/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_HMAC:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256 */ 2259void mac_bad_order( ) 2260{ 2261 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2262 psa_key_type_t key_type = PSA_KEY_TYPE_HMAC; 2263 psa_algorithm_t alg = PSA_ALG_HMAC(PSA_ALG_SHA_256); 2264 const uint8_t key_data[] = { 2265 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 2266 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 2267 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa }; 2268 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2269 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 2270 uint8_t sign_mac[PSA_MAC_MAX_SIZE + 10] = { 0 }; 2271 size_t sign_mac_length = 0; 2272 const uint8_t input[] = { 0xbb, 0xbb, 0xbb, 0xbb }; 2273 const uint8_t verify_mac[] = { 2274 0x74, 0x65, 0x93, 0x8c, 0xeb, 0x1d, 0xb3, 0x76, 0x5a, 0x38, 0xe7, 0xdd, 2275 0x85, 0xc5, 0xad, 0x4f, 0x07, 0xe7, 0xd5, 0xb2, 0x64, 0xf0, 0x1a, 0x1a, 2276 0x2c, 0xf9, 0x18, 0xca, 0x59, 0x7e, 0x5d, 0xf6 }; 2277 2278 PSA_ASSERT( psa_crypto_init( ) ); 2279 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH ); 2280 psa_set_key_algorithm( &attributes, alg ); 2281 psa_set_key_type( &attributes, key_type ); 2282 2283 PSA_ASSERT( psa_import_key( &attributes, key_data, sizeof( key_data ), 2284 &key ) ); 2285 2286 /* Call update without calling setup beforehand. */ 2287 TEST_EQUAL( psa_mac_update( &operation, input, sizeof( input ) ), 2288 PSA_ERROR_BAD_STATE ); 2289 PSA_ASSERT( psa_mac_abort( &operation ) ); 2290 2291 /* Call sign finish without calling setup beforehand. */ 2292 TEST_EQUAL( psa_mac_sign_finish( &operation, sign_mac, sizeof( sign_mac ), 2293 &sign_mac_length), 2294 PSA_ERROR_BAD_STATE ); 2295 PSA_ASSERT( psa_mac_abort( &operation ) ); 2296 2297 /* Call verify finish without calling setup beforehand. */ 2298 TEST_EQUAL( psa_mac_verify_finish( &operation, 2299 verify_mac, sizeof( verify_mac ) ), 2300 PSA_ERROR_BAD_STATE ); 2301 PSA_ASSERT( psa_mac_abort( &operation ) ); 2302 2303 /* Call setup twice in a row. */ 2304 PSA_ASSERT( psa_mac_sign_setup( &operation, key, alg ) ); 2305 ASSERT_OPERATION_IS_ACTIVE( operation ); 2306 TEST_EQUAL( psa_mac_sign_setup( &operation, key, alg ), 2307 PSA_ERROR_BAD_STATE ); 2308 ASSERT_OPERATION_IS_INACTIVE( operation ); 2309 PSA_ASSERT( psa_mac_abort( &operation ) ); 2310 ASSERT_OPERATION_IS_INACTIVE( operation ); 2311 2312 /* Call update after sign finish. */ 2313 PSA_ASSERT( psa_mac_sign_setup( &operation, key, alg ) ); 2314 PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) ); 2315 PSA_ASSERT( psa_mac_sign_finish( &operation, 2316 sign_mac, sizeof( sign_mac ), 2317 &sign_mac_length ) ); 2318 TEST_EQUAL( psa_mac_update( &operation, input, sizeof( input ) ), 2319 PSA_ERROR_BAD_STATE ); 2320 PSA_ASSERT( psa_mac_abort( &operation ) ); 2321 2322 /* Call update after verify finish. */ 2323 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) ); 2324 PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) ); 2325 PSA_ASSERT( psa_mac_verify_finish( &operation, 2326 verify_mac, sizeof( verify_mac ) ) ); 2327 TEST_EQUAL( psa_mac_update( &operation, input, sizeof( input ) ), 2328 PSA_ERROR_BAD_STATE ); 2329 PSA_ASSERT( psa_mac_abort( &operation ) ); 2330 2331 /* Call sign finish twice in a row. */ 2332 PSA_ASSERT( psa_mac_sign_setup( &operation, key, alg ) ); 2333 PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) ); 2334 PSA_ASSERT( psa_mac_sign_finish( &operation, 2335 sign_mac, sizeof( sign_mac ), 2336 &sign_mac_length ) ); 2337 TEST_EQUAL( psa_mac_sign_finish( &operation, 2338 sign_mac, sizeof( sign_mac ), 2339 &sign_mac_length ), 2340 PSA_ERROR_BAD_STATE ); 2341 PSA_ASSERT( psa_mac_abort( &operation ) ); 2342 2343 /* Call verify finish twice in a row. */ 2344 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) ); 2345 PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) ); 2346 PSA_ASSERT( psa_mac_verify_finish( &operation, 2347 verify_mac, sizeof( verify_mac ) ) ); 2348 TEST_EQUAL( psa_mac_verify_finish( &operation, 2349 verify_mac, sizeof( verify_mac ) ), 2350 PSA_ERROR_BAD_STATE ); 2351 PSA_ASSERT( psa_mac_abort( &operation ) ); 2352 2353 /* Setup sign but try verify. */ 2354 PSA_ASSERT( psa_mac_sign_setup( &operation, key, alg ) ); 2355 PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) ); 2356 ASSERT_OPERATION_IS_ACTIVE( operation ); 2357 TEST_EQUAL( psa_mac_verify_finish( &operation, 2358 verify_mac, sizeof( verify_mac ) ), 2359 PSA_ERROR_BAD_STATE ); 2360 ASSERT_OPERATION_IS_INACTIVE( operation ); 2361 PSA_ASSERT( psa_mac_abort( &operation ) ); 2362 ASSERT_OPERATION_IS_INACTIVE( operation ); 2363 2364 /* Setup verify but try sign. */ 2365 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) ); 2366 PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) ); 2367 ASSERT_OPERATION_IS_ACTIVE( operation ); 2368 TEST_EQUAL( psa_mac_sign_finish( &operation, 2369 sign_mac, sizeof( sign_mac ), 2370 &sign_mac_length ), 2371 PSA_ERROR_BAD_STATE ); 2372 ASSERT_OPERATION_IS_INACTIVE( operation ); 2373 PSA_ASSERT( psa_mac_abort( &operation ) ); 2374 ASSERT_OPERATION_IS_INACTIVE( operation ); 2375 2376 PSA_ASSERT( psa_destroy_key( key ) ); 2377 2378exit: 2379 PSA_DONE( ); 2380} 2381/* END_CASE */ 2382 2383/* BEGIN_CASE */ 2384void mac_sign( int key_type_arg, 2385 data_t *key_data, 2386 int alg_arg, 2387 data_t *input, 2388 data_t *expected_mac ) 2389{ 2390 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2391 psa_key_type_t key_type = key_type_arg; 2392 psa_algorithm_t alg = alg_arg; 2393 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 2394 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2395 uint8_t *actual_mac = NULL; 2396 size_t mac_buffer_size = 2397 PSA_MAC_LENGTH( key_type, PSA_BYTES_TO_BITS( key_data->len ), alg ); 2398 size_t mac_length = 0; 2399 const size_t output_sizes_to_test[] = { 2400 0, 2401 1, 2402 expected_mac->len - 1, 2403 expected_mac->len, 2404 expected_mac->len + 1, 2405 }; 2406 2407 TEST_ASSERT( mac_buffer_size <= PSA_MAC_MAX_SIZE ); 2408 /* We expect PSA_MAC_LENGTH to be exact. */ 2409 TEST_ASSERT( expected_mac->len == mac_buffer_size ); 2410 2411 PSA_ASSERT( psa_crypto_init( ) ); 2412 2413 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH ); 2414 psa_set_key_algorithm( &attributes, alg ); 2415 psa_set_key_type( &attributes, key_type ); 2416 2417 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 2418 &key ) ); 2419 2420 for( size_t i = 0; i < ARRAY_LENGTH( output_sizes_to_test ); i++ ) 2421 { 2422 const size_t output_size = output_sizes_to_test[i]; 2423 psa_status_t expected_status = 2424 ( output_size >= expected_mac->len ? PSA_SUCCESS : 2425 PSA_ERROR_BUFFER_TOO_SMALL ); 2426 2427 mbedtls_test_set_step( output_size ); 2428 ASSERT_ALLOC( actual_mac, output_size ); 2429 2430 /* Calculate the MAC, one-shot case. */ 2431 TEST_EQUAL( psa_mac_compute( key, alg, 2432 input->x, input->len, 2433 actual_mac, output_size, &mac_length ), 2434 expected_status ); 2435 if( expected_status == PSA_SUCCESS ) 2436 { 2437 ASSERT_COMPARE( expected_mac->x, expected_mac->len, 2438 actual_mac, mac_length ); 2439 } 2440 2441 if( output_size > 0 ) 2442 memset( actual_mac, 0, output_size ); 2443 2444 /* Calculate the MAC, multi-part case. */ 2445 PSA_ASSERT( psa_mac_sign_setup( &operation, key, alg ) ); 2446 PSA_ASSERT( psa_mac_update( &operation, 2447 input->x, input->len ) ); 2448 TEST_EQUAL( psa_mac_sign_finish( &operation, 2449 actual_mac, output_size, 2450 &mac_length ), 2451 expected_status ); 2452 PSA_ASSERT( psa_mac_abort( &operation ) ); 2453 2454 if( expected_status == PSA_SUCCESS ) 2455 { 2456 ASSERT_COMPARE( expected_mac->x, expected_mac->len, 2457 actual_mac, mac_length ); 2458 } 2459 mbedtls_free( actual_mac ); 2460 actual_mac = NULL; 2461 } 2462 2463exit: 2464 psa_mac_abort( &operation ); 2465 psa_destroy_key( key ); 2466 PSA_DONE( ); 2467 mbedtls_free( actual_mac ); 2468} 2469/* END_CASE */ 2470 2471/* BEGIN_CASE */ 2472void mac_verify( int key_type_arg, 2473 data_t *key_data, 2474 int alg_arg, 2475 data_t *input, 2476 data_t *expected_mac ) 2477{ 2478 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2479 psa_key_type_t key_type = key_type_arg; 2480 psa_algorithm_t alg = alg_arg; 2481 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 2482 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2483 uint8_t *perturbed_mac = NULL; 2484 2485 TEST_ASSERT( expected_mac->len <= PSA_MAC_MAX_SIZE ); 2486 2487 PSA_ASSERT( psa_crypto_init( ) ); 2488 2489 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH ); 2490 psa_set_key_algorithm( &attributes, alg ); 2491 psa_set_key_type( &attributes, key_type ); 2492 2493 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 2494 &key ) ); 2495 2496 /* Verify correct MAC, one-shot case. */ 2497 PSA_ASSERT( psa_mac_verify( key, alg, input->x, input->len, 2498 expected_mac->x, expected_mac->len ) ); 2499 2500 /* Verify correct MAC, multi-part case. */ 2501 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) ); 2502 PSA_ASSERT( psa_mac_update( &operation, 2503 input->x, input->len ) ); 2504 PSA_ASSERT( psa_mac_verify_finish( &operation, 2505 expected_mac->x, 2506 expected_mac->len ) ); 2507 2508 /* Test a MAC that's too short, one-shot case. */ 2509 TEST_EQUAL( psa_mac_verify( key, alg, 2510 input->x, input->len, 2511 expected_mac->x, 2512 expected_mac->len - 1 ), 2513 PSA_ERROR_INVALID_SIGNATURE ); 2514 2515 /* Test a MAC that's too short, multi-part case. */ 2516 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) ); 2517 PSA_ASSERT( psa_mac_update( &operation, 2518 input->x, input->len ) ); 2519 TEST_EQUAL( psa_mac_verify_finish( &operation, 2520 expected_mac->x, 2521 expected_mac->len - 1 ), 2522 PSA_ERROR_INVALID_SIGNATURE ); 2523 2524 /* Test a MAC that's too long, one-shot case. */ 2525 ASSERT_ALLOC( perturbed_mac, expected_mac->len + 1 ); 2526 memcpy( perturbed_mac, expected_mac->x, expected_mac->len ); 2527 TEST_EQUAL( psa_mac_verify( key, alg, 2528 input->x, input->len, 2529 perturbed_mac, expected_mac->len + 1 ), 2530 PSA_ERROR_INVALID_SIGNATURE ); 2531 2532 /* Test a MAC that's too long, multi-part case. */ 2533 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) ); 2534 PSA_ASSERT( psa_mac_update( &operation, 2535 input->x, input->len ) ); 2536 TEST_EQUAL( psa_mac_verify_finish( &operation, 2537 perturbed_mac, 2538 expected_mac->len + 1 ), 2539 PSA_ERROR_INVALID_SIGNATURE ); 2540 2541 /* Test changing one byte. */ 2542 for( size_t i = 0; i < expected_mac->len; i++ ) 2543 { 2544 mbedtls_test_set_step( i ); 2545 perturbed_mac[i] ^= 1; 2546 2547 TEST_EQUAL( psa_mac_verify( key, alg, 2548 input->x, input->len, 2549 perturbed_mac, expected_mac->len ), 2550 PSA_ERROR_INVALID_SIGNATURE ); 2551 2552 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) ); 2553 PSA_ASSERT( psa_mac_update( &operation, 2554 input->x, input->len ) ); 2555 TEST_EQUAL( psa_mac_verify_finish( &operation, 2556 perturbed_mac, 2557 expected_mac->len ), 2558 PSA_ERROR_INVALID_SIGNATURE ); 2559 perturbed_mac[i] ^= 1; 2560 } 2561 2562exit: 2563 psa_mac_abort( &operation ); 2564 psa_destroy_key( key ); 2565 PSA_DONE( ); 2566 mbedtls_free( perturbed_mac ); 2567} 2568/* END_CASE */ 2569 2570/* BEGIN_CASE */ 2571void cipher_operation_init( ) 2572{ 2573 const uint8_t input[1] = { 0 }; 2574 unsigned char output[1] = { 0 }; 2575 size_t output_length; 2576 /* Test each valid way of initializing the object, except for `= {0}`, as 2577 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 2578 * though it's OK by the C standard. We could test for this, but we'd need 2579 * to supress the Clang warning for the test. */ 2580 psa_cipher_operation_t func = psa_cipher_operation_init( ); 2581 psa_cipher_operation_t init = PSA_CIPHER_OPERATION_INIT; 2582 psa_cipher_operation_t zero; 2583 2584 memset( &zero, 0, sizeof( zero ) ); 2585 2586 /* A freshly-initialized cipher operation should not be usable. */ 2587 TEST_EQUAL( psa_cipher_update( &func, 2588 input, sizeof( input ), 2589 output, sizeof( output ), 2590 &output_length ), 2591 PSA_ERROR_BAD_STATE ); 2592 TEST_EQUAL( psa_cipher_update( &init, 2593 input, sizeof( input ), 2594 output, sizeof( output ), 2595 &output_length ), 2596 PSA_ERROR_BAD_STATE ); 2597 TEST_EQUAL( psa_cipher_update( &zero, 2598 input, sizeof( input ), 2599 output, sizeof( output ), 2600 &output_length ), 2601 PSA_ERROR_BAD_STATE ); 2602 2603 /* A default cipher operation should be abortable without error. */ 2604 PSA_ASSERT( psa_cipher_abort( &func ) ); 2605 PSA_ASSERT( psa_cipher_abort( &init ) ); 2606 PSA_ASSERT( psa_cipher_abort( &zero ) ); 2607} 2608/* END_CASE */ 2609 2610/* BEGIN_CASE */ 2611void cipher_setup( int key_type_arg, 2612 data_t *key, 2613 int alg_arg, 2614 int expected_status_arg ) 2615{ 2616 psa_key_type_t key_type = key_type_arg; 2617 psa_algorithm_t alg = alg_arg; 2618 psa_status_t expected_status = expected_status_arg; 2619 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 2620 psa_status_t status; 2621#if defined(KNOWN_SUPPORTED_CIPHER_ALG) 2622 const uint8_t smoke_test_key_data[16] = "kkkkkkkkkkkkkkkk"; 2623#endif 2624 2625 PSA_ASSERT( psa_crypto_init( ) ); 2626 2627 if( ! exercise_cipher_setup( key_type, key->x, key->len, alg, 2628 &operation, &status ) ) 2629 goto exit; 2630 TEST_EQUAL( status, expected_status ); 2631 2632 /* The operation object should be reusable. */ 2633#if defined(KNOWN_SUPPORTED_CIPHER_ALG) 2634 if( ! exercise_cipher_setup( KNOWN_SUPPORTED_CIPHER_KEY_TYPE, 2635 smoke_test_key_data, 2636 sizeof( smoke_test_key_data ), 2637 KNOWN_SUPPORTED_CIPHER_ALG, 2638 &operation, &status ) ) 2639 goto exit; 2640 TEST_EQUAL( status, PSA_SUCCESS ); 2641#endif 2642 2643exit: 2644 psa_cipher_abort( &operation ); 2645 PSA_DONE( ); 2646} 2647/* END_CASE */ 2648 2649/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_PKCS7 */ 2650void cipher_bad_order( ) 2651{ 2652 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2653 psa_key_type_t key_type = PSA_KEY_TYPE_AES; 2654 psa_algorithm_t alg = PSA_ALG_CBC_PKCS7; 2655 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2656 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 2657 unsigned char iv[PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES)] = { 0 }; 2658 const uint8_t key_data[] = { 2659 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 2660 0xaa, 0xaa, 0xaa, 0xaa }; 2661 const uint8_t text[] = { 2662 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 2663 0xbb, 0xbb, 0xbb, 0xbb }; 2664 uint8_t buffer[PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES)] = { 0 }; 2665 size_t length = 0; 2666 2667 PSA_ASSERT( psa_crypto_init( ) ); 2668 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 2669 psa_set_key_algorithm( &attributes, alg ); 2670 psa_set_key_type( &attributes, key_type ); 2671 PSA_ASSERT( psa_import_key( &attributes, key_data, sizeof( key_data ), 2672 &key ) ); 2673 2674 /* Call encrypt setup twice in a row. */ 2675 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 2676 ASSERT_OPERATION_IS_ACTIVE( operation ); 2677 TEST_EQUAL( psa_cipher_encrypt_setup( &operation, key, alg ), 2678 PSA_ERROR_BAD_STATE ); 2679 ASSERT_OPERATION_IS_INACTIVE( operation ); 2680 PSA_ASSERT( psa_cipher_abort( &operation ) ); 2681 ASSERT_OPERATION_IS_INACTIVE( operation ); 2682 2683 /* Call decrypt setup twice in a row. */ 2684 PSA_ASSERT( psa_cipher_decrypt_setup( &operation, key, alg ) ); 2685 ASSERT_OPERATION_IS_ACTIVE( operation ); 2686 TEST_EQUAL( psa_cipher_decrypt_setup( &operation, key, alg ), 2687 PSA_ERROR_BAD_STATE ); 2688 ASSERT_OPERATION_IS_INACTIVE( operation ); 2689 PSA_ASSERT( psa_cipher_abort( &operation ) ); 2690 ASSERT_OPERATION_IS_INACTIVE( operation ); 2691 2692 /* Generate an IV without calling setup beforehand. */ 2693 TEST_EQUAL( psa_cipher_generate_iv( &operation, 2694 buffer, sizeof( buffer ), 2695 &length ), 2696 PSA_ERROR_BAD_STATE ); 2697 PSA_ASSERT( psa_cipher_abort( &operation ) ); 2698 2699 /* Generate an IV twice in a row. */ 2700 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 2701 PSA_ASSERT( psa_cipher_generate_iv( &operation, 2702 buffer, sizeof( buffer ), 2703 &length ) ); 2704 ASSERT_OPERATION_IS_ACTIVE( operation ); 2705 TEST_EQUAL( psa_cipher_generate_iv( &operation, 2706 buffer, sizeof( buffer ), 2707 &length ), 2708 PSA_ERROR_BAD_STATE ); 2709 ASSERT_OPERATION_IS_INACTIVE( operation ); 2710 PSA_ASSERT( psa_cipher_abort( &operation ) ); 2711 ASSERT_OPERATION_IS_INACTIVE( operation ); 2712 2713 /* Generate an IV after it's already set. */ 2714 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 2715 PSA_ASSERT( psa_cipher_set_iv( &operation, 2716 iv, sizeof( iv ) ) ); 2717 TEST_EQUAL( psa_cipher_generate_iv( &operation, 2718 buffer, sizeof( buffer ), 2719 &length ), 2720 PSA_ERROR_BAD_STATE ); 2721 PSA_ASSERT( psa_cipher_abort( &operation ) ); 2722 2723 /* Set an IV without calling setup beforehand. */ 2724 TEST_EQUAL( psa_cipher_set_iv( &operation, 2725 iv, sizeof( iv ) ), 2726 PSA_ERROR_BAD_STATE ); 2727 PSA_ASSERT( psa_cipher_abort( &operation ) ); 2728 2729 /* Set an IV after it's already set. */ 2730 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 2731 PSA_ASSERT( psa_cipher_set_iv( &operation, 2732 iv, sizeof( iv ) ) ); 2733 ASSERT_OPERATION_IS_ACTIVE( operation ); 2734 TEST_EQUAL( psa_cipher_set_iv( &operation, 2735 iv, sizeof( iv ) ), 2736 PSA_ERROR_BAD_STATE ); 2737 ASSERT_OPERATION_IS_INACTIVE( operation ); 2738 PSA_ASSERT( psa_cipher_abort( &operation ) ); 2739 ASSERT_OPERATION_IS_INACTIVE( operation ); 2740 2741 /* Set an IV after it's already generated. */ 2742 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 2743 PSA_ASSERT( psa_cipher_generate_iv( &operation, 2744 buffer, sizeof( buffer ), 2745 &length ) ); 2746 TEST_EQUAL( psa_cipher_set_iv( &operation, 2747 iv, sizeof( iv ) ), 2748 PSA_ERROR_BAD_STATE ); 2749 PSA_ASSERT( psa_cipher_abort( &operation ) ); 2750 2751 /* Call update without calling setup beforehand. */ 2752 TEST_EQUAL( psa_cipher_update( &operation, 2753 text, sizeof( text ), 2754 buffer, sizeof( buffer ), 2755 &length ), 2756 PSA_ERROR_BAD_STATE ); 2757 PSA_ASSERT( psa_cipher_abort( &operation ) ); 2758 2759 /* Call update without an IV where an IV is required. */ 2760 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 2761 ASSERT_OPERATION_IS_ACTIVE( operation ); 2762 TEST_EQUAL( psa_cipher_update( &operation, 2763 text, sizeof( text ), 2764 buffer, sizeof( buffer ), 2765 &length ), 2766 PSA_ERROR_BAD_STATE ); 2767 ASSERT_OPERATION_IS_INACTIVE( operation ); 2768 PSA_ASSERT( psa_cipher_abort( &operation ) ); 2769 ASSERT_OPERATION_IS_INACTIVE( operation ); 2770 2771 /* Call update after finish. */ 2772 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 2773 PSA_ASSERT( psa_cipher_set_iv( &operation, 2774 iv, sizeof( iv ) ) ); 2775 PSA_ASSERT( psa_cipher_finish( &operation, 2776 buffer, sizeof( buffer ), &length ) ); 2777 TEST_EQUAL( psa_cipher_update( &operation, 2778 text, sizeof( text ), 2779 buffer, sizeof( buffer ), 2780 &length ), 2781 PSA_ERROR_BAD_STATE ); 2782 PSA_ASSERT( psa_cipher_abort( &operation ) ); 2783 2784 /* Call finish without calling setup beforehand. */ 2785 TEST_EQUAL( psa_cipher_finish( &operation, 2786 buffer, sizeof( buffer ), &length ), 2787 PSA_ERROR_BAD_STATE ); 2788 PSA_ASSERT( psa_cipher_abort( &operation ) ); 2789 2790 /* Call finish without an IV where an IV is required. */ 2791 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 2792 /* Not calling update means we are encrypting an empty buffer, which is OK 2793 * for cipher modes with padding. */ 2794 ASSERT_OPERATION_IS_ACTIVE( operation ); 2795 TEST_EQUAL( psa_cipher_finish( &operation, 2796 buffer, sizeof( buffer ), &length ), 2797 PSA_ERROR_BAD_STATE ); 2798 ASSERT_OPERATION_IS_INACTIVE( operation ); 2799 PSA_ASSERT( psa_cipher_abort( &operation ) ); 2800 ASSERT_OPERATION_IS_INACTIVE( operation ); 2801 2802 /* Call finish twice in a row. */ 2803 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 2804 PSA_ASSERT( psa_cipher_set_iv( &operation, 2805 iv, sizeof( iv ) ) ); 2806 PSA_ASSERT( psa_cipher_finish( &operation, 2807 buffer, sizeof( buffer ), &length ) ); 2808 TEST_EQUAL( psa_cipher_finish( &operation, 2809 buffer, sizeof( buffer ), &length ), 2810 PSA_ERROR_BAD_STATE ); 2811 PSA_ASSERT( psa_cipher_abort( &operation ) ); 2812 2813 PSA_ASSERT( psa_destroy_key( key ) ); 2814 2815exit: 2816 psa_cipher_abort( &operation ); 2817 PSA_DONE( ); 2818} 2819/* END_CASE */ 2820 2821/* BEGIN_CASE */ 2822void cipher_encrypt_fail( int alg_arg, 2823 int key_type_arg, 2824 data_t *key_data, 2825 data_t *input, 2826 int expected_status_arg ) 2827{ 2828 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2829 psa_status_t status; 2830 psa_key_type_t key_type = key_type_arg; 2831 psa_algorithm_t alg = alg_arg; 2832 psa_status_t expected_status = expected_status_arg; 2833 unsigned char *output = NULL; 2834 size_t output_buffer_size = 0; 2835 size_t output_length = 0; 2836 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2837 2838 if ( PSA_ERROR_BAD_STATE != expected_status ) 2839 { 2840 PSA_ASSERT( psa_crypto_init( ) ); 2841 2842 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 2843 psa_set_key_algorithm( &attributes, alg ); 2844 psa_set_key_type( &attributes, key_type ); 2845 2846 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, 2847 input->len ); 2848 ASSERT_ALLOC( output, output_buffer_size ); 2849 2850 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 2851 &key ) ); 2852 } 2853 2854 status = psa_cipher_encrypt( key, alg, input->x, input->len, output, 2855 output_buffer_size, &output_length ); 2856 2857 TEST_EQUAL( status, expected_status ); 2858 2859exit: 2860 mbedtls_free( output ); 2861 psa_destroy_key( key ); 2862 PSA_DONE( ); 2863} 2864/* END_CASE */ 2865 2866/* BEGIN_CASE */ 2867void cipher_encrypt_validate_iv_length( int alg, int key_type, data_t* key_data, 2868 data_t *input, int iv_length, 2869 int expected_result ) 2870{ 2871 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2872 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 2873 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2874 size_t output_buffer_size = 0; 2875 unsigned char *output = NULL; 2876 2877 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ); 2878 ASSERT_ALLOC( output, output_buffer_size ); 2879 2880 PSA_ASSERT( psa_crypto_init( ) ); 2881 2882 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 2883 psa_set_key_algorithm( &attributes, alg ); 2884 psa_set_key_type( &attributes, key_type ); 2885 2886 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 2887 &key ) ); 2888 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 2889 TEST_EQUAL( expected_result, psa_cipher_set_iv( &operation, output, 2890 iv_length ) ); 2891 2892exit: 2893 psa_cipher_abort( &operation ); 2894 mbedtls_free( output ); 2895 psa_destroy_key( key ); 2896 PSA_DONE( ); 2897} 2898/* END_CASE */ 2899 2900/* BEGIN_CASE */ 2901void cipher_encrypt_alg_without_iv( int alg_arg, 2902 int key_type_arg, 2903 data_t *key_data, 2904 data_t *input, 2905 data_t *expected_output ) 2906{ 2907 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2908 psa_key_type_t key_type = key_type_arg; 2909 psa_algorithm_t alg = alg_arg; 2910 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 2911 uint8_t iv[1] = { 0x5a }; 2912 size_t iv_length; 2913 unsigned char *output = NULL; 2914 size_t output_buffer_size = 0; 2915 size_t output_length = 0; 2916 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2917 2918 PSA_ASSERT( psa_crypto_init( ) ); 2919 2920 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 2921 psa_set_key_algorithm( &attributes, alg ); 2922 psa_set_key_type( &attributes, key_type ); 2923 2924 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ); 2925 ASSERT_ALLOC( output, output_buffer_size ); 2926 2927 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 2928 &key ) ); 2929 2930 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 2931 TEST_EQUAL( psa_cipher_set_iv( &operation, iv, sizeof( iv ) ), 2932 PSA_ERROR_BAD_STATE ); 2933 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 2934 TEST_EQUAL( psa_cipher_generate_iv( &operation, iv, sizeof( iv ), 2935 &iv_length ), 2936 PSA_ERROR_BAD_STATE ); 2937 2938 PSA_ASSERT( psa_cipher_encrypt( key, alg, input->x, input->len, output, 2939 output_buffer_size, &output_length ) ); 2940 TEST_ASSERT( output_length <= 2941 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ) ); 2942 TEST_ASSERT( output_length <= 2943 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE( input->len ) ); 2944 2945 ASSERT_COMPARE( expected_output->x, expected_output->len, 2946 output, output_length ); 2947exit: 2948 mbedtls_free( output ); 2949 psa_destroy_key( key ); 2950 PSA_DONE( ); 2951} 2952/* END_CASE */ 2953 2954/* BEGIN_CASE */ 2955void cipher_bad_key( int alg_arg, int key_type_arg, data_t *key_data ) 2956{ 2957 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2958 psa_algorithm_t alg = alg_arg; 2959 psa_key_type_t key_type = key_type_arg; 2960 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2961 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 2962 psa_status_t status; 2963 2964 PSA_ASSERT( psa_crypto_init( ) ); 2965 2966 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 2967 psa_set_key_algorithm( &attributes, alg ); 2968 psa_set_key_type( &attributes, key_type ); 2969 2970 /* Usage of either of these two size macros would cause divide by zero 2971 * with incorrect key types previously. Input length should be irrelevant 2972 * here. */ 2973 TEST_EQUAL( PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, 16 ), 2974 0 ); 2975 TEST_EQUAL( PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, 16 ), 0 ); 2976 2977 2978 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 2979 &key ) ); 2980 2981 /* Should fail due to invalid alg type (to support invalid key type). 2982 * Encrypt or decrypt will end up in the same place. */ 2983 status = psa_cipher_encrypt_setup( &operation, key, alg ); 2984 2985 TEST_EQUAL( status, PSA_ERROR_INVALID_ARGUMENT ); 2986 2987exit: 2988 psa_cipher_abort( &operation ); 2989 psa_destroy_key( key ); 2990 PSA_DONE( ); 2991} 2992/* END_CASE */ 2993 2994/* BEGIN_CASE */ 2995void cipher_encrypt_validation( int alg_arg, 2996 int key_type_arg, 2997 data_t *key_data, 2998 data_t *input ) 2999{ 3000 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3001 psa_key_type_t key_type = key_type_arg; 3002 psa_algorithm_t alg = alg_arg; 3003 size_t iv_size = PSA_CIPHER_IV_LENGTH ( key_type, alg ); 3004 unsigned char *output1 = NULL; 3005 size_t output1_buffer_size = 0; 3006 size_t output1_length = 0; 3007 unsigned char *output2 = NULL; 3008 size_t output2_buffer_size = 0; 3009 size_t output2_length = 0; 3010 size_t function_output_length = 0; 3011 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 3012 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3013 3014 PSA_ASSERT( psa_crypto_init( ) ); 3015 3016 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 3017 psa_set_key_algorithm( &attributes, alg ); 3018 psa_set_key_type( &attributes, key_type ); 3019 3020 output1_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ); 3021 output2_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, input->len ) + 3022 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ); 3023 ASSERT_ALLOC( output1, output1_buffer_size ); 3024 ASSERT_ALLOC( output2, output2_buffer_size ); 3025 3026 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 3027 &key ) ); 3028 3029 /* The one-shot cipher encryption uses generated iv so validating 3030 the output is not possible. Validating with multipart encryption. */ 3031 PSA_ASSERT( psa_cipher_encrypt( key, alg, input->x, input->len, output1, 3032 output1_buffer_size, &output1_length ) ); 3033 TEST_ASSERT( output1_length <= 3034 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ) ); 3035 TEST_ASSERT( output1_length <= 3036 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE( input->len ) ); 3037 3038 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 3039 PSA_ASSERT( psa_cipher_set_iv( &operation, output1, iv_size ) ); 3040 3041 PSA_ASSERT( psa_cipher_update( &operation, 3042 input->x, input->len, 3043 output2, output2_buffer_size, 3044 &function_output_length ) ); 3045 TEST_ASSERT( function_output_length <= 3046 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, input->len ) ); 3047 TEST_ASSERT( function_output_length <= 3048 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( input->len ) ); 3049 output2_length += function_output_length; 3050 3051 PSA_ASSERT( psa_cipher_finish( &operation, 3052 output2 + output2_length, 3053 output2_buffer_size - output2_length, 3054 &function_output_length ) ); 3055 TEST_ASSERT( function_output_length <= 3056 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ) ); 3057 TEST_ASSERT( function_output_length <= 3058 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE ); 3059 output2_length += function_output_length; 3060 3061 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3062 ASSERT_COMPARE( output1 + iv_size, output1_length - iv_size, 3063 output2, output2_length ); 3064 3065exit: 3066 psa_cipher_abort( &operation ); 3067 mbedtls_free( output1 ); 3068 mbedtls_free( output2 ); 3069 psa_destroy_key( key ); 3070 PSA_DONE( ); 3071} 3072/* END_CASE */ 3073 3074/* BEGIN_CASE */ 3075void cipher_encrypt_multipart( int alg_arg, int key_type_arg, 3076 data_t *key_data, data_t *iv, 3077 data_t *input, 3078 int first_part_size_arg, 3079 int output1_length_arg, int output2_length_arg, 3080 data_t *expected_output, 3081 int expected_status_arg ) 3082{ 3083 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3084 psa_key_type_t key_type = key_type_arg; 3085 psa_algorithm_t alg = alg_arg; 3086 psa_status_t status; 3087 psa_status_t expected_status = expected_status_arg; 3088 size_t first_part_size = first_part_size_arg; 3089 size_t output1_length = output1_length_arg; 3090 size_t output2_length = output2_length_arg; 3091 unsigned char *output = NULL; 3092 size_t output_buffer_size = 0; 3093 size_t function_output_length = 0; 3094 size_t total_output_length = 0; 3095 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 3096 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3097 3098 PSA_ASSERT( psa_crypto_init( ) ); 3099 3100 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 3101 psa_set_key_algorithm( &attributes, alg ); 3102 psa_set_key_type( &attributes, key_type ); 3103 3104 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 3105 &key ) ); 3106 3107 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 3108 3109 if( iv->len > 0 ) 3110 { 3111 PSA_ASSERT( psa_cipher_set_iv( &operation, iv->x, iv->len ) ); 3112 } 3113 3114 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, input->len ) + 3115 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ); 3116 ASSERT_ALLOC( output, output_buffer_size ); 3117 3118 TEST_ASSERT( first_part_size <= input->len ); 3119 PSA_ASSERT( psa_cipher_update( &operation, input->x, first_part_size, 3120 output, output_buffer_size, 3121 &function_output_length ) ); 3122 TEST_ASSERT( function_output_length == output1_length ); 3123 TEST_ASSERT( function_output_length <= 3124 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, first_part_size ) ); 3125 TEST_ASSERT( function_output_length <= 3126 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( first_part_size) ); 3127 total_output_length += function_output_length; 3128 3129 if( first_part_size < input->len ) 3130 { 3131 PSA_ASSERT( psa_cipher_update( &operation, 3132 input->x + first_part_size, 3133 input->len - first_part_size, 3134 ( output_buffer_size == 0 ? NULL : 3135 output + total_output_length ), 3136 output_buffer_size - total_output_length, 3137 &function_output_length ) ); 3138 TEST_ASSERT( function_output_length == output2_length ); 3139 TEST_ASSERT( function_output_length <= 3140 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, 3141 alg, 3142 input->len - first_part_size ) ); 3143 TEST_ASSERT( function_output_length <= 3144 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( input->len ) ); 3145 total_output_length += function_output_length; 3146 } 3147 3148 status = psa_cipher_finish( &operation, 3149 ( output_buffer_size == 0 ? NULL : 3150 output + total_output_length ), 3151 output_buffer_size - total_output_length, 3152 &function_output_length ); 3153 TEST_ASSERT( function_output_length <= 3154 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ) ); 3155 TEST_ASSERT( function_output_length <= 3156 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE ); 3157 total_output_length += function_output_length; 3158 TEST_EQUAL( status, expected_status ); 3159 3160 if( expected_status == PSA_SUCCESS ) 3161 { 3162 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3163 3164 ASSERT_COMPARE( expected_output->x, expected_output->len, 3165 output, total_output_length ); 3166 } 3167 3168exit: 3169 psa_cipher_abort( &operation ); 3170 mbedtls_free( output ); 3171 psa_destroy_key( key ); 3172 PSA_DONE( ); 3173} 3174/* END_CASE */ 3175 3176/* BEGIN_CASE */ 3177void cipher_decrypt_multipart( int alg_arg, int key_type_arg, 3178 data_t *key_data, data_t *iv, 3179 data_t *input, 3180 int first_part_size_arg, 3181 int output1_length_arg, int output2_length_arg, 3182 data_t *expected_output, 3183 int expected_status_arg ) 3184{ 3185 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3186 psa_key_type_t key_type = key_type_arg; 3187 psa_algorithm_t alg = alg_arg; 3188 psa_status_t status; 3189 psa_status_t expected_status = expected_status_arg; 3190 size_t first_part_size = first_part_size_arg; 3191 size_t output1_length = output1_length_arg; 3192 size_t output2_length = output2_length_arg; 3193 unsigned char *output = NULL; 3194 size_t output_buffer_size = 0; 3195 size_t function_output_length = 0; 3196 size_t total_output_length = 0; 3197 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 3198 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3199 3200 PSA_ASSERT( psa_crypto_init( ) ); 3201 3202 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 3203 psa_set_key_algorithm( &attributes, alg ); 3204 psa_set_key_type( &attributes, key_type ); 3205 3206 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 3207 &key ) ); 3208 3209 PSA_ASSERT( psa_cipher_decrypt_setup( &operation, key, alg ) ); 3210 3211 if( iv->len > 0 ) 3212 { 3213 PSA_ASSERT( psa_cipher_set_iv( &operation, iv->x, iv->len ) ); 3214 } 3215 3216 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, input->len ) + 3217 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ); 3218 ASSERT_ALLOC( output, output_buffer_size ); 3219 3220 TEST_ASSERT( first_part_size <= input->len ); 3221 PSA_ASSERT( psa_cipher_update( &operation, 3222 input->x, first_part_size, 3223 output, output_buffer_size, 3224 &function_output_length ) ); 3225 TEST_ASSERT( function_output_length == output1_length ); 3226 TEST_ASSERT( function_output_length <= 3227 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, first_part_size ) ); 3228 TEST_ASSERT( function_output_length <= 3229 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( first_part_size ) ); 3230 total_output_length += function_output_length; 3231 3232 if( first_part_size < input->len ) 3233 { 3234 PSA_ASSERT( psa_cipher_update( &operation, 3235 input->x + first_part_size, 3236 input->len - first_part_size, 3237 ( output_buffer_size == 0 ? NULL : 3238 output + total_output_length ), 3239 output_buffer_size - total_output_length, 3240 &function_output_length ) ); 3241 TEST_ASSERT( function_output_length == output2_length ); 3242 TEST_ASSERT( function_output_length <= 3243 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, 3244 alg, 3245 input->len - first_part_size ) ); 3246 TEST_ASSERT( function_output_length <= 3247 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( input->len ) ); 3248 total_output_length += function_output_length; 3249 } 3250 3251 status = psa_cipher_finish( &operation, 3252 ( output_buffer_size == 0 ? NULL : 3253 output + total_output_length ), 3254 output_buffer_size - total_output_length, 3255 &function_output_length ); 3256 TEST_ASSERT( function_output_length <= 3257 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ) ); 3258 TEST_ASSERT( function_output_length <= 3259 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE ); 3260 total_output_length += function_output_length; 3261 TEST_EQUAL( status, expected_status ); 3262 3263 if( expected_status == PSA_SUCCESS ) 3264 { 3265 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3266 3267 ASSERT_COMPARE( expected_output->x, expected_output->len, 3268 output, total_output_length ); 3269 } 3270 3271exit: 3272 psa_cipher_abort( &operation ); 3273 mbedtls_free( output ); 3274 psa_destroy_key( key ); 3275 PSA_DONE( ); 3276} 3277/* END_CASE */ 3278 3279/* BEGIN_CASE */ 3280void cipher_decrypt_fail( int alg_arg, 3281 int key_type_arg, 3282 data_t *key_data, 3283 data_t *iv, 3284 data_t *input_arg, 3285 int expected_status_arg ) 3286{ 3287 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3288 psa_status_t status; 3289 psa_key_type_t key_type = key_type_arg; 3290 psa_algorithm_t alg = alg_arg; 3291 psa_status_t expected_status = expected_status_arg; 3292 unsigned char *input = NULL; 3293 size_t input_buffer_size = 0; 3294 unsigned char *output = NULL; 3295 size_t output_buffer_size = 0; 3296 size_t output_length = 0; 3297 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3298 3299 if ( PSA_ERROR_BAD_STATE != expected_status ) 3300 { 3301 PSA_ASSERT( psa_crypto_init( ) ); 3302 3303 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 3304 psa_set_key_algorithm( &attributes, alg ); 3305 psa_set_key_type( &attributes, key_type ); 3306 3307 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 3308 &key ) ); 3309 } 3310 3311 /* Allocate input buffer and copy the iv and the plaintext */ 3312 input_buffer_size = ( (size_t) input_arg->len + (size_t) iv->len ); 3313 if ( input_buffer_size > 0 ) 3314 { 3315 ASSERT_ALLOC( input, input_buffer_size ); 3316 memcpy( input, iv->x, iv->len ); 3317 memcpy( input + iv->len, input_arg->x, input_arg->len ); 3318 } 3319 3320 output_buffer_size = PSA_CIPHER_DECRYPT_OUTPUT_SIZE( key_type, alg, input_buffer_size ); 3321 ASSERT_ALLOC( output, output_buffer_size ); 3322 3323 status = psa_cipher_decrypt( key, alg, input, input_buffer_size, output, 3324 output_buffer_size, &output_length ); 3325 TEST_EQUAL( status, expected_status ); 3326 3327exit: 3328 mbedtls_free( input ); 3329 mbedtls_free( output ); 3330 psa_destroy_key( key ); 3331 PSA_DONE( ); 3332} 3333/* END_CASE */ 3334 3335/* BEGIN_CASE */ 3336void cipher_decrypt( int alg_arg, 3337 int key_type_arg, 3338 data_t *key_data, 3339 data_t *iv, 3340 data_t *input_arg, 3341 data_t *expected_output ) 3342{ 3343 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3344 psa_key_type_t key_type = key_type_arg; 3345 psa_algorithm_t alg = alg_arg; 3346 unsigned char *input = NULL; 3347 size_t input_buffer_size = 0; 3348 unsigned char *output = NULL; 3349 size_t output_buffer_size = 0; 3350 size_t output_length = 0; 3351 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3352 3353 PSA_ASSERT( psa_crypto_init( ) ); 3354 3355 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 3356 psa_set_key_algorithm( &attributes, alg ); 3357 psa_set_key_type( &attributes, key_type ); 3358 3359 /* Allocate input buffer and copy the iv and the plaintext */ 3360 input_buffer_size = ( (size_t) input_arg->len + (size_t) iv->len ); 3361 if ( input_buffer_size > 0 ) 3362 { 3363 ASSERT_ALLOC( input, input_buffer_size ); 3364 memcpy( input, iv->x, iv->len ); 3365 memcpy( input + iv->len, input_arg->x, input_arg->len ); 3366 } 3367 3368 output_buffer_size = PSA_CIPHER_DECRYPT_OUTPUT_SIZE( key_type, alg, input_buffer_size ); 3369 ASSERT_ALLOC( output, output_buffer_size ); 3370 3371 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 3372 &key ) ); 3373 3374 PSA_ASSERT( psa_cipher_decrypt( key, alg, input, input_buffer_size, output, 3375 output_buffer_size, &output_length ) ); 3376 TEST_ASSERT( output_length <= 3377 PSA_CIPHER_DECRYPT_OUTPUT_SIZE( key_type, alg, input_buffer_size ) ); 3378 TEST_ASSERT( output_length <= 3379 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE( input_buffer_size ) ); 3380 3381 ASSERT_COMPARE( expected_output->x, expected_output->len, 3382 output, output_length ); 3383exit: 3384 mbedtls_free( input ); 3385 mbedtls_free( output ); 3386 psa_destroy_key( key ); 3387 PSA_DONE( ); 3388} 3389/* END_CASE */ 3390 3391/* BEGIN_CASE */ 3392void cipher_verify_output( int alg_arg, 3393 int key_type_arg, 3394 data_t *key_data, 3395 data_t *input ) 3396{ 3397 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3398 psa_key_type_t key_type = key_type_arg; 3399 psa_algorithm_t alg = alg_arg; 3400 unsigned char *output1 = NULL; 3401 size_t output1_size = 0; 3402 size_t output1_length = 0; 3403 unsigned char *output2 = NULL; 3404 size_t output2_size = 0; 3405 size_t output2_length = 0; 3406 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3407 3408 PSA_ASSERT( psa_crypto_init( ) ); 3409 3410 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 3411 psa_set_key_algorithm( &attributes, alg ); 3412 psa_set_key_type( &attributes, key_type ); 3413 3414 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 3415 &key ) ); 3416 output1_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ); 3417 ASSERT_ALLOC( output1, output1_size ); 3418 3419 PSA_ASSERT( psa_cipher_encrypt( key, alg, input->x, input->len, 3420 output1, output1_size, 3421 &output1_length ) ); 3422 TEST_ASSERT( output1_length <= 3423 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ) ); 3424 TEST_ASSERT( output1_length <= 3425 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE( input->len ) ); 3426 3427 output2_size = output1_length; 3428 ASSERT_ALLOC( output2, output2_size ); 3429 3430 PSA_ASSERT( psa_cipher_decrypt( key, alg, output1, output1_length, 3431 output2, output2_size, 3432 &output2_length ) ); 3433 TEST_ASSERT( output2_length <= 3434 PSA_CIPHER_DECRYPT_OUTPUT_SIZE( key_type, alg, output1_length ) ); 3435 TEST_ASSERT( output2_length <= 3436 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE( output1_length ) ); 3437 3438 ASSERT_COMPARE( input->x, input->len, output2, output2_length ); 3439 3440exit: 3441 mbedtls_free( output1 ); 3442 mbedtls_free( output2 ); 3443 psa_destroy_key( key ); 3444 PSA_DONE( ); 3445} 3446/* END_CASE */ 3447 3448/* BEGIN_CASE */ 3449void cipher_verify_output_multipart( int alg_arg, 3450 int key_type_arg, 3451 data_t *key_data, 3452 data_t *input, 3453 int first_part_size_arg ) 3454{ 3455 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3456 psa_key_type_t key_type = key_type_arg; 3457 psa_algorithm_t alg = alg_arg; 3458 size_t first_part_size = first_part_size_arg; 3459 unsigned char iv[16] = {0}; 3460 size_t iv_size = 16; 3461 size_t iv_length = 0; 3462 unsigned char *output1 = NULL; 3463 size_t output1_buffer_size = 0; 3464 size_t output1_length = 0; 3465 unsigned char *output2 = NULL; 3466 size_t output2_buffer_size = 0; 3467 size_t output2_length = 0; 3468 size_t function_output_length; 3469 psa_cipher_operation_t operation1 = PSA_CIPHER_OPERATION_INIT; 3470 psa_cipher_operation_t operation2 = PSA_CIPHER_OPERATION_INIT; 3471 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3472 3473 PSA_ASSERT( psa_crypto_init( ) ); 3474 3475 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 3476 psa_set_key_algorithm( &attributes, alg ); 3477 psa_set_key_type( &attributes, key_type ); 3478 3479 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 3480 &key ) ); 3481 3482 PSA_ASSERT( psa_cipher_encrypt_setup( &operation1, key, alg ) ); 3483 PSA_ASSERT( psa_cipher_decrypt_setup( &operation2, key, alg ) ); 3484 3485 if( alg != PSA_ALG_ECB_NO_PADDING ) 3486 { 3487 PSA_ASSERT( psa_cipher_generate_iv( &operation1, 3488 iv, iv_size, 3489 &iv_length ) ); 3490 } 3491 3492 output1_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ); 3493 TEST_ASSERT( output1_buffer_size <= 3494 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE( input->len ) ); 3495 ASSERT_ALLOC( output1, output1_buffer_size ); 3496 3497 TEST_ASSERT( first_part_size <= input->len ); 3498 3499 PSA_ASSERT( psa_cipher_update( &operation1, input->x, first_part_size, 3500 output1, output1_buffer_size, 3501 &function_output_length ) ); 3502 TEST_ASSERT( function_output_length <= 3503 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, first_part_size ) ); 3504 TEST_ASSERT( function_output_length <= 3505 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( first_part_size ) ); 3506 output1_length += function_output_length; 3507 3508 PSA_ASSERT( psa_cipher_update( &operation1, 3509 input->x + first_part_size, 3510 input->len - first_part_size, 3511 output1, output1_buffer_size, 3512 &function_output_length ) ); 3513 TEST_ASSERT( function_output_length <= 3514 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, 3515 alg, 3516 input->len - first_part_size ) ); 3517 TEST_ASSERT( function_output_length <= 3518 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( input->len - first_part_size ) ); 3519 output1_length += function_output_length; 3520 3521 PSA_ASSERT( psa_cipher_finish( &operation1, 3522 output1 + output1_length, 3523 output1_buffer_size - output1_length, 3524 &function_output_length ) ); 3525 TEST_ASSERT( function_output_length <= 3526 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ) ); 3527 TEST_ASSERT( function_output_length <= 3528 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE ); 3529 output1_length += function_output_length; 3530 3531 PSA_ASSERT( psa_cipher_abort( &operation1 ) ); 3532 3533 output2_buffer_size = output1_length; 3534 TEST_ASSERT( output2_buffer_size <= 3535 PSA_CIPHER_DECRYPT_OUTPUT_SIZE( key_type, alg, output1_length ) ); 3536 TEST_ASSERT( output2_buffer_size <= 3537 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE( output1_length ) ); 3538 ASSERT_ALLOC( output2, output2_buffer_size ); 3539 3540 if( iv_length > 0 ) 3541 { 3542 PSA_ASSERT( psa_cipher_set_iv( &operation2, 3543 iv, iv_length ) ); 3544 } 3545 3546 PSA_ASSERT( psa_cipher_update( &operation2, output1, first_part_size, 3547 output2, output2_buffer_size, 3548 &function_output_length ) ); 3549 TEST_ASSERT( function_output_length <= 3550 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, first_part_size ) ); 3551 TEST_ASSERT( function_output_length <= 3552 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( first_part_size ) ); 3553 output2_length += function_output_length; 3554 3555 PSA_ASSERT( psa_cipher_update( &operation2, 3556 output1 + first_part_size, 3557 output1_length - first_part_size, 3558 output2, output2_buffer_size, 3559 &function_output_length ) ); 3560 TEST_ASSERT( function_output_length <= 3561 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, 3562 alg, 3563 output1_length - first_part_size ) ); 3564 TEST_ASSERT( function_output_length <= 3565 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( output1_length - first_part_size ) ); 3566 output2_length += function_output_length; 3567 3568 PSA_ASSERT( psa_cipher_finish( &operation2, 3569 output2 + output2_length, 3570 output2_buffer_size - output2_length, 3571 &function_output_length ) ); 3572 TEST_ASSERT( function_output_length <= 3573 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ) ); 3574 TEST_ASSERT( function_output_length <= 3575 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE ); 3576 output2_length += function_output_length; 3577 3578 PSA_ASSERT( psa_cipher_abort( &operation2 ) ); 3579 3580 ASSERT_COMPARE( input->x, input->len, output2, output2_length ); 3581 3582exit: 3583 psa_cipher_abort( &operation1 ); 3584 psa_cipher_abort( &operation2 ); 3585 mbedtls_free( output1 ); 3586 mbedtls_free( output2 ); 3587 psa_destroy_key( key ); 3588 PSA_DONE( ); 3589} 3590/* END_CASE */ 3591 3592/* BEGIN_CASE */ 3593void aead_encrypt_decrypt( int key_type_arg, data_t *key_data, 3594 int alg_arg, 3595 data_t *nonce, 3596 data_t *additional_data, 3597 data_t *input_data, 3598 int expected_result_arg ) 3599{ 3600 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3601 psa_key_type_t key_type = key_type_arg; 3602 psa_algorithm_t alg = alg_arg; 3603 size_t key_bits; 3604 unsigned char *output_data = NULL; 3605 size_t output_size = 0; 3606 size_t output_length = 0; 3607 unsigned char *output_data2 = NULL; 3608 size_t output_length2 = 0; 3609 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 3610 psa_status_t expected_result = expected_result_arg; 3611 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3612 3613 PSA_ASSERT( psa_crypto_init( ) ); 3614 3615 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 3616 psa_set_key_algorithm( &attributes, alg ); 3617 psa_set_key_type( &attributes, key_type ); 3618 3619 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 3620 &key ) ); 3621 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 3622 key_bits = psa_get_key_bits( &attributes ); 3623 3624 output_size = input_data->len + PSA_AEAD_TAG_LENGTH( key_type, key_bits, 3625 alg ); 3626 /* For all currently defined algorithms, PSA_AEAD_ENCRYPT_OUTPUT_SIZE 3627 * should be exact. */ 3628 if( expected_result != PSA_ERROR_INVALID_ARGUMENT && 3629 expected_result != PSA_ERROR_NOT_SUPPORTED ) 3630 { 3631 TEST_EQUAL( output_size, 3632 PSA_AEAD_ENCRYPT_OUTPUT_SIZE( key_type, alg, input_data->len ) ); 3633 TEST_ASSERT( output_size <= 3634 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE( input_data->len ) ); 3635 } 3636 ASSERT_ALLOC( output_data, output_size ); 3637 3638 status = psa_aead_encrypt( key, alg, 3639 nonce->x, nonce->len, 3640 additional_data->x, 3641 additional_data->len, 3642 input_data->x, input_data->len, 3643 output_data, output_size, 3644 &output_length ); 3645 3646 /* If the operation is not supported, just skip and not fail in case the 3647 * encryption involves a common limitation of cryptography hardwares and 3648 * an alternative implementation. */ 3649 if( status == PSA_ERROR_NOT_SUPPORTED ) 3650 { 3651 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 3652 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce->len ); 3653 } 3654 3655 TEST_EQUAL( status, expected_result ); 3656 3657 if( PSA_SUCCESS == expected_result ) 3658 { 3659 ASSERT_ALLOC( output_data2, output_length ); 3660 3661 /* For all currently defined algorithms, PSA_AEAD_DECRYPT_OUTPUT_SIZE 3662 * should be exact. */ 3663 TEST_EQUAL( input_data->len, 3664 PSA_AEAD_DECRYPT_OUTPUT_SIZE( key_type, alg, output_length ) ); 3665 3666 TEST_ASSERT( input_data->len <= 3667 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE( output_length ) ); 3668 3669 TEST_EQUAL( psa_aead_decrypt( key, alg, 3670 nonce->x, nonce->len, 3671 additional_data->x, 3672 additional_data->len, 3673 output_data, output_length, 3674 output_data2, output_length, 3675 &output_length2 ), 3676 expected_result ); 3677 3678 ASSERT_COMPARE( input_data->x, input_data->len, 3679 output_data2, output_length2 ); 3680 } 3681 3682exit: 3683 psa_destroy_key( key ); 3684 mbedtls_free( output_data ); 3685 mbedtls_free( output_data2 ); 3686 PSA_DONE( ); 3687} 3688/* END_CASE */ 3689 3690/* BEGIN_CASE */ 3691void aead_encrypt( int key_type_arg, data_t *key_data, 3692 int alg_arg, 3693 data_t *nonce, 3694 data_t *additional_data, 3695 data_t *input_data, 3696 data_t *expected_result ) 3697{ 3698 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3699 psa_key_type_t key_type = key_type_arg; 3700 psa_algorithm_t alg = alg_arg; 3701 size_t key_bits; 3702 unsigned char *output_data = NULL; 3703 size_t output_size = 0; 3704 size_t output_length = 0; 3705 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3706 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 3707 3708 PSA_ASSERT( psa_crypto_init( ) ); 3709 3710 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 3711 psa_set_key_algorithm( &attributes, alg ); 3712 psa_set_key_type( &attributes, key_type ); 3713 3714 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 3715 &key ) ); 3716 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 3717 key_bits = psa_get_key_bits( &attributes ); 3718 3719 output_size = input_data->len + PSA_AEAD_TAG_LENGTH( key_type, key_bits, 3720 alg ); 3721 /* For all currently defined algorithms, PSA_AEAD_ENCRYPT_OUTPUT_SIZE 3722 * should be exact. */ 3723 TEST_EQUAL( output_size, 3724 PSA_AEAD_ENCRYPT_OUTPUT_SIZE( key_type, alg, input_data->len ) ); 3725 TEST_ASSERT( output_size <= 3726 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE( input_data->len ) ); 3727 ASSERT_ALLOC( output_data, output_size ); 3728 3729 status = psa_aead_encrypt( key, alg, 3730 nonce->x, nonce->len, 3731 additional_data->x, additional_data->len, 3732 input_data->x, input_data->len, 3733 output_data, output_size, 3734 &output_length ); 3735 3736 /* If the operation is not supported, just skip and not fail in case the 3737 * encryption involves a common limitation of cryptography hardwares and 3738 * an alternative implementation. */ 3739 if( status == PSA_ERROR_NOT_SUPPORTED ) 3740 { 3741 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 3742 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce->len ); 3743 } 3744 3745 PSA_ASSERT( status ); 3746 ASSERT_COMPARE( expected_result->x, expected_result->len, 3747 output_data, output_length ); 3748 3749exit: 3750 psa_destroy_key( key ); 3751 mbedtls_free( output_data ); 3752 PSA_DONE( ); 3753} 3754/* END_CASE */ 3755 3756/* BEGIN_CASE */ 3757void aead_decrypt( int key_type_arg, data_t *key_data, 3758 int alg_arg, 3759 data_t *nonce, 3760 data_t *additional_data, 3761 data_t *input_data, 3762 data_t *expected_data, 3763 int expected_result_arg ) 3764{ 3765 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3766 psa_key_type_t key_type = key_type_arg; 3767 psa_algorithm_t alg = alg_arg; 3768 size_t key_bits; 3769 unsigned char *output_data = NULL; 3770 size_t output_size = 0; 3771 size_t output_length = 0; 3772 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3773 psa_status_t expected_result = expected_result_arg; 3774 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 3775 3776 PSA_ASSERT( psa_crypto_init( ) ); 3777 3778 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 3779 psa_set_key_algorithm( &attributes, alg ); 3780 psa_set_key_type( &attributes, key_type ); 3781 3782 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 3783 &key ) ); 3784 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 3785 key_bits = psa_get_key_bits( &attributes ); 3786 3787 output_size = input_data->len - PSA_AEAD_TAG_LENGTH( key_type, key_bits, 3788 alg ); 3789 if( expected_result != PSA_ERROR_INVALID_ARGUMENT && 3790 expected_result != PSA_ERROR_NOT_SUPPORTED ) 3791 { 3792 /* For all currently defined algorithms, PSA_AEAD_DECRYPT_OUTPUT_SIZE 3793 * should be exact. */ 3794 TEST_EQUAL( output_size, 3795 PSA_AEAD_DECRYPT_OUTPUT_SIZE( key_type, alg, input_data->len ) ); 3796 TEST_ASSERT( output_size <= 3797 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE( input_data->len ) ); 3798 } 3799 ASSERT_ALLOC( output_data, output_size ); 3800 3801 status = psa_aead_decrypt( key, alg, 3802 nonce->x, nonce->len, 3803 additional_data->x, 3804 additional_data->len, 3805 input_data->x, input_data->len, 3806 output_data, output_size, 3807 &output_length ); 3808 3809 /* If the operation is not supported, just skip and not fail in case the 3810 * decryption involves a common limitation of cryptography hardwares and 3811 * an alternative implementation. */ 3812 if( status == PSA_ERROR_NOT_SUPPORTED ) 3813 { 3814 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 3815 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce->len ); 3816 } 3817 3818 TEST_EQUAL( status, expected_result ); 3819 3820 if( expected_result == PSA_SUCCESS ) 3821 ASSERT_COMPARE( expected_data->x, expected_data->len, 3822 output_data, output_length ); 3823 3824exit: 3825 psa_destroy_key( key ); 3826 mbedtls_free( output_data ); 3827 PSA_DONE( ); 3828} 3829/* END_CASE */ 3830 3831/* BEGIN_CASE */ 3832void aead_multipart_encrypt( int key_type_arg, data_t *key_data, 3833 int alg_arg, 3834 data_t *nonce, 3835 data_t *additional_data, 3836 data_t *input_data, 3837 int do_set_lengths, 3838 data_t *expected_output ) 3839{ 3840 size_t ad_part_len = 0; 3841 size_t data_part_len = 0; 3842 set_lengths_method_t set_lengths_method = DO_NOT_SET_LENGTHS; 3843 3844 for( ad_part_len = 1; ad_part_len <= additional_data->len; ad_part_len++ ) 3845 { 3846 mbedtls_test_set_step( ad_part_len ); 3847 3848 if( do_set_lengths ) 3849 { 3850 if( ad_part_len & 0x01 ) 3851 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 3852 else 3853 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 3854 } 3855 3856 /* Split ad into length(ad_part_len) parts. */ 3857 if( !aead_multipart_internal_func( key_type_arg, key_data, 3858 alg_arg, nonce, 3859 additional_data, 3860 ad_part_len, 3861 input_data, -1, 3862 set_lengths_method, 3863 expected_output, 3864 1, 0 ) ) 3865 break; 3866 3867 /* length(0) part, length(ad_part_len) part, length(0) part... */ 3868 mbedtls_test_set_step( 1000 + ad_part_len ); 3869 3870 if( !aead_multipart_internal_func( key_type_arg, key_data, 3871 alg_arg, nonce, 3872 additional_data, 3873 ad_part_len, 3874 input_data, -1, 3875 set_lengths_method, 3876 expected_output, 3877 1, 1 ) ) 3878 break; 3879 } 3880 3881 for( data_part_len = 1; data_part_len <= input_data->len; data_part_len++ ) 3882 { 3883 /* Split data into length(data_part_len) parts. */ 3884 mbedtls_test_set_step( 2000 + data_part_len ); 3885 3886 if( do_set_lengths ) 3887 { 3888 if( data_part_len & 0x01 ) 3889 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 3890 else 3891 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 3892 } 3893 3894 if( !aead_multipart_internal_func( key_type_arg, key_data, 3895 alg_arg, nonce, 3896 additional_data, -1, 3897 input_data, data_part_len, 3898 set_lengths_method, 3899 expected_output, 3900 1, 0 ) ) 3901 break; 3902 3903 /* length(0) part, length(data_part_len) part, length(0) part... */ 3904 mbedtls_test_set_step( 3000 + data_part_len ); 3905 3906 if( !aead_multipart_internal_func( key_type_arg, key_data, 3907 alg_arg, nonce, 3908 additional_data, -1, 3909 input_data, data_part_len, 3910 set_lengths_method, 3911 expected_output, 3912 1, 1 ) ) 3913 break; 3914 } 3915 3916 /* Goto is required to silence warnings about unused labels, as we 3917 * don't actually do any test assertions in this function. */ 3918 goto exit; 3919} 3920/* END_CASE */ 3921 3922/* BEGIN_CASE */ 3923void aead_multipart_decrypt( int key_type_arg, data_t *key_data, 3924 int alg_arg, 3925 data_t *nonce, 3926 data_t *additional_data, 3927 data_t *input_data, 3928 int do_set_lengths, 3929 data_t *expected_output ) 3930{ 3931 size_t ad_part_len = 0; 3932 size_t data_part_len = 0; 3933 set_lengths_method_t set_lengths_method = DO_NOT_SET_LENGTHS; 3934 3935 for( ad_part_len = 1; ad_part_len <= additional_data->len; ad_part_len++ ) 3936 { 3937 /* Split ad into length(ad_part_len) parts. */ 3938 mbedtls_test_set_step( ad_part_len ); 3939 3940 if( do_set_lengths ) 3941 { 3942 if( ad_part_len & 0x01 ) 3943 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 3944 else 3945 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 3946 } 3947 3948 if( !aead_multipart_internal_func( key_type_arg, key_data, 3949 alg_arg, nonce, 3950 additional_data, 3951 ad_part_len, 3952 input_data, -1, 3953 set_lengths_method, 3954 expected_output, 3955 0, 0 ) ) 3956 break; 3957 3958 /* length(0) part, length(ad_part_len) part, length(0) part... */ 3959 mbedtls_test_set_step( 1000 + ad_part_len ); 3960 3961 if( !aead_multipart_internal_func( key_type_arg, key_data, 3962 alg_arg, nonce, 3963 additional_data, 3964 ad_part_len, 3965 input_data, -1, 3966 set_lengths_method, 3967 expected_output, 3968 0, 1 ) ) 3969 break; 3970 } 3971 3972 for( data_part_len = 1; data_part_len <= input_data->len; data_part_len++ ) 3973 { 3974 /* Split data into length(data_part_len) parts. */ 3975 mbedtls_test_set_step( 2000 + data_part_len ); 3976 3977 if( do_set_lengths ) 3978 { 3979 if( data_part_len & 0x01 ) 3980 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 3981 else 3982 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 3983 } 3984 3985 if( !aead_multipart_internal_func( key_type_arg, key_data, 3986 alg_arg, nonce, 3987 additional_data, -1, 3988 input_data, data_part_len, 3989 set_lengths_method, 3990 expected_output, 3991 0, 0 ) ) 3992 break; 3993 3994 /* length(0) part, length(data_part_len) part, length(0) part... */ 3995 mbedtls_test_set_step( 3000 + data_part_len ); 3996 3997 if( !aead_multipart_internal_func( key_type_arg, key_data, 3998 alg_arg, nonce, 3999 additional_data, -1, 4000 input_data, data_part_len, 4001 set_lengths_method, 4002 expected_output, 4003 0, 1 ) ) 4004 break; 4005 } 4006 4007 /* Goto is required to silence warnings about unused labels, as we 4008 * don't actually do any test assertions in this function. */ 4009 goto exit; 4010} 4011/* END_CASE */ 4012 4013/* BEGIN_CASE */ 4014void aead_multipart_generate_nonce( int key_type_arg, data_t *key_data, 4015 int alg_arg, 4016 int nonce_length, 4017 int expected_nonce_length_arg, 4018 data_t *additional_data, 4019 data_t *input_data, 4020 int expected_status_arg ) 4021{ 4022 4023 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4024 psa_key_type_t key_type = key_type_arg; 4025 psa_algorithm_t alg = alg_arg; 4026 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 4027 uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE]; 4028 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4029 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 4030 psa_status_t expected_status = expected_status_arg; 4031 size_t actual_nonce_length = 0; 4032 size_t expected_nonce_length = expected_nonce_length_arg; 4033 unsigned char *output = NULL; 4034 unsigned char *ciphertext = NULL; 4035 size_t output_size = 0; 4036 size_t ciphertext_size = 0; 4037 size_t ciphertext_length = 0; 4038 size_t tag_length = 0; 4039 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 4040 4041 PSA_ASSERT( psa_crypto_init( ) ); 4042 4043 psa_set_key_usage_flags( & attributes, PSA_KEY_USAGE_ENCRYPT ); 4044 psa_set_key_algorithm( & attributes, alg ); 4045 psa_set_key_type( & attributes, key_type ); 4046 4047 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4048 &key ) ); 4049 4050 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 4051 4052 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, input_data->len ); 4053 4054 ASSERT_ALLOC( output, output_size ); 4055 4056 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE( key_type, alg ); 4057 4058 TEST_ASSERT( ciphertext_size <= PSA_AEAD_FINISH_OUTPUT_MAX_SIZE ); 4059 4060 ASSERT_ALLOC( ciphertext, ciphertext_size ); 4061 4062 status = psa_aead_encrypt_setup( &operation, key, alg ); 4063 4064 /* If the operation is not supported, just skip and not fail in case the 4065 * encryption involves a common limitation of cryptography hardwares and 4066 * an alternative implementation. */ 4067 if( status == PSA_ERROR_NOT_SUPPORTED ) 4068 { 4069 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 4070 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce_length ); 4071 } 4072 4073 PSA_ASSERT( status ); 4074 4075 status = psa_aead_generate_nonce( &operation, nonce_buffer, 4076 nonce_length, 4077 &actual_nonce_length ); 4078 4079 TEST_EQUAL( status, expected_status ); 4080 4081 TEST_EQUAL( actual_nonce_length, expected_nonce_length ); 4082 4083 if( expected_status == PSA_SUCCESS ) 4084 TEST_EQUAL( actual_nonce_length, PSA_AEAD_NONCE_LENGTH( key_type, 4085 alg ) ); 4086 4087 TEST_ASSERT( actual_nonce_length <= PSA_AEAD_NONCE_MAX_SIZE ); 4088 4089 if( expected_status == PSA_SUCCESS ) 4090 { 4091 /* Ensure we can still complete operation. */ 4092 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 4093 input_data->len ) ); 4094 4095 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 4096 additional_data->len ) ); 4097 4098 PSA_ASSERT( psa_aead_update( &operation, input_data->x, input_data->len, 4099 output, output_size, 4100 &ciphertext_length ) ); 4101 4102 PSA_ASSERT( psa_aead_finish( &operation, ciphertext, ciphertext_size, 4103 &ciphertext_length, tag_buffer, 4104 PSA_AEAD_TAG_MAX_SIZE, &tag_length ) ); 4105 } 4106 4107exit: 4108 psa_destroy_key( key ); 4109 mbedtls_free( output ); 4110 mbedtls_free( ciphertext ); 4111 psa_aead_abort( &operation ); 4112 PSA_DONE( ); 4113} 4114/* END_CASE */ 4115 4116/* BEGIN_CASE */ 4117void aead_multipart_set_nonce( int key_type_arg, data_t *key_data, 4118 int alg_arg, 4119 int nonce_length_arg, 4120 data_t *additional_data, 4121 data_t *input_data, 4122 int expected_status_arg ) 4123{ 4124 4125 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4126 psa_key_type_t key_type = key_type_arg; 4127 psa_algorithm_t alg = alg_arg; 4128 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 4129 uint8_t *nonce_buffer = NULL; 4130 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4131 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 4132 psa_status_t expected_status = expected_status_arg; 4133 unsigned char *output = NULL; 4134 unsigned char *ciphertext = NULL; 4135 size_t nonce_length; 4136 size_t output_size = 0; 4137 size_t ciphertext_size = 0; 4138 size_t ciphertext_length = 0; 4139 size_t tag_length = 0; 4140 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 4141 size_t index = 0; 4142 4143 PSA_ASSERT( psa_crypto_init( ) ); 4144 4145 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 4146 psa_set_key_algorithm( &attributes, alg ); 4147 psa_set_key_type( &attributes, key_type ); 4148 4149 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4150 &key ) ); 4151 4152 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 4153 4154 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, input_data->len ); 4155 4156 ASSERT_ALLOC( output, output_size ); 4157 4158 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE( key_type, alg ); 4159 4160 TEST_ASSERT( ciphertext_size <= PSA_AEAD_FINISH_OUTPUT_MAX_SIZE ); 4161 4162 ASSERT_ALLOC( ciphertext, ciphertext_size ); 4163 4164 status = psa_aead_encrypt_setup( &operation, key, alg ); 4165 4166 /* If the operation is not supported, just skip and not fail in case the 4167 * encryption involves a common limitation of cryptography hardwares and 4168 * an alternative implementation. */ 4169 if( status == PSA_ERROR_NOT_SUPPORTED ) 4170 { 4171 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 4172 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce_length_arg ); 4173 } 4174 4175 PSA_ASSERT( status ); 4176 4177 /* -1 == zero length and valid buffer, 0 = zero length and NULL buffer. */ 4178 if( nonce_length_arg == -1 ) 4179 { 4180 /* Arbitrary size buffer, to test zero length valid buffer. */ 4181 ASSERT_ALLOC( nonce_buffer, 4 ); 4182 nonce_length = 0; 4183 } 4184 else 4185 { 4186 /* If length is zero, then this will return NULL. */ 4187 nonce_length = ( size_t ) nonce_length_arg; 4188 ASSERT_ALLOC( nonce_buffer, nonce_length ); 4189 4190 if( nonce_buffer ) 4191 { 4192 for( index = 0; index < nonce_length - 1; ++index ) 4193 { 4194 nonce_buffer[index] = 'a' + index; 4195 } 4196 } 4197 } 4198 4199 status = psa_aead_set_nonce( &operation, nonce_buffer, nonce_length ); 4200 4201 TEST_EQUAL( status, expected_status ); 4202 4203 if( expected_status == PSA_SUCCESS ) 4204 { 4205 /* Ensure we can still complete operation. */ 4206 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 4207 input_data->len ) ); 4208 4209 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 4210 additional_data->len ) ); 4211 4212 PSA_ASSERT( psa_aead_update( &operation, input_data->x, input_data->len, 4213 output, output_size, 4214 &ciphertext_length ) ); 4215 4216 PSA_ASSERT( psa_aead_finish( &operation, ciphertext, ciphertext_size, 4217 &ciphertext_length, tag_buffer, 4218 PSA_AEAD_TAG_MAX_SIZE, &tag_length ) ); 4219 } 4220 4221exit: 4222 psa_destroy_key( key ); 4223 mbedtls_free( output ); 4224 mbedtls_free( ciphertext ); 4225 mbedtls_free( nonce_buffer ); 4226 psa_aead_abort( &operation ); 4227 PSA_DONE( ); 4228} 4229/* END_CASE */ 4230 4231/* BEGIN_CASE */ 4232void aead_multipart_update_buffer_test( int key_type_arg, data_t *key_data, 4233 int alg_arg, 4234 int output_size_arg, 4235 data_t *nonce, 4236 data_t *additional_data, 4237 data_t *input_data, 4238 int expected_status_arg ) 4239{ 4240 4241 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4242 psa_key_type_t key_type = key_type_arg; 4243 psa_algorithm_t alg = alg_arg; 4244 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 4245 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4246 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 4247 psa_status_t expected_status = expected_status_arg; 4248 unsigned char *output = NULL; 4249 unsigned char *ciphertext = NULL; 4250 size_t output_size = output_size_arg; 4251 size_t ciphertext_size = 0; 4252 size_t ciphertext_length = 0; 4253 size_t tag_length = 0; 4254 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 4255 4256 PSA_ASSERT( psa_crypto_init( ) ); 4257 4258 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 4259 psa_set_key_algorithm( &attributes, alg ); 4260 psa_set_key_type( &attributes, key_type ); 4261 4262 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4263 &key ) ); 4264 4265 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 4266 4267 ASSERT_ALLOC( output, output_size ); 4268 4269 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE( key_type, alg ); 4270 4271 ASSERT_ALLOC( ciphertext, ciphertext_size ); 4272 4273 status = psa_aead_encrypt_setup( &operation, key, alg ); 4274 4275 /* If the operation is not supported, just skip and not fail in case the 4276 * encryption involves a common limitation of cryptography hardwares and 4277 * an alternative implementation. */ 4278 if( status == PSA_ERROR_NOT_SUPPORTED ) 4279 { 4280 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 4281 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce->len ); 4282 } 4283 4284 PSA_ASSERT( status ); 4285 4286 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 4287 input_data->len ) ); 4288 4289 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4290 4291 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 4292 additional_data->len ) ); 4293 4294 status = psa_aead_update( &operation, input_data->x, input_data->len, 4295 output, output_size, &ciphertext_length ); 4296 4297 TEST_EQUAL( status, expected_status ); 4298 4299 if( expected_status == PSA_SUCCESS ) 4300 { 4301 /* Ensure we can still complete operation. */ 4302 PSA_ASSERT( psa_aead_finish( &operation, ciphertext, ciphertext_size, 4303 &ciphertext_length, tag_buffer, 4304 PSA_AEAD_TAG_MAX_SIZE, &tag_length ) ); 4305 } 4306 4307exit: 4308 psa_destroy_key( key ); 4309 mbedtls_free( output ); 4310 mbedtls_free( ciphertext ); 4311 psa_aead_abort( &operation ); 4312 PSA_DONE( ); 4313} 4314/* END_CASE */ 4315 4316/* BEGIN_CASE */ 4317void aead_multipart_finish_buffer_test( int key_type_arg, data_t *key_data, 4318 int alg_arg, 4319 int finish_ciphertext_size_arg, 4320 int tag_size_arg, 4321 data_t *nonce, 4322 data_t *additional_data, 4323 data_t *input_data, 4324 int expected_status_arg ) 4325{ 4326 4327 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4328 psa_key_type_t key_type = key_type_arg; 4329 psa_algorithm_t alg = alg_arg; 4330 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 4331 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4332 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 4333 psa_status_t expected_status = expected_status_arg; 4334 unsigned char *ciphertext = NULL; 4335 unsigned char *finish_ciphertext = NULL; 4336 unsigned char *tag_buffer = NULL; 4337 size_t ciphertext_size = 0; 4338 size_t ciphertext_length = 0; 4339 size_t finish_ciphertext_size = ( size_t ) finish_ciphertext_size_arg; 4340 size_t tag_size = ( size_t ) tag_size_arg; 4341 size_t tag_length = 0; 4342 4343 PSA_ASSERT( psa_crypto_init( ) ); 4344 4345 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 4346 psa_set_key_algorithm( &attributes, alg ); 4347 psa_set_key_type( &attributes, key_type ); 4348 4349 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4350 &key ) ); 4351 4352 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 4353 4354 ciphertext_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, input_data->len ); 4355 4356 ASSERT_ALLOC( ciphertext, ciphertext_size ); 4357 4358 ASSERT_ALLOC( finish_ciphertext, finish_ciphertext_size ); 4359 4360 ASSERT_ALLOC( tag_buffer, tag_size ); 4361 4362 status = psa_aead_encrypt_setup( &operation, key, alg ); 4363 4364 /* If the operation is not supported, just skip and not fail in case the 4365 * encryption involves a common limitation of cryptography hardwares and 4366 * an alternative implementation. */ 4367 if( status == PSA_ERROR_NOT_SUPPORTED ) 4368 { 4369 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 4370 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce->len ); 4371 } 4372 4373 PSA_ASSERT( status ); 4374 4375 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4376 4377 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 4378 input_data->len ) ); 4379 4380 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 4381 additional_data->len ) ); 4382 4383 PSA_ASSERT( psa_aead_update( &operation, input_data->x, input_data->len, 4384 ciphertext, ciphertext_size, &ciphertext_length ) ); 4385 4386 /* Ensure we can still complete operation. */ 4387 status = psa_aead_finish( &operation, finish_ciphertext, 4388 finish_ciphertext_size, 4389 &ciphertext_length, tag_buffer, 4390 tag_size, &tag_length ); 4391 4392 TEST_EQUAL( status, expected_status ); 4393 4394exit: 4395 psa_destroy_key( key ); 4396 mbedtls_free( ciphertext ); 4397 mbedtls_free( finish_ciphertext ); 4398 mbedtls_free( tag_buffer ); 4399 psa_aead_abort( &operation ); 4400 PSA_DONE( ); 4401} 4402/* END_CASE */ 4403 4404/* BEGIN_CASE */ 4405void aead_multipart_verify( int key_type_arg, data_t *key_data, 4406 int alg_arg, 4407 data_t *nonce, 4408 data_t *additional_data, 4409 data_t *input_data, 4410 data_t *tag, 4411 int tag_usage_arg, 4412 int expected_status_arg ) 4413{ 4414 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4415 psa_key_type_t key_type = key_type_arg; 4416 psa_algorithm_t alg = alg_arg; 4417 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 4418 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4419 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 4420 psa_status_t expected_status = expected_status_arg; 4421 unsigned char *plaintext = NULL; 4422 unsigned char *finish_plaintext = NULL; 4423 size_t plaintext_size = 0; 4424 size_t plaintext_length = 0; 4425 size_t verify_plaintext_size = 0; 4426 tag_usage_method_t tag_usage = tag_usage_arg; 4427 unsigned char *tag_buffer = NULL; 4428 size_t tag_size = 0; 4429 4430 PSA_ASSERT( psa_crypto_init( ) ); 4431 4432 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 4433 psa_set_key_algorithm( &attributes, alg ); 4434 psa_set_key_type( &attributes, key_type ); 4435 4436 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4437 &key ) ); 4438 4439 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 4440 4441 plaintext_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, 4442 input_data->len ); 4443 4444 ASSERT_ALLOC( plaintext, plaintext_size ); 4445 4446 verify_plaintext_size = PSA_AEAD_VERIFY_OUTPUT_SIZE( key_type, alg ); 4447 4448 ASSERT_ALLOC( finish_plaintext, verify_plaintext_size ); 4449 4450 status = psa_aead_decrypt_setup( &operation, key, alg ); 4451 4452 /* If the operation is not supported, just skip and not fail in case the 4453 * encryption involves a common limitation of cryptography hardwares and 4454 * an alternative implementation. */ 4455 if( status == PSA_ERROR_NOT_SUPPORTED ) 4456 { 4457 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 4458 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce->len ); 4459 } 4460 4461 PSA_ASSERT( status ); 4462 4463 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4464 4465 status = psa_aead_set_lengths( &operation, additional_data->len, 4466 input_data->len ); 4467 4468 if( status != PSA_SUCCESS ) 4469 { 4470 /* Invalid tag lengths are detected in CCM at this point, as they 4471 * would be written into the first block. They should really be 4472 * detected in psa_aead_encrypt/decrypt_setup, and will be fixed 4473 * to do so in the future, until that point, this is a 4474 * workaround.*/ 4475 TEST_EQUAL( status, expected_status ); 4476 goto exit; 4477 } 4478 4479 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 4480 additional_data->len ) ); 4481 4482 PSA_ASSERT( psa_aead_update( &operation, input_data->x, 4483 input_data->len, 4484 plaintext, plaintext_size, 4485 &plaintext_length ) ); 4486 4487 if( tag_usage == USE_GIVEN_TAG ) 4488 { 4489 tag_buffer = tag->x; 4490 tag_size = tag->len; 4491 } 4492 4493 status = psa_aead_verify( &operation, finish_plaintext, 4494 verify_plaintext_size, 4495 &plaintext_length, 4496 tag_buffer, tag_size ); 4497 4498 TEST_EQUAL( status, expected_status ); 4499 4500exit: 4501 psa_destroy_key( key ); 4502 mbedtls_free( plaintext ); 4503 mbedtls_free( finish_plaintext ); 4504 psa_aead_abort( &operation ); 4505 PSA_DONE( ); 4506} 4507/* END_CASE */ 4508 4509/* BEGIN_CASE */ 4510void aead_multipart_setup( int key_type_arg, data_t *key_data, 4511 int alg_arg, int expected_status_arg ) 4512{ 4513 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4514 psa_key_type_t key_type = key_type_arg; 4515 psa_algorithm_t alg = alg_arg; 4516 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 4517 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4518 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 4519 psa_status_t expected_status = expected_status_arg; 4520 4521 PSA_ASSERT( psa_crypto_init( ) ); 4522 4523 psa_set_key_usage_flags( &attributes, 4524 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 4525 psa_set_key_algorithm( &attributes, alg ); 4526 psa_set_key_type( &attributes, key_type ); 4527 4528 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4529 &key ) ); 4530 4531 status = psa_aead_encrypt_setup( &operation, key, alg ); 4532 4533 TEST_EQUAL( status, expected_status ); 4534 4535 psa_aead_abort( &operation ); 4536 4537 status = psa_aead_decrypt_setup( &operation, key, alg ); 4538 4539 TEST_EQUAL(status, expected_status ); 4540 4541exit: 4542 psa_destroy_key( key ); 4543 psa_aead_abort( &operation ); 4544 PSA_DONE( ); 4545} 4546/* END_CASE */ 4547 4548/* BEGIN_CASE */ 4549void aead_multipart_state_test( int key_type_arg, data_t *key_data, 4550 int alg_arg, 4551 data_t *nonce, 4552 data_t *additional_data, 4553 data_t *input_data ) 4554{ 4555 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4556 psa_key_type_t key_type = key_type_arg; 4557 psa_algorithm_t alg = alg_arg; 4558 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 4559 unsigned char *output_data = NULL; 4560 unsigned char *final_data = NULL; 4561 size_t output_size = 0; 4562 size_t finish_output_size = 0; 4563 size_t output_length = 0; 4564 size_t key_bits = 0; 4565 size_t tag_length = 0; 4566 size_t tag_size = 0; 4567 size_t nonce_length = 0; 4568 uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE]; 4569 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 4570 size_t output_part_length = 0; 4571 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4572 4573 PSA_ASSERT( psa_crypto_init( ) ); 4574 4575 psa_set_key_usage_flags( & attributes, 4576 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 4577 psa_set_key_algorithm( & attributes, alg ); 4578 psa_set_key_type( & attributes, key_type ); 4579 4580 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4581 &key ) ); 4582 4583 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 4584 key_bits = psa_get_key_bits( &attributes ); 4585 4586 tag_length = PSA_AEAD_TAG_LENGTH( key_type, key_bits, alg ); 4587 4588 TEST_ASSERT( tag_length <= PSA_AEAD_TAG_MAX_SIZE ); 4589 4590 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, input_data->len ); 4591 4592 ASSERT_ALLOC( output_data, output_size ); 4593 4594 finish_output_size = PSA_AEAD_FINISH_OUTPUT_SIZE( key_type, alg ); 4595 4596 TEST_ASSERT( finish_output_size <= PSA_AEAD_FINISH_OUTPUT_MAX_SIZE ); 4597 4598 ASSERT_ALLOC( final_data, finish_output_size ); 4599 4600 /* Test all operations error without calling setup first. */ 4601 4602 TEST_EQUAL( psa_aead_set_nonce( &operation, nonce->x, nonce->len ), 4603 PSA_ERROR_BAD_STATE ); 4604 4605 psa_aead_abort( &operation ); 4606 4607 TEST_EQUAL( psa_aead_generate_nonce( &operation, nonce_buffer, 4608 PSA_AEAD_NONCE_MAX_SIZE, 4609 &nonce_length ), 4610 PSA_ERROR_BAD_STATE ); 4611 4612 psa_aead_abort( &operation ); 4613 4614 /* ------------------------------------------------------- */ 4615 4616 TEST_EQUAL( psa_aead_set_lengths( &operation, additional_data->len, 4617 input_data->len ), 4618 PSA_ERROR_BAD_STATE ); 4619 4620 psa_aead_abort( &operation ); 4621 4622 /* ------------------------------------------------------- */ 4623 4624 TEST_EQUAL( psa_aead_update_ad( &operation, additional_data->x, 4625 additional_data->len ), 4626 PSA_ERROR_BAD_STATE ); 4627 4628 psa_aead_abort( &operation ); 4629 4630 /* ------------------------------------------------------- */ 4631 4632 TEST_EQUAL( psa_aead_update( &operation, input_data->x, 4633 input_data->len, output_data, 4634 output_size, &output_length ), 4635 PSA_ERROR_BAD_STATE ); 4636 4637 psa_aead_abort( &operation ); 4638 4639 /* ------------------------------------------------------- */ 4640 4641 TEST_EQUAL( psa_aead_finish( &operation, final_data, 4642 finish_output_size, 4643 &output_part_length, 4644 tag_buffer, tag_length, 4645 &tag_size ), 4646 PSA_ERROR_BAD_STATE ); 4647 4648 psa_aead_abort( &operation ); 4649 4650 /* ------------------------------------------------------- */ 4651 4652 TEST_EQUAL( psa_aead_verify( &operation, final_data, 4653 finish_output_size, 4654 &output_part_length, 4655 tag_buffer, 4656 tag_length ), 4657 PSA_ERROR_BAD_STATE ); 4658 4659 psa_aead_abort( &operation ); 4660 4661 /* Test for double setups. */ 4662 4663 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4664 4665 TEST_EQUAL( psa_aead_encrypt_setup( &operation, key, alg ), 4666 PSA_ERROR_BAD_STATE ); 4667 4668 psa_aead_abort( &operation ); 4669 4670 /* ------------------------------------------------------- */ 4671 4672 PSA_ASSERT( psa_aead_decrypt_setup( &operation, key, alg ) ); 4673 4674 TEST_EQUAL( psa_aead_decrypt_setup( &operation, key, alg ), 4675 PSA_ERROR_BAD_STATE ); 4676 4677 psa_aead_abort( &operation ); 4678 4679 /* ------------------------------------------------------- */ 4680 4681 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4682 4683 TEST_EQUAL( psa_aead_decrypt_setup( &operation, key, alg ), 4684 PSA_ERROR_BAD_STATE ); 4685 4686 psa_aead_abort( &operation ); 4687 4688 /* ------------------------------------------------------- */ 4689 4690 PSA_ASSERT( psa_aead_decrypt_setup( &operation, key, alg ) ); 4691 4692 TEST_EQUAL( psa_aead_encrypt_setup( &operation, key, alg ), 4693 PSA_ERROR_BAD_STATE ); 4694 4695 psa_aead_abort( &operation ); 4696 4697 /* Test for not setting a nonce. */ 4698 4699 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4700 4701 TEST_EQUAL( psa_aead_update_ad( &operation, additional_data->x, 4702 additional_data->len ), 4703 PSA_ERROR_BAD_STATE ); 4704 4705 psa_aead_abort( &operation ); 4706 4707 /* ------------------------------------------------------- */ 4708 4709 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4710 4711 TEST_EQUAL( psa_aead_update( &operation, input_data->x, 4712 input_data->len, output_data, 4713 output_size, &output_length ), 4714 PSA_ERROR_BAD_STATE ); 4715 4716 psa_aead_abort( &operation ); 4717 4718 /* ------------------------------------------------------- */ 4719 4720 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4721 4722 TEST_EQUAL( psa_aead_finish( &operation, final_data, 4723 finish_output_size, 4724 &output_part_length, 4725 tag_buffer, tag_length, 4726 &tag_size ), 4727 PSA_ERROR_BAD_STATE ); 4728 4729 psa_aead_abort( &operation ); 4730 4731 /* ------------------------------------------------------- */ 4732 4733 PSA_ASSERT( psa_aead_decrypt_setup( &operation, key, alg ) ); 4734 4735 TEST_EQUAL( psa_aead_verify( &operation, final_data, 4736 finish_output_size, 4737 &output_part_length, 4738 tag_buffer, 4739 tag_length ), 4740 PSA_ERROR_BAD_STATE ); 4741 4742 psa_aead_abort( &operation ); 4743 4744 /* Test for double setting nonce. */ 4745 4746 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4747 4748 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4749 4750 TEST_EQUAL( psa_aead_set_nonce( &operation, nonce->x, nonce->len ), 4751 PSA_ERROR_BAD_STATE ); 4752 4753 psa_aead_abort( &operation ); 4754 4755 /* Test for double generating nonce. */ 4756 4757 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4758 4759 PSA_ASSERT( psa_aead_generate_nonce( &operation, nonce_buffer, 4760 PSA_AEAD_NONCE_MAX_SIZE, 4761 &nonce_length ) ); 4762 4763 TEST_EQUAL( psa_aead_generate_nonce( &operation, nonce_buffer, 4764 PSA_AEAD_NONCE_MAX_SIZE, 4765 &nonce_length ), 4766 PSA_ERROR_BAD_STATE ); 4767 4768 4769 psa_aead_abort( &operation ); 4770 4771 /* Test for generate nonce then set and vice versa */ 4772 4773 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4774 4775 PSA_ASSERT( psa_aead_generate_nonce( &operation, nonce_buffer, 4776 PSA_AEAD_NONCE_MAX_SIZE, 4777 &nonce_length ) ); 4778 4779 TEST_EQUAL( psa_aead_set_nonce( &operation, nonce->x, nonce->len ), 4780 PSA_ERROR_BAD_STATE ); 4781 4782 psa_aead_abort( &operation ); 4783 4784 /* ------------------------------------------------------- */ 4785 4786 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4787 4788 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4789 4790 TEST_EQUAL( psa_aead_generate_nonce( &operation, nonce_buffer, 4791 PSA_AEAD_NONCE_MAX_SIZE, 4792 &nonce_length ), 4793 PSA_ERROR_BAD_STATE ); 4794 4795 psa_aead_abort( &operation ); 4796 4797 /* Test for generating nonce in decrypt setup. */ 4798 4799 PSA_ASSERT( psa_aead_decrypt_setup( &operation, key, alg ) ); 4800 4801 TEST_EQUAL( psa_aead_generate_nonce( &operation, nonce_buffer, 4802 PSA_AEAD_NONCE_MAX_SIZE, 4803 &nonce_length ), 4804 PSA_ERROR_BAD_STATE ); 4805 4806 psa_aead_abort( &operation ); 4807 4808 /* Test for setting lengths twice. */ 4809 4810 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4811 4812 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4813 4814 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 4815 input_data->len ) ); 4816 4817 TEST_EQUAL( psa_aead_set_lengths( &operation, additional_data->len, 4818 input_data->len ), 4819 PSA_ERROR_BAD_STATE ); 4820 4821 psa_aead_abort( &operation ); 4822 4823 /* Test for setting lengths after already starting data. */ 4824 4825 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4826 4827 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4828 4829 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 4830 additional_data->len ) ); 4831 4832 TEST_EQUAL( psa_aead_set_lengths( &operation, additional_data->len, 4833 input_data->len ), 4834 PSA_ERROR_BAD_STATE ); 4835 4836 psa_aead_abort( &operation ); 4837 4838 /* ------------------------------------------------------- */ 4839 4840 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4841 4842 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4843 4844 PSA_ASSERT( psa_aead_update( &operation, input_data->x, 4845 input_data->len, output_data, 4846 output_size, &output_length ) ); 4847 4848 TEST_EQUAL( psa_aead_set_lengths( &operation, additional_data->len, 4849 input_data->len ), 4850 PSA_ERROR_BAD_STATE ); 4851 4852 psa_aead_abort( &operation ); 4853 4854 /* Test for not sending any additional data or data after setting non zero 4855 * lengths for them. (encrypt) */ 4856 4857 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4858 4859 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4860 4861 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 4862 input_data->len ) ); 4863 4864 TEST_EQUAL( psa_aead_finish( &operation, final_data, 4865 finish_output_size, 4866 &output_part_length, 4867 tag_buffer, tag_length, 4868 &tag_size ), 4869 PSA_ERROR_INVALID_ARGUMENT ); 4870 4871 psa_aead_abort( &operation ); 4872 4873 /* Test for not sending any additional data or data after setting non-zero 4874 * lengths for them. (decrypt) */ 4875 4876 PSA_ASSERT( psa_aead_decrypt_setup( &operation, key, alg ) ); 4877 4878 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4879 4880 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 4881 input_data->len ) ); 4882 4883 TEST_EQUAL( psa_aead_verify( &operation, final_data, 4884 finish_output_size, 4885 &output_part_length, 4886 tag_buffer, 4887 tag_length ), 4888 PSA_ERROR_INVALID_ARGUMENT ); 4889 4890 psa_aead_abort( &operation ); 4891 4892 /* Test for not sending any additional data after setting a non-zero length 4893 * for it. */ 4894 4895 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4896 4897 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4898 4899 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 4900 input_data->len ) ); 4901 4902 TEST_EQUAL( psa_aead_update( &operation, input_data->x, 4903 input_data->len, output_data, 4904 output_size, &output_length ), 4905 PSA_ERROR_INVALID_ARGUMENT ); 4906 4907 psa_aead_abort( &operation ); 4908 4909 /* Test for not sending any data after setting a non-zero length for it.*/ 4910 4911 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4912 4913 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4914 4915 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 4916 input_data->len ) ); 4917 4918 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 4919 additional_data->len ) ); 4920 4921 TEST_EQUAL( psa_aead_finish( &operation, final_data, 4922 finish_output_size, 4923 &output_part_length, 4924 tag_buffer, tag_length, 4925 &tag_size ), 4926 PSA_ERROR_INVALID_ARGUMENT ); 4927 4928 psa_aead_abort( &operation ); 4929 4930 /* Test for sending too much additional data after setting lengths. */ 4931 4932 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4933 4934 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4935 4936 PSA_ASSERT( psa_aead_set_lengths( &operation, 0, 0 ) ); 4937 4938 4939 TEST_EQUAL( psa_aead_update_ad( &operation, additional_data->x, 4940 additional_data->len ), 4941 PSA_ERROR_INVALID_ARGUMENT ); 4942 4943 psa_aead_abort( &operation ); 4944 4945 /* ------------------------------------------------------- */ 4946 4947 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4948 4949 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4950 4951 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 4952 input_data->len ) ); 4953 4954 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 4955 additional_data->len ) ); 4956 4957 TEST_EQUAL( psa_aead_update_ad( &operation, additional_data->x, 4958 1 ), 4959 PSA_ERROR_INVALID_ARGUMENT ); 4960 4961 psa_aead_abort( &operation ); 4962 4963 /* Test for sending too much data after setting lengths. */ 4964 4965 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4966 4967 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4968 4969 PSA_ASSERT( psa_aead_set_lengths( &operation, 0, 0 ) ); 4970 4971 TEST_EQUAL( psa_aead_update( &operation, input_data->x, 4972 input_data->len, output_data, 4973 output_size, &output_length ), 4974 PSA_ERROR_INVALID_ARGUMENT ); 4975 4976 psa_aead_abort( &operation ); 4977 4978 /* ------------------------------------------------------- */ 4979 4980 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 4981 4982 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 4983 4984 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 4985 input_data->len ) ); 4986 4987 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 4988 additional_data->len ) ); 4989 4990 PSA_ASSERT( psa_aead_update( &operation, input_data->x, 4991 input_data->len, output_data, 4992 output_size, &output_length ) ); 4993 4994 TEST_EQUAL( psa_aead_update( &operation, input_data->x, 4995 1, output_data, 4996 output_size, &output_length ), 4997 PSA_ERROR_INVALID_ARGUMENT ); 4998 4999 psa_aead_abort( &operation ); 5000 5001 /* Test sending additional data after data. */ 5002 5003 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 5004 5005 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 5006 5007 PSA_ASSERT( psa_aead_update( &operation, input_data->x, 5008 input_data->len, output_data, 5009 output_size, &output_length ) ); 5010 5011 TEST_EQUAL( psa_aead_update_ad( &operation, additional_data->x, 5012 additional_data->len ), 5013 PSA_ERROR_BAD_STATE ); 5014 5015 psa_aead_abort( &operation ); 5016 5017 /* Test calling finish on decryption. */ 5018 5019 PSA_ASSERT( psa_aead_decrypt_setup( &operation, key, alg ) ); 5020 5021 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 5022 5023 TEST_EQUAL( psa_aead_finish( &operation, final_data, 5024 finish_output_size, 5025 &output_part_length, 5026 tag_buffer, tag_length, 5027 &tag_size ), 5028 PSA_ERROR_BAD_STATE ); 5029 5030 psa_aead_abort( &operation ); 5031 5032 /* Test calling verify on encryption. */ 5033 5034 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 5035 5036 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 5037 5038 TEST_EQUAL( psa_aead_verify( &operation, final_data, 5039 finish_output_size, 5040 &output_part_length, 5041 tag_buffer, 5042 tag_length ), 5043 PSA_ERROR_BAD_STATE ); 5044 5045 psa_aead_abort( &operation ); 5046 5047 5048exit: 5049 psa_destroy_key( key ); 5050 psa_aead_abort( &operation ); 5051 mbedtls_free( output_data ); 5052 mbedtls_free( final_data ); 5053 PSA_DONE( ); 5054} 5055/* END_CASE */ 5056 5057/* BEGIN_CASE */ 5058void signature_size( int type_arg, 5059 int bits, 5060 int alg_arg, 5061 int expected_size_arg ) 5062{ 5063 psa_key_type_t type = type_arg; 5064 psa_algorithm_t alg = alg_arg; 5065 size_t actual_size = PSA_SIGN_OUTPUT_SIZE( type, bits, alg ); 5066 5067 TEST_EQUAL( actual_size, (size_t) expected_size_arg ); 5068 5069exit: 5070 ; 5071} 5072/* END_CASE */ 5073 5074/* BEGIN_CASE */ 5075void sign_hash_deterministic( int key_type_arg, data_t *key_data, 5076 int alg_arg, data_t *input_data, 5077 data_t *output_data ) 5078{ 5079 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5080 psa_key_type_t key_type = key_type_arg; 5081 psa_algorithm_t alg = alg_arg; 5082 size_t key_bits; 5083 unsigned char *signature = NULL; 5084 size_t signature_size; 5085 size_t signature_length = 0xdeadbeef; 5086 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5087 5088 PSA_ASSERT( psa_crypto_init( ) ); 5089 5090 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH ); 5091 psa_set_key_algorithm( &attributes, alg ); 5092 psa_set_key_type( &attributes, key_type ); 5093 5094 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5095 &key ) ); 5096 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 5097 key_bits = psa_get_key_bits( &attributes ); 5098 5099 /* Allocate a buffer which has the size advertized by the 5100 * library. */ 5101 signature_size = PSA_SIGN_OUTPUT_SIZE( key_type, 5102 key_bits, alg ); 5103 TEST_ASSERT( signature_size != 0 ); 5104 TEST_ASSERT( signature_size <= PSA_SIGNATURE_MAX_SIZE ); 5105 ASSERT_ALLOC( signature, signature_size ); 5106 5107 /* Perform the signature. */ 5108 PSA_ASSERT( psa_sign_hash( key, alg, 5109 input_data->x, input_data->len, 5110 signature, signature_size, 5111 &signature_length ) ); 5112 /* Verify that the signature is what is expected. */ 5113 ASSERT_COMPARE( output_data->x, output_data->len, 5114 signature, signature_length ); 5115 5116exit: 5117 /* 5118 * Key attributes may have been returned by psa_get_key_attributes() 5119 * thus reset them as required. 5120 */ 5121 psa_reset_key_attributes( &attributes ); 5122 5123 psa_destroy_key( key ); 5124 mbedtls_free( signature ); 5125 PSA_DONE( ); 5126} 5127/* END_CASE */ 5128 5129/* BEGIN_CASE */ 5130void sign_hash_fail( int key_type_arg, data_t *key_data, 5131 int alg_arg, data_t *input_data, 5132 int signature_size_arg, int expected_status_arg ) 5133{ 5134 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5135 psa_key_type_t key_type = key_type_arg; 5136 psa_algorithm_t alg = alg_arg; 5137 size_t signature_size = signature_size_arg; 5138 psa_status_t actual_status; 5139 psa_status_t expected_status = expected_status_arg; 5140 unsigned char *signature = NULL; 5141 size_t signature_length = 0xdeadbeef; 5142 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5143 5144 ASSERT_ALLOC( signature, signature_size ); 5145 5146 PSA_ASSERT( psa_crypto_init( ) ); 5147 5148 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH ); 5149 psa_set_key_algorithm( &attributes, alg ); 5150 psa_set_key_type( &attributes, key_type ); 5151 5152 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5153 &key ) ); 5154 5155 actual_status = psa_sign_hash( key, alg, 5156 input_data->x, input_data->len, 5157 signature, signature_size, 5158 &signature_length ); 5159 TEST_EQUAL( actual_status, expected_status ); 5160 /* The value of *signature_length is unspecified on error, but 5161 * whatever it is, it should be less than signature_size, so that 5162 * if the caller tries to read *signature_length bytes without 5163 * checking the error code then they don't overflow a buffer. */ 5164 TEST_ASSERT( signature_length <= signature_size ); 5165 5166exit: 5167 psa_reset_key_attributes( &attributes ); 5168 psa_destroy_key( key ); 5169 mbedtls_free( signature ); 5170 PSA_DONE( ); 5171} 5172/* END_CASE */ 5173 5174/* BEGIN_CASE */ 5175void sign_verify_hash( int key_type_arg, data_t *key_data, 5176 int alg_arg, data_t *input_data ) 5177{ 5178 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5179 psa_key_type_t key_type = key_type_arg; 5180 psa_algorithm_t alg = alg_arg; 5181 size_t key_bits; 5182 unsigned char *signature = NULL; 5183 size_t signature_size; 5184 size_t signature_length = 0xdeadbeef; 5185 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5186 5187 PSA_ASSERT( psa_crypto_init( ) ); 5188 5189 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH ); 5190 psa_set_key_algorithm( &attributes, alg ); 5191 psa_set_key_type( &attributes, key_type ); 5192 5193 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5194 &key ) ); 5195 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 5196 key_bits = psa_get_key_bits( &attributes ); 5197 5198 /* Allocate a buffer which has the size advertized by the 5199 * library. */ 5200 signature_size = PSA_SIGN_OUTPUT_SIZE( key_type, 5201 key_bits, alg ); 5202 TEST_ASSERT( signature_size != 0 ); 5203 TEST_ASSERT( signature_size <= PSA_SIGNATURE_MAX_SIZE ); 5204 ASSERT_ALLOC( signature, signature_size ); 5205 5206 /* Perform the signature. */ 5207 PSA_ASSERT( psa_sign_hash( key, alg, 5208 input_data->x, input_data->len, 5209 signature, signature_size, 5210 &signature_length ) ); 5211 /* Check that the signature length looks sensible. */ 5212 TEST_ASSERT( signature_length <= signature_size ); 5213 TEST_ASSERT( signature_length > 0 ); 5214 5215 /* Use the library to verify that the signature is correct. */ 5216 PSA_ASSERT( psa_verify_hash( key, alg, 5217 input_data->x, input_data->len, 5218 signature, signature_length ) ); 5219 5220 if( input_data->len != 0 ) 5221 { 5222 /* Flip a bit in the input and verify that the signature is now 5223 * detected as invalid. Flip a bit at the beginning, not at the end, 5224 * because ECDSA may ignore the last few bits of the input. */ 5225 input_data->x[0] ^= 1; 5226 TEST_EQUAL( psa_verify_hash( key, alg, 5227 input_data->x, input_data->len, 5228 signature, signature_length ), 5229 PSA_ERROR_INVALID_SIGNATURE ); 5230 } 5231 5232exit: 5233 /* 5234 * Key attributes may have been returned by psa_get_key_attributes() 5235 * thus reset them as required. 5236 */ 5237 psa_reset_key_attributes( &attributes ); 5238 5239 psa_destroy_key( key ); 5240 mbedtls_free( signature ); 5241 PSA_DONE( ); 5242} 5243/* END_CASE */ 5244 5245/* BEGIN_CASE */ 5246void verify_hash( int key_type_arg, data_t *key_data, 5247 int alg_arg, data_t *hash_data, 5248 data_t *signature_data ) 5249{ 5250 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5251 psa_key_type_t key_type = key_type_arg; 5252 psa_algorithm_t alg = alg_arg; 5253 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5254 5255 TEST_ASSERT( signature_data->len <= PSA_SIGNATURE_MAX_SIZE ); 5256 5257 PSA_ASSERT( psa_crypto_init( ) ); 5258 5259 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH ); 5260 psa_set_key_algorithm( &attributes, alg ); 5261 psa_set_key_type( &attributes, key_type ); 5262 5263 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5264 &key ) ); 5265 5266 PSA_ASSERT( psa_verify_hash( key, alg, 5267 hash_data->x, hash_data->len, 5268 signature_data->x, signature_data->len ) ); 5269 5270exit: 5271 psa_reset_key_attributes( &attributes ); 5272 psa_destroy_key( key ); 5273 PSA_DONE( ); 5274} 5275/* END_CASE */ 5276 5277/* BEGIN_CASE */ 5278void verify_hash_fail( int key_type_arg, data_t *key_data, 5279 int alg_arg, data_t *hash_data, 5280 data_t *signature_data, 5281 int expected_status_arg ) 5282{ 5283 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5284 psa_key_type_t key_type = key_type_arg; 5285 psa_algorithm_t alg = alg_arg; 5286 psa_status_t actual_status; 5287 psa_status_t expected_status = expected_status_arg; 5288 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5289 5290 PSA_ASSERT( psa_crypto_init( ) ); 5291 5292 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH ); 5293 psa_set_key_algorithm( &attributes, alg ); 5294 psa_set_key_type( &attributes, key_type ); 5295 5296 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5297 &key ) ); 5298 5299 actual_status = psa_verify_hash( key, alg, 5300 hash_data->x, hash_data->len, 5301 signature_data->x, signature_data->len ); 5302 TEST_EQUAL( actual_status, expected_status ); 5303 5304exit: 5305 psa_reset_key_attributes( &attributes ); 5306 psa_destroy_key( key ); 5307 PSA_DONE( ); 5308} 5309/* END_CASE */ 5310 5311/* BEGIN_CASE */ 5312void sign_message_deterministic( int key_type_arg, 5313 data_t *key_data, 5314 int alg_arg, 5315 data_t *input_data, 5316 data_t *output_data ) 5317{ 5318 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5319 psa_key_type_t key_type = key_type_arg; 5320 psa_algorithm_t alg = alg_arg; 5321 size_t key_bits; 5322 unsigned char *signature = NULL; 5323 size_t signature_size; 5324 size_t signature_length = 0xdeadbeef; 5325 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5326 5327 PSA_ASSERT( psa_crypto_init( ) ); 5328 5329 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE ); 5330 psa_set_key_algorithm( &attributes, alg ); 5331 psa_set_key_type( &attributes, key_type ); 5332 5333 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5334 &key ) ); 5335 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 5336 key_bits = psa_get_key_bits( &attributes ); 5337 5338 signature_size = PSA_SIGN_OUTPUT_SIZE( key_type, key_bits, alg ); 5339 TEST_ASSERT( signature_size != 0 ); 5340 TEST_ASSERT( signature_size <= PSA_SIGNATURE_MAX_SIZE ); 5341 ASSERT_ALLOC( signature, signature_size ); 5342 5343 PSA_ASSERT( psa_sign_message( key, alg, 5344 input_data->x, input_data->len, 5345 signature, signature_size, 5346 &signature_length ) ); 5347 5348 ASSERT_COMPARE( output_data->x, output_data->len, 5349 signature, signature_length ); 5350 5351exit: 5352 psa_reset_key_attributes( &attributes ); 5353 5354 psa_destroy_key( key ); 5355 mbedtls_free( signature ); 5356 PSA_DONE( ); 5357 5358} 5359/* END_CASE */ 5360 5361/* BEGIN_CASE */ 5362void sign_message_fail( int key_type_arg, 5363 data_t *key_data, 5364 int alg_arg, 5365 data_t *input_data, 5366 int signature_size_arg, 5367 int expected_status_arg ) 5368{ 5369 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5370 psa_key_type_t key_type = key_type_arg; 5371 psa_algorithm_t alg = alg_arg; 5372 size_t signature_size = signature_size_arg; 5373 psa_status_t actual_status; 5374 psa_status_t expected_status = expected_status_arg; 5375 unsigned char *signature = NULL; 5376 size_t signature_length = 0xdeadbeef; 5377 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5378 5379 ASSERT_ALLOC( signature, signature_size ); 5380 5381 PSA_ASSERT( psa_crypto_init( ) ); 5382 5383 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE ); 5384 psa_set_key_algorithm( &attributes, alg ); 5385 psa_set_key_type( &attributes, key_type ); 5386 5387 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5388 &key ) ); 5389 5390 actual_status = psa_sign_message( key, alg, 5391 input_data->x, input_data->len, 5392 signature, signature_size, 5393 &signature_length ); 5394 TEST_EQUAL( actual_status, expected_status ); 5395 /* The value of *signature_length is unspecified on error, but 5396 * whatever it is, it should be less than signature_size, so that 5397 * if the caller tries to read *signature_length bytes without 5398 * checking the error code then they don't overflow a buffer. */ 5399 TEST_ASSERT( signature_length <= signature_size ); 5400 5401exit: 5402 psa_reset_key_attributes( &attributes ); 5403 psa_destroy_key( key ); 5404 mbedtls_free( signature ); 5405 PSA_DONE( ); 5406} 5407/* END_CASE */ 5408 5409/* BEGIN_CASE */ 5410void sign_verify_message( int key_type_arg, 5411 data_t *key_data, 5412 int alg_arg, 5413 data_t *input_data ) 5414{ 5415 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5416 psa_key_type_t key_type = key_type_arg; 5417 psa_algorithm_t alg = alg_arg; 5418 size_t key_bits; 5419 unsigned char *signature = NULL; 5420 size_t signature_size; 5421 size_t signature_length = 0xdeadbeef; 5422 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5423 5424 PSA_ASSERT( psa_crypto_init( ) ); 5425 5426 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE | 5427 PSA_KEY_USAGE_VERIFY_MESSAGE ); 5428 psa_set_key_algorithm( &attributes, alg ); 5429 psa_set_key_type( &attributes, key_type ); 5430 5431 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5432 &key ) ); 5433 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 5434 key_bits = psa_get_key_bits( &attributes ); 5435 5436 signature_size = PSA_SIGN_OUTPUT_SIZE( key_type, key_bits, alg ); 5437 TEST_ASSERT( signature_size != 0 ); 5438 TEST_ASSERT( signature_size <= PSA_SIGNATURE_MAX_SIZE ); 5439 ASSERT_ALLOC( signature, signature_size ); 5440 5441 PSA_ASSERT( psa_sign_message( key, alg, 5442 input_data->x, input_data->len, 5443 signature, signature_size, 5444 &signature_length ) ); 5445 TEST_ASSERT( signature_length <= signature_size ); 5446 TEST_ASSERT( signature_length > 0 ); 5447 5448 PSA_ASSERT( psa_verify_message( key, alg, 5449 input_data->x, input_data->len, 5450 signature, signature_length ) ); 5451 5452 if( input_data->len != 0 ) 5453 { 5454 /* Flip a bit in the input and verify that the signature is now 5455 * detected as invalid. Flip a bit at the beginning, not at the end, 5456 * because ECDSA may ignore the last few bits of the input. */ 5457 input_data->x[0] ^= 1; 5458 TEST_EQUAL( psa_verify_message( key, alg, 5459 input_data->x, input_data->len, 5460 signature, signature_length ), 5461 PSA_ERROR_INVALID_SIGNATURE ); 5462 } 5463 5464exit: 5465 psa_reset_key_attributes( &attributes ); 5466 5467 psa_destroy_key( key ); 5468 mbedtls_free( signature ); 5469 PSA_DONE( ); 5470} 5471/* END_CASE */ 5472 5473/* BEGIN_CASE */ 5474void verify_message( int key_type_arg, 5475 data_t *key_data, 5476 int alg_arg, 5477 data_t *input_data, 5478 data_t *signature_data ) 5479{ 5480 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5481 psa_key_type_t key_type = key_type_arg; 5482 psa_algorithm_t alg = alg_arg; 5483 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5484 5485 TEST_ASSERT( signature_data->len <= PSA_SIGNATURE_MAX_SIZE ); 5486 5487 PSA_ASSERT( psa_crypto_init( ) ); 5488 5489 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_MESSAGE ); 5490 psa_set_key_algorithm( &attributes, alg ); 5491 psa_set_key_type( &attributes, key_type ); 5492 5493 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5494 &key ) ); 5495 5496 PSA_ASSERT( psa_verify_message( key, alg, 5497 input_data->x, input_data->len, 5498 signature_data->x, signature_data->len ) ); 5499 5500exit: 5501 psa_reset_key_attributes( &attributes ); 5502 psa_destroy_key( key ); 5503 PSA_DONE( ); 5504} 5505/* END_CASE */ 5506 5507/* BEGIN_CASE */ 5508void verify_message_fail( int key_type_arg, 5509 data_t *key_data, 5510 int alg_arg, 5511 data_t *hash_data, 5512 data_t *signature_data, 5513 int expected_status_arg ) 5514{ 5515 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5516 psa_key_type_t key_type = key_type_arg; 5517 psa_algorithm_t alg = alg_arg; 5518 psa_status_t actual_status; 5519 psa_status_t expected_status = expected_status_arg; 5520 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5521 5522 PSA_ASSERT( psa_crypto_init( ) ); 5523 5524 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_MESSAGE ); 5525 psa_set_key_algorithm( &attributes, alg ); 5526 psa_set_key_type( &attributes, key_type ); 5527 5528 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5529 &key ) ); 5530 5531 actual_status = psa_verify_message( key, alg, 5532 hash_data->x, hash_data->len, 5533 signature_data->x, 5534 signature_data->len ); 5535 TEST_EQUAL( actual_status, expected_status ); 5536 5537exit: 5538 psa_reset_key_attributes( &attributes ); 5539 psa_destroy_key( key ); 5540 PSA_DONE( ); 5541} 5542/* END_CASE */ 5543 5544/* BEGIN_CASE */ 5545void asymmetric_encrypt( int key_type_arg, 5546 data_t *key_data, 5547 int alg_arg, 5548 data_t *input_data, 5549 data_t *label, 5550 int expected_output_length_arg, 5551 int expected_status_arg ) 5552{ 5553 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5554 psa_key_type_t key_type = key_type_arg; 5555 psa_algorithm_t alg = alg_arg; 5556 size_t expected_output_length = expected_output_length_arg; 5557 size_t key_bits; 5558 unsigned char *output = NULL; 5559 size_t output_size; 5560 size_t output_length = ~0; 5561 psa_status_t actual_status; 5562 psa_status_t expected_status = expected_status_arg; 5563 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5564 5565 PSA_ASSERT( psa_crypto_init( ) ); 5566 5567 /* Import the key */ 5568 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 5569 psa_set_key_algorithm( &attributes, alg ); 5570 psa_set_key_type( &attributes, key_type ); 5571 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5572 &key ) ); 5573 5574 /* Determine the maximum output length */ 5575 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 5576 key_bits = psa_get_key_bits( &attributes ); 5577 5578 output_size = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE( key_type, key_bits, alg ); 5579 TEST_ASSERT( output_size <= PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE ); 5580 ASSERT_ALLOC( output, output_size ); 5581 5582 /* Encrypt the input */ 5583 actual_status = psa_asymmetric_encrypt( key, alg, 5584 input_data->x, input_data->len, 5585 label->x, label->len, 5586 output, output_size, 5587 &output_length ); 5588 TEST_EQUAL( actual_status, expected_status ); 5589 TEST_EQUAL( output_length, expected_output_length ); 5590 5591 /* If the label is empty, the test framework puts a non-null pointer 5592 * in label->x. Test that a null pointer works as well. */ 5593 if( label->len == 0 ) 5594 { 5595 output_length = ~0; 5596 if( output_size != 0 ) 5597 memset( output, 0, output_size ); 5598 actual_status = psa_asymmetric_encrypt( key, alg, 5599 input_data->x, input_data->len, 5600 NULL, label->len, 5601 output, output_size, 5602 &output_length ); 5603 TEST_EQUAL( actual_status, expected_status ); 5604 TEST_EQUAL( output_length, expected_output_length ); 5605 } 5606 5607exit: 5608 /* 5609 * Key attributes may have been returned by psa_get_key_attributes() 5610 * thus reset them as required. 5611 */ 5612 psa_reset_key_attributes( &attributes ); 5613 5614 psa_destroy_key( key ); 5615 mbedtls_free( output ); 5616 PSA_DONE( ); 5617} 5618/* END_CASE */ 5619 5620/* BEGIN_CASE */ 5621void asymmetric_encrypt_decrypt( int key_type_arg, 5622 data_t *key_data, 5623 int alg_arg, 5624 data_t *input_data, 5625 data_t *label ) 5626{ 5627 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5628 psa_key_type_t key_type = key_type_arg; 5629 psa_algorithm_t alg = alg_arg; 5630 size_t key_bits; 5631 unsigned char *output = NULL; 5632 size_t output_size; 5633 size_t output_length = ~0; 5634 unsigned char *output2 = NULL; 5635 size_t output2_size; 5636 size_t output2_length = ~0; 5637 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5638 5639 PSA_ASSERT( psa_crypto_init( ) ); 5640 5641 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 5642 psa_set_key_algorithm( &attributes, alg ); 5643 psa_set_key_type( &attributes, key_type ); 5644 5645 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5646 &key ) ); 5647 5648 /* Determine the maximum ciphertext length */ 5649 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 5650 key_bits = psa_get_key_bits( &attributes ); 5651 5652 output_size = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE( key_type, key_bits, alg ); 5653 TEST_ASSERT( output_size <= PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE ); 5654 ASSERT_ALLOC( output, output_size ); 5655 5656 output2_size = input_data->len; 5657 TEST_ASSERT( output2_size <= 5658 PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE( key_type, key_bits, alg ) ); 5659 TEST_ASSERT( output2_size <= PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE ); 5660 ASSERT_ALLOC( output2, output2_size ); 5661 5662 /* We test encryption by checking that encrypt-then-decrypt gives back 5663 * the original plaintext because of the non-optional random 5664 * part of encryption process which prevents using fixed vectors. */ 5665 PSA_ASSERT( psa_asymmetric_encrypt( key, alg, 5666 input_data->x, input_data->len, 5667 label->x, label->len, 5668 output, output_size, 5669 &output_length ) ); 5670 /* We don't know what ciphertext length to expect, but check that 5671 * it looks sensible. */ 5672 TEST_ASSERT( output_length <= output_size ); 5673 5674 PSA_ASSERT( psa_asymmetric_decrypt( key, alg, 5675 output, output_length, 5676 label->x, label->len, 5677 output2, output2_size, 5678 &output2_length ) ); 5679 ASSERT_COMPARE( input_data->x, input_data->len, 5680 output2, output2_length ); 5681 5682exit: 5683 /* 5684 * Key attributes may have been returned by psa_get_key_attributes() 5685 * thus reset them as required. 5686 */ 5687 psa_reset_key_attributes( &attributes ); 5688 5689 psa_destroy_key( key ); 5690 mbedtls_free( output ); 5691 mbedtls_free( output2 ); 5692 PSA_DONE( ); 5693} 5694/* END_CASE */ 5695 5696/* BEGIN_CASE */ 5697void asymmetric_decrypt( int key_type_arg, 5698 data_t *key_data, 5699 int alg_arg, 5700 data_t *input_data, 5701 data_t *label, 5702 data_t *expected_data ) 5703{ 5704 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5705 psa_key_type_t key_type = key_type_arg; 5706 psa_algorithm_t alg = alg_arg; 5707 size_t key_bits; 5708 unsigned char *output = NULL; 5709 size_t output_size = 0; 5710 size_t output_length = ~0; 5711 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5712 5713 PSA_ASSERT( psa_crypto_init( ) ); 5714 5715 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 5716 psa_set_key_algorithm( &attributes, alg ); 5717 psa_set_key_type( &attributes, key_type ); 5718 5719 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5720 &key ) ); 5721 5722 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 5723 key_bits = psa_get_key_bits( &attributes ); 5724 5725 /* Determine the maximum ciphertext length */ 5726 output_size = PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE( key_type, key_bits, alg ); 5727 TEST_ASSERT( output_size <= PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE ); 5728 ASSERT_ALLOC( output, output_size ); 5729 5730 PSA_ASSERT( psa_asymmetric_decrypt( key, alg, 5731 input_data->x, input_data->len, 5732 label->x, label->len, 5733 output, 5734 output_size, 5735 &output_length ) ); 5736 ASSERT_COMPARE( expected_data->x, expected_data->len, 5737 output, output_length ); 5738 5739 /* If the label is empty, the test framework puts a non-null pointer 5740 * in label->x. Test that a null pointer works as well. */ 5741 if( label->len == 0 ) 5742 { 5743 output_length = ~0; 5744 if( output_size != 0 ) 5745 memset( output, 0, output_size ); 5746 PSA_ASSERT( psa_asymmetric_decrypt( key, alg, 5747 input_data->x, input_data->len, 5748 NULL, label->len, 5749 output, 5750 output_size, 5751 &output_length ) ); 5752 ASSERT_COMPARE( expected_data->x, expected_data->len, 5753 output, output_length ); 5754 } 5755 5756exit: 5757 psa_reset_key_attributes( &attributes ); 5758 psa_destroy_key( key ); 5759 mbedtls_free( output ); 5760 PSA_DONE( ); 5761} 5762/* END_CASE */ 5763 5764/* BEGIN_CASE */ 5765void asymmetric_decrypt_fail( int key_type_arg, 5766 data_t *key_data, 5767 int alg_arg, 5768 data_t *input_data, 5769 data_t *label, 5770 int output_size_arg, 5771 int expected_status_arg ) 5772{ 5773 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5774 psa_key_type_t key_type = key_type_arg; 5775 psa_algorithm_t alg = alg_arg; 5776 unsigned char *output = NULL; 5777 size_t output_size = output_size_arg; 5778 size_t output_length = ~0; 5779 psa_status_t actual_status; 5780 psa_status_t expected_status = expected_status_arg; 5781 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5782 5783 ASSERT_ALLOC( output, output_size ); 5784 5785 PSA_ASSERT( psa_crypto_init( ) ); 5786 5787 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 5788 psa_set_key_algorithm( &attributes, alg ); 5789 psa_set_key_type( &attributes, key_type ); 5790 5791 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5792 &key ) ); 5793 5794 actual_status = psa_asymmetric_decrypt( key, alg, 5795 input_data->x, input_data->len, 5796 label->x, label->len, 5797 output, output_size, 5798 &output_length ); 5799 TEST_EQUAL( actual_status, expected_status ); 5800 TEST_ASSERT( output_length <= output_size ); 5801 5802 /* If the label is empty, the test framework puts a non-null pointer 5803 * in label->x. Test that a null pointer works as well. */ 5804 if( label->len == 0 ) 5805 { 5806 output_length = ~0; 5807 if( output_size != 0 ) 5808 memset( output, 0, output_size ); 5809 actual_status = psa_asymmetric_decrypt( key, alg, 5810 input_data->x, input_data->len, 5811 NULL, label->len, 5812 output, output_size, 5813 &output_length ); 5814 TEST_EQUAL( actual_status, expected_status ); 5815 TEST_ASSERT( output_length <= output_size ); 5816 } 5817 5818exit: 5819 psa_reset_key_attributes( &attributes ); 5820 psa_destroy_key( key ); 5821 mbedtls_free( output ); 5822 PSA_DONE( ); 5823} 5824/* END_CASE */ 5825 5826/* BEGIN_CASE */ 5827void key_derivation_init( ) 5828{ 5829 /* Test each valid way of initializing the object, except for `= {0}`, as 5830 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 5831 * though it's OK by the C standard. We could test for this, but we'd need 5832 * to supress the Clang warning for the test. */ 5833 size_t capacity; 5834 psa_key_derivation_operation_t func = psa_key_derivation_operation_init( ); 5835 psa_key_derivation_operation_t init = PSA_KEY_DERIVATION_OPERATION_INIT; 5836 psa_key_derivation_operation_t zero; 5837 5838 memset( &zero, 0, sizeof( zero ) ); 5839 5840 /* A default operation should not be able to report its capacity. */ 5841 TEST_EQUAL( psa_key_derivation_get_capacity( &func, &capacity ), 5842 PSA_ERROR_BAD_STATE ); 5843 TEST_EQUAL( psa_key_derivation_get_capacity( &init, &capacity ), 5844 PSA_ERROR_BAD_STATE ); 5845 TEST_EQUAL( psa_key_derivation_get_capacity( &zero, &capacity ), 5846 PSA_ERROR_BAD_STATE ); 5847 5848 /* A default operation should be abortable without error. */ 5849 PSA_ASSERT( psa_key_derivation_abort(&func) ); 5850 PSA_ASSERT( psa_key_derivation_abort(&init) ); 5851 PSA_ASSERT( psa_key_derivation_abort(&zero) ); 5852} 5853/* END_CASE */ 5854 5855/* BEGIN_CASE */ 5856void derive_setup( int alg_arg, int expected_status_arg ) 5857{ 5858 psa_algorithm_t alg = alg_arg; 5859 psa_status_t expected_status = expected_status_arg; 5860 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 5861 5862 PSA_ASSERT( psa_crypto_init( ) ); 5863 5864 TEST_EQUAL( psa_key_derivation_setup( &operation, alg ), 5865 expected_status ); 5866 5867exit: 5868 psa_key_derivation_abort( &operation ); 5869 PSA_DONE( ); 5870} 5871/* END_CASE */ 5872 5873/* BEGIN_CASE */ 5874void derive_set_capacity( int alg_arg, int capacity_arg, 5875 int expected_status_arg ) 5876{ 5877 psa_algorithm_t alg = alg_arg; 5878 size_t capacity = capacity_arg; 5879 psa_status_t expected_status = expected_status_arg; 5880 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 5881 5882 PSA_ASSERT( psa_crypto_init( ) ); 5883 5884 PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); 5885 5886 TEST_EQUAL( psa_key_derivation_set_capacity( &operation, capacity ), 5887 expected_status ); 5888 5889exit: 5890 psa_key_derivation_abort( &operation ); 5891 PSA_DONE( ); 5892} 5893/* END_CASE */ 5894 5895/* BEGIN_CASE */ 5896void derive_input( int alg_arg, 5897 int step_arg1, int key_type_arg1, data_t *input1, 5898 int expected_status_arg1, 5899 int step_arg2, int key_type_arg2, data_t *input2, 5900 int expected_status_arg2, 5901 int step_arg3, int key_type_arg3, data_t *input3, 5902 int expected_status_arg3, 5903 int output_key_type_arg, int expected_output_status_arg ) 5904{ 5905 psa_algorithm_t alg = alg_arg; 5906 psa_key_derivation_step_t steps[] = {step_arg1, step_arg2, step_arg3}; 5907 psa_key_type_t key_types[] = {key_type_arg1, key_type_arg2, key_type_arg3}; 5908 psa_status_t expected_statuses[] = {expected_status_arg1, 5909 expected_status_arg2, 5910 expected_status_arg3}; 5911 data_t *inputs[] = {input1, input2, input3}; 5912 mbedtls_svc_key_id_t keys[] = { MBEDTLS_SVC_KEY_ID_INIT, 5913 MBEDTLS_SVC_KEY_ID_INIT, 5914 MBEDTLS_SVC_KEY_ID_INIT }; 5915 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 5916 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5917 size_t i; 5918 psa_key_type_t output_key_type = output_key_type_arg; 5919 mbedtls_svc_key_id_t output_key = MBEDTLS_SVC_KEY_ID_INIT; 5920 psa_status_t expected_output_status = expected_output_status_arg; 5921 psa_status_t actual_output_status; 5922 5923 PSA_ASSERT( psa_crypto_init( ) ); 5924 5925 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 5926 psa_set_key_algorithm( &attributes, alg ); 5927 5928 PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); 5929 5930 for( i = 0; i < ARRAY_LENGTH( steps ); i++ ) 5931 { 5932 mbedtls_test_set_step( i ); 5933 if( steps[i] == 0 ) 5934 { 5935 /* Skip this step */ 5936 } 5937 else if( key_types[i] != PSA_KEY_TYPE_NONE ) 5938 { 5939 psa_set_key_type( &attributes, key_types[i] ); 5940 PSA_ASSERT( psa_import_key( &attributes, 5941 inputs[i]->x, inputs[i]->len, 5942 &keys[i] ) ); 5943 if( PSA_KEY_TYPE_IS_KEY_PAIR( key_types[i] ) && 5944 steps[i] == PSA_KEY_DERIVATION_INPUT_SECRET ) 5945 { 5946 // When taking a private key as secret input, use key agreement 5947 // to add the shared secret to the derivation 5948 TEST_EQUAL( mbedtls_test_psa_key_agreement_with_self( 5949 &operation, keys[i] ), 5950 expected_statuses[i] ); 5951 } 5952 else 5953 { 5954 TEST_EQUAL( psa_key_derivation_input_key( &operation, steps[i], 5955 keys[i] ), 5956 expected_statuses[i] ); 5957 } 5958 } 5959 else 5960 { 5961 TEST_EQUAL( psa_key_derivation_input_bytes( 5962 &operation, steps[i], 5963 inputs[i]->x, inputs[i]->len ), 5964 expected_statuses[i] ); 5965 } 5966 } 5967 5968 if( output_key_type != PSA_KEY_TYPE_NONE ) 5969 { 5970 psa_reset_key_attributes( &attributes ); 5971 psa_set_key_type( &attributes, output_key_type ); 5972 psa_set_key_bits( &attributes, 8 ); 5973 actual_output_status = 5974 psa_key_derivation_output_key( &attributes, &operation, 5975 &output_key ); 5976 } 5977 else 5978 { 5979 uint8_t buffer[1]; 5980 actual_output_status = 5981 psa_key_derivation_output_bytes( &operation, 5982 buffer, sizeof( buffer ) ); 5983 } 5984 TEST_EQUAL( actual_output_status, expected_output_status ); 5985 5986exit: 5987 psa_key_derivation_abort( &operation ); 5988 for( i = 0; i < ARRAY_LENGTH( keys ); i++ ) 5989 psa_destroy_key( keys[i] ); 5990 psa_destroy_key( output_key ); 5991 PSA_DONE( ); 5992} 5993/* END_CASE */ 5994 5995/* BEGIN_CASE */ 5996void derive_over_capacity( int alg_arg ) 5997{ 5998 psa_algorithm_t alg = alg_arg; 5999 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6000 size_t key_type = PSA_KEY_TYPE_DERIVE; 6001 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 6002 unsigned char input1[] = "Input 1"; 6003 size_t input1_length = sizeof( input1 ); 6004 unsigned char input2[] = "Input 2"; 6005 size_t input2_length = sizeof( input2 ); 6006 uint8_t buffer[42]; 6007 size_t capacity = sizeof( buffer ); 6008 const uint8_t key_data[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 6009 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 6010 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b}; 6011 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6012 6013 PSA_ASSERT( psa_crypto_init( ) ); 6014 6015 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 6016 psa_set_key_algorithm( &attributes, alg ); 6017 psa_set_key_type( &attributes, key_type ); 6018 6019 PSA_ASSERT( psa_import_key( &attributes, 6020 key_data, sizeof( key_data ), 6021 &key ) ); 6022 6023 /* valid key derivation */ 6024 if( !mbedtls_test_psa_setup_key_derivation_wrap( &operation, key, alg, 6025 input1, input1_length, 6026 input2, input2_length, 6027 capacity ) ) 6028 goto exit; 6029 6030 /* state of operation shouldn't allow additional generation */ 6031 TEST_EQUAL( psa_key_derivation_setup( &operation, alg ), 6032 PSA_ERROR_BAD_STATE ); 6033 6034 PSA_ASSERT( psa_key_derivation_output_bytes( &operation, buffer, capacity ) ); 6035 6036 TEST_EQUAL( psa_key_derivation_output_bytes( &operation, buffer, capacity ), 6037 PSA_ERROR_INSUFFICIENT_DATA ); 6038 6039exit: 6040 psa_key_derivation_abort( &operation ); 6041 psa_destroy_key( key ); 6042 PSA_DONE( ); 6043} 6044/* END_CASE */ 6045 6046/* BEGIN_CASE */ 6047void derive_actions_without_setup( ) 6048{ 6049 uint8_t output_buffer[16]; 6050 size_t buffer_size = 16; 6051 size_t capacity = 0; 6052 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 6053 6054 TEST_ASSERT( psa_key_derivation_output_bytes( &operation, 6055 output_buffer, buffer_size ) 6056 == PSA_ERROR_BAD_STATE ); 6057 6058 TEST_ASSERT( psa_key_derivation_get_capacity( &operation, &capacity ) 6059 == PSA_ERROR_BAD_STATE ); 6060 6061 PSA_ASSERT( psa_key_derivation_abort( &operation ) ); 6062 6063 TEST_ASSERT( psa_key_derivation_output_bytes( &operation, 6064 output_buffer, buffer_size ) 6065 == PSA_ERROR_BAD_STATE ); 6066 6067 TEST_ASSERT( psa_key_derivation_get_capacity( &operation, &capacity ) 6068 == PSA_ERROR_BAD_STATE ); 6069 6070exit: 6071 psa_key_derivation_abort( &operation ); 6072} 6073/* END_CASE */ 6074 6075/* BEGIN_CASE */ 6076void derive_output( int alg_arg, 6077 int step1_arg, data_t *input1, 6078 int step2_arg, data_t *input2, 6079 int step3_arg, data_t *input3, 6080 int requested_capacity_arg, 6081 data_t *expected_output1, 6082 data_t *expected_output2 ) 6083{ 6084 psa_algorithm_t alg = alg_arg; 6085 psa_key_derivation_step_t steps[] = {step1_arg, step2_arg, step3_arg}; 6086 data_t *inputs[] = {input1, input2, input3}; 6087 mbedtls_svc_key_id_t keys[] = { MBEDTLS_SVC_KEY_ID_INIT, 6088 MBEDTLS_SVC_KEY_ID_INIT, 6089 MBEDTLS_SVC_KEY_ID_INIT }; 6090 size_t requested_capacity = requested_capacity_arg; 6091 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 6092 uint8_t *expected_outputs[2] = 6093 {expected_output1->x, expected_output2->x}; 6094 size_t output_sizes[2] = 6095 {expected_output1->len, expected_output2->len}; 6096 size_t output_buffer_size = 0; 6097 uint8_t *output_buffer = NULL; 6098 size_t expected_capacity; 6099 size_t current_capacity; 6100 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6101 psa_status_t status; 6102 size_t i; 6103 6104 for( i = 0; i < ARRAY_LENGTH( expected_outputs ); i++ ) 6105 { 6106 if( output_sizes[i] > output_buffer_size ) 6107 output_buffer_size = output_sizes[i]; 6108 if( output_sizes[i] == 0 ) 6109 expected_outputs[i] = NULL; 6110 } 6111 ASSERT_ALLOC( output_buffer, output_buffer_size ); 6112 PSA_ASSERT( psa_crypto_init( ) ); 6113 6114 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 6115 psa_set_key_algorithm( &attributes, alg ); 6116 psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE ); 6117 6118 /* Extraction phase. */ 6119 PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); 6120 PSA_ASSERT( psa_key_derivation_set_capacity( &operation, 6121 requested_capacity ) ); 6122 for( i = 0; i < ARRAY_LENGTH( steps ); i++ ) 6123 { 6124 switch( steps[i] ) 6125 { 6126 case 0: 6127 break; 6128 case PSA_KEY_DERIVATION_INPUT_SECRET: 6129 PSA_ASSERT( psa_import_key( &attributes, 6130 inputs[i]->x, inputs[i]->len, 6131 &keys[i] ) ); 6132 6133 if ( PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) ) 6134 { 6135 PSA_ASSERT( psa_get_key_attributes( keys[i], &attributes ) ); 6136 TEST_ASSERT( PSA_BITS_TO_BYTES( psa_get_key_bits( &attributes ) ) <= 6137 PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE ); 6138 } 6139 6140 PSA_ASSERT( psa_key_derivation_input_key( 6141 &operation, steps[i], keys[i] ) ); 6142 break; 6143 default: 6144 PSA_ASSERT( psa_key_derivation_input_bytes( 6145 &operation, steps[i], 6146 inputs[i]->x, inputs[i]->len ) ); 6147 break; 6148 } 6149 } 6150 6151 PSA_ASSERT( psa_key_derivation_get_capacity( &operation, 6152 ¤t_capacity ) ); 6153 TEST_EQUAL( current_capacity, requested_capacity ); 6154 expected_capacity = requested_capacity; 6155 6156 /* Expansion phase. */ 6157 for( i = 0; i < ARRAY_LENGTH( expected_outputs ); i++ ) 6158 { 6159 /* Read some bytes. */ 6160 status = psa_key_derivation_output_bytes( &operation, 6161 output_buffer, output_sizes[i] ); 6162 if( expected_capacity == 0 && output_sizes[i] == 0 ) 6163 { 6164 /* Reading 0 bytes when 0 bytes are available can go either way. */ 6165 TEST_ASSERT( status == PSA_SUCCESS || 6166 status == PSA_ERROR_INSUFFICIENT_DATA ); 6167 continue; 6168 } 6169 else if( expected_capacity == 0 || 6170 output_sizes[i] > expected_capacity ) 6171 { 6172 /* Capacity exceeded. */ 6173 TEST_EQUAL( status, PSA_ERROR_INSUFFICIENT_DATA ); 6174 expected_capacity = 0; 6175 continue; 6176 } 6177 /* Success. Check the read data. */ 6178 PSA_ASSERT( status ); 6179 if( output_sizes[i] != 0 ) 6180 ASSERT_COMPARE( output_buffer, output_sizes[i], 6181 expected_outputs[i], output_sizes[i] ); 6182 /* Check the operation status. */ 6183 expected_capacity -= output_sizes[i]; 6184 PSA_ASSERT( psa_key_derivation_get_capacity( &operation, 6185 ¤t_capacity ) ); 6186 TEST_EQUAL( expected_capacity, current_capacity ); 6187 } 6188 PSA_ASSERT( psa_key_derivation_abort( &operation ) ); 6189 6190exit: 6191 mbedtls_free( output_buffer ); 6192 psa_key_derivation_abort( &operation ); 6193 for( i = 0; i < ARRAY_LENGTH( keys ); i++ ) 6194 psa_destroy_key( keys[i] ); 6195 PSA_DONE( ); 6196} 6197/* END_CASE */ 6198 6199/* BEGIN_CASE */ 6200void derive_full( int alg_arg, 6201 data_t *key_data, 6202 data_t *input1, 6203 data_t *input2, 6204 int requested_capacity_arg ) 6205{ 6206 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6207 psa_algorithm_t alg = alg_arg; 6208 size_t requested_capacity = requested_capacity_arg; 6209 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 6210 unsigned char output_buffer[16]; 6211 size_t expected_capacity = requested_capacity; 6212 size_t current_capacity; 6213 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6214 6215 PSA_ASSERT( psa_crypto_init( ) ); 6216 6217 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 6218 psa_set_key_algorithm( &attributes, alg ); 6219 psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE ); 6220 6221 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 6222 &key ) ); 6223 6224 if( !mbedtls_test_psa_setup_key_derivation_wrap( &operation, key, alg, 6225 input1->x, input1->len, 6226 input2->x, input2->len, 6227 requested_capacity ) ) 6228 goto exit; 6229 6230 PSA_ASSERT( psa_key_derivation_get_capacity( &operation, 6231 ¤t_capacity ) ); 6232 TEST_EQUAL( current_capacity, expected_capacity ); 6233 6234 /* Expansion phase. */ 6235 while( current_capacity > 0 ) 6236 { 6237 size_t read_size = sizeof( output_buffer ); 6238 if( read_size > current_capacity ) 6239 read_size = current_capacity; 6240 PSA_ASSERT( psa_key_derivation_output_bytes( &operation, 6241 output_buffer, 6242 read_size ) ); 6243 expected_capacity -= read_size; 6244 PSA_ASSERT( psa_key_derivation_get_capacity( &operation, 6245 ¤t_capacity ) ); 6246 TEST_EQUAL( current_capacity, expected_capacity ); 6247 } 6248 6249 /* Check that the operation refuses to go over capacity. */ 6250 TEST_EQUAL( psa_key_derivation_output_bytes( &operation, output_buffer, 1 ), 6251 PSA_ERROR_INSUFFICIENT_DATA ); 6252 6253 PSA_ASSERT( psa_key_derivation_abort( &operation ) ); 6254 6255exit: 6256 psa_key_derivation_abort( &operation ); 6257 psa_destroy_key( key ); 6258 PSA_DONE( ); 6259} 6260/* END_CASE */ 6261 6262/* BEGIN_CASE */ 6263void derive_key_exercise( int alg_arg, 6264 data_t *key_data, 6265 data_t *input1, 6266 data_t *input2, 6267 int derived_type_arg, 6268 int derived_bits_arg, 6269 int derived_usage_arg, 6270 int derived_alg_arg ) 6271{ 6272 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 6273 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 6274 psa_algorithm_t alg = alg_arg; 6275 psa_key_type_t derived_type = derived_type_arg; 6276 size_t derived_bits = derived_bits_arg; 6277 psa_key_usage_t derived_usage = derived_usage_arg; 6278 psa_algorithm_t derived_alg = derived_alg_arg; 6279 size_t capacity = PSA_BITS_TO_BYTES( derived_bits ); 6280 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 6281 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6282 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 6283 6284 PSA_ASSERT( psa_crypto_init( ) ); 6285 6286 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 6287 psa_set_key_algorithm( &attributes, alg ); 6288 psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE ); 6289 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 6290 &base_key ) ); 6291 6292 /* Derive a key. */ 6293 if ( mbedtls_test_psa_setup_key_derivation_wrap( &operation, base_key, alg, 6294 input1->x, input1->len, 6295 input2->x, input2->len, 6296 capacity ) ) 6297 goto exit; 6298 6299 psa_set_key_usage_flags( &attributes, derived_usage ); 6300 psa_set_key_algorithm( &attributes, derived_alg ); 6301 psa_set_key_type( &attributes, derived_type ); 6302 psa_set_key_bits( &attributes, derived_bits ); 6303 PSA_ASSERT( psa_key_derivation_output_key( &attributes, &operation, 6304 &derived_key ) ); 6305 6306 /* Test the key information */ 6307 PSA_ASSERT( psa_get_key_attributes( derived_key, &got_attributes ) ); 6308 TEST_EQUAL( psa_get_key_type( &got_attributes ), derived_type ); 6309 TEST_EQUAL( psa_get_key_bits( &got_attributes ), derived_bits ); 6310 6311 /* Exercise the derived key. */ 6312 if( ! mbedtls_test_psa_exercise_key( derived_key, derived_usage, derived_alg ) ) 6313 goto exit; 6314 6315exit: 6316 /* 6317 * Key attributes may have been returned by psa_get_key_attributes() 6318 * thus reset them as required. 6319 */ 6320 psa_reset_key_attributes( &got_attributes ); 6321 6322 psa_key_derivation_abort( &operation ); 6323 psa_destroy_key( base_key ); 6324 psa_destroy_key( derived_key ); 6325 PSA_DONE( ); 6326} 6327/* END_CASE */ 6328 6329/* BEGIN_CASE */ 6330void derive_key_export( int alg_arg, 6331 data_t *key_data, 6332 data_t *input1, 6333 data_t *input2, 6334 int bytes1_arg, 6335 int bytes2_arg ) 6336{ 6337 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 6338 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 6339 psa_algorithm_t alg = alg_arg; 6340 size_t bytes1 = bytes1_arg; 6341 size_t bytes2 = bytes2_arg; 6342 size_t capacity = bytes1 + bytes2; 6343 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 6344 uint8_t *output_buffer = NULL; 6345 uint8_t *export_buffer = NULL; 6346 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 6347 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; 6348 size_t length; 6349 6350 ASSERT_ALLOC( output_buffer, capacity ); 6351 ASSERT_ALLOC( export_buffer, capacity ); 6352 PSA_ASSERT( psa_crypto_init( ) ); 6353 6354 psa_set_key_usage_flags( &base_attributes, PSA_KEY_USAGE_DERIVE ); 6355 psa_set_key_algorithm( &base_attributes, alg ); 6356 psa_set_key_type( &base_attributes, PSA_KEY_TYPE_DERIVE ); 6357 PSA_ASSERT( psa_import_key( &base_attributes, key_data->x, key_data->len, 6358 &base_key ) ); 6359 6360 /* Derive some material and output it. */ 6361 if( !mbedtls_test_psa_setup_key_derivation_wrap( &operation, base_key, alg, 6362 input1->x, input1->len, 6363 input2->x, input2->len, 6364 capacity ) ) 6365 goto exit; 6366 6367 PSA_ASSERT( psa_key_derivation_output_bytes( &operation, 6368 output_buffer, 6369 capacity ) ); 6370 PSA_ASSERT( psa_key_derivation_abort( &operation ) ); 6371 6372 /* Derive the same output again, but this time store it in key objects. */ 6373 if( !mbedtls_test_psa_setup_key_derivation_wrap( &operation, base_key, alg, 6374 input1->x, input1->len, 6375 input2->x, input2->len, 6376 capacity ) ) 6377 goto exit; 6378 6379 psa_set_key_usage_flags( &derived_attributes, PSA_KEY_USAGE_EXPORT ); 6380 psa_set_key_algorithm( &derived_attributes, 0 ); 6381 psa_set_key_type( &derived_attributes, PSA_KEY_TYPE_RAW_DATA ); 6382 psa_set_key_bits( &derived_attributes, PSA_BYTES_TO_BITS( bytes1 ) ); 6383 PSA_ASSERT( psa_key_derivation_output_key( &derived_attributes, &operation, 6384 &derived_key ) ); 6385 PSA_ASSERT( psa_export_key( derived_key, 6386 export_buffer, bytes1, 6387 &length ) ); 6388 TEST_EQUAL( length, bytes1 ); 6389 PSA_ASSERT( psa_destroy_key( derived_key ) ); 6390 psa_set_key_bits( &derived_attributes, PSA_BYTES_TO_BITS( bytes2 ) ); 6391 PSA_ASSERT( psa_key_derivation_output_key( &derived_attributes, &operation, 6392 &derived_key ) ); 6393 PSA_ASSERT( psa_export_key( derived_key, 6394 export_buffer + bytes1, bytes2, 6395 &length ) ); 6396 TEST_EQUAL( length, bytes2 ); 6397 6398 /* Compare the outputs from the two runs. */ 6399 ASSERT_COMPARE( output_buffer, bytes1 + bytes2, 6400 export_buffer, capacity ); 6401 6402exit: 6403 mbedtls_free( output_buffer ); 6404 mbedtls_free( export_buffer ); 6405 psa_key_derivation_abort( &operation ); 6406 psa_destroy_key( base_key ); 6407 psa_destroy_key( derived_key ); 6408 PSA_DONE( ); 6409} 6410/* END_CASE */ 6411 6412/* BEGIN_CASE */ 6413void derive_key( int alg_arg, 6414 data_t *key_data, data_t *input1, data_t *input2, 6415 int type_arg, int bits_arg, 6416 int expected_status_arg, 6417 int is_large_output ) 6418{ 6419 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 6420 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 6421 psa_algorithm_t alg = alg_arg; 6422 psa_key_type_t type = type_arg; 6423 size_t bits = bits_arg; 6424 psa_status_t expected_status = expected_status_arg; 6425 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 6426 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 6427 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; 6428 6429 PSA_ASSERT( psa_crypto_init( ) ); 6430 6431 psa_set_key_usage_flags( &base_attributes, PSA_KEY_USAGE_DERIVE ); 6432 psa_set_key_algorithm( &base_attributes, alg ); 6433 psa_set_key_type( &base_attributes, PSA_KEY_TYPE_DERIVE ); 6434 PSA_ASSERT( psa_import_key( &base_attributes, key_data->x, key_data->len, 6435 &base_key ) ); 6436 6437 if( !mbedtls_test_psa_setup_key_derivation_wrap( &operation, base_key, alg, 6438 input1->x, input1->len, 6439 input2->x, input2->len, 6440 SIZE_MAX ) ) 6441 goto exit; 6442 6443 psa_set_key_usage_flags( &derived_attributes, PSA_KEY_USAGE_EXPORT ); 6444 psa_set_key_algorithm( &derived_attributes, 0 ); 6445 psa_set_key_type( &derived_attributes, type ); 6446 psa_set_key_bits( &derived_attributes, bits ); 6447 6448 psa_status_t status = 6449 psa_key_derivation_output_key( &derived_attributes, 6450 &operation, 6451 &derived_key ); 6452 if( is_large_output > 0 ) 6453 TEST_ASSUME( status != PSA_ERROR_INSUFFICIENT_MEMORY ); 6454 TEST_EQUAL( status, expected_status ); 6455 6456exit: 6457 psa_key_derivation_abort( &operation ); 6458 psa_destroy_key( base_key ); 6459 psa_destroy_key( derived_key ); 6460 PSA_DONE( ); 6461} 6462/* END_CASE */ 6463 6464/* BEGIN_CASE */ 6465void key_agreement_setup( int alg_arg, 6466 int our_key_type_arg, int our_key_alg_arg, 6467 data_t *our_key_data, data_t *peer_key_data, 6468 int expected_status_arg ) 6469{ 6470 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 6471 psa_algorithm_t alg = alg_arg; 6472 psa_algorithm_t our_key_alg = our_key_alg_arg; 6473 psa_key_type_t our_key_type = our_key_type_arg; 6474 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 6475 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6476 psa_status_t expected_status = expected_status_arg; 6477 psa_status_t status; 6478 6479 PSA_ASSERT( psa_crypto_init( ) ); 6480 6481 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 6482 psa_set_key_algorithm( &attributes, our_key_alg ); 6483 psa_set_key_type( &attributes, our_key_type ); 6484 PSA_ASSERT( psa_import_key( &attributes, 6485 our_key_data->x, our_key_data->len, 6486 &our_key ) ); 6487 6488 /* The tests currently include inputs that should fail at either step. 6489 * Test cases that fail at the setup step should be changed to call 6490 * key_derivation_setup instead, and this function should be renamed 6491 * to key_agreement_fail. */ 6492 status = psa_key_derivation_setup( &operation, alg ); 6493 if( status == PSA_SUCCESS ) 6494 { 6495 TEST_EQUAL( psa_key_derivation_key_agreement( 6496 &operation, PSA_KEY_DERIVATION_INPUT_SECRET, 6497 our_key, 6498 peer_key_data->x, peer_key_data->len ), 6499 expected_status ); 6500 } 6501 else 6502 { 6503 TEST_ASSERT( status == expected_status ); 6504 } 6505 6506exit: 6507 psa_key_derivation_abort( &operation ); 6508 psa_destroy_key( our_key ); 6509 PSA_DONE( ); 6510} 6511/* END_CASE */ 6512 6513/* BEGIN_CASE */ 6514void raw_key_agreement( int alg_arg, 6515 int our_key_type_arg, data_t *our_key_data, 6516 data_t *peer_key_data, 6517 data_t *expected_output ) 6518{ 6519 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 6520 psa_algorithm_t alg = alg_arg; 6521 psa_key_type_t our_key_type = our_key_type_arg; 6522 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6523 unsigned char *output = NULL; 6524 size_t output_length = ~0; 6525 size_t key_bits; 6526 6527 ASSERT_ALLOC( output, expected_output->len ); 6528 PSA_ASSERT( psa_crypto_init( ) ); 6529 6530 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 6531 psa_set_key_algorithm( &attributes, alg ); 6532 psa_set_key_type( &attributes, our_key_type ); 6533 PSA_ASSERT( psa_import_key( &attributes, 6534 our_key_data->x, our_key_data->len, 6535 &our_key ) ); 6536 6537 PSA_ASSERT( psa_get_key_attributes( our_key, &attributes ) ); 6538 key_bits = psa_get_key_bits( &attributes ); 6539 6540 PSA_ASSERT( psa_raw_key_agreement( alg, our_key, 6541 peer_key_data->x, peer_key_data->len, 6542 output, expected_output->len, 6543 &output_length ) ); 6544 ASSERT_COMPARE( output, output_length, 6545 expected_output->x, expected_output->len ); 6546 TEST_ASSERT( output_length <= 6547 PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE( our_key_type, key_bits ) ); 6548 TEST_ASSERT( output_length <= 6549 PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE ); 6550 6551exit: 6552 mbedtls_free( output ); 6553 psa_destroy_key( our_key ); 6554 PSA_DONE( ); 6555} 6556/* END_CASE */ 6557 6558/* BEGIN_CASE */ 6559void key_agreement_capacity( int alg_arg, 6560 int our_key_type_arg, data_t *our_key_data, 6561 data_t *peer_key_data, 6562 int expected_capacity_arg ) 6563{ 6564 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 6565 psa_algorithm_t alg = alg_arg; 6566 psa_key_type_t our_key_type = our_key_type_arg; 6567 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 6568 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6569 size_t actual_capacity; 6570 unsigned char output[16]; 6571 6572 PSA_ASSERT( psa_crypto_init( ) ); 6573 6574 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 6575 psa_set_key_algorithm( &attributes, alg ); 6576 psa_set_key_type( &attributes, our_key_type ); 6577 PSA_ASSERT( psa_import_key( &attributes, 6578 our_key_data->x, our_key_data->len, 6579 &our_key ) ); 6580 6581 PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); 6582 PSA_ASSERT( psa_key_derivation_key_agreement( 6583 &operation, 6584 PSA_KEY_DERIVATION_INPUT_SECRET, our_key, 6585 peer_key_data->x, peer_key_data->len ) ); 6586 if( PSA_ALG_IS_HKDF( PSA_ALG_KEY_AGREEMENT_GET_KDF( alg ) ) ) 6587 { 6588 /* The test data is for info="" */ 6589 PSA_ASSERT( psa_key_derivation_input_bytes( &operation, 6590 PSA_KEY_DERIVATION_INPUT_INFO, 6591 NULL, 0 ) ); 6592 } 6593 6594 /* Test the advertized capacity. */ 6595 PSA_ASSERT( psa_key_derivation_get_capacity( 6596 &operation, &actual_capacity ) ); 6597 TEST_EQUAL( actual_capacity, (size_t) expected_capacity_arg ); 6598 6599 /* Test the actual capacity by reading the output. */ 6600 while( actual_capacity > sizeof( output ) ) 6601 { 6602 PSA_ASSERT( psa_key_derivation_output_bytes( &operation, 6603 output, sizeof( output ) ) ); 6604 actual_capacity -= sizeof( output ); 6605 } 6606 PSA_ASSERT( psa_key_derivation_output_bytes( &operation, 6607 output, actual_capacity ) ); 6608 TEST_EQUAL( psa_key_derivation_output_bytes( &operation, output, 1 ), 6609 PSA_ERROR_INSUFFICIENT_DATA ); 6610 6611exit: 6612 psa_key_derivation_abort( &operation ); 6613 psa_destroy_key( our_key ); 6614 PSA_DONE( ); 6615} 6616/* END_CASE */ 6617 6618/* BEGIN_CASE */ 6619void key_agreement_output( int alg_arg, 6620 int our_key_type_arg, data_t *our_key_data, 6621 data_t *peer_key_data, 6622 data_t *expected_output1, data_t *expected_output2 ) 6623{ 6624 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 6625 psa_algorithm_t alg = alg_arg; 6626 psa_key_type_t our_key_type = our_key_type_arg; 6627 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 6628 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6629 uint8_t *actual_output = NULL; 6630 6631 ASSERT_ALLOC( actual_output, MAX( expected_output1->len, 6632 expected_output2->len ) ); 6633 6634 PSA_ASSERT( psa_crypto_init( ) ); 6635 6636 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 6637 psa_set_key_algorithm( &attributes, alg ); 6638 psa_set_key_type( &attributes, our_key_type ); 6639 PSA_ASSERT( psa_import_key( &attributes, 6640 our_key_data->x, our_key_data->len, 6641 &our_key ) ); 6642 6643 PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); 6644 PSA_ASSERT( psa_key_derivation_key_agreement( 6645 &operation, 6646 PSA_KEY_DERIVATION_INPUT_SECRET, our_key, 6647 peer_key_data->x, peer_key_data->len ) ); 6648 if( PSA_ALG_IS_HKDF( PSA_ALG_KEY_AGREEMENT_GET_KDF( alg ) ) ) 6649 { 6650 /* The test data is for info="" */ 6651 PSA_ASSERT( psa_key_derivation_input_bytes( &operation, 6652 PSA_KEY_DERIVATION_INPUT_INFO, 6653 NULL, 0 ) ); 6654 } 6655 6656 PSA_ASSERT( psa_key_derivation_output_bytes( &operation, 6657 actual_output, 6658 expected_output1->len ) ); 6659 ASSERT_COMPARE( actual_output, expected_output1->len, 6660 expected_output1->x, expected_output1->len ); 6661 if( expected_output2->len != 0 ) 6662 { 6663 PSA_ASSERT( psa_key_derivation_output_bytes( &operation, 6664 actual_output, 6665 expected_output2->len ) ); 6666 ASSERT_COMPARE( actual_output, expected_output2->len, 6667 expected_output2->x, expected_output2->len ); 6668 } 6669 6670exit: 6671 psa_key_derivation_abort( &operation ); 6672 psa_destroy_key( our_key ); 6673 PSA_DONE( ); 6674 mbedtls_free( actual_output ); 6675} 6676/* END_CASE */ 6677 6678/* BEGIN_CASE */ 6679void generate_random( int bytes_arg ) 6680{ 6681 size_t bytes = bytes_arg; 6682 unsigned char *output = NULL; 6683 unsigned char *changed = NULL; 6684 size_t i; 6685 unsigned run; 6686 6687 TEST_ASSERT( bytes_arg >= 0 ); 6688 6689 ASSERT_ALLOC( output, bytes ); 6690 ASSERT_ALLOC( changed, bytes ); 6691 6692 PSA_ASSERT( psa_crypto_init( ) ); 6693 6694 /* Run several times, to ensure that every output byte will be 6695 * nonzero at least once with overwhelming probability 6696 * (2^(-8*number_of_runs)). */ 6697 for( run = 0; run < 10; run++ ) 6698 { 6699 if( bytes != 0 ) 6700 memset( output, 0, bytes ); 6701 PSA_ASSERT( psa_generate_random( output, bytes ) ); 6702 6703 for( i = 0; i < bytes; i++ ) 6704 { 6705 if( output[i] != 0 ) 6706 ++changed[i]; 6707 } 6708 } 6709 6710 /* Check that every byte was changed to nonzero at least once. This 6711 * validates that psa_generate_random is overwriting every byte of 6712 * the output buffer. */ 6713 for( i = 0; i < bytes; i++ ) 6714 { 6715 TEST_ASSERT( changed[i] != 0 ); 6716 } 6717 6718exit: 6719 PSA_DONE( ); 6720 mbedtls_free( output ); 6721 mbedtls_free( changed ); 6722} 6723/* END_CASE */ 6724 6725/* BEGIN_CASE */ 6726void generate_key( int type_arg, 6727 int bits_arg, 6728 int usage_arg, 6729 int alg_arg, 6730 int expected_status_arg, 6731 int is_large_key ) 6732{ 6733 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6734 psa_key_type_t type = type_arg; 6735 psa_key_usage_t usage = usage_arg; 6736 size_t bits = bits_arg; 6737 psa_algorithm_t alg = alg_arg; 6738 psa_status_t expected_status = expected_status_arg; 6739 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6740 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 6741 6742 PSA_ASSERT( psa_crypto_init( ) ); 6743 6744 psa_set_key_usage_flags( &attributes, usage ); 6745 psa_set_key_algorithm( &attributes, alg ); 6746 psa_set_key_type( &attributes, type ); 6747 psa_set_key_bits( &attributes, bits ); 6748 6749 /* Generate a key */ 6750 psa_status_t status = psa_generate_key( &attributes, &key ); 6751 6752 if( is_large_key > 0 ) 6753 TEST_ASSUME( status != PSA_ERROR_INSUFFICIENT_MEMORY ); 6754 TEST_EQUAL( status , expected_status ); 6755 if( expected_status != PSA_SUCCESS ) 6756 goto exit; 6757 6758 /* Test the key information */ 6759 PSA_ASSERT( psa_get_key_attributes( key, &got_attributes ) ); 6760 TEST_EQUAL( psa_get_key_type( &got_attributes ), type ); 6761 TEST_EQUAL( psa_get_key_bits( &got_attributes ), bits ); 6762 6763 /* Do something with the key according to its type and permitted usage. */ 6764 if( ! mbedtls_test_psa_exercise_key( key, usage, alg ) ) 6765 goto exit; 6766 6767exit: 6768 /* 6769 * Key attributes may have been returned by psa_get_key_attributes() 6770 * thus reset them as required. 6771 */ 6772 psa_reset_key_attributes( &got_attributes ); 6773 6774 psa_destroy_key( key ); 6775 PSA_DONE( ); 6776} 6777/* END_CASE */ 6778 6779/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_GENPRIME */ 6780void generate_key_rsa( int bits_arg, 6781 data_t *e_arg, 6782 int expected_status_arg ) 6783{ 6784 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6785 psa_key_type_t type = PSA_KEY_TYPE_RSA_KEY_PAIR; 6786 size_t bits = bits_arg; 6787 psa_key_usage_t usage = PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT; 6788 psa_algorithm_t alg = PSA_ALG_RSA_PKCS1V15_SIGN_RAW; 6789 psa_status_t expected_status = expected_status_arg; 6790 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6791 uint8_t *exported = NULL; 6792 size_t exported_size = 6793 PSA_EXPORT_KEY_OUTPUT_SIZE( PSA_KEY_TYPE_RSA_PUBLIC_KEY, bits ); 6794 size_t exported_length = SIZE_MAX; 6795 uint8_t *e_read_buffer = NULL; 6796 int is_default_public_exponent = 0; 6797 size_t e_read_size = PSA_KEY_DOMAIN_PARAMETERS_SIZE( type, bits ); 6798 size_t e_read_length = SIZE_MAX; 6799 6800 if( e_arg->len == 0 || 6801 ( e_arg->len == 3 && 6802 e_arg->x[0] == 1 && e_arg->x[1] == 0 && e_arg->x[2] == 1 ) ) 6803 { 6804 is_default_public_exponent = 1; 6805 e_read_size = 0; 6806 } 6807 ASSERT_ALLOC( e_read_buffer, e_read_size ); 6808 ASSERT_ALLOC( exported, exported_size ); 6809 6810 PSA_ASSERT( psa_crypto_init( ) ); 6811 6812 psa_set_key_usage_flags( &attributes, usage ); 6813 psa_set_key_algorithm( &attributes, alg ); 6814 PSA_ASSERT( psa_set_key_domain_parameters( &attributes, type, 6815 e_arg->x, e_arg->len ) ); 6816 psa_set_key_bits( &attributes, bits ); 6817 6818 /* Generate a key */ 6819 TEST_EQUAL( psa_generate_key( &attributes, &key ), expected_status ); 6820 if( expected_status != PSA_SUCCESS ) 6821 goto exit; 6822 6823 /* Test the key information */ 6824 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 6825 TEST_EQUAL( psa_get_key_type( &attributes ), type ); 6826 TEST_EQUAL( psa_get_key_bits( &attributes ), bits ); 6827 PSA_ASSERT( psa_get_key_domain_parameters( &attributes, 6828 e_read_buffer, e_read_size, 6829 &e_read_length ) ); 6830 if( is_default_public_exponent ) 6831 TEST_EQUAL( e_read_length, 0 ); 6832 else 6833 ASSERT_COMPARE( e_read_buffer, e_read_length, e_arg->x, e_arg->len ); 6834 6835 /* Do something with the key according to its type and permitted usage. */ 6836 if( ! mbedtls_test_psa_exercise_key( key, usage, alg ) ) 6837 goto exit; 6838 6839 /* Export the key and check the public exponent. */ 6840 PSA_ASSERT( psa_export_public_key( key, 6841 exported, exported_size, 6842 &exported_length ) ); 6843 { 6844 uint8_t *p = exported; 6845 uint8_t *end = exported + exported_length; 6846 size_t len; 6847 /* RSAPublicKey ::= SEQUENCE { 6848 * modulus INTEGER, -- n 6849 * publicExponent INTEGER } -- e 6850 */ 6851 TEST_EQUAL( 0, mbedtls_asn1_get_tag( &p, end, &len, 6852 MBEDTLS_ASN1_SEQUENCE | 6853 MBEDTLS_ASN1_CONSTRUCTED ) ); 6854 TEST_ASSERT( mbedtls_test_asn1_skip_integer( &p, end, bits, bits, 1 ) ); 6855 TEST_EQUAL( 0, mbedtls_asn1_get_tag( &p, end, &len, 6856 MBEDTLS_ASN1_INTEGER ) ); 6857 if( len >= 1 && p[0] == 0 ) 6858 { 6859 ++p; 6860 --len; 6861 } 6862 if( e_arg->len == 0 ) 6863 { 6864 TEST_EQUAL( len, 3 ); 6865 TEST_EQUAL( p[0], 1 ); 6866 TEST_EQUAL( p[1], 0 ); 6867 TEST_EQUAL( p[2], 1 ); 6868 } 6869 else 6870 ASSERT_COMPARE( p, len, e_arg->x, e_arg->len ); 6871 } 6872 6873exit: 6874 /* 6875 * Key attributes may have been returned by psa_get_key_attributes() or 6876 * set by psa_set_key_domain_parameters() thus reset them as required. 6877 */ 6878 psa_reset_key_attributes( &attributes ); 6879 6880 psa_destroy_key( key ); 6881 PSA_DONE( ); 6882 mbedtls_free( e_read_buffer ); 6883 mbedtls_free( exported ); 6884} 6885/* END_CASE */ 6886 6887/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */ 6888void persistent_key_load_key_from_storage( data_t *data, 6889 int type_arg, int bits_arg, 6890 int usage_flags_arg, int alg_arg, 6891 int generation_method ) 6892{ 6893 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 1, 1 ); 6894 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6895 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6896 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 6897 psa_key_type_t type = type_arg; 6898 size_t bits = bits_arg; 6899 psa_key_usage_t usage_flags = usage_flags_arg; 6900 psa_algorithm_t alg = alg_arg; 6901 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 6902 unsigned char *first_export = NULL; 6903 unsigned char *second_export = NULL; 6904 size_t export_size = PSA_EXPORT_KEY_OUTPUT_SIZE( type, bits ); 6905 size_t first_exported_length; 6906 size_t second_exported_length; 6907 6908 if( usage_flags & PSA_KEY_USAGE_EXPORT ) 6909 { 6910 ASSERT_ALLOC( first_export, export_size ); 6911 ASSERT_ALLOC( second_export, export_size ); 6912 } 6913 6914 PSA_ASSERT( psa_crypto_init() ); 6915 6916 psa_set_key_id( &attributes, key_id ); 6917 psa_set_key_usage_flags( &attributes, usage_flags ); 6918 psa_set_key_algorithm( &attributes, alg ); 6919 psa_set_key_type( &attributes, type ); 6920 psa_set_key_bits( &attributes, bits ); 6921 6922 switch( generation_method ) 6923 { 6924 case IMPORT_KEY: 6925 /* Import the key */ 6926 PSA_ASSERT( psa_import_key( &attributes, data->x, data->len, 6927 &key ) ); 6928 break; 6929 6930 case GENERATE_KEY: 6931 /* Generate a key */ 6932 PSA_ASSERT( psa_generate_key( &attributes, &key ) ); 6933 break; 6934 6935 case DERIVE_KEY: 6936#if defined(PSA_WANT_ALG_HKDF) && defined(PSA_WANT_ALG_SHA_256) 6937 { 6938 /* Create base key */ 6939 psa_algorithm_t derive_alg = PSA_ALG_HKDF( PSA_ALG_SHA_256 ); 6940 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 6941 psa_set_key_usage_flags( &base_attributes, 6942 PSA_KEY_USAGE_DERIVE ); 6943 psa_set_key_algorithm( &base_attributes, derive_alg ); 6944 psa_set_key_type( &base_attributes, PSA_KEY_TYPE_DERIVE ); 6945 PSA_ASSERT( psa_import_key( &base_attributes, 6946 data->x, data->len, 6947 &base_key ) ); 6948 /* Derive a key. */ 6949 PSA_ASSERT( psa_key_derivation_setup( &operation, derive_alg ) ); 6950 PSA_ASSERT( psa_key_derivation_input_key( 6951 &operation, 6952 PSA_KEY_DERIVATION_INPUT_SECRET, base_key ) ); 6953 PSA_ASSERT( psa_key_derivation_input_bytes( 6954 &operation, PSA_KEY_DERIVATION_INPUT_INFO, 6955 NULL, 0 ) ); 6956 PSA_ASSERT( psa_key_derivation_output_key( &attributes, 6957 &operation, 6958 &key ) ); 6959 PSA_ASSERT( psa_key_derivation_abort( &operation ) ); 6960 PSA_ASSERT( psa_destroy_key( base_key ) ); 6961 base_key = MBEDTLS_SVC_KEY_ID_INIT; 6962 } 6963#else 6964 TEST_ASSUME( ! "KDF not supported in this configuration" ); 6965#endif 6966 break; 6967 6968 default: 6969 TEST_ASSERT( ! "generation_method not implemented in test" ); 6970 break; 6971 } 6972 psa_reset_key_attributes( &attributes ); 6973 6974 /* Export the key if permitted by the key policy. */ 6975 if( usage_flags & PSA_KEY_USAGE_EXPORT ) 6976 { 6977 PSA_ASSERT( psa_export_key( key, 6978 first_export, export_size, 6979 &first_exported_length ) ); 6980 if( generation_method == IMPORT_KEY ) 6981 ASSERT_COMPARE( data->x, data->len, 6982 first_export, first_exported_length ); 6983 } 6984 6985 /* Shutdown and restart */ 6986 PSA_ASSERT( psa_purge_key( key ) ); 6987 PSA_DONE(); 6988 PSA_ASSERT( psa_crypto_init() ); 6989 6990 /* Check key slot still contains key data */ 6991 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 6992 TEST_ASSERT( mbedtls_svc_key_id_equal( 6993 psa_get_key_id( &attributes ), key_id ) ); 6994 TEST_EQUAL( psa_get_key_lifetime( &attributes ), 6995 PSA_KEY_LIFETIME_PERSISTENT ); 6996 TEST_EQUAL( psa_get_key_type( &attributes ), type ); 6997 TEST_EQUAL( psa_get_key_bits( &attributes ), bits ); 6998 TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 6999 mbedtls_test_update_key_usage_flags( usage_flags ) ); 7000 TEST_EQUAL( psa_get_key_algorithm( &attributes ), alg ); 7001 7002 /* Export the key again if permitted by the key policy. */ 7003 if( usage_flags & PSA_KEY_USAGE_EXPORT ) 7004 { 7005 PSA_ASSERT( psa_export_key( key, 7006 second_export, export_size, 7007 &second_exported_length ) ); 7008 ASSERT_COMPARE( first_export, first_exported_length, 7009 second_export, second_exported_length ); 7010 } 7011 7012 /* Do something with the key according to its type and permitted usage. */ 7013 if( ! mbedtls_test_psa_exercise_key( key, usage_flags, alg ) ) 7014 goto exit; 7015 7016exit: 7017 /* 7018 * Key attributes may have been returned by psa_get_key_attributes() 7019 * thus reset them as required. 7020 */ 7021 psa_reset_key_attributes( &attributes ); 7022 7023 mbedtls_free( first_export ); 7024 mbedtls_free( second_export ); 7025 psa_key_derivation_abort( &operation ); 7026 psa_destroy_key( base_key ); 7027 psa_destroy_key( key ); 7028 PSA_DONE(); 7029} 7030/* END_CASE */ 7031