1/* BEGIN_HEADER */ 2#include <stdint.h> 3 4#include "psa/crypto.h" 5 6typedef enum { 7 ERR_NONE = 0, 8 /* errors forced internally in the code */ 9 ERR_INJECT_UNINITIALIZED_ACCESS, 10 ERR_INJECT_DUPLICATE_SETUP, 11 ERR_INJECT_SET_USER, 12 ERR_INJECT_SET_PEER, 13 ERR_INJECT_SET_ROLE, 14 ERR_DUPLICATE_SET_USER, 15 ERR_DUPLICATE_SET_PEER, 16 ERR_INJECT_EMPTY_IO_BUFFER, 17 ERR_INJECT_UNKNOWN_STEP, 18 ERR_INJECT_INVALID_FIRST_STEP, 19 ERR_INJECT_WRONG_BUFFER_SIZE, 20 ERR_INJECT_VALID_OPERATION_AFTER_FAILURE, 21 ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1, 22 ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2, 23 ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1, 24 ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1, 25 ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1, 26 ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2, 27 ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2, 28 ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2, 29 ERR_INJECT_ROUND2_CLIENT_KEY_SHARE, 30 ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC, 31 ERR_INJECT_ROUND2_CLIENT_ZK_PROOF, 32 ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1, 33 ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1, 34 ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1, 35 ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2, 36 ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2, 37 ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2, 38 ERR_INJECT_ROUND2_SERVER_KEY_SHARE, 39 ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC, 40 ERR_INJECT_ROUND2_SERVER_ZK_PROOF, 41 /* erros issued from the .data file */ 42 ERR_IN_SETUP, 43 ERR_IN_SET_USER, 44 ERR_IN_SET_PEER, 45 ERR_IN_SET_ROLE, 46 ERR_IN_SET_PASSWORD_KEY, 47 ERR_IN_INPUT, 48 ERR_IN_OUTPUT, 49} ecjpake_error_stage_t; 50 51typedef enum { 52 PAKE_ROUND_ONE, 53 PAKE_ROUND_TWO 54} pake_round_t; 55 56/* The only two JPAKE user/peer identifiers supported for the time being. */ 57static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' }; 58static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' }; 59 60/* 61 * Inject an error on the specified buffer ONLY it this is the correct stage. 62 * Offset 7 is arbitrary, but chosen because it's "in the middle" of the part 63 * we're corrupting. 64 */ 65#define DO_ROUND_CONDITIONAL_INJECT(this_stage, buf) \ 66 if (this_stage == err_stage) \ 67 { \ 68 *(buf + 7) ^= 1; \ 69 } 70 71#define DO_ROUND_UPDATE_OFFSETS(main_buf_offset, step_offset, step_size) \ 72 { \ 73 step_offset = main_buf_offset; \ 74 main_buf_offset += step_size; \ 75 } 76 77#define DO_ROUND_CHECK_FAILURE() \ 78 if (err_stage != ERR_NONE && status != PSA_SUCCESS) \ 79 { \ 80 TEST_EQUAL(status, expected_error_arg); \ 81 break; \ 82 } \ 83 else \ 84 { \ 85 TEST_EQUAL(status, PSA_SUCCESS); \ 86 } 87 88#if defined(PSA_WANT_ALG_JPAKE) 89static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive, 90 psa_pake_operation_t *server, 91 psa_pake_operation_t *client, 92 int client_input_first, 93 pake_round_t round, 94 ecjpake_error_stage_t err_stage, 95 int expected_error_arg) 96{ 97 unsigned char *buffer0 = NULL, *buffer1 = NULL; 98 size_t buffer_length = ( 99 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE) + 100 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC) + 101 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF)) * 2; 102 /* The output should be exactly this size according to the spec */ 103 const size_t expected_size_key_share = 104 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE); 105 /* The output should be exactly this size according to the spec */ 106 const size_t expected_size_zk_public = 107 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC); 108 /* The output can be smaller: the spec allows stripping leading zeroes */ 109 const size_t max_expected_size_zk_proof = 110 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF); 111 size_t buffer0_off = 0; 112 size_t buffer1_off = 0; 113 size_t s_g1_len, s_g2_len, s_a_len; 114 size_t s_g1_off, s_g2_off, s_a_off; 115 size_t s_x1_pk_len, s_x2_pk_len, s_x2s_pk_len; 116 size_t s_x1_pk_off, s_x2_pk_off, s_x2s_pk_off; 117 size_t s_x1_pr_len, s_x2_pr_len, s_x2s_pr_len; 118 size_t s_x1_pr_off, s_x2_pr_off, s_x2s_pr_off; 119 size_t c_g1_len, c_g2_len, c_a_len; 120 size_t c_g1_off, c_g2_off, c_a_off; 121 size_t c_x1_pk_len, c_x2_pk_len, c_x2s_pk_len; 122 size_t c_x1_pk_off, c_x2_pk_off, c_x2s_pk_off; 123 size_t c_x1_pr_len, c_x2_pr_len, c_x2s_pr_len; 124 size_t c_x1_pr_off, c_x2_pr_off, c_x2s_pr_off; 125 psa_status_t status; 126 127 ASSERT_ALLOC(buffer0, buffer_length); 128 ASSERT_ALLOC(buffer1, buffer_length); 129 130 switch (round) { 131 case PAKE_ROUND_ONE: 132 /* Server first round Output */ 133 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 134 buffer0 + buffer0_off, 135 512 - buffer0_off, &s_g1_len)); 136 TEST_EQUAL(s_g1_len, expected_size_key_share); 137 DO_ROUND_CONDITIONAL_INJECT( 138 ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1, 139 buffer0 + buffer0_off); 140 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_g1_off, s_g1_len); 141 142 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, 143 buffer0 + buffer0_off, 144 512 - buffer0_off, &s_x1_pk_len)); 145 TEST_EQUAL(s_x1_pk_len, expected_size_zk_public); 146 DO_ROUND_CONDITIONAL_INJECT( 147 ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1, 148 buffer0 + buffer0_off); 149 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x1_pk_off, s_x1_pk_len); 150 151 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, 152 buffer0 + buffer0_off, 153 512 - buffer0_off, &s_x1_pr_len)); 154 TEST_LE_U(s_x1_pr_len, max_expected_size_zk_proof); 155 DO_ROUND_CONDITIONAL_INJECT( 156 ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1, 157 buffer0 + buffer0_off); 158 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x1_pr_off, s_x1_pr_len); 159 160 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 161 buffer0 + buffer0_off, 162 512 - buffer0_off, &s_g2_len)); 163 TEST_EQUAL(s_g2_len, expected_size_key_share); 164 DO_ROUND_CONDITIONAL_INJECT( 165 ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2, 166 buffer0 + buffer0_off); 167 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_g2_off, s_g2_len); 168 169 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, 170 buffer0 + buffer0_off, 171 512 - buffer0_off, &s_x2_pk_len)); 172 TEST_EQUAL(s_x2_pk_len, expected_size_zk_public); 173 DO_ROUND_CONDITIONAL_INJECT( 174 ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2, 175 buffer0 + buffer0_off); 176 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x2_pk_off, s_x2_pk_len); 177 178 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, 179 buffer0 + buffer0_off, 180 512 - buffer0_off, &s_x2_pr_len)); 181 TEST_LE_U(s_x2_pr_len, max_expected_size_zk_proof); 182 DO_ROUND_CONDITIONAL_INJECT( 183 ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2, 184 buffer0 + buffer0_off); 185 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x2_pr_off, s_x2_pr_len); 186 187 /* 188 * When injecting errors in inputs, the implementation is 189 * free to detect it right away of with a delay. 190 * This permits delaying the error until the end of the input 191 * sequence, if no error appears then, this will be treated 192 * as an error. 193 */ 194 if (client_input_first == 1) { 195 /* Client first round Input */ 196 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 197 buffer0 + s_g1_off, s_g1_len); 198 DO_ROUND_CHECK_FAILURE(); 199 200 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 201 buffer0 + s_x1_pk_off, 202 s_x1_pk_len); 203 DO_ROUND_CHECK_FAILURE(); 204 205 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 206 buffer0 + s_x1_pr_off, 207 s_x1_pr_len); 208 DO_ROUND_CHECK_FAILURE(); 209 210 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 211 buffer0 + s_g2_off, 212 s_g2_len); 213 DO_ROUND_CHECK_FAILURE(); 214 215 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 216 buffer0 + s_x2_pk_off, 217 s_x2_pk_len); 218 DO_ROUND_CHECK_FAILURE(); 219 220 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 221 buffer0 + s_x2_pr_off, 222 s_x2_pr_len); 223 DO_ROUND_CHECK_FAILURE(); 224 225 /* Error didn't trigger, make test fail */ 226 if ((err_stage >= ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1) && 227 (err_stage <= ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2)) { 228 TEST_ASSERT( 229 !"One of the last psa_pake_input() calls should have returned the expected error."); 230 } 231 } 232 233 /* Client first round Output */ 234 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 235 buffer1 + buffer1_off, 236 512 - buffer1_off, &c_g1_len)); 237 TEST_EQUAL(c_g1_len, expected_size_key_share); 238 DO_ROUND_CONDITIONAL_INJECT( 239 ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1, 240 buffer1 + buffer1_off); 241 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_g1_off, c_g1_len); 242 243 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, 244 buffer1 + buffer1_off, 245 512 - buffer1_off, &c_x1_pk_len)); 246 TEST_EQUAL(c_x1_pk_len, expected_size_zk_public); 247 DO_ROUND_CONDITIONAL_INJECT( 248 ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1, 249 buffer1 + buffer1_off); 250 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x1_pk_off, c_x1_pk_len); 251 252 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, 253 buffer1 + buffer1_off, 254 512 - buffer1_off, &c_x1_pr_len)); 255 TEST_LE_U(c_x1_pr_len, max_expected_size_zk_proof); 256 DO_ROUND_CONDITIONAL_INJECT( 257 ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1, 258 buffer1 + buffer1_off); 259 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x1_pr_off, c_x1_pr_len); 260 261 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 262 buffer1 + buffer1_off, 263 512 - buffer1_off, &c_g2_len)); 264 TEST_EQUAL(c_g2_len, expected_size_key_share); 265 DO_ROUND_CONDITIONAL_INJECT( 266 ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2, 267 buffer1 + buffer1_off); 268 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_g2_off, c_g2_len); 269 270 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, 271 buffer1 + buffer1_off, 272 512 - buffer1_off, &c_x2_pk_len)); 273 TEST_EQUAL(c_x2_pk_len, expected_size_zk_public); 274 DO_ROUND_CONDITIONAL_INJECT( 275 ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2, 276 buffer1 + buffer1_off); 277 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x2_pk_off, c_x2_pk_len); 278 279 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, 280 buffer1 + buffer1_off, 281 512 - buffer1_off, &c_x2_pr_len)); 282 TEST_LE_U(c_x2_pr_len, max_expected_size_zk_proof); 283 DO_ROUND_CONDITIONAL_INJECT( 284 ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2, 285 buffer1 + buffer1_off); 286 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x2_pr_off, buffer1_off); 287 288 if (client_input_first == 0) { 289 /* Client first round Input */ 290 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 291 buffer0 + s_g1_off, s_g1_len); 292 DO_ROUND_CHECK_FAILURE(); 293 294 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 295 buffer0 + s_x1_pk_off, 296 s_x1_pk_len); 297 DO_ROUND_CHECK_FAILURE(); 298 299 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 300 buffer0 + s_x1_pr_off, 301 s_x1_pr_len); 302 DO_ROUND_CHECK_FAILURE(); 303 304 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 305 buffer0 + s_g2_off, 306 s_g2_len); 307 DO_ROUND_CHECK_FAILURE(); 308 309 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 310 buffer0 + s_x2_pk_off, 311 s_x2_pk_len); 312 DO_ROUND_CHECK_FAILURE(); 313 314 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 315 buffer0 + s_x2_pr_off, 316 s_x2_pr_len); 317 DO_ROUND_CHECK_FAILURE(); 318 319 /* Error didn't trigger, make test fail */ 320 if ((err_stage >= ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1) && 321 (err_stage <= ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2)) { 322 TEST_ASSERT( 323 !"One of the last psa_pake_input() calls should have returned the expected error."); 324 } 325 } 326 327 /* Server first round Input */ 328 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 329 buffer1 + c_g1_off, c_g1_len); 330 DO_ROUND_CHECK_FAILURE(); 331 332 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, 333 buffer1 + c_x1_pk_off, c_x1_pk_len); 334 DO_ROUND_CHECK_FAILURE(); 335 336 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, 337 buffer1 + c_x1_pr_off, c_x1_pr_len); 338 DO_ROUND_CHECK_FAILURE(); 339 340 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 341 buffer1 + c_g2_off, c_g2_len); 342 DO_ROUND_CHECK_FAILURE(); 343 344 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, 345 buffer1 + c_x2_pk_off, c_x2_pk_len); 346 DO_ROUND_CHECK_FAILURE(); 347 348 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, 349 buffer1 + c_x2_pr_off, c_x2_pr_len); 350 DO_ROUND_CHECK_FAILURE(); 351 352 /* Error didn't trigger, make test fail */ 353 if ((err_stage >= ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1) && 354 (err_stage <= ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2)) { 355 TEST_ASSERT( 356 !"One of the last psa_pake_input() calls should have returned the expected error."); 357 } 358 359 break; 360 361 case PAKE_ROUND_TWO: 362 /* Server second round Output */ 363 buffer0_off = 0; 364 365 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE, 366 buffer0 + buffer0_off, 367 512 - buffer0_off, &s_a_len)); 368 TEST_EQUAL(s_a_len, expected_size_key_share); 369 DO_ROUND_CONDITIONAL_INJECT( 370 ERR_INJECT_ROUND2_SERVER_KEY_SHARE, 371 buffer0 + buffer0_off); 372 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_a_off, s_a_len); 373 374 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC, 375 buffer0 + buffer0_off, 376 512 - buffer0_off, &s_x2s_pk_len)); 377 TEST_EQUAL(s_x2s_pk_len, expected_size_zk_public); 378 DO_ROUND_CONDITIONAL_INJECT( 379 ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC, 380 buffer0 + buffer0_off); 381 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x2s_pk_off, s_x2s_pk_len); 382 383 PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF, 384 buffer0 + buffer0_off, 385 512 - buffer0_off, &s_x2s_pr_len)); 386 TEST_LE_U(s_x2s_pr_len, max_expected_size_zk_proof); 387 DO_ROUND_CONDITIONAL_INJECT( 388 ERR_INJECT_ROUND2_SERVER_ZK_PROOF, 389 buffer0 + buffer0_off); 390 DO_ROUND_UPDATE_OFFSETS(buffer0_off, s_x2s_pr_off, s_x2s_pr_len); 391 392 if (client_input_first == 1) { 393 /* Client second round Input */ 394 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 395 buffer0 + s_a_off, s_a_len); 396 DO_ROUND_CHECK_FAILURE(); 397 398 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 399 buffer0 + s_x2s_pk_off, 400 s_x2s_pk_len); 401 DO_ROUND_CHECK_FAILURE(); 402 403 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 404 buffer0 + s_x2s_pr_off, 405 s_x2s_pr_len); 406 DO_ROUND_CHECK_FAILURE(); 407 408 /* Error didn't trigger, make test fail */ 409 if ((err_stage >= ERR_INJECT_ROUND2_SERVER_KEY_SHARE) && 410 (err_stage <= ERR_INJECT_ROUND2_SERVER_ZK_PROOF)) { 411 TEST_ASSERT( 412 !"One of the last psa_pake_input() calls should have returned the expected error."); 413 } 414 } 415 416 /* Client second round Output */ 417 buffer1_off = 0; 418 419 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE, 420 buffer1 + buffer1_off, 421 512 - buffer1_off, &c_a_len)); 422 TEST_EQUAL(c_a_len, expected_size_key_share); 423 DO_ROUND_CONDITIONAL_INJECT( 424 ERR_INJECT_ROUND2_CLIENT_KEY_SHARE, 425 buffer1 + buffer1_off); 426 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_a_off, c_a_len); 427 428 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC, 429 buffer1 + buffer1_off, 430 512 - buffer1_off, &c_x2s_pk_len)); 431 TEST_EQUAL(c_x2s_pk_len, expected_size_zk_public); 432 DO_ROUND_CONDITIONAL_INJECT( 433 ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC, 434 buffer1 + buffer1_off); 435 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x2s_pk_off, c_x2s_pk_len); 436 437 PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF, 438 buffer1 + buffer1_off, 439 512 - buffer1_off, &c_x2s_pr_len)); 440 TEST_LE_U(c_x2s_pr_len, max_expected_size_zk_proof); 441 DO_ROUND_CONDITIONAL_INJECT( 442 ERR_INJECT_ROUND2_CLIENT_ZK_PROOF, 443 buffer1 + buffer1_off); 444 DO_ROUND_UPDATE_OFFSETS(buffer1_off, c_x2s_pr_off, c_x2s_pr_len); 445 446 if (client_input_first == 0) { 447 /* Client second round Input */ 448 status = psa_pake_input(client, PSA_PAKE_STEP_KEY_SHARE, 449 buffer0 + s_a_off, s_a_len); 450 DO_ROUND_CHECK_FAILURE(); 451 452 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PUBLIC, 453 buffer0 + s_x2s_pk_off, 454 s_x2s_pk_len); 455 DO_ROUND_CHECK_FAILURE(); 456 457 status = psa_pake_input(client, PSA_PAKE_STEP_ZK_PROOF, 458 buffer0 + s_x2s_pr_off, 459 s_x2s_pr_len); 460 DO_ROUND_CHECK_FAILURE(); 461 462 /* Error didn't trigger, make test fail */ 463 if ((err_stage >= ERR_INJECT_ROUND2_SERVER_KEY_SHARE) && 464 (err_stage <= ERR_INJECT_ROUND2_SERVER_ZK_PROOF)) { 465 TEST_ASSERT( 466 !"One of the last psa_pake_input() calls should have returned the expected error."); 467 } 468 } 469 470 /* Server second round Input */ 471 status = psa_pake_input(server, PSA_PAKE_STEP_KEY_SHARE, 472 buffer1 + c_a_off, c_a_len); 473 DO_ROUND_CHECK_FAILURE(); 474 475 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PUBLIC, 476 buffer1 + c_x2s_pk_off, c_x2s_pk_len); 477 DO_ROUND_CHECK_FAILURE(); 478 479 status = psa_pake_input(server, PSA_PAKE_STEP_ZK_PROOF, 480 buffer1 + c_x2s_pr_off, c_x2s_pr_len); 481 DO_ROUND_CHECK_FAILURE(); 482 483 /* Error didn't trigger, make test fail */ 484 if ((err_stage >= ERR_INJECT_ROUND2_CLIENT_KEY_SHARE) && 485 (err_stage <= ERR_INJECT_ROUND2_CLIENT_ZK_PROOF)) { 486 TEST_ASSERT( 487 !"One of the last psa_pake_input() calls should have returned the expected error."); 488 } 489 490 break; 491 492 } 493 494exit: 495 mbedtls_free(buffer0); 496 mbedtls_free(buffer1); 497} 498#endif /* PSA_WANT_ALG_JPAKE */ 499 500/* 501 * This check is used for functions that might either succeed or fail depending 502 * on the parameters that are passed in from the *.data file: 503 * - in case of success following functions depend on the current one 504 * - in case of failure the test is always terminated. There are two options 505 * here 506 * - terminated successfully if this exact error was expected at this stage 507 * - terminated with failure otherwise (either no error was expected at this 508 * stage or a different error code was expected) 509 */ 510#define SETUP_ALWAYS_CHECK_STEP(test_function, this_check_err_stage) \ 511 status = test_function; \ 512 if (err_stage != this_check_err_stage) \ 513 { \ 514 PSA_ASSERT(status); \ 515 } \ 516 else \ 517 { \ 518 TEST_EQUAL(status, expected_error); \ 519 goto exit; \ 520 } 521 522/* 523 * This check is used for failures that are injected at code level. There's only 524 * 1 input parameter that is relevant in this case and it's the stage at which 525 * the error should be injected. 526 * The check is conditional in this case because, once the error is triggered, 527 * the pake's context structure is compromised and the setup function cannot 528 * proceed further. As a consequence the test is terminated. 529 * The test succeeds if the returned error is exactly the expected one, 530 * otherwise it fails. 531 */ 532#define SETUP_CONDITIONAL_CHECK_STEP(test_function, this_check_err_stage) \ 533 if (err_stage == this_check_err_stage) \ 534 { \ 535 TEST_EQUAL(test_function, expected_error); \ 536 goto exit; \ 537 } 538/* END_HEADER */ 539 540/* BEGIN_DEPENDENCIES 541 * depends_on:MBEDTLS_PSA_CRYPTO_C 542 * END_DEPENDENCIES 543 */ 544 545/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 546void ecjpake_setup(int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, 547 int primitive_arg, int hash_arg, char *user_arg, char *peer_arg, 548 int test_input, 549 int err_stage_arg, 550 int expected_error_arg) 551{ 552 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 553 psa_pake_operation_t operation = psa_pake_operation_init(); 554 psa_algorithm_t alg = alg_arg; 555 psa_pake_primitive_t primitive = primitive_arg; 556 psa_key_type_t key_type_pw = key_type_pw_arg; 557 psa_key_usage_t key_usage_pw = key_usage_pw_arg; 558 psa_algorithm_t hash_alg = hash_arg; 559 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 560 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 561 ecjpake_error_stage_t err_stage = err_stage_arg; 562 psa_status_t expected_error = expected_error_arg; 563 psa_status_t status; 564 unsigned char *output_buffer = NULL; 565 size_t output_len = 0; 566 const uint8_t password[] = "abcd"; 567 uint8_t *user = (uint8_t *) user_arg; 568 uint8_t *peer = (uint8_t *) peer_arg; 569 size_t user_len = strlen(user_arg); 570 size_t peer_len = strlen(peer_arg); 571 572 psa_key_derivation_operation_t key_derivation = 573 PSA_KEY_DERIVATION_OPERATION_INIT; 574 575 PSA_INIT(); 576 577 size_t buf_size = PSA_PAKE_OUTPUT_SIZE(alg, primitive_arg, 578 PSA_PAKE_STEP_KEY_SHARE); 579 ASSERT_ALLOC(output_buffer, buf_size); 580 581 psa_set_key_usage_flags(&attributes, key_usage_pw); 582 psa_set_key_algorithm(&attributes, alg); 583 psa_set_key_type(&attributes, key_type_pw); 584 PSA_ASSERT(psa_import_key(&attributes, password, sizeof(password), 585 &key)); 586 587 psa_pake_cs_set_algorithm(&cipher_suite, alg); 588 psa_pake_cs_set_primitive(&cipher_suite, primitive); 589 psa_pake_cs_set_hash(&cipher_suite, hash_alg); 590 591 PSA_ASSERT(psa_pake_abort(&operation)); 592 593 if (err_stage == ERR_INJECT_UNINITIALIZED_ACCESS) { 594 TEST_EQUAL(psa_pake_set_user(&operation, user, user_len), 595 expected_error); 596 TEST_EQUAL(psa_pake_set_peer(&operation, peer, peer_len), 597 expected_error); 598 TEST_EQUAL(psa_pake_set_password_key(&operation, key), 599 expected_error); 600 TEST_EQUAL(psa_pake_set_role(&operation, PSA_PAKE_ROLE_SERVER), 601 expected_error); 602 TEST_EQUAL(psa_pake_output(&operation, PSA_PAKE_STEP_KEY_SHARE, 603 output_buffer, 0, &output_len), 604 expected_error); 605 TEST_EQUAL(psa_pake_input(&operation, PSA_PAKE_STEP_KEY_SHARE, 606 output_buffer, 0), 607 expected_error); 608 TEST_EQUAL(psa_pake_get_implicit_key(&operation, &key_derivation), 609 expected_error); 610 goto exit; 611 } 612 613 SETUP_ALWAYS_CHECK_STEP(psa_pake_setup(&operation, &cipher_suite), 614 ERR_IN_SETUP); 615 616 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_setup(&operation, &cipher_suite), 617 ERR_INJECT_DUPLICATE_SETUP); 618 619 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_set_role(&operation, PSA_PAKE_ROLE_SERVER), 620 ERR_INJECT_SET_ROLE); 621 622 SETUP_ALWAYS_CHECK_STEP(psa_pake_set_role(&operation, PSA_PAKE_ROLE_NONE), 623 ERR_IN_SET_ROLE); 624 625 SETUP_ALWAYS_CHECK_STEP(psa_pake_set_user(&operation, user, user_len), 626 ERR_IN_SET_USER); 627 628 SETUP_ALWAYS_CHECK_STEP(psa_pake_set_peer(&operation, peer, peer_len), 629 ERR_IN_SET_PEER); 630 631 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_set_user(&operation, user, user_len), 632 ERR_DUPLICATE_SET_USER); 633 634 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_set_peer(&operation, peer, peer_len), 635 ERR_DUPLICATE_SET_PEER); 636 637 SETUP_ALWAYS_CHECK_STEP(psa_pake_set_password_key(&operation, key), 638 ERR_IN_SET_PASSWORD_KEY); 639 640 const size_t size_key_share = PSA_PAKE_INPUT_SIZE(alg, primitive, 641 PSA_PAKE_STEP_KEY_SHARE); 642 const size_t size_zk_public = PSA_PAKE_INPUT_SIZE(alg, primitive, 643 PSA_PAKE_STEP_ZK_PUBLIC); 644 const size_t size_zk_proof = PSA_PAKE_INPUT_SIZE(alg, primitive, 645 PSA_PAKE_STEP_ZK_PROOF); 646 647 if (test_input) { 648 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, 649 PSA_PAKE_STEP_ZK_PROOF, 650 output_buffer, 0), 651 ERR_INJECT_EMPTY_IO_BUFFER); 652 653 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, 654 PSA_PAKE_STEP_ZK_PROOF + 10, 655 output_buffer, size_zk_proof), 656 ERR_INJECT_UNKNOWN_STEP); 657 658 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, 659 PSA_PAKE_STEP_ZK_PROOF, 660 output_buffer, size_zk_proof), 661 ERR_INJECT_INVALID_FIRST_STEP) 662 663 SETUP_ALWAYS_CHECK_STEP(psa_pake_input(&operation, 664 PSA_PAKE_STEP_KEY_SHARE, 665 output_buffer, size_key_share), 666 ERR_IN_INPUT); 667 668 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, 669 PSA_PAKE_STEP_ZK_PUBLIC, 670 output_buffer, size_zk_public + 1), 671 ERR_INJECT_WRONG_BUFFER_SIZE); 672 673 SETUP_CONDITIONAL_CHECK_STEP( 674 (psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 675 output_buffer, size_zk_public + 1), 676 psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 677 output_buffer, size_zk_public)), 678 ERR_INJECT_VALID_OPERATION_AFTER_FAILURE); 679 } else { 680 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_output(&operation, 681 PSA_PAKE_STEP_ZK_PROOF, 682 output_buffer, 0, 683 &output_len), 684 ERR_INJECT_EMPTY_IO_BUFFER); 685 686 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_output(&operation, 687 PSA_PAKE_STEP_ZK_PROOF + 10, 688 output_buffer, buf_size, &output_len), 689 ERR_INJECT_UNKNOWN_STEP); 690 691 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_output(&operation, 692 PSA_PAKE_STEP_ZK_PROOF, 693 output_buffer, buf_size, &output_len), 694 ERR_INJECT_INVALID_FIRST_STEP); 695 696 SETUP_ALWAYS_CHECK_STEP(psa_pake_output(&operation, 697 PSA_PAKE_STEP_KEY_SHARE, 698 output_buffer, buf_size, &output_len), 699 ERR_IN_OUTPUT); 700 701 TEST_ASSERT(output_len > 0); 702 703 SETUP_CONDITIONAL_CHECK_STEP(psa_pake_output(&operation, 704 PSA_PAKE_STEP_ZK_PUBLIC, 705 output_buffer, size_zk_public - 1, 706 &output_len), 707 ERR_INJECT_WRONG_BUFFER_SIZE); 708 709 SETUP_CONDITIONAL_CHECK_STEP( 710 (psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 711 output_buffer, size_zk_public - 1, &output_len), 712 psa_pake_output(&operation, PSA_PAKE_STEP_ZK_PUBLIC, 713 output_buffer, buf_size, &output_len)), 714 ERR_INJECT_VALID_OPERATION_AFTER_FAILURE); 715 } 716 717exit: 718 PSA_ASSERT(psa_destroy_key(key)); 719 PSA_ASSERT(psa_pake_abort(&operation)); 720 mbedtls_free(output_buffer); 721 PSA_DONE(); 722} 723/* END_CASE */ 724 725/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 726void ecjpake_rounds_inject(int alg_arg, int primitive_arg, int hash_arg, 727 int client_input_first, 728 data_t *pw_data, 729 int err_stage_arg, 730 int expected_error_arg) 731{ 732 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 733 psa_pake_operation_t server = psa_pake_operation_init(); 734 psa_pake_operation_t client = psa_pake_operation_init(); 735 psa_algorithm_t alg = alg_arg; 736 psa_algorithm_t hash_alg = hash_arg; 737 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 738 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 739 ecjpake_error_stage_t err_stage = err_stage_arg; 740 741 PSA_INIT(); 742 743 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 744 psa_set_key_algorithm(&attributes, alg); 745 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 746 747 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, 748 &key)); 749 750 psa_pake_cs_set_algorithm(&cipher_suite, alg); 751 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg); 752 psa_pake_cs_set_hash(&cipher_suite, hash_alg); 753 754 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite)); 755 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite)); 756 757 PSA_ASSERT(psa_pake_set_user(&server, jpake_server_id, sizeof(jpake_server_id))); 758 PSA_ASSERT(psa_pake_set_peer(&server, jpake_client_id, sizeof(jpake_client_id))); 759 PSA_ASSERT(psa_pake_set_user(&client, jpake_client_id, sizeof(jpake_client_id))); 760 PSA_ASSERT(psa_pake_set_peer(&client, jpake_server_id, sizeof(jpake_server_id))); 761 762 PSA_ASSERT(psa_pake_set_password_key(&server, key)); 763 PSA_ASSERT(psa_pake_set_password_key(&client, key)); 764 765 ecjpake_do_round(alg, primitive_arg, &server, &client, 766 client_input_first, PAKE_ROUND_ONE, 767 err_stage, expected_error_arg); 768 769 if (err_stage != ERR_NONE) { 770 goto exit; 771 } 772 773 ecjpake_do_round(alg, primitive_arg, &server, &client, 774 client_input_first, PAKE_ROUND_TWO, 775 err_stage, expected_error_arg); 776 777exit: 778 psa_destroy_key(key); 779 psa_pake_abort(&server); 780 psa_pake_abort(&client); 781 PSA_DONE(); 782} 783/* END_CASE */ 784 785/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 786void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, 787 int derive_alg_arg, data_t *pw_data, 788 int client_input_first, int destroy_key, 789 int err_stage_arg) 790{ 791 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 792 psa_pake_operation_t server = psa_pake_operation_init(); 793 psa_pake_operation_t client = psa_pake_operation_init(); 794 psa_algorithm_t alg = alg_arg; 795 psa_algorithm_t hash_alg = hash_arg; 796 psa_algorithm_t derive_alg = derive_alg_arg; 797 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 798 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 799 psa_key_derivation_operation_t server_derive = 800 PSA_KEY_DERIVATION_OPERATION_INIT; 801 psa_key_derivation_operation_t client_derive = 802 PSA_KEY_DERIVATION_OPERATION_INIT; 803 ecjpake_error_stage_t err_stage = err_stage_arg; 804 805 PSA_INIT(); 806 807 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 808 psa_set_key_algorithm(&attributes, alg); 809 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 810 PSA_ASSERT(psa_import_key(&attributes, pw_data->x, pw_data->len, 811 &key)); 812 813 psa_pake_cs_set_algorithm(&cipher_suite, alg); 814 psa_pake_cs_set_primitive(&cipher_suite, primitive_arg); 815 psa_pake_cs_set_hash(&cipher_suite, hash_alg); 816 817 /* Get shared key */ 818 PSA_ASSERT(psa_key_derivation_setup(&server_derive, derive_alg)); 819 PSA_ASSERT(psa_key_derivation_setup(&client_derive, derive_alg)); 820 821 if (PSA_ALG_IS_TLS12_PRF(derive_alg) || 822 PSA_ALG_IS_TLS12_PSK_TO_MS(derive_alg)) { 823 PSA_ASSERT(psa_key_derivation_input_bytes(&server_derive, 824 PSA_KEY_DERIVATION_INPUT_SEED, 825 (const uint8_t *) "", 0)); 826 PSA_ASSERT(psa_key_derivation_input_bytes(&client_derive, 827 PSA_KEY_DERIVATION_INPUT_SEED, 828 (const uint8_t *) "", 0)); 829 } 830 831 PSA_ASSERT(psa_pake_setup(&server, &cipher_suite)); 832 PSA_ASSERT(psa_pake_setup(&client, &cipher_suite)); 833 834 PSA_ASSERT(psa_pake_set_user(&server, jpake_server_id, sizeof(jpake_server_id))); 835 PSA_ASSERT(psa_pake_set_peer(&server, jpake_client_id, sizeof(jpake_client_id))); 836 PSA_ASSERT(psa_pake_set_user(&client, jpake_client_id, sizeof(jpake_client_id))); 837 PSA_ASSERT(psa_pake_set_peer(&client, jpake_server_id, sizeof(jpake_server_id))); 838 839 PSA_ASSERT(psa_pake_set_password_key(&server, key)); 840 PSA_ASSERT(psa_pake_set_password_key(&client, key)); 841 842 if (destroy_key == 1) { 843 psa_destroy_key(key); 844 } 845 846 if (err_stage == ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1) { 847 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive), 848 PSA_ERROR_BAD_STATE); 849 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive), 850 PSA_ERROR_BAD_STATE); 851 goto exit; 852 } 853 854 /* First round */ 855 ecjpake_do_round(alg, primitive_arg, &server, &client, 856 client_input_first, PAKE_ROUND_ONE, 857 ERR_NONE, PSA_SUCCESS); 858 859 if (err_stage == ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2) { 860 TEST_EQUAL(psa_pake_get_implicit_key(&server, &server_derive), 861 PSA_ERROR_BAD_STATE); 862 TEST_EQUAL(psa_pake_get_implicit_key(&client, &client_derive), 863 PSA_ERROR_BAD_STATE); 864 goto exit; 865 } 866 867 /* Second round */ 868 ecjpake_do_round(alg, primitive_arg, &server, &client, 869 client_input_first, PAKE_ROUND_TWO, 870 ERR_NONE, PSA_SUCCESS); 871 872 PSA_ASSERT(psa_pake_get_implicit_key(&server, &server_derive)); 873 PSA_ASSERT(psa_pake_get_implicit_key(&client, &client_derive)); 874 875exit: 876 psa_key_derivation_abort(&server_derive); 877 psa_key_derivation_abort(&client_derive); 878 psa_destroy_key(key); 879 psa_pake_abort(&server); 880 psa_pake_abort(&client); 881 PSA_DONE(); 882} 883/* END_CASE */ 884 885/* BEGIN_CASE */ 886void ecjpake_size_macros() 887{ 888 const psa_algorithm_t alg = PSA_ALG_JPAKE; 889 const size_t bits = 256; 890 const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( 891 PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, bits); 892 const psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR( 893 PSA_ECC_FAMILY_SECP_R1); 894 895 // https://armmbed.github.io/mbed-crypto/1.1_PAKE_Extension.0-bet.0/html/pake.html#pake-step-types 896 /* The output for KEY_SHARE and ZK_PUBLIC is the same as a public key */ 897 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 898 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits)); 899 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 900 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits)); 901 /* The output for ZK_PROOF is the same bitsize as the curve */ 902 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 903 PSA_BITS_TO_BYTES(bits)); 904 905 /* Input sizes are the same as output sizes */ 906 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 907 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE)); 908 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 909 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC)); 910 TEST_EQUAL(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 911 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF)); 912 913 /* These inequalities will always hold even when other PAKEs are added */ 914 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 915 PSA_PAKE_OUTPUT_MAX_SIZE); 916 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 917 PSA_PAKE_OUTPUT_MAX_SIZE); 918 TEST_LE_U(PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 919 PSA_PAKE_OUTPUT_MAX_SIZE); 920 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 921 PSA_PAKE_INPUT_MAX_SIZE); 922 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 923 PSA_PAKE_INPUT_MAX_SIZE); 924 TEST_LE_U(PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 925 PSA_PAKE_INPUT_MAX_SIZE); 926} 927/* END_CASE */ 928 929/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 930void pake_input_getters_password() 931{ 932 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 933 psa_pake_operation_t operation = psa_pake_operation_init(); 934 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 935 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 936 const char *password = "password"; 937 uint8_t password_ret[20] = { 0 }; // max key length is 20 bytes 938 size_t password_len_ret = 0; 939 size_t buffer_len_ret = 0; 940 941 psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( 942 PSA_PAKE_PRIMITIVE_TYPE_ECC, 943 PSA_ECC_FAMILY_SECP_R1, 256); 944 945 PSA_INIT(); 946 947 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 948 psa_pake_cs_set_primitive(&cipher_suite, primitive); 949 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 950 951 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 952 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE); 953 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 954 955 PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); 956 957 PSA_ASSERT(psa_import_key(&attributes, (uint8_t *) password, strlen(password), &key)); 958 959 TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, 960 (uint8_t *) &password_ret, 961 10, &buffer_len_ret), 962 PSA_ERROR_BAD_STATE); 963 964 TEST_EQUAL(psa_crypto_driver_pake_get_password_len(&operation.data.inputs, &password_len_ret), 965 PSA_ERROR_BAD_STATE); 966 967 PSA_ASSERT(psa_pake_set_password_key(&operation, key)); 968 969 TEST_EQUAL(psa_crypto_driver_pake_get_password_len(&operation.data.inputs, &password_len_ret), 970 PSA_SUCCESS); 971 972 TEST_EQUAL(password_len_ret, strlen(password)); 973 974 TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, 975 (uint8_t *) &password_ret, 976 password_len_ret - 1, 977 &buffer_len_ret), 978 PSA_ERROR_BUFFER_TOO_SMALL); 979 980 TEST_EQUAL(psa_crypto_driver_pake_get_password(&operation.data.inputs, 981 (uint8_t *) &password_ret, 982 password_len_ret, 983 &buffer_len_ret), 984 PSA_SUCCESS); 985 986 TEST_EQUAL(buffer_len_ret, strlen(password)); 987 PSA_ASSERT(memcmp(password_ret, password, buffer_len_ret)); 988exit: 989 PSA_ASSERT(psa_destroy_key(key)); 990 PSA_ASSERT(psa_pake_abort(&operation)); 991 PSA_DONE(); 992} 993/* END_CASE */ 994 995/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 996void pake_input_getters_cipher_suite() 997{ 998 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 999 psa_pake_operation_t operation = psa_pake_operation_init(); 1000 psa_pake_cipher_suite_t cipher_suite_ret = psa_pake_cipher_suite_init(); 1001 1002 psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( 1003 PSA_PAKE_PRIMITIVE_TYPE_ECC, 1004 PSA_ECC_FAMILY_SECP_R1, 256); 1005 1006 PSA_INIT(); 1007 1008 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 1009 psa_pake_cs_set_primitive(&cipher_suite, primitive); 1010 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 1011 1012 TEST_EQUAL(psa_crypto_driver_pake_get_cipher_suite(&operation.data.inputs, &cipher_suite_ret), 1013 PSA_ERROR_BAD_STATE); 1014 1015 PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); 1016 1017 TEST_EQUAL(psa_crypto_driver_pake_get_cipher_suite(&operation.data.inputs, &cipher_suite_ret), 1018 PSA_SUCCESS); 1019 1020 PSA_ASSERT(memcmp(&cipher_suite_ret, &cipher_suite, sizeof(cipher_suite))); 1021 1022exit: 1023 PSA_ASSERT(psa_pake_abort(&operation)); 1024 PSA_DONE(); 1025} 1026/* END_CASE */ 1027 1028/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 1029void pake_input_getters_role() 1030{ 1031 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 1032 psa_pake_operation_t operation = psa_pake_operation_init(); 1033 psa_pake_role_t role_ret = PSA_PAKE_ROLE_NONE; 1034 1035 psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( 1036 PSA_PAKE_PRIMITIVE_TYPE_ECC, 1037 PSA_ECC_FAMILY_SECP_R1, 256); 1038 1039 PSA_INIT(); 1040 1041 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 1042 psa_pake_cs_set_primitive(&cipher_suite, primitive); 1043 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 1044 1045 PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); 1046 1047 TEST_EQUAL(psa_crypto_driver_pake_get_role(&operation.data.inputs, &role_ret), 1048 PSA_ERROR_BAD_STATE); 1049 1050 /* Role can not be set directly using psa_pake_set_role(). It is set by the core 1051 based on given user/peer identifiers. Simulate that Role is already set. */ 1052 operation.data.inputs.role = PSA_PAKE_ROLE_SERVER; 1053 TEST_EQUAL(psa_crypto_driver_pake_get_role(&operation.data.inputs, &role_ret), 1054 PSA_SUCCESS); 1055 1056 TEST_EQUAL(role_ret, PSA_PAKE_ROLE_SERVER); 1057exit: 1058 PSA_ASSERT(psa_pake_abort(&operation)); 1059 PSA_DONE(); 1060} 1061/* END_CASE */ 1062 1063/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 1064void pake_input_getters_user() 1065{ 1066 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 1067 psa_pake_operation_t operation = psa_pake_operation_init(); 1068 const uint8_t user[] = { 's', 'e', 'r', 'v', 'e', 'r' }; 1069 const size_t user_len = sizeof(user); 1070 uint8_t user_ret[20] = { 0 }; // max user length is 20 bytes 1071 size_t user_len_ret = 0; 1072 size_t buffer_len_ret = 0; 1073 1074 psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( 1075 PSA_PAKE_PRIMITIVE_TYPE_ECC, 1076 PSA_ECC_FAMILY_SECP_R1, 256); 1077 1078 PSA_INIT(); 1079 1080 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 1081 psa_pake_cs_set_primitive(&cipher_suite, primitive); 1082 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 1083 1084 PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); 1085 1086 TEST_EQUAL(psa_crypto_driver_pake_get_user(&operation.data.inputs, 1087 (uint8_t *) &user_ret, 1088 10, &buffer_len_ret), 1089 PSA_ERROR_BAD_STATE); 1090 1091 TEST_EQUAL(psa_crypto_driver_pake_get_user_len(&operation.data.inputs, &user_len_ret), 1092 PSA_ERROR_BAD_STATE); 1093 1094 PSA_ASSERT(psa_pake_set_user(&operation, user, user_len)); 1095 1096 TEST_EQUAL(psa_crypto_driver_pake_get_user_len(&operation.data.inputs, &user_len_ret), 1097 PSA_SUCCESS); 1098 1099 TEST_EQUAL(user_len_ret, user_len); 1100 1101 TEST_EQUAL(psa_crypto_driver_pake_get_user(&operation.data.inputs, 1102 (uint8_t *) &user_ret, 1103 user_len_ret - 1, 1104 &buffer_len_ret), 1105 PSA_ERROR_BUFFER_TOO_SMALL); 1106 1107 TEST_EQUAL(psa_crypto_driver_pake_get_user(&operation.data.inputs, 1108 (uint8_t *) &user_ret, 1109 user_len_ret, 1110 &buffer_len_ret), 1111 PSA_SUCCESS); 1112 1113 TEST_EQUAL(buffer_len_ret, user_len); 1114 PSA_ASSERT(memcmp(user_ret, user, buffer_len_ret)); 1115exit: 1116 PSA_ASSERT(psa_pake_abort(&operation)); 1117 PSA_DONE(); 1118} 1119/* END_CASE */ 1120 1121/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 1122void pake_input_getters_peer() 1123{ 1124 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 1125 psa_pake_operation_t operation = psa_pake_operation_init(); 1126 const uint8_t peer[] = { 's', 'e', 'r', 'v', 'e', 'r' }; 1127 const size_t peer_len = sizeof(peer); 1128 uint8_t peer_ret[20] = { 0 }; // max peer length is 20 bytes 1129 size_t peer_len_ret = 0; 1130 size_t buffer_len_ret = 0; 1131 1132 psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( 1133 PSA_PAKE_PRIMITIVE_TYPE_ECC, 1134 PSA_ECC_FAMILY_SECP_R1, 256); 1135 1136 PSA_INIT(); 1137 1138 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 1139 psa_pake_cs_set_primitive(&cipher_suite, primitive); 1140 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 1141 1142 PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); 1143 1144 TEST_EQUAL(psa_crypto_driver_pake_get_peer(&operation.data.inputs, 1145 (uint8_t *) &peer_ret, 1146 10, &buffer_len_ret), 1147 PSA_ERROR_BAD_STATE); 1148 1149 TEST_EQUAL(psa_crypto_driver_pake_get_peer_len(&operation.data.inputs, &peer_len_ret), 1150 PSA_ERROR_BAD_STATE); 1151 1152 PSA_ASSERT(psa_pake_set_peer(&operation, peer, peer_len)); 1153 1154 TEST_EQUAL(psa_crypto_driver_pake_get_peer_len(&operation.data.inputs, &peer_len_ret), 1155 PSA_SUCCESS); 1156 1157 TEST_EQUAL(peer_len_ret, peer_len); 1158 1159 TEST_EQUAL(psa_crypto_driver_pake_get_peer(&operation.data.inputs, 1160 (uint8_t *) &peer_ret, 1161 peer_len_ret - 1, 1162 &buffer_len_ret), 1163 PSA_ERROR_BUFFER_TOO_SMALL); 1164 1165 TEST_EQUAL(psa_crypto_driver_pake_get_peer(&operation.data.inputs, 1166 (uint8_t *) &peer_ret, 1167 peer_len_ret, 1168 &buffer_len_ret), 1169 PSA_SUCCESS); 1170 1171 TEST_EQUAL(buffer_len_ret, peer_len); 1172 PSA_ASSERT(memcmp(peer_ret, peer, buffer_len_ret)); 1173exit: 1174 PSA_ASSERT(psa_pake_abort(&operation)); 1175 PSA_DONE(); 1176} 1177/* END_CASE */ 1178