From 31cbbefde822cb2e2099e6c1d6b7013cdbb8b941 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Apr 2021 11:18:25 +0200 Subject: [PATCH 01/37] PSA PBKDF2: add new key types MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Question to reviewers: regarding the numeric values, I'm not sure I've incremented the right byte/nibble. Should this be 0x1201, 0x1202 instead, or something else? Is there a convention I should be aware of? Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_values.h | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 5e865c9315..2c247d068b 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -414,6 +414,20 @@ */ #define PSA_KEY_TYPE_DERIVE ((psa_key_type_t)0x1200) +/** A low-entropy secret for password hashing or key derivation. + * + * The key policy determines which key derivation algorithm the key + * can be used for. + */ +#define PSA_KEY_TYPE_PASSWORD ((psa_key_type_t)0x1300) + +/** A secret value that can be mixed in when doing password hashing. + * + * The key policy determines which key derivation algorithm the key + * can be used for. + */ +#define PSA_KEY_TYPE_PEPPER ((psa_key_type_t)0x1400) + /** Key for a cipher, AEAD or MAC algorithm based on the AES block cipher. * * The size of the key can be 16 bytes (AES-128), 24 bytes (AES-192) or From 759438cfce865317382c321cbc5d36ab285b067b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Apr 2021 11:18:53 +0200 Subject: [PATCH 02/37] PSA PBKDF2: add new policies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The documentation references functions that will be introduced in later commits, but hopefully from the naming it's already clear what those function will do. 
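Review bot: `PSA_KEY_TYPE_PASSWORD` as `0x1300` looks inconsistent with the existing key type encoding, which, if I read the PSA convention correctly, keeps an even number of set bits in every valid key type value. The neighbouring `0x1200` for `PSA_KEY_TYPE_DERIVE` has two set bits, whereas `0x1300` has three; `0x1400` for `PSA_KEY_TYPE_PEPPER` has two and would pass. This bears on the question in the commit message: staying in the `0x12xx` derivation family with an even-parity low byte (for example `0x1203`, a constructed suggestion to be checked against the specification) would follow that convention. Whatever values are chosen, a one-line comment stating the encoding rule next to these defines would stop the next addition from guessing.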
Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_values.h | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 2c247d068b..840be8b6cf 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2097,10 +2097,38 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) */ #define PSA_KEY_USAGE_VERIFY_HASH ((psa_key_usage_t)0x00002000) -/** Whether the key may be used to derive other keys. +/** Whether the key may be used to derive other keys or produce a password + * hash. + * + * This flag allows the key to be used as the input of + * psa_key_derivation_input_key() at the step + * #PSA_KEY_DERIVATION_INPUT_SECRET of #PSA_KEY_DERIVATION_INPUT_PASSWORD + * depending on the algorithm, and allows the use of + * psa_key_derivation_output_bytes() or psa_key_derivation_output_key() + * at the end of the operation. */ #define PSA_KEY_USAGE_DERIVE ((psa_key_usage_t)0x00004000) +/** Whether the key may be used to produce a password hash and verify it + * against an expected value. + * + * This flag allows the key to be used as the input of + * psa_key_derivation_input_key() at the step + * #PSA_KEY_DERIVATION_INPUT_SECRET of #PSA_KEY_DERIVATION_INPUT_PASSWORD + * depending on the algorithm, and allows the use of + * psa_key_derivation_verify_output_bytes() or + * psa_key_derivation_verify_output_key() at the end of the operation. + */ +#define PSA_KEY_USAGE_PASSWORD_HASH_AND_VERITY ((psa_key_usage_t)0x00008000) + +/** Whether the key may be used to as the expected value to which a password + * hash will be compared. + * + * This flag allows key to be used as the \c key argument of + * psa_key_derivation_verify_output_key(). + */ +#define PSA_KEY_USAGE_PASSWORD_HASH_VERIFIER ((psa_key_usage_t)0x00010000) + /**@}*/ /** \defgroup derivation Key derivation 
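Review bot: Both new usage-flag comments say the key is input "at the step #PSA_KEY_DERIVATION_INPUT_SECRET of #PSA_KEY_DERIVATION_INPUT_PASSWORD", which reads as one step nested in another; the intent appears to be `#PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD`. The difference matters because these comments define which policy bit gates which input step. In the `PSA_KEY_USAGE_PASSWORD_HASH_VERIFIER` comment, "may be used to as the expected value" and "allows key to be used" should read `may be used as the expected value` and `allows the key to be used`.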
From 5a67992a619b0f09577e86481e71a014c6a6b520 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Apr 2021 11:30:11 +0200 Subject: [PATCH 03/37] PSA PBKDF2: add/update input types MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For the numeric values, I followed the apparent existing convention: - first byte is 01 for secret inputs, 02 for non-secret inputs - then second by is just incremented for each new input type The documentation references a function that will be introduced in the next commit. Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_values.h | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 840be8b6cf..4787dc1a94 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2149,6 +2149,20 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) */ #define PSA_KEY_DERIVATION_INPUT_SECRET ((psa_key_derivation_step_t)0x0101) +/** A low-entropy secret input for password hashing / key stretching. + * + * This should be a key of type #PSA_KEY_TYPE_PASSWORD or #PSA_KEY_TYPE_DERIVE + * (passed to psa_key_derivation_input_key()) + * or the shared secret resulting from a key agreement + * (obtained via psa_key_derivation_key_agreement()). + * + * The secret can also be a direct input (passed to + * key_derivation_input_bytes()). In this case, the derivation operation + * may not be used to derive keys: the operation will only allow + * psa_key_derivation_output_bytes(), not psa_key_derivation_output_key(). + */ +#define PSA_KEY_DERIVATION_INPUT_PASSWORD ((psa_key_derivation_step_t)0x0102) + /** A label for key derivation. * * This should be a direct input. 
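Review bot: The `PSA_KEY_DERIVATION_INPUT_PASSWORD` comment refers to `key_derivation_input_bytes()`, which lacks the `psa_` prefix used everywhere else in this header, so Doxygen will not link it and readers may look for a different function. It should read `psa_key_derivation_input_bytes()`. The sentence that follows restricts a directly supplied password to `psa_key_derivation_output_bytes()`, which is security-relevant, so the reference needs to resolve.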
@@ -2159,7 +2173,8 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) /** A salt for key derivation. * * This should be a direct input. - * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA. + * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA or + * #PSA_KEY_TYPE_PEPPER. */ #define PSA_KEY_DERIVATION_INPUT_SALT ((psa_key_derivation_step_t)0x0202) @@ -2177,6 +2192,12 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) */ #define PSA_KEY_DERIVATION_INPUT_SEED ((psa_key_derivation_step_t)0x0204) +/** A cost parameter for password hashing / key stretching. + * + * This must be a direct input, passed to psa_key_derivation_input_numeric(). + */ +#define PSA_KEY_DERIVATION_INPUT_COST ((psa_key_derivation_step_t)0x0205) + /**@}*/ #endif /* PSA_CRYPTO_VALUES_H */ From 22f08bcc00d066731f47adfacc5722bb774b64fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Apr 2021 11:57:34 +0200 Subject: [PATCH 04/37] PSA PBKDF2: add new input function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Note on naming: previously considered input_numeric but then thought the other two input function are "input " not "input " so decided to follow that pattern. input_int would be shorter but sounds too much like the C type, which could be confusing as that's not the type of the parameter; IMO "integer" avoids that problem. Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto.h | 42 +++++++++++++++++++++++++++++++++++++ include/psa/crypto_values.h | 2 +- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 81e1f28697..3eaaed10af 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h 
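Review bot: Accepting `#PSA_KEY_TYPE_PEPPER` at `PSA_KEY_DERIVATION_INPUT_SALT` routes a secret through a step whose value (`0x0202`) sits in what the commit message calls the non-secret `02` class. No implementation is visible here, but a core or driver that keys its handling (buffer wiping, logging, copy-out) on that class could treat the pepper like public salt. The comment should say so explicitly, for example `* A key of type #PSA_KEY_TYPE_PEPPER is secret and must be handled as such even though it is supplied at this step.`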
@@ -3290,6 +3290,48 @@ psa_status_t psa_key_derivation_input_bytes( const uint8_t *data, size_t data_length); +/** Provide a numeric input for key derivation or key agreement. + * + * Which inputs are required and in what order depends on the algorithm. + * Refer to the documentation of each key derivation or key agreement + * algorithm for information. + * + * This function is used for inputs which are small non-negative integers. + * + * If this function returns an error status, the operation enters an error + * state and must be aborted by calling psa_key_derivation_abort(). + * + * \param[in,out] operation The key derivation operation object to use. + * It must have been set up with + * psa_key_derivation_setup() and must not + * have produced any output yet. + * \param step Which step the input data is for. + * \param[in] data Input data to use. + * \param data_length Size of the \p data buffer in bytes. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \c step is not compatible with the operation's algorithm. + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \c step does not allow numeric inputs. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid for this input \p step. + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_key_derivation_input_integer( + psa_key_derivation_operation_t *operation, + psa_key_derivation_step_t step, + uint64_t value); + /** Provide an input for key derivation in the form of a key. * * Which inputs are required and in what order depends on the algorithm. 
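Review bot: None of the `\retval` entries for `psa_key_derivation_input_integer()` covers a `value` that the step or algorithm cannot accept; both `PSA_ERROR_INVALID_ARGUMENT` entries are about `step` only. The parameter is a full `uint64_t` and, per the other patches on this page, carries the password-hashing cost, so a zero or implementation-exceeding value needs a defined outcome rather than silent truncation or an unbounded computation. Consider adding `* \retval #PSA_ERROR_INVALID_ARGUMENT \c value is not valid for \c step.` and, if implementations may cap the range, `* \retval #PSA_ERROR_NOT_SUPPORTED \c value is valid but exceeds what the implementation supports.` (the choice of status codes is for the author to confirm).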
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 4787dc1a94..2565ebb985 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2194,7 +2194,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) /** A cost parameter for password hashing / key stretching. * - * This must be a direct input, passed to psa_key_derivation_input_numeric(). + * This must be a direct input, passed to psa_key_derivation_input_integer(). */ #define PSA_KEY_DERIVATION_INPUT_COST ((psa_key_derivation_step_t)0x0205) From 49325d3bcfdc5e17905d6b48732afcd9c2b01d4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Apr 2021 12:16:17 +0200 Subject: [PATCH 05/37] PSA PBKDF2: add verify-output functions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto.h | 94 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 3eaaed10af..7df4f3aa48 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h 
@@ -3643,6 +3643,100 @@ psa_status_t psa_key_derivation_output_key( psa_key_derivation_operation_t *operation, mbedtls_svc_key_id_t *key); +/** Compare output data from a key derivation operation to an expected value. + * + * This function calculates output bytes from a key derivation algorithm and + * compares those bytes to an expected value. + * If you view the key derivation's output as a stream of bytes, this + * function destructively reads the requested number of bytes from the + * stream before comparing them. + * The operation's capacity decreases by the number of bytes read. + * + * If this function returns an error status other than + * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error + * state and must be aborted by calling psa_key_derivation_abort(). + * + * \param[in,out] operation The key derivation operation object to read from. + * \param[in] expected_output Buffer where the output will be written. + * \param output_length Length ot the expected output; this is also the + * number of bytes that will be read. + * + * \retval #PSA_SUCCESS + * \retval #PSA_ERROR_INVALID_SIGNATURE + * The output was read successfully, but if differs from the expected + * output. + * \retval #PSA_ERROR_INSUFFICIENT_DATA + * The operation's capacity was less than + * \p output_length bytes. Note that in this case, + * the operation's capacity is set to 0, thus + * subsequent calls to this function will not + * succeed, even with a smaller output buffer. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must be active and completed + * all required input steps). + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). 
+ * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_key_derivation_verify_output_bytes( + psa_key_derivation_operation_t *operation, + const uint8_t *output, + size_t output_length); + +/** Compare output data from a key derivation operation to an expected value. + * + * This function calculates output bytes from a key derivation algorithm and + * compares those bytes to an expected value, provided as key of type + * #PSA_KEY_TYPE_RAW_DATA. + * If you view the key derivation's output as a stream of bytes, this + * function destructively reads the number of bytes corresponding the the + * length of the expected value from the stream before comparing them. + * The operation's capacity decreases by the number of bytes read. + * + * If this function returns an error status other than + * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error + * state and must be aborted by calling psa_key_derivation_abort(). + * + * \param[in,out] operation The key derivation operation object to read from. + * \param[in] expected A key of type #PSA_KEY_TYPE_RAW_DATA containing + * the expected output. Its policy must include the + * #PSA_KEY_USAGE_PASSWORD_HASH_VERIFIER flag. + * + * \retval #PSA_SUCCESS + * \retval #PSA_ERROR_INVALID_SIGNATURE + * The output was read successfully, but if differs from the expected + * output. + * \retval #PSA_ERROR_NOT_PERMITTED + * The key passed as the expected value does not allow this usage. + * \retval #PSA_ERROR_INSUFFICIENT_DATA + * The operation's capacity was less than + * the length of the expected value. In this case, + * the operation's capacity is set to 0, thus + * subsequent calls to this function will not + * succeed, even with a smaller output buffer. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must be active and completed + * all required input steps). 
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_key_derivation_verify_output_bytes( + psa_key_derivation_operation_t *operation, + psa_key_id_t expected); + /** Abort a key derivation operation. * * Aborting an operation frees all associated resources except for the \c From 7da57914510d70290c75018a10beb1bfc2a53e8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Apr 2021 12:53:07 +0200 Subject: [PATCH 06/37] PSA PBKDF2: add algorithm macros + description MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_values.h | 43 +++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 2565ebb985..45f1765527 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h 
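Review bot: `expected_output` is documented as "Buffer where the output will be written", but `psa_key_derivation_verify_output_bytes()` takes it as `const uint8_t *` and only compares against it. A caller following the text could pass an uninitialised buffer and expect it to be filled. It should read `\param[in] expected_output Buffer containing the expected output.`; the later description pass on this page renames the prototype parameter but keeps this sentence. In the same comment, "Length ot the expected output" and "but if differs" should be `Length of` and `but it differs`.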
@@ -1681,6 +1681,49 @@ #define PSA_ALG_TLS12_PSK_TO_MS_GET_HASH(hkdf_alg) \ (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK)) +#define PSA_ALG_PBKDF2_HMAC_BASE ((psa_algorithm_t)0x08008100) +/** Macro to build a PBKDF2-HMAC algorithm. + * + * PBKDF2 is defined by PKCS#5, republished as RFC 8018 (section 5.2). + * It can use on of several PRFs internally; this macro is used when that PRF + * is based on HMAC with a given hash. + * + * For example, `PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA256)` represents PBKDF2 + * using HMAC-SHA-256 as the internal PRF. + * + * This key derivation algorithm uses the following inputs: + * - #PSA_KEY_DERIVATION_INPUT_PASSWORD is the password to be hashed + * - #PSA_KEY_DERIVATION_INPUT_SALT is (part of) the salt (see note below) + * - #PSA_KEY_DERIVATION_INPUT_COST is the iteration count + * + * Note: if multiple salt inputs are passed, they will be concatenated by the + * implementation in order to produce the salt that will be passed to the + * algorithm. This allows building the salt from multiple inputs, both public + * and secret (also known as pepper). + * + * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that + * #PSA_ALG_IS_HASH(\p hash_alg) is true). + * + * \return The corresponding PBKDF2-HMAC-XXX algorithm. + * \return Unspecified if \p hash_alg is not a supported + * hash algorithm. + */ +#define PSA_ALG_PBKDF2_HMAC(hash_alg) \ + (PSA_ALG_PBKDF2_HMAC_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) + +/** Whether the specified algorithm is a PBKDF2-HMAC algorithm. + * + * \param alg An algorithm identifier (value of type #psa_algorithm_t). + * + * \return 1 if \c alg is a PBKDF2-HMAC algorithm, 0 otherwise. + * This macro may return either 0 or 1 if \c alg is not a supported + * key derivation algorithm identifier. 
+ */ +#define PSA_ALG_IS_PBKDF2_HMAC(alg) \ + (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_PBKDF2_HMAC_BASE) +#define PSA_ALG_PBKDF2_HMAC_GET_HASH(hkdf_alg) \ + (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK)) + #define PSA_ALG_KEY_DERIVATION_MASK ((psa_algorithm_t)0xfe00ffff) #define PSA_ALG_KEY_AGREEMENT_MASK ((psa_algorithm_t)0xffff0000) From 234b1ecace84103c58488619afa9cb8050526541 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Apr 2021 13:07:21 +0200 Subject: [PATCH 07/37] PSA PBKDF2: add "stretching" sub-category of key derivation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_values.h | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 45f1765527..38eb421afd 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h 
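Review bot: The salt note in the `PSA_ALG_PBKDF2_HMAC` comment says multiple inputs "will be concatenated" without stating the order or the framing. With plain concatenation, differently split inputs give the same effective salt (constructed example: "ab","c" versus "a","bc"), which callers combining a public salt with a pepper should know about. Consider adding `* The inputs are concatenated in the order in which they are passed, with no separator or length prefix.` (assuming that is the intended behaviour). Separately, `PSA_ALG_PBKDF2_HMAC_GET_HASH(hkdf_alg)` has no doc comment and its parameter name is carried over from the HKDF macros; `pbkdf2_alg` would be clearer. "It can use on of several PRFs" should read `one of`.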
@@ -800,6 +800,24 @@ #define PSA_ALG_IS_KEY_DERIVATION(alg) \ (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_DERIVATION) +/** Whether the specified algorithm is a key stretching / password hashing + * algorithm. + * + * A key stretching / password hashing algorithm is a key derivation algorithm + * that is suitable for use with low-entropy secret such as passwords. + * Equivalently, it's a key derivation algorithm that accepts an input of type + * #PSA_KEY_DERIVATION_INPUT_PASSWORD. + * + * \param alg An algorithm identifier (value of type #psa_algorithm_t). + * + * \return 1 if \p alg is a key stretching / passowrd hashing algorithm, 0 + * otherwise. This macro may return either 0 or 1 if \p alg is not a + * supported algorithm identifier. + */ +#define PSA_ALG_IS_KEY_DERIVATION_STRETCHING(alg) \ + (PSA_ALG_IS_KEY_DERIVATION(alg) && \ + (alg) & PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG) + #define PSA_ALG_HASH_MASK ((psa_algorithm_t)0x000000ff) /** MD2 */ #define PSA_ALG_MD2 ((psa_algorithm_t)0x02000001) @@ -1681,6 +1699,13 @@ #define PSA_ALG_TLS12_PSK_TO_MS_GET_HASH(hkdf_alg) \ (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK)) +/* This flag indicates whether the key derivation algorithm is suitable for + * use on low-entropy secrets such as password - these algorithms are also + * known as key stretching or password hashing schemes. These are also the + * algorithms that accepts inputs of type #PSA_KEY_DERIVATION_INPUT_PASSWORD. + */ +#define PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG ((psa_algorithm_t)0x00008000) + #define PSA_ALG_PBKDF2_HMAC_BASE ((psa_algorithm_t)0x08008100) /** Macro to build a PBKDF2-HMAC algorithm. * From 351a2576f51f7e530bcc092ed6af79c6abe9b115 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Apr 2021 13:11:17 +0200 Subject: [PATCH 08/37] PSA PBKDF2: extend key derivation driver interface MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
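Review bot: In `PSA_ALG_IS_KEY_DERIVATION_STRETCHING`, the second operand `(alg) & PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG` sits unparenthesised next to `&&`. It parses as intended only because `&` binds tighter, and that is easy to break in a later edit. Writing it as `(((alg) & PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG) != 0)` makes the precedence and the 0/1 result explicit, matching the documented return value. The macro also expands `alg` twice (once through `PSA_ALG_IS_KEY_DERIVATION`), so the doc comment could note that the argument must have no side effects. "passowrd" in the `\return` text should be `password`.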
Signed-off-by: Manuel Pégourié-Gonnard --- docs/proposed/psa-driver-interface.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md index 47d7271e64..3685cca841 100644 --- a/docs/proposed/psa-driver-interface.md +++ b/docs/proposed/psa-driver-interface.md @@ -305,9 +305,12 @@ This family requires the following type and entry points: * `"key_derivation_setup"`: called by `psa_key_derivation_setup()`. * `"key_derivation_set_capacity"`: called by `psa_key_derivation_set_capacity()`. The core will always enforce the capacity, therefore this function does not need to do anything for algorithms where the output stream only depends on the effective generated length and not on the capacity. * `"key_derivation_input_bytes"`: called by `psa_key_derivation_input_bytes()` and `psa_key_derivation_input_key()`. For transparent drivers, when processing a call to `psa_key_derivation_input_key()`, the core always calls the applicable driver's `"key_derivation_input_bytes"` entry point. +* `"key_derivation_input_integer"`: called by `psa_key_derivation_input_integer()`. * `"key_derivation_input_key"` (opaque drivers only) * `"key_derivation_output_bytes"`: called by `psa_key_derivation_output_bytes()`; also by `psa_key_derivation_output_key()` for transparent drivers. * `"key_derivation_output_key"`: called by `psa_key_derivation_output_key()` for transparent drivers when deriving an asymmetric key pair, and also for opaque drivers. +* `"key_derivation_verify_output_bytes"`: called by `psa_key_derivation_verify_output_bytes()`; also by `psa_key_derivation_verify_output_key()` for transparent drivers. +* `"key_derivation_verify_output_key"` (opaque drivers only). * `"key_derivation_abort"`: called by all key derivation functions of the PSA Cryptography API. TODO: key input and output for opaque drivers; deterministic key generation for transparent drivers 
From 7a366f7f97a5b37dbc2fb94e27a62cf1432779d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Apr 2021 13:23:03 +0200 Subject: [PATCH 09/37] PSA PBKDF2: add config option MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_config.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 736d9abe08..03aa86ccd6 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -72,6 +72,9 @@ #define PSA_WANT_ALG_MD4 1 #define PSA_WANT_ALG_MD5 1 #define PSA_WANT_ALG_OFB 1 +/* PBKDF2-HMAC is not yet support via the PSA API in Mbed TLS. + * Note: when adding support, also adjust include/mbedtls/config_psa.h */ +//#define PSA_WANT_ALG_PBKDF2_HMAC 1 #define PSA_WANT_ALG_RIPEMD160 1 #define PSA_WANT_ALG_RSA_OAEP 1 #define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 From dc1b4e42e9b7aa5ebcacce0afb38c4d6e7254f23 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 30 Apr 2021 10:41:07 +0200 Subject: [PATCH 10/37] Fix a few typos MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto.h | 2 +- include/psa/crypto_config.h | 2 +- include/psa/crypto_values.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 7df4f3aa48..deb5e0c9b3 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -3733,7 +3733,7 @@ psa_status_t psa_key_derivation_verify_output_bytes( * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t psa_key_derivation_verify_output_bytes( +psa_status_t psa_key_derivation_verify_output_key( psa_key_derivation_operation_t *operation, psa_key_id_t expected); 
diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 03aa86ccd6..a0874a17d6 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -72,7 +72,7 @@ #define PSA_WANT_ALG_MD4 1 #define PSA_WANT_ALG_MD5 1 #define PSA_WANT_ALG_OFB 1 -/* PBKDF2-HMAC is not yet support via the PSA API in Mbed TLS. +/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS. * Note: when adding support, also adjust include/mbedtls/config_psa.h */ //#define PSA_WANT_ALG_PBKDF2_HMAC 1 #define PSA_WANT_ALG_RIPEMD160 1 diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 38eb421afd..8036a17826 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2187,7 +2187,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * psa_key_derivation_verify_output_bytes() or * psa_key_derivation_verify_output_key() at the end of the operation. */ -#define PSA_KEY_USAGE_PASSWORD_HASH_AND_VERITY ((psa_key_usage_t)0x00008000) +#define PSA_KEY_USAGE_PASSWORD_HASH_AND_VERIFY ((psa_key_usage_t)0x00008000) /** Whether the key may be used to as the expected value to which a password * hash will be compared. From ffc86ce8d6843ba7e92a8ecc350c51b4b79bf375 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 30 Apr 2021 11:37:57 +0200 Subject: [PATCH 11/37] Improve or expand several descriptions. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit No change of behaviour, encoding or naming intended in this commit: just describe the same behaviour, but in a way that's hopefully clearer and more complete. Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto.h | 46 +++++++++++++++------ include/psa/crypto_values.h | 79 ++++++++++++++++++++++++------------- 2 files changed, 86 insertions(+), 39 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index deb5e0c9b3..f9e051e021 100644 
--- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -3293,10 +3293,13 @@ psa_status_t psa_key_derivation_input_bytes( /** Provide a numeric input for key derivation or key agreement. * * Which inputs are required and in what order depends on the algorithm. + * However, when an algorithm requires a particular order, numeric inputs + * usually come first as they tend to be configuration parameters. * Refer to the documentation of each key derivation or key agreement * algorithm for information. * - * This function is used for inputs which are small non-negative integers. + * This function is used for inputs which are fixed-size non-negative + * integers. * * If this function returns an error status, the operation enters an error * state and must be aborted by calling psa_key_derivation_abort(). @@ -3306,8 +3309,7 @@ psa_status_t psa_key_derivation_input_bytes( * psa_key_derivation_setup() and must not * have produced any output yet. * \param step Which step the input data is for. - * \param[in] data Input data to use. - * \param data_length Size of the \p data buffer in bytes. + * \param[in] value The value of the numeric input. * * \retval #PSA_SUCCESS * Success. 
@@ -3646,15 +3648,25 @@ psa_status_t psa_key_derivation_output_key( /** Compare output data from a key derivation operation to an expected value. * * This function calculates output bytes from a key derivation algorithm and - * compares those bytes to an expected value. + * compares those bytes to an expected value in constant time. * If you view the key derivation's output as a stream of bytes, this * function destructively reads the requested number of bytes from the * stream before comparing them. * The operation's capacity decreases by the number of bytes read. * + * This is functionally equivalent to the following code: + * \code + * psa_key_derivation_output_bytes(operation, tmp, output_length); + * if (memcmp(output, tmp, output_length) != 0) + * return PSA_ERROR_INVALID_SIGNATURE; + * \endcode + * except (1) it works even if the key's policy does not allow outputting the + * bytes, and (2) the comparison will be done in constant time. + * * If this function returns an error status other than - * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error - * state and must be aborted by calling psa_key_derivation_abort(). + * #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, + * the operation enters an error state and must be aborted by calling + * psa_key_derivation_abort(). * * \param[in,out] operation The key derivation operation object to read from. * \param[in] expected_output Buffer where the output will be written. 
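Review bot: The error-state paragraph now exempts `#PSA_ERROR_INVALID_SIGNATURE`, but it does not say what the caller should do with the operation after a mismatch. The same wording appears in the `@@ -3686` hunk for the key-based variant. As written, a reader can conclude that no `psa_key_derivation_abort()` is needed on a failed verification, which would leave an operation that was fed a password (and presumably still holds state derived from it) active. Consider adding `* In all cases, the caller must eventually call psa_key_derivation_abort() to release the operation.` Separately, the `\code` snippet discards the status of `psa_key_derivation_output_bytes()`, so it is only equivalent on the success path; checking it first (`if (status != PSA_SUCCESS) return status;`) would make the illustration match the documented `\retval` list.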
@@ -3686,32 +3698,44 @@ psa_status_t psa_key_derivation_output_key( */ psa_status_t psa_key_derivation_verify_output_bytes( psa_key_derivation_operation_t *operation, - const uint8_t *output, + const uint8_t *expected_output, size_t output_length); -/** Compare output data from a key derivation operation to an expected value. +/** Compare output data from a key derivation operation to an expected value + * stored in a key object. * * This function calculates output bytes from a key derivation algorithm and * compares those bytes to an expected value, provided as key of type - * #PSA_KEY_TYPE_RAW_DATA. + * #PSA_KEY_TYPE_RAW_DATA, in constant time. * If you view the key derivation's output as a stream of bytes, this * function destructively reads the number of bytes corresponding the the * length of the expected value from the stream before comparing them. * The operation's capacity decreases by the number of bytes read. * + * This is functionally equivalent to exporting the key and calling + * psa_key_derivation_verify_output_bytes() on the result, except that it + * works even if the key cannot be exported. + * * If this function returns an error status other than - * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error - * state and must be aborted by calling psa_key_derivation_abort(). + * #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE, + * the operation enters an error state and must be aborted by calling + * psa_key_derivation_abort(). * * \param[in,out] operation The key derivation operation object to read from. * \param[in] expected A key of type #PSA_KEY_TYPE_RAW_DATA containing * the expected output. Its policy must include the * #PSA_KEY_USAGE_PASSWORD_HASH_VERIFIER flag. + * The value of this key was likely computed by a + * previous call to psa_key_derivation_output_key(). * * \retval #PSA_SUCCESS * \retval #PSA_ERROR_INVALID_SIGNATURE * The output was read successfully, but if differs from the expected * output. 
+ * \retval #PSA_ERROR_INVALID_HANDLE + * The key passed as the expected value does not exist. + * \retval #PSA_ERROR_INVALID_ARGUMENT + * The key passed as the expected value has an invalid type. * \retval #PSA_ERROR_NOT_PERMITTED * The key passed as the expected value does not allow this usage. * \retval #PSA_ERROR_INSUFFICIENT_DATA diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 8036a17826..a3256f6144 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -408,6 +408,12 @@ #define PSA_KEY_TYPE_HMAC ((psa_key_type_t)0x1100) /** A secret for key derivation. + * + * This key type is for high-entropy secrets only. For low-entropy secrets, + * #PSA_KEY_TYPE_PASSWORD should be used instead. + * + * These keys can be used as the #PSA_KEY_DERIVATION_INPUT_SECRET or + * #PSA_KEY_DERIVATION_INPUT_PASSWORD input of key derivation algorithms. * * The key policy determines which key derivation algorithm the key * can be used for. 
@@ -416,15 +422,31 @@ /** A low-entropy secret for password hashing or key derivation. * - * The key policy determines which key derivation algorithm the key - * can be used for. + * This key type is suitable for passwords and passphrases which are typically + * intended to be memorizable by humans, and have a low entropy relative to + * their size. It can be used for randomly generated or derived keys with + * maximum or near-maximum entropy, but PSA_KEY_TYPE_DERIVE is more suitable + * for such keys. It is not suitable for passwords with extremely low entropy, + * such as numerical PINs. + * + * These keys can be used as the #PSA_KEY_DERIVATION_INPUT_PASSWORD input of + * key derivation algorithms. Algorithms that accept such an input were + * designed to accept low-entropy secret and are known as password hashing or + * key stretching algorithms. + * + * These keys cannot be used as the #PSA_KEY_DERIVATION_INPUT_SECRET input of + * key derivation algorithms, as the algorithms that take such an input expect + * it to be high-entropy. + * + * The key policy determines which key derivation algorithm the key can be + * used for, among the permissible subset defined above. */ #define PSA_KEY_TYPE_PASSWORD ((psa_key_type_t)0x1300) -/** A secret value that can be mixed in when doing password hashing. +/** A secret value that can be used in when computing a password hash. * * The key policy determines which key derivation algorithm the key - * can be used for. + * can be used for, among the subset of algorithms that can use pepper. */ #define PSA_KEY_TYPE_PEPPER ((psa_key_type_t)0x1400) 
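Review bot: The new #PSA_KEY_TYPE_PASSWORD text names `PSA_KEY_TYPE_DERIVE` without the leading `#`, so unlike the other identifiers in these comments it will not be turned into a Doxygen link; write `#PSA_KEY_TYPE_DERIVE`. In the same hunk, `designed to accept low-entropy secret` should read `designed to accept a low-entropy secret`, and the reworded #PSA_KEY_TYPE_PEPPER summary `can be used in when computing` has a stray `in`. The sentence saying the type is not suitable for numerical PINs gives no alternative; one more sentence on what an application should use in that case would help readers.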
@@ -804,9 +826,9 @@ * algorithm. * * A key stretching / password hashing algorithm is a key derivation algorithm - * that is suitable for use with low-entropy secret such as passwords. - * Equivalently, it's a key derivation algorithm that accepts an input of type - * #PSA_KEY_DERIVATION_INPUT_PASSWORD. + * that is suitable for use with a low-entropy secret such as a password. + * Equivalently, it's a key derivation algorithm that uses a + * #PSA_KEY_DERIVATION_INPUT_PASSWORD input step. * * \param alg An algorithm identifier (value of type #psa_algorithm_t). * 
@@ -1707,24 +1729,23 @@ #define PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG ((psa_algorithm_t)0x00008000) #define PSA_ALG_PBKDF2_HMAC_BASE ((psa_algorithm_t)0x08008100) -/** Macro to build a PBKDF2-HMAC algorithm. +/** Macro to build a PBKDF2-HMAC password hashing / key stretching algorithm. * * PBKDF2 is defined by PKCS#5, republished as RFC 8018 (section 5.2). - * It can use on of several PRFs internally; this macro is used when that PRF - * is based on HMAC with a given hash. - * - * For example, `PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA256)` represents PBKDF2 - * using HMAC-SHA-256 as the internal PRF. + * This macro specifies the PBKDF2 algorithm constructed using a PRF based on + * HMAC with the specified hash. + * For example, `PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA256)` specifies PBKDF2 + * using the PRF HMAC-SHA-256. * * This key derivation algorithm uses the following inputs: - * - #PSA_KEY_DERIVATION_INPUT_PASSWORD is the password to be hashed - * - #PSA_KEY_DERIVATION_INPUT_SALT is (part of) the salt (see note below) - * - #PSA_KEY_DERIVATION_INPUT_COST is the iteration count - * - * Note: if multiple salt inputs are passed, they will be concatenated by the - * implementation in order to produce the salt that will be passed to the - * algorithm. This allows building the salt from multiple inputs, both public - * and secret (also known as pepper). + * - #PSA_KEY_DERIVATION_INPUT_PASSWORD is the password to be hashed. + * This input step must be used exactly once. + * - #PSA_KEY_DERIVATION_INPUT_SALT is the salt. + * This input step must be used one or more times; if used several times, the + * inputs will be concatenated. This can be used to build the final salt + * from multiple sources, both public and secret (also known as pepper). + * - #PSA_KEY_DERIVATION_INPUT_COST is the iteration count. + * This input step must be used exactly once. * * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that * #PSA_ALG_IS_HASH(\p hash_alg) is true). 
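Review bot: The #PSA_KEY_DERIVATION_INPUT_SALT bullet says several salt inputs are concatenated but not how. If this is plain concatenation with no length or separator, different splits of the same bytes between a public salt and a secret pepper give the same PBKDF2 salt. When variable-length parts are combined the comment should say so, e.g. `Inputs are concatenated as-is; use fixed-length parts if the boundary between them matters.` The #PSA_KEY_DERIVATION_INPUT_COST bullet also gives no accepted range for the iteration count, at least not in this comment, and an implementer needs one to know whether 0 must be rejected.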
@@ -2213,19 +2234,21 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * The secret can also be a direct input (passed to * key_derivation_input_bytes()). In this case, the derivation operation * may not be used to derive keys: the operation will only allow - * psa_key_derivation_output_bytes(), not psa_key_derivation_output_key(). + * psa_key_derivation_output_bytes() or + * psa_key_derivation_verify_output_xxx() but not + * psa_key_derivation_output_key(). */ #define PSA_KEY_DERIVATION_INPUT_SECRET ((psa_key_derivation_step_t)0x0101) /** A low-entropy secret input for password hashing / key stretching. * - * This should be a key of type #PSA_KEY_TYPE_PASSWORD or #PSA_KEY_TYPE_DERIVE - * (passed to psa_key_derivation_input_key()) - * or the shared secret resulting from a key agreement - * (obtained via psa_key_derivation_key_agreement()). + * This is usually a key of type #PSA_KEY_TYPE_PASSWORD (passed to + * psa_key_derivation_input_key()) or a direct input (passed to + * psa_key_derivation_input_bytes()) that is a password or passphrase. It can + * also be high-entropy secret such as a key of type #PSA_KEY_TYPE_DERIVE or + * the shared secret resulting from a key agreement. * - * The secret can also be a direct input (passed to - * key_derivation_input_bytes()). In this case, the derivation operation + * If the secret is a direct input, the derivation operation * may not be used to derive keys: the operation will only allow * psa_key_derivation_output_bytes(), not psa_key_derivation_output_key(). */ From c16033e0a3609a0efe7856e20da26030bc4dd905 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 30 Apr 2021 11:59:40 +0200 Subject: [PATCH 12/37] Fix the encodings of the new key types MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_values.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
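Review bot: The #PSA_KEY_DERIVATION_INPUT_SECRET paragraph now lists `psa_key_derivation_verify_output_xxx()` among the calls allowed after a direct input, but the rewritten #PSA_KEY_DERIVATION_INPUT_PASSWORD paragraph below it still says the operation `will only allow psa_key_derivation_output_bytes()`. Read literally, that forbids verifying a password passed with psa_key_derivation_input_bytes(), which is presumably the most common password-hashing flow; the sentence should mirror the one above. The new text also has `It can also be high-entropy secret` (missing `a`), and the context line `key_derivation_input_bytes()` lacks the `psa_` prefix.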
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index a3256f6144..fafd3ec350 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -441,14 +441,14 @@ * The key policy determines which key derivation algorithm the key can be * used for, among the permissible subset defined above. */ -#define PSA_KEY_TYPE_PASSWORD ((psa_key_type_t)0x1300) +#define PSA_KEY_TYPE_PASSWORD ((psa_key_type_t)0x1203) /** A secret value that can be used in when computing a password hash. * * The key policy determines which key derivation algorithm the key * can be used for, among the subset of algorithms that can use pepper. */ -#define PSA_KEY_TYPE_PEPPER ((psa_key_type_t)0x1400) +#define PSA_KEY_TYPE_PEPPER ((psa_key_type_t)0x1205) /** Key for a cipher, AEAD or MAC algorithm based on the AES block cipher. * From 421390f52fc4e63ff0936f3c6390bc504fb17f6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 30 Apr 2021 12:38:12 +0200 Subject: [PATCH 13/37] Fix driver interface for key derivation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- docs/proposed/psa-driver-interface.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md index 3685cca841..0e9877df57 100644 --- a/docs/proposed/psa-driver-interface.md +++ b/docs/proposed/psa-driver-interface.md 
@@ -309,7 +309,7 @@ This family requires the following type and entry points: * `"key_derivation_input_key"` (opaque drivers only) * `"key_derivation_output_bytes"`: called by `psa_key_derivation_output_bytes()`; also by `psa_key_derivation_output_key()` for transparent drivers. * `"key_derivation_output_key"`: called by `psa_key_derivation_output_key()` for transparent drivers when deriving an asymmetric key pair, and also for opaque drivers. -* `"key_derivation_verify_output_bytes"`: called by `psa_key_derivation_verify_output_bytes()`; also by `psa_key_derivation_verify_output_key()` for transparent drivers. +* `"key_derivation_verify_output_bytes"` (opaque drivers only). * `"key_derivation_verify_output_key"` (opaque drivers only). * `"key_derivation_abort"`: called by all key derivation functions of the PSA Cryptography API. From 3d72267db598dc8ae31211c27036c0326a797052 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 30 Apr 2021 12:42:36 +0200 Subject: [PATCH 14/37] Specify the order of PBKDF2 inputs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Might make the implementer's life a bit simpler, and is not a big constraint on applications. Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_values.h | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index fafd3ec350..4bc4c1a5e3 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h 
@@ -1737,14 +1737,15 @@ * For example, `PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA256)` specifies PBKDF2 * using the PRF HMAC-SHA-256. * - * This key derivation algorithm uses the following inputs: - * - #PSA_KEY_DERIVATION_INPUT_PASSWORD is the password to be hashed. + * This key derivation algorithm uses the following inputs, which must be + * provided in the following order: + * - #PSA_KEY_DERIVATION_INPUT_COST is the iteration count. * This input step must be used exactly once. * - #PSA_KEY_DERIVATION_INPUT_SALT is the salt. * This input step must be used one or more times; if used several times, the * inputs will be concatenated. This can be used to build the final salt * from multiple sources, both public and secret (also known as pepper). - * - #PSA_KEY_DERIVATION_INPUT_COST is the iteration count. + * - #PSA_KEY_DERIVATION_INPUT_PASSWORD is the password to be hashed. * This input step must be used exactly once. * * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that From d307f6359725ce686b396690c8f7cb6d610aedeb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 3 May 2021 10:12:06 +0200 Subject: [PATCH 15/37] Rename verify_output_xxx() to verify_xxx() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto.h | 6 +++--- include/psa/crypto_values.h | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index f9e051e021..fdab2b14ec 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -3696,7 +3696,7 @@ psa_status_t psa_key_derivation_output_key( * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t psa_key_derivation_verify_output_bytes( +psa_status_t psa_key_derivation_verify_bytes( psa_key_derivation_operation_t *operation, const uint8_t *expected_output, size_t output_length); 
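Review bot: The PBKDF2 comment in crypto_values.h now requires the inputs in the order cost, salt, password, but does not say what an application gets back when it supplies them in another order. Naming the status here, or pointing to the input-function documentation that defines it, would let callers tell an ordering mistake from an unsupported input. One added sentence is enough, e.g. `Inputs provided in any other order are rejected with <status>.`, with the status taken from the input functions' contract, which is outside this hunk.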
@@ -3713,7 +3713,7 @@ psa_status_t psa_key_derivation_verify_output_bytes( * The operation's capacity decreases by the number of bytes read. * * This is functionally equivalent to exporting the key and calling - * psa_key_derivation_verify_output_bytes() on the result, except that it + * psa_key_derivation_verify_bytes() on the result, except that it * works even if the key cannot be exported. * * If this function returns an error status other than @@ -3757,7 +3757,7 @@ psa_status_t psa_key_derivation_verify_output_bytes( * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t psa_key_derivation_verify_output_key( +psa_status_t psa_key_derivation_verify_key( psa_key_derivation_operation_t *operation, psa_key_id_t expected); diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 4bc4c1a5e3..7c3ca2c6ad 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2206,8 +2206,8 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * psa_key_derivation_input_key() at the step * #PSA_KEY_DERIVATION_INPUT_SECRET of #PSA_KEY_DERIVATION_INPUT_PASSWORD * depending on the algorithm, and allows the use of - * psa_key_derivation_verify_output_bytes() or - * psa_key_derivation_verify_output_key() at the end of the operation. + * psa_key_derivation_verify_bytes() or + * psa_key_derivation_verify_key() at the end of the operation. */ #define PSA_KEY_USAGE_PASSWORD_HASH_AND_VERIFY ((psa_key_usage_t)0x00008000) @@ -2215,7 +2215,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * hash will be compared. * * This flag allows key to be used as the \c key argument of - * psa_key_derivation_verify_output_key(). + * psa_key_derivation_verify_key(). */ #define PSA_KEY_USAGE_PASSWORD_HASH_VERIFIER ((psa_key_usage_t)0x00010000) 
@@ -2236,7 +2236,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * key_derivation_input_bytes()). In this case, the derivation operation * may not be used to derive keys: the operation will only allow * psa_key_derivation_output_bytes() or - * psa_key_derivation_verify_output_xxx() but not + * psa_key_derivation_verify_xxx() but not * psa_key_derivation_output_key(). */ #define PSA_KEY_DERIVATION_INPUT_SECRET ((psa_key_derivation_step_t)0x0101) From 9023cacf15cffbcbe37d4fc1a463d5cf80f175a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 3 May 2021 10:23:12 +0200 Subject: [PATCH 16/37] Merge verification policies together MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto.h | 2 +- include/psa/crypto_values.h | 28 ++++++++++++---------------- 2 files changed, 13 insertions(+), 17 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index fdab2b14ec..b92d194bf2 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -3724,7 +3724,7 @@ psa_status_t psa_key_derivation_verify_bytes( * \param[in,out] operation The key derivation operation object to read from. * \param[in] expected A key of type #PSA_KEY_TYPE_RAW_DATA containing * the expected output. Its policy must include the - * #PSA_KEY_USAGE_PASSWORD_HASH_VERIFIER flag. + * #PSA_KEY_USAGE_VERIFY_DERIVATION flag. * The value of this key was likely computed by a * previous call to psa_key_derivation_output_key(). * diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 7c3ca2c6ad..faccaf6334 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h 
@@ -2199,25 +2199,21 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) */ #define PSA_KEY_USAGE_DERIVE ((psa_key_usage_t)0x00004000) -/** Whether the key may be used to produce a password hash and verify it - * against an expected value. +/** Whether the key may be used to verify the result of a key derivation, + * including password hashing. * - * This flag allows the key to be used as the input of - * psa_key_derivation_input_key() at the step - * #PSA_KEY_DERIVATION_INPUT_SECRET of #PSA_KEY_DERIVATION_INPUT_PASSWORD - * depending on the algorithm, and allows the use of - * psa_key_derivation_verify_bytes() or - * psa_key_derivation_verify_key() at the end of the operation. - */ -#define PSA_KEY_USAGE_PASSWORD_HASH_AND_VERIFY ((psa_key_usage_t)0x00008000) - -/** Whether the key may be used to as the expected value to which a password - * hash will be compared. + * This flag allows the key to be used: * - * This flag allows key to be used as the \c key argument of - * psa_key_derivation_verify_key(). + * - for a key of type #PSA_KEY_TYPE_RAW_DATA, as the \c key argument of + * psa_key_derivation_verify_key(); + * - for a key of type #PSA_KEY_TYPE_PASSWORD (or #PSA_KEY_TYPE_DERIVE), as + * the input to psa_key_derivation_input_key() at the step + * #PSA_KEY_DERIVATION_INPUT_PASSWORD (or #PSA_KEY_DERIVATION_INPUT_SECRET); + * then at the end of the operation use of psa_key_derivation_verify_bytes() + * or psa_key_derivation_verify_key() will be permitted (but not + * psa_key_derivation_output_xxx() unless #PSA_KEY_USAGE_DERIVE is set). */ -#define PSA_KEY_USAGE_PASSWORD_HASH_VERIFIER ((psa_key_usage_t)0x00010000) +#define PSA_KEY_USAGE_VERIFY_DERIVATION ((psa_key_usage_t)0x00008000) /**@}*/ From 88658becd4c06eb6757899d3c30e4717d1c939d2 Mon Sep 17 00:00:00 2001 
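Review bot: The first bullet of the new #PSA_KEY_USAGE_VERIFY_DERIVATION comment refers to `the \c key argument of psa_key_derivation_verify_key()`, but the prototype shown earlier in this series names that parameter `expected`; it should read `the \c expected argument`. Because one flag now covers both roles, the comment would also benefit from saying outright that the role is selected by key type alone, as the two bullets imply. That tells someone auditing key policies that granting this flag to a #PSA_KEY_TYPE_PASSWORD key does not let it serve as the expected value.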
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 3 May 2021 10:28:57 +0200 Subject: [PATCH 17/37] Clarify algorithm constraint for verification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index b92d194bf2..da2a15cfc2 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -3724,7 +3724,8 @@ psa_status_t psa_key_derivation_verify_bytes( * \param[in,out] operation The key derivation operation object to read from. * \param[in] expected A key of type #PSA_KEY_TYPE_RAW_DATA containing * the expected output. Its policy must include the - * #PSA_KEY_USAGE_VERIFY_DERIVATION flag. + * #PSA_KEY_USAGE_VERIFY_DERIVATION flag and the + * permitted algorithm must match the operation. * The value of this key was likely computed by a * previous call to psa_key_derivation_output_key(). * @@ -3737,7 +3738,8 @@ psa_status_t psa_key_derivation_verify_bytes( * \retval #PSA_ERROR_INVALID_ARGUMENT * The key passed as the expected value has an invalid type. * \retval #PSA_ERROR_NOT_PERMITTED - * The key passed as the expected value does not allow this usage. + * The key passed as the expected value does not allow this usage or + * this algorithm. * \retval #PSA_ERROR_INSUFFICIENT_DATA * The operation's capacity was less than * the length of the expected value. In this case, From 2171e421c6e1ba62e67436e44d8babd79fdd7f49 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 3 May 2021 10:49:54 +0200 Subject: [PATCH 18/37] Add new key type PASSWORD_HASH MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto.h | 16 +++++++++------- include/psa/crypto_values.h | 12 ++++++++++-- 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index da2a15cfc2..074893fe5a 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -3536,7 +3536,8 @@ psa_status_t psa_key_derivation_output_bytes( * - #PSA_KEY_TYPE_ARC4; * - #PSA_KEY_TYPE_CAMELLIA; * - #PSA_KEY_TYPE_DERIVE; - * - #PSA_KEY_TYPE_HMAC. + * - #PSA_KEY_TYPE_HMAC; + * - #PSA_KEY_TYPE_PASSWORD_HASH. * * - For ECC keys on a Montgomery elliptic curve * (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a @@ -3722,12 +3723,13 @@ psa_status_t psa_key_derivation_verify_bytes( * psa_key_derivation_abort(). * * \param[in,out] operation The key derivation operation object to read from. - * \param[in] expected A key of type #PSA_KEY_TYPE_RAW_DATA containing - * the expected output. Its policy must include the - * #PSA_KEY_USAGE_VERIFY_DERIVATION flag and the - * permitted algorithm must match the operation. - * The value of this key was likely computed by a - * previous call to psa_key_derivation_output_key(). + * \param[in] expected A key of type #PSA_KEY_TYPE_PASSWORD_HASH + * containing the expected output. Its policy must + * include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag + * and the permitted algorithm must match the + * operation. The value of this key was likely + * computed by a previous call to + * psa_key_derivation_output_key(). * * \retval #PSA_SUCCESS * \retval #PSA_ERROR_INVALID_SIGNATURE diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index faccaf6334..917a0a2633 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h 
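Review bot: The `\param expected` text in crypto.h now requires #PSA_KEY_TYPE_PASSWORD_HASH, but the function description above it still says the expected value is `provided as key of type #PSA_KEY_TYPE_RAW_DATA`. That sentence comes from the earlier patch in this series, and neither crypto.h hunk here touches it. Unless a later patch updates it, the comment will contradict itself about which key type passes the type check behind #PSA_ERROR_INVALID_ARGUMENT. The description lies outside both hunks, so this is inferred from the series rather than visible in this diff.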
@@ -443,12 +443,20 @@ */ #define PSA_KEY_TYPE_PASSWORD ((psa_key_type_t)0x1203) +/** A secret value that can be used to verify a password hash. + * + * The key policy determines which key derivation algorithm the key + * can be used for, among the same permissible subset as for + * #PSA_KEY_TYPE_PASSWORD. + */ +#define PSA_KEY_TYPE_PASSWORD_HASH ((psa_key_type_t)0x1205) + /** A secret value that can be used in when computing a password hash. * * The key policy determines which key derivation algorithm the key * can be used for, among the subset of algorithms that can use pepper. */ -#define PSA_KEY_TYPE_PEPPER ((psa_key_type_t)0x1205) +#define PSA_KEY_TYPE_PEPPER ((psa_key_type_t)0x1206) /** Key for a cipher, AEAD or MAC algorithm based on the AES block cipher. * @@ -2204,7 +2212,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * * This flag allows the key to be used: * - * - for a key of type #PSA_KEY_TYPE_RAW_DATA, as the \c key argument of + * - for a key of type #PSA_KEY_TYPE_PASSWORD_HASH, as the \c key argument of * psa_key_derivation_verify_key(); * - for a key of type #PSA_KEY_TYPE_PASSWORD (or #PSA_KEY_TYPE_DERIVE), as * the input to psa_key_derivation_input_key() at the step From b12de9ffc1dc773a187a3070deae4bf7a9db1dda Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 3 May 2021 11:02:56 +0200 Subject: [PATCH 19/37] Add new key types to crypto_knowledge.py MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- scripts/mbedtls_dev/crypto_knowledge.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/mbedtls_dev/crypto_knowledge.py b/scripts/mbedtls_dev/crypto_knowledge.py index 500aceafd8..aa5279027c 100644 --- a/scripts/mbedtls_dev/crypto_knowledge.py +++ b/scripts/mbedtls_dev/crypto_knowledge.py 
@@ -89,6 +89,9 @@ class KeyType: 'PSA_KEY_TYPE_DERIVE': (120, 128), # sample 'PSA_KEY_TYPE_DES': (64, 128, 192), # exhaustive 'PSA_KEY_TYPE_HMAC': (128, 160, 224, 256, 384, 512), # standard size for each supported hash + 'PSA_KEY_TYPE_PASSWORD': (48, 168, 336), # sample + 'PSA_KEY_TYPE_PASSWORD_HASH': (128, 256), # sample + 'PSA_KEY_TYPE_PEPPER': (128, 256), # sample 'PSA_KEY_TYPE_RAW_DATA': (8, 40, 128), # sample 'PSA_KEY_TYPE_RSA_KEY_PAIR': (1024, 1536), # small sample } From aa923b9fed860a06a4dfb93026b7ac6ae841414c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 3 May 2021 11:03:24 +0200 Subject: [PATCH 20/37] Update generated files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- programs/psa/psa_constant_names_generated.c | 18 ++++++ ...te_psa_crypto_not_supported.generated.data | 56 +++++++++++++++++++ ...ite_psa_crypto_storage_format.current.data | 42 +++++++++++++- ...st_suite_psa_crypto_storage_format.v0.data | 42 +++++++++++++- 4 files changed, 152 insertions(+), 6 deletions(-) diff --git a/programs/psa/psa_constant_names_generated.c b/programs/psa/psa_constant_names_generated.c index 2175af9ff8..b7afbb9172 100644 --- a/programs/psa/psa_constant_names_generated.c +++ b/programs/psa/psa_constant_names_generated.c 
@@ -113,6 +113,9 @@ static int psa_snprint_key_type(char *buffer, size_t buffer_size, case PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE: append(&buffer, buffer_size, &required_size, "PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE", 32); break; case PSA_KEY_TYPE_HMAC: append(&buffer, buffer_size, &required_size, "PSA_KEY_TYPE_HMAC", 17); break; case PSA_KEY_TYPE_NONE: append(&buffer, buffer_size, &required_size, "PSA_KEY_TYPE_NONE", 17); break; + case PSA_KEY_TYPE_PASSWORD: append(&buffer, buffer_size, &required_size, "PSA_KEY_TYPE_PASSWORD", 21); break; + case PSA_KEY_TYPE_PASSWORD_HASH: append(&buffer, buffer_size, &required_size, "PSA_KEY_TYPE_PASSWORD_HASH", 26); break; + case PSA_KEY_TYPE_PEPPER: append(&buffer, buffer_size, &required_size, "PSA_KEY_TYPE_PEPPER", 19); break; case PSA_KEY_TYPE_RAW_DATA: append(&buffer, buffer_size, &required_size, "PSA_KEY_TYPE_RAW_DATA", 21); break; case PSA_KEY_TYPE_RSA_KEY_PAIR: append(&buffer, buffer_size, &required_size, "PSA_KEY_TYPE_RSA_KEY_PAIR", 25); break; case PSA_KEY_TYPE_RSA_PUBLIC_KEY: append(&buffer, buffer_size, &required_size, "PSA_KEY_TYPE_RSA_PUBLIC_KEY", 27); break; @@ -221,6 +224,7 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size, case PSA_ALG_MD4: append(&buffer, buffer_size, &required_size, "PSA_ALG_MD4", 11); break; case PSA_ALG_MD5: append(&buffer, buffer_size, &required_size, "PSA_ALG_MD5", 11); break; case PSA_ALG_OFB: append(&buffer, buffer_size, &required_size, "PSA_ALG_OFB", 11); break; + case PSA_ALG_PBKDF2_HMAC_BASE: append(&buffer, buffer_size, &required_size, "PSA_ALG_PBKDF2_HMAC_BASE", 24); break; case PSA_ALG_PURE_EDDSA: append(&buffer, buffer_size, &required_size, "PSA_ALG_PURE_EDDSA", 18); break; case PSA_ALG_RIPEMD160: append(&buffer, buffer_size, &required_size, "PSA_ALG_RIPEMD160", 17); break; case PSA_ALG_RSA_OAEP_BASE: append(&buffer, buffer_size, &required_size, "PSA_ALG_RSA_OAEP_BASE", 21); break; 
@@ -286,6 +290,13 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size, psa_hash_algorithm_name, PSA_ALG_GET_HASH(core_alg)); append(&buffer, buffer_size, &required_size, ")", 1); + } else if (PSA_ALG_IS_PBKDF2_HMAC(core_alg)) { + append(&buffer, buffer_size, &required_size, + "PSA_ALG_PBKDF2_HMAC(", 19 + 1); + append_with_alg(&buffer, buffer_size, &required_size, + psa_hash_algorithm_name, + PSA_ALG_GET_HASH(core_alg)); + append(&buffer, buffer_size, &required_size, ")", 1); } else if (PSA_ALG_IS_RSA_OAEP(core_alg)) { append(&buffer, buffer_size, &required_size, "PSA_ALG_RSA_OAEP(", 16 + 1); @@ -394,6 +405,13 @@ static int psa_snprint_key_usage(char *buffer, size_t buffer_size, append(&buffer, buffer_size, &required_size, "PSA_KEY_USAGE_SIGN_HASH", 23); usage ^= PSA_KEY_USAGE_SIGN_HASH; } + if (usage & PSA_KEY_USAGE_VERIFY_DERIVATION) { + if (required_size != 0) { + append(&buffer, buffer_size, &required_size, " | ", 3); + } + append(&buffer, buffer_size, &required_size, "PSA_KEY_USAGE_VERIFY_DERIVATION", 31); + usage ^= PSA_KEY_USAGE_VERIFY_DERIVATION; + } if (usage & PSA_KEY_USAGE_VERIFY_HASH) { if (required_size != 0) { append(&buffer, buffer_size, &required_size, " | ", 3); diff --git a/tests/suites/test_suite_psa_crypto_not_supported.generated.data b/tests/suites/test_suite_psa_crypto_not_supported.generated.data index e39c8ed8b3..23ce19ff14 100644 --- a/tests/suites/test_suite_psa_crypto_not_supported.generated.data +++ b/tests/suites/test_suite_psa_crypto_not_supported.generated.data 
@@ -152,6 +152,62 @@ PSA generate HMAC 512-bit not supported depends_on:!PSA_WANT_KEY_TYPE_HMAC generate_not_supported:PSA_KEY_TYPE_HMAC:512 +PSA import PASSWORD 48-bit not supported +depends_on:!PSA_WANT_KEY_TYPE_PASSWORD:DEPENDENCY_NOT_IMPLEMENTED_YET +import_not_supported:PSA_KEY_TYPE_PASSWORD:"486572650069" + +PSA generate PASSWORD 48-bit not supported +depends_on:!PSA_WANT_KEY_TYPE_PASSWORD:DEPENDENCY_NOT_IMPLEMENTED_YET +generate_not_supported:PSA_KEY_TYPE_PASSWORD:48 + +PSA import PASSWORD 168-bit not supported +depends_on:!PSA_WANT_KEY_TYPE_PASSWORD:DEPENDENCY_NOT_IMPLEMENTED_YET +import_not_supported:PSA_KEY_TYPE_PASSWORD:"48657265006973206b6579a0646174614865726500" + +PSA generate PASSWORD 168-bit not supported +depends_on:!PSA_WANT_KEY_TYPE_PASSWORD:DEPENDENCY_NOT_IMPLEMENTED_YET +generate_not_supported:PSA_KEY_TYPE_PASSWORD:168 + +PSA import PASSWORD 336-bit not supported +depends_on:!PSA_WANT_KEY_TYPE_PASSWORD:DEPENDENCY_NOT_IMPLEMENTED_YET +import_not_supported:PSA_KEY_TYPE_PASSWORD:"48657265006973206b6579a06461746148657265006973206b6579a06461746148657265006973206b65" + +PSA generate PASSWORD 336-bit not supported +depends_on:!PSA_WANT_KEY_TYPE_PASSWORD:DEPENDENCY_NOT_IMPLEMENTED_YET +generate_not_supported:PSA_KEY_TYPE_PASSWORD:336 + +PSA import PASSWORD_HASH 128-bit not supported +depends_on:!PSA_WANT_KEY_TYPE_PASSWORD_HASH:DEPENDENCY_NOT_IMPLEMENTED_YET +import_not_supported:PSA_KEY_TYPE_PASSWORD_HASH:"48657265006973206b6579a064617461" + +PSA generate PASSWORD_HASH 128-bit not supported +depends_on:!PSA_WANT_KEY_TYPE_PASSWORD_HASH:DEPENDENCY_NOT_IMPLEMENTED_YET +generate_not_supported:PSA_KEY_TYPE_PASSWORD_HASH:128 + +PSA import PASSWORD_HASH 256-bit not supported +depends_on:!PSA_WANT_KEY_TYPE_PASSWORD_HASH:DEPENDENCY_NOT_IMPLEMENTED_YET +import_not_supported:PSA_KEY_TYPE_PASSWORD_HASH:"48657265006973206b6579a06461746148657265006973206b6579a064617461" + +PSA generate PASSWORD_HASH 256-bit not supported 
+depends_on:!PSA_WANT_KEY_TYPE_PASSWORD_HASH:DEPENDENCY_NOT_IMPLEMENTED_YET +generate_not_supported:PSA_KEY_TYPE_PASSWORD_HASH:256 + +PSA import PEPPER 128-bit not supported +depends_on:!PSA_WANT_KEY_TYPE_PEPPER:DEPENDENCY_NOT_IMPLEMENTED_YET +import_not_supported:PSA_KEY_TYPE_PEPPER:"48657265006973206b6579a064617461" + +PSA generate PEPPER 128-bit not supported +depends_on:!PSA_WANT_KEY_TYPE_PEPPER:DEPENDENCY_NOT_IMPLEMENTED_YET +generate_not_supported:PSA_KEY_TYPE_PEPPER:128 + +PSA import PEPPER 256-bit not supported +depends_on:!PSA_WANT_KEY_TYPE_PEPPER:DEPENDENCY_NOT_IMPLEMENTED_YET +import_not_supported:PSA_KEY_TYPE_PEPPER:"48657265006973206b6579a06461746148657265006973206b6579a064617461" + +PSA generate PEPPER 256-bit not supported +depends_on:!PSA_WANT_KEY_TYPE_PEPPER:DEPENDENCY_NOT_IMPLEMENTED_YET +generate_not_supported:PSA_KEY_TYPE_PEPPER:256 + PSA import RSA_KEY_PAIR 1024-bit not supported depends_on:!PSA_WANT_KEY_TYPE_RSA_KEY_PAIR import_not_supported:PSA_KEY_TYPE_RSA_KEY_PAIR:"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" diff --git a/tests/suites/test_suite_psa_crypto_storage_format.current.data b/tests/suites/test_suite_psa_crypto_storage_format.current.data index f74d0e2736..546299ed36 100644 --- a/tests/suites/test_suite_psa_crypto_storage_format.current.data +++ b/tests/suites/test_suite_psa_crypto_storage_format.current.data 
@@ -28,6 +28,10 @@ PSA storage save: usage: SIGN_HASH depends_on:PSA_WANT_KEY_TYPE_RAW_DATA key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800001000000000000000000000010000004b" +PSA storage save: usage: VERIFY_DERIVATION +depends_on:PSA_WANT_KEY_TYPE_RAW_DATA +key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_DERIVATION:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800008000000000000000000000010000004b" + PSA storage save: usage: VERIFY_HASH depends_on:PSA_WANT_KEY_TYPE_RAW_DATA key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800002000000000000000000000010000004b" @@ -52,9 +56,13 @@ PSA storage save: usage: EXPORT | SIGN_HASH depends_on:PSA_WANT_KEY_TYPE_RAW_DATA key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800011000000000000000000000010000004b" -PSA storage save: usage: SIGN_HASH | VERIFY_HASH +PSA storage save: usage: SIGN_HASH | VERIFY_DERIVATION depends_on:PSA_WANT_KEY_TYPE_RAW_DATA -key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800003000000000000000000000010000004b" +key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_DERIVATION:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800009000000000000000000000010000004b" + +PSA storage save: usage: VERIFY_DERIVATION | VERIFY_HASH +depends_on:PSA_WANT_KEY_TYPE_RAW_DATA +key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_DERIVATION | PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b45590000000000010000000110080000a000000000000000000000010000004b" PSA storage save: usage: VERIFY_HASH | COPY depends_on:PSA_WANT_KEY_TYPE_RAW_DATA 
@@ -62,7 +70,7 @@ key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_HASH | PSA_ PSA storage save: usage: all known depends_on:PSA_WANT_KEY_TYPE_RAW_DATA -key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800037300000000000000000000010000004b" +key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_DERIVATION | PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b45590000000000010000000110080003f300000000000000000000010000004b" PSA storage save: type: AES 128-bit depends_on:PSA_WANT_KEY_TYPE_AES 
@@ -148,6 +156,34 @@ PSA storage save: type: HMAC 512-bit depends_on:PSA_WANT_KEY_TYPE_HMAC key_storage_save:0x0001:PSA_KEY_TYPE_HMAC:512:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48657265006973206b6579a06461746148657265006973206b6579a06461746148657265006973206b6579a06461746148657265006973206b6579a064617461":"505341004b4559000000000001000000001100020100000000000000000000004000000048657265006973206b6579a06461746148657265006973206b6579a06461746148657265006973206b6579a06461746148657265006973206b6579a064617461" +PSA storage save: type: PASSWORD 48-bit +depends_on:PSA_WANT_KEY_TYPE_PASSWORD +key_storage_save:0x0001:PSA_KEY_TYPE_PASSWORD:48:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"486572650069":"505341004b45590000000000010000000312300001000000000000000000000006000000486572650069" + +PSA storage save: type: PASSWORD 168-bit +depends_on:PSA_WANT_KEY_TYPE_PASSWORD +key_storage_save:0x0001:PSA_KEY_TYPE_PASSWORD:168:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48657265006973206b6579a0646174614865726500":"505341004b45590000000000010000000312a8000100000000000000000000001500000048657265006973206b6579a0646174614865726500" + +PSA storage save: type: PASSWORD 336-bit +depends_on:PSA_WANT_KEY_TYPE_PASSWORD +key_storage_save:0x0001:PSA_KEY_TYPE_PASSWORD:336:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48657265006973206b6579a06461746148657265006973206b6579a06461746148657265006973206b65":"505341004b4559000000000001000000031250010100000000000000000000002a00000048657265006973206b6579a06461746148657265006973206b6579a06461746148657265006973206b65" + +PSA storage save: type: PASSWORD_HASH 128-bit +depends_on:PSA_WANT_KEY_TYPE_PASSWORD_HASH +key_storage_save:0x0001:PSA_KEY_TYPE_PASSWORD_HASH:128:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48657265006973206b6579a064617461":"505341004b4559000000000001000000051280000100000000000000000000001000000048657265006973206b6579a064617461" + +PSA storage save: type: PASSWORD_HASH 256-bit +depends_on:PSA_WANT_KEY_TYPE_PASSWORD_HASH 
+key_storage_save:0x0001:PSA_KEY_TYPE_PASSWORD_HASH:256:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48657265006973206b6579a06461746148657265006973206b6579a064617461":"505341004b4559000000000001000000051200010100000000000000000000002000000048657265006973206b6579a06461746148657265006973206b6579a064617461" + +PSA storage save: type: PEPPER 128-bit +depends_on:PSA_WANT_KEY_TYPE_PEPPER +key_storage_save:0x0001:PSA_KEY_TYPE_PEPPER:128:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48657265006973206b6579a064617461":"505341004b4559000000000001000000061280000100000000000000000000001000000048657265006973206b6579a064617461" + +PSA storage save: type: PEPPER 256-bit +depends_on:PSA_WANT_KEY_TYPE_PEPPER +key_storage_save:0x0001:PSA_KEY_TYPE_PEPPER:256:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48657265006973206b6579a06461746148657265006973206b6579a064617461":"505341004b4559000000000001000000061200010100000000000000000000002000000048657265006973206b6579a06461746148657265006973206b6579a064617461" + PSA storage save: type: RAW_DATA 8-bit depends_on:PSA_WANT_KEY_TYPE_RAW_DATA key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48":"505341004b4559000000000001000000011008000100000000000000000000000100000048" diff --git a/tests/suites/test_suite_psa_crypto_storage_format.v0.data b/tests/suites/test_suite_psa_crypto_storage_format.v0.data index 2b2f1b7a73..72d1eb8464 100644 --- a/tests/suites/test_suite_psa_crypto_storage_format.v0.data +++ b/tests/suites/test_suite_psa_crypto_storage_format.v0.data 
@@ -28,6 +28,10 @@ PSA storage read: usage: SIGN_HASH depends_on:PSA_WANT_KEY_TYPE_RAW_DATA key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800001000000000000000000000010000004b":0 +PSA storage read: usage: VERIFY_DERIVATION +depends_on:PSA_WANT_KEY_TYPE_RAW_DATA +key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_DERIVATION:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800008000000000000000000000010000004b":0 + PSA storage read: usage: VERIFY_HASH depends_on:PSA_WANT_KEY_TYPE_RAW_DATA key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800002000000000000000000000010000004b":0 
@@ -52,9 +56,13 @@ PSA storage read: usage: EXPORT | SIGN_HASH depends_on:PSA_WANT_KEY_TYPE_RAW_DATA key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800011000000000000000000000010000004b":0 -PSA storage read: usage: SIGN_HASH | VERIFY_HASH +PSA storage read: usage: SIGN_HASH | VERIFY_DERIVATION depends_on:PSA_WANT_KEY_TYPE_RAW_DATA -key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800003000000000000000000000010000004b":0 +key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_DERIVATION:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800009000000000000000000000010000004b":0 + +PSA storage read: usage: VERIFY_DERIVATION | VERIFY_HASH +depends_on:PSA_WANT_KEY_TYPE_RAW_DATA +key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_DERIVATION | PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b45590000000000010000000110080000a000000000000000000000010000004b":0 PSA storage read: usage: VERIFY_HASH | COPY depends_on:PSA_WANT_KEY_TYPE_RAW_DATA 
@@ -62,7 +70,7 @@ key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_HASH | PSA_ PSA storage read: usage: all known depends_on:PSA_WANT_KEY_TYPE_RAW_DATA -key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800037300000000000000000000010000004b":0 +key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_DERIVATION | PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b45590000000000010000000110080003f300000000000000000000010000004b":0 PSA storage read: type: AES 128-bit depends_on:PSA_WANT_KEY_TYPE_AES 
@@ -148,6 +156,34 @@ PSA storage read: type: HMAC 512-bit depends_on:PSA_WANT_KEY_TYPE_HMAC key_storage_read:0x0001:PSA_KEY_TYPE_HMAC:512:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48657265006973206b6579a06461746148657265006973206b6579a06461746148657265006973206b6579a06461746148657265006973206b6579a064617461":"505341004b4559000000000001000000001100020100000000000000000000004000000048657265006973206b6579a06461746148657265006973206b6579a06461746148657265006973206b6579a06461746148657265006973206b6579a064617461":1 +PSA storage read: type: PASSWORD 48-bit +depends_on:PSA_WANT_KEY_TYPE_PASSWORD +key_storage_read:0x0001:PSA_KEY_TYPE_PASSWORD:48:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"486572650069":"505341004b45590000000000010000000312300001000000000000000000000006000000486572650069":1 + +PSA storage read: type: PASSWORD 168-bit +depends_on:PSA_WANT_KEY_TYPE_PASSWORD +key_storage_read:0x0001:PSA_KEY_TYPE_PASSWORD:168:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48657265006973206b6579a0646174614865726500":"505341004b45590000000000010000000312a8000100000000000000000000001500000048657265006973206b6579a0646174614865726500":1 + +PSA storage read: type: PASSWORD 336-bit +depends_on:PSA_WANT_KEY_TYPE_PASSWORD +key_storage_read:0x0001:PSA_KEY_TYPE_PASSWORD:336:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48657265006973206b6579a06461746148657265006973206b6579a06461746148657265006973206b65":"505341004b4559000000000001000000031250010100000000000000000000002a00000048657265006973206b6579a06461746148657265006973206b6579a06461746148657265006973206b65":1 + +PSA storage read: type: PASSWORD_HASH 128-bit +depends_on:PSA_WANT_KEY_TYPE_PASSWORD_HASH +key_storage_read:0x0001:PSA_KEY_TYPE_PASSWORD_HASH:128:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48657265006973206b6579a064617461":"505341004b4559000000000001000000051280000100000000000000000000001000000048657265006973206b6579a064617461":1 + +PSA storage read: type: PASSWORD_HASH 256-bit +depends_on:PSA_WANT_KEY_TYPE_PASSWORD_HASH 
+key_storage_read:0x0001:PSA_KEY_TYPE_PASSWORD_HASH:256:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48657265006973206b6579a06461746148657265006973206b6579a064617461":"505341004b4559000000000001000000051200010100000000000000000000002000000048657265006973206b6579a06461746148657265006973206b6579a064617461":1 + +PSA storage read: type: PEPPER 128-bit +depends_on:PSA_WANT_KEY_TYPE_PEPPER +key_storage_read:0x0001:PSA_KEY_TYPE_PEPPER:128:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48657265006973206b6579a064617461":"505341004b4559000000000001000000061280000100000000000000000000001000000048657265006973206b6579a064617461":1 + +PSA storage read: type: PEPPER 256-bit +depends_on:PSA_WANT_KEY_TYPE_PEPPER +key_storage_read:0x0001:PSA_KEY_TYPE_PEPPER:256:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48657265006973206b6579a06461746148657265006973206b6579a064617461":"505341004b4559000000000001000000061200010100000000000000000000002000000048657265006973206b6579a06461746148657265006973206b6579a064617461":1 + PSA storage read: type: RAW_DATA 8-bit depends_on:PSA_WANT_KEY_TYPE_RAW_DATA key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"48":"505341004b4559000000000001000000011008000100000000000000000000000100000048":0 From 6983b4fffcb062c5e5ebe595880686c2a2dca620 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 3 May 2021 11:41:49 +0200 Subject: [PATCH 21/37] Add identifier for PBKDF2 with AES-CMAC-PRF-128 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This algorithm is used for example by the Thread 1.1.1 specification, which is not public but can be obtained free of charge at https://www.threadgroup.org/ThreadSpec Here it doesn't really make sense to define a parametrised family, as this really seems to be the only use of PBKDF2 with a CMAC-based PRF (or with any PRF other than HMAC with SHA1 or SHA2, for that matter). 
Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_values.h | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 917a0a2633..fa008d45a0 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1779,6 +1779,17 @@ #define PSA_ALG_PBKDF2_HMAC_GET_HASH(hkdf_alg) \ (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK)) +/** The PBKDF2-AES-CMAC-PRF-128 password hashing / key stretching algorithm. + * + * PBKDF2 is defined by PKCS#5, republished as RFC 8018 (section 5.2). + * This macro specifies the PBKDF2 algorithm constructed using the + * AES-CMAC-PRF-128 PRF specified by RFC 4615. + * + * This key derivation algorithm uses the same inputs as + * #PBKDF_ALG_PBKDF2_HMAC() with the same constraints. + */ +#define PSA_ALG_PBKDF2_AES_CMAC_PRF_128 ((psa_algorithm_t)0x08008200) + #define PSA_ALG_KEY_DERIVATION_MASK ((psa_algorithm_t)0xfe00ffff) #define PSA_ALG_KEY_AGREEMENT_MASK ((psa_algorithm_t)0xffff0000) From 40b81bf8f7ec9241dd4f99d4ec6de32cafb4aa00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 3 May 2021 11:53:40 +0200 Subject: [PATCH 22/37] Introduce PSA_ALG_GET_HASH() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit No need to introduce a specific macro for PBKDF2-HMAC when the PSA spec already has a generic one. Documentation from: https://armmbed.github.io/mbed-crypto/html/api/ops/algorithms.html#c.PSA_ALG_GET_HASH Implementation from: https://armmbed.github.io/mbed-crypto/html/appendix/specdef_values.html Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_values.h | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index fa008d45a0..6d34b0640b 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h 
@@ -1776,8 +1776,6 @@ */ #define PSA_ALG_IS_PBKDF2_HMAC(alg) \ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_PBKDF2_HMAC_BASE) -#define PSA_ALG_PBKDF2_HMAC_GET_HASH(hkdf_alg) \ - (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK)) /** The PBKDF2-AES-CMAC-PRF-128 password hashing / key stretching algorithm. * @@ -1927,6 +1925,18 @@ (alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0 : \ (alg) == PSA_ALG_ANY_HASH) +/** Get the hash used by a composite algorithm. + * + * \param alg An algorithm identifier (value of type #psa_algorithm_t). + * + * \return The underlying hash algorithm if alg is a composite algorithm that + * uses a hash algorithm. + * + * \return #PSA_ALG_NONE if alg is not a composite algorithm that uses a hash. + */ +#define PSA_ALG_GET_HASH(alg) \ + (((alg) & 0x000000ff) == 0 ? PSA_ALG_NONE : 0x02000000 | ((alg) & 0x000000ff)) + /**@}*/ /** \defgroup key_lifetimes Key lifetimes From c7f8dbe837fce2c599e3c227165dfcb94f2f699e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 4 May 2021 09:41:35 +0200 Subject: [PATCH 23/37] Update generated files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- programs/psa/psa_constant_names_generated.c | 1 + .../test_suite_psa_crypto_storage_format.current.data | 8 ++++++++ tests/suites/test_suite_psa_crypto_storage_format.v0.data | 8 ++++++++ 3 files changed, 17 insertions(+) diff --git a/programs/psa/psa_constant_names_generated.c b/programs/psa/psa_constant_names_generated.c index b7afbb9172..34919df769 100644 --- a/programs/psa/psa_constant_names_generated.c +++ b/programs/psa/psa_constant_names_generated.c 
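Review bot: The `PSA_ALG_GET_HASH()` added in the second hunk writes the hash mask and hash category as bare literals (`0x000000ff`, `0x02000000`), while the macro removed in the first hunk used `PSA_ALG_HASH_MASK` and `PSA_ALG_CATEGORY_HASH`. Assuming those names carry the same values, I would keep them so the decoder cannot drift from the encoding: `(((alg) & PSA_ALG_HASH_MASK) == 0 ? PSA_ALG_NONE : PSA_ALG_CATEGORY_HASH | ((alg) & PSA_ALG_HASH_MASK))`. The macro only tests the low byte, so the documented "`PSA_ALG_NONE` if alg is not a composite algorithm that uses a hash" holds only if no other algorithm family uses those bits; the comment should say that the caller is expected to check the algorithm category first. `PSA_ALG_NONE` is not defined by this commit (the page shows it arriving in patch 27, and the local `PSA_ALG_GET_HASH` in programs/psa/psa_constant_names.c is only removed in patch 26), so the intermediate commits may not build cleanly.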
@@ -224,6 +224,7 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size, case PSA_ALG_MD4: append(&buffer, buffer_size, &required_size, "PSA_ALG_MD4", 11); break; case PSA_ALG_MD5: append(&buffer, buffer_size, &required_size, "PSA_ALG_MD5", 11); break; case PSA_ALG_OFB: append(&buffer, buffer_size, &required_size, "PSA_ALG_OFB", 11); break; + case PSA_ALG_PBKDF2_AES_CMAC_PRF_128: append(&buffer, buffer_size, &required_size, "PSA_ALG_PBKDF2_AES_CMAC_PRF_128", 31); break; case PSA_ALG_PBKDF2_HMAC_BASE: append(&buffer, buffer_size, &required_size, "PSA_ALG_PBKDF2_HMAC_BASE", 24); break; case PSA_ALG_PURE_EDDSA: append(&buffer, buffer_size, &required_size, "PSA_ALG_PURE_EDDSA", 18); break; case PSA_ALG_RIPEMD160: append(&buffer, buffer_size, &required_size, "PSA_ALG_RIPEMD160", 17); break; diff --git a/tests/suites/test_suite_psa_crypto_storage_format.current.data b/tests/suites/test_suite_psa_crypto_storage_format.current.data index 546299ed36..6c280a2f7c 100644 --- a/tests/suites/test_suite_psa_crypto_storage_format.current.data +++ b/tests/suites/test_suite_psa_crypto_storage_format.current.data 
@@ -620,6 +620,14 @@ PSA storage save: alg2: PSA_ALG_OFB depends_on:PSA_WANT_ALG_OFB:PSA_WANT_KEY_TYPE_RAW_DATA key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0x0000:PSA_ALG_OFB:"4c":"505341004b45590000000000010000000110080001000000000000000012c004010000004c" +PSA storage save: alg: PSA_ALG_PBKDF2_AES_CMAC_PRF_128 +depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_KEY_TYPE_RAW_DATA +key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:0x0000:"4b":"505341004b455900000000000100000001100800010000000082000800000000010000004b" + +PSA storage save: alg2: PSA_ALG_PBKDF2_AES_CMAC_PRF_128 +depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_KEY_TYPE_RAW_DATA +key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0x0000:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:"4c":"505341004b455900000000000100000001100800010000000000000000820008010000004c" + PSA storage save: alg: PSA_ALG_PURE_EDDSA depends_on:PSA_WANT_ALG_PURE_EDDSA:PSA_WANT_KEY_TYPE_RAW_DATA key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:PSA_ALG_PURE_EDDSA:0x0000:"4b":"505341004b455900000000000100000001100800010000000008000600000000010000004b" diff --git a/tests/suites/test_suite_psa_crypto_storage_format.v0.data b/tests/suites/test_suite_psa_crypto_storage_format.v0.data index 72d1eb8464..83f80232d1 100644 --- a/tests/suites/test_suite_psa_crypto_storage_format.v0.data +++ b/tests/suites/test_suite_psa_crypto_storage_format.v0.data 
@@ -620,6 +620,14 @@ PSA storage read: alg2: PSA_ALG_OFB depends_on:PSA_WANT_ALG_OFB:PSA_WANT_KEY_TYPE_RAW_DATA key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0x0000:PSA_ALG_OFB:"4c":"505341004b45590000000000010000000110080001000000000000000012c004010000004c":0 +PSA storage read: alg: PSA_ALG_PBKDF2_AES_CMAC_PRF_128 +depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_KEY_TYPE_RAW_DATA +key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:0x0000:"4b":"505341004b455900000000000100000001100800010000000082000800000000010000004b":0 + +PSA storage read: alg2: PSA_ALG_PBKDF2_AES_CMAC_PRF_128 +depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_KEY_TYPE_RAW_DATA +key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0x0000:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:"4c":"505341004b455900000000000100000001100800010000000000000000820008010000004c":0 + PSA storage read: alg: PSA_ALG_PURE_EDDSA depends_on:PSA_WANT_ALG_PURE_EDDSA:PSA_WANT_KEY_TYPE_RAW_DATA key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:PSA_ALG_PURE_EDDSA:0x0000:"4b":"505341004b455900000000000100000001100800010000000008000600000000010000004b":0 From 805251b70c8e069b5e25b558f9f15b53dc0f6473 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 4 May 2021 09:49:59 +0200 Subject: [PATCH 24/37] Update psa_validate_key_policy() for the new policy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/psa_crypto.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 32568b3225..f2245f14c9 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -1571,6 +1571,7 @@ static psa_status_t psa_validate_key_policy( const psa_key_policy_t *policy ) PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | + PSA_KEY_USAGE_VERIFY_DERIVATION | PSA_KEY_USAGE_DERIVE ) ) != 0 ) return( PSA_ERROR_INVALID_ARGUMENT ); From 06638ae3e8ccb5973243ba7e7ebce0d8384eba9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 4 May 2021 10:19:37 +0200 Subject: [PATCH 25/37] Update "key stretching" flag MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_values.h | 8 +++++--- .../test_suite_psa_crypto_storage_format.current.data | 4 ++-- tests/suites/test_suite_psa_crypto_storage_format.v0.data | 4 ++-- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 6d34b0640b..4f75b1f66c 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1733,10 +1733,12 @@ * use on low-entropy secrets such as password - these algorithms are also * known as key stretching or password hashing schemes. These are also the * algorithms that accepts inputs of type #PSA_KEY_DERIVATION_INPUT_PASSWORD. + * + * Those algorithms cannot be combined with a key agreement algorithm. */ -#define PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG ((psa_algorithm_t)0x00008000) +#define PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG ((psa_algorithm_t)0x00800000) -#define PSA_ALG_PBKDF2_HMAC_BASE ((psa_algorithm_t)0x08008100) +#define PSA_ALG_PBKDF2_HMAC_BASE ((psa_algorithm_t)0x08800100) /** Macro to build a PBKDF2-HMAC password hashing / key stretching algorithm. * * PBKDF2 is defined by PKCS#5, republished as RFC 8018 (section 5.2). 
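Review bot: `PSA_KEY_USAGE_VERIFY_DERIVATION` becomes an accepted policy bit in psa_validate_key_policy() here, but the hunk does not show any code that honours it, so from this commit a key can carry a usage flag whose enforcement is not visible. Please confirm that psa_key_derivation_input_key() and the output/verify entry points check the flag within the same series, and that a test still expects `PSA_ERROR_INVALID_ARGUMENT` for a policy with an unknown usage bit. Because the mask is a hand-maintained list, a short comment above it such as `/* Keep in sync with the PSA_KEY_USAGE_xxx flags in crypto_values.h. */` would help the next flag addition. The function body starts and ends outside the hunk.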
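Review bot: The added sentence "Those algorithms cannot be combined with a key agreement algorithm" states a restriction without giving the reason or an enforcement point. With the flag moved to `0x00800000` it lies outside `PSA_ALG_KEY_DERIVATION_MASK` (`0xfe00ffff`, visible as context in the next hunk), so code that extracts the KDF from a combined identifier by masking would presumably drop the flag and see a different, non-stretching algorithm. I would put that in the comment, e.g. `* The flag lies outside #PSA_ALG_KEY_DERIVATION_MASK, so it is lost when the KDF is extracted from a key agreement algorithm.`, and check that such a combination is rejected rather than only documented. The same applies to the new value of `PSA_ALG_PBKDF2_AES_CMAC_PRF_128` in the following hunk; these identifiers are also written to key storage, as the updated storage-format vectors show, so the renumbering is only safe if the earlier values were never released.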
@@ -1786,7 +1788,7 @@ * This key derivation algorithm uses the same inputs as * #PBKDF_ALG_PBKDF2_HMAC() with the same constraints. */ -#define PSA_ALG_PBKDF2_AES_CMAC_PRF_128 ((psa_algorithm_t)0x08008200) +#define PSA_ALG_PBKDF2_AES_CMAC_PRF_128 ((psa_algorithm_t)0x08800200) #define PSA_ALG_KEY_DERIVATION_MASK ((psa_algorithm_t)0xfe00ffff) #define PSA_ALG_KEY_AGREEMENT_MASK ((psa_algorithm_t)0xffff0000) diff --git a/tests/suites/test_suite_psa_crypto_storage_format.current.data b/tests/suites/test_suite_psa_crypto_storage_format.current.data index 6c280a2f7c..732b80b6b9 100644 --- a/tests/suites/test_suite_psa_crypto_storage_format.current.data +++ b/tests/suites/test_suite_psa_crypto_storage_format.current.data @@ -622,11 +622,11 @@ key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0x0000:PSA_ PSA storage save: alg: PSA_ALG_PBKDF2_AES_CMAC_PRF_128 depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_KEY_TYPE_RAW_DATA -key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:0x0000:"4b":"505341004b455900000000000100000001100800010000000082000800000000010000004b" +key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:0x0000:"4b":"505341004b455900000000000100000001100800010000000002800800000000010000004b" PSA storage save: alg2: PSA_ALG_PBKDF2_AES_CMAC_PRF_128 depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_KEY_TYPE_RAW_DATA -key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0x0000:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:"4c":"505341004b455900000000000100000001100800010000000000000000820008010000004c" +key_storage_save:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0x0000:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:"4c":"505341004b455900000000000100000001100800010000000000000000028008010000004c" PSA storage save: alg: PSA_ALG_PURE_EDDSA depends_on:PSA_WANT_ALG_PURE_EDDSA:PSA_WANT_KEY_TYPE_RAW_DATA 
diff --git a/tests/suites/test_suite_psa_crypto_storage_format.v0.data b/tests/suites/test_suite_psa_crypto_storage_format.v0.data index 83f80232d1..82f55dd5da 100644 --- a/tests/suites/test_suite_psa_crypto_storage_format.v0.data +++ b/tests/suites/test_suite_psa_crypto_storage_format.v0.data @@ -622,11 +622,11 @@ key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0x0000:PSA_ PSA storage read: alg: PSA_ALG_PBKDF2_AES_CMAC_PRF_128 depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_KEY_TYPE_RAW_DATA -key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:0x0000:"4b":"505341004b455900000000000100000001100800010000000082000800000000010000004b":0 +key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:0x0000:"4b":"505341004b455900000000000100000001100800010000000002800800000000010000004b":0 PSA storage read: alg2: PSA_ALG_PBKDF2_AES_CMAC_PRF_128 depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_KEY_TYPE_RAW_DATA -key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0x0000:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:"4c":"505341004b455900000000000100000001100800010000000000000000820008010000004c":0 +key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0x0000:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:"4c":"505341004b455900000000000100000001100800010000000000000000028008010000004c":0 PSA storage read: alg: PSA_ALG_PURE_EDDSA depends_on:PSA_WANT_ALG_PURE_EDDSA:PSA_WANT_KEY_TYPE_RAW_DATA From c149e1de9b77e380c43bb01122aaaf9a59e18166 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 4 May 2021 10:25:05 +0200 Subject: [PATCH 26/37] Remove duplicated definition of PSA_ALG_GET_HASH() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- programs/psa/psa_constant_names.c | 6 ------ 1 file changed, 6 deletions(-) 
diff --git a/programs/psa/psa_constant_names.c b/programs/psa/psa_constant_names.c index 14d449441c..b5fea04ddc 100644 --- a/programs/psa/psa_constant_names.c +++ b/programs/psa/psa_constant_names.c @@ -52,12 +52,6 @@ int snprintf( char *s, size_t n, const char *fmt, ... ) } #endif -/* There are different GET_HASH macros for different kinds of algorithms - * built from hashes, but the values are all constructed on the - * same model. */ -#define PSA_ALG_GET_HASH(alg) \ - (((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH) - static void append(char **buffer, size_t buffer_size, size_t *required_size, const char *string, size_t length) From 71d955a79d4a8fbb9b579c00abd194cc019439c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 4 May 2021 10:32:39 +0200 Subject: [PATCH 27/37] Introduce PSA_ALG_NONE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It is required by the standard definition of PSA_ALG_GET_HASH. Documentation and definition from: https://armmbed.github.io/mbed-crypto/html/api/ops/algorithms.html#c.PSA_ALG_NONE Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_values.h | 6 ++++++ programs/psa/psa_constant_names_generated.c | 1 + 2 files changed, 7 insertions(+) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 4f75b1f66c..304182519f 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -713,6 +713,12 @@ 1u << PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) : \ 0u) +/** An invalid algorithm identifier value. + * + * Zero is not the encoding of any algorithm. + */ +#define PSA_ALG_NONE ((psa_algorithm_t)0) + /** Vendor-defined algorithm flag. * * Algorithms defined by this standard will never have the #PSA_ALG_VENDOR_FLAG diff --git a/programs/psa/psa_constant_names_generated.c b/programs/psa/psa_constant_names_generated.c index 34919df769..63c79ee9cc 100644 --- a/programs/psa/psa_constant_names_generated.c 
+++ b/programs/psa/psa_constant_names_generated.c @@ -223,6 +223,7 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size, case PSA_ALG_MD2: append(&buffer, buffer_size, &required_size, "PSA_ALG_MD2", 11); break; case PSA_ALG_MD4: append(&buffer, buffer_size, &required_size, "PSA_ALG_MD4", 11); break; case PSA_ALG_MD5: append(&buffer, buffer_size, &required_size, "PSA_ALG_MD5", 11); break; + case PSA_ALG_NONE: append(&buffer, buffer_size, &required_size, "PSA_ALG_NONE", 12); break; case PSA_ALG_OFB: append(&buffer, buffer_size, &required_size, "PSA_ALG_OFB", 11); break; case PSA_ALG_PBKDF2_AES_CMAC_PRF_128: append(&buffer, buffer_size, &required_size, "PSA_ALG_PBKDF2_AES_CMAC_PRF_128", 31); break; case PSA_ALG_PBKDF2_HMAC_BASE: append(&buffer, buffer_size, &required_size, "PSA_ALG_PBKDF2_HMAC_BASE", 24); break; From 5b79ee252e56b068a63d4753c6a87d51a430f0cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 4 May 2021 10:34:56 +0200 Subject: [PATCH 28/37] Fix typo in doxygen reference MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_values.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 304182519f..0f156a80f0 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1792,7 +1792,7 @@ * AES-CMAC-PRF-128 PRF specified by RFC 4615. * * This key derivation algorithm uses the same inputs as - * #PBKDF_ALG_PBKDF2_HMAC() with the same constraints. + * #PSA_ALG_PBKDF2_HMAC() with the same constraints. */ #define PSA_ALG_PBKDF2_AES_CMAC_PRF_128 ((psa_algorithm_t)0x08800200) From acfde465f0916eaf98c8d24007420efc545e199e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 5 May 2021 09:54:22 +0200 Subject: [PATCH 29/37] Mention USAGE_VERIFY_DERIVATION in input_key() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 074893fe5a..84cd90313b 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -3358,7 +3358,8 @@ psa_status_t psa_key_derivation_input_integer( * \param step Which step the input data is for. * \param key Identifier of the key. It must have an * appropriate type for step and must allow the - * usage #PSA_KEY_USAGE_DERIVE. + * usage #PSA_KEY_USAGE_DERIVE or + * #PSA_KEY_USAGE_VERIFY_DERIVATION. * * \retval #PSA_SUCCESS * Success. From 730f62a80ac675407359e28d4d887d4d90bffaec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 5 May 2021 10:05:06 +0200 Subject: [PATCH 30/37] Clarify the case of direct inputs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Now use the same description for INPUT_SECRET and INPUT_PASSWORD too. Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_values.h | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 0f156a80f0..f7d83020ba 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h 
@@ -2267,10 +2267,11 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * * The secret can also be a direct input (passed to * key_derivation_input_bytes()). In this case, the derivation operation - * may not be used to derive keys: the operation will only allow + * may not be used to derive or verify keys: the operation will only allow * psa_key_derivation_output_bytes() or - * psa_key_derivation_verify_xxx() but not - * psa_key_derivation_output_key(). + * psa_key_derivation_verify_bytes() but not + * psa_key_derivation_output_key() or + * psa_key_derivation_verify_key(). */ #define PSA_KEY_DERIVATION_INPUT_SECRET ((psa_key_derivation_step_t)0x0101) @@ -2282,9 +2283,13 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * also be high-entropy secret such as a key of type #PSA_KEY_TYPE_DERIVE or * the shared secret resulting from a key agreement. * - * If the secret is a direct input, the derivation operation - * may not be used to derive keys: the operation will only allow - * psa_key_derivation_output_bytes(), not psa_key_derivation_output_key(). + * The secret can also be a direct input (passed to + * key_derivation_input_bytes()). In this case, the derivation operation + * may not be used to derive or verify keys: the operation will only allow + * psa_key_derivation_output_bytes() or + * psa_key_derivation_verify_bytes(), not + * psa_key_derivation_output_key() or + * psa_key_derivation_verify_key(). */ #define PSA_KEY_DERIVATION_INPUT_PASSWORD ((psa_key_derivation_step_t)0x0102) From ece9087b9375b841b724d5f5551fc8d0347c4254 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 5 May 2021 10:26:29 +0200 Subject: [PATCH 31/37] Clarify requirement on usage flags MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
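Review bot: The text added to the description of #PSA_KEY_DERIVATION_INPUT_PASSWORD names `key_derivation_input_bytes()` without the `psa_` prefix that every other function reference in this comment carries. Doxygen will probably not link it, and a reader cannot grep for it. I would write `* psa_key_derivation_input_bytes()). In this case, the derivation operation`. The #PSA_KEY_DERIVATION_INPUT_SECRET hunk just before it has the same name on an unchanged context line and could be fixed in the same pass.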
Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto.h | 37 +++++++++++++++++++++++++++++++++---- 1 file changed, 33 insertions(+), 4 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 84cd90313b..ae4970c225 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -3359,12 +3359,30 @@ psa_status_t psa_key_derivation_input_integer( * \param key Identifier of the key. It must have an * appropriate type for step and must allow the * usage #PSA_KEY_USAGE_DERIVE or - * #PSA_KEY_USAGE_VERIFY_DERIVATION. + * #PSA_KEY_USAGE_VERIFY_DERIVATION (see note) + * and the algorithm used by the operation. + * + * \note Once all inputs steps are completed, the operations will allow: + * - psa_key_derivation_output_bytes() if each input was either a direct input + * or a key with #PSA_KEY_USAGE_DERIVE set; + * - psa_key_derivation_output_key() if each input was either a direct input + * or a key with #PSA_KEY_USAGE_DERIVE set and input for step + * #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD + * was from a key slot; + * - psa_key_derivation_verify_bytes() if each input was either a direct input + * or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set; + * - psa_key_derivation_verify_key() if each input was either a direct input + * or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set and input for step + * #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD + * was from a key slot. * * \retval #PSA_SUCCESS * Success. * \retval #PSA_ERROR_INVALID_HANDLE * \retval #PSA_ERROR_NOT_PERMITTED + * The key allows neither #PSA_KEY_USAGE_DERIVE nor + * #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this + * algorithm. * \retval #PSA_ERROR_INVALID_ARGUMENT * \c step is not compatible with the operation's algorithm. * \retval #PSA_ERROR_INVALID_ARGUMENT 
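Review bot: The new \note in the documentation of psa_key_derivation_input_key() treats every input as either a direct input or a key with a usage flag, but does not say how a secret supplied through psa_key_derivation_key_agreement() counts. That matters for psa_key_derivation_output_key() and the two verify functions, because an implementer will turn this note into the policy check. I would add one sentence saying which usage flag on the private key governs that case; the intended rule is not visible in this hunk. The opening line would also read better as `\note Once all input steps are completed, the operation will allow:`. The function's documentation continues outside the hunk.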
@@ -3477,6 +3495,9 @@ psa_status_t psa_key_derivation_key_agreement( * \param output_length Number of bytes to output. * * \retval #PSA_SUCCESS + * \retval #PSA_ERROR_NOT_PERMITTED + * One of the inputs was a key whose policy didn't allow + * #PSA_KEY_USAGE_DERIVE. * \retval #PSA_ERROR_INSUFFICIENT_DATA * The operation's capacity was less than * \p output_length bytes. Note that in this case, @@ -3624,8 +3645,10 @@ psa_status_t psa_key_derivation_output_bytes( * \retval #PSA_ERROR_INVALID_ARGUMENT * The provided key attributes are not valid for the operation. * \retval #PSA_ERROR_NOT_PERMITTED - * The #PSA_KEY_DERIVATION_INPUT_SECRET input was not provided through - * a key. + * The #PSA_KEY_DERIVATION_INPUT_SECRET or + * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + * key; or one of the inputs was a key whose policy didn't allow + * #PSA_KEY_USAGE_DERIVE. * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active and completed * all required input steps). @@ -3679,6 +3702,9 @@ psa_status_t psa_key_derivation_output_key( * \retval #PSA_ERROR_INVALID_SIGNATURE * The output was read successfully, but if differs from the expected * output. + * \retval #PSA_ERROR_NOT_PERMITTED + * One of the inputs was a key whose policy didn't allow + * #PSA_KEY_USAGE_VERIFY_DERIVATION. * \retval #PSA_ERROR_INSUFFICIENT_DATA * The operation's capacity was less than * \p output_length bytes. Note that in this case, 
@@ -3742,7 +3768,10 @@ psa_status_t psa_key_derivation_verify_bytes( * The key passed as the expected value has an invalid type. * \retval #PSA_ERROR_NOT_PERMITTED * The key passed as the expected value does not allow this usage or - * this algorithm. + * this algorithm; or the #PSA_KEY_DERIVATION_INPUT_SECRET or + * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + * key; or one of the inputs was a key whose policy didn't allow + * #PSA_KEY_USAGE_DERIVE. * \retval #PSA_ERROR_INSUFFICIENT_DATA * The operation's capacity was less than * the length of the expected value. In this case, From f9a68ad62a5ea783f1c3a6ad51ced87cabf36a80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 7 May 2021 12:11:38 +0200 Subject: [PATCH 32/37] Fix typos MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- docs/proposed/psa-driver-interface.md | 4 ++-- include/psa/crypto_values.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md index 0e9877df57..9e46eb0bdb 100644 --- a/docs/proposed/psa-driver-interface.md +++ b/docs/proposed/psa-driver-interface.md 
@@ -309,8 +309,8 @@ This family requires the following type and entry points: * `"key_derivation_input_key"` (opaque drivers only) * `"key_derivation_output_bytes"`: called by `psa_key_derivation_output_bytes()`; also by `psa_key_derivation_output_key()` for transparent drivers. * `"key_derivation_output_key"`: called by `psa_key_derivation_output_key()` for transparent drivers when deriving an asymmetric key pair, and also for opaque drivers. -* `"key_derivation_verify_output_bytes"` (opaque drivers only). -* `"key_derivation_verify_output_key"` (opaque drivers only). +* `"key_derivation_verify_bytes"` (opaque drivers only). +* `"key_derivation_verify_key"` (opaque drivers only). * `"key_derivation_abort"`: called by all key derivation functions of the PSA Cryptography API. TODO: key input and output for opaque drivers; deterministic key generation for transparent drivers diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index f7d83020ba..722f5bafe2 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -425,7 +425,7 @@ * This key type is suitable for passwords and passphrases which are typically * intended to be memorizable by humans, and have a low entropy relative to * their size. It can be used for randomly generated or derived keys with - * maximum or near-maximum entropy, but PSA_KEY_TYPE_DERIVE is more suitable + * maximum or near-maximum entropy, but #PSA_KEY_TYPE_DERIVE is more suitable * for such keys. It is not suitable for passwords with extremely low entropy, * such as numerical PINs. * From f0c28eff09288fde5cead64d07eaef450fe3843a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 7 May 2021 12:13:48 +0200 Subject: [PATCH 33/37] Avoid introducing PSA_ALG_NONE for now MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_values.h | 10 ++-------- programs/psa/psa_constant_names_generated.c | 1 - 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 722f5bafe2..5fba5382c0 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -713,12 +713,6 @@ 1u << PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) : \ 0u) -/** An invalid algorithm identifier value. - * - * Zero is not the encoding of any algorithm. - */ -#define PSA_ALG_NONE ((psa_algorithm_t)0) - /** Vendor-defined algorithm flag. * * Algorithms defined by this standard will never have the #PSA_ALG_VENDOR_FLAG @@ -1940,10 +1934,10 @@ * \return The underlying hash algorithm if alg is a composite algorithm that * uses a hash algorithm. * - * \return #PSA_ALG_NONE if alg is not a composite algorithm that uses a hash. + * \return \c 0 if alg is not a composite algorithm that uses a hash. */ #define PSA_ALG_GET_HASH(alg) \ - (((alg) & 0x000000ff) == 0 ? PSA_ALG_NONE : 0x02000000 | ((alg) & 0x000000ff)) + (((alg) & 0x000000ff) == 0 ? ((psa_algorithm_t)0) : 0x02000000 | ((alg) & 0x000000ff)) /**@}*/ diff --git a/programs/psa/psa_constant_names_generated.c b/programs/psa/psa_constant_names_generated.c index 63c79ee9cc..34919df769 100644 --- a/programs/psa/psa_constant_names_generated.c +++ b/programs/psa/psa_constant_names_generated.c 
@@ -223,7 +223,6 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size, case PSA_ALG_MD2: append(&buffer, buffer_size, &required_size, "PSA_ALG_MD2", 11); break; case PSA_ALG_MD4: append(&buffer, buffer_size, &required_size, "PSA_ALG_MD4", 11); break; case PSA_ALG_MD5: append(&buffer, buffer_size, &required_size, "PSA_ALG_MD5", 11); break; - case PSA_ALG_NONE: append(&buffer, buffer_size, &required_size, "PSA_ALG_NONE", 12); break; case PSA_ALG_OFB: append(&buffer, buffer_size, &required_size, "PSA_ALG_OFB", 11); break; case PSA_ALG_PBKDF2_AES_CMAC_PRF_128: append(&buffer, buffer_size, &required_size, "PSA_ALG_PBKDF2_AES_CMAC_PRF_128", 31); break; case PSA_ALG_PBKDF2_HMAC_BASE: append(&buffer, buffer_size, &required_size, "PSA_ALG_PBKDF2_HMAC_BASE", 24); break; From e88511d7fed18f1bfcf99f82ab52b1215f1e5868 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 7 May 2021 12:19:03 +0200 Subject: [PATCH 34/37] Try making one condition more readable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit No semantic change intended. Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index ae4970c225..2ae1ba1df4 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h 
@@ -3365,10 +3365,10 @@ psa_status_t psa_key_derivation_input_integer( * \note Once all inputs steps are completed, the operations will allow: * - psa_key_derivation_output_bytes() if each input was either a direct input * or a key with #PSA_KEY_USAGE_DERIVE set; - * - psa_key_derivation_output_key() if each input was either a direct input - * or a key with #PSA_KEY_USAGE_DERIVE set and input for step + * - psa_key_derivation_output_key() if the input for step * #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD - * was from a key slot; + * was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was + * either a direct input or a key with #PSA_KEY_USAGE_DERIVE set; * - psa_key_derivation_verify_bytes() if each input was either a direct input * or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set; * - psa_key_derivation_verify_key() if each input was either a direct input From 4feb611a4944d9b5e12942aee275b5a09051ebb4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 7 May 2021 12:22:21 +0200 Subject: [PATCH 35/37] Lift a restriction on usage of verify_key() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto.h | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 2ae1ba1df4..1780f9821f 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h 
@@ -3371,10 +3371,8 @@ psa_status_t psa_key_derivation_input_integer( * either a direct input or a key with #PSA_KEY_USAGE_DERIVE set; * - psa_key_derivation_verify_bytes() if each input was either a direct input * or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set; - * - psa_key_derivation_verify_key() if each input was either a direct input - * or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set and input for step - * #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD - * was from a key slot. + * - psa_key_derivation_verify_key() under the same conditions as + * psa_key_derivation_verify_bytes(). * * \retval #PSA_SUCCESS * Success. @@ -3768,10 +3766,8 @@ psa_status_t psa_key_derivation_verify_bytes( * The key passed as the expected value has an invalid type. * \retval #PSA_ERROR_NOT_PERMITTED * The key passed as the expected value does not allow this usage or - * this algorithm; or the #PSA_KEY_DERIVATION_INPUT_SECRET or - * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a - * key; or one of the inputs was a key whose policy didn't allow - * #PSA_KEY_USAGE_DERIVE. + * this algorithm; or one of the inputs was a key whose policy didn't + * allow #PSA_KEY_USAGE_VERIFY_DERIVATION. * \retval #PSA_ERROR_INSUFFICIENT_DATA * The operation's capacity was less than * the length of the expected value. In this case, From 2c44daf0bc2204500e6ead57f799964f352b617a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 10 May 2021 12:53:30 +0200 Subject: [PATCH 36/37] Add restriction on output_key alg for password hash MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 1780f9821f..6fee2b4676 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h 
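Review bot: Allowing psa_key_derivation_verify_key() "under the same conditions as psa_key_derivation_verify_bytes()" contradicts the descriptions of #PSA_KEY_DERIVATION_INPUT_SECRET and #PSA_KEY_DERIVATION_INPUT_PASSWORD in include/psa/crypto_values.h. Patch 30 of this series wrote those to say that after a direct input the operation allows psa_key_derivation_verify_bytes() but not psa_key_derivation_verify_key(). This commit touches only include/psa/crypto.h, so unless a change outside this series updates them, the two headers disagree on a policy rule. I would update both step descriptions in the same commit: change "may not be used to derive or verify keys" to "may not be used to derive keys", and move psa_key_derivation_verify_key() to the allowed side of each list, so that each ends `* psa_key_derivation_verify_bytes() or psa_key_derivation_verify_key(), but not` / `* psa_key_derivation_output_key().`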
@@ -3619,6 +3619,10 @@ psa_status_t psa_key_derivation_output_bytes( * on the derived key based on the attributes and strength of the secret key. * * \param[in] attributes The attributes for the new key. + * If the key type to be created is + * #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + * the policy must be the same as in the current + * operation. * \param[in,out] operation The key derivation operation object to read from. * \param[out] key On success, an identifier for the newly created * key. For persistent keys, this is the key From 4e02f01815557a04c30b73dcec99e6de3a808334 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 12 May 2021 10:05:45 +0200 Subject: [PATCH 37/37] Fix key type that wasn't updated earlier MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 6fee2b4676..dfd47314f5 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -3736,7 +3736,7 @@ psa_status_t psa_key_derivation_verify_bytes( * * This function calculates output bytes from a key derivation algorithm and * compares those bytes to an expected value, provided as key of type - * #PSA_KEY_TYPE_RAW_DATA, in constant time. + * #PSA_KEY_TYPE_PASSWORD_HASH. * If you view the key derivation's output as a stream of bytes, this * function destructively reads the number of bytes corresponding the the * length of the expected value from the stream before comparing them.
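Review bot: The new requirement on \p attributes does not say which status psa_key_derivation_output_key() returns when the key type is #PSA_KEY_TYPE_PASSWORD_HASH and the algorithm in the policy differs from the operation's. The \retval list lies outside this hunk, so I cannot see whether it already covers this. If it does not, the matching \retval entry should name the case, so that callers and driver authors agree on whether it is reported as an invalid argument or as a policy violation.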
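Review bot: Replacing `#PSA_KEY_TYPE_RAW_DATA, in constant time.` with `#PSA_KEY_TYPE_PASSWORD_HASH.` in the psa_key_derivation_verify_key() description also removes the statement that the comparison is done in constant time. The commit title ("Fix key type that wasn't updated earlier") does not mention this. For a function that compares a derived password hash against a stored one, callers rely on that property so that timing does not reveal how much of the value matched. It should stay in the contract unless it is stated elsewhere in this comment, which continues outside the hunk. I would keep it: `* #PSA_KEY_TYPE_PASSWORD_HASH, in constant time.`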