From 0e9e4422abc2853e5af4a54384a29aac61037fc1 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Thu, 15 Dec 2022 22:14:28 +0100
Subject: [PATCH 01/10] NotSupported is specifically about key types
Rename NotSupported to KeyTypeNotSupported, because it's only about testing key management. For algorithms, not-supported is handled by OpFail.
Signed-off-by: Gilles Peskine
---
 tests/scripts/generate_psa_tests.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py
index b271048433..3cb3ed98ee 100755
--- a/tests/scripts/generate_psa_tests.py
+++ b/tests/scripts/generate_psa_tests.py
@@ -151,8 +151,8 @@ def test_case_for_key_type_not_supported(
 tc.set_arguments([key_type] + list(args))
 return tc
-class NotSupported:
- """Generate test cases for when something is not supported."""
+class KeyTypeNotSupported:
+ """Generate test cases for when a key type is not supported."""
 def __init__(self, info: Information) -> None:
 self.constructors = info.constructors
@@ -900,7 +900,7 @@ class PSATestGenerator(test_data_generation.TestGenerator):
 'test_suite_psa_crypto_generate_key.generated':
 lambda info: KeyGenerate(info).test_cases_for_key_generation(),
 'test_suite_psa_crypto_not_supported.generated':
- lambda info: NotSupported(info).test_cases_for_not_supported(),
+ lambda info: KeyTypeNotSupported(info).test_cases_for_not_supported(),
 'test_suite_psa_crypto_op_fail.generated':
 lambda info: OpFail(info).all_test_cases(),
 'test_suite_psa_crypto_storage_format.current':
From ecaa7ca507c7498ccc8b1966ff5e8d7d0f671a87 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Thu, 15 Dec 2022 22:16:00 +0100
Subject: [PATCH 02/10] Add missing supported algorithm to psa/crypto_config.h
The following shell command lists features that seem to be supported, but are missing from include/psa/crypto_config.h:
```
for x in $(grep -ho -Ew '(PSA_WANT|MBEDTLS_PSA_BUILTIN)_\w+_\w+' library/psa_crypto*.c | sed 's/^MBEDTLS_PSA_BUILTIN/PSA_WANT/' | sort -u); do grep -qw $x include/psa/crypto_config.h || echo $x; done
```
This looks for PSA_WANT__ macros that gate a part of the library, as well as their MBEDTLS_PSA_BUILTIN__ counterparts. This is not necessarily a complete list of identifiers that must appear in the config file, since a few features are not gated.
Signed-off-by: Gilles Peskine
---
 ChangeLog.d/crypto_config_ccm_star.txt | 3 +++
 include/psa/crypto_config.h | 1 +
 2 files changed, 4 insertions(+)
 create mode 100644 ChangeLog.d/crypto_config_ccm_star.txt
diff --git a/ChangeLog.d/crypto_config_ccm_star.txt b/ChangeLog.d/crypto_config_ccm_star.txt
new file mode 100644
index 0000000000..947014ae38
--- /dev/null
+++ b/ChangeLog.d/crypto_config_ccm_star.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
+ be toggled with config.py.
diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h
index 5ab4fdef3a..7399a62200 100644
--- a/include/psa/crypto_config.h
+++ b/include/psa/crypto_config.h
@@ -57,6 +57,7 @@
 #define PSA_WANT_ALG_CBC_NO_PADDING 1
 #define PSA_WANT_ALG_CBC_PKCS7 1
 #define PSA_WANT_ALG_CCM 1
+#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1
 #define PSA_WANT_ALG_CMAC 1
 #define PSA_WANT_ALG_CFB 1
 #define PSA_WANT_ALG_CHACHA20_POLY1305 1
From 72f41562f2125513aa70ffcc1ab458342d8e517e Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Thu, 15 Dec 2022 22:41:34 +0100
Subject: [PATCH 03/10] Refactoring: new method Algorithm.is_valid_for_operation
No intended behavior change.
Signed-off-by: Gilles Peskine
---
 scripts/mbedtls_dev/crypto_knowledge.py | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/scripts/mbedtls_dev/crypto_knowledge.py b/scripts/mbedtls_dev/crypto_knowledge.py
index 1a033210bc..a56c8638e8 100644
--- a/scripts/mbedtls_dev/crypto_knowledge.py
+++ b/scripts/mbedtls_dev/crypto_knowledge.py
@@ -214,9 +214,7 @@ class KeyType:
 This function does not currently handle key derivation or PAKE.
 """
 #pylint: disable=too-many-branches,too-many-return-statements
- if alg.is_wildcard:
- return False
- if alg.is_invalid_truncation():
+ if not alg.is_valid_for_operation():
 return False
 if self.head == 'HMAC' and alg.head == 'HMAC':
 return True
@@ -498,6 +496,19 @@ class Algorithm:
 return True
 return False
+ def is_valid_for_operation(self) -> bool:
+ """Whether this algorithm construction is valid for an operation.
+
+ This function assumes that the algorithm is constructed in a
+ "grammatically" correct way, and only rejects semantically invalid
+ combinations.
+ """
+ if self.is_wildcard:
+ return False
+ if self.is_invalid_truncation():
+ return False
+ return True
+
 def can_do(self, category: AlgorithmCategory) -> bool:
 """Whether this algorithm can perform operations in the given category.
 """
From cafda872f3ace6620bd926e8ced2fe81cd905d3e Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Thu, 15 Dec 2022 23:03:19 +0100
Subject: [PATCH 04/10] Fix documentation
Signed-off-by: Gilles Peskine
---
 tests/scripts/generate_psa_tests.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py
index 3cb3ed98ee..171292ba70 100755
--- a/tests/scripts/generate_psa_tests.py
+++ b/tests/scripts/generate_psa_tests.py
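Review bot: The body of the new is_valid_for_operation() in the second hunk spells one predicate out as two guards plus a trailing `return True`; `return not (self.is_wildcard or self.is_invalid_truncation())` states the same contract in a single line and is the form a reader of KeyType.can_do (first hunk, whose body continues outside the hunk) will expect when they follow the call. The docstring could also list the two conditions it currently rejects, since "semantically invalid combinations" on its own does not tell a caller what is and is not covered, e.g. `Currently rejects wildcard algorithms and invalid MAC/AEAD truncations.`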
@@ -522,7 +522,7 @@ class StorageFormat:
 key_type: psa_storage.Expr, bits: int, alg: psa_storage.Expr ) -> bool:
- """Whether to the given key with the given algorithm.
+ """Whether to exercise the given key with the given algorithm.
 Normally only the type and algorithm matter for compatibility, and this is handled in crypto_knowledge.KeyType.can_do(). This function
From bba263054925b0ac1c8b18e84a905daf0b088e95 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Thu, 15 Dec 2022 23:25:17 +0100
Subject: [PATCH 05/10] Add ECJPAKE secret input types to psa/crypto_config.h
Add PSA_WANT_KEY_TYPE_PASSWORD and PSA_WANT_KEY_TYPE_PASSWORD_HASH to psa/crypto_config.h, since the types PSA_KEY_TYPE_PASSWORD and PSA_KEY_TYPE_PASSWORD_HASH are used by ECJPAKE. The two key types are always enabled, like PSA_KEY_TYPE_DERIVE. Add the key types to the metadata test suite as well.
Signed-off-by: Gilles Peskine
---
 include/mbedtls/config_psa.h | 2 ++
 include/psa/crypto_config.h | 2 ++
 tests/scripts/generate_psa_tests.py | 2 ++
 tests/suites/test_suite_psa_crypto_metadata.data | 6 ++++++
 4 files changed, 12 insertions(+)
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index 09bc32c730..48b2d3209e 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -843,6 +843,8 @@ extern "C" {
 /* These features are always enabled. */
 #define PSA_WANT_KEY_TYPE_DERIVE 1
+#define PSA_WANT_KEY_TYPE_PASSWORD 1
+#define PSA_WANT_KEY_TYPE_PASSWORD_HASH 1
 #define PSA_WANT_KEY_TYPE_RAW_DATA 1
 #ifdef __cplusplus
diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h
index 7399a62200..e68fac8b44 100644
--- a/include/psa/crypto_config.h
+++ b/include/psa/crypto_config.h
@@ -116,6 +116,8 @@
 #define PSA_WANT_ECC_SECP_R1_521 1
 #define PSA_WANT_KEY_TYPE_DERIVE 1
+#define PSA_WANT_KEY_TYPE_PASSWORD 1
+#define PSA_WANT_KEY_TYPE_PASSWORD_HASH 1
 #define PSA_WANT_KEY_TYPE_HMAC 1
 #define PSA_WANT_KEY_TYPE_AES 1
 #define PSA_WANT_KEY_TYPE_ARIA 1
diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py
index 171292ba70..d503aa846b 100755
--- a/tests/scripts/generate_psa_tests.py
+++ b/tests/scripts/generate_psa_tests.py
@@ -159,6 +159,8 @@ class KeyTypeNotSupported:
 ALWAYS_SUPPORTED = frozenset([
 'PSA_KEY_TYPE_DERIVE',
+ 'PSA_KEY_TYPE_PASSWORD',
+ 'PSA_KEY_TYPE_PASSWORD_HASH',
 'PSA_KEY_TYPE_RAW_DATA',
 'PSA_KEY_TYPE_HMAC'
 ])
diff --git a/tests/suites/test_suite_psa_crypto_metadata.data b/tests/suites/test_suite_psa_crypto_metadata.data
index bf5f04e4f5..aba5127419 100644
--- a/tests/suites/test_suite_psa_crypto_metadata.data
+++ b/tests/suites/test_suite_psa_crypto_metadata.data
@@ -339,6 +339,12 @@ key_type:PSA_KEY_TYPE_HMAC:KEY_TYPE_IS_UNSTRUCTURED
 Key type: secret for key derivation
 key_type:PSA_KEY_TYPE_DERIVE:KEY_TYPE_IS_UNSTRUCTURED
+Key type: password
+key_type:PSA_KEY_TYPE_PASSWORD:KEY_TYPE_IS_UNSTRUCTURED
+
+Key type: password hash
+key_type:PSA_KEY_TYPE_PASSWORD_HASH:KEY_TYPE_IS_UNSTRUCTURED
+
 Block cipher key type: AES
 depends_on:PSA_WANT_KEY_TYPE_AES
 block_cipher_key_type:PSA_KEY_TYPE_AES:16
From 763ffdd2a6fc96d41c0865a3c53ca8f50b829dc8 Mon Sep 17 00:00:00 2001
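Review bot: The two entries added to ALWAYS_SUPPORTED in the generate_psa_tests.py hunk duplicate the "These features are always enabled" list that this same patch extends in include/mbedtls/config_psa.h, yet neither file says that the two lists must move together, so the next key type added on one side will silently drift from the other. A comment on the set would record the coupling, e.g. `# Key types that include/mbedtls/config_psa.h enables unconditionally; keep in sync with the "always enabled" block there.` The KeyTypeNotSupported class that owns this set begins and continues outside the hunk.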
From: Gilles Peskine
Date: Thu, 15 Dec 2022 23:27:38 +0100
Subject: [PATCH 06/10] Add metadata test case for PSA_ALG_CCM_STAR_NO_TAG
The following shell command (requiring GNU grep) looks for algorithms and key types, as well as IS and GET macros, that lack metadata tests:
```
for x in $(grep -Pho '(?<=^#define )PSA_(ALG|KEY_TYPE)_(?!CATEGORY_|NONE\b|\w+_(BASE|FLAG|MASK|CASE))\w+' include/psa/crypto_values.h include/psa/crypto_extra.h); do grep -qw $x tests/suites/test_suite_psa_crypto_metadata.* || echo $x; done
```
This may have false negatives: it only checks that the constants are mentioned at least once, not that the tests are written correctly.
This has false positives:
* Types and algorithms that Mbed TLS does not support.
* PSA_ALG_ECDSA_IS_DETERMINISTIC, PSA_ALG_DSA_IS_DETERMINISTIC are peculiar auxiliary macros that only apply to very specific algorithms and aren't tested like the other IS macros.
Signed-off-by: Gilles Peskine
---
 tests/suites/test_suite_psa_crypto_metadata.data | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tests/suites/test_suite_psa_crypto_metadata.data b/tests/suites/test_suite_psa_crypto_metadata.data
index aba5127419..dbb5791536 100644
--- a/tests/suites/test_suite_psa_crypto_metadata.data
+++ b/tests/suites/test_suite_psa_crypto_metadata.data
@@ -118,6 +118,10 @@ Cipher: XTS
 depends_on:PSA_WANT_ALG_XTS:MBEDTLS_CIPHER_C
 cipher_algorithm:PSA_ALG_XTS:0
+Cipher: CCM*
+depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG
+cipher_algorithm:PSA_ALG_CCM_STAR_NO_TAG:ALG_IS_STREAM_CIPHER
+
 AEAD: CCM-AES-128
 depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM
 aead_algorithm:PSA_ALG_CCM:ALG_IS_AEAD_ON_BLOCK_CIPHER:16:PSA_KEY_TYPE_AES:128
From 4db02f2324cfecfef932c5e6226e06f68e19764a Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Fri, 16 Dec 2022 01:05:58 +0100
Subject: [PATCH 07/10] Add SECRET input validation test cases for PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
Signed-off-by: Gilles Peskine
---
 tests/suites/test_suite_psa_crypto.data | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 9ced77c2bf..c3561420b7 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -5080,6 +5080,22 @@ PSA key derivation: ECDH on P256 with HKDF-SHA256, missing info depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 derive_input:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":PSA_SUCCESS:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE +PSA key derivation: TLS12_ECJPAKE_TO_PMS, good input, output too short +depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +derive_input:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"04aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_SUCCESS:0:UNUSED:"":UNUSED:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_INVALID_ARGUMENT + +PSA key derivation: TLS12_ECJPAKE_TO_PMS, input[0]=0x02 +depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +derive_input:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"02aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ERROR_INVALID_ARGUMENT:0:UNUSED:"":UNUSED:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE + +PSA key derivation: TLS12_ECJPAKE_TO_PMS, input too short +depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +derive_input:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"04aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ERROR_INVALID_ARGUMENT:0:UNUSED:"":UNUSED:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE + +PSA key derivation: TLS12_ECJPAKE_TO_PMS, input too long 
+depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +derive_input:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"04aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ERROR_INVALID_ARGUMENT:0:UNUSED:"":UNUSED:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE + PSA key derivation over capacity: HKDF depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_over_capacity:PSA_ALG_HKDF(PSA_ALG_SHA_256) From 2566679eb81770de2dac2c2757846239eda18621 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 15 Dec 2022 23:27:57 +0100 Subject: [PATCH 08/10] Add metadata test case for PSA_ALG_TLS12_ECJPAKE_TO_PMS Signed-off-by: Gilles Peskine --- tests/suites/test_suite_psa_crypto_metadata.data | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_metadata.data b/tests/suites/test_suite_psa_crypto_metadata.data index dbb5791536..bbd5017850 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.data +++ b/tests/suites/test_suite_psa_crypto_metadata.data @@ -290,6 +290,10 @@ Key derivation: HKDF-Expand using SHA-384 depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_384 key_derivation_algorithm:PSA_ALG_HKDF_EXPAND( PSA_ALG_SHA_384 ):ALG_IS_HKDF_EXPAND +Key derivation: TLS1.2 ECJPAKE-to-PMS +depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +key_derivation_algorithm:PSA_ALG_TLS12_ECJPAKE_TO_PMS:0 + Key derivation: TLS 1.2 PRF using SHA-256 depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF key_derivation_algorithm:PSA_ALG_TLS12_PRF( PSA_ALG_SHA_256 ):ALG_IS_TLS12_PRF From f6c6b64be2a4d836ab1585e2f64bbc999b563e8e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 16 Dec 2022 00:20:50 +0100 Subject: [PATCH 09/10] A key agreement cannot be chained with PSA_ALG_TLS12_ECJPAKE_TO_PMS Test accordingly. 
Signed-off-by: Gilles Peskine
---
 scripts/mbedtls_dev/crypto_knowledge.py | 35 ++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 6 deletions(-)
diff --git a/scripts/mbedtls_dev/crypto_knowledge.py b/scripts/mbedtls_dev/crypto_knowledge.py
index a56c8638e8..3029c801d3 100644
--- a/scripts/mbedtls_dev/crypto_knowledge.py
+++ b/scripts/mbedtls_dev/crypto_knowledge.py
@@ -246,6 +246,8 @@ class KeyType:
 # So a public key object with a key agreement algorithm is not
 # a valid combination.
 return False
+ if alg.is_invalid_key_agreement_with_derivation():
+ return False
 if self.head == 'ECC':
 assert self.params is not None
 eccc = EllipticCurveCategory.from_family(self.params[0])
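Review bot: The new rejection in KeyType.can_do depends only on `alg`, yet it is placed after the key-type-specific public-key branch instead of in Algorithm.is_valid_for_operation(), which patch 03 of this series introduced to hold exactly the algorithm-only semantic checks and which this method already calls at its top. Moving `if self.is_invalid_key_agreement_with_derivation(): return False` into is_valid_for_operation() would give every caller of that method the same verdict rather than only this one; if some caller must keep accepting the combination, a comment here saying why is worth adding. can_do begins and ends outside this hunk.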
@@ -412,17 +414,38 @@ class Algorithm:
 self.category = self.determine_category(self.base_expression, self.head)
 self.is_wildcard = self.determine_wildcard(self.expression)
- def is_key_agreement_with_derivation(self) -> bool:
- """Whether this is a combined key agreement and key derivation algorithm."""
+ def get_key_agreement_derivation(self) -> Optional[str]:
+ """For a combined key agreement and key derivation algorithm, get the derivation part.
+
+ For anything else, return None.
+ """
 if self.category != AlgorithmCategory.KEY_AGREEMENT:
- return False
+ return None
 m = re.match(r'PSA_ALG_KEY_AGREEMENT\(\w+,\s*(.*)\)\Z', self.expression)
 if not m:
- return False
+ return None
 kdf_alg = m.group(1)
 # Assume kdf_alg is either a valid KDF or 0.
- return not re.match(r'(?:0[Xx])?0+\s*\Z', kdf_alg)
+ if re.match(r'(?:0[Xx])?0+\s*\Z', kdf_alg):
+ return None
+ return kdf_alg
+ KEY_DERIVATIONS_INCOMPATIBLE_WITH_AGREEMENT = frozenset([
+ 'PSA_ALG_TLS12_ECJPAKE_TO_PMS', # secret input in specific format
+ ])
+ def is_valid_key_agreement_with_derivation(self) -> bool:
+ """Whether this is a valid combined key agreement and key derivation algorithm."""
+ kdf_alg = self.get_key_agreement_derivation()
+ if kdf_alg is None:
+ return False
+ return kdf_alg not in self.KEY_DERIVATIONS_INCOMPATIBLE_WITH_AGREEMENT
+
+ def is_invalid_key_agreement_with_derivation(self) -> bool:
+ """Whether this is an invalid combined key agreement and key derivation algorithm."""
+ kdf_alg = self.get_key_agreement_derivation()
+ if kdf_alg is None:
+ return False
+ return kdf_alg in self.KEY_DERIVATIONS_INCOMPATIBLE_WITH_AGREEMENT
 def short_expression(self, level: int = 0) -> str:
 """Abbreviate the expression, keeping it human-readable.
@@ -515,7 +538,7 @@ class Algorithm:
 if category == self.category:
 return True
 if category == AlgorithmCategory.KEY_DERIVATION and \
- self.is_key_agreement_with_derivation():
+ self.is_valid_key_agreement_with_derivation():
 return True
 return False
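Review bot: get_key_agreement_derivation() returns the raw `(.*)` capture up to the closing parenthesis, and both new predicates then test it against KEY_DERIVATIONS_INCOMPATIBLE_WITH_AGREEMENT by exact string; the pre-existing zero check tolerates trailing whitespace via `\s*\Z`, but the frozenset lookup does not, so an expression spelled `PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_TLS12_ECJPAKE_TO_PMS )` would come back as a valid chaining. Normalising once with `kdf_alg = m.group(1).strip()` closes that gap, assuming such spacing can occur in the expressions this class is fed. Separately, as the diff reads here the frozenset sits between two methods with no blank line before `def is_valid_key_agreement_with_derivation`; class constants are conventionally grouped at the top of the class with a blank line on either side. The second hunk's Algorithm.can_do only swaps in the new name.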
From bb3814c7a80ba7a3c80634676a882b02e616cb39 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Fri, 16 Dec 2022 01:12:12 +0100
Subject: [PATCH 10/10] Reject key agreement chained with PSA_ALG_TLS12_ECJPAKE_TO_PMS
The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be used on a shared secret from a key agreement since its input must be an ECC public key. Reject this properly. This is tested by test_suite_psa_crypto_op_fail.generated.
Signed-off-by: Gilles Peskine
---
 .../psa_alg_tls12_ecjpake_to_pms-reject_ka.txt | 4 ++++
 library/psa_crypto.c | 15 +++++++++++++++
 2 files changed, 19 insertions(+)
 create mode 100644 ChangeLog.d/psa_alg_tls12_ecjpake_to_pms-reject_ka.txt
diff --git a/ChangeLog.d/psa_alg_tls12_ecjpake_to_pms-reject_ka.txt b/ChangeLog.d/psa_alg_tls12_ecjpake_to_pms-reject_ka.txt
new file mode 100644
index 0000000000..cfea661365
--- /dev/null
+++ b/ChangeLog.d/psa_alg_tls12_ecjpake_to_pms-reject_ka.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
+ used on a shared secret from a key agreement since its input must be
+ an ECC public key. Reject this properly.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 0a8949fdad..a683fdb8f7 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -5168,6 +5168,18 @@ static psa_status_t psa_key_agreement_try_support(psa_algorithm_t alg)
 (void) alg;
 return PSA_ERROR_NOT_SUPPORTED;
 }
+
+static int psa_key_derivation_allows_free_form_secret_input(
+ psa_algorithm_t kdf_alg)
+{
+#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
+ if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
+ return 0;
+ }
+#endif
+ (void) kdf_alg;
+ return 1;
+}
 #endif /* AT_LEAST_ONE_BUILTIN_KDF */
 psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t *operation,
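Review bot: psa_key_derivation_allows_free_form_secret_input() is added without a comment saying what a "free-form" secret input is or why PSA_ALG_TLS12_ECJPAKE_TO_PMS is the one exception, and the same knowledge now also lives in KEY_DERIVATIONS_INCOMPATIBLE_WITH_AGREEMENT in scripts/mbedtls_dev/crypto_knowledge.py (patch 09) with no cross-reference in either direction. A short header comment above the function would help: say that it returns 1 when the KDF accepts an arbitrary byte string, such as a key agreement's shared secret, as its SECRET input, and 0 when the input must have a specific structure (an ECC public key for PSA_ALG_TLS12_ECJPAKE_TO_PMS, per the commit message), and name the Python list that the generated op_fail tests derive from so the two stay in sync.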
@@ -5189,6 +5201,9 @@ psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t *operation,
 if (status != PSA_SUCCESS) {
 return status;
 }
+ if (!psa_key_derivation_allows_free_form_secret_input(kdf_alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
 status = psa_key_derivation_setup_kdf(operation, kdf_alg);
 #else
 return PSA_ERROR_NOT_SUPPORTED;
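Review bot: The status returned here depends on the build configuration: with PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS disabled, the helper added in the first hunk returns 1 for every algorithm, so the chained algorithm falls through to psa_key_derivation_setup_kdf() and presumably reports PSA_ERROR_NOT_SUPPORTED rather than the PSA_ERROR_INVALID_ARGUMENT the changelog promises. If PSA_ALG_TLS12_ECJPAKE_TO_PMS is usable as a constant regardless of configuration, dropping the `#if defined(...)` guard around the comparison in the helper would make the rejection configuration-independent; otherwise a comment next to this check noting that the error code differs in builds without the KDF would spare the next reader a surprise when the generated op_fail test is run across configurations. psa_key_derivation_setup() begins before this hunk and continues after it.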