From 887e2a70f3001b072bcd74e35630601d18e66033 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 16 Mar 2021 23:00:22 +0100 Subject: [PATCH 001/131] Separate issue templates for bugs and enhancements Mostly reuse the existing issue template, but with separate template for bug reports and feature requests. I made some minor tweaks to the presentation which should hopefully reduce the propensity of users to side-step the template rather than fill it in. In particular, most users should usually not need to remove any parts. I removed specific mentions of Mbed OS since the Mbed TLS project is no longer tightly associated with Mbed OS. I removed "Peer device TLS stack and version" because that's rarely relevant and, in my experience, is mentioned when relevant. Signed-off-by: Gilles Peskine --- .github/ISSUE_TEMPLATE/bug_report.md | 35 +++++++++++++++++++++++ .github/ISSUE_TEMPLATE/feature_request.md | 17 +++++++++++ 2 files changed, 52 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000000..b9f146808a --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,35 @@ +--- +name: Bug report +about: To report a bug, please fill this form. +title: '' +labels: '' +assignees: '' + +--- + +### Summary + + + +### System information + +Mbed TLS version (number or commit id): +Operating system and version: +Configuration (if not default, please attach `config.h`): +Compiler and options (if you used a pre-built binary, please indicate how you obtained it): +Additional environment information: + +### Expected behavior + + + +### Actual behavior + + + +### Steps to reproduce + + + +### Additional information + diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000000..3b515137b2 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,17 @@ +--- +name: Enhancement request +about: To request an enhancement, please fill this form. +title: '' +labels: '' +assignees: '' + +--- + +### Suggested enhancement + + + +### Justification + +Mbed TLS needs this because + From 49c700a026d4dce2fc626494d027b0b49a7c34dc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 16 Mar 2021 23:05:17 +0100 Subject: [PATCH 002/131] Mandate the use of a template Signed-off-by: Gilles Peskine --- .github/ISSUE_TEMPLATE/config.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/ISSUE_TEMPLATE/config.yml diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000000..3ba13e0cec --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1 @@ +blank_issues_enabled: false From 32b73c5052bda8832ac6652f094cc5fc575de188 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 16 Mar 2021 23:05:38 +0100 Subject: [PATCH 003/131] Add contact links for reporting a vulnerability and for support Signed-off-by: Gilles Peskine --- .github/ISSUE_TEMPLATE/config.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index 3ba13e0cec..63076f4057 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -1 +1,8 @@ blank_issues_enabled: false +contact_links: + - name: Mbed TLS security team + url: mailto:mbed-tls-security@lists.trustedfirmware.org + about: Report a security vulnerability. + - name: Mbed TLS mailing list + url: https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls + about: Mbed TLS community support and general discussion. From 07cdaf11f2f865eb15907e1199710406d73ebcff Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 16 Mar 2021 23:07:47 +0100 Subject: [PATCH 004/131] Remove the old issue template We have separate templates for bug reports and feature requests now. Signed-off-by: Gilles Peskine --- .github/issue_template.md | 46 --------------------------------------- 1 file changed, 46 deletions(-) delete mode 100644 .github/issue_template.md diff --git a/.github/issue_template.md b/.github/issue_template.md deleted file mode 100644 index 370066f486..0000000000 --- a/.github/issue_template.md +++ /dev/null @@ -1,46 +0,0 @@ -_Note:_ this is a template, please remove the parts that are not -applicable (these initial notes, and the "Bug" section for a Feature request -and vice-versa). - -**Note:** to report a security vulnerability, see -[SECURITY.md](../SECURITY.md). Please do not use github issues for -vulnerabilities. - -_Note:_ to get support, see [SUPPORT.md](../SUPPORT.md). Please do not use -github issues for questions. - ---------------------------------------------------------------- -### Description -- Type: Bug | Enhancement / Feature Request -- Priority: Blocker | Major | Minor - ---------------------------------------------------------------- -## Bug - -**OS** -Mbed OS|linux|windows| - -**mbed TLS build:** -Version: x.x.x or git commit id -OS version: x.x.x -Configuration: please attach config.h file where possible -Compiler and options (if you used a pre-built binary, please indicate how you obtained it): -Additional environment information: - -**Peer device TLS stack and version** -OpenSSL|GnuTls|Chrome|NSS(Firefox)|SecureChannel (IIS/Internet Explorer/Edge)|Other -Version: - -**Expected behavior** - -**Actual behavior** - -**Steps to reproduce** - ----------------------------------------------------------------- -## Enhancement / Feature Request - -**Suggested enhancement** - -**Justification - why does the library need this feature?** - From 5ca21db813894628586568fc6d53e08fa5cbafa5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 17 May 2021 12:28:08 +0200 Subject: [PATCH 005/131] Fix misuse of MD API in SSL constant-flow HMAC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The sequence of calls starts-update-starts-update-finish is not a guaranteed valid way to abort an operation and start a new one. Our software implementation just happens to support it, but alt implementations may very well not support it. Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/fix-ssl-cf-hmac-alt.txt | 5 +++++ library/ssl_msg.c | 3 +++ 2 files changed, 8 insertions(+) create mode 100644 ChangeLog.d/fix-ssl-cf-hmac-alt.txt diff --git a/ChangeLog.d/fix-ssl-cf-hmac-alt.txt b/ChangeLog.d/fix-ssl-cf-hmac-alt.txt new file mode 100644 index 0000000000..57ffa02e2a --- /dev/null +++ b/ChangeLog.d/fix-ssl-cf-hmac-alt.txt @@ -0,0 +1,5 @@ +Bugfix + * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites + (when the encrypt-then-MAC extension is not in use) with some ALT + implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing + the affected side to wrongly reject valid messages. Fixes #4118. diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 3956a67d27..55623ccb30 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -1164,6 +1164,9 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac( MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) ); } + /* The context needs to finish() before it starts() again */ + MD_CHK( mbedtls_md_finish( ctx, aux_out ) ); + /* Now compute HASH(okey + inner_hash) */ MD_CHK( mbedtls_md_starts( ctx ) ); MD_CHK( mbedtls_md_update( ctx, okey, block_size ) ); From 9752aadd85e61a58da6eaa7c59f6dd7ff47f78a7 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 21 Apr 2021 05:54:33 +0100 Subject: [PATCH 006/131] Make query API for state of MFL extension internal This commit makes the API - mbedtls_ssl_get_output_max_frag_len() - mbedtls_ssl_get_input_max_frag_len() - mbedtls_ssl_get__max_frag_len() for querying the state of the Maximum Fragment Length extension internal. Rationale: The value those APIs provide to the user is in upper bounds for the size of incoming and outgoing records, which can be used to size application data buffers apporpriately before passing them to mbedtls_ssl_{read,write}(). However, there are other factors which influence such upper bounds, such as the MTU or other extensions (specifically, the record_size_limit extension which is still to be implemented) which should be taken into account. There should be more general APIs for querying the maximum size of incoming and outgoing records. For the maximum size of outgoing records, we already have such, namely mbedtls_ssl_get_max_out_record_payload(). For the maximum size of incoming records, a new API will be added in a subsequent commit. Signed-off-by: Hanno Becker --- include/mbedtls/ssl.h | 33 --------------------------------- library/ssl_misc.h | 33 +++++++++++++++++++++++++++++++++ programs/ssl/ssl_client2.c | 7 ------- programs/ssl/ssl_server2.c | 7 ------- 4 files changed, 33 insertions(+), 47 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 88a599c18c..905b5679c2 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3645,39 +3645,6 @@ const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ); */ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ); -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) -/** - * \brief Return the maximum fragment length (payload, in bytes) for - * the output buffer. For the client, this is the configured - * value. For the server, it is the minimum of two - the - * configured value and the negotiated one. - * - * \sa mbedtls_ssl_conf_max_frag_len() - * \sa mbedtls_ssl_get_max_record_payload() - * - * \param ssl SSL context - * - * \return Current maximum fragment length for the output buffer. - */ -size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl ); - -/** - * \brief Return the maximum fragment length (payload, in bytes) for - * the input buffer. This is the negotiated maximum fragment - * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN. - * If it is not defined either, the value is 2^14. This function - * works as its predecessor, \c mbedtls_ssl_get_max_frag_len(). - * - * \sa mbedtls_ssl_conf_max_frag_len() - * \sa mbedtls_ssl_get_max_record_payload() - * - * \param ssl SSL context - * - * \return Current maximum fragment length for the output buffer. - */ -size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl ); -#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ - /** * \brief Return the current maximum outgoing record payload in bytes. * This takes into account the config.h setting \c diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 180f4d8dc8..ecbeb8ba8c 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -270,6 +270,39 @@ + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) ) #endif +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) +/** + * \brief Return the maximum fragment length (payload, in bytes) for + * the output buffer. For the client, this is the configured + * value. For the server, it is the minimum of two - the + * configured value and the negotiated one. + * + * \sa mbedtls_ssl_conf_max_frag_len() + * \sa mbedtls_ssl_get_max_out_record_payload() + * + * \param ssl SSL context + * + * \return Current maximum fragment length for the output buffer. + */ +size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl ); + +/** + * \brief Return the maximum fragment length (payload, in bytes) for + * the input buffer. This is the negotiated maximum fragment + * length, or, if there is none, MBEDTLS_SSL_MAX_CONTENT_LEN. + * If it is not defined either, the value is 2^14. This function + * works as its predecessor, \c mbedtls_ssl_get_max_frag_len(). + * + * \sa mbedtls_ssl_conf_max_frag_len() + * \sa mbedtls_ssl_get_max_in_record_payload() + * + * \param ssl SSL context + * + * \return Current maximum fragment length for the output buffer. + */ +size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl ); +#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ + #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) static inline size_t mbedtls_ssl_get_output_buflen( const mbedtls_ssl_context *ctx ) { diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 2ce8588373..3cbf130003 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2083,13 +2083,6 @@ int main( int argc, char *argv[] ) else mbedtls_printf( " [ Record expansion is unknown ]\n" ); -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - mbedtls_printf( " [ Maximum input fragment length is %u ]\n", - (unsigned int) mbedtls_ssl_get_input_max_frag_len( &ssl ) ); - mbedtls_printf( " [ Maximum output fragment length is %u ]\n", - (unsigned int) mbedtls_ssl_get_output_max_frag_len( &ssl ) ); -#endif - #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 1ff27fb8b0..1ec8f09f77 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -3164,13 +3164,6 @@ handshake: else mbedtls_printf( " [ Record expansion is unknown ]\n" ); -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - mbedtls_printf( " [ Maximum input fragment length is %u ]\n", - (unsigned int) mbedtls_ssl_get_input_max_frag_len( &ssl ) ); - mbedtls_printf( " [ Maximum output fragment length is %u ]\n", - (unsigned int) mbedtls_ssl_get_output_max_frag_len( &ssl ) ); -#endif - #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { From be746949c4bf8f701a8a7c5c8cb44d61394bb5da Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 21 Apr 2021 06:18:37 +0100 Subject: [PATCH 007/131] Relax documentation of mbedtls_ssl_get_max_out_record_payload() The previous documentation could be read as exhaustively listing the factors that go into computing the maximum outgoing record plaintext size -- we should give examples, but allow ourselves to add more factors in the future. Signed-off-by: Hanno Becker --- include/mbedtls/ssl.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 905b5679c2..9583dcaf8d 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3647,10 +3647,10 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ); /** * \brief Return the current maximum outgoing record payload in bytes. - * This takes into account the config.h setting \c - * MBEDTLS_SSL_OUT_CONTENT_LEN, the configured and negotiated - * max fragment length extension if used, and for DTLS the - * path MTU as configured and current record expansion. + * This takes into account various factors, such as the config.h + * setting \c MBEDTLS_SSL_OUT_CONTENT_LEN, extensions such as the + * max fragment length or record size limit extension if used, and + * for DTLS the path MTU as configured and current record expansion. * * \note With DTLS, \c mbedtls_ssl_write() will return an error if * called with a larger length value. From 2d8e99b0972de4a88217911a4664fbec64d776a4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 21 Apr 2021 06:19:50 +0100 Subject: [PATCH 008/131] Add API to query maximum plaintext size of incoming records Signed-off-by: Hanno Becker --- include/mbedtls/ssl.h | 26 ++++++++++++++++++++++++++ library/ssl_tls.c | 18 ++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 9583dcaf8d..194aee5fa4 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3671,6 +3671,32 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ); */ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ); +/** + * \brief Return the current maximum incoming record payload in bytes. + * This takes into account various factors, such as the + * config.h setting \c MBEDTLS_SSL_IN_CONTENT_LEN, extensions + * such as the max fragment length extension or record size limit + * extension if used, and the current record expansion. + * + * \note With DTLS, \c mbedtls_ssl_read() will return an error if + * called with a larger length value. + * With TLS, \c mbedtls_ssl_write() will fragment the input if + * necessary and return the number of bytes written; it is up + * to the caller to call \c mbedtls_ssl_write() again in + * order to send the remaining bytes if any. + * + * \sa mbedtls_ssl_set_mtu() + * \sa mbedtls_ssl_get_output_max_frag_len() + * \sa mbedtls_ssl_get_input_max_frag_len() + * \sa mbedtls_ssl_get_record_expansion() + * + * \param ssl SSL context + * + * \return Current maximum payload for an outgoing record, + * or a negative error code. + */ +int mbedtls_ssl_get_max_in_record_payload( const mbedtls_ssl_context *ssl ); + #if defined(MBEDTLS_X509_CRT_PARSE_C) /** * \brief Return the peer certificate from the current connection. diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 170d563bdb..fd6050c77d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4767,6 +4767,24 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ) return( (int) max_len ); } +int mbedtls_ssl_get_max_in_record_payload( const mbedtls_ssl_context *ssl ) +{ + size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN; + +#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + (void) ssl; +#endif + +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + const size_t mfl = mbedtls_ssl_get_input_max_frag_len( ssl ); + + if( max_len > mfl ) + max_len = mfl; +#endif + + return( (int) max_len ); +} + #if defined(MBEDTLS_X509_CRT_PARSE_C) const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl ) { From 80d163d496b66ca9e065a0a4f3a9e5a2ab85b9e1 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 21 Apr 2021 06:28:18 +0100 Subject: [PATCH 009/131] Remove Doxygen references to now-internal MFL query API Signed-off-by: Hanno Becker --- include/mbedtls/ssl.h | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 194aee5fa4..83df117691 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3659,9 +3659,7 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ); * to the caller to call \c mbedtls_ssl_write() again in * order to send the remaining bytes if any. * - * \sa mbedtls_ssl_set_mtu() - * \sa mbedtls_ssl_get_output_max_frag_len() - * \sa mbedtls_ssl_get_input_max_frag_len() + * \sa mbedtls_ssl_get_max_out_record_payload() * \sa mbedtls_ssl_get_record_expansion() * * \param ssl SSL context @@ -3686,8 +3684,7 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ); * order to send the remaining bytes if any. * * \sa mbedtls_ssl_set_mtu() - * \sa mbedtls_ssl_get_output_max_frag_len() - * \sa mbedtls_ssl_get_input_max_frag_len() + * \sa mbedtls_ssl_get_max_in_record_payload() * \sa mbedtls_ssl_get_record_expansion() * * \param ssl SSL context @@ -3995,7 +3992,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) * or negotiated with the peer), then: * - with TLS, less bytes than requested are written. * - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned. - * \c mbedtls_ssl_get_output_max_frag_len() may be used to + * \c mbedtls_ssl_get_max_out_record_payload() may be used to * query the active maximum fragment length. * * \note Attempting to write 0 bytes will result in an empty TLS From b2efc4d4648082058461c664ca597cf661074902 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sat, 15 May 2021 06:26:24 +0100 Subject: [PATCH 010/131] Add migration guide Signed-off-by: Hanno Becker --- docs/3.0-migration-guide.d/max-record-payload-api.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 docs/3.0-migration-guide.d/max-record-payload-api.md diff --git a/docs/3.0-migration-guide.d/max-record-payload-api.md b/docs/3.0-migration-guide.d/max-record-payload-api.md new file mode 100644 index 0000000000..0b34915f40 --- /dev/null +++ b/docs/3.0-migration-guide.d/max-record-payload-api.md @@ -0,0 +1,11 @@ +Remove MaximumFragmentLength (MFL) query API +----------------------------------------------------------------- + +This affects users which use the MFL query APIs +`mbedtls_ssl_get_{input,output}_max_frag_len()` to +infer upper bounds on the plaintext size of incoming and +outgoing record. + +Users should switch to `mbedtls_ssl_get_max_{in,out}_record_payload()` +instead, which also provides such upper bounds but takes more factors +than just the MFL configuration into account. From 24628b69be04b547982f401fa48230a33a993df0 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sat, 15 May 2021 06:29:41 +0100 Subject: [PATCH 011/131] Add ChangeLog entry Signed-off-by: Hanno Becker --- ChangeLog.d/max-record-payload-api.txt | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ChangeLog.d/max-record-payload-api.txt diff --git a/ChangeLog.d/max-record-payload-api.txt b/ChangeLog.d/max-record-payload-api.txt new file mode 100644 index 0000000000..af49fd96d6 --- /dev/null +++ b/ChangeLog.d/max-record-payload-api.txt @@ -0,0 +1,6 @@ +API changes + * Remove `mbedtls_ssl_get_{input,output}_max_frag_len()` + and add `mbedtls_ssl_get_max_in_record_payload()`, + complementing the existing `mbedtls_ssl_get_max_out_record_payload()`. + Uses of `mbedtls_ssl_get_{input,output}_max_frag_len()` + should be replaced by `mbedtls_ssl_get_max_{in,out}_record_payload()`. From ebd6ab7f6e1eb2d421b1441b25b12395d6a10da0 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sun, 23 May 2021 05:59:46 +0100 Subject: [PATCH 012/131] Improve documentation of record expansion API Signed-off-by: Hanno Becker --- include/mbedtls/ssl.h | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 83df117691..02cb6da91c 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3647,10 +3647,13 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ); /** * \brief Return the current maximum outgoing record payload in bytes. - * This takes into account various factors, such as the config.h - * setting \c MBEDTLS_SSL_OUT_CONTENT_LEN, extensions such as the - * max fragment length or record size limit extension if used, and - * for DTLS the path MTU as configured and current record expansion. + * + * \note The logic to determine the maximum outgoing record payload is + * version-specific. It takes into account various factors, such as + * the config.h setting \c MBEDTLS_SSL_OUT_CONTENT_LEN, extensions + * such as the max fragment length or record size limit extension if + * used, and for DTLS the path MTU as configured and current + * record expansion. * * \note With DTLS, \c mbedtls_ssl_write() will return an error if * called with a larger length value. @@ -3671,8 +3674,10 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ); /** * \brief Return the current maximum incoming record payload in bytes. - * This takes into account various factors, such as the - * config.h setting \c MBEDTLS_SSL_IN_CONTENT_LEN, extensions + * + * \note The logic to determine the maximum outgoing record payload is + * version-specific. It takes into account various factors, such as + * the config.h setting \c MBEDTLS_SSL_IN_CONTENT_LEN, extensions * such as the max fragment length extension or record size limit * extension if used, and the current record expansion. * From 88f86f7f37092ede28c3e5647c29f44e4749e78d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sun, 23 May 2021 06:00:28 +0100 Subject: [PATCH 013/131] Remove copy-pasta from record API documentation Signed-off-by: Hanno Becker --- include/mbedtls/ssl.h | 7 ------- 1 file changed, 7 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 02cb6da91c..cf3b44bc38 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3681,13 +3681,6 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ); * such as the max fragment length extension or record size limit * extension if used, and the current record expansion. * - * \note With DTLS, \c mbedtls_ssl_read() will return an error if - * called with a larger length value. - * With TLS, \c mbedtls_ssl_write() will fragment the input if - * necessary and return the number of bytes written; it is up - * to the caller to call \c mbedtls_ssl_write() again in - * order to send the remaining bytes if any. - * * \sa mbedtls_ssl_set_mtu() * \sa mbedtls_ssl_get_max_in_record_payload() * \sa mbedtls_ssl_get_record_expansion() From fb1add76fdc62d857dcf43c74e231ea6415a4597 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sun, 23 May 2021 06:02:48 +0100 Subject: [PATCH 014/131] Don't use markdown formatting in ChangeLog Signed-off-by: Hanno Becker --- ChangeLog.d/max-record-payload-api.txt | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/ChangeLog.d/max-record-payload-api.txt b/ChangeLog.d/max-record-payload-api.txt index af49fd96d6..02b47e4e1b 100644 --- a/ChangeLog.d/max-record-payload-api.txt +++ b/ChangeLog.d/max-record-payload-api.txt @@ -1,6 +1,9 @@ API changes - * Remove `mbedtls_ssl_get_{input,output}_max_frag_len()` - and add `mbedtls_ssl_get_max_in_record_payload()`, - complementing the existing `mbedtls_ssl_get_max_out_record_payload()`. - Uses of `mbedtls_ssl_get_{input,output}_max_frag_len()` - should be replaced by `mbedtls_ssl_get_max_{in,out}_record_payload()`. + * Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and + mbedtls_ssl_get_output_max_frag_len(), and add a new API + mbedtls_ssl_get_max_in_record_payload(), complementing the existing + mbedtls_ssl_get_max_out_record_payload(). + Uses of mbedtls_ssl_get_input_max_frag_len() and + mbedtls_ssl_get_input_max_frag_len() should be replaced by + mbedtls_ssl_get_max_in_record_payload() and + mbedtls_ssl_get_max_out_record_payload(), respectively. From ef5235bc2e611cf83457d857b4ea53e99387a518 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 24 May 2021 06:39:41 +0100 Subject: [PATCH 015/131] Add TLS 1.3 second level key derivations This commit adds helper functions to ssl_tls13_keys.[ch] allowing to derive the secrets specific to each stage of a TLS 1.3 handshake (early, handshake, application) from the corresponding master secret (early secret, handshake secret, master secret). Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 219 +++++++++++++++++++++++++++++++++++++++ library/ssl_tls13_keys.h | 194 ++++++++++++++++++++++++++++++++++ 2 files changed, 413 insertions(+) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 4e8fb433b0..ce551f6fc9 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -24,6 +24,7 @@ #include "mbedtls/hkdf.h" #include "ssl_misc.h" #include "ssl_tls13_keys.h" +#include "mbedtls/debug.h" #include #include @@ -346,4 +347,222 @@ int mbedtls_ssl_tls1_3_evolve_secret( return( ret ); } +int mbedtls_ssl_tls1_3_derive_early_secrets( + mbedtls_md_type_t md_type, + unsigned char const *early_secret, + unsigned char const *transcript, size_t transcript_len, + mbedtls_ssl_tls1_3_early_secrets *derived ) +{ + int ret; + mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); + + /* We should never call this function with an unknown hash, + * but add an assertion anyway. */ + if( md_info == 0 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + /* + * 0 + * | + * v + * PSK -> HKDF-Extract = Early Secret + * | + * +-----> Derive-Secret(., "ext binder" | "res binder", "") + * | = binder_key + * | + * +-----> Derive-Secret(., "c e traffic", ClientHello) + * | = client_early_traffic_secret + * | + * +-----> Derive-Secret(., "e exp master", ClientHello) + * | = early_exporter_master_secret + * v + */ + + /* Create client_early_traffic_secret */ + ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + early_secret, md_size, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_e_traffic ), + transcript, transcript_len, + MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, + derived->client_early_traffic_secret, + md_size ); + if( ret != 0 ) + return( ret ); + + /* Create early exporter */ + ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + early_secret, md_size, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( e_exp_master ), + transcript, transcript_len, + MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, + derived->early_exporter_master_secret, + md_size ); + if( ret != 0 ) + return( ret ); + + return( 0 ); +} + +int mbedtls_ssl_tls1_3_derive_handshake_secrets( + mbedtls_md_type_t md_type, + unsigned char const *handshake_secret, + unsigned char const *transcript, size_t transcript_len, + mbedtls_ssl_tls1_3_handshake_secrets *derived ) +{ + int ret; + mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); + + /* We should never call this function with an unknown hash, + * but add an assertion anyway. */ + if( md_info == 0 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + /* + * + * Handshake Secret + * | + * +-----> Derive-Secret( ., "c hs traffic", + * | ClientHello...ServerHello ) + * | = client_handshake_traffic_secret + * | + * +-----> Derive-Secret( ., "s hs traffic", + * | ClientHello...ServerHello ) + * | = server_handshake_traffic_secret + * + */ + + /* + * Compute client_handshake_traffic_secret with + * Derive-Secret( ., "c hs traffic", ClientHello...ServerHello ) + */ + + ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + handshake_secret, md_size, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_hs_traffic ), + transcript, transcript_len, + MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, + derived->client_handshake_traffic_secret, + md_size ); + if( ret != 0 ) + return( ret ); + + /* + * Compute server_handshake_traffic_secret with + * Derive-Secret( ., "s hs traffic", ClientHello...ServerHello ) + */ + + ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + handshake_secret, md_size, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_hs_traffic ), + transcript, transcript_len, + MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, + derived->server_handshake_traffic_secret, + md_size ); + if( ret != 0 ) + return( ret ); + + return( 0 ); +} + +int mbedtls_ssl_tls1_3_derive_application_secrets( + mbedtls_md_type_t md_type, + unsigned char const *application_secret, + unsigned char const *transcript, size_t transcript_len, + mbedtls_ssl_tls1_3_application_secrets *derived ) +{ + int ret; + mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); + + /* We should never call this function with an unknown hash, + * but add an assertion anyway. */ + if( md_info == 0 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + /* Generate {client,server}_application_traffic_secret_0 + * + * Master Secret + * | + * +-----> Derive-Secret( ., "c ap traffic", + * | ClientHello...server Finished ) + * | = client_application_traffic_secret_0 + * | + * +-----> Derive-Secret( ., "s ap traffic", + * | ClientHello...Server Finished ) + * | = server_application_traffic_secret_0 + * | + * +-----> Derive-Secret( ., "exp master", + * | ClientHello...server Finished) + * | = exporter_master_secret + * + */ + + ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + application_secret, md_size, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_ap_traffic ), + transcript, transcript_len, + MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, + derived->client_application_traffic_secret_N, + md_size ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + application_secret, md_size, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_ap_traffic ), + transcript, transcript_len, + MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, + derived->server_application_traffic_secret_N, + md_size ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + application_secret, md_size, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( exp_master ), + transcript, transcript_len, + MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, + derived->exporter_master_secret, + md_size ); + if( ret != 0 ) + return( ret ); + + return( 0 ); +} + +/* Generate resumption_master_secret for use with the ticket exchange. + * + * This is not integrated with mbedtls_ssl_tls1_3_derive_application_secrets() + * because it uses the transcript hash up to and including ClientFinished. */ +int mbedtls_ssl_tls1_3_derive_resumption_master_secret( + mbedtls_md_type_t md_type, + unsigned char const *application_secret, + unsigned char const *transcript, size_t transcript_len, + mbedtls_ssl_tls1_3_application_secrets *derived ) +{ + int ret; + mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); + + /* We should never call this function with an unknown hash, + * but add an assertion anyway. */ + if( md_info == 0 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + application_secret, md_size, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_master ), + transcript, transcript_len, + MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, + derived->resumption_master_secret, + md_size ); + + if( ret != 0 ) + return( ret ); + + return( 0 ); +} + #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 7089049ce2..cb45cc9099 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -70,6 +70,27 @@ extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels; #define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN \ MBEDTLS_MD_MAX_SIZE +typedef struct +{ + unsigned char binder_key [ MBEDTLS_MD_MAX_SIZE ]; + unsigned char client_early_traffic_secret [ MBEDTLS_MD_MAX_SIZE ]; + unsigned char early_exporter_master_secret[ MBEDTLS_MD_MAX_SIZE ]; +} mbedtls_ssl_tls1_3_early_secrets; + +typedef struct +{ + unsigned char client_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ]; + unsigned char server_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ]; +} mbedtls_ssl_tls1_3_handshake_secrets; + +typedef struct +{ + unsigned char client_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; + unsigned char server_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; + unsigned char exporter_master_secret [ MBEDTLS_MD_MAX_SIZE ]; + unsigned char resumption_master_secret [ MBEDTLS_MD_MAX_SIZE ]; +} mbedtls_ssl_tls1_3_application_secrets; + /* Maximum desired length for expanded key material generated * by HKDF-Expand-Label. * @@ -198,6 +219,179 @@ int mbedtls_ssl_tls1_3_derive_secret( int ctx_hashed, unsigned char *dstbuf, size_t buflen ); +/** + * \brief Derive TLS 1.3 early data key material from early secret. + * + * This is a small wrapper invoking mbedtls_ssl_tls1_3_derive_secret() + * with the appropriate labels. + * + * + * Early Secret + * | + * +-----> Derive-Secret(., "c e traffic", ClientHello) + * | = client_early_traffic_secret + * | + * +-----> Derive-Secret(., "e exp master", ClientHello) + * . = early_exporter_master_secret + * . + * . + * + * + * \note To obtain the actual key and IV for the early data traffic, + * the client secret derived by this function need to be + * further processed by mbedtls_ssl_tls1_3_make_traffic_keys(). + * + * \note The binder key, which is also generated from the early secret, + * is omitted here. Its calculation is part of the separate routine + * mbedtls_ssl_tls1_3_create_psk_binder(). + * + * \param md_type The hash algorithm associated with the PSK for which + * early data key material is being derived. + * \param early_secret The early secret from which the early data key material + * should be derived. This must be a readable buffer whose + * length is the digest size of the hash algorithm + * represented by \p md_size. + * \param transcript The transcript of the handshake so far, calculated with + * respect to \p md_type. This must be a readable buffer + * whose length is the digest size of the hash algorithm + * represented by \p md_size. + * \param derived The address of the structure in which to store + * the early data key material. + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + */ +int mbedtls_ssl_tls1_3_derive_early_secrets( + mbedtls_md_type_t md_type, + unsigned char const *early_secret, + unsigned char const *transcript, size_t transcript_len, + mbedtls_ssl_tls1_3_early_secrets *derived ); + +/** + * \brief Derive TLS 1.3 handshake key material from the handshake secret. + * + * This is a small wrapper invoking mbedtls_ssl_tls1_3_derive_secret() + * with the appropriate labels from the standard. + * + * + * Handshake Secret + * | + * +-----> Derive-Secret( ., "c hs traffic", + * | ClientHello...ServerHello ) + * | = client_handshake_traffic_secret + * | + * +-----> Derive-Secret( ., "s hs traffic", + * . ClientHello...ServerHello ) + * . = server_handshake_traffic_secret + * . + * + * + * \note To obtain the actual key and IV for the encrypted handshake traffic, + * the client and server secret derived by this function need to be + * further processed by mbedtls_ssl_tls1_3_make_traffic_keys(). + * + * \param md_type The hash algorithm associated with the ciphersuite + * that's being used for the connection. + * \param handshake_secret The handshake secret from which the handshake key + * material should be derived. This must be a readable + * buffer whose length is the digest size of the hash + * algorithm represented by \p md_size. + * \param transcript The transcript of the handshake so far, calculated + * with respect to \p md_type. This must be a readable + * buffer whose length is the digest size of the hash + * algorithm represented by \p md_size. + * \param derived The address of the structure in which to + * store the handshake key material. + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + */ +int mbedtls_ssl_tls1_3_derive_handshake_secrets( + mbedtls_md_type_t md_type, + unsigned char const *handshake_secret, + unsigned char const *transcript, size_t transcript_len, + mbedtls_ssl_tls1_3_handshake_secrets *derived ); + +/** + * \brief Derive TLS 1.3 application key material from the master secret. + * + * This is a small wrapper invoking mbedtls_ssl_tls1_3_derive_secret() + * with the appropriate labels from the standard. + * + * + * Master Secret + * | + * +-----> Derive-Secret( ., "c ap traffic", + * | ClientHello...server Finished ) + * | = client_application_traffic_secret_0 + * | + * +-----> Derive-Secret( ., "s ap traffic", + * | ClientHello...Server Finished ) + * | = server_application_traffic_secret_0 + * | + * +-----> Derive-Secret( ., "exp master", + * . ClientHello...server Finished) + * . = exporter_master_secret + * . + * + * + * \note To obtain the actual key and IV for the (0-th) application traffic, + * the client and server secret derived by this function need to be + * further processed by mbedtls_ssl_tls1_3_make_traffic_keys(). + * + * \param md_type The hash algorithm associated with the ciphersuite + * that's being used for the connection. + * \param master_secret The master secret from which the application key + * material should be derived. This must be a readable + * buffer whose length is the digest size of the hash + * algorithm represented by \p md_size. + * \param transcript The transcript of the handshake up to and including + * the ServerFinished message, calculated with respect + * to \p md_type. This must be a readable buffer whose + * length is the digest size of the hash algorithm + * represented by \p md_type. + * \param derived The address of the structure in which to + * store the application key material. + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + */ +int mbedtls_ssl_tls1_3_derive_application_secrets( + mbedtls_md_type_t md_type, + unsigned char const *master_secret, + unsigned char const *transcript, size_t transcript_len, + mbedtls_ssl_tls1_3_application_secrets *derived ); + +/** + * \brief Derive TLS 1.3 resumption master secret from the master secret. + * + * This is a small wrapper invoking mbedtls_ssl_tls1_3_derive_secret() + * with the appropriate labels from the standard. + * + * \param md_type The hash algorithm used in the application for which + * key material is being derived. + * \param application_secret The application secret from which the resumption master + * secret should be derived. This must be a readable + * buffer whose length is the digest size of the hash + * algorithm represented by \p md_size. + * \param transcript The transcript of the handshake up to and including + * the ClientFinished message, calculated with respect + * to \p md_type. This must be a readable buffer whose + * length is the digest size of the hash algorithm + * represented by \p md_type. + * \param transcript_len The length of \p transcript in Bytes. + * \param derived The address of the structure in which to + * store the resumption master secret. + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + */ +int mbedtls_ssl_tls1_3_derive_resumption_master_secret( + mbedtls_md_type_t md_type, + unsigned char const *application_secret, + unsigned char const *transcript, size_t transcript_len, + mbedtls_ssl_tls1_3_application_secrets *derived ); + /** * \brief Compute the next secret in the TLS 1.3 key schedule * From a4f40a0f48990d4169494d4031947951f1c636b4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 24 May 2021 06:42:11 +0100 Subject: [PATCH 016/131] Test TLS 1.3 second level key derivation helpers Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.data | 16 ++++ tests/suites/test_suite_ssl.function | 120 +++++++++++++++++++++++++++ 2 files changed, 136 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index ab001306df..606034044f 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -9241,6 +9241,22 @@ SSL TLS 1.3 Key schedule: Derive-Secret( ., "res master", hash) # Vector from RFC 8448 ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_res_master:"c3c122e0bd907a4a3ff6112d8fd53dbf89c773d9552e8b6b9d56d361b3a97bf6":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"5e95bdf1f89005ea2e9aa0ba85e728e3c19c5fe0c699e3f5bee59faebd0b5406" +SSL TLS 1.3 Key schedule: Early secrets derivation helper +# Vector from RFC 8448 +ssl_tls1_3_derive_early_secrets:MBEDTLS_MD_SHA256:"9b2188e9b2fc6d64d71dc329900e20bb41915000f678aa839cbb797cb7d8332c":"08ad0fa05d7c7233b1775ba2ff9f4c5b8b59276b7f227f13a976245f5d960913":"3fbbe6a60deb66c30a32795aba0eff7eaa10105586e7be5c09678d63b6caab62":"b2026866610937d7423e5be90862ccf24c0e6091186d34f812089ff5be2ef7df" + +SSL TLS 1.3 Key schedule: Handshake secrets derivation helper +# Vector from RFC 8448 +ssl_tls1_3_derive_handshake_secrets:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03":"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f":"fe927ae271312e8bf0275b581c54eef020450dc4ecffaa05a1a35d27518e7803" + +SSL TLS 1.3 Key schedule: Application secrets derivation helper +# Vector from RFC 8448 +ssl_tls1_3_derive_application_secrets:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1":"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691":"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4" + +SSL TLS 1.3 Key schedule: Resumption secrets derivation helper +# Vector from RFC 8448 +ssl_tls1_3_derive_resumption_secrets:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":"c3c122e0bd907a4a3ff6112d8fd53dbf89c773d9552e8b6b9d56d361b3a97bf6":"5e95bdf1f89005ea2e9aa0ba85e728e3c19c5fe0c699e3f5bee59faebd0b5406" + SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index d9261d1a2a..59fae70e2e 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3793,6 +3793,126 @@ MBEDTLS_SSL_TLS1_3_LABEL_LIST } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +void ssl_tls1_3_derive_early_secrets( int hash_alg, + data_t *secret, + data_t *transcript, + data_t *traffic_expected, + data_t *exporter_expected ) +{ + mbedtls_ssl_tls1_3_early_secrets secrets; + + /* Double-check that we've passed sane parameters. */ + mbedtls_md_type_t md_type = (mbedtls_md_type_t) hash_alg; + mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); + TEST_ASSERT( md_info != 0 && + secret->len == md_size && + transcript->len == md_size && + traffic_expected->len == md_size && + exporter_expected->len == md_size ); + + TEST_ASSERT( mbedtls_ssl_tls1_3_derive_early_secrets( + md_type, secret->x, transcript->x, transcript->len, + &secrets ) == 0 ); + + ASSERT_COMPARE( secrets.client_early_traffic_secret, md_size, + traffic_expected->x, traffic_expected->len ); + ASSERT_COMPARE( secrets.early_exporter_master_secret, md_size, + exporter_expected->x, exporter_expected->len ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +void ssl_tls1_3_derive_handshake_secrets( int hash_alg, + data_t *secret, + data_t *transcript, + data_t *client_expected, + data_t *server_expected ) +{ + mbedtls_ssl_tls1_3_handshake_secrets secrets; + + /* Double-check that we've passed sane parameters. */ + mbedtls_md_type_t md_type = (mbedtls_md_type_t) hash_alg; + mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); + TEST_ASSERT( md_info != 0 && + secret->len == md_size && + transcript->len == md_size && + client_expected->len == md_size && + server_expected->len == md_size ); + + TEST_ASSERT( mbedtls_ssl_tls1_3_derive_handshake_secrets( + md_type, secret->x, transcript->x, transcript->len, + &secrets ) == 0 ); + + ASSERT_COMPARE( secrets.client_handshake_traffic_secret, md_size, + client_expected->x, client_expected->len ); + ASSERT_COMPARE( secrets.server_handshake_traffic_secret, md_size, + server_expected->x, server_expected->len ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +void ssl_tls1_3_derive_application_secrets( int hash_alg, + data_t *secret, + data_t *transcript, + data_t *client_expected, + data_t *server_expected, + data_t *exporter_expected ) +{ + mbedtls_ssl_tls1_3_application_secrets secrets; + + /* Double-check that we've passed sane parameters. */ + mbedtls_md_type_t md_type = (mbedtls_md_type_t) hash_alg; + mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); + TEST_ASSERT( md_info != 0 && + secret->len == md_size && + transcript->len == md_size && + client_expected->len == md_size && + server_expected->len == md_size && + exporter_expected->len == md_size ); + + TEST_ASSERT( mbedtls_ssl_tls1_3_derive_application_secrets( + md_type, secret->x, transcript->x, transcript->len, + &secrets ) == 0 ); + + ASSERT_COMPARE( secrets.client_application_traffic_secret_N, md_size, + client_expected->x, client_expected->len ); + ASSERT_COMPARE( secrets.server_application_traffic_secret_N, md_size, + server_expected->x, server_expected->len ); + ASSERT_COMPARE( secrets.exporter_master_secret, md_size, + exporter_expected->x, exporter_expected->len ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +void ssl_tls1_3_derive_resumption_secrets( int hash_alg, + data_t *secret, + data_t *transcript, + data_t *resumption_expected ) +{ + mbedtls_ssl_tls1_3_application_secrets secrets; + + /* Double-check that we've passed sane parameters. */ + mbedtls_md_type_t md_type = (mbedtls_md_type_t) hash_alg; + mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); + TEST_ASSERT( md_info != 0 && + secret->len == md_size && + transcript->len == md_size && + resumption_expected->len == md_size ); + + TEST_ASSERT( mbedtls_ssl_tls1_3_derive_resumption_master_secret( + md_type, secret->x, transcript->x, transcript->len, + &secrets ) == 0 ); + + ASSERT_COMPARE( secrets.resumption_master_secret, md_size, + resumption_expected->x, resumption_expected->len ); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ void ssl_tls1_3_key_evolution( int hash_alg, data_t *secret, From b7d9bad6bedd147f45f1972a35d27e837ab1e565 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 24 May 2021 06:44:14 +0100 Subject: [PATCH 017/131] Add helper function for calculation of TLS 1.3 PSK binder Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 132 +++++++++++++++++++++++++++++++++++++++ library/ssl_tls13_keys.h | 33 ++++++++++ 2 files changed, 165 insertions(+) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index ce551f6fc9..950d32cb93 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -565,4 +565,136 @@ int mbedtls_ssl_tls1_3_derive_resumption_master_secret( return( 0 ); } +static int ssl_tls1_3_calc_finished_core( mbedtls_md_type_t md_type, + unsigned char const *base_key, + unsigned char const *transcript, + unsigned char *dst ) +{ + const mbedtls_md_info_t* const md_info = mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); + unsigned char finished_key[MBEDTLS_MD_MAX_SIZE]; + int ret; + + /* We should never call this function with an unknown hash, + * but add an assertion anyway. */ + if( md_info == 0 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + /* TLS 1.3 Finished message + * + * struct { + * opaque verify_data[Hash.length]; + * } Finished; + * + * verify_data = + * HMAC( finished_key, + * Hash( Handshake Context + + * Certificate* + + * CertificateVerify* ) + * ) + * + * finished_key = + * HKDF-Expand-Label( BaseKey, "finished", "", Hash.length ) + */ + + ret = mbedtls_ssl_tls1_3_hkdf_expand_label( + md_type, base_key, md_size, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( finished ), + NULL, 0, + finished_key, md_size ); + if( ret != 0 ) + goto exit; + + ret = mbedtls_md_hmac( md_info, finished_key, md_size, transcript, md_size, dst ); + if( ret != 0 ) + goto exit; + +exit: + + mbedtls_platform_zeroize( finished_key, sizeof( finished_key ) ); + return( ret ); +} + +int mbedtls_ssl_tls1_3_create_psk_binder( mbedtls_ssl_context *ssl, + const mbedtls_md_type_t md_type, + unsigned char const *psk, size_t psk_len, + int psk_type, + unsigned char const *transcript, + unsigned char *result ) +{ + int ret = 0; + unsigned char binder_key[MBEDTLS_MD_MAX_SIZE]; + unsigned char early_secret[MBEDTLS_MD_MAX_SIZE]; + mbedtls_md_info_t const *md_info = mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); + + /* We should never call this function with an unknown hash, + * but add an assertion anyway. */ + if( md_info == 0 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + /* + * 0 + * | + * v + * PSK -> HKDF-Extract = Early Secret + * | + * +-----> Derive-Secret(., "ext binder" | "res binder", "") + * | = binder_key + * v + */ + + ret = mbedtls_ssl_tls1_3_evolve_secret( md_type, + NULL, /* Old secret */ + psk, psk_len, /* Input */ + early_secret ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_evolve_secret", ret ); + goto exit; + } + + if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION ) + { + ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + early_secret, md_size, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_binder ), + NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, + binder_key, md_size ); + MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'res binder'" ) ); + } + else + { + ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + early_secret, md_size, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( ext_binder ), + NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, + binder_key, md_size ); + MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'ext binder'" ) ); + } + + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_derive_secret", ret ); + goto exit; + } + + /* + * The binding_value is computed in the same way as the Finished message + * but with the BaseKey being the binder_key. + */ + + ret = ssl_tls1_3_calc_finished_core( md_type, binder_key, transcript, result ); + if( ret != 0 ) + goto exit; + + MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder", result, md_size ); + +exit: + + mbedtls_platform_zeroize( early_secret, sizeof( early_secret ) ); + mbedtls_platform_zeroize( binder_key, sizeof( binder_key ) ); + return( ret ); +} + #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index cb45cc9099..4b9c68e725 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -465,4 +465,37 @@ int mbedtls_ssl_tls1_3_evolve_secret( const unsigned char *input, size_t input_len, unsigned char *secret_new ); +#define MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL 0 +#define MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION 1 + +/** + * \brief Calculate a TLS 1.3 PSK binder. + * + * \param ssl The SSL context. This is used for debugging only and may + * be \c NULL if MBEDTLS_DEBUG_C is disabled. + * \param md_type The hash algorithm associated to the PSK \p psk. + * \param psk The buffer holding the PSK for which to create a binder. + * \param psk_len The size of \p psk in bytes. + * \param is_external This indicates whether the PSK \p psk is externally + * provisioned (#MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL) or a + * resumption PSK (#MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION). + * \param transcript The handshake transcript up to the point where the + * PSK binder calculation happens. This must be readable, + * and its size must be equal to the digest size of + * the hash algorithm represented by \p md_type. + * \param result The address at which to store the PSK binder on success. + * This must be writable, and its size must be equal to the + * digest size of the hash algorithm represented by + * \p md_type. + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + */ +int mbedtls_ssl_tls1_3_create_psk_binder( mbedtls_ssl_context *ssl, + const mbedtls_md_type_t md_type, + unsigned char const *psk, size_t psk_len, + int psk_type, + unsigned char const *transcript, + unsigned char *result ); + #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ From 55bc2c53af7d3ec19b84399d2d0c1f7dfd331322 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 24 May 2021 06:53:52 +0100 Subject: [PATCH 018/131] Test TLS 1.3 PSK binder calculation helper Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.data | 6 ++++++ tests/suites/test_suite_ssl.function | 30 ++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 606034044f..abc33b125b 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -9257,6 +9257,12 @@ SSL TLS 1.3 Key schedule: Resumption secrets derivation helper # Vector from RFC 8448 ssl_tls1_3_derive_resumption_secrets:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":"c3c122e0bd907a4a3ff6112d8fd53dbf89c773d9552e8b6b9d56d361b3a97bf6":"5e95bdf1f89005ea2e9aa0ba85e728e3c19c5fe0c699e3f5bee59faebd0b5406" +SSL TLS 1.3 Key schedule: PSK binder +# Vector from RFC 8448 +# For the resumption PSK, see Section 3, 'generate resumption secret "tls13 resumption"' +# For all other data, see Section 4, 'construct a ClientHello handshake message:' +ssl_tls1_3_create_psk_binder:MBEDTLS_MD_SHA256:"4ecd0eb6ec3b4d87f5d6028f922ca4c5851a277fd41311c9e62d2c9492e1c4f3":MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:"63224b2e4573f2d3454ca84b9d009a04f6be9e05711a8396473aefa01e924a14":"3add4fb2d8fdf822a0ca3cf7678ef5e88dae990141c5924d57bb6fa31b9e5f9d" + SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 59fae70e2e..d23949c5db 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3913,6 +3913,36 @@ void ssl_tls1_3_derive_resumption_secrets( int hash_alg, } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +void ssl_tls1_3_create_psk_binder( int hash_alg, + data_t *psk, + int psk_type, + data_t *transcript, + data_t *binder_expected ) +{ + unsigned char binder[ MBEDTLS_MD_MAX_SIZE ]; + + /* Double-check that we've passed sane parameters. */ + mbedtls_md_type_t md_type = (mbedtls_md_type_t) hash_alg; + mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); + TEST_ASSERT( md_info != 0 && + transcript->len == md_size && + binder_expected->len == md_size ); + + TEST_ASSERT( mbedtls_ssl_tls1_3_create_psk_binder( + NULL, /* SSL context for debugging only */ + md_type, + psk->x, psk->len, + psk_type, + transcript->x, + binder ) == 0 ); + + ASSERT_COMPARE( binder, md_size, + binder_expected->x, binder_expected->len ); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ void ssl_tls1_3_key_evolution( int hash_alg, data_t *secret, From c8d3ccd67b89f23307badb11f6d6f1409da21eab Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 26 May 2021 04:47:29 +0100 Subject: [PATCH 019/131] Fix Doxygen for TLS 1.3 PSK binder helper Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 4b9c68e725..3b96998aed 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -476,7 +476,7 @@ int mbedtls_ssl_tls1_3_evolve_secret( * \param md_type The hash algorithm associated to the PSK \p psk. * \param psk The buffer holding the PSK for which to create a binder. * \param psk_len The size of \p psk in bytes. - * \param is_external This indicates whether the PSK \p psk is externally + * \param psk_type This indicates whether the PSK \p psk is externally * provisioned (#MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL) or a * resumption PSK (#MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION). * \param transcript The handshake transcript up to the point where the From 28e5f1ed579b41d189a00f4a765f6e5a170db542 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 26 May 2021 09:29:49 +0100 Subject: [PATCH 020/131] Avoid unused variable warning in TLS 1.3 PSK binder calculation Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 950d32cb93..78a55812da 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -628,6 +628,11 @@ int mbedtls_ssl_tls1_3_create_psk_binder( mbedtls_ssl_context *ssl, mbedtls_md_info_t const *md_info = mbedtls_md_info_from_type( md_type ); size_t const md_size = mbedtls_md_get_size( md_info ); +#if !defined(MBEDTLS_DEBUG_C) + ssl = NULL; /* make sure we don't use it except for debug */ + ((void) ssl); +#endif + /* We should never call this function with an unknown hash, * but add an assertion anyway. */ if( md_info == 0 ) From 875b5fb7faaecfc9a9d516fae1b0f8e61a80a909 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 21 May 2021 08:50:00 +0200 Subject: [PATCH 021/131] Refactor optional parameter check tests Remove tests related to NULL pointers, keep tests related to invalid enum values. Remove test code related to MBEDTLS_CHECK_PARAMS. Signed-off-by: Ronald Cron Signed-off-by: TRodziewicz --- tests/include/test/helpers.h | 89 ----- tests/include/test/macros.h | 82 +---- tests/scripts/all.sh | 32 -- tests/src/helpers.c | 76 +---- tests/suites/helpers.function | 9 - tests/suites/main_test.function | 19 -- tests/suites/test_suite_aes.function | 189 +---------- tests/suites/test_suite_aes.rest.data | 4 +- tests/suites/test_suite_aria.function | 147 +-------- tests/suites/test_suite_blowfish.function | 121 +------ tests/suites/test_suite_camellia.function | 129 +------- tests/suites/test_suite_ccm.data | 3 - tests/suites/test_suite_ccm.function | 204 ------------ tests/suites/test_suite_chacha20.data | 3 - tests/suites/test_suite_chacha20.function | 46 --- tests/suites/test_suite_chachapoly.data | 3 - tests/suites/test_suite_chachapoly.function | 131 -------- tests/suites/test_suite_cipher.function | 293 +---------------- tests/suites/test_suite_dhm.data | 3 - tests/suites/test_suite_dhm.function | 107 ------ tests/suites/test_suite_ecdh.function | 119 +------ tests/suites/test_suite_ecdsa.data | 3 - tests/suites/test_suite_ecdsa.function | 197 ----------- tests/suites/test_suite_ecjpake.function | 80 +---- tests/suites/test_suite_ecp.function | 309 +---------------- tests/suites/test_suite_gcm.function | 147 +-------- tests/suites/test_suite_mpi.data | 3 - tests/suites/test_suite_mpi.function | 208 ------------ tests/suites/test_suite_pk.data | 3 - tests/suites/test_suite_pk.function | 269 --------------- tests/suites/test_suite_poly1305.data | 3 - tests/suites/test_suite_poly1305.function | 39 --- tests/suites/test_suite_rsa.data | 3 - tests/suites/test_suite_rsa.function | 346 -------------------- 34 files changed, 42 insertions(+), 3377 deletions(-) diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index 9bfe08547c..087f2de8db 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h @@ -175,95 +175,6 @@ unsigned char *mbedtls_test_unhexify_alloc( const char *ibuf, size_t *olen ); int mbedtls_test_hexcmp( uint8_t * a, uint8_t * b, uint32_t a_len, uint32_t b_len ); -#if defined(MBEDTLS_CHECK_PARAMS) - -typedef struct -{ - const char *failure_condition; - const char *file; - int line; -} -mbedtls_test_param_failed_location_record_t; - -/** - * \brief Get the location record of the last call to - * mbedtls_test_param_failed(). - * - * \note The call expectation is set up and active until the next call to - * mbedtls_test_param_failed_check_expected_call() or - * mbedtls_param_failed() that cancels it. - */ -void mbedtls_test_param_failed_get_location_record( - mbedtls_test_param_failed_location_record_t *location_record ); - -/** - * \brief State that a call to mbedtls_param_failed() is expected. - * - * \note The call expectation is set up and active until the next call to - * mbedtls_test_param_failed_check_expected_call() or - * mbedtls_param_failed that cancel it. - */ -void mbedtls_test_param_failed_expect_call( void ); - -/** - * \brief Check whether mbedtls_param_failed() has been called as expected. - * - * \note Check whether mbedtls_param_failed() has been called between the - * last call to mbedtls_test_param_failed_expect_call() and the call - * to this function. - * - * \return \c 0 Since the last call to mbedtls_param_failed_expect_call(), - * mbedtls_param_failed() has been called. - * \c -1 Otherwise. - */ -int mbedtls_test_param_failed_check_expected_call( void ); - -/** - * \brief Get the address of the object of type jmp_buf holding the execution - * state information used by mbedtls_param_failed() to do a long jump. - * - * \note If a call to mbedtls_param_failed() is not expected in the sense - * that there is no call to mbedtls_test_param_failed_expect_call() - * preceding it, then mbedtls_param_failed() will try to restore the - * execution to the state stored in the jmp_buf object whose address - * is returned by the present function. - * - * \note This function is intended to provide the parameter of the - * setjmp() function to set-up where mbedtls_param_failed() should - * long-jump if it has to. It is foreseen to be used as: - * - * setjmp( mbedtls_test_param_failed_get_state_buf() ). - * - * \note The type of the returned value is not jmp_buf as jmp_buf is an - * an array type (C specification) and a function cannot return an - * array type. - * - * \note The type of the returned value is not jmp_buf* as then the return - * value couldn't be used by setjmp(), as its parameter's type is - * jmp_buf. - * - * \return Address of the object of type jmp_buf holding the execution state - * information used by mbedtls_param_failed() to do a long jump. - */ -void* mbedtls_test_param_failed_get_state_buf( void ); - -/** - * \brief Reset the execution state used by mbedtls_param_failed() to do a - * long jump. - * - * \note If a call to mbedtls_param_failed() is not expected in the sense - * that there is no call to mbedtls_test_param_failed_expect_call() - * preceding it, then mbedtls_param_failed() will try to restore the - * execution state that this function reset. - * - * \note It is recommended to reset the execution state when the state - * is not relevant anymore. That way an unexpected call to - * mbedtls_param_failed() will not trigger a long jump with - * undefined behavior but rather a long jump that will rather fault. - */ -void mbedtls_test_param_failed_reset_state( void ); -#endif /* MBEDTLS_CHECK_PARAMS */ - #if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) #include "test/fake_external_rng_for_test.h" #endif diff --git a/tests/include/test/macros.h b/tests/include/test/macros.h index 450bc2cc3b..cad39aacaa 100644 --- a/tests/include/test/macros.h +++ b/tests/include/test/macros.h @@ -58,10 +58,6 @@ * It allows a library function to return a value and return an error * code that can be tested. * - * When MBEDTLS_CHECK_PARAMS is enabled, calls to the parameter failure - * callback, MBEDTLS_PARAM_FAILED(), will be assumed to be a test - * failure. - * * This macro is not suitable for negative parameter validation tests, * as it assumes the test step will not create an error. * @@ -182,70 +178,11 @@ } while( 0 ) #if defined(MBEDTLS_CHECK_PARAMS) && !defined(MBEDTLS_PARAM_FAILED_ALT) -/** - * \brief This macro tests the statement passed to it as a test step or - * individual test in a test case. The macro assumes the test will fail - * and will generate an error. - * - * It allows a library function to return a value and tests the return - * code on return to confirm the given error code was returned. - * - * When MBEDTLS_CHECK_PARAMS is enabled, calls to the parameter failure - * callback, MBEDTLS_PARAM_FAILED(), are assumed to indicate the - * expected failure, and the test will pass. - * - * This macro is intended for negative parameter validation tests, - * where the failing function may return an error value or call - * MBEDTLS_PARAM_FAILED() to indicate the error. - * - * \param PARAM_ERROR_VALUE The expected error code. - * - * \param TEST The test expression to be tested. - */ -#define TEST_INVALID_PARAM_RET( PARAM_ERR_VALUE, TEST ) \ - do { \ - mbedtls_test_param_failed_expect_call( ); \ - if( ( ( TEST ) != ( PARAM_ERR_VALUE ) ) || \ - ( mbedtls_test_param_failed_check_expected_call( ) != 0 ) ) \ - { \ - mbedtls_test_fail( #TEST, __LINE__, __FILE__ ); \ - goto exit; \ - } \ - mbedtls_test_param_failed_check_expected_call( ); \ - } while( 0 ) +#define TEST_INVALID_PARAM_RET( PARAM_ERR_VALUE, TEST ) \ + do { if( ( TEST ) != ( PARAM_ERR_VALUE ) ) goto exit; } while( 0 ) -/** - * \brief This macro tests the statement passed to it as a test step or - * individual test in a test case. The macro assumes the test will fail - * and will generate an error. - * - * It assumes the library function under test cannot return a value and - * assumes errors can only be indicated byt calls to - * MBEDTLS_PARAM_FAILED(). - * - * When MBEDTLS_CHECK_PARAMS is enabled, calls to the parameter failure - * callback, MBEDTLS_PARAM_FAILED(), are assumed to indicate the - * expected failure. If MBEDTLS_CHECK_PARAMS is not enabled, no test - * can be made. - * - * This macro is intended for negative parameter validation tests, - * where the failing function can only return an error by calling - * MBEDTLS_PARAM_FAILED() to indicate the error. - * - * \param TEST The test expression to be tested. - */ -#define TEST_INVALID_PARAM( TEST ) \ - do { \ - memcpy( jmp_tmp, mbedtls_test_param_failed_get_state_buf( ), \ - sizeof( jmp_tmp ) ); \ - if( setjmp( mbedtls_test_param_failed_get_state_buf( ) ) == 0 ) \ - { \ - TEST; \ - mbedtls_test_fail( #TEST, __LINE__, __FILE__ ); \ - goto exit; \ - } \ - mbedtls_test_param_failed_reset_state( ); \ - } while( 0 ) +#define TEST_INVALID_PARAM( TEST ) \ + do { TEST; } while( 0 ) #endif /* MBEDTLS_CHECK_PARAMS && !MBEDTLS_PARAM_FAILED_ALT */ /** @@ -256,11 +193,6 @@ * assumes errors can only be indicated by calls to * MBEDTLS_PARAM_FAILED(). * - * When MBEDTLS_CHECK_PARAMS is enabled, calls to the parameter failure - * callback, MBEDTLS_PARAM_FAILED(), are assumed to indicate the - * expected failure. If MBEDTLS_CHECK_PARAMS is not enabled, no test - * can be made. - * * This macro is intended to test that functions returning void * accept all of the parameter values they're supposed to accept - eg * that they don't call MBEDTLS_PARAM_FAILED() when a parameter @@ -271,12 +203,6 @@ * accept is best done by using TEST_ASSERT() and checking the return * value as well. * - * Note: this macro is available even when #MBEDTLS_CHECK_PARAMS is - * disabled, as it makes sense to check that the functions accept all - * legal values even if this option is disabled - only in that case, - * the test is more about whether the function segfaults than about - * whether it invokes MBEDTLS_PARAM_FAILED(). - * * \param TEST The test expression to be tested. */ #define TEST_VALID_PARAM( TEST ) \ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 8e163a9478..9b0d5fe4a6 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1853,38 +1853,6 @@ component_build_psa_accel_key_type_rsa_public_key() { make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } -component_test_check_params_functionality () { - msg "build+test: MBEDTLS_CHECK_PARAMS functionality" - scripts/config.py full # includes CHECK_PARAMS - # Make MBEDTLS_PARAM_FAILED call mbedtls_param_failed(). - scripts/config.py unset MBEDTLS_CHECK_PARAMS_ASSERT - make CC=gcc CFLAGS='-Werror -O1' all test -} - -component_test_check_params_without_platform () { - msg "build+test: MBEDTLS_CHECK_PARAMS without MBEDTLS_PLATFORM_C" - scripts/config.py full # includes CHECK_PARAMS - # Keep MBEDTLS_PARAM_FAILED as assert. - scripts/config.py unset MBEDTLS_PLATFORM_EXIT_ALT - scripts/config.py unset MBEDTLS_PLATFORM_TIME_ALT - scripts/config.py unset MBEDTLS_PLATFORM_FPRINTF_ALT - scripts/config.py unset MBEDTLS_PLATFORM_MEMORY - scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT - scripts/config.py unset MBEDTLS_PLATFORM_PRINTF_ALT - scripts/config.py unset MBEDTLS_PLATFORM_SNPRINTF_ALT - scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED - scripts/config.py unset MBEDTLS_PLATFORM_C - make CC=gcc CFLAGS='-Werror -O1' all test -} - -component_test_check_params_silent () { - msg "build+test: MBEDTLS_CHECK_PARAMS with alternative MBEDTLS_PARAM_FAILED()" - scripts/config.py full # includes CHECK_PARAMS - # Set MBEDTLS_PARAM_FAILED to nothing. - sed -i 's/.*\(#define MBEDTLS_PARAM_FAILED( cond )\).*/\1/' "$CONFIG_H" - make CC=gcc CFLAGS='-Werror -O1' all test -} - component_test_no_platform () { # Full configuration build, without platform support, file IO and net sockets. # This should catch missing mbedtls_printf definitions, and by disabling file diff --git a/tests/src/helpers.c b/tests/src/helpers.c index b7c9867b05..ece0465139 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -19,27 +19,9 @@ #include #include -#if defined(MBEDTLS_CHECK_PARAMS) -#include -#endif - /*----------------------------------------------------------------------------*/ /* Static global variables */ -#if defined(MBEDTLS_CHECK_PARAMS) -typedef struct -{ - uint8_t expected_call; - uint8_t expected_call_happened; - - jmp_buf state; - - mbedtls_test_param_failed_location_record_t location_record; -} -param_failed_ctx_t; -static param_failed_ctx_t param_failed_ctx; -#endif - #if defined(MBEDTLS_PLATFORM_C) static mbedtls_platform_context platform_ctx; #endif @@ -222,66 +204,14 @@ int mbedtls_test_hexcmp( uint8_t * a, uint8_t * b, return ret; } -#if defined(MBEDTLS_CHECK_PARAMS) -void mbedtls_test_param_failed_get_location_record( - mbedtls_test_param_failed_location_record_t *location_record ) -{ - *location_record = param_failed_ctx.location_record; -} - -void mbedtls_test_param_failed_expect_call( void ) -{ - param_failed_ctx.expected_call_happened = 0; - param_failed_ctx.expected_call = 1; -} - -int mbedtls_test_param_failed_check_expected_call( void ) -{ - param_failed_ctx.expected_call = 0; - - if( param_failed_ctx.expected_call_happened != 0 ) - return( 0 ); - - return( -1 ); -} - -void* mbedtls_test_param_failed_get_state_buf( void ) -{ - return ¶m_failed_ctx.state; -} - -void mbedtls_test_param_failed_reset_state( void ) -{ - memset( param_failed_ctx.state, 0, sizeof( param_failed_ctx.state ) ); -} - void mbedtls_param_failed( const char *failure_condition, const char *file, int line ) { - /* Record the location of the failure */ - param_failed_ctx.location_record.failure_condition = failure_condition; - param_failed_ctx.location_record.file = file; - param_failed_ctx.location_record.line = line; - - /* If we are testing the callback function... */ - if( param_failed_ctx.expected_call != 0 ) - { - param_failed_ctx.expected_call = 0; - param_failed_ctx.expected_call_happened = 1; - } - else - { - /* ...else try a long jump. If the execution state has not been set-up - * or reset then the long jump buffer is all zero's and the call will - * with high probability fault, emphasizing there is something to look - * at. - */ - - longjmp( param_failed_ctx.state, 1 ); - } + (void) failure_condition; + (void) file; + (void) line; } -#endif /* MBEDTLS_CHECK_PARAMS */ #if defined(MBEDTLS_TEST_HOOKS) void mbedtls_test_err_add_check( int high, int low, diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function index 2ef07fa62b..89ba0b093c 100644 --- a/tests/suites/helpers.function +++ b/tests/suites/helpers.function @@ -28,11 +28,6 @@ #include "mbedtls/memory_buffer_alloc.h" #endif -#if defined(MBEDTLS_CHECK_PARAMS) -#include "mbedtls/platform_util.h" -#include -#endif - #ifdef _MSC_VER #include typedef UINT8 uint8_t; @@ -78,10 +73,6 @@ typedef struct data_tag /*----------------------------------------------------------------------------*/ /* Global variables */ -#if defined(MBEDTLS_CHECK_PARAMS) -jmp_buf jmp_tmp; -#endif - /*----------------------------------------------------------------------------*/ /* Helper flags for complex dependencies */ diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function index ac00f45e57..13d032c4a4 100644 --- a/tests/suites/main_test.function +++ b/tests/suites/main_test.function @@ -176,26 +176,7 @@ void execute_function_ptr(TestWrapper_t fp, void **params) mbedtls_test_enable_insecure_external_rng( ); #endif -#if defined(MBEDTLS_CHECK_PARAMS) - mbedtls_test_param_failed_location_record_t location_record; - - if ( setjmp( mbedtls_test_param_failed_get_state_buf( ) ) == 0 ) - { - fp( params ); - } - else - { - /* Unexpected parameter validation error */ - mbedtls_test_param_failed_get_location_record( &location_record ); - mbedtls_test_fail( location_record.failure_condition, - location_record.line, - location_record.file ); - } - - mbedtls_test_param_failed_reset_state( ); -#else fp( params ); -#endif #if defined(MBEDTLS_TEST_MUTEX_USAGE) mbedtls_test_mutex_usage_check( ); diff --git a/tests/suites/test_suite_aes.function b/tests/suites/test_suite_aes.function index 754a167026..a740391035 100644 --- a/tests/suites/test_suite_aes.function +++ b/tests/suites/test_suite_aes.function @@ -360,193 +360,40 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ -void aes_check_params( ) +void aes_invalid_mode( ) { mbedtls_aes_context aes_ctx; -#if defined(MBEDTLS_CIPHER_MODE_XTS) - mbedtls_aes_xts_context xts_ctx; -#endif - const unsigned char key[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 }; const unsigned char in[16] = { 0 }; unsigned char out[16]; - size_t size; - const int valid_mode = MBEDTLS_AES_ENCRYPT; const int invalid_mode = 42; - TEST_INVALID_PARAM( mbedtls_aes_init( NULL ) ); -#if defined(MBEDTLS_CIPHER_MODE_XTS) - TEST_INVALID_PARAM( mbedtls_aes_xts_init( NULL ) ); -#endif - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_setkey_enc( NULL, key, 128 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_setkey_enc( &aes_ctx, NULL, 128 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_setkey_dec( NULL, key, 128 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_setkey_dec( &aes_ctx, NULL, 128 ) ); - -#if defined(MBEDTLS_CIPHER_MODE_XTS) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_xts_setkey_enc( NULL, key, 128 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_xts_setkey_enc( &xts_ctx, NULL, 128 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_xts_setkey_dec( NULL, key, 128 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_xts_setkey_dec( &xts_ctx, NULL, 128 ) ); -#endif - - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_ecb( NULL, - valid_mode, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_ecb( &aes_ctx, - invalid_mode, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_ecb( &aes_ctx, - valid_mode, NULL, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_ecb( &aes_ctx, - valid_mode, in, NULL ) ); + TEST_EQUAL( MBEDTLS_ERR_AES_BAD_INPUT_DATA, + mbedtls_aes_crypt_ecb( &aes_ctx, invalid_mode, in, out ) ); #if defined(MBEDTLS_CIPHER_MODE_CBC) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cbc( NULL, - valid_mode, 16, - out, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cbc( &aes_ctx, - invalid_mode, 16, - out, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cbc( &aes_ctx, - valid_mode, 16, - NULL, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cbc( &aes_ctx, - valid_mode, 16, - out, NULL, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cbc( &aes_ctx, - valid_mode, 16, - out, in, NULL ) ); + TEST_EQUAL( MBEDTLS_ERR_AES_BAD_INPUT_DATA, + mbedtls_aes_crypt_cbc( &aes_ctx, invalid_mode, 16, + out, in, out ) ); #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_CIPHER_MODE_XTS) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_xts( NULL, - valid_mode, 16, - in, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_xts( &xts_ctx, - invalid_mode, 16, - in, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_xts( &xts_ctx, - valid_mode, 16, - NULL, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_xts( &xts_ctx, - valid_mode, 16, - in, NULL, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_xts( &xts_ctx, - valid_mode, 16, - in, in, NULL ) ); + mbedtls_aes_xts_context xts_ctx; + + TEST_EQUAL( MBEDTLS_ERR_AES_BAD_INPUT_DATA, + mbedtls_aes_crypt_xts( &xts_ctx, invalid_mode, 16, + in, in, out ) ); #endif /* MBEDTLS_CIPHER_MODE_XTS */ #if defined(MBEDTLS_CIPHER_MODE_CFB) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cfb128( NULL, - valid_mode, 16, - &size, out, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cfb128( &aes_ctx, - invalid_mode, 16, - &size, out, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cfb128( &aes_ctx, - valid_mode, 16, - NULL, out, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cfb128( &aes_ctx, - valid_mode, 16, - &size, NULL, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cfb128( &aes_ctx, - valid_mode, 16, - &size, out, NULL, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cfb128( &aes_ctx, - valid_mode, 16, - &size, out, in, NULL ) ); + size_t size; - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cfb8( NULL, - valid_mode, 16, - out, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cfb8( &aes_ctx, - invalid_mode, 16, - out, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cfb8( &aes_ctx, - valid_mode, 16, - NULL, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cfb8( &aes_ctx, - valid_mode, 16, - out, NULL, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_cfb8( &aes_ctx, - valid_mode, 16, - out, in, NULL ) ); + TEST_EQUAL( MBEDTLS_ERR_AES_BAD_INPUT_DATA, + mbedtls_aes_crypt_cfb128( &aes_ctx, invalid_mode, 16, + &size, out, in, out ) ); + TEST_EQUAL( MBEDTLS_ERR_AES_BAD_INPUT_DATA, + mbedtls_aes_crypt_cfb8( &aes_ctx, invalid_mode, 16, + out, in, out ) ); #endif /* MBEDTLS_CIPHER_MODE_CFB */ - -#if defined(MBEDTLS_CIPHER_MODE_OFB) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_ofb( NULL, 16, - &size, out, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_ofb( &aes_ctx, 16, - NULL, out, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_ofb( &aes_ctx, 16, - &size, NULL, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_ofb( &aes_ctx, 16, - &size, out, NULL, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_ofb( &aes_ctx, 16, - &size, out, in, NULL ) ); -#endif /* MBEDTLS_CIPHER_MODE_OFB */ - -#if defined(MBEDTLS_CIPHER_MODE_CTR) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_ctr( NULL, 16, &size, out, - out, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_ctr( &aes_ctx, 16, NULL, out, - out, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_ctr( &aes_ctx, 16, &size, NULL, - out, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_ctr( &aes_ctx, 16, &size, out, - NULL, in, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_ctr( &aes_ctx, 16, &size, out, - out, NULL, out ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA, - mbedtls_aes_crypt_ctr( &aes_ctx, 16, &size, out, - out, in, NULL ) ); -#endif /* MBEDTLS_CIPHER_MODE_CTR */ } /* END_CASE */ diff --git a/tests/suites/test_suite_aes.rest.data b/tests/suites/test_suite_aes.rest.data index 6a76b43eb8..3b43c90cd2 100644 --- a/tests/suites/test_suite_aes.rest.data +++ b/tests/suites/test_suite_aes.rest.data @@ -10,8 +10,8 @@ aes_encrypt_cbc:"000000000000000000000000000000000000000000000000000000000000000 AES-256-CBC Decrypt (Invalid input length) aes_decrypt_cbc:"0000000000000000000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"623a52fcea5d443e48d9181ab32c74":"":MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH -AES - Optional Parameter Validation (MBEDTLS_CHECK_PARAMS) -aes_check_params: +AES - Mode Parameter Validation +aes_invalid_mode: AES - Mandatory Parameter Validation and Valid Parameters aes_misc_params: diff --git a/tests/suites/test_suite_aria.function b/tests/suites/test_suite_aria.function index 6d6a203356..b24e4984ed 100644 --- a/tests/suites/test_suite_aria.function +++ b/tests/suites/test_suite_aria.function @@ -27,7 +27,6 @@ void aria_valid_param( ) void aria_invalid_param( ) { mbedtls_aria_context ctx; - unsigned char key[128 / 8] = { 0 }; unsigned char input[MBEDTLS_ARIA_BLOCKSIZE] = { 0 }; unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] = { 0 }; unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE] = { 0 }; @@ -36,77 +35,18 @@ void aria_invalid_param( ) ((void) iv_off); ((void) iv); - TEST_INVALID_PARAM( mbedtls_aria_init( NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_setkey_enc( NULL, key, - sizeof( key ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_setkey_enc( &ctx, NULL, - sizeof( key ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_setkey_dec( NULL, key, - sizeof( key ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_setkey_dec( &ctx, NULL, - sizeof( key ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_ecb( NULL, input, output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_ecb( &ctx, NULL, output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_ecb( &ctx, input, NULL ) ); - #if defined(MBEDTLS_CIPHER_MODE_CBC) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_cbc( NULL, - MBEDTLS_ARIA_ENCRYPT, - sizeof( input ), - iv, - input, - output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, mbedtls_aria_crypt_cbc( &ctx, 42 /* invalid mode */, sizeof( input ), iv, input, output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_cbc( &ctx, - MBEDTLS_ARIA_ENCRYPT, - sizeof( input ), - NULL, - input, - output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_cbc( &ctx, - MBEDTLS_ARIA_ENCRYPT, - sizeof( input ), - iv, - NULL, - output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_cbc( &ctx, - MBEDTLS_ARIA_ENCRYPT, - sizeof( input ), - iv, - input, - NULL ) ); #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_CIPHER_MODE_CFB) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_cfb128( NULL, - MBEDTLS_ARIA_ENCRYPT, - sizeof( input ), - &iv_off, - iv, - input, - output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, mbedtls_aria_crypt_cfb128( &ctx, 42, /* invalid mode */ sizeof( input ), @@ -114,91 +54,8 @@ void aria_invalid_param( ) iv, input, output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_cfb128( &ctx, - MBEDTLS_ARIA_ENCRYPT, - sizeof( input ), - NULL, - iv, - input, - output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_cfb128( &ctx, - MBEDTLS_ARIA_ENCRYPT, - sizeof( input ), - &iv_off, - NULL, - input, - output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_cfb128( &ctx, - MBEDTLS_ARIA_ENCRYPT, - sizeof( input ), - &iv_off, - iv, - NULL, - output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_cfb128( &ctx, - MBEDTLS_ARIA_ENCRYPT, - sizeof( input ), - &iv_off, - iv, - input, - NULL ) ); #endif /* MBEDTLS_CIPHER_MODE_CFB */ -#if defined(MBEDTLS_CIPHER_MODE_CTR) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_ctr( NULL, - sizeof( input ), - &iv_off, - iv, - iv, - input, - output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_ctr( &ctx, - sizeof( input ), - NULL, - iv, - iv, - input, - output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_ctr( &ctx, - sizeof( input ), - &iv_off, - NULL, - iv, - input, - output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_ctr( &ctx, - sizeof( input ), - &iv_off, - iv, - NULL, - input, - output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_ctr( &ctx, - sizeof( input ), - &iv_off, - iv, - iv, - NULL, - output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, - mbedtls_aria_crypt_ctr( &ctx, - sizeof( input ), - &iv_off, - iv, - iv, - input, - NULL ) ); -#endif /* MBEDTLS_CIPHER_MODE_CTR */ - exit: return; diff --git a/tests/suites/test_suite_blowfish.function b/tests/suites/test_suite_blowfish.function index f89353ce95..5681a9e945 100644 --- a/tests/suites/test_suite_blowfish.function +++ b/tests/suites/test_suite_blowfish.function @@ -19,147 +19,32 @@ void blowfish_invalid_param( ) { mbedtls_blowfish_context ctx; unsigned char buf[16] = { 0 }; - size_t const valid_keylength = sizeof( buf ) * 8; - size_t valid_mode = MBEDTLS_BLOWFISH_ENCRYPT; size_t invalid_mode = 42; size_t off; ((void) off); - TEST_INVALID_PARAM( mbedtls_blowfish_init( NULL ) ); - TEST_VALID_PARAM( mbedtls_blowfish_free( NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_setkey( NULL, - buf, - valid_keylength ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_setkey( &ctx, - NULL, - valid_keylength ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_ecb( NULL, - valid_mode, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, mbedtls_blowfish_crypt_ecb( &ctx, invalid_mode, buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_ecb( &ctx, - valid_mode, - NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_ecb( &ctx, - valid_mode, - buf, NULL ) ); #if defined(MBEDTLS_CIPHER_MODE_CBC) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_cbc( NULL, - valid_mode, - sizeof( buf ), - buf, buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, mbedtls_blowfish_crypt_cbc( &ctx, invalid_mode, sizeof( buf ), buf, buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_cbc( &ctx, - valid_mode, - sizeof( buf ), - NULL, buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_cbc( &ctx, - valid_mode, - sizeof( buf ), - buf, NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_cbc( &ctx, - valid_mode, - sizeof( buf ), - buf, buf, NULL ) ); #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_CIPHER_MODE_CFB) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_cfb64( NULL, - valid_mode, - sizeof( buf ), - &off, buf, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, mbedtls_blowfish_crypt_cfb64( &ctx, invalid_mode, sizeof( buf ), &off, buf, buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_cfb64( &ctx, - valid_mode, - sizeof( buf ), - NULL, buf, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_cfb64( &ctx, - valid_mode, - sizeof( buf ), - &off, NULL, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_cfb64( &ctx, - valid_mode, - sizeof( buf ), - &off, buf, - NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_cfb64( &ctx, - valid_mode, - sizeof( buf ), - &off, buf, - buf, NULL ) ); #endif /* MBEDTLS_CIPHER_MODE_CFB */ -#if defined(MBEDTLS_CIPHER_MODE_CTR) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_ctr( NULL, - sizeof( buf ), - &off, - buf, buf, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_ctr( &ctx, - sizeof( buf ), - NULL, - buf, buf, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_ctr( &ctx, - sizeof( buf ), - &off, - NULL, buf, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_ctr( &ctx, - sizeof( buf ), - &off, - buf, NULL, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_ctr( &ctx, - sizeof( buf ), - &off, - buf, buf, - NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA, - mbedtls_blowfish_crypt_ctr( &ctx, - sizeof( buf ), - &off, - buf, buf, - buf, NULL ) ); -#endif /* MBEDTLS_CIPHER_MODE_CTR */ - exit: return; } diff --git a/tests/suites/test_suite_camellia.function b/tests/suites/test_suite_camellia.function index 312495c9ae..fb0a349177 100644 --- a/tests/suites/test_suite_camellia.function +++ b/tests/suites/test_suite_camellia.function @@ -19,155 +19,32 @@ void camellia_invalid_param( ) { mbedtls_camellia_context ctx; unsigned char buf[16] = { 0 }; - const size_t valid_keybits = 128; const int invalid_mode = 42; - const int valid_mode = MBEDTLS_CAMELLIA_ENCRYPT; size_t off; ((void) off); - TEST_INVALID_PARAM( mbedtls_camellia_init( NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_setkey_enc( NULL, - buf, - valid_keybits ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_setkey_enc( &ctx, - NULL, - valid_keybits ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_setkey_dec( NULL, - buf, - valid_keybits ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_setkey_dec( &ctx, - NULL, - valid_keybits ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_ecb( NULL, - valid_mode, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, mbedtls_camellia_crypt_ecb( &ctx, invalid_mode, buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_ecb( &ctx, - valid_mode, - NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_ecb( &ctx, - valid_mode, - buf, NULL ) ); #if defined(MBEDTLS_CIPHER_MODE_CBC) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_cbc( NULL, - valid_mode, - sizeof( buf ), - buf, buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, mbedtls_camellia_crypt_cbc( &ctx, invalid_mode, sizeof( buf ), buf, buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_cbc( &ctx, - valid_mode, - sizeof( buf ), - NULL, buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_cbc( &ctx, - valid_mode, - sizeof( buf ), - buf, NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_cbc( &ctx, - valid_mode, - sizeof( buf ), - buf, buf, NULL ) ); #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_CIPHER_MODE_CFB) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_cfb128( NULL, - valid_mode, - sizeof( buf ), - &off, buf, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, mbedtls_camellia_crypt_cfb128( &ctx, invalid_mode, sizeof( buf ), &off, buf, buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_cfb128( &ctx, - valid_mode, - sizeof( buf ), - NULL, buf, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_cfb128( &ctx, - valid_mode, - sizeof( buf ), - &off, NULL, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_cfb128( &ctx, - valid_mode, - sizeof( buf ), - &off, buf, - NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_cfb128( &ctx, - valid_mode, - sizeof( buf ), - &off, buf, - buf, NULL ) ); #endif /* MBEDTLS_CIPHER_MODE_CFB */ -#if defined(MBEDTLS_CIPHER_MODE_CTR) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_ctr( NULL, - sizeof( buf ), - &off, - buf, buf, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_ctr( &ctx, - sizeof( buf ), - NULL, - buf, buf, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_ctr( &ctx, - sizeof( buf ), - &off, - NULL, buf, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_ctr( &ctx, - sizeof( buf ), - &off, - buf, NULL, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_ctr( &ctx, - sizeof( buf ), - &off, - buf, buf, - NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA, - mbedtls_camellia_crypt_ctr( &ctx, - sizeof( buf ), - &off, - buf, buf, - buf, NULL ) ); -#endif /* MBEDTLS_CIPHER_MODE_CTR */ - exit: return; } diff --git a/tests/suites/test_suite_ccm.data b/tests/suites/test_suite_ccm.data index 4f83468ac4..63af5aa04a 100644 --- a/tests/suites/test_suite_ccm.data +++ b/tests/suites/test_suite_ccm.data @@ -1,9 +1,6 @@ CCM self test mbedtls_ccm_self_test: -CCM - Invalid parameters -ccm_invalid_param: - CCM - Valid parameters ccm_valid_param: diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 5a3726e07b..1b00560ecf 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -292,210 +292,6 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ -void ccm_invalid_param( ) -{ - struct mbedtls_ccm_context ctx; - unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 }; - mbedtls_cipher_id_t valid_cipher = MBEDTLS_CIPHER_ID_AES; - int valid_len = sizeof(valid_buffer); - int valid_bitlen = valid_len * 8; - - mbedtls_ccm_init( &ctx ); - - /* mbedtls_ccm_init() */ - TEST_INVALID_PARAM( mbedtls_ccm_init( NULL ) ); - - /* mbedtls_ccm_setkey() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_setkey( NULL, valid_cipher, valid_buffer, valid_bitlen ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_setkey( &ctx, valid_cipher, NULL, valid_bitlen ) ); - - /* mbedtls_ccm_encrypt_and_tag() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_encrypt_and_tag( NULL, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_encrypt_and_tag( &ctx, valid_len, - NULL, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_encrypt_and_tag( &ctx, valid_len, - valid_buffer, valid_len, - NULL, valid_len, - valid_buffer, valid_buffer, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_encrypt_and_tag( &ctx, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - NULL, valid_buffer, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_encrypt_and_tag( &ctx, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, NULL, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_encrypt_and_tag( &ctx, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer, - NULL, valid_len ) ); - - /* mbedtls_ccm_star_encrypt_and_tag() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_star_encrypt_and_tag( NULL, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer, - valid_buffer, valid_len) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_star_encrypt_and_tag( &ctx, valid_len, - NULL, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_star_encrypt_and_tag( &ctx, valid_len, - valid_buffer, valid_len, - NULL, valid_len, - valid_buffer, valid_buffer, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_star_encrypt_and_tag( &ctx, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - NULL, valid_buffer, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_star_encrypt_and_tag( &ctx, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, NULL, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_star_encrypt_and_tag( &ctx, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer, - NULL, valid_len ) ); - - /* mbedtls_ccm_auth_decrypt() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_auth_decrypt( NULL, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_auth_decrypt( &ctx, valid_len, - NULL, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_auth_decrypt( &ctx, valid_len, - valid_buffer, valid_len, - NULL, valid_len, - valid_buffer, valid_buffer, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_auth_decrypt( &ctx, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - NULL, valid_buffer, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_auth_decrypt( &ctx, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, NULL, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_auth_decrypt( &ctx, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer, - NULL, valid_len ) ); - - /* mbedtls_ccm_star_auth_decrypt() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_star_auth_decrypt( NULL, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_star_auth_decrypt( &ctx, valid_len, - NULL, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_star_auth_decrypt( &ctx, valid_len, - valid_buffer, valid_len, - NULL, valid_len, - valid_buffer, valid_buffer, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_star_auth_decrypt( &ctx, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - NULL, valid_buffer, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_star_auth_decrypt( &ctx, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, NULL, - valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CCM_BAD_INPUT, - mbedtls_ccm_star_auth_decrypt( &ctx, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer, - NULL, valid_len ) ); - -exit: - mbedtls_ccm_free( &ctx ); - return; -} -/* END_CASE */ - /* BEGIN_CASE */ void ccm_valid_param( ) { diff --git a/tests/suites/test_suite_chacha20.data b/tests/suites/test_suite_chacha20.data index 3f9033eeb2..86094604bf 100644 --- a/tests/suites/test_suite_chacha20.data +++ b/tests/suites/test_suite_chacha20.data @@ -22,8 +22,5 @@ chacha20_crypt:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0 ChaCha20 RFC 7539 Test Vector #3 (Decrypt) chacha20_crypt:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000000000000000002":42:"62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1":"2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e" -ChaCha20 Paremeter Validation -chacha20_bad_params: - ChaCha20 Selftest chacha20_self_test: diff --git a/tests/suites/test_suite_chacha20.function b/tests/suites/test_suite_chacha20.function index 67c8de2ec1..9afadb7738 100644 --- a/tests/suites/test_suite_chacha20.function +++ b/tests/suites/test_suite_chacha20.function @@ -66,52 +66,6 @@ void chacha20_crypt( data_t *key_str, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ -void chacha20_bad_params() -{ - unsigned char key[32]; - unsigned char nonce[12]; - unsigned char src[1]; - unsigned char dst[1]; - uint32_t counter = 0; - size_t len = sizeof( src ); - mbedtls_chacha20_context ctx; - - TEST_INVALID_PARAM( mbedtls_chacha20_init( NULL ) ); - TEST_VALID_PARAM( mbedtls_chacha20_free( NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA, - mbedtls_chacha20_setkey( NULL, key ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA, - mbedtls_chacha20_setkey( &ctx, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA, - mbedtls_chacha20_starts( NULL, nonce, counter ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA, - mbedtls_chacha20_starts( &ctx, NULL, counter ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA, - mbedtls_chacha20_update( NULL, 0, src, dst ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA, - mbedtls_chacha20_update( &ctx, len, NULL, dst ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA, - mbedtls_chacha20_update( &ctx, len, src, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA, - mbedtls_chacha20_crypt( NULL, nonce, counter, 0, src, dst ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA, - mbedtls_chacha20_crypt( key, NULL, counter, 0, src, dst ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA, - mbedtls_chacha20_crypt( key, nonce, counter, len, NULL, dst ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA, - mbedtls_chacha20_crypt( key, nonce, counter, len, src, NULL ) ); - -exit: - return; - -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ void chacha20_self_test() { diff --git a/tests/suites/test_suite_chachapoly.data b/tests/suites/test_suite_chachapoly.data index 34cb568311..02c7bf3d21 100644 --- a/tests/suites/test_suite_chachapoly.data +++ b/tests/suites/test_suite_chachapoly.data @@ -19,9 +19,6 @@ mbedtls_chachapoly_dec:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc ChaCha20-Poly1305 State Flow chachapoly_state: -ChaCha20-Poly1305 Parameter Validation -chachapoly_bad_params: - ChaCha20-Poly1305 Selftest depends_on:MBEDTLS_SELF_TEST chachapoly_selftest: diff --git a/tests/suites/test_suite_chachapoly.function b/tests/suites/test_suite_chachapoly.function index 96128e4ec3..2e1e7b2dcf 100644 --- a/tests/suites/test_suite_chachapoly.function +++ b/tests/suites/test_suite_chachapoly.function @@ -66,137 +66,6 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ -void chachapoly_bad_params() -{ - unsigned char key[32]; - unsigned char nonce[12]; - unsigned char aad[1]; - unsigned char input[1]; - unsigned char output[1]; - unsigned char mac[16]; - size_t input_len = sizeof( input ); - size_t aad_len = sizeof( aad ); - mbedtls_chachapoly_context ctx; - - memset( key, 0x00, sizeof( key ) ); - memset( nonce, 0x00, sizeof( nonce ) ); - memset( aad, 0x00, sizeof( aad ) ); - memset( input, 0x00, sizeof( input ) ); - memset( output, 0x00, sizeof( output ) ); - memset( mac, 0x00, sizeof( mac ) ); - - TEST_INVALID_PARAM( mbedtls_chachapoly_init( NULL ) ); - TEST_VALID_PARAM( mbedtls_chachapoly_free( NULL ) ); - - /* setkey */ - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_setkey( NULL, key ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_setkey( &ctx, NULL ) ); - - /* encrypt_and_tag */ - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_encrypt_and_tag( NULL, - 0, nonce, - aad, 0, - input, output, mac ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_encrypt_and_tag( &ctx, - 0, NULL, - aad, 0, - input, output, mac ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_encrypt_and_tag( &ctx, - 0, nonce, - NULL, aad_len, - input, output, mac ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_encrypt_and_tag( &ctx, - input_len, nonce, - aad, 0, - NULL, output, mac ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_encrypt_and_tag( &ctx, - input_len, nonce, - aad, 0, - input, NULL, mac ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_encrypt_and_tag( &ctx, - 0, nonce, - aad, 0, - input, output, NULL ) ); - - /* auth_decrypt */ - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_auth_decrypt( NULL, - 0, nonce, - aad, 0, - mac, input, output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_auth_decrypt( &ctx, - 0, NULL, - aad, 0, - mac, input, output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_auth_decrypt( &ctx, - 0, nonce, - NULL, aad_len, - mac, input, output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_auth_decrypt( &ctx, - 0, nonce, - aad, 0, - NULL, input, output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_auth_decrypt( &ctx, - input_len, nonce, - aad, 0, - mac, NULL, output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_auth_decrypt( &ctx, - input_len, nonce, - aad, 0, - mac, input, NULL ) ); - - /* starts */ - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_starts( NULL, nonce, - MBEDTLS_CHACHAPOLY_ENCRYPT ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_starts( &ctx, NULL, - MBEDTLS_CHACHAPOLY_ENCRYPT ) ); - - /* update_aad */ - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_update_aad( NULL, aad, - aad_len ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_update_aad( &ctx, NULL, - aad_len ) ); - - /* update */ - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_update( NULL, input_len, - input, output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_update( &ctx, input_len, - NULL, output ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_update( &ctx, input_len, - input, NULL ) ); - - /* finish */ - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_finish( NULL, mac ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_chachapoly_finish( &ctx, NULL ) ); - -exit: - return; -} -/* END_CASE */ - /* BEGIN_CASE */ void chachapoly_state() { diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 3d3f6a3292..ea5fa2e5e4 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -212,7 +212,6 @@ void cipher_invalid_param_conditional( ) { mbedtls_cipher_context_t valid_ctx; - mbedtls_operation_t valid_operation = MBEDTLS_ENCRYPT; mbedtls_operation_t invalid_operation = 100; mbedtls_cipher_padding_t valid_mode = MBEDTLS_PADDING_ZEROS; unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; @@ -221,311 +220,21 @@ void cipher_invalid_param_conditional( ) const mbedtls_cipher_info_t *valid_info = mbedtls_cipher_info_from_type( *( mbedtls_cipher_list() ) ); - size_t size_t_var; - (void)valid_mode; /* In some configurations this is unused */ /* mbedtls_cipher_init() */ TEST_VALID_PARAM( mbedtls_cipher_init( &valid_ctx ) ); - TEST_INVALID_PARAM( mbedtls_cipher_init( NULL ) ); /* mbedtls_cipher_setup() */ TEST_VALID_PARAM( mbedtls_cipher_setup( &valid_ctx, valid_info ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_setup( NULL, valid_info ) ); - /* mbedtls_cipher_get_block_size() */ - TEST_INVALID_PARAM_RET( 0, mbedtls_cipher_get_block_size( NULL ) ); - - /* mbedtls_cipher_get_cipher_mode() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_MODE_NONE, - mbedtls_cipher_get_cipher_mode( NULL ) ); - - /* mbedtls_cipher_get_iv_size() */ - TEST_INVALID_PARAM_RET( 0, mbedtls_cipher_get_iv_size( NULL ) ); - - /* mbedtls_cipher_get_type() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_CIPHER_NONE, - mbedtls_cipher_get_type( NULL ) ); - - /* mbedtls_cipher_get_name() */ - TEST_INVALID_PARAM_RET( 0, mbedtls_cipher_get_name( NULL ) ); - - /* mbedtls_cipher_get_key_bitlen() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_KEY_LENGTH_NONE, - mbedtls_cipher_get_key_bitlen( NULL ) ); - - /* mbedtls_cipher_get_operation() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_OPERATION_NONE, - mbedtls_cipher_get_operation( NULL ) ); - - /* mbedtls_cipher_setkey() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_setkey( NULL, - valid_buffer, - valid_bitlen, - valid_operation ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_setkey( &valid_ctx, - NULL, - valid_bitlen, - valid_operation ) ); - TEST_INVALID_PARAM_RET( + TEST_EQUAL( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, mbedtls_cipher_setkey( &valid_ctx, valid_buffer, valid_bitlen, invalid_operation ) ); - /* mbedtls_cipher_set_iv() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_set_iv( NULL, - valid_buffer, - valid_size ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_set_iv( &valid_ctx, - NULL, - valid_size ) ); - - /* mbedtls_cipher_reset() */ - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_reset( NULL ) ); - -#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) - /* mbedtls_cipher_update_ad() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_update_ad( NULL, - valid_buffer, - valid_size ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_update_ad( &valid_ctx, - NULL, - valid_size ) ); -#endif /* defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) */ - -#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) - /* mbedtls_cipher_set_padding_mode() */ - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_set_padding_mode( NULL, valid_mode ) ); -#endif - - /* mbedtls_cipher_update() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_update( NULL, - valid_buffer, - valid_size, - valid_buffer, - &size_t_var ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_update( &valid_ctx, - NULL, valid_size, - valid_buffer, - &size_t_var ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_update( &valid_ctx, - valid_buffer, valid_size, - NULL, - &size_t_var ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_update( &valid_ctx, - valid_buffer, valid_size, - valid_buffer, - NULL ) ); - - /* mbedtls_cipher_finish() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_finish( NULL, - valid_buffer, - &size_t_var ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_finish( &valid_ctx, - NULL, - &size_t_var ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_finish( &valid_ctx, - valid_buffer, - NULL ) ); - -#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) - /* mbedtls_cipher_write_tag() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_write_tag( NULL, - valid_buffer, - valid_size ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_write_tag( &valid_ctx, - NULL, - valid_size ) ); - - /* mbedtls_cipher_check_tag() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_check_tag( NULL, - valid_buffer, - valid_size ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_check_tag( &valid_ctx, - NULL, - valid_size ) ); -#endif /* defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) */ - - /* mbedtls_cipher_crypt() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_crypt( NULL, - valid_buffer, valid_size, - valid_buffer, valid_size, - valid_buffer, &size_t_var ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_crypt( &valid_ctx, - NULL, valid_size, - valid_buffer, valid_size, - valid_buffer, &size_t_var ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_crypt( &valid_ctx, - valid_buffer, valid_size, - NULL, valid_size, - valid_buffer, &size_t_var ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_crypt( &valid_ctx, - valid_buffer, valid_size, - valid_buffer, valid_size, - NULL, &size_t_var ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_crypt( &valid_ctx, - valid_buffer, valid_size, - valid_buffer, valid_size, - valid_buffer, NULL ) ); - -#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) - /* mbedtls_cipher_auth_encrypt_ext */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_auth_encrypt_ext( NULL, - valid_buffer, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, &size_t_var, - valid_size ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_auth_encrypt_ext( &valid_ctx, - NULL, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, &size_t_var, - valid_size ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_auth_encrypt_ext( &valid_ctx, - valid_buffer, valid_size, - NULL, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, &size_t_var, - valid_size ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_auth_encrypt_ext( &valid_ctx, - valid_buffer, valid_size, - valid_buffer, valid_size, - NULL, valid_size, - valid_buffer, valid_size, &size_t_var, - valid_size ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_auth_encrypt_ext( &valid_ctx, - valid_buffer, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, - NULL, valid_size, &size_t_var, - valid_size ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_auth_encrypt_ext( &valid_ctx, - valid_buffer, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, NULL, - valid_size ) ); - - /* mbedtls_cipher_auth_decrypt_ext */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_auth_decrypt_ext( NULL, - valid_buffer, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, &size_t_var, - valid_size ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_auth_decrypt_ext( &valid_ctx, - NULL, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, &size_t_var, - valid_size ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_auth_decrypt_ext( &valid_ctx, - valid_buffer, valid_size, - NULL, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, &size_t_var, - valid_size ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_auth_decrypt_ext( &valid_ctx, - valid_buffer, valid_size, - valid_buffer, valid_size, - NULL, valid_size, - valid_buffer, valid_size, &size_t_var, - valid_size ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_auth_decrypt_ext( &valid_ctx, - valid_buffer, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, - NULL, valid_size, &size_t_var, - valid_size ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, - mbedtls_cipher_auth_decrypt_ext( &valid_ctx, - valid_buffer, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, - valid_buffer, valid_size, NULL, - valid_size ) ); -#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */ - - /* mbedtls_cipher_free() */ - TEST_VALID_PARAM( mbedtls_cipher_free( NULL ) ); exit: TEST_VALID_PARAM( mbedtls_cipher_free( &valid_ctx ) ); } diff --git a/tests/suites/test_suite_dhm.data b/tests/suites/test_suite_dhm.data index c4795b6d34..3b71c35694 100644 --- a/tests/suites/test_suite_dhm.data +++ b/tests/suites/test_suite_dhm.data @@ -1,6 +1,3 @@ -Diffie-Hellman parameter validation -dhm_invalid_params: - Diffie-Hellman full exchange #1 dhm_do_dhm:10:"23":10:"5":0 diff --git a/tests/suites/test_suite_dhm.function b/tests/suites/test_suite_dhm.function index 1726b9eb75..2d54e8189f 100644 --- a/tests/suites/test_suite_dhm.function +++ b/tests/suites/test_suite_dhm.function @@ -7,113 +7,6 @@ * END_DEPENDENCIES */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ -void dhm_invalid_params( ) -{ - mbedtls_dhm_context ctx; - unsigned char buf[42] = { 0 }; - unsigned char *buf_null = NULL; - mbedtls_mpi X; - size_t const buflen = sizeof( buf ); - size_t len; - - TEST_INVALID_PARAM( mbedtls_dhm_init( NULL ) ); - TEST_VALID_PARAM( mbedtls_dhm_free( NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_read_params( NULL, - (unsigned char**) &buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_read_params( &ctx, &buf_null, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_read_params( &ctx, NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_read_params( &ctx, - (unsigned char**) &buf, - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_make_params( NULL, buflen, - buf, &len, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_make_params( &ctx, buflen, - NULL, &len, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_make_params( &ctx, buflen, - buf, NULL, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_make_params( &ctx, buflen, - buf, &len, - NULL, - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_set_group( NULL, &X, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_set_group( &ctx, NULL, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_set_group( &ctx, &X, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_read_public( NULL, buf, buflen ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_read_public( &ctx, NULL, buflen ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_make_public( NULL, buflen, - buf, buflen, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_make_public( &ctx, buflen, - NULL, buflen, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_make_public( &ctx, buflen, - buf, buflen, - NULL, - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_calc_secret( NULL, buf, buflen, &len, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_calc_secret( &ctx, NULL, buflen, &len, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_calc_secret( &ctx, buf, buflen, NULL, - mbedtls_test_rnd_std_rand, - NULL ) ); - -#if defined(MBEDTLS_ASN1_PARSE_C) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_parse_dhm( NULL, buf, buflen ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_parse_dhm( &ctx, NULL, buflen ) ); - -#if defined(MBEDTLS_FS_IO) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_parse_dhmfile( NULL, "" ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA, - mbedtls_dhm_parse_dhmfile( &ctx, NULL ) ); -#endif /* MBEDTLS_FS_IO */ -#endif /* MBEDTLS_ASN1_PARSE_C */ - -exit: - return; -} -/* END_CASE */ - /* BEGIN_CASE */ void dhm_do_dhm( int radix_P, char *input_P, int radix_G, char *input_G, int result ) diff --git a/tests/suites/test_suite_ecdh.function b/tests/suites/test_suite_ecdh.function index 3ab96fa111..5fced62d42 100644 --- a/tests/suites/test_suite_ecdh.function +++ b/tests/suites/test_suite_ecdh.function @@ -53,131 +53,14 @@ void ecdh_valid_param( ) /* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ void ecdh_invalid_param( ) { - mbedtls_ecp_group grp; mbedtls_ecdh_context ctx; - mbedtls_mpi m; - mbedtls_ecp_point P; mbedtls_ecp_keypair kp; - size_t olen; - unsigned char buf[42] = { 0 }; - const unsigned char *buf_null = NULL; - size_t const buflen = sizeof( buf ); int invalid_side = 42; - mbedtls_ecp_group_id valid_grp = MBEDTLS_ECP_DP_SECP192R1; - TEST_INVALID_PARAM( mbedtls_ecdh_init( NULL ) ); - -#if defined(MBEDTLS_ECP_RESTARTABLE) - TEST_INVALID_PARAM( mbedtls_ecdh_enable_restart( NULL ) ); -#endif /* MBEDTLS_ECP_RESTARTABLE */ - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_gen_public( NULL, &m, &P, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_gen_public( &grp, NULL, &P, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_gen_public( &grp, &m, NULL, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_gen_public( &grp, &m, &P, - NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_compute_shared( NULL, &m, &P, &m, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_compute_shared( &grp, NULL, &P, &m, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_compute_shared( &grp, &m, NULL, &m, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_compute_shared( &grp, &m, &P, NULL, - mbedtls_test_rnd_std_rand, - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_setup( NULL, valid_grp ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_make_params( NULL, &olen, buf, buflen, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_make_params( &ctx, NULL, buf, buflen, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_make_params( &ctx, &olen, NULL, buflen, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_make_params( &ctx, &olen, buf, buflen, NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_read_params( NULL, - (const unsigned char**) &buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_read_params( &ctx, &buf_null, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_read_params( &ctx, NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_read_params( &ctx, - (const unsigned char**) &buf, - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_get_params( NULL, &kp, - MBEDTLS_ECDH_OURS ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_get_params( &ctx, NULL, - MBEDTLS_ECDH_OURS ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, mbedtls_ecdh_get_params( &ctx, &kp, invalid_side ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_make_public( NULL, &olen, buf, buflen, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_make_public( &ctx, NULL, buf, buflen, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_make_public( &ctx, &olen, NULL, buflen, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_make_public( &ctx, &olen, buf, buflen, NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_read_public( NULL, buf, buflen ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_read_public( &ctx, NULL, buflen ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_calc_secret( NULL, &olen, buf, buflen, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_calc_secret( &ctx, NULL, buf, buflen, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdh_calc_secret( &ctx, &olen, NULL, buflen, - mbedtls_test_rnd_std_rand, NULL ) ); - exit: return; } diff --git a/tests/suites/test_suite_ecdsa.data b/tests/suites/test_suite_ecdsa.data index e510c504eb..95efc73a31 100644 --- a/tests/suites/test_suite_ecdsa.data +++ b/tests/suites/test_suite_ecdsa.data @@ -1,6 +1,3 @@ -ECDSA Parameter validation -ecdsa_invalid_param: - ECDSA primitive hash zero #1 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED ecdsa_prim_zero:MBEDTLS_ECP_DP_SECP192R1 diff --git a/tests/suites/test_suite_ecdsa.function b/tests/suites/test_suite_ecdsa.function index 58cedc13c4..e066b14e99 100644 --- a/tests/suites/test_suite_ecdsa.function +++ b/tests/suites/test_suite_ecdsa.function @@ -7,203 +7,6 @@ * END_DEPENDENCIES */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ -void ecdsa_invalid_param( ) -{ - mbedtls_ecdsa_context ctx; - mbedtls_ecp_keypair key; - mbedtls_ecp_group grp; - mbedtls_ecp_group_id valid_group = MBEDTLS_ECP_DP_SECP192R1; - mbedtls_ecp_point P; - mbedtls_md_type_t valid_md = MBEDTLS_MD_SHA256; - mbedtls_mpi m; - size_t slen; - unsigned char buf[42] = { 0 }; - - TEST_INVALID_PARAM( mbedtls_ecdsa_init( NULL ) ); - TEST_VALID_PARAM( mbedtls_ecdsa_free( NULL ) ); - -#if defined(MBEDTLS_ECP_RESTARTABLE) - TEST_INVALID_PARAM( mbedtls_ecdsa_restart_init( NULL ) ); - TEST_VALID_PARAM( mbedtls_ecdsa_restart_free( NULL ) ); -#endif /* MBEDTLS_ECP_RESTARTABLE */ - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_sign( NULL, &m, &m, &m, - buf, sizeof( buf ), - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_sign( &grp, NULL, &m, &m, - buf, sizeof( buf ), - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_sign( &grp, &m, NULL, &m, - buf, sizeof( buf ), - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_sign( &grp, &m, &m, NULL, - buf, sizeof( buf ), - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_sign( &grp, &m, &m, &m, - NULL, sizeof( buf ), - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_sign( &grp, &m, &m, &m, - buf, sizeof( buf ), - NULL, NULL ) ); - -#if defined(MBEDTLS_ECDSA_DETERMINISTIC) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_sign_det_ext( NULL, &m, &m, &m, - buf, sizeof( buf ), - valid_md, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_sign_det_ext( &grp, NULL, &m, &m, - buf, sizeof( buf ), - valid_md, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_sign_det_ext( &grp, &m, NULL, &m, - buf, sizeof( buf ), - valid_md, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_sign_det_ext( &grp, &m, &m, NULL, - buf, sizeof( buf ), - valid_md, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_sign_det_ext( &grp, &m, &m, &m, - NULL, sizeof( buf ), - valid_md, - mbedtls_test_rnd_std_rand, - NULL ) ); -#endif /* MBEDTLS_ECDSA_DETERMINISTIC */ - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_verify( NULL, - buf, sizeof( buf ), - &P, &m, &m ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_verify( &grp, - NULL, sizeof( buf ), - &P, &m, &m ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_verify( &grp, - buf, sizeof( buf ), - NULL, &m, &m ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_verify( &grp, - buf, sizeof( buf ), - &P, NULL, &m ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_verify( &grp, - buf, sizeof( buf ), - &P, &m, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_write_signature( NULL, valid_md, buf, sizeof( buf ), - buf, &slen, mbedtls_test_rnd_std_rand, - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_write_signature( &ctx, valid_md, NULL, sizeof( buf ), - buf, &slen, mbedtls_test_rnd_std_rand, - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_write_signature( &ctx, valid_md, buf, sizeof( buf ), - NULL, &slen, mbedtls_test_rnd_std_rand, - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_write_signature( &ctx, valid_md, buf, sizeof( buf ), - buf, NULL, mbedtls_test_rnd_std_rand, - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_write_signature_restartable( NULL, valid_md, buf, - sizeof( buf ), buf, &slen, - mbedtls_test_rnd_std_rand, - NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_write_signature_restartable( &ctx, valid_md, NULL, - sizeof( buf ), buf, &slen, - mbedtls_test_rnd_std_rand, - NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_write_signature_restartable( &ctx, valid_md, buf, - sizeof( buf ), NULL, &slen, - mbedtls_test_rnd_std_rand, - NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_write_signature_restartable( &ctx, valid_md, buf, - sizeof( buf ), buf, NULL, - mbedtls_test_rnd_std_rand, - NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_read_signature( NULL, - buf, sizeof( buf ), - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_read_signature( &ctx, - NULL, sizeof( buf ), - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_read_signature( &ctx, - buf, sizeof( buf ), - NULL, sizeof( buf ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_read_signature_restartable( NULL, - buf, sizeof( buf ), - buf, sizeof( buf ), - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_read_signature_restartable( &ctx, - NULL, sizeof( buf ), - buf, sizeof( buf ), - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_read_signature_restartable( &ctx, - buf, sizeof( buf ), - NULL, sizeof( buf ), - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_genkey( NULL, valid_group, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_genkey( &ctx, valid_group, - NULL, NULL ) ); - - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_from_keypair( NULL, &key ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecdsa_from_keypair( &ctx, NULL ) ); - -exit: - return; -} -/* END_CASE */ - /* BEGIN_CASE */ void ecdsa_prim_zero( int id ) { diff --git a/tests/suites/test_suite_ecjpake.function b/tests/suites/test_suite_ecjpake.function index ab672a8dcb..2a6d8935ef 100644 --- a/tests/suites/test_suite_ecjpake.function +++ b/tests/suites/test_suite_ecjpake.function @@ -103,95 +103,17 @@ void ecjpake_invalid_param( ) { mbedtls_ecjpake_context ctx; unsigned char buf[42] = { 0 }; - size_t olen; size_t const len = sizeof( buf ); - mbedtls_ecjpake_role valid_role = MBEDTLS_ECJPAKE_SERVER; mbedtls_ecjpake_role invalid_role = (mbedtls_ecjpake_role) 42; mbedtls_md_type_t valid_md = MBEDTLS_MD_SHA256; mbedtls_ecp_group_id valid_group = MBEDTLS_ECP_DP_SECP256R1; - TEST_INVALID_PARAM( mbedtls_ecjpake_init( NULL ) ); - TEST_VALID_PARAM( mbedtls_ecjpake_free( NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_setup( NULL, - valid_role, - valid_md, - valid_group, - buf, len ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, mbedtls_ecjpake_setup( &ctx, invalid_role, valid_md, valid_group, buf, len ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_setup( &ctx, - valid_role, - valid_md, - valid_group, - NULL, len ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_check( NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_write_round_one( NULL, buf, len, &olen, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_write_round_one( &ctx, NULL, len, &olen, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_write_round_one( &ctx, buf, len, NULL, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_write_round_one( &ctx, buf, len, &olen, NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_write_round_two( NULL, buf, len, &olen, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_write_round_two( &ctx, NULL, len, &olen, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_write_round_two( &ctx, buf, len, NULL, - mbedtls_test_rnd_std_rand, NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_write_round_two( &ctx, buf, len, &olen, NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_read_round_one( NULL, - buf, len ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_read_round_one( &ctx, - NULL, len ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_read_round_two( NULL, - buf, len ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_read_round_two( &ctx, - NULL, len ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_derive_secret( NULL, buf, len, &olen, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_derive_secret( &ctx, NULL, len, &olen, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_derive_secret( &ctx, buf, len, NULL, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecjpake_derive_secret( &ctx, buf, len, &olen, NULL, NULL ) ); exit: return; diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index 6d23377f36..9b8ba8201e 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -42,327 +42,22 @@ exit: void ecp_invalid_param( ) { mbedtls_ecp_group grp; - mbedtls_ecp_keypair kp; mbedtls_ecp_point P; - mbedtls_mpi m; - const char *x = "deadbeef"; - int valid_fmt = MBEDTLS_ECP_PF_UNCOMPRESSED; int invalid_fmt = 42; size_t olen; unsigned char buf[42] = { 0 }; - const unsigned char *null_buf = NULL; - mbedtls_ecp_group_id valid_group = MBEDTLS_ECP_DP_SECP192R1; -#if defined(MBEDTLS_ECP_RESTARTABLE) - mbedtls_ecp_restart_ctx restart_ctx; -#endif /* MBEDTLS_ECP_RESTARTABLE */ - TEST_INVALID_PARAM( mbedtls_ecp_point_init( NULL ) ); - TEST_INVALID_PARAM( mbedtls_ecp_keypair_init( NULL ) ); - TEST_INVALID_PARAM( mbedtls_ecp_group_init( NULL ) ); - -#if defined(MBEDTLS_ECP_RESTARTABLE) - TEST_INVALID_PARAM( mbedtls_ecp_restart_init( NULL ) ); - TEST_INVALID_PARAM( mbedtls_ecp_check_budget( NULL, &restart_ctx, 42 ) ); -#endif /* MBEDTLS_ECP_RESTARTABLE */ - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_copy( NULL, &P ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_copy( &P, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_group_copy( NULL, &grp ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_group_copy( &grp, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_gen_privkey( NULL, - &m, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_gen_privkey( &grp, - NULL, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_gen_privkey( &grp, - &m, - NULL, - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_set_zero( NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_is_zero( NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_point_cmp( NULL, &P ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_point_cmp( &P, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_point_read_string( NULL, 2, - x, x ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_point_read_string( &P, 2, - NULL, x ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_point_read_string( &P, 2, - x, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_point_write_binary( NULL, &P, - valid_fmt, - &olen, - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_point_write_binary( &grp, NULL, - valid_fmt, - &olen, - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, mbedtls_ecp_point_write_binary( &grp, &P, invalid_fmt, &olen, buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_point_write_binary( &grp, &P, - valid_fmt, - NULL, - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_point_write_binary( &grp, &P, - valid_fmt, - &olen, - NULL, sizeof( buf ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_point_read_binary( NULL, &P, buf, - sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_point_read_binary( &grp, NULL, buf, - sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_point_read_binary( &grp, &P, NULL, - sizeof( buf ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_read_point( NULL, &P, - (const unsigned char **) &buf, - sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_read_point( &grp, NULL, - (const unsigned char **) &buf, - sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_read_point( &grp, &P, &null_buf, - sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_read_point( &grp, &P, NULL, - sizeof( buf ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_write_point( NULL, &P, - valid_fmt, - &olen, - buf, - sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_write_point( &grp, NULL, - valid_fmt, - &olen, - buf, - sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, mbedtls_ecp_tls_write_point( &grp, &P, invalid_fmt, &olen, buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_write_point( &grp, &P, - valid_fmt, - NULL, - buf, - sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_write_point( &grp, &P, - valid_fmt, - &olen, - NULL, - sizeof( buf ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_group_load( NULL, valid_group ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_read_group( NULL, - (const unsigned char **) &buf, - sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_read_group( &grp, NULL, - sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_read_group( &grp, &null_buf, - sizeof( buf ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_read_group_id( NULL, - (const unsigned char **) &buf, - sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_read_group_id( &valid_group, NULL, - sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_read_group_id( &valid_group, - &null_buf, - sizeof( buf ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_write_group( NULL, &olen, - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_write_group( &grp, NULL, - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_tls_write_group( &grp, &olen, - NULL, sizeof( buf ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_mul( NULL, &P, &m, &P, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_mul( &grp, NULL, &m, &P, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_mul( &grp, &P, NULL, &P, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_mul( &grp, &P, &m, NULL, - mbedtls_test_rnd_std_rand, - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_mul_restartable( NULL, &P, &m, &P, - mbedtls_test_rnd_std_rand, - NULL , NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_mul_restartable( &grp, NULL, &m, &P, - mbedtls_test_rnd_std_rand, - NULL , NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_mul_restartable( &grp, &P, NULL, &P, - mbedtls_test_rnd_std_rand, - NULL , NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_mul_restartable( &grp, &P, &m, NULL, - mbedtls_test_rnd_std_rand, - NULL , NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_muladd( NULL, &P, &m, &P, - &m, &P ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_muladd( &grp, NULL, &m, &P, - &m, &P ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_muladd( &grp, &P, NULL, &P, - &m, &P ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_muladd( &grp, &P, &m, NULL, - &m, &P ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_muladd( &grp, &P, &m, &P, - NULL, &P ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_muladd( &grp, &P, &m, &P, - &m, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_muladd_restartable( NULL, &P, &m, &P, - &m, &P, NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_muladd_restartable( &grp, NULL, &m, &P, - &m, &P, NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_muladd_restartable( &grp, &P, NULL, &P, - &m, &P, NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_muladd_restartable( &grp, &P, &m, NULL, - &m, &P, NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_muladd_restartable( &grp, &P, &m, &P, - NULL, &P, NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_muladd_restartable( &grp, &P, &m, &P, - &m, NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_check_pubkey( NULL, &P ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_check_pubkey( &grp, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_check_pub_priv( NULL, &kp ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_check_pub_priv( &kp, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_check_privkey( NULL, &m ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_check_privkey( &grp, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_gen_keypair_base( NULL, &P, &m, &P, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_gen_keypair_base( &grp, NULL, &m, &P, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_gen_keypair_base( &grp, &P, NULL, &P, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_gen_keypair_base( &grp, &P, &m, NULL, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_gen_keypair_base( &grp, &P, &m, &P, NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_gen_keypair( NULL, - &m, &P, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_gen_keypair( &grp, - NULL, &P, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_gen_keypair( &grp, - &m, NULL, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_gen_keypair( &grp, - &m, &P, - NULL, - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_gen_key( valid_group, NULL, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, - mbedtls_ecp_gen_key( valid_group, &kp, - NULL, NULL ) ); exit: return; diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index 9733eb2356..35691f725f 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function @@ -187,158 +187,15 @@ void gcm_invalid_param( ) mbedtls_gcm_context ctx; unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 }; mbedtls_cipher_id_t valid_cipher = MBEDTLS_CIPHER_ID_AES; - int valid_mode = MBEDTLS_GCM_ENCRYPT; - int valid_len = sizeof(valid_buffer); - int valid_bitlen = 128, invalid_bitlen = 1; - size_t olen; + int invalid_bitlen = 1; mbedtls_gcm_init( &ctx ); - /* mbedtls_gcm_init() */ - TEST_INVALID_PARAM( mbedtls_gcm_init( NULL ) ); - /* mbedtls_gcm_setkey */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_setkey( NULL, valid_cipher, valid_buffer, valid_bitlen ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_setkey( &ctx, valid_cipher, NULL, valid_bitlen ) ); - TEST_INVALID_PARAM_RET( + TEST_EQUAL( MBEDTLS_ERR_GCM_BAD_INPUT, mbedtls_gcm_setkey( &ctx, valid_cipher, valid_buffer, invalid_bitlen ) ); - /* mbedtls_gcm_crypt_and_tag() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_crypt_and_tag( NULL, valid_mode, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer, - valid_len, valid_buffer ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_crypt_and_tag( &ctx, valid_mode, valid_len, - NULL, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer, - valid_len, valid_buffer ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_crypt_and_tag( &ctx, valid_mode, valid_len, - valid_buffer, valid_len, - NULL, valid_len, - valid_buffer, valid_buffer, - valid_len, valid_buffer ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_crypt_and_tag( &ctx, valid_mode, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - NULL, valid_buffer, - valid_len, valid_buffer ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_crypt_and_tag( &ctx, valid_mode, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, NULL, - valid_len, valid_buffer ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_crypt_and_tag( &ctx, valid_mode, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer, - valid_len, NULL ) ); - - /* mbedtls_gcm_auth_decrypt() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_auth_decrypt( NULL, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_auth_decrypt( &ctx, valid_len, - NULL, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_auth_decrypt( &ctx, valid_len, - valid_buffer, valid_len, - NULL, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_buffer) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_auth_decrypt( &ctx, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - NULL, valid_len, - valid_buffer, valid_buffer) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_auth_decrypt( &ctx, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - NULL, valid_buffer) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_auth_decrypt( &ctx, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, valid_len, - valid_buffer, NULL) ); - - /* mbedtls_gcm_starts() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_starts( NULL, valid_mode, - valid_buffer, valid_len ) ); - - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_starts( &ctx, valid_mode, - NULL, valid_len ) ); - - /* mbedtls_gcm_update_ad() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_update_ad( &ctx, - NULL, valid_len ) ); - - /* mbedtls_gcm_update() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_update( NULL, valid_buffer, valid_len, - valid_buffer, valid_len, &olen ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_update( &ctx, NULL, valid_len, - valid_buffer, valid_len, &olen ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_update( &ctx, valid_buffer, valid_len, - NULL, valid_len, &olen ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_update( &ctx, valid_buffer, valid_len, - valid_buffer, valid_len, NULL ) ); - - /* mbedtls_gcm_finish() */ - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_finish( NULL, NULL, 0, valid_buffer, valid_len ) ); - TEST_INVALID_PARAM_RET( - MBEDTLS_ERR_GCM_BAD_INPUT, - mbedtls_gcm_finish( &ctx, NULL, 0, NULL, valid_len ) ); - exit: mbedtls_gcm_free( &ctx ); } diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data index 59fd7824bb..8e09ee5bd0 100644 --- a/tests/suites/test_suite_mpi.data +++ b/tests/suites/test_suite_mpi.data @@ -1,9 +1,6 @@ MPI - Valid parameters mpi_valid_param: -MPI - Invalid parameters -mpi_invalid_param: - Arguments with no value mpi_null: diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function index c5bb5a678a..8c20258c59 100644 --- a/tests/suites/test_suite_mpi.function +++ b/tests/suites/test_suite_mpi.function @@ -78,214 +78,6 @@ void mpi_valid_param( ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ -void mpi_invalid_param( ) -{ - mbedtls_mpi X; - const char *s_in = "00101000101010"; - char s_out[16] = { 0 }; - unsigned char u_out[16] = { 0 }; - unsigned char u_in[16] = { 0 }; - size_t olen; - mbedtls_mpi_uint mpi_uint; - - TEST_INVALID_PARAM( mbedtls_mpi_init( NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_grow( NULL, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_copy( NULL, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_copy( &X, NULL ) ); - - TEST_INVALID_PARAM( mbedtls_mpi_swap( NULL, &X ) ); - TEST_INVALID_PARAM( mbedtls_mpi_swap( &X, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_safe_cond_assign( NULL, &X, 0 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_safe_cond_assign( &X, NULL, 0 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_safe_cond_swap( NULL, &X, 0 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_safe_cond_swap( &X, NULL, 0 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_lset( NULL, 42 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_get_bit( NULL, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_set_bit( NULL, 42, 0 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_read_string( NULL, 2, s_in ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_read_string( &X, 2, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_write_string( NULL, 2, - s_out, sizeof( s_out ), - &olen ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_write_string( &X, 2, - NULL, sizeof( s_out ), - &olen ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_write_string( &X, 2, - s_out, sizeof( s_out ), - NULL ) ); - -#if defined(MBEDTLS_FS_IO) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_read_file( NULL, 2, stdin ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_read_file( &X, 2, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_write_file( "", NULL, 2, NULL ) ); -#endif /* MBEDTLS_FS_IO */ - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_read_binary( NULL, u_in, - sizeof( u_in ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_read_binary( &X, NULL, - sizeof( u_in ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_write_binary( NULL, u_out, - sizeof( u_out ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_write_binary( &X, NULL, - sizeof( u_out ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_shift_l( NULL, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_shift_r( NULL, 42 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_cmp_abs( NULL, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_cmp_abs( &X, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_cmp_mpi( NULL, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_cmp_mpi( &X, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_cmp_int( NULL, 42 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_add_abs( NULL, &X, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_add_abs( &X, NULL, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_add_abs( &X, &X, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_sub_abs( NULL, &X, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_sub_abs( &X, NULL, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_sub_abs( &X, &X, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_add_mpi( NULL, &X, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_add_mpi( &X, NULL, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_add_mpi( &X, &X, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_sub_mpi( NULL, &X, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_sub_mpi( &X, NULL, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_sub_mpi( &X, &X, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_add_int( NULL, &X, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_add_int( &X, NULL, 42 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_sub_int( NULL, &X, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_sub_int( &X, NULL, 42 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mul_mpi( NULL, &X, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mul_mpi( &X, NULL, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mul_mpi( &X, &X, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mul_int( NULL, &X, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mul_int( &X, NULL, 42 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_div_mpi( &X, &X, NULL, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_div_mpi( &X, &X, &X, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_div_int( &X, &X, NULL, 42 ) ); - - TEST_INVALID_PARAM_RET( 0, mbedtls_mpi_lsb( NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_mpi( NULL, &X, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_mpi( &X, NULL, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_mpi( &X, &X, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_int( NULL, &X, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_int( &mpi_uint, NULL, 42 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_exp_mod( NULL, &X, &X, &X, NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_exp_mod( &X, NULL, &X, &X, NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_exp_mod( &X, &X, NULL, &X, NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_exp_mod( &X, &X, &X, NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_fill_random( NULL, 42, - mbedtls_test_rnd_std_rand, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_fill_random( &X, 42, NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_gcd( NULL, &X, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_gcd( &X, NULL, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_gcd( &X, &X, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_inv_mod( NULL, &X, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_inv_mod( &X, NULL, &X ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_inv_mod( &X, &X, NULL ) ); - -exit: - return; -} -/* END_CASE */ - /* BEGIN_CASE */ void mpi_null( ) { diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 9ebdc7e5f2..5eb145ddac 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -1,6 +1,3 @@ -PK invalid parameters -invalid_parameters: - PK valid parameters valid_parameters: diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index ddef83604e..06e40d8144 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -323,275 +323,6 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ -void invalid_parameters( ) -{ - size_t len; - unsigned char *null_buf = NULL; - unsigned char buf[1]; - unsigned char *p = buf; - char str[1] = {0}; - mbedtls_pk_context pk; - mbedtls_md_type_t valid_md = MBEDTLS_MD_SHA256; - void *options = buf; - - (void) null_buf; - (void) p; - (void) str; - - mbedtls_pk_init( &pk ); - - TEST_INVALID_PARAM( mbedtls_pk_init( NULL ) ); - -#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) - TEST_INVALID_PARAM( mbedtls_pk_restart_init( NULL ) ); -#endif - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_setup( NULL, NULL ) ); - -#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_setup_rsa_alt( NULL, buf, - NULL, NULL, NULL ) ); -#endif - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_verify_restartable( NULL, - MBEDTLS_MD_NONE, - buf, sizeof( buf ), - buf, sizeof( buf ), - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_verify_restartable( &pk, - MBEDTLS_MD_NONE, - NULL, sizeof( buf ), - buf, sizeof( buf ), - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_verify_restartable( &pk, - valid_md, - NULL, 0, - buf, sizeof( buf ), - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_verify_restartable( &pk, - MBEDTLS_MD_NONE, - buf, sizeof( buf ), - NULL, sizeof( buf ), - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_verify( NULL, - MBEDTLS_MD_NONE, - buf, sizeof( buf ), - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_verify( &pk, - MBEDTLS_MD_NONE, - NULL, sizeof( buf ), - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_verify( &pk, - valid_md, - NULL, 0, - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_verify( &pk, - MBEDTLS_MD_NONE, - buf, sizeof( buf ), - NULL, sizeof( buf ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_verify_ext( MBEDTLS_PK_NONE, options, - NULL, - MBEDTLS_MD_NONE, - buf, sizeof( buf ), - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_verify_ext( MBEDTLS_PK_NONE, options, - &pk, - MBEDTLS_MD_NONE, - NULL, sizeof( buf ), - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_verify_ext( MBEDTLS_PK_NONE, options, - &pk, - valid_md, - NULL, 0, - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_verify_ext( MBEDTLS_PK_NONE, options, - &pk, - MBEDTLS_MD_NONE, - buf, sizeof( buf ), - NULL, sizeof( buf ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_sign_restartable( NULL, MBEDTLS_MD_NONE, buf, sizeof( buf ), - buf, &len, mbedtls_test_rnd_std_rand, - NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_sign_restartable( &pk, MBEDTLS_MD_NONE, NULL, sizeof( buf ), - buf, &len, mbedtls_test_rnd_std_rand, - NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_sign_restartable( &pk, valid_md, NULL, 0, buf, &len, - mbedtls_test_rnd_std_rand, NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_sign_restartable( &pk, MBEDTLS_MD_NONE, buf, sizeof( buf ), - NULL, &len, mbedtls_test_rnd_std_rand, - NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_sign( NULL, MBEDTLS_MD_NONE, buf, sizeof( buf ), - buf, &len, mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_sign( &pk, MBEDTLS_MD_NONE, NULL, sizeof( buf ), - buf, &len, mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_sign( &pk, valid_md, NULL, 0, buf, &len, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_sign( &pk, MBEDTLS_MD_NONE, buf, sizeof( buf ), NULL, &len, - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_decrypt( NULL, buf, sizeof( buf ), buf, &len, sizeof( buf ), - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_decrypt( &pk, NULL, sizeof( buf ), buf, &len, sizeof( buf ), - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_decrypt( &pk, buf, sizeof( buf ), NULL, &len, sizeof( buf ), - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_decrypt( &pk, buf, sizeof( buf ), buf, NULL, sizeof( buf ), - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_encrypt( NULL, buf, sizeof( buf ), buf, &len, sizeof( buf ), - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_encrypt( &pk, NULL, sizeof( buf ), buf, &len, sizeof( buf ), - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_encrypt( &pk, buf, sizeof( buf ), NULL, &len, sizeof( buf ), - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_encrypt( &pk, buf, sizeof( buf ), buf, NULL, sizeof( buf ), - mbedtls_test_rnd_std_rand, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_check_pair( NULL, &pk ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_check_pair( &pk, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_debug( NULL, NULL ) ); - -#if defined(MBEDTLS_PK_PARSE_C) -#if defined(MBEDTLS_FS_IO) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_load_file( NULL, &p, &len ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_load_file( str, NULL, &len ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_load_file( str, &p, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_parse_keyfile( NULL, str, NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_parse_keyfile( &pk, NULL, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_parse_public_keyfile( NULL, str ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_parse_public_keyfile( &pk, NULL ) ); -#endif - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_parse_subpubkey( NULL, buf, &pk ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_parse_subpubkey( &null_buf, buf, &pk ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_parse_subpubkey( &p, NULL, &pk ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_parse_subpubkey( &p, buf, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_parse_key( NULL, - buf, sizeof( buf ), - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_parse_key( &pk, - NULL, sizeof( buf ), - buf, sizeof( buf ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_parse_public_key( NULL, - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_parse_public_key( &pk, - NULL, sizeof( buf ) ) ); -#endif /* MBEDTLS_PK_PARSE_C */ - -#if defined(MBEDTLS_PK_WRITE_C) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_write_pubkey( NULL, p, &pk ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_write_pubkey( &null_buf, p, &pk ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_write_pubkey( &p, NULL, &pk ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_write_pubkey( &p, p, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_write_pubkey_der( NULL, - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_write_pubkey_der( &pk, - NULL, sizeof( buf ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_write_key_der( NULL, - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_write_key_der( &pk, - NULL, sizeof( buf ) ) ); - -#if defined(MBEDTLS_PEM_WRITE_C) - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_write_pubkey_pem( NULL, - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_write_pubkey_pem( &pk, - NULL, sizeof( buf ) ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_write_key_pem( NULL, - buf, sizeof( buf ) ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA, - mbedtls_pk_write_key_pem( &pk, - NULL, sizeof( buf ) ) ); -#endif /* MBEDTLS_PEM_WRITE_C */ - -#endif /* MBEDTLS_PK_WRITE_C */ -} -/* END_CASE */ - /* BEGIN_CASE */ void pk_utils( int type, int parameter, int bitlen, int len, char * name ) { diff --git a/tests/suites/test_suite_poly1305.data b/tests/suites/test_suite_poly1305.data index 13912e997a..eb9712c49e 100644 --- a/tests/suites/test_suite_poly1305.data +++ b/tests/suites/test_suite_poly1305.data @@ -34,9 +34,6 @@ mbedtls_poly1305:"01000000000000000400000000000000000000000000000000000000000000 Poly1305 RFC 7539 Test Vector #11 mbedtls_poly1305:"0100000000000000040000000000000000000000000000000000000000000000":"13000000000000000000000000000000":"e33594d7505e43b900000000000000003394d7505e4379cd010000000000000000000000000000000000000000000000" -Poly1305 Parameter validation -poly1305_bad_params: - Poly1305 Selftest depends_on:MBEDTLS_SELF_TEST poly1305_selftest: diff --git a/tests/suites/test_suite_poly1305.function b/tests/suites/test_suite_poly1305.function index 4b8995b609..59e927734c 100644 --- a/tests/suites/test_suite_poly1305.function +++ b/tests/suites/test_suite_poly1305.function @@ -79,45 +79,6 @@ void mbedtls_poly1305( data_t *key, data_t *expected_mac, data_t *src_str ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ -void poly1305_bad_params() -{ - unsigned char src[1]; - unsigned char key[32]; - unsigned char mac[16]; - size_t src_len = sizeof( src ); - mbedtls_poly1305_context ctx; - - TEST_INVALID_PARAM( mbedtls_poly1305_init( NULL ) ); - TEST_VALID_PARAM( mbedtls_poly1305_free( NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_poly1305_starts( NULL, key ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_poly1305_starts( &ctx, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_poly1305_update( NULL, src, 0 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_poly1305_update( &ctx, NULL, src_len ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_poly1305_finish( NULL, mac ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_poly1305_finish( &ctx, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_poly1305_mac( NULL, src, 0, mac ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_poly1305_mac( key, NULL, src_len, mac ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA, - mbedtls_poly1305_mac( key, src, 0, NULL ) ); - -exit: - return; -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ void poly1305_selftest() { diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index cc5a047790..2512ef24c6 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -1,6 +1,3 @@ -RSA parameter validation -rsa_invalid_param: - RSA init-free-free rsa_init_free:0 diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index efea5c169a..9cf2fcf348 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -17,352 +17,6 @@ * END_DEPENDENCIES */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ -void rsa_invalid_param( ) -{ - mbedtls_rsa_context ctx; - const int valid_padding = MBEDTLS_RSA_PKCS_V21; - const int invalid_padding = 42; - unsigned char buf[42] = { 0 }; - size_t olen; - - TEST_INVALID_PARAM( mbedtls_rsa_init( NULL, valid_padding, 0 ) ); - TEST_INVALID_PARAM( mbedtls_rsa_init( &ctx, invalid_padding, 0 ) ); - TEST_VALID_PARAM( mbedtls_rsa_free( NULL ) ); - - /* No more variants because only the first argument must be non-NULL. */ - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_import( NULL, NULL, NULL, - NULL, NULL, NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_import_raw( NULL, - NULL, 0, - NULL, 0, - NULL, 0, - NULL, 0, - NULL, 0 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_complete( NULL ) ); - - /* No more variants because only the first argument must be non-NULL. */ - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_export( NULL, NULL, NULL, - NULL, NULL, NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_export_raw( NULL, - NULL, 0, - NULL, 0, - NULL, 0, - NULL, 0, - NULL, 0 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_export_crt( NULL, NULL, NULL, NULL ) ); - - TEST_INVALID_PARAM( mbedtls_rsa_set_padding( NULL, - valid_padding, 0 ) ); - TEST_INVALID_PARAM( mbedtls_rsa_set_padding( &ctx, - invalid_padding, 0 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_gen_key( NULL, - mbedtls_test_rnd_std_rand, - NULL, 0, 0 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_gen_key( &ctx, NULL, - NULL, 0, 0 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_check_pubkey( NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_check_privkey( NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_check_pub_priv( NULL, &ctx ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_check_pub_priv( &ctx, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_public( NULL, buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_public( &ctx, NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_public( &ctx, buf, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_private( NULL, NULL, NULL, - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_private( &ctx, NULL, NULL, - NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_private( &ctx, NULL, NULL, - buf, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_encrypt( NULL, NULL, NULL, - sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_encrypt( &ctx, NULL, NULL, - sizeof( buf ), NULL, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_encrypt( &ctx, NULL, NULL, - sizeof( buf ), buf, - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_pkcs1_v15_encrypt( NULL, NULL, - NULL, sizeof( buf ), - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx, NULL, - NULL, sizeof( buf ), - NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx, NULL, - NULL, sizeof( buf ), - buf, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_oaep_encrypt( NULL, NULL, NULL, - buf, sizeof( buf ), - sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_oaep_encrypt( &ctx, NULL, NULL, - NULL, sizeof( buf ), - sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_oaep_encrypt( &ctx, NULL, NULL, - buf, sizeof( buf ), - sizeof( buf ), NULL, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_oaep_encrypt( &ctx, NULL, NULL, - buf, sizeof( buf ), - sizeof( buf ), buf, - NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_decrypt( NULL, NULL, NULL, - &olen, - buf, buf, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_decrypt( &ctx, NULL, NULL, - NULL, - buf, buf, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_decrypt( &ctx, NULL, NULL, - &olen, - NULL, buf, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_decrypt( &ctx, NULL, NULL, - &olen, - buf, NULL, 42 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_pkcs1_v15_decrypt( NULL, NULL, - NULL, &olen, - buf, buf, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_pkcs1_v15_decrypt( &ctx, NULL, - NULL, NULL, - buf, buf, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_pkcs1_v15_decrypt( &ctx, NULL, - NULL, &olen, - NULL, buf, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_pkcs1_v15_decrypt( &ctx, NULL, - NULL, &olen, - buf, NULL, 42 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_oaep_decrypt( NULL, NULL, NULL, - buf, sizeof( buf ), - &olen, - buf, buf, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_oaep_decrypt( &ctx, NULL, NULL, - NULL, sizeof( buf ), - NULL, - buf, buf, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_oaep_decrypt( &ctx, NULL, NULL, - buf, sizeof( buf ), - &olen, - NULL, buf, 42 ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_oaep_decrypt( &ctx, NULL, NULL, - buf, sizeof( buf ), - &olen, - buf, NULL, 42 ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_sign( NULL, NULL, NULL, - 0, sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_sign( &ctx, NULL, NULL, - 0, sizeof( buf ), NULL, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_sign( &ctx, NULL, NULL, - 0, sizeof( buf ), buf, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_sign( &ctx, NULL, NULL, - MBEDTLS_MD_SHA1, - 0, NULL, - buf ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pkcs1_v15_sign( NULL, NULL, NULL, - 0, sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pkcs1_v15_sign( &ctx, NULL, NULL, - 0, sizeof( buf ), NULL, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pkcs1_v15_sign( &ctx, NULL, NULL, - 0, sizeof( buf ), buf, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pkcs1_v15_sign( &ctx, NULL, NULL, - MBEDTLS_MD_SHA1, - 0, NULL, - buf ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_sign( NULL, NULL, NULL, - 0, sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_sign( &ctx, NULL, NULL, - 0, sizeof( buf ), NULL, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_sign( &ctx, NULL, NULL, - 0, sizeof( buf ), buf, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_sign( &ctx, NULL, NULL, - MBEDTLS_MD_SHA1, - 0, NULL, - buf ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_sign_ext( NULL, NULL, NULL, - 0, sizeof( buf ), buf, - MBEDTLS_RSA_SALT_LEN_ANY, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_sign_ext( &ctx, NULL, NULL, - 0, sizeof( buf ), NULL, - MBEDTLS_RSA_SALT_LEN_ANY, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_sign_ext( &ctx, NULL, NULL, - 0, sizeof( buf ), buf, - MBEDTLS_RSA_SALT_LEN_ANY, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_sign_ext( &ctx, NULL, NULL, - MBEDTLS_MD_SHA1, - 0, NULL, - MBEDTLS_RSA_SALT_LEN_ANY, - buf ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_verify( NULL, - 0, sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_verify( &ctx, - 0, sizeof( buf ), NULL, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_verify( &ctx, - 0, sizeof( buf ), buf, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_verify( &ctx, - MBEDTLS_MD_SHA1, 0, NULL, - buf ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pkcs1_v15_verify( NULL, - 0, sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, - 0, sizeof( buf ), - NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, - 0, sizeof( buf ), buf, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, - MBEDTLS_MD_SHA1, - 0, NULL, - buf ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify( NULL, - 0, sizeof( buf ), - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify( &ctx, - 0, sizeof( buf ), - NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify( &ctx, - 0, sizeof( buf ), - buf, NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify( &ctx, - MBEDTLS_MD_SHA1, - 0, NULL, - buf ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify_ext( NULL, - 0, sizeof( buf ), - buf, - 0, 0, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify_ext( &ctx, - 0, sizeof( buf ), - NULL, 0, 0, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify_ext( &ctx, - 0, sizeof( buf ), - buf, 0, 0, - NULL ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify_ext( &ctx, - MBEDTLS_MD_SHA1, - 0, NULL, - 0, 0, - buf ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_copy( NULL, &ctx ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_copy( &ctx, NULL ) ); - -exit: - return; -} -/* END_CASE */ - /* BEGIN_CASE */ void rsa_init_free( int reinit ) { From cc7074128a437cbca66dcc0f710c764d0021d0cd Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Fri, 14 May 2021 15:08:04 +0200 Subject: [PATCH 022/131] Remove MBEDTLS_CHECK_PARAMS option Signed-off-by: TRodziewicz --- include/mbedtls/check_config.h | 4 ++ include/mbedtls/config.h | 102 --------------------------- include/mbedtls/platform_util.h | 68 ------------------ library/psa_crypto.c | 3 - library/psa_crypto_slot_management.c | 11 --- scripts/generate_query_config.pl | 1 - 6 files changed, 4 insertions(+), 185 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index ae23602a07..5a39cb3a70 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -836,6 +836,10 @@ #error "MBEDTLS_SSL_PROTO_TLS1_1 (TLS v1.1 support) was removed in Mbed TLS 3.0. See https://github.com/ARMmbed/mbedtls/issues/4286" #endif +#if defined(MBEDTLS_CHECK_PARAMS) //no-check-names +#error "MBEDTLS_CHECK_PARAMS was removed in Mbed TLS 3.0. See https://github.com/ARMmbed/mbedtls/issues/4313" +#endif + /* * Avoid warning from -pedantic. This is a convenient place for this * workaround since this is included by every single file before the diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 10140915e3..4669273499 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -255,72 +255,6 @@ */ //#define MBEDTLS_DEPRECATED_REMOVED -/** - * \def MBEDTLS_CHECK_PARAMS - * - * This configuration option controls whether the library validates more of - * the parameters passed to it. - * - * When this flag is not defined, the library only attempts to validate an - * input parameter if: (1) they may come from the outside world (such as the - * network, the filesystem, etc.) or (2) not validating them could result in - * internal memory errors such as overflowing a buffer controlled by the - * library. On the other hand, it doesn't attempt to validate parameters whose - * values are fully controlled by the application (such as pointers). - * - * When this flag is defined, the library additionally attempts to validate - * parameters that are fully controlled by the application, and should always - * be valid if the application code is fully correct and trusted. - * - * For example, when a function accepts as input a pointer to a buffer that may - * contain untrusted data, and its documentation mentions that this pointer - * must not be NULL: - * - The pointer is checked to be non-NULL only if this option is enabled. - * - The content of the buffer is always validated. - * - * When this flag is defined, if a library function receives a parameter that - * is invalid: - * 1. The function will invoke the macro MBEDTLS_PARAM_FAILED(). - * 2. If MBEDTLS_PARAM_FAILED() did not terminate the program, the function - * will immediately return. If the function returns an Mbed TLS error code, - * the error code in this case is MBEDTLS_ERR_xxx_BAD_INPUT_DATA. - * - * When defining this flag, you also need to arrange a definition for - * MBEDTLS_PARAM_FAILED(). You can do this by any of the following methods: - * - By default, the library defines MBEDTLS_PARAM_FAILED() to call a - * function mbedtls_param_failed(), but the library does not define this - * function. If you do not make any other arrangements, you must provide - * the function mbedtls_param_failed() in your application. - * See `platform_util.h` for its prototype. - * - If you enable the macro #MBEDTLS_CHECK_PARAMS_ASSERT, then the - * library defines MBEDTLS_PARAM_FAILED(\c cond) to be `assert(cond)`. - * You can still supply an alternative definition of - * MBEDTLS_PARAM_FAILED(), which may call `assert`. - * - If you define a macro MBEDTLS_PARAM_FAILED() before including `config.h` - * or you uncomment the definition of MBEDTLS_PARAM_FAILED() in `config.h`, - * the library will call the macro that you defined and will not supply - * its own version. Note that if MBEDTLS_PARAM_FAILED() calls `assert`, - * you need to enable #MBEDTLS_CHECK_PARAMS_ASSERT so that library source - * files include ``. - * - * Uncomment to enable validation of application-controlled parameters. - */ -//#define MBEDTLS_CHECK_PARAMS - -/** - * \def MBEDTLS_CHECK_PARAMS_ASSERT - * - * Allow MBEDTLS_PARAM_FAILED() to call `assert`, and make it default to - * `assert`. This macro is only used if #MBEDTLS_CHECK_PARAMS is defined. - * - * If this macro is not defined, then MBEDTLS_PARAM_FAILED() defaults to - * calling a function mbedtls_param_failed(). See the documentation of - * #MBEDTLS_CHECK_PARAMS for details. - * - * Uncomment to allow MBEDTLS_PARAM_FAILED() to call `assert`. - */ -//#define MBEDTLS_CHECK_PARAMS_ASSERT - /* \} name SECTION: System support */ /** @@ -3385,42 +3319,6 @@ //#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */ //#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */ -/** - * \brief This macro is invoked by the library when an invalid parameter - * is detected that is only checked with #MBEDTLS_CHECK_PARAMS - * (see the documentation of that option for context). - * - * When you leave this undefined here, the library provides - * a default definition. If the macro #MBEDTLS_CHECK_PARAMS_ASSERT - * is defined, the default definition is `assert(cond)`, - * otherwise the default definition calls a function - * mbedtls_param_failed(). This function is declared in - * `platform_util.h` for the benefit of the library, but - * you need to define in your application. - * - * When you define this here, this replaces the default - * definition in platform_util.h (which no longer declares the - * function mbedtls_param_failed()) and it is your responsibility - * to make sure this macro expands to something suitable (in - * particular, that all the necessary declarations are visible - * from within the library - you can ensure that by providing - * them in this file next to the macro definition). - * If you define this macro to call `assert`, also define - * #MBEDTLS_CHECK_PARAMS_ASSERT so that library source files - * include ``. - * - * Note that you may define this macro to expand to nothing, in - * which case you don't have to worry about declarations or - * definitions. However, you will then be notified about invalid - * parameters only in non-void functions, and void function will - * just silently return early on invalid parameters, which - * partially negates the benefits of enabling - * #MBEDTLS_CHECK_PARAMS in the first place, so is discouraged. - * - * \param cond The expression that should evaluate to true, but doesn't. - */ -//#define MBEDTLS_PARAM_FAILED( cond ) assert( cond ) - /* PSA options */ /** * Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index fbc2a0d1c0..6d9cfecfa8 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -39,78 +39,10 @@ extern "C" { #endif -#if defined(MBEDTLS_CHECK_PARAMS) - -#if defined(MBEDTLS_CHECK_PARAMS_ASSERT) -/* Allow the user to define MBEDTLS_PARAM_FAILED to something like assert - * (which is what our config.h suggests). */ -#include -#endif /* MBEDTLS_CHECK_PARAMS_ASSERT */ - -#if defined(MBEDTLS_PARAM_FAILED) -/** An alternative definition of MBEDTLS_PARAM_FAILED has been set in config.h. - * - * This flag can be used to check whether it is safe to assume that - * MBEDTLS_PARAM_FAILED() will expand to a call to mbedtls_param_failed(). - */ -#define MBEDTLS_PARAM_FAILED_ALT - -#elif defined(MBEDTLS_CHECK_PARAMS_ASSERT) -#define MBEDTLS_PARAM_FAILED( cond ) assert( cond ) -#define MBEDTLS_PARAM_FAILED_ALT - -#else /* MBEDTLS_PARAM_FAILED */ -#define MBEDTLS_PARAM_FAILED( cond ) \ - mbedtls_param_failed( #cond, __FILE__, __LINE__ ) - -/** - * \brief User supplied callback function for parameter validation failure. - * See #MBEDTLS_CHECK_PARAMS for context. - * - * This function will be called unless an alternative treatement - * is defined through the #MBEDTLS_PARAM_FAILED macro. - * - * This function can return, and the operation will be aborted, or - * alternatively, through use of setjmp()/longjmp() can resume - * execution in the application code. - * - * \param failure_condition The assertion that didn't hold. - * \param file The file where the assertion failed. - * \param line The line in the file where the assertion failed. - */ -void mbedtls_param_failed( const char *failure_condition, - const char *file, - int line ); -#endif /* MBEDTLS_PARAM_FAILED */ - -/* Internal macro meant to be called only from within the library. */ -#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) \ - do { \ - if( !(cond) ) \ - { \ - MBEDTLS_PARAM_FAILED( cond ); \ - return( ret ); \ - } \ - } while( 0 ) - -/* Internal macro meant to be called only from within the library. */ -#define MBEDTLS_INTERNAL_VALIDATE( cond ) \ - do { \ - if( !(cond) ) \ - { \ - MBEDTLS_PARAM_FAILED( cond ); \ - return; \ - } \ - } while( 0 ) - -#else /* MBEDTLS_CHECK_PARAMS */ - /* Internal macros meant to be called only from within the library. */ #define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) #define MBEDTLS_INTERNAL_VALIDATE( cond ) do { } while( 0 ) -#endif /* MBEDTLS_CHECK_PARAMS */ - /* Internal helper macros for deprecating API constants. */ #if !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_DEPRECATED_WARNING) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 3fe2a883bc..552750ce39 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1028,9 +1028,6 @@ psa_status_t psa_wipe_key_slot( psa_key_slot_t *slot ) */ if( slot->lock_count != 1 ) { -#ifdef MBEDTLS_CHECK_PARAMS - MBEDTLS_PARAM_FAILED( slot->lock_count == 1 ); -#endif status = PSA_ERROR_CORRUPTION_DETECTED; } diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index 0b1a3c1661..4cf32db2b1 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -409,17 +409,6 @@ psa_status_t psa_unlock_key_slot( psa_key_slot_t *slot ) return( PSA_SUCCESS ); } - /* - * As the return error code may not be handled in case of multiple errors, - * do our best to report if the lock counter is equal to zero: if - * available call MBEDTLS_PARAM_FAILED that may terminate execution (if - * called as part of the execution of a unit test suite this will stop the - * test suite execution). - */ -#ifdef MBEDTLS_CHECK_PARAMS - MBEDTLS_PARAM_FAILED( slot->lock_count > 0 ); -#endif - return( PSA_ERROR_CORRUPTION_DETECTED ); } diff --git a/scripts/generate_query_config.pl b/scripts/generate_query_config.pl index 8c8c1880e2..7276049822 100755 --- a/scripts/generate_query_config.pl +++ b/scripts/generate_query_config.pl @@ -50,7 +50,6 @@ unless( -f $config_file && -f $query_config_format_file ) { # throw errors. my @excluded = qw( MBEDTLS_SSL_CIPHERSUITES -MBEDTLS_PARAM_FAILED ); my $excluded_re = join '|', @excluded; From caf2ae04b885551ddc83e0ec4905fc012694b9fc Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Tue, 18 May 2021 12:49:59 +0200 Subject: [PATCH 023/131] ChangeLog and migration guide added. Signed-off-by: TRodziewicz --- ChangeLog.d/issue4313.txt | 25 ++++++++++ .../remove_mbedtls_check_params_option.md | 49 +++++++++++++++++++ 2 files changed, 74 insertions(+) create mode 100644 ChangeLog.d/issue4313.txt create mode 100644 docs/3.0-migration-guide.d/remove_mbedtls_check_params_option.md diff --git a/ChangeLog.d/issue4313.txt b/ChangeLog.d/issue4313.txt new file mode 100644 index 0000000000..026a190bd5 --- /dev/null +++ b/ChangeLog.d/issue4313.txt @@ -0,0 +1,25 @@ +Removals + * Remove the following macros: MBEDTLS_CHECK_PARAMS, + MBEDTLS_CHECK_PARAMS_ASSERT, MBEDTLS_PARAM_FAILED, + MBEDTLS_PARAM_FAILED_ALT, TEST_INVALID_PARAM, TEST_INVALID_PARAM_RET, + the following macros have been inactivated MBEDTLS_INTERNAL_VALIDATE_RET + and MBEDTLS_INTERNAL_VALIDATE, structures: param_failed_ctx_t, + mbedtls_test_param_failed_location_record_t, functions: + mbedtls_test_param_failed_get_location_record(), + mbedtls_test_param_failed_expect_call(), + mbedtls_test_param_failed_check_expected_call(), + mbedtls_test_param_failed_get_state_buf(), + mbedtls_test_param_failed_reset_state(), + mbedtls_param_failed(). Remove the following functions from all.sh: + component_test_check_params_functionality(), + component_test_check_params_without_platform(), + component_test_check_params_silent(). + Remove the following test functions from test_suite_*.function files: + aes_check_params(), aria_invalid_param(), blowfish_invalid_param(), + camellia_invalid_param(), ccm_invalid_param(), chacha20_bad_params(), + chachapoly_bad_params(), cipher_invalid_param_conditional(), + dhm_invalid_params(), ecdh_invalid_param(), ecdsa_invalid_param(), + ecjpake_invalid_param(), ecp_invalid_param(), gcm_invalid_param(), + mpi_invalid_param(), invalid_parameters() (pk), poly1305_bad_params(), + rsa_invalid_param(), sha1_invalid_param(), sha256_invalid_param(), + sha512_invalid_param(). Fixes #4313. diff --git a/docs/3.0-migration-guide.d/remove_mbedtls_check_params_option.md b/docs/3.0-migration-guide.d/remove_mbedtls_check_params_option.md new file mode 100644 index 0000000000..146b1c7592 --- /dev/null +++ b/docs/3.0-migration-guide.d/remove_mbedtls_check_params_option.md @@ -0,0 +1,49 @@ +Remove MBEDTLS_CHECK_PARAMS option +---------------------------------- + +This change affects the way of how parameters are validated. + +The option `MBEDTLS_CHECK_PARAMS` (disabled by default) enables certain kinds of +“parameter validation”. It covers two kinds of validations: + +- In some functions that require a valid pointer, “parameter validation” checks +that the pointer is non-null. With the feature disabled, a null pointer is not +treated differently from any other invalid pointer, and typically leads to a +runtime crash. 90% of the uses of the feature are of this kind. +- In some functions that take an enum-like argument, “parameter validation” +checks that the value is a valid one. With the feature disabled, an invalid +value causes a silent default to one of the valid values. + +The default reaction to a failed check is to call a function mbedtls_param_failed +which the application must provide. If this function returns, its caller returns +an error `MBEDTLS_ERR_xxx_BAD_INPUT_DATA`. + +This feature is only used in some classic (non-PSA) cryptography modules. It is +not used in X.509, TLS or in PSA crypto, and it has not been implemented in all +classic crypto modules. + +Removal of `MBEDTLS_CHECK_PARAMS` and all dependent features means changing +code that does something like this: +``` +#if MBEDTLS_CHECK_PARAMS +#define VALIDATE(cond) do {if(cond) return BAD_INPUT_DATA;} while (0) +#else +#define VALIDATE(cond) do {} while (0) +#endif +... +VALIDATE(coin == HEADS || coin == TAILS); +VALIDATE(data != NULL); +if (coin == HEADS) heads(); +else tails(); +``` +to something like this: +``` +if (coin == HEADS) heads(); +else if (coin == TAILS) tails(); +else return BAD_INPUT_DATA; +``` + +Validation of enum-like values is somewhat useful, but not extremely important, +because the parameters concerned are usually constants in applications. + +For more information see issue #4313. From 062f353804db3faa67f49cc0f5b8bf10beba3a06 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Tue, 25 May 2021 15:15:57 +0200 Subject: [PATCH 024/131] Changes after code review Signed-off-by: TRodziewicz --- ChangeLog.d/issue4313.txt | 23 +--- .../remove_mbedtls_check_params_option.md | 40 ++----- library/psa_crypto.c | 5 +- tests/include/test/macros.h | 8 -- tests/suites/test_suite_aes.function | 5 +- tests/suites/test_suite_aria.function | 2 +- tests/suites/test_suite_blowfish.function | 2 +- tests/suites/test_suite_camellia.function | 2 +- tests/suites/test_suite_cipher.function | 2 +- tests/suites/test_suite_ecdh.function | 2 +- tests/suites/test_suite_ecjpake.function | 2 +- tests/suites/test_suite_ecp.function | 2 +- tests/suites/test_suite_gcm.function | 2 +- tests/suites/test_suite_shax.data | 3 - tests/suites/test_suite_shax.function | 108 +----------------- 15 files changed, 29 insertions(+), 179 deletions(-) diff --git a/ChangeLog.d/issue4313.txt b/ChangeLog.d/issue4313.txt index 026a190bd5..1fb61234be 100644 --- a/ChangeLog.d/issue4313.txt +++ b/ChangeLog.d/issue4313.txt @@ -1,25 +1,4 @@ Removals * Remove the following macros: MBEDTLS_CHECK_PARAMS, MBEDTLS_CHECK_PARAMS_ASSERT, MBEDTLS_PARAM_FAILED, - MBEDTLS_PARAM_FAILED_ALT, TEST_INVALID_PARAM, TEST_INVALID_PARAM_RET, - the following macros have been inactivated MBEDTLS_INTERNAL_VALIDATE_RET - and MBEDTLS_INTERNAL_VALIDATE, structures: param_failed_ctx_t, - mbedtls_test_param_failed_location_record_t, functions: - mbedtls_test_param_failed_get_location_record(), - mbedtls_test_param_failed_expect_call(), - mbedtls_test_param_failed_check_expected_call(), - mbedtls_test_param_failed_get_state_buf(), - mbedtls_test_param_failed_reset_state(), - mbedtls_param_failed(). Remove the following functions from all.sh: - component_test_check_params_functionality(), - component_test_check_params_without_platform(), - component_test_check_params_silent(). - Remove the following test functions from test_suite_*.function files: - aes_check_params(), aria_invalid_param(), blowfish_invalid_param(), - camellia_invalid_param(), ccm_invalid_param(), chacha20_bad_params(), - chachapoly_bad_params(), cipher_invalid_param_conditional(), - dhm_invalid_params(), ecdh_invalid_param(), ecdsa_invalid_param(), - ecjpake_invalid_param(), ecp_invalid_param(), gcm_invalid_param(), - mpi_invalid_param(), invalid_parameters() (pk), poly1305_bad_params(), - rsa_invalid_param(), sha1_invalid_param(), sha256_invalid_param(), - sha512_invalid_param(). Fixes #4313. + MBEDTLS_PARAM_FAILED_ALT. Fixes #4313. diff --git a/docs/3.0-migration-guide.d/remove_mbedtls_check_params_option.md b/docs/3.0-migration-guide.d/remove_mbedtls_check_params_option.md index 146b1c7592..6f43aa37a8 100644 --- a/docs/3.0-migration-guide.d/remove_mbedtls_check_params_option.md +++ b/docs/3.0-migration-guide.d/remove_mbedtls_check_params_option.md @@ -1,10 +1,11 @@ Remove MBEDTLS_CHECK_PARAMS option ---------------------------------- -This change affects the way of how parameters are validated. +This change does not affect users who use the default configuration; it only +affects users who enabled that option. -The option `MBEDTLS_CHECK_PARAMS` (disabled by default) enables certain kinds of -“parameter validation”. It covers two kinds of validations: +The option `MBEDTLS_CHECK_PARAMS` (disabled by default) enabled certain kinds +of “parameter validation”. It covered two kinds of validations: - In some functions that require a valid pointer, “parameter validation” checks that the pointer is non-null. With the feature disabled, a null pointer is not @@ -14,34 +15,17 @@ runtime crash. 90% of the uses of the feature are of this kind. checks that the value is a valid one. With the feature disabled, an invalid value causes a silent default to one of the valid values. -The default reaction to a failed check is to call a function mbedtls_param_failed -which the application must provide. If this function returns, its caller returns -an error `MBEDTLS_ERR_xxx_BAD_INPUT_DATA`. +The default reaction to a failed check was to call a function +`mbedtls_param_failed()` which the application had to provide. If this function +returned, its caller returned an error `MBEDTLS_ERR_xxx_BAD_INPUT_DATA`. -This feature is only used in some classic (non-PSA) cryptography modules. It is -not used in X.509, TLS or in PSA crypto, and it has not been implemented in all +This feature was only used in some classic (non-PSA) cryptography modules. It was +not used in X.509, TLS or in PSA crypto, and it was not implemented in all classic crypto modules. -Removal of `MBEDTLS_CHECK_PARAMS` and all dependent features means changing -code that does something like this: -``` -#if MBEDTLS_CHECK_PARAMS -#define VALIDATE(cond) do {if(cond) return BAD_INPUT_DATA;} while (0) -#else -#define VALIDATE(cond) do {} while (0) -#endif -... -VALIDATE(coin == HEADS || coin == TAILS); -VALIDATE(data != NULL); -if (coin == HEADS) heads(); -else tails(); -``` -to something like this: -``` -if (coin == HEADS) heads(); -else if (coin == TAILS) tails(); -else return BAD_INPUT_DATA; -``` +This feature has been removed. The library no longer checks for NULL pointers; +checks for enum-like arguments will be kept or re-introduced on a case-by-case +basis, but their presence will no longer be dependent on a compile-time option. Validation of enum-like values is somewhat useful, but not extremely important, because the parameters concerned are usually constants in applications. diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 552750ce39..c3dc6e7549 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1021,10 +1021,7 @@ psa_status_t psa_wipe_key_slot( psa_key_slot_t *slot ) /* * As the return error code may not be handled in case of multiple errors, - * do our best to report an unexpected lock counter: if available - * call MBEDTLS_PARAM_FAILED that may terminate execution (if called as - * part of the execution of a test suite this will stop the test suite - * execution). + * do our best to report an unexpected lock counter. */ if( slot->lock_count != 1 ) { diff --git a/tests/include/test/macros.h b/tests/include/test/macros.h index cad39aacaa..1c0e2bdd69 100644 --- a/tests/include/test/macros.h +++ b/tests/include/test/macros.h @@ -177,14 +177,6 @@ } \ } while( 0 ) -#if defined(MBEDTLS_CHECK_PARAMS) && !defined(MBEDTLS_PARAM_FAILED_ALT) -#define TEST_INVALID_PARAM_RET( PARAM_ERR_VALUE, TEST ) \ - do { if( ( TEST ) != ( PARAM_ERR_VALUE ) ) goto exit; } while( 0 ) - -#define TEST_INVALID_PARAM( TEST ) \ - do { TEST; } while( 0 ) -#endif /* MBEDTLS_CHECK_PARAMS && !MBEDTLS_PARAM_FAILED_ALT */ - /** * \brief This macro tests the statement passed to it as a test step or * individual test in a test case. The macro assumes the test will not fail. diff --git a/tests/suites/test_suite_aes.function b/tests/suites/test_suite_aes.function index a740391035..fe4dd3e820 100644 --- a/tests/suites/test_suite_aes.function +++ b/tests/suites/test_suite_aes.function @@ -206,9 +206,6 @@ void aes_crypt_xts_size( int size, int retval ) mbedtls_aes_xts_init( &ctx ); memset( data_unit, 0x00, sizeof( data_unit ) ); - - /* Valid pointers are passed for builds with MBEDTLS_CHECK_PARAMS, as - * otherwise we wouldn't get to the size check we're interested in. */ TEST_ASSERT( mbedtls_aes_crypt_xts( &ctx, MBEDTLS_AES_ENCRYPT, length, data_unit, src, output ) == retval ); } /* END_CASE */ @@ -359,7 +356,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ +/* BEGIN_CASE depends_on:NOT_DEFINED */ void aes_invalid_mode( ) { mbedtls_aes_context aes_ctx; diff --git a/tests/suites/test_suite_aria.function b/tests/suites/test_suite_aria.function index b24e4984ed..514706455a 100644 --- a/tests/suites/test_suite_aria.function +++ b/tests/suites/test_suite_aria.function @@ -23,7 +23,7 @@ void aria_valid_param( ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ +/* BEGIN_CASE depends_on:NOT_DEFINED */ void aria_invalid_param( ) { mbedtls_aria_context ctx; diff --git a/tests/suites/test_suite_blowfish.function b/tests/suites/test_suite_blowfish.function index 5681a9e945..fdecfb6f92 100644 --- a/tests/suites/test_suite_blowfish.function +++ b/tests/suites/test_suite_blowfish.function @@ -14,7 +14,7 @@ void blowfish_valid_param( ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ +/* BEGIN_CASE depends_on:NOT_DEFINED */ void blowfish_invalid_param( ) { mbedtls_blowfish_context ctx; diff --git a/tests/suites/test_suite_camellia.function b/tests/suites/test_suite_camellia.function index fb0a349177..0633b73d11 100644 --- a/tests/suites/test_suite_camellia.function +++ b/tests/suites/test_suite_camellia.function @@ -14,7 +14,7 @@ void camellia_valid_param( ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ +/* BEGIN_CASE depends_on:NOT_DEFINED */ void camellia_invalid_param( ) { mbedtls_camellia_context ctx; diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index ea5fa2e5e4..f1095b1f03 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -207,7 +207,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ +/* BEGIN_CASE depends_on:NOT_DEFINED */ void cipher_invalid_param_conditional( ) { mbedtls_cipher_context_t valid_ctx; diff --git a/tests/suites/test_suite_ecdh.function b/tests/suites/test_suite_ecdh.function index 5fced62d42..5fa5b6781d 100644 --- a/tests/suites/test_suite_ecdh.function +++ b/tests/suites/test_suite_ecdh.function @@ -50,7 +50,7 @@ void ecdh_valid_param( ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ +/* BEGIN_CASE depends_on:NOT_DEFINED */ void ecdh_invalid_param( ) { mbedtls_ecdh_context ctx; diff --git a/tests/suites/test_suite_ecjpake.function b/tests/suites/test_suite_ecjpake.function index 2a6d8935ef..311733b0dd 100644 --- a/tests/suites/test_suite_ecjpake.function +++ b/tests/suites/test_suite_ecjpake.function @@ -98,7 +98,7 @@ cleanup: * END_DEPENDENCIES */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ +/* BEGIN_CASE depends_on:NOT_DEFINED */ void ecjpake_invalid_param( ) { mbedtls_ecjpake_context ctx; diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index 9b8ba8201e..81a6514cb4 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -38,7 +38,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ +/* BEGIN_CASE depends_on:NOT_DEFINED */ void ecp_invalid_param( ) { mbedtls_ecp_group grp; diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index 35691f725f..ae306b5e3d 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function @@ -181,7 +181,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ +/* BEGIN_CASE depends_on:NOT_DEFINED */ void gcm_invalid_param( ) { mbedtls_gcm_context ctx; diff --git a/tests/suites/test_suite_shax.data b/tests/suites/test_suite_shax.data index 12eec84efc..1cc58af413 100644 --- a/tests/suites/test_suite_shax.data +++ b/tests/suites/test_suite_shax.data @@ -1,9 +1,6 @@ SHA-1 - Valid parameters sha1_valid_param: -SHA-1 - Invalid parameters -sha1_invalid_param: - # Test the operation of SHA-1 and SHA-2 SHA-1 Test Vector NIST CAVS #1 depends_on:MBEDTLS_SHA1_C diff --git a/tests/suites/test_suite_shax.function b/tests/suites/test_suite_shax.function index 1d4cf7192b..a8f5b1848d 100644 --- a/tests/suites/test_suite_shax.function +++ b/tests/suites/test_suite_shax.function @@ -11,46 +11,6 @@ void sha1_valid_param( ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SHA1_C:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ -void sha1_invalid_param( ) -{ - mbedtls_sha1_context ctx; - unsigned char buf[64] = { 0 }; - size_t const buflen = sizeof( buf ); - - TEST_INVALID_PARAM( mbedtls_sha1_init( NULL ) ); - - TEST_INVALID_PARAM( mbedtls_sha1_clone( NULL, &ctx ) ); - TEST_INVALID_PARAM( mbedtls_sha1_clone( &ctx, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA, - mbedtls_sha1_starts_ret( NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA, - mbedtls_sha1_update_ret( NULL, buf, buflen ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA, - mbedtls_sha1_update_ret( &ctx, NULL, buflen ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA, - mbedtls_sha1_finish_ret( NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA, - mbedtls_sha1_finish_ret( &ctx, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA, - mbedtls_internal_sha1_process( NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA, - mbedtls_internal_sha1_process( &ctx, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA, - mbedtls_sha1_ret( NULL, buflen, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA, - mbedtls_sha1_ret( buf, buflen, NULL ) ); - -exit: - return; -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_SHA1_C */ void mbedtls_sha1( data_t * src_str, data_t * hash ) { @@ -72,7 +32,7 @@ void sha256_valid_param( ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ +/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C:NOT_DEFINED */ void sha256_invalid_param( ) { mbedtls_sha256_context ctx; @@ -81,38 +41,10 @@ void sha256_invalid_param( ) int valid_type = 0; int invalid_type = 42; - TEST_INVALID_PARAM( mbedtls_sha256_init( NULL ) ); - - TEST_INVALID_PARAM( mbedtls_sha256_clone( NULL, &ctx ) ); - TEST_INVALID_PARAM( mbedtls_sha256_clone( &ctx, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA, - mbedtls_sha256_starts_ret( NULL, valid_type ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA, mbedtls_sha256_starts_ret( &ctx, invalid_type ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA, - mbedtls_sha256_update_ret( NULL, buf, buflen ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA, - mbedtls_sha256_update_ret( &ctx, NULL, buflen ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA, - mbedtls_sha256_finish_ret( NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA, - mbedtls_sha256_finish_ret( &ctx, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA, - mbedtls_internal_sha256_process( NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA, - mbedtls_internal_sha256_process( &ctx, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA, - mbedtls_sha256_ret( NULL, buflen, - buf, valid_type ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA, - mbedtls_sha256_ret( buf, buflen, - NULL, valid_type ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA, mbedtls_sha256_ret( buf, buflen, buf, invalid_type ) ); @@ -156,7 +88,7 @@ void sha512_valid_param( ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SHA512_C:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */ +/* BEGIN_CASE depends_on:MBEDTLS_SHA512_C:NOT_DEFINED */ void sha512_invalid_param( ) { mbedtls_sha512_context ctx; @@ -165,38 +97,10 @@ void sha512_invalid_param( ) int valid_type = 0; int invalid_type = 42; - TEST_INVALID_PARAM( mbedtls_sha512_init( NULL ) ); - - TEST_INVALID_PARAM( mbedtls_sha512_clone( NULL, &ctx ) ); - TEST_INVALID_PARAM( mbedtls_sha512_clone( &ctx, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA, - mbedtls_sha512_starts_ret( NULL, valid_type ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA, mbedtls_sha512_starts_ret( &ctx, invalid_type ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA, - mbedtls_sha512_update_ret( NULL, buf, buflen ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA, - mbedtls_sha512_update_ret( &ctx, NULL, buflen ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA, - mbedtls_sha512_finish_ret( NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA, - mbedtls_sha512_finish_ret( &ctx, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA, - mbedtls_internal_sha512_process( NULL, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA, - mbedtls_internal_sha512_process( &ctx, NULL ) ); - - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA, - mbedtls_sha512_ret( NULL, buflen, - buf, valid_type ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA, - mbedtls_sha512_ret( buf, buflen, - NULL, valid_type ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA, + TEST_EQUAL( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA, mbedtls_sha512_ret( buf, buflen, buf, invalid_type ) ); From 7019955c767c8d6305a9fbbb26278e1627e7b747 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 27 May 2021 13:52:59 +0200 Subject: [PATCH 025/131] Removal of the TEST_VALID_PARAM macro and its usages Signed-off-by: TRodziewicz --- tests/include/test/macros.h | 23 ----------------------- tests/suites/test_suite_aes.function | 6 ------ tests/suites/test_suite_aria.data | 3 --- tests/suites/test_suite_aria.function | 7 ------- tests/suites/test_suite_blowfish.data | 3 --- tests/suites/test_suite_blowfish.function | 7 ------- tests/suites/test_suite_camellia.data | 3 --- tests/suites/test_suite_camellia.function | 7 ------- tests/suites/test_suite_ccm.data | 3 --- tests/suites/test_suite_ccm.function | 9 --------- tests/suites/test_suite_cipher.function | 8 +------- tests/suites/test_suite_ecdh.data | 3 --- tests/suites/test_suite_ecdh.function | 7 ------- tests/suites/test_suite_ecp.data | 3 --- tests/suites/test_suite_ecp.function | 16 ---------------- tests/suites/test_suite_gcm.function | 9 --------- tests/suites/test_suite_gcm.misc.data | 3 --- tests/suites/test_suite_mpi.data | 3 --- tests/suites/test_suite_mpi.function | 7 ------- tests/suites/test_suite_pk.function | 6 ------ tests/suites/test_suite_shax.data | 9 --------- tests/suites/test_suite_shax.function | 21 --------------------- 22 files changed, 1 insertion(+), 165 deletions(-) diff --git a/tests/include/test/macros.h b/tests/include/test/macros.h index 1c0e2bdd69..a8a01ce473 100644 --- a/tests/include/test/macros.h +++ b/tests/include/test/macros.h @@ -177,29 +177,6 @@ } \ } while( 0 ) -/** - * \brief This macro tests the statement passed to it as a test step or - * individual test in a test case. The macro assumes the test will not fail. - * - * It assumes the library function under test cannot return a value and - * assumes errors can only be indicated by calls to - * MBEDTLS_PARAM_FAILED(). - * - * This macro is intended to test that functions returning void - * accept all of the parameter values they're supposed to accept - eg - * that they don't call MBEDTLS_PARAM_FAILED() when a parameter - * that's allowed to be NULL happens to be NULL. - * - * Note: for functions that return something other that void, - * checking that they accept all the parameters they're supposed to - * accept is best done by using TEST_ASSERT() and checking the return - * value as well. - * - * \param TEST The test expression to be tested. - */ -#define TEST_VALID_PARAM( TEST ) \ - TEST_ASSERT( ( TEST, 1 ) ); - /** Allocate memory dynamically and fail the test case if this fails. * * You must set \p pointer to \c NULL before calling this macro and diff --git a/tests/suites/test_suite_aes.function b/tests/suites/test_suite_aes.function index fe4dd3e820..3e07c9cf9a 100644 --- a/tests/suites/test_suite_aes.function +++ b/tests/suites/test_suite_aes.function @@ -413,12 +413,6 @@ void aes_misc_params( ) size_t size; #endif - /* These calls accept NULL */ - TEST_VALID_PARAM( mbedtls_aes_free( NULL ) ); -#if defined(MBEDTLS_CIPHER_MODE_XTS) - TEST_VALID_PARAM( mbedtls_aes_xts_free( NULL ) ); -#endif - #if defined(MBEDTLS_CIPHER_MODE_CBC) TEST_ASSERT( mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_ENCRYPT, 15, diff --git a/tests/suites/test_suite_aria.data b/tests/suites/test_suite_aria.data index 8848978e21..94b6e7e22f 100644 --- a/tests/suites/test_suite_aria.data +++ b/tests/suites/test_suite_aria.data @@ -1,6 +1,3 @@ -ARIA - Valid parameters -aria_valid_param: - ARIA - Invalid parameters aria_invalid_param: diff --git a/tests/suites/test_suite_aria.function b/tests/suites/test_suite_aria.function index 514706455a..6432df0811 100644 --- a/tests/suites/test_suite_aria.function +++ b/tests/suites/test_suite_aria.function @@ -16,13 +16,6 @@ * END_DEPENDENCIES */ -/* BEGIN_CASE */ -void aria_valid_param( ) -{ - TEST_VALID_PARAM( mbedtls_aria_free( NULL ) ); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:NOT_DEFINED */ void aria_invalid_param( ) { diff --git a/tests/suites/test_suite_blowfish.data b/tests/suites/test_suite_blowfish.data index c9639f6e79..0ebb64234c 100644 --- a/tests/suites/test_suite_blowfish.data +++ b/tests/suites/test_suite_blowfish.data @@ -1,6 +1,3 @@ -BLOWFISH - Valid parameters -blowfish_valid_param: - BLOWFISH - Invalid parameters blowfish_invalid_param: diff --git a/tests/suites/test_suite_blowfish.function b/tests/suites/test_suite_blowfish.function index fdecfb6f92..1fa59ee6e9 100644 --- a/tests/suites/test_suite_blowfish.function +++ b/tests/suites/test_suite_blowfish.function @@ -7,13 +7,6 @@ * END_DEPENDENCIES */ -/* BEGIN_CASE */ -void blowfish_valid_param( ) -{ - TEST_VALID_PARAM( mbedtls_blowfish_free( NULL ) ); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:NOT_DEFINED */ void blowfish_invalid_param( ) { diff --git a/tests/suites/test_suite_camellia.data b/tests/suites/test_suite_camellia.data index 3d11b8cb0c..3f73abcea9 100644 --- a/tests/suites/test_suite_camellia.data +++ b/tests/suites/test_suite_camellia.data @@ -1,6 +1,3 @@ -Camellia - Valid parameters -camellia_valid_param: - Camellia - Invalid parameters camellia_invalid_param: diff --git a/tests/suites/test_suite_camellia.function b/tests/suites/test_suite_camellia.function index 0633b73d11..cc18d5b381 100644 --- a/tests/suites/test_suite_camellia.function +++ b/tests/suites/test_suite_camellia.function @@ -7,13 +7,6 @@ * END_DEPENDENCIES */ -/* BEGIN_CASE */ -void camellia_valid_param( ) -{ - TEST_VALID_PARAM( mbedtls_camellia_free( NULL ) ); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:NOT_DEFINED */ void camellia_invalid_param( ) { diff --git a/tests/suites/test_suite_ccm.data b/tests/suites/test_suite_ccm.data index 63af5aa04a..459683bd29 100644 --- a/tests/suites/test_suite_ccm.data +++ b/tests/suites/test_suite_ccm.data @@ -1,9 +1,6 @@ CCM self test mbedtls_ccm_self_test: -CCM - Valid parameters -ccm_valid_param: - CCM init #1 AES-128: OK depends_on:MBEDTLS_AES_C mbedtls_ccm_setkey:MBEDTLS_CIPHER_ID_AES:128:0 diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 1b00560ecf..840583c5ca 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -291,12 +291,3 @@ exit: mbedtls_ccm_free( &ctx ); } /* END_CASE */ - -/* BEGIN_CASE */ -void ccm_valid_param( ) -{ - TEST_VALID_PARAM( mbedtls_ccm_free( NULL ) ); -exit: - return; -} -/* END_CASE */ diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index f1095b1f03..2ef8f5f63d 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -222,12 +222,6 @@ void cipher_invalid_param_conditional( ) (void)valid_mode; /* In some configurations this is unused */ - /* mbedtls_cipher_init() */ - TEST_VALID_PARAM( mbedtls_cipher_init( &valid_ctx ) ); - - /* mbedtls_cipher_setup() */ - TEST_VALID_PARAM( mbedtls_cipher_setup( &valid_ctx, valid_info ) ); - TEST_EQUAL( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, mbedtls_cipher_setkey( &valid_ctx, @@ -236,7 +230,7 @@ void cipher_invalid_param_conditional( ) invalid_operation ) ); exit: - TEST_VALID_PARAM( mbedtls_cipher_free( &valid_ctx ) ); + ; } /* END_CASE */ diff --git a/tests/suites/test_suite_ecdh.data b/tests/suites/test_suite_ecdh.data index fb4a232fc3..3711e55318 100644 --- a/tests/suites/test_suite_ecdh.data +++ b/tests/suites/test_suite_ecdh.data @@ -1,6 +1,3 @@ -ECDH - Valid parameters -ecdh_valid_param: - ECDH - Invalid parameters ecdh_invalid_param: diff --git a/tests/suites/test_suite_ecdh.function b/tests/suites/test_suite_ecdh.function index 5fa5b6781d..63dc22175d 100644 --- a/tests/suites/test_suite_ecdh.function +++ b/tests/suites/test_suite_ecdh.function @@ -43,13 +43,6 @@ exit: * END_DEPENDENCIES */ -/* BEGIN_CASE */ -void ecdh_valid_param( ) -{ - TEST_VALID_PARAM( mbedtls_ecdh_free( NULL ) ); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:NOT_DEFINED */ void ecdh_invalid_param( ) { diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data index 106791cb88..88d801fb6b 100644 --- a/tests/suites/test_suite_ecp.data +++ b/tests/suites/test_suite_ecp.data @@ -1,6 +1,3 @@ -ECP valid params -ecp_valid_param: - ECP invalid params ecp_invalid_param: diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index 81a6514cb4..50792b710f 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -22,22 +22,6 @@ * END_DEPENDENCIES */ -/* BEGIN_CASE */ -void ecp_valid_param( ) -{ - TEST_VALID_PARAM( mbedtls_ecp_group_free( NULL ) ); - TEST_VALID_PARAM( mbedtls_ecp_keypair_free( NULL ) ); - TEST_VALID_PARAM( mbedtls_ecp_point_free( NULL ) ); - -#if defined(MBEDTLS_ECP_RESTARTABLE) - TEST_VALID_PARAM( mbedtls_ecp_restart_free( NULL ) ); -#endif /* MBEDTLS_ECP_RESTARTABLE */ - -exit: - return; -} -/* END_CASE */ - /* BEGIN_CASE depends_on:NOT_DEFINED */ void ecp_invalid_param( ) { diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index ae306b5e3d..a6b0a4c119 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function @@ -201,15 +201,6 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ -void gcm_valid_param( ) -{ - TEST_VALID_PARAM( mbedtls_gcm_free( NULL ) ); -exit: - return; -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ void gcm_selftest( ) { diff --git a/tests/suites/test_suite_gcm.misc.data b/tests/suites/test_suite_gcm.misc.data index cf01526535..f22b7a3b79 100644 --- a/tests/suites/test_suite_gcm.misc.data +++ b/tests/suites/test_suite_gcm.misc.data @@ -1,5 +1,2 @@ GCM - Invalid parameters gcm_invalid_param: - -GCM - Valid parameters -gcm_valid_param: diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data index 8e09ee5bd0..a542267e4c 100644 --- a/tests/suites/test_suite_mpi.data +++ b/tests/suites/test_suite_mpi.data @@ -1,6 +1,3 @@ -MPI - Valid parameters -mpi_valid_param: - Arguments with no value mpi_null: diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function index 8c20258c59..d9a44a6e0b 100644 --- a/tests/suites/test_suite_mpi.function +++ b/tests/suites/test_suite_mpi.function @@ -71,13 +71,6 @@ static int f_rng_bytes_left( void *state, unsigned char *buf, size_t len ) * END_DEPENDENCIES */ -/* BEGIN_CASE */ -void mpi_valid_param( ) -{ - TEST_VALID_PARAM( mbedtls_mpi_free( NULL ) ); -} -/* END_CASE */ - /* BEGIN_CASE */ void mpi_null( ) { diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 06e40d8144..2e24aecc7d 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -211,12 +211,6 @@ void valid_parameters( ) mbedtls_pk_init( &pk ); - TEST_VALID_PARAM( mbedtls_pk_free( NULL ) ); - -#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) - TEST_VALID_PARAM( mbedtls_pk_restart_free( NULL ) ); -#endif - TEST_ASSERT( mbedtls_pk_setup( &pk, NULL ) == MBEDTLS_ERR_PK_BAD_INPUT_DATA ); diff --git a/tests/suites/test_suite_shax.data b/tests/suites/test_suite_shax.data index 1cc58af413..3552346e42 100644 --- a/tests/suites/test_suite_shax.data +++ b/tests/suites/test_suite_shax.data @@ -1,6 +1,3 @@ -SHA-1 - Valid parameters -sha1_valid_param: - # Test the operation of SHA-1 and SHA-2 SHA-1 Test Vector NIST CAVS #1 depends_on:MBEDTLS_SHA1_C @@ -42,9 +39,6 @@ SHA-1 Test Vector NIST CAVS #10 depends_on:MBEDTLS_SHA1_C mbedtls_sha1:"8236153781bd2f1b81ffe0def1beb46f5a70191142926651503f1b3bb1016acdb9e7f7acced8dd168226f118ff664a01a8800116fd023587bfba52a2558393476f5fc69ce9c65001f23e70476d2cc81c97ea19caeb194e224339bcb23f77a83feac5096f9b3090c51a6ee6d204b735aa71d7e996d380b80822e4dfd43683af9c7442498cacbea64842dfda238cb099927c6efae07fdf7b23a4e4456e0152b24853fe0d5de4179974b2b9d4a1cdbefcbc01d8d311b5dda059136176ea698ab82acf20dd490be47130b1235cb48f8a6710473cfc923e222d94b582f9ae36d4ca2a32d141b8e8cc36638845fbc499bce17698c3fecae2572dbbd470552430d7ef30c238c2124478f1f780483839b4fb73d63a9460206824a5b6b65315b21e3c2f24c97ee7c0e78faad3df549c7ca8ef241876d9aafe9a309f6da352bec2caaa92ee8dca392899ba67dfed90aef33d41fc2494b765cb3e2422c8e595dabbfaca217757453fb322a13203f425f6073a9903e2dc5818ee1da737afc345f0057744e3a56e1681c949eb12273a3bfc20699e423b96e44bd1ff62e50a848a890809bfe1611c6787d3d741103308f849a790f9c015098286dbacfc34c1718b2c2b77e32194a75dda37954a320fa68764027852855a7e5b5274eb1e2cbcd27161d98b59ad245822015f48af82a45c0ed59be94f9af03d9736048570d6e3ef63b1770bc98dfb77de84b1bb1708d872b625d9ab9b06c18e5dbbf34399391f0f8aa26ec0dac7ff4cb8ec97b52bcb942fa6db2385dcd1b3b9d567aaeb425d567b0ebe267235651a1ed9bf78fd93d3c1dd077fe340bb04b00529c58f45124b717c168d07e9826e33376988bc5cf62845c2009980a4dfa69fbc7e5a0b1bb20a5958ca967aec68eb31dd8fccca9afcd30a26bab26279f1bf6724ff":"11863b483809ef88413ca9b0084ac4a5390640af" -SHA-256 Valid parameters -sha256_valid_param: - SHA-256 Invalid parameters sha256_invalid_param: @@ -107,9 +101,6 @@ mbedtls_sha256:"8390cf0be07661cc7669aac54ce09a37733a629d45f5d983ef201f9b2d13800e SHA-512 Invalid parameters sha512_invalid_param: -SHA-512 Valid parameters -sha512_valid_param: - SHA-384 Test Vector NIST CAVS #1 depends_on:MBEDTLS_SHA384_C sha384:"":"38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b" diff --git a/tests/suites/test_suite_shax.function b/tests/suites/test_suite_shax.function index a8f5b1848d..35fecce6ce 100644 --- a/tests/suites/test_suite_shax.function +++ b/tests/suites/test_suite_shax.function @@ -4,13 +4,6 @@ #include "mbedtls/sha512.h" /* END_HEADER */ -/* BEGIN_CASE depends_on:MBEDTLS_SHA1_C */ -void sha1_valid_param( ) -{ - TEST_VALID_PARAM( mbedtls_sha1_free( NULL ) ); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_SHA1_C */ void mbedtls_sha1( data_t * src_str, data_t * hash ) { @@ -25,13 +18,6 @@ void mbedtls_sha1( data_t * src_str, data_t * hash ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C */ -void sha256_valid_param( ) -{ - TEST_VALID_PARAM( mbedtls_sha256_free( NULL ) ); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_SHA256_C:NOT_DEFINED */ void sha256_invalid_param( ) { @@ -81,13 +67,6 @@ void mbedtls_sha256( data_t * src_str, data_t * hash ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SHA512_C */ -void sha512_valid_param( ) -{ - TEST_VALID_PARAM( mbedtls_sha512_free( NULL ) ); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_SHA512_C:NOT_DEFINED */ void sha512_invalid_param( ) { From 2d0769d1491aa2b8882dab1408b0b5fdf778436d Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 27 May 2021 15:24:33 +0200 Subject: [PATCH 026/131] Simplification of the tests Signed-off-by: TRodziewicz --- tests/include/test/macros.h | 3 -- tests/src/helpers.c | 9 ------ tests/suites/main_test.function | 37 ++++++++----------------- tests/suites/test_suite_cipher.function | 3 -- tests/suites/test_suite_rsa.data | 3 ++ tests/suites/test_suite_rsa.function | 19 +++++++++++++ 6 files changed, 33 insertions(+), 41 deletions(-) diff --git a/tests/include/test/macros.h b/tests/include/test/macros.h index a8a01ce473..df961aa049 100644 --- a/tests/include/test/macros.h +++ b/tests/include/test/macros.h @@ -58,9 +58,6 @@ * It allows a library function to return a value and return an error * code that can be tested. * - * This macro is not suitable for negative parameter validation tests, - * as it assumes the test step will not create an error. - * * Failing the test means: * - Mark this test case as failed. * - Print a message identifying the failure. diff --git a/tests/src/helpers.c b/tests/src/helpers.c index ece0465139..cac6d4cc0a 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -204,15 +204,6 @@ int mbedtls_test_hexcmp( uint8_t * a, uint8_t * b, return ret; } -void mbedtls_param_failed( const char *failure_condition, - const char *file, - int line ) -{ - (void) failure_condition; - (void) file; - (void) line; -} - #if defined(MBEDTLS_TEST_HOOKS) void mbedtls_test_err_add_check( int high, int low, const char *file, int line ) diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function index 13d032c4a4..491de6d2fb 100644 --- a/tests/suites/main_test.function +++ b/tests/suites/main_test.function @@ -158,31 +158,6 @@ $dispatch_code #line $line_no "suites/main_test.function" }; -/** - * \brief Execute the test function. - * - * This is a wrapper function around the test function execution - * to allow the setjmp() call used to catch any calls to the - * parameter failure callback, to be used. Calls to setjmp() - * can invalidate the state of any local auto variables. - * - * \param fp Function pointer to the test function. - * \param params Parameters to pass to the #TestWrapper_t wrapper function. - * - */ -void execute_function_ptr(TestWrapper_t fp, void **params) -{ -#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) - mbedtls_test_enable_insecure_external_rng( ); -#endif - - fp( params ); - -#if defined(MBEDTLS_TEST_MUTEX_USAGE) - mbedtls_test_mutex_usage_check( ); -#endif /* MBEDTLS_TEST_MUTEX_USAGE */ -} - /** * \brief Dispatches test functions based on function index. * @@ -203,7 +178,17 @@ int dispatch_test( size_t func_idx, void ** params ) { fp = test_funcs[func_idx]; if ( fp ) - execute_function_ptr(fp, params); + { + #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) + mbedtls_test_enable_insecure_external_rng( ); + #endif + + fp( params ); + + #if defined(MBEDTLS_TEST_MUTEX_USAGE) + mbedtls_test_mutex_usage_check( ); + #endif /* MBEDTLS_TEST_MUTEX_USAGE */ + } else ret = DISPATCH_UNSUPPORTED_SUITE; } diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 2ef8f5f63d..674349f764 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -213,15 +213,12 @@ void cipher_invalid_param_conditional( ) mbedtls_cipher_context_t valid_ctx; mbedtls_operation_t invalid_operation = 100; - mbedtls_cipher_padding_t valid_mode = MBEDTLS_PADDING_ZEROS; unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; int valid_size = sizeof(valid_buffer); int valid_bitlen = valid_size * 8; const mbedtls_cipher_info_t *valid_info = mbedtls_cipher_info_from_type( *( mbedtls_cipher_list() ) ); - (void)valid_mode; /* In some configurations this is unused */ - TEST_EQUAL( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, mbedtls_cipher_setkey( &valid_ctx, diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index 2512ef24c6..cc5a047790 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -1,3 +1,6 @@ +RSA parameter validation +rsa_invalid_param: + RSA init-free-free rsa_init_free:0 diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 9cf2fcf348..bc5036c5c9 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -17,6 +17,25 @@ * END_DEPENDENCIES */ +/* BEGIN_CASE depends_on:NOT_DEFINED */ +void rsa_invalid_param( ) +{ + mbedtls_rsa_context ctx; + const int valid_padding = MBEDTLS_RSA_PKCS_V21; + const int invalid_padding = 42; + unsigned char buf[42] = { 0 }; + size_t olen; + + TEST_INVALID_PARAM( mbedtls_rsa_init( &ctx, invalid_padding, 0 ) ); + + TEST_INVALID_PARAM( mbedtls_rsa_set_padding( &ctx, + invalid_padding, 0 ) ); + +exit: + return; +} +/* END_CASE */ + /* BEGIN_CASE */ void rsa_init_free( int reinit ) { From 9b279f98bcd5eab3898610327e2f731eef5eff47 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 27 May 2021 17:20:41 +0200 Subject: [PATCH 027/131] Removal of the rsa_invalid_param() from the test Signed-off-by: TRodziewicz --- tests/suites/test_suite_rsa.data | 3 --- tests/suites/test_suite_rsa.function | 19 ------------------- 2 files changed, 22 deletions(-) diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index cc5a047790..2512ef24c6 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -1,6 +1,3 @@ -RSA parameter validation -rsa_invalid_param: - RSA init-free-free rsa_init_free:0 diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index bc5036c5c9..9cf2fcf348 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -17,25 +17,6 @@ * END_DEPENDENCIES */ -/* BEGIN_CASE depends_on:NOT_DEFINED */ -void rsa_invalid_param( ) -{ - mbedtls_rsa_context ctx; - const int valid_padding = MBEDTLS_RSA_PKCS_V21; - const int invalid_padding = 42; - unsigned char buf[42] = { 0 }; - size_t olen; - - TEST_INVALID_PARAM( mbedtls_rsa_init( &ctx, invalid_padding, 0 ) ); - - TEST_INVALID_PARAM( mbedtls_rsa_set_padding( &ctx, - invalid_padding, 0 ) ); - -exit: - return; -} -/* END_CASE */ - /* BEGIN_CASE */ void rsa_init_free( int reinit ) { From bcd2b4b9725e64b806b9b92d07c1a12c45b9e9d7 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Fri, 28 May 2021 12:56:57 +0200 Subject: [PATCH 028/131] Addition of ommited part of code review follow-up Signed-off-by: TRodziewicz --- tests/suites/test_suite_aria.function | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/suites/test_suite_aria.function b/tests/suites/test_suite_aria.function index 6432df0811..04263247e3 100644 --- a/tests/suites/test_suite_aria.function +++ b/tests/suites/test_suite_aria.function @@ -27,6 +27,9 @@ void aria_invalid_param( ) ((void) iv_off); ((void) iv); + ((void) ctx); + ((void) input); + ((void) output); #if defined(MBEDTLS_CIPHER_MODE_CBC) TEST_EQUAL( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA, From 358e588b323fa9ec29e386c5197db3d46c5303b8 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Fri, 28 May 2021 12:58:46 +0200 Subject: [PATCH 029/131] Temporary addition of an empty assert to satisfy the compiler Signed-off-by: TRodziewicz --- tests/suites/test_suite_aes.function | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/suites/test_suite_aes.function b/tests/suites/test_suite_aes.function index 3e07c9cf9a..aa3df92fa5 100644 --- a/tests/suites/test_suite_aes.function +++ b/tests/suites/test_suite_aes.function @@ -447,6 +447,14 @@ void aes_misc_params( ) TEST_ASSERT( mbedtls_aes_crypt_ofb( &aes_ctx, 16, &size, out, in, out ) == MBEDTLS_ERR_AES_BAD_INPUT_DATA ); #endif + +/* + * The following line needs to be added to make the code compilable + * when all the conditions above will be not define in a specific + * choice of features. + */ + TEST_ASSERT( 1 ); +/* TODO: It will be removed when the whole test will be reworked */ } /* END_CASE */ From cd817b06303bf43547ed6fe855e712c529de7e63 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 31 May 2021 19:40:45 +0100 Subject: [PATCH 030/131] Remove misleading comment in TLS 1.3 key schedule code The implementation documentation of ``` mbedtls_ssl_tls1_3_derive_early_secrets() ``` mentioned the PSK binder key, which is misleading because the function doesn't actually calculate it. Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 78a55812da..f1c8a12d86 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -368,9 +368,6 @@ int mbedtls_ssl_tls1_3_derive_early_secrets( * v * PSK -> HKDF-Extract = Early Secret * | - * +-----> Derive-Secret(., "ext binder" | "res binder", "") - * | = binder_key - * | * +-----> Derive-Secret(., "c e traffic", ClientHello) * | = client_early_traffic_secret * | From 1483fe4c217786f530fda73931738a9a75d5d8a9 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 1 Jun 2021 22:29:06 +0200 Subject: [PATCH 031/131] Document what we mean by backward compatibility Signed-off-by: Gilles Peskine --- BRANCHES.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/BRANCHES.md b/BRANCHES.md index 8486ef0637..dbdc1738e4 100644 --- a/BRANCHES.md +++ b/BRANCHES.md @@ -28,6 +28,15 @@ undocumented features, then you should be able to re-compile it without modification with any later release x.y'.z' with the same major version number, and your code will still build, be secure, and work. +Note that new releases of Mbed TLS may extend the API. Here are some example of changes that are common in minor releases of Mbed TLS, and are not considered compatibility breaks: + +* Adding or reordering fields in a structure or union. +* Removing a field from a structure, unless the field is documented as public. +* Adding items to an enum. +* Returning an error code that was not previously documented for a function when a new error condition arises. +* Changing which error code is returned in a case where multiple error conditions apply. +* Changing the behavior of a function from failing to succeeding, when the change is a reasonable extension of the current behavior, i.e. the addition of a new feature. + There are rare exceptions: code that was relying on something that became insecure in the meantime (for example, crypto that was found to be weak) may need to be changed. In case security comes in conflict with backwards From 58d6eb5024ff23a887798feb411b77b7d4469a4f Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Wed, 2 Jun 2021 14:43:11 +0200 Subject: [PATCH 032/131] Removing unneeded comment Signed-off-by: TRodziewicz --- library/psa_crypto.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index c3dc6e7549..214c405b30 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1019,10 +1019,6 @@ psa_status_t psa_wipe_key_slot( psa_key_slot_t *slot ) { psa_status_t status = psa_remove_key_data_from_memory( slot ); - /* - * As the return error code may not be handled in case of multiple errors, - * do our best to report an unexpected lock counter. - */ if( slot->lock_count != 1 ) { status = PSA_ERROR_CORRUPTION_DETECTED; From 5e5dcaced3276417a8fd25f9023b0c34e3577eeb Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sat, 20 Mar 2021 14:35:20 +0000 Subject: [PATCH 033/131] PSA PAKE: Add function declarations Add function declarations for the draft version of PSA Crypto API PAKE interface. Signed-off-by: Janos Follath --- include/psa/crypto.h | 359 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 359 insertions(+) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 6aa7ccc924..0992a65109 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4126,6 +4126,365 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, /**@}*/ + +/** \defgroup Password-authenticated key agreement + * @{ + */ + +/** The type of the state data structure for PAKE operations. + * + * Before calling any function on a PAKE operation object, the application + * must initialize it by any of the following means: + * - Set the structure to all-bits-zero, for example: + * \code + * psa_pake_operation_t operation; + * memset(&operation, 0, sizeof(operation)); + * \endcode + * - Initialize the structure to logical zero values, for example: + * \code + * psa_pake_operation_t operation = {0}; + * \endcode + * - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT, + * for example: + * \code + * psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT; + * \endcode + * - Assign the result of the function psa_pake_operation_init() + * to the structure, for example: + * \code + * psa_pake_operation_t operation; + * operation = psa_pake_operation_init(); + * \endcode + * + * This is an implementation-defined \c struct. Applications should not + * make any assumptions about the content of this structure except + * as directed by the documentation of a specific implementation. */ +typedef struct psa_pake_operation_s psa_pake_operation_t; + +/** \def PSA_PAKE_OPERATION_INIT + * + * This macro returns a suitable initializer for an PAKE operation object of + * type #psa_pake_operation_t. + */ +#ifdef __DOXYGEN_ONLY__ +/* This is an example definition for documentation purposes. + * Implementations should define a suitable value in `crypto_struct.h`. + */ +#define PSA_PAKE_OPERATION_INIT {0} +#endif + +/** Return an initial value for an PAKE operation object. + */ +static psa_pake_operation_t psa_pake_operation_init(void); + +/** Set the session information for a password-authenticated key exchange. + * + * The sequence of operations to set up a password-authenticated key exchange + * is as follows: + * -# Allocate an operation object which will be passed to all the functions + * listed here. + * -# Initialize the operation object with one of the methods described in the + * documentation for #psa_pake_operation_t, e.g. + * #PSA_PAKE_OPERATION_INIT. + * -# Call psa_pake_setup() to specify the algorithm, the key, cipher suite, + * identities and additional session information. + * + * A typical sequence of calls to perform a password-authenticated key + * exchange: + * -# Call psa_pake_get_key_share() to get the key share that needs to be sent + * to the peer. + * -# Call psa_pake_set_key_share() to provide the key share that was received + * from the peer. + * -# Call psa_pake_get_implicit_key() for accessing the shared secret. + * + * The exact sequence of calls to perform a password-authenticated key exchange + * depends on the protocol in use: + * -# Some protocols exchange more data than just a single key share. When using + * such a protocol, call psa_pake_output() and psa_pake_input() one or more + * times to exchange any further data that is needed to derive the shared + * secret. + * + * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + * for more information. + * + * If an error occurs at any step after a call to psa_pake_setup(), + * the operation will need to be reset by a call to psa_pake_abort(). The + * application may call psa_pake_abort() at any time after the operation + * has been initialized. + * + * After a successful call to psa_pake_setup(), the application must + * eventually terminate the operation. The following events terminate an + * operation: + * - A call to psa_pake_abort(). + * - A successful call to psa_pake_get_implicit_key(). + * + * \param[in,out] operation The operation object to set up. It must have + * been initialized as per the documentation for + * #psa_pake_operation_t and not yet in use. + * \param password Identifier of the key holding the password or a + * value derived from the password (eg. by a + * memory-hard function). It must remain valid + * until the operation terminates. It must allow + * the usage #PSA_KEY_USAGE_PAKE. + * \param alg The PAKE protocol to use + * (\c PSA_ALG_XXX value such that + * #PSA_ALG_IS_PAKE(\p alg) is true). + * \param cipher_suite The cipher suite to use with the PAKE algorithm. + * \param[in] user_id The user ID to authenticate with. + * \param user_id_length Size of the \p user_id buffer in bytes. + * \param[in] peer_id The peer's ID to authenticate. + * \param peer_id_length Size of the \p peer_id buffer in bytes. + * \param[in] session_data Additional session related data if it is allowed + * or required by the protocol. This must be empty + * if additional session data is not used by the + * protocol. + * \param session_data_length Size of the \p session_data buffer in bytes. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must be inactive). + * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p key is not compatible with \p alg. + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p session_data is not empty and is not allowed in \p alg. + * \retval #PSA_ERROR_NOT_SUPPORTED + * \p cipher_suite is not compatible with \p alg. (Eg. \p cipher_suite + * mandates algorithms or sets options that do not make sense for \p alg + * or are not supported with \p alg.) + * \retval #PSA_ERROR_NOT_SUPPORTED + * \p alg is not supported or is not a PAKE algorithm. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_setup(psa_pake_operation_t *operation, + mbedtls_svc_key_id_t password, + psa_algorithm_t alg, + psa_pake_cipher_suite_t cipher_suite, + psa_pake_side_t side, + const uint8_t *user_id, + size_t user_id_len, + const uint8_t *peer_id, + size_t peer_id_len, + const uint8_t *session_data, + size_t session_data_len); + +/** Get the key share from a password-authenticated key exchange operation. + * + * This function returns a simple key share (eg. group element). + * + * The exact sequence of calls to perform a password-authenticated key + * exchange depends on the protocol in use. Refer to the documentation of + * individual PAKE algorithm types (`PSA_ALG_XXX` values of type + * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + * information. + * + * If this function returns an error status, the operation enters an error + * state and must be aborted by calling psa_pake_abort(). + * + * \param[in,out] operation Active PAKE operation. + * \param[out] key_share Buffer where the key share is to be written. + * \param key_share_size Size of the \p key_share buffer in bytes. + * \param[out] key_share_length On success, the number of bytes of the + * returned key_share. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must be active, but beyond that + * validity is specific to the protocol). + * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * The size of the \p key_share buffer is too small. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_get_key_share(psa_pake_operation_t *operation, + uint8_t *key_share, + size_t key_share_size, + size_t *key_share_length); + +/** Get additional key share from a password-authenticated key exchange. + * + * Depending on the protocol being executed, you might need to call this + * function several times or you might not need to call this at all. + * + * The exact sequence of calls to perform a password-authenticated key + * exchange depends on the protocol in use. Refer to the documentation of + * individual PAKE algorithm types (`PSA_ALG_XXX` values of type + * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + * information. + * + * If this function returns an error status, the operation enters an error + * state and must be aborted by calling psa_pake_abort(). + * + * \param[in,out] operation Active PAKE operation. + * \param type The type of the data that is requested. + * \param[out] output Buffer where the output is to be written. + * \param output_size Size of the \p output buffer in bytes. + * \param[out] output_length On success, the number of bytes of the returned + * output. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must be active, but beyond that + * validity is specific to the protocol). + * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * The size of the \p output buffer is too small. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_output(psa_pake_operation_t *operation, + psa_pake_data_t type, + uint8_t *output, + size_t output_size, + size_t *output_length); + +/** Provide peer key share to a password-authenticated key exchange operation. + * + * This function inputs a simple key share (eg. group element). + * + * The exact sequence of calls to perform a password-authenticated key + * exchange depends on the protocol in use. Refer to the documentation of + * individual PAKE algorithm types (`PSA_ALG_XXX` values of type + * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + * information. + * + * \param[in,out] operation Active PAKE operation. + * \param[in] key_share Buffer containing the peer's key share. + * \param key_share_length Size of the \p key_share buffer in bytes. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must be active, but beyond that + * validity is specific to the protocol). + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_set_key_share(psa_pake_operation_t *operation, + const uint8_t *key_share, + size_t key_share_length); + +/** Provide additional peer key share for a password-authenticated key exchange. + * + * Depending on the protocol being executed, you might need to call this + * function several times or you might not need to call this at all. + * + * The exact sequence of calls to perform a password-authenticated key + * exchange depends on the protocol in use. Refer to the documentation of + * individual PAKE algorithm types (`PSA_ALG_XXX` values of type + * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + * information. + * + * If this function returns an error status, the operation enters an error + * state and must be aborted by calling psa_pake_abort(). + * + * \param[in,out] operation Active PAKE operation. + * \param type The type of the data provided. + * \param[out] input Buffer containing the input. + * \param[out] input_length Size of the \p input buffer in bytes. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must be active, but beyond that + * validity is specific to the protocol). + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_input(psa_pake_operation_t *operation, + psa_pake_data_t type, + uint8_t *input, + size_t input_length); + +/** Get implicitly confirmed shared secret from a PAKE. + * + * This function can be called after the key exchange phase of the operation + * has completed. It imports the shared secret output of the PAKE into the + * provided derivation operation. The input step + * #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key + * material in the key derivation operation. + * + * The exact sequence of calls to perform a password-authenticated key + * exchange depends on the protocol in use. Refer to the documentation of + * individual PAKE algorithm types (`PSA_ALG_XXX` values of type + * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + * information. + * + * When this function returns successfully, the operation becomes inactive. + * If this function returns an error status, the operation enters an error + * state and must be aborted by calling psa_pake_abort(). + * + * \param[in,out] operation Active PAKE operation. + * \param[out] output A key derivation operation that has been + * initialized and set up. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must be active, but beyond that + * validity is specific to the protocol). + * \retval #PSA_ERROR_BAD_STATE + * The state of \p output is not valid for + * the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the + * step is out of order or the application has done this step already + * and it may not be repeated. + * \retval #PSA_ERROR_INVALID_ARGUMENT + * #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the output’s + * algorithm. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, + psa_key_derivation_operation_t *output); +/**@}*/ + #ifdef __cplusplus } #endif From b86273a6dc60a450a21841b2b9dc7c825619773a Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sat, 20 Mar 2021 14:58:52 +0000 Subject: [PATCH 034/131] PSA PAKE: Add integral types Add integral types for the draft version of PSA Crypto API PAKE interface. Signed-off-by: Janos Follath --- include/psa/crypto_types.h | 11 +++++++++++ include/psa/crypto_values.h | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 386c7d794b..cd8ac4b1cf 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -380,4 +380,15 @@ typedef uint16_t psa_key_derivation_step_t; /**@}*/ +/** \defgroup pake Password-authenticated key exchange + * @{ + */ + +/** \brief Encoding of the side of PAKE */ +typedef uint16_t psa_pake_side_t; + +/** \brief Encoding of the type of input/output for PAKE */ +typedef uint16_t psa_pake_data_t; + +/**@}*/ #endif /* PSA_CRYPTO_TYPES_H */ diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 497bd8f01f..3c2b7bec2c 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2381,4 +2381,38 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) /**@}*/ +/** \defgroup pake Password-authenticated key exchange + * @{ + */ + +/** The first peer in a balanced PAKE. + * + * Although balanced PAKE protocols are symmetric, some of them needs an + * ordering of peers for the transcript calculations. If the protocol does not + * need this, either #PSA_PAKE_SIDE_FIRST or #PSA_PAKE_SIDE_SECOND are + * accepted. + */ +#define PSA_PAKE_SIDE_FIRST ((psa_pake_side_t)0x0001) + +/** The second peer in a balanced PAKE. + * + * Although balanced PAKE protocols are symmetric, some of them needs an + * ordering of peers for the transcript calculations. If the protocol does not + * need this, either #PSA_PAKE_SIDE_FIRST or #PSA_PAKE_SIDE_SECOND are + * accepted. + */ +#define PSA_PAKE_SIDE_SECOND ((psa_pake_side_t)0x0002) + +/** The client in an augmented PAKE. + * + * Augmented PAKE protocols need to differentiate between client and server. + */ +#define PSA_PAKE_SIDE_CLIENT ((psa_pake_side_t)0x0101) + +/** The server in an augmented PAKE. + * + * Augmented PAKE protocols need to differentiate between client and server. + */ +#define PSA_PAKE_SIDE_SERVER ((psa_pake_side_t)0x0102) +/**@}*/ #endif /* PSA_CRYPTO_VALUES_H */ From 38a5d3564633f1e74aff0124f05d1f8e9895f74b Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sun, 21 Mar 2021 07:01:53 +0000 Subject: [PATCH 035/131] PSA PAKE: Add type for representing primitives In most of the PAKEs the primitives are prime order groups, but some of them might need the ring structure or just are using completely different algebraic structures (eg. SRP or PQC schemes). Signed-off-by: Janos Follath --- include/psa/crypto_types.h | 22 ++++++++++++++++++++++ include/psa/crypto_values.h | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+) diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index cd8ac4b1cf..1c40f5bf7c 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -390,5 +390,27 @@ typedef uint16_t psa_pake_side_t; /** \brief Encoding of the type of input/output for PAKE */ typedef uint16_t psa_pake_data_t; +/** Encoding of the type of the PAKE's primitive. + * + * Values defined by this standard will never be in the range 0x80-0xff. + * Vendors who define additional types must use an encoding in this range. + */ +typedef uint8_t psa_pake_primitive_type_t; + +/** Encoding of the bitsize for the PAKE's primitive. + * + * The type and family is not enough to identify the primitive to use in the + * PAKE, the implementation needs to know the bitsize too. + */ +typedef uint16_t psa_pake_bits_t; + +/** Encoding of the PAKE's primitive. + * + * In most of the PAKEs the primitives are prime order groups, but some of + * them might need the ring structure or just are using completely different + * algebraic structures (eg. SRP or PQC schemes). + */ +typedef uint32_t psa_pake_primitive_t; + /**@}*/ #endif /* PSA_CRYPTO_TYPES_H */ diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 3c2b7bec2c..afdcaa9f6f 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2414,5 +2414,42 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * Augmented PAKE protocols need to differentiate between client and server. */ #define PSA_PAKE_SIDE_SERVER ((psa_pake_side_t)0x0102) + +/** The pake uses finite fields. + * + * The corresponding family type is ::psa_dh_family_t. In determining a + * specific curve in the family ::psa_pake_bits_t values are interpreted in the + * exact same way as ::psa_key_bits_t would. + */ +#define PSA_PAKE_PRIMITIVE_TYPE_FIELD ((psa_pake_primitive_type_t)0x01) + +/** The pake uses elliptic curves. + * + * The corresponding family type is ::psa_ecc_family_t. in determining a + * specific curve in the family ::psa_pake_bits_t values are interpreted in the + * exact same way as ::psa_key_bits_t would. + */ +#define PSA_PAKE_PRIMITIVE_TYPE_CURVE ((psa_pake_primitive_type_t)0x02) + +/** Construct a PAKE primitive from type, family and bitsize. + * + * \param type The type of the primitive + * (value of type ::psa_pake_primitive_type_t). + * \param family The family of the primitive + * (the type and interpretation of this parameter depends + * on \p type, for more information consult the + * documentation of individual ::psa_pake_primitive_type_t + * constants). + * \param bits The bitwise of the primitive + * (Value of type ::psa_pake_bits_t. The interpretation + * of this parameter depends on \p family, for more + * information consult the documentation of individual + * ::psa_pake_primitive_type_t constants). + * + * \return The constructed primitive value. + */ +#define PSA_PAKE_PRIMITIVE(type, family, bits) \ + ((psa_pake_primitive_t) (((type) << 24 | (persistence) << 16) | (bits))) + /**@}*/ #endif /* PSA_CRYPTO_VALUES_H */ From 508afeca67799a11631f68d8c45e846c7fc76dbc Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sun, 21 Mar 2021 09:42:37 +0000 Subject: [PATCH 036/131] PSA PAKE: Add cipher suite structure PAKE protocols make use of a range of cryptographic schemes and primitives. Standards allow for several options to use for each of them. They call the combination of specific algorithms cipher suites, configurations or options. Cipher suites are represented by a separate data type for several reasons: 1. To allow for individual PAKE protocols to provide pre-defined cipher suites. 2. To organise cipher suites into a unit that can be handled separately from the operation context. The PAKE operation flow is already complex, will be even more so when key confirmation is added. Handling them separately should reduce the surface of the interface the application developer needs to pay attention at any given time. Signed-off-by: Janos Follath --- include/psa/crypto.h | 41 +++++++++++++++++++++++++++++++++++++ include/psa/crypto_struct.h | 33 +++++++++++++++++++++++++++++ include/psa/crypto_types.h | 10 ++++++++- 3 files changed, 83 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 0992a65109..a0f5b135ed 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4131,6 +4131,47 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, * @{ */ +/** The type of the data strucure for PAKE cipher suites. + * + * This is an implementation-defined \c struct. Applications should not + * make any assumptions about the content of this structure except + * as directed by the documentation of a specific implementation. + */ +typedef struct psa_pake_cipher_suite_s psa_pake_cipher_suite_t; + +/** Construct a cipher suite for a password-authenticated key exchange. + * + * \param primitive The primitive used in the cipher suite. + * \param hash The hash involved in the cipher suite. + * (`PSA_ALG_XXX` values of type ::psa_algorithm_t + * such that #PSA_ALG_IS_HASH(\c alg) is true.) + * \param algorithm1 Additional algorithm if needed in the cipher suite, + * 0 otherwise. + * \param bits1 A bit size qualifier if needed for \p algorithm1, + * 0 otherwise. + * \param algorithm2 Additional algorithm if needed in the cipher suite, + * 0 otherwise. + * \param bits2 A bit size qualifier if needed for \p algorithm2, + * 0 otherwise. + * \param options Additional options to be included with the cipher + * suite if needed, 0 otherwise. + * + * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + * for more information. + * + * \retval The constructed cipher suite. + */ +static psa_pake_cipher_suite_t psa_pake_cipher_suite( + psa_pake_primitive_t primitive, + psa_algorithm_t hash, + psa_algorithm_t algorithm1, + psa_pake_bits_t bits1, + psa_algorithm_t algorithm2, + psa_pake_bits_t bits2, + psa_pake_cipher_suite_options_t options + ); + /** The type of the state data structure for PAKE operations. * * Before calling any function on a PAKE operation object, the application diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 47012fdd00..a4e6cca8e2 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -461,6 +461,39 @@ static inline size_t psa_get_key_bits( return( attributes->core.bits ); } +struct psa_pake_cipher_suite_s +{ + psa_pake_primitive_t primitive; + psa_algorithm_t hash; + psa_algorithm_t algorithm1; + psa_pake_bits_t bits1; + psa_algorithm_t algorithm2; + psa_pake_bits_t bits2; + psa_pake_cipher_suite_options_t options; +}; + +static inline struct psa_pake_cipher_suite_s psa_pake_cipher_suite( + psa_pake_primitive_t primitive, + psa_algorithm_t hash, + psa_algorithm_t algorithm1, + psa_pake_bits_t bits1, + psa_algorithm_t algorithm2, + psa_pake_bits_t bits2, + psa_pake_cipher_suite_options_t options + ) +{ + struct psa_pake_cipher_suite_s cipher_suite; + + cipher_suite.primitive = primitive; + cipher_suite.hash = hash; + cipher_suite.algorithm1 = algorithm1; + cipher_suite.bits1 = bits1; + cipher_suite.algorithm2 = algorithm2; + cipher_suite.bits2 = bits2; + cipher_suite.options = options; + + return cipher_suite; +} #ifdef __cplusplus } #endif diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 1c40f5bf7c..8031c9d27c 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -380,7 +380,7 @@ typedef uint16_t psa_key_derivation_step_t; /**@}*/ -/** \defgroup pake Password-authenticated key exchange +/** \defgroup pake Password-authenticated key exchange (PAKE) * @{ */ @@ -412,5 +412,13 @@ typedef uint16_t psa_pake_bits_t; */ typedef uint32_t psa_pake_primitive_t; +/** Encoding of additional options for PAKE. + * + * This type is for encoding additional options into PAKE cipher suites. + * (Options like for example EnvelopeMode in OPAQUE or "Per-User M and N" in + * SPAKE2.) + */ +typedef uint32_t psa_pake_cipher_suite_options_t; + /**@}*/ #endif /* PSA_CRYPTO_TYPES_H */ From 8a09ca9d94da0963e003b7f28ddfc48e5fff5359 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sun, 21 Mar 2021 10:14:08 +0000 Subject: [PATCH 037/131] PSA PAKE: Add dummy operation context Signed-off-by: Janos Follath --- include/psa/crypto_struct.h | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index a4e6cca8e2..f289caf16b 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -494,6 +494,25 @@ static inline struct psa_pake_cipher_suite_s psa_pake_cipher_suite( return cipher_suite; } + +struct psa_pake_operation_s +{ + psa_algorithm_t alg; + union + { + /* Make the union non-empty even with no supported algorithms. */ + uint8_t dummy; + } ctx; +}; + +/* This only zeroes out the first byte in the union, the rest is unspecified. */ +#define PSA_PAKE_OPERATION_INIT {0, {0}} +static inline struct psa_pake_operation_s psa_pake_operation_init( void ) +{ + const struct psa_pake_operation_s v = PSA_PAKE_OPERATION_INIT; + return( v ); +} + #ifdef __cplusplus } #endif From 9c6b147d98fac6a12ea0be7337fb4c679432d2ae Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sun, 21 Mar 2021 15:11:01 +0000 Subject: [PATCH 038/131] PSA PAKE: Add J-PAKE to the interface Signed-off-by: Janos Follath --- include/psa/crypto.h | 6 + include/psa/crypto_types.h | 9 +- include/psa/crypto_values.h | 185 +++++++++++++++++- .../test_suite_psa_crypto_metadata.data | 3 + .../test_suite_psa_crypto_metadata.function | 26 +++ 5 files changed, 217 insertions(+), 12 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index a0f5b135ed..88cc2d149d 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4366,6 +4366,9 @@ psa_status_t psa_pake_get_key_share(psa_pake_operation_t *operation, * Depending on the protocol being executed, you might need to call this * function several times or you might not need to call this at all. * + * Calling this function with PSA_PAKE_DATA_KEY_SHARE as \p type is equivalent + * to calling psa_pake_get_key_share(). + * * The exact sequence of calls to perform a password-authenticated key * exchange depends on the protocol in use. Refer to the documentation of * individual PAKE algorithm types (`PSA_ALG_XXX` values of type @@ -4443,6 +4446,9 @@ psa_status_t psa_pake_set_key_share(psa_pake_operation_t *operation, * Depending on the protocol being executed, you might need to call this * function several times or you might not need to call this at all. * + * Calling this function with PSA_PAKE_DATA_KEY_SHARE as \p type is equivalent + * to calling psa_pake_set_key_share(). + * * The exact sequence of calls to perform a password-authenticated key * exchange depends on the protocol in use. Refer to the documentation of * individual PAKE algorithm types (`PSA_ALG_XXX` values of type diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 8031c9d27c..4fa7395474 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -387,8 +387,13 @@ typedef uint16_t psa_key_derivation_step_t; /** \brief Encoding of the side of PAKE */ typedef uint16_t psa_pake_side_t; -/** \brief Encoding of the type of input/output for PAKE */ -typedef uint16_t psa_pake_data_t; +/** Encoding of input and output indicators for PAKE. + * + * Some PAKE protocols need to exchange more data than just a single key share. + * This type is for encoding additional input and output data for such + * protocols. + */ +typedef uint8_t psa_pake_data_t; /** Encoding of the type of the PAKE's primitive. * diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index afdcaa9f6f..be3325890c 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -731,6 +731,7 @@ #define PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION ((psa_algorithm_t)0x07000000) #define PSA_ALG_CATEGORY_KEY_DERIVATION ((psa_algorithm_t)0x08000000) #define PSA_ALG_CATEGORY_KEY_AGREEMENT ((psa_algorithm_t)0x09000000) +#define PSA_ALG_CATEGORY_PAKE ((psa_algorithm_t)0x0a000000) /** Whether an algorithm is vendor-defined. * @@ -848,6 +849,18 @@ (PSA_ALG_IS_KEY_DERIVATION(alg) && \ (alg) & PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG) +/** Whether the specified algorithm is a password-authenticated key exchange. + * + * \param alg An algorithm identifier (value of type #psa_algorithm_t). + * + * \return 1 if \p alg is a password-authenticated key exchange (PAKE) + * algorithm, 0 otherwise. + * This macro may return either 0 or 1 if \p alg is not a supported + * algorithm identifier. + */ +#define PSA_ALG_IS_PAKE(alg) \ + (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_PAKE) + #define PSA_ALG_HASH_MASK ((psa_algorithm_t)0x000000ff) /** MD2 */ #define PSA_ALG_MD2 ((psa_algorithm_t)0x02000001) @@ -1953,6 +1966,58 @@ #define PSA_ALG_GET_HASH(alg) \ (((alg) & 0x000000ff) == 0 ? ((psa_algorithm_t)0) : 0x02000000 | ((alg) & 0x000000ff)) +/** The Password-authenticated key exchange by juggling (J-PAKE) protocol. + * + * J-PAKE can be instantiated over finite fields or elliptic curves. This can + * be achieved by passing either #PSA_PAKE_PRIMITIVE_TYPE_FIELD or + * #PSA_PAKE_PRIMITIVE_TYPE_CURVE to #PSA_PAKE_PRIMITIVE respectively, when + * creating the cipher suite. + * + * In theory the protocol works with any non-interactive zero-knowledge proof. + * Implementations of the present specification use Schnorr NIZK and this does + * not need to be configured in the cipher suites. + * + * J-PAKE can be used with any secure cryptographic hash function, the choice + * of hash must be supplied to the psa_pake_cipher_suite() as the second + * parameter (\p hash). + * + * All the remaining parameters passed to psa_pake_cipher_suite() when creating + * the cipher suite must be 0. + * + * The key exchange flow for JPAKE is as follows: + * -# To get the first round data that needs to be sent to the peer, call + * psa_pake_get_key_share(operation, ...); + * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); + * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); + * psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE_2, ...); + * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PUBLIC_2, ...); + * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF_2, ...); + * -# To provide the first round data received from the peer to the operation, + * call + * psa_pake_set_key_share(operation, ...); + * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); + * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); + * psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE_2, ...); + * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PUBLIC_2, ...); + * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PROOF_2, ...); + * -# To get the second round data that needs to be sent to the peer, call + * psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE_3, ...); + * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PUBLIC_3, ...); + * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF_3, ...); + * -# To provide the second round data received from the peer to the operation, + * call + * psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE_3, ...); + * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PUBLIC_3, ...); + * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PROOF_3, ...); + * -# Call psa_pake_get_implicit_key() for accessing the shared secret. + * + * For more information consult the documentation of the individual + * PSA_PAKE_DATA_XXX constants. + * + * J-PAKE is standardised for example in RFC 8236 and in THREAD. + */ +#define PSA_ALG_PAKE_JPAKE ((psa_algorithm_t)0x0a000001) + /**@}*/ /** \defgroup key_lifetimes Key lifetimes @@ -2415,21 +2480,39 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) */ #define PSA_PAKE_SIDE_SERVER ((psa_pake_side_t)0x0102) -/** The pake uses finite fields. - * - * The corresponding family type is ::psa_dh_family_t. In determining a - * specific curve in the family ::psa_pake_bits_t values are interpreted in the - * exact same way as ::psa_key_bits_t would. - */ -#define PSA_PAKE_PRIMITIVE_TYPE_FIELD ((psa_pake_primitive_type_t)0x01) - -/** The pake uses elliptic curves. +/** The PAKE uses elliptic curves. * * The corresponding family type is ::psa_ecc_family_t. in determining a * specific curve in the family ::psa_pake_bits_t values are interpreted in the * exact same way as ::psa_key_bits_t would. + * + * Input and output during the operation can involve group elements and scalar + * values: + * -# The format for group elements is the same as for public keys on the + * specific curve would be. For more information, consult the documentation of + * psa_export_public_key(). + * -# The format for scalars is the same as for private keys on the specific + * curve would be. For more information, consult the documentation of + * psa_export_key(). */ -#define PSA_PAKE_PRIMITIVE_TYPE_CURVE ((psa_pake_primitive_type_t)0x02) +#define PSA_PAKE_PRIMITIVE_TYPE_CURVE ((psa_pake_primitive_type_t)0x01) + +/** The PAKE uses finite fields based Diffie-Hellman groups. + * + * The corresponding family type is ::psa_dh_family_t. In determining a + * specific group in the family ::psa_pake_bits_t values are interpreted in the + * exact same way as ::psa_key_bits_t would. + * + * Input and output during the operation can involve group elements and scalar + * values: + * -# The format for group elements is the same as for public keys on the + * specific group would be. For more information, consult the documentation of + * psa_export_public_key(). + * -# The format for scalars is the same as for private keys on the specific + * group would be. For more information, consult the documentation of + * psa_export_key(). + */ +#define PSA_PAKE_PRIMITIVE_TYPE_FIELD_DH ((psa_pake_primitive_type_t)0x02) /** Construct a PAKE primitive from type, family and bitsize. * @@ -2451,5 +2534,87 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) #define PSA_PAKE_PRIMITIVE(type, family, bits) \ ((psa_pake_primitive_t) (((type) << 24 | (persistence) << 16) | (bits))) + +/** The key share being sent to or received from the peer. + * + * Unless the documentation of the PAKE algorithm says otherwise this is a + * group element. + * + * For information regarding representation consult the documentation of + * individual ::psa_pake_primitive_type_t constants. + * + * Some PAKE protocols need to exchange several key shares. If that is the + * case, this value marks the first key share sent and the first key share + * received. For values sent or received afterwards, use + * #PSA_PAKE_DATA_KEY_SHARE_2 and #PSA_PAKE_DATA_KEY_SHARE_3. + */ +#define PSA_PAKE_DATA_KEY_SHARE ((psa_pake_data_t)0x01) + + +/** A Schnorr NIZKP public key. + * + * This is a group element. + * + * For information regarding representation consult the documentation of + * individual ::psa_pake_primitive_type_t constants. + * + * Some PAKE protocols need to perform several zero-knowledge proofs. If that + * is the case, this value marks the first public key sent and the first public + * key received. For values sent or received afterwards, use + * #PSA_PAKE_DATA_ZK_PUBLIC_2 and #PSA_PAKE_DATA_ZK_PUBLIC_3. + */ +#define PSA_PAKE_DATA_ZK_PUBLIC ((psa_pake_data_t)0x02) + + +/** A Schnorr NIZKP proof. + * + * This is a skalar value. + * + * For information regarding representation consult the documentation of + * individual ::psa_pake_primitive_type_t constants. + * + * Some PAKE protocols need to perform several zero-knowledge proofs. If that + * is the case, this value marks the first proof sent and the first proof + * received. For values sent or received afterwards, use + * #PSA_PAKE_DATA_ZK_PROOF_2 and #PSA_PAKE_DATA_ZK_PROOF_3. + */ +#define PSA_PAKE_DATA_ZK_PROOF ((psa_pake_data_t)0x03) + +/** Marks the second key share sent and received. + * + * See #PSA_PAKE_DATA_KEY_SHARE. + */ +#define PSA_PAKE_DATA_KEY_SHARE_2 ((psa_pake_data_t)0x04) + +/** Marks the second Schnorr NIZKP public key sent and received. + * + * See #PSA_PAKE_DATA_ZK_PUBLIC. + */ +#define PSA_PAKE_DATA_ZK_PUBLIC_2 ((psa_pake_data_t)0x05) + +/** Marks the second Schnorr NIZKP proof sent and received. + * + * See #PSA_PAKE_DATA_ZK_PROOF. + */ +#define PSA_PAKE_DATA_ZK_PROOF_2 ((psa_pake_data_t)0x06) + +/** Marks the third key share sent and received. + * + * See #PSA_PAKE_DATA_KEY_SHARE. + */ +#define PSA_PAKE_DATA_KEY_SHARE_3 ((psa_pake_data_t)0x07) + +/** Marks the third Schnorr NIZKP public key sent and received. + * + * See #PSA_PAKE_DATA_ZK_PUBLIC. + */ +#define PSA_PAKE_DATA_ZK_PUBLIC_3 ((psa_pake_data_t)0x08) + +/** Marks the third Schnorr NIZKP proof sent and received. + * + * See #PSA_PAKE_DATA_ZK_PROOF. + */ +#define PSA_PAKE_DATA_ZK_PROOF_3 ((psa_pake_data_t)0x09) + /**@}*/ #endif /* PSA_CRYPTO_VALUES_H */ diff --git a/tests/suites/test_suite_psa_crypto_metadata.data b/tests/suites/test_suite_psa_crypto_metadata.data index 4e2f4d5af2..0845b55d7b 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.data +++ b/tests/suites/test_suite_psa_crypto_metadata.data @@ -294,6 +294,9 @@ Key agreement: ECDH, HKDF using SHA-384 depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_384 key_agreement_algorithm:PSA_ALG_KEY_AGREEMENT( PSA_ALG_ECDH, PSA_ALG_HKDF( PSA_ALG_SHA_384 ) ):ALG_IS_ECDH:PSA_ALG_ECDH:PSA_ALG_HKDF( PSA_ALG_SHA_384 ) +PAKE: J-PAKE +pake_algorithm:PSA_ALG_PAKE_JPAKE + Key type: raw data key_type:PSA_KEY_TYPE_RAW_DATA:KEY_TYPE_IS_UNSTRUCTURED diff --git a/tests/suites/test_suite_psa_crypto_metadata.function b/tests/suites/test_suite_psa_crypto_metadata.function index 8134f44710..3ed08a6a04 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.function +++ b/tests/suites/test_suite_psa_crypto_metadata.function @@ -156,6 +156,7 @@ void mac_algorithm_core( psa_algorithm_t alg, int classification_flags, TEST_ASSERT( ! PSA_ALG_IS_ASYMMETRIC_ENCRYPTION( alg ) ); TEST_ASSERT( ! PSA_ALG_IS_KEY_AGREEMENT( alg ) ); TEST_ASSERT( ! PSA_ALG_IS_KEY_DERIVATION( alg ) ); + TEST_ASSERT( ! PSA_ALG_IS_PAKE( alg ) ); algorithm_classification( alg, classification_flags ); /* Length */ @@ -181,6 +182,7 @@ void aead_algorithm_core( psa_algorithm_t alg, int classification_flags, TEST_ASSERT( ! PSA_ALG_IS_ASYMMETRIC_ENCRYPTION( alg ) ); TEST_ASSERT( ! PSA_ALG_IS_KEY_AGREEMENT( alg ) ); TEST_ASSERT( ! PSA_ALG_IS_KEY_DERIVATION( alg ) ); + TEST_ASSERT( ! PSA_ALG_IS_PAKE( alg ) ); algorithm_classification( alg, classification_flags ); /* Tag length */ @@ -220,6 +222,7 @@ void hash_algorithm( int alg_arg, int length_arg ) TEST_ASSERT( ! PSA_ALG_IS_ASYMMETRIC_ENCRYPTION( alg ) ); TEST_ASSERT( ! PSA_ALG_IS_KEY_AGREEMENT( alg ) ); TEST_ASSERT( ! PSA_ALG_IS_KEY_DERIVATION( alg ) ); + TEST_ASSERT( ! PSA_ALG_IS_PAKE( alg ) ); algorithm_classification( alg, 0 ); /* Dependent algorithms */ @@ -362,6 +365,7 @@ void cipher_algorithm( int alg_arg, int classification_flags ) TEST_ASSERT( ! PSA_ALG_IS_ASYMMETRIC_ENCRYPTION( alg ) ); TEST_ASSERT( ! PSA_ALG_IS_KEY_AGREEMENT( alg ) ); TEST_ASSERT( ! PSA_ALG_IS_KEY_DERIVATION( alg ) ); + TEST_ASSERT( ! PSA_ALG_IS_PAKE( alg ) ); algorithm_classification( alg, classification_flags ); } /* END_CASE */ @@ -462,6 +466,7 @@ void asymmetric_signature_algorithm( int alg_arg, int classification_flags ) TEST_ASSERT( ! PSA_ALG_IS_ASYMMETRIC_ENCRYPTION( alg ) ); TEST_ASSERT( ! PSA_ALG_IS_KEY_AGREEMENT( alg ) ); TEST_ASSERT( ! PSA_ALG_IS_KEY_DERIVATION( alg ) ); + TEST_ASSERT( ! PSA_ALG_IS_PAKE( alg ) ); algorithm_classification( alg, classification_flags ); } /* END_CASE */ @@ -491,6 +496,7 @@ void asymmetric_encryption_algorithm( int alg_arg, int classification_flags ) TEST_ASSERT( PSA_ALG_IS_ASYMMETRIC_ENCRYPTION( alg ) ); TEST_ASSERT( ! PSA_ALG_IS_KEY_AGREEMENT( alg ) ); TEST_ASSERT( ! PSA_ALG_IS_KEY_DERIVATION( alg ) ); + TEST_ASSERT( ! PSA_ALG_IS_PAKE( alg ) ); algorithm_classification( alg, classification_flags ); } /* END_CASE */ @@ -511,6 +517,7 @@ void key_derivation_algorithm( int alg_arg, int classification_flags ) TEST_ASSERT( ! PSA_ALG_IS_ASYMMETRIC_ENCRYPTION( alg ) ); TEST_ASSERT( ! PSA_ALG_IS_KEY_AGREEMENT( alg ) ); TEST_ASSERT( PSA_ALG_IS_KEY_DERIVATION( alg ) ); + TEST_ASSERT( ! PSA_ALG_IS_PAKE( alg ) ); algorithm_classification( alg, classification_flags ); /* Check combinations with key agreements */ @@ -540,6 +547,7 @@ void key_agreement_algorithm( int alg_arg, int classification_flags, TEST_ASSERT( ! PSA_ALG_IS_ASYMMETRIC_ENCRYPTION( alg ) ); TEST_ASSERT( PSA_ALG_IS_KEY_AGREEMENT( alg ) ); TEST_ASSERT( ! PSA_ALG_IS_KEY_DERIVATION( alg ) ); + TEST_ASSERT( ! PSA_ALG_IS_PAKE( alg ) ); algorithm_classification( alg, classification_flags ); /* Shared secret derivation properties */ @@ -548,6 +556,24 @@ void key_agreement_algorithm( int alg_arg, int classification_flags, } /* END_CASE */ +/* BEGIN_CASE */ +void pake_algorithm( int alg_arg ) +{ + psa_algorithm_t alg = alg_arg; + + /* Algorithm classification */ + TEST_ASSERT( ! PSA_ALG_IS_HASH( alg ) ); + TEST_ASSERT( ! PSA_ALG_IS_MAC( alg ) ); + TEST_ASSERT( ! PSA_ALG_IS_CIPHER( alg ) ); + TEST_ASSERT( ! PSA_ALG_IS_AEAD( alg ) ); + TEST_ASSERT( ! PSA_ALG_IS_SIGN( alg ) ); + TEST_ASSERT( ! PSA_ALG_IS_ASYMMETRIC_ENCRYPTION( alg ) ); + TEST_ASSERT( ! PSA_ALG_IS_KEY_AGREEMENT( alg ) ); + TEST_ASSERT( ! PSA_ALG_IS_KEY_DERIVATION( alg ) ); + TEST_ASSERT( PSA_ALG_IS_PAKE( alg ) ); +} + +/* END_CASE */ /* BEGIN_CASE */ void key_type( int type_arg, int classification_flags ) { From b378d5784021405fb9801eed17a81714798532ae Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 8 Apr 2021 13:53:12 +0100 Subject: [PATCH 039/131] PSA PAKE: add output size macros Signed-off-by: Janos Follath --- include/psa/crypto_sizes.h | 50 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index 79f96739ba..8497b14d02 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h @@ -1132,4 +1132,54 @@ #define PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE \ (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE) +/** A sufficient output buffer size for psa_pake_get_key_share(). + * + * If the size of the ciphertext buffer is at least this large, it is + * guaranteed that psa_pake_get_key_share() will not fail due to an + * insufficient ciphertext buffer size. The actual size of the output might be + * smaller in any given call. + * + * See also #PSA_PAKE_OUTPUT_MAX_SIZE + * + * \param alg A PAKE algorithm (PSA_ALG_XXX value such that + * #PSA_ALG_IS_PAKE(\p alg) is true). + * \param cipher_suite A cipher suite that is compatible with algorithm \p alg. + * \return A sufficient key share buffer size for the specified + * cipher suite and algorithm. If the cipher suite or PAKE + * algorithm is not recognized, or the parameters are + * incompatible, return 0. + */ +#define PSA_PAKE_KEY_SHARE_SIZE(alg, cipher_suite) \ + (PSA_PAKE_OUTPUT_SIZE(alg, cipher_suite, PSA_PAKE_DATA_KEY_SHARE) + +/** A sufficient output buffer size for psa_pake_output(). + * + * If the size of the ciphertext buffer is at least this large, it is + * guaranteed that psa_pake_output() will not fail due to an + * insufficient ciphertext buffer size. The actual size of the output might be + * smaller in any given call. + * + * See also #PSA_PAKE_OUTPUT_MAX_SIZE + * + * \param alg A PAKE algorithm (PSA_ALG_XXX value such that + * #PSA_ALG_IS_PAKE(\p alg) is true). + * \param cipher_suite A cipher suite that is compatible with algorithm \p alg. + * \param output An output type used with algorithm \p alg. + * \return A sufficient output buffer size for the specified + * output, cipher suite and algorithm. If the cipher suite, + * the output type or PAKE algorithm is not recognized, or + * the parameters are incompatible, return 0. + */ +#define PSA_PAKE_OUTPUT_SIZE(alg, cipher_suite, output) + +/** Output buffer size for psa_pake_output() and psa_pake_get_key_share(), + * for any of the supported cipher suites and PAKE algorithms. + * + * This macro must expand to a compile-time constant integer. + * + * See also #PSA_PAKE_KEY_SHARE_SIZE(\p alg, \p cipher_suite) and + * #PSA_PAKE_OUTPUT_SIZE(\p alg, \p cipher_suite, \p output). + */ +#define PSA_PAKE_OUTPUT_MAX_SIZE + #endif /* PSA_CRYPTO_SIZES_H */ From 7f1e81a98dd783edf1d572883d11e2de5ffd9bce Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 8 Apr 2021 14:20:55 +0100 Subject: [PATCH 040/131] PSA PAKE: specify key type and usage The PSA_KEY_TYPE_PASSWORD key type to which this documentation change refers to is not yet present in the code and will be introduced by a parallel line of work. Signed-off-by: Janos Follath --- include/psa/crypto.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 88cc2d149d..79d997672e 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4266,8 +4266,10 @@ static psa_pake_operation_t psa_pake_operation_init(void); * \param password Identifier of the key holding the password or a * value derived from the password (eg. by a * memory-hard function). It must remain valid - * until the operation terminates. It must allow - * the usage #PSA_KEY_USAGE_PAKE. + * until the operation terminates. It must be of + * type #PSA_KEY_TYPE_PASSWORD or + * #PSA_KEY_TYPE_DERIVE. It has to allow the usage + * #PSA_KEY_USAGE_DERIVE. * \param alg The PAKE protocol to use * (\c PSA_ALG_XXX value such that * #PSA_ALG_IS_PAKE(\p alg) is true). From ca2c167dcbb1e46c904f32fb24c219c16a7e64ab Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 12 Apr 2021 10:00:43 +0100 Subject: [PATCH 041/131] PSA PAKE: fix doxygen warnings Signed-off-by: Janos Follath --- include/psa/crypto.h | 12 ++++++++---- include/psa/crypto_types.h | 6 +++++- include/psa/crypto_values.h | 4 ++-- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 79d997672e..8bc92e1f6c 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4267,22 +4267,26 @@ static psa_pake_operation_t psa_pake_operation_init(void); * value derived from the password (eg. by a * memory-hard function). It must remain valid * until the operation terminates. It must be of - * type #PSA_KEY_TYPE_PASSWORD or + * type PSA_KEY_TYPE_PASSWORD or * #PSA_KEY_TYPE_DERIVE. It has to allow the usage * #PSA_KEY_USAGE_DERIVE. * \param alg The PAKE protocol to use * (\c PSA_ALG_XXX value such that * #PSA_ALG_IS_PAKE(\p alg) is true). * \param cipher_suite The cipher suite to use with the PAKE algorithm. + * \param side A value of type ::psa_pake_side_t signaling the + * side of the protocol that is being set up. For + * more information see the documentation of \c + * PSA_PAKE_SIDE_XXX constants. * \param[in] user_id The user ID to authenticate with. - * \param user_id_length Size of the \p user_id buffer in bytes. + * \param user_id_len Size of the \p user_id buffer in bytes. * \param[in] peer_id The peer's ID to authenticate. - * \param peer_id_length Size of the \p peer_id buffer in bytes. + * \param peer_id_len Size of the \p peer_id buffer in bytes. * \param[in] session_data Additional session related data if it is allowed * or required by the protocol. This must be empty * if additional session data is not used by the * protocol. - * \param session_data_length Size of the \p session_data buffer in bytes. + * \param session_data_len Size of the \p session_data buffer in bytes. * * \retval #PSA_SUCCESS * Success. diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 4fa7395474..e434e01e33 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -384,7 +384,11 @@ typedef uint16_t psa_key_derivation_step_t; * @{ */ -/** \brief Encoding of the side of PAKE */ +/** \brief Encoding of the side of PAKE + * + * Encodes which side of the protocol is being executed. For more information + * see the documentation of individual PSA_PAKE_SIDE_XXX constants. + */ typedef uint16_t psa_pake_side_t; /** Encoding of input and output indicators for PAKE. diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index be3325890c..3650fd7724 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1969,7 +1969,7 @@ /** The Password-authenticated key exchange by juggling (J-PAKE) protocol. * * J-PAKE can be instantiated over finite fields or elliptic curves. This can - * be achieved by passing either #PSA_PAKE_PRIMITIVE_TYPE_FIELD or + * be achieved by passing either #PSA_PAKE_PRIMITIVE_TYPE_FIELD_DH or * #PSA_PAKE_PRIMITIVE_TYPE_CURVE to #PSA_PAKE_PRIMITIVE respectively, when * creating the cipher suite. * @@ -2446,7 +2446,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) /**@}*/ -/** \defgroup pake Password-authenticated key exchange +/** \defgroup pake Password-authenticated key exchange (PAKE) * @{ */ From 1101edb948fbe1e172eeb5a24233075e317b3b75 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 19 Apr 2021 09:34:44 +0100 Subject: [PATCH 042/131] PSA PAKE: typo fixes in documentation Also removes the mention of THREAD as we can't give a publicly available reference for it. Signed-off-by: Janos Follath --- include/psa/crypto_values.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 3650fd7724..04b0303e85 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1974,7 +1974,7 @@ * creating the cipher suite. * * In theory the protocol works with any non-interactive zero-knowledge proof. - * Implementations of the present specification use Schnorr NIZK and this does + * Implementations of the present specification use Schnorr NIZKP and this does * not need to be configured in the cipher suites. * * J-PAKE can be used with any secure cryptographic hash function, the choice @@ -2014,7 +2014,7 @@ * For more information consult the documentation of the individual * PSA_PAKE_DATA_XXX constants. * - * J-PAKE is standardised for example in RFC 8236 and in THREAD. + * J-PAKE is standardised for example in RFC 8236. */ #define PSA_ALG_PAKE_JPAKE ((psa_algorithm_t)0x0a000001) @@ -2482,7 +2482,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) /** The PAKE uses elliptic curves. * - * The corresponding family type is ::psa_ecc_family_t. in determining a + * The corresponding family type is ::psa_ecc_family_t. In determining a * specific curve in the family ::psa_pake_bits_t values are interpreted in the * exact same way as ::psa_key_bits_t would. * @@ -2523,7 +2523,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * on \p type, for more information consult the * documentation of individual ::psa_pake_primitive_type_t * constants). - * \param bits The bitwise of the primitive + * \param bits The bitsize of the primitive * (Value of type ::psa_pake_bits_t. The interpretation * of this parameter depends on \p family, for more * information consult the documentation of individual @@ -2568,7 +2568,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) /** A Schnorr NIZKP proof. * - * This is a skalar value. + * This is a scalar value. * * For information regarding representation consult the documentation of * individual ::psa_pake_primitive_type_t constants. From 020da462d27b3a1de288a93a4ad0cee215eb46b7 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 19 Apr 2021 09:43:45 +0100 Subject: [PATCH 043/131] Fix PSA_PAKE_PRIMITIVE macro Fix the typo in the macro definition and more specific parameter names allow for future scripts to check validity of arguments. Signed-off-by: Janos Follath --- include/psa/crypto_values.h | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 04b0303e85..2d86136e0f 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2516,14 +2516,14 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) /** Construct a PAKE primitive from type, family and bitsize. * - * \param type The type of the primitive + * \param pake_type The type of the primitive * (value of type ::psa_pake_primitive_type_t). - * \param family The family of the primitive + * \param pake_family The family of the primitive * (the type and interpretation of this parameter depends * on \p type, for more information consult the * documentation of individual ::psa_pake_primitive_type_t * constants). - * \param bits The bitsize of the primitive + * \param pake_bits The bitsize of the primitive * (Value of type ::psa_pake_bits_t. The interpretation * of this parameter depends on \p family, for more * information consult the documentation of individual @@ -2531,8 +2531,9 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * * \return The constructed primitive value. */ -#define PSA_PAKE_PRIMITIVE(type, family, bits) \ - ((psa_pake_primitive_t) (((type) << 24 | (persistence) << 16) | (bits))) +#define PSA_PAKE_PRIMITIVE(pake_type, pake_family, pake_bits) \ + ((psa_pake_primitive_t) (((pake_type) << 24 | \ + (pake_family) << 16) | (pake_bits))) /** The key share being sent to or received from the peer. From fb4203dcffafeb5eb047373f9e550671673933b2 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 19 Apr 2021 09:53:17 +0100 Subject: [PATCH 044/131] PSA PAKE: Call the scheme algorithm The documentation is calling PAKEs protocols but it has an psa_algorithm_t identifier. To align the terminology, the documentation should call them algorithms as well. Signed-off-by: Janos Follath --- include/psa/crypto.h | 38 ++++++++++++++++++------------------- include/psa/crypto_types.h | 6 +++--- include/psa/crypto_values.h | 22 ++++++++++----------- 3 files changed, 33 insertions(+), 33 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 8bc92e1f6c..e6e78eb1c7 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4239,9 +4239,9 @@ static psa_pake_operation_t psa_pake_operation_init(void); * -# Call psa_pake_get_implicit_key() for accessing the shared secret. * * The exact sequence of calls to perform a password-authenticated key exchange - * depends on the protocol in use: - * -# Some protocols exchange more data than just a single key share. When using - * such a protocol, call psa_pake_output() and psa_pake_input() one or more + * depends on the algorithm in use: + * -# Some algorithms exchange more data than just a single key share. When using + * such a algorithm, call psa_pake_output() and psa_pake_input() one or more * times to exchange any further data that is needed to derive the shared * secret. * @@ -4270,12 +4270,12 @@ static psa_pake_operation_t psa_pake_operation_init(void); * type PSA_KEY_TYPE_PASSWORD or * #PSA_KEY_TYPE_DERIVE. It has to allow the usage * #PSA_KEY_USAGE_DERIVE. - * \param alg The PAKE protocol to use + * \param alg The PAKE algorithm to use * (\c PSA_ALG_XXX value such that * #PSA_ALG_IS_PAKE(\p alg) is true). * \param cipher_suite The cipher suite to use with the PAKE algorithm. * \param side A value of type ::psa_pake_side_t signaling the - * side of the protocol that is being set up. For + * side of the algorithm that is being set up. For * more information see the documentation of \c * PSA_PAKE_SIDE_XXX constants. * \param[in] user_id The user ID to authenticate with. @@ -4283,9 +4283,9 @@ static psa_pake_operation_t psa_pake_operation_init(void); * \param[in] peer_id The peer's ID to authenticate. * \param peer_id_len Size of the \p peer_id buffer in bytes. * \param[in] session_data Additional session related data if it is allowed - * or required by the protocol. This must be empty + * or required by the algorithm. This must be empty * if additional session data is not used by the - * protocol. + * algorithm. * \param session_data_len Size of the \p session_data buffer in bytes. * * \retval #PSA_SUCCESS @@ -4331,7 +4331,7 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, * This function returns a simple key share (eg. group element). * * The exact sequence of calls to perform a password-authenticated key - * exchange depends on the protocol in use. Refer to the documentation of + * exchange depends on the algorithm in use. Refer to the documentation of * individual PAKE algorithm types (`PSA_ALG_XXX` values of type * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more * information. @@ -4349,7 +4349,7 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, * Success. * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, but beyond that - * validity is specific to the protocol). + * validity is specific to the algorithm). * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p key_share buffer is too small. * \retval #PSA_ERROR_INSUFFICIENT_MEMORY @@ -4369,14 +4369,14 @@ psa_status_t psa_pake_get_key_share(psa_pake_operation_t *operation, /** Get additional key share from a password-authenticated key exchange. * - * Depending on the protocol being executed, you might need to call this + * Depending on the algorithm being executed, you might need to call this * function several times or you might not need to call this at all. * * Calling this function with PSA_PAKE_DATA_KEY_SHARE as \p type is equivalent * to calling psa_pake_get_key_share(). * * The exact sequence of calls to perform a password-authenticated key - * exchange depends on the protocol in use. Refer to the documentation of + * exchange depends on the algorithm in use. Refer to the documentation of * individual PAKE algorithm types (`PSA_ALG_XXX` values of type * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more * information. @@ -4395,7 +4395,7 @@ psa_status_t psa_pake_get_key_share(psa_pake_operation_t *operation, * Success. * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, but beyond that - * validity is specific to the protocol). + * validity is specific to the algorithm). * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p output buffer is too small. * \retval #PSA_ERROR_INSUFFICIENT_MEMORY @@ -4419,7 +4419,7 @@ psa_status_t psa_pake_output(psa_pake_operation_t *operation, * This function inputs a simple key share (eg. group element). * * The exact sequence of calls to perform a password-authenticated key - * exchange depends on the protocol in use. Refer to the documentation of + * exchange depends on the algorithm in use. Refer to the documentation of * individual PAKE algorithm types (`PSA_ALG_XXX` values of type * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more * information. @@ -4432,7 +4432,7 @@ psa_status_t psa_pake_output(psa_pake_operation_t *operation, * Success. * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, but beyond that - * validity is specific to the protocol). + * validity is specific to the algorithm). * \retval #PSA_ERROR_INSUFFICIENT_MEMORY * \retval #PSA_ERROR_COMMUNICATION_FAILURE * \retval #PSA_ERROR_HARDWARE_FAILURE @@ -4449,14 +4449,14 @@ psa_status_t psa_pake_set_key_share(psa_pake_operation_t *operation, /** Provide additional peer key share for a password-authenticated key exchange. * - * Depending on the protocol being executed, you might need to call this + * Depending on the algorithm being executed, you might need to call this * function several times or you might not need to call this at all. * * Calling this function with PSA_PAKE_DATA_KEY_SHARE as \p type is equivalent * to calling psa_pake_set_key_share(). * * The exact sequence of calls to perform a password-authenticated key - * exchange depends on the protocol in use. Refer to the documentation of + * exchange depends on the algorithm in use. Refer to the documentation of * individual PAKE algorithm types (`PSA_ALG_XXX` values of type * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more * information. @@ -4473,7 +4473,7 @@ psa_status_t psa_pake_set_key_share(psa_pake_operation_t *operation, * Success. * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, but beyond that - * validity is specific to the protocol). + * validity is specific to the algorithm). * \retval #PSA_ERROR_INSUFFICIENT_MEMORY * \retval #PSA_ERROR_COMMUNICATION_FAILURE * \retval #PSA_ERROR_HARDWARE_FAILURE @@ -4498,7 +4498,7 @@ psa_status_t psa_pake_input(psa_pake_operation_t *operation, * material in the key derivation operation. * * The exact sequence of calls to perform a password-authenticated key - * exchange depends on the protocol in use. Refer to the documentation of + * exchange depends on the algorithm in use. Refer to the documentation of * individual PAKE algorithm types (`PSA_ALG_XXX` values of type * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more * information. @@ -4515,7 +4515,7 @@ psa_status_t psa_pake_input(psa_pake_operation_t *operation, * Success. * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, but beyond that - * validity is specific to the protocol). + * validity is specific to the algorithm). * \retval #PSA_ERROR_BAD_STATE * The state of \p output is not valid for * the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index e434e01e33..8635afd74d 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -386,16 +386,16 @@ typedef uint16_t psa_key_derivation_step_t; /** \brief Encoding of the side of PAKE * - * Encodes which side of the protocol is being executed. For more information + * Encodes which side of the algorithm is being executed. For more information * see the documentation of individual PSA_PAKE_SIDE_XXX constants. */ typedef uint16_t psa_pake_side_t; /** Encoding of input and output indicators for PAKE. * - * Some PAKE protocols need to exchange more data than just a single key share. + * Some PAKE algorithms need to exchange more data than just a single key share. * This type is for encoding additional input and output data for such - * protocols. + * algorithms. */ typedef uint8_t psa_pake_data_t; diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 2d86136e0f..4a6b06c76e 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1966,14 +1966,14 @@ #define PSA_ALG_GET_HASH(alg) \ (((alg) & 0x000000ff) == 0 ? ((psa_algorithm_t)0) : 0x02000000 | ((alg) & 0x000000ff)) -/** The Password-authenticated key exchange by juggling (J-PAKE) protocol. +/** The Password-authenticated key exchange by juggling (J-PAKE) algorithm. * * J-PAKE can be instantiated over finite fields or elliptic curves. This can * be achieved by passing either #PSA_PAKE_PRIMITIVE_TYPE_FIELD_DH or * #PSA_PAKE_PRIMITIVE_TYPE_CURVE to #PSA_PAKE_PRIMITIVE respectively, when * creating the cipher suite. * - * In theory the protocol works with any non-interactive zero-knowledge proof. + * In theory the algorithm works with any non-interactive zero-knowledge proof. * Implementations of the present specification use Schnorr NIZKP and this does * not need to be configured in the cipher suites. * @@ -2452,8 +2452,8 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) /** The first peer in a balanced PAKE. * - * Although balanced PAKE protocols are symmetric, some of them needs an - * ordering of peers for the transcript calculations. If the protocol does not + * Although balanced PAKE algorithms are symmetric, some of them needs an + * ordering of peers for the transcript calculations. If the algorithm does not * need this, either #PSA_PAKE_SIDE_FIRST or #PSA_PAKE_SIDE_SECOND are * accepted. */ @@ -2461,8 +2461,8 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) /** The second peer in a balanced PAKE. * - * Although balanced PAKE protocols are symmetric, some of them needs an - * ordering of peers for the transcript calculations. If the protocol does not + * Although balanced PAKE algorithms are symmetric, some of them needs an + * ordering of peers for the transcript calculations. If the algorithm does not * need this, either #PSA_PAKE_SIDE_FIRST or #PSA_PAKE_SIDE_SECOND are * accepted. */ @@ -2470,13 +2470,13 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) /** The client in an augmented PAKE. * - * Augmented PAKE protocols need to differentiate between client and server. + * Augmented PAKE algorithms need to differentiate between client and server. */ #define PSA_PAKE_SIDE_CLIENT ((psa_pake_side_t)0x0101) /** The server in an augmented PAKE. * - * Augmented PAKE protocols need to differentiate between client and server. + * Augmented PAKE algorithms need to differentiate between client and server. */ #define PSA_PAKE_SIDE_SERVER ((psa_pake_side_t)0x0102) @@ -2544,7 +2544,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * For information regarding representation consult the documentation of * individual ::psa_pake_primitive_type_t constants. * - * Some PAKE protocols need to exchange several key shares. If that is the + * Some PAKE algorithms need to exchange several key shares. If that is the * case, this value marks the first key share sent and the first key share * received. For values sent or received afterwards, use * #PSA_PAKE_DATA_KEY_SHARE_2 and #PSA_PAKE_DATA_KEY_SHARE_3. @@ -2559,7 +2559,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * For information regarding representation consult the documentation of * individual ::psa_pake_primitive_type_t constants. * - * Some PAKE protocols need to perform several zero-knowledge proofs. If that + * Some PAKE algorithms need to perform several zero-knowledge proofs. If that * is the case, this value marks the first public key sent and the first public * key received. For values sent or received afterwards, use * #PSA_PAKE_DATA_ZK_PUBLIC_2 and #PSA_PAKE_DATA_ZK_PUBLIC_3. @@ -2574,7 +2574,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * For information regarding representation consult the documentation of * individual ::psa_pake_primitive_type_t constants. * - * Some PAKE protocols need to perform several zero-knowledge proofs. If that + * Some PAKE algorithms need to perform several zero-knowledge proofs. If that * is the case, this value marks the first proof sent and the first proof * received. For values sent or received afterwards, use * #PSA_PAKE_DATA_ZK_PROOF_2 and #PSA_PAKE_DATA_ZK_PROOF_3. From 7ebcbf34f99c62581f83c32e2dc294418c3af8cd Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 19 Apr 2021 13:57:13 +0100 Subject: [PATCH 045/131] Remove psa_pake_get/set_key_share() functions The main purpose of psa_pake_get_key_share() is to provide a more straightforward and convenient call flow for regular PAKEs. Most PAKEs have a single key share and need a flow like this: op=PSA_PAKE_OPERATION_INIT; psa_pake_setup(); psa_pake_get_key_share(); psa_pake_set_key_share(); psa_pake_get_implicit_key(); Adding psa_pake_get/set_key_share() functions cuts out the psa_pake_data_t constants from the users vision, hiding complexity that exists only for unrelated PAKEs that aren't relevant for the user. This comes with the cost of the two additional API functions that we need to maintain. Since the current stream of work focuses on enabling J-PAKE, there are no benefits to these functions for now. Once algorithms that can benefit from this simplification are added, adding back these functions can be reconsidered. Signed-off-by: Janos Follath --- include/psa/crypto.h | 88 ++----------------------------------- include/psa/crypto_sizes.h | 24 +--------- include/psa/crypto_values.h | 4 +- 3 files changed, 8 insertions(+), 108 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index e6e78eb1c7..632006dfbc 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4232,10 +4232,10 @@ static psa_pake_operation_t psa_pake_operation_init(void); * * A typical sequence of calls to perform a password-authenticated key * exchange: - * -# Call psa_pake_get_key_share() to get the key share that needs to be sent - * to the peer. - * -# Call psa_pake_set_key_share() to provide the key share that was received - * from the peer. + * -# Call psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE, ...) to get the + * key share that needs to be sent to the peer. + * -# Call psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE, ...) to provide + * the key share that was received from the peer. * -# Call psa_pake_get_implicit_key() for accessing the shared secret. * * The exact sequence of calls to perform a password-authenticated key exchange @@ -4326,55 +4326,11 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, const uint8_t *session_data, size_t session_data_len); -/** Get the key share from a password-authenticated key exchange operation. - * - * This function returns a simple key share (eg. group element). - * - * The exact sequence of calls to perform a password-authenticated key - * exchange depends on the algorithm in use. Refer to the documentation of - * individual PAKE algorithm types (`PSA_ALG_XXX` values of type - * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - * information. - * - * If this function returns an error status, the operation enters an error - * state and must be aborted by calling psa_pake_abort(). - * - * \param[in,out] operation Active PAKE operation. - * \param[out] key_share Buffer where the key share is to be written. - * \param key_share_size Size of the \p key_share buffer in bytes. - * \param[out] key_share_length On success, the number of bytes of the - * returned key_share. - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must be active, but beyond that - * validity is specific to the algorithm). - * \retval #PSA_ERROR_BUFFER_TOO_SMALL - * The size of the \p key_share buffer is too small. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_BAD_STATE - * The library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. - */ -psa_status_t psa_pake_get_key_share(psa_pake_operation_t *operation, - uint8_t *key_share, - size_t key_share_size, - size_t *key_share_length); - /** Get additional key share from a password-authenticated key exchange. * * Depending on the algorithm being executed, you might need to call this * function several times or you might not need to call this at all. * - * Calling this function with PSA_PAKE_DATA_KEY_SHARE as \p type is equivalent - * to calling psa_pake_get_key_share(). - * * The exact sequence of calls to perform a password-authenticated key * exchange depends on the algorithm in use. Refer to the documentation of * individual PAKE algorithm types (`PSA_ALG_XXX` values of type @@ -4414,47 +4370,11 @@ psa_status_t psa_pake_output(psa_pake_operation_t *operation, size_t output_size, size_t *output_length); -/** Provide peer key share to a password-authenticated key exchange operation. - * - * This function inputs a simple key share (eg. group element). - * - * The exact sequence of calls to perform a password-authenticated key - * exchange depends on the algorithm in use. Refer to the documentation of - * individual PAKE algorithm types (`PSA_ALG_XXX` values of type - * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - * information. - * - * \param[in,out] operation Active PAKE operation. - * \param[in] key_share Buffer containing the peer's key share. - * \param key_share_length Size of the \p key_share buffer in bytes. - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must be active, but beyond that - * validity is specific to the algorithm). - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_BAD_STATE - * The library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. - */ -psa_status_t psa_pake_set_key_share(psa_pake_operation_t *operation, - const uint8_t *key_share, - size_t key_share_length); - /** Provide additional peer key share for a password-authenticated key exchange. * * Depending on the algorithm being executed, you might need to call this * function several times or you might not need to call this at all. * - * Calling this function with PSA_PAKE_DATA_KEY_SHARE as \p type is equivalent - * to calling psa_pake_set_key_share(). - * * The exact sequence of calls to perform a password-authenticated key * exchange depends on the algorithm in use. Refer to the documentation of * individual PAKE algorithm types (`PSA_ALG_XXX` values of type diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index 8497b14d02..482ff6806d 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h @@ -1132,26 +1132,6 @@ #define PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE \ (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE) -/** A sufficient output buffer size for psa_pake_get_key_share(). - * - * If the size of the ciphertext buffer is at least this large, it is - * guaranteed that psa_pake_get_key_share() will not fail due to an - * insufficient ciphertext buffer size. The actual size of the output might be - * smaller in any given call. - * - * See also #PSA_PAKE_OUTPUT_MAX_SIZE - * - * \param alg A PAKE algorithm (PSA_ALG_XXX value such that - * #PSA_ALG_IS_PAKE(\p alg) is true). - * \param cipher_suite A cipher suite that is compatible with algorithm \p alg. - * \return A sufficient key share buffer size for the specified - * cipher suite and algorithm. If the cipher suite or PAKE - * algorithm is not recognized, or the parameters are - * incompatible, return 0. - */ -#define PSA_PAKE_KEY_SHARE_SIZE(alg, cipher_suite) \ - (PSA_PAKE_OUTPUT_SIZE(alg, cipher_suite, PSA_PAKE_DATA_KEY_SHARE) - /** A sufficient output buffer size for psa_pake_output(). * * If the size of the ciphertext buffer is at least this large, it is @@ -1172,8 +1152,8 @@ */ #define PSA_PAKE_OUTPUT_SIZE(alg, cipher_suite, output) -/** Output buffer size for psa_pake_output() and psa_pake_get_key_share(), - * for any of the supported cipher suites and PAKE algorithms. +/** Output buffer size for psa_pake_output() for any of the supported cipher + * suites and PAKE algorithms. * * This macro must expand to a compile-time constant integer. * diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 4a6b06c76e..1e8c9fe38d 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1986,7 +1986,7 @@ * * The key exchange flow for JPAKE is as follows: * -# To get the first round data that needs to be sent to the peer, call - * psa_pake_get_key_share(operation, ...); + * psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE, ...); * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); * psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE_2, ...); @@ -1994,7 +1994,7 @@ * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF_2, ...); * -# To provide the first round data received from the peer to the operation, * call - * psa_pake_set_key_share(operation, ...); + * psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE, ...); * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); * psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE_2, ...); From ef1b8c9a76167937dd7e79f538250c3a309c9c7f Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 19 Apr 2021 14:35:03 +0100 Subject: [PATCH 046/131] PSA PAKE: Relate JPAKE documentation to RFC8236 Signed-off-by: Janos Follath --- include/psa/crypto_values.h | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 1e8c9fe38d..21d0202ffc 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1986,30 +1986,50 @@ * * The key exchange flow for JPAKE is as follows: * -# To get the first round data that needs to be sent to the peer, call + * // Get g1 * psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE, ...); + * // Get the ZKP public key for x1 * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); + * // Get the ZKP proof for x1 * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); + * // Get g2 * psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE_2, ...); + * // Get the ZKP public key for x2 * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PUBLIC_2, ...); + * // Get the ZKP proof for x2 * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF_2, ...); * -# To provide the first round data received from the peer to the operation, * call + * // Set g3 * psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE, ...); + * // Set the ZKP public key for x3 * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); + * // Set the ZKP proof for x3 * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); + * // Set g4 * psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE_2, ...); + * // Set the ZKP public key for x4 * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PUBLIC_2, ...); + * // Set the ZKP proof for x4 * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PROOF_2, ...); * -# To get the second round data that needs to be sent to the peer, call + * // Get A * psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE_3, ...); + * // Get ZKP public key for x2*s * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PUBLIC_3, ...); + * // Get ZKP proof for x2*s * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF_3, ...); * -# To provide the second round data received from the peer to the operation, * call + * // Set B * psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE_3, ...); + * // Set ZKP public key for x4*s * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PUBLIC_3, ...); + * // Set ZKP proof for x4*s * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PROOF_3, ...); - * -# Call psa_pake_get_implicit_key() for accessing the shared secret. + * -# To access the shared secret call + * // Get Ka=Kb=K + * psa_pake_get_implicit_key() * * For more information consult the documentation of the individual * PSA_PAKE_DATA_XXX constants. From 8005e8a167c196f1b10bdaf924c14eadc47bf629 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 19 Apr 2021 14:46:54 +0100 Subject: [PATCH 047/131] Shrink psa_pake_side_t to uint8_t Signed-off-by: Janos Follath --- include/psa/crypto_types.h | 2 +- include/psa/crypto_values.h | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 8635afd74d..3ec77f28f8 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -389,7 +389,7 @@ typedef uint16_t psa_key_derivation_step_t; * Encodes which side of the algorithm is being executed. For more information * see the documentation of individual PSA_PAKE_SIDE_XXX constants. */ -typedef uint16_t psa_pake_side_t; +typedef uint8_t psa_pake_side_t; /** Encoding of input and output indicators for PAKE. * diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 21d0202ffc..0e3d9231a8 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2477,7 +2477,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * need this, either #PSA_PAKE_SIDE_FIRST or #PSA_PAKE_SIDE_SECOND are * accepted. */ -#define PSA_PAKE_SIDE_FIRST ((psa_pake_side_t)0x0001) +#define PSA_PAKE_SIDE_FIRST ((psa_pake_side_t)0x01) /** The second peer in a balanced PAKE. * @@ -2486,19 +2486,19 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * need this, either #PSA_PAKE_SIDE_FIRST or #PSA_PAKE_SIDE_SECOND are * accepted. */ -#define PSA_PAKE_SIDE_SECOND ((psa_pake_side_t)0x0002) +#define PSA_PAKE_SIDE_SECOND ((psa_pake_side_t)0x02) /** The client in an augmented PAKE. * * Augmented PAKE algorithms need to differentiate between client and server. */ -#define PSA_PAKE_SIDE_CLIENT ((psa_pake_side_t)0x0101) +#define PSA_PAKE_SIDE_CLIENT ((psa_pake_side_t)0x11) /** The server in an augmented PAKE. * * Augmented PAKE algorithms need to differentiate between client and server. */ -#define PSA_PAKE_SIDE_SERVER ((psa_pake_side_t)0x0102) +#define PSA_PAKE_SIDE_SERVER ((psa_pake_side_t)0x12) /** The PAKE uses elliptic curves. * From 8603fb09fe6864ad2be31ab996c6524bff129045 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 19 Apr 2021 15:12:46 +0100 Subject: [PATCH 048/131] PSA PAKE: add to PSA constant name test Signed-off-by: Janos Follath --- scripts/mbedtls_dev/macro_collector.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/mbedtls_dev/macro_collector.py b/scripts/mbedtls_dev/macro_collector.py index 0e76435f38..395e038ca1 100644 --- a/scripts/mbedtls_dev/macro_collector.py +++ b/scripts/mbedtls_dev/macro_collector.py @@ -95,6 +95,7 @@ class PSAMacroEnumerator: self.mac_algorithms = set() #type: Set[str] self.ka_algorithms = set() #type: Set[str] self.kdf_algorithms = set() #type: Set[str] + self.pake_algorithms = set() #type: Set[str] self.aead_algorithms = set() #type: Set[str] # macro name -> list of argument names self.argspecs = {} #type: Dict[str, List[str]] @@ -364,6 +365,7 @@ enumerate 'asymmetric_signature_algorithm': [], 'asymmetric_signature_wildcard': [self.algorithms], 'asymmetric_encryption_algorithm': [], + 'pake_algorithm': [self.pake_algorithms], 'other_algorithm': [], } #type: Dict[str, List[Set[str]]] self.arguments_for['mac_length'] += ['1', '63'] @@ -389,6 +391,7 @@ enumerate self.mac_algorithms.add('0x03007fff') self.ka_algorithms.add('0x09fc0000') self.kdf_algorithms.add('0x080000ff') + self.pake_algorithms.add('0x0a0000ff') # For AEAD algorithms, the only variability is over the tag length, # and this only applies to known algorithms, so don't test an # unknown algorithm. From 2ba6079d473971b7271ca469b68ac2e4b72ff1a9 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 28 Apr 2021 09:37:34 +0100 Subject: [PATCH 049/131] PSA: fix wording for implementation defined types There were remnants of the PSA specification wording in the documentation that can be confusing in Mbed TLS. We need to make it clear what the consequences of being implementation defined are in Mbed TLS. Signed-off-by: Janos Follath --- include/psa/crypto.h | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 632006dfbc..074cc93e17 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -938,8 +938,8 @@ psa_status_t psa_hash_compare(psa_algorithm_t alg, * \endcode * * This is an implementation-defined \c struct. Applications should not - * make any assumptions about the content of this structure except - * as directed by the documentation of a specific implementation. */ + * make any assumptions about the content of this structure. + * Implementation details can change in future versions without notice. */ typedef struct psa_hash_operation_s psa_hash_operation_t; /** \def PSA_HASH_OPERATION_INIT @@ -1307,9 +1307,10 @@ psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key, * operation = psa_mac_operation_init(); * \endcode * + * * This is an implementation-defined \c struct. Applications should not - * make any assumptions about the content of this structure except - * as directed by the documentation of a specific implementation. */ + * make any assumptions about the content of this structure. + * Implementation details can change in future versions without notice. */ typedef struct psa_mac_operation_s psa_mac_operation_t; /** \def PSA_MAC_OPERATION_INIT @@ -1732,8 +1733,8 @@ psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key, * \endcode * * This is an implementation-defined \c struct. Applications should not - * make any assumptions about the content of this structure except - * as directed by the documentation of a specific implementation. */ + * make any assumptions about the content of this structure. + * Implementation details can change in future versions without notice. */ typedef struct psa_cipher_operation_s psa_cipher_operation_t; /** \def PSA_CIPHER_OPERATION_INIT @@ -2261,8 +2262,8 @@ psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key, * \endcode * * This is an implementation-defined \c struct. Applications should not - * make any assumptions about the content of this structure except - * as directed by the documentation of a specific implementation. */ + * make any assumptions about the content of this structure. + * Implementation details can change in future versions without notice. */ typedef struct psa_aead_operation_s psa_aead_operation_t; /** \def PSA_AEAD_OPERATION_INIT @@ -3260,8 +3261,8 @@ psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key, * \endcode * * This is an implementation-defined \c struct. Applications should not - * make any assumptions about the content of this structure except - * as directed by the documentation of a specific implementation. + * make any assumptions about the content of this structure. + * Implementation details can change in future versions without notice. */ typedef struct psa_key_derivation_s psa_key_derivation_operation_t; @@ -4134,8 +4135,8 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, /** The type of the data strucure for PAKE cipher suites. * * This is an implementation-defined \c struct. Applications should not - * make any assumptions about the content of this structure except - * as directed by the documentation of a specific implementation. + * make any assumptions about the content of this structure. + * Implementation details can change in future versions without notice. */ typedef struct psa_pake_cipher_suite_s psa_pake_cipher_suite_t; @@ -4198,8 +4199,8 @@ static psa_pake_cipher_suite_t psa_pake_cipher_suite( * \endcode * * This is an implementation-defined \c struct. Applications should not - * make any assumptions about the content of this structure except - * as directed by the documentation of a specific implementation. */ + * make any assumptions about the content of this structure. + * Implementation details can change in future versions without notice. */ typedef struct psa_pake_operation_s psa_pake_operation_t; /** \def PSA_PAKE_OPERATION_INIT From fc3577daae6058b01c89cebb1b067c9712e85c62 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 28 Apr 2021 09:51:55 +0100 Subject: [PATCH 050/131] Remove reference to PSA_PAKE_KEY_SHARE_SIZE The macro PSA_PAKE_KEY_SHARE_SIZE has been removed, we need to remove references to it from the documentation as well. Signed-off-by: Janos Follath --- include/psa/crypto_sizes.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index 482ff6806d..bb01d53158 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h @@ -1157,8 +1157,7 @@ * * This macro must expand to a compile-time constant integer. * - * See also #PSA_PAKE_KEY_SHARE_SIZE(\p alg, \p cipher_suite) and - * #PSA_PAKE_OUTPUT_SIZE(\p alg, \p cipher_suite, \p output). + * See also #PSA_PAKE_OUTPUT_SIZE(\p alg, \p cipher_suite, \p output). */ #define PSA_PAKE_OUTPUT_MAX_SIZE From 82b54b96d3e5be4d491a17e9e369a973bd51cbff Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 28 Apr 2021 13:47:12 +0100 Subject: [PATCH 051/131] PSA PAKE: Align macro names In the key types API, PSA Crypto uses ECC to denote Elliptic curve cryptography and DH to denote Finite Field Diffie-Hellman. Change PSA_PAKE_PRIMITIVE_TYPE_XXX macros to be aligned. Signed-off-by: Janos Follath --- include/psa/crypto_values.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 0e3d9231a8..9a9f69e611 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1969,8 +1969,8 @@ /** The Password-authenticated key exchange by juggling (J-PAKE) algorithm. * * J-PAKE can be instantiated over finite fields or elliptic curves. This can - * be achieved by passing either #PSA_PAKE_PRIMITIVE_TYPE_FIELD_DH or - * #PSA_PAKE_PRIMITIVE_TYPE_CURVE to #PSA_PAKE_PRIMITIVE respectively, when + * be achieved by passing either #PSA_PAKE_PRIMITIVE_TYPE_DH or + * #PSA_PAKE_PRIMITIVE_TYPE_ECC to #PSA_PAKE_PRIMITIVE respectively, when * creating the cipher suite. * * In theory the algorithm works with any non-interactive zero-knowledge proof. @@ -2515,7 +2515,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * curve would be. For more information, consult the documentation of * psa_export_key(). */ -#define PSA_PAKE_PRIMITIVE_TYPE_CURVE ((psa_pake_primitive_type_t)0x01) +#define PSA_PAKE_PRIMITIVE_TYPE_ECC ((psa_pake_primitive_type_t)0x01) /** The PAKE uses finite fields based Diffie-Hellman groups. * @@ -2532,7 +2532,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * group would be. For more information, consult the documentation of * psa_export_key(). */ -#define PSA_PAKE_PRIMITIVE_TYPE_FIELD_DH ((psa_pake_primitive_type_t)0x02) +#define PSA_PAKE_PRIMITIVE_TYPE_DH ((psa_pake_primitive_type_t)0x02) /** Construct a PAKE primitive from type, family and bitsize. * From cd56ff9c596d591e738b54ee274ff6082d0d6b81 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 30 Apr 2021 11:51:55 +0100 Subject: [PATCH 052/131] PSA PAKE: make cipher suite opaque Hiding the structure of the cipher suite implementation allows for greater flexibility. To preserve maximum flexibility, the constructor is replaced by individual setter/getter functions. Convenience macros and or functions can be added later. Signed-off-by: Janos Follath --- include/psa/crypto.h | 200 +++++++++++++++++++++++++++++++----- include/psa/crypto_struct.h | 94 ++++++++++++----- include/psa/crypto_values.h | 21 ++-- 3 files changed, 256 insertions(+), 59 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 074cc93e17..9220b2ea79 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4140,38 +4140,188 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, */ typedef struct psa_pake_cipher_suite_s psa_pake_cipher_suite_t; -/** Construct a cipher suite for a password-authenticated key exchange. +/** Retrieve the PAKE algorithm from a PAKE cipher suite. * - * \param primitive The primitive used in the cipher suite. - * \param hash The hash involved in the cipher suite. - * (`PSA_ALG_XXX` values of type ::psa_algorithm_t - * such that #PSA_ALG_IS_HASH(\c alg) is true.) - * \param algorithm1 Additional algorithm if needed in the cipher suite, - * 0 otherwise. - * \param bits1 A bit size qualifier if needed for \p algorithm1, - * 0 otherwise. - * \param algorithm2 Additional algorithm if needed in the cipher suite, - * 0 otherwise. - * \param bits2 A bit size qualifier if needed for \p algorithm2, - * 0 otherwise. - * \param options Additional options to be included with the cipher - * suite if needed, 0 otherwise. + * This function may be declared as `static` (i.e. without external + * linkage). This function may be provided as a function-like macro, + * but in this case it must evaluate its argument exactly once. + * + * \param[in] cipher_suite The cipher suite structure to query. + * + * \return The PAKE algorithm stored in the cipher suite structure. + */ +static psa_algorithm_t psa_pake_cs_get_algorithm( + const psa_pake_cipher_suite_t* cipher_suite + ); + +/** Declare the PAKE algorithm for the cipher suite. + * + * This function overwrites any PAKE algorithm + * previously set in \p cipher_suite. + * + * This function may be declared as `static` (i.e. without external + * linkage). This function may be provided as a function-like macro, + * but in this case it must evaluate each of its arguments exactly once. + * + * \param[out] cipher_suite The cipher suite structure to write to. + * \param algorithm The PAKE algorithm to write. + * (`PSA_ALG_XXX` values of type ::psa_algorithm_t + * such that #PSA_ALG_IS_PAKE(\c alg) is true.) + * If this is 0, the PAKE algorithm in + * \p cipher_suite becomes unspecified. + */ +static void psa_pake_cs_set_algorithm( + psa_pake_cipher_suite_t* cipher_suite, + psa_algorithm_t algorithm + ); + +/** Retrieve the primitive type from a PAKE cipher suite. + * + * This function may be declared as `static` (i.e. without external linkage). + * This function may be provided as a function-like macro, but in this case it + * must evaluate its argument exactly once. * * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) * for more information. * - * \retval The constructed cipher suite. + * \param[in] cipher_suite The cipher suite structure to query. + * + * \return The primitive type stored in the cipher suite structure. */ -static psa_pake_cipher_suite_t psa_pake_cipher_suite( - psa_pake_primitive_t primitive, - psa_algorithm_t hash, - psa_algorithm_t algorithm1, - psa_pake_bits_t bits1, - psa_algorithm_t algorithm2, - psa_pake_bits_t bits2, - psa_pake_cipher_suite_options_t options - ); +static psa_pake_primitive_type_t psa_pake_cs_get_type( + const psa_pake_cipher_suite_t* cipher_suite + ); + +/** Declare the primitive type for a PAKE cipher suite. + * + * This function overwrites any primitive type + * previously set in \p cipher_suite. + * + * This function may be declared as `static` (i.e. without external + * linkage). This function may be provided as a function-like macro, + * but in this case it must evaluate each of its arguments exactly once. + * + * \param[out] cipher_suite The cipher suite structure to write to. + * \param type The primitive type to write. + * If this is 0, the primitive type in + * \p cipher_suite becomes unspecified. + */ +static void psa_pake_cs_set_type( + psa_pake_cipher_suite_t* cipher_suite, + psa_pake_primitive_type_t type + ); + +/** Retrieve the primitive family from a PAKE cipher suite. + * + * This function may be declared as `static` (i.e. without external + * linkage). This function may be provided as a function-like macro, + * but in this case it must evaluate its argument exactly once. + * + * \param[in] cipher_suite The cipher suite structure to query. + * + * \return The primitive family stored in the cipher suite structure. + */ +static uint8_t psa_pake_cs_get_family( + const psa_pake_cipher_suite_t* cipher_suite + ); + +/** Declare the primitive family for a PAKE cipher suite. + * + * This function overwrites any primitive family + * previously set in \p cipher_suite. + * + * This function may be declared as `static` (i.e. without external + * linkage). This function may be provided as a function-like macro, + * but in this case it must evaluate each of its arguments exactly once. + * + * \param[out] cipher_suite The cipher suite structure to write to. + * \param family The primitive family to write. + * If this is 0, the primitive family in + * \p cipher_suite becomes unspecified. The + * interpretation of this parameter depends on + * the primitive type, for more information consult the + * documentation of individual + * ::psa_pake_primitive_type_t constants). + */ +static void psa_pake_cs_set_family( + psa_pake_cipher_suite_t* cipher_suite, + uint8_t family + ); + +/** Retrieve the primitive bits from a PAKE cipher suite. + * + * This function may be declared as `static` (i.e. without external + * linkage). This function may be provided as a function-like macro, + * but in this case it must evaluate its argument exactly once. + * + * \param[in] cipher_suite The cipher suite structure to query. + * + * \return The primitive bits stored in the cipher suite structure. + */ +static size_t psa_pake_cs_get_bits(const psa_pake_cipher_suite_t* cipher_suite); + +/** Declare the primitive bits for a PAKE cipher suite. + * + * This function overwrites any primitive bits + * previously set in \p cipher_suite. + * + * This function may be declared as `static` (i.e. without external + * linkage). This function may be provided as a function-like macro, + * but in this case it must evaluate each of its arguments exactly once. + * + * \param[out] cipher_suite The cipher suite structure to write to. + * \param bits The primitive bits to write. + * If this is 0, the primitive bits in + * \p cipher_suite becomes unspecified. The + * interpretation of this parameter depends on + * the family, for more information consult the + * documentation of individual + * ::psa_pake_primitive_type_t constants). + */ +static void psa_pake_cs_set_bits( + psa_pake_cipher_suite_t* cipher_suite, + size_t bits + ); + +/** Retrieve the hash algorithm from a PAKE cipher suite. + * + * This function may be declared as `static` (i.e. without external + * linkage). This function may be provided as a function-like macro, + * but in this case it must evaluate its argument exactly once. + * + * \param[in] cipher_suite The cipher suite structure to query. + * + * \return The hash algorithm stored in the cipher suite structure. + */ +static psa_algorithm_t psa_pake_cs_get_hash( + const psa_pake_cipher_suite_t* cipher_suite + ); + +/** Declare the hash algorithm for a PAKE cipher suite. + * + * This function overwrites any hash algorithm + * previously set in \p cipher_suite. + * + * This function may be declared as `static` (i.e. without external + * linkage). This function may be provided as a function-like macro, + * but in this case it must evaluate each of its arguments exactly once. + * + * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + * for more information. + * + * \param[out] cipher_suite The cipher suite structure to write to. + * \param hash The hash involved in the cipher suite. + * (`PSA_ALG_XXX` values of type ::psa_algorithm_t + * such that #PSA_ALG_IS_HASH(\c alg) is true.) + * If this is 0, the hash algorithm in + * \p cipher_suite becomes unspecified. + */ +static void psa_pake_cs_set_hash( + psa_pake_cipher_suite_t* cipher_suite, + psa_algorithm_t hash + ); /** The type of the state data structure for PAKE operations. * diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index f289caf16b..881abcb2a7 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -463,36 +463,82 @@ static inline size_t psa_get_key_bits( struct psa_pake_cipher_suite_s { - psa_pake_primitive_t primitive; + psa_algorithm_t algorithm; + psa_pake_primitive_type_t type; + uint8_t family; + size_t bits; psa_algorithm_t hash; - psa_algorithm_t algorithm1; - psa_pake_bits_t bits1; - psa_algorithm_t algorithm2; - psa_pake_bits_t bits2; - psa_pake_cipher_suite_options_t options; }; -static inline struct psa_pake_cipher_suite_s psa_pake_cipher_suite( - psa_pake_primitive_t primitive, - psa_algorithm_t hash, - psa_algorithm_t algorithm1, - psa_pake_bits_t bits1, - psa_algorithm_t algorithm2, - psa_pake_bits_t bits2, - psa_pake_cipher_suite_options_t options - ) +static inline void psa_pake_cs_set_algorithm( + psa_pake_cipher_suite_t *cipher_suite, + psa_algorithm_t algorithm) { - struct psa_pake_cipher_suite_s cipher_suite; + if( !PSA_ALG_IS_PAKE(algorithm) ) + cipher_suite->algorithm = 0; + else + cipher_suite->algorithm = algorithm; +} - cipher_suite.primitive = primitive; - cipher_suite.hash = hash; - cipher_suite.algorithm1 = algorithm1; - cipher_suite.bits1 = bits1; - cipher_suite.algorithm2 = algorithm2; - cipher_suite.bits2 = bits2; - cipher_suite.options = options; +static inline psa_algorithm_t psa_pake_cs_get_algorithm( + const psa_pake_cipher_suite_t *cipher_suite) +{ + return( cipher_suite->algorithm ); +} - return cipher_suite; +static inline psa_pake_primitive_type_t psa_pake_cs_get_type( + const psa_pake_cipher_suite_t *cipher_suite) +{ + return( cipher_suite->type ); +} + +static inline void psa_pake_cs_set_type( + psa_pake_cipher_suite_t *cipher_suite, + psa_pake_primitive_type_t type) +{ + cipher_suite->type = type; +} + +static inline uint8_t psa_pake_cs_get_family( + const psa_pake_cipher_suite_t *cipher_suite) +{ + return( cipher_suite->family ); +} + +static inline void psa_pake_cs_set_family( + psa_pake_cipher_suite_t *cipher_suite, + uint8_t family) +{ + cipher_suite->family = family; +} + +static inline size_t psa_pake_cs_get_bits( + const psa_pake_cipher_suite_t *cipher_suite) +{ + return( cipher_suite->bits ); +} + +static inline void psa_pake_cs_set_bits( + psa_pake_cipher_suite_t *cipher_suite, + size_t bits) +{ + cipher_suite->bits = bits; +} + +static inline psa_algorithm_t psa_pake_cs_get_hash( + const psa_pake_cipher_suite_t *cipher_suite) +{ + return( cipher_suite->hash ); +} + +static inline void psa_pake_cs_set_hash( + psa_pake_cipher_suite_t *cipher_suite, + psa_algorithm_t hash) +{ + if( !PSA_ALG_IS_HASH(hash) ) + cipher_suite->hash = 0; + else + cipher_suite->hash = hash; } struct psa_pake_operation_s diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 9a9f69e611..bed48f79c4 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1969,21 +1969,22 @@ /** The Password-authenticated key exchange by juggling (J-PAKE) algorithm. * * J-PAKE can be instantiated over finite fields or elliptic curves. This can - * be achieved by passing either #PSA_PAKE_PRIMITIVE_TYPE_DH or - * #PSA_PAKE_PRIMITIVE_TYPE_ECC to #PSA_PAKE_PRIMITIVE respectively, when - * creating the cipher suite. + * be achieved by setting either #PSA_PAKE_PRIMITIVE_TYPE_DH or + * #PSA_PAKE_PRIMITIVE_TYPE_ECC respectively in the cipher suite (see + * ::psa_pake_cipher_suite_t) via psa_pake_cs_set_type(). (Before using the + * cipher suite the field or curve must be fully specified by calling + * psa_pake_cs_set_family() and psa_pake_cs_set_bits() as well. For more + * information refer to the documentation of the individual + * `PSA_PAKE_PRIMITIVE_TYPE_XXX` constants.) + * + * J-PAKE can be used with any secure cryptographic hash function. The choice + * of hash must be supplied to the cipher suite by calling + * psa_pake_cs_set_hash(). * * In theory the algorithm works with any non-interactive zero-knowledge proof. * Implementations of the present specification use Schnorr NIZKP and this does * not need to be configured in the cipher suites. * - * J-PAKE can be used with any secure cryptographic hash function, the choice - * of hash must be supplied to the psa_pake_cipher_suite() as the second - * parameter (\p hash). - * - * All the remaining parameters passed to psa_pake_cipher_suite() when creating - * the cipher suite must be 0. - * * The key exchange flow for JPAKE is as follows: * -# To get the first round data that needs to be sent to the peer, call * // Get g1 From 684da035322b3b0e1d06dd9658235ceb1e7340cb Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 30 Apr 2021 12:50:32 +0100 Subject: [PATCH 053/131] PSA PAKE: remove obsolete types and macros Making the cipher suite struct internal made a number of types and macros in the interface unused. Signed-off-by: Janos Follath --- include/psa/crypto_types.h | 23 ----------------------- include/psa/crypto_values.h | 34 ++++++---------------------------- 2 files changed, 6 insertions(+), 51 deletions(-) diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 3ec77f28f8..7c560b3a5a 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -406,28 +406,5 @@ typedef uint8_t psa_pake_data_t; */ typedef uint8_t psa_pake_primitive_type_t; -/** Encoding of the bitsize for the PAKE's primitive. - * - * The type and family is not enough to identify the primitive to use in the - * PAKE, the implementation needs to know the bitsize too. - */ -typedef uint16_t psa_pake_bits_t; - -/** Encoding of the PAKE's primitive. - * - * In most of the PAKEs the primitives are prime order groups, but some of - * them might need the ring structure or just are using completely different - * algebraic structures (eg. SRP or PQC schemes). - */ -typedef uint32_t psa_pake_primitive_t; - -/** Encoding of additional options for PAKE. - * - * This type is for encoding additional options into PAKE cipher suites. - * (Options like for example EnvelopeMode in OPAQUE or "Per-User M and N" in - * SPAKE2.) - */ -typedef uint32_t psa_pake_cipher_suite_options_t; - /**@}*/ #endif /* PSA_CRYPTO_TYPES_H */ diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index bed48f79c4..78d431b9be 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2504,8 +2504,9 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) /** The PAKE uses elliptic curves. * * The corresponding family type is ::psa_ecc_family_t. In determining a - * specific curve in the family ::psa_pake_bits_t values are interpreted in the - * exact same way as ::psa_key_bits_t would. + * specific curve in the family the cipher suite (see + * ::psa_pake_cipher_suite_t) bits are interpreted in the exact same way + * as key bits are. * * Input and output during the operation can involve group elements and scalar * values: @@ -2521,8 +2522,9 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) /** The PAKE uses finite fields based Diffie-Hellman groups. * * The corresponding family type is ::psa_dh_family_t. In determining a - * specific group in the family ::psa_pake_bits_t values are interpreted in the - * exact same way as ::psa_key_bits_t would. + * specific group in the family the cipher suite (see + * ::psa_pake_cipher_suite_t) bits are interpreted in the exact same way + * as key bits are. * * Input and output during the operation can involve group elements and scalar * values: @@ -2535,28 +2537,6 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) */ #define PSA_PAKE_PRIMITIVE_TYPE_DH ((psa_pake_primitive_type_t)0x02) -/** Construct a PAKE primitive from type, family and bitsize. - * - * \param pake_type The type of the primitive - * (value of type ::psa_pake_primitive_type_t). - * \param pake_family The family of the primitive - * (the type and interpretation of this parameter depends - * on \p type, for more information consult the - * documentation of individual ::psa_pake_primitive_type_t - * constants). - * \param pake_bits The bitsize of the primitive - * (Value of type ::psa_pake_bits_t. The interpretation - * of this parameter depends on \p family, for more - * information consult the documentation of individual - * ::psa_pake_primitive_type_t constants). - * - * \return The constructed primitive value. - */ -#define PSA_PAKE_PRIMITIVE(pake_type, pake_family, pake_bits) \ - ((psa_pake_primitive_t) (((pake_type) << 24 | \ - (pake_family) << 16) | (pake_bits))) - - /** The key share being sent to or received from the peer. * * Unless the documentation of the PAKE algorithm says otherwise this is a @@ -2572,7 +2552,6 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) */ #define PSA_PAKE_DATA_KEY_SHARE ((psa_pake_data_t)0x01) - /** A Schnorr NIZKP public key. * * This is a group element. @@ -2587,7 +2566,6 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) */ #define PSA_PAKE_DATA_ZK_PUBLIC ((psa_pake_data_t)0x02) - /** A Schnorr NIZKP proof. * * This is a scalar value. From 5b44cfd430af591940845bc2c5ef6a4416007cea Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 30 Apr 2021 13:06:27 +0100 Subject: [PATCH 054/131] PSA PAKE: remove alg parameter from setup The cipher suite now defines the algorithm itself as well. Passing the algorithm separately is redundant and error prone. Signed-off-by: Janos Follath --- include/psa/crypto.h | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 9220b2ea79..17316795db 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4421,10 +4421,9 @@ static psa_pake_operation_t psa_pake_operation_init(void); * type PSA_KEY_TYPE_PASSWORD or * #PSA_KEY_TYPE_DERIVE. It has to allow the usage * #PSA_KEY_USAGE_DERIVE. - * \param alg The PAKE algorithm to use - * (\c PSA_ALG_XXX value such that - * #PSA_ALG_IS_PAKE(\p alg) is true). - * \param cipher_suite The cipher suite to use with the PAKE algorithm. + * \param cipher_suite The cipher suite to use. (A cipher suite fully + * characterizes a PAKE algorithm and determines + * the algorithm as well.) * \param side A value of type ::psa_pake_side_t signaling the * side of the algorithm that is being set up. For * more information see the documentation of \c @@ -4446,15 +4445,12 @@ static psa_pake_operation_t psa_pake_operation_init(void); * \retval #PSA_ERROR_INVALID_HANDLE * \retval #PSA_ERROR_NOT_PERMITTED * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p key is not compatible with \p alg. + * \p key is not compatible with the algorithm in \p cipher_suite. * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p session_data is not empty and is not allowed in \p alg. + * \p session_data is not empty and is not allowed in the algorithm in + * \p cipher_suite. * \retval #PSA_ERROR_NOT_SUPPORTED - * \p cipher_suite is not compatible with \p alg. (Eg. \p cipher_suite - * mandates algorithms or sets options that do not make sense for \p alg - * or are not supported with \p alg.) - * \retval #PSA_ERROR_NOT_SUPPORTED - * \p alg is not supported or is not a PAKE algorithm. + * The \p cipher_suite is not supported or is not valid. * \retval #PSA_ERROR_INSUFFICIENT_MEMORY * \retval #PSA_ERROR_COMMUNICATION_FAILURE * \retval #PSA_ERROR_HARDWARE_FAILURE @@ -4467,7 +4463,6 @@ static psa_pake_operation_t psa_pake_operation_init(void); */ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, mbedtls_svc_key_id_t password, - psa_algorithm_t alg, psa_pake_cipher_suite_t cipher_suite, psa_pake_side_t side, const uint8_t *user_id, From f75be64ef555f63f7b5bf4863f00d652f2300483 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 30 Apr 2021 13:11:05 +0100 Subject: [PATCH 055/131] PSA PAKE: fix identifier value Identifier value was not consistent with PSA conventions (last byte is reserved for hash algorithms or used in algorithms parametrized by a hash). Signed-off-by: Janos Follath --- include/psa/crypto_values.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 78d431b9be..a243370817 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2037,7 +2037,7 @@ * * J-PAKE is standardised for example in RFC 8236. */ -#define PSA_ALG_PAKE_JPAKE ((psa_algorithm_t)0x0a000001) +#define PSA_ALG_PAKE_JPAKE ((psa_algorithm_t)0x0a000100) /**@}*/ From 1459aa5656935a07737ab1769403ff7f4eae8a3a Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 11 May 2021 08:24:56 +0100 Subject: [PATCH 056/131] PSA PAKE: improve documentation Minor documentation improvement and fixes. Signed-off-by: Janos Follath --- include/psa/crypto.h | 36 +++++++++++++++++++++++------------- include/psa/crypto_sizes.h | 5 +++-- include/psa/crypto_values.h | 24 ++++++++++++++---------- 3 files changed, 40 insertions(+), 25 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 17316795db..df8d4d4e96 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4240,8 +4240,8 @@ static uint8_t psa_pake_cs_get_family( * If this is 0, the primitive family in * \p cipher_suite becomes unspecified. The * interpretation of this parameter depends on - * the primitive type, for more information consult the - * documentation of individual + * the primitive type. For more information + * consult the documentation of individual * ::psa_pake_primitive_type_t constants). */ static void psa_pake_cs_set_family( @@ -4249,7 +4249,7 @@ static void psa_pake_cs_set_family( uint8_t family ); -/** Retrieve the primitive bits from a PAKE cipher suite. +/** Retrieve the size associated with the primitive from a PAKE cipher suite. * * This function may be declared as `static` (i.e. without external * linkage). This function may be provided as a function-like macro, @@ -4292,7 +4292,9 @@ static void psa_pake_cs_set_bits( * * \param[in] cipher_suite The cipher suite structure to query. * - * \return The hash algorithm stored in the cipher suite structure. + * \return The hash algorithm stored in the cipher suite structure. The return + * value is 0 if the PAKE is not parametrised by a hash algorithm or if + * the hash algorithm is not set. */ static psa_algorithm_t psa_pake_cs_get_hash( const psa_pake_cipher_suite_t* cipher_suite @@ -4378,8 +4380,8 @@ static psa_pake_operation_t psa_pake_operation_init(void); * -# Initialize the operation object with one of the methods described in the * documentation for #psa_pake_operation_t, e.g. * #PSA_PAKE_OPERATION_INIT. - * -# Call psa_pake_setup() to specify the algorithm, the key, cipher suite, - * identities and additional session information. + * -# Call psa_pake_setup() to specify the algorithm, the password, cipher + * suite, identities and additional session information. * * A typical sequence of calls to perform a password-authenticated key * exchange: @@ -4388,13 +4390,17 @@ static psa_pake_operation_t psa_pake_operation_init(void); * -# Call psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE, ...) to provide * the key share that was received from the peer. * -# Call psa_pake_get_implicit_key() for accessing the shared secret. + * -# Make a sequence of function calls to execute the password-authenticated + * key exchange as described below. + * -# Terminate the operation by a call to psa_pake_get_implicit_key() or + * psa_pake_abort(). * * The exact sequence of calls to perform a password-authenticated key exchange * depends on the algorithm in use: - * -# Some algorithms exchange more data than just a single key share. When using - * such a algorithm, call psa_pake_output() and psa_pake_input() one or more - * times to exchange any further data that is needed to derive the shared - * secret. + * - Some algorithms exchange more data than just a single key share. When using + * such a algorithm, call psa_pake_output() and psa_pake_input() one or more + * times to exchange any further data that is needed to derive the shared + * secret. * * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) @@ -4489,7 +4495,10 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, * \param[in,out] operation Active PAKE operation. * \param type The type of the data that is requested. * \param[out] output Buffer where the output is to be written. - * \param output_size Size of the \p output buffer in bytes. + * \param output_size Size of the \p output buffer in bytes. This must + * be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \c + * cipher_suite, \p type). + * * \param[out] output_length On success, the number of bytes of the returned * output. * @@ -4574,8 +4583,9 @@ psa_status_t psa_pake_input(psa_pake_operation_t *operation, * state and must be aborted by calling psa_pake_abort(). * * \param[in,out] operation Active PAKE operation. - * \param[out] output A key derivation operation that has been - * initialized and set up. + * \param[out] output A key derivation operation that is ready + * for an input step of type + * #PSA_KEY_DERIVATION_INPUT_SECRET. * * \retval #PSA_SUCCESS * Success. diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index bb01d53158..4428fc01fe 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h @@ -1144,13 +1144,14 @@ * \param alg A PAKE algorithm (PSA_ALG_XXX value such that * #PSA_ALG_IS_PAKE(\p alg) is true). * \param cipher_suite A cipher suite that is compatible with algorithm \p alg. - * \param output An output type used with algorithm \p alg. + * \param output_step A value of type ::psa_pake_data_t that is valid for the + * algorithm \p alg. * \return A sufficient output buffer size for the specified * output, cipher suite and algorithm. If the cipher suite, * the output type or PAKE algorithm is not recognized, or * the parameters are incompatible, return 0. */ -#define PSA_PAKE_OUTPUT_SIZE(alg, cipher_suite, output) +#define PSA_PAKE_OUTPUT_SIZE(alg, cipher_suite, output_step) /** Output buffer size for psa_pake_output() for any of the supported cipher * suites and PAKE algorithms. diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index a243370817..ab064dbdd9 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2501,12 +2501,14 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) */ #define PSA_PAKE_SIDE_SERVER ((psa_pake_side_t)0x12) -/** The PAKE uses elliptic curves. +/** The PAKE primitive type indicating the use of elliptic curves. * - * The corresponding family type is ::psa_ecc_family_t. In determining a - * specific curve in the family the cipher suite (see - * ::psa_pake_cipher_suite_t) bits are interpreted in the exact same way - * as key bits are. + * The values of the \c family and \c bits fields of the cipher suite identify a + * specific elliptic curve, using the same mapping that is used for ECC + * (::psa_ecc_family_t) keys. + * + * (Here \c familiy means the value returned by psa_pake_cs_get_family() and + * \c bits means the value returned by psa_pake_cs_get_bits().) * * Input and output during the operation can involve group elements and scalar * values: @@ -2519,12 +2521,14 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) */ #define PSA_PAKE_PRIMITIVE_TYPE_ECC ((psa_pake_primitive_type_t)0x01) -/** The PAKE uses finite fields based Diffie-Hellman groups. +/** The PAKE primitive type indicating the use of Diffie-Hellman groups. * - * The corresponding family type is ::psa_dh_family_t. In determining a - * specific group in the family the cipher suite (see - * ::psa_pake_cipher_suite_t) bits are interpreted in the exact same way - * as key bits are. + * The values of the \c family and \c bits fields of the cipher suite identify + * a specific Diffie-Hellman group, using the same mapping that is used for + * Diffie-Hellman (::psa_dh_family_t) keys. + * + * (Here \c familiy means the value returned by psa_pake_cs_get_family() and + * \c bits means the value returned by psa_pake_cs_get_bits().) * * Input and output during the operation can involve group elements and scalar * values: From f53c7af916877bfacf5fb9c27fbe0bfd21ff713d Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 11 May 2021 08:35:31 +0100 Subject: [PATCH 057/131] PSA PAKE: introduce psa_pake_family_t It is the size of something that has no a priori reason to consist of 8 bits. This should be psa_pake_family_t, both for documentation (and possibly static analysis) and in case 8 bits turn out not to be enough. Signed-off-by: Janos Follath --- include/psa/crypto.h | 4 ++-- include/psa/crypto_struct.h | 6 +++--- include/psa/crypto_types.h | 9 +++++++++ 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index df8d4d4e96..970aea324a 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4222,7 +4222,7 @@ static void psa_pake_cs_set_type( * * \return The primitive family stored in the cipher suite structure. */ -static uint8_t psa_pake_cs_get_family( +static psa_pake_family_t psa_pake_cs_get_family( const psa_pake_cipher_suite_t* cipher_suite ); @@ -4246,7 +4246,7 @@ static uint8_t psa_pake_cs_get_family( */ static void psa_pake_cs_set_family( psa_pake_cipher_suite_t* cipher_suite, - uint8_t family + psa_pake_family_t family ); /** Retrieve the size associated with the primitive from a PAKE cipher suite. diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 881abcb2a7..97d5d2b416 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -465,7 +465,7 @@ struct psa_pake_cipher_suite_s { psa_algorithm_t algorithm; psa_pake_primitive_type_t type; - uint8_t family; + psa_pake_family_t family; size_t bits; psa_algorithm_t hash; }; @@ -499,7 +499,7 @@ static inline void psa_pake_cs_set_type( cipher_suite->type = type; } -static inline uint8_t psa_pake_cs_get_family( +static inline psa_pake_family_t psa_pake_cs_get_family( const psa_pake_cipher_suite_t *cipher_suite) { return( cipher_suite->family ); @@ -507,7 +507,7 @@ static inline uint8_t psa_pake_cs_get_family( static inline void psa_pake_cs_set_family( psa_pake_cipher_suite_t *cipher_suite, - uint8_t family) + psa_pake_family_t family) { cipher_suite->family = family; } diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 7c560b3a5a..09ff1c5eda 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -403,8 +403,17 @@ typedef uint8_t psa_pake_data_t; * * Values defined by this standard will never be in the range 0x80-0xff. * Vendors who define additional types must use an encoding in this range. + * + * For more information see the documentation of individual + * PSA_PAKE_PRIMITIVE_TYPE_XXX constants. */ typedef uint8_t psa_pake_primitive_type_t; +/** \brief Encoding of the family of the primitive associated with the PAKE. + * + * For more information see the documentation of individual + * PSA_PAKE_PRIMITIVE_TYPE_XXX constants. + */ +typedef uint8_t psa_pake_family_t; /**@}*/ #endif /* PSA_CRYPTO_TYPES_H */ From 57cfc407e0ad421143e31fc6f8a656e560a249a2 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 11 May 2021 09:05:25 +0100 Subject: [PATCH 058/131] Remove obsolete __DOXYGEN_ONLY__ blocks __DOXYGEN_ONLY__ blocks were only used to typeset the PSA specification back when it was extracted from Mbed TLS headers. They are no longer used and should be removed. The PSA Crypto Driver API is still under development and might be extracted from Mbed TLS headers, leaving them there for now. Signed-off-by: Janos Follath --- include/psa/crypto.h | 42 ------------------------------------------ 1 file changed, 42 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 970aea324a..7efa3154cd 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -112,12 +112,6 @@ psa_status_t psa_crypto_init(void); * This macro returns a suitable initializer for a key attribute structure * of type #psa_key_attributes_t. */ -#ifdef __DOXYGEN_ONLY__ -/* This is an example definition for documentation purposes. - * Implementations should define a suitable value in `crypto_struct.h`. - */ -#define PSA_KEY_ATTRIBUTES_INIT {0} -#endif /** Return an initial value for a key attributes structure. */ @@ -947,12 +941,6 @@ typedef struct psa_hash_operation_s psa_hash_operation_t; * This macro returns a suitable initializer for a hash operation object * of type #psa_hash_operation_t. */ -#ifdef __DOXYGEN_ONLY__ -/* This is an example definition for documentation purposes. - * Implementations should define a suitable value in `crypto_struct.h`. - */ -#define PSA_HASH_OPERATION_INIT {0} -#endif /** Return an initial value for a hash operation object. */ @@ -1318,12 +1306,6 @@ typedef struct psa_mac_operation_s psa_mac_operation_t; * This macro returns a suitable initializer for a MAC operation object of type * #psa_mac_operation_t. */ -#ifdef __DOXYGEN_ONLY__ -/* This is an example definition for documentation purposes. - * Implementations should define a suitable value in `crypto_struct.h`. - */ -#define PSA_MAC_OPERATION_INIT {0} -#endif /** Return an initial value for a MAC operation object. */ @@ -1742,12 +1724,6 @@ typedef struct psa_cipher_operation_s psa_cipher_operation_t; * This macro returns a suitable initializer for a cipher operation object of * type #psa_cipher_operation_t. */ -#ifdef __DOXYGEN_ONLY__ -/* This is an example definition for documentation purposes. - * Implementations should define a suitable value in `crypto_struct.h`. - */ -#define PSA_CIPHER_OPERATION_INIT {0} -#endif /** Return an initial value for a cipher operation object. */ @@ -2271,12 +2247,6 @@ typedef struct psa_aead_operation_s psa_aead_operation_t; * This macro returns a suitable initializer for an AEAD operation object of * type #psa_aead_operation_t. */ -#ifdef __DOXYGEN_ONLY__ -/* This is an example definition for documentation purposes. - * Implementations should define a suitable value in `crypto_struct.h`. - */ -#define PSA_AEAD_OPERATION_INIT {0} -#endif /** Return an initial value for an AEAD operation object. */ @@ -3271,12 +3241,6 @@ typedef struct psa_key_derivation_s psa_key_derivation_operation_t; * This macro returns a suitable initializer for a key derivation operation * object of type #psa_key_derivation_operation_t. */ -#ifdef __DOXYGEN_ONLY__ -/* This is an example definition for documentation purposes. - * Implementations should define a suitable value in `crypto_struct.h`. - */ -#define PSA_KEY_DERIVATION_OPERATION_INIT {0} -#endif /** Return an initial value for a key derivation operation object. */ @@ -4360,12 +4324,6 @@ typedef struct psa_pake_operation_s psa_pake_operation_t; * This macro returns a suitable initializer for an PAKE operation object of * type #psa_pake_operation_t. */ -#ifdef __DOXYGEN_ONLY__ -/* This is an example definition for documentation purposes. - * Implementations should define a suitable value in `crypto_struct.h`. - */ -#define PSA_PAKE_OPERATION_INIT {0} -#endif /** Return an initial value for an PAKE operation object. */ From beb78d4d415fd68a6262194ccdf6fa4d84737bdd Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 11 May 2021 09:11:39 +0100 Subject: [PATCH 059/131] Rename psa_pake_data_t "Data" is too vague, renaming it to psa_pake_step_t. It is still somewhat vague, but at least consistent with the naming used in key derivation. Signed-off-by: Janos Follath --- include/psa/crypto.h | 4 ++-- include/psa/crypto_sizes.h | 2 +- include/psa/crypto_types.h | 2 +- include/psa/crypto_values.h | 18 +++++++++--------- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 7efa3154cd..9ceac0a580 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4478,7 +4478,7 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, * results in this error code. */ psa_status_t psa_pake_output(psa_pake_operation_t *operation, - psa_pake_data_t type, + psa_pake_step_t type, uint8_t *output, size_t output_size, size_t *output_length); @@ -4518,7 +4518,7 @@ psa_status_t psa_pake_output(psa_pake_operation_t *operation, * results in this error code. */ psa_status_t psa_pake_input(psa_pake_operation_t *operation, - psa_pake_data_t type, + psa_pake_step_t type, uint8_t *input, size_t input_length); diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index 4428fc01fe..9d2f6c49c2 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h @@ -1144,7 +1144,7 @@ * \param alg A PAKE algorithm (PSA_ALG_XXX value such that * #PSA_ALG_IS_PAKE(\p alg) is true). * \param cipher_suite A cipher suite that is compatible with algorithm \p alg. - * \param output_step A value of type ::psa_pake_data_t that is valid for the + * \param output_step A value of type ::psa_pake_step_t that is valid for the * algorithm \p alg. * \return A sufficient output buffer size for the specified * output, cipher suite and algorithm. If the cipher suite, diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 09ff1c5eda..bf8ab15a79 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -397,7 +397,7 @@ typedef uint8_t psa_pake_side_t; * This type is for encoding additional input and output data for such * algorithms. */ -typedef uint8_t psa_pake_data_t; +typedef uint8_t psa_pake_step_t; /** Encoding of the type of the PAKE's primitive. * diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index ab064dbdd9..06aeec5e49 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2554,7 +2554,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * received. For values sent or received afterwards, use * #PSA_PAKE_DATA_KEY_SHARE_2 and #PSA_PAKE_DATA_KEY_SHARE_3. */ -#define PSA_PAKE_DATA_KEY_SHARE ((psa_pake_data_t)0x01) +#define PSA_PAKE_DATA_KEY_SHARE ((psa_pake_step_t)0x01) /** A Schnorr NIZKP public key. * @@ -2568,7 +2568,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * key received. For values sent or received afterwards, use * #PSA_PAKE_DATA_ZK_PUBLIC_2 and #PSA_PAKE_DATA_ZK_PUBLIC_3. */ -#define PSA_PAKE_DATA_ZK_PUBLIC ((psa_pake_data_t)0x02) +#define PSA_PAKE_DATA_ZK_PUBLIC ((psa_pake_step_t)0x02) /** A Schnorr NIZKP proof. * @@ -2582,43 +2582,43 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * received. For values sent or received afterwards, use * #PSA_PAKE_DATA_ZK_PROOF_2 and #PSA_PAKE_DATA_ZK_PROOF_3. */ -#define PSA_PAKE_DATA_ZK_PROOF ((psa_pake_data_t)0x03) +#define PSA_PAKE_DATA_ZK_PROOF ((psa_pake_step_t)0x03) /** Marks the second key share sent and received. * * See #PSA_PAKE_DATA_KEY_SHARE. */ -#define PSA_PAKE_DATA_KEY_SHARE_2 ((psa_pake_data_t)0x04) +#define PSA_PAKE_DATA_KEY_SHARE_2 ((psa_pake_step_t)0x04) /** Marks the second Schnorr NIZKP public key sent and received. * * See #PSA_PAKE_DATA_ZK_PUBLIC. */ -#define PSA_PAKE_DATA_ZK_PUBLIC_2 ((psa_pake_data_t)0x05) +#define PSA_PAKE_DATA_ZK_PUBLIC_2 ((psa_pake_step_t)0x05) /** Marks the second Schnorr NIZKP proof sent and received. * * See #PSA_PAKE_DATA_ZK_PROOF. */ -#define PSA_PAKE_DATA_ZK_PROOF_2 ((psa_pake_data_t)0x06) +#define PSA_PAKE_DATA_ZK_PROOF_2 ((psa_pake_step_t)0x06) /** Marks the third key share sent and received. * * See #PSA_PAKE_DATA_KEY_SHARE. */ -#define PSA_PAKE_DATA_KEY_SHARE_3 ((psa_pake_data_t)0x07) +#define PSA_PAKE_DATA_KEY_SHARE_3 ((psa_pake_step_t)0x07) /** Marks the third Schnorr NIZKP public key sent and received. * * See #PSA_PAKE_DATA_ZK_PUBLIC. */ -#define PSA_PAKE_DATA_ZK_PUBLIC_3 ((psa_pake_data_t)0x08) +#define PSA_PAKE_DATA_ZK_PUBLIC_3 ((psa_pake_step_t)0x08) /** Marks the third Schnorr NIZKP proof sent and received. * * See #PSA_PAKE_DATA_ZK_PROOF. */ -#define PSA_PAKE_DATA_ZK_PROOF_3 ((psa_pake_data_t)0x09) +#define PSA_PAKE_DATA_ZK_PROOF_3 ((psa_pake_step_t)0x09) /**@}*/ #endif /* PSA_CRYPTO_VALUES_H */ From a86c3131a8981d632585f83d8f5f61384b70c072 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 13 May 2021 10:51:01 +0100 Subject: [PATCH 060/131] PSA PAKE: divide setup into several steps There are too many parameters to the setup function. This makes it hard to figure out how to call the function and read code that calls the function. This also opens the suspicion that there's yet another parameter that we're missing. Signed-off-by: Janos Follath --- include/psa/crypto.h | 195 ++++++++++++++++++++++++++---------- include/psa/crypto_values.h | 5 + 2 files changed, 147 insertions(+), 53 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 9ceac0a580..a2f34cab03 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4319,12 +4319,6 @@ static void psa_pake_cs_set_hash( * Implementation details can change in future versions without notice. */ typedef struct psa_pake_operation_s psa_pake_operation_t; -/** \def PSA_PAKE_OPERATION_INIT - * - * This macro returns a suitable initializer for an PAKE operation object of - * type #psa_pake_operation_t. - */ - /** Return an initial value for an PAKE operation object. */ static psa_pake_operation_t psa_pake_operation_init(void); @@ -4338,8 +4332,21 @@ static psa_pake_operation_t psa_pake_operation_init(void); * -# Initialize the operation object with one of the methods described in the * documentation for #psa_pake_operation_t, e.g. * #PSA_PAKE_OPERATION_INIT. - * -# Call psa_pake_setup() to specify the algorithm, the password, cipher - * suite, identities and additional session information. + * -# Call psa_pake_setup() to specify cipher suite. + * -# Call \c psa_pake_set_xxx() functions on the operation to complete the + * setup. The exact sequence of \c psa_pake_set_xxx() functions that needs + * to be called depends on the algorithm in use. + * + * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + * for more information. + * + * Like in the case of completing setup, the exact sequence of calls to perform + * a password-authenticated key exchange depends on the algorithm in use: + * - Some algorithms exchange more data than just a single key share. When using + * such a algorithm, call psa_pake_output() and psa_pake_input() one or more + * times to exchange any further data that is needed to derive the shared + * secret. * * A typical sequence of calls to perform a password-authenticated key * exchange: @@ -4353,13 +4360,6 @@ static psa_pake_operation_t psa_pake_operation_init(void); * -# Terminate the operation by a call to psa_pake_get_implicit_key() or * psa_pake_abort(). * - * The exact sequence of calls to perform a password-authenticated key exchange - * depends on the algorithm in use: - * - Some algorithms exchange more data than just a single key share. When using - * such a algorithm, call psa_pake_output() and psa_pake_input() one or more - * times to exchange any further data that is needed to derive the shared - * secret. - * * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) * for more information. @@ -4378,6 +4378,29 @@ static psa_pake_operation_t psa_pake_operation_init(void); * \param[in,out] operation The operation object to set up. It must have * been initialized as per the documentation for * #psa_pake_operation_t and not yet in use. + * \param cipher_suite The cipher suite to use. (A cipher suite fully + * characterizes a PAKE algorithm and determines + * the algorithm as well.) + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must be inactive). + * \retval #PSA_ERROR_NOT_SUPPORTED + * The \p cipher_suite is not supported or is not valid. + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_setup(psa_pake_operation_t *operation, + psa_pake_cipher_suite_t cipher_suite); + +/** Set the password for a password-authenticated key exchange. + * * \param password Identifier of the key holding the password or a * value derived from the password (eg. by a * memory-hard function). It must remain valid @@ -4385,56 +4408,122 @@ static psa_pake_operation_t psa_pake_operation_init(void); * type PSA_KEY_TYPE_PASSWORD or * #PSA_KEY_TYPE_DERIVE. It has to allow the usage * #PSA_KEY_USAGE_DERIVE. - * \param cipher_suite The cipher suite to use. (A cipher suite fully - * characterizes a PAKE algorithm and determines - * the algorithm as well.) - * \param side A value of type ::psa_pake_side_t signaling the - * side of the algorithm that is being set up. For - * more information see the documentation of \c - * PSA_PAKE_SIDE_XXX constants. - * \param[in] user_id The user ID to authenticate with. - * \param user_id_len Size of the \p user_id buffer in bytes. - * \param[in] peer_id The peer's ID to authenticate. - * \param peer_id_len Size of the \p peer_id buffer in bytes. - * \param[in] session_data Additional session related data if it is allowed - * or required by the algorithm. This must be empty - * if additional session data is not used by the - * algorithm. - * \param session_data_len Size of the \p session_data buffer in bytes. * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must be inactive). + * \retval #PSA_ERROR_CORRUPTION_DETECTED * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_STORAGE_FAILURE * \retval #PSA_ERROR_NOT_PERMITTED * \retval #PSA_ERROR_INVALID_ARGUMENT * \p key is not compatible with the algorithm in \p cipher_suite. - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p session_data is not empty and is not allowed in the algorithm in - * \p cipher_suite. - * \retval #PSA_ERROR_NOT_SUPPORTED - * The \p cipher_suite is not supported or is not valid. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t psa_pake_setup(psa_pake_operation_t *operation, - mbedtls_svc_key_id_t password, - psa_pake_cipher_suite_t cipher_suite, - psa_pake_side_t side, - const uint8_t *user_id, - size_t user_id_len, - const uint8_t *peer_id, - size_t peer_id_len, - const uint8_t *session_data, - size_t session_data_len); +psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, + mbedtls_svc_key_id_t password); + +/** Set the user ID for a password-authenticated key exchange. + * + * Some PAKE algorithms assiciate only a single user identifier with the + * session. Such algorithms must call this function (psa_pake_set_user()) to + * set the identifier for the PAKE context. + * + * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + * for more information. + * + * \param[in] user_id The user ID to authenticate with. + * \param user_id_len Size of the \p user_id buffer in bytes. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p user_id is NULL. + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_set_user(psa_pake_operation_t *operation, + const uint8_t *user_id, + size_t user_id_len); + +/** Set the peer ID for a password-authenticated key exchange. + * + * Some PAKE algorithms assiciate only a single user identifier with the + * session. Such algorithms must call psa_pake_set_user() to set the + * identifier for the PAKE context. + * + * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + * for more information. + * + * \param[in] peer_id The peer's ID to authenticate. + * \param peer_id_len Size of the \p peer_id buffer in bytes. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid. + * \retval #PSA_ERROR_NOT_SUPPORTED + * The algorithm doesn't associate a second identity with the session. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p user_id is NULL. + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_set_peer(psa_pake_operation_t *operation, + const uint8_t *peer_id, + size_t peer_id_len); + +/** Set the side for a password-authenticated key exchange. + * + * Not all PAKE algorithms need to differentiate the communicating entities. + * It is optional to call this function for PAKEs that don't require a side + * parameter. For such PAKEs the side parameter is ignored. + * + * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + * for more information. + * + * \param side A value of type ::psa_pake_side_t signaling the + * side of the algorithm that is being set up. For + * more information see the documentation of \c + * PSA_PAKE_SIDE_XXX constants. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must have been set up). + * \retval #PSA_ERROR_NOT_SUPPORTED + * The \p side for this algorithm is not supported or is not valid. + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_set_side(psa_pake_operation_t *operation, + psa_pake_side_t side); /** Get additional key share from a password-authenticated key exchange. * diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 06aeec5e49..a92002304a 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1985,6 +1985,11 @@ * Implementations of the present specification use Schnorr NIZKP and this does * not need to be configured in the cipher suites. * + * J-PAKE doesn't differentiate between sides and has a distinct identifier + * associated with each entity. This means that both psa_pake_set_user() and + * psa_pake_set_peer() needs to be called before commencing the operation. + * Another conseque is that psa_pake_set_side() is optional and is ignored. + * * The key exchange flow for JPAKE is as follows: * -# To get the first round data that needs to be sent to the peer, call * // Get g1 From 78b9e40662bca1b594537433594dc130fffbc507 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 13 May 2021 11:45:14 +0100 Subject: [PATCH 061/131] PSA PAKE: reintroduce psa_pake_primitive_t If PSA_PAKE_OUTPUT_SIZE takes cipher_suite as a parameter and it is a structure it can't be a compile-time constant anymore. Reintroducing psa_pake_primitive_t, because it can be constructed as an integral type and holds enough information to allow PSA_PAKE_OUTPUT_SIZE calculating accurate estimates on the output size in compile time. Signed-off-by: Janos Follath --- include/psa/crypto.h | 93 ++++--------------------------------- include/psa/crypto_sizes.h | 4 +- include/psa/crypto_struct.h | 53 ++++++--------------- include/psa/crypto_types.h | 6 +++ include/psa/crypto_values.h | 24 ++++++++++ 5 files changed, 55 insertions(+), 125 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index a2f34cab03..ec5c16c488 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4145,107 +4145,30 @@ static void psa_pake_cs_set_algorithm( * This function may be provided as a function-like macro, but in this case it * must evaluate its argument exactly once. * - * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - * for more information. - * * \param[in] cipher_suite The cipher suite structure to query. * - * \return The primitive type stored in the cipher suite structure. + * \return The primitive stored in the cipher suite structure. */ -static psa_pake_primitive_type_t psa_pake_cs_get_type( +static psa_pake_primitive_t psa_pake_cs_get_primitive( const psa_pake_cipher_suite_t* cipher_suite ); /** Declare the primitive type for a PAKE cipher suite. * - * This function overwrites any primitive type - * previously set in \p cipher_suite. + * This function overwrites any primitive previously set in \p cipher_suite. * * This function may be declared as `static` (i.e. without external * linkage). This function may be provided as a function-like macro, * but in this case it must evaluate each of its arguments exactly once. * * \param[out] cipher_suite The cipher suite structure to write to. - * \param type The primitive type to write. - * If this is 0, the primitive type in - * \p cipher_suite becomes unspecified. + * \param primitive The primitive to write. If this is 0, the + * primitive type in \p cipher_suite becomes + * unspecified. */ -static void psa_pake_cs_set_type( +static void psa_pake_cs_set_primitive( psa_pake_cipher_suite_t* cipher_suite, - psa_pake_primitive_type_t type - ); - -/** Retrieve the primitive family from a PAKE cipher suite. - * - * This function may be declared as `static` (i.e. without external - * linkage). This function may be provided as a function-like macro, - * but in this case it must evaluate its argument exactly once. - * - * \param[in] cipher_suite The cipher suite structure to query. - * - * \return The primitive family stored in the cipher suite structure. - */ -static psa_pake_family_t psa_pake_cs_get_family( - const psa_pake_cipher_suite_t* cipher_suite - ); - -/** Declare the primitive family for a PAKE cipher suite. - * - * This function overwrites any primitive family - * previously set in \p cipher_suite. - * - * This function may be declared as `static` (i.e. without external - * linkage). This function may be provided as a function-like macro, - * but in this case it must evaluate each of its arguments exactly once. - * - * \param[out] cipher_suite The cipher suite structure to write to. - * \param family The primitive family to write. - * If this is 0, the primitive family in - * \p cipher_suite becomes unspecified. The - * interpretation of this parameter depends on - * the primitive type. For more information - * consult the documentation of individual - * ::psa_pake_primitive_type_t constants). - */ -static void psa_pake_cs_set_family( - psa_pake_cipher_suite_t* cipher_suite, - psa_pake_family_t family - ); - -/** Retrieve the size associated with the primitive from a PAKE cipher suite. - * - * This function may be declared as `static` (i.e. without external - * linkage). This function may be provided as a function-like macro, - * but in this case it must evaluate its argument exactly once. - * - * \param[in] cipher_suite The cipher suite structure to query. - * - * \return The primitive bits stored in the cipher suite structure. - */ -static size_t psa_pake_cs_get_bits(const psa_pake_cipher_suite_t* cipher_suite); - -/** Declare the primitive bits for a PAKE cipher suite. - * - * This function overwrites any primitive bits - * previously set in \p cipher_suite. - * - * This function may be declared as `static` (i.e. without external - * linkage). This function may be provided as a function-like macro, - * but in this case it must evaluate each of its arguments exactly once. - * - * \param[out] cipher_suite The cipher suite structure to write to. - * \param bits The primitive bits to write. - * If this is 0, the primitive bits in - * \p cipher_suite becomes unspecified. The - * interpretation of this parameter depends on - * the family, for more information consult the - * documentation of individual - * ::psa_pake_primitive_type_t constants). - */ -static void psa_pake_cs_set_bits( - psa_pake_cipher_suite_t* cipher_suite, - size_t bits + psa_pake_primitive_t primitive ); /** Retrieve the hash algorithm from a PAKE cipher suite. diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index 9d2f6c49c2..d8fc9979bd 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h @@ -1143,7 +1143,7 @@ * * \param alg A PAKE algorithm (PSA_ALG_XXX value such that * #PSA_ALG_IS_PAKE(\p alg) is true). - * \param cipher_suite A cipher suite that is compatible with algorithm \p alg. + * \param primitive A primitive that is compatible with algorithm \p alg. * \param output_step A value of type ::psa_pake_step_t that is valid for the * algorithm \p alg. * \return A sufficient output buffer size for the specified @@ -1151,7 +1151,7 @@ * the output type or PAKE algorithm is not recognized, or * the parameters are incompatible, return 0. */ -#define PSA_PAKE_OUTPUT_SIZE(alg, cipher_suite, output_step) +#define PSA_PAKE_OUTPUT_SIZE(alg, primitive, output_step) /** Output buffer size for psa_pake_output() for any of the supported cipher * suites and PAKE algorithms. diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 97d5d2b416..a5f35cb9cf 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -466,10 +466,16 @@ struct psa_pake_cipher_suite_s psa_algorithm_t algorithm; psa_pake_primitive_type_t type; psa_pake_family_t family; - size_t bits; + uint16_t bits; psa_algorithm_t hash; }; +static inline psa_algorithm_t psa_pake_cs_get_algorithm( + const psa_pake_cipher_suite_t *cipher_suite) +{ + return( cipher_suite->algorithm ); +} + static inline void psa_pake_cs_set_algorithm( psa_pake_cipher_suite_t *cipher_suite, psa_algorithm_t algorithm) @@ -480,49 +486,20 @@ static inline void psa_pake_cs_set_algorithm( cipher_suite->algorithm = algorithm; } -static inline psa_algorithm_t psa_pake_cs_get_algorithm( +static inline psa_pake_primitive_t psa_pake_cs_get_primitive( const psa_pake_cipher_suite_t *cipher_suite) { - return( cipher_suite->algorithm ); + return( PSA_PAKE_PRIMITIVE( cipher_suite->type, cipher_suite->family, + cipher_suite->bits) ); } -static inline psa_pake_primitive_type_t psa_pake_cs_get_type( - const psa_pake_cipher_suite_t *cipher_suite) -{ - return( cipher_suite->type ); -} - -static inline void psa_pake_cs_set_type( +static inline void psa_pake_cs_set_primitive( psa_pake_cipher_suite_t *cipher_suite, - psa_pake_primitive_type_t type) + psa_pake_primitive_t primitive) { - cipher_suite->type = type; -} - -static inline psa_pake_family_t psa_pake_cs_get_family( - const psa_pake_cipher_suite_t *cipher_suite) -{ - return( cipher_suite->family ); -} - -static inline void psa_pake_cs_set_family( - psa_pake_cipher_suite_t *cipher_suite, - psa_pake_family_t family) -{ - cipher_suite->family = family; -} - -static inline size_t psa_pake_cs_get_bits( - const psa_pake_cipher_suite_t *cipher_suite) -{ - return( cipher_suite->bits ); -} - -static inline void psa_pake_cs_set_bits( - psa_pake_cipher_suite_t *cipher_suite, - size_t bits) -{ - cipher_suite->bits = bits; + cipher_suite->type = (psa_pake_primitive_type_t) primitive >> 24; + cipher_suite->family = (psa_pake_family_t) ( 0xFF & (primitive >> 16) ); + cipher_suite->bits = (uint16_t) ( 0xFFFF & primitive ); } static inline psa_algorithm_t psa_pake_cs_get_hash( diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index bf8ab15a79..5418bd76ea 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -415,5 +415,11 @@ typedef uint8_t psa_pake_primitive_type_t; * PSA_PAKE_PRIMITIVE_TYPE_XXX constants. */ typedef uint8_t psa_pake_family_t; + +/** \brief Encoding of the primitive associated with the PAKE. + * + * For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro. + */ +typedef uint32_t psa_pake_primitive_t; /**@}*/ #endif /* PSA_CRYPTO_TYPES_H */ diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index a92002304a..cb4c604a68 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2546,6 +2546,30 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) */ #define PSA_PAKE_PRIMITIVE_TYPE_DH ((psa_pake_primitive_type_t)0x02) +/** Construct a PAKE primitive from type, family and bitsize. + * + * \param pake_type The type of the primitive + * (value of type ::psa_pake_primitive_type_t). + * \param pake_family The family of the primitive + * (the type and interpretation of this parameter depends + * on \p type, for more information consult the + * documentation of individual ::psa_pake_primitive_type_t + * constants). + * \param pake_bits The bitsize of the primitive + * (Value of type \c size_t. The interpretation + * of this parameter depends on \p family, for more + * information consult the documentation of individual + * ::psa_pake_primitive_type_t constants). + * + * \return The constructed primitive value of type ::psa_pake_primitive_t. + * Return 0 if the requested primitive can't be encoded as + * ::psa_pake_primitive_t. + */ +#define PSA_PAKE_PRIMITIVE(pake_type, pake_family, pake_bits) \ + (pake_bits > 0xFFFF) ? 0 : \ + ((psa_pake_primitive_t) (((pake_type) << 24 | \ + (pake_family) << 16) | (pake_bits))) + /** The key share being sent to or received from the peer. * * Unless the documentation of the PAKE algorithm says otherwise this is a From a71811aa4c4958998a1a750dd99f4cb3be8b249d Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 13 May 2021 11:50:01 +0100 Subject: [PATCH 062/131] Fix typo Signed-off-by: Janos Follath --- include/psa/crypto_values.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index cb4c604a68..9fc84f34d8 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2512,7 +2512,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * specific elliptic curve, using the same mapping that is used for ECC * (::psa_ecc_family_t) keys. * - * (Here \c familiy means the value returned by psa_pake_cs_get_family() and + * (Here \c family means the value returned by psa_pake_cs_get_family() and * \c bits means the value returned by psa_pake_cs_get_bits().) * * Input and output during the operation can involve group elements and scalar @@ -2532,7 +2532,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * a specific Diffie-Hellman group, using the same mapping that is used for * Diffie-Hellman (::psa_dh_family_t) keys. * - * (Here \c familiy means the value returned by psa_pake_cs_get_family() and + * (Here \c family means the value returned by psa_pake_cs_get_family() and * \c bits means the value returned by psa_pake_cs_get_bits().) * * Input and output during the operation can involve group elements and scalar From 3c09c4733342ab0a142df1d7ec263ce4f4bb68e0 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 13 May 2021 11:57:49 +0100 Subject: [PATCH 063/131] PSA PAKE: remove redundant steps PAKE constructions that have multiple key shares will always consume and produce the key shares in numerical order. So using PSA_PAKE_DATA_XXX_X would demand step-sequence validation, and provides no functional utility over having only PSA_PAKE_DATA_XXX. Signed-off-by: Janos Follath --- include/psa/crypto_values.h | 75 ++++++------------------------------- 1 file changed, 12 insertions(+), 63 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 9fc84f34d8..229485e663 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1999,11 +1999,11 @@ * // Get the ZKP proof for x1 * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); * // Get g2 - * psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE_2, ...); + * psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE, ...); * // Get the ZKP public key for x2 - * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PUBLIC_2, ...); + * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); * // Get the ZKP proof for x2 - * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF_2, ...); + * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); * -# To provide the first round data received from the peer to the operation, * call * // Set g3 @@ -2013,26 +2013,26 @@ * // Set the ZKP proof for x3 * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); * // Set g4 - * psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE_2, ...); + * psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE, ...); * // Set the ZKP public key for x4 - * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PUBLIC_2, ...); + * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); * // Set the ZKP proof for x4 - * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PROOF_2, ...); + * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); * -# To get the second round data that needs to be sent to the peer, call * // Get A - * psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE_3, ...); + * psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE, ...); * // Get ZKP public key for x2*s - * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PUBLIC_3, ...); + * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); * // Get ZKP proof for x2*s - * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF_3, ...); + * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); * -# To provide the second round data received from the peer to the operation, * call * // Set B - * psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE_3, ...); + * psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE, ...); * // Set ZKP public key for x4*s - * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PUBLIC_3, ...); + * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); * // Set ZKP proof for x4*s - * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PROOF_3, ...); + * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); * -# To access the shared secret call * // Get Ka=Kb=K * psa_pake_get_implicit_key() @@ -2577,11 +2577,6 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * * For information regarding representation consult the documentation of * individual ::psa_pake_primitive_type_t constants. - * - * Some PAKE algorithms need to exchange several key shares. If that is the - * case, this value marks the first key share sent and the first key share - * received. For values sent or received afterwards, use - * #PSA_PAKE_DATA_KEY_SHARE_2 and #PSA_PAKE_DATA_KEY_SHARE_3. */ #define PSA_PAKE_DATA_KEY_SHARE ((psa_pake_step_t)0x01) @@ -2591,11 +2586,6 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * * For information regarding representation consult the documentation of * individual ::psa_pake_primitive_type_t constants. - * - * Some PAKE algorithms need to perform several zero-knowledge proofs. If that - * is the case, this value marks the first public key sent and the first public - * key received. For values sent or received afterwards, use - * #PSA_PAKE_DATA_ZK_PUBLIC_2 and #PSA_PAKE_DATA_ZK_PUBLIC_3. */ #define PSA_PAKE_DATA_ZK_PUBLIC ((psa_pake_step_t)0x02) @@ -2605,49 +2595,8 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * * For information regarding representation consult the documentation of * individual ::psa_pake_primitive_type_t constants. - * - * Some PAKE algorithms need to perform several zero-knowledge proofs. If that - * is the case, this value marks the first proof sent and the first proof - * received. For values sent or received afterwards, use - * #PSA_PAKE_DATA_ZK_PROOF_2 and #PSA_PAKE_DATA_ZK_PROOF_3. */ #define PSA_PAKE_DATA_ZK_PROOF ((psa_pake_step_t)0x03) -/** Marks the second key share sent and received. - * - * See #PSA_PAKE_DATA_KEY_SHARE. - */ -#define PSA_PAKE_DATA_KEY_SHARE_2 ((psa_pake_step_t)0x04) - -/** Marks the second Schnorr NIZKP public key sent and received. - * - * See #PSA_PAKE_DATA_ZK_PUBLIC. - */ -#define PSA_PAKE_DATA_ZK_PUBLIC_2 ((psa_pake_step_t)0x05) - -/** Marks the second Schnorr NIZKP proof sent and received. - * - * See #PSA_PAKE_DATA_ZK_PROOF. - */ -#define PSA_PAKE_DATA_ZK_PROOF_2 ((psa_pake_step_t)0x06) - -/** Marks the third key share sent and received. - * - * See #PSA_PAKE_DATA_KEY_SHARE. - */ -#define PSA_PAKE_DATA_KEY_SHARE_3 ((psa_pake_step_t)0x07) - -/** Marks the third Schnorr NIZKP public key sent and received. - * - * See #PSA_PAKE_DATA_ZK_PUBLIC. - */ -#define PSA_PAKE_DATA_ZK_PUBLIC_3 ((psa_pake_step_t)0x08) - -/** Marks the third Schnorr NIZKP proof sent and received. - * - * See #PSA_PAKE_DATA_ZK_PROOF. - */ -#define PSA_PAKE_DATA_ZK_PROOF_3 ((psa_pake_step_t)0x09) - /**@}*/ #endif /* PSA_CRYPTO_VALUES_H */ From 56cc9ccc39b45a384a4ad5e60061bb4f49a63bd9 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 13 May 2021 12:01:11 +0100 Subject: [PATCH 064/131] PSA PAKE: Align macro names with psa_pake_step_t Signed-off-by: Janos Follath --- include/psa/crypto.h | 4 ++-- include/psa/crypto_values.h | 44 ++++++++++++++++++------------------- 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index ec5c16c488..5473fbfd05 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4273,9 +4273,9 @@ static psa_pake_operation_t psa_pake_operation_init(void); * * A typical sequence of calls to perform a password-authenticated key * exchange: - * -# Call psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE, ...) to get the + * -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the * key share that needs to be sent to the peer. - * -# Call psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE, ...) to provide + * -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide * the key share that was received from the peer. * -# Call psa_pake_get_implicit_key() for accessing the shared secret. * -# Make a sequence of function calls to execute the password-authenticated diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 229485e663..174a1f1e0d 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1993,52 +1993,52 @@ * The key exchange flow for JPAKE is as follows: * -# To get the first round data that needs to be sent to the peer, call * // Get g1 - * psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE, ...); + * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); * // Get the ZKP public key for x1 - * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); * // Get the ZKP proof for x1 - * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); * // Get g2 - * psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE, ...); + * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); * // Get the ZKP public key for x2 - * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); * // Get the ZKP proof for x2 - * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); * -# To provide the first round data received from the peer to the operation, * call * // Set g3 - * psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE, ...); + * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); * // Set the ZKP public key for x3 - * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); * // Set the ZKP proof for x3 - * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); * // Set g4 - * psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE, ...); + * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); * // Set the ZKP public key for x4 - * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); * // Set the ZKP proof for x4 - * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); * -# To get the second round data that needs to be sent to the peer, call * // Get A - * psa_pake_output(operation, #PSA_PAKE_DATA_KEY_SHARE, ...); + * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); * // Get ZKP public key for x2*s - * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); * // Get ZKP proof for x2*s - * psa_pake_output(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); * -# To provide the second round data received from the peer to the operation, * call * // Set B - * psa_pake_input(operation, #PSA_PAKE_DATA_KEY_SHARE, ...); + * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); * // Set ZKP public key for x4*s - * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PUBLIC, ...); + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); * // Set ZKP proof for x4*s - * psa_pake_input(operation, #PSA_PAKE_DATA_ZK_PROOF, ...); + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); * -# To access the shared secret call * // Get Ka=Kb=K * psa_pake_get_implicit_key() * * For more information consult the documentation of the individual - * PSA_PAKE_DATA_XXX constants. + * PSA_PAKE_STEP_XXX constants. * * J-PAKE is standardised for example in RFC 8236. */ @@ -2578,7 +2578,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * For information regarding representation consult the documentation of * individual ::psa_pake_primitive_type_t constants. */ -#define PSA_PAKE_DATA_KEY_SHARE ((psa_pake_step_t)0x01) +#define PSA_PAKE_STEP_KEY_SHARE ((psa_pake_step_t)0x01) /** A Schnorr NIZKP public key. * @@ -2587,7 +2587,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * For information regarding representation consult the documentation of * individual ::psa_pake_primitive_type_t constants. */ -#define PSA_PAKE_DATA_ZK_PUBLIC ((psa_pake_step_t)0x02) +#define PSA_PAKE_STEP_ZK_PUBLIC ((psa_pake_step_t)0x02) /** A Schnorr NIZKP proof. * @@ -2596,7 +2596,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * For information regarding representation consult the documentation of * individual ::psa_pake_primitive_type_t constants. */ -#define PSA_PAKE_DATA_ZK_PROOF ((psa_pake_step_t)0x03) +#define PSA_PAKE_STEP_ZK_PROOF ((psa_pake_step_t)0x03) /**@}*/ #endif /* PSA_CRYPTO_VALUES_H */ From fe0c4493f5a3118d56759ad0f4b4478aadfdb077 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 13 May 2021 12:25:15 +0100 Subject: [PATCH 065/131] Add psa_pake_set_password_mhf() Using memory hard functions with PAKEs is the more secure option. It should be as convenient and efficient to use as less secure options, but so far it required creating an additional temporary key object. With psa_pake_set_password_mhf() this eliminates the need for this. Similarly we could add a convenience function to supply the password directly from character strings, but that would make the less secure option more convenient again and therfore we are not doing it now. Signed-off-by: Janos Follath --- include/psa/crypto.h | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 5473fbfd05..e94a957137 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4322,7 +4322,7 @@ static psa_pake_operation_t psa_pake_operation_init(void); psa_status_t psa_pake_setup(psa_pake_operation_t *operation, psa_pake_cipher_suite_t cipher_suite); -/** Set the password for a password-authenticated key exchange. +/** Set the password for a password-authenticated key exchange from key ID. * * \param password Identifier of the key holding the password or a * value derived from the password (eg. by a @@ -4350,6 +4350,37 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, mbedtls_svc_key_id_t password); +/** Set the password for a password-authenticated key exchange with memory hard + * function. + * + * Some protocols require using values derived from passwords via memory hard + * functions to mitigate dictionary attacks. Memory hard functions can be + * accessed through the key derivation interface and the result can be supplied + * to the PAKE operation in the form of a key derivation object. + * + * \param key_derivation An ongoing key derivation operation set up from + * the password and in a state suitable for + * calling psa_key_derivation_output_bytes(). + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p key_derivation is not ready for a call to + * psa_key_derivation_output_bytes(). + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_set_password_mhf(psa_pake_operation_t *operation, + psa_pake_operation_t *key_derivation); + /** Set the user ID for a password-authenticated key exchange. * * Some PAKE algorithms assiciate only a single user identifier with the From b0bcb633ffb567aaa9ff2a17fe5043df6485bfd7 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 13 May 2021 13:21:43 +0100 Subject: [PATCH 066/131] Link PSA_KEY_TYPE_PASSWORD in the documentation Signed-off-by: Janos Follath --- include/psa/crypto.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index e94a957137..8759d69756 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4328,7 +4328,7 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, * value derived from the password (eg. by a * memory-hard function). It must remain valid * until the operation terminates. It must be of - * type PSA_KEY_TYPE_PASSWORD or + * type #PSA_KEY_TYPE_PASSWORD or * #PSA_KEY_TYPE_DERIVE. It has to allow the usage * #PSA_KEY_USAGE_DERIVE. * From 60fa7c59b26aa1f5eee0aeaca00428159c391b0d Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 13 May 2021 13:36:32 +0100 Subject: [PATCH 067/131] PSA PAKE: document operation parameters Signed-off-by: Janos Follath --- include/psa/crypto.h | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 8759d69756..f49286ca7f 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4324,6 +4324,9 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, /** Set the password for a password-authenticated key exchange from key ID. * + * \param[in,out] operation The operation object to set the password for. It + * must have been set up by psa_pake_setup() and + * not yet in use. * \param password Identifier of the key holding the password or a * value derived from the password (eg. by a * memory-hard function). It must remain valid @@ -4358,6 +4361,9 @@ psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, * accessed through the key derivation interface and the result can be supplied * to the PAKE operation in the form of a key derivation object. * + * \param[in,out] operation The operation object to set the password for. It + * must have been set up by psa_pake_setup() and + * not yet in use. * \param key_derivation An ongoing key derivation operation set up from * the password and in a state suitable for * calling psa_key_derivation_output_bytes(). @@ -4391,6 +4397,9 @@ psa_status_t psa_pake_set_password_mhf(psa_pake_operation_t *operation, * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) * for more information. * + * \param[in,out] operation The operation object to set the user ID for. It + * must have been set up by psa_pake_setup() and + * not yet in use. * \param[in] user_id The user ID to authenticate with. * \param user_id_len Size of the \p user_id buffer in bytes. * @@ -4423,6 +4432,9 @@ psa_status_t psa_pake_set_user(psa_pake_operation_t *operation, * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) * for more information. * + * \param[in,out] operation The operation object to set the peer ID for. It + * must have been set up by psa_pake_setup() and + * not yet in use. * \param[in] peer_id The peer's ID to authenticate. * \param peer_id_len Size of the \p peer_id buffer in bytes. * @@ -4457,6 +4469,9 @@ psa_status_t psa_pake_set_peer(psa_pake_operation_t *operation, * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) * for more information. * + * \param[in,out] operation The operation object to set the side for. It + * must have been set up by psa_pake_setup() and + * not yet in use. * \param side A value of type ::psa_pake_side_t signaling the * side of the algorithm that is being set up. For * more information see the documentation of \c From ed82716546567583b42419338ffd0448f66a6171 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 13 May 2021 14:38:15 +0100 Subject: [PATCH 068/131] Remove always false comparison PSA_PAKE_PRIMITIVE Always false comparison triggered compiler warnings. Removing comparison while preserving semantics to achieve clean build. Signed-off-by: Janos Follath --- include/psa/crypto_values.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 174a1f1e0d..94616aad72 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2566,7 +2566,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * ::psa_pake_primitive_t. */ #define PSA_PAKE_PRIMITIVE(pake_type, pake_family, pake_bits) \ - (pake_bits > 0xFFFF) ? 0 : \ + ((pake_bits & 0xFFFF) != pake_bits) ? 0 : \ ((psa_pake_primitive_t) (((pake_type) << 24 | \ (pake_family) << 16) | (pake_bits))) From ef816f37be9e1d33639152bb4349680c973b8449 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 13 May 2021 16:01:47 +0100 Subject: [PATCH 069/131] Fix precedence in psa_pake_cs_set_primitive() Signed-off-by: Janos Follath --- include/psa/crypto_struct.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index a5f35cb9cf..b20a179729 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -497,7 +497,7 @@ static inline void psa_pake_cs_set_primitive( psa_pake_cipher_suite_t *cipher_suite, psa_pake_primitive_t primitive) { - cipher_suite->type = (psa_pake_primitive_type_t) primitive >> 24; + cipher_suite->type = (psa_pake_primitive_type_t) (primitive >> 24); cipher_suite->family = (psa_pake_family_t) ( 0xFF & (primitive >> 16) ); cipher_suite->bits = (uint16_t) ( 0xFFFF & primitive ); } From 14ce06afe270687e6490e038ab5d2e647b193b17 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 14 May 2021 11:26:23 +0100 Subject: [PATCH 070/131] PSA PAKE: fix documentation Signed-off-by: Janos Follath --- include/psa/crypto.h | 6 +++--- include/psa/crypto_values.h | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index f49286ca7f..87b4526eb4 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4139,7 +4139,7 @@ static void psa_pake_cs_set_algorithm( psa_algorithm_t algorithm ); -/** Retrieve the primitive type from a PAKE cipher suite. +/** Retrieve the primitive from a PAKE cipher suite. * * This function may be declared as `static` (i.e. without external linkage). * This function may be provided as a function-like macro, but in this case it @@ -4153,7 +4153,7 @@ static psa_pake_primitive_t psa_pake_cs_get_primitive( const psa_pake_cipher_suite_t* cipher_suite ); -/** Declare the primitive type for a PAKE cipher suite. +/** Declare the primitive for a PAKE cipher suite. * * This function overwrites any primitive previously set in \p cipher_suite. * @@ -4353,7 +4353,7 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, mbedtls_svc_key_id_t password); -/** Set the password for a password-authenticated key exchange with memory hard +/** Set the password for a password-authenticated key exchange via a memory hard * function. * * Some protocols require using values derived from passwords via memory hard diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 94616aad72..d1924db67b 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1988,7 +1988,7 @@ * J-PAKE doesn't differentiate between sides and has a distinct identifier * associated with each entity. This means that both psa_pake_set_user() and * psa_pake_set_peer() needs to be called before commencing the operation. - * Another conseque is that psa_pake_set_side() is optional and is ignored. + * Another consequence is that psa_pake_set_side() is optional and is ignored. * * The key exchange flow for JPAKE is as follows: * -# To get the first round data that needs to be sent to the peer, call From 1062a24152c32228ff0750256e84d77f97d39cb8 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 14 May 2021 12:02:55 +0100 Subject: [PATCH 071/131] Fix psa_pake_set_password_mhf() parameter list The type of the key derivation operation was incorrect. Also neither the PAKE nor key_derivation algorithm knows how many bytes to transfer at this stage. There is no optimal or recommended size, PAKEs don't mandate it either (with the exception of OPAQUE, but that uses it internally and won't be using this interface). Adding an input length parameter to allow the application to control how many bytes the PAKE takes from the key derivation. Signed-off-by: Janos Follath --- include/psa/crypto.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 87b4526eb4..00317f7ffd 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4367,6 +4367,8 @@ psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, * \param key_derivation An ongoing key derivation operation set up from * the password and in a state suitable for * calling psa_key_derivation_output_bytes(). + * \param input_length Number of bytes to input from the + * \p key_derivation operation. * * \retval #PSA_SUCCESS * Success. @@ -4385,7 +4387,8 @@ psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, * results in this error code. */ psa_status_t psa_pake_set_password_mhf(psa_pake_operation_t *operation, - psa_pake_operation_t *key_derivation); + psa_key_derivation_operation_t *key_derivation, + size_t input_length); /** Set the user ID for a password-authenticated key exchange. * From e1a080f1f8c82386da370d2893cf9d2b985d1e51 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 14 May 2021 12:16:36 +0100 Subject: [PATCH 072/131] Improve psa_pake_set_password_mhf() documentation Signed-off-by: Janos Follath --- include/psa/crypto.h | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 00317f7ffd..205c5fd8ae 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4361,14 +4361,14 @@ psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, * accessed through the key derivation interface and the result can be supplied * to the PAKE operation in the form of a key derivation object. * - * \param[in,out] operation The operation object to set the password for. It - * must have been set up by psa_pake_setup() and - * not yet in use. - * \param key_derivation An ongoing key derivation operation set up from - * the password and in a state suitable for - * calling psa_key_derivation_output_bytes(). - * \param input_length Number of bytes to input from the - * \p key_derivation operation. + * \param[in,out] operation The operation object to set the password for. + * It must have been set up by psa_pake_setup() + * and not yet in use. + * \param[in,out] key_derivation An ongoing key derivation operation set up + * from the password and in a state suitable for + * calling psa_key_derivation_output_bytes(). + * \param input_length Number of bytes to input from the + * \p key_derivation operation. * * \retval #PSA_SUCCESS * Success. From 7b8910322c701bb85a1ba7690ce1634537f0845a Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 14 May 2021 15:42:46 +0100 Subject: [PATCH 073/131] PSA PAKE: refine documentation of return values The key derivation operation passed to psa_pake_set_password_mhf() might enter an error state before the function returns. If this happens, the user needs to know about it so that they can properly abort it. Signed-off-by: Janos Follath --- include/psa/crypto.h | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 205c5fd8ae..6706ef8ea5 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4337,6 +4337,8 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, * * \retval #PSA_SUCCESS * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must have been set up.) * \retval #PSA_ERROR_CORRUPTION_DETECTED * \retval #PSA_ERROR_INVALID_HANDLE * \retval #PSA_ERROR_COMMUNICATION_FAILURE @@ -4361,6 +4363,16 @@ psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, * accessed through the key derivation interface and the result can be supplied * to the PAKE operation in the form of a key derivation object. * + * This function draws bytes from a key derivation algorithm and sets those + * bytes as a password for the password-authenticated key exchange. If you + * view the key derivation's output as a stream of bytes, this function + * destructively reads the requested number of bytes from the stream. + * The key derivation operation's capacity decreases by the number of bytes read. + * + * If this function returns #PSA_ERROR_INVALID_ARGUMENT, \p key_derivation + * enters an error state and must be aborted by calling + * psa_key_derivation_abort(). + * * \param[in,out] operation The operation object to set the password for. * It must have been set up by psa_pake_setup() * and not yet in use. @@ -4372,6 +4384,11 @@ psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, * * \retval #PSA_SUCCESS * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must have been set up.) + * \retval #PSA_ERROR_INSUFFICIENT_DATA + * The \p key_derivation operation's capacity was less than + * \p input_length bytes. * \retval #PSA_ERROR_CORRUPTION_DETECTED * \retval #PSA_ERROR_INVALID_HANDLE * \retval #PSA_ERROR_COMMUNICATION_FAILURE @@ -4379,8 +4396,8 @@ psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, * \retval #PSA_ERROR_STORAGE_FAILURE * \retval #PSA_ERROR_NOT_PERMITTED * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p key_derivation is not ready for a call to - * psa_key_derivation_output_bytes(). + * The call to psa_key_derivation_output_bytes() returned something + * other than #PSA_ERROR_INSUFFICIENT_DATA. * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -4409,7 +4426,7 @@ psa_status_t psa_pake_set_password_mhf(psa_pake_operation_t *operation, * \retval #PSA_SUCCESS * Success. * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid. + * The operation state is not valid (it must have been set up.) * \retval #PSA_ERROR_INSUFFICIENT_MEMORY * \retval #PSA_ERROR_COMMUNICATION_FAILURE * \retval #PSA_ERROR_HARDWARE_FAILURE @@ -4444,7 +4461,7 @@ psa_status_t psa_pake_set_user(psa_pake_operation_t *operation, * \retval #PSA_SUCCESS * Success. * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid. + * The operation state is not valid (it must have been set up.) * \retval #PSA_ERROR_NOT_SUPPORTED * The algorithm doesn't associate a second identity with the session. * \retval #PSA_ERROR_INSUFFICIENT_MEMORY From 9a04aeaff5e01abde65a972030e23ce9cf700c99 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 20 May 2021 16:21:01 +0100 Subject: [PATCH 074/131] PSA PAKE: improve and fix documentation Signed-off-by: Janos Follath --- include/psa/crypto.h | 30 ++++++++++++++++++------------ include/psa/crypto_sizes.h | 3 ++- include/psa/crypto_types.h | 6 +++--- include/psa/crypto_values.h | 12 ++++++------ 4 files changed, 29 insertions(+), 22 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 6706ef8ea5..fa4102278e 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4092,7 +4092,7 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, /**@}*/ -/** \defgroup Password-authenticated key agreement +/** \defgroup pake Password-authenticated key exchange (PAKE) * @{ */ @@ -4255,7 +4255,7 @@ static psa_pake_operation_t psa_pake_operation_init(void); * -# Initialize the operation object with one of the methods described in the * documentation for #psa_pake_operation_t, e.g. * #PSA_PAKE_OPERATION_INIT. - * -# Call psa_pake_setup() to specify cipher suite. + * -# Call psa_pake_setup() to specify the cipher suite. * -# Call \c psa_pake_set_xxx() functions on the operation to complete the * setup. The exact sequence of \c psa_pake_set_xxx() functions that needs * to be called depends on the algorithm in use. @@ -4323,6 +4323,11 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, psa_pake_cipher_suite_t cipher_suite); /** Set the password for a password-authenticated key exchange from key ID. + * + * Call this function when the password, or a value derived from the password, + * is already present in the key store. To calculate the password-derived value + * from a password input, use the key derivation interface and + * psa_pake_set_password_stretch() instead. * * \param[in,out] operation The operation object to set the password for. It * must have been set up by psa_pake_setup() and @@ -4332,8 +4337,8 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, * memory-hard function). It must remain valid * until the operation terminates. It must be of * type #PSA_KEY_TYPE_PASSWORD or - * #PSA_KEY_TYPE_DERIVE. It has to allow the usage - * #PSA_KEY_USAGE_DERIVE. + * #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow + * the usage #PSA_KEY_USAGE_DERIVE. * * \retval #PSA_SUCCESS * Success. @@ -4409,7 +4414,7 @@ psa_status_t psa_pake_set_password_mhf(psa_pake_operation_t *operation, /** Set the user ID for a password-authenticated key exchange. * - * Some PAKE algorithms assiciate only a single user identifier with the + * Some PAKE algorithms associate only a single user identifier with the * session. Such algorithms must call this function (psa_pake_set_user()) to * set the identifier for the PAKE context. * @@ -4444,7 +4449,7 @@ psa_status_t psa_pake_set_user(psa_pake_operation_t *operation, /** Set the peer ID for a password-authenticated key exchange. * - * Some PAKE algorithms assiciate only a single user identifier with the + * Some PAKE algorithms associate only a single user identifier with the * session. Such algorithms must call psa_pake_set_user() to set the * identifier for the PAKE context. * @@ -4514,7 +4519,7 @@ psa_status_t psa_pake_set_peer(psa_pake_operation_t *operation, psa_status_t psa_pake_set_side(psa_pake_operation_t *operation, psa_pake_side_t side); -/** Get additional key share from a password-authenticated key exchange. +/** Get output for a step of a password-authenticated key exchange. * * Depending on the algorithm being executed, you might need to call this * function several times or you might not need to call this at all. @@ -4529,7 +4534,8 @@ psa_status_t psa_pake_set_side(psa_pake_operation_t *operation, * state and must be aborted by calling psa_pake_abort(). * * \param[in,out] operation Active PAKE operation. - * \param type The type of the data that is requested. + * \param step The step of the algorithm for which the output is + * requested. * \param[out] output Buffer where the output is to be written. * \param output_size Size of the \p output buffer in bytes. This must * be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \c @@ -4556,12 +4562,12 @@ psa_status_t psa_pake_set_side(psa_pake_operation_t *operation, * results in this error code. */ psa_status_t psa_pake_output(psa_pake_operation_t *operation, - psa_pake_step_t type, + psa_pake_step_t step, uint8_t *output, size_t output_size, size_t *output_length); -/** Provide additional peer key share for a password-authenticated key exchange. +/** Provide input for a step of a password-authenticated key exchange. * * Depending on the algorithm being executed, you might need to call this * function several times or you might not need to call this at all. @@ -4576,7 +4582,7 @@ psa_status_t psa_pake_output(psa_pake_operation_t *operation, * state and must be aborted by calling psa_pake_abort(). * * \param[in,out] operation Active PAKE operation. - * \param type The type of the data provided. + * \param step The step for which the input is provided. * \param[out] input Buffer containing the input. * \param[out] input_length Size of the \p input buffer in bytes. * @@ -4596,7 +4602,7 @@ psa_status_t psa_pake_output(psa_pake_operation_t *operation, * results in this error code. */ psa_status_t psa_pake_input(psa_pake_operation_t *operation, - psa_pake_step_t type, + psa_pake_step_t step, uint8_t *input, size_t input_length); diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index d8fc9979bd..a603c9d298 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h @@ -1143,7 +1143,8 @@ * * \param alg A PAKE algorithm (PSA_ALG_XXX value such that * #PSA_ALG_IS_PAKE(\p alg) is true). - * \param primitive A primitive that is compatible with algorithm \p alg. + * \param primitive A primitive of type ::psa_pake_primitive_t that is + * compatible with algorithm \p alg. * \param output_step A value of type ::psa_pake_step_t that is valid for the * algorithm \p alg. * \return A sufficient output buffer size for the specified diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 5418bd76ea..5a66a8709e 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -387,7 +387,7 @@ typedef uint16_t psa_key_derivation_step_t; /** \brief Encoding of the side of PAKE * * Encodes which side of the algorithm is being executed. For more information - * see the documentation of individual PSA_PAKE_SIDE_XXX constants. + * see the documentation of individual \c PSA_PAKE_SIDE_XXX constants. */ typedef uint8_t psa_pake_side_t; @@ -405,14 +405,14 @@ typedef uint8_t psa_pake_step_t; * Vendors who define additional types must use an encoding in this range. * * For more information see the documentation of individual - * PSA_PAKE_PRIMITIVE_TYPE_XXX constants. + * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. */ typedef uint8_t psa_pake_primitive_type_t; /** \brief Encoding of the family of the primitive associated with the PAKE. * * For more information see the documentation of individual - * PSA_PAKE_PRIMITIVE_TYPE_XXX constants. + * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. */ typedef uint8_t psa_pake_family_t; diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index d1924db67b..c8a074caef 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1975,7 +1975,7 @@ * cipher suite the field or curve must be fully specified by calling * psa_pake_cs_set_family() and psa_pake_cs_set_bits() as well. For more * information refer to the documentation of the individual - * `PSA_PAKE_PRIMITIVE_TYPE_XXX` constants.) + * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants.) * * J-PAKE can be used with any secure cryptographic hash function. The choice * of hash must be supplied to the cipher suite by calling @@ -1987,7 +1987,7 @@ * * J-PAKE doesn't differentiate between sides and has a distinct identifier * associated with each entity. This means that both psa_pake_set_user() and - * psa_pake_set_peer() needs to be called before commencing the operation. + * psa_pake_set_peer() need to be called before commencing the operation. * Another consequence is that psa_pake_set_side() is optional and is ignored. * * The key exchange flow for JPAKE is as follows: @@ -2038,7 +2038,7 @@ * psa_pake_get_implicit_key() * * For more information consult the documentation of the individual - * PSA_PAKE_STEP_XXX constants. + * \c PSA_PAKE_STEP_XXX constants. * * J-PAKE is standardised for example in RFC 8236. */ @@ -2480,7 +2480,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * * Although balanced PAKE algorithms are symmetric, some of them needs an * ordering of peers for the transcript calculations. If the algorithm does not - * need this, either #PSA_PAKE_SIDE_FIRST or #PSA_PAKE_SIDE_SECOND are + * need this, both #PSA_PAKE_SIDE_FIRST and #PSA_PAKE_SIDE_SECOND are * accepted. */ #define PSA_PAKE_SIDE_FIRST ((psa_pake_side_t)0x01) @@ -2546,7 +2546,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) */ #define PSA_PAKE_PRIMITIVE_TYPE_DH ((psa_pake_primitive_type_t)0x02) -/** Construct a PAKE primitive from type, family and bitsize. +/** Construct a PAKE primitive from type, family and bit-size. * * \param pake_type The type of the primitive * (value of type ::psa_pake_primitive_type_t). @@ -2555,7 +2555,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) * on \p type, for more information consult the * documentation of individual ::psa_pake_primitive_type_t * constants). - * \param pake_bits The bitsize of the primitive + * \param pake_bits The bit-size of the primitive * (Value of type \c size_t. The interpretation * of this parameter depends on \p family, for more * information consult the documentation of individual From 19271ea1833b3fb24e9ca4e940cfcb87357fcd72 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 21 May 2021 12:38:12 +0100 Subject: [PATCH 075/131] PSA PAKE: Clarify documentation of valid states Signed-off-by: Janos Follath --- include/psa/crypto.h | 72 ++++++++++++++++++++++++++++++-------------- 1 file changed, 49 insertions(+), 23 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index fa4102278e..ce941ed2e1 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4300,7 +4300,9 @@ static psa_pake_operation_t psa_pake_operation_init(void); * * \param[in,out] operation The operation object to set up. It must have * been initialized as per the documentation for - * #psa_pake_operation_t and not yet in use. + * #psa_pake_operation_t and not yet in use (no + * other function has been called on it since the + * last initialization). * \param cipher_suite The cipher suite to use. (A cipher suite fully * characterizes a PAKE algorithm and determines * the algorithm as well.) @@ -4308,7 +4310,7 @@ static psa_pake_operation_t psa_pake_operation_init(void); * \retval #PSA_SUCCESS * Success. * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must be inactive). + * The operation state is not valid. * \retval #PSA_ERROR_NOT_SUPPORTED * The \p cipher_suite is not supported or is not valid. * \retval #PSA_ERROR_COMMUNICATION_FAILURE @@ -4331,7 +4333,13 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, * * \param[in,out] operation The operation object to set the password for. It * must have been set up by psa_pake_setup() and - * not yet in use. + * not yet in use (neither psa_pake_output() nor + * psa_pake_input() has been called yet). It must + * be on operation for which the password hasn't + * been set yet (neither + * psa_pake_set_password_mhf() nor + * psa_pake_set_password_key() has been called + * yet). * \param password Identifier of the key holding the password or a * value derived from the password (eg. by a * memory-hard function). It must remain valid @@ -4374,13 +4382,19 @@ psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, * destructively reads the requested number of bytes from the stream. * The key derivation operation's capacity decreases by the number of bytes read. * - * If this function returns #PSA_ERROR_INVALID_ARGUMENT, \p key_derivation - * enters an error state and must be aborted by calling - * psa_key_derivation_abort(). + * If this function returns anything other than #PSA_SUCCESS, both \p operation + * and \p key_derivation operations enter an error state and must be aborted by + * calling psa_pake_abort() and psa_key_derivation_abort() respectively. * * \param[in,out] operation The operation object to set the password for. * It must have been set up by psa_pake_setup() - * and not yet in use. + * and not yet in use (neither psa_pake_output() + * nor psa_pake_input() has been called yet). It + * must be on operation for which the password + * hasn't been set yet (neither + * psa_pake_set_password_mhf() nor + * psa_pake_set_password_key() has been called + * yet). * \param[in,out] key_derivation An ongoing key derivation operation set up * from the password and in a state suitable for * calling psa_key_derivation_output_bytes(). @@ -4390,7 +4404,7 @@ psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, * \retval #PSA_SUCCESS * Success. * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must have been set up.) + * The state of \p operation or \p key_derivation is not valid. * \retval #PSA_ERROR_INSUFFICIENT_DATA * The \p key_derivation operation's capacity was less than * \p input_length bytes. @@ -4400,9 +4414,8 @@ psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, * \retval #PSA_ERROR_HARDWARE_FAILURE * \retval #PSA_ERROR_STORAGE_FAILURE * \retval #PSA_ERROR_NOT_PERMITTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * The call to psa_key_derivation_output_bytes() returned something - * other than #PSA_ERROR_INSUFFICIENT_DATA. + * One of the inputs to \p key_derivation was a key whose policy didn't + * allow #PSA_KEY_USAGE_DERIVE. * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -4424,14 +4437,18 @@ psa_status_t psa_pake_set_password_mhf(psa_pake_operation_t *operation, * * \param[in,out] operation The operation object to set the user ID for. It * must have been set up by psa_pake_setup() and - * not yet in use. + * not yet in use (neither psa_pake_output() nor + * psa_pake_input() has been called yet). It must + * be on operation for which the user ID hasn't + * been set (psa_pake_set_user() hasn't been + * called yet). * \param[in] user_id The user ID to authenticate with. * \param user_id_len Size of the \p user_id buffer in bytes. * * \retval #PSA_SUCCESS * Success. * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must have been set up.) + * The operation state is not valid. * \retval #PSA_ERROR_INSUFFICIENT_MEMORY * \retval #PSA_ERROR_COMMUNICATION_FAILURE * \retval #PSA_ERROR_HARDWARE_FAILURE @@ -4459,14 +4476,18 @@ psa_status_t psa_pake_set_user(psa_pake_operation_t *operation, * * \param[in,out] operation The operation object to set the peer ID for. It * must have been set up by psa_pake_setup() and - * not yet in use. + * not yet in use (neither psa_pake_output() nor + * psa_pake_input() has been called yet). It must + * be on operation for which the peer ID hasn't + * been set (psa_pake_set_peer() hasn't been + * called yet). * \param[in] peer_id The peer's ID to authenticate. * \param peer_id_len Size of the \p peer_id buffer in bytes. * * \retval #PSA_SUCCESS * Success. * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must have been set up.) + * The operation state is not valid. * \retval #PSA_ERROR_NOT_SUPPORTED * The algorithm doesn't associate a second identity with the session. * \retval #PSA_ERROR_INSUFFICIENT_MEMORY @@ -4496,7 +4517,11 @@ psa_status_t psa_pake_set_peer(psa_pake_operation_t *operation, * * \param[in,out] operation The operation object to set the side for. It * must have been set up by psa_pake_setup() and - * not yet in use. + * not yet in use (neither psa_pake_output() nor + * psa_pake_input() has been called yet). It must + * be on operation for which the side hasn't been + * set (psa_pake_set_side() hasn't been called + * yet). * \param side A value of type ::psa_pake_side_t signaling the * side of the algorithm that is being set up. For * more information see the documentation of \c @@ -4505,7 +4530,7 @@ psa_status_t psa_pake_set_peer(psa_pake_operation_t *operation, * \retval #PSA_SUCCESS * Success. * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must have been set up). + * The operation state is not valid. * \retval #PSA_ERROR_NOT_SUPPORTED * The \p side for this algorithm is not supported or is not valid. * \retval #PSA_ERROR_COMMUNICATION_FAILURE @@ -4602,9 +4627,9 @@ psa_status_t psa_pake_output(psa_pake_operation_t *operation, * results in this error code. */ psa_status_t psa_pake_input(psa_pake_operation_t *operation, - psa_pake_step_t step, - uint8_t *input, - size_t input_length); + psa_pake_step_t step, + uint8_t *input, + size_t input_length); /** Get implicitly confirmed shared secret from a PAKE. * @@ -4620,9 +4645,10 @@ psa_status_t psa_pake_input(psa_pake_operation_t *operation, * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more * information. * - * When this function returns successfully, the operation becomes inactive. - * If this function returns an error status, the operation enters an error - * state and must be aborted by calling psa_pake_abort(). + * When this function returns successfully, \p operation becomes inactive. + * If this function returns an error status, both \p operation + * and \p key_derivation operations enter an error state and must be aborted by + * calling psa_pake_abort() and psa_key_derivation_abort() respectively. * * \param[in,out] operation Active PAKE operation. * \param[out] output A key derivation operation that is ready From 3ae6696811089c7211a69139fed840e489798b42 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 24 May 2021 12:09:00 +0100 Subject: [PATCH 076/131] Clarify psa_pake_setup() documentation Signed-off-by: Janos Follath --- include/psa/crypto.h | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index ce941ed2e1..02ed575574 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4264,24 +4264,15 @@ static psa_pake_operation_t psa_pake_operation_init(void); * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) * for more information. * - * Like in the case of completing setup, the exact sequence of calls to perform - * a password-authenticated key exchange depends on the algorithm in use: - * - Some algorithms exchange more data than just a single key share. When using - * such a algorithm, call psa_pake_output() and psa_pake_input() one or more - * times to exchange any further data that is needed to derive the shared - * secret. - * * A typical sequence of calls to perform a password-authenticated key * exchange: * -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the * key share that needs to be sent to the peer. * -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide * the key share that was received from the peer. + * -# Depending on the algorithm additional calls to psa_pake_output() and + * psa_pake_input() might be necessary. * -# Call psa_pake_get_implicit_key() for accessing the shared secret. - * -# Make a sequence of function calls to execute the password-authenticated - * key exchange as described below. - * -# Terminate the operation by a call to psa_pake_get_implicit_key() or - * psa_pake_abort(). * * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) From d416838ffd590563e819e7a1fac8f4389b216b3c Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 24 May 2021 12:20:12 +0100 Subject: [PATCH 077/131] Rename psa_pake_set_password_mhf() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This step is not necessarily a memory-hard function. Memory-hard functions are the best of the breed at the moment, but that's due to current hardware designs, and CPU-hard-but-not-memory-hard functions like PBKDF2 are acceptable as well. We're using “key stretching” as the generic term for such functions. Signed-off-by: Janos Follath --- include/psa/crypto.h | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 02ed575574..abf3da0df9 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4328,7 +4328,7 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, * psa_pake_input() has been called yet). It must * be on operation for which the password hasn't * been set yet (neither - * psa_pake_set_password_mhf() nor + * psa_pake_set_password_stretch() nor * psa_pake_set_password_key() has been called * yet). * \param password Identifier of the key holding the password or a @@ -4359,11 +4359,11 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, mbedtls_svc_key_id_t password); -/** Set the password for a password-authenticated key exchange via a memory hard - * function. +/** Set the password for a password-authenticated key exchange via a key + * stretching function. * - * Some protocols require using values derived from passwords via memory hard - * functions to mitigate dictionary attacks. Memory hard functions can be + * Some protocols use values derived from passwords via key stretching + * functions to mitigate dictionary attacks. Key stretching functions can be * accessed through the key derivation interface and the result can be supplied * to the PAKE operation in the form of a key derivation object. * @@ -4383,7 +4383,7 @@ psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, * nor psa_pake_input() has been called yet). It * must be on operation for which the password * hasn't been set yet (neither - * psa_pake_set_password_mhf() nor + * psa_pake_set_password_stretch() nor * psa_pake_set_password_key() has been called * yet). * \param[in,out] key_derivation An ongoing key derivation operation set up @@ -4412,9 +4412,11 @@ psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t psa_pake_set_password_mhf(psa_pake_operation_t *operation, - psa_key_derivation_operation_t *key_derivation, - size_t input_length); +psa_status_t psa_pake_set_password_stretch( + psa_pake_operation_t *operation, + psa_key_derivation_operation_t *key_derivation, + size_t input_length + ); /** Set the user ID for a password-authenticated key exchange. * From ead0e4fc7b6b9be06992d4e584f6eb93b0c899bc Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 25 May 2021 14:16:52 +0100 Subject: [PATCH 078/131] PSA PAKE: Clarify J-PAKE algorithm documentation - Transformed setup description to a more explicit pseudocode based approach. - Explained implicit vs explicit key confirmation Signed-off-by: Janos Follath --- include/psa/crypto.h | 4 ++- include/psa/crypto_values.h | 65 +++++++++++++++++++++++++------------ 2 files changed, 48 insertions(+), 21 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index abf3da0df9..2fe797a3b9 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4350,7 +4350,7 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, * \retval #PSA_ERROR_STORAGE_FAILURE * \retval #PSA_ERROR_NOT_PERMITTED * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p key is not compatible with the algorithm in \p cipher_suite. + * \p key is not compatible with the algorithm or the cipher suite. * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -4407,6 +4407,8 @@ psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, * \retval #PSA_ERROR_NOT_PERMITTED * One of the inputs to \p key_derivation was a key whose policy didn't * allow #PSA_KEY_USAGE_DERIVE. + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p key is not compatible with the algorithm or the cipher suite. * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index c8a074caef..527b9c30d2 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1968,29 +1968,44 @@ /** The Password-authenticated key exchange by juggling (J-PAKE) algorithm. * - * J-PAKE can be instantiated over finite fields or elliptic curves. This can - * be achieved by setting either #PSA_PAKE_PRIMITIVE_TYPE_DH or - * #PSA_PAKE_PRIMITIVE_TYPE_ECC respectively in the cipher suite (see - * ::psa_pake_cipher_suite_t) via psa_pake_cs_set_type(). (Before using the - * cipher suite the field or curve must be fully specified by calling - * psa_pake_cs_set_family() and psa_pake_cs_set_bits() as well. For more - * information refer to the documentation of the individual - * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants.) + * This is J-PAKE as defined by RFC 8236, instantiated with the following + * parameters: * - * J-PAKE can be used with any secure cryptographic hash function. The choice - * of hash must be supplied to the cipher suite by calling - * psa_pake_cs_set_hash(). + * - The group can be either an elliptic curve or defined over a finite field. + * - Schnorr NIZK proof as defined by RFC 8235 and using the same group as the + * J-PAKE algorithm. + * - A secure cryptographic hash function. * - * In theory the algorithm works with any non-interactive zero-knowledge proof. - * Implementations of the present specification use Schnorr NIZKP and this does - * not need to be configured in the cipher suites. + * To select these parameters and set up the cipher suite, call + * psa_pake_cs_set_algorithm(cipher_suite, PSA_ALG_PAKE_JPAKE); + * psa_pake_cs_set_primitive(cipher_suite, + * PSA_PAKE_PRIMITIVE(type, family, bits)); + * psa_pake_cs_set_hash(cipher_suite, hash); * - * J-PAKE doesn't differentiate between sides and has a distinct identifier - * associated with each entity. This means that both psa_pake_set_user() and - * psa_pake_set_peer() need to be called before commencing the operation. - * Another consequence is that psa_pake_set_side() is optional and is ignored. + * For more information on how to set a specific curve or field, refer to the + * documentation of the individual \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. * - * The key exchange flow for JPAKE is as follows: + * After initializing a J-PAKE operation, call + * psa_pake_setup(operation, cipher_suite); + * psa_pake_set_user(operation, ...); + * psa_pake_set_peer(operation, ...); + * and either + * psa_pake_set_password_stretch(operation, ...); + * or + * psa_pake_set_password_key(operation, ...); + * + * Either way the password is read as a byte array and must be non-empty. This + * can be the password itself (in some pre-defined character encoding) or some + * value derived from the password as mandated by some higher level protocol. + * + * (The implementation converts this byte array to a number as described in + * Section 2.3.8 of _SEC 1: Elliptic Curve Cryptography_ + * (https://www.secg.org/sec1-v2.pdf), before reducing it modulo \c q. Here + * \c q is order of the group defined by the primitive set in the cipher suite. + * The \c psa_pake_set_password_xxx() functions return an error if the result + * of the reduction is 0.) + * + * The key exchange flow for J-PAKE is as follows: * -# To get the first round data that needs to be sent to the peer, call * // Get g1 * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); @@ -2040,7 +2055,17 @@ * For more information consult the documentation of the individual * \c PSA_PAKE_STEP_XXX constants. * - * J-PAKE is standardised for example in RFC 8236. + * At this point there is a cryptographic guarantee that only the authenticated + * party who used the same password is able to compute the key. But there is no + * guarantee that the peer is the party he claims to be and was able to do so. + * + * That is, the authentication is only implicit (the peer is not authenticated + * at this point, and no action should be taken that assume that they are - like + * for example accessing restricted files). + * + * To make the authentication explicit there are various methods, see Section 5 + * of RFC 8236 for two examples. + * */ #define PSA_ALG_PAKE_JPAKE ((psa_algorithm_t)0x0a000100) From 56a4d7a59fb171f4c16ca4fde54ba04aaf7e8d91 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 25 May 2021 15:35:11 +0100 Subject: [PATCH 079/131] Simplify PAKE input/output format documentation Make input/output format documentation easier to find: - Add direct reference to the steps from the input/output functions - Move the format description directly to the step constants Signed-off-by: Janos Follath --- include/psa/crypto.h | 12 ++++++++++-- include/psa/crypto_values.h | 38 +++++++++++++++++++++++++++---------- 2 files changed, 38 insertions(+), 12 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 2fe797a3b9..3df82d91d8 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4556,7 +4556,11 @@ psa_status_t psa_pake_set_side(psa_pake_operation_t *operation, * \param[in,out] operation Active PAKE operation. * \param step The step of the algorithm for which the output is * requested. - * \param[out] output Buffer where the output is to be written. + * \param[out] output Buffer where the output is to be written in the + * format appropriate for this \p step. Refer to + * the documentation of the individual + * \c PSA_PAKE_STEP_XXX constants for more + * information. * \param output_size Size of the \p output buffer in bytes. This must * be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \c * cipher_suite, \p type). @@ -4603,7 +4607,11 @@ psa_status_t psa_pake_output(psa_pake_operation_t *operation, * * \param[in,out] operation Active PAKE operation. * \param step The step for which the input is provided. - * \param[out] input Buffer containing the input. + * \param[out] input Buffer containing the input in the format + * appropriate for this \p step. Refer to the + * documentation of the individual + * \c PSA_PAKE_STEP_XXX constants for more + * information. * \param[out] input_length Size of the \p input buffer in bytes. * * \retval #PSA_SUCCESS diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 527b9c30d2..ab9bb5b8bd 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2597,29 +2597,47 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) /** The key share being sent to or received from the peer. * - * Unless the documentation of the PAKE algorithm says otherwise this is a - * group element. + * The format for both input and output at this step is the same as for public + * keys on the group determined by the primitive (::psa_pake_primitive_t) would + * be. * - * For information regarding representation consult the documentation of - * individual ::psa_pake_primitive_type_t constants. + * For more information on the format, consult the documentation of + * psa_export_public_key(). + * + * For information regarding how the group is determined, consult the + * documentation #PSA_PAKE_PRIMITIVE. */ #define PSA_PAKE_STEP_KEY_SHARE ((psa_pake_step_t)0x01) /** A Schnorr NIZKP public key. * - * This is a group element. + * The format for both input and output at this step is the same as for public + * keys on the group determined by the primitive (::psa_pake_primitive_t) would + * be. * - * For information regarding representation consult the documentation of - * individual ::psa_pake_primitive_type_t constants. + * For more information on the format, consult the documentation of + * psa_export_public_key(). + * + * For information regarding how the group is determined, consult the + * documentation #PSA_PAKE_PRIMITIVE. */ #define PSA_PAKE_STEP_ZK_PUBLIC ((psa_pake_step_t)0x02) /** A Schnorr NIZKP proof. * - * This is a scalar value. + * The format for both input and output at this step is the same as for private + * keys on the group determined by the primitive (::psa_pake_primitive_t) would + * be. * - * For information regarding representation consult the documentation of - * individual ::psa_pake_primitive_type_t constants. + * Some public key algorithms mask the private keys and this might be reflected + * in the export format. Even if this is the case the masking is omitted at + * this step. + * + * For more information on the format, consult the documentation of + * psa_export_key(). + * + * For information regarding how the group is determined, consult the + * documentation #PSA_PAKE_PRIMITIVE. */ #define PSA_PAKE_STEP_ZK_PROOF ((psa_pake_step_t)0x03) From 7c59b7a073fc6430bda38177769eb4e93c82ba0e Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 25 May 2021 15:46:56 +0100 Subject: [PATCH 080/131] Improve psa_pake_set_peer()/user() documentation Signed-off-by: Janos Follath --- include/psa/crypto.h | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 3df82d91d8..2d4c80df92 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4422,9 +4422,10 @@ psa_status_t psa_pake_set_password_stretch( /** Set the user ID for a password-authenticated key exchange. * - * Some PAKE algorithms associate only a single user identifier with the - * session. Such algorithms must call this function (psa_pake_set_user()) to - * set the identifier for the PAKE context. + * Call this function to set the user ID. For PAKE algorithms that associate a + * user identifier with each side of the session you need to call + * psa_pake_set_peer() as well. For PAKE algorithms that associate a single + * user identifier with the session, call psa_pake_set_user() only. * * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) @@ -4461,9 +4462,10 @@ psa_status_t psa_pake_set_user(psa_pake_operation_t *operation, /** Set the peer ID for a password-authenticated key exchange. * - * Some PAKE algorithms associate only a single user identifier with the - * session. Such algorithms must call psa_pake_set_user() to set the - * identifier for the PAKE context. + * Call this function in addition to psa_pake_set_user() for PAKE algorithms + * that associate a user identifier with each side of the session. For PAKE + * algorithms that associate a single user identifier with the session, call + * psa_pake_set_user() only. * * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) From 79e1c47a54c0504b42827343df0b61a2e10ef721 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 25 May 2021 15:53:13 +0100 Subject: [PATCH 081/131] PSA PAKE: explain implicit key confirmation Signed-off-by: Janos Follath --- include/psa/crypto.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 2d4c80df92..bbdd06d5ae 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4637,6 +4637,14 @@ psa_status_t psa_pake_input(psa_pake_operation_t *operation, size_t input_length); /** Get implicitly confirmed shared secret from a PAKE. + * + * At this point there is a cryptographic guarantee that only the authenticated + * party who used the same password is able to compute the key. But there is no + * guarantee that the peer is the party he claims to be and was able to do so. + * + * That is, the authentication is only implicit (the peer is not authenticated + * at this point, and no action should be taken that assume that they are - like + * for example accessing restricted files). * * This function can be called after the key exchange phase of the operation * has completed. It imports the shared secret output of the PAKE into the From d60b6c62d57563b04caa1ee0470fb0d1354302d5 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 29 Apr 2021 12:04:11 +0100 Subject: [PATCH 082/131] Remove per-version ciphersuite configuration API MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit removes the API ``` mbedtls_ssl_conf_ciphersuites_for_version() ``` which allows to configure lists of acceptable ciphersuites for each supported version of SSL/TLS: SSL3, TLS 1.{0,1,2}. With Mbed TLS 3.0, support for SSL3, TLS 1.0 and TLS 1.1 is dropped. Moreover, upcoming TLS 1.3 support has a different notion of cipher suite and will require a different API. This means that it's only for TLS 1.2 that we require a ciphersuite configuration API, and ``` mbedtls_ssl_conf_ciphersuites() ``` can be used for that. The version-specific ciphersuite configuration API `mbedtls_ssl_conf_ciphersuites_for_version()`, in turn, is no longer needed. Signed-off-by: Hanno Becker Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/ssl.h | 38 +----------------- library/ssl_cli.c | 7 ++-- library/ssl_srv.c | 2 +- library/ssl_tls.c | 80 ++------------------------------------ programs/ssl/ssl_server2.c | 63 ------------------------------ tests/ssl-opt.sh | 11 ------ 6 files changed, 9 insertions(+), 192 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 677ed9869b..b5b91f3e17 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -976,10 +976,8 @@ struct mbedtls_ssl_config * Pointers */ - /** Allowed ciphersuites per version. To access list's elements, please use - * \c mbedtls_ssl_get_protocol_version_ciphersuites - */ - const int *ciphersuite_list[3]; + /** Allowed ciphersuites for (D)TLS 1.2 (0-terminated) */ + const int *ciphersuite_list; /** Callback for printing debug output */ void (*f_dbg)(void *, int, const char *, int, const char *); @@ -2508,17 +2506,6 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, const int *ciphersuites ); -/** - * \brief Get ciphersuite for given protocol's minor version. - * - * \param conf The SSL configuration. - * \param prot_version Protocol version. One of MBEDTLS_SSL_MINOR_VERSION_x macros. - * \return Ciphersuites pointer if successful. - * \return \c NULL if no ciphersuites where found. - */ -const int *mbedtls_ssl_get_protocol_version_ciphersuites( - const mbedtls_ssl_config *conf, int prot_version ); - #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) #define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0 #define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 1 @@ -2558,27 +2545,6 @@ int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len, int ignore_other_cids ); #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -/** - * \brief Set the list of allowed ciphersuites and the - * preference order for a specific version of the protocol. - * (Only useful on the server side) - * - * The ciphersuites array is not copied, and must remain - * valid for the lifetime of the ssl_config. - * - * \param conf SSL configuration - * \param ciphersuites 0-terminated list of allowed ciphersuites - * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 - * supported) - * \param minor Minor version number (only MBEDTLS_SSL_MINOR_VERSION_3 - * supported) - * - * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 - */ -void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf, - const int *ciphersuites, - int major, int minor ); - #if defined(MBEDTLS_X509_CRT_PARSE_C) /** * \brief Set the X.509 security profile used for verification diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 6cf283e1db..12ed0fbb27 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1155,8 +1155,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) /* * Ciphersuite list */ - ciphersuites = mbedtls_ssl_get_protocol_version_ciphersuites( ssl->conf, - ssl->minor_ver ); + ciphersuites = ssl->conf->ciphersuite_list; /* Skip writing ciphersuite length for now */ n = 0; @@ -2244,7 +2243,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) i = 0; while( 1 ) { - if( mbedtls_ssl_get_protocol_version_ciphersuites( ssl->conf, ssl->minor_ver )[i] == 0 ) + if( ssl->conf->ciphersuite_list[i] == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); mbedtls_ssl_send_alert_message( @@ -2254,7 +2253,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - if( mbedtls_ssl_get_protocol_version_ciphersuites( ssl->conf, ssl->minor_ver )[i++] == + if( ssl->conf->ciphersuite_list[i++] == ssl->session_negotiate->ciphersuite ) { break; diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 8f13a2cec0..4fe6b02f10 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1870,7 +1870,7 @@ read_record_header: * and certificate from the SNI callback triggered by the SNI extension.) */ got_common_suite = 0; - ciphersuites = mbedtls_ssl_get_protocol_version_ciphersuites( ssl->conf, ssl->minor_ver ); + ciphersuites = ssl->conf->ciphersuite_list; ciphersuite_info = NULL; #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 342832f120..9b8c05f761 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3514,73 +3514,10 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session } #endif /* MBEDTLS_SSL_CLI_C */ -static int protocol_version_to_ciphersuites_list_index(int prot_version) -{ - switch(prot_version) { - case MBEDTLS_SSL_MINOR_VERSION_1: - return 0; - case MBEDTLS_SSL_MINOR_VERSION_2: - return 1; - case MBEDTLS_SSL_MINOR_VERSION_3: - return 2; - default: - return -1; - }; -} - -static void set_protocol_version_ciphersuites( mbedtls_ssl_config *conf, - int prot_version, - const int* ciphersuites ) -{ - int ciphersuite_list_index = - protocol_version_to_ciphersuites_list_index(prot_version); - if ( ciphersuite_list_index >= 0 && - (unsigned int)ciphersuite_list_index < - sizeof(conf->ciphersuite_list)/sizeof(conf->ciphersuite_list[0]) ) - { - conf->ciphersuite_list[ciphersuite_list_index] = ciphersuites; - } -} - void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, const int *ciphersuites ) { - set_protocol_version_ciphersuites(conf, MBEDTLS_SSL_MINOR_VERSION_1, - ciphersuites); - set_protocol_version_ciphersuites(conf, MBEDTLS_SSL_MINOR_VERSION_2, - ciphersuites); - set_protocol_version_ciphersuites(conf, MBEDTLS_SSL_MINOR_VERSION_3, - ciphersuites); -} - -const int *mbedtls_ssl_get_protocol_version_ciphersuites( - const mbedtls_ssl_config *conf, int prot_version ) -{ - int ciphersuite_list_index = - protocol_version_to_ciphersuites_list_index(prot_version); - if ( ciphersuite_list_index >= 0 && - (unsigned int)ciphersuite_list_index < - sizeof(conf->ciphersuite_list)/sizeof(conf->ciphersuite_list[0]) ) - { - return conf->ciphersuite_list[ciphersuite_list_index]; - } - else - { - return NULL; - } -} - -void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf, - const int *ciphersuites, - int major, int minor ) -{ - if( major != MBEDTLS_SSL_MAJOR_VERSION_3 ) - return; - - if( minor != MBEDTLS_SSL_MINOR_VERSION_3 ) - return; - - set_protocol_version_ciphersuites(conf, minor, ciphersuites); + conf->ciphersuite_list = ciphersuites; } #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -6278,12 +6215,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; - set_protocol_version_ciphersuites(conf, MBEDTLS_SSL_MINOR_VERSION_1, - ssl_preset_suiteb_ciphersuites); - set_protocol_version_ciphersuites(conf, MBEDTLS_SSL_MINOR_VERSION_2, - ssl_preset_suiteb_ciphersuites); - set_protocol_version_ciphersuites(conf, MBEDTLS_SSL_MINOR_VERSION_3, - ssl_preset_suiteb_ciphersuites); + conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites; #if defined(MBEDTLS_X509_CRT_PARSE_C) conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; @@ -6317,13 +6249,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; #endif - const int* default_ciphersuites = mbedtls_ssl_list_ciphersuites(); - set_protocol_version_ciphersuites(conf, MBEDTLS_SSL_MINOR_VERSION_1, - default_ciphersuites); - set_protocol_version_ciphersuites(conf, MBEDTLS_SSL_MINOR_VERSION_2, - default_ciphersuites); - set_protocol_version_ciphersuites(conf, MBEDTLS_SSL_MINOR_VERSION_3, - default_ciphersuites); + conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites(); #if defined(MBEDTLS_X509_CRT_PARSE_C) conf->cert_profile = &mbedtls_x509_crt_profile_default; diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index ef55a7c250..0e7b7f929b 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -93,7 +93,6 @@ int main( void ) #define DFL_ECJPAKE_PW NULL #define DFL_PSK_LIST NULL #define DFL_FORCE_CIPHER 0 -#define DFL_VERSION_SUITES NULL #define DFL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION_DISABLED #define DFL_ALLOW_LEGACY -2 #define DFL_RENEGOTIATE 0 @@ -501,9 +500,6 @@ int main( void ) " force_version=%%s default: \"\" (none)\n" \ " options: tls1_2, dtls1_2\n" \ "\n" \ - " version_suites=a,b,c per-version ciphersuites\n" \ - " in order from tls1 to tls1_2\n" \ - " default: all enabled\n" \ " force_ciphersuite= default: all enabled\n" \ " query_config= return 0 if the specified\n" \ " configuration macro is defined and 1\n" \ @@ -565,7 +561,6 @@ struct options char *psk_list; /* list of PSK id/key pairs for callback */ const char *ecjpake_pw; /* the EC J-PAKE password */ int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ - const char *version_suites; /* per-version ciphersuites */ int renegotiation; /* enable / disable renegotiation */ int allow_legacy; /* allow legacy renegotiation */ int renegotiate; /* attempt renegotiation? */ @@ -1253,7 +1248,6 @@ int main( int argc, char *argv[] ) { int ret = 0, len, written, frags, exchanges_left; int query_config_ret = 0; - int version_suites[3][2]; io_ctx_t io_ctx; unsigned char* buf = 0; #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) @@ -1481,7 +1475,6 @@ int main( int argc, char *argv[] ) opt.psk_list = DFL_PSK_LIST; opt.ecjpake_pw = DFL_ECJPAKE_PW; opt.force_ciphersuite[0]= DFL_FORCE_CIPHER; - opt.version_suites = DFL_VERSION_SUITES; opt.renegotiation = DFL_RENEGOTIATION; opt.allow_legacy = DFL_ALLOW_LEGACY; opt.renegotiate = DFL_RENEGOTIATE; @@ -1669,8 +1662,6 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "curves" ) == 0 ) opt.curves = q; - else if( strcmp( p, "version_suites" ) == 0 ) - opt.version_suites = q; else if( strcmp( p, "renegotiation" ) == 0 ) { opt.renegotiation = (atoi( q )) ? @@ -2067,47 +2058,6 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_USE_PSA_CRYPTO */ } - if( opt.version_suites != NULL ) - { - const char *name[3] = { 0 }; - - /* Parse 4-element coma-separated list */ - for( i = 0, p = (char *) opt.version_suites; - i < 3 && *p != '\0'; - i++ ) - { - name[i] = p; - - /* Terminate the current string and move on to next one */ - while( *p != ',' && *p != '\0' ) - p++; - if( *p == ',' ) - *p++ = '\0'; - } - - if( i != 3 ) - { - mbedtls_printf( "too few values for version_suites\n" ); - ret = 1; - goto exit; - } - - memset( version_suites, 0, sizeof( version_suites ) ); - - /* Get the suites identifiers from their name */ - for( i = 0; i < 3; i++ ) - { - version_suites[i][0] = mbedtls_ssl_get_ciphersuite_id( name[i] ); - - if( version_suites[i][0] == 0 ) - { - mbedtls_printf( "unknown ciphersuite: '%s'\n", name[i] ); - ret = 2; - goto usage; - } - } - } - #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if( mbedtls_test_unhexify( cid, sizeof( cid ), opt.cid_val, &cid_len ) != 0 ) @@ -2689,19 +2639,6 @@ int main( int argc, char *argv[] ) if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite ); - if( opt.version_suites != NULL ) - { - mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[0], - MBEDTLS_SSL_MAJOR_VERSION_3, - MBEDTLS_SSL_MINOR_VERSION_1 ); - mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[1], - MBEDTLS_SSL_MAJOR_VERSION_3, - MBEDTLS_SSL_MINOR_VERSION_2 ); - mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[2], - MBEDTLS_SSL_MAJOR_VERSION_3, - MBEDTLS_SSL_MINOR_VERSION_3 ); - } - if( opt.allow_legacy != DFL_ALLOW_LEGACY ) mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy ); #if defined(MBEDTLS_SSL_RENEGOTIATION) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 1d49dc5cbf..a54aab1f64 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -5614,17 +5614,6 @@ run_test "ECJPAKE: working, DTLS, nolog" \ force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \ 0 -# Tests for ciphersuites per version - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_CAMELLIA_C -requires_config_enabled MBEDTLS_AES_C -run_test "Per-version suites: TLS 1.2" \ - "$P_SRV version_suites=TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \ - "$P_CLI force_version=tls1_2" \ - 0 \ - -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256" - # Test for ClientHello without extensions requires_gnutls From cac90a15edff69afca15837d3187a4bf655d37be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 4 Jun 2021 11:42:30 +0200 Subject: [PATCH 083/131] Hide constants for TLS 1.0 and TLS 1.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ssl_server2 had a check that we never try to use a minor version lower than 2 with DTLS, but that check is no longer needed, as there's no way that would happen now that MBEDTLS_SSL_MINOR_VERSION_1 is no longer public. Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/ssl.h | 4 ---- library/ssl_ciphersuites.c | 1 + library/ssl_misc.h | 10 ++++++++++ programs/ssl/ssl_server2.c | 4 ---- 4 files changed, 11 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index b5b91f3e17..c6bd35814e 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -125,14 +125,10 @@ */ /* These are the high an low bytes of ProtocolVersion as defined by: - * - RFC 2246: ProtocolVersion version = { 3, 1 }; // TLS v1.0 - * - RFC 4346: ProtocolVersion version = { 3, 2 }; // TLS v1.1 * - RFC 5246: ProtocolVersion version = { 3, 3 }; // TLS v1.2 * - RFC 8446: see section 4.2.1 */ #define MBEDTLS_SSL_MAJOR_VERSION_3 3 -#define MBEDTLS_SSL_MINOR_VERSION_1 1 /*!< TLS v1.0 deprecated */ -#define MBEDTLS_SSL_MINOR_VERSION_2 2 /*!< TLS v1.1 deprecated */ #define MBEDTLS_SSL_MINOR_VERSION_3 3 /*!< TLS v1.2 */ #define MBEDTLS_SSL_MINOR_VERSION_4 4 /*!< TLS v1.3 (experimental) */ diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index 00dcd07976..1bda9c0666 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -31,6 +31,7 @@ #include "mbedtls/ssl_ciphersuites.h" #include "mbedtls/ssl.h" +#include "ssl_misc.h" #include diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 73ffdef92e..e5ec13118e 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -65,6 +65,16 @@ #define inline __inline #endif +/* Legacy minor version numbers as defined by: + * - RFC 2246: ProtocolVersion version = { 3, 1 }; // TLS v1.0 + * - RFC 4346: ProtocolVersion version = { 3, 2 }; // TLS v1.1 + * + * We no longer support these versions, but some code still references those + * constants, for keep them for now until we clean up that code. + */ +#define MBEDTLS_SSL_MINOR_VERSION_1 1 +#define MBEDTLS_SSL_MINOR_VERSION_2 2 + /* Determine minimum supported version */ #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 0e7b7f929b..151c811e31 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -2027,10 +2027,6 @@ int main( int argc, char *argv[] ) if( opt.min_version < ciphersuite_info->min_minor_ver ) { opt.min_version = ciphersuite_info->min_minor_ver; - /* DTLS starts with TLS 1.1 */ - if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - opt.min_version < MBEDTLS_SSL_MINOR_VERSION_2 ) - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2; } #if defined(MBEDTLS_USE_PSA_CRYPTO) From 9371a404767f8225f7ef7e0264e7c2f69bc459d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 4 Jun 2021 11:44:44 +0200 Subject: [PATCH 084/131] Stop referencing private constants in documentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/ssl.h | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index c6bd35814e..dc37bc310a 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3191,8 +3191,7 @@ void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ss * * \param conf SSL configuration * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported) - * \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2, - * MBEDTLS_SSL_MINOR_VERSION_3 supported) + * \param minor Minor version number (only MBEDTLS_SSL_MINOR_VERSION_3 supported) */ void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor ); @@ -3207,9 +3206,7 @@ void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int mino * * \param conf SSL configuration * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported) - * \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_1, - * MBEDTLS_SSL_MINOR_VERSION_2, - * MBEDTLS_SSL_MINOR_VERSION_3 supported) + * \param minor Minor version number (only MBEDTLS_SSL_MINOR_VERSION_3 supported) */ void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor ); From 2f458d3dccb0405bdf006bb48522a9a03cce8870 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 3 Jun 2021 17:58:13 +0100 Subject: [PATCH 085/131] Update README to document minimum tool versions Fixes #4379. Signed-off-by: Dave Rodgman --- README.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 3f41a0d76d..78d3c30cfd 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ Documentation for the Mbed TLS interfaces in the default library configuration i To generate a local copy of the library documentation in HTML format, tailored to your compile-time configuration: -1. Make sure that [Doxygen](http://www.doxygen.nl/) is installed. We use version 1.8.11 but slightly older or more recent versions should work. +1. Make sure that [Doxygen](http://www.doxygen.nl/) is installed. 1. Run `make apidoc`. 1. Browse `apidoc/index.html` or `apidoc/modules.html`. @@ -39,7 +39,7 @@ There are currently three active build systems used within Mbed TLS releases: - GNU Make - CMake -- Microsoft Visual Studio (Microsoft Visual Studio 2013 or later) +- Microsoft Visual Studio The main systems used for development are CMake and GNU Make. Those systems are always complete and up-to-date. The others should reflect all changes present in the CMake and Make build system, although features may not be ported there automatically. @@ -49,10 +49,13 @@ The Make and CMake build systems create three libraries: libmbedcrypto, libmbedx You need the following tools to build the library with the provided makefiles: -* GNU Make or a build tool that CMake supports. -* A C99 toolchain (compiler, linker, archiver). We actively test with GCC 5.4, Clang 3.8, IAR8 and Visual Studio 2013. More recent versions should work. Slightly older versions may work. -* Python 3 to generate the test code, and to generate sample programs in the development branch. +* GNU Make 3.82 or a build tool that CMake supports. +* A C99 toolchain (compiler, linker, archiver). We actively test with GCC 5.4, Clang 3.8, IAR 8 and Visual Studio 2013. More recent versions should work. Slightly older versions may work. +* Python 3.6 to generate the test code, and to generate sample programs in the development branch. * Perl to run the tests, and to generate some source files in the development branch. +* CMake 3.10.2 or later (if using CMake). +* Microsoft Visual Studio 2013 or later (if using Visual Studio). +* Doxygen 1.8.11 or later (if building the documentation; slightly older versions should work). ### Generated source files in the development branch From f21e4621f8933533e28d78402dc5c6d43d9f8555 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 4 Jun 2021 14:15:27 +0100 Subject: [PATCH 086/131] Changelog entry for updated tool versions Signed-off-by: Dave Rodgman --- ChangeLog.d/tool-versions.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/tool-versions.txt diff --git a/ChangeLog.d/tool-versions.txt b/ChangeLog.d/tool-versions.txt new file mode 100644 index 0000000000..b89b384aa3 --- /dev/null +++ b/ChangeLog.d/tool-versions.txt @@ -0,0 +1,4 @@ +Requirement changes + * Refresh the minimum supported versions of tools to build the + library. CMake versions older than 3.10.2 and Python older + than 3.6 are no longer supported. From be4af04fcffcfebe44fa12d39388817d9949a9f3 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 4 Jun 2021 17:04:20 +0100 Subject: [PATCH 087/131] Update minimum CMake version in CMakeLists.txt Signed-off-by: Dave Rodgman --- CMakeLists.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index f648f2299b..efe3cab65a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -16,7 +16,9 @@ # mbedtls, mbedx509, mbedcrypto and apidoc targets. # -cmake_minimum_required(VERSION 2.8.12) +# We specify a minimum requirement of 3.10.2, but for now use 3.5.1 here +# until our infrastructure catches up. +cmake_minimum_required(VERSION 3.5.1) # https://cmake.org/cmake/help/latest/policy/CMP0011.html # Setting this policy is required in CMake >= 3.18.0, otherwise a warning is generated. The OLD From 3b5a7c198c51e09342ed83947057375533aaff36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 7 Jun 2021 11:13:34 +0200 Subject: [PATCH 088/131] Update ChangeLog and migration guide MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/issue4286.txt | 15 ++++++++------ ...ve_support_for_tls_1.0_1.1_and_dtls_1.0.md | 20 +++++++++++++++++-- 2 files changed, 27 insertions(+), 8 deletions(-) diff --git a/ChangeLog.d/issue4286.txt b/ChangeLog.d/issue4286.txt index 813b2ecfba..427b37ccc9 100644 --- a/ChangeLog.d/issue4286.txt +++ b/ChangeLog.d/issue4286.txt @@ -1,11 +1,14 @@ Removals - * Remove the TLS 1.0, TLS 1.1 and DTLS 1.0 support by removing the following - library constants: MBEDTLS_SSL_PROTO_TLS1, - MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING, + * Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for + CBC record splitting, fallback SCSV, and the ability to configure + ciphersuites per version, which are no longer relevant. This removes the + following public constants: MBEDTLS_SSL_PROTO_TLS1, + MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_MINOR_VERSION_1, + MBEDTLS_SSL_MINOR_VERSION_2, MBEDTLS_SSL_CBC_RECORD_SPLITTING, MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED, MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED, MBEDTLS_SSL_FALLBACK_SCSV, MBEDTLS_SSL_FALLBACK_SCSV_VALUE, - MBEDTLS_SSL_IS_FALLBACK, MBEDTLS_SSL_IS_NOT_FALLBACK, and functions: + MBEDTLS_SSL_IS_FALLBACK, MBEDTLS_SSL_IS_NOT_FALLBACK; and functions: mbedtls_ssl_conf_cbc_record_splitting(), - mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(). - Fixes #4286. + mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(), + mbedtls_ssl_conf_ciphersuites_for_version(). Fixes #4286. diff --git a/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md index 4beebe240d..b1afe64eb4 100644 --- a/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md +++ b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md @@ -3,9 +3,25 @@ Remove suport for TLS 1.0, 1.1 and DTLS 1.0 This change affects users of the TLS 1.0, 1.1 and DTLS 1.0 protocols. -The versions of (D)TLS that are being removed are not as secure as the latest -versions. Keeping them in the library creates opportunities for misconfiguration +These versions have been deprecated by RFC 8996. +Keeping them in the library creates opportunities for misconfiguration and possibly downgrade attacks. More generally, more code means a larger attack surface, even if the code is supposedly not used. The migration path is to adopt the latest versions of the protocol. + +As a consequence of removing 1.0, support for CBC record splitting was also +removed, as it was a work-around for a weakness in this particular version. +There is no migration path is no longer makes sense with newer versions. + +As a consequence of currently supporting only one version of (D)TLS (and in the +future 1.3 which will have a different version negociation mechanism), support +for fallback SCSV (RFC 7507) was also removed. There is no migration path as +it's no longer useful with TLS 1.2 and later. + +As a consequence of currently supporting only one version of (D)TLS (and in the +future 1.3 which will have a different concept of ciphersuites), support for +configuring ciphersuites separately for each version via +`mbedtls_ssl_conf_ciphersuites_for_version()` was removed. Use +`mbedtls_ssl_conf_ciphersuites()` to configure ciphersuites to use with (D)TLS +1.2; in the future a different API will be added for (D)TLS 1.3. From 13a977667652ec3a7a3e9ad45b9e6bad09b2539b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 7 Jun 2021 12:00:04 +0200 Subject: [PATCH 089/131] Editorial improvements MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/issue4286.txt | 12 ++++-------- .../remove_support_for_tls_1.0_1.1_and_dtls_1.0.md | 6 +++--- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/ChangeLog.d/issue4286.txt b/ChangeLog.d/issue4286.txt index 427b37ccc9..75d2f0928f 100644 --- a/ChangeLog.d/issue4286.txt +++ b/ChangeLog.d/issue4286.txt @@ -2,13 +2,9 @@ Removals * Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for CBC record splitting, fallback SCSV, and the ability to configure ciphersuites per version, which are no longer relevant. This removes the - following public constants: MBEDTLS_SSL_PROTO_TLS1, - MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_MINOR_VERSION_1, - MBEDTLS_SSL_MINOR_VERSION_2, MBEDTLS_SSL_CBC_RECORD_SPLITTING, - MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED, - MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED, - MBEDTLS_SSL_FALLBACK_SCSV, MBEDTLS_SSL_FALLBACK_SCSV_VALUE, - MBEDTLS_SSL_IS_FALLBACK, MBEDTLS_SSL_IS_NOT_FALLBACK; and functions: + configuration options MBEDTLS_SSL_PROTO_TLS1, + MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING and + MBEDTLS_SSL_FALLBACK_SCSV as well as the functions mbedtls_ssl_conf_cbc_record_splitting(), mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(), - mbedtls_ssl_conf_ciphersuites_for_version(). Fixes #4286. + and mbedtls_ssl_conf_ciphersuites_for_version(). Fixes #4286. diff --git a/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md index b1afe64eb4..73d621f781 100644 --- a/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md +++ b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md @@ -10,9 +10,9 @@ surface, even if the code is supposedly not used. The migration path is to adopt the latest versions of the protocol. -As a consequence of removing 1.0, support for CBC record splitting was also -removed, as it was a work-around for a weakness in this particular version. -There is no migration path is no longer makes sense with newer versions. +As a consequence of removing TLS 1.0, support for CBC record splitting was +also removed, as it was a work-around for a weakness in this particular +version. There is no migration path since the feature is no longer relevant. As a consequence of currently supporting only one version of (D)TLS (and in the future 1.3 which will have a different version negociation mechanism), support From 442fdc22eac7ae24c507543529a887ec33482165 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Mon, 7 Jun 2021 13:52:23 +0200 Subject: [PATCH 090/131] Remove MBEDTLS_X509_CHECK_*_KEY_USAGE options but enable the code Signed-off-by: TRodziewicz --- ChangeLog.d/issue4405.txt | 4 +++ configs/config-no-entropy.h | 2 -- ..._MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md | 20 ++++++++++++++ include/mbedtls/config.h | 27 ------------------- include/mbedtls/x509_crt.h | 4 --- library/ssl_tls.c | 17 ------------ library/x509_crt.c | 8 ------ tests/suites/test_suite_x509parse.data | 6 ++--- tests/suites/test_suite_x509parse.function | 4 +-- 9 files changed, 29 insertions(+), 63 deletions(-) create mode 100644 ChangeLog.d/issue4405.txt create mode 100644 docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md diff --git a/ChangeLog.d/issue4405.txt b/ChangeLog.d/issue4405.txt new file mode 100644 index 0000000000..c36aefa154 --- /dev/null +++ b/ChangeLog.d/issue4405.txt @@ -0,0 +1,4 @@ +Removals + * Remove the MBEDTLS_X509_CHECK_KEY_USAGE and + MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code + behave as if they were always enabled. Fixes #4405. diff --git a/configs/config-no-entropy.h b/configs/config-no-entropy.h index 09b3cf5e0a..7ca33c3816 100644 --- a/configs/config-no-entropy.h +++ b/configs/config-no-entropy.h @@ -49,8 +49,6 @@ #define MBEDTLS_PKCS1_V21 #define MBEDTLS_SELF_TEST #define MBEDTLS_VERSION_FEATURES -#define MBEDTLS_X509_CHECK_KEY_USAGE -#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE /* mbed TLS modules */ #define MBEDTLS_AES_C diff --git a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md new file mode 100644 index 0000000000..348fe32f71 --- /dev/null +++ b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md @@ -0,0 +1,20 @@ +Remove `MBEDTLS_X509_CHECK_*_KEY_USAGE` options from `config.h` +-- + +This change affects users who have chosen the compilation time options to disable +the library's verification of the `keyUsage` and `extendedKeyUsage` fields of an x509 +certificate. + +The change is to remove MBEDTLS_X509_CHECK_KEY_USAGE and +MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE from the configuration. + +After the change the options are removed and the compilation is done in a way that +the verification of the key usage fields is allways enabled by default. + +This verification is an important step and disabling it can cause security issues. +If the verification is for some reason undesirable it can still be disabled at +a runtime with even more flexibility by using the callback parameter in +`mbedtls_x509_crt_verify()`. + +For example the user can disable the verification by using the callback which +clears the corresponding flags when they've been set. diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 9cce3cd8ed..42f9867acb 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1910,33 +1910,6 @@ */ //#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -/** - * \def MBEDTLS_X509_CHECK_KEY_USAGE - * - * Enable verification of the keyUsage extension (CA and leaf certificates). - * - * Disabling this avoids problems with mis-issued and/or misused - * (intermediate) CA and leaf certificates. - * - * \warning Depending on your PKI use, disabling this can be a security risk! - * - * Comment to skip keyUsage checking for both CA and leaf certificates. - */ -#define MBEDTLS_X509_CHECK_KEY_USAGE - -/** - * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE - * - * Enable verification of the extendedKeyUsage extension (leaf certificates). - * - * Disabling this avoids problems with mis-issued and/or misused certificates. - * - * \warning Depending on your PKI use, disabling this can be a security risk! - * - * Comment to skip extendedKeyUsage checking for certificates. - */ -#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE - /** * \def MBEDTLS_X509_REMOVE_INFO * diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 23a20d10be..18b03738c6 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -827,7 +827,6 @@ int mbedtls_x509_crt_verify_with_ca_cb( mbedtls_x509_crt *crt, #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ -#if defined(MBEDTLS_X509_CHECK_KEY_USAGE) /** * \brief Check usage of certificate against keyUsage extension. * @@ -851,9 +850,7 @@ int mbedtls_x509_crt_verify_with_ca_cb( mbedtls_x509_crt *crt, */ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, unsigned int usage ); -#endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */ -#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) /** * \brief Check usage of certificate against extendedKeyUsage. * @@ -870,7 +867,6 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len ); -#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ #if defined(MBEDTLS_X509_CRL_PARSE_C) /** diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 9b8c05f761..b9666e9b0e 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6526,22 +6526,10 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, uint32_t *flags ) { int ret = 0; -#if defined(MBEDTLS_X509_CHECK_KEY_USAGE) int usage = 0; -#endif -#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) const char *ext_oid; size_t ext_len; -#endif -#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \ - !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) - ((void) cert); - ((void) cert_endpoint); - ((void) flags); -#endif - -#if defined(MBEDTLS_X509_CHECK_KEY_USAGE) if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) { /* Server part of the key exchange */ @@ -6583,11 +6571,7 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; ret = -1; } -#else - ((void) ciphersuite); -#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */ -#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) { ext_oid = MBEDTLS_OID_SERVER_AUTH; @@ -6604,7 +6588,6 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; ret = -1; } -#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ return( ret ); } diff --git a/library/x509_crt.c b/library/x509_crt.c index 8387de618b..2cc3381d18 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2238,7 +2238,6 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, } #endif /* MBEDTLS_X509_REMOVE_INFO */ -#if defined(MBEDTLS_X509_CHECK_KEY_USAGE) int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, unsigned int usage ) { @@ -2261,9 +2260,7 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, return( 0 ); } -#endif -#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len ) @@ -2293,7 +2290,6 @@ int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); } -#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ #if defined(MBEDTLS_X509_CRL_PARSE_C) /* @@ -2344,14 +2340,12 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, /* * Check if the CA is configured to sign CRLs */ -#if defined(MBEDTLS_X509_CHECK_KEY_USAGE) if( mbedtls_x509_crt_check_key_usage( ca, MBEDTLS_X509_KU_CRL_SIGN ) != 0 ) { flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; break; } -#endif /* * Check if CRL is correctly signed by the trusted CA @@ -2488,13 +2482,11 @@ static int x509_crt_check_parent( const mbedtls_x509_crt *child, if( need_ca_bit && ! parent->ca_istrue ) return( -1 ); -#if defined(MBEDTLS_X509_CHECK_KEY_USAGE) if( need_ca_bit && mbedtls_x509_crt_check_key_usage( parent, MBEDTLS_X509_KU_KEY_CERT_SIGN ) != 0 ) { return( -1 ); } -#endif return( 0 ); } diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 59acc667a1..d9611e5daa 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -720,7 +720,7 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_S x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #53 (CA keyUsage missing cRLSign) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_X509_CHECK_KEY_USAGE:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #54 (CA keyUsage missing cRLSign, no CRL) @@ -728,11 +728,11 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_S x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #55 (CA keyUsage missing keyCertSign) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_X509_CHECK_KEY_USAGE:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #56 (CA keyUsage plain wrong) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_X509_CHECK_KEY_USAGE:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #57 (Valid, RSASSA-PSS, SHA-1) diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index a6361d83a8..fea02f362c 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -1173,7 +1173,7 @@ void x509_oid_numstr( data_t * oid_buf, char * numstr, int blen, int ret ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CHECK_KEY_USAGE */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ void x509_check_key_usage( char * crt_file, int usage, int ret ) { mbedtls_x509_crt crt; @@ -1189,7 +1189,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ void x509_check_extended_key_usage( char * crt_file, data_t * oid, int ret ) { From 34428a6849e50728ed782094fb5f463db42b533a Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Mon, 7 Jun 2021 15:33:15 +0200 Subject: [PATCH 091/131] Remove duplicated ASSERT_ALLOC define Signed-off-by: TRodziewicz --- tests/include/test/macros.h | 32 -------------------------------- 1 file changed, 32 deletions(-) diff --git a/tests/include/test/macros.h b/tests/include/test/macros.h index df961aa049..87e86d38e5 100644 --- a/tests/include/test/macros.h +++ b/tests/include/test/macros.h @@ -174,38 +174,6 @@ } \ } while( 0 ) -/** Allocate memory dynamically and fail the test case if this fails. - * - * You must set \p pointer to \c NULL before calling this macro and - * put `mbedtls_free( pointer )` in the test's cleanup code. - * - * If \p length is zero, the resulting \p pointer will be \c NULL. - * This is usually what we want in tests since API functions are - * supposed to accept null pointers when a buffer size is zero. - * - * This macro expands to an instruction, not an expression. - * It may jump to the \c exit label. - * - * \param pointer An lvalue where the address of the allocated buffer - * will be stored. - * This expression may be evaluated multiple times. - * \param length Number of elements to allocate. - * This expression may be evaluated multiple times. - * - */ -#define ASSERT_ALLOC( pointer, length ) \ - do \ - { \ - TEST_ASSERT( ( pointer ) == NULL ); \ - if( ( length ) != 0 ) \ - { \ - ( pointer ) = mbedtls_calloc( sizeof( *( pointer ) ), \ - ( length ) ); \ - TEST_ASSERT( ( pointer ) != NULL ); \ - } \ - } \ - while( 0 ) - #define TEST_HELPER_ASSERT(a) if( !( a ) ) \ { \ mbedtls_fprintf( stderr, "Assertion Failed at %s:%d - %s\n", \ From d1a8cd5169d81308be85320ad39c80ea810970a7 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 7 Jun 2021 20:42:40 +0200 Subject: [PATCH 092/131] Minor clarifications Signed-off-by: Gilles Peskine --- BRANCHES.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/BRANCHES.md b/BRANCHES.md index dbdc1738e4..d9de6957d7 100644 --- a/BRANCHES.md +++ b/BRANCHES.md @@ -28,7 +28,7 @@ undocumented features, then you should be able to re-compile it without modification with any later release x.y'.z' with the same major version number, and your code will still build, be secure, and work. -Note that new releases of Mbed TLS may extend the API. Here are some example of changes that are common in minor releases of Mbed TLS, and are not considered compatibility breaks: +Note that new releases of Mbed TLS may extend the API. Here are some example of changes that are common in minor releases of Mbed TLS, and are not considered API compatibility breaks: * Adding or reordering fields in a structure or union. * Removing a field from a structure, unless the field is documented as public. @@ -37,11 +37,11 @@ Note that new releases of Mbed TLS may extend the API. Here are some example of * Changing which error code is returned in a case where multiple error conditions apply. * Changing the behavior of a function from failing to succeeding, when the change is a reasonable extension of the current behavior, i.e. the addition of a new feature. -There are rare exceptions: code that was relying on something that became -insecure in the meantime (for example, crypto that was found to be weak) may -need to be changed. In case security comes in conflict with backwards -compatibility, we will put security first, but always attempt to provide a -compatibility option. +There are rare exceptions where we break API compatibility: code that was +relying on something that became insecure in the meantime (for example, +crypto that was found to be weak) may need to be changed. In case security +comes in conflict with backwards compatibility, we will put security first, +but always attempt to provide a compatibility option. For the LTS branches, additionally we try very hard to also maintain ABI compatibility (same definition as API except with re-linking instead of From 87d36e311bd043ce4170f31c94803fc05b4c312b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 7 Jun 2021 20:42:50 +0200 Subject: [PATCH 093/131] Add a section heading for LTS branches Signed-off-by: Gilles Peskine --- BRANCHES.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/BRANCHES.md b/BRANCHES.md index d9de6957d7..a758d08b34 100644 --- a/BRANCHES.md +++ b/BRANCHES.md @@ -28,7 +28,7 @@ undocumented features, then you should be able to re-compile it without modification with any later release x.y'.z' with the same major version number, and your code will still build, be secure, and work. -Note that new releases of Mbed TLS may extend the API. Here are some example of changes that are common in minor releases of Mbed TLS, and are not considered API compatibility breaks: +Note that new releases of Mbed TLS may extend the API. Here are some examples of changes that are common in minor releases of Mbed TLS, and are not considered API compatibility breaks: * Adding or reordering fields in a structure or union. * Removing a field from a structure, unless the field is documented as public. @@ -43,6 +43,8 @@ crypto that was found to be weak) may need to be changed. In case security comes in conflict with backwards compatibility, we will put security first, but always attempt to provide a compatibility option. +## Long-time support branches + For the LTS branches, additionally we try very hard to also maintain ABI compatibility (same definition as API except with re-linking instead of re-compiling) and to avoid any increase in code size or RAM usage, or in the From df3b86343ac80a4874878c28108c88a157a8c076 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Jun 2021 05:30:45 +0100 Subject: [PATCH 094/131] Fixup rebase slip in library/ssl_misc.h Signed-off-by: Hanno Becker --- library/ssl_misc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index ecbeb8ba8c..7fd5686bd6 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -289,7 +289,7 @@ size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl ); /** * \brief Return the maximum fragment length (payload, in bytes) for * the input buffer. This is the negotiated maximum fragment - * length, or, if there is none, MBEDTLS_SSL_MAX_CONTENT_LEN. + * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN. * If it is not defined either, the value is 2^14. This function * works as its predecessor, \c mbedtls_ssl_get_max_frag_len(). * From 59d3670fa557f5ed564b631e4299138a8bbf4e78 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Jun 2021 05:35:29 +0100 Subject: [PATCH 095/131] Fix ssl-opt.sh test cases grepping for MFL configuration output Use and grep for the new max in/out record payload length API instead. Signed-off-by: Hanno Becker --- programs/ssl/ssl_client2.c | 7 ++ programs/ssl/ssl_server2.c | 7 ++ tests/ssl-opt.sh | 188 ++++++++++++++++++------------------- 3 files changed, 108 insertions(+), 94 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 3cbf130003..6e9955ccf8 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2083,6 +2083,13 @@ int main( int argc, char *argv[] ) else mbedtls_printf( " [ Record expansion is unknown ]\n" ); +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + mbedtls_printf( " [ Maximum incoming record payload length is %u ]\n", + (unsigned int) mbedtls_ssl_get_max_in_record_payload( &ssl ) ); + mbedtls_printf( " [ Maximum outgoing record payload length is %u ]\n", + (unsigned int) mbedtls_ssl_get_max_out_record_payload( &ssl ) ); +#endif + #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 1ec8f09f77..914286cfc5 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -3164,6 +3164,13 @@ handshake: else mbedtls_printf( " [ Record expansion is unknown ]\n" ); +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + mbedtls_printf( " [ Maximum incoming record payload length is %u ]\n", + (unsigned int) mbedtls_ssl_get_max_in_record_payload( &ssl ) ); + mbedtls_printf( " [ Maximum outgoing record payload length is %u ]\n", + (unsigned int) mbedtls_ssl_get_max_out_record_payload( &ssl ) ); +#endif + #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 1041c87d4f..a42ff73aca 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3033,10 +3033,10 @@ run_test "Max fragment length: enabled, default" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ 0 \ - -c "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -c "Maximum output fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum output fragment length is $MAX_CONTENT_LEN" \ + -c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -c "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \ -C "client hello, adding max_fragment_length extension" \ -S "found max fragment length extension" \ -S "server hello, max_fragment_length extension" \ @@ -3047,10 +3047,10 @@ run_test "Max fragment length: enabled, default, larger message" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \ 0 \ - -c "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -c "Maximum output fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum output fragment length is $MAX_CONTENT_LEN" \ + -c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -c "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \ -C "client hello, adding max_fragment_length extension" \ -S "found max fragment length extension" \ -S "server hello, max_fragment_length extension" \ @@ -3064,10 +3064,10 @@ run_test "Max fragment length, DTLS: enabled, default, larger message" \ "$P_SRV debug_level=3 dtls=1" \ "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \ 1 \ - -c "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -c "Maximum output fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum output fragment length is $MAX_CONTENT_LEN" \ + -c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -c "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \ -C "client hello, adding max_fragment_length extension" \ -S "found max fragment length extension" \ -S "server hello, max_fragment_length extension" \ @@ -3083,10 +3083,10 @@ run_test "Max fragment length: disabled, larger message" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \ 0 \ - -C "Maximum input fragment length is 16384" \ - -C "Maximum output fragment length is 16384" \ - -S "Maximum input fragment length is 16384" \ - -S "Maximum output fragment length is 16384" \ + -C "Maximum incoming record payload length is 16384" \ + -C "Maximum outgoing record payload length is 16384" \ + -S "Maximum incoming record payload length is 16384" \ + -S "Maximum outgoing record payload length is 16384" \ -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \ -s "$MAX_CONTENT_LEN bytes read" \ -s "1 bytes read" @@ -3096,10 +3096,10 @@ run_test "Max fragment length DTLS: disabled, larger message" \ "$P_SRV debug_level=3 dtls=1" \ "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \ 1 \ - -C "Maximum input fragment length is 16384" \ - -C "Maximum output fragment length is 16384" \ - -S "Maximum input fragment length is 16384" \ - -S "Maximum output fragment length is 16384" \ + -C "Maximum incoming record payload length is 16384" \ + -C "Maximum outgoing record payload length is 16384" \ + -S "Maximum incoming record payload length is 16384" \ + -S "Maximum outgoing record payload length is 16384" \ -c "fragment larger than.*maximum " requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH @@ -3107,10 +3107,10 @@ run_test "Max fragment length: used by client" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=4096" \ 0 \ - -c "Maximum input fragment length is 4096" \ - -c "Maximum output fragment length is 4096" \ - -s "Maximum input fragment length is 4096" \ - -s "Maximum output fragment length is 4096" \ + -c "Maximum incoming record payload length is 4096" \ + -c "Maximum outgoing record payload length is 4096" \ + -s "Maximum incoming record payload length is 4096" \ + -s "Maximum outgoing record payload length is 4096" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3121,10 +3121,10 @@ run_test "Max fragment length: client 512, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ "$P_CLI debug_level=3 max_frag_len=512" \ 0 \ - -c "Maximum input fragment length is 512" \ - -c "Maximum output fragment length is 512" \ - -s "Maximum input fragment length is 512" \ - -s "Maximum output fragment length is 512" \ + -c "Maximum incoming record payload length is 512" \ + -c "Maximum outgoing record payload length is 512" \ + -s "Maximum incoming record payload length is 512" \ + -s "Maximum outgoing record payload length is 512" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3135,10 +3135,10 @@ run_test "Max fragment length: client 512, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ "$P_CLI debug_level=3 max_frag_len=512" \ 0 \ - -c "Maximum input fragment length is 512" \ - -c "Maximum output fragment length is 512" \ - -s "Maximum input fragment length is 512" \ - -s "Maximum output fragment length is 512" \ + -c "Maximum incoming record payload length is 512" \ + -c "Maximum outgoing record payload length is 512" \ + -s "Maximum incoming record payload length is 512" \ + -s "Maximum outgoing record payload length is 512" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3149,10 +3149,10 @@ run_test "Max fragment length: client 512, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3 max_frag_len=512" \ 0 \ - -c "Maximum input fragment length is 512" \ - -c "Maximum output fragment length is 512" \ - -s "Maximum input fragment length is 512" \ - -s "Maximum output fragment length is 512" \ + -c "Maximum incoming record payload length is 512" \ + -c "Maximum outgoing record payload length is 512" \ + -s "Maximum incoming record payload length is 512" \ + -s "Maximum outgoing record payload length is 512" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3163,10 +3163,10 @@ run_test "Max fragment length: client 1024, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ "$P_CLI debug_level=3 max_frag_len=1024" \ 0 \ - -c "Maximum input fragment length is 1024" \ - -c "Maximum output fragment length is 1024" \ - -s "Maximum input fragment length is 1024" \ - -s "Maximum output fragment length is 512" \ + -c "Maximum incoming record payload length is 1024" \ + -c "Maximum outgoing record payload length is 1024" \ + -s "Maximum incoming record payload length is 1024" \ + -s "Maximum outgoing record payload length is 512" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3177,10 +3177,10 @@ run_test "Max fragment length: client 1024, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ "$P_CLI debug_level=3 max_frag_len=1024" \ 0 \ - -c "Maximum input fragment length is 1024" \ - -c "Maximum output fragment length is 1024" \ - -s "Maximum input fragment length is 1024" \ - -s "Maximum output fragment length is 1024" \ + -c "Maximum incoming record payload length is 1024" \ + -c "Maximum outgoing record payload length is 1024" \ + -s "Maximum incoming record payload length is 1024" \ + -s "Maximum outgoing record payload length is 1024" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3191,10 +3191,10 @@ run_test "Max fragment length: client 1024, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3 max_frag_len=1024" \ 0 \ - -c "Maximum input fragment length is 1024" \ - -c "Maximum output fragment length is 1024" \ - -s "Maximum input fragment length is 1024" \ - -s "Maximum output fragment length is 1024" \ + -c "Maximum incoming record payload length is 1024" \ + -c "Maximum outgoing record payload length is 1024" \ + -s "Maximum incoming record payload length is 1024" \ + -s "Maximum outgoing record payload length is 1024" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3205,10 +3205,10 @@ run_test "Max fragment length: client 2048, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ "$P_CLI debug_level=3 max_frag_len=2048" \ 0 \ - -c "Maximum input fragment length is 2048" \ - -c "Maximum output fragment length is 2048" \ - -s "Maximum input fragment length is 2048" \ - -s "Maximum output fragment length is 512" \ + -c "Maximum incoming record payload length is 2048" \ + -c "Maximum outgoing record payload length is 2048" \ + -s "Maximum incoming record payload length is 2048" \ + -s "Maximum outgoing record payload length is 512" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3219,10 +3219,10 @@ run_test "Max fragment length: client 2048, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ "$P_CLI debug_level=3 max_frag_len=2048" \ 0 \ - -c "Maximum input fragment length is 2048" \ - -c "Maximum output fragment length is 2048" \ - -s "Maximum input fragment length is 2048" \ - -s "Maximum output fragment length is 1024" \ + -c "Maximum incoming record payload length is 2048" \ + -c "Maximum outgoing record payload length is 2048" \ + -s "Maximum incoming record payload length is 2048" \ + -s "Maximum outgoing record payload length is 1024" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3233,10 +3233,10 @@ run_test "Max fragment length: client 2048, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3 max_frag_len=2048" \ 0 \ - -c "Maximum input fragment length is 2048" \ - -c "Maximum output fragment length is 2048" \ - -s "Maximum input fragment length is 2048" \ - -s "Maximum output fragment length is 2048" \ + -c "Maximum incoming record payload length is 2048" \ + -c "Maximum outgoing record payload length is 2048" \ + -s "Maximum incoming record payload length is 2048" \ + -s "Maximum outgoing record payload length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3247,10 +3247,10 @@ run_test "Max fragment length: client 4096, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ "$P_CLI debug_level=3 max_frag_len=4096" \ 0 \ - -c "Maximum input fragment length is 4096" \ - -c "Maximum output fragment length is 4096" \ - -s "Maximum input fragment length is 4096" \ - -s "Maximum output fragment length is 512" \ + -c "Maximum incoming record payload length is 4096" \ + -c "Maximum outgoing record payload length is 4096" \ + -s "Maximum incoming record payload length is 4096" \ + -s "Maximum outgoing record payload length is 512" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3261,10 +3261,10 @@ run_test "Max fragment length: client 4096, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ "$P_CLI debug_level=3 max_frag_len=4096" \ 0 \ - -c "Maximum input fragment length is 4096" \ - -c "Maximum output fragment length is 4096" \ - -s "Maximum input fragment length is 4096" \ - -s "Maximum output fragment length is 1024" \ + -c "Maximum incoming record payload length is 4096" \ + -c "Maximum outgoing record payload length is 4096" \ + -s "Maximum incoming record payload length is 4096" \ + -s "Maximum outgoing record payload length is 1024" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3275,10 +3275,10 @@ run_test "Max fragment length: client 4096, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ "$P_CLI debug_level=3 max_frag_len=4096" \ 0 \ - -c "Maximum input fragment length is 4096" \ - -c "Maximum output fragment length is 4096" \ - -s "Maximum input fragment length is 4096" \ - -s "Maximum output fragment length is 2048" \ + -c "Maximum incoming record payload length is 4096" \ + -c "Maximum outgoing record payload length is 4096" \ + -s "Maximum incoming record payload length is 4096" \ + -s "Maximum outgoing record payload length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3289,10 +3289,10 @@ run_test "Max fragment length: used by server" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3" \ 0 \ - -c "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -c "Maximum output fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum output fragment length is 4096" \ + -c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -c "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum outgoing record payload length is 4096" \ -C "client hello, adding max_fragment_length extension" \ -S "found max fragment length extension" \ -S "server hello, max_fragment_length extension" \ @@ -3304,8 +3304,8 @@ run_test "Max fragment length: gnutls server" \ "$G_SRV" \ "$P_CLI debug_level=3 max_frag_len=4096" \ 0 \ - -c "Maximum input fragment length is 4096" \ - -c "Maximum output fragment length is 4096" \ + -c "Maximum incoming record payload length is 4096" \ + -c "Maximum outgoing record payload length is 4096" \ -c "client hello, adding max_fragment_length extension" \ -c "found max_fragment_length extension" @@ -3314,10 +3314,10 @@ run_test "Max fragment length: client, message just fits" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \ 0 \ - -c "Maximum input fragment length is 2048" \ - -c "Maximum output fragment length is 2048" \ - -s "Maximum input fragment length is 2048" \ - -s "Maximum output fragment length is 2048" \ + -c "Maximum incoming record payload length is 2048" \ + -c "Maximum outgoing record payload length is 2048" \ + -s "Maximum incoming record payload length is 2048" \ + -s "Maximum outgoing record payload length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3330,10 +3330,10 @@ run_test "Max fragment length: client, larger message" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \ 0 \ - -c "Maximum input fragment length is 2048" \ - -c "Maximum output fragment length is 2048" \ - -s "Maximum input fragment length is 2048" \ - -s "Maximum output fragment length is 2048" \ + -c "Maximum incoming record payload length is 2048" \ + -c "Maximum outgoing record payload length is 2048" \ + -s "Maximum incoming record payload length is 2048" \ + -s "Maximum outgoing record payload length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3347,10 +3347,10 @@ run_test "Max fragment length: DTLS client, larger message" \ "$P_SRV debug_level=3 dtls=1" \ "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \ 1 \ - -c "Maximum input fragment length is 2048" \ - -c "Maximum output fragment length is 2048" \ - -s "Maximum input fragment length is 2048" \ - -s "Maximum output fragment length is 2048" \ + -c "Maximum incoming record payload length is 2048" \ + -c "Maximum outgoing record payload length is 2048" \ + -s "Maximum incoming record payload length is 2048" \ + -s "Maximum outgoing record payload length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3457,10 +3457,10 @@ run_test "Renegotiation with max fragment length: client 2048, server 512" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1 max_frag_len=512" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 max_frag_len=2048 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ 0 \ - -c "Maximum input fragment length is 2048" \ - -c "Maximum output fragment length is 2048" \ - -s "Maximum input fragment length is 2048" \ - -s "Maximum output fragment length is 512" \ + -c "Maximum incoming record payload length is 2048" \ + -c "Maximum outgoing record payload length is 2048" \ + -s "Maximum incoming record payload length is 2048" \ + -s "Maximum outgoing record payload length is 512" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ From 61f292ea0a4b2e4388f69a80661ba8b22a547152 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Jun 2021 07:50:55 +0100 Subject: [PATCH 096/131] Fix migration guide for now-removed deprecated functions Signed-off-by: Hanno Becker --- .../remove_deprecated_functions_and_constants.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/3.0-migration-guide.d/remove_deprecated_functions_and_constants.md b/docs/3.0-migration-guide.d/remove_deprecated_functions_and_constants.md index b18b3109d8..31c2ce8621 100644 --- a/docs/3.0-migration-guide.d/remove_deprecated_functions_and_constants.md +++ b/docs/3.0-migration-guide.d/remove_deprecated_functions_and_constants.md @@ -50,7 +50,9 @@ The function `mbedtls_ssl_conf_dh_param()` was removed. Please use `mbedtls_ssl_conf_dh_param_bin()` or `mbedtls_ssl_conf_dh_param_ctx()` instead. The function `mbedtls_ssl_get_max_frag_len()` was removed. Please use -`mbedtls_ssl_get_output_max_frag_len()` instead. +`mbedtls_ssl_get_max_out_record_payload()` and +`mbedtls_ssl_get_max_in_record_payload()` +instead. Deprecated hex-encoded primes were removed from DHM --------------------------------------------------- From 6dd92c3f6b2c3e2dc28d966607560b260a491e27 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 7 Jun 2021 20:44:47 +0200 Subject: [PATCH 097/131] Wrap lines in the source to <80 columns Signed-off-by: Gilles Peskine --- BRANCHES.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/BRANCHES.md b/BRANCHES.md index a758d08b34..df30ae1004 100644 --- a/BRANCHES.md +++ b/BRANCHES.md @@ -28,14 +28,20 @@ undocumented features, then you should be able to re-compile it without modification with any later release x.y'.z' with the same major version number, and your code will still build, be secure, and work. -Note that new releases of Mbed TLS may extend the API. Here are some examples of changes that are common in minor releases of Mbed TLS, and are not considered API compatibility breaks: +Note that new releases of Mbed TLS may extend the API. Here are some +examples of changes that are common in minor releases of Mbed TLS, and are +not considered API compatibility breaks: * Adding or reordering fields in a structure or union. * Removing a field from a structure, unless the field is documented as public. * Adding items to an enum. -* Returning an error code that was not previously documented for a function when a new error condition arises. -* Changing which error code is returned in a case where multiple error conditions apply. -* Changing the behavior of a function from failing to succeeding, when the change is a reasonable extension of the current behavior, i.e. the addition of a new feature. +* Returning an error code that was not previously documented for a function + when a new error condition arises. +* Changing which error code is returned in a case where multiple error + conditions apply. +* Changing the behavior of a function from failing to succeeding, when the + change is a reasonable extension of the current behavior, i.e. the + addition of a new feature. There are rare exceptions where we break API compatibility: code that was relying on something that became insecure in the meantime (for example, From ea7631be1c797f8b6363c44535aba7df0c348795 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 3 Jun 2021 18:51:59 +0200 Subject: [PATCH 098/131] Change mbedtls_rsa_set_padding() signature mbedtls_rsa_set_padding() now returns the error code MBEDTLS_ERR_RSA_INVALID_PADDING when padding parameters are invalid. Signed-off-by: Ronald Cron --- include/mbedtls/rsa.h | 10 +++- library/psa_crypto.c | 19 ++++++-- library/psa_crypto_rsa.c | 73 ++++++++++++++++------------ library/rsa.c | 22 +++++++-- programs/pkey/rsa_sign_pss.c | 8 ++- programs/pkey/rsa_verify_pss.c | 8 ++- tests/suites/test_suite_rsa.data | 3 ++ tests/suites/test_suite_rsa.function | 24 +++++++++ 8 files changed, 123 insertions(+), 44 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index ba00bff31b..eeb846e285 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -399,9 +399,15 @@ int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx, * \param padding The padding mode to use. This must be either * #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. * \param hash_id The #MBEDTLS_RSA_PKCS_V21 hash identifier. + * #MBEDTLS_MD_NONE is accepted by this function but may be + * not suitable for some operations. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure: + * \p padding or \p hash_id is invalid. */ -void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, - int hash_id ); +int mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, + mbedtls_md_type_t hash_id ); /** * \brief This function retrieves the length of RSA modulus in Bytes. diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 214c405b30..7921eb2313 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -2838,13 +2838,14 @@ psa_status_t psa_verify_hash( mbedtls_svc_key_id_t key, } #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) -static void psa_rsa_oaep_set_padding_mode( psa_algorithm_t alg, - mbedtls_rsa_context *rsa ) +static int psa_rsa_oaep_set_padding_mode( psa_algorithm_t alg, + mbedtls_rsa_context *rsa ) { psa_algorithm_t hash_alg = PSA_ALG_RSA_OAEP_GET_HASH( alg ); const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg ); mbedtls_md_type_t md_alg = mbedtls_md_get_type( md_info ); - mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ); + + return( mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ) ); } #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */ @@ -2917,7 +2918,11 @@ psa_status_t psa_asymmetric_encrypt( mbedtls_svc_key_id_t key, #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) if( PSA_ALG_IS_RSA_OAEP( alg ) ) { - psa_rsa_oaep_set_padding_mode( alg, rsa ); + status = mbedtls_to_psa_error( + psa_rsa_oaep_set_padding_mode( alg, rsa ) ); + if( status != PSA_SUCCESS ) + goto rsa_exit; + status = mbedtls_to_psa_error( mbedtls_rsa_rsaes_oaep_encrypt( rsa, mbedtls_psa_get_random, @@ -3023,7 +3028,11 @@ psa_status_t psa_asymmetric_decrypt( mbedtls_svc_key_id_t key, #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) if( PSA_ALG_IS_RSA_OAEP( alg ) ) { - psa_rsa_oaep_set_padding_mode( alg, rsa ); + status = mbedtls_to_psa_error( + psa_rsa_oaep_set_padding_mode( alg, rsa ) ); + if( status != PSA_SUCCESS ) + goto rsa_exit; + status = mbedtls_to_psa_error( mbedtls_rsa_rsaes_oaep_decrypt( rsa, mbedtls_psa_get_random, diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index b5aec20031..33e22e7002 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -416,29 +416,36 @@ static psa_status_t rsa_sign_hash( #if defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) ) { - mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15, - MBEDTLS_MD_NONE ); - ret = mbedtls_rsa_pkcs1_sign( rsa, - mbedtls_psa_get_random, - MBEDTLS_PSA_RANDOM_STATE, - md_alg, - (unsigned int) hash_length, - hash, - signature ); + ret = mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15, + MBEDTLS_MD_NONE ); + if( ret == 0 ) + { + ret = mbedtls_rsa_pkcs1_sign( rsa, + mbedtls_psa_get_random, + MBEDTLS_PSA_RANDOM_STATE, + md_alg, + (unsigned int) hash_length, + hash, + signature ); + } } else #endif /* BUILTIN_ALG_RSA_PKCS1V15_SIGN */ #if defined(BUILTIN_ALG_RSA_PSS) if( PSA_ALG_IS_RSA_PSS( alg ) ) { - mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ); - ret = mbedtls_rsa_rsassa_pss_sign( rsa, - mbedtls_psa_get_random, - MBEDTLS_PSA_RANDOM_STATE, - MBEDTLS_MD_NONE, - (unsigned int) hash_length, - hash, - signature ); + ret = mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ); + + if( ret == 0 ) + { + ret = mbedtls_rsa_rsassa_pss_sign( rsa, + mbedtls_psa_get_random, + MBEDTLS_PSA_RANDOM_STATE, + MBEDTLS_MD_NONE, + (unsigned int) hash_length, + hash, + signature ); + } } else #endif /* BUILTIN_ALG_RSA_PSS */ @@ -489,25 +496,31 @@ static psa_status_t rsa_verify_hash( #if defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) ) { - mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15, - MBEDTLS_MD_NONE ); - ret = mbedtls_rsa_pkcs1_verify( rsa, - md_alg, - (unsigned int) hash_length, - hash, - signature ); + ret = mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15, + MBEDTLS_MD_NONE ); + if( ret == 0 ) + { + ret = mbedtls_rsa_pkcs1_verify( rsa, + md_alg, + (unsigned int) hash_length, + hash, + signature ); + } } else #endif /* BUILTIN_ALG_RSA_PKCS1V15_SIGN */ #if defined(BUILTIN_ALG_RSA_PSS) if( PSA_ALG_IS_RSA_PSS( alg ) ) { - mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ); - ret = mbedtls_rsa_rsassa_pss_verify( rsa, - MBEDTLS_MD_NONE, - (unsigned int) hash_length, - hash, - signature ); + ret = mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ); + if( ret == 0 ) + { + ret = mbedtls_rsa_rsassa_pss_verify( rsa, + MBEDTLS_MD_NONE, + (unsigned int) hash_length, + hash, + signature ); + } } else #endif /* BUILTIN_ALG_RSA_PSS */ diff --git a/library/rsa.c b/library/rsa.c index 36424bd193..5a1ae79bce 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -500,15 +500,27 @@ void mbedtls_rsa_init( mbedtls_rsa_context *ctx, /* * Set padding for an existing RSA context */ -void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, - int hash_id ) +int mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, + mbedtls_md_type_t hash_id ) { - RSA_VALIDATE( ctx != NULL ); - RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 || - padding == MBEDTLS_RSA_PKCS_V21 ); + if( ( padding != MBEDTLS_RSA_PKCS_V15 ) && + ( padding != MBEDTLS_RSA_PKCS_V21 ) ) + return( MBEDTLS_ERR_RSA_INVALID_PADDING ); + + if( ( padding == MBEDTLS_RSA_PKCS_V21 ) && + ( hash_id != MBEDTLS_MD_NONE ) ) + { + const mbedtls_md_info_t *md_info; + + md_info = mbedtls_md_info_from_type( hash_id ); + if( md_info == NULL ) + return( MBEDTLS_ERR_RSA_INVALID_PADDING ); + } ctx->padding = padding; ctx->hash_id = hash_id; + + return( 0 ); } /* diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c index 9d5053a560..e7fcf511a9 100644 --- a/programs/pkey/rsa_sign_pss.c +++ b/programs/pkey/rsa_sign_pss.c @@ -115,7 +115,13 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_rsa_set_padding( mbedtls_pk_rsa( pk ), MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256 ); + if( ( ret = mbedtls_rsa_set_padding( mbedtls_pk_rsa( pk ), + MBEDTLS_RSA_PKCS_V21, + MBEDTLS_MD_SHA256 ) ) != 0 ) + { + mbedtls_printf( " failed\n ! Invalid padding\n" ); + goto exit; + } /* * Compute the SHA-256 hash of the input file, diff --git a/programs/pkey/rsa_verify_pss.c b/programs/pkey/rsa_verify_pss.c index 81b0fd644e..527d799167 100644 --- a/programs/pkey/rsa_verify_pss.c +++ b/programs/pkey/rsa_verify_pss.c @@ -98,7 +98,13 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_rsa_set_padding( mbedtls_pk_rsa( pk ), MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256 ); + if( ( ret = mbedtls_rsa_set_padding( mbedtls_pk_rsa( pk ), + MBEDTLS_RSA_PKCS_V21, + MBEDTLS_MD_SHA256 ) ) != 0 ) + { + mbedtls_printf( " failed\n ! Invalid padding\n" ); + goto exit; + } /* * Extract the RSA signature from the file diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index 2512ef24c6..cc5a047790 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -1,3 +1,6 @@ +RSA parameter validation +rsa_invalid_param: + RSA init-free-free rsa_init_free:0 diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 9cf2fcf348..e057dfb19b 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -17,6 +17,30 @@ * END_DEPENDENCIES */ +/* BEGIN_CASE */ +void rsa_invalid_param( ) +{ + mbedtls_rsa_context ctx; + const int invalid_padding = 42; + const int invalid_hash_id = 0xff; + + mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE ); + + TEST_EQUAL( mbedtls_rsa_set_padding( &ctx, + invalid_padding, + MBEDTLS_MD_NONE ), + MBEDTLS_ERR_RSA_INVALID_PADDING ); + + TEST_EQUAL( mbedtls_rsa_set_padding( &ctx, + MBEDTLS_RSA_PKCS_V21, + invalid_hash_id ), + MBEDTLS_ERR_RSA_INVALID_PADDING ); + +exit: + mbedtls_rsa_free( &ctx ); +} +/* END_CASE */ + /* BEGIN_CASE */ void rsa_init_free( int reinit ) { From c1905a1c3debef865c6ecc19be121e4f205a13cb Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Sat, 5 Jun 2021 11:11:14 +0200 Subject: [PATCH 099/131] Change mbedtls_rsa_init() signature Remove padding parameters as mbedtls_rsa_init() cannot return an error code when padding parameters are invalid. Signed-off-by: Ronald Cron --- include/mbedtls/rsa.h | 56 +++++++++++----------- library/pk_wrap.c | 2 +- library/psa_crypto_rsa.c | 2 +- library/rsa.c | 11 ++--- programs/pkey/dh_client.c | 3 +- programs/pkey/dh_server.c | 3 +- programs/pkey/rsa_decrypt.c | 2 +- programs/pkey/rsa_encrypt.c | 2 +- programs/pkey/rsa_genkey.c | 2 +- programs/pkey/rsa_sign.c | 2 +- programs/pkey/rsa_verify.c | 2 +- programs/test/benchmark.c | 2 +- tests/suites/test_suite_pk.function | 2 +- tests/suites/test_suite_pkcs1_v15.function | 14 ++++-- tests/suites/test_suite_pkcs1_v21.function | 15 ++++-- tests/suites/test_suite_rsa.function | 53 +++++++++++--------- 16 files changed, 92 insertions(+), 81 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index eeb846e285..514484574e 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -134,33 +134,51 @@ mbedtls_rsa_context; /** * \brief This function initializes an RSA context. * + * \note This function initializes the padding and the hash + * identifier for #MBEDTLS_RSA_PKCS_V21 to respectively + * #MBEDTLS_RSA_PKCS_V15 and #MBEDTLS_MD_NONE. See + * mbedtls_rsa_set_padding() for more information about + * those parameters. + * + * \param ctx The RSA context to initialize. This must not be \c NULL. + */ +void mbedtls_rsa_init( mbedtls_rsa_context *ctx ); + +/** + * \brief This function sets padding for an already initialized RSA + * context. + * * \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP * encryption scheme and the RSASSA-PSS signature scheme. * * \note The \p hash_id parameter is ignored when using * #MBEDTLS_RSA_PKCS_V15 padding. * - * \note The choice of padding mode is strictly enforced for private key - * operations, since there might be security concerns in + * \note The choice of padding mode is strictly enforced for private + * key operations, since there might be security concerns in * mixing padding modes. For public key operations it is * a default value, which can be overridden by calling specific - * \c rsa_rsaes_xxx or \c rsa_rsassa_xxx functions. + * \c mbedtls_rsa_rsaes_xxx or \c mbedtls_rsa_rsassa_xxx + * functions. * * \note The hash selected in \p hash_id is always used for OEAP * encryption. For PSS signatures, it is always used for * making signatures, but can be overridden for verifying them. * If set to #MBEDTLS_MD_NONE, it is always overridden. * - * \param ctx The RSA context to initialize. This must not be \c NULL. + * \param ctx The initialized RSA context to be configured. * \param padding The padding mode to use. This must be either * #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. - * \param hash_id The hash identifier of ::mbedtls_md_type_t type, if - * \p padding is #MBEDTLS_RSA_PKCS_V21. It is unused - * otherwise. + * \param hash_id The #MBEDTLS_RSA_PKCS_V21 hash identifier. + * #MBEDTLS_MD_NONE is accepted by this function but may be + * not suitable for some operations. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure: + * \p padding or \p hash_id is invalid. */ -void mbedtls_rsa_init( mbedtls_rsa_context *ctx, - int padding, - int hash_id ); +int mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, + mbedtls_md_type_t hash_id ); /** * \brief This function imports a set of core parameters into an @@ -391,24 +409,6 @@ int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx, int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx, mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP ); -/** - * \brief This function sets padding for an already initialized RSA - * context. See mbedtls_rsa_init() for details. - * - * \param ctx The initialized RSA context to be configured. - * \param padding The padding mode to use. This must be either - * #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. - * \param hash_id The #MBEDTLS_RSA_PKCS_V21 hash identifier. - * #MBEDTLS_MD_NONE is accepted by this function but may be - * not suitable for some operations. - * - * \return \c 0 on success. - * \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure: - * \p padding or \p hash_id is invalid. - */ -int mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, - mbedtls_md_type_t hash_id ); - /** * \brief This function retrieves the length of RSA modulus in Bytes. * diff --git a/library/pk_wrap.c b/library/pk_wrap.c index c351113e04..ec0ff45ccb 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -165,7 +165,7 @@ static void *rsa_alloc_wrap( void ) void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_context ) ); if( ctx != NULL ) - mbedtls_rsa_init( (mbedtls_rsa_context *) ctx, 0, 0 ); + mbedtls_rsa_init( (mbedtls_rsa_context *) ctx ); return( ctx ); } diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 33e22e7002..f2e9a1c052 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -317,7 +317,7 @@ static psa_status_t rsa_generate_key( if( status != PSA_SUCCESS ) return( status ); - mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE ); + mbedtls_rsa_init( &rsa ); ret = mbedtls_rsa_gen_key( &rsa, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE, diff --git a/library/rsa.c b/library/rsa.c index 5a1ae79bce..26a93c1b94 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -477,17 +477,14 @@ int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx, /* * Initialize an RSA context */ -void mbedtls_rsa_init( mbedtls_rsa_context *ctx, - int padding, - int hash_id ) +void mbedtls_rsa_init( mbedtls_rsa_context *ctx ) { RSA_VALIDATE( ctx != NULL ); - RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 || - padding == MBEDTLS_RSA_PKCS_V21 ); memset( ctx, 0, sizeof( mbedtls_rsa_context ) ); - mbedtls_rsa_set_padding( ctx, padding, hash_id ); + ctx->padding = MBEDTLS_RSA_PKCS_V15; + ctx->hash_id = MBEDTLS_MD_NONE; #if defined(MBEDTLS_THREADING_C) /* Set ctx->ver to nonzero to indicate that the mutex has been @@ -2592,7 +2589,7 @@ int mbedtls_rsa_self_test( int verbose ) mbedtls_mpi K; mbedtls_mpi_init( &K ); - mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); + mbedtls_rsa_init( &rsa ); MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) ); MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) ); diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c index c6b3132005..3abf49edac 100644 --- a/programs/pkey/dh_client.c +++ b/programs/pkey/dh_client.c @@ -92,7 +92,6 @@ int main( void ) mbedtls_aes_context aes; mbedtls_net_init( &server_fd ); - mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_SHA256 ); mbedtls_dhm_init( &dhm ); mbedtls_aes_init( &aes ); mbedtls_ctr_drbg_init( &ctr_drbg ); @@ -125,7 +124,7 @@ int main( void ) goto exit; } - mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); + mbedtls_rsa_init( &rsa ); if( ( ret = mbedtls_mpi_read_file( &rsa.N, 16, f ) ) != 0 || ( ret = mbedtls_mpi_read_file( &rsa.E, 16, f ) ) != 0 ) diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index 63df77ee01..d87f75a554 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -95,7 +95,6 @@ int main( void ) mbedtls_net_init( &listen_fd ); mbedtls_net_init( &client_fd ); - mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_SHA256 ); mbedtls_dhm_init( &dhm ); mbedtls_aes_init( &aes ); mbedtls_ctr_drbg_init( &ctr_drbg ); @@ -131,7 +130,7 @@ int main( void ) goto exit; } - mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); + mbedtls_rsa_init( &rsa ); if( ( ret = mbedtls_mpi_read_file( &N , 16, f ) ) != 0 || ( ret = mbedtls_mpi_read_file( &E , 16, f ) ) != 0 || diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c index 1ba8c735db..88b80d1775 100644 --- a/programs/pkey/rsa_decrypt.c +++ b/programs/pkey/rsa_decrypt.c @@ -90,7 +90,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( "\n . Seeding the random number generator..." ); fflush( stdout ); - mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); + mbedtls_rsa_init( &rsa ); mbedtls_ctr_drbg_init( &ctr_drbg ); mbedtls_entropy_init( &entropy ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); diff --git a/programs/pkey/rsa_encrypt.c b/programs/pkey/rsa_encrypt.c index 6c654ad188..1113622058 100644 --- a/programs/pkey/rsa_encrypt.c +++ b/programs/pkey/rsa_encrypt.c @@ -87,7 +87,7 @@ int main( int argc, char *argv[] ) fflush( stdout ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); + mbedtls_rsa_init( &rsa ); mbedtls_ctr_drbg_init( &ctr_drbg ); mbedtls_entropy_init( &entropy ); diff --git a/programs/pkey/rsa_genkey.c b/programs/pkey/rsa_genkey.c index 26a8925044..1dcfc52f0f 100644 --- a/programs/pkey/rsa_genkey.c +++ b/programs/pkey/rsa_genkey.c @@ -75,7 +75,7 @@ int main( void ) const char *pers = "rsa_genkey"; mbedtls_ctr_drbg_init( &ctr_drbg ); - mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); + mbedtls_rsa_init( &rsa ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &D ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ ); mbedtls_mpi_init( &QP ); diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c index 1cfa0a8dd9..427554ff11 100644 --- a/programs/pkey/rsa_sign.c +++ b/programs/pkey/rsa_sign.c @@ -67,7 +67,7 @@ int main( int argc, char *argv[] ) char filename[512]; mbedtls_mpi N, P, Q, D, E, DP, DQ, QP; - mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); + mbedtls_rsa_init( &rsa ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &D ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &DP ); diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c index 6aca17134a..0cd17b0a3b 100644 --- a/programs/pkey/rsa_verify.c +++ b/programs/pkey/rsa_verify.c @@ -66,7 +66,7 @@ int main( int argc, char *argv[] ) unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; char filename[512]; - mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); + mbedtls_rsa_init( &rsa ); if( argc != 2 ) { diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index e12345365f..5aa31f7250 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -786,7 +786,7 @@ int main( int argc, char *argv[] ) { mbedtls_snprintf( title, sizeof( title ), "RSA-%d", keysize ); - mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); + mbedtls_rsa_init( &rsa ); mbedtls_rsa_gen_key( &rsa, myrand, NULL, keysize, 65537 ); TIME_PUBLIC( title, " public", diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 2e24aecc7d..573c9d4306 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -863,7 +863,7 @@ void pk_rsa_alt( ) size_t sig_len, ciph_len, test_len; int ret = MBEDTLS_ERR_PK_TYPE_MISMATCH; - mbedtls_rsa_init( &raw, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE ); + mbedtls_rsa_init( &raw ); mbedtls_pk_init( &rsa ); mbedtls_pk_init( &alt ); memset( hash, 0x2a, sizeof hash ); diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function index a7fb2a5ff8..d558c386fc 100644 --- a/tests/suites/test_suite_pkcs1_v15.function +++ b/tests/suites/test_suite_pkcs1_v15.function @@ -25,7 +25,8 @@ void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char * input_N, info.length = rnd_buf->len; mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); memset( output, 0x00, sizeof( output ) ); TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 ); @@ -71,7 +72,8 @@ void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char * input_P, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); memset( output, 0x00, sizeof( output ) ); memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); @@ -193,7 +195,7 @@ void pkcs1_v15_decode( data_t *input, memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); mbedtls_mpi_init( &Nmpi ); mbedtls_mpi_init( &Empi ); mbedtls_mpi_init( &Pmpi ); mbedtls_mpi_init( &Qmpi ); - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, 0 ); + mbedtls_rsa_init( &ctx ); TEST_ASSERT( mbedtls_mpi_read_binary( &Nmpi, N, sizeof( N ) ) == 0 ); TEST_ASSERT( mbedtls_mpi_read_binary( &Empi, E, sizeof( E ) ) == 0 ); @@ -277,7 +279,8 @@ void pkcs1_rsassa_v15_sign( int mod, int radix_P, char * input_P, int radix_Q, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); memset( hash_result, 0x00, sizeof( hash_result ) ); memset( output, 0x00, sizeof( output ) ); @@ -325,7 +328,8 @@ void pkcs1_rsassa_v15_verify( int mod, int radix_N, char * input_N, ((void) salt); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); memset( hash_result, 0x00, sizeof( hash_result ) ); TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 ); diff --git a/tests/suites/test_suite_pkcs1_v21.function b/tests/suites/test_suite_pkcs1_v21.function index f7e1e24ac7..e923e0b28f 100644 --- a/tests/suites/test_suite_pkcs1_v21.function +++ b/tests/suites/test_suite_pkcs1_v21.function @@ -24,7 +24,8 @@ void pkcs1_rsaes_oaep_encrypt( int mod, data_t * input_N, data_t * input_E, info.length = rnd_buf->len; mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V21, hash ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V21, hash ); memset( output, 0x00, sizeof( output ) ); TEST_ASSERT( mbedtls_mpi_read_binary( &N, input_N->x, input_N->len ) == 0 ); @@ -67,7 +68,8 @@ void pkcs1_rsaes_oaep_decrypt( int mod, data_t * input_P, data_t * input_Q, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V21, hash ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V21, hash ); memset( output, 0x00, sizeof( output ) ); memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); @@ -131,7 +133,8 @@ void pkcs1_rsassa_pss_sign( int mod, data_t * input_P, data_t * input_Q, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V21, hash ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V21, hash ); memset( hash_result, 0x00, sizeof( hash_result ) ); memset( output, 0x00, sizeof( output ) ); @@ -189,7 +192,8 @@ void pkcs1_rsassa_pss_verify( int mod, data_t * input_N, data_t * input_E, ((void) salt); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V21, hash ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V21, hash ); memset( hash_result, 0x00, sizeof( hash_result ) ); TEST_ASSERT( mbedtls_mpi_read_binary( &N, input_N->x, input_N->len ) == 0 ); @@ -225,7 +229,8 @@ void pkcs1_rsassa_pss_verify_ext( int mod, data_t * input_N, data_t * input_E, mbedtls_mpi N, E; mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V21, ctx_hash ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V21, ctx_hash ); memset( hash_result, 0x00, sizeof( hash_result ) ); TEST_ASSERT( mbedtls_mpi_read_binary( &N, input_N->x, input_N->len ) == 0 ); diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index e057dfb19b..aed05a4204 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -24,7 +24,7 @@ void rsa_invalid_param( ) const int invalid_padding = 42; const int invalid_hash_id = 0xff; - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE ); + mbedtls_rsa_init( &ctx ); TEST_EQUAL( mbedtls_rsa_set_padding( &ctx, invalid_padding, @@ -51,11 +51,11 @@ void rsa_init_free( int reinit ) * unconditionally on an error path without checking whether it has * already been called in the success path. */ - mbedtls_rsa_init( &ctx, 0, 0 ); + mbedtls_rsa_init( &ctx ); mbedtls_rsa_free( &ctx ); if( reinit ) - mbedtls_rsa_init( &ctx, 0, 0 ); + mbedtls_rsa_init( &ctx ); mbedtls_rsa_free( &ctx ); /* This test case always succeeds, functionally speaking. A plausible @@ -79,7 +79,8 @@ void mbedtls_rsa_pkcs1_sign( data_t * message_str, int padding_mode, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, padding_mode, 0 ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, padding_mode, MBEDTLS_MD_NONE ); memset( hash_result, 0x00, sizeof( hash_result ) ); memset( output, 0x00, sizeof( output ) ); @@ -128,7 +129,8 @@ void mbedtls_rsa_pkcs1_verify( data_t * message_str, int padding_mode, mbedtls_mpi N, E; mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, padding_mode, 0 ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, padding_mode, MBEDTLS_MD_NONE ); memset( hash_result, 0x00, sizeof( hash_result ) ); TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 ); @@ -162,7 +164,8 @@ void rsa_pkcs1_sign_raw( data_t * hash_result, mbedtls_mpi N, P, Q, E; mbedtls_test_rnd_pseudo_info rnd_info; - mbedtls_rsa_init( &ctx, padding_mode, 0 ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, padding_mode, MBEDTLS_MD_NONE ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); @@ -209,7 +212,8 @@ void rsa_pkcs1_verify_raw( data_t * hash_result, mbedtls_mpi N, E; mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, padding_mode, 0 ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, padding_mode, MBEDTLS_MD_NONE ); memset( output, 0x00, sizeof( output ) ); TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 ); @@ -243,7 +247,8 @@ void mbedtls_rsa_pkcs1_encrypt( data_t * message_str, int padding_mode, memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); - mbedtls_rsa_init( &ctx, padding_mode, 0 ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, padding_mode, MBEDTLS_MD_NONE ); memset( output, 0x00, sizeof( output ) ); TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 ); @@ -284,7 +289,8 @@ void rsa_pkcs1_encrypt_bad_rng( data_t * message_str, int padding_mode, mbedtls_mpi N, E; mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, padding_mode, 0 ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, padding_mode, MBEDTLS_MD_NONE ); memset( output, 0x00, sizeof( output ) ); TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 ); @@ -329,7 +335,8 @@ void mbedtls_rsa_pkcs1_decrypt( data_t * message_str, int padding_mode, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, padding_mode, 0 ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_set_padding( &ctx, padding_mode, MBEDTLS_MD_NONE ); memset( output, 0x00, sizeof( output ) ); memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); @@ -377,8 +384,8 @@ void mbedtls_rsa_public( data_t * message_str, int mod, int radix_N, mbedtls_mpi N, E; mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, 0 ); - mbedtls_rsa_init( &ctx2, MBEDTLS_RSA_PKCS_V15, 0 ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_init( &ctx2 ); memset( output, 0x00, sizeof( output ) ); TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 ); @@ -435,8 +442,8 @@ void mbedtls_rsa_private( data_t * message_str, int mod, int radix_P, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, 0 ); - mbedtls_rsa_init( &ctx2, MBEDTLS_RSA_PKCS_V15, 0 ); + mbedtls_rsa_init( &ctx ); + mbedtls_rsa_init( &ctx2 ); memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); @@ -512,7 +519,7 @@ void mbedtls_rsa_check_pubkey( int radix_N, char * input_N, int radix_E, mbedtls_mpi N, E; mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, 0 ); + mbedtls_rsa_init( &ctx ); if( strlen( input_N ) ) { @@ -543,7 +550,7 @@ void mbedtls_rsa_check_privkey( int mod, int radix_P, char * input_P, { mbedtls_rsa_context ctx; - mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, 0 ); + mbedtls_rsa_init( &ctx ); ctx.len = mod / 8; if( strlen( input_P ) ) @@ -604,8 +611,8 @@ void rsa_check_pubpriv( int mod, int radix_Npub, char * input_Npub, { mbedtls_rsa_context pub, prv; - mbedtls_rsa_init( &pub, MBEDTLS_RSA_PKCS_V15, 0 ); - mbedtls_rsa_init( &prv, MBEDTLS_RSA_PKCS_V15, 0 ); + mbedtls_rsa_init( &pub ); + mbedtls_rsa_init( &prv ); pub.len = mod / 8; prv.len = mod / 8; @@ -676,7 +683,7 @@ void mbedtls_rsa_gen_key( int nrbits, int exponent, int result) mbedtls_ctr_drbg_init( &ctr_drbg ); mbedtls_entropy_init( &entropy ); - mbedtls_rsa_init ( &ctx, 0, 0 ); + mbedtls_rsa_init ( &ctx ); TEST_ASSERT( mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *) pers, @@ -828,7 +835,7 @@ void mbedtls_rsa_import( int radix_N, char *input_N, mbedtls_ctr_drbg_init( &ctr_drbg ); mbedtls_entropy_init( &entropy ); - mbedtls_rsa_init( &ctx, 0, 0 ); + mbedtls_rsa_init( &ctx ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); @@ -969,7 +976,7 @@ void mbedtls_rsa_export( int radix_N, char *input_N, mbedtls_rsa_context ctx; - mbedtls_rsa_init( &ctx, 0, 0 ); + mbedtls_rsa_init( &ctx ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); @@ -1149,7 +1156,7 @@ void mbedtls_rsa_export_raw( data_t *input_N, data_t *input_P, mbedtls_rsa_context ctx; - mbedtls_rsa_init( &ctx, 0, 0 ); + mbedtls_rsa_init( &ctx ); /* Setup RSA context */ TEST_ASSERT( mbedtls_rsa_import_raw( &ctx, @@ -1251,7 +1258,7 @@ void mbedtls_rsa_import_raw( data_t *input_N, mbedtls_ctr_drbg_init( &ctr_drbg ); mbedtls_entropy_init( &entropy ); - mbedtls_rsa_init( &ctx, 0, 0 ); + mbedtls_rsa_init( &ctx ); TEST_ASSERT( mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *) pers, From 6fe1bc3f246e93b08d5c7c4f9e0a41f38556402c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 7 Jun 2021 09:35:02 +0200 Subject: [PATCH 100/131] Add change log and migration guide Signed-off-by: Ronald Cron --- ChangeLog.d/rsa-padding.txt | 5 ++++ docs/3.0-migration-guide.d/rsa-padding.md | 29 +++++++++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 ChangeLog.d/rsa-padding.txt create mode 100644 docs/3.0-migration-guide.d/rsa-padding.md diff --git a/ChangeLog.d/rsa-padding.txt b/ChangeLog.d/rsa-padding.txt new file mode 100644 index 0000000000..5f9c11f717 --- /dev/null +++ b/ChangeLog.d/rsa-padding.txt @@ -0,0 +1,5 @@ +API changes + * mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA + key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding() + after initializing the context. mbedtls_rsa_set_padding() now returns an + error if its parameters are invalid. diff --git a/docs/3.0-migration-guide.d/rsa-padding.md b/docs/3.0-migration-guide.d/rsa-padding.md new file mode 100644 index 0000000000..a04d9ee2ae --- /dev/null +++ b/docs/3.0-migration-guide.d/rsa-padding.md @@ -0,0 +1,29 @@ +Remove the padding parameters from mbedtls_rsa_init() +----------------------------------------------------- + +This affects all users who use the RSA encryption, decryption, sign and +verify APIs. + +The function mbedtls_rsa_init() no longer supports selecting the PKCS#1 v2.1 +encoding and its hash. It just selects the PKCS#1 v1.5 encoding by default. If +you were using the PKCS#1 v2.1 encoding you now need, subsequently to the call +to mbedtls_rsa_init(), to call mbedtls_rsa_set_padding() to set it. + +Code migration examples: +```C + mbedtls_rsa_init(ctx, padding, hash_id); +``` +to +```C + mbedtls_rsa_init(ctx); + mbedtls_rsa_set_padding(ctx, padding, hash_id); +``` +or +```C + mbedtls_rsa_init(ctx, MBEDTLS_RSA_PKCS_V15, ); +``` +to +```C + mbedtls_rsa_init(ctx); +``` + From d2cfa3e9809f62c7a5f7a873d900e9ca7714bf89 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 8 Jun 2021 09:09:04 +0200 Subject: [PATCH 101/131] Improve mbedtls_rsa_init/set_padding() descriptions Signed-off-by: Ronald Cron --- include/mbedtls/rsa.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 514484574e..34174b69b5 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -135,10 +135,9 @@ mbedtls_rsa_context; * \brief This function initializes an RSA context. * * \note This function initializes the padding and the hash - * identifier for #MBEDTLS_RSA_PKCS_V21 to respectively - * #MBEDTLS_RSA_PKCS_V15 and #MBEDTLS_MD_NONE. See - * mbedtls_rsa_set_padding() for more information about - * those parameters. + * identifier to respectively #MBEDTLS_RSA_PKCS_V15 and + * #MBEDTLS_MD_NONE. See mbedtls_rsa_set_padding() for more + * information about those parameters. * * \param ctx The RSA context to initialize. This must not be \c NULL. */ @@ -169,9 +168,10 @@ void mbedtls_rsa_init( mbedtls_rsa_context *ctx ); * \param ctx The initialized RSA context to be configured. * \param padding The padding mode to use. This must be either * #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. - * \param hash_id The #MBEDTLS_RSA_PKCS_V21 hash identifier. - * #MBEDTLS_MD_NONE is accepted by this function but may be - * not suitable for some operations. + * \param hash_id The hash identifier for PSS or OAEP, if \p padding is + * #MBEDTLS_RSA_PKCS_V21. #MBEDTLS_MD_NONE is accepted by this + * function but may be not suitable for some operations. + * Ignored if \p padding is #MBEDTLS_RSA_PKCS_V15. * * \return \c 0 on success. * \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure: From 266b6d2121eb2bbfb68725fa3b3ba63e9accbcc5 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 8 Jun 2021 10:03:49 +0200 Subject: [PATCH 102/131] tests: Assert success of calls to mbedtls_rsa_set_padding() Signed-off-by: Ronald Cron --- tests/suites/test_suite_pkcs1_v15.function | 12 ++++++++---- tests/suites/test_suite_pkcs1_v21.function | 15 ++++++++++----- tests/suites/test_suite_rsa.function | 21 ++++++++++++++------- 3 files changed, 32 insertions(+), 16 deletions(-) diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function index d558c386fc..d78ee88959 100644 --- a/tests/suites/test_suite_pkcs1_v15.function +++ b/tests/suites/test_suite_pkcs1_v15.function @@ -26,7 +26,8 @@ void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char * input_N, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, + MBEDTLS_RSA_PKCS_V15, hash ) == 0 ); memset( output, 0x00, sizeof( output ) ); TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 ); @@ -73,7 +74,8 @@ void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char * input_P, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, + MBEDTLS_RSA_PKCS_V15, hash ) == 0 ); memset( output, 0x00, sizeof( output ) ); memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); @@ -280,7 +282,8 @@ void pkcs1_rsassa_v15_sign( int mod, int radix_P, char * input_P, int radix_Q, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, + MBEDTLS_RSA_PKCS_V15, hash ) == 0 ); memset( hash_result, 0x00, sizeof( hash_result ) ); memset( output, 0x00, sizeof( output ) ); @@ -329,7 +332,8 @@ void pkcs1_rsassa_v15_verify( int mod, int radix_N, char * input_N, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V15, hash ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, + MBEDTLS_RSA_PKCS_V15, hash ) == 0 ); memset( hash_result, 0x00, sizeof( hash_result ) ); TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 ); diff --git a/tests/suites/test_suite_pkcs1_v21.function b/tests/suites/test_suite_pkcs1_v21.function index e923e0b28f..ec5591f6d1 100644 --- a/tests/suites/test_suite_pkcs1_v21.function +++ b/tests/suites/test_suite_pkcs1_v21.function @@ -25,7 +25,8 @@ void pkcs1_rsaes_oaep_encrypt( int mod, data_t * input_N, data_t * input_E, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V21, hash ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, + MBEDTLS_RSA_PKCS_V21, hash ) == 0 ); memset( output, 0x00, sizeof( output ) ); TEST_ASSERT( mbedtls_mpi_read_binary( &N, input_N->x, input_N->len ) == 0 ); @@ -69,7 +70,8 @@ void pkcs1_rsaes_oaep_decrypt( int mod, data_t * input_P, data_t * input_Q, mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V21, hash ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, + MBEDTLS_RSA_PKCS_V21, hash ) == 0 ); memset( output, 0x00, sizeof( output ) ); memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); @@ -134,7 +136,8 @@ void pkcs1_rsassa_pss_sign( int mod, data_t * input_P, data_t * input_Q, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V21, hash ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, + MBEDTLS_RSA_PKCS_V21, hash ) == 0 ); memset( hash_result, 0x00, sizeof( hash_result ) ); memset( output, 0x00, sizeof( output ) ); @@ -193,7 +196,8 @@ void pkcs1_rsassa_pss_verify( int mod, data_t * input_N, data_t * input_E, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V21, hash ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, + MBEDTLS_RSA_PKCS_V21, hash ) == 0 ); memset( hash_result, 0x00, sizeof( hash_result ) ); TEST_ASSERT( mbedtls_mpi_read_binary( &N, input_N->x, input_N->len ) == 0 ); @@ -230,7 +234,8 @@ void pkcs1_rsassa_pss_verify_ext( int mod, data_t * input_N, data_t * input_E, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, MBEDTLS_RSA_PKCS_V21, ctx_hash ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, + MBEDTLS_RSA_PKCS_V21, ctx_hash ) == 0 ); memset( hash_result, 0x00, sizeof( hash_result ) ); TEST_ASSERT( mbedtls_mpi_read_binary( &N, input_N->x, input_N->len ) == 0 ); diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index aed05a4204..086544401b 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -80,7 +80,8 @@ void mbedtls_rsa_pkcs1_sign( data_t * message_str, int padding_mode, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, padding_mode, MBEDTLS_MD_NONE ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx,padding_mode, + MBEDTLS_MD_NONE ) == 0 ); memset( hash_result, 0x00, sizeof( hash_result ) ); memset( output, 0x00, sizeof( output ) ); @@ -130,7 +131,8 @@ void mbedtls_rsa_pkcs1_verify( data_t * message_str, int padding_mode, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, padding_mode, MBEDTLS_MD_NONE ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, padding_mode, + MBEDTLS_MD_NONE ) == 0 ); memset( hash_result, 0x00, sizeof( hash_result ) ); TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 ); @@ -165,7 +167,8 @@ void rsa_pkcs1_sign_raw( data_t * hash_result, mbedtls_test_rnd_pseudo_info rnd_info; mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, padding_mode, MBEDTLS_MD_NONE ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, padding_mode, + MBEDTLS_MD_NONE ) == 0 ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); @@ -213,7 +216,8 @@ void rsa_pkcs1_verify_raw( data_t * hash_result, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, padding_mode, MBEDTLS_MD_NONE ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, padding_mode, + MBEDTLS_MD_NONE ) == 0 ); memset( output, 0x00, sizeof( output ) ); TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 ); @@ -248,7 +252,8 @@ void mbedtls_rsa_pkcs1_encrypt( data_t * message_str, int padding_mode, memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, padding_mode, MBEDTLS_MD_NONE ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, padding_mode, + MBEDTLS_MD_NONE ) == 0 ); memset( output, 0x00, sizeof( output ) ); TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 ); @@ -290,7 +295,8 @@ void rsa_pkcs1_encrypt_bad_rng( data_t * message_str, int padding_mode, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E ); mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, padding_mode, MBEDTLS_MD_NONE ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, padding_mode, + MBEDTLS_MD_NONE ) == 0 ); memset( output, 0x00, sizeof( output ) ); TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 ); @@ -336,7 +342,8 @@ void mbedtls_rsa_pkcs1_decrypt( data_t * message_str, int padding_mode, mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); mbedtls_rsa_init( &ctx ); - mbedtls_rsa_set_padding( &ctx, padding_mode, MBEDTLS_MD_NONE ); + TEST_ASSERT( mbedtls_rsa_set_padding( &ctx, padding_mode, + MBEDTLS_MD_NONE ) == 0 ); memset( output, 0x00, sizeof( output ) ); memset( &rnd_info, 0, sizeof( mbedtls_test_rnd_pseudo_info ) ); From 3a0375fff43fba25b95ea9b765c504eba9194b2a Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 8 Jun 2021 10:22:28 +0200 Subject: [PATCH 103/131] Fail if a padding disabled by the build-time configuration is selected Signed-off-by: Ronald Cron --- library/rsa.c | 17 ++++++++++++++--- programs/pkey/rsa_sign_pss.c | 2 +- tests/suites/test_suite_rsa.function | 14 ++++++++++++++ 3 files changed, 29 insertions(+), 4 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index 26a93c1b94..a788337a59 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -500,9 +500,20 @@ void mbedtls_rsa_init( mbedtls_rsa_context *ctx ) int mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, mbedtls_md_type_t hash_id ) { - if( ( padding != MBEDTLS_RSA_PKCS_V15 ) && - ( padding != MBEDTLS_RSA_PKCS_V21 ) ) - return( MBEDTLS_ERR_RSA_INVALID_PADDING ); + switch( padding ) + { +#if defined(MBEDTLS_PKCS1_V15) + case MBEDTLS_RSA_PKCS_V15: + break; +#endif + +#if defined(MBEDTLS_PKCS1_V21) + case MBEDTLS_RSA_PKCS_V21: + break; +#endif + default: + return( MBEDTLS_ERR_RSA_INVALID_PADDING ); + } if( ( padding == MBEDTLS_RSA_PKCS_V21 ) && ( hash_id != MBEDTLS_MD_NONE ) ) diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c index e7fcf511a9..26056dd9b6 100644 --- a/programs/pkey/rsa_sign_pss.c +++ b/programs/pkey/rsa_sign_pss.c @@ -119,7 +119,7 @@ int main( int argc, char *argv[] ) MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256 ) ) != 0 ) { - mbedtls_printf( " failed\n ! Invalid padding\n" ); + mbedtls_printf( " failed\n ! Padding not supported\n" ); goto exit; } diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 086544401b..14b4afc3a3 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -36,6 +36,20 @@ void rsa_invalid_param( ) invalid_hash_id ), MBEDTLS_ERR_RSA_INVALID_PADDING ); +#if !defined(MBEDTLS_PKCS1_V15) + TEST_EQUAL( mbedtls_rsa_set_padding( &ctx, + MBEDTLS_RSA_PKCS_V15, + MBEDTLS_MD_NONE ), + MBEDTLS_ERR_RSA_INVALID_PADDING ); +#endif + +#if !defined(MBEDTLS_PKCS1_V21) + TEST_EQUAL( mbedtls_rsa_set_padding( &ctx, + MBEDTLS_RSA_PKCS_V21, + MBEDTLS_MD_NONE ), + MBEDTLS_ERR_RSA_INVALID_PADDING ); +#endif + exit: mbedtls_rsa_free( &ctx ); } From 73876cf9cb16ab8ca9c761ae9204692b0f626477 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 8 Jun 2021 15:33:53 +0200 Subject: [PATCH 104/131] Clarify "between major version changes" This was diversely interpreted as "compatibility in the period between two major version changes" (as intended) or "compatibility between two versions whose major version is different" (unintended). Signed-off-by: Gilles Peskine --- BRANCHES.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/BRANCHES.md b/BRANCHES.md index df30ae1004..b9926ac9df 100644 --- a/BRANCHES.md +++ b/BRANCHES.md @@ -16,9 +16,10 @@ At any point in time, we have a number of maintained branches consisting of: these only get bug fixes and security fixes. We use [Semantic Versioning](https://semver.org/). In particular, we maintain -API compatibility in the `master` branch between major version changes. We -also maintain ABI compatibility within LTS branches; see the next section for -details. +API compatibility in the `master` branch across minor version changes (e.g. +the API of 3.(x+1) is backward compatible with 3.x). We only break API +compatibility on major version changes (e.g. from 3.x to 4.0). We also maintain +ABI compatibility within LTS branches; see the next section for details. ## Backwards Compatibility From 5e1948d2a311a64254265431a4ab8d10024b7941 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 26 May 2021 09:27:03 +0100 Subject: [PATCH 105/131] PSA PAKE: define size macros as 0 Define the size macros to 0 rather than empty. That will lead to fewer weird errors when we start implementing. Signed-off-by: Janos Follath --- include/psa/crypto_sizes.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index a603c9d298..a1b89446e7 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h @@ -1152,7 +1152,7 @@ * the output type or PAKE algorithm is not recognized, or * the parameters are incompatible, return 0. */ -#define PSA_PAKE_OUTPUT_SIZE(alg, primitive, output_step) +#define PSA_PAKE_OUTPUT_SIZE(alg, primitive, output_step) 0 /** Output buffer size for psa_pake_output() for any of the supported cipher * suites and PAKE algorithms. @@ -1161,6 +1161,6 @@ * * See also #PSA_PAKE_OUTPUT_SIZE(\p alg, \p cipher_suite, \p output). */ -#define PSA_PAKE_OUTPUT_MAX_SIZE +#define PSA_PAKE_OUTPUT_MAX_SIZE 0 #endif /* PSA_CRYPTO_SIZES_H */ From a2959185969fd26fb42643e135ae5ce4672d5eac Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 26 May 2021 09:41:39 +0100 Subject: [PATCH 106/131] PSA PAKE: add input size macros The caller is likely to receive the inputs on the wire, and having a known size for which they can confidently reject longer inputs would be helpful in cases where the application can't just use the input in place. Signed-off-by: Janos Follath --- include/psa/crypto.h | 2 ++ include/psa/crypto_sizes.h | 36 ++++++++++++++++++++++++++++++++---- 2 files changed, 34 insertions(+), 4 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index bbdd06d5ae..e84c757d10 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4626,6 +4626,8 @@ psa_status_t psa_pake_output(psa_pake_operation_t *operation, * \retval #PSA_ERROR_HARDWARE_FAILURE * \retval #PSA_ERROR_CORRUPTION_DETECTED * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INVALID_ARGUMENT + * The input is not valid for the algorithm, ciphersuite or \p step. * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index a1b89446e7..62254fab52 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h @@ -1134,10 +1134,9 @@ /** A sufficient output buffer size for psa_pake_output(). * - * If the size of the ciphertext buffer is at least this large, it is - * guaranteed that psa_pake_output() will not fail due to an - * insufficient ciphertext buffer size. The actual size of the output might be - * smaller in any given call. + * If the size of the output buffer is at least this large, it is guaranteed + * that psa_pake_output() will not fail due to an insufficient output buffer + * size. The actual size of the output might be smaller in any given call. * * See also #PSA_PAKE_OUTPUT_MAX_SIZE * @@ -1154,6 +1153,26 @@ */ #define PSA_PAKE_OUTPUT_SIZE(alg, primitive, output_step) 0 +/** A sufficient input buffer size for psa_pake_input(). + * + * If the size of the input is larger than this, it is guaranteed + * that psa_pake_input() will fail with #PSA_ERROR_INVALID_ARGUMENT. + * + * See also #PSA_PAKE_INPUT_MAX_SIZE + * + * \param alg A PAKE algorithm (PSA_ALG_XXX value such that + * #PSA_ALG_IS_PAKE(\p alg) is true). + * \param primitive A primitive of type ::psa_pake_primitive_t that is + * compatible with algorithm \p alg. + * \param output_step A value of type ::psa_pake_step_t that is valid for the + * algorithm \p alg. + * \return A sufficient output buffer size for the specified + * output, cipher suite and algorithm. If the cipher suite, + * the output type or PAKE algorithm is not recognized, or + * the parameters are incompatible, return 0. + */ +#define PSA_PAKE_INPUT_SIZE(alg, primitive, input_step) 0 + /** Output buffer size for psa_pake_output() for any of the supported cipher * suites and PAKE algorithms. * @@ -1163,4 +1182,13 @@ */ #define PSA_PAKE_OUTPUT_MAX_SIZE 0 +/** Input buffer size for psa_pake_input() for any of the supported cipher + * suites and PAKE algorithms. + * + * This macro must expand to a compile-time constant integer. + * + * See also #PSA_PAKE_INPUT_SIZE(\p alg, \p cipher_suite, \p output). + */ +#define PSA_PAKE_INPUT_MAX_SIZE 0 + #endif /* PSA_CRYPTO_SIZES_H */ From 304766e11ef35d17c549b9df9e46617ce12c5291 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 26 May 2021 09:48:08 +0100 Subject: [PATCH 107/131] PSA PAKE: make algorithm macro name consistent The API has PSA_ALG_GCM and not PSA_ALG_AEAD_GCM, PSA_ALG_MD5 and not PSA_ALG_HASH_MD5, etc., so PSA_ALG_PAKE_JPAKE should be PSA_ALG_JPAKE as well. Signed-off-by: Janos Follath --- include/psa/crypto_values.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index ab9bb5b8bd..37cd030247 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1977,7 +1977,7 @@ * - A secure cryptographic hash function. * * To select these parameters and set up the cipher suite, call - * psa_pake_cs_set_algorithm(cipher_suite, PSA_ALG_PAKE_JPAKE); + * psa_pake_cs_set_algorithm(cipher_suite, PSA_ALG_JPAKE); * psa_pake_cs_set_primitive(cipher_suite, * PSA_PAKE_PRIMITIVE(type, family, bits)); * psa_pake_cs_set_hash(cipher_suite, hash); @@ -2067,7 +2067,7 @@ * of RFC 8236 for two examples. * */ -#define PSA_ALG_PAKE_JPAKE ((psa_algorithm_t)0x0a000100) +#define PSA_ALG_JPAKE ((psa_algorithm_t)0x0a000100) /**@}*/ From 702cf09ae9fdb180fc1a4b56206aaf9425d99e39 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 26 May 2021 12:58:23 +0100 Subject: [PATCH 108/131] PSA PAKE: move the API to crypto_extra.h At this point this is a proposed PAKE interface for the PSA Crypto API and not part of the official standard. Place the interface in crypto_extra.h to make this clear. Signed-off-by: Janos Follath --- include/psa/crypto.h | 606 -------------------- include/psa/crypto_extra.h | 1041 +++++++++++++++++++++++++++++++++++ include/psa/crypto_sizes.h | 59 -- include/psa/crypto_struct.h | 75 --- include/psa/crypto_types.h | 42 -- include/psa/crypto_values.h | 261 --------- 6 files changed, 1041 insertions(+), 1043 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index e84c757d10..534902f2df 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4091,612 +4091,6 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, /**@}*/ - -/** \defgroup pake Password-authenticated key exchange (PAKE) - * @{ - */ - -/** The type of the data strucure for PAKE cipher suites. - * - * This is an implementation-defined \c struct. Applications should not - * make any assumptions about the content of this structure. - * Implementation details can change in future versions without notice. - */ -typedef struct psa_pake_cipher_suite_s psa_pake_cipher_suite_t; - -/** Retrieve the PAKE algorithm from a PAKE cipher suite. - * - * This function may be declared as `static` (i.e. without external - * linkage). This function may be provided as a function-like macro, - * but in this case it must evaluate its argument exactly once. - * - * \param[in] cipher_suite The cipher suite structure to query. - * - * \return The PAKE algorithm stored in the cipher suite structure. - */ -static psa_algorithm_t psa_pake_cs_get_algorithm( - const psa_pake_cipher_suite_t* cipher_suite - ); - -/** Declare the PAKE algorithm for the cipher suite. - * - * This function overwrites any PAKE algorithm - * previously set in \p cipher_suite. - * - * This function may be declared as `static` (i.e. without external - * linkage). This function may be provided as a function-like macro, - * but in this case it must evaluate each of its arguments exactly once. - * - * \param[out] cipher_suite The cipher suite structure to write to. - * \param algorithm The PAKE algorithm to write. - * (`PSA_ALG_XXX` values of type ::psa_algorithm_t - * such that #PSA_ALG_IS_PAKE(\c alg) is true.) - * If this is 0, the PAKE algorithm in - * \p cipher_suite becomes unspecified. - */ -static void psa_pake_cs_set_algorithm( - psa_pake_cipher_suite_t* cipher_suite, - psa_algorithm_t algorithm - ); - -/** Retrieve the primitive from a PAKE cipher suite. - * - * This function may be declared as `static` (i.e. without external linkage). - * This function may be provided as a function-like macro, but in this case it - * must evaluate its argument exactly once. - * - * \param[in] cipher_suite The cipher suite structure to query. - * - * \return The primitive stored in the cipher suite structure. - */ -static psa_pake_primitive_t psa_pake_cs_get_primitive( - const psa_pake_cipher_suite_t* cipher_suite - ); - -/** Declare the primitive for a PAKE cipher suite. - * - * This function overwrites any primitive previously set in \p cipher_suite. - * - * This function may be declared as `static` (i.e. without external - * linkage). This function may be provided as a function-like macro, - * but in this case it must evaluate each of its arguments exactly once. - * - * \param[out] cipher_suite The cipher suite structure to write to. - * \param primitive The primitive to write. If this is 0, the - * primitive type in \p cipher_suite becomes - * unspecified. - */ -static void psa_pake_cs_set_primitive( - psa_pake_cipher_suite_t* cipher_suite, - psa_pake_primitive_t primitive - ); - -/** Retrieve the hash algorithm from a PAKE cipher suite. - * - * This function may be declared as `static` (i.e. without external - * linkage). This function may be provided as a function-like macro, - * but in this case it must evaluate its argument exactly once. - * - * \param[in] cipher_suite The cipher suite structure to query. - * - * \return The hash algorithm stored in the cipher suite structure. The return - * value is 0 if the PAKE is not parametrised by a hash algorithm or if - * the hash algorithm is not set. - */ -static psa_algorithm_t psa_pake_cs_get_hash( - const psa_pake_cipher_suite_t* cipher_suite - ); - -/** Declare the hash algorithm for a PAKE cipher suite. - * - * This function overwrites any hash algorithm - * previously set in \p cipher_suite. - * - * This function may be declared as `static` (i.e. without external - * linkage). This function may be provided as a function-like macro, - * but in this case it must evaluate each of its arguments exactly once. - * - * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - * for more information. - * - * \param[out] cipher_suite The cipher suite structure to write to. - * \param hash The hash involved in the cipher suite. - * (`PSA_ALG_XXX` values of type ::psa_algorithm_t - * such that #PSA_ALG_IS_HASH(\c alg) is true.) - * If this is 0, the hash algorithm in - * \p cipher_suite becomes unspecified. - */ -static void psa_pake_cs_set_hash( - psa_pake_cipher_suite_t* cipher_suite, - psa_algorithm_t hash - ); - -/** The type of the state data structure for PAKE operations. - * - * Before calling any function on a PAKE operation object, the application - * must initialize it by any of the following means: - * - Set the structure to all-bits-zero, for example: - * \code - * psa_pake_operation_t operation; - * memset(&operation, 0, sizeof(operation)); - * \endcode - * - Initialize the structure to logical zero values, for example: - * \code - * psa_pake_operation_t operation = {0}; - * \endcode - * - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT, - * for example: - * \code - * psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT; - * \endcode - * - Assign the result of the function psa_pake_operation_init() - * to the structure, for example: - * \code - * psa_pake_operation_t operation; - * operation = psa_pake_operation_init(); - * \endcode - * - * This is an implementation-defined \c struct. Applications should not - * make any assumptions about the content of this structure. - * Implementation details can change in future versions without notice. */ -typedef struct psa_pake_operation_s psa_pake_operation_t; - -/** Return an initial value for an PAKE operation object. - */ -static psa_pake_operation_t psa_pake_operation_init(void); - -/** Set the session information for a password-authenticated key exchange. - * - * The sequence of operations to set up a password-authenticated key exchange - * is as follows: - * -# Allocate an operation object which will be passed to all the functions - * listed here. - * -# Initialize the operation object with one of the methods described in the - * documentation for #psa_pake_operation_t, e.g. - * #PSA_PAKE_OPERATION_INIT. - * -# Call psa_pake_setup() to specify the cipher suite. - * -# Call \c psa_pake_set_xxx() functions on the operation to complete the - * setup. The exact sequence of \c psa_pake_set_xxx() functions that needs - * to be called depends on the algorithm in use. - * - * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - * for more information. - * - * A typical sequence of calls to perform a password-authenticated key - * exchange: - * -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the - * key share that needs to be sent to the peer. - * -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide - * the key share that was received from the peer. - * -# Depending on the algorithm additional calls to psa_pake_output() and - * psa_pake_input() might be necessary. - * -# Call psa_pake_get_implicit_key() for accessing the shared secret. - * - * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - * for more information. - * - * If an error occurs at any step after a call to psa_pake_setup(), - * the operation will need to be reset by a call to psa_pake_abort(). The - * application may call psa_pake_abort() at any time after the operation - * has been initialized. - * - * After a successful call to psa_pake_setup(), the application must - * eventually terminate the operation. The following events terminate an - * operation: - * - A call to psa_pake_abort(). - * - A successful call to psa_pake_get_implicit_key(). - * - * \param[in,out] operation The operation object to set up. It must have - * been initialized as per the documentation for - * #psa_pake_operation_t and not yet in use (no - * other function has been called on it since the - * last initialization). - * \param cipher_suite The cipher suite to use. (A cipher suite fully - * characterizes a PAKE algorithm and determines - * the algorithm as well.) - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid. - * \retval #PSA_ERROR_NOT_SUPPORTED - * The \p cipher_suite is not supported or is not valid. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_BAD_STATE - * The library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. - */ -psa_status_t psa_pake_setup(psa_pake_operation_t *operation, - psa_pake_cipher_suite_t cipher_suite); - -/** Set the password for a password-authenticated key exchange from key ID. - * - * Call this function when the password, or a value derived from the password, - * is already present in the key store. To calculate the password-derived value - * from a password input, use the key derivation interface and - * psa_pake_set_password_stretch() instead. - * - * \param[in,out] operation The operation object to set the password for. It - * must have been set up by psa_pake_setup() and - * not yet in use (neither psa_pake_output() nor - * psa_pake_input() has been called yet). It must - * be on operation for which the password hasn't - * been set yet (neither - * psa_pake_set_password_stretch() nor - * psa_pake_set_password_key() has been called - * yet). - * \param password Identifier of the key holding the password or a - * value derived from the password (eg. by a - * memory-hard function). It must remain valid - * until the operation terminates. It must be of - * type #PSA_KEY_TYPE_PASSWORD or - * #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow - * the usage #PSA_KEY_USAGE_DERIVE. - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must have been set up.) - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_NOT_PERMITTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p key is not compatible with the algorithm or the cipher suite. - * \retval #PSA_ERROR_BAD_STATE - * The library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. - */ -psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, - mbedtls_svc_key_id_t password); - -/** Set the password for a password-authenticated key exchange via a key - * stretching function. - * - * Some protocols use values derived from passwords via key stretching - * functions to mitigate dictionary attacks. Key stretching functions can be - * accessed through the key derivation interface and the result can be supplied - * to the PAKE operation in the form of a key derivation object. - * - * This function draws bytes from a key derivation algorithm and sets those - * bytes as a password for the password-authenticated key exchange. If you - * view the key derivation's output as a stream of bytes, this function - * destructively reads the requested number of bytes from the stream. - * The key derivation operation's capacity decreases by the number of bytes read. - * - * If this function returns anything other than #PSA_SUCCESS, both \p operation - * and \p key_derivation operations enter an error state and must be aborted by - * calling psa_pake_abort() and psa_key_derivation_abort() respectively. - * - * \param[in,out] operation The operation object to set the password for. - * It must have been set up by psa_pake_setup() - * and not yet in use (neither psa_pake_output() - * nor psa_pake_input() has been called yet). It - * must be on operation for which the password - * hasn't been set yet (neither - * psa_pake_set_password_stretch() nor - * psa_pake_set_password_key() has been called - * yet). - * \param[in,out] key_derivation An ongoing key derivation operation set up - * from the password and in a state suitable for - * calling psa_key_derivation_output_bytes(). - * \param input_length Number of bytes to input from the - * \p key_derivation operation. - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_BAD_STATE - * The state of \p operation or \p key_derivation is not valid. - * \retval #PSA_ERROR_INSUFFICIENT_DATA - * The \p key_derivation operation's capacity was less than - * \p input_length bytes. - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_NOT_PERMITTED - * One of the inputs to \p key_derivation was a key whose policy didn't - * allow #PSA_KEY_USAGE_DERIVE. - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p key is not compatible with the algorithm or the cipher suite. - * \retval #PSA_ERROR_BAD_STATE - * The library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. - */ -psa_status_t psa_pake_set_password_stretch( - psa_pake_operation_t *operation, - psa_key_derivation_operation_t *key_derivation, - size_t input_length - ); - -/** Set the user ID for a password-authenticated key exchange. - * - * Call this function to set the user ID. For PAKE algorithms that associate a - * user identifier with each side of the session you need to call - * psa_pake_set_peer() as well. For PAKE algorithms that associate a single - * user identifier with the session, call psa_pake_set_user() only. - * - * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - * for more information. - * - * \param[in,out] operation The operation object to set the user ID for. It - * must have been set up by psa_pake_setup() and - * not yet in use (neither psa_pake_output() nor - * psa_pake_input() has been called yet). It must - * be on operation for which the user ID hasn't - * been set (psa_pake_set_user() hasn't been - * called yet). - * \param[in] user_id The user ID to authenticate with. - * \param user_id_len Size of the \p user_id buffer in bytes. - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p user_id is NULL. - * \retval #PSA_ERROR_BAD_STATE - * The library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. - */ -psa_status_t psa_pake_set_user(psa_pake_operation_t *operation, - const uint8_t *user_id, - size_t user_id_len); - -/** Set the peer ID for a password-authenticated key exchange. - * - * Call this function in addition to psa_pake_set_user() for PAKE algorithms - * that associate a user identifier with each side of the session. For PAKE - * algorithms that associate a single user identifier with the session, call - * psa_pake_set_user() only. - * - * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - * for more information. - * - * \param[in,out] operation The operation object to set the peer ID for. It - * must have been set up by psa_pake_setup() and - * not yet in use (neither psa_pake_output() nor - * psa_pake_input() has been called yet). It must - * be on operation for which the peer ID hasn't - * been set (psa_pake_set_peer() hasn't been - * called yet). - * \param[in] peer_id The peer's ID to authenticate. - * \param peer_id_len Size of the \p peer_id buffer in bytes. - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid. - * \retval #PSA_ERROR_NOT_SUPPORTED - * The algorithm doesn't associate a second identity with the session. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p user_id is NULL. - * \retval #PSA_ERROR_BAD_STATE - * The library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. - */ -psa_status_t psa_pake_set_peer(psa_pake_operation_t *operation, - const uint8_t *peer_id, - size_t peer_id_len); - -/** Set the side for a password-authenticated key exchange. - * - * Not all PAKE algorithms need to differentiate the communicating entities. - * It is optional to call this function for PAKEs that don't require a side - * parameter. For such PAKEs the side parameter is ignored. - * - * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` - * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) - * for more information. - * - * \param[in,out] operation The operation object to set the side for. It - * must have been set up by psa_pake_setup() and - * not yet in use (neither psa_pake_output() nor - * psa_pake_input() has been called yet). It must - * be on operation for which the side hasn't been - * set (psa_pake_set_side() hasn't been called - * yet). - * \param side A value of type ::psa_pake_side_t signaling the - * side of the algorithm that is being set up. For - * more information see the documentation of \c - * PSA_PAKE_SIDE_XXX constants. - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid. - * \retval #PSA_ERROR_NOT_SUPPORTED - * The \p side for this algorithm is not supported or is not valid. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_BAD_STATE - * The library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. - */ -psa_status_t psa_pake_set_side(psa_pake_operation_t *operation, - psa_pake_side_t side); - -/** Get output for a step of a password-authenticated key exchange. - * - * Depending on the algorithm being executed, you might need to call this - * function several times or you might not need to call this at all. - * - * The exact sequence of calls to perform a password-authenticated key - * exchange depends on the algorithm in use. Refer to the documentation of - * individual PAKE algorithm types (`PSA_ALG_XXX` values of type - * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - * information. - * - * If this function returns an error status, the operation enters an error - * state and must be aborted by calling psa_pake_abort(). - * - * \param[in,out] operation Active PAKE operation. - * \param step The step of the algorithm for which the output is - * requested. - * \param[out] output Buffer where the output is to be written in the - * format appropriate for this \p step. Refer to - * the documentation of the individual - * \c PSA_PAKE_STEP_XXX constants for more - * information. - * \param output_size Size of the \p output buffer in bytes. This must - * be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \c - * cipher_suite, \p type). - * - * \param[out] output_length On success, the number of bytes of the returned - * output. - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must be active, but beyond that - * validity is specific to the algorithm). - * \retval #PSA_ERROR_BUFFER_TOO_SMALL - * The size of the \p output buffer is too small. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_BAD_STATE - * The library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. - */ -psa_status_t psa_pake_output(psa_pake_operation_t *operation, - psa_pake_step_t step, - uint8_t *output, - size_t output_size, - size_t *output_length); - -/** Provide input for a step of a password-authenticated key exchange. - * - * Depending on the algorithm being executed, you might need to call this - * function several times or you might not need to call this at all. - * - * The exact sequence of calls to perform a password-authenticated key - * exchange depends on the algorithm in use. Refer to the documentation of - * individual PAKE algorithm types (`PSA_ALG_XXX` values of type - * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - * information. - * - * If this function returns an error status, the operation enters an error - * state and must be aborted by calling psa_pake_abort(). - * - * \param[in,out] operation Active PAKE operation. - * \param step The step for which the input is provided. - * \param[out] input Buffer containing the input in the format - * appropriate for this \p step. Refer to the - * documentation of the individual - * \c PSA_PAKE_STEP_XXX constants for more - * information. - * \param[out] input_length Size of the \p input buffer in bytes. - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must be active, but beyond that - * validity is specific to the algorithm). - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_INVALID_ARGUMENT - * The input is not valid for the algorithm, ciphersuite or \p step. - * \retval #PSA_ERROR_BAD_STATE - * The library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. - */ -psa_status_t psa_pake_input(psa_pake_operation_t *operation, - psa_pake_step_t step, - uint8_t *input, - size_t input_length); - -/** Get implicitly confirmed shared secret from a PAKE. - * - * At this point there is a cryptographic guarantee that only the authenticated - * party who used the same password is able to compute the key. But there is no - * guarantee that the peer is the party he claims to be and was able to do so. - * - * That is, the authentication is only implicit (the peer is not authenticated - * at this point, and no action should be taken that assume that they are - like - * for example accessing restricted files). - * - * This function can be called after the key exchange phase of the operation - * has completed. It imports the shared secret output of the PAKE into the - * provided derivation operation. The input step - * #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key - * material in the key derivation operation. - * - * The exact sequence of calls to perform a password-authenticated key - * exchange depends on the algorithm in use. Refer to the documentation of - * individual PAKE algorithm types (`PSA_ALG_XXX` values of type - * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more - * information. - * - * When this function returns successfully, \p operation becomes inactive. - * If this function returns an error status, both \p operation - * and \p key_derivation operations enter an error state and must be aborted by - * calling psa_pake_abort() and psa_key_derivation_abort() respectively. - * - * \param[in,out] operation Active PAKE operation. - * \param[out] output A key derivation operation that is ready - * for an input step of type - * #PSA_KEY_DERIVATION_INPUT_SECRET. - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must be active, but beyond that - * validity is specific to the algorithm). - * \retval #PSA_ERROR_BAD_STATE - * The state of \p output is not valid for - * the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the - * step is out of order or the application has done this step already - * and it may not be repeated. - * \retval #PSA_ERROR_INVALID_ARGUMENT - * #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the output’s - * algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_BAD_STATE - * The library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. - */ -psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, - psa_key_derivation_operation_t *output); -/**@}*/ - #ifdef __cplusplus } #endif diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index a7b4ab5994..615b6511c8 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -813,6 +813,1047 @@ psa_status_t mbedtls_psa_platform_get_builtin_key( /** @} */ +/** \addtogroup crypto_types + * @{ + */ + +#define PSA_ALG_CATEGORY_PAKE ((psa_algorithm_t)0x0a000000) + +/** Whether the specified algorithm is a password-authenticated key exchange. + * + * \param alg An algorithm identifier (value of type #psa_algorithm_t). + * + * \return 1 if \p alg is a password-authenticated key exchange (PAKE) + * algorithm, 0 otherwise. + * This macro may return either 0 or 1 if \p alg is not a supported + * algorithm identifier. + */ +#define PSA_ALG_IS_PAKE(alg) \ + (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_PAKE) + +/** The Password-authenticated key exchange by juggling (J-PAKE) algorithm. + * + * This is J-PAKE as defined by RFC 8236, instantiated with the following + * parameters: + * + * - The group can be either an elliptic curve or defined over a finite field. + * - Schnorr NIZK proof as defined by RFC 8235 and using the same group as the + * J-PAKE algorithm. + * - A secure cryptographic hash function. + * + * To select these parameters and set up the cipher suite, call + * psa_pake_cs_set_algorithm(cipher_suite, PSA_ALG_JPAKE); + * psa_pake_cs_set_primitive(cipher_suite, + * PSA_PAKE_PRIMITIVE(type, family, bits)); + * psa_pake_cs_set_hash(cipher_suite, hash); + * + * For more information on how to set a specific curve or field, refer to the + * documentation of the individual \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. + * + * After initializing a J-PAKE operation, call + * psa_pake_setup(operation, cipher_suite); + * psa_pake_set_user(operation, ...); + * psa_pake_set_peer(operation, ...); + * and either + * psa_pake_set_password_stretch(operation, ...); + * or + * psa_pake_set_password_key(operation, ...); + * + * Either way the password is read as a byte array and must be non-empty. This + * can be the password itself (in some pre-defined character encoding) or some + * value derived from the password as mandated by some higher level protocol. + * + * (The implementation converts this byte array to a number as described in + * Section 2.3.8 of _SEC 1: Elliptic Curve Cryptography_ + * (https://www.secg.org/sec1-v2.pdf), before reducing it modulo \c q. Here + * \c q is order of the group defined by the primitive set in the cipher suite. + * The \c psa_pake_set_password_xxx() functions return an error if the result + * of the reduction is 0.) + * + * The key exchange flow for J-PAKE is as follows: + * -# To get the first round data that needs to be sent to the peer, call + * // Get g1 + * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); + * // Get the ZKP public key for x1 + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); + * // Get the ZKP proof for x1 + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * // Get g2 + * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); + * // Get the ZKP public key for x2 + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); + * // Get the ZKP proof for x2 + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * -# To provide the first round data received from the peer to the operation, + * call + * // Set g3 + * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); + * // Set the ZKP public key for x3 + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); + * // Set the ZKP proof for x3 + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * // Set g4 + * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); + * // Set the ZKP public key for x4 + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); + * // Set the ZKP proof for x4 + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * -# To get the second round data that needs to be sent to the peer, call + * // Get A + * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); + * // Get ZKP public key for x2*s + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); + * // Get ZKP proof for x2*s + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * -# To provide the second round data received from the peer to the operation, + * call + * // Set B + * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); + * // Set ZKP public key for x4*s + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); + * // Set ZKP proof for x4*s + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * -# To access the shared secret call + * // Get Ka=Kb=K + * psa_pake_get_implicit_key() + * + * For more information consult the documentation of the individual + * \c PSA_PAKE_STEP_XXX constants. + * + * At this point there is a cryptographic guarantee that only the authenticated + * party who used the same password is able to compute the key. But there is no + * guarantee that the peer is the party he claims to be and was able to do so. + * + * That is, the authentication is only implicit (the peer is not authenticated + * at this point, and no action should be taken that assume that they are - like + * for example accessing restricted files). + * + * To make the authentication explicit there are various methods, see Section 5 + * of RFC 8236 for two examples. + * + */ +#define PSA_ALG_JPAKE ((psa_algorithm_t)0x0a000100) + +/** @} */ + +/** \defgroup pake Password-authenticated key exchange (PAKE) + * @{ + */ + +/** \brief Encoding of the side of PAKE + * + * Encodes which side of the algorithm is being executed. For more information + * see the documentation of individual \c PSA_PAKE_SIDE_XXX constants. + */ +typedef uint8_t psa_pake_side_t; + +/** Encoding of input and output indicators for PAKE. + * + * Some PAKE algorithms need to exchange more data than just a single key share. + * This type is for encoding additional input and output data for such + * algorithms. + */ +typedef uint8_t psa_pake_step_t; + +/** Encoding of the type of the PAKE's primitive. + * + * Values defined by this standard will never be in the range 0x80-0xff. + * Vendors who define additional types must use an encoding in this range. + * + * For more information see the documentation of individual + * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. + */ +typedef uint8_t psa_pake_primitive_type_t; + +/** \brief Encoding of the family of the primitive associated with the PAKE. + * + * For more information see the documentation of individual + * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. + */ +typedef uint8_t psa_pake_family_t; + +/** \brief Encoding of the primitive associated with the PAKE. + * + * For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro. + */ +typedef uint32_t psa_pake_primitive_t; + +/** The first peer in a balanced PAKE. + * + * Although balanced PAKE algorithms are symmetric, some of them needs an + * ordering of peers for the transcript calculations. If the algorithm does not + * need this, both #PSA_PAKE_SIDE_FIRST and #PSA_PAKE_SIDE_SECOND are + * accepted. + */ +#define PSA_PAKE_SIDE_FIRST ((psa_pake_side_t)0x01) + +/** The second peer in a balanced PAKE. + * + * Although balanced PAKE algorithms are symmetric, some of them needs an + * ordering of peers for the transcript calculations. If the algorithm does not + * need this, either #PSA_PAKE_SIDE_FIRST or #PSA_PAKE_SIDE_SECOND are + * accepted. + */ +#define PSA_PAKE_SIDE_SECOND ((psa_pake_side_t)0x02) + +/** The client in an augmented PAKE. + * + * Augmented PAKE algorithms need to differentiate between client and server. + */ +#define PSA_PAKE_SIDE_CLIENT ((psa_pake_side_t)0x11) + +/** The server in an augmented PAKE. + * + * Augmented PAKE algorithms need to differentiate between client and server. + */ +#define PSA_PAKE_SIDE_SERVER ((psa_pake_side_t)0x12) + +/** The PAKE primitive type indicating the use of elliptic curves. + * + * The values of the \c family and \c bits fields of the cipher suite identify a + * specific elliptic curve, using the same mapping that is used for ECC + * (::psa_ecc_family_t) keys. + * + * (Here \c family means the value returned by psa_pake_cs_get_family() and + * \c bits means the value returned by psa_pake_cs_get_bits().) + * + * Input and output during the operation can involve group elements and scalar + * values: + * -# The format for group elements is the same as for public keys on the + * specific curve would be. For more information, consult the documentation of + * psa_export_public_key(). + * -# The format for scalars is the same as for private keys on the specific + * curve would be. For more information, consult the documentation of + * psa_export_key(). + */ +#define PSA_PAKE_PRIMITIVE_TYPE_ECC ((psa_pake_primitive_type_t)0x01) + +/** The PAKE primitive type indicating the use of Diffie-Hellman groups. + * + * The values of the \c family and \c bits fields of the cipher suite identify + * a specific Diffie-Hellman group, using the same mapping that is used for + * Diffie-Hellman (::psa_dh_family_t) keys. + * + * (Here \c family means the value returned by psa_pake_cs_get_family() and + * \c bits means the value returned by psa_pake_cs_get_bits().) + * + * Input and output during the operation can involve group elements and scalar + * values: + * -# The format for group elements is the same as for public keys on the + * specific group would be. For more information, consult the documentation of + * psa_export_public_key(). + * -# The format for scalars is the same as for private keys on the specific + * group would be. For more information, consult the documentation of + * psa_export_key(). + */ +#define PSA_PAKE_PRIMITIVE_TYPE_DH ((psa_pake_primitive_type_t)0x02) + +/** Construct a PAKE primitive from type, family and bit-size. + * + * \param pake_type The type of the primitive + * (value of type ::psa_pake_primitive_type_t). + * \param pake_family The family of the primitive + * (the type and interpretation of this parameter depends + * on \p type, for more information consult the + * documentation of individual ::psa_pake_primitive_type_t + * constants). + * \param pake_bits The bit-size of the primitive + * (Value of type \c size_t. The interpretation + * of this parameter depends on \p family, for more + * information consult the documentation of individual + * ::psa_pake_primitive_type_t constants). + * + * \return The constructed primitive value of type ::psa_pake_primitive_t. + * Return 0 if the requested primitive can't be encoded as + * ::psa_pake_primitive_t. + */ +#define PSA_PAKE_PRIMITIVE(pake_type, pake_family, pake_bits) \ + ((pake_bits & 0xFFFF) != pake_bits) ? 0 : \ + ((psa_pake_primitive_t) (((pake_type) << 24 | \ + (pake_family) << 16) | (pake_bits))) + +/** The key share being sent to or received from the peer. + * + * The format for both input and output at this step is the same as for public + * keys on the group determined by the primitive (::psa_pake_primitive_t) would + * be. + * + * For more information on the format, consult the documentation of + * psa_export_public_key(). + * + * For information regarding how the group is determined, consult the + * documentation #PSA_PAKE_PRIMITIVE. + */ +#define PSA_PAKE_STEP_KEY_SHARE ((psa_pake_step_t)0x01) + +/** A Schnorr NIZKP public key. + * + * The format for both input and output at this step is the same as for public + * keys on the group determined by the primitive (::psa_pake_primitive_t) would + * be. + * + * For more information on the format, consult the documentation of + * psa_export_public_key(). + * + * For information regarding how the group is determined, consult the + * documentation #PSA_PAKE_PRIMITIVE. + */ +#define PSA_PAKE_STEP_ZK_PUBLIC ((psa_pake_step_t)0x02) + +/** A Schnorr NIZKP proof. + * + * The format for both input and output at this step is the same as for private + * keys on the group determined by the primitive (::psa_pake_primitive_t) would + * be. + * + * Some public key algorithms mask the private keys and this might be reflected + * in the export format. Even if this is the case the masking is omitted at + * this step. + * + * For more information on the format, consult the documentation of + * psa_export_key(). + * + * For information regarding how the group is determined, consult the + * documentation #PSA_PAKE_PRIMITIVE. + */ +#define PSA_PAKE_STEP_ZK_PROOF ((psa_pake_step_t)0x03) + +/** The type of the data strucure for PAKE cipher suites. + * + * This is an implementation-defined \c struct. Applications should not + * make any assumptions about the content of this structure. + * Implementation details can change in future versions without notice. + */ +typedef struct psa_pake_cipher_suite_s psa_pake_cipher_suite_t; + +/** Retrieve the PAKE algorithm from a PAKE cipher suite. + * + * This function may be declared as `static` (i.e. without external + * linkage). This function may be provided as a function-like macro, + * but in this case it must evaluate its argument exactly once. + * + * \param[in] cipher_suite The cipher suite structure to query. + * + * \return The PAKE algorithm stored in the cipher suite structure. + */ +static psa_algorithm_t psa_pake_cs_get_algorithm( + const psa_pake_cipher_suite_t* cipher_suite + ); + +/** Declare the PAKE algorithm for the cipher suite. + * + * This function overwrites any PAKE algorithm + * previously set in \p cipher_suite. + * + * This function may be declared as `static` (i.e. without external + * linkage). This function may be provided as a function-like macro, + * but in this case it must evaluate each of its arguments exactly once. + * + * \param[out] cipher_suite The cipher suite structure to write to. + * \param algorithm The PAKE algorithm to write. + * (`PSA_ALG_XXX` values of type ::psa_algorithm_t + * such that #PSA_ALG_IS_PAKE(\c alg) is true.) + * If this is 0, the PAKE algorithm in + * \p cipher_suite becomes unspecified. + */ +static void psa_pake_cs_set_algorithm( + psa_pake_cipher_suite_t* cipher_suite, + psa_algorithm_t algorithm + ); + +/** Retrieve the primitive from a PAKE cipher suite. + * + * This function may be declared as `static` (i.e. without external linkage). + * This function may be provided as a function-like macro, but in this case it + * must evaluate its argument exactly once. + * + * \param[in] cipher_suite The cipher suite structure to query. + * + * \return The primitive stored in the cipher suite structure. + */ +static psa_pake_primitive_t psa_pake_cs_get_primitive( + const psa_pake_cipher_suite_t* cipher_suite + ); + +/** Declare the primitive for a PAKE cipher suite. + * + * This function overwrites any primitive previously set in \p cipher_suite. + * + * This function may be declared as `static` (i.e. without external + * linkage). This function may be provided as a function-like macro, + * but in this case it must evaluate each of its arguments exactly once. + * + * \param[out] cipher_suite The cipher suite structure to write to. + * \param primitive The primitive to write. If this is 0, the + * primitive type in \p cipher_suite becomes + * unspecified. + */ +static void psa_pake_cs_set_primitive( + psa_pake_cipher_suite_t* cipher_suite, + psa_pake_primitive_t primitive + ); + +/** Retrieve the hash algorithm from a PAKE cipher suite. + * + * This function may be declared as `static` (i.e. without external + * linkage). This function may be provided as a function-like macro, + * but in this case it must evaluate its argument exactly once. + * + * \param[in] cipher_suite The cipher suite structure to query. + * + * \return The hash algorithm stored in the cipher suite structure. The return + * value is 0 if the PAKE is not parametrised by a hash algorithm or if + * the hash algorithm is not set. + */ +static psa_algorithm_t psa_pake_cs_get_hash( + const psa_pake_cipher_suite_t* cipher_suite + ); + +/** Declare the hash algorithm for a PAKE cipher suite. + * + * This function overwrites any hash algorithm + * previously set in \p cipher_suite. + * + * This function may be declared as `static` (i.e. without external + * linkage). This function may be provided as a function-like macro, + * but in this case it must evaluate each of its arguments exactly once. + * + * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + * for more information. + * + * \param[out] cipher_suite The cipher suite structure to write to. + * \param hash The hash involved in the cipher suite. + * (`PSA_ALG_XXX` values of type ::psa_algorithm_t + * such that #PSA_ALG_IS_HASH(\c alg) is true.) + * If this is 0, the hash algorithm in + * \p cipher_suite becomes unspecified. + */ +static void psa_pake_cs_set_hash( + psa_pake_cipher_suite_t* cipher_suite, + psa_algorithm_t hash + ); + +/** The type of the state data structure for PAKE operations. + * + * Before calling any function on a PAKE operation object, the application + * must initialize it by any of the following means: + * - Set the structure to all-bits-zero, for example: + * \code + * psa_pake_operation_t operation; + * memset(&operation, 0, sizeof(operation)); + * \endcode + * - Initialize the structure to logical zero values, for example: + * \code + * psa_pake_operation_t operation = {0}; + * \endcode + * - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT, + * for example: + * \code + * psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT; + * \endcode + * - Assign the result of the function psa_pake_operation_init() + * to the structure, for example: + * \code + * psa_pake_operation_t operation; + * operation = psa_pake_operation_init(); + * \endcode + * + * This is an implementation-defined \c struct. Applications should not + * make any assumptions about the content of this structure. + * Implementation details can change in future versions without notice. */ +typedef struct psa_pake_operation_s psa_pake_operation_t; + +/** Return an initial value for an PAKE operation object. + */ +static psa_pake_operation_t psa_pake_operation_init(void); + +/** Set the session information for a password-authenticated key exchange. + * + * The sequence of operations to set up a password-authenticated key exchange + * is as follows: + * -# Allocate an operation object which will be passed to all the functions + * listed here. + * -# Initialize the operation object with one of the methods described in the + * documentation for #psa_pake_operation_t, e.g. + * #PSA_PAKE_OPERATION_INIT. + * -# Call psa_pake_setup() to specify the cipher suite. + * -# Call \c psa_pake_set_xxx() functions on the operation to complete the + * setup. The exact sequence of \c psa_pake_set_xxx() functions that needs + * to be called depends on the algorithm in use. + * + * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + * for more information. + * + * A typical sequence of calls to perform a password-authenticated key + * exchange: + * -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the + * key share that needs to be sent to the peer. + * -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide + * the key share that was received from the peer. + * -# Depending on the algorithm additional calls to psa_pake_output() and + * psa_pake_input() might be necessary. + * -# Call psa_pake_get_implicit_key() for accessing the shared secret. + * + * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + * for more information. + * + * If an error occurs at any step after a call to psa_pake_setup(), + * the operation will need to be reset by a call to psa_pake_abort(). The + * application may call psa_pake_abort() at any time after the operation + * has been initialized. + * + * After a successful call to psa_pake_setup(), the application must + * eventually terminate the operation. The following events terminate an + * operation: + * - A call to psa_pake_abort(). + * - A successful call to psa_pake_get_implicit_key(). + * + * \param[in,out] operation The operation object to set up. It must have + * been initialized as per the documentation for + * #psa_pake_operation_t and not yet in use (no + * other function has been called on it since the + * last initialization). + * \param cipher_suite The cipher suite to use. (A cipher suite fully + * characterizes a PAKE algorithm and determines + * the algorithm as well.) + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid. + * \retval #PSA_ERROR_NOT_SUPPORTED + * The \p cipher_suite is not supported or is not valid. + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_setup(psa_pake_operation_t *operation, + psa_pake_cipher_suite_t cipher_suite); + +/** Set the password for a password-authenticated key exchange from key ID. + * + * Call this function when the password, or a value derived from the password, + * is already present in the key store. To calculate the password-derived value + * from a password input, use the key derivation interface and + * psa_pake_set_password_stretch() instead. + * + * \param[in,out] operation The operation object to set the password for. It + * must have been set up by psa_pake_setup() and + * not yet in use (neither psa_pake_output() nor + * psa_pake_input() has been called yet). It must + * be on operation for which the password hasn't + * been set yet (neither + * psa_pake_set_password_stretch() nor + * psa_pake_set_password_key() has been called + * yet). + * \param password Identifier of the key holding the password or a + * value derived from the password (eg. by a + * memory-hard function). It must remain valid + * until the operation terminates. It must be of + * type #PSA_KEY_TYPE_PASSWORD or + * #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow + * the usage #PSA_KEY_USAGE_DERIVE. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must have been set up.) + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p key is not compatible with the algorithm or the cipher suite. + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, + mbedtls_svc_key_id_t password); + +/** Set the password for a password-authenticated key exchange via a key + * stretching function. + * + * Some protocols use values derived from passwords via key stretching + * functions to mitigate dictionary attacks. Key stretching functions can be + * accessed through the key derivation interface and the result can be supplied + * to the PAKE operation in the form of a key derivation object. + * + * This function draws bytes from a key derivation algorithm and sets those + * bytes as a password for the password-authenticated key exchange. If you + * view the key derivation's output as a stream of bytes, this function + * destructively reads the requested number of bytes from the stream. + * The key derivation operation's capacity decreases by the number of bytes read. + * + * If this function returns anything other than #PSA_SUCCESS, both \p operation + * and \p key_derivation operations enter an error state and must be aborted by + * calling psa_pake_abort() and psa_key_derivation_abort() respectively. + * + * \param[in,out] operation The operation object to set the password for. + * It must have been set up by psa_pake_setup() + * and not yet in use (neither psa_pake_output() + * nor psa_pake_input() has been called yet). It + * must be on operation for which the password + * hasn't been set yet (neither + * psa_pake_set_password_stretch() nor + * psa_pake_set_password_key() has been called + * yet). + * \param[in,out] key_derivation An ongoing key derivation operation set up + * from the password and in a state suitable for + * calling psa_key_derivation_output_bytes(). + * \param input_length Number of bytes to input from the + * \p key_derivation operation. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The state of \p operation or \p key_derivation is not valid. + * \retval #PSA_ERROR_INSUFFICIENT_DATA + * The \p key_derivation operation's capacity was less than + * \p input_length bytes. + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_NOT_PERMITTED + * One of the inputs to \p key_derivation was a key whose policy didn't + * allow #PSA_KEY_USAGE_DERIVE. + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p key is not compatible with the algorithm or the cipher suite. + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_set_password_stretch( + psa_pake_operation_t *operation, + psa_key_derivation_operation_t *key_derivation, + size_t input_length + ); + +/** Set the user ID for a password-authenticated key exchange. + * + * Call this function to set the user ID. For PAKE algorithms that associate a + * user identifier with each side of the session you need to call + * psa_pake_set_peer() as well. For PAKE algorithms that associate a single + * user identifier with the session, call psa_pake_set_user() only. + * + * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + * for more information. + * + * \param[in,out] operation The operation object to set the user ID for. It + * must have been set up by psa_pake_setup() and + * not yet in use (neither psa_pake_output() nor + * psa_pake_input() has been called yet). It must + * be on operation for which the user ID hasn't + * been set (psa_pake_set_user() hasn't been + * called yet). + * \param[in] user_id The user ID to authenticate with. + * \param user_id_len Size of the \p user_id buffer in bytes. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p user_id is NULL. + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_set_user(psa_pake_operation_t *operation, + const uint8_t *user_id, + size_t user_id_len); + +/** Set the peer ID for a password-authenticated key exchange. + * + * Call this function in addition to psa_pake_set_user() for PAKE algorithms + * that associate a user identifier with each side of the session. For PAKE + * algorithms that associate a single user identifier with the session, call + * psa_pake_set_user() only. + * + * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + * for more information. + * + * \param[in,out] operation The operation object to set the peer ID for. It + * must have been set up by psa_pake_setup() and + * not yet in use (neither psa_pake_output() nor + * psa_pake_input() has been called yet). It must + * be on operation for which the peer ID hasn't + * been set (psa_pake_set_peer() hasn't been + * called yet). + * \param[in] peer_id The peer's ID to authenticate. + * \param peer_id_len Size of the \p peer_id buffer in bytes. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid. + * \retval #PSA_ERROR_NOT_SUPPORTED + * The algorithm doesn't associate a second identity with the session. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p user_id is NULL. + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_set_peer(psa_pake_operation_t *operation, + const uint8_t *peer_id, + size_t peer_id_len); + +/** Set the side for a password-authenticated key exchange. + * + * Not all PAKE algorithms need to differentiate the communicating entities. + * It is optional to call this function for PAKEs that don't require a side + * parameter. For such PAKEs the side parameter is ignored. + * + * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX` + * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) + * for more information. + * + * \param[in,out] operation The operation object to set the side for. It + * must have been set up by psa_pake_setup() and + * not yet in use (neither psa_pake_output() nor + * psa_pake_input() has been called yet). It must + * be on operation for which the side hasn't been + * set (psa_pake_set_side() hasn't been called + * yet). + * \param side A value of type ::psa_pake_side_t signaling the + * side of the algorithm that is being set up. For + * more information see the documentation of \c + * PSA_PAKE_SIDE_XXX constants. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid. + * \retval #PSA_ERROR_NOT_SUPPORTED + * The \p side for this algorithm is not supported or is not valid. + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_set_side(psa_pake_operation_t *operation, + psa_pake_side_t side); + +/** Get output for a step of a password-authenticated key exchange. + * + * Depending on the algorithm being executed, you might need to call this + * function several times or you might not need to call this at all. + * + * The exact sequence of calls to perform a password-authenticated key + * exchange depends on the algorithm in use. Refer to the documentation of + * individual PAKE algorithm types (`PSA_ALG_XXX` values of type + * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + * information. + * + * If this function returns an error status, the operation enters an error + * state and must be aborted by calling psa_pake_abort(). + * + * \param[in,out] operation Active PAKE operation. + * \param step The step of the algorithm for which the output is + * requested. + * \param[out] output Buffer where the output is to be written in the + * format appropriate for this \p step. Refer to + * the documentation of the individual + * \c PSA_PAKE_STEP_XXX constants for more + * information. + * \param output_size Size of the \p output buffer in bytes. This must + * be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \c + * cipher_suite, \p type). + * + * \param[out] output_length On success, the number of bytes of the returned + * output. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must be active, but beyond that + * validity is specific to the algorithm). + * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * The size of the \p output buffer is too small. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_output(psa_pake_operation_t *operation, + psa_pake_step_t step, + uint8_t *output, + size_t output_size, + size_t *output_length); + +/** Provide input for a step of a password-authenticated key exchange. + * + * Depending on the algorithm being executed, you might need to call this + * function several times or you might not need to call this at all. + * + * The exact sequence of calls to perform a password-authenticated key + * exchange depends on the algorithm in use. Refer to the documentation of + * individual PAKE algorithm types (`PSA_ALG_XXX` values of type + * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + * information. + * + * If this function returns an error status, the operation enters an error + * state and must be aborted by calling psa_pake_abort(). + * + * \param[in,out] operation Active PAKE operation. + * \param step The step for which the input is provided. + * \param[out] input Buffer containing the input in the format + * appropriate for this \p step. Refer to the + * documentation of the individual + * \c PSA_PAKE_STEP_XXX constants for more + * information. + * \param[out] input_length Size of the \p input buffer in bytes. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must be active, but beyond that + * validity is specific to the algorithm). + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INVALID_ARGUMENT + * The input is not valid for the algorithm, ciphersuite or \p step. + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_input(psa_pake_operation_t *operation, + psa_pake_step_t step, + uint8_t *input, + size_t input_length); + +/** Get implicitly confirmed shared secret from a PAKE. + * + * At this point there is a cryptographic guarantee that only the authenticated + * party who used the same password is able to compute the key. But there is no + * guarantee that the peer is the party he claims to be and was able to do so. + * + * That is, the authentication is only implicit (the peer is not authenticated + * at this point, and no action should be taken that assume that they are - like + * for example accessing restricted files). + * + * This function can be called after the key exchange phase of the operation + * has completed. It imports the shared secret output of the PAKE into the + * provided derivation operation. The input step + * #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key + * material in the key derivation operation. + * + * The exact sequence of calls to perform a password-authenticated key + * exchange depends on the algorithm in use. Refer to the documentation of + * individual PAKE algorithm types (`PSA_ALG_XXX` values of type + * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more + * information. + * + * When this function returns successfully, \p operation becomes inactive. + * If this function returns an error status, both \p operation + * and \p key_derivation operations enter an error state and must be aborted by + * calling psa_pake_abort() and psa_key_derivation_abort() respectively. + * + * \param[in,out] operation Active PAKE operation. + * \param[out] output A key derivation operation that is ready + * for an input step of type + * #PSA_KEY_DERIVATION_INPUT_SECRET. + * + * \retval #PSA_SUCCESS + * Success. + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must be active, but beyond that + * validity is specific to the algorithm). + * \retval #PSA_ERROR_BAD_STATE + * The state of \p output is not valid for + * the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the + * step is out of order or the application has done this step already + * and it may not be repeated. + * \retval #PSA_ERROR_INVALID_ARGUMENT + * #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the output’s + * algorithm. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, + psa_key_derivation_operation_t *output); + +/**@}*/ + +/** A sufficient output buffer size for psa_pake_output(). + * + * If the size of the output buffer is at least this large, it is guaranteed + * that psa_pake_output() will not fail due to an insufficient output buffer + * size. The actual size of the output might be smaller in any given call. + * + * See also #PSA_PAKE_OUTPUT_MAX_SIZE + * + * \param alg A PAKE algorithm (PSA_ALG_XXX value such that + * #PSA_ALG_IS_PAKE(\p alg) is true). + * \param primitive A primitive of type ::psa_pake_primitive_t that is + * compatible with algorithm \p alg. + * \param output_step A value of type ::psa_pake_step_t that is valid for the + * algorithm \p alg. + * \return A sufficient output buffer size for the specified + * output, cipher suite and algorithm. If the cipher suite, + * the output type or PAKE algorithm is not recognized, or + * the parameters are incompatible, return 0. + */ +#define PSA_PAKE_OUTPUT_SIZE(alg, primitive, output_step) 0 + +/** A sufficient input buffer size for psa_pake_input(). + * + * If the size of the input is larger than this, it is guaranteed + * that psa_pake_input() will fail with #PSA_ERROR_INVALID_ARGUMENT. + * + * See also #PSA_PAKE_INPUT_MAX_SIZE + * + * \param alg A PAKE algorithm (PSA_ALG_XXX value such that + * #PSA_ALG_IS_PAKE(\p alg) is true). + * \param primitive A primitive of type ::psa_pake_primitive_t that is + * compatible with algorithm \p alg. + * \param output_step A value of type ::psa_pake_step_t that is valid for the + * algorithm \p alg. + * \return A sufficient output buffer size for the specified + * output, cipher suite and algorithm. If the cipher suite, + * the output type or PAKE algorithm is not recognized, or + * the parameters are incompatible, return 0. + */ +#define PSA_PAKE_INPUT_SIZE(alg, primitive, input_step) 0 + +/** Output buffer size for psa_pake_output() for any of the supported cipher + * suites and PAKE algorithms. + * + * This macro must expand to a compile-time constant integer. + * + * See also #PSA_PAKE_OUTPUT_SIZE(\p alg, \p cipher_suite, \p output). + */ +#define PSA_PAKE_OUTPUT_MAX_SIZE 0 + +/** Input buffer size for psa_pake_input() for any of the supported cipher + * suites and PAKE algorithms. + * + * This macro must expand to a compile-time constant integer. + * + * See also #PSA_PAKE_INPUT_SIZE(\p alg, \p cipher_suite, \p output). + */ +#define PSA_PAKE_INPUT_MAX_SIZE 0 + +struct psa_pake_cipher_suite_s +{ + psa_algorithm_t algorithm; + psa_pake_primitive_type_t type; + psa_pake_family_t family; + uint16_t bits; + psa_algorithm_t hash; +}; + +static inline psa_algorithm_t psa_pake_cs_get_algorithm( + const psa_pake_cipher_suite_t *cipher_suite) +{ + return(cipher_suite->algorithm); +} + +static inline void psa_pake_cs_set_algorithm( + psa_pake_cipher_suite_t *cipher_suite, + psa_algorithm_t algorithm) +{ + if(!PSA_ALG_IS_PAKE(algorithm)) + cipher_suite->algorithm = 0; + else + cipher_suite->algorithm = algorithm; +} + +static inline psa_pake_primitive_t psa_pake_cs_get_primitive( + const psa_pake_cipher_suite_t *cipher_suite) +{ + return(PSA_PAKE_PRIMITIVE(cipher_suite->type, cipher_suite->family, + cipher_suite->bits)); +} + +static inline void psa_pake_cs_set_primitive( + psa_pake_cipher_suite_t *cipher_suite, + psa_pake_primitive_t primitive) +{ + cipher_suite->type = (psa_pake_primitive_type_t) (primitive >> 24); + cipher_suite->family = (psa_pake_family_t) (0xFF & (primitive >> 16)); + cipher_suite->bits = (uint16_t) (0xFFFF & primitive); +} + +static inline psa_algorithm_t psa_pake_cs_get_hash( + const psa_pake_cipher_suite_t *cipher_suite) +{ + return(cipher_suite->hash); +} + +static inline void psa_pake_cs_set_hash( + psa_pake_cipher_suite_t *cipher_suite, + psa_algorithm_t hash) +{ + if(!PSA_ALG_IS_HASH(hash)) + cipher_suite->hash = 0; + else + cipher_suite->hash = hash; +} + +struct psa_pake_operation_s +{ + psa_algorithm_t alg; + union + { + /* Make the union non-empty even with no supported algorithms. */ + uint8_t dummy; + } ctx; +}; + +/* This only zeroes out the first byte in the union, the rest is unspecified. */ +#define PSA_PAKE_OPERATION_INIT {0, {0}} +static inline struct psa_pake_operation_s psa_pake_operation_init(void) +{ + const struct psa_pake_operation_s v = PSA_PAKE_OPERATION_INIT; + return(v); +} + #ifdef __cplusplus } #endif diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index 62254fab52..79f96739ba 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h @@ -1132,63 +1132,4 @@ #define PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE \ (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE) -/** A sufficient output buffer size for psa_pake_output(). - * - * If the size of the output buffer is at least this large, it is guaranteed - * that psa_pake_output() will not fail due to an insufficient output buffer - * size. The actual size of the output might be smaller in any given call. - * - * See also #PSA_PAKE_OUTPUT_MAX_SIZE - * - * \param alg A PAKE algorithm (PSA_ALG_XXX value such that - * #PSA_ALG_IS_PAKE(\p alg) is true). - * \param primitive A primitive of type ::psa_pake_primitive_t that is - * compatible with algorithm \p alg. - * \param output_step A value of type ::psa_pake_step_t that is valid for the - * algorithm \p alg. - * \return A sufficient output buffer size for the specified - * output, cipher suite and algorithm. If the cipher suite, - * the output type or PAKE algorithm is not recognized, or - * the parameters are incompatible, return 0. - */ -#define PSA_PAKE_OUTPUT_SIZE(alg, primitive, output_step) 0 - -/** A sufficient input buffer size for psa_pake_input(). - * - * If the size of the input is larger than this, it is guaranteed - * that psa_pake_input() will fail with #PSA_ERROR_INVALID_ARGUMENT. - * - * See also #PSA_PAKE_INPUT_MAX_SIZE - * - * \param alg A PAKE algorithm (PSA_ALG_XXX value such that - * #PSA_ALG_IS_PAKE(\p alg) is true). - * \param primitive A primitive of type ::psa_pake_primitive_t that is - * compatible with algorithm \p alg. - * \param output_step A value of type ::psa_pake_step_t that is valid for the - * algorithm \p alg. - * \return A sufficient output buffer size for the specified - * output, cipher suite and algorithm. If the cipher suite, - * the output type or PAKE algorithm is not recognized, or - * the parameters are incompatible, return 0. - */ -#define PSA_PAKE_INPUT_SIZE(alg, primitive, input_step) 0 - -/** Output buffer size for psa_pake_output() for any of the supported cipher - * suites and PAKE algorithms. - * - * This macro must expand to a compile-time constant integer. - * - * See also #PSA_PAKE_OUTPUT_SIZE(\p alg, \p cipher_suite, \p output). - */ -#define PSA_PAKE_OUTPUT_MAX_SIZE 0 - -/** Input buffer size for psa_pake_input() for any of the supported cipher - * suites and PAKE algorithms. - * - * This macro must expand to a compile-time constant integer. - * - * See also #PSA_PAKE_INPUT_SIZE(\p alg, \p cipher_suite, \p output). - */ -#define PSA_PAKE_INPUT_MAX_SIZE 0 - #endif /* PSA_CRYPTO_SIZES_H */ diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index b20a179729..47012fdd00 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -461,81 +461,6 @@ static inline size_t psa_get_key_bits( return( attributes->core.bits ); } -struct psa_pake_cipher_suite_s -{ - psa_algorithm_t algorithm; - psa_pake_primitive_type_t type; - psa_pake_family_t family; - uint16_t bits; - psa_algorithm_t hash; -}; - -static inline psa_algorithm_t psa_pake_cs_get_algorithm( - const psa_pake_cipher_suite_t *cipher_suite) -{ - return( cipher_suite->algorithm ); -} - -static inline void psa_pake_cs_set_algorithm( - psa_pake_cipher_suite_t *cipher_suite, - psa_algorithm_t algorithm) -{ - if( !PSA_ALG_IS_PAKE(algorithm) ) - cipher_suite->algorithm = 0; - else - cipher_suite->algorithm = algorithm; -} - -static inline psa_pake_primitive_t psa_pake_cs_get_primitive( - const psa_pake_cipher_suite_t *cipher_suite) -{ - return( PSA_PAKE_PRIMITIVE( cipher_suite->type, cipher_suite->family, - cipher_suite->bits) ); -} - -static inline void psa_pake_cs_set_primitive( - psa_pake_cipher_suite_t *cipher_suite, - psa_pake_primitive_t primitive) -{ - cipher_suite->type = (psa_pake_primitive_type_t) (primitive >> 24); - cipher_suite->family = (psa_pake_family_t) ( 0xFF & (primitive >> 16) ); - cipher_suite->bits = (uint16_t) ( 0xFFFF & primitive ); -} - -static inline psa_algorithm_t psa_pake_cs_get_hash( - const psa_pake_cipher_suite_t *cipher_suite) -{ - return( cipher_suite->hash ); -} - -static inline void psa_pake_cs_set_hash( - psa_pake_cipher_suite_t *cipher_suite, - psa_algorithm_t hash) -{ - if( !PSA_ALG_IS_HASH(hash) ) - cipher_suite->hash = 0; - else - cipher_suite->hash = hash; -} - -struct psa_pake_operation_s -{ - psa_algorithm_t alg; - union - { - /* Make the union non-empty even with no supported algorithms. */ - uint8_t dummy; - } ctx; -}; - -/* This only zeroes out the first byte in the union, the rest is unspecified. */ -#define PSA_PAKE_OPERATION_INIT {0, {0}} -static inline struct psa_pake_operation_s psa_pake_operation_init( void ) -{ - const struct psa_pake_operation_s v = PSA_PAKE_OPERATION_INIT; - return( v ); -} - #ifdef __cplusplus } #endif diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 5a66a8709e..386c7d794b 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -380,46 +380,4 @@ typedef uint16_t psa_key_derivation_step_t; /**@}*/ -/** \defgroup pake Password-authenticated key exchange (PAKE) - * @{ - */ - -/** \brief Encoding of the side of PAKE - * - * Encodes which side of the algorithm is being executed. For more information - * see the documentation of individual \c PSA_PAKE_SIDE_XXX constants. - */ -typedef uint8_t psa_pake_side_t; - -/** Encoding of input and output indicators for PAKE. - * - * Some PAKE algorithms need to exchange more data than just a single key share. - * This type is for encoding additional input and output data for such - * algorithms. - */ -typedef uint8_t psa_pake_step_t; - -/** Encoding of the type of the PAKE's primitive. - * - * Values defined by this standard will never be in the range 0x80-0xff. - * Vendors who define additional types must use an encoding in this range. - * - * For more information see the documentation of individual - * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. - */ -typedef uint8_t psa_pake_primitive_type_t; - -/** \brief Encoding of the family of the primitive associated with the PAKE. - * - * For more information see the documentation of individual - * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. - */ -typedef uint8_t psa_pake_family_t; - -/** \brief Encoding of the primitive associated with the PAKE. - * - * For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro. - */ -typedef uint32_t psa_pake_primitive_t; -/**@}*/ #endif /* PSA_CRYPTO_TYPES_H */ diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 37cd030247..497bd8f01f 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -731,7 +731,6 @@ #define PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION ((psa_algorithm_t)0x07000000) #define PSA_ALG_CATEGORY_KEY_DERIVATION ((psa_algorithm_t)0x08000000) #define PSA_ALG_CATEGORY_KEY_AGREEMENT ((psa_algorithm_t)0x09000000) -#define PSA_ALG_CATEGORY_PAKE ((psa_algorithm_t)0x0a000000) /** Whether an algorithm is vendor-defined. * @@ -849,18 +848,6 @@ (PSA_ALG_IS_KEY_DERIVATION(alg) && \ (alg) & PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG) -/** Whether the specified algorithm is a password-authenticated key exchange. - * - * \param alg An algorithm identifier (value of type #psa_algorithm_t). - * - * \return 1 if \p alg is a password-authenticated key exchange (PAKE) - * algorithm, 0 otherwise. - * This macro may return either 0 or 1 if \p alg is not a supported - * algorithm identifier. - */ -#define PSA_ALG_IS_PAKE(alg) \ - (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_PAKE) - #define PSA_ALG_HASH_MASK ((psa_algorithm_t)0x000000ff) /** MD2 */ #define PSA_ALG_MD2 ((psa_algorithm_t)0x02000001) @@ -1966,109 +1953,6 @@ #define PSA_ALG_GET_HASH(alg) \ (((alg) & 0x000000ff) == 0 ? ((psa_algorithm_t)0) : 0x02000000 | ((alg) & 0x000000ff)) -/** The Password-authenticated key exchange by juggling (J-PAKE) algorithm. - * - * This is J-PAKE as defined by RFC 8236, instantiated with the following - * parameters: - * - * - The group can be either an elliptic curve or defined over a finite field. - * - Schnorr NIZK proof as defined by RFC 8235 and using the same group as the - * J-PAKE algorithm. - * - A secure cryptographic hash function. - * - * To select these parameters and set up the cipher suite, call - * psa_pake_cs_set_algorithm(cipher_suite, PSA_ALG_JPAKE); - * psa_pake_cs_set_primitive(cipher_suite, - * PSA_PAKE_PRIMITIVE(type, family, bits)); - * psa_pake_cs_set_hash(cipher_suite, hash); - * - * For more information on how to set a specific curve or field, refer to the - * documentation of the individual \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. - * - * After initializing a J-PAKE operation, call - * psa_pake_setup(operation, cipher_suite); - * psa_pake_set_user(operation, ...); - * psa_pake_set_peer(operation, ...); - * and either - * psa_pake_set_password_stretch(operation, ...); - * or - * psa_pake_set_password_key(operation, ...); - * - * Either way the password is read as a byte array and must be non-empty. This - * can be the password itself (in some pre-defined character encoding) or some - * value derived from the password as mandated by some higher level protocol. - * - * (The implementation converts this byte array to a number as described in - * Section 2.3.8 of _SEC 1: Elliptic Curve Cryptography_ - * (https://www.secg.org/sec1-v2.pdf), before reducing it modulo \c q. Here - * \c q is order of the group defined by the primitive set in the cipher suite. - * The \c psa_pake_set_password_xxx() functions return an error if the result - * of the reduction is 0.) - * - * The key exchange flow for J-PAKE is as follows: - * -# To get the first round data that needs to be sent to the peer, call - * // Get g1 - * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); - * // Get the ZKP public key for x1 - * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); - * // Get the ZKP proof for x1 - * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); - * // Get g2 - * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); - * // Get the ZKP public key for x2 - * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); - * // Get the ZKP proof for x2 - * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); - * -# To provide the first round data received from the peer to the operation, - * call - * // Set g3 - * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); - * // Set the ZKP public key for x3 - * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); - * // Set the ZKP proof for x3 - * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); - * // Set g4 - * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); - * // Set the ZKP public key for x4 - * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); - * // Set the ZKP proof for x4 - * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); - * -# To get the second round data that needs to be sent to the peer, call - * // Get A - * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); - * // Get ZKP public key for x2*s - * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); - * // Get ZKP proof for x2*s - * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); - * -# To provide the second round data received from the peer to the operation, - * call - * // Set B - * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); - * // Set ZKP public key for x4*s - * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); - * // Set ZKP proof for x4*s - * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); - * -# To access the shared secret call - * // Get Ka=Kb=K - * psa_pake_get_implicit_key() - * - * For more information consult the documentation of the individual - * \c PSA_PAKE_STEP_XXX constants. - * - * At this point there is a cryptographic guarantee that only the authenticated - * party who used the same password is able to compute the key. But there is no - * guarantee that the peer is the party he claims to be and was able to do so. - * - * That is, the authentication is only implicit (the peer is not authenticated - * at this point, and no action should be taken that assume that they are - like - * for example accessing restricted files). - * - * To make the authentication explicit there are various methods, see Section 5 - * of RFC 8236 for two examples. - * - */ -#define PSA_ALG_JPAKE ((psa_algorithm_t)0x0a000100) - /**@}*/ /** \defgroup key_lifetimes Key lifetimes @@ -2497,149 +2381,4 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) /**@}*/ -/** \defgroup pake Password-authenticated key exchange (PAKE) - * @{ - */ - -/** The first peer in a balanced PAKE. - * - * Although balanced PAKE algorithms are symmetric, some of them needs an - * ordering of peers for the transcript calculations. If the algorithm does not - * need this, both #PSA_PAKE_SIDE_FIRST and #PSA_PAKE_SIDE_SECOND are - * accepted. - */ -#define PSA_PAKE_SIDE_FIRST ((psa_pake_side_t)0x01) - -/** The second peer in a balanced PAKE. - * - * Although balanced PAKE algorithms are symmetric, some of them needs an - * ordering of peers for the transcript calculations. If the algorithm does not - * need this, either #PSA_PAKE_SIDE_FIRST or #PSA_PAKE_SIDE_SECOND are - * accepted. - */ -#define PSA_PAKE_SIDE_SECOND ((psa_pake_side_t)0x02) - -/** The client in an augmented PAKE. - * - * Augmented PAKE algorithms need to differentiate between client and server. - */ -#define PSA_PAKE_SIDE_CLIENT ((psa_pake_side_t)0x11) - -/** The server in an augmented PAKE. - * - * Augmented PAKE algorithms need to differentiate between client and server. - */ -#define PSA_PAKE_SIDE_SERVER ((psa_pake_side_t)0x12) - -/** The PAKE primitive type indicating the use of elliptic curves. - * - * The values of the \c family and \c bits fields of the cipher suite identify a - * specific elliptic curve, using the same mapping that is used for ECC - * (::psa_ecc_family_t) keys. - * - * (Here \c family means the value returned by psa_pake_cs_get_family() and - * \c bits means the value returned by psa_pake_cs_get_bits().) - * - * Input and output during the operation can involve group elements and scalar - * values: - * -# The format for group elements is the same as for public keys on the - * specific curve would be. For more information, consult the documentation of - * psa_export_public_key(). - * -# The format for scalars is the same as for private keys on the specific - * curve would be. For more information, consult the documentation of - * psa_export_key(). - */ -#define PSA_PAKE_PRIMITIVE_TYPE_ECC ((psa_pake_primitive_type_t)0x01) - -/** The PAKE primitive type indicating the use of Diffie-Hellman groups. - * - * The values of the \c family and \c bits fields of the cipher suite identify - * a specific Diffie-Hellman group, using the same mapping that is used for - * Diffie-Hellman (::psa_dh_family_t) keys. - * - * (Here \c family means the value returned by psa_pake_cs_get_family() and - * \c bits means the value returned by psa_pake_cs_get_bits().) - * - * Input and output during the operation can involve group elements and scalar - * values: - * -# The format for group elements is the same as for public keys on the - * specific group would be. For more information, consult the documentation of - * psa_export_public_key(). - * -# The format for scalars is the same as for private keys on the specific - * group would be. For more information, consult the documentation of - * psa_export_key(). - */ -#define PSA_PAKE_PRIMITIVE_TYPE_DH ((psa_pake_primitive_type_t)0x02) - -/** Construct a PAKE primitive from type, family and bit-size. - * - * \param pake_type The type of the primitive - * (value of type ::psa_pake_primitive_type_t). - * \param pake_family The family of the primitive - * (the type and interpretation of this parameter depends - * on \p type, for more information consult the - * documentation of individual ::psa_pake_primitive_type_t - * constants). - * \param pake_bits The bit-size of the primitive - * (Value of type \c size_t. The interpretation - * of this parameter depends on \p family, for more - * information consult the documentation of individual - * ::psa_pake_primitive_type_t constants). - * - * \return The constructed primitive value of type ::psa_pake_primitive_t. - * Return 0 if the requested primitive can't be encoded as - * ::psa_pake_primitive_t. - */ -#define PSA_PAKE_PRIMITIVE(pake_type, pake_family, pake_bits) \ - ((pake_bits & 0xFFFF) != pake_bits) ? 0 : \ - ((psa_pake_primitive_t) (((pake_type) << 24 | \ - (pake_family) << 16) | (pake_bits))) - -/** The key share being sent to or received from the peer. - * - * The format for both input and output at this step is the same as for public - * keys on the group determined by the primitive (::psa_pake_primitive_t) would - * be. - * - * For more information on the format, consult the documentation of - * psa_export_public_key(). - * - * For information regarding how the group is determined, consult the - * documentation #PSA_PAKE_PRIMITIVE. - */ -#define PSA_PAKE_STEP_KEY_SHARE ((psa_pake_step_t)0x01) - -/** A Schnorr NIZKP public key. - * - * The format for both input and output at this step is the same as for public - * keys on the group determined by the primitive (::psa_pake_primitive_t) would - * be. - * - * For more information on the format, consult the documentation of - * psa_export_public_key(). - * - * For information regarding how the group is determined, consult the - * documentation #PSA_PAKE_PRIMITIVE. - */ -#define PSA_PAKE_STEP_ZK_PUBLIC ((psa_pake_step_t)0x02) - -/** A Schnorr NIZKP proof. - * - * The format for both input and output at this step is the same as for private - * keys on the group determined by the primitive (::psa_pake_primitive_t) would - * be. - * - * Some public key algorithms mask the private keys and this might be reflected - * in the export format. Even if this is the case the masking is omitted at - * this step. - * - * For more information on the format, consult the documentation of - * psa_export_key(). - * - * For information regarding how the group is determined, consult the - * documentation #PSA_PAKE_PRIMITIVE. - */ -#define PSA_PAKE_STEP_ZK_PROOF ((psa_pake_step_t)0x03) - -/**@}*/ #endif /* PSA_CRYPTO_VALUES_H */ From 7d69b3a993d2785bc75299d8c5dfe7b7c20bf3e4 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 26 May 2021 13:10:56 +0100 Subject: [PATCH 109/131] PSA PAKE: add warning about stability We are not confident about the stability of the PAKE interface (it is just a proposal, not part of the standard yet). So we should explicitly document it as experimental, subject to change. Signed-off-by: Janos Follath --- include/psa/crypto_extra.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 615b6511c8..4478f3a43c 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -937,6 +937,14 @@ psa_status_t mbedtls_psa_platform_get_builtin_key( /** @} */ /** \defgroup pake Password-authenticated key exchange (PAKE) + * + * This is a proposed PAKE interface for the PSA Crypto API. It is not part of + * the official PSA Crypto API yet. + * + * \note The content of this section is not part of the stable API and ABI + * of Mbed Crypto and may change arbitrarily from version to version. + * Same holds for the corresponding macros #PSA_ALG_CATEGORY_PAKE and + * #PSA_ALG_JPAKE. * @{ */ From 559f05eefc002dfc8f89e532d04e727bf91ed256 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 26 May 2021 15:44:30 +0100 Subject: [PATCH 110/131] PSA PAKE: remove psa_pake_set_password_stretch() The password stretching (using slow and/or memory hard hashes) in PAKEs usually serves two purposes: - Defending against server compromise impersonation attacks. J-PAKE is an augmented PAKE and as such, stores a password-equivalent and defending against this class of attacks is out of scope. - Preventing offline dictionary attacks. J-PAKE is proven to be zero knowledge and leaks no information beyond the fact if the passwords matched and offline dictionary attack is not possible. In summary: J-PAKE does not benefit from pasword stretching and is unlikely to be an input. This part of the API is not necessary at this point and can be added later. Signed-off-by: Janos Follath --- include/psa/crypto_extra.h | 80 +++----------------------------------- 1 file changed, 6 insertions(+), 74 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 4478f3a43c..dcaf75568d 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -854,14 +854,11 @@ psa_status_t mbedtls_psa_platform_get_builtin_key( * psa_pake_setup(operation, cipher_suite); * psa_pake_set_user(operation, ...); * psa_pake_set_peer(operation, ...); - * and either - * psa_pake_set_password_stretch(operation, ...); - * or * psa_pake_set_password_key(operation, ...); * - * Either way the password is read as a byte array and must be non-empty. This - * can be the password itself (in some pre-defined character encoding) or some - * value derived from the password as mandated by some higher level protocol. + * The password is read as a byte array and must be non-empty. This can be the + * password itself (in some pre-defined character encoding) or some value + * derived from the password as mandated by some higher level protocol. * * (The implementation converts this byte array to a number as described in * Section 2.3.8 of _SEC 1: Elliptic Curve Cryptography_ @@ -1348,19 +1345,15 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, /** Set the password for a password-authenticated key exchange from key ID. * * Call this function when the password, or a value derived from the password, - * is already present in the key store. To calculate the password-derived value - * from a password input, use the key derivation interface and - * psa_pake_set_password_stretch() instead. + * is already present in the key store. * * \param[in,out] operation The operation object to set the password for. It * must have been set up by psa_pake_setup() and * not yet in use (neither psa_pake_output() nor * psa_pake_input() has been called yet). It must * be on operation for which the password hasn't - * been set yet (neither - * psa_pake_set_password_stretch() nor - * psa_pake_set_password_key() has been called - * yet). + * been set yet (psa_pake_set_password_key() + * hasn't been called yet). * \param password Identifier of the key holding the password or a * value derived from the password (eg. by a * memory-hard function). It must remain valid @@ -1389,67 +1382,6 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, mbedtls_svc_key_id_t password); -/** Set the password for a password-authenticated key exchange via a key - * stretching function. - * - * Some protocols use values derived from passwords via key stretching - * functions to mitigate dictionary attacks. Key stretching functions can be - * accessed through the key derivation interface and the result can be supplied - * to the PAKE operation in the form of a key derivation object. - * - * This function draws bytes from a key derivation algorithm and sets those - * bytes as a password for the password-authenticated key exchange. If you - * view the key derivation's output as a stream of bytes, this function - * destructively reads the requested number of bytes from the stream. - * The key derivation operation's capacity decreases by the number of bytes read. - * - * If this function returns anything other than #PSA_SUCCESS, both \p operation - * and \p key_derivation operations enter an error state and must be aborted by - * calling psa_pake_abort() and psa_key_derivation_abort() respectively. - * - * \param[in,out] operation The operation object to set the password for. - * It must have been set up by psa_pake_setup() - * and not yet in use (neither psa_pake_output() - * nor psa_pake_input() has been called yet). It - * must be on operation for which the password - * hasn't been set yet (neither - * psa_pake_set_password_stretch() nor - * psa_pake_set_password_key() has been called - * yet). - * \param[in,out] key_derivation An ongoing key derivation operation set up - * from the password and in a state suitable for - * calling psa_key_derivation_output_bytes(). - * \param input_length Number of bytes to input from the - * \p key_derivation operation. - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_BAD_STATE - * The state of \p operation or \p key_derivation is not valid. - * \retval #PSA_ERROR_INSUFFICIENT_DATA - * The \p key_derivation operation's capacity was less than - * \p input_length bytes. - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_NOT_PERMITTED - * One of the inputs to \p key_derivation was a key whose policy didn't - * allow #PSA_KEY_USAGE_DERIVE. - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p key is not compatible with the algorithm or the cipher suite. - * \retval #PSA_ERROR_BAD_STATE - * The library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. - */ -psa_status_t psa_pake_set_password_stretch( - psa_pake_operation_t *operation, - psa_key_derivation_operation_t *key_derivation, - size_t input_length - ); - /** Set the user ID for a password-authenticated key exchange. * * Call this function to set the user ID. For PAKE algorithms that associate a From 89ee05a80589e719bfde97c5d1b0cdcc55a3443c Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 26 May 2021 15:57:53 +0100 Subject: [PATCH 111/131] Rename psa_pake_set_password() Technically this function takes a low entropy secret as an input which might or might not be the password. Using the term "secret" in the function name is less misleading. Signed-off-by: Janos Follath --- include/psa/crypto_extra.h | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index dcaf75568d..43d37b912a 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -854,7 +854,7 @@ psa_status_t mbedtls_psa_platform_get_builtin_key( * psa_pake_setup(operation, cipher_suite); * psa_pake_set_user(operation, ...); * psa_pake_set_peer(operation, ...); - * psa_pake_set_password_key(operation, ...); + * psa_pake_set_secret_from_key(operation, ...); * * The password is read as a byte array and must be non-empty. This can be the * password itself (in some pre-defined character encoding) or some value @@ -1345,14 +1345,15 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, /** Set the password for a password-authenticated key exchange from key ID. * * Call this function when the password, or a value derived from the password, - * is already present in the key store. + * (for example a hash of the password or a key derived from the password) is + * already present in the key store. * * \param[in,out] operation The operation object to set the password for. It * must have been set up by psa_pake_setup() and * not yet in use (neither psa_pake_output() nor * psa_pake_input() has been called yet). It must * be on operation for which the password hasn't - * been set yet (psa_pake_set_password_key() + * been set yet (psa_pake_set_secret_from_key() * hasn't been called yet). * \param password Identifier of the key holding the password or a * value derived from the password (eg. by a @@ -1379,8 +1380,8 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, - mbedtls_svc_key_id_t password); +psa_status_t psa_pake_set_secret_from_key(psa_pake_operation_t *operation, + mbedtls_svc_key_id_t password); /** Set the user ID for a password-authenticated key exchange. * From 1f9e9e95c975b61297eee2c00f97daa21d93a55e Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 26 May 2021 16:10:25 +0100 Subject: [PATCH 112/131] PSA PAKE: fix old constant name in test Signed-off-by: Janos Follath --- tests/suites/test_suite_psa_crypto_metadata.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_psa_crypto_metadata.data b/tests/suites/test_suite_psa_crypto_metadata.data index 0845b55d7b..22056b0a85 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.data +++ b/tests/suites/test_suite_psa_crypto_metadata.data @@ -295,7 +295,7 @@ depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_384 key_agreement_algorithm:PSA_ALG_KEY_AGREEMENT( PSA_ALG_ECDH, PSA_ALG_HKDF( PSA_ALG_SHA_384 ) ):ALG_IS_ECDH:PSA_ALG_ECDH:PSA_ALG_HKDF( PSA_ALG_SHA_384 ) PAKE: J-PAKE -pake_algorithm:PSA_ALG_PAKE_JPAKE +pake_algorithm:PSA_ALG_JPAKE Key type: raw data key_type:PSA_KEY_TYPE_RAW_DATA:KEY_TYPE_IS_UNSTRUCTURED From 52f9efad22a3c1dbeea5abd33479188ae2978e85 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 27 May 2021 08:40:16 +0100 Subject: [PATCH 113/131] Revert "Rename psa_pake_set_password()" This reverts commit 03a5fd7780026b2ca0b4728352ded930f5a7cff9. We're already calling the output of a PAKE a "shared secret". The password is a shared secret (for PAKE where the verifier knows a password-equivalent secret), but calling it "shared secret" or even just "secret" would be confusing. Signed-off-by: Janos Follath --- include/psa/crypto_extra.h | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 43d37b912a..dcaf75568d 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -854,7 +854,7 @@ psa_status_t mbedtls_psa_platform_get_builtin_key( * psa_pake_setup(operation, cipher_suite); * psa_pake_set_user(operation, ...); * psa_pake_set_peer(operation, ...); - * psa_pake_set_secret_from_key(operation, ...); + * psa_pake_set_password_key(operation, ...); * * The password is read as a byte array and must be non-empty. This can be the * password itself (in some pre-defined character encoding) or some value @@ -1345,15 +1345,14 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, /** Set the password for a password-authenticated key exchange from key ID. * * Call this function when the password, or a value derived from the password, - * (for example a hash of the password or a key derived from the password) is - * already present in the key store. + * is already present in the key store. * * \param[in,out] operation The operation object to set the password for. It * must have been set up by psa_pake_setup() and * not yet in use (neither psa_pake_output() nor * psa_pake_input() has been called yet). It must * be on operation for which the password hasn't - * been set yet (psa_pake_set_secret_from_key() + * been set yet (psa_pake_set_password_key() * hasn't been called yet). * \param password Identifier of the key holding the password or a * value derived from the password (eg. by a @@ -1380,8 +1379,8 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t psa_pake_set_secret_from_key(psa_pake_operation_t *operation, - mbedtls_svc_key_id_t password); +psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, + mbedtls_svc_key_id_t password); /** Set the user ID for a password-authenticated key exchange. * From ec83eb605e0744e4975446d0e7e6c7b5c7329bb7 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 27 May 2021 08:41:59 +0100 Subject: [PATCH 114/131] Fix copy+paste mistake Signed-off-by: Janos Follath --- include/psa/crypto_extra.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index dcaf75568d..997fec0b8a 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1692,7 +1692,7 @@ psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, * #PSA_ALG_IS_PAKE(\p alg) is true). * \param primitive A primitive of type ::psa_pake_primitive_t that is * compatible with algorithm \p alg. - * \param output_step A value of type ::psa_pake_step_t that is valid for the + * \param input_step A value of type ::psa_pake_step_t that is valid for the * algorithm \p alg. * \return A sufficient output buffer size for the specified * output, cipher suite and algorithm. If the cipher suite, From a46e28f7861203b983e904f5040ae512ec5dc36a Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 3 Jun 2021 13:07:03 +0100 Subject: [PATCH 115/131] PSA PAKE: use neutral pronouns Signed-off-by: Janos Follath --- include/psa/crypto_extra.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 997fec0b8a..02e87ffa22 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -919,7 +919,7 @@ psa_status_t mbedtls_psa_platform_get_builtin_key( * * At this point there is a cryptographic guarantee that only the authenticated * party who used the same password is able to compute the key. But there is no - * guarantee that the peer is the party he claims to be and was able to do so. + * guarantee that the peer is the party it claims to be and was able to do so. * * That is, the authentication is only implicit (the peer is not authenticated * at this point, and no action should be taken that assume that they are - like @@ -1604,7 +1604,7 @@ psa_status_t psa_pake_input(psa_pake_operation_t *operation, * * At this point there is a cryptographic guarantee that only the authenticated * party who used the same password is able to compute the key. But there is no - * guarantee that the peer is the party he claims to be and was able to do so. + * guarantee that the peer is the party it claims to be and was able to do so. * * That is, the authentication is only implicit (the peer is not authenticated * at this point, and no action should be taken that assume that they are - like From 38d29db75fd2c06a899341895fbeec989c1d1fb6 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 3 Jun 2021 13:14:42 +0100 Subject: [PATCH 116/131] Fix copy+paste mistake Signed-off-by: Janos Follath --- include/psa/crypto_extra.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 02e87ffa22..dd99839cc7 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1694,9 +1694,9 @@ psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, * compatible with algorithm \p alg. * \param input_step A value of type ::psa_pake_step_t that is valid for the * algorithm \p alg. - * \return A sufficient output buffer size for the specified - * output, cipher suite and algorithm. If the cipher suite, - * the output type or PAKE algorithm is not recognized, or + * \return A sufficient input buffer size for the specified + * input, cipher suite and algorithm. If the cipher suite, + * the input type or PAKE algorithm is not recognized, or * the parameters are incompatible, return 0. */ #define PSA_PAKE_INPUT_SIZE(alg, primitive, input_step) 0 @@ -1715,7 +1715,7 @@ psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, * * This macro must expand to a compile-time constant integer. * - * See also #PSA_PAKE_INPUT_SIZE(\p alg, \p cipher_suite, \p output). + * See also #PSA_PAKE_INPUT_SIZE(\p alg, \p cipher_suite, \p input). */ #define PSA_PAKE_INPUT_MAX_SIZE 0 From b4db90fb27008932fe5735f7572885c22243e52d Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 3 Jun 2021 13:17:09 +0100 Subject: [PATCH 117/131] PSA PAKE: improve documentation Signed-off-by: Janos Follath --- include/psa/crypto_extra.h | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index dd99839cc7..66c9f9c206 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1606,9 +1606,10 @@ psa_status_t psa_pake_input(psa_pake_operation_t *operation, * party who used the same password is able to compute the key. But there is no * guarantee that the peer is the party it claims to be and was able to do so. * - * That is, the authentication is only implicit (the peer is not authenticated - * at this point, and no action should be taken that assume that they are - like - * for example accessing restricted files). + * That is, the authentication is only implicit. Since the peer is not + * authenticated yet, no action should be taken yet that assumes that the peer + * is who it claims to be. For example, do not access restricted files on the + * peer's behalf until an explicit authentication has succeeded. * * This function can be called after the key exchange phase of the operation * has completed. It imports the shared secret output of the PAKE into the @@ -1683,8 +1684,9 @@ psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, /** A sufficient input buffer size for psa_pake_input(). * - * If the size of the input is larger than this, it is guaranteed - * that psa_pake_input() will fail with #PSA_ERROR_INVALID_ARGUMENT. + * The value returned by this macro is guaranteed to be large enough for any + * valid input to psa_pake_input() in an operation with the specified + * parameters. * * See also #PSA_PAKE_INPUT_MAX_SIZE * From 3293dae00eaf300bd6f180181c253551b7506d3e Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 3 Jun 2021 13:21:33 +0100 Subject: [PATCH 118/131] psa_pake_setup(): simplify documentation This level of detail can be confusing and could require even more detail to clear it up. Simplifying it instead in alignment wiht the documentation of existing setup functions. Signed-off-by: Janos Follath --- include/psa/crypto_extra.h | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 66c9f9c206..a7425deb28 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1317,10 +1317,7 @@ static psa_pake_operation_t psa_pake_operation_init(void); * - A successful call to psa_pake_get_implicit_key(). * * \param[in,out] operation The operation object to set up. It must have - * been initialized as per the documentation for - * #psa_pake_operation_t and not yet in use (no - * other function has been called on it since the - * last initialization). + * been initialized but not set up yet. * \param cipher_suite The cipher suite to use. (A cipher suite fully * characterizes a PAKE algorithm and determines * the algorithm as well.) From b384ec19d188eb58056367d481d4091e8dba6390 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 3 Jun 2021 14:48:51 +0100 Subject: [PATCH 119/131] PSA PAKE: fix J-PAKE documentation code rendering 4-space indent is only guaranteed to result in a code block if there's a blank line just before (details vary depending on the markdown implementation, and doxygen isn't exactly markdown anyway). In a bullet list, you need 8 spaces since the list itself is a nested construct which takes a 4-space indent (even though you don't have to indent continuation lines inside a bullet point by 4 spaces, 1 is enough). Using \code...\encode which is rendering as intended. Signed-off-by: Janos Follath --- include/psa/crypto_extra.h | 108 +++++++++++++++++++++---------------- 1 file changed, 62 insertions(+), 46 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index a7425deb28..717db2bc93 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -842,19 +842,25 @@ psa_status_t mbedtls_psa_platform_get_builtin_key( * - A secure cryptographic hash function. * * To select these parameters and set up the cipher suite, call - * psa_pake_cs_set_algorithm(cipher_suite, PSA_ALG_JPAKE); - * psa_pake_cs_set_primitive(cipher_suite, - * PSA_PAKE_PRIMITIVE(type, family, bits)); - * psa_pake_cs_set_hash(cipher_suite, hash); + * + * \code + * psa_pake_cs_set_algorithm(cipher_suite, PSA_ALG_JPAKE); + * psa_pake_cs_set_primitive(cipher_suite, + * PSA_PAKE_PRIMITIVE(type, family, bits)); + * psa_pake_cs_set_hash(cipher_suite, hash); + * \endcode * * For more information on how to set a specific curve or field, refer to the * documentation of the individual \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants. * * After initializing a J-PAKE operation, call - * psa_pake_setup(operation, cipher_suite); - * psa_pake_set_user(operation, ...); - * psa_pake_set_peer(operation, ...); - * psa_pake_set_password_key(operation, ...); + * + * \code + * psa_pake_setup(operation, cipher_suite); + * psa_pake_set_user(operation, ...); + * psa_pake_set_peer(operation, ...); + * psa_pake_set_password_key(operation, ...); + * \endcode * * The password is read as a byte array and must be non-empty. This can be the * password itself (in some pre-defined character encoding) or some value @@ -869,50 +875,60 @@ psa_status_t mbedtls_psa_platform_get_builtin_key( * * The key exchange flow for J-PAKE is as follows: * -# To get the first round data that needs to be sent to the peer, call - * // Get g1 - * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); - * // Get the ZKP public key for x1 - * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); - * // Get the ZKP proof for x1 - * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); - * // Get g2 - * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); - * // Get the ZKP public key for x2 - * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); - * // Get the ZKP proof for x2 - * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * \code + * // Get g1 + * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); + * // Get the ZKP public key for x1 + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); + * // Get the ZKP proof for x1 + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * // Get g2 + * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); + * // Get the ZKP public key for x2 + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); + * // Get the ZKP proof for x2 + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * \endcode * -# To provide the first round data received from the peer to the operation, * call - * // Set g3 - * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); - * // Set the ZKP public key for x3 - * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); - * // Set the ZKP proof for x3 - * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); - * // Set g4 - * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); - * // Set the ZKP public key for x4 - * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); - * // Set the ZKP proof for x4 - * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * \code + * // Set g3 + * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); + * // Set the ZKP public key for x3 + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); + * // Set the ZKP proof for x3 + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * // Set g4 + * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); + * // Set the ZKP public key for x4 + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); + * // Set the ZKP proof for x4 + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * \endcode * -# To get the second round data that needs to be sent to the peer, call - * // Get A - * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); - * // Get ZKP public key for x2*s - * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); - * // Get ZKP proof for x2*s - * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * \code + * // Get A + * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); + * // Get ZKP public key for x2*s + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); + * // Get ZKP proof for x2*s + * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * \endcode * -# To provide the second round data received from the peer to the operation, * call - * // Set B - * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); - * // Set ZKP public key for x4*s - * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); - * // Set ZKP proof for x4*s - * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * \code + * // Set B + * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...); + * // Set ZKP public key for x4*s + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...); + * // Set ZKP proof for x4*s + * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...); + * \endcode * -# To access the shared secret call - * // Get Ka=Kb=K - * psa_pake_get_implicit_key() + * \code + * // Get Ka=Kb=K + * psa_pake_get_implicit_key() + * \endcode * * For more information consult the documentation of the individual * \c PSA_PAKE_STEP_XXX constants. From 55dd5dc3556be0eeccf943cc29fd0077be553003 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 3 Jun 2021 15:51:09 +0100 Subject: [PATCH 120/131] PSA PAKE: Clarify the documentation of NIZKP steps The expression "the masking is omitted" assumes familiarity with Montgomery curve private key format and even then can be confusing and ambiguous or confusing. Describe directly what format we mean and add some more background information and reference to the standard as well. Signed-off-by: Janos Follath --- include/psa/crypto_extra.h | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 717db2bc93..e4a21d44b7 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1108,6 +1108,9 @@ typedef uint32_t psa_pake_primitive_t; #define PSA_PAKE_STEP_KEY_SHARE ((psa_pake_step_t)0x01) /** A Schnorr NIZKP public key. + * + * This is the ephemeral public key in the Schnorr Non-Interactive + * Zero-Knowledge Proof (the value denoted by the letter 'V' in RFC 8235). * * The format for both input and output at this step is the same as for public * keys on the group determined by the primitive (::psa_pake_primitive_t) would @@ -1123,16 +1126,16 @@ typedef uint32_t psa_pake_primitive_t; /** A Schnorr NIZKP proof. * - * The format for both input and output at this step is the same as for private - * keys on the group determined by the primitive (::psa_pake_primitive_t) would - * be. + * This is the proof in the Schnorr Non-Interactive Zero-Knowledge Proof (the + * value denoted by the letter 'r' in RFC 8235). * - * Some public key algorithms mask the private keys and this might be reflected - * in the export format. Even if this is the case the masking is omitted at - * this step. + * Both input and output at this step is an integer less than the group + * selected in the cipher suite. The format depends on the group as well: * - * For more information on the format, consult the documentation of - * psa_export_key(). + * - For Montgomery curves, the encoding is little endian (see decoding of + * scalars in Section 5 of RFC 7748). + * - For everything else the encoding is big endian (see Section 2.3.8 of + * _SEC 1: Elliptic Curve Cryptography_ at https://www.secg.org/sec1-v2.pdf). * * For information regarding how the group is determined, consult the * documentation #PSA_PAKE_PRIMITIVE. From 33434a9f60f18894953eb64ffd699d5774cd1a37 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 26 May 2021 09:25:33 +0100 Subject: [PATCH 121/131] Fix parenthesis spacing in crypto_struct.h crypto_struct.h is implementation-specific so it was intended to have Mbed TLS whitespace style. Signed-off-by: Janos Follath --- include/psa/crypto_struct.h | 64 ++++++++++++++++++++----------------- 1 file changed, 34 insertions(+), 30 deletions(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 47012fdd00..4060074454 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -92,7 +92,7 @@ struct psa_hash_operation_s psa_driver_hash_context_t ctx; }; -#define PSA_HASH_OPERATION_INIT {0, {0}} +#define PSA_HASH_OPERATION_INIT { 0, { 0 } } static inline struct psa_hash_operation_s psa_hash_operation_init( void ) { const struct psa_hash_operation_s v = PSA_HASH_OPERATION_INIT; @@ -117,7 +117,7 @@ struct psa_cipher_operation_s psa_driver_cipher_context_t ctx; }; -#define PSA_CIPHER_OPERATION_INIT {0, 0, 0, 0, {0}} +#define PSA_CIPHER_OPERATION_INIT { 0, 0, 0, 0, { 0 } } static inline struct psa_cipher_operation_s psa_cipher_operation_init( void ) { const struct psa_cipher_operation_s v = PSA_CIPHER_OPERATION_INIT; @@ -142,7 +142,7 @@ struct psa_mac_operation_s psa_driver_mac_context_t ctx; }; -#define PSA_MAC_OPERATION_INIT {0, 0, 0, {0}} +#define PSA_MAC_OPERATION_INIT { 0, 0, 0, { 0 } } static inline struct psa_mac_operation_s psa_mac_operation_init( void ) { const struct psa_mac_operation_s v = PSA_MAC_OPERATION_INIT; @@ -163,7 +163,7 @@ struct psa_aead_operation_s } ctx; }; -#define PSA_AEAD_OPERATION_INIT {0, 0, 0, 0, 0, {0}} +#define PSA_AEAD_OPERATION_INIT { 0, 0, 0, 0, 0, { 0 } } static inline struct psa_aead_operation_s psa_aead_operation_init( void ) { const struct psa_aead_operation_s v = PSA_AEAD_OPERATION_INIT; @@ -223,7 +223,7 @@ typedef struct psa_tls12_prf_key_derivation_s uint8_t Ai[PSA_HASH_MAX_SIZE]; - /* `HMAC_hash( prk, A(i) + seed )` in the notation of RFC 5246, Sect. 5. */ + /* `HMAC_hash( prk, A( i ) + seed )` in the notation of RFC 5246, Sect. 5. */ uint8_t output_block[PSA_HASH_MAX_SIZE]; } psa_tls12_prf_key_derivation_t; #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || @@ -249,8 +249,9 @@ struct psa_key_derivation_s }; /* This only zeroes out the first byte in the union, the rest is unspecified. */ -#define PSA_KEY_DERIVATION_OPERATION_INIT {0, 0, 0, {0}} -static inline struct psa_key_derivation_s psa_key_derivation_operation_init( void ) +#define PSA_KEY_DERIVATION_OPERATION_INIT { 0, 0, 0, { 0 } } +static inline +struct psa_key_derivation_s psa_key_derivation_operation_init( void ) { const struct psa_key_derivation_s v = PSA_KEY_DERIVATION_OPERATION_INIT; return( v ); @@ -264,7 +265,7 @@ struct psa_key_policy_s }; typedef struct psa_key_policy_s psa_key_policy_t; -#define PSA_KEY_POLICY_INIT {0, 0, 0} +#define PSA_KEY_POLICY_INIT { 0, 0, 0 } static inline struct psa_key_policy_s psa_key_policy_init( void ) { const struct psa_key_policy_s v = PSA_KEY_POLICY_INIT; @@ -276,7 +277,7 @@ static inline struct psa_key_policy_s psa_key_policy_init( void ) typedef uint16_t psa_key_bits_t; /* The maximum value of the type used to represent bit-sizes. * This is used to mark an invalid key size. */ -#define PSA_KEY_BITS_TOO_LARGE ( (psa_key_bits_t) ( -1 ) ) +#define PSA_KEY_BITS_TOO_LARGE ( ( psa_key_bits_t ) -1 ) /* The maximum size of a key in bits. * Currently defined as the maximum that can be represented, rounded down * to a whole number of bytes. @@ -317,7 +318,10 @@ typedef struct psa_key_attributes_flag_t flags; } psa_core_key_attributes_t; -#define PSA_CORE_KEY_ATTRIBUTES_INIT {PSA_KEY_TYPE_NONE, 0, PSA_KEY_LIFETIME_VOLATILE, MBEDTLS_SVC_KEY_ID_INIT, PSA_KEY_POLICY_INIT, 0} +#define PSA_CORE_KEY_ATTRIBUTES_INIT { PSA_KEY_TYPE_NONE, 0, \ + PSA_KEY_LIFETIME_VOLATILE, \ + MBEDTLS_SVC_KEY_ID_INIT, \ + PSA_KEY_POLICY_INIT, 0 } struct psa_key_attributes_s { @@ -330,9 +334,9 @@ struct psa_key_attributes_s }; #if defined(MBEDTLS_PSA_CRYPTO_SE_C) -#define PSA_KEY_ATTRIBUTES_INIT {PSA_CORE_KEY_ATTRIBUTES_INIT, 0, NULL, 0} +#define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT, 0, NULL, 0 } #else -#define PSA_KEY_ATTRIBUTES_INIT {PSA_CORE_KEY_ATTRIBUTES_INIT, NULL, 0} +#define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT, NULL, 0 } #endif static inline struct psa_key_attributes_s psa_key_attributes_init( void ) @@ -358,7 +362,7 @@ static inline void psa_set_key_id( psa_key_attributes_t *attributes, } static inline mbedtls_svc_key_id_t psa_get_key_id( - const psa_key_attributes_t *attributes) + const psa_key_attributes_t *attributes ) { return( attributes->core.id ); } @@ -371,8 +375,8 @@ static inline void mbedtls_set_key_owner_id( psa_key_attributes_t *attributes, } #endif -static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes, - psa_key_lifetime_t lifetime) +static inline void psa_set_key_lifetime( psa_key_attributes_t *attributes, + psa_key_lifetime_t lifetime ) { attributes->core.lifetime = lifetime; if( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) ) @@ -386,44 +390,44 @@ static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes, } static inline psa_key_lifetime_t psa_get_key_lifetime( - const psa_key_attributes_t *attributes) + const psa_key_attributes_t *attributes ) { return( attributes->core.lifetime ); } -static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes, - psa_key_usage_t usage_flags) +static inline void psa_set_key_usage_flags( psa_key_attributes_t *attributes, + psa_key_usage_t usage_flags ) { attributes->core.policy.usage = usage_flags; } static inline psa_key_usage_t psa_get_key_usage_flags( - const psa_key_attributes_t *attributes) + const psa_key_attributes_t *attributes ) { return( attributes->core.policy.usage ); } -static inline void psa_set_key_algorithm(psa_key_attributes_t *attributes, - psa_algorithm_t alg) +static inline void psa_set_key_algorithm( psa_key_attributes_t *attributes, + psa_algorithm_t alg ) { attributes->core.policy.alg = alg; } static inline psa_algorithm_t psa_get_key_algorithm( - const psa_key_attributes_t *attributes) + const psa_key_attributes_t *attributes ) { return( attributes->core.policy.alg ); } /* This function is declared in crypto_extra.h, which comes after this * header file, but we need the function here, so repeat the declaration. */ -psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes, +psa_status_t psa_set_key_domain_parameters( psa_key_attributes_t *attributes, psa_key_type_t type, const uint8_t *data, - size_t data_length); + size_t data_length ); -static inline void psa_set_key_type(psa_key_attributes_t *attributes, - psa_key_type_t type) +static inline void psa_set_key_type( psa_key_attributes_t *attributes, + psa_key_type_t type ) { if( attributes->domain_parameters == NULL ) { @@ -441,13 +445,13 @@ static inline void psa_set_key_type(psa_key_attributes_t *attributes, } static inline psa_key_type_t psa_get_key_type( - const psa_key_attributes_t *attributes) + const psa_key_attributes_t *attributes ) { return( attributes->core.type ); } -static inline void psa_set_key_bits(psa_key_attributes_t *attributes, - size_t bits) +static inline void psa_set_key_bits( psa_key_attributes_t *attributes, + size_t bits ) { if( bits > PSA_MAX_KEY_BITS ) attributes->core.bits = PSA_KEY_BITS_TOO_LARGE; @@ -456,7 +460,7 @@ static inline void psa_set_key_bits(psa_key_attributes_t *attributes, } static inline size_t psa_get_key_bits( - const psa_key_attributes_t *attributes) + const psa_key_attributes_t *attributes ) { return( attributes->core.bits ); } From 0dcda95ac04162c0b328ef95622d3886cfa3184a Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 7 Jun 2021 14:52:13 +0100 Subject: [PATCH 122/131] Make check-names.sh happy Signed-off-by: Janos Follath --- include/psa/crypto_struct.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 4060074454..1be9949f4e 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -250,8 +250,8 @@ struct psa_key_derivation_s /* This only zeroes out the first byte in the union, the rest is unspecified. */ #define PSA_KEY_DERIVATION_OPERATION_INIT { 0, 0, 0, { 0 } } -static inline -struct psa_key_derivation_s psa_key_derivation_operation_init( void ) +static inline struct psa_key_derivation_s psa_key_derivation_operation_init( + void ) { const struct psa_key_derivation_s v = PSA_KEY_DERIVATION_OPERATION_INIT; return( v ); From 46c02375b730b53f2bfbfd9c49396018a8511711 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 8 Jun 2021 15:22:51 +0100 Subject: [PATCH 123/131] PSA PAKE: improve documentation Signed-off-by: Janos Follath --- include/psa/crypto_extra.h | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index e4a21d44b7..c5ae09959d 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -839,9 +839,10 @@ psa_status_t mbedtls_psa_platform_get_builtin_key( * - The group can be either an elliptic curve or defined over a finite field. * - Schnorr NIZK proof as defined by RFC 8235 and using the same group as the * J-PAKE algorithm. - * - A secure cryptographic hash function. + * - A cryptographic hash function. * - * To select these parameters and set up the cipher suite, call + * To select these parameters and set up the cipher suite, call these functions + * in any order: * * \code * psa_pake_cs_set_algorithm(cipher_suite, PSA_ALG_JPAKE); @@ -1499,8 +1500,8 @@ psa_status_t psa_pake_set_peer(psa_pake_operation_t *operation, * yet). * \param side A value of type ::psa_pake_side_t signaling the * side of the algorithm that is being set up. For - * more information see the documentation of \c - * PSA_PAKE_SIDE_XXX constants. + * more information see the documentation of + * \c PSA_PAKE_SIDE_XXX constants. * * \retval #PSA_SUCCESS * Success. @@ -1652,8 +1653,8 @@ psa_status_t psa_pake_input(psa_pake_operation_t *operation, * \retval #PSA_SUCCESS * Success. * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must be active, but beyond that - * validity is specific to the algorithm). + * The PAKE operation state is not valid (it must be active, but beyond + * that validity is specific to the algorithm). * \retval #PSA_ERROR_BAD_STATE * The state of \p output is not valid for * the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the @@ -1685,7 +1686,7 @@ psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, * * See also #PSA_PAKE_OUTPUT_MAX_SIZE * - * \param alg A PAKE algorithm (PSA_ALG_XXX value such that + * \param alg A PAKE algorithm (\c PSA_ALG_XXX value such that * #PSA_ALG_IS_PAKE(\p alg) is true). * \param primitive A primitive of type ::psa_pake_primitive_t that is * compatible with algorithm \p alg. @@ -1706,7 +1707,7 @@ psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, * * See also #PSA_PAKE_INPUT_MAX_SIZE * - * \param alg A PAKE algorithm (PSA_ALG_XXX value such that + * \param alg A PAKE algorithm (\c PSA_ALG_XXX value such that * #PSA_ALG_IS_PAKE(\p alg) is true). * \param primitive A primitive of type ::psa_pake_primitive_t that is * compatible with algorithm \p alg. From 1f0131844ce98a50aab4e4c3b4ea70268aa8e72a Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 8 Jun 2021 15:30:48 +0100 Subject: [PATCH 124/131] Clarify PSA_PAKE_STEP_ZK_PROOF format Removing reference to RFC 7748 as it is more confusing than helpful. (It decodes the scalars after masking which is not part of the encoding we want to specify. Also, it has the explanation what it means by little endian in a preceding section that is not trivial to find.) We also explicitly specify constraint on leading zeroes. Signed-off-by: Janos Follath --- include/psa/crypto_extra.h | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index c5ae09959d..0567e8a73b 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1130,14 +1130,17 @@ typedef uint32_t psa_pake_primitive_t; * This is the proof in the Schnorr Non-Interactive Zero-Knowledge Proof (the * value denoted by the letter 'r' in RFC 8235). * - * Both input and output at this step is an integer less than the group - * selected in the cipher suite. The format depends on the group as well: + * Both for input and output, the value at this step is an integer less than + * the order of the group selected in the cipher suite. The format depends on + * the group as well: * - * - For Montgomery curves, the encoding is little endian (see decoding of - * scalars in Section 5 of RFC 7748). + * - For Montgomery curves, the encoding is little endian. * - For everything else the encoding is big endian (see Section 2.3.8 of * _SEC 1: Elliptic Curve Cryptography_ at https://www.secg.org/sec1-v2.pdf). * + * In both cases leading zeroes are allowed as long as the length in bytes does + * not exceed the byte length of the group order. + * * For information regarding how the group is determined, consult the * documentation #PSA_PAKE_PRIMITIVE. */ From f8abfa8b1b1abad18c49725abee214921dcb240f Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 9 Jun 2021 10:17:04 +0200 Subject: [PATCH 125/131] Improve migration guide Signed-off-by: Ronald Cron --- docs/3.0-migration-guide.d/rsa-padding.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/3.0-migration-guide.d/rsa-padding.md b/docs/3.0-migration-guide.d/rsa-padding.md index a04d9ee2ae..f10ece6f8c 100644 --- a/docs/3.0-migration-guide.d/rsa-padding.md +++ b/docs/3.0-migration-guide.d/rsa-padding.md @@ -9,21 +9,21 @@ encoding and its hash. It just selects the PKCS#1 v1.5 encoding by default. If you were using the PKCS#1 v2.1 encoding you now need, subsequently to the call to mbedtls_rsa_init(), to call mbedtls_rsa_set_padding() to set it. -Code migration examples: +To choose the padding type when initializing a context, instead of ```C mbedtls_rsa_init(ctx, padding, hash_id); ``` -to +, use ```C mbedtls_rsa_init(ctx); mbedtls_rsa_set_padding(ctx, padding, hash_id); ``` -or + +To use PKCS#1 v1.5 padding, instead of ```C mbedtls_rsa_init(ctx, MBEDTLS_RSA_PKCS_V15, ); ``` -to +, just use ```C mbedtls_rsa_init(ctx); ``` - From 3ecb92e680ac38a1bbe67bcf732a4650fad9fbe8 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Tue, 11 May 2021 18:22:05 +0200 Subject: [PATCH 126/131] Remove _X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION Signed-off-by: TRodziewicz --- ChangeLog.d/issue4378.txt | 4 ++++ include/mbedtls/config.h | 12 ------------ library/x509_crt.c | 9 +-------- scripts/config.py | 1 - tests/suites/test_suite_x509parse.data | 4 ++-- 5 files changed, 7 insertions(+), 23 deletions(-) create mode 100644 ChangeLog.d/issue4378.txt diff --git a/ChangeLog.d/issue4378.txt b/ChangeLog.d/issue4378.txt new file mode 100644 index 0000000000..f10c23c588 --- /dev/null +++ b/ChangeLog.d/issue4378.txt @@ -0,0 +1,4 @@ +Removals + * Remove the MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h + option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for + for migration path. Fixes #4378. diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index d0e27805c6..ae32f21838 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1813,18 +1813,6 @@ */ #define MBEDTLS_VERSION_FEATURES -/** - * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION - * - * If set, the X509 parser will not break-off when parsing an X509 certificate - * and encountering an unknown critical extension. - * - * \warning Depending on your PKI use, enabling this can be a security risk! - * - * Uncomment to prevent an error. - */ -//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION - /** * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK * diff --git a/library/x509_crt.c b/library/x509_crt.c index 8387de618b..7d8847a301 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -818,8 +818,7 @@ static int x509_get_certificate_policies( unsigned char **p, { /* * Set the parsing return code but continue parsing, in case this - * extension is critical and MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION - * is configured. + * extension is critical. */ parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; } @@ -961,14 +960,12 @@ static int x509_get_crt_ext( unsigned char **p, /* No parser found, skip extension */ *p = end_ext_octet; -#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION) if( is_critical ) { /* Data is marked as critical: fail */ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ); } -#endif continue; } @@ -1027,11 +1024,9 @@ static int x509_get_crt_ext( unsigned char **p, start_ext_octet, end_ext_octet ) == 0 ) break; -#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION) if( is_critical ) return( ret ); else -#endif /* * If MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, then we * cannot interpret or enforce the policy. However, it is up to @@ -1049,11 +1044,9 @@ static int x509_get_crt_ext( unsigned char **p, * supports, but there isn't an x509 parser for it, * skip the extension. */ -#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION) if( is_critical ) return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ); else -#endif *p = end_ext_octet; } } diff --git a/scripts/config.py b/scripts/config.py index 94fbdef42f..b85745a2ab 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -192,7 +192,6 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_RSA_NO_CRT', # influences the use of RSA in X.509 and TLS 'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan) 'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers) - 'MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION', # influences the use of X.509 in TLS 'MBEDTLS_X509_REMOVE_INFO', # removes a feature ]) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 59acc667a1..0ebfb94984 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -1783,7 +1783,7 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C x509parse_crt:"3081ad308197a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a311300f300d0603551d200406300430020601300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, unknown critical policy) -depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:!MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION +depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C x509parse_crt:"3081b130819ba0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a315301330110603551d20010101040730053003060100300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, policy qualifier invalid tag) @@ -2001,7 +2001,7 @@ depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA1_C:MBEDT x509parse_crt:"3081e430819f020104300d06092a864886f70d0101050500300f310d300b0603550403130454657374301e170d3133303731303135303233375a170d3233303730383135303233375a300f310d300b06035504031304546573743049301306072a8648ce3d020106082a8648ce3d03010103320004e962551a325b21b50cf6b990e33d4318fd16677130726357a196e3efe7107bcb6bdc6d9db2a4df7c964acfe81798433d300d06092a864886f70d01010505000331001a6c18cd1e457474b2d3912743f44b571341a7859a0122774a8e19a671680878936949f904c9255bdd6fffdb33a7e6d8":"cert. version \: 1\nserial number \: 04\nissuer name \: CN=Test\nsubject name \: CN=Test\nissued on \: 2013-07-10 15\:02\:37\nexpires on \: 2023-07-08 15\:02\:37\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\n":0 X509 CRT ASN1 (Unsupported critical extension) -depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:!MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION +depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C x509parse_crt:"308203353082021da00302010202104d3ebbb8a870f9c78c55a8a7e12fd516300d06092a864886f70d01010b05003010310e300c06035504030c0564756d6d79301e170d3230303432383137343234335a170d3230303632373137343234335a3010310e300c06035504030c0564756d6d7930820122300d06092a864886f70d01010105000382010f003082010a0282010100a51b75b3f7da2d60ea1b0fc077f0dbb2bbb6fe1b474028368af8dc2664672896efff171033b0aede0b323a89d5c6db4d517404bc97b65264e41b9e9e86a6f40ace652498d4b3b859544d1bacfd7f86325503eed046f517406545c0ffb5560f83446dedce0fcafcc41ac8495488a6aa912ae45192ef7e3efa20d0f7403b0baa62c7e2e5404c620c5793623132aa20f624f08d88fbf0985af39433f5a24d0b908e5219d8ba6a404d3ee8418203b62a40c8eb18837354d50281a6a2bf5012e505c419482787b7a81e5935613ceea0c6d93e86f76282b6aa406fb3a1796c56b32e8a22afc3f7a3c9daa8f0e2846ff0d50abfc862a52f6cf0aaece6066c860376f3ed0203010001a3818a308187300c0603551d13040530030101ff30130603551d110101ff04093007820564756d6d79301206082b0601050507011f0101ff0403040100300e0603551d0f0101ff040403020184301d0603551d0e04160414e6e451ec8d19d9677b2d272a9d73b939fa2d915a301f0603551d23041830168014e6e451ec8d19d9677b2d272a9d73b939fa2d915a300d06092a864886f70d01010b0500038201010056d06047b7f48683e2347ca726997d9700b4f2cf1d8bc0ef17addac8445d38ffd7f8079055ead878b6a74c8384d0e30150c8990aa74f59cda6ebcb49465d8991ffa16a4c927a26e4639d1875a3ac396c7455c7eda40dbe66054a03d27f961c15e86bd5b06db6b26572977bcda93453b6b6a88ef96b31996a7bd17323525b33050d28deec9c33a3f9765a11fb99d0e222bd39a6db3a788474c9ca347377688f837d42f5841667bffcbe6b473e6f229f286a0829963e591a99aa7f67e9d20c36ccd2ac84cb85b7a8b3396a6cbe59a573ffff726f373197c230de5c92a52c5bc87e29c20bdf6e89609764a60c649022aabd768f3557661b083ae00e6afc8a5bf2ed":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CRT ASN1 (Unsupported critical extension recognized by callback) From b8367380b1f6a84662743bbef81ec4ef09f467f8 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Wed, 12 May 2021 11:03:42 +0200 Subject: [PATCH 127/131] Addition of the migration guide Signed-off-by: TRodziewicz --- ChangeLog.d/issue4378.txt | 2 +- ...TLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md diff --git a/ChangeLog.d/issue4378.txt b/ChangeLog.d/issue4378.txt index f10c23c588..9a7522b3ab 100644 --- a/ChangeLog.d/issue4378.txt +++ b/ChangeLog.d/issue4378.txt @@ -1,4 +1,4 @@ Removals * Remove the MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for - for migration path. Fixes #4378. + migration path. Fixes #4378. diff --git a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md new file mode 100644 index 0000000000..34ec4738ae --- /dev/null +++ b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md @@ -0,0 +1,13 @@ +Remove the X509 parser sensitivity control for an unknown critical extension from config.h +------------------------------------------------------------------------------------------ + +It affects users who use the `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION` +option which if set, allowed the X509 parser to parse an X509 certificate +even when it encountered an unknown critical extension. + +The migration path from that option is to use the +`mbedtls_x509_crt_parse_der_with_ext_cb()` function which is functionally +equivalent to `mbedtls_x509_crt_parse_der()`, and/or +`mbedtls_x509_crt_parse_der_nocopy()` but it calls the callback with every +unsupported certificate extension and additionally the "certificate policies" +extension if it contains any unsupported certificate policies. From 0ea257650207918f84748c589c1e8238e701fbf2 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Wed, 9 Jun 2021 13:24:48 +0200 Subject: [PATCH 128/131] Correction to the migr. guide wording and removal of not needed option Signed-off-by: TRodziewicz --- ...LS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md index 34ec4738ae..738fa81fd1 100644 --- a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md +++ b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md @@ -1,9 +1,13 @@ -Remove the X509 parser sensitivity control for an unknown critical extension from config.h ------------------------------------------------------------------------------------------- +Remove the config option MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION +-------------------------------------------------------------------------- -It affects users who use the `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION` -option which if set, allowed the X509 parser to parse an X509 certificate -even when it encountered an unknown critical extension. +This change does not affect users of the default configuration; it only affect +users who enable this option. + +The X.509 standard says that implementations must reject critical extensions that +they don't recognize, and this is what Mbed TLS does by default. This option +allowed to continue parsing those certificates but didn't provide a convenient +way to handle those extensions. The migration path from that option is to use the `mbedtls_x509_crt_parse_der_with_ext_cb()` function which is functionally From 197496af690ec603c31568fcf6430fc96b15835a Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Tue, 8 Jun 2021 18:31:27 +0100 Subject: [PATCH 129/131] config: Allow Mbed to implement TIMING_C Mbed OS now provides POSIX-like time functions, although not alarm() nor signal(). It is possible to implement MBEDTLS_TIMING_ALT on Mbed OS, so we should not artificially prevent this in check-config. Remove the the check that prevents implementing MBEDTLS_TIMING_ALT on Mbed OS. Note that this limitation originally was added in the following commit, although there isn't much context around why the restriction was imposed: 63e7ebaaa184 ("Add material for generating yotta module"). In 2015, Mbed OS was quite a different thing: no RTOS, no threads, just an asynchronous event loop model. I'd suppose the asynchronous event loop model made it difficult before to implement MBEDTLS_TIMING_C on Mbed OS, but that is no longer the case. Fixes #4633 Signed-off-by: Jaeden Amero --- ChangeLog.d/mbed-can-do-timing.txt | 3 +++ include/mbedtls/check_config.h | 5 ++--- 2 files changed, 5 insertions(+), 3 deletions(-) create mode 100644 ChangeLog.d/mbed-can-do-timing.txt diff --git a/ChangeLog.d/mbed-can-do-timing.txt b/ChangeLog.d/mbed-can-do-timing.txt new file mode 100644 index 0000000000..d83da02432 --- /dev/null +++ b/ChangeLog.d/mbed-can-do-timing.txt @@ -0,0 +1,3 @@ +Bugfix + * Remove outdated check-config.h check that prevented implementing the + timing module on Mbed OS. Fixes #4633. diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index ef19f38340..90dee6c1af 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -55,9 +55,8 @@ #endif #endif /* _WIN32 */ -#if defined(TARGET_LIKE_MBED) && \ - ( defined(MBEDTLS_NET_C) || defined(MBEDTLS_TIMING_C) ) -#error "The NET and TIMING modules are not available for mbed OS - please use the network and timing functions provided by mbed OS" +#if defined(TARGET_LIKE_MBED) && defined(MBEDTLS_NET_C) +#error "The NET module is not available for mbed OS - please use the network functions provided by Mbed OS" #endif #if defined(MBEDTLS_DEPRECATED_WARNING) && \ From 2a5e5a2759f99ee084760fd4588b2a13e273b503 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Wed, 9 Jun 2021 16:54:20 +0200 Subject: [PATCH 130/131] Correction to the migration guide entry wording Signed-off-by: TRodziewicz --- ..._MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md index 348fe32f71..2acb3bfbe6 100644 --- a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md +++ b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md @@ -1,20 +1,18 @@ Remove `MBEDTLS_X509_CHECK_*_KEY_USAGE` options from `config.h` --- +------------------------------------------------------------------- -This change affects users who have chosen the compilation time options to disable -the library's verification of the `keyUsage` and `extendedKeyUsage` fields of an x509 -certificate. +This change affects users who have chosen the configuration options to disable the +library's verification of the `keyUsage` and `extendedKeyUsage` fields of x509 +certificates. -The change is to remove MBEDTLS_X509_CHECK_KEY_USAGE and -MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE from the configuration. +The `MBEDTLS_X509_CHECK_KEY_USAGE` and `MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE` +configuration options are removed and the X509 code now behaves as if they were +always enabled. It is consequently not possible anymore to disable at compile +time the verification of the `keyUsage` and `extendedKeyUsage` fields of X509 +certificates. -After the change the options are removed and the compilation is done in a way that -the verification of the key usage fields is allways enabled by default. - -This verification is an important step and disabling it can cause security issues. -If the verification is for some reason undesirable it can still be disabled at -a runtime with even more flexibility by using the callback parameter in -`mbedtls_x509_crt_verify()`. - -For example the user can disable the verification by using the callback which -clears the corresponding flags when they've been set. +The verification of the `keyUsage` and `extendedKeyUsage` fields is important, +disabling it can cause security issues and it is thus not recommended. If the +verification is for some reason undesirable, it can still be disabled by means +of the verification callback function passed to `mbedtls_x509_crt_verify()` (see +the documentation of this function for more information). From d0581e119ba3643a9248762b8002b0eeb7b618eb Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 10 Jun 2021 15:47:18 +0100 Subject: [PATCH 131/131] Disable OS X builds on Travis Signed-off-by: Dave Rodgman --- .travis.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.travis.yml b/.travis.yml index 542f705694..48faa4846c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -28,12 +28,6 @@ jobs: script: - tests/scripts/all.sh -k test_full_cmake_gcc_asan - - name: macOS - os: osx - compiler: clang - script: - - tests/scripts/all.sh -k test_default_out_of_box - - name: Windows os: windows before_install: