From 7607cd6e576b3c4ea0430fb0989b56975e56fd56 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 29 May 2019 17:35:00 +0200 Subject: [PATCH 01/13] Convert exercise_key_derivation_key to the new KDF API --- tests/suites/test_suite_psa_crypto.function | 27 ++++++++++++++------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 48f533764e..de88bfb0d5 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -530,9 +530,9 @@ static int exercise_key_derivation_key( psa_key_handle_t handle, if( usage & PSA_KEY_USAGE_DERIVE ) { + PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); if( PSA_ALG_IS_HKDF( alg ) ) { - PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); PSA_ASSERT( psa_key_derivation_input_bytes( &operation, PSA_KEY_DERIVATION_INPUT_SALT, label, @@ -545,17 +545,26 @@ static int exercise_key_derivation_key( psa_key_handle_t handle, seed, seed_length ) ); } -#if defined(PSA_PRE_1_0_KEY_DERIVATION) + else if( PSA_ALG_IS_TLS12_PRF( alg ) || + PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) ) + { + PSA_ASSERT( psa_key_derivation_input_bytes( &operation, + PSA_KEY_DERIVATION_INPUT_SEED, + seed, + seed_length ) ); + PSA_ASSERT( psa_key_derivation_input_key( &operation, + PSA_KEY_DERIVATION_INPUT_SECRET, + handle ) ); + PSA_ASSERT( psa_key_derivation_input_bytes( &operation, + PSA_KEY_DERIVATION_INPUT_LABEL, + label, + label_length ) ); + } else { - // legacy - PSA_ASSERT( psa_key_derivation( &operation, - handle, alg, - label, label_length, - seed, seed_length, - sizeof( output ) ) ); + TEST_ASSERT( ! "Key derivation algorithm not supported" ); } -#endif + PSA_ASSERT( psa_key_derivation_output_bytes( &operation, output, sizeof( output ) ) ); From 46d9fbc4a9ed2814c6850303a8088884c4df26d6 Mon Sep 17 00:00:00 2001 
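Review bot: The buffer names in the second hunk are accurate for only one branch. The new TLS 1.2 PRF branch passes `seed` as PSA_KEY_DERIVATION_INPUT_SEED and `label` as PSA_KEY_DERIVATION_INPUT_LABEL, while the HKDF branch above it passes `label` as the salt and `seed` as the info. A one-line comment above the two branches would stop a reader from taking the HKDF calls for a swapped-argument bug, for example `/* label and seed are arbitrary test inputs; the role each one plays depends on alg */`. exercise_key_derivation_key begins before the first hunk and continues past this one, so the declarations are not visible here.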
From: Janos Follath Date: Tue, 2 Jul 2019 13:42:16 +0100 Subject: [PATCH 02/13] Add test cases for exercise_key_derivation_key --- tests/suites/test_suite_psa_crypto.data | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index f618e13db0..61faed49e2 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -1466,6 +1466,14 @@ PSA import/exercise: ECP SECP256R1 keypair, ECDH depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECDH_C import_and_exercise_key:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1):256:PSA_ALG_ECDH +PSA import/exercise: HKDF SHA-256 +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +import_and_exercise_key:"c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0":PSA_KEY_TYPE_DERIVE:192:PSA_ALG_HKDF(PSA_ALG_SHA_256) + +PSA import/exercise: TLS 1.2 PRF SHA-256 +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +import_and_exercise_key:"c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0":PSA_KEY_TYPE_DERIVE:192:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256) + PSA sign: RSA PKCS#1 v1.5, raw depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 sign_deterministic:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_PKCS1V15_SIGN_RAW:"616263":"2c7744983f023ac7bb1c55529d83ed11a76a7898a1bb5ce191375a4aa7495a633d27879ff58eba5a57371c34feb1180e8b850d552476ebb5634df620261992f12ebee9097041dbbea85a42d45b344be5073ceb772ffc604954b9158ba81ec3dc4d9d65e3ab7aa318165f38c36f841f1c69cb1cfa494aa5cbb4d6c0efbafb043a" From 47f27ed752488a8193096c719692339fd6cd8324 Mon Sep 17 00:00:00 2001 
From: Janos Follath Date: Tue, 25 Jun 2019 13:24:52 +0100 Subject: [PATCH 03/13] Convert derive_full test to the new KDF API --- tests/suites/test_suite_psa_crypto.function | 38 +++++++++++++-------- 1 file changed, 23 insertions(+), 15 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index de88bfb0d5..90948d7bac 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -4340,8 +4340,8 @@ exit: /* BEGIN_CASE */ void derive_full( int alg_arg, data_t *key_data, - data_t *salt, - data_t *label, + data_t *input1, + data_t *input2, int requested_capacity_arg ) { psa_key_handle_t handle = 0; 
@@ -4362,33 +4362,41 @@ void derive_full( int alg_arg, PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, &handle ) ); + PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); + PSA_ASSERT( psa_key_derivation_set_capacity( &operation, + requested_capacity ) ); + /* Extraction phase. */ if( PSA_ALG_IS_HKDF( alg ) ) { - PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); - PSA_ASSERT( psa_key_derivation_set_capacity( &operation, - requested_capacity ) ); PSA_ASSERT( psa_key_derivation_input_bytes( &operation, PSA_KEY_DERIVATION_INPUT_SALT, - salt->x, salt->len ) ); + input1->x, input1->len ) ); PSA_ASSERT( psa_key_derivation_input_key( &operation, PSA_KEY_DERIVATION_INPUT_SECRET, handle ) ); PSA_ASSERT( psa_key_derivation_input_bytes( &operation, PSA_KEY_DERIVATION_INPUT_INFO, - label->x, label->len ) ); + input2->x, input2->len ) ); + } + else if( PSA_ALG_IS_TLS12_PRF( alg ) || + PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) ) + { + PSA_ASSERT( psa_key_derivation_input_bytes( &operation, + PSA_KEY_DERIVATION_INPUT_SEED, + input1->x, input1->len ) ); + PSA_ASSERT( psa_key_derivation_input_key( &operation, + PSA_KEY_DERIVATION_INPUT_SECRET, + handle ) ); + PSA_ASSERT( psa_key_derivation_input_bytes( &operation, + PSA_KEY_DERIVATION_INPUT_LABEL, + input2->x, input2->len ) ); } - -#if defined(PSA_PRE_1_0_KEY_DERIVATION) else { - // legacy - PSA_ASSERT( psa_key_derivation( &operation, handle, alg, - salt->x, salt->len, - label->x, label->len, - requested_capacity ) ); + TEST_ASSERT( ! "Key derivation algorithm not supported" ); } -#endif + PSA_ASSERT( psa_key_derivation_get_capacity( &operation, ¤t_capacity ) ); TEST_EQUAL( current_capacity, expected_capacity ); From e7e4706230a9e2a91aae5bf6d473bbc570814e7b Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 25 Jun 2019 14:35:43 +0100 Subject: [PATCH 04/13] Add derive_full test cases for TLS 1.2 PRF --- tests/suites/test_suite_psa_crypto.data | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 61faed49e2..10dac8f645 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -1995,6 +1995,14 @@ PSA key derivation: HKDF SHA-256, read maximum capacity depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C derive_full:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * 32 +PSA key derivation: TLS 1.2 PRF SHA-256, read maximum capacity minus 1 +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_full:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * 32 - 1 + +PSA key derivation: TLS 1.2 PRF SHA-256, read maximum capacity +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_full:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * 32 + PSA key derivation: HKDF SHA-256, exercise AES128-CTR depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CTR From f2815eaec6fd5e30f991cd936244a051bf06a7ae Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 3 Jul 2019 12:41:36 +0100 Subject: [PATCH 05/13] Refactor key derivation setup in tests --- tests/suites/test_suite_psa_crypto.function | 136 +++++++++----------- 1 file changed, 63 insertions(+), 73 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 90948d7bac..9efee51e3b 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function 
@@ -517,57 +517,76 @@ exit: return( 0 ); } +static int setup_key_derivation_wrap( psa_key_derivation_operation_t* operation, + psa_key_handle_t handle, + psa_algorithm_t alg, + unsigned char* input1, size_t input1_length, + unsigned char* input2, size_t input2_length, + size_t capacity ) +{ + PSA_ASSERT( psa_key_derivation_setup( operation, alg ) ); + if( PSA_ALG_IS_HKDF( alg ) ) + { + PSA_ASSERT( psa_key_derivation_input_bytes( operation, + PSA_KEY_DERIVATION_INPUT_SALT, + input1, input1_length ) ); + PSA_ASSERT( psa_key_derivation_input_key( operation, + PSA_KEY_DERIVATION_INPUT_SECRET, + handle ) ); + PSA_ASSERT( psa_key_derivation_input_bytes( operation, + PSA_KEY_DERIVATION_INPUT_INFO, + input2, + input2_length ) ); + } + else if( PSA_ALG_IS_TLS12_PRF( alg ) || + PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) ) + { + PSA_ASSERT( psa_key_derivation_input_bytes( operation, + PSA_KEY_DERIVATION_INPUT_SEED, + input1, input1_length ) ); + PSA_ASSERT( psa_key_derivation_input_key( operation, + PSA_KEY_DERIVATION_INPUT_SECRET, + handle ) ); + PSA_ASSERT( psa_key_derivation_input_bytes( operation, + PSA_KEY_DERIVATION_INPUT_LABEL, + input2, input2_length ) ); + } + else + { + TEST_ASSERT( ! 
"Key derivation algorithm not supported" ); + } + + PSA_ASSERT( psa_key_derivation_set_capacity( operation, capacity ) ); + + return( 1 ); + +exit: + return( 0 ); +} + + static int exercise_key_derivation_key( psa_key_handle_t handle, psa_key_usage_t usage, psa_algorithm_t alg ) { psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; - unsigned char label[16] = "This is a label."; - size_t label_length = sizeof( label ); - unsigned char seed[16] = "abcdefghijklmnop"; - size_t seed_length = sizeof( seed ); + unsigned char input1[] = "Input 1"; + size_t input1_length = sizeof( input1 ); + unsigned char input2[] = "Input 2"; + size_t input2_length = sizeof( input2 ); unsigned char output[1]; + size_t capacity = sizeof( output ); if( usage & PSA_KEY_USAGE_DERIVE ) { - PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); - if( PSA_ALG_IS_HKDF( alg ) ) - { - PSA_ASSERT( psa_key_derivation_input_bytes( &operation, - PSA_KEY_DERIVATION_INPUT_SALT, - label, - label_length ) ); - PSA_ASSERT( psa_key_derivation_input_key( &operation, - PSA_KEY_DERIVATION_INPUT_SECRET, - handle ) ); - PSA_ASSERT( psa_key_derivation_input_bytes( &operation, - PSA_KEY_DERIVATION_INPUT_INFO, - seed, - seed_length ) ); - } - else if( PSA_ALG_IS_TLS12_PRF( alg ) || - PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) ) - { - PSA_ASSERT( psa_key_derivation_input_bytes( &operation, - PSA_KEY_DERIVATION_INPUT_SEED, - seed, - seed_length ) ); - PSA_ASSERT( psa_key_derivation_input_key( &operation, - PSA_KEY_DERIVATION_INPUT_SECRET, - handle ) ); - PSA_ASSERT( psa_key_derivation_input_bytes( &operation, - PSA_KEY_DERIVATION_INPUT_LABEL, - label, - label_length ) ); - } - else - { - TEST_ASSERT( ! 
"Key derivation algorithm not supported" ); - } + if( !setup_key_derivation_wrap( &operation, handle, alg, + input1, input1_length, + input2, input2_length, capacity ) ) + goto exit; PSA_ASSERT( psa_key_derivation_output_bytes( &operation, output, - sizeof( output ) ) ); + capacity ) ); PSA_ASSERT( psa_key_derivation_abort( &operation ) ); } @@ -4362,40 +4381,11 @@ void derive_full( int alg_arg, PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, &handle ) ); - PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); - PSA_ASSERT( psa_key_derivation_set_capacity( &operation, - requested_capacity ) ); - - /* Extraction phase. */ - if( PSA_ALG_IS_HKDF( alg ) ) - { - PSA_ASSERT( psa_key_derivation_input_bytes( &operation, - PSA_KEY_DERIVATION_INPUT_SALT, - input1->x, input1->len ) ); - PSA_ASSERT( psa_key_derivation_input_key( &operation, - PSA_KEY_DERIVATION_INPUT_SECRET, - handle ) ); - PSA_ASSERT( psa_key_derivation_input_bytes( &operation, - PSA_KEY_DERIVATION_INPUT_INFO, - input2->x, input2->len ) ); - } - else if( PSA_ALG_IS_TLS12_PRF( alg ) || - PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) ) - { - PSA_ASSERT( psa_key_derivation_input_bytes( &operation, - PSA_KEY_DERIVATION_INPUT_SEED, - input1->x, input1->len ) ); - PSA_ASSERT( psa_key_derivation_input_key( &operation, - PSA_KEY_DERIVATION_INPUT_SECRET, - handle ) ); - PSA_ASSERT( psa_key_derivation_input_bytes( &operation, - PSA_KEY_DERIVATION_INPUT_LABEL, - input2->x, input2->len ) ); - } - else - { - TEST_ASSERT( ! "Key derivation algorithm not supported" ); - } + if( !setup_key_derivation_wrap( &operation, handle, alg, + input1->x, input1->len, + input2->x, input2->len, + requested_capacity ) ) + goto exit; PSA_ASSERT( psa_key_derivation_get_capacity( &operation, ¤t_capacity ) ); From e60c9052ecb714b1bf5692f11ff1bba444e25ec5 Mon Sep 17 00:00:00 2001 
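Review bot: setup_key_derivation_wrap returns 1 on success and 0 on failure, the opposite of the psa_status_t convention used by every call inside it, and nothing in the hunk documents that. A call site that tests the result the wrong way round would skip the rest of its test on success and could still report a pass, so the contract deserves a header comment such as `/* Returns 1 on success, 0 on failure; call as if( !setup_key_derivation_wrap( ... ) ) goto exit; */`. The comment should also say that input1 is the HKDF salt or the TLS 1.2 PRF seed, and input2 the HKDF info or the TLS 1.2 PRF label. Both buffers are only read in this hunk, so `const unsigned char *input1` and `const unsigned char *input2` would state that in the signature.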
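Review bot: derive_full no longer sets the capacity before the inputs are supplied. The removed lines called psa_key_derivation_set_capacity right after psa_key_derivation_setup, while setup_key_derivation_wrap, added earlier in this patch, calls it after all three inputs. The psa_key_derivation_get_capacity check that follows therefore stops covering the earlier ordering. If that ordering is meant to stay tested, keep one case that sets the capacity first; otherwise record the order at the call, e.g. `/* capacity is set after the inputs, inside setup_key_derivation_wrap */`. derive_full starts before and ends after this hunk.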
From: Janos Follath Date: Wed, 3 Jul 2019 13:51:30 +0100 Subject: [PATCH 06/13] Convert derive_key_exercise to the new KDF API --- tests/suites/test_suite_psa_crypto.data | 12 ++++++------ tests/suites/test_suite_psa_crypto.function | 15 ++++++++------- 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 10dac8f645..e83618fd28 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -2004,27 +2004,27 @@ depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION derive_full:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * 32 PSA key derivation: HKDF SHA-256, exercise AES128-CTR -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:!PSA_PRE_1_0_KEY_DERIVATION derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CTR PSA key derivation: HKDF SHA-256, exercise AES256-CTR -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:!PSA_PRE_1_0_KEY_DERIVATION derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:256:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CTR PSA key derivation: HKDF SHA-256, exercise DES-CBC -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:!PSA_PRE_1_0_KEY_DERIVATION derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DES:64:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CBC_PKCS7 PSA key derivation: HKDF SHA-256, exercise 2-key 3DES-CBC -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:!PSA_PRE_1_0_KEY_DERIVATION 
derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DES:128:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CBC_PKCS7 PSA key derivation: HKDF SHA-256, exercise 3-key 3DES-CBC -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:!PSA_PRE_1_0_KEY_DERIVATION derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DES:192:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CBC_PKCS7 PSA key derivation: HKDF SHA-256, exercise HMAC-SHA-256 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_HMAC:256:PSA_KEY_USAGE_SIGN:PSA_ALG_HMAC(PSA_ALG_SHA_256) PSA key derivation: HKDF SHA-256, exercise HKDF-SHA-256 diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 9efee51e3b..a36a8aff59 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -4419,11 +4419,11 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_PRE_1_0_KEY_DERIVATION */ +/* BEGIN_CASE */ void derive_key_exercise( int alg_arg, data_t *key_data, - data_t *salt, - data_t *label, + data_t *input1, + data_t *input2, int derived_type_arg, int derived_bits_arg, int derived_usage_arg, 
@@ -4450,10 +4450,11 @@ void derive_key_exercise( int alg_arg, &base_handle ) ); /* Derive a key. */ - PSA_ASSERT( psa_key_derivation( &operation, base_handle, alg, - salt->x, salt->len, - label->x, label->len, - capacity ) ); + if ( setup_key_derivation_wrap( &operation, base_handle, alg, + input1->x, input1->len, + input2->x, input2->len, capacity ) ) + goto exit; + psa_set_key_usage_flags( &attributes, derived_usage ); psa_set_key_algorithm( &attributes, derived_alg ); psa_set_key_type( &attributes, derived_type ); From 8d98a1e62648443b06a1085b5b2777bb4b1857f7 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 3 Jul 2019 14:02:15 +0100 Subject: [PATCH 07/13] Add derive_key_exercise test cases for TLS 1.2 PRF --- tests/suites/test_suite_psa_crypto.data | 30 ++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index e83618fd28..11d61d4b34 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
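Review bot: The condition on the new setup_key_derivation_wrap call is inverted: `if ( setup_key_derivation_wrap( ... ) ) goto exit;` jumps to exit when setup succeeds. The helper returns 1 on success and 0 on failure, and the other call sites in this series all test `!setup_key_derivation_wrap( ... )`. As written, the success path skips the rest of the test body, so the derive_key_exercise cases can finish without deriving or exercising any key, and a failed setup falls through into the code that follows. The line should read `if( !setup_key_derivation_wrap( &operation, base_handle, alg,`. The function body starts before and continues after this hunk.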
@@ -2027,9 +2027,33 @@ PSA key derivation: HKDF SHA-256, exercise HMAC-SHA-256 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_HMAC:256:PSA_KEY_USAGE_SIGN:PSA_ALG_HMAC(PSA_ALG_SHA_256) -PSA key derivation: HKDF SHA-256, exercise HKDF-SHA-256 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DERIVE:400:PSA_KEY_USAGE_DERIVE:PSA_ALG_HKDF(PSA_ALG_SHA_256) +PSA key derivation: TLS 1.2 PRF SHA-256, exercise AES128-CTR +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:!PSA_PRE_1_0_KEY_DERIVATION +derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CTR + +PSA key derivation: TLS 1.2 PRF SHA-256, exercise AES256-CTR +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:!PSA_PRE_1_0_KEY_DERIVATION +derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:256:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CTR + +PSA key derivation: TLS 1.2 PRF SHA-256, exercise DES-CBC +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:!PSA_PRE_1_0_KEY_DERIVATION +derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DES:64:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CBC_PKCS7 + +PSA key derivation: TLS 1.2 PRF SHA-256, exercise 2-key 3DES-CBC 
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:!PSA_PRE_1_0_KEY_DERIVATION +derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DES:128:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CBC_PKCS7 + +PSA key derivation: TLS 1.2 PRF SHA-256, exercise 3-key 3DES-CBC +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:!PSA_PRE_1_0_KEY_DERIVATION +derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DES:192:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CBC_PKCS7 + +PSA key derivation: TLS 1.2 PRF SHA-256, exercise HMAC-SHA-256 +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_HMAC:256:PSA_KEY_USAGE_SIGN:PSA_ALG_HMAC(PSA_ALG_SHA_256) + +PSA key derivation: TLS 1.2 PRF SHA-256, exercise HKDF-SHA-256 +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DERIVE:400:PSA_KEY_USAGE_DERIVE:PSA_ALG_HKDF(PSA_ALG_SHA_256) PSA key derivation: HKDF SHA-256, derive key, 16+32 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C From 42fd888ab09c1aa32c7b20bd3ac8f6b7ea618f4f Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 3 Jul 2019 14:17:09 +0100 Subject: [PATCH 08/13] Convert derive_key_export to the new KDF API --- tests/suites/test_suite_psa_crypto.data | 8 +++---- tests/suites/test_suite_psa_crypto.function | 24 +++++++++++---------- 2 files changed, 17 insertions(+), 15 deletions(-) 
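Review bot: The existing case "PSA key derivation: HKDF SHA-256, exercise HKDF-SHA-256" (PSA_ALG_HKDF deriving a 400-bit PSA_KEY_TYPE_DERIVE key) is dropped here and none of the added cases restores it; every added line uses PSA_ALG_TLS12_PRF. The commit subject says test cases are added, so the loss of HKDF-to-HKDF coverage looks unintended, possibly the result of editing the last HKDF block in place. Keeping the three removed lines in front of the new TLS 1.2 PRF block would preserve it. Whether that case also needs the `!PSA_PRE_1_0_KEY_DERIVATION` dependency that the previous patch added to the other HKDF cases should be checked.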
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 11d61d4b34..cf1911fc88 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -2055,12 +2055,12 @@ PSA key derivation: TLS 1.2 PRF SHA-256, exercise HKDF-SHA-256 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DERIVE:400:PSA_KEY_USAGE_DERIVE:PSA_ALG_HKDF(PSA_ALG_SHA_256) -PSA key derivation: HKDF SHA-256, derive key, 16+32 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +PSA key derivation: HKDF SHA-256, derive key export, 16+32 +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION derive_key_export:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":16:32 -PSA key derivation: HKDF SHA-256, derive key, 1+41 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +PSA key derivation: HKDF SHA-256, derive key export, 1+41 +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION derive_key_export:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":1:41 PSA key agreement setup: ECDH + HKDF-SHA-256: good diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index a36a8aff59..a6fcdb5c29 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -4480,11 +4480,11 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_PRE_1_0_KEY_DERIVATION */ +/* BEGIN_CASE */ void derive_key_export( int alg_arg, data_t *key_data, - data_t *salt, - data_t *label, + data_t *input1, + data_t *input2, int bytes1_arg, int bytes2_arg ) { 
@@ -4512,20 +4512,22 @@ void derive_key_export( int alg_arg, &base_handle ) ); /* Derive some material and output it. */ - PSA_ASSERT( psa_key_derivation( &operation, base_handle, alg, - salt->x, salt->len, - label->x, label->len, - capacity ) ); + if( !setup_key_derivation_wrap( &operation, base_handle, alg, + input1->x, input1->len, + input2->x, input2->len, capacity ) ) + goto exit; + PSA_ASSERT( psa_key_derivation_output_bytes( &operation, output_buffer, capacity ) ); PSA_ASSERT( psa_key_derivation_abort( &operation ) ); /* Derive the same output again, but this time store it in key objects. */ - PSA_ASSERT( psa_key_derivation( &operation, base_handle, alg, - salt->x, salt->len, - label->x, label->len, - capacity ) ); + if( !setup_key_derivation_wrap( &operation, base_handle, alg, + input1->x, input1->len, + input2->x, input2->len, capacity ) ) + goto exit; + psa_set_key_usage_flags( &derived_attributes, PSA_KEY_USAGE_EXPORT ); psa_set_key_algorithm( &derived_attributes, 0 ); psa_set_key_type( &derived_attributes, PSA_KEY_TYPE_RAW_DATA ); From 5ab0e0b601f0d82abd515fd8843fe1be040a00a3 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 3 Jul 2019 14:21:29 +0100 Subject: [PATCH 09/13] Add derive_key_export test cases for TLS 1.2 PRF --- tests/suites/test_suite_psa_crypto.data | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index cf1911fc88..c609a02317 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -2063,6 +2063,14 @@ PSA key derivation: HKDF SHA-256, derive key export, 1+41 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION derive_key_export:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":1:41 +PSA key derivation: TLS 1.2 PRF SHA-256, derive key export, 16+32 +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_key_export:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":16:32 + +PSA key derivation: TLS 1.2 PRF SHA-256, derive key export, 1+41 +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_key_export:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":1:41 + PSA key agreement setup: ECDH + HKDF-SHA-256: good depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECDH_C:MBEDTLS_MD_C:MBEDTLS_SHA256_C key_agreement_setup:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":PSA_SUCCESS From d958bb7aae4e45a125cb82cbbac431ee1d6662d1 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 3 Jul 2019 15:02:16 +0100 Subject: [PATCH 10/13] Convert invalid_key_derivation_state to new API Convert the test_derive_invalid_key_derivation_state() test to the new KDF API. --- tests/suites/test_suite_psa_crypto.data | 6 +++--- tests/suites/test_suite_psa_crypto.function | 24 +++++++++++---------- 2 files changed, 16 insertions(+), 14 deletions(-) 
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index c609a02317..7a52f804d1 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -1827,9 +1827,9 @@ PSA key derivation: TLS 1.2 PRF SHA-256, bad key type depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_RAW_DATA:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE -PSA key derivation: invalid state (double generate + read past capacity) -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -test_derive_invalid_key_derivation_state: +PSA key derivation: HKDF invalid state (double generate + read past capacity) +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +test_derive_invalid_key_derivation_state:PSA_ALG_HKDF(PSA_ALG_SHA_256) PSA key derivation: invalid state (call read/get_capacity after init and abort) depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index a6fcdb5c29..1d06d62e73 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function 
@@ -4163,13 +4163,17 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_PRE_1_0_KEY_DERIVATION */ -void test_derive_invalid_key_derivation_state( ) +/* BEGIN_CASE */ +void test_derive_invalid_key_derivation_state( int alg_arg ) { + psa_algorithm_t alg = alg_arg; psa_key_handle_t handle = 0; size_t key_type = PSA_KEY_TYPE_DERIVE; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; - psa_algorithm_t alg = PSA_ALG_HKDF( PSA_ALG_SHA_256 ); + unsigned char input1[] = "Input 1"; + size_t input1_length = sizeof( input1 ); + unsigned char input2[] = "Input 2"; + size_t input2_length = sizeof( input2 ); uint8_t buffer[42]; size_t capacity = sizeof( buffer ); const uint8_t key_data[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, @@ -4188,16 +4192,14 @@ void test_derive_invalid_key_derivation_state( ) &handle ) ); /* valid key derivation */ - PSA_ASSERT( psa_key_derivation( &operation, handle, alg, - NULL, 0, - NULL, 0, - capacity ) ); + if( !setup_key_derivation_wrap( &operation, handle, alg, + input1, input1_length, + input2, input2_length, + capacity ) ) + goto exit; /* state of operation shouldn't allow additional generation */ - TEST_EQUAL( psa_key_derivation( &operation, handle, alg, - NULL, 0, - NULL, 0, - capacity ), + TEST_EQUAL( psa_key_derivation_setup( &operation, alg ), PSA_ERROR_BAD_STATE ); PSA_ASSERT( psa_key_derivation_output_bytes( &operation, buffer, capacity ) ); From 343067e0d196e6c5b0f827104b87e33f6a4c010d Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 3 Jul 2019 15:07:53 +0100 Subject: [PATCH 11/13] Add invalid_key_derivation test cases for TLS PRF Add test_derive_invalid_key_derivation_state test cases for TLS 1.2 PRF. --- tests/suites/test_suite_psa_crypto.data | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 7a52f804d1..53f842201b 100644 --- a/tests/suites/test_suite_psa_crypto.data 
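Review bot: The rewritten double-setup check in the second hunk relies on the operation staying usable after a rejected call. `TEST_EQUAL( psa_key_derivation_setup( &operation, alg ), PSA_ERROR_BAD_STATE );` is followed directly by a `PSA_ASSERT( psa_key_derivation_output_bytes( ... ) )` on the same operation. That holds only if a setup call on an active operation returns PSA_ERROR_BAD_STATE without resetting it, which is an implementation property this test now pins. The comment above the check still speaks of "additional generation"; it could instead read `/* a second setup on an active operation must fail and leave the operation intact */`. The test function continues past the end of this hunk.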
+++ b/tests/suites/test_suite_psa_crypto.data @@ -1831,6 +1831,10 @@ PSA key derivation: HKDF invalid state (double generate + read past capacity) depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION test_derive_invalid_key_derivation_state:PSA_ALG_HKDF(PSA_ALG_SHA_256) +PSA key derivation: TLS 1.2 PRF invalid state (double generate + read past capacity) +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +test_derive_invalid_key_derivation_state:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256) + PSA key derivation: invalid state (call read/get_capacity after init and abort) depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C test_derive_invalid_key_derivation_tests: From 4e2cc5353cada4eddd6066e612bdb8e006cc0067 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 29 May 2019 14:30:27 +0200 Subject: [PATCH 12/13] Update key_ladder_demo to the current key derivation API --- programs/psa/key_ladder_demo.c | 65 ++++++++++++++++++---------------- 1 file changed, 34 insertions(+), 31 deletions(-) diff --git a/programs/psa/key_ladder_demo.c b/programs/psa/key_ladder_demo.c index 426e41f870..800896f120 100644 --- a/programs/psa/key_ladder_demo.c +++ b/programs/psa/key_ladder_demo.c 
@@ -63,27 +63,25 @@ #include "mbedtls/platform_util.h" // for mbedtls_platform_zeroize +#include + /* If the build options we need are not enabled, compile a placeholder. */ #if !defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) || \ !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CCM_C) || \ !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_FS_IO) ||\ - !defined(PSA_PRE_1_0_KEY_DERIVATION) + defined(PSA_PRE_1_0_KEY_DERIVATION) int main( void ) { printf("MBEDTLS_SHA256_C and/or MBEDTLS_MD_C and/or " "MBEDTLS_AES_C and/or MBEDTLS_CCM_C and/or " "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO and/or " - "PSA_PRE_1_0_KEY_DERIVATION not defined.\n"); + "not defined and/or PSA_PRE_1_0_KEY_DERIVATION defined.\n"); return( 0 ); } #else /* The real program starts here. */ - - -#include - /* Run a system function and bail out if it fails. */ #define SYS_CHECK( expr ) \ do \ @@ -281,7 +279,7 @@ static psa_status_t derive_key_ladder( const char *ladder[], { psa_status_t status = PSA_SUCCESS; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_derivation_operation_t generator = PSA_KEY_DERIVATION_OPERATION_INIT; + psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; size_t i; psa_set_key_usage_flags( &attributes, 
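Review bot: The placeholder message in the first hunk now prints a stray "and/or". The unchanged literal ends with `"MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO and/or "` and the new one starts with `"not defined and/or ..."`, so the output reads "MBEDTLS_FS_IO and/or not defined and/or PSA_PRE_1_0_KEY_DERIVATION defined." Dropping the trailing "and/or " from the preceding literal fixes it: `"MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO "` followed by `"not defined and/or PSA_PRE_1_0_KEY_DERIVATION defined.\n");`.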
@@ -295,26 +293,28 @@ static psa_status_t derive_key_ladder( const char *ladder[], { /* Start deriving material from the master key (if i=0) or from * the current intermediate key (if i>0). */ - PSA_CHECK( psa_key_derivation( - &generator, - *key_handle, - KDF_ALG, - DERIVE_KEY_SALT, DERIVE_KEY_SALT_LENGTH, - (uint8_t*) ladder[i], strlen( ladder[i] ), - KEY_SIZE_BYTES ) ); + PSA_CHECK( psa_key_derivation_setup( &operation, KDF_ALG ) ); + PSA_CHECK( psa_key_derivation_input_bytes( + &operation, PSA_KEY_DERIVATION_INPUT_SALT, + DERIVE_KEY_SALT, DERIVE_KEY_SALT_LENGTH ) ); + PSA_CHECK( psa_key_derivation_input_key( + &operation, PSA_KEY_DERIVATION_INPUT_SECRET, + *key_handle ) ); + PSA_CHECK( psa_key_derivation_input_bytes( + &operation, PSA_KEY_DERIVATION_INPUT_INFO, + (uint8_t*) ladder[i], strlen( ladder[i] ) ) ); /* When the parent key is not the master key, destroy it, * since it is no longer needed. */ PSA_CHECK( psa_close_key( *key_handle ) ); *key_handle = 0; - /* Use the generator obtained from the parent key to create - * the next intermediate key. */ - PSA_CHECK( psa_key_derivation_output_key( &attributes, &generator, - key_handle ) ); - PSA_CHECK( psa_key_derivation_abort( &generator ) ); + /* Derive the next intermediate key from the parent key. */ + PSA_CHECK( psa_key_derivation_output_key( &attributes, &operation, + key_handle ) ); + PSA_CHECK( psa_key_derivation_abort( &operation ) ); } exit: - psa_key_derivation_abort( &generator ); + psa_key_derivation_abort( &operation ); if( status != PSA_SUCCESS ) { psa_close_key( *key_handle ); @@ -330,7 +330,7 @@ static psa_status_t derive_wrapping_key( psa_key_usage_t usage, { psa_status_t status = PSA_SUCCESS; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_derivation_operation_t generator = PSA_KEY_DERIVATION_OPERATION_INIT; + psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; *wrapping_key_handle = 0; psa_set_key_usage_flags( &attributes, usage ); 
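Review bot: The converted sequence in derive_key_ladder no longer bounds how much output the derivation may produce. The removed psa_key_derivation() call passed `KEY_SIZE_BYTES` as its capacity, and nothing replaces it after `psa_key_derivation_setup`. The operation is aborted right after `psa_key_derivation_output_key`, so this looks harmless as written. Restoring the limit would keep the one-key-per-derivation intent explicit: `PSA_CHECK( psa_key_derivation_set_capacity( &operation, KEY_SIZE_BYTES ) );` directly after the setup call. The same applies to derive_wrapping_key in the `@@ -338,18 +338,21 @@` hunk, where the old capacity was `PSA_BITS_TO_BYTES( WRAPPING_KEY_BITS )`; the function body here starts and ends outside the hunk.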
@@ -338,18 +338,21 @@ static psa_status_t derive_wrapping_key( psa_key_usage_t usage, psa_set_key_type( &attributes, PSA_KEY_TYPE_AES ); psa_set_key_bits( &attributes, WRAPPING_KEY_BITS ); - PSA_CHECK( psa_key_derivation( - &generator, - derived_key_handle, - KDF_ALG, - WRAPPING_KEY_SALT, WRAPPING_KEY_SALT_LENGTH, - NULL, 0, - PSA_BITS_TO_BYTES( WRAPPING_KEY_BITS ) ) ); - PSA_CHECK( psa_key_derivation_output_key( &attributes, &generator, - wrapping_key_handle ) ); + PSA_CHECK( psa_key_derivation_setup( &operation, KDF_ALG ) ); + PSA_CHECK( psa_key_derivation_input_bytes( + &operation, PSA_KEY_DERIVATION_INPUT_SALT, + WRAPPING_KEY_SALT, WRAPPING_KEY_SALT_LENGTH ) ); + PSA_CHECK( psa_key_derivation_input_key( + &operation, PSA_KEY_DERIVATION_INPUT_SECRET, + derived_key_handle ) ); + PSA_CHECK( psa_key_derivation_input_bytes( + &operation, PSA_KEY_DERIVATION_INPUT_INFO, + NULL, 0 ) ); + PSA_CHECK( psa_key_derivation_output_key( &attributes, &operation, + wrapping_key_handle ) ); exit: - psa_key_derivation_abort( &generator ); + psa_key_derivation_abort( &operation ); if( status != PSA_SUCCESS ) { psa_close_key( *wrapping_key_handle ); From 2a38e2477aeca86c881f04a9acc95ee4cd1171fa Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 29 May 2019 14:33:00 +0200 Subject: [PATCH 13/13] Slightly simplify derive_wrapping_key No error can arise after the wrapping key is created, so remove the corresponding cleanup code. --- programs/psa/key_ladder_demo.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/programs/psa/key_ladder_demo.c b/programs/psa/key_ladder_demo.c index 800896f120..91e5178706 100644 --- a/programs/psa/key_ladder_demo.c +++ b/programs/psa/key_ladder_demo.c 
@@ -333,11 +333,9 @@ static psa_status_t derive_wrapping_key( psa_key_usage_t usage, psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; *wrapping_key_handle = 0; - psa_set_key_usage_flags( &attributes, usage ); - psa_set_key_algorithm( &attributes, WRAPPING_ALG ); - psa_set_key_type( &attributes, PSA_KEY_TYPE_AES ); - psa_set_key_bits( &attributes, WRAPPING_KEY_BITS ); + /* Set up a key derivation operation from the key derived from + * the master key. */ PSA_CHECK( psa_key_derivation_setup( &operation, KDF_ALG ) ); PSA_CHECK( psa_key_derivation_input_bytes( &operation, PSA_KEY_DERIVATION_INPUT_SALT, @@ -348,16 +346,17 @@ static psa_status_t derive_wrapping_key( psa_key_usage_t usage, PSA_CHECK( psa_key_derivation_input_bytes( &operation, PSA_KEY_DERIVATION_INPUT_INFO, NULL, 0 ) ); + + /* Create the wrapping key. */ + psa_set_key_usage_flags( &attributes, usage ); + psa_set_key_algorithm( &attributes, WRAPPING_ALG ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_AES ); + psa_set_key_bits( &attributes, WRAPPING_KEY_BITS ); PSA_CHECK( psa_key_derivation_output_key( &attributes, &operation, wrapping_key_handle ) ); exit: psa_key_derivation_abort( &operation ); - if( status != PSA_SUCCESS ) - { - psa_close_key( *wrapping_key_handle ); - *wrapping_key_handle = 0; - } return( status ); }
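Review bot: Removing the failure cleanup at `exit:` in the second hunk makes derive_wrapping_key depend on two things the code does not state. One is that `psa_key_derivation_output_key` is the last call that can fail; the other is that it leaves `*wrapping_key_handle` at 0 when it does fail, which is not visible here and is assumed. A PSA_CHECK added later after the output call would return an error with a live wrapping-key handle still set. A comment at the label would record the invariant, for example `/* No handle cleanup: output_key is the last fallible call, so on error no key was created. */`. The function starts outside the hunk.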