1/* BEGIN_HEADER */ 2#include <stdint.h> 3 4#include "mbedtls/asn1.h" 5#include "mbedtls/asn1write.h" 6#include "mbedtls/oid.h" 7#include "common.h" 8 9/* For MBEDTLS_CTR_DRBG_MAX_REQUEST, knowing that psa_generate_random() 10 * uses mbedtls_ctr_drbg internally. */ 11#include "mbedtls/ctr_drbg.h" 12 13#include "psa/crypto.h" 14#include "psa_crypto_slot_management.h" 15 16#include "test/asn1_helpers.h" 17#include "test/psa_crypto_helpers.h" 18#include "test/psa_exercise_key.h" 19#if defined(PSA_CRYPTO_DRIVER_TEST) 20#include "test/drivers/test_driver.h" 21#define TEST_DRIVER_LOCATION PSA_CRYPTO_TEST_DRIVER_LOCATION 22#else 23#define TEST_DRIVER_LOCATION 0x7fffff 24#endif 25#include "mbedtls/legacy_or_psa.h" 26 27/* If this comes up, it's a bug in the test code or in the test data. */ 28#define UNUSED 0xdeadbeef 29 30/* Assert that an operation is (not) active. 31 * This serves as a proxy for checking if the operation is aborted. */ 32#define ASSERT_OPERATION_IS_ACTIVE( operation ) TEST_ASSERT( operation.id != 0 ) 33#define ASSERT_OPERATION_IS_INACTIVE( operation ) TEST_ASSERT( operation.id == 0 ) 34 35#if defined(PSA_WANT_ALG_JPAKE) 36int ecjpake_operation_setup( psa_pake_operation_t *operation, 37 psa_pake_cipher_suite_t *cipher_suite, 38 psa_pake_role_t role, 39 mbedtls_svc_key_id_t key, 40 size_t key_available ) 41{ 42 PSA_ASSERT( psa_pake_abort( operation ) ); 43 44 PSA_ASSERT( psa_pake_setup( operation, cipher_suite ) ); 45 46 PSA_ASSERT( psa_pake_set_role( operation, role) ); 47 48 if( key_available ) 49 PSA_ASSERT( psa_pake_set_password_key( operation, key ) ); 50 return 0; 51exit: 52 return 1; 53} 54#endif 55 56/** An invalid export length that will never be set by psa_export_key(). */ 57static const size_t INVALID_EXPORT_LENGTH = ~0U; 58 59/** Test if a buffer contains a constant byte value. 60 * 61 * `mem_is_char(buffer, c, size)` is true after `memset(buffer, c, size)`. 62 * 63 * \param buffer Pointer to the beginning of the buffer. 64 * \param c Expected value of every byte. 65 * \param size Size of the buffer in bytes. 66 * 67 * \return 1 if the buffer is all-bits-zero. 68 * \return 0 if there is at least one nonzero byte. 69 */ 70static int mem_is_char( void *buffer, unsigned char c, size_t size ) 71{ 72 size_t i; 73 for( i = 0; i < size; i++ ) 74 { 75 if( ( (unsigned char *) buffer )[i] != c ) 76 return( 0 ); 77 } 78 return( 1 ); 79} 80#if defined(MBEDTLS_ASN1_WRITE_C) 81/* Write the ASN.1 INTEGER with the value 2^(bits-1)+x backwards from *p. */ 82static int asn1_write_10x( unsigned char **p, 83 unsigned char *start, 84 size_t bits, 85 unsigned char x ) 86{ 87 int ret; 88 int len = bits / 8 + 1; 89 if( bits == 0 ) 90 return( MBEDTLS_ERR_ASN1_INVALID_DATA ); 91 if( bits <= 8 && x >= 1 << ( bits - 1 ) ) 92 return( MBEDTLS_ERR_ASN1_INVALID_DATA ); 93 if( *p < start || *p - start < (ptrdiff_t) len ) 94 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); 95 *p -= len; 96 ( *p )[len-1] = x; 97 if( bits % 8 == 0 ) 98 ( *p )[1] |= 1; 99 else 100 ( *p )[0] |= 1 << ( bits % 8 ); 101 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) ); 102 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, 103 MBEDTLS_ASN1_INTEGER ) ); 104 return( len ); 105} 106 107static int construct_fake_rsa_key( unsigned char *buffer, 108 size_t buffer_size, 109 unsigned char **p, 110 size_t bits, 111 int keypair ) 112{ 113 size_t half_bits = ( bits + 1 ) / 2; 114 int ret; 115 int len = 0; 116 /* Construct something that looks like a DER encoding of 117 * as defined by PKCS#1 v2.2 (RFC 8017) section A.1.2: 118 * RSAPrivateKey ::= SEQUENCE { 119 * version Version, 120 * modulus INTEGER, -- n 121 * publicExponent INTEGER, -- e 122 * privateExponent INTEGER, -- d 123 * prime1 INTEGER, -- p 124 * prime2 INTEGER, -- q 125 * exponent1 INTEGER, -- d mod (p-1) 126 * exponent2 INTEGER, -- d mod (q-1) 127 * coefficient INTEGER, -- (inverse of q) mod p 128 * otherPrimeInfos OtherPrimeInfos OPTIONAL 129 * } 130 * Or, for a public key, the same structure with only 131 * version, modulus and publicExponent. 132 */ 133 *p = buffer + buffer_size; 134 if( keypair ) 135 { 136 MBEDTLS_ASN1_CHK_ADD( len, /* pq */ 137 asn1_write_10x( p, buffer, half_bits, 1 ) ); 138 MBEDTLS_ASN1_CHK_ADD( len, /* dq */ 139 asn1_write_10x( p, buffer, half_bits, 1 ) ); 140 MBEDTLS_ASN1_CHK_ADD( len, /* dp */ 141 asn1_write_10x( p, buffer, half_bits, 1 ) ); 142 MBEDTLS_ASN1_CHK_ADD( len, /* q */ 143 asn1_write_10x( p, buffer, half_bits, 1 ) ); 144 MBEDTLS_ASN1_CHK_ADD( len, /* p != q to pass mbedtls sanity checks */ 145 asn1_write_10x( p, buffer, half_bits, 3 ) ); 146 MBEDTLS_ASN1_CHK_ADD( len, /* d */ 147 asn1_write_10x( p, buffer, bits, 1 ) ); 148 } 149 MBEDTLS_ASN1_CHK_ADD( len, /* e = 65537 */ 150 asn1_write_10x( p, buffer, 17, 1 ) ); 151 MBEDTLS_ASN1_CHK_ADD( len, /* n */ 152 asn1_write_10x( p, buffer, bits, 1 ) ); 153 if( keypair ) 154 MBEDTLS_ASN1_CHK_ADD( len, /* version = 0 */ 155 mbedtls_asn1_write_int( p, buffer, 0 ) ); 156 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, buffer, len ) ); 157 { 158 const unsigned char tag = 159 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE; 160 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, buffer, tag ) ); 161 } 162 return( len ); 163} 164#endif /* MBEDTLS_ASN1_WRITE_C */ 165 166int exercise_mac_setup( psa_key_type_t key_type, 167 const unsigned char *key_bytes, 168 size_t key_length, 169 psa_algorithm_t alg, 170 psa_mac_operation_t *operation, 171 psa_status_t *status ) 172{ 173 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 174 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 175 176 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH ); 177 psa_set_key_algorithm( &attributes, alg ); 178 psa_set_key_type( &attributes, key_type ); 179 PSA_ASSERT( psa_import_key( &attributes, key_bytes, key_length, &key ) ); 180 181 *status = psa_mac_sign_setup( operation, key, alg ); 182 /* Whether setup succeeded or failed, abort must succeed. */ 183 PSA_ASSERT( psa_mac_abort( operation ) ); 184 /* If setup failed, reproduce the failure, so that the caller can 185 * test the resulting state of the operation object. */ 186 if( *status != PSA_SUCCESS ) 187 { 188 TEST_EQUAL( psa_mac_sign_setup( operation, key, alg ), *status ); 189 } 190 191 psa_destroy_key( key ); 192 return( 1 ); 193 194exit: 195 psa_destroy_key( key ); 196 return( 0 ); 197} 198 199int exercise_cipher_setup( psa_key_type_t key_type, 200 const unsigned char *key_bytes, 201 size_t key_length, 202 psa_algorithm_t alg, 203 psa_cipher_operation_t *operation, 204 psa_status_t *status ) 205{ 206 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 207 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 208 209 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 210 psa_set_key_algorithm( &attributes, alg ); 211 psa_set_key_type( &attributes, key_type ); 212 PSA_ASSERT( psa_import_key( &attributes, key_bytes, key_length, &key ) ); 213 214 *status = psa_cipher_encrypt_setup( operation, key, alg ); 215 /* Whether setup succeeded or failed, abort must succeed. */ 216 PSA_ASSERT( psa_cipher_abort( operation ) ); 217 /* If setup failed, reproduce the failure, so that the caller can 218 * test the resulting state of the operation object. */ 219 if( *status != PSA_SUCCESS ) 220 { 221 TEST_EQUAL( psa_cipher_encrypt_setup( operation, key, alg ), 222 *status ); 223 } 224 225 psa_destroy_key( key ); 226 return( 1 ); 227 228exit: 229 psa_destroy_key( key ); 230 return( 0 ); 231} 232 233static int test_operations_on_invalid_key( mbedtls_svc_key_id_t key ) 234{ 235 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 236 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 1, 0x6964 ); 237 uint8_t buffer[1]; 238 size_t length; 239 int ok = 0; 240 241 psa_set_key_id( &attributes, key_id ); 242 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 243 psa_set_key_algorithm( &attributes, PSA_ALG_CTR ); 244 psa_set_key_type( &attributes, PSA_KEY_TYPE_AES ); 245 TEST_EQUAL( psa_get_key_attributes( key, &attributes ), 246 PSA_ERROR_INVALID_HANDLE ); 247 TEST_EQUAL( 248 MBEDTLS_SVC_KEY_ID_GET_KEY_ID( psa_get_key_id( &attributes ) ), 0 ); 249 TEST_EQUAL( 250 MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( psa_get_key_id( &attributes ) ), 0 ); 251 TEST_EQUAL( psa_get_key_lifetime( &attributes ), 0 ); 252 TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 0 ); 253 TEST_EQUAL( psa_get_key_algorithm( &attributes ), 0 ); 254 TEST_EQUAL( psa_get_key_type( &attributes ), 0 ); 255 TEST_EQUAL( psa_get_key_bits( &attributes ), 0 ); 256 257 TEST_EQUAL( psa_export_key( key, buffer, sizeof( buffer ), &length ), 258 PSA_ERROR_INVALID_HANDLE ); 259 TEST_EQUAL( psa_export_public_key( key, 260 buffer, sizeof( buffer ), &length ), 261 PSA_ERROR_INVALID_HANDLE ); 262 263 ok = 1; 264 265exit: 266 /* 267 * Key attributes may have been returned by psa_get_key_attributes() 268 * thus reset them as required. 269 */ 270 psa_reset_key_attributes( &attributes ); 271 272 return( ok ); 273} 274 275/* Assert that a key isn't reported as having a slot number. */ 276#if defined(MBEDTLS_PSA_CRYPTO_SE_C) 277#define ASSERT_NO_SLOT_NUMBER( attributes ) \ 278 do \ 279 { \ 280 psa_key_slot_number_t ASSERT_NO_SLOT_NUMBER_slot_number; \ 281 TEST_EQUAL( psa_get_key_slot_number( \ 282 attributes, \ 283 &ASSERT_NO_SLOT_NUMBER_slot_number ), \ 284 PSA_ERROR_INVALID_ARGUMENT ); \ 285 } \ 286 while( 0 ) 287#else /* MBEDTLS_PSA_CRYPTO_SE_C */ 288#define ASSERT_NO_SLOT_NUMBER( attributes ) \ 289 ( (void) 0 ) 290#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ 291 292/* An overapproximation of the amount of storage needed for a key of the 293 * given type and with the given content. The API doesn't make it easy 294 * to find a good value for the size. The current implementation doesn't 295 * care about the value anyway. */ 296#define KEY_BITS_FROM_DATA( type, data ) \ 297 ( data )->len 298 299typedef enum { 300 IMPORT_KEY = 0, 301 GENERATE_KEY = 1, 302 DERIVE_KEY = 2 303} generate_method; 304 305typedef enum 306{ 307 DO_NOT_SET_LENGTHS = 0, 308 SET_LENGTHS_BEFORE_NONCE = 1, 309 SET_LENGTHS_AFTER_NONCE = 2 310} set_lengths_method_t; 311 312typedef enum 313{ 314 USE_NULL_TAG = 0, 315 USE_GIVEN_TAG = 1, 316} tag_usage_method_t; 317 318/*! 319 * \brief Internal Function for AEAD multipart tests. 320 * \param key_type_arg Type of key passed in 321 * \param key_data The encryption / decryption key data 322 * \param alg_arg The type of algorithm used 323 * \param nonce Nonce data 324 * \param additional_data Additional data 325 * \param ad_part_len_arg If not -1, the length of chunks to 326 * feed additional data in to be encrypted / 327 * decrypted. If -1, no chunking. 328 * \param input_data Data to encrypt / decrypt 329 * \param data_part_len_arg If not -1, the length of chunks to feed 330 * the data in to be encrypted / decrypted. If 331 * -1, no chunking 332 * \param set_lengths_method A member of the set_lengths_method_t enum is 333 * expected here, this controls whether or not 334 * to set lengths, and in what order with 335 * respect to set nonce. 336 * \param expected_output Expected output 337 * \param is_encrypt If non-zero this is an encryption operation. 338 * \param do_zero_parts If non-zero, interleave zero length chunks 339 * with normal length chunks. 340 * \return int Zero on failure, non-zero on success. 341 */ 342static int aead_multipart_internal_func( int key_type_arg, data_t *key_data, 343 int alg_arg, 344 data_t *nonce, 345 data_t *additional_data, 346 int ad_part_len_arg, 347 data_t *input_data, 348 int data_part_len_arg, 349 set_lengths_method_t set_lengths_method, 350 data_t *expected_output, 351 int is_encrypt, 352 int do_zero_parts ) 353{ 354 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 355 psa_key_type_t key_type = key_type_arg; 356 psa_algorithm_t alg = alg_arg; 357 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 358 unsigned char *output_data = NULL; 359 unsigned char *part_data = NULL; 360 unsigned char *final_data = NULL; 361 size_t data_true_size = 0; 362 size_t part_data_size = 0; 363 size_t output_size = 0; 364 size_t final_output_size = 0; 365 size_t output_length = 0; 366 size_t key_bits = 0; 367 size_t tag_length = 0; 368 size_t part_offset = 0; 369 size_t part_length = 0; 370 size_t output_part_length = 0; 371 size_t tag_size = 0; 372 size_t ad_part_len = 0; 373 size_t data_part_len = 0; 374 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 375 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 376 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 377 378 int test_ok = 0; 379 size_t part_count = 0; 380 381 PSA_ASSERT( psa_crypto_init( ) ); 382 383 if( is_encrypt ) 384 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 385 else 386 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 387 388 psa_set_key_algorithm( &attributes, alg ); 389 psa_set_key_type( &attributes, key_type ); 390 391 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 392 &key ) ); 393 394 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 395 key_bits = psa_get_key_bits( &attributes ); 396 397 tag_length = PSA_AEAD_TAG_LENGTH( key_type, key_bits, alg ); 398 399 if( is_encrypt ) 400 { 401 /* Tag gets written at end of buffer. */ 402 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, 403 ( input_data->len + 404 tag_length ) ); 405 data_true_size = input_data->len; 406 } 407 else 408 { 409 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, 410 ( input_data->len - 411 tag_length ) ); 412 413 /* Do not want to attempt to decrypt tag. */ 414 data_true_size = input_data->len - tag_length; 415 } 416 417 ASSERT_ALLOC( output_data, output_size ); 418 419 if( is_encrypt ) 420 { 421 final_output_size = PSA_AEAD_FINISH_OUTPUT_SIZE( key_type, alg ); 422 TEST_LE_U( final_output_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE ); 423 } 424 else 425 { 426 final_output_size = PSA_AEAD_VERIFY_OUTPUT_SIZE( key_type, alg ); 427 TEST_LE_U( final_output_size, PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE ); 428 } 429 430 ASSERT_ALLOC( final_data, final_output_size ); 431 432 if( is_encrypt ) 433 status = psa_aead_encrypt_setup( &operation, key, alg ); 434 else 435 status = psa_aead_decrypt_setup( &operation, key, alg ); 436 437 /* If the operation is not supported, just skip and not fail in case the 438 * encryption involves a common limitation of cryptography hardwares and 439 * an alternative implementation. */ 440 if( status == PSA_ERROR_NOT_SUPPORTED ) 441 { 442 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 443 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce->len ); 444 } 445 446 PSA_ASSERT( status ); 447 448 if( set_lengths_method == DO_NOT_SET_LENGTHS ) 449 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 450 else if( set_lengths_method == SET_LENGTHS_BEFORE_NONCE ) 451 { 452 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 453 data_true_size ) ); 454 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 455 } 456 else if( set_lengths_method == SET_LENGTHS_AFTER_NONCE ) 457 { 458 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 459 460 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 461 data_true_size ) ); 462 } 463 464 if( ad_part_len_arg != -1 ) 465 { 466 /* Pass additional data in parts */ 467 ad_part_len = (size_t) ad_part_len_arg; 468 469 for( part_offset = 0, part_count = 0; 470 part_offset < additional_data->len; 471 part_offset += part_length, part_count++ ) 472 { 473 if( do_zero_parts && ( part_count & 0x01 ) ) 474 { 475 part_length = 0; 476 } 477 else if( additional_data->len - part_offset < ad_part_len ) 478 { 479 part_length = additional_data->len - part_offset; 480 } 481 else 482 { 483 part_length = ad_part_len; 484 } 485 486 PSA_ASSERT( psa_aead_update_ad( &operation, 487 additional_data->x + part_offset, 488 part_length ) ); 489 490 } 491 } 492 else 493 { 494 /* Pass additional data in one go. */ 495 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 496 additional_data->len ) ); 497 } 498 499 if( data_part_len_arg != -1 ) 500 { 501 /* Pass data in parts */ 502 data_part_len = ( size_t ) data_part_len_arg; 503 part_data_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, 504 ( size_t ) data_part_len ); 505 506 ASSERT_ALLOC( part_data, part_data_size ); 507 508 for( part_offset = 0, part_count = 0; 509 part_offset < data_true_size; 510 part_offset += part_length, part_count++ ) 511 { 512 if( do_zero_parts && ( part_count & 0x01 ) ) 513 { 514 part_length = 0; 515 } 516 else if( ( data_true_size - part_offset ) < data_part_len ) 517 { 518 part_length = ( data_true_size - part_offset ); 519 } 520 else 521 { 522 part_length = data_part_len; 523 } 524 525 PSA_ASSERT( psa_aead_update( &operation, 526 ( input_data->x + part_offset ), 527 part_length, part_data, 528 part_data_size, 529 &output_part_length ) ); 530 531 if( output_data && output_part_length ) 532 { 533 memcpy( ( output_data + output_length ), part_data, 534 output_part_length ); 535 } 536 537 output_length += output_part_length; 538 } 539 } 540 else 541 { 542 /* Pass all data in one go. */ 543 PSA_ASSERT( psa_aead_update( &operation, input_data->x, 544 data_true_size, output_data, 545 output_size, &output_length ) ); 546 } 547 548 if( is_encrypt ) 549 PSA_ASSERT( psa_aead_finish( &operation, final_data, 550 final_output_size, 551 &output_part_length, 552 tag_buffer, tag_length, 553 &tag_size ) ); 554 else 555 { 556 PSA_ASSERT( psa_aead_verify( &operation, final_data, 557 final_output_size, 558 &output_part_length, 559 ( input_data->x + data_true_size ), 560 tag_length ) ); 561 } 562 563 if( output_data && output_part_length ) 564 memcpy( ( output_data + output_length ), final_data, 565 output_part_length ); 566 567 output_length += output_part_length; 568 569 570 /* For all currently defined algorithms, PSA_AEAD_xxx_OUTPUT_SIZE 571 * should be exact.*/ 572 if( is_encrypt ) 573 { 574 TEST_EQUAL( tag_length, tag_size ); 575 576 if( output_data && tag_length ) 577 memcpy( ( output_data + output_length ), tag_buffer, 578 tag_length ); 579 580 output_length += tag_length; 581 582 TEST_EQUAL( output_length, 583 PSA_AEAD_ENCRYPT_OUTPUT_SIZE( key_type, alg, 584 input_data->len ) ); 585 TEST_LE_U( output_length, 586 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE( input_data->len ) ); 587 } 588 else 589 { 590 TEST_EQUAL( output_length, 591 PSA_AEAD_DECRYPT_OUTPUT_SIZE( key_type, alg, 592 input_data->len ) ); 593 TEST_LE_U( output_length, 594 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE( input_data->len ) ); 595 } 596 597 598 ASSERT_COMPARE( expected_output->x, expected_output->len, 599 output_data, output_length ); 600 601 602 test_ok = 1; 603 604exit: 605 psa_destroy_key( key ); 606 psa_aead_abort( &operation ); 607 mbedtls_free( output_data ); 608 mbedtls_free( part_data ); 609 mbedtls_free( final_data ); 610 PSA_DONE( ); 611 612 return( test_ok ); 613} 614 615/*! 616 * \brief Internal Function for MAC multipart tests. 617 * \param key_type_arg Type of key passed in 618 * \param key_data The encryption / decryption key data 619 * \param alg_arg The type of algorithm used 620 * \param input_data Data to encrypt / decrypt 621 * \param data_part_len_arg If not -1, the length of chunks to feed 622 * the data in to be encrypted / decrypted. If 623 * -1, no chunking 624 * \param expected_output Expected output 625 * \param is_verify If non-zero this is a verify operation. 626 * \param do_zero_parts If non-zero, interleave zero length chunks 627 * with normal length chunks. 628 * \return int Zero on failure, non-zero on success. 629 */ 630static int mac_multipart_internal_func( int key_type_arg, data_t *key_data, 631 int alg_arg, 632 data_t *input_data, 633 int data_part_len_arg, 634 data_t *expected_output, 635 int is_verify, 636 int do_zero_parts ) 637{ 638 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 639 psa_key_type_t key_type = key_type_arg; 640 psa_algorithm_t alg = alg_arg; 641 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 642 unsigned char mac[PSA_MAC_MAX_SIZE]; 643 size_t part_offset = 0; 644 size_t part_length = 0; 645 size_t data_part_len = 0; 646 size_t mac_len = 0; 647 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 648 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 649 650 int test_ok = 0; 651 size_t part_count = 0; 652 653 PSA_INIT( ); 654 655 if( is_verify ) 656 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH ); 657 else 658 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH ); 659 660 psa_set_key_algorithm( &attributes, alg ); 661 psa_set_key_type( &attributes, key_type ); 662 663 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 664 &key ) ); 665 666 if( is_verify ) 667 status = psa_mac_verify_setup( &operation, key, alg ); 668 else 669 status = psa_mac_sign_setup( &operation, key, alg ); 670 671 PSA_ASSERT( status ); 672 673 if( data_part_len_arg != -1 ) 674 { 675 /* Pass data in parts */ 676 data_part_len = ( size_t ) data_part_len_arg; 677 678 for( part_offset = 0, part_count = 0; 679 part_offset < input_data->len; 680 part_offset += part_length, part_count++ ) 681 { 682 if( do_zero_parts && ( part_count & 0x01 ) ) 683 { 684 part_length = 0; 685 } 686 else if( ( input_data->len - part_offset ) < data_part_len ) 687 { 688 part_length = ( input_data->len - part_offset ); 689 } 690 else 691 { 692 part_length = data_part_len; 693 } 694 695 PSA_ASSERT( psa_mac_update( &operation, 696 ( input_data->x + part_offset ), 697 part_length ) ); 698 } 699 } 700 else 701 { 702 /* Pass all data in one go. */ 703 PSA_ASSERT( psa_mac_update( &operation, input_data->x, 704 input_data->len ) ); 705 } 706 707 if( is_verify ) 708 { 709 PSA_ASSERT( psa_mac_verify_finish( &operation, expected_output->x, 710 expected_output->len ) ); 711 } 712 else 713 { 714 PSA_ASSERT( psa_mac_sign_finish( &operation, mac, 715 PSA_MAC_MAX_SIZE, &mac_len ) ); 716 717 ASSERT_COMPARE( expected_output->x, expected_output->len, 718 mac, mac_len ); 719 } 720 721 test_ok = 1; 722 723exit: 724 psa_destroy_key( key ); 725 psa_mac_abort( &operation ); 726 PSA_DONE( ); 727 728 return( test_ok ); 729} 730 731#if defined(PSA_WANT_ALG_JPAKE) 732static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, 733 psa_pake_operation_t *server, 734 psa_pake_operation_t *client, 735 int client_input_first, 736 int round, int inject_error ) 737{ 738 unsigned char *buffer0 = NULL, *buffer1 = NULL; 739 size_t buffer_length = ( 740 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE) + 741 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC) + 742 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF)) * 2; 743 /* The output should be exactly this size according to the spec */ 744 const size_t expected_size_key_share = 745 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE); 746 /* The output should be exactly this size according to the spec */ 747 const size_t expected_size_zk_public = 748 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC); 749 /* The output can be smaller: the spec allows stripping leading zeroes */ 750 const size_t max_expected_size_zk_proof = 751 PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF); 752 size_t buffer0_off = 0; 753 size_t buffer1_off = 0; 754 size_t s_g1_len, s_g2_len, s_a_len; 755 size_t s_g1_off, s_g2_off, s_a_off; 756 size_t s_x1_pk_len, s_x2_pk_len, s_x2s_pk_len; 757 size_t s_x1_pk_off, s_x2_pk_off, s_x2s_pk_off; 758 size_t s_x1_pr_len, s_x2_pr_len, s_x2s_pr_len; 759 size_t s_x1_pr_off, s_x2_pr_off, s_x2s_pr_off; 760 size_t c_g1_len, c_g2_len, c_a_len; 761 size_t c_g1_off, c_g2_off, c_a_off; 762 size_t c_x1_pk_len, c_x2_pk_len, c_x2s_pk_len; 763 size_t c_x1_pk_off, c_x2_pk_off, c_x2s_pk_off; 764 size_t c_x1_pr_len, c_x2_pr_len, c_x2s_pr_len; 765 size_t c_x1_pr_off, c_x2_pr_off, c_x2s_pr_off; 766 psa_status_t expected_status = PSA_SUCCESS; 767 psa_status_t status; 768 769 ASSERT_ALLOC( buffer0, buffer_length ); 770 ASSERT_ALLOC( buffer1, buffer_length ); 771 772 switch( round ) 773 { 774 case 1: 775 /* Server first round Output */ 776 PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE, 777 buffer0 + buffer0_off, 778 512 - buffer0_off, &s_g1_len ) ); 779 TEST_EQUAL( s_g1_len, expected_size_key_share ); 780 s_g1_off = buffer0_off; 781 buffer0_off += s_g1_len; 782 PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC, 783 buffer0 + buffer0_off, 784 512 - buffer0_off, &s_x1_pk_len ) ); 785 TEST_EQUAL( s_x1_pk_len, expected_size_zk_public ); 786 s_x1_pk_off = buffer0_off; 787 buffer0_off += s_x1_pk_len; 788 PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF, 789 buffer0 + buffer0_off, 790 512 - buffer0_off, &s_x1_pr_len ) ); 791 TEST_LE_U( s_x1_pr_len, max_expected_size_zk_proof ); 792 s_x1_pr_off = buffer0_off; 793 buffer0_off += s_x1_pr_len; 794 PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE, 795 buffer0 + buffer0_off, 796 512 - buffer0_off, &s_g2_len ) ); 797 TEST_EQUAL( s_g2_len, expected_size_key_share ); 798 s_g2_off = buffer0_off; 799 buffer0_off += s_g2_len; 800 PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC, 801 buffer0 + buffer0_off, 802 512 - buffer0_off, &s_x2_pk_len ) ); 803 TEST_EQUAL( s_x2_pk_len, expected_size_zk_public ); 804 s_x2_pk_off = buffer0_off; 805 buffer0_off += s_x2_pk_len; 806 PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF, 807 buffer0 + buffer0_off, 808 512 - buffer0_off, &s_x2_pr_len ) ); 809 TEST_LE_U( s_x2_pr_len, max_expected_size_zk_proof ); 810 s_x2_pr_off = buffer0_off; 811 buffer0_off += s_x2_pr_len; 812 813 if( inject_error == 1 ) 814 { 815 buffer0[s_x1_pr_off + 8] ^= 1; 816 buffer0[s_x2_pr_off + 7] ^= 1; 817 expected_status = PSA_ERROR_DATA_INVALID; 818 } 819 820 /* 821 * When injecting errors in inputs, the implementation is 822 * free to detect it right away of with a delay. 823 * This permits delaying the error until the end of the input 824 * sequence, if no error appears then, this will be treated 825 * as an error. 826 */ 827 828 if( client_input_first == 1 ) 829 { 830 /* Client first round Input */ 831 status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, 832 buffer0 + s_g1_off, s_g1_len ); 833 if( inject_error == 1 && status != PSA_SUCCESS ) 834 { 835 TEST_EQUAL( status, expected_status ); 836 break; 837 } 838 else 839 { 840 TEST_EQUAL( status, PSA_SUCCESS ); 841 } 842 843 status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, 844 buffer0 + s_x1_pk_off, 845 s_x1_pk_len ); 846 if( inject_error == 1 && status != PSA_SUCCESS ) 847 { 848 TEST_EQUAL( status, expected_status ); 849 break; 850 } 851 else 852 { 853 TEST_EQUAL( status, PSA_SUCCESS ); 854 } 855 856 status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, 857 buffer0 + s_x1_pr_off, 858 s_x1_pr_len ); 859 if( inject_error == 1 && status != PSA_SUCCESS ) 860 { 861 TEST_EQUAL( status, expected_status ); 862 break; 863 } 864 else 865 { 866 TEST_EQUAL( status, PSA_SUCCESS ); 867 } 868 869 status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, 870 buffer0 + s_g2_off, 871 s_g2_len ); 872 if( inject_error == 1 && status != PSA_SUCCESS ) 873 { 874 TEST_EQUAL( status, expected_status ); 875 break; 876 } 877 else 878 { 879 TEST_EQUAL( status, PSA_SUCCESS ); 880 } 881 882 status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, 883 buffer0 + s_x2_pk_off, 884 s_x2_pk_len ); 885 if( inject_error == 1 && status != PSA_SUCCESS ) 886 { 887 TEST_EQUAL( status, expected_status ); 888 break; 889 } 890 else 891 { 892 TEST_EQUAL( status, PSA_SUCCESS ); 893 } 894 895 status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, 896 buffer0 + s_x2_pr_off, 897 s_x2_pr_len ); 898 if( inject_error == 1 && status != PSA_SUCCESS ) 899 { 900 TEST_EQUAL( status, expected_status ); 901 break; 902 } 903 else 904 { 905 TEST_EQUAL( status, PSA_SUCCESS ); 906 } 907 908 /* Error didn't trigger, make test fail */ 909 if( inject_error == 1 ) 910 TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." ); 911 } 912 913 /* Client first round Output */ 914 PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE, 915 buffer1 + buffer1_off, 916 512 - buffer1_off, &c_g1_len ) ); 917 TEST_EQUAL( c_g1_len, expected_size_key_share ); 918 c_g1_off = buffer1_off; 919 buffer1_off += c_g1_len; 920 PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC, 921 buffer1 + buffer1_off, 922 512 - buffer1_off, &c_x1_pk_len ) ); 923 TEST_EQUAL( c_x1_pk_len, expected_size_zk_public ); 924 c_x1_pk_off = buffer1_off; 925 buffer1_off += c_x1_pk_len; 926 PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF, 927 buffer1 + buffer1_off, 928 512 - buffer1_off, &c_x1_pr_len ) ); 929 TEST_LE_U( c_x1_pr_len, max_expected_size_zk_proof ); 930 c_x1_pr_off = buffer1_off; 931 buffer1_off += c_x1_pr_len; 932 PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE, 933 buffer1 + buffer1_off, 934 512 - buffer1_off, &c_g2_len ) ); 935 TEST_EQUAL( c_g2_len, expected_size_key_share ); 936 c_g2_off = buffer1_off; 937 buffer1_off += c_g2_len; 938 PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC, 939 buffer1 + buffer1_off, 940 512 - buffer1_off, &c_x2_pk_len ) ); 941 TEST_EQUAL( c_x2_pk_len, expected_size_zk_public ); 942 c_x2_pk_off = buffer1_off; 943 buffer1_off += c_x2_pk_len; 944 PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF, 945 buffer1 + buffer1_off, 946 512 - buffer1_off, &c_x2_pr_len ) ); 947 TEST_LE_U( c_x2_pr_len, max_expected_size_zk_proof ); 948 c_x2_pr_off = buffer1_off; 949 buffer1_off += c_x2_pr_len; 950 951 if( client_input_first == 0 ) 952 { 953 /* Client first round Input */ 954 status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, 955 buffer0 + s_g1_off, s_g1_len ); 956 if( inject_error == 1 && status != PSA_SUCCESS ) 957 { 958 TEST_EQUAL( status, expected_status ); 959 break; 960 } 961 else 962 { 963 TEST_EQUAL( status, PSA_SUCCESS ); 964 } 965 966 status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, 967 buffer0 + s_x1_pk_off, 968 s_x1_pk_len ); 969 if( inject_error == 1 && status != PSA_SUCCESS ) 970 { 971 TEST_EQUAL( status, expected_status ); 972 break; 973 } 974 else 975 { 976 TEST_EQUAL( status, PSA_SUCCESS ); 977 } 978 979 status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, 980 buffer0 + s_x1_pr_off, 981 s_x1_pr_len ); 982 if( inject_error == 1 && status != PSA_SUCCESS ) 983 { 984 TEST_EQUAL( status, expected_status ); 985 break; 986 } 987 else 988 { 989 TEST_EQUAL( status, PSA_SUCCESS ); 990 } 991 992 status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, 993 buffer0 + s_g2_off, 994 s_g2_len ); 995 if( inject_error == 1 && status != PSA_SUCCESS ) 996 { 997 TEST_EQUAL( status, expected_status ); 998 break; 999 } 1000 else 1001 { 1002 TEST_EQUAL( status, PSA_SUCCESS ); 1003 } 1004 1005 status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, 1006 buffer0 + s_x2_pk_off, 1007 s_x2_pk_len ); 1008 if( inject_error == 1 && status != PSA_SUCCESS ) 1009 { 1010 TEST_EQUAL( status, expected_status ); 1011 break; 1012 } 1013 else 1014 { 1015 TEST_EQUAL( status, PSA_SUCCESS ); 1016 } 1017 1018 status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, 1019 buffer0 + s_x2_pr_off, 1020 s_x2_pr_len ); 1021 if( inject_error == 1 && status != PSA_SUCCESS ) 1022 { 1023 TEST_EQUAL( status, expected_status ); 1024 break; 1025 } 1026 else 1027 { 1028 TEST_EQUAL( status, PSA_SUCCESS ); 1029 } 1030 1031 /* Error didn't trigger, make test fail */ 1032 if( inject_error == 1 ) 1033 TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." ); 1034 } 1035 1036 if( inject_error == 2 ) 1037 { 1038 buffer1[c_x1_pr_off + 12] ^= 1; 1039 buffer1[c_x2_pr_off + 7] ^= 1; 1040 expected_status = PSA_ERROR_DATA_INVALID; 1041 } 1042 1043 /* Server first round Input */ 1044 status = psa_pake_input( server, PSA_PAKE_STEP_KEY_SHARE, 1045 buffer1 + c_g1_off, c_g1_len ); 1046 if( inject_error == 2 && status != PSA_SUCCESS ) 1047 { 1048 TEST_EQUAL( status, expected_status ); 1049 break; 1050 } 1051 else 1052 { 1053 TEST_EQUAL( status, PSA_SUCCESS ); 1054 } 1055 1056 status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PUBLIC, 1057 buffer1 + c_x1_pk_off, c_x1_pk_len ); 1058 if( inject_error == 2 && status != PSA_SUCCESS ) 1059 { 1060 TEST_EQUAL( status, expected_status ); 1061 break; 1062 } 1063 else 1064 { 1065 TEST_EQUAL( status, PSA_SUCCESS ); 1066 } 1067 1068 status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PROOF, 1069 buffer1 + c_x1_pr_off, c_x1_pr_len ); 1070 if( inject_error == 2 && status != PSA_SUCCESS ) 1071 { 1072 TEST_EQUAL( status, expected_status ); 1073 break; 1074 } 1075 else 1076 { 1077 TEST_EQUAL( status, PSA_SUCCESS ); 1078 } 1079 1080 status = psa_pake_input( server, PSA_PAKE_STEP_KEY_SHARE, 1081 buffer1 + c_g2_off, c_g2_len ); 1082 if( inject_error == 2 && status != PSA_SUCCESS ) 1083 { 1084 TEST_EQUAL( status, expected_status ); 1085 break; 1086 } 1087 else 1088 { 1089 TEST_EQUAL( status, PSA_SUCCESS ); 1090 } 1091 1092 status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PUBLIC, 1093 buffer1 + c_x2_pk_off, c_x2_pk_len ); 1094 if( inject_error == 2 && status != PSA_SUCCESS ) 1095 { 1096 TEST_EQUAL( status, expected_status ); 1097 break; 1098 } 1099 else 1100 { 1101 TEST_EQUAL( status, PSA_SUCCESS ); 1102 } 1103 1104 status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PROOF, 1105 buffer1 + c_x2_pr_off, c_x2_pr_len ); 1106 if( inject_error == 2 && status != PSA_SUCCESS ) 1107 { 1108 TEST_EQUAL( status, expected_status ); 1109 break; 1110 } 1111 else 1112 { 1113 TEST_EQUAL( status, PSA_SUCCESS ); 1114 } 1115 1116 /* Error didn't trigger, make test fail */ 1117 if( inject_error == 2 ) 1118 TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." ); 1119 1120 break; 1121 1122 case 2: 1123 /* Server second round Output */ 1124 buffer0_off = 0; 1125 1126 PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE, 1127 buffer0 + buffer0_off, 1128 512 - buffer0_off, &s_a_len ) ); 1129 TEST_EQUAL( s_a_len, expected_size_key_share ); 1130 s_a_off = buffer0_off; 1131 buffer0_off += s_a_len; 1132 PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC, 1133 buffer0 + buffer0_off, 1134 512 - buffer0_off, &s_x2s_pk_len ) ); 1135 TEST_EQUAL( s_x2s_pk_len, expected_size_zk_public ); 1136 s_x2s_pk_off = buffer0_off; 1137 buffer0_off += s_x2s_pk_len; 1138 PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF, 1139 buffer0 + buffer0_off, 1140 512 - buffer0_off, &s_x2s_pr_len ) ); 1141 TEST_LE_U( s_x2s_pr_len, max_expected_size_zk_proof ); 1142 s_x2s_pr_off = buffer0_off; 1143 buffer0_off += s_x2s_pr_len; 1144 1145 if( inject_error == 3 ) 1146 { 1147 buffer0[s_x2s_pk_off + 12] += 0x33; 1148 expected_status = PSA_ERROR_DATA_INVALID; 1149 } 1150 1151 if( client_input_first == 1 ) 1152 { 1153 /* Client second round Input */ 1154 status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, 1155 buffer0 + s_a_off, s_a_len ); 1156 if( inject_error == 3 && status != PSA_SUCCESS ) 1157 { 1158 TEST_EQUAL( status, expected_status ); 1159 break; 1160 } 1161 else 1162 { 1163 TEST_EQUAL( status, PSA_SUCCESS ); 1164 } 1165 1166 status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, 1167 buffer0 + s_x2s_pk_off, 1168 s_x2s_pk_len ); 1169 if( inject_error == 3 && status != PSA_SUCCESS ) 1170 { 1171 TEST_EQUAL( status, expected_status ); 1172 break; 1173 } 1174 else 1175 { 1176 TEST_EQUAL( status, PSA_SUCCESS ); 1177 } 1178 1179 status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, 1180 buffer0 + s_x2s_pr_off, 1181 s_x2s_pr_len ); 1182 if( inject_error == 3 && status != PSA_SUCCESS ) 1183 { 1184 TEST_EQUAL( status, expected_status ); 1185 break; 1186 } 1187 else 1188 { 1189 TEST_EQUAL( status, PSA_SUCCESS ); 1190 } 1191 1192 /* Error didn't trigger, make test fail */ 1193 if( inject_error == 3 ) 1194 TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." ); 1195 } 1196 1197 /* Client second round Output */ 1198 buffer1_off = 0; 1199 1200 PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE, 1201 buffer1 + buffer1_off, 1202 512 - buffer1_off, &c_a_len ) ); 1203 TEST_EQUAL( c_a_len, expected_size_key_share ); 1204 c_a_off = buffer1_off; 1205 buffer1_off += c_a_len; 1206 PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC, 1207 buffer1 + buffer1_off, 1208 512 - buffer1_off, &c_x2s_pk_len ) ); 1209 TEST_EQUAL( c_x2s_pk_len, expected_size_zk_public ); 1210 c_x2s_pk_off = buffer1_off; 1211 buffer1_off += c_x2s_pk_len; 1212 PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF, 1213 buffer1 + buffer1_off, 1214 512 - buffer1_off, &c_x2s_pr_len ) ); 1215 TEST_LE_U( c_x2s_pr_len, max_expected_size_zk_proof ); 1216 c_x2s_pr_off = buffer1_off; 1217 buffer1_off += c_x2s_pr_len; 1218 1219 if( client_input_first == 0 ) 1220 { 1221 /* Client second round Input */ 1222 status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, 1223 buffer0 + s_a_off, s_a_len ); 1224 if( inject_error == 3 && status != PSA_SUCCESS ) 1225 { 1226 TEST_EQUAL( status, expected_status ); 1227 break; 1228 } 1229 else 1230 { 1231 TEST_EQUAL( status, PSA_SUCCESS ); 1232 } 1233 1234 status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, 1235 buffer0 + s_x2s_pk_off, 1236 s_x2s_pk_len ); 1237 if( inject_error == 3 && status != PSA_SUCCESS ) 1238 { 1239 TEST_EQUAL( status, expected_status ); 1240 break; 1241 } 1242 else 1243 { 1244 TEST_EQUAL( status, PSA_SUCCESS ); 1245 } 1246 1247 status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, 1248 buffer0 + s_x2s_pr_off, 1249 s_x2s_pr_len ); 1250 if( inject_error == 3 && status != PSA_SUCCESS ) 1251 { 1252 TEST_EQUAL( status, expected_status ); 1253 break; 1254 } 1255 else 1256 { 1257 TEST_EQUAL( status, PSA_SUCCESS ); 1258 } 1259 1260 /* Error didn't trigger, make test fail */ 1261 if( inject_error == 3 ) 1262 TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." ); 1263 } 1264 1265 if( inject_error == 4 ) 1266 { 1267 buffer1[c_x2s_pk_off + 7] += 0x28; 1268 expected_status = PSA_ERROR_DATA_INVALID; 1269 } 1270 1271 /* Server second round Input */ 1272 status = psa_pake_input( server, PSA_PAKE_STEP_KEY_SHARE, 1273 buffer1 + c_a_off, c_a_len ); 1274 if( inject_error == 4 && status != PSA_SUCCESS ) 1275 { 1276 TEST_EQUAL( status, expected_status ); 1277 break; 1278 } 1279 else 1280 { 1281 TEST_EQUAL( status, PSA_SUCCESS ); 1282 } 1283 1284 status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PUBLIC, 1285 buffer1 + c_x2s_pk_off, c_x2s_pk_len ); 1286 if( inject_error == 4 && status != PSA_SUCCESS ) 1287 { 1288 TEST_EQUAL( status, expected_status ); 1289 break; 1290 } 1291 else 1292 { 1293 TEST_EQUAL( status, PSA_SUCCESS ); 1294 } 1295 1296 status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PROOF, 1297 buffer1 + c_x2s_pr_off, c_x2s_pr_len ); 1298 if( inject_error == 4 && status != PSA_SUCCESS ) 1299 { 1300 TEST_EQUAL( status, expected_status ); 1301 break; 1302 } 1303 else 1304 { 1305 TEST_EQUAL( status, PSA_SUCCESS ); 1306 } 1307 1308 /* Error didn't trigger, make test fail */ 1309 if( inject_error == 4 ) 1310 TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." ); 1311 1312 break; 1313 1314 } 1315 1316exit: 1317 mbedtls_free( buffer0 ); 1318 mbedtls_free( buffer1 ); 1319} 1320#endif /* PSA_WANT_ALG_JPAKE */ 1321 1322typedef enum 1323{ 1324 INJECT_ERR_NONE = 0, 1325 INJECT_ERR_UNINITIALIZED_ACCESS, 1326 INJECT_ERR_DUPLICATE_SETUP, 1327 INJECT_ERR_INVALID_USER, 1328 INJECT_ERR_INVALID_PEER, 1329 INJECT_ERR_SET_USER, 1330 INJECT_ERR_SET_PEER, 1331 INJECT_EMPTY_IO_BUFFER, 1332 INJECT_UNKNOWN_STEP, 1333 INJECT_INVALID_FIRST_STEP, 1334 INJECT_WRONG_BUFFER_SIZE, 1335 INJECT_VALID_OPERATION_AFTER_FAILURE, 1336 INJECT_ANTICIPATE_KEY_DERIVATION_1, 1337 INJECT_ANTICIPATE_KEY_DERIVATION_2, 1338} ecjpake_injected_failure_t; 1339 1340/* END_HEADER */ 1341 1342/* BEGIN_DEPENDENCIES 1343 * depends_on:MBEDTLS_PSA_CRYPTO_C 1344 * END_DEPENDENCIES 1345 */ 1346 1347/* BEGIN_CASE */ 1348void static_checks( ) 1349{ 1350 size_t max_truncated_mac_size = 1351 PSA_ALG_MAC_TRUNCATION_MASK >> PSA_MAC_TRUNCATION_OFFSET; 1352 1353 /* Check that the length for a truncated MAC always fits in the algorithm 1354 * encoding. The shifted mask is the maximum truncated value. The 1355 * untruncated algorithm may be one byte larger. */ 1356 TEST_LE_U( PSA_MAC_MAX_SIZE, 1 + max_truncated_mac_size ); 1357} 1358/* END_CASE */ 1359 1360/* BEGIN_CASE */ 1361void import_with_policy( int type_arg, 1362 int usage_arg, int alg_arg, 1363 int expected_status_arg ) 1364{ 1365 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1366 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 1367 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1368 psa_key_type_t type = type_arg; 1369 psa_key_usage_t usage = usage_arg; 1370 psa_algorithm_t alg = alg_arg; 1371 psa_status_t expected_status = expected_status_arg; 1372 const uint8_t key_material[16] = {0}; 1373 psa_status_t status; 1374 1375 PSA_ASSERT( psa_crypto_init( ) ); 1376 1377 psa_set_key_type( &attributes, type ); 1378 psa_set_key_usage_flags( &attributes, usage ); 1379 psa_set_key_algorithm( &attributes, alg ); 1380 1381 status = psa_import_key( &attributes, 1382 key_material, sizeof( key_material ), 1383 &key ); 1384 TEST_EQUAL( status, expected_status ); 1385 if( status != PSA_SUCCESS ) 1386 goto exit; 1387 1388 PSA_ASSERT( psa_get_key_attributes( key, &got_attributes ) ); 1389 TEST_EQUAL( psa_get_key_type( &got_attributes ), type ); 1390 TEST_EQUAL( psa_get_key_usage_flags( &got_attributes ), 1391 mbedtls_test_update_key_usage_flags( usage ) ); 1392 TEST_EQUAL( psa_get_key_algorithm( &got_attributes ), alg ); 1393 ASSERT_NO_SLOT_NUMBER( &got_attributes ); 1394 1395 PSA_ASSERT( psa_destroy_key( key ) ); 1396 test_operations_on_invalid_key( key ); 1397 1398exit: 1399 /* 1400 * Key attributes may have been returned by psa_get_key_attributes() 1401 * thus reset them as required. 1402 */ 1403 psa_reset_key_attributes( &got_attributes ); 1404 1405 psa_destroy_key( key ); 1406 PSA_DONE( ); 1407} 1408/* END_CASE */ 1409 1410/* BEGIN_CASE */ 1411void import_with_data( data_t *data, int type_arg, 1412 int attr_bits_arg, 1413 int expected_status_arg ) 1414{ 1415 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1416 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 1417 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1418 psa_key_type_t type = type_arg; 1419 size_t attr_bits = attr_bits_arg; 1420 psa_status_t expected_status = expected_status_arg; 1421 psa_status_t status; 1422 1423 PSA_ASSERT( psa_crypto_init( ) ); 1424 1425 psa_set_key_type( &attributes, type ); 1426 psa_set_key_bits( &attributes, attr_bits ); 1427 1428 status = psa_import_key( &attributes, data->x, data->len, &key ); 1429 TEST_EQUAL( status, expected_status ); 1430 if( status != PSA_SUCCESS ) 1431 goto exit; 1432 1433 PSA_ASSERT( psa_get_key_attributes( key, &got_attributes ) ); 1434 TEST_EQUAL( psa_get_key_type( &got_attributes ), type ); 1435 if( attr_bits != 0 ) 1436 TEST_EQUAL( attr_bits, psa_get_key_bits( &got_attributes ) ); 1437 ASSERT_NO_SLOT_NUMBER( &got_attributes ); 1438 1439 PSA_ASSERT( psa_destroy_key( key ) ); 1440 test_operations_on_invalid_key( key ); 1441 1442exit: 1443 /* 1444 * Key attributes may have been returned by psa_get_key_attributes() 1445 * thus reset them as required. 1446 */ 1447 psa_reset_key_attributes( &got_attributes ); 1448 1449 psa_destroy_key( key ); 1450 PSA_DONE( ); 1451} 1452/* END_CASE */ 1453 1454/* BEGIN_CASE */ 1455void import_large_key( int type_arg, int byte_size_arg, 1456 int expected_status_arg ) 1457{ 1458 psa_key_type_t type = type_arg; 1459 size_t byte_size = byte_size_arg; 1460 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1461 psa_status_t expected_status = expected_status_arg; 1462 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1463 psa_status_t status; 1464 uint8_t *buffer = NULL; 1465 size_t buffer_size = byte_size + 1; 1466 size_t n; 1467 1468 /* Skip the test case if the target running the test cannot 1469 * accommodate large keys due to heap size constraints */ 1470 ASSERT_ALLOC_WEAK( buffer, buffer_size ); 1471 memset( buffer, 'K', byte_size ); 1472 1473 PSA_ASSERT( psa_crypto_init( ) ); 1474 1475 /* Try importing the key */ 1476 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT ); 1477 psa_set_key_type( &attributes, type ); 1478 status = psa_import_key( &attributes, buffer, byte_size, &key ); 1479 TEST_ASSUME( status != PSA_ERROR_INSUFFICIENT_MEMORY ); 1480 TEST_EQUAL( status, expected_status ); 1481 1482 if( status == PSA_SUCCESS ) 1483 { 1484 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 1485 TEST_EQUAL( psa_get_key_type( &attributes ), type ); 1486 TEST_EQUAL( psa_get_key_bits( &attributes ), 1487 PSA_BYTES_TO_BITS( byte_size ) ); 1488 ASSERT_NO_SLOT_NUMBER( &attributes ); 1489 memset( buffer, 0, byte_size + 1 ); 1490 PSA_ASSERT( psa_export_key( key, buffer, byte_size, &n ) ); 1491 for( n = 0; n < byte_size; n++ ) 1492 TEST_EQUAL( buffer[n], 'K' ); 1493 for( n = byte_size; n < buffer_size; n++ ) 1494 TEST_EQUAL( buffer[n], 0 ); 1495 } 1496 1497exit: 1498 /* 1499 * Key attributes may have been returned by psa_get_key_attributes() 1500 * thus reset them as required. 1501 */ 1502 psa_reset_key_attributes( &attributes ); 1503 1504 psa_destroy_key( key ); 1505 PSA_DONE( ); 1506 mbedtls_free( buffer ); 1507} 1508/* END_CASE */ 1509 1510/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C */ 1511void import_rsa_made_up( int bits_arg, int keypair, int expected_status_arg ) 1512{ 1513 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1514 size_t bits = bits_arg; 1515 psa_status_t expected_status = expected_status_arg; 1516 psa_status_t status; 1517 psa_key_type_t type = 1518 keypair ? PSA_KEY_TYPE_RSA_KEY_PAIR : PSA_KEY_TYPE_RSA_PUBLIC_KEY; 1519 size_t buffer_size = /* Slight overapproximations */ 1520 keypair ? bits * 9 / 16 + 80 : bits / 8 + 20; 1521 unsigned char *buffer = NULL; 1522 unsigned char *p; 1523 int ret; 1524 size_t length; 1525 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1526 1527 PSA_ASSERT( psa_crypto_init( ) ); 1528 ASSERT_ALLOC( buffer, buffer_size ); 1529 1530 TEST_ASSERT( ( ret = construct_fake_rsa_key( buffer, buffer_size, &p, 1531 bits, keypair ) ) >= 0 ); 1532 length = ret; 1533 1534 /* Try importing the key */ 1535 psa_set_key_type( &attributes, type ); 1536 status = psa_import_key( &attributes, p, length, &key ); 1537 TEST_EQUAL( status, expected_status ); 1538 1539 if( status == PSA_SUCCESS ) 1540 PSA_ASSERT( psa_destroy_key( key ) ); 1541 1542exit: 1543 mbedtls_free( buffer ); 1544 PSA_DONE( ); 1545} 1546/* END_CASE */ 1547 1548/* BEGIN_CASE */ 1549void import_export( data_t *data, 1550 int type_arg, 1551 int usage_arg, int alg_arg, 1552 int lifetime_arg, 1553 int expected_bits, 1554 int export_size_delta, 1555 int expected_export_status_arg, 1556 int canonical_input ) 1557{ 1558 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1559 psa_key_type_t type = type_arg; 1560 psa_algorithm_t alg = alg_arg; 1561 psa_status_t expected_export_status = expected_export_status_arg; 1562 psa_status_t status; 1563 psa_key_lifetime_t lifetime = lifetime_arg; 1564 unsigned char *exported = NULL; 1565 unsigned char *reexported = NULL; 1566 size_t export_size; 1567 size_t exported_length = INVALID_EXPORT_LENGTH; 1568 size_t reexported_length; 1569 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1570 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 1571 1572 export_size = (ptrdiff_t) data->len + export_size_delta; 1573 ASSERT_ALLOC( exported, export_size ); 1574 if( ! canonical_input ) 1575 ASSERT_ALLOC( reexported, export_size ); 1576 PSA_ASSERT( psa_crypto_init( ) ); 1577 1578 psa_set_key_lifetime( &attributes, lifetime ); 1579 psa_set_key_usage_flags( &attributes, usage_arg ); 1580 psa_set_key_algorithm( &attributes, alg ); 1581 psa_set_key_type( &attributes, type ); 1582 1583 /* Import the key */ 1584 PSA_ASSERT( psa_import_key( &attributes, data->x, data->len, &key ) ); 1585 1586 /* Test the key information */ 1587 PSA_ASSERT( psa_get_key_attributes( key, &got_attributes ) ); 1588 TEST_EQUAL( psa_get_key_type( &got_attributes ), type ); 1589 TEST_EQUAL( psa_get_key_bits( &got_attributes ), (size_t) expected_bits ); 1590 ASSERT_NO_SLOT_NUMBER( &got_attributes ); 1591 1592 /* Export the key */ 1593 status = psa_export_key( key, exported, export_size, &exported_length ); 1594 TEST_EQUAL( status, expected_export_status ); 1595 1596 /* The exported length must be set by psa_export_key() to a value between 0 1597 * and export_size. On errors, the exported length must be 0. */ 1598 TEST_ASSERT( exported_length != INVALID_EXPORT_LENGTH ); 1599 TEST_ASSERT( status == PSA_SUCCESS || exported_length == 0 ); 1600 TEST_LE_U( exported_length, export_size ); 1601 1602 TEST_ASSERT( mem_is_char( exported + exported_length, 0, 1603 export_size - exported_length ) ); 1604 if( status != PSA_SUCCESS ) 1605 { 1606 TEST_EQUAL( exported_length, 0 ); 1607 goto destroy; 1608 } 1609 1610 /* Run sanity checks on the exported key. For non-canonical inputs, 1611 * this validates the canonical representations. For canonical inputs, 1612 * this doesn't directly validate the implementation, but it still helps 1613 * by cross-validating the test data with the sanity check code. */ 1614 if( !psa_key_lifetime_is_external( lifetime ) ) 1615 { 1616 if( ! mbedtls_test_psa_exercise_key( key, usage_arg, 0 ) ) 1617 goto exit; 1618 } 1619 1620 if( canonical_input ) 1621 ASSERT_COMPARE( data->x, data->len, exported, exported_length ); 1622 else 1623 { 1624 mbedtls_svc_key_id_t key2 = MBEDTLS_SVC_KEY_ID_INIT; 1625 PSA_ASSERT( psa_import_key( &attributes, exported, exported_length, 1626 &key2 ) ); 1627 PSA_ASSERT( psa_export_key( key2, 1628 reexported, 1629 export_size, 1630 &reexported_length ) ); 1631 ASSERT_COMPARE( exported, exported_length, 1632 reexported, reexported_length ); 1633 PSA_ASSERT( psa_destroy_key( key2 ) ); 1634 } 1635 TEST_LE_U( exported_length, 1636 PSA_EXPORT_KEY_OUTPUT_SIZE( type, 1637 psa_get_key_bits( &got_attributes ) ) ); 1638 TEST_LE_U( exported_length, PSA_EXPORT_KEY_PAIR_MAX_SIZE ); 1639 1640destroy: 1641 /* Destroy the key */ 1642 PSA_ASSERT( psa_destroy_key( key ) ); 1643 test_operations_on_invalid_key( key ); 1644 1645exit: 1646 /* 1647 * Key attributes may have been returned by psa_get_key_attributes() 1648 * thus reset them as required. 1649 */ 1650 psa_reset_key_attributes( &got_attributes ); 1651 psa_destroy_key( key ) ; 1652 mbedtls_free( exported ); 1653 mbedtls_free( reexported ); 1654 PSA_DONE( ); 1655} 1656/* END_CASE */ 1657 1658/* BEGIN_CASE */ 1659void import_export_public_key( data_t *data, 1660 int type_arg, 1661 int alg_arg, 1662 int lifetime_arg, 1663 int export_size_delta, 1664 int expected_export_status_arg, 1665 data_t *expected_public_key ) 1666{ 1667 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1668 psa_key_type_t type = type_arg; 1669 psa_algorithm_t alg = alg_arg; 1670 psa_status_t expected_export_status = expected_export_status_arg; 1671 psa_status_t status; 1672 psa_key_lifetime_t lifetime = lifetime_arg; 1673 unsigned char *exported = NULL; 1674 size_t export_size = expected_public_key->len + export_size_delta; 1675 size_t exported_length = INVALID_EXPORT_LENGTH; 1676 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1677 1678 PSA_ASSERT( psa_crypto_init( ) ); 1679 1680 psa_set_key_lifetime( &attributes, lifetime ); 1681 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT ); 1682 psa_set_key_algorithm( &attributes, alg ); 1683 psa_set_key_type( &attributes, type ); 1684 1685 /* Import the key */ 1686 PSA_ASSERT( psa_import_key( &attributes, data->x, data->len, &key ) ); 1687 1688 /* Export the public key */ 1689 ASSERT_ALLOC( exported, export_size ); 1690 status = psa_export_public_key( key, 1691 exported, export_size, 1692 &exported_length ); 1693 TEST_EQUAL( status, expected_export_status ); 1694 if( status == PSA_SUCCESS ) 1695 { 1696 psa_key_type_t public_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( type ); 1697 size_t bits; 1698 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 1699 bits = psa_get_key_bits( &attributes ); 1700 TEST_LE_U( expected_public_key->len, 1701 PSA_EXPORT_KEY_OUTPUT_SIZE( public_type, bits ) ); 1702 TEST_LE_U( expected_public_key->len, 1703 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( public_type, bits ) ); 1704 TEST_LE_U( expected_public_key->len, 1705 PSA_EXPORT_PUBLIC_KEY_MAX_SIZE ); 1706 ASSERT_COMPARE( expected_public_key->x, expected_public_key->len, 1707 exported, exported_length ); 1708 } 1709exit: 1710 /* 1711 * Key attributes may have been returned by psa_get_key_attributes() 1712 * thus reset them as required. 1713 */ 1714 psa_reset_key_attributes( &attributes ); 1715 1716 mbedtls_free( exported ); 1717 psa_destroy_key( key ); 1718 PSA_DONE( ); 1719} 1720/* END_CASE */ 1721 1722/* BEGIN_CASE */ 1723void import_and_exercise_key( data_t *data, 1724 int type_arg, 1725 int bits_arg, 1726 int alg_arg ) 1727{ 1728 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1729 psa_key_type_t type = type_arg; 1730 size_t bits = bits_arg; 1731 psa_algorithm_t alg = alg_arg; 1732 psa_key_usage_t usage = mbedtls_test_psa_usage_to_exercise( type, alg ); 1733 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1734 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 1735 1736 PSA_ASSERT( psa_crypto_init( ) ); 1737 1738 psa_set_key_usage_flags( &attributes, usage ); 1739 psa_set_key_algorithm( &attributes, alg ); 1740 psa_set_key_type( &attributes, type ); 1741 1742 /* Import the key */ 1743 PSA_ASSERT( psa_import_key( &attributes, data->x, data->len, &key ) ); 1744 1745 /* Test the key information */ 1746 PSA_ASSERT( psa_get_key_attributes( key, &got_attributes ) ); 1747 TEST_EQUAL( psa_get_key_type( &got_attributes ), type ); 1748 TEST_EQUAL( psa_get_key_bits( &got_attributes ), bits ); 1749 1750 /* Do something with the key according to its type and permitted usage. */ 1751 if( ! mbedtls_test_psa_exercise_key( key, usage, alg ) ) 1752 goto exit; 1753 1754 PSA_ASSERT( psa_destroy_key( key ) ); 1755 test_operations_on_invalid_key( key ); 1756 1757exit: 1758 /* 1759 * Key attributes may have been returned by psa_get_key_attributes() 1760 * thus reset them as required. 1761 */ 1762 psa_reset_key_attributes( &got_attributes ); 1763 1764 psa_reset_key_attributes( &attributes ); 1765 psa_destroy_key( key ); 1766 PSA_DONE( ); 1767} 1768/* END_CASE */ 1769 1770/* BEGIN_CASE */ 1771void effective_key_attributes( int type_arg, int expected_type_arg, 1772 int bits_arg, int expected_bits_arg, 1773 int usage_arg, int expected_usage_arg, 1774 int alg_arg, int expected_alg_arg ) 1775{ 1776 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1777 psa_key_type_t key_type = type_arg; 1778 psa_key_type_t expected_key_type = expected_type_arg; 1779 size_t bits = bits_arg; 1780 size_t expected_bits = expected_bits_arg; 1781 psa_algorithm_t alg = alg_arg; 1782 psa_algorithm_t expected_alg = expected_alg_arg; 1783 psa_key_usage_t usage = usage_arg; 1784 psa_key_usage_t expected_usage = expected_usage_arg; 1785 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1786 1787 PSA_ASSERT( psa_crypto_init( ) ); 1788 1789 psa_set_key_usage_flags( &attributes, usage ); 1790 psa_set_key_algorithm( &attributes, alg ); 1791 psa_set_key_type( &attributes, key_type ); 1792 psa_set_key_bits( &attributes, bits ); 1793 1794 PSA_ASSERT( psa_generate_key( &attributes, &key ) ); 1795 psa_reset_key_attributes( &attributes ); 1796 1797 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 1798 TEST_EQUAL( psa_get_key_type( &attributes ), expected_key_type ); 1799 TEST_EQUAL( psa_get_key_bits( &attributes ), expected_bits ); 1800 TEST_EQUAL( psa_get_key_usage_flags( &attributes ), expected_usage ); 1801 TEST_EQUAL( psa_get_key_algorithm( &attributes ), expected_alg ); 1802 1803exit: 1804 /* 1805 * Key attributes may have been returned by psa_get_key_attributes() 1806 * thus reset them as required. 1807 */ 1808 psa_reset_key_attributes( &attributes ); 1809 1810 psa_destroy_key( key ); 1811 PSA_DONE( ); 1812} 1813/* END_CASE */ 1814 1815/* BEGIN_CASE */ 1816void check_key_policy( int type_arg, int bits_arg, 1817 int usage_arg, int alg_arg ) 1818{ 1819 test_effective_key_attributes( type_arg, type_arg, bits_arg, bits_arg, 1820 usage_arg, 1821 mbedtls_test_update_key_usage_flags( usage_arg ), 1822 alg_arg, alg_arg ); 1823 goto exit; 1824} 1825/* END_CASE */ 1826 1827/* BEGIN_CASE */ 1828void key_attributes_init( ) 1829{ 1830 /* Test each valid way of initializing the object, except for `= {0}`, as 1831 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 1832 * though it's OK by the C standard. We could test for this, but we'd need 1833 * to suppress the Clang warning for the test. */ 1834 psa_key_attributes_t func = psa_key_attributes_init( ); 1835 psa_key_attributes_t init = PSA_KEY_ATTRIBUTES_INIT; 1836 psa_key_attributes_t zero; 1837 1838 memset( &zero, 0, sizeof( zero ) ); 1839 1840 TEST_EQUAL( psa_get_key_lifetime( &func ), PSA_KEY_LIFETIME_VOLATILE ); 1841 TEST_EQUAL( psa_get_key_lifetime( &init ), PSA_KEY_LIFETIME_VOLATILE ); 1842 TEST_EQUAL( psa_get_key_lifetime( &zero ), PSA_KEY_LIFETIME_VOLATILE ); 1843 1844 TEST_EQUAL( psa_get_key_type( &func ), 0 ); 1845 TEST_EQUAL( psa_get_key_type( &init ), 0 ); 1846 TEST_EQUAL( psa_get_key_type( &zero ), 0 ); 1847 1848 TEST_EQUAL( psa_get_key_bits( &func ), 0 ); 1849 TEST_EQUAL( psa_get_key_bits( &init ), 0 ); 1850 TEST_EQUAL( psa_get_key_bits( &zero ), 0 ); 1851 1852 TEST_EQUAL( psa_get_key_usage_flags( &func ), 0 ); 1853 TEST_EQUAL( psa_get_key_usage_flags( &init ), 0 ); 1854 TEST_EQUAL( psa_get_key_usage_flags( &zero ), 0 ); 1855 1856 TEST_EQUAL( psa_get_key_algorithm( &func ), 0 ); 1857 TEST_EQUAL( psa_get_key_algorithm( &init ), 0 ); 1858 TEST_EQUAL( psa_get_key_algorithm( &zero ), 0 ); 1859} 1860/* END_CASE */ 1861 1862/* BEGIN_CASE */ 1863void mac_key_policy( int policy_usage_arg, 1864 int policy_alg_arg, 1865 int key_type_arg, 1866 data_t *key_data, 1867 int exercise_alg_arg, 1868 int expected_status_sign_arg, 1869 int expected_status_verify_arg ) 1870{ 1871 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1872 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1873 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 1874 psa_key_type_t key_type = key_type_arg; 1875 psa_algorithm_t policy_alg = policy_alg_arg; 1876 psa_algorithm_t exercise_alg = exercise_alg_arg; 1877 psa_key_usage_t policy_usage = policy_usage_arg; 1878 psa_status_t status; 1879 psa_status_t expected_status_sign = expected_status_sign_arg; 1880 psa_status_t expected_status_verify = expected_status_verify_arg; 1881 unsigned char mac[PSA_MAC_MAX_SIZE]; 1882 1883 PSA_ASSERT( psa_crypto_init( ) ); 1884 1885 psa_set_key_usage_flags( &attributes, policy_usage ); 1886 psa_set_key_algorithm( &attributes, policy_alg ); 1887 psa_set_key_type( &attributes, key_type ); 1888 1889 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 1890 &key ) ); 1891 1892 TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 1893 mbedtls_test_update_key_usage_flags( policy_usage ) ); 1894 1895 status = psa_mac_sign_setup( &operation, key, exercise_alg ); 1896 TEST_EQUAL( status, expected_status_sign ); 1897 1898 /* Calculate the MAC, one-shot case. */ 1899 uint8_t input[128] = {0}; 1900 size_t mac_len; 1901 TEST_EQUAL( psa_mac_compute( key, exercise_alg, 1902 input, 128, 1903 mac, PSA_MAC_MAX_SIZE, &mac_len ), 1904 expected_status_sign ); 1905 1906 /* Calculate the MAC, multi-part case. */ 1907 PSA_ASSERT( psa_mac_abort( &operation ) ); 1908 status = psa_mac_sign_setup( &operation, key, exercise_alg ); 1909 if( status == PSA_SUCCESS ) 1910 { 1911 status = psa_mac_update( &operation, input, 128 ); 1912 if( status == PSA_SUCCESS ) 1913 TEST_EQUAL( psa_mac_sign_finish( &operation, mac, PSA_MAC_MAX_SIZE, 1914 &mac_len ), 1915 expected_status_sign ); 1916 else 1917 TEST_EQUAL( status, expected_status_sign ); 1918 } 1919 else 1920 { 1921 TEST_EQUAL( status, expected_status_sign ); 1922 } 1923 PSA_ASSERT( psa_mac_abort( &operation ) ); 1924 1925 /* Verify correct MAC, one-shot case. */ 1926 status = psa_mac_verify( key, exercise_alg, input, 128, 1927 mac, mac_len ); 1928 1929 if( expected_status_sign != PSA_SUCCESS && expected_status_verify == PSA_SUCCESS ) 1930 TEST_EQUAL( status, PSA_ERROR_INVALID_SIGNATURE ); 1931 else 1932 TEST_EQUAL( status, expected_status_verify ); 1933 1934 /* Verify correct MAC, multi-part case. */ 1935 status = psa_mac_verify_setup( &operation, key, exercise_alg ); 1936 if( status == PSA_SUCCESS ) 1937 { 1938 status = psa_mac_update( &operation, input, 128 ); 1939 if( status == PSA_SUCCESS ) 1940 { 1941 status = psa_mac_verify_finish( &operation, mac, mac_len ); 1942 if( expected_status_sign != PSA_SUCCESS && expected_status_verify == PSA_SUCCESS ) 1943 TEST_EQUAL( status, PSA_ERROR_INVALID_SIGNATURE ); 1944 else 1945 TEST_EQUAL( status, expected_status_verify ); 1946 } 1947 else 1948 { 1949 TEST_EQUAL( status, expected_status_verify ); 1950 } 1951 } 1952 else 1953 { 1954 TEST_EQUAL( status, expected_status_verify ); 1955 } 1956 1957 psa_mac_abort( &operation ); 1958 1959 memset( mac, 0, sizeof( mac ) ); 1960 status = psa_mac_verify_setup( &operation, key, exercise_alg ); 1961 TEST_EQUAL( status, expected_status_verify ); 1962 1963exit: 1964 psa_mac_abort( &operation ); 1965 psa_destroy_key( key ); 1966 PSA_DONE( ); 1967} 1968/* END_CASE */ 1969 1970/* BEGIN_CASE */ 1971void cipher_key_policy( int policy_usage_arg, 1972 int policy_alg, 1973 int key_type, 1974 data_t *key_data, 1975 int exercise_alg ) 1976{ 1977 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 1978 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1979 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 1980 psa_key_usage_t policy_usage = policy_usage_arg; 1981 size_t output_buffer_size = 0; 1982 size_t input_buffer_size = 0; 1983 size_t output_length = 0; 1984 uint8_t *output = NULL; 1985 uint8_t *input = NULL; 1986 psa_status_t status; 1987 1988 input_buffer_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH( exercise_alg ); 1989 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, exercise_alg, 1990 input_buffer_size ); 1991 1992 ASSERT_ALLOC( input, input_buffer_size ); 1993 ASSERT_ALLOC( output, output_buffer_size ); 1994 1995 PSA_ASSERT( psa_crypto_init( ) ); 1996 1997 psa_set_key_usage_flags( &attributes, policy_usage ); 1998 psa_set_key_algorithm( &attributes, policy_alg ); 1999 psa_set_key_type( &attributes, key_type ); 2000 2001 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 2002 &key ) ); 2003 2004 /* Check if no key usage flag implication is done */ 2005 TEST_EQUAL( policy_usage, 2006 mbedtls_test_update_key_usage_flags( policy_usage ) ); 2007 2008 /* Encrypt check, one-shot */ 2009 status = psa_cipher_encrypt( key, exercise_alg, input, input_buffer_size, 2010 output, output_buffer_size, 2011 &output_length); 2012 if( policy_alg == exercise_alg && 2013 ( policy_usage & PSA_KEY_USAGE_ENCRYPT ) != 0 ) 2014 PSA_ASSERT( status ); 2015 else 2016 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 2017 2018 /* Encrypt check, multi-part */ 2019 status = psa_cipher_encrypt_setup( &operation, key, exercise_alg ); 2020 if( policy_alg == exercise_alg && 2021 ( policy_usage & PSA_KEY_USAGE_ENCRYPT ) != 0 ) 2022 PSA_ASSERT( status ); 2023 else 2024 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 2025 psa_cipher_abort( &operation ); 2026 2027 /* Decrypt check, one-shot */ 2028 status = psa_cipher_decrypt( key, exercise_alg, output, output_buffer_size, 2029 input, input_buffer_size, 2030 &output_length); 2031 if( policy_alg == exercise_alg && 2032 ( policy_usage & PSA_KEY_USAGE_DECRYPT ) != 0 ) 2033 PSA_ASSERT( status ); 2034 else 2035 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 2036 2037 /* Decrypt check, multi-part */ 2038 status = psa_cipher_decrypt_setup( &operation, key, exercise_alg ); 2039 if( policy_alg == exercise_alg && 2040 ( policy_usage & PSA_KEY_USAGE_DECRYPT ) != 0 ) 2041 PSA_ASSERT( status ); 2042 else 2043 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 2044 2045exit: 2046 psa_cipher_abort( &operation ); 2047 mbedtls_free( input ); 2048 mbedtls_free( output ); 2049 psa_destroy_key( key ); 2050 PSA_DONE( ); 2051} 2052/* END_CASE */ 2053 2054/* BEGIN_CASE */ 2055void aead_key_policy( int policy_usage_arg, 2056 int policy_alg, 2057 int key_type, 2058 data_t *key_data, 2059 int nonce_length_arg, 2060 int tag_length_arg, 2061 int exercise_alg, 2062 int expected_status_arg ) 2063{ 2064 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2065 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2066 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 2067 psa_key_usage_t policy_usage = policy_usage_arg; 2068 psa_status_t status; 2069 psa_status_t expected_status = expected_status_arg; 2070 unsigned char nonce[16] = {0}; 2071 size_t nonce_length = nonce_length_arg; 2072 unsigned char tag[16]; 2073 size_t tag_length = tag_length_arg; 2074 size_t output_length; 2075 2076 TEST_LE_U( nonce_length, sizeof( nonce ) ); 2077 TEST_LE_U( tag_length, sizeof( tag ) ); 2078 2079 PSA_ASSERT( psa_crypto_init( ) ); 2080 2081 psa_set_key_usage_flags( &attributes, policy_usage ); 2082 psa_set_key_algorithm( &attributes, policy_alg ); 2083 psa_set_key_type( &attributes, key_type ); 2084 2085 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 2086 &key ) ); 2087 2088 /* Check if no key usage implication is done */ 2089 TEST_EQUAL( policy_usage, 2090 mbedtls_test_update_key_usage_flags( policy_usage ) ); 2091 2092 /* Encrypt check, one-shot */ 2093 status = psa_aead_encrypt( key, exercise_alg, 2094 nonce, nonce_length, 2095 NULL, 0, 2096 NULL, 0, 2097 tag, tag_length, 2098 &output_length ); 2099 if( ( policy_usage & PSA_KEY_USAGE_ENCRYPT ) != 0 ) 2100 TEST_EQUAL( status, expected_status ); 2101 else 2102 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 2103 2104 /* Encrypt check, multi-part */ 2105 status = psa_aead_encrypt_setup( &operation, key, exercise_alg ); 2106 if( ( policy_usage & PSA_KEY_USAGE_ENCRYPT ) != 0 ) 2107 TEST_EQUAL( status, expected_status ); 2108 else 2109 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 2110 2111 /* Decrypt check, one-shot */ 2112 memset( tag, 0, sizeof( tag ) ); 2113 status = psa_aead_decrypt( key, exercise_alg, 2114 nonce, nonce_length, 2115 NULL, 0, 2116 tag, tag_length, 2117 NULL, 0, 2118 &output_length ); 2119 if( ( policy_usage & PSA_KEY_USAGE_DECRYPT ) == 0 ) 2120 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 2121 else if( expected_status == PSA_SUCCESS ) 2122 TEST_EQUAL( status, PSA_ERROR_INVALID_SIGNATURE ); 2123 else 2124 TEST_EQUAL( status, expected_status ); 2125 2126 /* Decrypt check, multi-part */ 2127 PSA_ASSERT( psa_aead_abort( &operation ) ); 2128 status = psa_aead_decrypt_setup( &operation, key, exercise_alg ); 2129 if( ( policy_usage & PSA_KEY_USAGE_DECRYPT ) == 0 ) 2130 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 2131 else 2132 TEST_EQUAL( status, expected_status ); 2133 2134exit: 2135 PSA_ASSERT( psa_aead_abort( &operation ) ); 2136 psa_destroy_key( key ); 2137 PSA_DONE( ); 2138} 2139/* END_CASE */ 2140 2141/* BEGIN_CASE */ 2142void asymmetric_encryption_key_policy( int policy_usage_arg, 2143 int policy_alg, 2144 int key_type, 2145 data_t *key_data, 2146 int exercise_alg ) 2147{ 2148 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2149 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2150 psa_key_usage_t policy_usage = policy_usage_arg; 2151 psa_status_t status; 2152 size_t key_bits; 2153 size_t buffer_length; 2154 unsigned char *buffer = NULL; 2155 size_t output_length; 2156 2157 PSA_ASSERT( psa_crypto_init( ) ); 2158 2159 psa_set_key_usage_flags( &attributes, policy_usage ); 2160 psa_set_key_algorithm( &attributes, policy_alg ); 2161 psa_set_key_type( &attributes, key_type ); 2162 2163 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 2164 &key ) ); 2165 2166 /* Check if no key usage implication is done */ 2167 TEST_EQUAL( policy_usage, 2168 mbedtls_test_update_key_usage_flags( policy_usage ) ); 2169 2170 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 2171 key_bits = psa_get_key_bits( &attributes ); 2172 buffer_length = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE( key_type, key_bits, 2173 exercise_alg ); 2174 ASSERT_ALLOC( buffer, buffer_length ); 2175 2176 status = psa_asymmetric_encrypt( key, exercise_alg, 2177 NULL, 0, 2178 NULL, 0, 2179 buffer, buffer_length, 2180 &output_length ); 2181 if( policy_alg == exercise_alg && 2182 ( policy_usage & PSA_KEY_USAGE_ENCRYPT ) != 0 ) 2183 PSA_ASSERT( status ); 2184 else 2185 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 2186 2187 if( buffer_length != 0 ) 2188 memset( buffer, 0, buffer_length ); 2189 status = psa_asymmetric_decrypt( key, exercise_alg, 2190 buffer, buffer_length, 2191 NULL, 0, 2192 buffer, buffer_length, 2193 &output_length ); 2194 if( policy_alg == exercise_alg && 2195 ( policy_usage & PSA_KEY_USAGE_DECRYPT ) != 0 ) 2196 TEST_EQUAL( status, PSA_ERROR_INVALID_PADDING ); 2197 else 2198 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 2199 2200exit: 2201 /* 2202 * Key attributes may have been returned by psa_get_key_attributes() 2203 * thus reset them as required. 2204 */ 2205 psa_reset_key_attributes( &attributes ); 2206 2207 psa_destroy_key( key ); 2208 PSA_DONE( ); 2209 mbedtls_free( buffer ); 2210} 2211/* END_CASE */ 2212 2213/* BEGIN_CASE */ 2214void asymmetric_signature_key_policy( int policy_usage_arg, 2215 int policy_alg, 2216 int key_type, 2217 data_t *key_data, 2218 int exercise_alg, 2219 int payload_length_arg, 2220 int expected_usage_arg ) 2221{ 2222 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2223 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2224 psa_key_usage_t policy_usage = policy_usage_arg; 2225 psa_key_usage_t expected_usage = expected_usage_arg; 2226 psa_status_t status; 2227 unsigned char payload[PSA_HASH_MAX_SIZE] = {1}; 2228 /* If `payload_length_arg > 0`, `exercise_alg` is supposed to be 2229 * compatible with the policy and `payload_length_arg` is supposed to be 2230 * a valid input length to sign. If `payload_length_arg <= 0`, 2231 * `exercise_alg` is supposed to be forbidden by the policy. */ 2232 int compatible_alg = payload_length_arg > 0; 2233 size_t payload_length = compatible_alg ? payload_length_arg : 0; 2234 unsigned char signature[PSA_SIGNATURE_MAX_SIZE] = {0}; 2235 size_t signature_length; 2236 2237 /* Check if all implicit usage flags are deployed 2238 in the expected usage flags. */ 2239 TEST_EQUAL( expected_usage, 2240 mbedtls_test_update_key_usage_flags( policy_usage ) ); 2241 2242 PSA_ASSERT( psa_crypto_init( ) ); 2243 2244 psa_set_key_usage_flags( &attributes, policy_usage ); 2245 psa_set_key_algorithm( &attributes, policy_alg ); 2246 psa_set_key_type( &attributes, key_type ); 2247 2248 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 2249 &key ) ); 2250 2251 TEST_EQUAL( psa_get_key_usage_flags( &attributes ), expected_usage ); 2252 2253 status = psa_sign_hash( key, exercise_alg, 2254 payload, payload_length, 2255 signature, sizeof( signature ), 2256 &signature_length ); 2257 if( compatible_alg && ( expected_usage & PSA_KEY_USAGE_SIGN_HASH ) != 0 ) 2258 PSA_ASSERT( status ); 2259 else 2260 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 2261 2262 memset( signature, 0, sizeof( signature ) ); 2263 status = psa_verify_hash( key, exercise_alg, 2264 payload, payload_length, 2265 signature, sizeof( signature ) ); 2266 if( compatible_alg && ( expected_usage & PSA_KEY_USAGE_VERIFY_HASH ) != 0 ) 2267 TEST_EQUAL( status, PSA_ERROR_INVALID_SIGNATURE ); 2268 else 2269 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 2270 2271 if( PSA_ALG_IS_SIGN_HASH( exercise_alg ) && 2272 PSA_ALG_IS_HASH( PSA_ALG_SIGN_GET_HASH( exercise_alg ) ) ) 2273 { 2274 status = psa_sign_message( key, exercise_alg, 2275 payload, payload_length, 2276 signature, sizeof( signature ), 2277 &signature_length ); 2278 if( compatible_alg && ( expected_usage & PSA_KEY_USAGE_SIGN_MESSAGE ) != 0 ) 2279 PSA_ASSERT( status ); 2280 else 2281 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 2282 2283 memset( signature, 0, sizeof( signature ) ); 2284 status = psa_verify_message( key, exercise_alg, 2285 payload, payload_length, 2286 signature, sizeof( signature ) ); 2287 if( compatible_alg && ( expected_usage & PSA_KEY_USAGE_VERIFY_MESSAGE ) != 0 ) 2288 TEST_EQUAL( status, PSA_ERROR_INVALID_SIGNATURE ); 2289 else 2290 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 2291 } 2292 2293exit: 2294 psa_destroy_key( key ); 2295 PSA_DONE( ); 2296} 2297/* END_CASE */ 2298 2299/* BEGIN_CASE */ 2300void derive_key_policy( int policy_usage, 2301 int policy_alg, 2302 int key_type, 2303 data_t *key_data, 2304 int exercise_alg ) 2305{ 2306 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2307 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2308 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 2309 psa_status_t status; 2310 2311 PSA_ASSERT( psa_crypto_init( ) ); 2312 2313 psa_set_key_usage_flags( &attributes, policy_usage ); 2314 psa_set_key_algorithm( &attributes, policy_alg ); 2315 psa_set_key_type( &attributes, key_type ); 2316 2317 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 2318 &key ) ); 2319 2320 PSA_ASSERT( psa_key_derivation_setup( &operation, exercise_alg ) ); 2321 2322 if( PSA_ALG_IS_TLS12_PRF( exercise_alg ) || 2323 PSA_ALG_IS_TLS12_PSK_TO_MS( exercise_alg ) ) 2324 { 2325 PSA_ASSERT( psa_key_derivation_input_bytes( 2326 &operation, 2327 PSA_KEY_DERIVATION_INPUT_SEED, 2328 (const uint8_t*) "", 0) ); 2329 } 2330 2331 status = psa_key_derivation_input_key( &operation, 2332 PSA_KEY_DERIVATION_INPUT_SECRET, 2333 key ); 2334 2335 if( policy_alg == exercise_alg && 2336 ( policy_usage & PSA_KEY_USAGE_DERIVE ) != 0 ) 2337 PSA_ASSERT( status ); 2338 else 2339 TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); 2340 2341exit: 2342 psa_key_derivation_abort( &operation ); 2343 psa_destroy_key( key ); 2344 PSA_DONE( ); 2345} 2346/* END_CASE */ 2347 2348/* BEGIN_CASE */ 2349void agreement_key_policy( int policy_usage, 2350 int policy_alg, 2351 int key_type_arg, 2352 data_t *key_data, 2353 int exercise_alg, 2354 int expected_status_arg ) 2355{ 2356 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2357 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2358 psa_key_type_t key_type = key_type_arg; 2359 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 2360 psa_status_t status; 2361 psa_status_t expected_status = expected_status_arg; 2362 2363 PSA_ASSERT( psa_crypto_init( ) ); 2364 2365 psa_set_key_usage_flags( &attributes, policy_usage ); 2366 psa_set_key_algorithm( &attributes, policy_alg ); 2367 psa_set_key_type( &attributes, key_type ); 2368 2369 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 2370 &key ) ); 2371 2372 PSA_ASSERT( psa_key_derivation_setup( &operation, exercise_alg ) ); 2373 status = mbedtls_test_psa_key_agreement_with_self( &operation, key ); 2374 2375 TEST_EQUAL( status, expected_status ); 2376 2377exit: 2378 psa_key_derivation_abort( &operation ); 2379 psa_destroy_key( key ); 2380 PSA_DONE( ); 2381} 2382/* END_CASE */ 2383 2384/* BEGIN_CASE */ 2385void key_policy_alg2( int key_type_arg, data_t *key_data, 2386 int usage_arg, int alg_arg, int alg2_arg ) 2387{ 2388 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2389 psa_key_type_t key_type = key_type_arg; 2390 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2391 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 2392 psa_key_usage_t usage = usage_arg; 2393 psa_algorithm_t alg = alg_arg; 2394 psa_algorithm_t alg2 = alg2_arg; 2395 2396 PSA_ASSERT( psa_crypto_init( ) ); 2397 2398 psa_set_key_usage_flags( &attributes, usage ); 2399 psa_set_key_algorithm( &attributes, alg ); 2400 psa_set_key_enrollment_algorithm( &attributes, alg2 ); 2401 psa_set_key_type( &attributes, key_type ); 2402 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 2403 &key ) ); 2404 2405 /* Update the usage flags to obtain implicit usage flags */ 2406 usage = mbedtls_test_update_key_usage_flags( usage ); 2407 PSA_ASSERT( psa_get_key_attributes( key, &got_attributes ) ); 2408 TEST_EQUAL( psa_get_key_usage_flags( &got_attributes ), usage ); 2409 TEST_EQUAL( psa_get_key_algorithm( &got_attributes ), alg ); 2410 TEST_EQUAL( psa_get_key_enrollment_algorithm( &got_attributes ), alg2 ); 2411 2412 if( ! mbedtls_test_psa_exercise_key( key, usage, alg ) ) 2413 goto exit; 2414 if( ! mbedtls_test_psa_exercise_key( key, usage, alg2 ) ) 2415 goto exit; 2416 2417exit: 2418 /* 2419 * Key attributes may have been returned by psa_get_key_attributes() 2420 * thus reset them as required. 2421 */ 2422 psa_reset_key_attributes( &got_attributes ); 2423 2424 psa_destroy_key( key ); 2425 PSA_DONE( ); 2426} 2427/* END_CASE */ 2428 2429/* BEGIN_CASE */ 2430void raw_agreement_key_policy( int policy_usage, 2431 int policy_alg, 2432 int key_type_arg, 2433 data_t *key_data, 2434 int exercise_alg, 2435 int expected_status_arg ) 2436{ 2437 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2438 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2439 psa_key_type_t key_type = key_type_arg; 2440 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 2441 psa_status_t status; 2442 psa_status_t expected_status = expected_status_arg; 2443 2444 PSA_ASSERT( psa_crypto_init( ) ); 2445 2446 psa_set_key_usage_flags( &attributes, policy_usage ); 2447 psa_set_key_algorithm( &attributes, policy_alg ); 2448 psa_set_key_type( &attributes, key_type ); 2449 2450 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 2451 &key ) ); 2452 2453 status = mbedtls_test_psa_raw_key_agreement_with_self( exercise_alg, key ); 2454 2455 TEST_EQUAL( status, expected_status ); 2456 2457exit: 2458 psa_key_derivation_abort( &operation ); 2459 psa_destroy_key( key ); 2460 PSA_DONE( ); 2461} 2462/* END_CASE */ 2463 2464/* BEGIN_CASE */ 2465void copy_success( int source_usage_arg, 2466 int source_alg_arg, int source_alg2_arg, 2467 unsigned int source_lifetime_arg, 2468 int type_arg, data_t *material, 2469 int copy_attributes, 2470 int target_usage_arg, 2471 int target_alg_arg, int target_alg2_arg, 2472 unsigned int target_lifetime_arg, 2473 int expected_usage_arg, 2474 int expected_alg_arg, int expected_alg2_arg ) 2475{ 2476 psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT; 2477 psa_key_attributes_t target_attributes = PSA_KEY_ATTRIBUTES_INIT; 2478 psa_key_usage_t expected_usage = expected_usage_arg; 2479 psa_algorithm_t expected_alg = expected_alg_arg; 2480 psa_algorithm_t expected_alg2 = expected_alg2_arg; 2481 psa_key_lifetime_t source_lifetime = source_lifetime_arg; 2482 psa_key_lifetime_t target_lifetime = target_lifetime_arg; 2483 mbedtls_svc_key_id_t source_key = MBEDTLS_SVC_KEY_ID_INIT; 2484 mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT; 2485 uint8_t *export_buffer = NULL; 2486 2487 PSA_ASSERT( psa_crypto_init( ) ); 2488 2489 /* Prepare the source key. */ 2490 psa_set_key_usage_flags( &source_attributes, source_usage_arg ); 2491 psa_set_key_algorithm( &source_attributes, source_alg_arg ); 2492 psa_set_key_enrollment_algorithm( &source_attributes, source_alg2_arg ); 2493 psa_set_key_type( &source_attributes, type_arg ); 2494 psa_set_key_lifetime( &source_attributes, source_lifetime); 2495 PSA_ASSERT( psa_import_key( &source_attributes, 2496 material->x, material->len, 2497 &source_key ) ); 2498 PSA_ASSERT( psa_get_key_attributes( source_key, &source_attributes ) ); 2499 2500 /* Prepare the target attributes. */ 2501 if( copy_attributes ) 2502 { 2503 target_attributes = source_attributes; 2504 } 2505 psa_set_key_lifetime( &target_attributes, target_lifetime); 2506 2507 if( target_usage_arg != -1 ) 2508 psa_set_key_usage_flags( &target_attributes, target_usage_arg ); 2509 if( target_alg_arg != -1 ) 2510 psa_set_key_algorithm( &target_attributes, target_alg_arg ); 2511 if( target_alg2_arg != -1 ) 2512 psa_set_key_enrollment_algorithm( &target_attributes, target_alg2_arg ); 2513 2514 2515 /* Copy the key. */ 2516 PSA_ASSERT( psa_copy_key( source_key, 2517 &target_attributes, &target_key ) ); 2518 2519 /* Destroy the source to ensure that this doesn't affect the target. */ 2520 PSA_ASSERT( psa_destroy_key( source_key ) ); 2521 2522 /* Test that the target slot has the expected content and policy. */ 2523 PSA_ASSERT( psa_get_key_attributes( target_key, &target_attributes ) ); 2524 TEST_EQUAL( psa_get_key_type( &source_attributes ), 2525 psa_get_key_type( &target_attributes ) ); 2526 TEST_EQUAL( psa_get_key_bits( &source_attributes ), 2527 psa_get_key_bits( &target_attributes ) ); 2528 TEST_EQUAL( expected_usage, psa_get_key_usage_flags( &target_attributes ) ); 2529 TEST_EQUAL( expected_alg, psa_get_key_algorithm( &target_attributes ) ); 2530 TEST_EQUAL( expected_alg2, 2531 psa_get_key_enrollment_algorithm( &target_attributes ) ); 2532 if( expected_usage & PSA_KEY_USAGE_EXPORT ) 2533 { 2534 size_t length; 2535 ASSERT_ALLOC( export_buffer, material->len ); 2536 PSA_ASSERT( psa_export_key( target_key, export_buffer, 2537 material->len, &length ) ); 2538 ASSERT_COMPARE( material->x, material->len, 2539 export_buffer, length ); 2540 } 2541 2542 if( !psa_key_lifetime_is_external( target_lifetime ) ) 2543 { 2544 if( ! mbedtls_test_psa_exercise_key( target_key, expected_usage, expected_alg ) ) 2545 goto exit; 2546 if( ! mbedtls_test_psa_exercise_key( target_key, expected_usage, expected_alg2 ) ) 2547 goto exit; 2548 } 2549 2550 PSA_ASSERT( psa_destroy_key( target_key ) ); 2551 2552exit: 2553 /* 2554 * Source and target key attributes may have been returned by 2555 * psa_get_key_attributes() thus reset them as required. 2556 */ 2557 psa_reset_key_attributes( &source_attributes ); 2558 psa_reset_key_attributes( &target_attributes ); 2559 2560 PSA_DONE( ); 2561 mbedtls_free( export_buffer ); 2562} 2563/* END_CASE */ 2564 2565/* BEGIN_CASE */ 2566void copy_fail( int source_usage_arg, 2567 int source_alg_arg, int source_alg2_arg, 2568 int source_lifetime_arg, 2569 int type_arg, data_t *material, 2570 int target_type_arg, int target_bits_arg, 2571 int target_usage_arg, 2572 int target_alg_arg, int target_alg2_arg, 2573 int target_id_arg, int target_lifetime_arg, 2574 int expected_status_arg ) 2575{ 2576 psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT; 2577 psa_key_attributes_t target_attributes = PSA_KEY_ATTRIBUTES_INIT; 2578 mbedtls_svc_key_id_t source_key = MBEDTLS_SVC_KEY_ID_INIT; 2579 mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT; 2580 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 1, target_id_arg ); 2581 2582 PSA_ASSERT( psa_crypto_init( ) ); 2583 2584 /* Prepare the source key. */ 2585 psa_set_key_usage_flags( &source_attributes, source_usage_arg ); 2586 psa_set_key_algorithm( &source_attributes, source_alg_arg ); 2587 psa_set_key_enrollment_algorithm( &source_attributes, source_alg2_arg ); 2588 psa_set_key_type( &source_attributes, type_arg ); 2589 psa_set_key_lifetime( &source_attributes, source_lifetime_arg ); 2590 PSA_ASSERT( psa_import_key( &source_attributes, 2591 material->x, material->len, 2592 &source_key ) ); 2593 2594 /* Prepare the target attributes. */ 2595 psa_set_key_id( &target_attributes, key_id ); 2596 psa_set_key_lifetime( &target_attributes, target_lifetime_arg ); 2597 psa_set_key_type( &target_attributes, target_type_arg ); 2598 psa_set_key_bits( &target_attributes, target_bits_arg ); 2599 psa_set_key_usage_flags( &target_attributes, target_usage_arg ); 2600 psa_set_key_algorithm( &target_attributes, target_alg_arg ); 2601 psa_set_key_enrollment_algorithm( &target_attributes, target_alg2_arg ); 2602 2603 /* Try to copy the key. */ 2604 TEST_EQUAL( psa_copy_key( source_key, 2605 &target_attributes, &target_key ), 2606 expected_status_arg ); 2607 2608 PSA_ASSERT( psa_destroy_key( source_key ) ); 2609 2610exit: 2611 psa_reset_key_attributes( &source_attributes ); 2612 psa_reset_key_attributes( &target_attributes ); 2613 PSA_DONE( ); 2614} 2615/* END_CASE */ 2616 2617/* BEGIN_CASE */ 2618void hash_operation_init( ) 2619{ 2620 const uint8_t input[1] = { 0 }; 2621 /* Test each valid way of initializing the object, except for `= {0}`, as 2622 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 2623 * though it's OK by the C standard. We could test for this, but we'd need 2624 * to suppress the Clang warning for the test. */ 2625 psa_hash_operation_t func = psa_hash_operation_init( ); 2626 psa_hash_operation_t init = PSA_HASH_OPERATION_INIT; 2627 psa_hash_operation_t zero; 2628 2629 memset( &zero, 0, sizeof( zero ) ); 2630 2631 /* A freshly-initialized hash operation should not be usable. */ 2632 TEST_EQUAL( psa_hash_update( &func, input, sizeof( input ) ), 2633 PSA_ERROR_BAD_STATE ); 2634 TEST_EQUAL( psa_hash_update( &init, input, sizeof( input ) ), 2635 PSA_ERROR_BAD_STATE ); 2636 TEST_EQUAL( psa_hash_update( &zero, input, sizeof( input ) ), 2637 PSA_ERROR_BAD_STATE ); 2638 2639 /* A default hash operation should be abortable without error. */ 2640 PSA_ASSERT( psa_hash_abort( &func ) ); 2641 PSA_ASSERT( psa_hash_abort( &init ) ); 2642 PSA_ASSERT( psa_hash_abort( &zero ) ); 2643} 2644/* END_CASE */ 2645 2646/* BEGIN_CASE */ 2647void hash_setup( int alg_arg, 2648 int expected_status_arg ) 2649{ 2650 psa_algorithm_t alg = alg_arg; 2651 uint8_t *output = NULL; 2652 size_t output_size = 0; 2653 size_t output_length = 0; 2654 psa_status_t expected_status = expected_status_arg; 2655 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 2656 psa_status_t status; 2657 2658 PSA_ASSERT( psa_crypto_init( ) ); 2659 2660 /* Hash Setup, one-shot */ 2661 output_size = PSA_HASH_LENGTH( alg ); 2662 ASSERT_ALLOC( output, output_size ); 2663 2664 status = psa_hash_compute( alg, NULL, 0, 2665 output, output_size, &output_length ); 2666 TEST_EQUAL( status, expected_status ); 2667 2668 /* Hash Setup, multi-part */ 2669 status = psa_hash_setup( &operation, alg ); 2670 TEST_EQUAL( status, expected_status ); 2671 2672 /* Whether setup succeeded or failed, abort must succeed. */ 2673 PSA_ASSERT( psa_hash_abort( &operation ) ); 2674 2675 /* If setup failed, reproduce the failure, so as to 2676 * test the resulting state of the operation object. */ 2677 if( status != PSA_SUCCESS ) 2678 TEST_EQUAL( psa_hash_setup( &operation, alg ), status ); 2679 2680 /* Now the operation object should be reusable. */ 2681#if defined(KNOWN_SUPPORTED_HASH_ALG) 2682 PSA_ASSERT( psa_hash_setup( &operation, KNOWN_SUPPORTED_HASH_ALG ) ); 2683 PSA_ASSERT( psa_hash_abort( &operation ) ); 2684#endif 2685 2686exit: 2687 mbedtls_free( output ); 2688 PSA_DONE( ); 2689} 2690/* END_CASE */ 2691 2692/* BEGIN_CASE */ 2693void hash_compute_fail( int alg_arg, data_t *input, 2694 int output_size_arg, int expected_status_arg ) 2695{ 2696 psa_algorithm_t alg = alg_arg; 2697 uint8_t *output = NULL; 2698 size_t output_size = output_size_arg; 2699 size_t output_length = INVALID_EXPORT_LENGTH; 2700 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 2701 psa_status_t expected_status = expected_status_arg; 2702 psa_status_t status; 2703 2704 ASSERT_ALLOC( output, output_size ); 2705 2706 PSA_ASSERT( psa_crypto_init( ) ); 2707 2708 /* Hash Compute, one-shot */ 2709 status = psa_hash_compute( alg, input->x, input->len, 2710 output, output_size, &output_length ); 2711 TEST_EQUAL( status, expected_status ); 2712 TEST_LE_U( output_length, output_size ); 2713 2714 /* Hash Compute, multi-part */ 2715 status = psa_hash_setup( &operation, alg ); 2716 if( status == PSA_SUCCESS ) 2717 { 2718 status = psa_hash_update( &operation, input->x, input->len ); 2719 if( status == PSA_SUCCESS ) 2720 { 2721 status = psa_hash_finish( &operation, output, output_size, 2722 &output_length ); 2723 if( status == PSA_SUCCESS ) 2724 TEST_LE_U( output_length, output_size ); 2725 else 2726 TEST_EQUAL( status, expected_status ); 2727 } 2728 else 2729 { 2730 TEST_EQUAL( status, expected_status ); 2731 } 2732 } 2733 else 2734 { 2735 TEST_EQUAL( status, expected_status ); 2736 } 2737 2738exit: 2739 PSA_ASSERT( psa_hash_abort( &operation ) ); 2740 mbedtls_free( output ); 2741 PSA_DONE( ); 2742} 2743/* END_CASE */ 2744 2745/* BEGIN_CASE */ 2746void hash_compare_fail( int alg_arg, data_t *input, 2747 data_t *reference_hash, 2748 int expected_status_arg ) 2749{ 2750 psa_algorithm_t alg = alg_arg; 2751 psa_status_t expected_status = expected_status_arg; 2752 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 2753 psa_status_t status; 2754 2755 PSA_ASSERT( psa_crypto_init( ) ); 2756 2757 /* Hash Compare, one-shot */ 2758 status = psa_hash_compare( alg, input->x, input->len, 2759 reference_hash->x, reference_hash->len ); 2760 TEST_EQUAL( status, expected_status ); 2761 2762 /* Hash Compare, multi-part */ 2763 status = psa_hash_setup( &operation, alg ); 2764 if( status == PSA_SUCCESS ) 2765 { 2766 status = psa_hash_update( &operation, input->x, input->len ); 2767 if( status == PSA_SUCCESS ) 2768 { 2769 status = psa_hash_verify( &operation, reference_hash->x, 2770 reference_hash->len ); 2771 TEST_EQUAL( status, expected_status ); 2772 } 2773 else 2774 { 2775 TEST_EQUAL( status, expected_status ); 2776 } 2777 } 2778 else 2779 { 2780 TEST_EQUAL( status, expected_status ); 2781 } 2782 2783exit: 2784 PSA_ASSERT( psa_hash_abort( &operation ) ); 2785 PSA_DONE( ); 2786} 2787/* END_CASE */ 2788 2789/* BEGIN_CASE */ 2790void hash_compute_compare( int alg_arg, data_t *input, 2791 data_t *expected_output ) 2792{ 2793 psa_algorithm_t alg = alg_arg; 2794 uint8_t output[PSA_HASH_MAX_SIZE + 1]; 2795 size_t output_length = INVALID_EXPORT_LENGTH; 2796 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 2797 size_t i; 2798 2799 PSA_ASSERT( psa_crypto_init( ) ); 2800 2801 /* Compute with tight buffer, one-shot */ 2802 PSA_ASSERT( psa_hash_compute( alg, input->x, input->len, 2803 output, PSA_HASH_LENGTH( alg ), 2804 &output_length ) ); 2805 TEST_EQUAL( output_length, PSA_HASH_LENGTH( alg ) ); 2806 ASSERT_COMPARE( output, output_length, 2807 expected_output->x, expected_output->len ); 2808 2809 /* Compute with tight buffer, multi-part */ 2810 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2811 PSA_ASSERT( psa_hash_update( &operation, input->x, input->len ) ); 2812 PSA_ASSERT( psa_hash_finish( &operation, output, 2813 PSA_HASH_LENGTH( alg ), 2814 &output_length ) ); 2815 TEST_EQUAL( output_length, PSA_HASH_LENGTH( alg ) ); 2816 ASSERT_COMPARE( output, output_length, 2817 expected_output->x, expected_output->len ); 2818 2819 /* Compute with larger buffer, one-shot */ 2820 PSA_ASSERT( psa_hash_compute( alg, input->x, input->len, 2821 output, sizeof( output ), 2822 &output_length ) ); 2823 TEST_EQUAL( output_length, PSA_HASH_LENGTH( alg ) ); 2824 ASSERT_COMPARE( output, output_length, 2825 expected_output->x, expected_output->len ); 2826 2827 /* Compute with larger buffer, multi-part */ 2828 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2829 PSA_ASSERT( psa_hash_update( &operation, input->x, input->len ) ); 2830 PSA_ASSERT( psa_hash_finish( &operation, output, 2831 sizeof( output ), &output_length ) ); 2832 TEST_EQUAL( output_length, PSA_HASH_LENGTH( alg ) ); 2833 ASSERT_COMPARE( output, output_length, 2834 expected_output->x, expected_output->len ); 2835 2836 /* Compare with correct hash, one-shot */ 2837 PSA_ASSERT( psa_hash_compare( alg, input->x, input->len, 2838 output, output_length ) ); 2839 2840 /* Compare with correct hash, multi-part */ 2841 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2842 PSA_ASSERT( psa_hash_update( &operation, input->x, input->len ) ); 2843 PSA_ASSERT( psa_hash_verify( &operation, output, 2844 output_length ) ); 2845 2846 /* Compare with trailing garbage, one-shot */ 2847 TEST_EQUAL( psa_hash_compare( alg, input->x, input->len, 2848 output, output_length + 1 ), 2849 PSA_ERROR_INVALID_SIGNATURE ); 2850 2851 /* Compare with trailing garbage, multi-part */ 2852 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2853 PSA_ASSERT( psa_hash_update( &operation, input->x, input->len ) ); 2854 TEST_EQUAL( psa_hash_verify( &operation, output, output_length + 1 ), 2855 PSA_ERROR_INVALID_SIGNATURE ); 2856 2857 /* Compare with truncated hash, one-shot */ 2858 TEST_EQUAL( psa_hash_compare( alg, input->x, input->len, 2859 output, output_length - 1 ), 2860 PSA_ERROR_INVALID_SIGNATURE ); 2861 2862 /* Compare with truncated hash, multi-part */ 2863 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2864 PSA_ASSERT( psa_hash_update( &operation, input->x, input->len ) ); 2865 TEST_EQUAL( psa_hash_verify( &operation, output, output_length - 1 ), 2866 PSA_ERROR_INVALID_SIGNATURE ); 2867 2868 /* Compare with corrupted value */ 2869 for( i = 0; i < output_length; i++ ) 2870 { 2871 mbedtls_test_set_step( i ); 2872 output[i] ^= 1; 2873 2874 /* One-shot */ 2875 TEST_EQUAL( psa_hash_compare( alg, input->x, input->len, 2876 output, output_length ), 2877 PSA_ERROR_INVALID_SIGNATURE ); 2878 2879 /* Multi-Part */ 2880 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2881 PSA_ASSERT( psa_hash_update( &operation, input->x, input->len ) ); 2882 TEST_EQUAL( psa_hash_verify( &operation, output, output_length ), 2883 PSA_ERROR_INVALID_SIGNATURE ); 2884 2885 output[i] ^= 1; 2886 } 2887 2888exit: 2889 PSA_ASSERT( psa_hash_abort( &operation ) ); 2890 PSA_DONE( ); 2891} 2892/* END_CASE */ 2893 2894/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 2895void hash_bad_order( ) 2896{ 2897 psa_algorithm_t alg = PSA_ALG_SHA_256; 2898 unsigned char input[] = ""; 2899 /* SHA-256 hash of an empty string */ 2900 const unsigned char valid_hash[] = { 2901 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 2902 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 2903 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 }; 2904 unsigned char hash[sizeof(valid_hash)] = { 0 }; 2905 size_t hash_len; 2906 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 2907 2908 PSA_ASSERT( psa_crypto_init( ) ); 2909 2910 /* Call setup twice in a row. */ 2911 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2912 ASSERT_OPERATION_IS_ACTIVE( operation ); 2913 TEST_EQUAL( psa_hash_setup( &operation, alg ), 2914 PSA_ERROR_BAD_STATE ); 2915 ASSERT_OPERATION_IS_INACTIVE( operation ); 2916 PSA_ASSERT( psa_hash_abort( &operation ) ); 2917 ASSERT_OPERATION_IS_INACTIVE( operation ); 2918 2919 /* Call update without calling setup beforehand. */ 2920 TEST_EQUAL( psa_hash_update( &operation, input, sizeof( input ) ), 2921 PSA_ERROR_BAD_STATE ); 2922 PSA_ASSERT( psa_hash_abort( &operation ) ); 2923 2924 /* Check that update calls abort on error. */ 2925 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2926 operation.id = UINT_MAX; 2927 ASSERT_OPERATION_IS_ACTIVE( operation ); 2928 TEST_EQUAL( psa_hash_update( &operation, input, sizeof( input ) ), 2929 PSA_ERROR_BAD_STATE ); 2930 ASSERT_OPERATION_IS_INACTIVE( operation ); 2931 PSA_ASSERT( psa_hash_abort( &operation ) ); 2932 ASSERT_OPERATION_IS_INACTIVE( operation ); 2933 2934 /* Call update after finish. */ 2935 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2936 PSA_ASSERT( psa_hash_finish( &operation, 2937 hash, sizeof( hash ), &hash_len ) ); 2938 TEST_EQUAL( psa_hash_update( &operation, input, sizeof( input ) ), 2939 PSA_ERROR_BAD_STATE ); 2940 PSA_ASSERT( psa_hash_abort( &operation ) ); 2941 2942 /* Call verify without calling setup beforehand. */ 2943 TEST_EQUAL( psa_hash_verify( &operation, 2944 valid_hash, sizeof( valid_hash ) ), 2945 PSA_ERROR_BAD_STATE ); 2946 PSA_ASSERT( psa_hash_abort( &operation ) ); 2947 2948 /* Call verify after finish. */ 2949 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2950 PSA_ASSERT( psa_hash_finish( &operation, 2951 hash, sizeof( hash ), &hash_len ) ); 2952 TEST_EQUAL( psa_hash_verify( &operation, 2953 valid_hash, sizeof( valid_hash ) ), 2954 PSA_ERROR_BAD_STATE ); 2955 PSA_ASSERT( psa_hash_abort( &operation ) ); 2956 2957 /* Call verify twice in a row. */ 2958 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2959 ASSERT_OPERATION_IS_ACTIVE( operation ); 2960 PSA_ASSERT( psa_hash_verify( &operation, 2961 valid_hash, sizeof( valid_hash ) ) ); 2962 ASSERT_OPERATION_IS_INACTIVE( operation ); 2963 TEST_EQUAL( psa_hash_verify( &operation, 2964 valid_hash, sizeof( valid_hash ) ), 2965 PSA_ERROR_BAD_STATE ); 2966 ASSERT_OPERATION_IS_INACTIVE( operation ); 2967 PSA_ASSERT( psa_hash_abort( &operation ) ); 2968 2969 /* Call finish without calling setup beforehand. */ 2970 TEST_EQUAL( psa_hash_finish( &operation, 2971 hash, sizeof( hash ), &hash_len ), 2972 PSA_ERROR_BAD_STATE ); 2973 PSA_ASSERT( psa_hash_abort( &operation ) ); 2974 2975 /* Call finish twice in a row. */ 2976 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2977 PSA_ASSERT( psa_hash_finish( &operation, 2978 hash, sizeof( hash ), &hash_len ) ); 2979 TEST_EQUAL( psa_hash_finish( &operation, 2980 hash, sizeof( hash ), &hash_len ), 2981 PSA_ERROR_BAD_STATE ); 2982 PSA_ASSERT( psa_hash_abort( &operation ) ); 2983 2984 /* Call finish after calling verify. */ 2985 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 2986 PSA_ASSERT( psa_hash_verify( &operation, 2987 valid_hash, sizeof( valid_hash ) ) ); 2988 TEST_EQUAL( psa_hash_finish( &operation, 2989 hash, sizeof( hash ), &hash_len ), 2990 PSA_ERROR_BAD_STATE ); 2991 PSA_ASSERT( psa_hash_abort( &operation ) ); 2992 2993exit: 2994 PSA_DONE( ); 2995} 2996/* END_CASE */ 2997 2998/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 2999void hash_verify_bad_args( ) 3000{ 3001 psa_algorithm_t alg = PSA_ALG_SHA_256; 3002 /* SHA-256 hash of an empty string with 2 extra bytes (0xaa and 0xbb) 3003 * appended to it */ 3004 unsigned char hash[] = { 3005 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 3006 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 3007 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55, 0xaa, 0xbb }; 3008 size_t expected_size = PSA_HASH_LENGTH( alg ); 3009 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 3010 3011 PSA_ASSERT( psa_crypto_init( ) ); 3012 3013 /* psa_hash_verify with a smaller hash than expected */ 3014 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 3015 ASSERT_OPERATION_IS_ACTIVE( operation ); 3016 TEST_EQUAL( psa_hash_verify( &operation, hash, expected_size - 1 ), 3017 PSA_ERROR_INVALID_SIGNATURE ); 3018 ASSERT_OPERATION_IS_INACTIVE( operation ); 3019 PSA_ASSERT( psa_hash_abort( &operation ) ); 3020 ASSERT_OPERATION_IS_INACTIVE( operation ); 3021 3022 /* psa_hash_verify with a non-matching hash */ 3023 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 3024 TEST_EQUAL( psa_hash_verify( &operation, hash + 1, expected_size ), 3025 PSA_ERROR_INVALID_SIGNATURE ); 3026 3027 /* psa_hash_verify with a hash longer than expected */ 3028 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 3029 TEST_EQUAL( psa_hash_verify( &operation, hash, sizeof( hash ) ), 3030 PSA_ERROR_INVALID_SIGNATURE ); 3031 3032exit: 3033 PSA_DONE( ); 3034} 3035/* END_CASE */ 3036 3037/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 3038void hash_finish_bad_args( ) 3039{ 3040 psa_algorithm_t alg = PSA_ALG_SHA_256; 3041 unsigned char hash[PSA_HASH_MAX_SIZE]; 3042 size_t expected_size = PSA_HASH_LENGTH( alg ); 3043 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 3044 size_t hash_len; 3045 3046 PSA_ASSERT( psa_crypto_init( ) ); 3047 3048 /* psa_hash_finish with a smaller hash buffer than expected */ 3049 PSA_ASSERT( psa_hash_setup( &operation, alg ) ); 3050 TEST_EQUAL( psa_hash_finish( &operation, 3051 hash, expected_size - 1, &hash_len ), 3052 PSA_ERROR_BUFFER_TOO_SMALL ); 3053 3054exit: 3055 PSA_DONE( ); 3056} 3057/* END_CASE */ 3058 3059/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 3060void hash_clone_source_state( ) 3061{ 3062 psa_algorithm_t alg = PSA_ALG_SHA_256; 3063 unsigned char hash[PSA_HASH_MAX_SIZE]; 3064 psa_hash_operation_t op_source = PSA_HASH_OPERATION_INIT; 3065 psa_hash_operation_t op_init = PSA_HASH_OPERATION_INIT; 3066 psa_hash_operation_t op_setup = PSA_HASH_OPERATION_INIT; 3067 psa_hash_operation_t op_finished = PSA_HASH_OPERATION_INIT; 3068 psa_hash_operation_t op_aborted = PSA_HASH_OPERATION_INIT; 3069 size_t hash_len; 3070 3071 PSA_ASSERT( psa_crypto_init( ) ); 3072 PSA_ASSERT( psa_hash_setup( &op_source, alg ) ); 3073 3074 PSA_ASSERT( psa_hash_setup( &op_setup, alg ) ); 3075 PSA_ASSERT( psa_hash_setup( &op_finished, alg ) ); 3076 PSA_ASSERT( psa_hash_finish( &op_finished, 3077 hash, sizeof( hash ), &hash_len ) ); 3078 PSA_ASSERT( psa_hash_setup( &op_aborted, alg ) ); 3079 PSA_ASSERT( psa_hash_abort( &op_aborted ) ); 3080 3081 TEST_EQUAL( psa_hash_clone( &op_source, &op_setup ), 3082 PSA_ERROR_BAD_STATE ); 3083 3084 PSA_ASSERT( psa_hash_clone( &op_source, &op_init ) ); 3085 PSA_ASSERT( psa_hash_finish( &op_init, 3086 hash, sizeof( hash ), &hash_len ) ); 3087 PSA_ASSERT( psa_hash_clone( &op_source, &op_finished ) ); 3088 PSA_ASSERT( psa_hash_finish( &op_finished, 3089 hash, sizeof( hash ), &hash_len ) ); 3090 PSA_ASSERT( psa_hash_clone( &op_source, &op_aborted ) ); 3091 PSA_ASSERT( psa_hash_finish( &op_aborted, 3092 hash, sizeof( hash ), &hash_len ) ); 3093 3094exit: 3095 psa_hash_abort( &op_source ); 3096 psa_hash_abort( &op_init ); 3097 psa_hash_abort( &op_setup ); 3098 psa_hash_abort( &op_finished ); 3099 psa_hash_abort( &op_aborted ); 3100 PSA_DONE( ); 3101} 3102/* END_CASE */ 3103 3104/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256 */ 3105void hash_clone_target_state( ) 3106{ 3107 psa_algorithm_t alg = PSA_ALG_SHA_256; 3108 unsigned char hash[PSA_HASH_MAX_SIZE]; 3109 psa_hash_operation_t op_init = PSA_HASH_OPERATION_INIT; 3110 psa_hash_operation_t op_setup = PSA_HASH_OPERATION_INIT; 3111 psa_hash_operation_t op_finished = PSA_HASH_OPERATION_INIT; 3112 psa_hash_operation_t op_aborted = PSA_HASH_OPERATION_INIT; 3113 psa_hash_operation_t op_target = PSA_HASH_OPERATION_INIT; 3114 size_t hash_len; 3115 3116 PSA_ASSERT( psa_crypto_init( ) ); 3117 3118 PSA_ASSERT( psa_hash_setup( &op_setup, alg ) ); 3119 PSA_ASSERT( psa_hash_setup( &op_finished, alg ) ); 3120 PSA_ASSERT( psa_hash_finish( &op_finished, 3121 hash, sizeof( hash ), &hash_len ) ); 3122 PSA_ASSERT( psa_hash_setup( &op_aborted, alg ) ); 3123 PSA_ASSERT( psa_hash_abort( &op_aborted ) ); 3124 3125 PSA_ASSERT( psa_hash_clone( &op_setup, &op_target ) ); 3126 PSA_ASSERT( psa_hash_finish( &op_target, 3127 hash, sizeof( hash ), &hash_len ) ); 3128 3129 TEST_EQUAL( psa_hash_clone( &op_init, &op_target ), PSA_ERROR_BAD_STATE ); 3130 TEST_EQUAL( psa_hash_clone( &op_finished, &op_target ), 3131 PSA_ERROR_BAD_STATE ); 3132 TEST_EQUAL( psa_hash_clone( &op_aborted, &op_target ), 3133 PSA_ERROR_BAD_STATE ); 3134 3135exit: 3136 psa_hash_abort( &op_target ); 3137 psa_hash_abort( &op_init ); 3138 psa_hash_abort( &op_setup ); 3139 psa_hash_abort( &op_finished ); 3140 psa_hash_abort( &op_aborted ); 3141 PSA_DONE( ); 3142} 3143/* END_CASE */ 3144 3145/* BEGIN_CASE */ 3146void mac_operation_init( ) 3147{ 3148 const uint8_t input[1] = { 0 }; 3149 3150 /* Test each valid way of initializing the object, except for `= {0}`, as 3151 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 3152 * though it's OK by the C standard. We could test for this, but we'd need 3153 * to suppress the Clang warning for the test. */ 3154 psa_mac_operation_t func = psa_mac_operation_init( ); 3155 psa_mac_operation_t init = PSA_MAC_OPERATION_INIT; 3156 psa_mac_operation_t zero; 3157 3158 memset( &zero, 0, sizeof( zero ) ); 3159 3160 /* A freshly-initialized MAC operation should not be usable. */ 3161 TEST_EQUAL( psa_mac_update( &func, 3162 input, sizeof( input ) ), 3163 PSA_ERROR_BAD_STATE ); 3164 TEST_EQUAL( psa_mac_update( &init, 3165 input, sizeof( input ) ), 3166 PSA_ERROR_BAD_STATE ); 3167 TEST_EQUAL( psa_mac_update( &zero, 3168 input, sizeof( input ) ), 3169 PSA_ERROR_BAD_STATE ); 3170 3171 /* A default MAC operation should be abortable without error. */ 3172 PSA_ASSERT( psa_mac_abort( &func ) ); 3173 PSA_ASSERT( psa_mac_abort( &init ) ); 3174 PSA_ASSERT( psa_mac_abort( &zero ) ); 3175} 3176/* END_CASE */ 3177 3178/* BEGIN_CASE */ 3179void mac_setup( int key_type_arg, 3180 data_t *key, 3181 int alg_arg, 3182 int expected_status_arg ) 3183{ 3184 psa_key_type_t key_type = key_type_arg; 3185 psa_algorithm_t alg = alg_arg; 3186 psa_status_t expected_status = expected_status_arg; 3187 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 3188 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 3189#if defined(KNOWN_SUPPORTED_MAC_ALG) 3190 const uint8_t smoke_test_key_data[16] = "kkkkkkkkkkkkkkkk"; 3191#endif 3192 3193 PSA_ASSERT( psa_crypto_init( ) ); 3194 3195 if( ! exercise_mac_setup( key_type, key->x, key->len, alg, 3196 &operation, &status ) ) 3197 goto exit; 3198 TEST_EQUAL( status, expected_status ); 3199 3200 /* The operation object should be reusable. */ 3201#if defined(KNOWN_SUPPORTED_MAC_ALG) 3202 if( ! exercise_mac_setup( KNOWN_SUPPORTED_MAC_KEY_TYPE, 3203 smoke_test_key_data, 3204 sizeof( smoke_test_key_data ), 3205 KNOWN_SUPPORTED_MAC_ALG, 3206 &operation, &status ) ) 3207 goto exit; 3208 TEST_EQUAL( status, PSA_SUCCESS ); 3209#endif 3210 3211exit: 3212 PSA_DONE( ); 3213} 3214/* END_CASE */ 3215 3216/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_HMAC:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256 */ 3217void mac_bad_order( ) 3218{ 3219 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3220 psa_key_type_t key_type = PSA_KEY_TYPE_HMAC; 3221 psa_algorithm_t alg = PSA_ALG_HMAC(PSA_ALG_SHA_256); 3222 const uint8_t key_data[] = { 3223 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 3224 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 3225 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa }; 3226 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3227 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 3228 uint8_t sign_mac[PSA_MAC_MAX_SIZE + 10] = { 0 }; 3229 size_t sign_mac_length = 0; 3230 const uint8_t input[] = { 0xbb, 0xbb, 0xbb, 0xbb }; 3231 const uint8_t verify_mac[] = { 3232 0x74, 0x65, 0x93, 0x8c, 0xeb, 0x1d, 0xb3, 0x76, 0x5a, 0x38, 0xe7, 0xdd, 3233 0x85, 0xc5, 0xad, 0x4f, 0x07, 0xe7, 0xd5, 0xb2, 0x64, 0xf0, 0x1a, 0x1a, 3234 0x2c, 0xf9, 0x18, 0xca, 0x59, 0x7e, 0x5d, 0xf6 }; 3235 3236 PSA_ASSERT( psa_crypto_init( ) ); 3237 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH ); 3238 psa_set_key_algorithm( &attributes, alg ); 3239 psa_set_key_type( &attributes, key_type ); 3240 3241 PSA_ASSERT( psa_import_key( &attributes, key_data, sizeof( key_data ), 3242 &key ) ); 3243 3244 /* Call update without calling setup beforehand. */ 3245 TEST_EQUAL( psa_mac_update( &operation, input, sizeof( input ) ), 3246 PSA_ERROR_BAD_STATE ); 3247 PSA_ASSERT( psa_mac_abort( &operation ) ); 3248 3249 /* Call sign finish without calling setup beforehand. */ 3250 TEST_EQUAL( psa_mac_sign_finish( &operation, sign_mac, sizeof( sign_mac ), 3251 &sign_mac_length), 3252 PSA_ERROR_BAD_STATE ); 3253 PSA_ASSERT( psa_mac_abort( &operation ) ); 3254 3255 /* Call verify finish without calling setup beforehand. */ 3256 TEST_EQUAL( psa_mac_verify_finish( &operation, 3257 verify_mac, sizeof( verify_mac ) ), 3258 PSA_ERROR_BAD_STATE ); 3259 PSA_ASSERT( psa_mac_abort( &operation ) ); 3260 3261 /* Call setup twice in a row. */ 3262 PSA_ASSERT( psa_mac_sign_setup( &operation, key, alg ) ); 3263 ASSERT_OPERATION_IS_ACTIVE( operation ); 3264 TEST_EQUAL( psa_mac_sign_setup( &operation, key, alg ), 3265 PSA_ERROR_BAD_STATE ); 3266 ASSERT_OPERATION_IS_INACTIVE( operation ); 3267 PSA_ASSERT( psa_mac_abort( &operation ) ); 3268 ASSERT_OPERATION_IS_INACTIVE( operation ); 3269 3270 /* Call update after sign finish. */ 3271 PSA_ASSERT( psa_mac_sign_setup( &operation, key, alg ) ); 3272 PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) ); 3273 PSA_ASSERT( psa_mac_sign_finish( &operation, 3274 sign_mac, sizeof( sign_mac ), 3275 &sign_mac_length ) ); 3276 TEST_EQUAL( psa_mac_update( &operation, input, sizeof( input ) ), 3277 PSA_ERROR_BAD_STATE ); 3278 PSA_ASSERT( psa_mac_abort( &operation ) ); 3279 3280 /* Call update after verify finish. */ 3281 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) ); 3282 PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) ); 3283 PSA_ASSERT( psa_mac_verify_finish( &operation, 3284 verify_mac, sizeof( verify_mac ) ) ); 3285 TEST_EQUAL( psa_mac_update( &operation, input, sizeof( input ) ), 3286 PSA_ERROR_BAD_STATE ); 3287 PSA_ASSERT( psa_mac_abort( &operation ) ); 3288 3289 /* Call sign finish twice in a row. */ 3290 PSA_ASSERT( psa_mac_sign_setup( &operation, key, alg ) ); 3291 PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) ); 3292 PSA_ASSERT( psa_mac_sign_finish( &operation, 3293 sign_mac, sizeof( sign_mac ), 3294 &sign_mac_length ) ); 3295 TEST_EQUAL( psa_mac_sign_finish( &operation, 3296 sign_mac, sizeof( sign_mac ), 3297 &sign_mac_length ), 3298 PSA_ERROR_BAD_STATE ); 3299 PSA_ASSERT( psa_mac_abort( &operation ) ); 3300 3301 /* Call verify finish twice in a row. */ 3302 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) ); 3303 PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) ); 3304 PSA_ASSERT( psa_mac_verify_finish( &operation, 3305 verify_mac, sizeof( verify_mac ) ) ); 3306 TEST_EQUAL( psa_mac_verify_finish( &operation, 3307 verify_mac, sizeof( verify_mac ) ), 3308 PSA_ERROR_BAD_STATE ); 3309 PSA_ASSERT( psa_mac_abort( &operation ) ); 3310 3311 /* Setup sign but try verify. */ 3312 PSA_ASSERT( psa_mac_sign_setup( &operation, key, alg ) ); 3313 PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) ); 3314 ASSERT_OPERATION_IS_ACTIVE( operation ); 3315 TEST_EQUAL( psa_mac_verify_finish( &operation, 3316 verify_mac, sizeof( verify_mac ) ), 3317 PSA_ERROR_BAD_STATE ); 3318 ASSERT_OPERATION_IS_INACTIVE( operation ); 3319 PSA_ASSERT( psa_mac_abort( &operation ) ); 3320 ASSERT_OPERATION_IS_INACTIVE( operation ); 3321 3322 /* Setup verify but try sign. */ 3323 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) ); 3324 PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) ); 3325 ASSERT_OPERATION_IS_ACTIVE( operation ); 3326 TEST_EQUAL( psa_mac_sign_finish( &operation, 3327 sign_mac, sizeof( sign_mac ), 3328 &sign_mac_length ), 3329 PSA_ERROR_BAD_STATE ); 3330 ASSERT_OPERATION_IS_INACTIVE( operation ); 3331 PSA_ASSERT( psa_mac_abort( &operation ) ); 3332 ASSERT_OPERATION_IS_INACTIVE( operation ); 3333 3334 PSA_ASSERT( psa_destroy_key( key ) ); 3335 3336exit: 3337 PSA_DONE( ); 3338} 3339/* END_CASE */ 3340 3341/* BEGIN_CASE */ 3342void mac_sign_verify_multi( int key_type_arg, 3343 data_t *key_data, 3344 int alg_arg, 3345 data_t *input, 3346 int is_verify, 3347 data_t *expected_mac ) 3348{ 3349 size_t data_part_len = 0; 3350 3351 for( data_part_len = 1; data_part_len <= input->len; data_part_len++ ) 3352 { 3353 /* Split data into length(data_part_len) parts. */ 3354 mbedtls_test_set_step( 2000 + data_part_len ); 3355 3356 if( mac_multipart_internal_func( key_type_arg, key_data, 3357 alg_arg, 3358 input, data_part_len, 3359 expected_mac, 3360 is_verify, 0 ) == 0 ) 3361 break; 3362 3363 /* length(0) part, length(data_part_len) part, length(0) part... */ 3364 mbedtls_test_set_step( 3000 + data_part_len ); 3365 3366 if( mac_multipart_internal_func( key_type_arg, key_data, 3367 alg_arg, 3368 input, data_part_len, 3369 expected_mac, 3370 is_verify, 1 ) == 0 ) 3371 break; 3372 } 3373 3374 /* Goto is required to silence warnings about unused labels, as we 3375 * don't actually do any test assertions in this function. */ 3376 goto exit; 3377} 3378/* END_CASE */ 3379 3380/* BEGIN_CASE */ 3381void mac_sign( int key_type_arg, 3382 data_t *key_data, 3383 int alg_arg, 3384 data_t *input, 3385 data_t *expected_mac ) 3386{ 3387 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3388 psa_key_type_t key_type = key_type_arg; 3389 psa_algorithm_t alg = alg_arg; 3390 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 3391 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3392 uint8_t *actual_mac = NULL; 3393 size_t mac_buffer_size = 3394 PSA_MAC_LENGTH( key_type, PSA_BYTES_TO_BITS( key_data->len ), alg ); 3395 size_t mac_length = 0; 3396 const size_t output_sizes_to_test[] = { 3397 0, 3398 1, 3399 expected_mac->len - 1, 3400 expected_mac->len, 3401 expected_mac->len + 1, 3402 }; 3403 3404 TEST_LE_U( mac_buffer_size, PSA_MAC_MAX_SIZE ); 3405 /* We expect PSA_MAC_LENGTH to be exact. */ 3406 TEST_ASSERT( expected_mac->len == mac_buffer_size ); 3407 3408 PSA_ASSERT( psa_crypto_init( ) ); 3409 3410 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH ); 3411 psa_set_key_algorithm( &attributes, alg ); 3412 psa_set_key_type( &attributes, key_type ); 3413 3414 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 3415 &key ) ); 3416 3417 for( size_t i = 0; i < ARRAY_LENGTH( output_sizes_to_test ); i++ ) 3418 { 3419 const size_t output_size = output_sizes_to_test[i]; 3420 psa_status_t expected_status = 3421 ( output_size >= expected_mac->len ? PSA_SUCCESS : 3422 PSA_ERROR_BUFFER_TOO_SMALL ); 3423 3424 mbedtls_test_set_step( output_size ); 3425 ASSERT_ALLOC( actual_mac, output_size ); 3426 3427 /* Calculate the MAC, one-shot case. */ 3428 TEST_EQUAL( psa_mac_compute( key, alg, 3429 input->x, input->len, 3430 actual_mac, output_size, &mac_length ), 3431 expected_status ); 3432 if( expected_status == PSA_SUCCESS ) 3433 { 3434 ASSERT_COMPARE( expected_mac->x, expected_mac->len, 3435 actual_mac, mac_length ); 3436 } 3437 3438 if( output_size > 0 ) 3439 memset( actual_mac, 0, output_size ); 3440 3441 /* Calculate the MAC, multi-part case. */ 3442 PSA_ASSERT( psa_mac_sign_setup( &operation, key, alg ) ); 3443 PSA_ASSERT( psa_mac_update( &operation, 3444 input->x, input->len ) ); 3445 TEST_EQUAL( psa_mac_sign_finish( &operation, 3446 actual_mac, output_size, 3447 &mac_length ), 3448 expected_status ); 3449 PSA_ASSERT( psa_mac_abort( &operation ) ); 3450 3451 if( expected_status == PSA_SUCCESS ) 3452 { 3453 ASSERT_COMPARE( expected_mac->x, expected_mac->len, 3454 actual_mac, mac_length ); 3455 } 3456 mbedtls_free( actual_mac ); 3457 actual_mac = NULL; 3458 } 3459 3460exit: 3461 psa_mac_abort( &operation ); 3462 psa_destroy_key( key ); 3463 PSA_DONE( ); 3464 mbedtls_free( actual_mac ); 3465} 3466/* END_CASE */ 3467 3468/* BEGIN_CASE */ 3469void mac_verify( int key_type_arg, 3470 data_t *key_data, 3471 int alg_arg, 3472 data_t *input, 3473 data_t *expected_mac ) 3474{ 3475 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3476 psa_key_type_t key_type = key_type_arg; 3477 psa_algorithm_t alg = alg_arg; 3478 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; 3479 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3480 uint8_t *perturbed_mac = NULL; 3481 3482 TEST_LE_U( expected_mac->len, PSA_MAC_MAX_SIZE ); 3483 3484 PSA_ASSERT( psa_crypto_init( ) ); 3485 3486 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH ); 3487 psa_set_key_algorithm( &attributes, alg ); 3488 psa_set_key_type( &attributes, key_type ); 3489 3490 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 3491 &key ) ); 3492 3493 /* Verify correct MAC, one-shot case. */ 3494 PSA_ASSERT( psa_mac_verify( key, alg, input->x, input->len, 3495 expected_mac->x, expected_mac->len ) ); 3496 3497 /* Verify correct MAC, multi-part case. */ 3498 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) ); 3499 PSA_ASSERT( psa_mac_update( &operation, 3500 input->x, input->len ) ); 3501 PSA_ASSERT( psa_mac_verify_finish( &operation, 3502 expected_mac->x, 3503 expected_mac->len ) ); 3504 3505 /* Test a MAC that's too short, one-shot case. */ 3506 TEST_EQUAL( psa_mac_verify( key, alg, 3507 input->x, input->len, 3508 expected_mac->x, 3509 expected_mac->len - 1 ), 3510 PSA_ERROR_INVALID_SIGNATURE ); 3511 3512 /* Test a MAC that's too short, multi-part case. */ 3513 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) ); 3514 PSA_ASSERT( psa_mac_update( &operation, 3515 input->x, input->len ) ); 3516 TEST_EQUAL( psa_mac_verify_finish( &operation, 3517 expected_mac->x, 3518 expected_mac->len - 1 ), 3519 PSA_ERROR_INVALID_SIGNATURE ); 3520 3521 /* Test a MAC that's too long, one-shot case. */ 3522 ASSERT_ALLOC( perturbed_mac, expected_mac->len + 1 ); 3523 memcpy( perturbed_mac, expected_mac->x, expected_mac->len ); 3524 TEST_EQUAL( psa_mac_verify( key, alg, 3525 input->x, input->len, 3526 perturbed_mac, expected_mac->len + 1 ), 3527 PSA_ERROR_INVALID_SIGNATURE ); 3528 3529 /* Test a MAC that's too long, multi-part case. */ 3530 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) ); 3531 PSA_ASSERT( psa_mac_update( &operation, 3532 input->x, input->len ) ); 3533 TEST_EQUAL( psa_mac_verify_finish( &operation, 3534 perturbed_mac, 3535 expected_mac->len + 1 ), 3536 PSA_ERROR_INVALID_SIGNATURE ); 3537 3538 /* Test changing one byte. */ 3539 for( size_t i = 0; i < expected_mac->len; i++ ) 3540 { 3541 mbedtls_test_set_step( i ); 3542 perturbed_mac[i] ^= 1; 3543 3544 TEST_EQUAL( psa_mac_verify( key, alg, 3545 input->x, input->len, 3546 perturbed_mac, expected_mac->len ), 3547 PSA_ERROR_INVALID_SIGNATURE ); 3548 3549 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) ); 3550 PSA_ASSERT( psa_mac_update( &operation, 3551 input->x, input->len ) ); 3552 TEST_EQUAL( psa_mac_verify_finish( &operation, 3553 perturbed_mac, 3554 expected_mac->len ), 3555 PSA_ERROR_INVALID_SIGNATURE ); 3556 perturbed_mac[i] ^= 1; 3557 } 3558 3559exit: 3560 psa_mac_abort( &operation ); 3561 psa_destroy_key( key ); 3562 PSA_DONE( ); 3563 mbedtls_free( perturbed_mac ); 3564} 3565/* END_CASE */ 3566 3567/* BEGIN_CASE */ 3568void cipher_operation_init( ) 3569{ 3570 const uint8_t input[1] = { 0 }; 3571 unsigned char output[1] = { 0 }; 3572 size_t output_length; 3573 /* Test each valid way of initializing the object, except for `= {0}`, as 3574 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 3575 * though it's OK by the C standard. We could test for this, but we'd need 3576 * to suppress the Clang warning for the test. */ 3577 psa_cipher_operation_t func = psa_cipher_operation_init( ); 3578 psa_cipher_operation_t init = PSA_CIPHER_OPERATION_INIT; 3579 psa_cipher_operation_t zero; 3580 3581 memset( &zero, 0, sizeof( zero ) ); 3582 3583 /* A freshly-initialized cipher operation should not be usable. */ 3584 TEST_EQUAL( psa_cipher_update( &func, 3585 input, sizeof( input ), 3586 output, sizeof( output ), 3587 &output_length ), 3588 PSA_ERROR_BAD_STATE ); 3589 TEST_EQUAL( psa_cipher_update( &init, 3590 input, sizeof( input ), 3591 output, sizeof( output ), 3592 &output_length ), 3593 PSA_ERROR_BAD_STATE ); 3594 TEST_EQUAL( psa_cipher_update( &zero, 3595 input, sizeof( input ), 3596 output, sizeof( output ), 3597 &output_length ), 3598 PSA_ERROR_BAD_STATE ); 3599 3600 /* A default cipher operation should be abortable without error. */ 3601 PSA_ASSERT( psa_cipher_abort( &func ) ); 3602 PSA_ASSERT( psa_cipher_abort( &init ) ); 3603 PSA_ASSERT( psa_cipher_abort( &zero ) ); 3604} 3605/* END_CASE */ 3606 3607/* BEGIN_CASE */ 3608void cipher_setup( int key_type_arg, 3609 data_t *key, 3610 int alg_arg, 3611 int expected_status_arg ) 3612{ 3613 psa_key_type_t key_type = key_type_arg; 3614 psa_algorithm_t alg = alg_arg; 3615 psa_status_t expected_status = expected_status_arg; 3616 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 3617 psa_status_t status; 3618#if defined(KNOWN_SUPPORTED_CIPHER_ALG) 3619 const uint8_t smoke_test_key_data[16] = "kkkkkkkkkkkkkkkk"; 3620#endif 3621 3622 PSA_ASSERT( psa_crypto_init( ) ); 3623 3624 if( ! exercise_cipher_setup( key_type, key->x, key->len, alg, 3625 &operation, &status ) ) 3626 goto exit; 3627 TEST_EQUAL( status, expected_status ); 3628 3629 /* The operation object should be reusable. */ 3630#if defined(KNOWN_SUPPORTED_CIPHER_ALG) 3631 if( ! exercise_cipher_setup( KNOWN_SUPPORTED_CIPHER_KEY_TYPE, 3632 smoke_test_key_data, 3633 sizeof( smoke_test_key_data ), 3634 KNOWN_SUPPORTED_CIPHER_ALG, 3635 &operation, &status ) ) 3636 goto exit; 3637 TEST_EQUAL( status, PSA_SUCCESS ); 3638#endif 3639 3640exit: 3641 psa_cipher_abort( &operation ); 3642 PSA_DONE( ); 3643} 3644/* END_CASE */ 3645 3646/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_PKCS7 */ 3647void cipher_bad_order( ) 3648{ 3649 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3650 psa_key_type_t key_type = PSA_KEY_TYPE_AES; 3651 psa_algorithm_t alg = PSA_ALG_CBC_PKCS7; 3652 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3653 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 3654 unsigned char iv[PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES)] = { 0 }; 3655 const uint8_t key_data[] = { 3656 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 3657 0xaa, 0xaa, 0xaa, 0xaa }; 3658 const uint8_t text[] = { 3659 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 3660 0xbb, 0xbb, 0xbb, 0xbb }; 3661 uint8_t buffer[PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES)] = { 0 }; 3662 size_t length = 0; 3663 3664 PSA_ASSERT( psa_crypto_init( ) ); 3665 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 3666 psa_set_key_algorithm( &attributes, alg ); 3667 psa_set_key_type( &attributes, key_type ); 3668 PSA_ASSERT( psa_import_key( &attributes, key_data, sizeof( key_data ), 3669 &key ) ); 3670 3671 /* Call encrypt setup twice in a row. */ 3672 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 3673 ASSERT_OPERATION_IS_ACTIVE( operation ); 3674 TEST_EQUAL( psa_cipher_encrypt_setup( &operation, key, alg ), 3675 PSA_ERROR_BAD_STATE ); 3676 ASSERT_OPERATION_IS_INACTIVE( operation ); 3677 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3678 ASSERT_OPERATION_IS_INACTIVE( operation ); 3679 3680 /* Call decrypt setup twice in a row. */ 3681 PSA_ASSERT( psa_cipher_decrypt_setup( &operation, key, alg ) ); 3682 ASSERT_OPERATION_IS_ACTIVE( operation ); 3683 TEST_EQUAL( psa_cipher_decrypt_setup( &operation, key, alg ), 3684 PSA_ERROR_BAD_STATE ); 3685 ASSERT_OPERATION_IS_INACTIVE( operation ); 3686 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3687 ASSERT_OPERATION_IS_INACTIVE( operation ); 3688 3689 /* Generate an IV without calling setup beforehand. */ 3690 TEST_EQUAL( psa_cipher_generate_iv( &operation, 3691 buffer, sizeof( buffer ), 3692 &length ), 3693 PSA_ERROR_BAD_STATE ); 3694 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3695 3696 /* Generate an IV twice in a row. */ 3697 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 3698 PSA_ASSERT( psa_cipher_generate_iv( &operation, 3699 buffer, sizeof( buffer ), 3700 &length ) ); 3701 ASSERT_OPERATION_IS_ACTIVE( operation ); 3702 TEST_EQUAL( psa_cipher_generate_iv( &operation, 3703 buffer, sizeof( buffer ), 3704 &length ), 3705 PSA_ERROR_BAD_STATE ); 3706 ASSERT_OPERATION_IS_INACTIVE( operation ); 3707 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3708 ASSERT_OPERATION_IS_INACTIVE( operation ); 3709 3710 /* Generate an IV after it's already set. */ 3711 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 3712 PSA_ASSERT( psa_cipher_set_iv( &operation, 3713 iv, sizeof( iv ) ) ); 3714 TEST_EQUAL( psa_cipher_generate_iv( &operation, 3715 buffer, sizeof( buffer ), 3716 &length ), 3717 PSA_ERROR_BAD_STATE ); 3718 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3719 3720 /* Set an IV without calling setup beforehand. */ 3721 TEST_EQUAL( psa_cipher_set_iv( &operation, 3722 iv, sizeof( iv ) ), 3723 PSA_ERROR_BAD_STATE ); 3724 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3725 3726 /* Set an IV after it's already set. */ 3727 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 3728 PSA_ASSERT( psa_cipher_set_iv( &operation, 3729 iv, sizeof( iv ) ) ); 3730 ASSERT_OPERATION_IS_ACTIVE( operation ); 3731 TEST_EQUAL( psa_cipher_set_iv( &operation, 3732 iv, sizeof( iv ) ), 3733 PSA_ERROR_BAD_STATE ); 3734 ASSERT_OPERATION_IS_INACTIVE( operation ); 3735 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3736 ASSERT_OPERATION_IS_INACTIVE( operation ); 3737 3738 /* Set an IV after it's already generated. */ 3739 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 3740 PSA_ASSERT( psa_cipher_generate_iv( &operation, 3741 buffer, sizeof( buffer ), 3742 &length ) ); 3743 TEST_EQUAL( psa_cipher_set_iv( &operation, 3744 iv, sizeof( iv ) ), 3745 PSA_ERROR_BAD_STATE ); 3746 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3747 3748 /* Call update without calling setup beforehand. */ 3749 TEST_EQUAL( psa_cipher_update( &operation, 3750 text, sizeof( text ), 3751 buffer, sizeof( buffer ), 3752 &length ), 3753 PSA_ERROR_BAD_STATE ); 3754 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3755 3756 /* Call update without an IV where an IV is required. */ 3757 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 3758 ASSERT_OPERATION_IS_ACTIVE( operation ); 3759 TEST_EQUAL( psa_cipher_update( &operation, 3760 text, sizeof( text ), 3761 buffer, sizeof( buffer ), 3762 &length ), 3763 PSA_ERROR_BAD_STATE ); 3764 ASSERT_OPERATION_IS_INACTIVE( operation ); 3765 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3766 ASSERT_OPERATION_IS_INACTIVE( operation ); 3767 3768 /* Call update after finish. */ 3769 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 3770 PSA_ASSERT( psa_cipher_set_iv( &operation, 3771 iv, sizeof( iv ) ) ); 3772 PSA_ASSERT( psa_cipher_finish( &operation, 3773 buffer, sizeof( buffer ), &length ) ); 3774 TEST_EQUAL( psa_cipher_update( &operation, 3775 text, sizeof( text ), 3776 buffer, sizeof( buffer ), 3777 &length ), 3778 PSA_ERROR_BAD_STATE ); 3779 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3780 3781 /* Call finish without calling setup beforehand. */ 3782 TEST_EQUAL( psa_cipher_finish( &operation, 3783 buffer, sizeof( buffer ), &length ), 3784 PSA_ERROR_BAD_STATE ); 3785 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3786 3787 /* Call finish without an IV where an IV is required. */ 3788 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 3789 /* Not calling update means we are encrypting an empty buffer, which is OK 3790 * for cipher modes with padding. */ 3791 ASSERT_OPERATION_IS_ACTIVE( operation ); 3792 TEST_EQUAL( psa_cipher_finish( &operation, 3793 buffer, sizeof( buffer ), &length ), 3794 PSA_ERROR_BAD_STATE ); 3795 ASSERT_OPERATION_IS_INACTIVE( operation ); 3796 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3797 ASSERT_OPERATION_IS_INACTIVE( operation ); 3798 3799 /* Call finish twice in a row. */ 3800 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 3801 PSA_ASSERT( psa_cipher_set_iv( &operation, 3802 iv, sizeof( iv ) ) ); 3803 PSA_ASSERT( psa_cipher_finish( &operation, 3804 buffer, sizeof( buffer ), &length ) ); 3805 TEST_EQUAL( psa_cipher_finish( &operation, 3806 buffer, sizeof( buffer ), &length ), 3807 PSA_ERROR_BAD_STATE ); 3808 PSA_ASSERT( psa_cipher_abort( &operation ) ); 3809 3810 PSA_ASSERT( psa_destroy_key( key ) ); 3811 3812exit: 3813 psa_cipher_abort( &operation ); 3814 PSA_DONE( ); 3815} 3816/* END_CASE */ 3817 3818/* BEGIN_CASE */ 3819void cipher_encrypt_fail( int alg_arg, 3820 int key_type_arg, 3821 data_t *key_data, 3822 data_t *input, 3823 int expected_status_arg ) 3824{ 3825 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3826 psa_status_t status; 3827 psa_key_type_t key_type = key_type_arg; 3828 psa_algorithm_t alg = alg_arg; 3829 psa_status_t expected_status = expected_status_arg; 3830 unsigned char iv[PSA_CIPHER_IV_MAX_SIZE] = {0}; 3831 size_t iv_size = PSA_CIPHER_IV_MAX_SIZE; 3832 size_t iv_length = 0; 3833 unsigned char *output = NULL; 3834 size_t output_buffer_size = 0; 3835 size_t output_length = 0; 3836 size_t function_output_length; 3837 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 3838 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3839 3840 if ( PSA_ERROR_BAD_STATE != expected_status ) 3841 { 3842 PSA_ASSERT( psa_crypto_init( ) ); 3843 3844 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 3845 psa_set_key_algorithm( &attributes, alg ); 3846 psa_set_key_type( &attributes, key_type ); 3847 3848 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, 3849 input->len ); 3850 ASSERT_ALLOC( output, output_buffer_size ); 3851 3852 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 3853 &key ) ); 3854 } 3855 3856 /* Encrypt, one-shot */ 3857 status = psa_cipher_encrypt( key, alg, input->x, input->len, output, 3858 output_buffer_size, &output_length ); 3859 3860 TEST_EQUAL( status, expected_status ); 3861 3862 /* Encrypt, multi-part */ 3863 status = psa_cipher_encrypt_setup( &operation, key, alg ); 3864 if( status == PSA_SUCCESS ) 3865 { 3866 if( alg != PSA_ALG_ECB_NO_PADDING ) 3867 { 3868 PSA_ASSERT( psa_cipher_generate_iv( &operation, 3869 iv, iv_size, 3870 &iv_length ) ); 3871 } 3872 3873 status = psa_cipher_update( &operation, input->x, input->len, 3874 output, output_buffer_size, 3875 &function_output_length ); 3876 if( status == PSA_SUCCESS ) 3877 { 3878 output_length += function_output_length; 3879 3880 status = psa_cipher_finish( &operation, output + output_length, 3881 output_buffer_size - output_length, 3882 &function_output_length ); 3883 3884 TEST_EQUAL( status, expected_status ); 3885 } 3886 else 3887 { 3888 TEST_EQUAL( status, expected_status ); 3889 } 3890 } 3891 else 3892 { 3893 TEST_EQUAL( status, expected_status ); 3894 } 3895 3896exit: 3897 psa_cipher_abort( &operation ); 3898 mbedtls_free( output ); 3899 psa_destroy_key( key ); 3900 PSA_DONE( ); 3901} 3902/* END_CASE */ 3903 3904/* BEGIN_CASE */ 3905void cipher_encrypt_validate_iv_length( int alg, int key_type, data_t* key_data, 3906 data_t *input, int iv_length, 3907 int expected_result ) 3908{ 3909 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3910 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 3911 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3912 size_t output_buffer_size = 0; 3913 unsigned char *output = NULL; 3914 3915 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ); 3916 ASSERT_ALLOC( output, output_buffer_size ); 3917 3918 PSA_ASSERT( psa_crypto_init( ) ); 3919 3920 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 3921 psa_set_key_algorithm( &attributes, alg ); 3922 psa_set_key_type( &attributes, key_type ); 3923 3924 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 3925 &key ) ); 3926 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 3927 TEST_EQUAL( expected_result, psa_cipher_set_iv( &operation, output, 3928 iv_length ) ); 3929 3930exit: 3931 psa_cipher_abort( &operation ); 3932 mbedtls_free( output ); 3933 psa_destroy_key( key ); 3934 PSA_DONE( ); 3935} 3936/* END_CASE */ 3937 3938/* BEGIN_CASE */ 3939void cipher_alg_without_iv( int alg_arg, int key_type_arg, data_t *key_data, 3940 data_t *plaintext, data_t *ciphertext ) 3941{ 3942 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 3943 psa_key_type_t key_type = key_type_arg; 3944 psa_algorithm_t alg = alg_arg; 3945 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 3946 uint8_t iv[1] = { 0x5a }; 3947 unsigned char *output = NULL; 3948 size_t output_buffer_size = 0; 3949 size_t output_length, length; 3950 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3951 3952 PSA_ASSERT( psa_crypto_init( ) ); 3953 3954 /* Validate size macros */ 3955 TEST_LE_U( ciphertext->len, 3956 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, plaintext->len ) ); 3957 TEST_LE_U( PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, plaintext->len ), 3958 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE( plaintext->len ) ); 3959 TEST_LE_U( plaintext->len, 3960 PSA_CIPHER_DECRYPT_OUTPUT_SIZE( key_type, alg, ciphertext->len ) ); 3961 TEST_LE_U( PSA_CIPHER_DECRYPT_OUTPUT_SIZE( key_type, alg, ciphertext->len ), 3962 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE( ciphertext->len ) ); 3963 3964 3965 /* Set up key and output buffer */ 3966 psa_set_key_usage_flags( &attributes, 3967 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 3968 psa_set_key_algorithm( &attributes, alg ); 3969 psa_set_key_type( &attributes, key_type ); 3970 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 3971 &key ) ); 3972 output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, 3973 plaintext->len ); 3974 ASSERT_ALLOC( output, output_buffer_size ); 3975 3976 /* set_iv() is not allowed */ 3977 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 3978 TEST_EQUAL( psa_cipher_set_iv( &operation, iv, sizeof( iv ) ), 3979 PSA_ERROR_BAD_STATE ); 3980 PSA_ASSERT( psa_cipher_decrypt_setup( &operation, key, alg ) ); 3981 TEST_EQUAL( psa_cipher_set_iv( &operation, iv, sizeof( iv ) ), 3982 PSA_ERROR_BAD_STATE ); 3983 3984 /* generate_iv() is not allowed */ 3985 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 3986 TEST_EQUAL( psa_cipher_generate_iv( &operation, iv, sizeof( iv ), 3987 &length ), 3988 PSA_ERROR_BAD_STATE ); 3989 PSA_ASSERT( psa_cipher_decrypt_setup( &operation, key, alg ) ); 3990 TEST_EQUAL( psa_cipher_generate_iv( &operation, iv, sizeof( iv ), 3991 &length ), 3992 PSA_ERROR_BAD_STATE ); 3993 3994 /* Multipart encryption */ 3995 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 3996 output_length = 0; 3997 length = ~0; 3998 PSA_ASSERT( psa_cipher_update( &operation, 3999 plaintext->x, plaintext->len, 4000 output, output_buffer_size, 4001 &length ) ); 4002 TEST_LE_U( length, output_buffer_size ); 4003 output_length += length; 4004 PSA_ASSERT( psa_cipher_finish( &operation, 4005 mbedtls_buffer_offset( output, output_length ), 4006 output_buffer_size - output_length, 4007 &length ) ); 4008 output_length += length; 4009 ASSERT_COMPARE( ciphertext->x, ciphertext->len, 4010 output, output_length ); 4011 4012 /* Multipart encryption */ 4013 PSA_ASSERT( psa_cipher_decrypt_setup( &operation, key, alg ) ); 4014 output_length = 0; 4015 length = ~0; 4016 PSA_ASSERT( psa_cipher_update( &operation, 4017 ciphertext->x, ciphertext->len, 4018 output, output_buffer_size, 4019 &length ) ); 4020 TEST_LE_U( length, output_buffer_size ); 4021 output_length += length; 4022 PSA_ASSERT( psa_cipher_finish( &operation, 4023 mbedtls_buffer_offset( output, output_length ), 4024 output_buffer_size - output_length, 4025 &length ) ); 4026 output_length += length; 4027 ASSERT_COMPARE( plaintext->x, plaintext->len, 4028 output, output_length ); 4029 4030 /* One-shot encryption */ 4031 output_length = ~0; 4032 PSA_ASSERT( psa_cipher_encrypt( key, alg, plaintext->x, plaintext->len, 4033 output, output_buffer_size, 4034 &output_length ) ); 4035 ASSERT_COMPARE( ciphertext->x, ciphertext->len, 4036 output, output_length ); 4037 4038 /* One-shot decryption */ 4039 output_length = ~0; 4040 PSA_ASSERT( psa_cipher_decrypt( key, alg, ciphertext->x, ciphertext->len, 4041 output, output_buffer_size, 4042 &output_length ) ); 4043 ASSERT_COMPARE( plaintext->x, plaintext->len, 4044 output, output_length ); 4045 4046exit: 4047 PSA_ASSERT( psa_cipher_abort( &operation ) ); 4048 mbedtls_free( output ); 4049 psa_cipher_abort( &operation ); 4050 psa_destroy_key( key ); 4051 PSA_DONE( ); 4052} 4053/* END_CASE */ 4054 4055/* BEGIN_CASE */ 4056void cipher_bad_key( int alg_arg, int key_type_arg, data_t *key_data ) 4057{ 4058 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4059 psa_algorithm_t alg = alg_arg; 4060 psa_key_type_t key_type = key_type_arg; 4061 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4062 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 4063 psa_status_t status; 4064 4065 PSA_ASSERT( psa_crypto_init( ) ); 4066 4067 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 4068 psa_set_key_algorithm( &attributes, alg ); 4069 psa_set_key_type( &attributes, key_type ); 4070 4071 /* Usage of either of these two size macros would cause divide by zero 4072 * with incorrect key types previously. Input length should be irrelevant 4073 * here. */ 4074 TEST_EQUAL( PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, 16 ), 4075 0 ); 4076 TEST_EQUAL( PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, 16 ), 0 ); 4077 4078 4079 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4080 &key ) ); 4081 4082 /* Should fail due to invalid alg type (to support invalid key type). 4083 * Encrypt or decrypt will end up in the same place. */ 4084 status = psa_cipher_encrypt_setup( &operation, key, alg ); 4085 4086 TEST_EQUAL( status, PSA_ERROR_INVALID_ARGUMENT ); 4087 4088exit: 4089 psa_cipher_abort( &operation ); 4090 psa_destroy_key( key ); 4091 PSA_DONE( ); 4092} 4093/* END_CASE */ 4094 4095/* BEGIN_CASE */ 4096void cipher_encrypt_validation( int alg_arg, 4097 int key_type_arg, 4098 data_t *key_data, 4099 data_t *input ) 4100{ 4101 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4102 psa_key_type_t key_type = key_type_arg; 4103 psa_algorithm_t alg = alg_arg; 4104 size_t iv_size = PSA_CIPHER_IV_LENGTH ( key_type, alg ); 4105 unsigned char *output1 = NULL; 4106 size_t output1_buffer_size = 0; 4107 size_t output1_length = 0; 4108 unsigned char *output2 = NULL; 4109 size_t output2_buffer_size = 0; 4110 size_t output2_length = 0; 4111 size_t function_output_length = 0; 4112 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 4113 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4114 4115 PSA_ASSERT( psa_crypto_init( ) ); 4116 4117 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 4118 psa_set_key_algorithm( &attributes, alg ); 4119 psa_set_key_type( &attributes, key_type ); 4120 4121 output1_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ); 4122 output2_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, input->len ) + 4123 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ); 4124 ASSERT_ALLOC( output1, output1_buffer_size ); 4125 ASSERT_ALLOC( output2, output2_buffer_size ); 4126 4127 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4128 &key ) ); 4129 4130 /* The one-shot cipher encryption uses generated iv so validating 4131 the output is not possible. Validating with multipart encryption. */ 4132 PSA_ASSERT( psa_cipher_encrypt( key, alg, input->x, input->len, output1, 4133 output1_buffer_size, &output1_length ) ); 4134 TEST_LE_U( output1_length, 4135 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ) ); 4136 TEST_LE_U( output1_length, 4137 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE( input->len ) ); 4138 4139 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 4140 PSA_ASSERT( psa_cipher_set_iv( &operation, output1, iv_size ) ); 4141 4142 PSA_ASSERT( psa_cipher_update( &operation, 4143 input->x, input->len, 4144 output2, output2_buffer_size, 4145 &function_output_length ) ); 4146 TEST_LE_U( function_output_length, 4147 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, input->len ) ); 4148 TEST_LE_U( function_output_length, 4149 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( input->len ) ); 4150 output2_length += function_output_length; 4151 4152 PSA_ASSERT( psa_cipher_finish( &operation, 4153 output2 + output2_length, 4154 output2_buffer_size - output2_length, 4155 &function_output_length ) ); 4156 TEST_LE_U( function_output_length, 4157 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ) ); 4158 TEST_LE_U( function_output_length, 4159 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE ); 4160 output2_length += function_output_length; 4161 4162 PSA_ASSERT( psa_cipher_abort( &operation ) ); 4163 ASSERT_COMPARE( output1 + iv_size, output1_length - iv_size, 4164 output2, output2_length ); 4165 4166exit: 4167 psa_cipher_abort( &operation ); 4168 mbedtls_free( output1 ); 4169 mbedtls_free( output2 ); 4170 psa_destroy_key( key ); 4171 PSA_DONE( ); 4172} 4173/* END_CASE */ 4174 4175/* BEGIN_CASE */ 4176void cipher_encrypt_multipart( int alg_arg, int key_type_arg, 4177 data_t *key_data, data_t *iv, 4178 data_t *input, 4179 int first_part_size_arg, 4180 int output1_length_arg, int output2_length_arg, 4181 data_t *expected_output, 4182 int expected_status_arg ) 4183{ 4184 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4185 psa_key_type_t key_type = key_type_arg; 4186 psa_algorithm_t alg = alg_arg; 4187 psa_status_t status; 4188 psa_status_t expected_status = expected_status_arg; 4189 size_t first_part_size = first_part_size_arg; 4190 size_t output1_length = output1_length_arg; 4191 size_t output2_length = output2_length_arg; 4192 unsigned char *output = NULL; 4193 size_t output_buffer_size = 0; 4194 size_t function_output_length = 0; 4195 size_t total_output_length = 0; 4196 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 4197 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4198 4199 PSA_ASSERT( psa_crypto_init( ) ); 4200 4201 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 4202 psa_set_key_algorithm( &attributes, alg ); 4203 psa_set_key_type( &attributes, key_type ); 4204 4205 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4206 &key ) ); 4207 4208 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); 4209 4210 if( iv->len > 0 ) 4211 { 4212 PSA_ASSERT( psa_cipher_set_iv( &operation, iv->x, iv->len ) ); 4213 } 4214 4215 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, input->len ) + 4216 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ); 4217 ASSERT_ALLOC( output, output_buffer_size ); 4218 4219 TEST_LE_U( first_part_size, input->len ); 4220 PSA_ASSERT( psa_cipher_update( &operation, input->x, first_part_size, 4221 output, output_buffer_size, 4222 &function_output_length ) ); 4223 TEST_ASSERT( function_output_length == output1_length ); 4224 TEST_LE_U( function_output_length, 4225 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, first_part_size ) ); 4226 TEST_LE_U( function_output_length, 4227 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( first_part_size) ); 4228 total_output_length += function_output_length; 4229 4230 if( first_part_size < input->len ) 4231 { 4232 PSA_ASSERT( psa_cipher_update( &operation, 4233 input->x + first_part_size, 4234 input->len - first_part_size, 4235 ( output_buffer_size == 0 ? NULL : 4236 output + total_output_length ), 4237 output_buffer_size - total_output_length, 4238 &function_output_length ) ); 4239 TEST_ASSERT( function_output_length == output2_length ); 4240 TEST_LE_U( function_output_length, 4241 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, 4242 alg, 4243 input->len - first_part_size ) ); 4244 TEST_LE_U( function_output_length, 4245 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( input->len ) ); 4246 total_output_length += function_output_length; 4247 } 4248 4249 status = psa_cipher_finish( &operation, 4250 ( output_buffer_size == 0 ? NULL : 4251 output + total_output_length ), 4252 output_buffer_size - total_output_length, 4253 &function_output_length ); 4254 TEST_LE_U( function_output_length, 4255 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ) ); 4256 TEST_LE_U( function_output_length, 4257 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE ); 4258 total_output_length += function_output_length; 4259 TEST_EQUAL( status, expected_status ); 4260 4261 if( expected_status == PSA_SUCCESS ) 4262 { 4263 PSA_ASSERT( psa_cipher_abort( &operation ) ); 4264 4265 ASSERT_COMPARE( expected_output->x, expected_output->len, 4266 output, total_output_length ); 4267 } 4268 4269exit: 4270 psa_cipher_abort( &operation ); 4271 mbedtls_free( output ); 4272 psa_destroy_key( key ); 4273 PSA_DONE( ); 4274} 4275/* END_CASE */ 4276 4277/* BEGIN_CASE */ 4278void cipher_decrypt_multipart( int alg_arg, int key_type_arg, 4279 data_t *key_data, data_t *iv, 4280 data_t *input, 4281 int first_part_size_arg, 4282 int output1_length_arg, int output2_length_arg, 4283 data_t *expected_output, 4284 int expected_status_arg ) 4285{ 4286 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4287 psa_key_type_t key_type = key_type_arg; 4288 psa_algorithm_t alg = alg_arg; 4289 psa_status_t status; 4290 psa_status_t expected_status = expected_status_arg; 4291 size_t first_part_size = first_part_size_arg; 4292 size_t output1_length = output1_length_arg; 4293 size_t output2_length = output2_length_arg; 4294 unsigned char *output = NULL; 4295 size_t output_buffer_size = 0; 4296 size_t function_output_length = 0; 4297 size_t total_output_length = 0; 4298 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 4299 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4300 4301 PSA_ASSERT( psa_crypto_init( ) ); 4302 4303 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 4304 psa_set_key_algorithm( &attributes, alg ); 4305 psa_set_key_type( &attributes, key_type ); 4306 4307 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4308 &key ) ); 4309 4310 PSA_ASSERT( psa_cipher_decrypt_setup( &operation, key, alg ) ); 4311 4312 if( iv->len > 0 ) 4313 { 4314 PSA_ASSERT( psa_cipher_set_iv( &operation, iv->x, iv->len ) ); 4315 } 4316 4317 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, input->len ) + 4318 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ); 4319 ASSERT_ALLOC( output, output_buffer_size ); 4320 4321 TEST_LE_U( first_part_size, input->len ); 4322 PSA_ASSERT( psa_cipher_update( &operation, 4323 input->x, first_part_size, 4324 output, output_buffer_size, 4325 &function_output_length ) ); 4326 TEST_ASSERT( function_output_length == output1_length ); 4327 TEST_LE_U( function_output_length, 4328 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, first_part_size ) ); 4329 TEST_LE_U( function_output_length, 4330 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( first_part_size ) ); 4331 total_output_length += function_output_length; 4332 4333 if( first_part_size < input->len ) 4334 { 4335 PSA_ASSERT( psa_cipher_update( &operation, 4336 input->x + first_part_size, 4337 input->len - first_part_size, 4338 ( output_buffer_size == 0 ? NULL : 4339 output + total_output_length ), 4340 output_buffer_size - total_output_length, 4341 &function_output_length ) ); 4342 TEST_ASSERT( function_output_length == output2_length ); 4343 TEST_LE_U( function_output_length, 4344 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, 4345 alg, 4346 input->len - first_part_size ) ); 4347 TEST_LE_U( function_output_length, 4348 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( input->len ) ); 4349 total_output_length += function_output_length; 4350 } 4351 4352 status = psa_cipher_finish( &operation, 4353 ( output_buffer_size == 0 ? NULL : 4354 output + total_output_length ), 4355 output_buffer_size - total_output_length, 4356 &function_output_length ); 4357 TEST_LE_U( function_output_length, 4358 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ) ); 4359 TEST_LE_U( function_output_length, 4360 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE ); 4361 total_output_length += function_output_length; 4362 TEST_EQUAL( status, expected_status ); 4363 4364 if( expected_status == PSA_SUCCESS ) 4365 { 4366 PSA_ASSERT( psa_cipher_abort( &operation ) ); 4367 4368 ASSERT_COMPARE( expected_output->x, expected_output->len, 4369 output, total_output_length ); 4370 } 4371 4372exit: 4373 psa_cipher_abort( &operation ); 4374 mbedtls_free( output ); 4375 psa_destroy_key( key ); 4376 PSA_DONE( ); 4377} 4378/* END_CASE */ 4379 4380/* BEGIN_CASE */ 4381void cipher_decrypt_fail( int alg_arg, 4382 int key_type_arg, 4383 data_t *key_data, 4384 data_t *iv, 4385 data_t *input_arg, 4386 int expected_status_arg ) 4387{ 4388 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4389 psa_status_t status; 4390 psa_key_type_t key_type = key_type_arg; 4391 psa_algorithm_t alg = alg_arg; 4392 psa_status_t expected_status = expected_status_arg; 4393 unsigned char *input = NULL; 4394 size_t input_buffer_size = 0; 4395 unsigned char *output = NULL; 4396 unsigned char *output_multi = NULL; 4397 size_t output_buffer_size = 0; 4398 size_t output_length = 0; 4399 size_t function_output_length; 4400 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; 4401 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4402 4403 if ( PSA_ERROR_BAD_STATE != expected_status ) 4404 { 4405 PSA_ASSERT( psa_crypto_init( ) ); 4406 4407 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 4408 psa_set_key_algorithm( &attributes, alg ); 4409 psa_set_key_type( &attributes, key_type ); 4410 4411 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4412 &key ) ); 4413 } 4414 4415 /* Allocate input buffer and copy the iv and the plaintext */ 4416 input_buffer_size = ( (size_t) input_arg->len + (size_t) iv->len ); 4417 if ( input_buffer_size > 0 ) 4418 { 4419 ASSERT_ALLOC( input, input_buffer_size ); 4420 memcpy( input, iv->x, iv->len ); 4421 memcpy( input + iv->len, input_arg->x, input_arg->len ); 4422 } 4423 4424 output_buffer_size = PSA_CIPHER_DECRYPT_OUTPUT_SIZE( key_type, alg, input_buffer_size ); 4425 ASSERT_ALLOC( output, output_buffer_size ); 4426 4427 /* Decrypt, one-short */ 4428 status = psa_cipher_decrypt( key, alg, input, input_buffer_size, output, 4429 output_buffer_size, &output_length ); 4430 TEST_EQUAL( status, expected_status ); 4431 4432 /* Decrypt, multi-part */ 4433 status = psa_cipher_decrypt_setup( &operation, key, alg ); 4434 if( status == PSA_SUCCESS ) 4435 { 4436 output_buffer_size = PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, 4437 input_arg->len ) + 4438 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ); 4439 ASSERT_ALLOC( output_multi, output_buffer_size ); 4440 4441 if( iv->len > 0 ) 4442 { 4443 status = psa_cipher_set_iv( &operation, iv->x, iv->len ); 4444 4445 if( status != PSA_SUCCESS ) 4446 TEST_EQUAL( status, expected_status ); 4447 } 4448 4449 if( status == PSA_SUCCESS ) 4450 { 4451 status = psa_cipher_update( &operation, 4452 input_arg->x, input_arg->len, 4453 output_multi, output_buffer_size, 4454 &function_output_length ); 4455 if( status == PSA_SUCCESS ) 4456 { 4457 output_length = function_output_length; 4458 4459 status = psa_cipher_finish( &operation, 4460 output_multi + output_length, 4461 output_buffer_size - output_length, 4462 &function_output_length ); 4463 4464 TEST_EQUAL( status, expected_status ); 4465 } 4466 else 4467 { 4468 TEST_EQUAL( status, expected_status ); 4469 } 4470 } 4471 else 4472 { 4473 TEST_EQUAL( status, expected_status ); 4474 } 4475 } 4476 else 4477 { 4478 TEST_EQUAL( status, expected_status ); 4479 } 4480 4481exit: 4482 psa_cipher_abort( &operation ); 4483 mbedtls_free( input ); 4484 mbedtls_free( output ); 4485 mbedtls_free( output_multi ); 4486 psa_destroy_key( key ); 4487 PSA_DONE( ); 4488} 4489/* END_CASE */ 4490 4491/* BEGIN_CASE */ 4492void cipher_decrypt( int alg_arg, 4493 int key_type_arg, 4494 data_t *key_data, 4495 data_t *iv, 4496 data_t *input_arg, 4497 data_t *expected_output ) 4498{ 4499 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4500 psa_key_type_t key_type = key_type_arg; 4501 psa_algorithm_t alg = alg_arg; 4502 unsigned char *input = NULL; 4503 size_t input_buffer_size = 0; 4504 unsigned char *output = NULL; 4505 size_t output_buffer_size = 0; 4506 size_t output_length = 0; 4507 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4508 4509 PSA_ASSERT( psa_crypto_init( ) ); 4510 4511 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 4512 psa_set_key_algorithm( &attributes, alg ); 4513 psa_set_key_type( &attributes, key_type ); 4514 4515 /* Allocate input buffer and copy the iv and the plaintext */ 4516 input_buffer_size = ( (size_t) input_arg->len + (size_t) iv->len ); 4517 if ( input_buffer_size > 0 ) 4518 { 4519 ASSERT_ALLOC( input, input_buffer_size ); 4520 memcpy( input, iv->x, iv->len ); 4521 memcpy( input + iv->len, input_arg->x, input_arg->len ); 4522 } 4523 4524 output_buffer_size = PSA_CIPHER_DECRYPT_OUTPUT_SIZE( key_type, alg, input_buffer_size ); 4525 ASSERT_ALLOC( output, output_buffer_size ); 4526 4527 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4528 &key ) ); 4529 4530 PSA_ASSERT( psa_cipher_decrypt( key, alg, input, input_buffer_size, output, 4531 output_buffer_size, &output_length ) ); 4532 TEST_LE_U( output_length, 4533 PSA_CIPHER_DECRYPT_OUTPUT_SIZE( key_type, alg, input_buffer_size ) ); 4534 TEST_LE_U( output_length, 4535 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE( input_buffer_size ) ); 4536 4537 ASSERT_COMPARE( expected_output->x, expected_output->len, 4538 output, output_length ); 4539exit: 4540 mbedtls_free( input ); 4541 mbedtls_free( output ); 4542 psa_destroy_key( key ); 4543 PSA_DONE( ); 4544} 4545/* END_CASE */ 4546 4547/* BEGIN_CASE */ 4548void cipher_verify_output( int alg_arg, 4549 int key_type_arg, 4550 data_t *key_data, 4551 data_t *input ) 4552{ 4553 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4554 psa_key_type_t key_type = key_type_arg; 4555 psa_algorithm_t alg = alg_arg; 4556 unsigned char *output1 = NULL; 4557 size_t output1_size = 0; 4558 size_t output1_length = 0; 4559 unsigned char *output2 = NULL; 4560 size_t output2_size = 0; 4561 size_t output2_length = 0; 4562 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4563 4564 PSA_ASSERT( psa_crypto_init( ) ); 4565 4566 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 4567 psa_set_key_algorithm( &attributes, alg ); 4568 psa_set_key_type( &attributes, key_type ); 4569 4570 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4571 &key ) ); 4572 output1_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ); 4573 ASSERT_ALLOC( output1, output1_size ); 4574 4575 PSA_ASSERT( psa_cipher_encrypt( key, alg, input->x, input->len, 4576 output1, output1_size, 4577 &output1_length ) ); 4578 TEST_LE_U( output1_length, 4579 PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ) ); 4580 TEST_LE_U( output1_length, 4581 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE( input->len ) ); 4582 4583 output2_size = output1_length; 4584 ASSERT_ALLOC( output2, output2_size ); 4585 4586 PSA_ASSERT( psa_cipher_decrypt( key, alg, output1, output1_length, 4587 output2, output2_size, 4588 &output2_length ) ); 4589 TEST_LE_U( output2_length, 4590 PSA_CIPHER_DECRYPT_OUTPUT_SIZE( key_type, alg, output1_length ) ); 4591 TEST_LE_U( output2_length, 4592 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE( output1_length ) ); 4593 4594 ASSERT_COMPARE( input->x, input->len, output2, output2_length ); 4595 4596exit: 4597 mbedtls_free( output1 ); 4598 mbedtls_free( output2 ); 4599 psa_destroy_key( key ); 4600 PSA_DONE( ); 4601} 4602/* END_CASE */ 4603 4604/* BEGIN_CASE */ 4605void cipher_verify_output_multipart( int alg_arg, 4606 int key_type_arg, 4607 data_t *key_data, 4608 data_t *input, 4609 int first_part_size_arg ) 4610{ 4611 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4612 psa_key_type_t key_type = key_type_arg; 4613 psa_algorithm_t alg = alg_arg; 4614 size_t first_part_size = first_part_size_arg; 4615 unsigned char iv[16] = {0}; 4616 size_t iv_size = 16; 4617 size_t iv_length = 0; 4618 unsigned char *output1 = NULL; 4619 size_t output1_buffer_size = 0; 4620 size_t output1_length = 0; 4621 unsigned char *output2 = NULL; 4622 size_t output2_buffer_size = 0; 4623 size_t output2_length = 0; 4624 size_t function_output_length; 4625 psa_cipher_operation_t operation1 = PSA_CIPHER_OPERATION_INIT; 4626 psa_cipher_operation_t operation2 = PSA_CIPHER_OPERATION_INIT; 4627 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4628 4629 PSA_ASSERT( psa_crypto_init( ) ); 4630 4631 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 4632 psa_set_key_algorithm( &attributes, alg ); 4633 psa_set_key_type( &attributes, key_type ); 4634 4635 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4636 &key ) ); 4637 4638 PSA_ASSERT( psa_cipher_encrypt_setup( &operation1, key, alg ) ); 4639 PSA_ASSERT( psa_cipher_decrypt_setup( &operation2, key, alg ) ); 4640 4641 if( alg != PSA_ALG_ECB_NO_PADDING ) 4642 { 4643 PSA_ASSERT( psa_cipher_generate_iv( &operation1, 4644 iv, iv_size, 4645 &iv_length ) ); 4646 } 4647 4648 output1_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ); 4649 TEST_LE_U( output1_buffer_size, 4650 PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE( input->len ) ); 4651 ASSERT_ALLOC( output1, output1_buffer_size ); 4652 4653 TEST_LE_U( first_part_size, input->len ); 4654 4655 PSA_ASSERT( psa_cipher_update( &operation1, input->x, first_part_size, 4656 output1, output1_buffer_size, 4657 &function_output_length ) ); 4658 TEST_LE_U( function_output_length, 4659 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, first_part_size ) ); 4660 TEST_LE_U( function_output_length, 4661 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( first_part_size ) ); 4662 output1_length += function_output_length; 4663 4664 PSA_ASSERT( psa_cipher_update( &operation1, 4665 input->x + first_part_size, 4666 input->len - first_part_size, 4667 output1, output1_buffer_size, 4668 &function_output_length ) ); 4669 TEST_LE_U( function_output_length, 4670 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, 4671 alg, 4672 input->len - first_part_size ) ); 4673 TEST_LE_U( function_output_length, 4674 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( input->len - first_part_size ) ); 4675 output1_length += function_output_length; 4676 4677 PSA_ASSERT( psa_cipher_finish( &operation1, 4678 output1 + output1_length, 4679 output1_buffer_size - output1_length, 4680 &function_output_length ) ); 4681 TEST_LE_U( function_output_length, 4682 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ) ); 4683 TEST_LE_U( function_output_length, 4684 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE ); 4685 output1_length += function_output_length; 4686 4687 PSA_ASSERT( psa_cipher_abort( &operation1 ) ); 4688 4689 output2_buffer_size = output1_length; 4690 TEST_LE_U( output2_buffer_size, 4691 PSA_CIPHER_DECRYPT_OUTPUT_SIZE( key_type, alg, output1_length ) ); 4692 TEST_LE_U( output2_buffer_size, 4693 PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE( output1_length ) ); 4694 ASSERT_ALLOC( output2, output2_buffer_size ); 4695 4696 if( iv_length > 0 ) 4697 { 4698 PSA_ASSERT( psa_cipher_set_iv( &operation2, 4699 iv, iv_length ) ); 4700 } 4701 4702 PSA_ASSERT( psa_cipher_update( &operation2, output1, first_part_size, 4703 output2, output2_buffer_size, 4704 &function_output_length ) ); 4705 TEST_LE_U( function_output_length, 4706 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, alg, first_part_size ) ); 4707 TEST_LE_U( function_output_length, 4708 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( first_part_size ) ); 4709 output2_length += function_output_length; 4710 4711 PSA_ASSERT( psa_cipher_update( &operation2, 4712 output1 + first_part_size, 4713 output1_length - first_part_size, 4714 output2, output2_buffer_size, 4715 &function_output_length ) ); 4716 TEST_LE_U( function_output_length, 4717 PSA_CIPHER_UPDATE_OUTPUT_SIZE( key_type, 4718 alg, 4719 output1_length - first_part_size ) ); 4720 TEST_LE_U( function_output_length, 4721 PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE( output1_length - first_part_size ) ); 4722 output2_length += function_output_length; 4723 4724 PSA_ASSERT( psa_cipher_finish( &operation2, 4725 output2 + output2_length, 4726 output2_buffer_size - output2_length, 4727 &function_output_length ) ); 4728 TEST_LE_U( function_output_length, 4729 PSA_CIPHER_FINISH_OUTPUT_SIZE( key_type, alg ) ); 4730 TEST_LE_U( function_output_length, 4731 PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE ); 4732 output2_length += function_output_length; 4733 4734 PSA_ASSERT( psa_cipher_abort( &operation2 ) ); 4735 4736 ASSERT_COMPARE( input->x, input->len, output2, output2_length ); 4737 4738exit: 4739 psa_cipher_abort( &operation1 ); 4740 psa_cipher_abort( &operation2 ); 4741 mbedtls_free( output1 ); 4742 mbedtls_free( output2 ); 4743 psa_destroy_key( key ); 4744 PSA_DONE( ); 4745} 4746/* END_CASE */ 4747 4748/* BEGIN_CASE */ 4749void aead_encrypt_decrypt( int key_type_arg, data_t *key_data, 4750 int alg_arg, 4751 data_t *nonce, 4752 data_t *additional_data, 4753 data_t *input_data, 4754 int expected_result_arg ) 4755{ 4756 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4757 psa_key_type_t key_type = key_type_arg; 4758 psa_algorithm_t alg = alg_arg; 4759 size_t key_bits; 4760 unsigned char *output_data = NULL; 4761 size_t output_size = 0; 4762 size_t output_length = 0; 4763 unsigned char *output_data2 = NULL; 4764 size_t output_length2 = 0; 4765 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 4766 psa_status_t expected_result = expected_result_arg; 4767 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4768 4769 PSA_ASSERT( psa_crypto_init( ) ); 4770 4771 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 4772 psa_set_key_algorithm( &attributes, alg ); 4773 psa_set_key_type( &attributes, key_type ); 4774 4775 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4776 &key ) ); 4777 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 4778 key_bits = psa_get_key_bits( &attributes ); 4779 4780 output_size = input_data->len + PSA_AEAD_TAG_LENGTH( key_type, key_bits, 4781 alg ); 4782 /* For all currently defined algorithms, PSA_AEAD_ENCRYPT_OUTPUT_SIZE 4783 * should be exact. */ 4784 if( expected_result != PSA_ERROR_INVALID_ARGUMENT && 4785 expected_result != PSA_ERROR_NOT_SUPPORTED ) 4786 { 4787 TEST_EQUAL( output_size, 4788 PSA_AEAD_ENCRYPT_OUTPUT_SIZE( key_type, alg, input_data->len ) ); 4789 TEST_LE_U( output_size, 4790 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE( input_data->len ) ); 4791 } 4792 ASSERT_ALLOC( output_data, output_size ); 4793 4794 status = psa_aead_encrypt( key, alg, 4795 nonce->x, nonce->len, 4796 additional_data->x, 4797 additional_data->len, 4798 input_data->x, input_data->len, 4799 output_data, output_size, 4800 &output_length ); 4801 4802 /* If the operation is not supported, just skip and not fail in case the 4803 * encryption involves a common limitation of cryptography hardwares and 4804 * an alternative implementation. */ 4805 if( status == PSA_ERROR_NOT_SUPPORTED ) 4806 { 4807 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 4808 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce->len ); 4809 } 4810 4811 TEST_EQUAL( status, expected_result ); 4812 4813 if( PSA_SUCCESS == expected_result ) 4814 { 4815 ASSERT_ALLOC( output_data2, output_length ); 4816 4817 /* For all currently defined algorithms, PSA_AEAD_DECRYPT_OUTPUT_SIZE 4818 * should be exact. */ 4819 TEST_EQUAL( input_data->len, 4820 PSA_AEAD_DECRYPT_OUTPUT_SIZE( key_type, alg, output_length ) ); 4821 4822 TEST_LE_U( input_data->len, 4823 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE( output_length ) ); 4824 4825 TEST_EQUAL( psa_aead_decrypt( key, alg, 4826 nonce->x, nonce->len, 4827 additional_data->x, 4828 additional_data->len, 4829 output_data, output_length, 4830 output_data2, output_length, 4831 &output_length2 ), 4832 expected_result ); 4833 4834 ASSERT_COMPARE( input_data->x, input_data->len, 4835 output_data2, output_length2 ); 4836 } 4837 4838exit: 4839 psa_destroy_key( key ); 4840 mbedtls_free( output_data ); 4841 mbedtls_free( output_data2 ); 4842 PSA_DONE( ); 4843} 4844/* END_CASE */ 4845 4846/* BEGIN_CASE */ 4847void aead_encrypt( int key_type_arg, data_t *key_data, 4848 int alg_arg, 4849 data_t *nonce, 4850 data_t *additional_data, 4851 data_t *input_data, 4852 data_t *expected_result ) 4853{ 4854 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4855 psa_key_type_t key_type = key_type_arg; 4856 psa_algorithm_t alg = alg_arg; 4857 size_t key_bits; 4858 unsigned char *output_data = NULL; 4859 size_t output_size = 0; 4860 size_t output_length = 0; 4861 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4862 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 4863 4864 PSA_ASSERT( psa_crypto_init( ) ); 4865 4866 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 4867 psa_set_key_algorithm( &attributes, alg ); 4868 psa_set_key_type( &attributes, key_type ); 4869 4870 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4871 &key ) ); 4872 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 4873 key_bits = psa_get_key_bits( &attributes ); 4874 4875 output_size = input_data->len + PSA_AEAD_TAG_LENGTH( key_type, key_bits, 4876 alg ); 4877 /* For all currently defined algorithms, PSA_AEAD_ENCRYPT_OUTPUT_SIZE 4878 * should be exact. */ 4879 TEST_EQUAL( output_size, 4880 PSA_AEAD_ENCRYPT_OUTPUT_SIZE( key_type, alg, input_data->len ) ); 4881 TEST_LE_U( output_size, 4882 PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE( input_data->len ) ); 4883 ASSERT_ALLOC( output_data, output_size ); 4884 4885 status = psa_aead_encrypt( key, alg, 4886 nonce->x, nonce->len, 4887 additional_data->x, additional_data->len, 4888 input_data->x, input_data->len, 4889 output_data, output_size, 4890 &output_length ); 4891 4892 /* If the operation is not supported, just skip and not fail in case the 4893 * encryption involves a common limitation of cryptography hardwares and 4894 * an alternative implementation. */ 4895 if( status == PSA_ERROR_NOT_SUPPORTED ) 4896 { 4897 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 4898 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce->len ); 4899 } 4900 4901 PSA_ASSERT( status ); 4902 ASSERT_COMPARE( expected_result->x, expected_result->len, 4903 output_data, output_length ); 4904 4905exit: 4906 psa_destroy_key( key ); 4907 mbedtls_free( output_data ); 4908 PSA_DONE( ); 4909} 4910/* END_CASE */ 4911 4912/* BEGIN_CASE */ 4913void aead_decrypt( int key_type_arg, data_t *key_data, 4914 int alg_arg, 4915 data_t *nonce, 4916 data_t *additional_data, 4917 data_t *input_data, 4918 data_t *expected_data, 4919 int expected_result_arg ) 4920{ 4921 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 4922 psa_key_type_t key_type = key_type_arg; 4923 psa_algorithm_t alg = alg_arg; 4924 size_t key_bits; 4925 unsigned char *output_data = NULL; 4926 size_t output_size = 0; 4927 size_t output_length = 0; 4928 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4929 psa_status_t expected_result = expected_result_arg; 4930 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 4931 4932 PSA_ASSERT( psa_crypto_init( ) ); 4933 4934 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 4935 psa_set_key_algorithm( &attributes, alg ); 4936 psa_set_key_type( &attributes, key_type ); 4937 4938 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 4939 &key ) ); 4940 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 4941 key_bits = psa_get_key_bits( &attributes ); 4942 4943 output_size = input_data->len - PSA_AEAD_TAG_LENGTH( key_type, key_bits, 4944 alg ); 4945 if( expected_result != PSA_ERROR_INVALID_ARGUMENT && 4946 expected_result != PSA_ERROR_NOT_SUPPORTED ) 4947 { 4948 /* For all currently defined algorithms, PSA_AEAD_DECRYPT_OUTPUT_SIZE 4949 * should be exact. */ 4950 TEST_EQUAL( output_size, 4951 PSA_AEAD_DECRYPT_OUTPUT_SIZE( key_type, alg, input_data->len ) ); 4952 TEST_LE_U( output_size, 4953 PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE( input_data->len ) ); 4954 } 4955 ASSERT_ALLOC( output_data, output_size ); 4956 4957 status = psa_aead_decrypt( key, alg, 4958 nonce->x, nonce->len, 4959 additional_data->x, 4960 additional_data->len, 4961 input_data->x, input_data->len, 4962 output_data, output_size, 4963 &output_length ); 4964 4965 /* If the operation is not supported, just skip and not fail in case the 4966 * decryption involves a common limitation of cryptography hardwares and 4967 * an alternative implementation. */ 4968 if( status == PSA_ERROR_NOT_SUPPORTED ) 4969 { 4970 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 4971 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce->len ); 4972 } 4973 4974 TEST_EQUAL( status, expected_result ); 4975 4976 if( expected_result == PSA_SUCCESS ) 4977 ASSERT_COMPARE( expected_data->x, expected_data->len, 4978 output_data, output_length ); 4979 4980exit: 4981 psa_destroy_key( key ); 4982 mbedtls_free( output_data ); 4983 PSA_DONE( ); 4984} 4985/* END_CASE */ 4986 4987/* BEGIN_CASE */ 4988void aead_multipart_encrypt( int key_type_arg, data_t *key_data, 4989 int alg_arg, 4990 data_t *nonce, 4991 data_t *additional_data, 4992 data_t *input_data, 4993 int do_set_lengths, 4994 data_t *expected_output ) 4995{ 4996 size_t ad_part_len = 0; 4997 size_t data_part_len = 0; 4998 set_lengths_method_t set_lengths_method = DO_NOT_SET_LENGTHS; 4999 5000 for( ad_part_len = 1; ad_part_len <= additional_data->len; ad_part_len++ ) 5001 { 5002 mbedtls_test_set_step( ad_part_len ); 5003 5004 if( do_set_lengths ) 5005 { 5006 if( ad_part_len & 0x01 ) 5007 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 5008 else 5009 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 5010 } 5011 5012 /* Split ad into length(ad_part_len) parts. */ 5013 if( !aead_multipart_internal_func( key_type_arg, key_data, 5014 alg_arg, nonce, 5015 additional_data, 5016 ad_part_len, 5017 input_data, -1, 5018 set_lengths_method, 5019 expected_output, 5020 1, 0 ) ) 5021 break; 5022 5023 /* length(0) part, length(ad_part_len) part, length(0) part... */ 5024 mbedtls_test_set_step( 1000 + ad_part_len ); 5025 5026 if( !aead_multipart_internal_func( key_type_arg, key_data, 5027 alg_arg, nonce, 5028 additional_data, 5029 ad_part_len, 5030 input_data, -1, 5031 set_lengths_method, 5032 expected_output, 5033 1, 1 ) ) 5034 break; 5035 } 5036 5037 for( data_part_len = 1; data_part_len <= input_data->len; data_part_len++ ) 5038 { 5039 /* Split data into length(data_part_len) parts. */ 5040 mbedtls_test_set_step( 2000 + data_part_len ); 5041 5042 if( do_set_lengths ) 5043 { 5044 if( data_part_len & 0x01 ) 5045 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 5046 else 5047 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 5048 } 5049 5050 if( !aead_multipart_internal_func( key_type_arg, key_data, 5051 alg_arg, nonce, 5052 additional_data, -1, 5053 input_data, data_part_len, 5054 set_lengths_method, 5055 expected_output, 5056 1, 0 ) ) 5057 break; 5058 5059 /* length(0) part, length(data_part_len) part, length(0) part... */ 5060 mbedtls_test_set_step( 3000 + data_part_len ); 5061 5062 if( !aead_multipart_internal_func( key_type_arg, key_data, 5063 alg_arg, nonce, 5064 additional_data, -1, 5065 input_data, data_part_len, 5066 set_lengths_method, 5067 expected_output, 5068 1, 1 ) ) 5069 break; 5070 } 5071 5072 /* Goto is required to silence warnings about unused labels, as we 5073 * don't actually do any test assertions in this function. */ 5074 goto exit; 5075} 5076/* END_CASE */ 5077 5078/* BEGIN_CASE */ 5079void aead_multipart_decrypt( int key_type_arg, data_t *key_data, 5080 int alg_arg, 5081 data_t *nonce, 5082 data_t *additional_data, 5083 data_t *input_data, 5084 int do_set_lengths, 5085 data_t *expected_output ) 5086{ 5087 size_t ad_part_len = 0; 5088 size_t data_part_len = 0; 5089 set_lengths_method_t set_lengths_method = DO_NOT_SET_LENGTHS; 5090 5091 for( ad_part_len = 1; ad_part_len <= additional_data->len; ad_part_len++ ) 5092 { 5093 /* Split ad into length(ad_part_len) parts. */ 5094 mbedtls_test_set_step( ad_part_len ); 5095 5096 if( do_set_lengths ) 5097 { 5098 if( ad_part_len & 0x01 ) 5099 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 5100 else 5101 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 5102 } 5103 5104 if( !aead_multipart_internal_func( key_type_arg, key_data, 5105 alg_arg, nonce, 5106 additional_data, 5107 ad_part_len, 5108 input_data, -1, 5109 set_lengths_method, 5110 expected_output, 5111 0, 0 ) ) 5112 break; 5113 5114 /* length(0) part, length(ad_part_len) part, length(0) part... */ 5115 mbedtls_test_set_step( 1000 + ad_part_len ); 5116 5117 if( !aead_multipart_internal_func( key_type_arg, key_data, 5118 alg_arg, nonce, 5119 additional_data, 5120 ad_part_len, 5121 input_data, -1, 5122 set_lengths_method, 5123 expected_output, 5124 0, 1 ) ) 5125 break; 5126 } 5127 5128 for( data_part_len = 1; data_part_len <= input_data->len; data_part_len++ ) 5129 { 5130 /* Split data into length(data_part_len) parts. */ 5131 mbedtls_test_set_step( 2000 + data_part_len ); 5132 5133 if( do_set_lengths ) 5134 { 5135 if( data_part_len & 0x01 ) 5136 set_lengths_method = SET_LENGTHS_AFTER_NONCE; 5137 else 5138 set_lengths_method = SET_LENGTHS_BEFORE_NONCE; 5139 } 5140 5141 if( !aead_multipart_internal_func( key_type_arg, key_data, 5142 alg_arg, nonce, 5143 additional_data, -1, 5144 input_data, data_part_len, 5145 set_lengths_method, 5146 expected_output, 5147 0, 0 ) ) 5148 break; 5149 5150 /* length(0) part, length(data_part_len) part, length(0) part... */ 5151 mbedtls_test_set_step( 3000 + data_part_len ); 5152 5153 if( !aead_multipart_internal_func( key_type_arg, key_data, 5154 alg_arg, nonce, 5155 additional_data, -1, 5156 input_data, data_part_len, 5157 set_lengths_method, 5158 expected_output, 5159 0, 1 ) ) 5160 break; 5161 } 5162 5163 /* Goto is required to silence warnings about unused labels, as we 5164 * don't actually do any test assertions in this function. */ 5165 goto exit; 5166} 5167/* END_CASE */ 5168 5169/* BEGIN_CASE */ 5170void aead_multipart_generate_nonce( int key_type_arg, data_t *key_data, 5171 int alg_arg, 5172 int nonce_length, 5173 int expected_nonce_length_arg, 5174 data_t *additional_data, 5175 data_t *input_data, 5176 int expected_status_arg ) 5177{ 5178 5179 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5180 psa_key_type_t key_type = key_type_arg; 5181 psa_algorithm_t alg = alg_arg; 5182 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 5183 uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE]; 5184 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5185 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5186 psa_status_t expected_status = expected_status_arg; 5187 size_t actual_nonce_length = 0; 5188 size_t expected_nonce_length = expected_nonce_length_arg; 5189 unsigned char *output = NULL; 5190 unsigned char *ciphertext = NULL; 5191 size_t output_size = 0; 5192 size_t ciphertext_size = 0; 5193 size_t ciphertext_length = 0; 5194 size_t tag_length = 0; 5195 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 5196 5197 PSA_ASSERT( psa_crypto_init( ) ); 5198 5199 psa_set_key_usage_flags( & attributes, PSA_KEY_USAGE_ENCRYPT ); 5200 psa_set_key_algorithm( & attributes, alg ); 5201 psa_set_key_type( & attributes, key_type ); 5202 5203 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5204 &key ) ); 5205 5206 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 5207 5208 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, input_data->len ); 5209 5210 ASSERT_ALLOC( output, output_size ); 5211 5212 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE( key_type, alg ); 5213 5214 TEST_LE_U( ciphertext_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE ); 5215 5216 ASSERT_ALLOC( ciphertext, ciphertext_size ); 5217 5218 status = psa_aead_encrypt_setup( &operation, key, alg ); 5219 5220 /* If the operation is not supported, just skip and not fail in case the 5221 * encryption involves a common limitation of cryptography hardwares and 5222 * an alternative implementation. */ 5223 if( status == PSA_ERROR_NOT_SUPPORTED ) 5224 { 5225 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 5226 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce_length ); 5227 } 5228 5229 PSA_ASSERT( status ); 5230 5231 status = psa_aead_generate_nonce( &operation, nonce_buffer, 5232 nonce_length, 5233 &actual_nonce_length ); 5234 5235 TEST_EQUAL( status, expected_status ); 5236 5237 TEST_EQUAL( actual_nonce_length, expected_nonce_length ); 5238 5239 if( expected_status == PSA_SUCCESS ) 5240 TEST_EQUAL( actual_nonce_length, PSA_AEAD_NONCE_LENGTH( key_type, 5241 alg ) ); 5242 5243 TEST_LE_U( actual_nonce_length, PSA_AEAD_NONCE_MAX_SIZE ); 5244 5245 if( expected_status == PSA_SUCCESS ) 5246 { 5247 /* Ensure we can still complete operation. */ 5248 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 5249 input_data->len ) ); 5250 5251 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 5252 additional_data->len ) ); 5253 5254 PSA_ASSERT( psa_aead_update( &operation, input_data->x, input_data->len, 5255 output, output_size, 5256 &ciphertext_length ) ); 5257 5258 PSA_ASSERT( psa_aead_finish( &operation, ciphertext, ciphertext_size, 5259 &ciphertext_length, tag_buffer, 5260 PSA_AEAD_TAG_MAX_SIZE, &tag_length ) ); 5261 } 5262 5263exit: 5264 psa_destroy_key( key ); 5265 mbedtls_free( output ); 5266 mbedtls_free( ciphertext ); 5267 psa_aead_abort( &operation ); 5268 PSA_DONE( ); 5269} 5270/* END_CASE */ 5271 5272/* BEGIN_CASE */ 5273void aead_multipart_set_nonce( int key_type_arg, data_t *key_data, 5274 int alg_arg, 5275 int nonce_length_arg, 5276 int set_lengths_method_arg, 5277 data_t *additional_data, 5278 data_t *input_data, 5279 int expected_status_arg ) 5280{ 5281 5282 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5283 psa_key_type_t key_type = key_type_arg; 5284 psa_algorithm_t alg = alg_arg; 5285 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 5286 uint8_t *nonce_buffer = NULL; 5287 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5288 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5289 psa_status_t expected_status = expected_status_arg; 5290 unsigned char *output = NULL; 5291 unsigned char *ciphertext = NULL; 5292 size_t nonce_length; 5293 size_t output_size = 0; 5294 size_t ciphertext_size = 0; 5295 size_t ciphertext_length = 0; 5296 size_t tag_length = 0; 5297 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 5298 size_t index = 0; 5299 set_lengths_method_t set_lengths_method = set_lengths_method_arg; 5300 5301 PSA_ASSERT( psa_crypto_init( ) ); 5302 5303 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 5304 psa_set_key_algorithm( &attributes, alg ); 5305 psa_set_key_type( &attributes, key_type ); 5306 5307 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5308 &key ) ); 5309 5310 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 5311 5312 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, input_data->len ); 5313 5314 ASSERT_ALLOC( output, output_size ); 5315 5316 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE( key_type, alg ); 5317 5318 TEST_LE_U( ciphertext_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE ); 5319 5320 ASSERT_ALLOC( ciphertext, ciphertext_size ); 5321 5322 status = psa_aead_encrypt_setup( &operation, key, alg ); 5323 5324 /* If the operation is not supported, just skip and not fail in case the 5325 * encryption involves a common limitation of cryptography hardwares and 5326 * an alternative implementation. */ 5327 if( status == PSA_ERROR_NOT_SUPPORTED ) 5328 { 5329 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 5330 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce_length_arg ); 5331 } 5332 5333 PSA_ASSERT( status ); 5334 5335 /* -1 == zero length and valid buffer, 0 = zero length and NULL buffer. */ 5336 if( nonce_length_arg == -1 ) 5337 { 5338 /* Arbitrary size buffer, to test zero length valid buffer. */ 5339 ASSERT_ALLOC( nonce_buffer, 4 ); 5340 nonce_length = 0; 5341 } 5342 else 5343 { 5344 /* If length is zero, then this will return NULL. */ 5345 nonce_length = ( size_t ) nonce_length_arg; 5346 ASSERT_ALLOC( nonce_buffer, nonce_length ); 5347 5348 if( nonce_buffer ) 5349 { 5350 for( index = 0; index < nonce_length - 1; ++index ) 5351 { 5352 nonce_buffer[index] = 'a' + index; 5353 } 5354 } 5355 } 5356 5357 if( set_lengths_method == SET_LENGTHS_BEFORE_NONCE ) 5358 { 5359 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 5360 input_data->len ) ); 5361 } 5362 5363 status = psa_aead_set_nonce( &operation, nonce_buffer, nonce_length ); 5364 5365 TEST_EQUAL( status, expected_status ); 5366 5367 if( expected_status == PSA_SUCCESS ) 5368 { 5369 if( set_lengths_method == SET_LENGTHS_AFTER_NONCE ) 5370 { 5371 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 5372 input_data->len ) ); 5373 } 5374 if( operation.alg == PSA_ALG_CCM && set_lengths_method == DO_NOT_SET_LENGTHS ) 5375 expected_status = PSA_ERROR_BAD_STATE; 5376 5377 /* Ensure we can still complete operation, unless it's CCM and we didn't set lengths. */ 5378 TEST_EQUAL( psa_aead_update_ad( &operation, additional_data->x, 5379 additional_data->len ), 5380 expected_status ); 5381 5382 TEST_EQUAL( psa_aead_update( &operation, input_data->x, input_data->len, 5383 output, output_size, 5384 &ciphertext_length ), 5385 expected_status ); 5386 5387 TEST_EQUAL( psa_aead_finish( &operation, ciphertext, ciphertext_size, 5388 &ciphertext_length, tag_buffer, 5389 PSA_AEAD_TAG_MAX_SIZE, &tag_length ), 5390 expected_status ); 5391 } 5392 5393exit: 5394 psa_destroy_key( key ); 5395 mbedtls_free( output ); 5396 mbedtls_free( ciphertext ); 5397 mbedtls_free( nonce_buffer ); 5398 psa_aead_abort( &operation ); 5399 PSA_DONE( ); 5400} 5401/* END_CASE */ 5402 5403/* BEGIN_CASE */ 5404void aead_multipart_update_buffer_test( int key_type_arg, data_t *key_data, 5405 int alg_arg, 5406 int output_size_arg, 5407 data_t *nonce, 5408 data_t *additional_data, 5409 data_t *input_data, 5410 int expected_status_arg ) 5411{ 5412 5413 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5414 psa_key_type_t key_type = key_type_arg; 5415 psa_algorithm_t alg = alg_arg; 5416 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 5417 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5418 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5419 psa_status_t expected_status = expected_status_arg; 5420 unsigned char *output = NULL; 5421 unsigned char *ciphertext = NULL; 5422 size_t output_size = output_size_arg; 5423 size_t ciphertext_size = 0; 5424 size_t ciphertext_length = 0; 5425 size_t tag_length = 0; 5426 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 5427 5428 PSA_ASSERT( psa_crypto_init( ) ); 5429 5430 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 5431 psa_set_key_algorithm( &attributes, alg ); 5432 psa_set_key_type( &attributes, key_type ); 5433 5434 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5435 &key ) ); 5436 5437 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 5438 5439 ASSERT_ALLOC( output, output_size ); 5440 5441 ciphertext_size = PSA_AEAD_FINISH_OUTPUT_SIZE( key_type, alg ); 5442 5443 ASSERT_ALLOC( ciphertext, ciphertext_size ); 5444 5445 status = psa_aead_encrypt_setup( &operation, key, alg ); 5446 5447 /* If the operation is not supported, just skip and not fail in case the 5448 * encryption involves a common limitation of cryptography hardwares and 5449 * an alternative implementation. */ 5450 if( status == PSA_ERROR_NOT_SUPPORTED ) 5451 { 5452 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 5453 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce->len ); 5454 } 5455 5456 PSA_ASSERT( status ); 5457 5458 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 5459 input_data->len ) ); 5460 5461 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 5462 5463 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 5464 additional_data->len ) ); 5465 5466 status = psa_aead_update( &operation, input_data->x, input_data->len, 5467 output, output_size, &ciphertext_length ); 5468 5469 TEST_EQUAL( status, expected_status ); 5470 5471 if( expected_status == PSA_SUCCESS ) 5472 { 5473 /* Ensure we can still complete operation. */ 5474 PSA_ASSERT( psa_aead_finish( &operation, ciphertext, ciphertext_size, 5475 &ciphertext_length, tag_buffer, 5476 PSA_AEAD_TAG_MAX_SIZE, &tag_length ) ); 5477 } 5478 5479exit: 5480 psa_destroy_key( key ); 5481 mbedtls_free( output ); 5482 mbedtls_free( ciphertext ); 5483 psa_aead_abort( &operation ); 5484 PSA_DONE( ); 5485} 5486/* END_CASE */ 5487 5488/* BEGIN_CASE */ 5489void aead_multipart_finish_buffer_test( int key_type_arg, data_t *key_data, 5490 int alg_arg, 5491 int finish_ciphertext_size_arg, 5492 int tag_size_arg, 5493 data_t *nonce, 5494 data_t *additional_data, 5495 data_t *input_data, 5496 int expected_status_arg ) 5497{ 5498 5499 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5500 psa_key_type_t key_type = key_type_arg; 5501 psa_algorithm_t alg = alg_arg; 5502 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 5503 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5504 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5505 psa_status_t expected_status = expected_status_arg; 5506 unsigned char *ciphertext = NULL; 5507 unsigned char *finish_ciphertext = NULL; 5508 unsigned char *tag_buffer = NULL; 5509 size_t ciphertext_size = 0; 5510 size_t ciphertext_length = 0; 5511 size_t finish_ciphertext_size = ( size_t ) finish_ciphertext_size_arg; 5512 size_t tag_size = ( size_t ) tag_size_arg; 5513 size_t tag_length = 0; 5514 5515 PSA_ASSERT( psa_crypto_init( ) ); 5516 5517 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 5518 psa_set_key_algorithm( &attributes, alg ); 5519 psa_set_key_type( &attributes, key_type ); 5520 5521 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5522 &key ) ); 5523 5524 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 5525 5526 ciphertext_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, input_data->len ); 5527 5528 ASSERT_ALLOC( ciphertext, ciphertext_size ); 5529 5530 ASSERT_ALLOC( finish_ciphertext, finish_ciphertext_size ); 5531 5532 ASSERT_ALLOC( tag_buffer, tag_size ); 5533 5534 status = psa_aead_encrypt_setup( &operation, key, alg ); 5535 5536 /* If the operation is not supported, just skip and not fail in case the 5537 * encryption involves a common limitation of cryptography hardwares and 5538 * an alternative implementation. */ 5539 if( status == PSA_ERROR_NOT_SUPPORTED ) 5540 { 5541 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 5542 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce->len ); 5543 } 5544 5545 PSA_ASSERT( status ); 5546 5547 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 5548 5549 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 5550 input_data->len ) ); 5551 5552 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 5553 additional_data->len ) ); 5554 5555 PSA_ASSERT( psa_aead_update( &operation, input_data->x, input_data->len, 5556 ciphertext, ciphertext_size, &ciphertext_length ) ); 5557 5558 /* Ensure we can still complete operation. */ 5559 status = psa_aead_finish( &operation, finish_ciphertext, 5560 finish_ciphertext_size, 5561 &ciphertext_length, tag_buffer, 5562 tag_size, &tag_length ); 5563 5564 TEST_EQUAL( status, expected_status ); 5565 5566exit: 5567 psa_destroy_key( key ); 5568 mbedtls_free( ciphertext ); 5569 mbedtls_free( finish_ciphertext ); 5570 mbedtls_free( tag_buffer ); 5571 psa_aead_abort( &operation ); 5572 PSA_DONE( ); 5573} 5574/* END_CASE */ 5575 5576/* BEGIN_CASE */ 5577void aead_multipart_verify( int key_type_arg, data_t *key_data, 5578 int alg_arg, 5579 data_t *nonce, 5580 data_t *additional_data, 5581 data_t *input_data, 5582 data_t *tag, 5583 int tag_usage_arg, 5584 int expected_setup_status_arg, 5585 int expected_status_arg ) 5586{ 5587 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5588 psa_key_type_t key_type = key_type_arg; 5589 psa_algorithm_t alg = alg_arg; 5590 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 5591 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5592 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5593 psa_status_t expected_status = expected_status_arg; 5594 psa_status_t expected_setup_status = expected_setup_status_arg; 5595 unsigned char *plaintext = NULL; 5596 unsigned char *finish_plaintext = NULL; 5597 size_t plaintext_size = 0; 5598 size_t plaintext_length = 0; 5599 size_t verify_plaintext_size = 0; 5600 tag_usage_method_t tag_usage = tag_usage_arg; 5601 unsigned char *tag_buffer = NULL; 5602 size_t tag_size = 0; 5603 5604 PSA_ASSERT( psa_crypto_init( ) ); 5605 5606 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 5607 psa_set_key_algorithm( &attributes, alg ); 5608 psa_set_key_type( &attributes, key_type ); 5609 5610 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5611 &key ) ); 5612 5613 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 5614 5615 plaintext_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, 5616 input_data->len ); 5617 5618 ASSERT_ALLOC( plaintext, plaintext_size ); 5619 5620 verify_plaintext_size = PSA_AEAD_VERIFY_OUTPUT_SIZE( key_type, alg ); 5621 5622 ASSERT_ALLOC( finish_plaintext, verify_plaintext_size ); 5623 5624 status = psa_aead_decrypt_setup( &operation, key, alg ); 5625 5626 /* If the operation is not supported, just skip and not fail in case the 5627 * encryption involves a common limitation of cryptography hardwares and 5628 * an alternative implementation. */ 5629 if( status == PSA_ERROR_NOT_SUPPORTED ) 5630 { 5631 MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192( key_type, key_data->len * 8 ); 5632 MBEDTLS_TEST_PSA_SKIP_IF_ALT_GCM_NOT_12BYTES_NONCE( alg, nonce->len ); 5633 } 5634 TEST_EQUAL( status, expected_setup_status ); 5635 5636 if( status != PSA_SUCCESS ) 5637 goto exit; 5638 5639 PSA_ASSERT( status ); 5640 5641 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 5642 5643 status = psa_aead_set_lengths( &operation, additional_data->len, 5644 input_data->len ); 5645 PSA_ASSERT( status ); 5646 5647 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 5648 additional_data->len ) ); 5649 5650 PSA_ASSERT( psa_aead_update( &operation, input_data->x, 5651 input_data->len, 5652 plaintext, plaintext_size, 5653 &plaintext_length ) ); 5654 5655 if( tag_usage == USE_GIVEN_TAG ) 5656 { 5657 tag_buffer = tag->x; 5658 tag_size = tag->len; 5659 } 5660 5661 status = psa_aead_verify( &operation, finish_plaintext, 5662 verify_plaintext_size, 5663 &plaintext_length, 5664 tag_buffer, tag_size ); 5665 5666 TEST_EQUAL( status, expected_status ); 5667 5668exit: 5669 psa_destroy_key( key ); 5670 mbedtls_free( plaintext ); 5671 mbedtls_free( finish_plaintext ); 5672 psa_aead_abort( &operation ); 5673 PSA_DONE( ); 5674} 5675/* END_CASE */ 5676 5677/* BEGIN_CASE */ 5678void aead_multipart_setup( int key_type_arg, data_t *key_data, 5679 int alg_arg, int expected_status_arg ) 5680{ 5681 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5682 psa_key_type_t key_type = key_type_arg; 5683 psa_algorithm_t alg = alg_arg; 5684 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 5685 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5686 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 5687 psa_status_t expected_status = expected_status_arg; 5688 5689 PSA_ASSERT( psa_crypto_init( ) ); 5690 5691 psa_set_key_usage_flags( &attributes, 5692 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 5693 psa_set_key_algorithm( &attributes, alg ); 5694 psa_set_key_type( &attributes, key_type ); 5695 5696 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5697 &key ) ); 5698 5699 status = psa_aead_encrypt_setup( &operation, key, alg ); 5700 5701 TEST_EQUAL( status, expected_status ); 5702 5703 psa_aead_abort( &operation ); 5704 5705 status = psa_aead_decrypt_setup( &operation, key, alg ); 5706 5707 TEST_EQUAL(status, expected_status ); 5708 5709exit: 5710 psa_destroy_key( key ); 5711 psa_aead_abort( &operation ); 5712 PSA_DONE( ); 5713} 5714/* END_CASE */ 5715 5716/* BEGIN_CASE */ 5717void aead_multipart_state_test( int key_type_arg, data_t *key_data, 5718 int alg_arg, 5719 data_t *nonce, 5720 data_t *additional_data, 5721 data_t *input_data ) 5722{ 5723 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 5724 psa_key_type_t key_type = key_type_arg; 5725 psa_algorithm_t alg = alg_arg; 5726 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT; 5727 unsigned char *output_data = NULL; 5728 unsigned char *final_data = NULL; 5729 size_t output_size = 0; 5730 size_t finish_output_size = 0; 5731 size_t output_length = 0; 5732 size_t key_bits = 0; 5733 size_t tag_length = 0; 5734 size_t tag_size = 0; 5735 size_t nonce_length = 0; 5736 uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE]; 5737 uint8_t tag_buffer[PSA_AEAD_TAG_MAX_SIZE]; 5738 size_t output_part_length = 0; 5739 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5740 5741 PSA_ASSERT( psa_crypto_init( ) ); 5742 5743 psa_set_key_usage_flags( & attributes, 5744 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 5745 psa_set_key_algorithm( & attributes, alg ); 5746 psa_set_key_type( & attributes, key_type ); 5747 5748 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 5749 &key ) ); 5750 5751 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 5752 key_bits = psa_get_key_bits( &attributes ); 5753 5754 tag_length = PSA_AEAD_TAG_LENGTH( key_type, key_bits, alg ); 5755 5756 TEST_LE_U( tag_length, PSA_AEAD_TAG_MAX_SIZE ); 5757 5758 output_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( key_type, alg, input_data->len ); 5759 5760 ASSERT_ALLOC( output_data, output_size ); 5761 5762 finish_output_size = PSA_AEAD_FINISH_OUTPUT_SIZE( key_type, alg ); 5763 5764 TEST_LE_U( finish_output_size, PSA_AEAD_FINISH_OUTPUT_MAX_SIZE ); 5765 5766 ASSERT_ALLOC( final_data, finish_output_size ); 5767 5768 /* Test all operations error without calling setup first. */ 5769 5770 TEST_EQUAL( psa_aead_set_nonce( &operation, nonce->x, nonce->len ), 5771 PSA_ERROR_BAD_STATE ); 5772 5773 psa_aead_abort( &operation ); 5774 5775 TEST_EQUAL( psa_aead_generate_nonce( &operation, nonce_buffer, 5776 PSA_AEAD_NONCE_MAX_SIZE, 5777 &nonce_length ), 5778 PSA_ERROR_BAD_STATE ); 5779 5780 psa_aead_abort( &operation ); 5781 5782 /* ------------------------------------------------------- */ 5783 5784 TEST_EQUAL( psa_aead_set_lengths( &operation, additional_data->len, 5785 input_data->len ), 5786 PSA_ERROR_BAD_STATE ); 5787 5788 psa_aead_abort( &operation ); 5789 5790 /* ------------------------------------------------------- */ 5791 5792 TEST_EQUAL( psa_aead_update_ad( &operation, additional_data->x, 5793 additional_data->len ), 5794 PSA_ERROR_BAD_STATE ); 5795 5796 psa_aead_abort( &operation ); 5797 5798 /* ------------------------------------------------------- */ 5799 5800 TEST_EQUAL( psa_aead_update( &operation, input_data->x, 5801 input_data->len, output_data, 5802 output_size, &output_length ), 5803 PSA_ERROR_BAD_STATE ); 5804 5805 psa_aead_abort( &operation ); 5806 5807 /* ------------------------------------------------------- */ 5808 5809 TEST_EQUAL( psa_aead_finish( &operation, final_data, 5810 finish_output_size, 5811 &output_part_length, 5812 tag_buffer, tag_length, 5813 &tag_size ), 5814 PSA_ERROR_BAD_STATE ); 5815 5816 psa_aead_abort( &operation ); 5817 5818 /* ------------------------------------------------------- */ 5819 5820 TEST_EQUAL( psa_aead_verify( &operation, final_data, 5821 finish_output_size, 5822 &output_part_length, 5823 tag_buffer, 5824 tag_length ), 5825 PSA_ERROR_BAD_STATE ); 5826 5827 psa_aead_abort( &operation ); 5828 5829 /* Test for double setups. */ 5830 5831 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 5832 5833 TEST_EQUAL( psa_aead_encrypt_setup( &operation, key, alg ), 5834 PSA_ERROR_BAD_STATE ); 5835 5836 psa_aead_abort( &operation ); 5837 5838 /* ------------------------------------------------------- */ 5839 5840 PSA_ASSERT( psa_aead_decrypt_setup( &operation, key, alg ) ); 5841 5842 TEST_EQUAL( psa_aead_decrypt_setup( &operation, key, alg ), 5843 PSA_ERROR_BAD_STATE ); 5844 5845 psa_aead_abort( &operation ); 5846 5847 /* ------------------------------------------------------- */ 5848 5849 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 5850 5851 TEST_EQUAL( psa_aead_decrypt_setup( &operation, key, alg ), 5852 PSA_ERROR_BAD_STATE ); 5853 5854 psa_aead_abort( &operation ); 5855 5856 /* ------------------------------------------------------- */ 5857 5858 PSA_ASSERT( psa_aead_decrypt_setup( &operation, key, alg ) ); 5859 5860 TEST_EQUAL( psa_aead_encrypt_setup( &operation, key, alg ), 5861 PSA_ERROR_BAD_STATE ); 5862 5863 psa_aead_abort( &operation ); 5864 5865 /* Test for not setting a nonce. */ 5866 5867 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 5868 5869 TEST_EQUAL( psa_aead_update_ad( &operation, additional_data->x, 5870 additional_data->len ), 5871 PSA_ERROR_BAD_STATE ); 5872 5873 psa_aead_abort( &operation ); 5874 5875 /* ------------------------------------------------------- */ 5876 5877 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 5878 5879 TEST_EQUAL( psa_aead_update( &operation, input_data->x, 5880 input_data->len, output_data, 5881 output_size, &output_length ), 5882 PSA_ERROR_BAD_STATE ); 5883 5884 psa_aead_abort( &operation ); 5885 5886 /* ------------------------------------------------------- */ 5887 5888 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 5889 5890 TEST_EQUAL( psa_aead_finish( &operation, final_data, 5891 finish_output_size, 5892 &output_part_length, 5893 tag_buffer, tag_length, 5894 &tag_size ), 5895 PSA_ERROR_BAD_STATE ); 5896 5897 psa_aead_abort( &operation ); 5898 5899 /* ------------------------------------------------------- */ 5900 5901 PSA_ASSERT( psa_aead_decrypt_setup( &operation, key, alg ) ); 5902 5903 TEST_EQUAL( psa_aead_verify( &operation, final_data, 5904 finish_output_size, 5905 &output_part_length, 5906 tag_buffer, 5907 tag_length ), 5908 PSA_ERROR_BAD_STATE ); 5909 5910 psa_aead_abort( &operation ); 5911 5912 /* Test for double setting nonce. */ 5913 5914 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 5915 5916 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 5917 5918 TEST_EQUAL( psa_aead_set_nonce( &operation, nonce->x, nonce->len ), 5919 PSA_ERROR_BAD_STATE ); 5920 5921 psa_aead_abort( &operation ); 5922 5923 /* Test for double generating nonce. */ 5924 5925 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 5926 5927 PSA_ASSERT( psa_aead_generate_nonce( &operation, nonce_buffer, 5928 PSA_AEAD_NONCE_MAX_SIZE, 5929 &nonce_length ) ); 5930 5931 TEST_EQUAL( psa_aead_generate_nonce( &operation, nonce_buffer, 5932 PSA_AEAD_NONCE_MAX_SIZE, 5933 &nonce_length ), 5934 PSA_ERROR_BAD_STATE ); 5935 5936 5937 psa_aead_abort( &operation ); 5938 5939 /* Test for generate nonce then set and vice versa */ 5940 5941 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 5942 5943 PSA_ASSERT( psa_aead_generate_nonce( &operation, nonce_buffer, 5944 PSA_AEAD_NONCE_MAX_SIZE, 5945 &nonce_length ) ); 5946 5947 TEST_EQUAL( psa_aead_set_nonce( &operation, nonce->x, nonce->len ), 5948 PSA_ERROR_BAD_STATE ); 5949 5950 psa_aead_abort( &operation ); 5951 5952 /* Test for generating nonce after calling set lengths */ 5953 5954 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 5955 5956 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 5957 input_data->len ) ); 5958 5959 PSA_ASSERT( psa_aead_generate_nonce( &operation, nonce_buffer, 5960 PSA_AEAD_NONCE_MAX_SIZE, 5961 &nonce_length ) ); 5962 5963 psa_aead_abort( &operation ); 5964 5965 /* Test for generating nonce after calling set lengths with UINT32_MAX ad_data length */ 5966 5967 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 5968 5969 if( operation.alg == PSA_ALG_CCM ) 5970 { 5971 TEST_EQUAL( psa_aead_set_lengths( &operation, UINT32_MAX, 5972 input_data->len ), 5973 PSA_ERROR_INVALID_ARGUMENT ); 5974 TEST_EQUAL( psa_aead_generate_nonce( &operation, nonce_buffer, 5975 PSA_AEAD_NONCE_MAX_SIZE, 5976 &nonce_length ), 5977 PSA_ERROR_BAD_STATE ); 5978 } 5979 else 5980 { 5981 PSA_ASSERT( psa_aead_set_lengths( &operation, UINT32_MAX, 5982 input_data->len ) ); 5983 PSA_ASSERT( psa_aead_generate_nonce( &operation, nonce_buffer, 5984 PSA_AEAD_NONCE_MAX_SIZE, 5985 &nonce_length ) ); 5986 } 5987 5988 psa_aead_abort( &operation ); 5989 5990 /* Test for generating nonce after calling set lengths with SIZE_MAX ad_data length */ 5991#if SIZE_MAX > UINT32_MAX 5992 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 5993 5994 if( operation.alg == PSA_ALG_CCM || operation.alg == PSA_ALG_GCM ) 5995 { 5996 TEST_EQUAL( psa_aead_set_lengths( &operation, SIZE_MAX, 5997 input_data->len ), 5998 PSA_ERROR_INVALID_ARGUMENT ); 5999 TEST_EQUAL( psa_aead_generate_nonce( &operation, nonce_buffer, 6000 PSA_AEAD_NONCE_MAX_SIZE, 6001 &nonce_length ), 6002 PSA_ERROR_BAD_STATE ); 6003 } 6004 else 6005 { 6006 PSA_ASSERT( psa_aead_set_lengths( &operation, SIZE_MAX, 6007 input_data->len ) ); 6008 PSA_ASSERT( psa_aead_generate_nonce( &operation, nonce_buffer, 6009 PSA_AEAD_NONCE_MAX_SIZE, 6010 &nonce_length ) ); 6011 } 6012 6013 psa_aead_abort( &operation ); 6014#endif 6015 6016 /* Test for calling set lengths with a UINT32_MAX ad_data length, after generating nonce */ 6017 6018 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6019 6020 PSA_ASSERT( psa_aead_generate_nonce( &operation, nonce_buffer, 6021 PSA_AEAD_NONCE_MAX_SIZE, 6022 &nonce_length ) ); 6023 6024 if( operation.alg == PSA_ALG_CCM ) 6025 { 6026 TEST_EQUAL( psa_aead_set_lengths( &operation, UINT32_MAX, 6027 input_data->len ), 6028 PSA_ERROR_INVALID_ARGUMENT ); 6029 } 6030 else 6031 { 6032 PSA_ASSERT( psa_aead_set_lengths( &operation, UINT32_MAX, 6033 input_data->len ) ); 6034 } 6035 6036 psa_aead_abort( &operation ); 6037 6038 /* ------------------------------------------------------- */ 6039 /* Test for setting nonce after calling set lengths */ 6040 6041 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6042 6043 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 6044 input_data->len ) ); 6045 6046 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6047 6048 psa_aead_abort( &operation ); 6049 6050 /* Test for setting nonce after calling set lengths with UINT32_MAX ad_data length */ 6051 6052 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6053 6054 if( operation.alg == PSA_ALG_CCM ) 6055 { 6056 TEST_EQUAL( psa_aead_set_lengths( &operation, UINT32_MAX, 6057 input_data->len ), 6058 PSA_ERROR_INVALID_ARGUMENT ); 6059 TEST_EQUAL( psa_aead_set_nonce( &operation, nonce->x, nonce->len ), 6060 PSA_ERROR_BAD_STATE ); 6061 } 6062 else 6063 { 6064 PSA_ASSERT( psa_aead_set_lengths( &operation, UINT32_MAX, 6065 input_data->len ) ); 6066 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6067 } 6068 6069 psa_aead_abort( &operation ); 6070 6071 /* Test for setting nonce after calling set lengths with SIZE_MAX ad_data length */ 6072#if SIZE_MAX > UINT32_MAX 6073 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6074 6075 if( operation.alg == PSA_ALG_CCM || operation.alg == PSA_ALG_GCM ) 6076 { 6077 TEST_EQUAL( psa_aead_set_lengths( &operation, SIZE_MAX, 6078 input_data->len ), 6079 PSA_ERROR_INVALID_ARGUMENT ); 6080 TEST_EQUAL( psa_aead_set_nonce( &operation, nonce->x, nonce->len ), 6081 PSA_ERROR_BAD_STATE ); 6082 } 6083 else 6084 { 6085 PSA_ASSERT( psa_aead_set_lengths( &operation, SIZE_MAX, 6086 input_data->len ) ); 6087 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6088 } 6089 6090 psa_aead_abort( &operation ); 6091#endif 6092 6093 /* Test for calling set lengths with an ad_data length of UINT32_MAX, after setting nonce */ 6094 6095 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6096 6097 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6098 6099 if( operation.alg == PSA_ALG_CCM ) 6100 { 6101 TEST_EQUAL( psa_aead_set_lengths( &operation, UINT32_MAX, 6102 input_data->len ), 6103 PSA_ERROR_INVALID_ARGUMENT ); 6104 } 6105 else 6106 { 6107 PSA_ASSERT( psa_aead_set_lengths( &operation, UINT32_MAX, 6108 input_data->len ) ); 6109 } 6110 6111 psa_aead_abort( &operation ); 6112 6113 /* Test for setting nonce after calling set lengths with plaintext length of SIZE_MAX */ 6114#if SIZE_MAX > UINT32_MAX 6115 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6116 6117 if( operation.alg == PSA_ALG_GCM ) 6118 { 6119 TEST_EQUAL( psa_aead_set_lengths( &operation, additional_data->len, 6120 SIZE_MAX ), 6121 PSA_ERROR_INVALID_ARGUMENT ); 6122 TEST_EQUAL( psa_aead_set_nonce( &operation, nonce->x, nonce->len ), 6123 PSA_ERROR_BAD_STATE ); 6124 } 6125 else if ( operation.alg != PSA_ALG_CCM ) 6126 { 6127 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 6128 SIZE_MAX ) ); 6129 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6130 } 6131 6132 psa_aead_abort( &operation ); 6133 6134 /* Test for calling set lengths with a plaintext length of SIZE_MAX, after setting nonce */ 6135 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6136 6137 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6138 6139 if( operation.alg == PSA_ALG_GCM ) 6140 { 6141 TEST_EQUAL( psa_aead_set_lengths( &operation, additional_data->len, 6142 SIZE_MAX ), 6143 PSA_ERROR_INVALID_ARGUMENT ); 6144 } 6145 else if ( operation.alg != PSA_ALG_CCM ) 6146 { 6147 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 6148 SIZE_MAX ) ); 6149 } 6150 6151 psa_aead_abort( &operation ); 6152#endif 6153 6154 /* ------------------------------------------------------- */ 6155 6156 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6157 6158 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6159 6160 TEST_EQUAL( psa_aead_generate_nonce( &operation, nonce_buffer, 6161 PSA_AEAD_NONCE_MAX_SIZE, 6162 &nonce_length ), 6163 PSA_ERROR_BAD_STATE ); 6164 6165 psa_aead_abort( &operation ); 6166 6167 /* Test for generating nonce in decrypt setup. */ 6168 6169 PSA_ASSERT( psa_aead_decrypt_setup( &operation, key, alg ) ); 6170 6171 TEST_EQUAL( psa_aead_generate_nonce( &operation, nonce_buffer, 6172 PSA_AEAD_NONCE_MAX_SIZE, 6173 &nonce_length ), 6174 PSA_ERROR_BAD_STATE ); 6175 6176 psa_aead_abort( &operation ); 6177 6178 /* Test for setting lengths twice. */ 6179 6180 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6181 6182 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6183 6184 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 6185 input_data->len ) ); 6186 6187 TEST_EQUAL( psa_aead_set_lengths( &operation, additional_data->len, 6188 input_data->len ), 6189 PSA_ERROR_BAD_STATE ); 6190 6191 psa_aead_abort( &operation ); 6192 6193 /* Test for setting lengths after setting nonce + already starting data. */ 6194 6195 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6196 6197 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6198 6199 if( operation.alg == PSA_ALG_CCM ) 6200 { 6201 6202 TEST_EQUAL( psa_aead_update_ad( &operation, additional_data->x, 6203 additional_data->len ), 6204 PSA_ERROR_BAD_STATE ); 6205 } 6206 else 6207 { 6208 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 6209 additional_data->len ) ); 6210 6211 TEST_EQUAL( psa_aead_set_lengths( &operation, additional_data->len, 6212 input_data->len ), 6213 PSA_ERROR_BAD_STATE ); 6214 } 6215 psa_aead_abort( &operation ); 6216 6217 /* ------------------------------------------------------- */ 6218 6219 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6220 6221 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6222 6223 if( operation.alg == PSA_ALG_CCM ) 6224 { 6225 TEST_EQUAL( psa_aead_update( &operation, input_data->x, 6226 input_data->len, output_data, 6227 output_size, &output_length ), 6228 PSA_ERROR_BAD_STATE ); 6229 6230 } 6231 else 6232 { 6233 PSA_ASSERT( psa_aead_update( &operation, input_data->x, 6234 input_data->len, output_data, 6235 output_size, &output_length ) ); 6236 6237 TEST_EQUAL( psa_aead_set_lengths( &operation, additional_data->len, 6238 input_data->len ), 6239 PSA_ERROR_BAD_STATE ); 6240 } 6241 psa_aead_abort( &operation ); 6242 6243 /* ------------------------------------------------------- */ 6244 6245 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6246 6247 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6248 6249 if( operation.alg == PSA_ALG_CCM ) 6250 { 6251 PSA_ASSERT( psa_aead_finish( &operation, final_data, 6252 finish_output_size, 6253 &output_part_length, 6254 tag_buffer, tag_length, 6255 &tag_size ) ); 6256 } 6257 else 6258 { 6259 PSA_ASSERT( psa_aead_finish( &operation, final_data, 6260 finish_output_size, 6261 &output_part_length, 6262 tag_buffer, tag_length, 6263 &tag_size ) ); 6264 6265 TEST_EQUAL( psa_aead_set_lengths( &operation, additional_data->len, 6266 input_data->len ), 6267 PSA_ERROR_BAD_STATE ); 6268 } 6269 psa_aead_abort( &operation ); 6270 6271 /* Test for setting lengths after generating nonce + already starting data. */ 6272 6273 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6274 6275 PSA_ASSERT( psa_aead_generate_nonce( &operation, nonce_buffer, 6276 PSA_AEAD_NONCE_MAX_SIZE, 6277 &nonce_length ) ); 6278 if( operation.alg == PSA_ALG_CCM ) 6279 { 6280 6281 TEST_EQUAL( psa_aead_update_ad( &operation, additional_data->x, 6282 additional_data->len ), 6283 PSA_ERROR_BAD_STATE ); 6284 } 6285 else 6286 { 6287 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 6288 additional_data->len ) ); 6289 6290 TEST_EQUAL( psa_aead_set_lengths( &operation, additional_data->len, 6291 input_data->len ), 6292 PSA_ERROR_BAD_STATE ); 6293 } 6294 psa_aead_abort( &operation ); 6295 6296 /* ------------------------------------------------------- */ 6297 6298 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6299 6300 PSA_ASSERT( psa_aead_generate_nonce( &operation, nonce_buffer, 6301 PSA_AEAD_NONCE_MAX_SIZE, 6302 &nonce_length ) ); 6303 if( operation.alg == PSA_ALG_CCM ) 6304 { 6305 TEST_EQUAL( psa_aead_update( &operation, input_data->x, 6306 input_data->len, output_data, 6307 output_size, &output_length ), 6308 PSA_ERROR_BAD_STATE ); 6309 6310 } 6311 else 6312 { 6313 PSA_ASSERT( psa_aead_update( &operation, input_data->x, 6314 input_data->len, output_data, 6315 output_size, &output_length ) ); 6316 6317 TEST_EQUAL( psa_aead_set_lengths( &operation, additional_data->len, 6318 input_data->len ), 6319 PSA_ERROR_BAD_STATE ); 6320 } 6321 psa_aead_abort( &operation ); 6322 6323 /* ------------------------------------------------------- */ 6324 6325 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6326 6327 PSA_ASSERT( psa_aead_generate_nonce( &operation, nonce_buffer, 6328 PSA_AEAD_NONCE_MAX_SIZE, 6329 &nonce_length ) ); 6330 if( operation.alg == PSA_ALG_CCM ) 6331 { 6332 PSA_ASSERT( psa_aead_finish( &operation, final_data, 6333 finish_output_size, 6334 &output_part_length, 6335 tag_buffer, tag_length, 6336 &tag_size ) ); 6337 } 6338 else 6339 { 6340 PSA_ASSERT( psa_aead_finish( &operation, final_data, 6341 finish_output_size, 6342 &output_part_length, 6343 tag_buffer, tag_length, 6344 &tag_size ) ); 6345 6346 TEST_EQUAL( psa_aead_set_lengths( &operation, additional_data->len, 6347 input_data->len ), 6348 PSA_ERROR_BAD_STATE ); 6349 } 6350 psa_aead_abort( &operation ); 6351 6352 /* Test for not sending any additional data or data after setting non zero 6353 * lengths for them. (encrypt) */ 6354 6355 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6356 6357 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6358 6359 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 6360 input_data->len ) ); 6361 6362 TEST_EQUAL( psa_aead_finish( &operation, final_data, 6363 finish_output_size, 6364 &output_part_length, 6365 tag_buffer, tag_length, 6366 &tag_size ), 6367 PSA_ERROR_INVALID_ARGUMENT ); 6368 6369 psa_aead_abort( &operation ); 6370 6371 /* Test for not sending any additional data or data after setting non-zero 6372 * lengths for them. (decrypt) */ 6373 6374 PSA_ASSERT( psa_aead_decrypt_setup( &operation, key, alg ) ); 6375 6376 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6377 6378 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 6379 input_data->len ) ); 6380 6381 TEST_EQUAL( psa_aead_verify( &operation, final_data, 6382 finish_output_size, 6383 &output_part_length, 6384 tag_buffer, 6385 tag_length ), 6386 PSA_ERROR_INVALID_ARGUMENT ); 6387 6388 psa_aead_abort( &operation ); 6389 6390 /* Test for not sending any additional data after setting a non-zero length 6391 * for it. */ 6392 6393 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6394 6395 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6396 6397 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 6398 input_data->len ) ); 6399 6400 TEST_EQUAL( psa_aead_update( &operation, input_data->x, 6401 input_data->len, output_data, 6402 output_size, &output_length ), 6403 PSA_ERROR_INVALID_ARGUMENT ); 6404 6405 psa_aead_abort( &operation ); 6406 6407 /* Test for not sending any data after setting a non-zero length for it.*/ 6408 6409 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6410 6411 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6412 6413 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 6414 input_data->len ) ); 6415 6416 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 6417 additional_data->len ) ); 6418 6419 TEST_EQUAL( psa_aead_finish( &operation, final_data, 6420 finish_output_size, 6421 &output_part_length, 6422 tag_buffer, tag_length, 6423 &tag_size ), 6424 PSA_ERROR_INVALID_ARGUMENT ); 6425 6426 psa_aead_abort( &operation ); 6427 6428 /* Test for sending too much additional data after setting lengths. */ 6429 6430 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6431 6432 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6433 6434 PSA_ASSERT( psa_aead_set_lengths( &operation, 0, 0 ) ); 6435 6436 6437 TEST_EQUAL( psa_aead_update_ad( &operation, additional_data->x, 6438 additional_data->len ), 6439 PSA_ERROR_INVALID_ARGUMENT ); 6440 6441 psa_aead_abort( &operation ); 6442 6443 /* ------------------------------------------------------- */ 6444 6445 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6446 6447 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6448 6449 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 6450 input_data->len ) ); 6451 6452 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 6453 additional_data->len ) ); 6454 6455 TEST_EQUAL( psa_aead_update_ad( &operation, additional_data->x, 6456 1 ), 6457 PSA_ERROR_INVALID_ARGUMENT ); 6458 6459 psa_aead_abort( &operation ); 6460 6461 /* Test for sending too much data after setting lengths. */ 6462 6463 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6464 6465 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6466 6467 PSA_ASSERT( psa_aead_set_lengths( &operation, 0, 0 ) ); 6468 6469 TEST_EQUAL( psa_aead_update( &operation, input_data->x, 6470 input_data->len, output_data, 6471 output_size, &output_length ), 6472 PSA_ERROR_INVALID_ARGUMENT ); 6473 6474 psa_aead_abort( &operation ); 6475 6476 /* ------------------------------------------------------- */ 6477 6478 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6479 6480 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6481 6482 PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, 6483 input_data->len ) ); 6484 6485 PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, 6486 additional_data->len ) ); 6487 6488 PSA_ASSERT( psa_aead_update( &operation, input_data->x, 6489 input_data->len, output_data, 6490 output_size, &output_length ) ); 6491 6492 TEST_EQUAL( psa_aead_update( &operation, input_data->x, 6493 1, output_data, 6494 output_size, &output_length ), 6495 PSA_ERROR_INVALID_ARGUMENT ); 6496 6497 psa_aead_abort( &operation ); 6498 6499 /* Test sending additional data after data. */ 6500 6501 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6502 6503 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6504 6505 if( operation.alg != PSA_ALG_CCM ) 6506 { 6507 PSA_ASSERT( psa_aead_update( &operation, input_data->x, 6508 input_data->len, output_data, 6509 output_size, &output_length ) ); 6510 6511 TEST_EQUAL( psa_aead_update_ad( &operation, additional_data->x, 6512 additional_data->len ), 6513 PSA_ERROR_BAD_STATE ); 6514 } 6515 psa_aead_abort( &operation ); 6516 6517 /* Test calling finish on decryption. */ 6518 6519 PSA_ASSERT( psa_aead_decrypt_setup( &operation, key, alg ) ); 6520 6521 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6522 6523 TEST_EQUAL( psa_aead_finish( &operation, final_data, 6524 finish_output_size, 6525 &output_part_length, 6526 tag_buffer, tag_length, 6527 &tag_size ), 6528 PSA_ERROR_BAD_STATE ); 6529 6530 psa_aead_abort( &operation ); 6531 6532 /* Test calling verify on encryption. */ 6533 6534 PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) ); 6535 6536 PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); 6537 6538 TEST_EQUAL( psa_aead_verify( &operation, final_data, 6539 finish_output_size, 6540 &output_part_length, 6541 tag_buffer, 6542 tag_length ), 6543 PSA_ERROR_BAD_STATE ); 6544 6545 psa_aead_abort( &operation ); 6546 6547 6548exit: 6549 psa_destroy_key( key ); 6550 psa_aead_abort( &operation ); 6551 mbedtls_free( output_data ); 6552 mbedtls_free( final_data ); 6553 PSA_DONE( ); 6554} 6555/* END_CASE */ 6556 6557/* BEGIN_CASE */ 6558void signature_size( int type_arg, 6559 int bits, 6560 int alg_arg, 6561 int expected_size_arg ) 6562{ 6563 psa_key_type_t type = type_arg; 6564 psa_algorithm_t alg = alg_arg; 6565 size_t actual_size = PSA_SIGN_OUTPUT_SIZE( type, bits, alg ); 6566 6567 TEST_EQUAL( actual_size, (size_t) expected_size_arg ); 6568 6569exit: 6570 ; 6571} 6572/* END_CASE */ 6573 6574/* BEGIN_CASE */ 6575void sign_hash_deterministic( int key_type_arg, data_t *key_data, 6576 int alg_arg, data_t *input_data, 6577 data_t *output_data ) 6578{ 6579 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6580 psa_key_type_t key_type = key_type_arg; 6581 psa_algorithm_t alg = alg_arg; 6582 size_t key_bits; 6583 unsigned char *signature = NULL; 6584 size_t signature_size; 6585 size_t signature_length = 0xdeadbeef; 6586 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6587 6588 PSA_ASSERT( psa_crypto_init( ) ); 6589 6590 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH ); 6591 psa_set_key_algorithm( &attributes, alg ); 6592 psa_set_key_type( &attributes, key_type ); 6593 6594 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 6595 &key ) ); 6596 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 6597 key_bits = psa_get_key_bits( &attributes ); 6598 6599 /* Allocate a buffer which has the size advertised by the 6600 * library. */ 6601 signature_size = PSA_SIGN_OUTPUT_SIZE( key_type, 6602 key_bits, alg ); 6603 TEST_ASSERT( signature_size != 0 ); 6604 TEST_LE_U( signature_size, PSA_SIGNATURE_MAX_SIZE ); 6605 ASSERT_ALLOC( signature, signature_size ); 6606 6607 /* Perform the signature. */ 6608 PSA_ASSERT( psa_sign_hash( key, alg, 6609 input_data->x, input_data->len, 6610 signature, signature_size, 6611 &signature_length ) ); 6612 /* Verify that the signature is what is expected. */ 6613 ASSERT_COMPARE( output_data->x, output_data->len, 6614 signature, signature_length ); 6615 6616exit: 6617 /* 6618 * Key attributes may have been returned by psa_get_key_attributes() 6619 * thus reset them as required. 6620 */ 6621 psa_reset_key_attributes( &attributes ); 6622 6623 psa_destroy_key( key ); 6624 mbedtls_free( signature ); 6625 PSA_DONE( ); 6626} 6627/* END_CASE */ 6628 6629/* BEGIN_CASE */ 6630void sign_hash_fail( int key_type_arg, data_t *key_data, 6631 int alg_arg, data_t *input_data, 6632 int signature_size_arg, int expected_status_arg ) 6633{ 6634 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6635 psa_key_type_t key_type = key_type_arg; 6636 psa_algorithm_t alg = alg_arg; 6637 size_t signature_size = signature_size_arg; 6638 psa_status_t actual_status; 6639 psa_status_t expected_status = expected_status_arg; 6640 unsigned char *signature = NULL; 6641 size_t signature_length = 0xdeadbeef; 6642 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6643 6644 ASSERT_ALLOC( signature, signature_size ); 6645 6646 PSA_ASSERT( psa_crypto_init( ) ); 6647 6648 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH ); 6649 psa_set_key_algorithm( &attributes, alg ); 6650 psa_set_key_type( &attributes, key_type ); 6651 6652 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 6653 &key ) ); 6654 6655 actual_status = psa_sign_hash( key, alg, 6656 input_data->x, input_data->len, 6657 signature, signature_size, 6658 &signature_length ); 6659 TEST_EQUAL( actual_status, expected_status ); 6660 /* The value of *signature_length is unspecified on error, but 6661 * whatever it is, it should be less than signature_size, so that 6662 * if the caller tries to read *signature_length bytes without 6663 * checking the error code then they don't overflow a buffer. */ 6664 TEST_LE_U( signature_length, signature_size ); 6665 6666exit: 6667 psa_reset_key_attributes( &attributes ); 6668 psa_destroy_key( key ); 6669 mbedtls_free( signature ); 6670 PSA_DONE( ); 6671} 6672/* END_CASE */ 6673 6674/* BEGIN_CASE */ 6675void sign_verify_hash( int key_type_arg, data_t *key_data, 6676 int alg_arg, data_t *input_data ) 6677{ 6678 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6679 psa_key_type_t key_type = key_type_arg; 6680 psa_algorithm_t alg = alg_arg; 6681 size_t key_bits; 6682 unsigned char *signature = NULL; 6683 size_t signature_size; 6684 size_t signature_length = 0xdeadbeef; 6685 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6686 6687 PSA_ASSERT( psa_crypto_init( ) ); 6688 6689 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH ); 6690 psa_set_key_algorithm( &attributes, alg ); 6691 psa_set_key_type( &attributes, key_type ); 6692 6693 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 6694 &key ) ); 6695 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 6696 key_bits = psa_get_key_bits( &attributes ); 6697 6698 /* Allocate a buffer which has the size advertised by the 6699 * library. */ 6700 signature_size = PSA_SIGN_OUTPUT_SIZE( key_type, 6701 key_bits, alg ); 6702 TEST_ASSERT( signature_size != 0 ); 6703 TEST_LE_U( signature_size, PSA_SIGNATURE_MAX_SIZE ); 6704 ASSERT_ALLOC( signature, signature_size ); 6705 6706 /* Perform the signature. */ 6707 PSA_ASSERT( psa_sign_hash( key, alg, 6708 input_data->x, input_data->len, 6709 signature, signature_size, 6710 &signature_length ) ); 6711 /* Check that the signature length looks sensible. */ 6712 TEST_LE_U( signature_length, signature_size ); 6713 TEST_ASSERT( signature_length > 0 ); 6714 6715 /* Use the library to verify that the signature is correct. */ 6716 PSA_ASSERT( psa_verify_hash( key, alg, 6717 input_data->x, input_data->len, 6718 signature, signature_length ) ); 6719 6720 if( input_data->len != 0 ) 6721 { 6722 /* Flip a bit in the input and verify that the signature is now 6723 * detected as invalid. Flip a bit at the beginning, not at the end, 6724 * because ECDSA may ignore the last few bits of the input. */ 6725 input_data->x[0] ^= 1; 6726 TEST_EQUAL( psa_verify_hash( key, alg, 6727 input_data->x, input_data->len, 6728 signature, signature_length ), 6729 PSA_ERROR_INVALID_SIGNATURE ); 6730 } 6731 6732exit: 6733 /* 6734 * Key attributes may have been returned by psa_get_key_attributes() 6735 * thus reset them as required. 6736 */ 6737 psa_reset_key_attributes( &attributes ); 6738 6739 psa_destroy_key( key ); 6740 mbedtls_free( signature ); 6741 PSA_DONE( ); 6742} 6743/* END_CASE */ 6744 6745/* BEGIN_CASE */ 6746void verify_hash( int key_type_arg, data_t *key_data, 6747 int alg_arg, data_t *hash_data, 6748 data_t *signature_data ) 6749{ 6750 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6751 psa_key_type_t key_type = key_type_arg; 6752 psa_algorithm_t alg = alg_arg; 6753 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6754 6755 TEST_LE_U( signature_data->len, PSA_SIGNATURE_MAX_SIZE ); 6756 6757 PSA_ASSERT( psa_crypto_init( ) ); 6758 6759 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH ); 6760 psa_set_key_algorithm( &attributes, alg ); 6761 psa_set_key_type( &attributes, key_type ); 6762 6763 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 6764 &key ) ); 6765 6766 PSA_ASSERT( psa_verify_hash( key, alg, 6767 hash_data->x, hash_data->len, 6768 signature_data->x, signature_data->len ) ); 6769 6770exit: 6771 psa_reset_key_attributes( &attributes ); 6772 psa_destroy_key( key ); 6773 PSA_DONE( ); 6774} 6775/* END_CASE */ 6776 6777/* BEGIN_CASE */ 6778void verify_hash_fail( int key_type_arg, data_t *key_data, 6779 int alg_arg, data_t *hash_data, 6780 data_t *signature_data, 6781 int expected_status_arg ) 6782{ 6783 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6784 psa_key_type_t key_type = key_type_arg; 6785 psa_algorithm_t alg = alg_arg; 6786 psa_status_t actual_status; 6787 psa_status_t expected_status = expected_status_arg; 6788 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6789 6790 PSA_ASSERT( psa_crypto_init( ) ); 6791 6792 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH ); 6793 psa_set_key_algorithm( &attributes, alg ); 6794 psa_set_key_type( &attributes, key_type ); 6795 6796 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 6797 &key ) ); 6798 6799 actual_status = psa_verify_hash( key, alg, 6800 hash_data->x, hash_data->len, 6801 signature_data->x, signature_data->len ); 6802 TEST_EQUAL( actual_status, expected_status ); 6803 6804exit: 6805 psa_reset_key_attributes( &attributes ); 6806 psa_destroy_key( key ); 6807 PSA_DONE( ); 6808} 6809/* END_CASE */ 6810 6811/* BEGIN_CASE */ 6812void sign_message_deterministic( int key_type_arg, 6813 data_t *key_data, 6814 int alg_arg, 6815 data_t *input_data, 6816 data_t *output_data ) 6817{ 6818 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6819 psa_key_type_t key_type = key_type_arg; 6820 psa_algorithm_t alg = alg_arg; 6821 size_t key_bits; 6822 unsigned char *signature = NULL; 6823 size_t signature_size; 6824 size_t signature_length = 0xdeadbeef; 6825 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6826 6827 PSA_ASSERT( psa_crypto_init( ) ); 6828 6829 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE ); 6830 psa_set_key_algorithm( &attributes, alg ); 6831 psa_set_key_type( &attributes, key_type ); 6832 6833 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 6834 &key ) ); 6835 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 6836 key_bits = psa_get_key_bits( &attributes ); 6837 6838 signature_size = PSA_SIGN_OUTPUT_SIZE( key_type, key_bits, alg ); 6839 TEST_ASSERT( signature_size != 0 ); 6840 TEST_LE_U( signature_size, PSA_SIGNATURE_MAX_SIZE ); 6841 ASSERT_ALLOC( signature, signature_size ); 6842 6843 PSA_ASSERT( psa_sign_message( key, alg, 6844 input_data->x, input_data->len, 6845 signature, signature_size, 6846 &signature_length ) ); 6847 6848 ASSERT_COMPARE( output_data->x, output_data->len, 6849 signature, signature_length ); 6850 6851exit: 6852 psa_reset_key_attributes( &attributes ); 6853 6854 psa_destroy_key( key ); 6855 mbedtls_free( signature ); 6856 PSA_DONE( ); 6857 6858} 6859/* END_CASE */ 6860 6861/* BEGIN_CASE */ 6862void sign_message_fail( int key_type_arg, 6863 data_t *key_data, 6864 int alg_arg, 6865 data_t *input_data, 6866 int signature_size_arg, 6867 int expected_status_arg ) 6868{ 6869 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6870 psa_key_type_t key_type = key_type_arg; 6871 psa_algorithm_t alg = alg_arg; 6872 size_t signature_size = signature_size_arg; 6873 psa_status_t actual_status; 6874 psa_status_t expected_status = expected_status_arg; 6875 unsigned char *signature = NULL; 6876 size_t signature_length = 0xdeadbeef; 6877 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6878 6879 ASSERT_ALLOC( signature, signature_size ); 6880 6881 PSA_ASSERT( psa_crypto_init( ) ); 6882 6883 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE ); 6884 psa_set_key_algorithm( &attributes, alg ); 6885 psa_set_key_type( &attributes, key_type ); 6886 6887 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 6888 &key ) ); 6889 6890 actual_status = psa_sign_message( key, alg, 6891 input_data->x, input_data->len, 6892 signature, signature_size, 6893 &signature_length ); 6894 TEST_EQUAL( actual_status, expected_status ); 6895 /* The value of *signature_length is unspecified on error, but 6896 * whatever it is, it should be less than signature_size, so that 6897 * if the caller tries to read *signature_length bytes without 6898 * checking the error code then they don't overflow a buffer. */ 6899 TEST_LE_U( signature_length, signature_size ); 6900 6901exit: 6902 psa_reset_key_attributes( &attributes ); 6903 psa_destroy_key( key ); 6904 mbedtls_free( signature ); 6905 PSA_DONE( ); 6906} 6907/* END_CASE */ 6908 6909/* BEGIN_CASE */ 6910void sign_verify_message( int key_type_arg, 6911 data_t *key_data, 6912 int alg_arg, 6913 data_t *input_data ) 6914{ 6915 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6916 psa_key_type_t key_type = key_type_arg; 6917 psa_algorithm_t alg = alg_arg; 6918 size_t key_bits; 6919 unsigned char *signature = NULL; 6920 size_t signature_size; 6921 size_t signature_length = 0xdeadbeef; 6922 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6923 6924 PSA_ASSERT( psa_crypto_init( ) ); 6925 6926 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE | 6927 PSA_KEY_USAGE_VERIFY_MESSAGE ); 6928 psa_set_key_algorithm( &attributes, alg ); 6929 psa_set_key_type( &attributes, key_type ); 6930 6931 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 6932 &key ) ); 6933 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 6934 key_bits = psa_get_key_bits( &attributes ); 6935 6936 signature_size = PSA_SIGN_OUTPUT_SIZE( key_type, key_bits, alg ); 6937 TEST_ASSERT( signature_size != 0 ); 6938 TEST_LE_U( signature_size, PSA_SIGNATURE_MAX_SIZE ); 6939 ASSERT_ALLOC( signature, signature_size ); 6940 6941 PSA_ASSERT( psa_sign_message( key, alg, 6942 input_data->x, input_data->len, 6943 signature, signature_size, 6944 &signature_length ) ); 6945 TEST_LE_U( signature_length, signature_size ); 6946 TEST_ASSERT( signature_length > 0 ); 6947 6948 PSA_ASSERT( psa_verify_message( key, alg, 6949 input_data->x, input_data->len, 6950 signature, signature_length ) ); 6951 6952 if( input_data->len != 0 ) 6953 { 6954 /* Flip a bit in the input and verify that the signature is now 6955 * detected as invalid. Flip a bit at the beginning, not at the end, 6956 * because ECDSA may ignore the last few bits of the input. */ 6957 input_data->x[0] ^= 1; 6958 TEST_EQUAL( psa_verify_message( key, alg, 6959 input_data->x, input_data->len, 6960 signature, signature_length ), 6961 PSA_ERROR_INVALID_SIGNATURE ); 6962 } 6963 6964exit: 6965 psa_reset_key_attributes( &attributes ); 6966 6967 psa_destroy_key( key ); 6968 mbedtls_free( signature ); 6969 PSA_DONE( ); 6970} 6971/* END_CASE */ 6972 6973/* BEGIN_CASE */ 6974void verify_message( int key_type_arg, 6975 data_t *key_data, 6976 int alg_arg, 6977 data_t *input_data, 6978 data_t *signature_data ) 6979{ 6980 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 6981 psa_key_type_t key_type = key_type_arg; 6982 psa_algorithm_t alg = alg_arg; 6983 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 6984 6985 TEST_LE_U( signature_data->len, PSA_SIGNATURE_MAX_SIZE ); 6986 6987 PSA_ASSERT( psa_crypto_init( ) ); 6988 6989 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_MESSAGE ); 6990 psa_set_key_algorithm( &attributes, alg ); 6991 psa_set_key_type( &attributes, key_type ); 6992 6993 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 6994 &key ) ); 6995 6996 PSA_ASSERT( psa_verify_message( key, alg, 6997 input_data->x, input_data->len, 6998 signature_data->x, signature_data->len ) ); 6999 7000exit: 7001 psa_reset_key_attributes( &attributes ); 7002 psa_destroy_key( key ); 7003 PSA_DONE( ); 7004} 7005/* END_CASE */ 7006 7007/* BEGIN_CASE */ 7008void verify_message_fail( int key_type_arg, 7009 data_t *key_data, 7010 int alg_arg, 7011 data_t *hash_data, 7012 data_t *signature_data, 7013 int expected_status_arg ) 7014{ 7015 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7016 psa_key_type_t key_type = key_type_arg; 7017 psa_algorithm_t alg = alg_arg; 7018 psa_status_t actual_status; 7019 psa_status_t expected_status = expected_status_arg; 7020 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7021 7022 PSA_ASSERT( psa_crypto_init( ) ); 7023 7024 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_MESSAGE ); 7025 psa_set_key_algorithm( &attributes, alg ); 7026 psa_set_key_type( &attributes, key_type ); 7027 7028 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 7029 &key ) ); 7030 7031 actual_status = psa_verify_message( key, alg, 7032 hash_data->x, hash_data->len, 7033 signature_data->x, 7034 signature_data->len ); 7035 TEST_EQUAL( actual_status, expected_status ); 7036 7037exit: 7038 psa_reset_key_attributes( &attributes ); 7039 psa_destroy_key( key ); 7040 PSA_DONE( ); 7041} 7042/* END_CASE */ 7043 7044/* BEGIN_CASE */ 7045void asymmetric_encrypt( int key_type_arg, 7046 data_t *key_data, 7047 int alg_arg, 7048 data_t *input_data, 7049 data_t *label, 7050 int expected_output_length_arg, 7051 int expected_status_arg ) 7052{ 7053 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7054 psa_key_type_t key_type = key_type_arg; 7055 psa_algorithm_t alg = alg_arg; 7056 size_t expected_output_length = expected_output_length_arg; 7057 size_t key_bits; 7058 unsigned char *output = NULL; 7059 size_t output_size; 7060 size_t output_length = ~0; 7061 psa_status_t actual_status; 7062 psa_status_t expected_status = expected_status_arg; 7063 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7064 7065 PSA_ASSERT( psa_crypto_init( ) ); 7066 7067 /* Import the key */ 7068 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); 7069 psa_set_key_algorithm( &attributes, alg ); 7070 psa_set_key_type( &attributes, key_type ); 7071 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 7072 &key ) ); 7073 7074 /* Determine the maximum output length */ 7075 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 7076 key_bits = psa_get_key_bits( &attributes ); 7077 7078 output_size = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE( key_type, key_bits, alg ); 7079 TEST_LE_U( output_size, PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE ); 7080 ASSERT_ALLOC( output, output_size ); 7081 7082 /* Encrypt the input */ 7083 actual_status = psa_asymmetric_encrypt( key, alg, 7084 input_data->x, input_data->len, 7085 label->x, label->len, 7086 output, output_size, 7087 &output_length ); 7088 TEST_EQUAL( actual_status, expected_status ); 7089 TEST_EQUAL( output_length, expected_output_length ); 7090 7091 /* If the label is empty, the test framework puts a non-null pointer 7092 * in label->x. Test that a null pointer works as well. */ 7093 if( label->len == 0 ) 7094 { 7095 output_length = ~0; 7096 if( output_size != 0 ) 7097 memset( output, 0, output_size ); 7098 actual_status = psa_asymmetric_encrypt( key, alg, 7099 input_data->x, input_data->len, 7100 NULL, label->len, 7101 output, output_size, 7102 &output_length ); 7103 TEST_EQUAL( actual_status, expected_status ); 7104 TEST_EQUAL( output_length, expected_output_length ); 7105 } 7106 7107exit: 7108 /* 7109 * Key attributes may have been returned by psa_get_key_attributes() 7110 * thus reset them as required. 7111 */ 7112 psa_reset_key_attributes( &attributes ); 7113 7114 psa_destroy_key( key ); 7115 mbedtls_free( output ); 7116 PSA_DONE( ); 7117} 7118/* END_CASE */ 7119 7120/* BEGIN_CASE */ 7121void asymmetric_encrypt_decrypt( int key_type_arg, 7122 data_t *key_data, 7123 int alg_arg, 7124 data_t *input_data, 7125 data_t *label ) 7126{ 7127 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7128 psa_key_type_t key_type = key_type_arg; 7129 psa_algorithm_t alg = alg_arg; 7130 size_t key_bits; 7131 unsigned char *output = NULL; 7132 size_t output_size; 7133 size_t output_length = ~0; 7134 unsigned char *output2 = NULL; 7135 size_t output2_size; 7136 size_t output2_length = ~0; 7137 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7138 7139 PSA_ASSERT( psa_crypto_init( ) ); 7140 7141 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 7142 psa_set_key_algorithm( &attributes, alg ); 7143 psa_set_key_type( &attributes, key_type ); 7144 7145 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 7146 &key ) ); 7147 7148 /* Determine the maximum ciphertext length */ 7149 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 7150 key_bits = psa_get_key_bits( &attributes ); 7151 7152 output_size = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE( key_type, key_bits, alg ); 7153 TEST_LE_U( output_size, PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE ); 7154 ASSERT_ALLOC( output, output_size ); 7155 7156 output2_size = input_data->len; 7157 TEST_LE_U( output2_size, 7158 PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE( key_type, key_bits, alg ) ); 7159 TEST_LE_U( output2_size, PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE ); 7160 ASSERT_ALLOC( output2, output2_size ); 7161 7162 /* We test encryption by checking that encrypt-then-decrypt gives back 7163 * the original plaintext because of the non-optional random 7164 * part of encryption process which prevents using fixed vectors. */ 7165 PSA_ASSERT( psa_asymmetric_encrypt( key, alg, 7166 input_data->x, input_data->len, 7167 label->x, label->len, 7168 output, output_size, 7169 &output_length ) ); 7170 /* We don't know what ciphertext length to expect, but check that 7171 * it looks sensible. */ 7172 TEST_LE_U( output_length, output_size ); 7173 7174 PSA_ASSERT( psa_asymmetric_decrypt( key, alg, 7175 output, output_length, 7176 label->x, label->len, 7177 output2, output2_size, 7178 &output2_length ) ); 7179 ASSERT_COMPARE( input_data->x, input_data->len, 7180 output2, output2_length ); 7181 7182exit: 7183 /* 7184 * Key attributes may have been returned by psa_get_key_attributes() 7185 * thus reset them as required. 7186 */ 7187 psa_reset_key_attributes( &attributes ); 7188 7189 psa_destroy_key( key ); 7190 mbedtls_free( output ); 7191 mbedtls_free( output2 ); 7192 PSA_DONE( ); 7193} 7194/* END_CASE */ 7195 7196/* BEGIN_CASE */ 7197void asymmetric_decrypt( int key_type_arg, 7198 data_t *key_data, 7199 int alg_arg, 7200 data_t *input_data, 7201 data_t *label, 7202 data_t *expected_data ) 7203{ 7204 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7205 psa_key_type_t key_type = key_type_arg; 7206 psa_algorithm_t alg = alg_arg; 7207 size_t key_bits; 7208 unsigned char *output = NULL; 7209 size_t output_size = 0; 7210 size_t output_length = ~0; 7211 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7212 7213 PSA_ASSERT( psa_crypto_init( ) ); 7214 7215 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 7216 psa_set_key_algorithm( &attributes, alg ); 7217 psa_set_key_type( &attributes, key_type ); 7218 7219 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 7220 &key ) ); 7221 7222 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 7223 key_bits = psa_get_key_bits( &attributes ); 7224 7225 /* Determine the maximum ciphertext length */ 7226 output_size = PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE( key_type, key_bits, alg ); 7227 TEST_LE_U( output_size, PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE ); 7228 ASSERT_ALLOC( output, output_size ); 7229 7230 PSA_ASSERT( psa_asymmetric_decrypt( key, alg, 7231 input_data->x, input_data->len, 7232 label->x, label->len, 7233 output, 7234 output_size, 7235 &output_length ) ); 7236 ASSERT_COMPARE( expected_data->x, expected_data->len, 7237 output, output_length ); 7238 7239 /* If the label is empty, the test framework puts a non-null pointer 7240 * in label->x. Test that a null pointer works as well. */ 7241 if( label->len == 0 ) 7242 { 7243 output_length = ~0; 7244 if( output_size != 0 ) 7245 memset( output, 0, output_size ); 7246 PSA_ASSERT( psa_asymmetric_decrypt( key, alg, 7247 input_data->x, input_data->len, 7248 NULL, label->len, 7249 output, 7250 output_size, 7251 &output_length ) ); 7252 ASSERT_COMPARE( expected_data->x, expected_data->len, 7253 output, output_length ); 7254 } 7255 7256exit: 7257 psa_reset_key_attributes( &attributes ); 7258 psa_destroy_key( key ); 7259 mbedtls_free( output ); 7260 PSA_DONE( ); 7261} 7262/* END_CASE */ 7263 7264/* BEGIN_CASE */ 7265void asymmetric_decrypt_fail( int key_type_arg, 7266 data_t *key_data, 7267 int alg_arg, 7268 data_t *input_data, 7269 data_t *label, 7270 int output_size_arg, 7271 int expected_status_arg ) 7272{ 7273 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7274 psa_key_type_t key_type = key_type_arg; 7275 psa_algorithm_t alg = alg_arg; 7276 unsigned char *output = NULL; 7277 size_t output_size = output_size_arg; 7278 size_t output_length = ~0; 7279 psa_status_t actual_status; 7280 psa_status_t expected_status = expected_status_arg; 7281 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7282 7283 ASSERT_ALLOC( output, output_size ); 7284 7285 PSA_ASSERT( psa_crypto_init( ) ); 7286 7287 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); 7288 psa_set_key_algorithm( &attributes, alg ); 7289 psa_set_key_type( &attributes, key_type ); 7290 7291 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 7292 &key ) ); 7293 7294 actual_status = psa_asymmetric_decrypt( key, alg, 7295 input_data->x, input_data->len, 7296 label->x, label->len, 7297 output, output_size, 7298 &output_length ); 7299 TEST_EQUAL( actual_status, expected_status ); 7300 TEST_LE_U( output_length, output_size ); 7301 7302 /* If the label is empty, the test framework puts a non-null pointer 7303 * in label->x. Test that a null pointer works as well. */ 7304 if( label->len == 0 ) 7305 { 7306 output_length = ~0; 7307 if( output_size != 0 ) 7308 memset( output, 0, output_size ); 7309 actual_status = psa_asymmetric_decrypt( key, alg, 7310 input_data->x, input_data->len, 7311 NULL, label->len, 7312 output, output_size, 7313 &output_length ); 7314 TEST_EQUAL( actual_status, expected_status ); 7315 TEST_LE_U( output_length, output_size ); 7316 } 7317 7318exit: 7319 psa_reset_key_attributes( &attributes ); 7320 psa_destroy_key( key ); 7321 mbedtls_free( output ); 7322 PSA_DONE( ); 7323} 7324/* END_CASE */ 7325 7326/* BEGIN_CASE */ 7327void key_derivation_init( ) 7328{ 7329 /* Test each valid way of initializing the object, except for `= {0}`, as 7330 * Clang 5 complains when `-Wmissing-field-initializers` is used, even 7331 * though it's OK by the C standard. We could test for this, but we'd need 7332 * to suppress the Clang warning for the test. */ 7333 size_t capacity; 7334 psa_key_derivation_operation_t func = psa_key_derivation_operation_init( ); 7335 psa_key_derivation_operation_t init = PSA_KEY_DERIVATION_OPERATION_INIT; 7336 psa_key_derivation_operation_t zero; 7337 7338 memset( &zero, 0, sizeof( zero ) ); 7339 7340 /* A default operation should not be able to report its capacity. */ 7341 TEST_EQUAL( psa_key_derivation_get_capacity( &func, &capacity ), 7342 PSA_ERROR_BAD_STATE ); 7343 TEST_EQUAL( psa_key_derivation_get_capacity( &init, &capacity ), 7344 PSA_ERROR_BAD_STATE ); 7345 TEST_EQUAL( psa_key_derivation_get_capacity( &zero, &capacity ), 7346 PSA_ERROR_BAD_STATE ); 7347 7348 /* A default operation should be abortable without error. */ 7349 PSA_ASSERT( psa_key_derivation_abort(&func) ); 7350 PSA_ASSERT( psa_key_derivation_abort(&init) ); 7351 PSA_ASSERT( psa_key_derivation_abort(&zero) ); 7352} 7353/* END_CASE */ 7354 7355/* BEGIN_CASE */ 7356void derive_setup( int alg_arg, int expected_status_arg ) 7357{ 7358 psa_algorithm_t alg = alg_arg; 7359 psa_status_t expected_status = expected_status_arg; 7360 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 7361 7362 PSA_ASSERT( psa_crypto_init( ) ); 7363 7364 TEST_EQUAL( psa_key_derivation_setup( &operation, alg ), 7365 expected_status ); 7366 7367exit: 7368 psa_key_derivation_abort( &operation ); 7369 PSA_DONE( ); 7370} 7371/* END_CASE */ 7372 7373/* BEGIN_CASE */ 7374void derive_set_capacity( int alg_arg, int capacity_arg, 7375 int expected_status_arg ) 7376{ 7377 psa_algorithm_t alg = alg_arg; 7378 size_t capacity = capacity_arg; 7379 psa_status_t expected_status = expected_status_arg; 7380 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 7381 7382 PSA_ASSERT( psa_crypto_init( ) ); 7383 7384 PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); 7385 7386 TEST_EQUAL( psa_key_derivation_set_capacity( &operation, capacity ), 7387 expected_status ); 7388 7389exit: 7390 psa_key_derivation_abort( &operation ); 7391 PSA_DONE( ); 7392} 7393/* END_CASE */ 7394 7395/* BEGIN_CASE */ 7396void derive_input( int alg_arg, 7397 int step_arg1, int key_type_arg1, data_t *input1, 7398 int expected_status_arg1, 7399 int step_arg2, int key_type_arg2, data_t *input2, 7400 int expected_status_arg2, 7401 int step_arg3, int key_type_arg3, data_t *input3, 7402 int expected_status_arg3, 7403 int output_key_type_arg, int expected_output_status_arg ) 7404{ 7405 psa_algorithm_t alg = alg_arg; 7406 psa_key_derivation_step_t steps[] = {step_arg1, step_arg2, step_arg3}; 7407 psa_key_type_t key_types[] = {key_type_arg1, key_type_arg2, key_type_arg3}; 7408 psa_status_t expected_statuses[] = {expected_status_arg1, 7409 expected_status_arg2, 7410 expected_status_arg3}; 7411 data_t *inputs[] = {input1, input2, input3}; 7412 mbedtls_svc_key_id_t keys[] = { MBEDTLS_SVC_KEY_ID_INIT, 7413 MBEDTLS_SVC_KEY_ID_INIT, 7414 MBEDTLS_SVC_KEY_ID_INIT }; 7415 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 7416 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7417 size_t i; 7418 psa_key_type_t output_key_type = output_key_type_arg; 7419 mbedtls_svc_key_id_t output_key = MBEDTLS_SVC_KEY_ID_INIT; 7420 psa_status_t expected_output_status = expected_output_status_arg; 7421 psa_status_t actual_output_status; 7422 7423 PSA_ASSERT( psa_crypto_init( ) ); 7424 7425 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 7426 psa_set_key_algorithm( &attributes, alg ); 7427 7428 PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); 7429 7430 for( i = 0; i < ARRAY_LENGTH( steps ); i++ ) 7431 { 7432 mbedtls_test_set_step( i ); 7433 if( steps[i] == 0 ) 7434 { 7435 /* Skip this step */ 7436 } 7437 else if( key_types[i] != PSA_KEY_TYPE_NONE ) 7438 { 7439 psa_set_key_type( &attributes, key_types[i] ); 7440 PSA_ASSERT( psa_import_key( &attributes, 7441 inputs[i]->x, inputs[i]->len, 7442 &keys[i] ) ); 7443 if( PSA_KEY_TYPE_IS_KEY_PAIR( key_types[i] ) && 7444 steps[i] == PSA_KEY_DERIVATION_INPUT_SECRET ) 7445 { 7446 // When taking a private key as secret input, use key agreement 7447 // to add the shared secret to the derivation 7448 TEST_EQUAL( mbedtls_test_psa_key_agreement_with_self( 7449 &operation, keys[i] ), 7450 expected_statuses[i] ); 7451 } 7452 else 7453 { 7454 TEST_EQUAL( psa_key_derivation_input_key( &operation, steps[i], 7455 keys[i] ), 7456 expected_statuses[i] ); 7457 } 7458 } 7459 else 7460 { 7461 TEST_EQUAL( psa_key_derivation_input_bytes( 7462 &operation, steps[i], 7463 inputs[i]->x, inputs[i]->len ), 7464 expected_statuses[i] ); 7465 } 7466 } 7467 7468 if( output_key_type != PSA_KEY_TYPE_NONE ) 7469 { 7470 psa_reset_key_attributes( &attributes ); 7471 psa_set_key_type( &attributes, output_key_type ); 7472 psa_set_key_bits( &attributes, 8 ); 7473 actual_output_status = 7474 psa_key_derivation_output_key( &attributes, &operation, 7475 &output_key ); 7476 } 7477 else 7478 { 7479 uint8_t buffer[1]; 7480 actual_output_status = 7481 psa_key_derivation_output_bytes( &operation, 7482 buffer, sizeof( buffer ) ); 7483 } 7484 TEST_EQUAL( actual_output_status, expected_output_status ); 7485 7486exit: 7487 psa_key_derivation_abort( &operation ); 7488 for( i = 0; i < ARRAY_LENGTH( keys ); i++ ) 7489 psa_destroy_key( keys[i] ); 7490 psa_destroy_key( output_key ); 7491 PSA_DONE( ); 7492} 7493/* END_CASE */ 7494 7495/* BEGIN_CASE */ 7496void derive_over_capacity( int alg_arg ) 7497{ 7498 psa_algorithm_t alg = alg_arg; 7499 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7500 size_t key_type = PSA_KEY_TYPE_DERIVE; 7501 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 7502 unsigned char input1[] = "Input 1"; 7503 size_t input1_length = sizeof( input1 ); 7504 unsigned char input2[] = "Input 2"; 7505 size_t input2_length = sizeof( input2 ); 7506 uint8_t buffer[42]; 7507 size_t capacity = sizeof( buffer ); 7508 const uint8_t key_data[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 7509 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 7510 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b}; 7511 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7512 7513 PSA_ASSERT( psa_crypto_init( ) ); 7514 7515 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 7516 psa_set_key_algorithm( &attributes, alg ); 7517 psa_set_key_type( &attributes, key_type ); 7518 7519 PSA_ASSERT( psa_import_key( &attributes, 7520 key_data, sizeof( key_data ), 7521 &key ) ); 7522 7523 /* valid key derivation */ 7524 if( !mbedtls_test_psa_setup_key_derivation_wrap( &operation, key, alg, 7525 input1, input1_length, 7526 input2, input2_length, 7527 capacity ) ) 7528 goto exit; 7529 7530 /* state of operation shouldn't allow additional generation */ 7531 TEST_EQUAL( psa_key_derivation_setup( &operation, alg ), 7532 PSA_ERROR_BAD_STATE ); 7533 7534 PSA_ASSERT( psa_key_derivation_output_bytes( &operation, buffer, capacity ) ); 7535 7536 TEST_EQUAL( psa_key_derivation_output_bytes( &operation, buffer, capacity ), 7537 PSA_ERROR_INSUFFICIENT_DATA ); 7538 7539exit: 7540 psa_key_derivation_abort( &operation ); 7541 psa_destroy_key( key ); 7542 PSA_DONE( ); 7543} 7544/* END_CASE */ 7545 7546/* BEGIN_CASE */ 7547void derive_actions_without_setup( ) 7548{ 7549 uint8_t output_buffer[16]; 7550 size_t buffer_size = 16; 7551 size_t capacity = 0; 7552 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 7553 7554 TEST_ASSERT( psa_key_derivation_output_bytes( &operation, 7555 output_buffer, buffer_size ) 7556 == PSA_ERROR_BAD_STATE ); 7557 7558 TEST_ASSERT( psa_key_derivation_get_capacity( &operation, &capacity ) 7559 == PSA_ERROR_BAD_STATE ); 7560 7561 PSA_ASSERT( psa_key_derivation_abort( &operation ) ); 7562 7563 TEST_ASSERT( psa_key_derivation_output_bytes( &operation, 7564 output_buffer, buffer_size ) 7565 == PSA_ERROR_BAD_STATE ); 7566 7567 TEST_ASSERT( psa_key_derivation_get_capacity( &operation, &capacity ) 7568 == PSA_ERROR_BAD_STATE ); 7569 7570exit: 7571 psa_key_derivation_abort( &operation ); 7572} 7573/* END_CASE */ 7574 7575/* BEGIN_CASE */ 7576void derive_output( int alg_arg, 7577 int step1_arg, data_t *input1, int expected_status_arg1, 7578 int step2_arg, data_t *input2, int expected_status_arg2, 7579 int step3_arg, data_t *input3, int expected_status_arg3, 7580 int step4_arg, data_t *input4, int expected_status_arg4, 7581 data_t *key_agreement_peer_key, 7582 int requested_capacity_arg, 7583 data_t *expected_output1, 7584 data_t *expected_output2, 7585 int other_key_input_type, 7586 int key_input_type, 7587 int derive_type ) 7588{ 7589 psa_algorithm_t alg = alg_arg; 7590 psa_key_derivation_step_t steps[] = {step1_arg, step2_arg, step3_arg, step4_arg}; 7591 data_t *inputs[] = {input1, input2, input3, input4}; 7592 mbedtls_svc_key_id_t keys[] = {MBEDTLS_SVC_KEY_ID_INIT, 7593 MBEDTLS_SVC_KEY_ID_INIT, 7594 MBEDTLS_SVC_KEY_ID_INIT, 7595 MBEDTLS_SVC_KEY_ID_INIT}; 7596 psa_status_t statuses[] = {expected_status_arg1, expected_status_arg2, 7597 expected_status_arg3, expected_status_arg4}; 7598 size_t requested_capacity = requested_capacity_arg; 7599 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 7600 uint8_t *expected_outputs[2] = 7601 {expected_output1->x, expected_output2->x}; 7602 size_t output_sizes[2] = 7603 {expected_output1->len, expected_output2->len}; 7604 size_t output_buffer_size = 0; 7605 uint8_t *output_buffer = NULL; 7606 size_t expected_capacity; 7607 size_t current_capacity; 7608 psa_key_attributes_t attributes1 = PSA_KEY_ATTRIBUTES_INIT; 7609 psa_key_attributes_t attributes2 = PSA_KEY_ATTRIBUTES_INIT; 7610 psa_key_attributes_t attributes3 = PSA_KEY_ATTRIBUTES_INIT; 7611 psa_key_attributes_t attributes4 = PSA_KEY_ATTRIBUTES_INIT; 7612 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 7613 psa_status_t status; 7614 size_t i; 7615 7616 for( i = 0; i < ARRAY_LENGTH( expected_outputs ); i++ ) 7617 { 7618 if( output_sizes[i] > output_buffer_size ) 7619 output_buffer_size = output_sizes[i]; 7620 if( output_sizes[i] == 0 ) 7621 expected_outputs[i] = NULL; 7622 } 7623 ASSERT_ALLOC( output_buffer, output_buffer_size ); 7624 PSA_ASSERT( psa_crypto_init( ) ); 7625 7626 /* Extraction phase. */ 7627 PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); 7628 PSA_ASSERT( psa_key_derivation_set_capacity( &operation, 7629 requested_capacity ) ); 7630 for( i = 0; i < ARRAY_LENGTH( steps ); i++ ) 7631 { 7632 switch( steps[i] ) 7633 { 7634 case 0: 7635 break; 7636 case PSA_KEY_DERIVATION_INPUT_SECRET: 7637 switch( key_input_type ) 7638 { 7639 case 0: // input bytes 7640 TEST_EQUAL( psa_key_derivation_input_bytes( 7641 &operation, steps[i], 7642 inputs[i]->x, inputs[i]->len ), 7643 statuses[i] ); 7644 7645 if( statuses[i] != PSA_SUCCESS ) 7646 goto exit; 7647 break; 7648 case 1: // input key 7649 psa_set_key_usage_flags( &attributes1, PSA_KEY_USAGE_DERIVE ); 7650 psa_set_key_algorithm( &attributes1, alg ); 7651 psa_set_key_type( &attributes1, PSA_KEY_TYPE_DERIVE ); 7652 7653 PSA_ASSERT( psa_import_key( &attributes1, 7654 inputs[i]->x, inputs[i]->len, 7655 &keys[i] ) ); 7656 7657 if( PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) ) 7658 { 7659 PSA_ASSERT( psa_get_key_attributes( keys[i], &attributes1 ) ); 7660 TEST_LE_U( PSA_BITS_TO_BYTES( psa_get_key_bits( &attributes1 ) ), 7661 PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE ); 7662 } 7663 7664 PSA_ASSERT( psa_key_derivation_input_key( &operation, 7665 steps[i], 7666 keys[i] ) ); 7667 break; 7668 default: 7669 TEST_ASSERT( ! "default case not supported" ); 7670 break; 7671 } 7672 break; 7673 case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET: 7674 switch( other_key_input_type ) 7675 { 7676 case 0: // input bytes 7677 TEST_EQUAL( psa_key_derivation_input_bytes( &operation, 7678 steps[i], 7679 inputs[i]->x, 7680 inputs[i]->len ), 7681 statuses[i] ); 7682 break; 7683 case 1: // input key, type DERIVE 7684 case 11: // input key, type RAW 7685 psa_set_key_usage_flags( &attributes2, PSA_KEY_USAGE_DERIVE ); 7686 psa_set_key_algorithm( &attributes2, alg ); 7687 psa_set_key_type( &attributes2, PSA_KEY_TYPE_DERIVE ); 7688 7689 // other secret of type RAW_DATA passed with input_key 7690 if( other_key_input_type == 11 ) 7691 psa_set_key_type( &attributes2, PSA_KEY_TYPE_RAW_DATA ); 7692 7693 PSA_ASSERT( psa_import_key( &attributes2, 7694 inputs[i]->x, inputs[i]->len, 7695 &keys[i] ) ); 7696 7697 TEST_EQUAL( psa_key_derivation_input_key( &operation, 7698 steps[i], 7699 keys[i] ), 7700 statuses[i] ); 7701 break; 7702 case 2: // key agreement 7703 psa_set_key_usage_flags( &attributes3, PSA_KEY_USAGE_DERIVE ); 7704 psa_set_key_algorithm( &attributes3, alg ); 7705 psa_set_key_type( &attributes3, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) ); 7706 7707 PSA_ASSERT( psa_import_key( &attributes3, 7708 inputs[i]->x, inputs[i]->len, 7709 &keys[i] ) ); 7710 7711 TEST_EQUAL( psa_key_derivation_key_agreement( 7712 &operation, 7713 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET, 7714 keys[i], key_agreement_peer_key->x, 7715 key_agreement_peer_key->len ), statuses[i] ); 7716 break; 7717 default: 7718 TEST_ASSERT( ! "default case not supported" ); 7719 break; 7720 } 7721 7722 if( statuses[i] != PSA_SUCCESS ) 7723 goto exit; 7724 break; 7725 default: 7726 TEST_EQUAL( psa_key_derivation_input_bytes( 7727 &operation, steps[i], 7728 inputs[i]->x, inputs[i]->len ), statuses[i] ); 7729 7730 if( statuses[i] != PSA_SUCCESS ) 7731 goto exit; 7732 break; 7733 } 7734 } 7735 7736 PSA_ASSERT( psa_key_derivation_get_capacity( &operation, 7737 ¤t_capacity ) ); 7738 TEST_EQUAL( current_capacity, requested_capacity ); 7739 expected_capacity = requested_capacity; 7740 7741 if( derive_type == 1 ) // output key 7742 { 7743 psa_status_t expected_status = PSA_ERROR_NOT_PERMITTED; 7744 7745 /* For output key derivation secret must be provided using 7746 input key, otherwise operation is not permitted. */ 7747 if( key_input_type == 1 ) 7748 expected_status = PSA_SUCCESS; 7749 7750 psa_set_key_usage_flags( &attributes4, PSA_KEY_USAGE_EXPORT ); 7751 psa_set_key_algorithm( &attributes4, alg ); 7752 psa_set_key_type( &attributes4, PSA_KEY_TYPE_DERIVE ); 7753 psa_set_key_bits( &attributes4, PSA_BYTES_TO_BITS( requested_capacity ) ); 7754 7755 TEST_EQUAL( psa_key_derivation_output_key( &attributes4, &operation, 7756 &derived_key ), expected_status ); 7757 } 7758 else // output bytes 7759 { 7760 /* Expansion phase. */ 7761 for( i = 0; i < ARRAY_LENGTH( expected_outputs ); i++ ) 7762 { 7763 /* Read some bytes. */ 7764 status = psa_key_derivation_output_bytes( &operation, 7765 output_buffer, output_sizes[i] ); 7766 if( expected_capacity == 0 && output_sizes[i] == 0 ) 7767 { 7768 /* Reading 0 bytes when 0 bytes are available can go either way. */ 7769 TEST_ASSERT( status == PSA_SUCCESS || 7770 status == PSA_ERROR_INSUFFICIENT_DATA ); 7771 continue; 7772 } 7773 else if( expected_capacity == 0 || 7774 output_sizes[i] > expected_capacity ) 7775 { 7776 /* Capacity exceeded. */ 7777 TEST_EQUAL( status, PSA_ERROR_INSUFFICIENT_DATA ); 7778 expected_capacity = 0; 7779 continue; 7780 } 7781 /* Success. Check the read data. */ 7782 PSA_ASSERT( status ); 7783 if( output_sizes[i] != 0 ) 7784 ASSERT_COMPARE( output_buffer, output_sizes[i], 7785 expected_outputs[i], output_sizes[i] ); 7786 /* Check the operation status. */ 7787 expected_capacity -= output_sizes[i]; 7788 PSA_ASSERT( psa_key_derivation_get_capacity( &operation, 7789 ¤t_capacity ) ); 7790 TEST_EQUAL( expected_capacity, current_capacity ); 7791 } 7792 } 7793 PSA_ASSERT( psa_key_derivation_abort( &operation ) ); 7794 7795exit: 7796 mbedtls_free( output_buffer ); 7797 psa_key_derivation_abort( &operation ); 7798 for( i = 0; i < ARRAY_LENGTH( keys ); i++ ) 7799 psa_destroy_key( keys[i] ); 7800 psa_destroy_key( derived_key ); 7801 PSA_DONE( ); 7802} 7803/* END_CASE */ 7804 7805/* BEGIN_CASE */ 7806void derive_full( int alg_arg, 7807 data_t *key_data, 7808 data_t *input1, 7809 data_t *input2, 7810 int requested_capacity_arg ) 7811{ 7812 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 7813 psa_algorithm_t alg = alg_arg; 7814 size_t requested_capacity = requested_capacity_arg; 7815 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 7816 unsigned char output_buffer[16]; 7817 size_t expected_capacity = requested_capacity; 7818 size_t current_capacity; 7819 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7820 7821 PSA_ASSERT( psa_crypto_init( ) ); 7822 7823 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 7824 psa_set_key_algorithm( &attributes, alg ); 7825 psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE ); 7826 7827 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 7828 &key ) ); 7829 7830 if( !mbedtls_test_psa_setup_key_derivation_wrap( &operation, key, alg, 7831 input1->x, input1->len, 7832 input2->x, input2->len, 7833 requested_capacity ) ) 7834 goto exit; 7835 7836 PSA_ASSERT( psa_key_derivation_get_capacity( &operation, 7837 ¤t_capacity ) ); 7838 TEST_EQUAL( current_capacity, expected_capacity ); 7839 7840 /* Expansion phase. */ 7841 while( current_capacity > 0 ) 7842 { 7843 size_t read_size = sizeof( output_buffer ); 7844 if( read_size > current_capacity ) 7845 read_size = current_capacity; 7846 PSA_ASSERT( psa_key_derivation_output_bytes( &operation, 7847 output_buffer, 7848 read_size ) ); 7849 expected_capacity -= read_size; 7850 PSA_ASSERT( psa_key_derivation_get_capacity( &operation, 7851 ¤t_capacity ) ); 7852 TEST_EQUAL( current_capacity, expected_capacity ); 7853 } 7854 7855 /* Check that the operation refuses to go over capacity. */ 7856 TEST_EQUAL( psa_key_derivation_output_bytes( &operation, output_buffer, 1 ), 7857 PSA_ERROR_INSUFFICIENT_DATA ); 7858 7859 PSA_ASSERT( psa_key_derivation_abort( &operation ) ); 7860 7861exit: 7862 psa_key_derivation_abort( &operation ); 7863 psa_destroy_key( key ); 7864 PSA_DONE( ); 7865} 7866/* END_CASE */ 7867 7868/* BEGIN_CASE depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ 7869void derive_ecjpake_to_pms( data_t *input, int expected_input_status_arg, 7870 int derivation_step, 7871 int capacity, int expected_capacity_status_arg, 7872 data_t *expected_output, 7873 int expected_output_status_arg ) 7874{ 7875 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS; 7876 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 7877 psa_key_derivation_step_t step = (psa_key_derivation_step_t) derivation_step; 7878 uint8_t *output_buffer = NULL; 7879 psa_status_t status; 7880 psa_status_t expected_input_status = (psa_status_t) expected_input_status_arg; 7881 psa_status_t expected_capacity_status = (psa_status_t) expected_capacity_status_arg; 7882 psa_status_t expected_output_status = (psa_status_t) expected_output_status_arg; 7883 7884 ASSERT_ALLOC( output_buffer, expected_output->len ); 7885 PSA_ASSERT( psa_crypto_init() ); 7886 7887 PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); 7888 TEST_EQUAL( psa_key_derivation_set_capacity( &operation, capacity ), 7889 expected_capacity_status); 7890 7891 TEST_EQUAL( psa_key_derivation_input_bytes( &operation, 7892 step, input->x, input->len ), 7893 expected_input_status ); 7894 7895 if( ( (psa_status_t) expected_input_status ) != PSA_SUCCESS ) 7896 goto exit; 7897 7898 status = psa_key_derivation_output_bytes( &operation, output_buffer, 7899 expected_output->len ); 7900 7901 TEST_EQUAL( status, expected_output_status ); 7902 if( expected_output->len != 0 && expected_output_status == PSA_SUCCESS ) 7903 ASSERT_COMPARE( output_buffer, expected_output->len, expected_output->x, 7904 expected_output->len ); 7905 7906exit: 7907 mbedtls_free( output_buffer ); 7908 psa_key_derivation_abort( &operation ); 7909 PSA_DONE(); 7910} 7911/* END_CASE */ 7912 7913/* BEGIN_CASE */ 7914void derive_key_exercise( int alg_arg, 7915 data_t *key_data, 7916 data_t *input1, 7917 data_t *input2, 7918 int derived_type_arg, 7919 int derived_bits_arg, 7920 int derived_usage_arg, 7921 int derived_alg_arg ) 7922{ 7923 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 7924 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 7925 psa_algorithm_t alg = alg_arg; 7926 psa_key_type_t derived_type = derived_type_arg; 7927 size_t derived_bits = derived_bits_arg; 7928 psa_key_usage_t derived_usage = derived_usage_arg; 7929 psa_algorithm_t derived_alg = derived_alg_arg; 7930 size_t capacity = PSA_BITS_TO_BYTES( derived_bits ); 7931 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 7932 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7933 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 7934 7935 PSA_ASSERT( psa_crypto_init( ) ); 7936 7937 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 7938 psa_set_key_algorithm( &attributes, alg ); 7939 psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE ); 7940 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 7941 &base_key ) ); 7942 7943 /* Derive a key. */ 7944 if ( mbedtls_test_psa_setup_key_derivation_wrap( &operation, base_key, alg, 7945 input1->x, input1->len, 7946 input2->x, input2->len, 7947 capacity ) ) 7948 goto exit; 7949 7950 psa_set_key_usage_flags( &attributes, derived_usage ); 7951 psa_set_key_algorithm( &attributes, derived_alg ); 7952 psa_set_key_type( &attributes, derived_type ); 7953 psa_set_key_bits( &attributes, derived_bits ); 7954 PSA_ASSERT( psa_key_derivation_output_key( &attributes, &operation, 7955 &derived_key ) ); 7956 7957 /* Test the key information */ 7958 PSA_ASSERT( psa_get_key_attributes( derived_key, &got_attributes ) ); 7959 TEST_EQUAL( psa_get_key_type( &got_attributes ), derived_type ); 7960 TEST_EQUAL( psa_get_key_bits( &got_attributes ), derived_bits ); 7961 7962 /* Exercise the derived key. */ 7963 if( ! mbedtls_test_psa_exercise_key( derived_key, derived_usage, derived_alg ) ) 7964 goto exit; 7965 7966exit: 7967 /* 7968 * Key attributes may have been returned by psa_get_key_attributes() 7969 * thus reset them as required. 7970 */ 7971 psa_reset_key_attributes( &got_attributes ); 7972 7973 psa_key_derivation_abort( &operation ); 7974 psa_destroy_key( base_key ); 7975 psa_destroy_key( derived_key ); 7976 PSA_DONE( ); 7977} 7978/* END_CASE */ 7979 7980/* BEGIN_CASE */ 7981void derive_key_export( int alg_arg, 7982 data_t *key_data, 7983 data_t *input1, 7984 data_t *input2, 7985 int bytes1_arg, 7986 int bytes2_arg ) 7987{ 7988 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 7989 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 7990 psa_algorithm_t alg = alg_arg; 7991 size_t bytes1 = bytes1_arg; 7992 size_t bytes2 = bytes2_arg; 7993 size_t capacity = bytes1 + bytes2; 7994 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 7995 uint8_t *output_buffer = NULL; 7996 uint8_t *export_buffer = NULL; 7997 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 7998 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; 7999 size_t length; 8000 8001 ASSERT_ALLOC( output_buffer, capacity ); 8002 ASSERT_ALLOC( export_buffer, capacity ); 8003 PSA_ASSERT( psa_crypto_init( ) ); 8004 8005 psa_set_key_usage_flags( &base_attributes, PSA_KEY_USAGE_DERIVE ); 8006 psa_set_key_algorithm( &base_attributes, alg ); 8007 psa_set_key_type( &base_attributes, PSA_KEY_TYPE_DERIVE ); 8008 PSA_ASSERT( psa_import_key( &base_attributes, key_data->x, key_data->len, 8009 &base_key ) ); 8010 8011 /* Derive some material and output it. */ 8012 if( !mbedtls_test_psa_setup_key_derivation_wrap( &operation, base_key, alg, 8013 input1->x, input1->len, 8014 input2->x, input2->len, 8015 capacity ) ) 8016 goto exit; 8017 8018 PSA_ASSERT( psa_key_derivation_output_bytes( &operation, 8019 output_buffer, 8020 capacity ) ); 8021 PSA_ASSERT( psa_key_derivation_abort( &operation ) ); 8022 8023 /* Derive the same output again, but this time store it in key objects. */ 8024 if( !mbedtls_test_psa_setup_key_derivation_wrap( &operation, base_key, alg, 8025 input1->x, input1->len, 8026 input2->x, input2->len, 8027 capacity ) ) 8028 goto exit; 8029 8030 psa_set_key_usage_flags( &derived_attributes, PSA_KEY_USAGE_EXPORT ); 8031 psa_set_key_algorithm( &derived_attributes, 0 ); 8032 psa_set_key_type( &derived_attributes, PSA_KEY_TYPE_RAW_DATA ); 8033 psa_set_key_bits( &derived_attributes, PSA_BYTES_TO_BITS( bytes1 ) ); 8034 PSA_ASSERT( psa_key_derivation_output_key( &derived_attributes, &operation, 8035 &derived_key ) ); 8036 PSA_ASSERT( psa_export_key( derived_key, 8037 export_buffer, bytes1, 8038 &length ) ); 8039 TEST_EQUAL( length, bytes1 ); 8040 PSA_ASSERT( psa_destroy_key( derived_key ) ); 8041 psa_set_key_bits( &derived_attributes, PSA_BYTES_TO_BITS( bytes2 ) ); 8042 PSA_ASSERT( psa_key_derivation_output_key( &derived_attributes, &operation, 8043 &derived_key ) ); 8044 PSA_ASSERT( psa_export_key( derived_key, 8045 export_buffer + bytes1, bytes2, 8046 &length ) ); 8047 TEST_EQUAL( length, bytes2 ); 8048 8049 /* Compare the outputs from the two runs. */ 8050 ASSERT_COMPARE( output_buffer, bytes1 + bytes2, 8051 export_buffer, capacity ); 8052 8053exit: 8054 mbedtls_free( output_buffer ); 8055 mbedtls_free( export_buffer ); 8056 psa_key_derivation_abort( &operation ); 8057 psa_destroy_key( base_key ); 8058 psa_destroy_key( derived_key ); 8059 PSA_DONE( ); 8060} 8061/* END_CASE */ 8062 8063/* BEGIN_CASE */ 8064void derive_key_type( int alg_arg, 8065 data_t *key_data, 8066 data_t *input1, 8067 data_t *input2, 8068 int key_type_arg, int bits_arg, 8069 data_t *expected_export ) 8070{ 8071 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 8072 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 8073 const psa_algorithm_t alg = alg_arg; 8074 const psa_key_type_t key_type = key_type_arg; 8075 const size_t bits = bits_arg; 8076 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 8077 const size_t export_buffer_size = 8078 PSA_EXPORT_KEY_OUTPUT_SIZE( key_type, bits ); 8079 uint8_t *export_buffer = NULL; 8080 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 8081 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; 8082 size_t export_length; 8083 8084 ASSERT_ALLOC( export_buffer, export_buffer_size ); 8085 PSA_ASSERT( psa_crypto_init( ) ); 8086 8087 psa_set_key_usage_flags( &base_attributes, PSA_KEY_USAGE_DERIVE ); 8088 psa_set_key_algorithm( &base_attributes, alg ); 8089 psa_set_key_type( &base_attributes, PSA_KEY_TYPE_DERIVE ); 8090 PSA_ASSERT( psa_import_key( &base_attributes, key_data->x, key_data->len, 8091 &base_key ) ); 8092 8093 if( mbedtls_test_psa_setup_key_derivation_wrap( 8094 &operation, base_key, alg, 8095 input1->x, input1->len, 8096 input2->x, input2->len, 8097 PSA_KEY_DERIVATION_UNLIMITED_CAPACITY ) == 0 ) 8098 goto exit; 8099 8100 psa_set_key_usage_flags( &derived_attributes, PSA_KEY_USAGE_EXPORT ); 8101 psa_set_key_algorithm( &derived_attributes, 0 ); 8102 psa_set_key_type( &derived_attributes, key_type ); 8103 psa_set_key_bits( &derived_attributes, bits ); 8104 PSA_ASSERT( psa_key_derivation_output_key( &derived_attributes, &operation, 8105 &derived_key ) ); 8106 8107 PSA_ASSERT( psa_export_key( derived_key, 8108 export_buffer, export_buffer_size, 8109 &export_length ) ); 8110 ASSERT_COMPARE( export_buffer, export_length, 8111 expected_export->x, expected_export->len ); 8112 8113exit: 8114 mbedtls_free( export_buffer ); 8115 psa_key_derivation_abort( &operation ); 8116 psa_destroy_key( base_key ); 8117 psa_destroy_key( derived_key ); 8118 PSA_DONE( ); 8119} 8120/* END_CASE */ 8121 8122/* BEGIN_CASE */ 8123void derive_key( int alg_arg, 8124 data_t *key_data, data_t *input1, data_t *input2, 8125 int type_arg, int bits_arg, 8126 int expected_status_arg, 8127 int is_large_output ) 8128{ 8129 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 8130 mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; 8131 psa_algorithm_t alg = alg_arg; 8132 psa_key_type_t type = type_arg; 8133 size_t bits = bits_arg; 8134 psa_status_t expected_status = expected_status_arg; 8135 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 8136 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 8137 psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; 8138 8139 PSA_ASSERT( psa_crypto_init( ) ); 8140 8141 psa_set_key_usage_flags( &base_attributes, PSA_KEY_USAGE_DERIVE ); 8142 psa_set_key_algorithm( &base_attributes, alg ); 8143 psa_set_key_type( &base_attributes, PSA_KEY_TYPE_DERIVE ); 8144 PSA_ASSERT( psa_import_key( &base_attributes, key_data->x, key_data->len, 8145 &base_key ) ); 8146 8147 if( !mbedtls_test_psa_setup_key_derivation_wrap( &operation, base_key, alg, 8148 input1->x, input1->len, 8149 input2->x, input2->len, 8150 SIZE_MAX ) ) 8151 goto exit; 8152 8153 psa_set_key_usage_flags( &derived_attributes, PSA_KEY_USAGE_EXPORT ); 8154 psa_set_key_algorithm( &derived_attributes, 0 ); 8155 psa_set_key_type( &derived_attributes, type ); 8156 psa_set_key_bits( &derived_attributes, bits ); 8157 8158 psa_status_t status = 8159 psa_key_derivation_output_key( &derived_attributes, 8160 &operation, 8161 &derived_key ); 8162 if( is_large_output > 0 ) 8163 TEST_ASSUME( status != PSA_ERROR_INSUFFICIENT_MEMORY ); 8164 TEST_EQUAL( status, expected_status ); 8165 8166exit: 8167 psa_key_derivation_abort( &operation ); 8168 psa_destroy_key( base_key ); 8169 psa_destroy_key( derived_key ); 8170 PSA_DONE( ); 8171} 8172/* END_CASE */ 8173 8174/* BEGIN_CASE */ 8175void key_agreement_setup( int alg_arg, 8176 int our_key_type_arg, int our_key_alg_arg, 8177 data_t *our_key_data, data_t *peer_key_data, 8178 int expected_status_arg ) 8179{ 8180 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 8181 psa_algorithm_t alg = alg_arg; 8182 psa_algorithm_t our_key_alg = our_key_alg_arg; 8183 psa_key_type_t our_key_type = our_key_type_arg; 8184 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 8185 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8186 psa_status_t expected_status = expected_status_arg; 8187 psa_status_t status; 8188 8189 PSA_ASSERT( psa_crypto_init( ) ); 8190 8191 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 8192 psa_set_key_algorithm( &attributes, our_key_alg ); 8193 psa_set_key_type( &attributes, our_key_type ); 8194 PSA_ASSERT( psa_import_key( &attributes, 8195 our_key_data->x, our_key_data->len, 8196 &our_key ) ); 8197 8198 /* The tests currently include inputs that should fail at either step. 8199 * Test cases that fail at the setup step should be changed to call 8200 * key_derivation_setup instead, and this function should be renamed 8201 * to key_agreement_fail. */ 8202 status = psa_key_derivation_setup( &operation, alg ); 8203 if( status == PSA_SUCCESS ) 8204 { 8205 TEST_EQUAL( psa_key_derivation_key_agreement( 8206 &operation, PSA_KEY_DERIVATION_INPUT_SECRET, 8207 our_key, 8208 peer_key_data->x, peer_key_data->len ), 8209 expected_status ); 8210 } 8211 else 8212 { 8213 TEST_ASSERT( status == expected_status ); 8214 } 8215 8216exit: 8217 psa_key_derivation_abort( &operation ); 8218 psa_destroy_key( our_key ); 8219 PSA_DONE( ); 8220} 8221/* END_CASE */ 8222 8223/* BEGIN_CASE */ 8224void raw_key_agreement( int alg_arg, 8225 int our_key_type_arg, data_t *our_key_data, 8226 data_t *peer_key_data, 8227 data_t *expected_output ) 8228{ 8229 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 8230 psa_algorithm_t alg = alg_arg; 8231 psa_key_type_t our_key_type = our_key_type_arg; 8232 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8233 unsigned char *output = NULL; 8234 size_t output_length = ~0; 8235 size_t key_bits; 8236 8237 PSA_ASSERT( psa_crypto_init( ) ); 8238 8239 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 8240 psa_set_key_algorithm( &attributes, alg ); 8241 psa_set_key_type( &attributes, our_key_type ); 8242 PSA_ASSERT( psa_import_key( &attributes, 8243 our_key_data->x, our_key_data->len, 8244 &our_key ) ); 8245 8246 PSA_ASSERT( psa_get_key_attributes( our_key, &attributes ) ); 8247 key_bits = psa_get_key_bits( &attributes ); 8248 8249 /* Validate size macros */ 8250 TEST_LE_U( expected_output->len, 8251 PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE( our_key_type, key_bits ) ); 8252 TEST_LE_U( PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE( our_key_type, key_bits ), 8253 PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE ); 8254 8255 /* Good case with exact output size */ 8256 ASSERT_ALLOC( output, expected_output->len ); 8257 PSA_ASSERT( psa_raw_key_agreement( alg, our_key, 8258 peer_key_data->x, peer_key_data->len, 8259 output, expected_output->len, 8260 &output_length ) ); 8261 ASSERT_COMPARE( output, output_length, 8262 expected_output->x, expected_output->len ); 8263 mbedtls_free( output ); 8264 output = NULL; 8265 output_length = ~0; 8266 8267 /* Larger buffer */ 8268 ASSERT_ALLOC( output, expected_output->len + 1 ); 8269 PSA_ASSERT( psa_raw_key_agreement( alg, our_key, 8270 peer_key_data->x, peer_key_data->len, 8271 output, expected_output->len + 1, 8272 &output_length ) ); 8273 ASSERT_COMPARE( output, output_length, 8274 expected_output->x, expected_output->len ); 8275 mbedtls_free( output ); 8276 output = NULL; 8277 output_length = ~0; 8278 8279 /* Buffer too small */ 8280 ASSERT_ALLOC( output, expected_output->len - 1 ); 8281 TEST_EQUAL( psa_raw_key_agreement( alg, our_key, 8282 peer_key_data->x, peer_key_data->len, 8283 output, expected_output->len - 1, 8284 &output_length ), 8285 PSA_ERROR_BUFFER_TOO_SMALL ); 8286 /* Not required by the spec, but good robustness */ 8287 TEST_LE_U( output_length, expected_output->len - 1 ); 8288 mbedtls_free( output ); 8289 output = NULL; 8290 8291exit: 8292 mbedtls_free( output ); 8293 psa_destroy_key( our_key ); 8294 PSA_DONE( ); 8295} 8296/* END_CASE */ 8297 8298/* BEGIN_CASE */ 8299void key_agreement_capacity( int alg_arg, 8300 int our_key_type_arg, data_t *our_key_data, 8301 data_t *peer_key_data, 8302 int expected_capacity_arg ) 8303{ 8304 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 8305 psa_algorithm_t alg = alg_arg; 8306 psa_key_type_t our_key_type = our_key_type_arg; 8307 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 8308 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8309 size_t actual_capacity; 8310 unsigned char output[16]; 8311 8312 PSA_ASSERT( psa_crypto_init( ) ); 8313 8314 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 8315 psa_set_key_algorithm( &attributes, alg ); 8316 psa_set_key_type( &attributes, our_key_type ); 8317 PSA_ASSERT( psa_import_key( &attributes, 8318 our_key_data->x, our_key_data->len, 8319 &our_key ) ); 8320 8321 PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); 8322 PSA_ASSERT( psa_key_derivation_key_agreement( 8323 &operation, 8324 PSA_KEY_DERIVATION_INPUT_SECRET, our_key, 8325 peer_key_data->x, peer_key_data->len ) ); 8326 if( PSA_ALG_IS_HKDF( PSA_ALG_KEY_AGREEMENT_GET_KDF( alg ) ) ) 8327 { 8328 /* The test data is for info="" */ 8329 PSA_ASSERT( psa_key_derivation_input_bytes( &operation, 8330 PSA_KEY_DERIVATION_INPUT_INFO, 8331 NULL, 0 ) ); 8332 } 8333 8334 /* Test the advertised capacity. */ 8335 PSA_ASSERT( psa_key_derivation_get_capacity( 8336 &operation, &actual_capacity ) ); 8337 TEST_EQUAL( actual_capacity, (size_t) expected_capacity_arg ); 8338 8339 /* Test the actual capacity by reading the output. */ 8340 while( actual_capacity > sizeof( output ) ) 8341 { 8342 PSA_ASSERT( psa_key_derivation_output_bytes( &operation, 8343 output, sizeof( output ) ) ); 8344 actual_capacity -= sizeof( output ); 8345 } 8346 PSA_ASSERT( psa_key_derivation_output_bytes( &operation, 8347 output, actual_capacity ) ); 8348 TEST_EQUAL( psa_key_derivation_output_bytes( &operation, output, 1 ), 8349 PSA_ERROR_INSUFFICIENT_DATA ); 8350 8351exit: 8352 psa_key_derivation_abort( &operation ); 8353 psa_destroy_key( our_key ); 8354 PSA_DONE( ); 8355} 8356/* END_CASE */ 8357 8358/* BEGIN_CASE */ 8359void key_agreement_output( int alg_arg, 8360 int our_key_type_arg, data_t *our_key_data, 8361 data_t *peer_key_data, 8362 data_t *expected_output1, data_t *expected_output2 ) 8363{ 8364 mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; 8365 psa_algorithm_t alg = alg_arg; 8366 psa_key_type_t our_key_type = our_key_type_arg; 8367 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 8368 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8369 uint8_t *actual_output = NULL; 8370 8371 ASSERT_ALLOC( actual_output, MAX( expected_output1->len, 8372 expected_output2->len ) ); 8373 8374 PSA_ASSERT( psa_crypto_init( ) ); 8375 8376 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 8377 psa_set_key_algorithm( &attributes, alg ); 8378 psa_set_key_type( &attributes, our_key_type ); 8379 PSA_ASSERT( psa_import_key( &attributes, 8380 our_key_data->x, our_key_data->len, 8381 &our_key ) ); 8382 8383 PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); 8384 PSA_ASSERT( psa_key_derivation_key_agreement( 8385 &operation, 8386 PSA_KEY_DERIVATION_INPUT_SECRET, our_key, 8387 peer_key_data->x, peer_key_data->len ) ); 8388 if( PSA_ALG_IS_HKDF( PSA_ALG_KEY_AGREEMENT_GET_KDF( alg ) ) ) 8389 { 8390 /* The test data is for info="" */ 8391 PSA_ASSERT( psa_key_derivation_input_bytes( &operation, 8392 PSA_KEY_DERIVATION_INPUT_INFO, 8393 NULL, 0 ) ); 8394 } 8395 8396 PSA_ASSERT( psa_key_derivation_output_bytes( &operation, 8397 actual_output, 8398 expected_output1->len ) ); 8399 ASSERT_COMPARE( actual_output, expected_output1->len, 8400 expected_output1->x, expected_output1->len ); 8401 if( expected_output2->len != 0 ) 8402 { 8403 PSA_ASSERT( psa_key_derivation_output_bytes( &operation, 8404 actual_output, 8405 expected_output2->len ) ); 8406 ASSERT_COMPARE( actual_output, expected_output2->len, 8407 expected_output2->x, expected_output2->len ); 8408 } 8409 8410exit: 8411 psa_key_derivation_abort( &operation ); 8412 psa_destroy_key( our_key ); 8413 PSA_DONE( ); 8414 mbedtls_free( actual_output ); 8415} 8416/* END_CASE */ 8417 8418/* BEGIN_CASE */ 8419void generate_random( int bytes_arg ) 8420{ 8421 size_t bytes = bytes_arg; 8422 unsigned char *output = NULL; 8423 unsigned char *changed = NULL; 8424 size_t i; 8425 unsigned run; 8426 8427 TEST_ASSERT( bytes_arg >= 0 ); 8428 8429 ASSERT_ALLOC( output, bytes ); 8430 ASSERT_ALLOC( changed, bytes ); 8431 8432 PSA_ASSERT( psa_crypto_init( ) ); 8433 8434 /* Run several times, to ensure that every output byte will be 8435 * nonzero at least once with overwhelming probability 8436 * (2^(-8*number_of_runs)). */ 8437 for( run = 0; run < 10; run++ ) 8438 { 8439 if( bytes != 0 ) 8440 memset( output, 0, bytes ); 8441 PSA_ASSERT( psa_generate_random( output, bytes ) ); 8442 8443 for( i = 0; i < bytes; i++ ) 8444 { 8445 if( output[i] != 0 ) 8446 ++changed[i]; 8447 } 8448 } 8449 8450 /* Check that every byte was changed to nonzero at least once. This 8451 * validates that psa_generate_random is overwriting every byte of 8452 * the output buffer. */ 8453 for( i = 0; i < bytes; i++ ) 8454 { 8455 TEST_ASSERT( changed[i] != 0 ); 8456 } 8457 8458exit: 8459 PSA_DONE( ); 8460 mbedtls_free( output ); 8461 mbedtls_free( changed ); 8462} 8463/* END_CASE */ 8464 8465/* BEGIN_CASE */ 8466void generate_key( int type_arg, 8467 int bits_arg, 8468 int usage_arg, 8469 int alg_arg, 8470 int expected_status_arg, 8471 int is_large_key ) 8472{ 8473 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8474 psa_key_type_t type = type_arg; 8475 psa_key_usage_t usage = usage_arg; 8476 size_t bits = bits_arg; 8477 psa_algorithm_t alg = alg_arg; 8478 psa_status_t expected_status = expected_status_arg; 8479 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8480 psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; 8481 8482 PSA_ASSERT( psa_crypto_init( ) ); 8483 8484 psa_set_key_usage_flags( &attributes, usage ); 8485 psa_set_key_algorithm( &attributes, alg ); 8486 psa_set_key_type( &attributes, type ); 8487 psa_set_key_bits( &attributes, bits ); 8488 8489 /* Generate a key */ 8490 psa_status_t status = psa_generate_key( &attributes, &key ); 8491 8492 if( is_large_key > 0 ) 8493 TEST_ASSUME( status != PSA_ERROR_INSUFFICIENT_MEMORY ); 8494 TEST_EQUAL( status , expected_status ); 8495 if( expected_status != PSA_SUCCESS ) 8496 goto exit; 8497 8498 /* Test the key information */ 8499 PSA_ASSERT( psa_get_key_attributes( key, &got_attributes ) ); 8500 TEST_EQUAL( psa_get_key_type( &got_attributes ), type ); 8501 TEST_EQUAL( psa_get_key_bits( &got_attributes ), bits ); 8502 8503 /* Do something with the key according to its type and permitted usage. */ 8504 if( ! mbedtls_test_psa_exercise_key( key, usage, alg ) ) 8505 goto exit; 8506 8507exit: 8508 /* 8509 * Key attributes may have been returned by psa_get_key_attributes() 8510 * thus reset them as required. 8511 */ 8512 psa_reset_key_attributes( &got_attributes ); 8513 8514 psa_destroy_key( key ); 8515 PSA_DONE( ); 8516} 8517/* END_CASE */ 8518 8519/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_GENPRIME */ 8520void generate_key_rsa( int bits_arg, 8521 data_t *e_arg, 8522 int expected_status_arg ) 8523{ 8524 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8525 psa_key_type_t type = PSA_KEY_TYPE_RSA_KEY_PAIR; 8526 size_t bits = bits_arg; 8527 psa_key_usage_t usage = PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT; 8528 psa_algorithm_t alg = PSA_ALG_RSA_PKCS1V15_SIGN_RAW; 8529 psa_status_t expected_status = expected_status_arg; 8530 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8531 uint8_t *exported = NULL; 8532 size_t exported_size = 8533 PSA_EXPORT_KEY_OUTPUT_SIZE( PSA_KEY_TYPE_RSA_PUBLIC_KEY, bits ); 8534 size_t exported_length = SIZE_MAX; 8535 uint8_t *e_read_buffer = NULL; 8536 int is_default_public_exponent = 0; 8537 size_t e_read_size = PSA_KEY_DOMAIN_PARAMETERS_SIZE( type, bits ); 8538 size_t e_read_length = SIZE_MAX; 8539 8540 if( e_arg->len == 0 || 8541 ( e_arg->len == 3 && 8542 e_arg->x[0] == 1 && e_arg->x[1] == 0 && e_arg->x[2] == 1 ) ) 8543 { 8544 is_default_public_exponent = 1; 8545 e_read_size = 0; 8546 } 8547 ASSERT_ALLOC( e_read_buffer, e_read_size ); 8548 ASSERT_ALLOC( exported, exported_size ); 8549 8550 PSA_ASSERT( psa_crypto_init( ) ); 8551 8552 psa_set_key_usage_flags( &attributes, usage ); 8553 psa_set_key_algorithm( &attributes, alg ); 8554 PSA_ASSERT( psa_set_key_domain_parameters( &attributes, type, 8555 e_arg->x, e_arg->len ) ); 8556 psa_set_key_bits( &attributes, bits ); 8557 8558 /* Generate a key */ 8559 TEST_EQUAL( psa_generate_key( &attributes, &key ), expected_status ); 8560 if( expected_status != PSA_SUCCESS ) 8561 goto exit; 8562 8563 /* Test the key information */ 8564 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 8565 TEST_EQUAL( psa_get_key_type( &attributes ), type ); 8566 TEST_EQUAL( psa_get_key_bits( &attributes ), bits ); 8567 PSA_ASSERT( psa_get_key_domain_parameters( &attributes, 8568 e_read_buffer, e_read_size, 8569 &e_read_length ) ); 8570 if( is_default_public_exponent ) 8571 TEST_EQUAL( e_read_length, 0 ); 8572 else 8573 ASSERT_COMPARE( e_read_buffer, e_read_length, e_arg->x, e_arg->len ); 8574 8575 /* Do something with the key according to its type and permitted usage. */ 8576 if( ! mbedtls_test_psa_exercise_key( key, usage, alg ) ) 8577 goto exit; 8578 8579 /* Export the key and check the public exponent. */ 8580 PSA_ASSERT( psa_export_public_key( key, 8581 exported, exported_size, 8582 &exported_length ) ); 8583 { 8584 uint8_t *p = exported; 8585 uint8_t *end = exported + exported_length; 8586 size_t len; 8587 /* RSAPublicKey ::= SEQUENCE { 8588 * modulus INTEGER, -- n 8589 * publicExponent INTEGER } -- e 8590 */ 8591 TEST_EQUAL( 0, mbedtls_asn1_get_tag( &p, end, &len, 8592 MBEDTLS_ASN1_SEQUENCE | 8593 MBEDTLS_ASN1_CONSTRUCTED ) ); 8594 TEST_ASSERT( mbedtls_test_asn1_skip_integer( &p, end, bits, bits, 1 ) ); 8595 TEST_EQUAL( 0, mbedtls_asn1_get_tag( &p, end, &len, 8596 MBEDTLS_ASN1_INTEGER ) ); 8597 if( len >= 1 && p[0] == 0 ) 8598 { 8599 ++p; 8600 --len; 8601 } 8602 if( e_arg->len == 0 ) 8603 { 8604 TEST_EQUAL( len, 3 ); 8605 TEST_EQUAL( p[0], 1 ); 8606 TEST_EQUAL( p[1], 0 ); 8607 TEST_EQUAL( p[2], 1 ); 8608 } 8609 else 8610 ASSERT_COMPARE( p, len, e_arg->x, e_arg->len ); 8611 } 8612 8613exit: 8614 /* 8615 * Key attributes may have been returned by psa_get_key_attributes() or 8616 * set by psa_set_key_domain_parameters() thus reset them as required. 8617 */ 8618 psa_reset_key_attributes( &attributes ); 8619 8620 psa_destroy_key( key ); 8621 PSA_DONE( ); 8622 mbedtls_free( e_read_buffer ); 8623 mbedtls_free( exported ); 8624} 8625/* END_CASE */ 8626 8627/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */ 8628void persistent_key_load_key_from_storage( data_t *data, 8629 int type_arg, int bits_arg, 8630 int usage_flags_arg, int alg_arg, 8631 int generation_method ) 8632{ 8633 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 1, 1 ); 8634 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8635 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8636 mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; 8637 psa_key_type_t type = type_arg; 8638 size_t bits = bits_arg; 8639 psa_key_usage_t usage_flags = usage_flags_arg; 8640 psa_algorithm_t alg = alg_arg; 8641 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 8642 unsigned char *first_export = NULL; 8643 unsigned char *second_export = NULL; 8644 size_t export_size = PSA_EXPORT_KEY_OUTPUT_SIZE( type, bits ); 8645 size_t first_exported_length; 8646 size_t second_exported_length; 8647 8648 if( usage_flags & PSA_KEY_USAGE_EXPORT ) 8649 { 8650 ASSERT_ALLOC( first_export, export_size ); 8651 ASSERT_ALLOC( second_export, export_size ); 8652 } 8653 8654 PSA_ASSERT( psa_crypto_init() ); 8655 8656 psa_set_key_id( &attributes, key_id ); 8657 psa_set_key_usage_flags( &attributes, usage_flags ); 8658 psa_set_key_algorithm( &attributes, alg ); 8659 psa_set_key_type( &attributes, type ); 8660 psa_set_key_bits( &attributes, bits ); 8661 8662 switch( generation_method ) 8663 { 8664 case IMPORT_KEY: 8665 /* Import the key */ 8666 PSA_ASSERT( psa_import_key( &attributes, data->x, data->len, 8667 &key ) ); 8668 break; 8669 8670 case GENERATE_KEY: 8671 /* Generate a key */ 8672 PSA_ASSERT( psa_generate_key( &attributes, &key ) ); 8673 break; 8674 8675 case DERIVE_KEY: 8676#if defined(PSA_WANT_ALG_HKDF) && defined(PSA_WANT_ALG_SHA_256) 8677 { 8678 /* Create base key */ 8679 psa_algorithm_t derive_alg = PSA_ALG_HKDF( PSA_ALG_SHA_256 ); 8680 psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; 8681 psa_set_key_usage_flags( &base_attributes, 8682 PSA_KEY_USAGE_DERIVE ); 8683 psa_set_key_algorithm( &base_attributes, derive_alg ); 8684 psa_set_key_type( &base_attributes, PSA_KEY_TYPE_DERIVE ); 8685 PSA_ASSERT( psa_import_key( &base_attributes, 8686 data->x, data->len, 8687 &base_key ) ); 8688 /* Derive a key. */ 8689 PSA_ASSERT( psa_key_derivation_setup( &operation, derive_alg ) ); 8690 PSA_ASSERT( psa_key_derivation_input_key( 8691 &operation, 8692 PSA_KEY_DERIVATION_INPUT_SECRET, base_key ) ); 8693 PSA_ASSERT( psa_key_derivation_input_bytes( 8694 &operation, PSA_KEY_DERIVATION_INPUT_INFO, 8695 NULL, 0 ) ); 8696 PSA_ASSERT( psa_key_derivation_output_key( &attributes, 8697 &operation, 8698 &key ) ); 8699 PSA_ASSERT( psa_key_derivation_abort( &operation ) ); 8700 PSA_ASSERT( psa_destroy_key( base_key ) ); 8701 base_key = MBEDTLS_SVC_KEY_ID_INIT; 8702 } 8703#else 8704 TEST_ASSUME( ! "KDF not supported in this configuration" ); 8705#endif 8706 break; 8707 8708 default: 8709 TEST_ASSERT( ! "generation_method not implemented in test" ); 8710 break; 8711 } 8712 psa_reset_key_attributes( &attributes ); 8713 8714 /* Export the key if permitted by the key policy. */ 8715 if( usage_flags & PSA_KEY_USAGE_EXPORT ) 8716 { 8717 PSA_ASSERT( psa_export_key( key, 8718 first_export, export_size, 8719 &first_exported_length ) ); 8720 if( generation_method == IMPORT_KEY ) 8721 ASSERT_COMPARE( data->x, data->len, 8722 first_export, first_exported_length ); 8723 } 8724 8725 /* Shutdown and restart */ 8726 PSA_ASSERT( psa_purge_key( key ) ); 8727 PSA_DONE(); 8728 PSA_ASSERT( psa_crypto_init() ); 8729 8730 /* Check key slot still contains key data */ 8731 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 8732 TEST_ASSERT( mbedtls_svc_key_id_equal( 8733 psa_get_key_id( &attributes ), key_id ) ); 8734 TEST_EQUAL( psa_get_key_lifetime( &attributes ), 8735 PSA_KEY_LIFETIME_PERSISTENT ); 8736 TEST_EQUAL( psa_get_key_type( &attributes ), type ); 8737 TEST_EQUAL( psa_get_key_bits( &attributes ), bits ); 8738 TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 8739 mbedtls_test_update_key_usage_flags( usage_flags ) ); 8740 TEST_EQUAL( psa_get_key_algorithm( &attributes ), alg ); 8741 8742 /* Export the key again if permitted by the key policy. */ 8743 if( usage_flags & PSA_KEY_USAGE_EXPORT ) 8744 { 8745 PSA_ASSERT( psa_export_key( key, 8746 second_export, export_size, 8747 &second_exported_length ) ); 8748 ASSERT_COMPARE( first_export, first_exported_length, 8749 second_export, second_exported_length ); 8750 } 8751 8752 /* Do something with the key according to its type and permitted usage. */ 8753 if( ! mbedtls_test_psa_exercise_key( key, usage_flags, alg ) ) 8754 goto exit; 8755 8756exit: 8757 /* 8758 * Key attributes may have been returned by psa_get_key_attributes() 8759 * thus reset them as required. 8760 */ 8761 psa_reset_key_attributes( &attributes ); 8762 8763 mbedtls_free( first_export ); 8764 mbedtls_free( second_export ); 8765 psa_key_derivation_abort( &operation ); 8766 psa_destroy_key( base_key ); 8767 psa_destroy_key( key ); 8768 PSA_DONE(); 8769} 8770/* END_CASE */ 8771 8772/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 8773void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, 8774 int primitive_arg, int hash_arg, int role_arg, 8775 int test_input, data_t *pw_data, 8776 int inj_err_type_arg, 8777 int expected_error_arg) 8778{ 8779 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 8780 psa_pake_operation_t operation = psa_pake_operation_init(); 8781 psa_algorithm_t alg = alg_arg; 8782 psa_pake_primitive_t primitive = primitive_arg; 8783 psa_key_type_t key_type_pw = key_type_pw_arg; 8784 psa_key_usage_t key_usage_pw = key_usage_pw_arg; 8785 psa_algorithm_t hash_alg = hash_arg; 8786 psa_pake_role_t role = role_arg; 8787 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 8788 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8789 ecjpake_injected_failure_t inj_err_type = inj_err_type_arg; 8790 psa_status_t expected_error = expected_error_arg; 8791 psa_status_t status; 8792 unsigned char *output_buffer = NULL; 8793 size_t output_len = 0; 8794 8795 PSA_INIT( ); 8796 8797 size_t buf_size = PSA_PAKE_OUTPUT_SIZE(alg, primitive_arg, 8798 PSA_PAKE_STEP_KEY_SHARE); 8799 ASSERT_ALLOC( output_buffer, buf_size ); 8800 8801 if( pw_data->len > 0 ) 8802 { 8803 psa_set_key_usage_flags( &attributes, key_usage_pw ); 8804 psa_set_key_algorithm( &attributes, alg ); 8805 psa_set_key_type( &attributes, key_type_pw ); 8806 PSA_ASSERT( psa_import_key( &attributes, pw_data->x, pw_data->len, 8807 &key ) ); 8808 } 8809 8810 psa_pake_cs_set_algorithm( &cipher_suite, alg ); 8811 psa_pake_cs_set_primitive( &cipher_suite, primitive ); 8812 psa_pake_cs_set_hash( &cipher_suite, hash_alg ); 8813 8814 PSA_ASSERT( psa_pake_abort( &operation ) ); 8815 8816 if ( inj_err_type == INJECT_ERR_UNINITIALIZED_ACCESS ) 8817 { 8818 TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ), 8819 expected_error ); 8820 PSA_ASSERT( psa_pake_abort( &operation ) ); 8821 TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ), 8822 expected_error ); 8823 PSA_ASSERT( psa_pake_abort( &operation ) ); 8824 TEST_EQUAL( psa_pake_set_password_key( &operation, key ), 8825 expected_error ); 8826 PSA_ASSERT( psa_pake_abort( &operation ) ); 8827 TEST_EQUAL( psa_pake_set_role( &operation, role ), 8828 expected_error ); 8829 PSA_ASSERT( psa_pake_abort( &operation ) ); 8830 TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE, 8831 NULL, 0, NULL ), 8832 expected_error ); 8833 PSA_ASSERT( psa_pake_abort( &operation ) ); 8834 TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, NULL, 0), 8835 expected_error ); 8836 PSA_ASSERT( psa_pake_abort( &operation ) ); 8837 goto exit; 8838 } 8839 8840 status = psa_pake_setup( &operation, &cipher_suite ); 8841 if (status != PSA_SUCCESS) 8842 { 8843 TEST_EQUAL( status, expected_error ); 8844 goto exit; 8845 } 8846 8847 if( inj_err_type == INJECT_ERR_DUPLICATE_SETUP ) 8848 { 8849 TEST_EQUAL( psa_pake_setup( &operation, &cipher_suite ), 8850 expected_error ); 8851 goto exit; 8852 } 8853 8854 status = psa_pake_set_role( &operation, role); 8855 if ( status != PSA_SUCCESS ) 8856 { 8857 TEST_EQUAL( status, expected_error ); 8858 goto exit; 8859 } 8860 8861 if( pw_data->len > 0 ) 8862 { 8863 status = psa_pake_set_password_key( &operation, key ); 8864 if ( status != PSA_SUCCESS ) 8865 { 8866 TEST_EQUAL( status, expected_error ); 8867 goto exit; 8868 } 8869 } 8870 8871 if ( inj_err_type == INJECT_ERR_INVALID_USER ) 8872 { 8873 TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ), 8874 PSA_ERROR_INVALID_ARGUMENT ); 8875 goto exit; 8876 } 8877 8878 if ( inj_err_type == INJECT_ERR_INVALID_PEER ) 8879 { 8880 TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ), 8881 PSA_ERROR_INVALID_ARGUMENT ); 8882 goto exit; 8883 } 8884 8885 if ( inj_err_type == INJECT_ERR_SET_USER ) 8886 { 8887 const uint8_t unsupported_id[] = "abcd"; 8888 TEST_EQUAL( psa_pake_set_user( &operation, unsupported_id, 4 ), 8889 PSA_ERROR_NOT_SUPPORTED ); 8890 goto exit; 8891 } 8892 8893 if ( inj_err_type == INJECT_ERR_SET_PEER ) 8894 { 8895 const uint8_t unsupported_id[] = "abcd"; 8896 TEST_EQUAL( psa_pake_set_peer( &operation, unsupported_id, 4 ), 8897 PSA_ERROR_NOT_SUPPORTED ); 8898 goto exit; 8899 } 8900 8901 const size_t size_key_share = PSA_PAKE_INPUT_SIZE( alg, primitive, 8902 PSA_PAKE_STEP_KEY_SHARE ); 8903 const size_t size_zk_public = PSA_PAKE_INPUT_SIZE( alg, primitive, 8904 PSA_PAKE_STEP_ZK_PUBLIC ); 8905 const size_t size_zk_proof = PSA_PAKE_INPUT_SIZE( alg, primitive, 8906 PSA_PAKE_STEP_ZK_PROOF ); 8907 8908 if ( test_input ) 8909 { 8910 if ( inj_err_type == INJECT_EMPTY_IO_BUFFER ) 8911 { 8912 TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF, NULL, 0 ), 8913 PSA_ERROR_INVALID_ARGUMENT ); 8914 goto exit; 8915 } 8916 8917 if ( inj_err_type == INJECT_UNKNOWN_STEP ) 8918 { 8919 TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, 8920 output_buffer, size_zk_proof ), 8921 PSA_ERROR_INVALID_ARGUMENT ); 8922 goto exit; 8923 } 8924 8925 if ( inj_err_type == INJECT_INVALID_FIRST_STEP ) 8926 { 8927 TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF, 8928 output_buffer, size_zk_proof ), 8929 PSA_ERROR_BAD_STATE ); 8930 goto exit; 8931 } 8932 8933 status = psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, 8934 output_buffer, size_key_share ); 8935 if ( status != PSA_SUCCESS ) 8936 { 8937 TEST_EQUAL( status, expected_error); 8938 goto exit; 8939 } 8940 8941 if ( inj_err_type == INJECT_WRONG_BUFFER_SIZE ) 8942 { 8943 TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, 8944 output_buffer, size_zk_public + 1 ), 8945 PSA_ERROR_INVALID_ARGUMENT ); 8946 goto exit; 8947 } 8948 8949 if ( inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE ) 8950 { 8951 // Just trigger any kind of error. We don't care about the result here 8952 psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, 8953 output_buffer, size_zk_public + 1 ); 8954 TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, 8955 output_buffer, size_zk_public ), 8956 PSA_ERROR_BAD_STATE ); 8957 goto exit; 8958 } 8959 } else { 8960 if ( inj_err_type == INJECT_EMPTY_IO_BUFFER ) 8961 { 8962 TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF, 8963 NULL, 0, NULL ), 8964 PSA_ERROR_INVALID_ARGUMENT ); 8965 goto exit; 8966 } 8967 8968 if ( inj_err_type == INJECT_UNKNOWN_STEP ) 8969 { 8970 TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, 8971 output_buffer, buf_size, &output_len ), 8972 PSA_ERROR_INVALID_ARGUMENT ); 8973 goto exit; 8974 } 8975 8976 if ( inj_err_type == INJECT_INVALID_FIRST_STEP ) 8977 { 8978 TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF, 8979 output_buffer, buf_size, &output_len ), 8980 PSA_ERROR_BAD_STATE ); 8981 goto exit; 8982 } 8983 8984 status = psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE, 8985 output_buffer, buf_size, &output_len ); 8986 if ( status != PSA_SUCCESS ) 8987 { 8988 TEST_EQUAL( status, expected_error); 8989 goto exit; 8990 } 8991 8992 TEST_ASSERT( output_len > 0 ); 8993 8994 if ( inj_err_type == INJECT_WRONG_BUFFER_SIZE ) 8995 { 8996 TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, 8997 output_buffer, size_zk_public - 1, &output_len ), 8998 PSA_ERROR_BUFFER_TOO_SMALL ); 8999 goto exit; 9000 } 9001 9002 if ( inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE ) 9003 { 9004 // Just trigger any kind of error. We don't care about the result here 9005 psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, 9006 output_buffer, size_zk_public - 1, &output_len ); 9007 TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, 9008 output_buffer, buf_size, &output_len ), 9009 PSA_ERROR_BAD_STATE ); 9010 goto exit; 9011 } 9012 } 9013 9014exit: 9015 PSA_ASSERT( psa_destroy_key( key ) ); 9016 PSA_ASSERT( psa_pake_abort( &operation ) ); 9017 mbedtls_free( output_buffer ); 9018 PSA_DONE( ); 9019} 9020/* END_CASE */ 9021 9022/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 9023void ecjpake_rounds_inject( int alg_arg, int primitive_arg, int hash_arg, 9024 int client_input_first, int inject_error, 9025 data_t *pw_data ) 9026{ 9027 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 9028 psa_pake_operation_t server = psa_pake_operation_init(); 9029 psa_pake_operation_t client = psa_pake_operation_init(); 9030 psa_algorithm_t alg = alg_arg; 9031 psa_algorithm_t hash_alg = hash_arg; 9032 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 9033 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 9034 9035 PSA_INIT( ); 9036 9037 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 9038 psa_set_key_algorithm( &attributes, alg ); 9039 psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD ); 9040 PSA_ASSERT( psa_import_key( &attributes, pw_data->x, pw_data->len, 9041 &key ) ); 9042 9043 psa_pake_cs_set_algorithm( &cipher_suite, alg ); 9044 psa_pake_cs_set_primitive( &cipher_suite, primitive_arg ); 9045 psa_pake_cs_set_hash( &cipher_suite, hash_alg ); 9046 9047 9048 PSA_ASSERT( psa_pake_setup( &server, &cipher_suite ) ); 9049 PSA_ASSERT( psa_pake_setup( &client, &cipher_suite ) ); 9050 9051 PSA_ASSERT( psa_pake_set_role( &server, PSA_PAKE_ROLE_SERVER ) ); 9052 PSA_ASSERT( psa_pake_set_role( &client, PSA_PAKE_ROLE_CLIENT ) ); 9053 9054 PSA_ASSERT( psa_pake_set_password_key( &server, key ) ); 9055 PSA_ASSERT( psa_pake_set_password_key( &client, key ) ); 9056 9057 ecjpake_do_round( alg, primitive_arg, &server, &client, 9058 client_input_first, 1, inject_error ); 9059 9060 if( inject_error == 1 || inject_error == 2 ) 9061 goto exit; 9062 9063 ecjpake_do_round( alg, primitive_arg, &server, &client, 9064 client_input_first, 2, inject_error ); 9065 9066exit: 9067 psa_destroy_key( key ); 9068 psa_pake_abort( &server ); 9069 psa_pake_abort( &client ); 9070 PSA_DONE( ); 9071} 9072/* END_CASE */ 9073 9074/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ 9075void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg, 9076 int derive_alg_arg, data_t *pw_data, 9077 int client_input_first, int inj_err_type_arg ) 9078{ 9079 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 9080 psa_pake_operation_t server = psa_pake_operation_init(); 9081 psa_pake_operation_t client = psa_pake_operation_init(); 9082 psa_algorithm_t alg = alg_arg; 9083 psa_algorithm_t hash_alg = hash_arg; 9084 psa_algorithm_t derive_alg = derive_alg_arg; 9085 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 9086 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 9087 psa_key_derivation_operation_t server_derive = 9088 PSA_KEY_DERIVATION_OPERATION_INIT; 9089 psa_key_derivation_operation_t client_derive = 9090 PSA_KEY_DERIVATION_OPERATION_INIT; 9091 ecjpake_injected_failure_t inj_err_type = inj_err_type_arg; 9092 9093 PSA_INIT( ); 9094 9095 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); 9096 psa_set_key_algorithm( &attributes, alg ); 9097 psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD ); 9098 PSA_ASSERT( psa_import_key( &attributes, pw_data->x, pw_data->len, 9099 &key ) ); 9100 9101 psa_pake_cs_set_algorithm( &cipher_suite, alg ); 9102 psa_pake_cs_set_primitive( &cipher_suite, primitive_arg ); 9103 psa_pake_cs_set_hash( &cipher_suite, hash_alg ); 9104 9105 /* Get shared key */ 9106 PSA_ASSERT( psa_key_derivation_setup( &server_derive, derive_alg ) ); 9107 PSA_ASSERT( psa_key_derivation_setup( &client_derive, derive_alg ) ); 9108 9109 if( PSA_ALG_IS_TLS12_PRF( derive_alg ) || 9110 PSA_ALG_IS_TLS12_PSK_TO_MS( derive_alg ) ) 9111 { 9112 PSA_ASSERT( psa_key_derivation_input_bytes( &server_derive, 9113 PSA_KEY_DERIVATION_INPUT_SEED, 9114 (const uint8_t*) "", 0) ); 9115 PSA_ASSERT( psa_key_derivation_input_bytes( &client_derive, 9116 PSA_KEY_DERIVATION_INPUT_SEED, 9117 (const uint8_t*) "", 0) ); 9118 } 9119 9120 PSA_ASSERT( psa_pake_setup( &server, &cipher_suite ) ); 9121 PSA_ASSERT( psa_pake_setup( &client, &cipher_suite ) ); 9122 9123 PSA_ASSERT( psa_pake_set_role( &server, PSA_PAKE_ROLE_SERVER ) ); 9124 PSA_ASSERT( psa_pake_set_role( &client, PSA_PAKE_ROLE_CLIENT ) ); 9125 9126 PSA_ASSERT( psa_pake_set_password_key( &server, key ) ); 9127 PSA_ASSERT( psa_pake_set_password_key( &client, key ) ); 9128 9129 if( inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_1 ) 9130 { 9131 TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ), 9132 PSA_ERROR_BAD_STATE ); 9133 TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ), 9134 PSA_ERROR_BAD_STATE ); 9135 goto exit; 9136 } 9137 9138 /* First round */ 9139 ecjpake_do_round( alg, primitive_arg, &server, &client, 9140 client_input_first, 1, 0 ); 9141 9142 if ( inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_2 ) 9143 { 9144 TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ), 9145 PSA_ERROR_BAD_STATE ); 9146 TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ), 9147 PSA_ERROR_BAD_STATE ); 9148 goto exit; 9149 } 9150 9151 /* Second round */ 9152 ecjpake_do_round( alg, primitive_arg, &server, &client, 9153 client_input_first, 2, 0 ); 9154 9155 PSA_ASSERT( psa_pake_get_implicit_key( &server, &server_derive ) ); 9156 PSA_ASSERT( psa_pake_get_implicit_key( &client, &client_derive ) ); 9157 9158exit: 9159 psa_key_derivation_abort( &server_derive ); 9160 psa_key_derivation_abort( &client_derive ); 9161 psa_destroy_key( key ); 9162 psa_pake_abort( &server ); 9163 psa_pake_abort( &client ); 9164 PSA_DONE( ); 9165} 9166/* END_CASE */ 9167 9168/* BEGIN_CASE */ 9169void ecjpake_size_macros( ) 9170{ 9171 const psa_algorithm_t alg = PSA_ALG_JPAKE; 9172 const size_t bits = 256; 9173 const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( 9174 PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, bits ); 9175 const psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR( 9176 PSA_ECC_FAMILY_SECP_R1 ); 9177 9178 // https://armmbed.github.io/mbed-crypto/1.1_PAKE_Extension.0-bet.0/html/pake.html#pake-step-types 9179 /* The output for KEY_SHARE and ZK_PUBLIC is the same as a public key */ 9180 TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 9181 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( key_type, bits ) ); 9182 TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 9183 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( key_type, bits ) ); 9184 /* The output for ZK_PROOF is the same bitsize as the curve */ 9185 TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 9186 PSA_BITS_TO_BYTES( bits ) ); 9187 9188 /* Input sizes are the same as output sizes */ 9189 TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 9190 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE) ); 9191 TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 9192 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC) ); 9193 TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 9194 PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF) ); 9195 9196 /* These inequalities will always hold even when other PAKEs are added */ 9197 TEST_LE_U( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 9198 PSA_PAKE_OUTPUT_MAX_SIZE ); 9199 TEST_LE_U( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 9200 PSA_PAKE_OUTPUT_MAX_SIZE ); 9201 TEST_LE_U( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 9202 PSA_PAKE_OUTPUT_MAX_SIZE ); 9203 TEST_LE_U( PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), 9204 PSA_PAKE_INPUT_MAX_SIZE ); 9205 TEST_LE_U( PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), 9206 PSA_PAKE_INPUT_MAX_SIZE ); 9207 TEST_LE_U( PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), 9208 PSA_PAKE_INPUT_MAX_SIZE ); 9209} 9210/* END_CASE */ 9211