From 656b2595fba43254cc9366bd370b38100b9d39c3 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 22 Mar 2023 13:15:33 +0100 Subject: [PATCH 1/5] psa_pake_input: validate buffer size using PSA_PAKE_INPUT_SIZE Signed-off-by: Przemek Stekiel --- include/psa/crypto_extra.h | 4 +++- library/psa_crypto.c | 6 +++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 4920508d7b..0e2d57ce2c 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1960,7 +1960,7 @@ psa_status_t psa_pake_abort(psa_pake_operation_t *operation); /** Returns a suitable initializer for a PAKE operation object of type * psa_pake_operation_t. */ -#define PSA_PAKE_OPERATION_INIT { 0, PSA_ALG_NONE, PSA_PAKE_OPERATION_STAGE_SETUP, \ +#define PSA_PAKE_OPERATION_INIT { 0, PSA_ALG_NONE, 0, PSA_PAKE_OPERATION_STAGE_SETUP, \ { 0 }, { { 0 } } } struct psa_pake_cipher_suite_s { @@ -2106,6 +2106,8 @@ struct psa_pake_operation_s { unsigned int MBEDTLS_PRIVATE(id); /* Algorithm of the PAKE operation */ psa_algorithm_t MBEDTLS_PRIVATE(alg); + /* A primitive of type compatible with algorithm */ + psa_pake_primitive_t MBEDTLS_PRIVATE(primitive); /* Stage of the PAKE operation: waiting for the setup, collecting inputs * or computing. */ uint8_t MBEDTLS_PRIVATE(stage); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index bc19ed07c7..049edfcac1 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7323,6 +7323,8 @@ psa_status_t psa_pake_setup( memset(&operation->data.inputs, 0, sizeof(operation->data.inputs)); operation->alg = cipher_suite->algorithm; + operation->primitive = PSA_PAKE_PRIMITIVE(cipher_suite->type, + cipher_suite->family, cipher_suite->bits); operation->data.inputs.cipher_suite = *cipher_suite; #if defined(PSA_WANT_ALG_JPAKE) @@ -7920,7 +7922,9 @@ psa_status_t psa_pake_input( goto exit; } - if (input_length == 0 || input_length > PSA_PAKE_INPUT_MAX_SIZE) { + if (input_length == 0 || input_length > PSA_PAKE_INPUT_SIZE(operation->alg, + operation->primitive, + step)) { status = PSA_ERROR_INVALID_ARGUMENT; goto exit; } From 69aba90e5badc34b1bc8b188a5b179d6fba6d6d3 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 22 Mar 2023 13:16:35 +0100 Subject: [PATCH 2/5] Add tests case for step with different buffer size Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_psa_crypto_pake.data | 6 +++++- tests/suites/test_suite_psa_crypto_pake.function | 6 ++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data index 62157037d1..c467d01b71 100644 --- a/tests/suites/test_suite_psa_crypto_pake.data +++ b/tests/suites/test_suite_psa_crypto_pake.data @@ -82,10 +82,14 @@ PSA PAKE: invalid first input step depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"client":"server":1:ERR_INJECT_INVALID_FIRST_STEP:PSA_ERROR_BAD_STATE -PSA PAKE: input buffer too large +PSA PAKE: input buffer too large #1 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"client":"server":1:ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_INVALID_ARGUMENT +PSA PAKE: input buffer too large #2 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"client":"server":1:ERR_INJECT_WRONG_BUFFER_SIZE_2:PSA_ERROR_INVALID_ARGUMENT + PSA PAKE: invalid output depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"client":"server":0:ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index 88f24dd55b..ecbd36324b 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function @@ -17,6 +17,7 @@ typedef enum { ERR_INJECT_UNKNOWN_STEP, ERR_INJECT_INVALID_FIRST_STEP, ERR_INJECT_WRONG_BUFFER_SIZE, + ERR_INJECT_WRONG_BUFFER_SIZE_2, ERR_INJECT_VALID_OPERATION_AFTER_FAILURE, ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1, ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2, @@ -670,6 +671,11 @@ void ecjpake_setup(int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, output_buffer, size_zk_public + 1), ERR_INJECT_WRONG_BUFFER_SIZE); + SETUP_CONDITIONAL_CHECK_STEP(psa_pake_input(&operation, + PSA_PAKE_STEP_ZK_PROOF, + output_buffer, size_zk_proof + 1), + ERR_INJECT_WRONG_BUFFER_SIZE_2); + SETUP_CONDITIONAL_CHECK_STEP( (psa_pake_input(&operation, PSA_PAKE_STEP_ZK_PUBLIC, output_buffer, size_zk_public + 1), From fa1754e9efb6bde7378dceb58cd6c76e2cd03410 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 22 Mar 2023 13:18:57 +0100 Subject: [PATCH 3/5] Update documentation of psa_pake_input Signed-off-by: Przemek Stekiel --- docs/proposed/psa-driver-interface.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md index 0027ec7662..cd1b9fc389 100644 --- a/docs/proposed/psa-driver-interface.md +++ b/docs/proposed/psa-driver-interface.md @@ -474,7 +474,8 @@ For `PSA_ALG_JPAKE` the following steps are available for input operation: * `PSA_JPAKE_X4S_STEP_ZK_PUBLIC`    Round 2: input Schnorr NIZKP public key for the X4S key * `PSA_JPAKE_X4S_STEP_ZK_PROOF`     Round 2: input Schnorr NIZKP proof for the X4S key -The core checks that input_length is smaller than PSA_PAKE_INPUT_MAX_SIZE. +The core checks that `input_length` is not greater than `PSA_PAKE_INPUT_SIZE(alg, prim, step)` and +the driver can rely on that. ### PAKE driver get implicit key From 256c75df90e4d88fc624dd7d88dbbfa89210353c Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 23 Mar 2023 14:09:34 +0100 Subject: [PATCH 4/5] Fix signed/unsigned comparison (windows compilation failure) Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 049edfcac1..e2e0cb849d 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7909,6 +7909,9 @@ psa_status_t psa_pake_input( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID; + const size_t max_input_length = (size_t) PSA_PAKE_INPUT_SIZE(operation->alg, + operation->primitive, + step); if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { status = psa_pake_complete_inputs(operation); @@ -7922,9 +7925,8 @@ psa_status_t psa_pake_input( goto exit; } - if (input_length == 0 || input_length > PSA_PAKE_INPUT_SIZE(operation->alg, - operation->primitive, - step)) { + + if (input_length == 0 || input_length > max_input_length) { status = PSA_ERROR_INVALID_ARGUMENT; goto exit; } From 7921a03425eb50317949807184690b4cda2a4320 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Fri, 14 Apr 2023 14:29:57 +0200 Subject: [PATCH 5/5] Add claryfication for PSA_PAKE_INPUT/OUTPUT_MAX_SIZE macros Signed-off-by: Przemek Stekiel --- include/psa/crypto_extra.h | 6 ++++++ library/psa_crypto.c | 1 - 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 0e2d57ce2c..56fe1d3036 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1939,6 +1939,9 @@ psa_status_t psa_pake_abort(psa_pake_operation_t *operation); * * This macro must expand to a compile-time constant integer. * + * The value of this macro must be at least as large as the largest value + * returned by PSA_PAKE_OUTPUT_SIZE() + * * See also #PSA_PAKE_OUTPUT_SIZE(\p alg, \p primitive, \p step). */ #define PSA_PAKE_OUTPUT_MAX_SIZE 65 @@ -1948,6 +1951,9 @@ psa_status_t psa_pake_abort(psa_pake_operation_t *operation); * * This macro must expand to a compile-time constant integer. * + * The value of this macro must be at least as large as the largest value + * returned by PSA_PAKE_INPUT_SIZE() + * * See also #PSA_PAKE_INPUT_SIZE(\p alg, \p primitive, \p step). */ #define PSA_PAKE_INPUT_MAX_SIZE 65 diff --git a/library/psa_crypto.c b/library/psa_crypto.c index e2e0cb849d..e5a855bf40 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7925,7 +7925,6 @@ psa_status_t psa_pake_input( goto exit; } - if (input_length == 0 || input_length > max_input_length) { status = PSA_ERROR_INVALID_ARGUMENT; goto exit;