From 3f93012bf1a0b34bbadb9d1f5e07ee2945244aec Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 26 Oct 2022 08:08:26 -0400 Subject: [PATCH 001/250] Use config.py as a module in depends.py Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 94 ++++++++++++++++++++++++---------------- 1 file changed, 56 insertions(+), 38 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 0d6ec94c80..86e8fff462 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -23,7 +23,7 @@ Test Mbed TLS with a subset of algorithms. This script can be divided into several steps: First, include/mbedtls/mbedtls_config.h or a different config file passed -in the arguments is parsed to extract any configuration options (collect_config_symbols). +in the arguments is parsed to extract any configuration options (using config.py). Then, test domains (groups of jobs, tests) are built based on predefined data collected in the DomainData class. Here, each domain has five major traits: @@ -72,6 +72,9 @@ import subprocess import sys import traceback +import scripts_path # pylint: disable=unused-import +import config + class Colors: # pylint: disable=too-few-public-methods """Minimalistic support for colored output. Each field of an object of this class is either None if colored output @@ -80,6 +83,7 @@ that outputting start switches the text color to the desired color and stop switches the text color back to the default.""" red = None green = None + cyan = None bold_red = None bold_green = None def __init__(self, options=None): @@ -95,6 +99,7 @@ stop switches the text color back to the default.""" normal = '\033[0m' self.red = ('\033[31m', normal) self.green = ('\033[32m', normal) + self.cyan = ('\033[36m', normal) self.bold_red = ('\033[1;31m', normal) self.bold_green = ('\033[1;32m', normal) NO_COLORS = Colors(None) @@ -130,34 +135,39 @@ Remove the backup file if it was saved earlier.""" else: shutil.copy(options.config_backup, options.config) -def run_config_py(options, args): - """Run scripts/config.py with the specified arguments.""" - cmd = ['scripts/config.py'] - if options.config != 'include/mbedtls/mbedtls_config.h': - cmd += ['--file', options.config] - cmd += args - log_command(cmd) - subprocess.check_call(cmd) +def option_exists(conf, option): + if option not in conf.settings: + return False + return True -def set_reference_config(options): +def set_config_option(conf, option, colors, value=None): + """Set configuration option, optionally specifying a value""" + if not option_exists(conf, option): + log_line('Symbol {} was not found in {}'.format(option, conf.filename), color=colors.red) + return False + log_command(['config.py', 'set', option]) + conf.set(option, value) + return True + +def unset_config_option(conf, option, colors): + """Unset configuration option if it exists""" + if not option_exists(conf, option): + log_line('Symbol {} was not found in {}'.format(option, conf.filename), color=colors.red) + return False + log_command(['config.py', 'unset', option]) + conf.unset(option) + return True + +def set_reference_config(conf, options, colors): """Change the library configuration file (mbedtls_config.h) to the reference state. The reference state is the one from which the tested configurations are derived.""" # Turn off options that are not relevant to the tests and slow them down. - run_config_py(options, ['full']) - run_config_py(options, ['unset', 'MBEDTLS_TEST_HOOKS']) + log_command(['config.py', 'full']) + conf.adapt(config.full_adapter) + unset_config_option(conf, 'MBEDTLS_TEST_HOOKS', colors) if options.unset_use_psa: - run_config_py(options, ['unset', 'MBEDTLS_USE_PSA_CRYPTO']) - -def collect_config_symbols(options): - """Read the list of settings from mbedtls_config.h. -Return them in a generator.""" - with open(options.config, encoding="utf-8") as config_file: - rx = re.compile(r'\s*(?://\s*)?#define\s+(\w+)\s*(?:$|/[/*])') - for line in config_file: - m = re.match(rx, line) - if m: - yield m.group(1) + unset_config_option(conf, 'MBEDTLS_USE_PSA_CRYPTO', colors) class Job: """A job builds the library in a specific configuration and runs some tests.""" @@ -185,19 +195,22 @@ If what is False, announce that the job has failed.''' elif what is False: log_line(self.name + ' FAILED', color=colors.red) else: - log_line('starting ' + self.name) + log_line('starting ' + self.name, color=colors.cyan) - def configure(self, options): + def configure(self, conf, options, colors): '''Set library configuration options as required for the job.''' - set_reference_config(options) + set_reference_config(conf, options, colors) for key, value in sorted(self.config_settings.items()): + ret = False if value is True: - args = ['set', key] + ret = set_config_option(conf, key, colors) elif value is False: - args = ['unset', key] + ret = unset_config_option(conf, key, colors) else: - args = ['set', key, value] - run_config_py(options, args) + ret = set_config_option(conf, key, colors, value) + if ret is False: + return False + return True def test(self, options): '''Run the job's build and test commands. @@ -392,11 +405,11 @@ class DomainData: return [symbol for symbol in self.all_config_symbols if re.match(regexp, symbol)] - def __init__(self, options): + def __init__(self, options, conf): """Gather data about the library and establish a list of domains to test.""" build_command = [options.make_command, 'CFLAGS=-Werror'] build_and_test = [build_command, [options.make_command, 'test']] - self.all_config_symbols = set(collect_config_symbols(options)) + self.all_config_symbols = set(conf.settings.keys()) # Find hash modules by name. hash_symbols = self.config_symbols_matching(r'MBEDTLS_(MD|RIPEMD|SHA)[0-9]+_C\Z') # Find elliptic curve enabling macros by name. @@ -455,16 +468,19 @@ A name can either be the name of a domain or the name of one specific job.""" else: return [self.jobs[name]] -def run(options, job, colors=NO_COLORS): +def run(options, job, conf, colors=NO_COLORS): """Run the specified job (a Job instance).""" subprocess.check_call([options.make_command, 'clean']) job.announce(colors, None) - job.configure(options) + if not job.configure(conf, options, colors): + job.announce(colors, False) + return False + conf.write() success = job.test(options) job.announce(colors, success) return success -def run_tests(options, domain_data): +def run_tests(options, domain_data, conf): """Run the desired jobs. domain_data should be a DomainData instance that describes the available domains and jobs. @@ -480,7 +496,7 @@ Run the jobs listed in options.tasks.""" backup_config(options) try: for job in jobs: - success = run(options, job, colors=colors) + success = run(options, job, conf, colors=colors) if not success: if options.keep_going: failures.append(job.name) @@ -546,7 +562,9 @@ def main(): default=True) options = parser.parse_args() os.chdir(options.directory) - domain_data = DomainData(options) + conf = config.ConfigFile(options.config) + domain_data = DomainData(options, conf) + if options.tasks is True: options.tasks = sorted(domain_data.domains.keys()) if options.list: @@ -555,7 +573,7 @@ def main(): print(domain_name) sys.exit(0) else: - sys.exit(0 if run_tests(options, domain_data) else 1) + sys.exit(0 if run_tests(options, domain_data, conf) else 1) except Exception: # pylint: disable=broad-except traceback.print_exc() sys.exit(3) From 3b0215d453d4d153f1be60c061b155d44a633b73 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 23 Jan 2023 07:19:22 -0500 Subject: [PATCH 002/250] depends.py: merge set/unset config option into one function Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 38 ++++++++++++++++---------------------- 1 file changed, 16 insertions(+), 22 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 86e8fff462..c6583e5455 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -71,7 +71,7 @@ import shutil import subprocess import sys import traceback - +# Add the Mbed TLS Python library directory to the module search path import scripts_path # pylint: disable=unused-import import config @@ -140,22 +140,22 @@ def option_exists(conf, option): return False return True -def set_config_option(conf, option, colors, value=None): - """Set configuration option, optionally specifying a value""" +def set_config_option_value(conf, option, colors, value): + """Set/unset a configuration option, optionally specifying a value""" if not option_exists(conf, option): log_line('Symbol {} was not found in {}'.format(option, conf.filename), color=colors.red) return False - log_command(['config.py', 'set', option]) - conf.set(option, value) - return True -def unset_config_option(conf, option, colors): - """Unset configuration option if it exists""" - if not option_exists(conf, option): - log_line('Symbol {} was not found in {}'.format(option, conf.filename), color=colors.red) - return False - log_command(['config.py', 'unset', option]) - conf.unset(option) + if value is False: + log_command(['config.py', 'unset', option]) + conf.unset(option) + else: + if value is True: + log_command(['config.py', 'set', option]) + conf.set(option) + else: + log_command(['config.py', 'set', option, value]) + conf.set(option, value) return True def set_reference_config(conf, options, colors): @@ -165,9 +165,9 @@ derived.""" # Turn off options that are not relevant to the tests and slow them down. log_command(['config.py', 'full']) conf.adapt(config.full_adapter) - unset_config_option(conf, 'MBEDTLS_TEST_HOOKS', colors) + set_config_option_value(conf, 'MBEDTLS_TEST_HOOKS', colors, False) if options.unset_use_psa: - unset_config_option(conf, 'MBEDTLS_USE_PSA_CRYPTO', colors) + set_config_option_value(conf, 'MBEDTLS_USE_PSA_CRYPTO', colors, False) class Job: """A job builds the library in a specific configuration and runs some tests.""" @@ -201,13 +201,7 @@ If what is False, announce that the job has failed.''' '''Set library configuration options as required for the job.''' set_reference_config(conf, options, colors) for key, value in sorted(self.config_settings.items()): - ret = False - if value is True: - ret = set_config_option(conf, key, colors) - elif value is False: - ret = unset_config_option(conf, key, colors) - else: - ret = set_config_option(conf, key, colors, value) + ret = set_config_option_value(conf, key, colors, value) if ret is False: return False return True From 576803faa2ff3f0477f744a364197171ce27ce30 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 24 Jan 2023 07:40:42 -0500 Subject: [PATCH 003/250] depends.py: improve expected argument type Requested config option can be either boolean or a string. Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index c6583e5455..302a4be512 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -71,6 +71,8 @@ import shutil import subprocess import sys import traceback +from typing import Union + # Add the Mbed TLS Python library directory to the module search path import scripts_path # pylint: disable=unused-import import config @@ -140,8 +142,10 @@ def option_exists(conf, option): return False return True -def set_config_option_value(conf, option, colors, value): - """Set/unset a configuration option, optionally specifying a value""" +def set_config_option_value(conf, option, colors, value: Union[bool, str]): + """Set/unset a configuration option, optionally specifying a value. +value can be either True/False (set/unset config option), or a string, +which will make a symbol defined with a certain value.""" if not option_exists(conf, option): log_line('Symbol {} was not found in {}'.format(option, conf.filename), color=colors.red) return False From 81cf5ad347677e7ca1416e5abdd7d6334aedad2f Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 6 Feb 2023 10:48:43 +0100 Subject: [PATCH 004/250] Improve tests/scripts/depends.py code As suggested by gilles-peskine-arm. Co-authored-by: Gilles Peskine Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 302a4be512..2f0fbc219b 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -138,9 +138,7 @@ Remove the backup file if it was saved earlier.""" shutil.copy(options.config_backup, options.config) def option_exists(conf, option): - if option not in conf.settings: - return False - return True + return option in conf.settings def set_config_option_value(conf, option, colors, value: Union[bool, str]): """Set/unset a configuration option, optionally specifying a value. From 2fddfd7f8f3750c131a5a98a3e74cead84df43b4 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 10 Jan 2023 16:32:03 +0800 Subject: [PATCH 005/250] Add AESCE confige options Signed-off-by: Jerry Yu --- include/mbedtls/check_config.h | 10 ++++++++++ include/mbedtls/mbedtls_config.h | 19 +++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 1efabdc1fd..055bfa7aa9 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -70,6 +70,16 @@ #error "MBEDTLS_AESNI_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_AESCE_C) && !defined(MBEDTLS_HAVE_ASM) +#error "MBEDTLS_AESCE_C defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_AESCE_C) && \ + (defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)) +#error "MBEDTLS_AESCE_C defined, MBEDTLS_SHA512_USE_A64_CRYPTO_* MUST be disabled for known fail." +#endif + #if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C) #error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites" #endif diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 9ae51c964a..6cea050115 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2065,6 +2065,25 @@ */ #define MBEDTLS_AESNI_C +/** + * \def MBEDTLS_AESCE_C + * + * Enable AES crypto engine support on Arm64. + * + * Module: library/aesce.c + * Caller: library/aes.c + * + * Requires: MBEDTLS_HAVE_ASM, MBEDTLS_AES_C + * + * \note The code uses Neon intrinsics, so \c CFLAGS must be set to a minimum + * of \c -march=armv8-a+crypto . + * + * \warning `MBEDTLS_SHA512_USE_A64_CRYPTO_*` should be disabled when enabled + * + * This modules adds support for the AES crypto instructions on Arm64 + */ +#define MBEDTLS_AESCE_C + /** * \def MBEDTLS_AES_C * From 49231319fd56389866199cd16dddae2f9129fefd Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 10 Jan 2023 16:57:21 +0800 Subject: [PATCH 006/250] Add empty aesce files For time being, we only support gcc and clang Signed-off-by: Jerry Yu --- library/CMakeLists.txt | 1 + library/Makefile | 1 + library/aesce.c | 50 ++++++++++++++++++++++++++++++++++++++++++ library/aesce.h | 50 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 102 insertions(+) create mode 100644 library/aesce.c create mode 100644 library/aesce.h diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index c9714bbfbe..bef2e1c4bd 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -13,6 +13,7 @@ endif() set(src_crypto aes.c aesni.c + aesce.c aria.c asn1parse.c asn1write.c diff --git a/library/Makefile b/library/Makefile index dd16d06158..ed5e1e1729 100644 --- a/library/Makefile +++ b/library/Makefile @@ -78,6 +78,7 @@ endif OBJS_CRYPTO= \ aes.o \ aesni.o \ + aesce.o \ aria.o \ asn1parse.o \ asn1write.o \ diff --git a/library/aesce.c b/library/aesce.c new file mode 100644 index 0000000000..608e5e367e --- /dev/null +++ b/library/aesce.c @@ -0,0 +1,50 @@ +/* + * Arm64 crypto engine support functions + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include "common.h" + +#if defined(MBEDTLS_AESCE_C) + +#include "aesce.h" + +#if defined(MBEDTLS_HAVE_ARM64) + +#if defined(__clang__) +# if __clang_major__ < 4 +# error "A more recent Clang is required for MBEDTLS_AES_C" +# endif +#elif defined(__GNUC__) +# if __GNUC__ < 6 +# error "A more recent GCC is required for MBEDTLS_AES_C" +# endif +#else +# error "Only GCC and Clang supported for MBEDTLS_AES_C" +#endif + +#if !defined(__ARM_FEATURE_CRYPTO) +# error "`crypto` feature moddifier MUST be enabled for MBEDTLS_AESCE_C." +# error "Typical option for GCC and Clang is `-march=armv8-a+crypto`." +#endif /* !__ARM_FEATURE_CRYPTO */ + +#include + +#endif /* MBEDTLS_HAVE_ARM64 */ + +#endif /* MBEDTLS_AESCE_C */ diff --git a/library/aesce.h b/library/aesce.h new file mode 100644 index 0000000000..4968feda91 --- /dev/null +++ b/library/aesce.h @@ -0,0 +1,50 @@ +/** + * \file aesce.h + * + * \brief AES-CE for hardware AES acceleration on ARMv8 processors with crypto + * engine. + * + * \warning These functions are only for internal use by other library + * functions; you must not call them directly. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef MBEDTLS_AESCE_H +#define MBEDTLS_AESCE_H + +#include "mbedtls/build_info.h" + +#include "mbedtls/aes.h" + + +#if !defined(MBEDTLS_HAVE_ARM64) && \ + (defined(__aarch64__) || defined(_M_ARM64)) +#define MBEDTLS_HAVE_ARM64 +#endif + +#if defined(MBEDTLS_HAVE_ARM64) + +#ifdef __cplusplus +extern "C" { +#endif +#ifdef __cplusplus +} +#endif + +#endif /* MBEDTLS_HAVE_ARM64 */ + +#endif /* MBEDTLS_AESCE_H */ From b95c776c435b56905b0e2e10ab19737abf739797 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 10 Jan 2023 16:59:51 +0800 Subject: [PATCH 007/250] Add linux runtime detection Signed-off-by: Jerry Yu --- library/aesce.c | 20 ++++++++++++++++++++ library/aesce.h | 12 ++++++++++-- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/library/aesce.c b/library/aesce.c index 608e5e367e..f33d593427 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -45,6 +45,26 @@ #include +#if defined(__linux__) +#include +#include +#endif + +/* + * AES instruction support detection routine + */ +int mbedtls_aesce_has_support(void) +{ +#if defined(__linux__) + unsigned long auxval = getauxval(AT_HWCAP); + return (auxval & (HWCAP_ASIMD | HWCAP_AES)) == + (HWCAP_ASIMD | HWCAP_AES); +#else + /* Suppose aes instructions are supported. */ + return 1; +#endif +} + #endif /* MBEDTLS_HAVE_ARM64 */ #endif /* MBEDTLS_AESCE_C */ diff --git a/library/aesce.h b/library/aesce.h index 4968feda91..2d5dde985f 100644 --- a/library/aesce.h +++ b/library/aesce.h @@ -31,8 +31,8 @@ #include "mbedtls/aes.h" -#if !defined(MBEDTLS_HAVE_ARM64) && \ - (defined(__aarch64__) || defined(_M_ARM64)) +#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \ + defined(__aarch64__) && !defined(MBEDTLS_HAVE_ARM64) #define MBEDTLS_HAVE_ARM64 #endif @@ -41,6 +41,14 @@ #ifdef __cplusplus extern "C" { #endif + +/** + * \brief Internal function to detect the crypto engine in CPUs. + * + * \return 1 if CPU has support for the feature, 0 otherwise + */ +int mbedtls_aesce_has_support(void); + #ifdef __cplusplus } #endif From 3f2fb71072678d494b88e477c74273c3fa7fa654 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 10 Jan 2023 17:05:42 +0800 Subject: [PATCH 008/250] Add key expansion for encrypt Signed-off-by: Jerry Yu --- library/aes.c | 9 ++++ library/aesce.c | 108 ++++++++++++++++++++++++++++++++++++++++++++++++ library/aesce.h | 14 +++++++ 3 files changed, 131 insertions(+) diff --git a/library/aes.c b/library/aes.c index 566e74715f..f0ade21490 100644 --- a/library/aes.c +++ b/library/aes.c @@ -39,6 +39,9 @@ #if defined(MBEDTLS_AESNI_C) #include "aesni.h" #endif +#if defined(MBEDTLS_AESCE_C) +#include "aesce.h" +#endif #include "mbedtls/platform.h" @@ -544,6 +547,12 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, } #endif +#if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) + if (mbedtls_aesce_has_support()) { + return mbedtls_aesce_setkey_enc((unsigned char *) RK, key, keybits); + } +#endif + for (i = 0; i < (keybits >> 5); i++) { RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2); } diff --git a/library/aesce.c b/library/aesce.c index f33d593427..4b0f9d7449 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -65,6 +65,114 @@ int mbedtls_aesce_has_support(void) #endif } + +static uint8_t const rcon[] = { 0x01, 0x02, 0x04, 0x08, 0x10, + 0x20, 0x40, 0x80, 0x1b, 0x36 }; + +static inline uint32_t ror32_8(uint32_t word) +{ + return (word << (32 - 8)) | (word >> 8); +} + +static inline uint32_t aes_sub(uint32_t in) +{ + uint32x4_t _in = vdupq_n_u32(in); + uint32x4_t v; + uint8x16_t zero = vdupq_n_u8(0); + v = vreinterpretq_u32_u8(vaeseq_u8(zero, vreinterpretq_u8_u32(_in))); + return vgetq_lane_u32(v, 0); +} + +/* + * Key expansion, 128-bit case + */ +static void aesce_setkey_enc_128(unsigned char *rk, + const unsigned char *key) +{ + uint32_t *rki; + uint32_t *rko; + uint32_t *rk_u32 = (uint32_t *) rk; + memcpy(rk, key, (128 / 8)); + + for (size_t i = 0; i < sizeof(rcon); i++) { + rki = rk_u32 + i * (128 / 32); + rko = rki + (128 / 32); + rko[0] = ror32_8(aes_sub(rki[(128 / 32) - 1])) ^ rcon[i] ^ rki[0]; + rko[1] = rko[0] ^ rki[1]; + rko[2] = rko[1] ^ rki[2]; + rko[3] = rko[2] ^ rki[3]; + } +} + +/* + * Key expansion, 192-bit case + */ +static void aesce_setkey_enc_192(unsigned char *rk, + const unsigned char *key) +{ + uint32_t *rki; + uint32_t *rko; + uint32_t *rk_u32 = (uint32_t *) rk; + memcpy(rk, key, (192 / 8)); + + for (size_t i = 0; i < 8; i++) { + rki = rk_u32 + i * (192 / 32); + rko = rki + (192 / 32); + rko[0] = ror32_8(aes_sub(rki[(192 / 32) - 1])) ^ rcon[i] ^ rki[0]; + rko[1] = rko[0] ^ rki[1]; + rko[2] = rko[1] ^ rki[2]; + rko[3] = rko[2] ^ rki[3]; + if (i < 7) { + rko[4] = rko[3] ^ rki[4]; + rko[5] = rko[4] ^ rki[5]; + } + } +} + +/* + * Key expansion, 256-bit case + */ +static void aesce_setkey_enc_256(unsigned char *rk, + const unsigned char *key) +{ + uint32_t *rki; + uint32_t *rko; + uint32_t *rk_u32 = (uint32_t *) rk; + memcpy(rk, key, (256 / 8)); + + for (size_t i = 0; i < 7; i++) { + rki = rk_u32 + i * (256 / 32); + rko = rki + (256 / 32); + rko[0] = ror32_8(aes_sub(rki[(256 / 32) - 1])) ^ rcon[i] ^ rki[0]; + rko[1] = rko[0] ^ rki[1]; + rko[2] = rko[1] ^ rki[2]; + rko[3] = rko[2] ^ rki[3]; + if (i < 6) { + rko[4] = aes_sub(rko[3]) ^ rki[4]; + rko[5] = rko[4] ^ rki[5]; + rko[6] = rko[5] ^ rki[6]; + rko[7] = rko[6] ^ rki[7]; + } + } +} + +/* + * Key expansion, wrapper + */ +int mbedtls_aesce_setkey_enc(unsigned char *rk, + const unsigned char *key, + size_t bits) +{ + switch (bits) { + case 128: aesce_setkey_enc_128(rk, key); break; + case 192: aesce_setkey_enc_192(rk, key); break; + case 256: aesce_setkey_enc_256(rk, key); break; + default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; + } + + return 0; +} + #endif /* MBEDTLS_HAVE_ARM64 */ #endif /* MBEDTLS_AESCE_C */ diff --git a/library/aesce.h b/library/aesce.h index 2d5dde985f..7fc0cfa0eb 100644 --- a/library/aesce.h +++ b/library/aesce.h @@ -49,6 +49,20 @@ extern "C" { */ int mbedtls_aesce_has_support(void); + +/** + * \brief Internal key expansion for encryption + * + * \param rk Destination buffer where the round keys are written + * \param key Encryption key + * \param bits Key size in bits (must be 128, 192 or 256) + * + * \return 0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH + */ +int mbedtls_aesce_setkey_enc(unsigned char *rk, + const unsigned char *key, + size_t bits); + #ifdef __cplusplus } #endif From e096da1af61efc6a35e9bcd4f2fd35690299f17e Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 10 Jan 2023 17:07:01 +0800 Subject: [PATCH 009/250] Add inverse key function Signed-off-by: Jerry Yu --- library/aes.c | 10 ++++++++++ library/aesce.c | 18 ++++++++++++++++++ library/aesce.h | 12 ++++++++++++ 3 files changed, 40 insertions(+) diff --git a/library/aes.c b/library/aes.c index f0ade21490..6306fecf84 100644 --- a/library/aes.c +++ b/library/aes.c @@ -661,6 +661,16 @@ int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key, } #endif +#if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) + if (mbedtls_aesce_has_support()) { + mbedtls_aesce_inverse_key( + (unsigned char *) RK, + (const unsigned char *) (cty.buf + cty.rk_offset), + ctx->nr); + goto exit; + } +#endif + SK = cty.buf + cty.rk_offset + cty.nr * 4; *RK++ = *SK++; diff --git a/library/aesce.c b/library/aesce.c index 4b0f9d7449..ba9adc95cb 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -66,6 +66,24 @@ int mbedtls_aesce_has_support(void) } +/* + * Compute decryption round keys from encryption round keys + */ +void mbedtls_aesce_inverse_key(unsigned char *invkey, + const unsigned char *fwdkey, + int nr) +{ + int i, j; + j = nr; + vst1q_u8(invkey, vld1q_u8(fwdkey + j * 16)); + for (i = 1, j--; j > 0; i++, j--) { + vst1q_u8(invkey + i * 16, + vaesimcq_u8(vld1q_u8(fwdkey + j * 16))); + } + vst1q_u8(invkey + i * 16, vld1q_u8(fwdkey + j * 16)); + +} + static uint8_t const rcon[] = { 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36 }; diff --git a/library/aesce.h b/library/aesce.h index 7fc0cfa0eb..d0e02a49d8 100644 --- a/library/aesce.h +++ b/library/aesce.h @@ -50,6 +50,18 @@ extern "C" { int mbedtls_aesce_has_support(void); +/** + * \brief Internal round key inversion. This function computes + * decryption round keys from the encryption round keys. + * + * \param invkey Round keys for the equivalent inverse cipher + * \param fwdkey Original round keys (for encryption) + * \param nr Number of rounds (that is, number of round keys minus one) + */ +void mbedtls_aesce_inverse_key(unsigned char *invkey, + const unsigned char *fwdkey, + int nr); + /** * \brief Internal key expansion for encryption * From 2bb3d8101f19aa9395498dd49746c3764ff739d3 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 10 Jan 2023 17:38:26 +0800 Subject: [PATCH 010/250] Add en(de)crypt routine Signed-off-by: Jerry Yu --- library/aes.c | 6 +++++ library/aesce.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++ library/aesce.h | 15 +++++++++++++ 3 files changed, 81 insertions(+) diff --git a/library/aes.c b/library/aes.c index 6306fecf84..64392fc56b 100644 --- a/library/aes.c +++ b/library/aes.c @@ -963,6 +963,12 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx, } #endif +#if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) + if (mbedtls_aesce_has_support()) { + return mbedtls_aesce_crypt_ecb(ctx, mode, input, output); + } +#endif + #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) if (aes_padlock_ace > 0) { if (mbedtls_padlock_xcryptecb(ctx, mode, input, output) == 0) { diff --git a/library/aesce.c b/library/aesce.c index ba9adc95cb..e6b675a3d2 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -65,6 +65,66 @@ int mbedtls_aesce_has_support(void) #endif } +static uint8x16_t aesce_encrypt_block(uint8x16_t block, + unsigned char *keys, + int rounds) +{ + for (int i = 0; i < rounds - 1; i++) { + block = vaeseq_u8(block, vld1q_u8(keys + i * 16)); + /* AES mix columns */ + block = vaesmcq_u8(block); + } + + /* AES single round encryption */ + block = vaeseq_u8(block, vld1q_u8(keys + (rounds -1) * 16)); + + /* Final Add (bitwise Xor) */ + block = veorq_u8(block, vld1q_u8(keys + rounds * 16)); + + return block; +} + +static uint8x16_t aesce_decrypt_block(uint8x16_t block, + unsigned char *keys, + int rounds) +{ + + for (int i = 0; i < rounds - 1; i++) { + block = vaesdq_u8(block, vld1q_u8(keys + i * 16)); + /* AES inverse mix columns */ + block = vaesimcq_u8(block); + } + + /* AES single round encryption */ + block = vaesdq_u8(block, vld1q_u8(keys + (rounds - 1) * 16)); + + /* Final Add (bitwise Xor) */ + block = veorq_u8(block, vld1q_u8(keys + rounds * 16)); + + return block; +} + +/* + * AES-ECB block en(de)cryption + */ +int mbedtls_aesce_crypt_ecb(mbedtls_aes_context *ctx, + int mode, + const unsigned char input[16], + unsigned char output[16]) +{ + uint8x16_t block = vld1q_u8(&input[0]); + unsigned char *keys = (unsigned char *) (ctx->buf + ctx->rk_offset); + + if (mode == MBEDTLS_AES_ENCRYPT) { + block = aesce_encrypt_block(block, keys, ctx->nr); + } else { + block = aesce_decrypt_block(block, keys, ctx->nr); + } + vst1q_u8(&output[0], block); + + return 0; +} + /* * Compute decryption round keys from encryption round keys diff --git a/library/aesce.h b/library/aesce.h index d0e02a49d8..741519cfe4 100644 --- a/library/aesce.h +++ b/library/aesce.h @@ -49,6 +49,21 @@ extern "C" { */ int mbedtls_aesce_has_support(void); +/** + * \brief Internal AES-ECB block encryption and decryption + * + * \param ctx AES context + * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT + * \param input 16-byte input block + * \param output 16-byte output block + * + * \return 0 on success (cannot fail) + */ +int mbedtls_aesce_crypt_ecb(mbedtls_aes_context *ctx, + int mode, + const unsigned char input[16], + unsigned char output[16]); + /** * \brief Internal round key inversion. This function computes From e51eddce38ada83236a2d1f62c4d226ebd925fce Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 11 Jan 2023 14:16:08 +0800 Subject: [PATCH 011/250] disable aesce when ASM not available Change-Id: Icd53a620cc3aed437b0e0e022ca5a36f29caeea1 Signed-off-by: Jerry Yu --- tests/scripts/all.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 883d58b6f6..a769da2aca 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1972,6 +1972,7 @@ component_build_module_alt () { # aesni.c and padlock.c reference mbedtls_aes_context fields directly. scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESCE_C # MBEDTLS_ECP_RESTARTABLE is documented as incompatible. scripts/config.py unset MBEDTLS_ECP_RESTARTABLE # You can only have one threading implementation: alt or pthread, not both. @@ -3336,6 +3337,7 @@ component_test_have_int32 () { scripts/config.py unset MBEDTLS_HAVE_ASM scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESCE_C make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32' msg "test: gcc, force 32-bit bignum limbs" @@ -3347,6 +3349,7 @@ component_test_have_int64 () { scripts/config.py unset MBEDTLS_HAVE_ASM scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESCE_C make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64' msg "test: gcc, force 64-bit bignum limbs" From 32f977e82057b7753f4ec883f25eaee203fe233b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 11 Jan 2023 22:48:51 +0800 Subject: [PATCH 012/250] Add arm64 tests on travis ci Due to time limitation of travis, the job is spited into two job Signed-off-by: Jerry Yu --- .travis.yml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/.travis.yml b/.travis.yml index 54df776060..41bb44cd13 100644 --- a/.travis.yml +++ b/.travis.yml @@ -80,6 +80,55 @@ jobs: - sleep 5 - scripts/windows_msbuild.bat v141 # Visual Studio 2017 + - name: full configuration on arm64 + os: linux + dist: focal + arch: arm64 + addons: + apt: + packages: + - gcc + script: + # See above + - scripts/config.py full + - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY + - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY + - make generated_files + - make CFLAGS='-march=armv8-a+crypto -O3 -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' LDFLAGS='-Werror -fsanitize=address,undefined -fno-sanitize-recover=all' + - make test + - programs/test/selftest + - tests/scripts/test_psa_constant_names.py + # Modern OpenSSL does not support fixed ECDH or null ciphers. + - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH-' + - tests/scripts/travis-log-failure.sh + - tests/context-info.sh + + - name: full configuration(GnuTLS compat tests) on arm64 + os: linux + dist: focal + arch: arm64 + addons: + apt: + packages: + - clang + - gnutls-bin + script: + # See above + - scripts/config.py full + - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY + - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY + - make generated_files + - make CC=clang CFLAGS='-march=armv8-a+crypto -O3 -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' LDFLAGS='-Werror -fsanitize=address,undefined -fno-sanitize-recover=all' + # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it. + - tests/compat.sh -p GnuTLS -e 'CAMELLIA' + - tests/scripts/travis-log-failure.sh + - tests/context-info.sh + + after_failure: - tests/scripts/travis-log-failure.sh From e908c57f95d05cac83bb9532ba50a82e925e3df1 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 13 Jan 2023 21:37:11 +0800 Subject: [PATCH 013/250] Disable clang tests Signed-off-by: Jerry Yu --- .travis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 41bb44cd13..3b1d705515 100644 --- a/.travis.yml +++ b/.travis.yml @@ -112,7 +112,7 @@ jobs: addons: apt: packages: - - clang + - gcc - gnutls-bin script: # See above @@ -122,7 +122,7 @@ jobs: - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY - make generated_files - - make CC=clang CFLAGS='-march=armv8-a+crypto -O3 -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' LDFLAGS='-Werror -fsanitize=address,undefined -fno-sanitize-recover=all' + - make CFLAGS='-march=armv8-a+crypto -O3 -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' LDFLAGS='-Werror -fsanitize=address,undefined -fno-sanitize-recover=all' # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it. - tests/compat.sh -p GnuTLS -e 'CAMELLIA' - tests/scripts/travis-log-failure.sh From b3b85ddf4ac738947b088f2f2e50d85637a440fc Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 30 Jan 2023 15:22:12 +0800 Subject: [PATCH 014/250] Disable macro conflict check It cause full configuration test fail Signed-off-by: Jerry Yu --- include/mbedtls/check_config.h | 6 ------ 1 file changed, 6 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 055bfa7aa9..ac374d2a4b 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -74,12 +74,6 @@ #error "MBEDTLS_AESCE_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_AESCE_C) && \ - (defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)) -#error "MBEDTLS_AESCE_C defined, MBEDTLS_SHA512_USE_A64_CRYPTO_* MUST be disabled for known fail." -#endif - #if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C) #error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites" #endif From 8c6325cc8eacd5b463ffa16e9e804cde80928282 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 6 Feb 2023 14:29:02 +0800 Subject: [PATCH 015/250] code_style.py: Apply exclusions to the file list This commit rename `--files` options to `--subset` and it means to check a subset of the files known to git. Signed-off-by: Pengyu Lv --- scripts/code_style.py | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/scripts/code_style.py b/scripts/code_style.py index dd8305faf6..4a5fb68c1b 100755 --- a/scripts/code_style.py +++ b/scripts/code_style.py @@ -174,22 +174,19 @@ def main() -> int: parser.add_argument('-f', '--fix', action='store_true', help=('modify source files to fix the code style ' '(default: print diff, do not modify files)')) - # --files is almost useless: it only matters if there are no files - # ('code_style.py' without arguments checks all files known to Git, - # 'code_style.py --files' does nothing). In particular, - # 'code_style.py --fix --files ...' is intended as a stable ("porcelain") - # way to restyle a possibly empty set of files. - parser.add_argument('--files', action='store_true', - help='only check the specified files (default with non-option arguments)') + parser.add_argument('--subset', action='store_true', + help=('check a subset of the files known to git ' + '(default: empty FILE means full set)')) parser.add_argument('operands', nargs='*', metavar='FILE', - help='files to check (if none: check files that are known to git)') + help='files to check') args = parser.parse_args() - if args.files or args.operands: - src_files = args.operands - else: - src_files = get_src_files() + all_src_files = get_src_files() + src_files = args.operands if args.operands else all_src_files + if args.subset: + # We are to check a subset of the default list + src_files = [f for f in args.operands if f in all_src_files] if args.fix: # Fix mode From acbeb7fa303338d1dadce9b3add3c6470b9a5bb1 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 6 Feb 2023 14:27:30 +0800 Subject: [PATCH 016/250] code_style.py: Add helpers to print warning and skipped files Signed-off-by: Pengyu Lv --- scripts/code_style.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/scripts/code_style.py b/scripts/code_style.py index 4a5fb68c1b..61b1ab0e6b 100755 --- a/scripts/code_style.py +++ b/scripts/code_style.py @@ -33,6 +33,17 @@ CHECK_GENERATED_FILES = "tests/scripts/check-generated-files.sh" def print_err(*args): print("Error: ", *args, file=sys.stderr) +def print_warn(*args): + print("Warn:", *args, file=sys.stderr) + +# Print the file names that will be skipped and the help message +def print_skip(files_to_skip): + print() + print(*files_to_skip, sep=", SKIP\n", end=", SKIP\n") + print_warn("The listed files will be skipped because\n" + "they are not included in the default list.") + print() + # Match FILENAME(s) in "check SCRIPT (FILENAME...)" CHECK_CALL_RE = re.compile(r"\n\s*check\s+[^\s#$&*?;|]+([^\n#$&*?;|]+)", re.ASCII) @@ -187,6 +198,9 @@ def main() -> int: if args.subset: # We are to check a subset of the default list src_files = [f for f in args.operands if f in all_src_files] + skip_src_files = [f for f in args.operands if f not in src_files] + if skip_src_files: + print_skip(skip_src_files) if args.fix: # Fix mode From 837e9cfc77009df92354b9020d3716422e2ef938 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 8 Feb 2023 10:57:23 +0800 Subject: [PATCH 017/250] fix wrong typo Signed-off-by: Jerry Yu --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 3b1d705515..a97a3c2ef8 100644 --- a/.travis.yml +++ b/.travis.yml @@ -101,7 +101,7 @@ jobs: - programs/test/selftest - tests/scripts/test_psa_constant_names.py # Modern OpenSSL does not support fixed ECDH or null ciphers. - - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH-' + - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH_' - tests/scripts/travis-log-failure.sh - tests/context-info.sh From b4a87b07f8e2791eb368bb79fb9ae8c32c7cb82e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 4 Oct 2022 22:54:26 +0200 Subject: [PATCH 018/250] Don't use pk_write in ecdsa_verify_wrap with USE_PSA_CRYPTO Under MBEDTLS_USE_PSA_CRYPTO, ecdsa_verify_wrap() was calling mbedtls_pk_write_pubkey() to write a public key in the form of a subjectPublicKey, only to then extract the part that represents the EC point which psa_import_key() actually wants. Instead, call an ecp function to directly get the public key in the desired format (just the point). This slightly reduces the code size and stack usage, and removes a dependency on pk_write. Signed-off-by: Gilles Peskine --- library/pk_wrap.c | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index fa296e8245..0f0ae5b2b1 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -691,11 +691,13 @@ static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_status_t status; - mbedtls_pk_context key; - int key_len; - unsigned char buf[MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES]; + size_t key_len; + /* This buffer contains first the public key (consisting of two public + * points plus a header byte), then the signature (consisting of two + * public points). Size it for the public key which is one byte larger. */ + unsigned char buf[PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE( + PSA_VENDOR_ECC_MAX_CURVE_BITS )]; unsigned char *p; - mbedtls_pk_info_t pk_info = mbedtls_eckey_info; psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY; size_t curve_bits; psa_ecc_family_t curve = @@ -707,25 +709,22 @@ static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } - /* mbedtls_pk_write_pubkey() expects a full PK context; - * re-construct one to make it happy */ - key.pk_info = &pk_info; - key.pk_ctx = ctx; - p = buf + sizeof(buf); - key_len = mbedtls_pk_write_pubkey(&p, buf, &key); - if (key_len <= 0) { - return MBEDTLS_ERR_PK_BAD_INPUT_DATA; + psa_set_key_type( &attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve ) ); + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH ); + psa_set_key_algorithm( &attributes, psa_sig_md ); + + ret = mbedtls_ecp_point_write_binary(&ctx->grp, &ctx->Q, + MBEDTLS_ECP_PF_UNCOMPRESSED, + &key_len, buf, sizeof(buf)); + if (ret != 0) { + goto cleanup; } - psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve)); - psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); - psa_set_key_algorithm(&attributes, psa_sig_md); - status = psa_import_key(&attributes, - buf + sizeof(buf) - key_len, key_len, + buf, key_len, &key_id); if (status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa(status); + ret = mbedtls_pk_error_from_psa( status ); goto cleanup; } From 13caa94746354ecd0b8fe8ba1529916aed0d599e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 4 Oct 2022 22:59:26 +0200 Subject: [PATCH 019/250] Don't use pk_write in ecdsa_sign_wrap with USE_PSA_CRYPTO Under MBEDTLS_USE_PSA_CRYPTO, ecdsa_sign_wrap() was calling mbedtls_pk_write_key_der() to write a private key in SEC1 format, only to then extract the part that represents the private value which is what psa_import_key() actually wants. Instead, call an mpi function to directly get the private key in the desired format. This slightly reduces the code size and stack usage, and removes a dependency on pk_write. Signed-off-by: Gilles Peskine --- library/pk_wrap.c | 82 +++++++---------------------------------------- 1 file changed, 11 insertions(+), 71 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 0f0ae5b2b1..464634db2f 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -869,54 +869,6 @@ static int pk_ecdsa_sig_asn1_from_psa(unsigned char *sig, size_t *sig_len, return 0; } -/* Locate an ECDSA privateKey in a RFC 5915, or SEC1 Appendix C.4 ASN.1 buffer - * - * [in/out] buf: ASN.1 buffer start as input - ECDSA privateKey start as output - * [in] end: ASN.1 buffer end - * [out] key_len: the ECDSA privateKey length in bytes - */ -static int find_ecdsa_private_key(unsigned char **buf, unsigned char *end, - size_t *key_len) -{ - size_t len; - int ret; - - /* - * RFC 5915, or SEC1 Appendix C.4 - * - * ECPrivateKey ::= SEQUENCE { - * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), - * privateKey OCTET STRING, - * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, - * publicKey [1] BIT STRING OPTIONAL - * } - */ - - if ((ret = mbedtls_asn1_get_tag(buf, end, &len, - MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE)) != 0) { - return ret; - } - - /* version */ - if ((ret = mbedtls_asn1_get_tag(buf, end, &len, - MBEDTLS_ASN1_INTEGER)) != 0) { - return ret; - } - - *buf += len; - - /* privateKey */ - if ((ret = mbedtls_asn1_get_tag(buf, end, &len, - MBEDTLS_ASN1_OCTET_STRING)) != 0) { - return ret; - } - - *key_len = len; - - return 0; -} - static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t sig_size, size_t *sig_len, @@ -927,19 +879,14 @@ static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_status_t status; - mbedtls_pk_context key; - size_t key_len; - unsigned char buf[MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES]; - unsigned char *p; - psa_algorithm_t psa_hash = mbedtls_hash_info_psa_from_md(md_alg); -#if defined(MBEDTLS_ECDSA_DETERMINISTIC) - psa_algorithm_t psa_sig_md = PSA_ALG_DETERMINISTIC_ECDSA(psa_hash); -#else - psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA(psa_hash); -#endif + unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE( + PSA_VENDOR_ECC_MAX_CURVE_BITS )]; + psa_algorithm_t psa_sig_md = + PSA_ALG_ECDSA( mbedtls_hash_info_psa_from_md( md_alg ) ); size_t curve_bits; psa_ecc_family_t curve = - mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits); + mbedtls_ecc_group_to_psa( ctx->grp.id, &curve_bits ); + size_t key_len = PSA_BITS_TO_BYTES(curve_bits); /* PSA has its own RNG */ ((void) f_rng); @@ -949,18 +896,11 @@ static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } - /* mbedtls_pk_write_key_der() expects a full PK context; - * re-construct one to make it happy */ - key.pk_info = &mbedtls_eckey_info; - key.pk_ctx = ctx; - key_len = mbedtls_pk_write_key_der(&key, buf, sizeof(buf)); - if (key_len <= 0) { - return MBEDTLS_ERR_PK_BAD_INPUT_DATA; + if (key_len > sizeof(buf)) { + return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED ); } - - p = buf + sizeof(buf) - key_len; - ret = find_ecdsa_private_key(&p, buf + sizeof(buf), &key_len); - if (ret != 0) { + ret = mbedtls_mpi_write_binary(&ctx->d, buf, key_len); + if( ret != 0 ) { goto cleanup; } @@ -969,7 +909,7 @@ static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, psa_set_key_algorithm(&attributes, psa_sig_md); status = psa_import_key(&attributes, - p, key_len, + buf, key_len, &key_id); if (status != PSA_SUCCESS) { ret = mbedtls_pk_error_from_psa(status); From bbccdd485c808d77b7cc11356832d547bbd0db2b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 4 Oct 2022 23:00:42 +0200 Subject: [PATCH 020/250] pk no longer needs pk_write for ECDSA with MBEDTLS_USE_PSA_CRYPTO The dependency is still useful for RSA, for which PSA encodes keys with an ASN.1 structure. Signed-off-by: Gilles Peskine --- include/mbedtls/build_info.h | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index bbfd5d48df..6cf1176de8 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -82,21 +82,9 @@ /* The PK wrappers need pk_write functions to format RSA key objects * when they are dispatching to the PSA API. This happens under USE_PSA_CRYPTO, - * and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext(). - * PSA crypto also needs pk_write to export RSA keys (otherwise the build - * goes through but psa_export_key() and psa_export_public_key() fail on - * RSA keys), and pk_parse to work with RSA keys in almost any way. - */ -#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C) -#define MBEDTLS_PK_C -#define MBEDTLS_PK_WRITE_C -#define MBEDTLS_PK_PARSE_C -#endif - -/* Under MBEDTLS_USE_PSA_CRYPTO, the pk module needs pk_write functions - * to pass ECC keys to PSA. */ -#if defined(MBEDTLS_PK_C) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECP_C) + * and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext(). */ +#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_PSA_CRYPTO_C) && \ + defined(MBEDTLS_RSA_C) #define MBEDTLS_PK_WRITE_C #endif From 8a6022e94885ba73e34019b45849718afdbad446 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 4 Oct 2022 23:01:59 +0200 Subject: [PATCH 021/250] Clean up header inclusions in pk_wrap.c To better reflect what the code relies on, limit the headers that are included when MBEDTLS_USE_PSA_CRYPTO is disabled. Also stop including "pkwrite.h" when it is no longer needed. Include "mbedlts/platform_util.h" unconditionally. It was only included for RSA ALT but was also used for MBEDTLS_USE_PSA_CRYPTO (the code worked because other headers include "mbedtls/platform_util.h"). Signed-off-by: Gilles Peskine --- library/pk_wrap.c | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 464634db2f..ab19a47af3 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -19,6 +19,8 @@ #include "common.h" +#include "mbedtls/platform_util.h" + #if defined(MBEDTLS_PK_C) #include "pk_wrap.h" #include "mbedtls/error.h" @@ -26,39 +28,34 @@ /* Even if RSA not activated, for the sake of RSA-alt */ #include "mbedtls/rsa.h" -#include - #if defined(MBEDTLS_ECP_C) #include "mbedtls/ecp.h" #endif -#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECP_C) -#include "pkwrite.h" -#endif - #if defined(MBEDTLS_ECDSA_C) #include "mbedtls/ecdsa.h" #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) -#include "mbedtls/asn1write.h" -#endif - -#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) -#include "mbedtls/platform_util.h" +#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PSA_CRYPTO_C) +#include "pkwrite.h" #endif #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa/crypto.h" #include "mbedtls/psa_util.h" -#include "mbedtls/asn1.h" #include "hash_info.h" + +#if defined(MBEDTLS_ECDSA_C) +#include "mbedtls/asn1write.h" +#include "mbedtls/asn1.h" #endif +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #include "mbedtls/platform.h" #include #include +#include #if defined(MBEDTLS_PSA_CRYPTO_C) int mbedtls_pk_error_from_psa(psa_status_t status) From be9e2a1634ce4798d6ba36316ed2cd4ebc5acd7b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 6 Oct 2022 17:37:07 +0200 Subject: [PATCH 022/250] The pk_psa_sign test function needs pk_write Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index d8a8f863ec..9ec354eed1 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -1182,7 +1182,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO */ +/* BEGIN_CASE depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PK_WRITE_C */ void pk_psa_sign(int parameter_arg, int psa_type_arg, int expected_bits_arg) { From 5bc52248eff9a7833c0b256b1b82409eee2fbff2 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 30 Jan 2023 15:48:28 +0100 Subject: [PATCH 023/250] pk_wrap: fix for DETERMINISTIC_ECDSA case in ecdsa_sign_wrap() Signed-off-by: Valerio Setti --- library/pk_wrap.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index ab19a47af3..525f6bc90c 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -878,8 +878,13 @@ static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, psa_status_t status; unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE( PSA_VENDOR_ECC_MAX_CURVE_BITS )]; +#if defined(MBEDTLS_ECDSA_DETERMINISTIC) + psa_algorithm_t psa_sig_md = + PSA_ALG_DETERMINISTIC_ECDSA( mbedtls_hash_info_psa_from_md( md_alg ) ); +#else psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA( mbedtls_hash_info_psa_from_md( md_alg ) ); +#endif size_t curve_bits; psa_ecc_family_t curve = mbedtls_ecc_group_to_psa( ctx->grp.id, &curve_bits ); From 1337a4f334854f9482b80244b4a90f7df7694773 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 30 Jan 2023 15:54:55 +0100 Subject: [PATCH 024/250] pk_wrap: use specific lengths for EC's private key and key-pair Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 3 +++ library/pk_wrap.c | 6 ++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index dc74ac60cc..f6070dcba8 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -257,6 +257,9 @@ static inline int mbedtls_psa_get_ecc_oid_from_id( #define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH \ PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) +#define MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH \ + PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) + /* Expose whatever RNG the PSA subsystem uses to applications using the * mbedtls_xxx API. The declarations and definitions here need to be * consistent with the implementation in library/psa_crypto_random_impl.h. diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 525f6bc90c..6fba6e9b20 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -692,8 +692,7 @@ static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, /* This buffer contains first the public key (consisting of two public * points plus a header byte), then the signature (consisting of two * public points). Size it for the public key which is one byte larger. */ - unsigned char buf[PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE( - PSA_VENDOR_ECC_MAX_CURVE_BITS )]; + unsigned char buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; unsigned char *p; psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY; size_t curve_bits; @@ -876,8 +875,7 @@ static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_status_t status; - unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE( - PSA_VENDOR_ECC_MAX_CURVE_BITS )]; + unsigned char buf[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH]; #if defined(MBEDTLS_ECDSA_DETERMINISTIC) psa_algorithm_t psa_sig_md = PSA_ALG_DETERMINISTIC_ECDSA( mbedtls_hash_info_psa_from_md( md_alg ) ); From d0b83e1fc7e08fe7633f52b1b59771b8e53806fe Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 31 Jan 2023 10:16:23 +0100 Subject: [PATCH 025/250] build_info: fix PK's requirements for RSA_C Signed-off-by: Valerio Setti --- include/mbedtls/build_info.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 6cf1176de8..b10b1ad4ec 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -83,9 +83,10 @@ /* The PK wrappers need pk_write functions to format RSA key objects * when they are dispatching to the PSA API. This happens under USE_PSA_CRYPTO, * and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext(). */ -#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_PSA_CRYPTO_C) && \ - defined(MBEDTLS_RSA_C) +#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C) +#define MBEDTLS_PK_C #define MBEDTLS_PK_WRITE_C +#define MBEDTLS_PK_PARSE_C #endif #if !defined(MBEDTLS_SSL_PROTO_TLS1_2) From b761b15f060dc6ec0c43b20c9d67ae2d58a03c3c Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 31 Jan 2023 14:56:04 +0100 Subject: [PATCH 026/250] fix code style Signed-off-by: Valerio Setti --- library/pk_wrap.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 6fba6e9b20..2a71bd8529 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -705,9 +705,9 @@ static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } - psa_set_key_type( &attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve ) ); - psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH ); - psa_set_key_algorithm( &attributes, psa_sig_md ); + psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve)); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); + psa_set_key_algorithm(&attributes, psa_sig_md); ret = mbedtls_ecp_point_write_binary(&ctx->grp, &ctx->Q, MBEDTLS_ECP_PF_UNCOMPRESSED, @@ -720,7 +720,7 @@ static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, buf, key_len, &key_id); if (status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa( status ); + ret = mbedtls_pk_error_from_psa(status); goto cleanup; } @@ -878,14 +878,14 @@ static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, unsigned char buf[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH]; #if defined(MBEDTLS_ECDSA_DETERMINISTIC) psa_algorithm_t psa_sig_md = - PSA_ALG_DETERMINISTIC_ECDSA( mbedtls_hash_info_psa_from_md( md_alg ) ); + PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_hash_info_psa_from_md(md_alg)); #else psa_algorithm_t psa_sig_md = - PSA_ALG_ECDSA( mbedtls_hash_info_psa_from_md( md_alg ) ); + PSA_ALG_ECDSA(mbedtls_hash_info_psa_from_md(md_alg)); #endif size_t curve_bits; psa_ecc_family_t curve = - mbedtls_ecc_group_to_psa( ctx->grp.id, &curve_bits ); + mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits); size_t key_len = PSA_BITS_TO_BYTES(curve_bits); /* PSA has its own RNG */ @@ -897,10 +897,10 @@ static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, } if (key_len > sizeof(buf)) { - return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED ); + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } ret = mbedtls_mpi_write_binary(&ctx->d, buf, key_len); - if( ret != 0 ) { + if (ret != 0) { goto cleanup; } From 5c032b5e1bd3b072bc4d54be2f3db1f95eb5a78b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 2 Feb 2023 15:10:32 +0100 Subject: [PATCH 027/250] pk_wrap: fix comment in ecdsa_verify_wrap Signed-off-by: Valerio Setti --- library/pk_wrap.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 2a71bd8529..7f266d23d7 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -689,9 +689,11 @@ static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_status_t status; size_t key_len; - /* This buffer contains first the public key (consisting of two public - * points plus a header byte), then the signature (consisting of two - * public points). Size it for the public key which is one byte larger. */ + /* This buffer will initially contain the public key and then the signature + * but at different points in time. For all curves except secp224k1, which + * is not currently supported in PSA, the public key is one byte longer + * (header byte + 2 numbers, while the signature is only 2 numbers), + * so use that as the buffer size. */ unsigned char buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; unsigned char *p; psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY; From a1e3e3a28fe404c2e166f6095844d75718b1800f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 2 Feb 2023 15:21:48 +0100 Subject: [PATCH 028/250] test: pk: keep PK_WRITE_C only in RSA tests Signed-off-by: Valerio Setti --- tests/suites/test_suite_pk.data | 2 +- tests/suites/test_suite_pk.function | 41 ++++++++++++++++++++++++++--- 2 files changed, 39 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 531a2f1e0f..01d8d2dc08 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -618,7 +618,7 @@ depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_DP_BP512R1_ENABLED pk_psa_sign:MBEDTLS_ECP_DP_BP512R1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):512 PSA wrapped sign: RSA PKCS1 v1.5 -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_GENPRIME:MBEDTLS_PK_WRITE_C pk_psa_sign:1024:PSA_KEY_TYPE_RSA_KEY_PAIR:1024 PK Sign ext:RSA2048,PK_RSA,MD_SHA256 diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 9ec354eed1..f124c9a5f8 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -1182,7 +1182,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PK_WRITE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO */ void pk_psa_sign(int parameter_arg, int psa_type_arg, int expected_bits_arg) { @@ -1242,12 +1242,22 @@ void pk_psa_sign(int parameter_arg, } /* Export underlying public key for re-importing in a legacy context. */ +#if defined(MBEDTLS_PK_WRITE_C) ret = mbedtls_pk_write_pubkey_der(&pk, pkey_legacy, sizeof(pkey_legacy)); TEST_ASSERT(ret >= 0); klen_legacy = (size_t) ret; /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */ pkey_legacy_start = pkey_legacy + sizeof(pkey_legacy) - klen_legacy; +#else + ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec(pk)->grp), + &(mbedtls_pk_ec(pk)->Q), + MBEDTLS_ECP_PF_UNCOMPRESSED, + &klen_legacy, pkey_legacy, + sizeof(pkey_legacy)); + TEST_EQUAL(ret, 0); + pkey_legacy_start = pkey_legacy; +#endif /* MBEDTLS_PK_WRITE_C */ /* Turn PK context into an opaque one. */ TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&pk, &key_id, alg_psa, @@ -1268,12 +1278,21 @@ void pk_psa_sign(int parameter_arg, NULL, NULL) == 0); /* Export underlying public key for re-importing in a psa context. */ +#if defined(MBEDTLS_PK_WRITE_C) ret = mbedtls_pk_write_pubkey_der(&pk, pkey_psa, sizeof(pkey_psa)); TEST_ASSERT(ret >= 0); klen_psa = (size_t) ret; /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */ pkey_psa_start = pkey_psa + sizeof(pkey_psa) - klen_psa; +#else + psa_status_t status; + + status = psa_export_public_key(key_id, pkey_psa, sizeof(pkey_psa), + &klen_psa); + TEST_EQUAL(status, PSA_SUCCESS); + pkey_psa_start = pkey_psa; +#endif /* MBEDTLS_PK_WRITE_C */ TEST_ASSERT(klen_psa == klen_legacy); TEST_ASSERT(memcmp(pkey_psa_start, pkey_legacy_start, klen_psa) == 0); @@ -1282,8 +1301,24 @@ void pk_psa_sign(int parameter_arg, TEST_ASSERT(PSA_SUCCESS == psa_destroy_key(key_id)); mbedtls_pk_init(&pk); - TEST_ASSERT(mbedtls_pk_parse_public_key(&pk, pkey_legacy_start, - klen_legacy) == 0); + + /* If we used "pk_write" previously, then we go for a "pk_parse" here; + * otherwise if we went for "ecp_point_write_binary" then we'll go + * for a "ecp_point_read_binary" here. This allows to drop dependencies + * on "PK_WRITE" and "PK_PARSE" if required */ +#if defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_PK_PARSE_C) + TEST_EQUAL(mbedtls_pk_parse_public_key(&pk, pkey_legacy_start, + klen_legacy), 0); +#else + TEST_EQUAL(mbedtls_pk_setup(&pk, + mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)), 0); + TEST_EQUAL(mbedtls_ecp_group_load( + &(mbedtls_pk_ec(pk)->grp), + (mbedtls_ecp_group_id) parameter_arg), 0); + TEST_EQUAL(mbedtls_ecp_point_read_binary(&(mbedtls_pk_ec(pk)->grp) , + &(mbedtls_pk_ec(pk)->Q), + pkey_legacy_start, klen_legacy), 0); +#endif TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, hash, sizeof(hash), sig, sig_len) == 0); From 683a432a7f99f88a93e52efd47a661ca3f92a0b9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 8 Feb 2023 09:52:40 +0100 Subject: [PATCH 029/250] fix code style Signed-off-by: Valerio Setti --- tests/suites/test_suite_pk.function | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index f124c9a5f8..c252cc664c 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -1251,10 +1251,10 @@ void pk_psa_sign(int parameter_arg, pkey_legacy_start = pkey_legacy + sizeof(pkey_legacy) - klen_legacy; #else ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec(pk)->grp), - &(mbedtls_pk_ec(pk)->Q), - MBEDTLS_ECP_PF_UNCOMPRESSED, - &klen_legacy, pkey_legacy, - sizeof(pkey_legacy)); + &(mbedtls_pk_ec(pk)->Q), + MBEDTLS_ECP_PF_UNCOMPRESSED, + &klen_legacy, pkey_legacy, + sizeof(pkey_legacy)); TEST_EQUAL(ret, 0); pkey_legacy_start = pkey_legacy; #endif /* MBEDTLS_PK_WRITE_C */ @@ -1289,7 +1289,7 @@ void pk_psa_sign(int parameter_arg, psa_status_t status; status = psa_export_public_key(key_id, pkey_psa, sizeof(pkey_psa), - &klen_psa); + &klen_psa); TEST_EQUAL(status, PSA_SUCCESS); pkey_psa_start = pkey_psa; #endif /* MBEDTLS_PK_WRITE_C */ @@ -1308,16 +1308,16 @@ void pk_psa_sign(int parameter_arg, * on "PK_WRITE" and "PK_PARSE" if required */ #if defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_PK_PARSE_C) TEST_EQUAL(mbedtls_pk_parse_public_key(&pk, pkey_legacy_start, - klen_legacy), 0); + klen_legacy), 0); #else TEST_EQUAL(mbedtls_pk_setup(&pk, - mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)), 0); + mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)), 0); TEST_EQUAL(mbedtls_ecp_group_load( - &(mbedtls_pk_ec(pk)->grp), - (mbedtls_ecp_group_id) parameter_arg), 0); - TEST_EQUAL(mbedtls_ecp_point_read_binary(&(mbedtls_pk_ec(pk)->grp) , - &(mbedtls_pk_ec(pk)->Q), - pkey_legacy_start, klen_legacy), 0); + &(mbedtls_pk_ec(pk)->grp), + (mbedtls_ecp_group_id) parameter_arg), 0); + TEST_EQUAL(mbedtls_ecp_point_read_binary(&(mbedtls_pk_ec(pk)->grp), + &(mbedtls_pk_ec(pk)->Q), + pkey_legacy_start, klen_legacy), 0); #endif TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, hash, sizeof(hash), sig, sig_len) == 0); From 80d0798ae89316bb78e8fa41934c455d5a781c9d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 8 Feb 2023 13:49:17 +0100 Subject: [PATCH 030/250] pk_wrap: use new macros for ECDSA capabilities Signed-off-by: Valerio Setti --- library/pk_wrap.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 7f266d23d7..378c36833a 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -45,7 +45,7 @@ #include "mbedtls/psa_util.h" #include "hash_info.h" -#if defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) #include "mbedtls/asn1write.h" #include "mbedtls/asn1.h" #endif @@ -950,8 +950,7 @@ static int ecdsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg, #endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ -#if defined(MBEDTLS_ECDSA_C) -#if defined(MBEDTLS_ECP_RESTARTABLE) +#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) /* Forward declarations */ static int ecdsa_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, @@ -1057,8 +1056,7 @@ static int eckey_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg, cleanup: return ret; } -#endif /* MBEDTLS_ECP_RESTARTABLE */ -#endif /* MBEDTLS_ECDSA_C */ +#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */ static int eckey_check_pair(const void *pub, const void *prv, int (*f_rng)(void *, unsigned char *, size_t), From a4e1eece3d097667f7ed132c679e400927d7c2a3 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Fri, 10 Feb 2023 10:55:29 +0800 Subject: [PATCH 031/250] print skipped file names to stdout Signed-off-by: Pengyu Lv --- scripts/code_style.py | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/scripts/code_style.py b/scripts/code_style.py index 61b1ab0e6b..85008bec1c 100755 --- a/scripts/code_style.py +++ b/scripts/code_style.py @@ -33,15 +33,12 @@ CHECK_GENERATED_FILES = "tests/scripts/check-generated-files.sh" def print_err(*args): print("Error: ", *args, file=sys.stderr) -def print_warn(*args): - print("Warn:", *args, file=sys.stderr) - # Print the file names that will be skipped and the help message def print_skip(files_to_skip): print() print(*files_to_skip, sep=", SKIP\n", end=", SKIP\n") - print_warn("The listed files will be skipped because\n" - "they are not included in the default list.") + print("Warn: The listed files will be skipped because\n" + "they are not included in the default list.") print() # Match FILENAME(s) in "check SCRIPT (FILENAME...)" From b10cf0dd3980a435a8f1d424fd24260748aadcad Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Fri, 10 Feb 2023 11:06:36 +0800 Subject: [PATCH 032/250] adjust help message Signed-off-by: Pengyu Lv --- scripts/code_style.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/code_style.py b/scripts/code_style.py index 85008bec1c..65c9cccfb3 100755 --- a/scripts/code_style.py +++ b/scripts/code_style.py @@ -184,9 +184,10 @@ def main() -> int: '(default: print diff, do not modify files)')) parser.add_argument('--subset', action='store_true', help=('check a subset of the files known to git ' - '(default: empty FILE means full set)')) + '(default: check all files passed as arguments, ' + 'known to git or not)')) parser.add_argument('operands', nargs='*', metavar='FILE', - help='files to check') + help='files to check (if none: check files that are known to git)') args = parser.parse_args() From 512818b1d2173e0ea906316075a6e01fd1654fac Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Sun, 27 Nov 2022 22:48:55 -0500 Subject: [PATCH 033/250] pkcs7: check that content lengths fill whole buffer Otherwise invalid data could be accepted. Signed-off-by: Demi Marie Obenour Signed-off-by: Dave Rodgman --- library/pkcs7.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/pkcs7.c b/library/pkcs7.c index 4fdbe36288..ec5d569aa8 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -58,6 +58,9 @@ static int pkcs7_get_next_content_len(unsigned char **p, unsigned char *end, | MBEDTLS_ASN1_CONTEXT_SPECIFIC); if (ret != 0) { ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret); + } else if ((size_t) (end - *p) != *len) { + ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); } return ret; From aaf3c0028d33262c2707f84ba228d0080eae7396 Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Mon, 28 Nov 2022 00:20:42 -0500 Subject: [PATCH 034/250] pkcs7: do not store content type OID Since only one content type (signed data) is supported, storing the content type just wastes memory. Signed-off-by: Demi Marie Obenour --- include/mbedtls/pkcs7.h | 1 - library/pkcs7.c | 55 +++++++++++++++++++++-------------------- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 5ddd5a3d71..f354db629e 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -165,7 +165,6 @@ mbedtls_pkcs7_signed_data; */ typedef struct mbedtls_pkcs7 { mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw); - mbedtls_pkcs7_buf MBEDTLS_PRIVATE(content_type_oid); mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data); } mbedtls_pkcs7; diff --git a/library/pkcs7.c b/library/pkcs7.c index ec5d569aa8..398c0c8264 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -556,7 +556,6 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf, unsigned char *end, *end_content_info; size_t len = 0; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - int isoidset = 0; if (pkcs7 == NULL) { return MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; @@ -572,34 +571,42 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf, pkcs7->raw.len = buflen; end = p + buflen; - ret = pkcs7_get_content_info_type(&p, end, &end_content_info, - &pkcs7->content_type_oid); + ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE); if (ret != 0) { + ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret); + goto out; + } + + if ((size_t) (end - p) != len) { + ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); + goto out; + } + + if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) { + if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { + goto out; + } + p = pkcs7->raw.p; len = buflen; goto try_data; } - /* Ensure PKCS7 data uses the exact number of bytes specified in buflen */ - if (end_content_info != end) { - ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; + if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_SIGNED_DATA, p, len)) { + if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_DATA, p, len) + || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, p, len) + || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_ENVELOPED_DATA, p, len) + || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, p, len) + || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_DIGESTED_DATA, p, len)) { + ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; + } else { + ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; + } goto out; } - if (!MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &pkcs7->content_type_oid) - || !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_ENVELOPED_DATA, &pkcs7->content_type_oid) - || !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, &pkcs7->content_type_oid) - || !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DIGESTED_DATA, &pkcs7->content_type_oid) - || !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, &pkcs7->content_type_oid)) { - ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; - goto out; - } - - if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_SIGNED_DATA, &pkcs7->content_type_oid)) { - ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; - goto out; - } - - isoidset = 1; + p += len; ret = pkcs7_get_next_content_len(&p, end, &len); if (ret != 0) { @@ -618,12 +625,6 @@ try_data: goto out; } - if (!isoidset) { - pkcs7->content_type_oid.tag = MBEDTLS_ASN1_OID; - pkcs7->content_type_oid.len = MBEDTLS_OID_SIZE(MBEDTLS_OID_PKCS7_SIGNED_DATA); - pkcs7->content_type_oid.p = (unsigned char *) MBEDTLS_OID_PKCS7_SIGNED_DATA; - } - ret = MBEDTLS_PKCS7_SIGNED_DATA; out: From 4ec835579509200b77864cec72a5f7324bfa491d Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Mon, 28 Nov 2022 00:23:00 -0500 Subject: [PATCH 035/250] Check for junk after SignedData There must not be any. Signed-off-by: Demi Marie Obenour --- library/pkcs7.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 398c0c8264..5d470dc15d 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -457,7 +457,7 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, { unsigned char *p = buf; unsigned char *end = buf + buflen; - unsigned char *end_set, *end_content_info; + unsigned char *end_content_info; size_t len = 0; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_alg; @@ -468,16 +468,19 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret); } - end_set = p + len; + if (p + len != end) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); + } /* Get version of signed data */ - ret = pkcs7_get_version(&p, end_set, &signed_data->version); + ret = pkcs7_get_version(&p, end, &signed_data->version); if (ret != 0) { return ret; } /* Get digest algorithm */ - ret = pkcs7_get_digest_algorithm_set(&p, end_set, + ret = pkcs7_get_digest_algorithm_set(&p, end, &signed_data->digest_alg_identifiers); if (ret != 0) { return ret; @@ -518,7 +521,7 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, /* Look for certificates, there may or may not be any */ mbedtls_x509_crt_init(&signed_data->certs); - ret = pkcs7_get_certificates(&p, end_set, &signed_data->certs); + ret = pkcs7_get_certificates(&p, end, &signed_data->certs); if (ret < 0) { return ret; } @@ -534,7 +537,7 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, signed_data->no_of_crls = 0; /* Get signers info */ - ret = pkcs7_get_signers_info_set(&p, end_set, &signed_data->signers); + ret = pkcs7_get_signers_info_set(&p, end, &signed_data->signers); if (ret < 0) { return ret; } @@ -553,7 +556,7 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf, const size_t buflen) { unsigned char *p; - unsigned char *end, *end_content_info; + unsigned char *end; size_t len = 0; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; From 55d9df25ef63c8a6e5ad7d9bdfd47f38b7fa303c Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Mon, 28 Nov 2022 00:29:32 -0500 Subject: [PATCH 036/250] Simple cleanup No change in behavior. Signed-off-by: Demi Marie Obenour --- library/pkcs7.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 5d470dc15d..39d9f8f20b 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -216,12 +216,11 @@ static int pkcs7_get_certificates(unsigned char **p, unsigned char *end, return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; } - *p = start; - if ((ret = mbedtls_x509_crt_parse_der(certs, *p, len1)) < 0) { + if ((ret = mbedtls_x509_crt_parse_der(certs, start, len1)) < 0) { return MBEDTLS_ERR_PKCS7_INVALID_CERT; } - *p = *p + len1; + *p = end_cert; /* * Since in this version we strictly support single certificate, and reaching From e373a254c42b661f50794250634a90554c3b95c0 Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Tue, 13 Dec 2022 23:50:03 -0500 Subject: [PATCH 037/250] pkcs7: do not store content type OIDs They will always be constant. Signed-off-by: Demi Marie Obenour --- include/mbedtls/pkcs7.h | 1 - library/pkcs7.c | 12 +++++------- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index f354db629e..fb24604d00 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -139,7 +139,6 @@ mbedtls_pkcs7_signer_info; * Structure holding attached data as part of PKCS7 signed data format */ typedef struct mbedtls_pkcs7_data { - mbedtls_pkcs7_buf MBEDTLS_PRIVATE(oid); mbedtls_pkcs7_buf MBEDTLS_PRIVATE(data); } mbedtls_pkcs7_data; diff --git a/library/pkcs7.c b/library/pkcs7.c index 39d9f8f20b..9ef76089a8 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -490,12 +490,14 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, return MBEDTLS_ERR_PKCS7_INVALID_ALG; } - /* Do not expect any content */ - ret = pkcs7_get_content_info_type(&p, end_set, &end_content_info, - &signed_data->content.oid); + mbedtls_pkcs7_buf content_type; + ret = pkcs7_get_content_info_type(&p, end, &end_content_info, &content_type); if (ret != 0) { return ret; } + if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) { + return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO; + } if (p != end_content_info) { /* Determine if valid content is present */ @@ -514,10 +516,6 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; } - if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &signed_data->content.oid)) { - return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO; - } - /* Look for certificates, there may or may not be any */ mbedtls_x509_crt_init(&signed_data->certs); ret = pkcs7_get_certificates(&p, end, &signed_data->certs); From 6cfc4692961ba808d801ab2ffbf6e076523ccac0 Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Mon, 28 Nov 2022 00:46:00 -0500 Subject: [PATCH 038/250] pkcs7: reject signatures with internal data A CMS signature can have internal data, but mbedTLS does not support verifying such signatures. Reject them during parsing. Signed-off-by: Demi Marie Obenour Signed-off-by: Dave Rodgman --- include/mbedtls/pkcs7.h | 31 ++++++++++++------------------- library/pkcs7.c | 25 ++++++++++++++++--------- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index fb24604d00..126eac4228 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -135,21 +135,12 @@ typedef struct mbedtls_pkcs7_signer_info { } mbedtls_pkcs7_signer_info; -/** - * Structure holding attached data as part of PKCS7 signed data format - */ -typedef struct mbedtls_pkcs7_data { - mbedtls_pkcs7_buf MBEDTLS_PRIVATE(data); -} -mbedtls_pkcs7_data; - /** * Structure holding the signed data section */ typedef struct mbedtls_pkcs7_signed_data { int MBEDTLS_PRIVATE(version); mbedtls_pkcs7_buf MBEDTLS_PRIVATE(digest_alg_identifiers); - struct mbedtls_pkcs7_data MBEDTLS_PRIVATE(content); int MBEDTLS_PRIVATE(no_of_certs); mbedtls_x509_crt MBEDTLS_PRIVATE(certs); int MBEDTLS_PRIVATE(no_of_crls); @@ -176,7 +167,7 @@ mbedtls_pkcs7; void mbedtls_pkcs7_init(mbedtls_pkcs7 *pkcs7); /** - * \brief Parse a single DER formatted pkcs7 content. + * \brief Parse a single DER formatted pkcs7 detached signature. * * \param pkcs7 The pkcs7 structure to be filled by parser for the output. * \param buf The buffer holding only the DER encoded pkcs7. @@ -186,6 +177,7 @@ void mbedtls_pkcs7_init(mbedtls_pkcs7 *pkcs7); * \note This function makes an internal copy of the PKCS7 buffer * \p buf. In particular, \p buf may be destroyed or reused * after this call returns. + * \note Signatures with internal data are not supported. * * \return The \c mbedtls_pkcs7_type of \p buf, if successful. * \return A negative error code on failure. @@ -205,7 +197,8 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf, * matches. * * This function does not use the certificates held within the - * PKCS7 structure itself. + * PKCS7 structure itself, and does not check that the + * certificate is signed by a trusted certification authority. * * \param pkcs7 PKCS7 structure containing signature. * \param cert Certificate containing key to verify signature. @@ -226,15 +219,15 @@ int mbedtls_pkcs7_signed_data_verify(mbedtls_pkcs7 *pkcs7, * \brief Verification of PKCS7 signature against a caller-supplied * certificate. * - * For each signer in the PKCS structure, this function computes - * a signature over the supplied hash, using the supplied - * certificate and the same digest algorithm as specified by the - * signer. It then compares this signature against the - * signer's signature; verification succeeds if any comparison - * matches. + * For each signer in the PKCS structure, this function + * validates a signature over the supplied hash, using the + * supplied certificate and the same digest algorithm as + * specified by the signer. Verification succeeds if any + * signature is good. * * This function does not use the certificates held within the - * PKCS7 structure itself. + * PKCS7 structure itself, and does not check that the + * certificate is signed by a trusted certification authority. * * \param pkcs7 PKCS7 structure containing signature. * \param cert Certificate containing key to verify signature. @@ -242,7 +235,7 @@ int mbedtls_pkcs7_signed_data_verify(mbedtls_pkcs7 *pkcs7, * \param hashlen Length of the hash. * * \note This function is different from mbedtls_pkcs7_signed_data_verify() - * in a way that it directly receives the hash of the data. + * in that it is directly passed the hash of the data. * * \return 0 if the signature verifies, or a negative error code on failure. */ diff --git a/library/pkcs7.c b/library/pkcs7.c index 9ef76089a8..fbe959ef2e 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -57,9 +57,9 @@ static int pkcs7_get_next_content_len(unsigned char **p, unsigned char *end, ret = mbedtls_asn1_get_tag(p, end, len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC); if (ret != 0) { - ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret); + ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret); } else if ((size_t) (end - *p) != *len) { - ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, + ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); } @@ -187,13 +187,13 @@ static int pkcs7_get_certificates(unsigned char **p, unsigned char *end, size_t len2 = 0; unsigned char *end_set, *end_cert, *start; - if ((ret = mbedtls_asn1_get_tag(p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED - | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) != 0) { - if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { - return 0; - } else { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret); - } + ret = mbedtls_asn1_get_tag(p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_CONTEXT_SPECIFIC); + if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { + return 0; + } + if (ret != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret); } start = *p; end_set = *p + len1; @@ -716,11 +716,15 @@ static int mbedtls_pkcs7_data_or_hash_verify(mbedtls_pkcs7 *pkcs7, return ret; } + int mbedtls_pkcs7_signed_data_verify(mbedtls_pkcs7 *pkcs7, const mbedtls_x509_crt *cert, const unsigned char *data, size_t datalen) { + if (data == NULL) { + return MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; + } return mbedtls_pkcs7_data_or_hash_verify(pkcs7, cert, data, datalen, 0); } @@ -729,6 +733,9 @@ int mbedtls_pkcs7_signed_hash_verify(mbedtls_pkcs7 *pkcs7, const unsigned char *hash, size_t hashlen) { + if (hash == NULL) { + return MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; + } return mbedtls_pkcs7_data_or_hash_verify(pkcs7, cert, hash, hashlen, 1); } From 35598adb781c71b93b400bff9fc7f5b7c1e957c7 Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Wed, 30 Nov 2022 02:06:07 -0500 Subject: [PATCH 039/250] pkcs7: Check that hash algs are in digestAlgorithms Since only a single hash algorithm is currenlty supported, this avoids having to perform hashing more than once. Signed-off-by: Demi Marie Obenour --- library/pkcs7.c | 96 +++++++++++++++++++++++++++---------------------- 1 file changed, 53 insertions(+), 43 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index fbe959ef2e..36e1960e99 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -287,7 +287,8 @@ static void pkcs7_free_signer_info(mbedtls_pkcs7_signer_info *signer) * and unauthenticatedAttributes. **/ static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end, - mbedtls_pkcs7_signer_info *signer) + mbedtls_pkcs7_signer_info *signer, + mbedtls_x509_buf *alg) { unsigned char *end_signer, *end_issuer_and_sn; int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -345,8 +346,15 @@ static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end, goto out; } - /* Assume authenticatedAttributes is nonexistent */ + /* Check that the digest algorithm used matches the one provided earlier */ + if (signer->alg_identifier.tag != alg->tag || + signer->alg_identifier.len != alg->len || + memcmp(signer->alg_identifier.p, alg->p, alg->len) != 0) { + ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO; + goto out; + } + /* Asssume authenticatedAttributes is nonexistent */ ret = pkcs7_get_digest_algorithm(p, end_signer, &signer->sig_alg_identifier); if (ret != 0) { goto out; @@ -379,7 +387,8 @@ out: * Return negative error code for failure. **/ static int pkcs7_get_signers_info_set(unsigned char **p, unsigned char *end, - mbedtls_pkcs7_signer_info *signers_set) + mbedtls_pkcs7_signer_info *signers_set, + mbedtls_x509_buf *digest_alg) { unsigned char *end_set; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -399,7 +408,7 @@ static int pkcs7_get_signers_info_set(unsigned char **p, unsigned char *end, end_set = *p + len; - ret = pkcs7_get_signer_info(p, end_set, signers_set); + ret = pkcs7_get_signer_info(p, end_set, signers_set, digest_alg); if (ret != 0) { return ret; } @@ -414,7 +423,7 @@ static int pkcs7_get_signers_info_set(unsigned char **p, unsigned char *end, goto cleanup; } - ret = pkcs7_get_signer_info(p, end_set, signer); + ret = pkcs7_get_signer_info(p, end_set, signer, digest_alg); if (ret != 0) { mbedtls_free(signer); goto cleanup; @@ -534,7 +543,10 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, signed_data->no_of_crls = 0; /* Get signers info */ - ret = pkcs7_get_signers_info_set(&p, end, &signed_data->signers); + ret = pkcs7_get_signers_info_set(&p, + end, + &signed_data->signers, + &signed_data->digest_alg_identifiers); if (ret < 0) { return ret; } @@ -657,6 +669,39 @@ static int mbedtls_pkcs7_data_or_hash_verify(mbedtls_pkcs7 *pkcs7, return MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID; } + ret = mbedtls_oid_get_md_alg(&pkcs7->signed_data.digest_alg_identifiers, &md_alg); + if (ret != 0) { + return ret; + } + + md_info = mbedtls_md_info_from_type(md_alg); + if (md_info == NULL) { + return MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + } + + hash = mbedtls_calloc(mbedtls_md_get_size(md_info), 1); + if (hash == NULL) { + return MBEDTLS_ERR_PKCS7_ALLOC_FAILED; + } + /* BEGIN must free hash before jumping out */ + + if (is_data_hash) { + if (datalen != mbedtls_md_get_size(md_info)) { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + } else { + memcpy(hash, data, datalen); + } + } else { + ret = mbedtls_md(md_info, data, datalen, hash); + } + if (ret != 0) { + mbedtls_free(hash); + return MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + } + + /* assume failure */ + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + /* * Potential TODOs * Currently we iterate over all signers and return success if any of them @@ -666,54 +711,19 @@ static int mbedtls_pkcs7_data_or_hash_verify(mbedtls_pkcs7 *pkcs7, * identification and SignerIdentifier fields first. That would also allow * us to distinguish between 'no signature for key' and 'signature for key * failed to validate'. - * - * We could also cache hashes by md, so if there are several sigs all using - * the same algo we don't recalculate the hash each time. */ for (signer = &pkcs7->signed_data.signers; signer; signer = signer->next) { - ret = mbedtls_oid_get_md_alg(&signer->alg_identifier, &md_alg); - if (ret != 0) { - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - continue; - } - - md_info = mbedtls_md_info_from_type(md_alg); - if (md_info == NULL) { - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - continue; - } - - hash = mbedtls_calloc(mbedtls_md_get_size(md_info), 1); - if (hash == NULL) { - return MBEDTLS_ERR_PKCS7_ALLOC_FAILED; - } - /* BEGIN must free hash before jumping out */ - if (is_data_hash) { - if (datalen != mbedtls_md_get_size(md_info)) { - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - } else { - memcpy(hash, data, datalen); - } - } else { - ret = mbedtls_md(md_info, data, datalen, hash); - } - if (ret != 0) { - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - mbedtls_free(hash); - continue; - } - ret = mbedtls_pk_verify(&pk_cxt, md_alg, hash, mbedtls_md_get_size(md_info), signer->sig.p, signer->sig.len); - mbedtls_free(hash); - /* END must free hash before jumping out */ if (ret == 0) { break; } } + mbedtls_free(hash); + /* END must free hash before jumping out */ return ret; } From f691268ee9dc298325ea83e133e8a76cf4c1ddc9 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 9 Feb 2023 17:55:41 +0000 Subject: [PATCH 040/250] Add missing initialisers Signed-off-by: Dave Rodgman --- library/pkcs7.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 36e1960e99..60d1175289 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -465,7 +465,7 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, { unsigned char *p = buf; unsigned char *end = buf + buflen; - unsigned char *end_content_info; + unsigned char *end_content_info = NULL; size_t len = 0; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_alg; @@ -500,6 +500,7 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, } mbedtls_pkcs7_buf content_type; + memset(&content_type, 0, sizeof(content_type)); ret = pkcs7_get_content_info_type(&p, end, &end_content_info, &content_type); if (ret != 0) { return ret; From b2783f66b505cc62634ea6a5f92114fb5d90ffab Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 13 Feb 2023 18:03:25 +0800 Subject: [PATCH 041/250] fix typo issue The error message is wrong Signed-off-by: Jerry Yu --- library/aesce.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/aesce.c b/library/aesce.c index e6b675a3d2..18322a62a6 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -28,14 +28,14 @@ #if defined(__clang__) # if __clang_major__ < 4 -# error "A more recent Clang is required for MBEDTLS_AES_C" +# error "A more recent Clang is required for MBEDTLS_AESCE_C" # endif #elif defined(__GNUC__) # if __GNUC__ < 6 -# error "A more recent GCC is required for MBEDTLS_AES_C" +# error "A more recent GCC is required for MBEDTLS_AESCE_C" # endif #else -# error "Only GCC and Clang supported for MBEDTLS_AES_C" +# error "Only GCC and Clang supported for MBEDTLS_AESCE_C" #endif #if !defined(__ARM_FEATURE_CRYPTO) From 7a05fab716d798275f8815faa193e080773fde19 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 13 Feb 2023 10:03:07 -0500 Subject: [PATCH 042/250] Added the uniformResourceIdentifier subtype for the subjectAltName. Co-authored-by: Hannes Tschofenig Signed-off-by: Andrzej Kurek --- include/mbedtls/x509.h | 6 ++--- include/mbedtls/x509_crt.h | 2 +- library/x509.c | 32 +++++++++++++++++++++-- tests/data_files/Makefile | 6 +++++ tests/data_files/rsa_multiple_san_uri.crt | 22 ++++++++++++++++ tests/data_files/rsa_single_san_uri.crt | 21 +++++++++++++++ tests/suites/test_suite_x509parse.data | 8 ++++++ 7 files changed, 91 insertions(+), 6 deletions(-) create mode 100644 tests/data_files/rsa_multiple_san_uri.crt create mode 100644 tests/data_files/rsa_single_san_uri.crt diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index aa1cd084ee..bf1f94a738 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -294,7 +294,7 @@ typedef struct mbedtls_x509_subject_alternative_name { int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */ union { mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */ - mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */ + mbedtls_x509_buf unstructured_name; /**< The buffer for the unconstructed types. Only dnsName and uniformResourceIdentifier currently supported */ */ } san; /**< A union of the supported SAN types */ } @@ -385,8 +385,8 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from); * \param san The target structure to populate with the parsed presentation * of the subject alternative name encoded in \p san_raw. * - * \note Only "dnsName" and "otherName" of type hardware_module_name - * as defined in RFC 4180 is supported. + * \note Only "dnsName", "uniformResourceIdentifier" and "otherName", + * as defined in RFC 5280, is supported. * * \note This function should be called on a single raw data of * subject alternative name. For example, after successful diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 187e60aac8..036282f7c9 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -76,7 +76,7 @@ typedef struct mbedtls_x509_crt { mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */ - mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */ + mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier and OtherName are listed). */ mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */ diff --git a/library/x509.c b/library/x509.c index 2865c2ef11..9f0dc6253b 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1227,8 +1227,8 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name, * nameAssigner [0] DirectoryString OPTIONAL, * partyName [1] DirectoryString } * - * NOTE: we list all types, but only use dNSName and otherName - * of type HwModuleName, as defined in RFC 4108, at this point. + * NOTE: we list all types, but only use "dnsName", "otherName" and + * "uniformResourceIdentifier", as defined in RFC 5280, at this point. */ int mbedtls_x509_get_subject_alt_name(unsigned char **p, const unsigned char *end, @@ -1397,7 +1397,19 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, } break; + /* + * uniformResourceIdentifier + */ + case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER): + { + memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name)); + san->type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER; + memcpy(&san->san.unstructured_name, + san_buf, sizeof(*san_buf)); + + } + break; /* * dNSName */ @@ -1488,7 +1500,23 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, }/* MBEDTLS_OID_ON_HW_MODULE_NAME */ } break; + /* + * uniformResourceIdentifier + */ + case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER: + { + ret = mbedtls_snprintf(p, n, "\n%s uniformResourceIdentifier : ", prefix); + MBEDTLS_X509_SAFE_SNPRINTF; + if (san.san.unstructured_name.len >= n) { + *p = '\0'; + return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; + } + memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len); + p += san.san.unstructured_name.len; + n -= san.san.unstructured_name.len; + } + break; /* * dNSName */ diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 070f538fe8..7b97eea729 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -365,6 +365,12 @@ rsa_pkcs8_2048_public.der: rsa_pkcs8_2048_public.pem $(OPENSSL) rsa -pubin -in $< -outform DER -pubout -out $@ all_final += rsa_pkcs8_2048_public.der +rsa_single_san_uri.crt: rsa_single_san_uri.key + $(OPENSSL) req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout $< -out $@ -addext "subjectAltName = URI:urn:example.com:5ff40f78-9210-494f-8206-c2c082f0609c" -extensions 'v3_req' -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS URI SAN" + +rsa_multiple_san_uri.crt: rsa_multiple_san_uri.key + $(OPENSSL) req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout $< -out $@ -addext "subjectAltName = URI:urn:example.com:5ff40f78-9210-494f-8206-c2c082f0609c, URI:urn:example.com:5ff40f78-9210-494f-8206-abcde1234567" -extensions 'v3_req' -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS URI SAN" + ################################################################ #### Generate various RSA keys ################################################################ diff --git a/tests/data_files/rsa_multiple_san_uri.crt b/tests/data_files/rsa_multiple_san_uri.crt new file mode 100644 index 0000000000..ceda8f2c5d --- /dev/null +++ b/tests/data_files/rsa_multiple_san_uri.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtjCCAp6gAwIBAgIULxROma15QuBZpLSG3KZTtcrOX0AwDQYJKoZIhvcNAQEL +BQAwOzELMAkGA1UEBhMCVUsxETAPBgNVBAoMCE1iZWQgVExTMRkwFwYDVQQDDBBN +YmVkIFRMUyBVUkkgU0FOMB4XDTIyMTIyODA4Mzc0NloXDTQyMTIyMzA4Mzc0Nlow +OzELMAkGA1UEBhMCVUsxETAPBgNVBAoMCE1iZWQgVExTMRkwFwYDVQQDDBBNYmVk +IFRMUyBVUkkgU0FOMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3poS +TQijviHqJNAdKXN0FJMfgLsP9JZuLJczG0MAQsLaB6jHEdH/mrL3Q/1qZv6I6+5E +O5mN0fe8V9THT+OzAaxg8SwWvbog94iReK4OvNqbHEHSKZ0Ej2UHsAYBc/y/xzvJ +UD5QcbjF4g6udumddqA4/MqOSM9KUDufD6rbGhTW2zW8Z/teFW6Y7ucIcyYbS10E +T+P00ZoQbXGSzdddMy/sF+1YxsENniKUQhooIpNxX/lSCHe/CHMFfaj9HPyJE3ke +4rZtUAK1rfSmltfbRl7XQdaB1HLQA/oP+sPWp231mp9jhO2DEMYmHQcRREl/0Zrg +6RKyyIWJabtaF0pPCQIDAQABo4GxMIGuMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXg +MHUGA1UdEQRuMGyGNHVybjpleGFtcGxlLmNvbTo1ZmY0MGY3OC05MjEwLTQ5NGYt +ODIwNi1jMmMwODJmMDYwOWOGNHVybjpleGFtcGxlLmNvbTo1ZmY0MGY3OC05MjEw +LTQ5NGYtODIwNi1hYmNkZTEyMzQ1NjcwHQYDVR0OBBYEFKmGzddKZIFyozb1WrKj +2GXUOg3WMA0GCSqGSIb3DQEBCwUAA4IBAQAV3+vEBnTFcvxSnMSQmNXuSWPaomed +eoT7p5mbdKBiHGv/XoAaAF/WJUGz3dLKtfg0fPOIDPI/Diuyx2eaVHHzPYRW++W0 +wdx1VyAEfTnPexutol5hYMaSonr6wp6V509utwfXAYm8iMMAcHOpljgiGznY5DoB +5qykEAt1Y9jsjhf1Ih/7Q6rVc3I+w8AG5nrJ56MZQBjdOa6xV+8++RJwzuhiSb8E +iDEccpYkfrOOsMl5UZIsSm2BtWp4CRSigWgmN+LSpIfm/zYVYoQYrkjdWx3YhGVB ++xWW1Q/UQhQYtJ8vw9xw/vYWTVWaQDdA22d9XNxLakzwhPDX1OOCJJNy +-----END CERTIFICATE----- diff --git a/tests/data_files/rsa_single_san_uri.crt b/tests/data_files/rsa_single_san_uri.crt new file mode 100644 index 0000000000..0c5b1ca6eb --- /dev/null +++ b/tests/data_files/rsa_single_san_uri.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDfjCCAmagAwIBAgIUWWuPuKBmp/e7Jt4G3JAjp97z0NkwDQYJKoZIhvcNAQEL +BQAwOzELMAkGA1UEBhMCVUsxETAPBgNVBAoMCE1iZWQgVExTMRkwFwYDVQQDDBBN +YmVkIFRMUyBVUkkgU0FOMB4XDTIyMTIyNzE3MDUwMVoXDTQyMTIyMjE3MDUwMVow +OzELMAkGA1UEBhMCVUsxETAPBgNVBAoMCE1iZWQgVExTMRkwFwYDVQQDDBBNYmVk +IFRMUyBVUkkgU0FOMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAigYQ +brVSGf/AyTscC8GSiXPnl0PpJzwvQe0c2oVhX/GB8F++m9FT4msoc6i50KNmcuCO +l52w0lY1+XWkm6+FoqeOm5Vfj2fLrsDed2jomI6T5n68QOtbWZNluCbBbDpnAZbo +QCUwHHjrPSc8h76kxEbX7luPOUaG6cyN/eG+HPY6XLRxDUbqFl9q/WsVkAfm5jO5 +7Oa3j4NfnIbFyuHbQXCmCdBq+4sLW3eKAvp2PyKvB601evOMtmUoX4SrWBTI/rfS +8Z6DqJN+V2afOameP/JiuQbc8GvKwOYLRKjdH8bJZ3GUdxTdOAvFhxfUxQIo7aup +nlLGHLdJUPUurV6dywIDAQABo3oweDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DA/ +BgNVHREEODA2hjR1cm46ZXhhbXBsZS5jb206NWZmNDBmNzgtOTIxMC00OTRmLTgy +MDYtYzJjMDgyZjA2MDljMB0GA1UdDgQWBBSDgDX0Y5xPkSAbqVeJ491MzU9jZDAN +BgkqhkiG9w0BAQsFAAOCAQEAFYXiBh3La7vmEj3uTpzGvNBMtJdiXK6C5IgRnARI +5jye0m3AMK9EJEKrE0144PWOKahirxgznCbPPxL86xfC552Wzu2+ARlXBs+XVQnh +c/IQ7NzCw6Pwtg8hFP0Qhjmp4rMvVjbHH8uPBaefx0wDO80f/VOC3xIPqVHA8U9X +Q8+dBPcv1iHaZ8gBx+lTZVaRSzAciNkPFRv5X/GAcnhIWQFBJD0XTlH4SgdsW4O6 +0Oqo4qbHPxPf5zx3ZtX0zG13+/wiPAMvZyjemCMtsentiJt0+a5n+9X3b2lhEq58 +yy5d8aax9EXT5TAguKP7kV1sglSlJcIzmKXb4MCdTYfdfg== +-----END CERTIFICATE----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 98c2ae3528..6edb43b3d4 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -122,6 +122,14 @@ X509 CRT information, Subject Alt Name + Key Usage depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n \n \nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +X509 CRT information, Subject Alt Name with uniformResourceIdentifier +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_cert_info:"data_files/rsa_single_san_uri.crt":"cert. version \: 3\nserial number \: 59\:6B\:8F\:B8\:A0\:66\:A7\:F7\:BB\:26\:DE\:06\:DC\:90\:23\:A7\:DE\:F3\:D0\:D9\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2022-12-27 17\:05\:01\nexpires on \: 2042-12-22 17\:05\:01\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" + +X509 CRT information, Subject Alt Name with two uniformResourceIdentifiers +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_cert_info:"data_files/rsa_multiple_san_uri.crt":"cert. version \: 3\nserial number \: 2F\:14\:4E\:99\:AD\:79\:42\:E0\:59\:A4\:B4\:86\:DC\:A6\:53\:B5\:CA\:CE\:5F\:40\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2022-12-28 08\:37\:46\nexpires on \: 2042-12-23 08\:37\:46\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-abcde1234567\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" + X509 CRT information, RSA Certificate Policy any depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_cert_info:"data_files/test-ca-any_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-03-21 16\:40\:59\nexpires on \: 2029-03-21 16\:40\:59\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n" From 4077372b980ee73203b4d4d7cdec342c7c1565fc Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 5 Jan 2023 10:41:59 -0500 Subject: [PATCH 043/250] Fix SHA requirement for SAN URI tests Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_x509parse.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 6edb43b3d4..4e6c55dbe1 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -123,11 +123,11 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n \n \nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CRT information, Subject Alt Name with uniformResourceIdentifier -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_cert_info:"data_files/rsa_single_san_uri.crt":"cert. version \: 3\nserial number \: 59\:6B\:8F\:B8\:A0\:66\:A7\:F7\:BB\:26\:DE\:06\:DC\:90\:23\:A7\:DE\:F3\:D0\:D9\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2022-12-27 17\:05\:01\nexpires on \: 2042-12-22 17\:05\:01\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CRT information, Subject Alt Name with two uniformResourceIdentifiers -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_cert_info:"data_files/rsa_multiple_san_uri.crt":"cert. version \: 3\nserial number \: 2F\:14\:4E\:99\:AD\:79\:42\:E0\:59\:A4\:B4\:86\:DC\:A6\:53\:B5\:CA\:CE\:5F\:40\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2022-12-28 08\:37\:46\nexpires on \: 2042-12-23 08\:37\:46\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-abcde1234567\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CRT information, RSA Certificate Policy any From 50836c4dfb31fce11638300ae5dfa2f833d5a0d8 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 13 Feb 2023 10:19:49 -0500 Subject: [PATCH 044/250] Fix a comment in x509_crt.h Signed-off-by: Andrzej Kurek --- include/mbedtls/x509.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index bf1f94a738..40b75a2b99 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -294,7 +294,7 @@ typedef struct mbedtls_x509_subject_alternative_name { int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */ union { mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */ - mbedtls_x509_buf unstructured_name; /**< The buffer for the unconstructed types. Only dnsName and uniformResourceIdentifier currently supported */ */ + mbedtls_x509_buf unstructured_name; /**< The buffer for the unconstructed types. Only dnsName and uniformResourceIdentifier are currently supported */ } san; /**< A union of the supported SAN types */ } From 3e8f65a7e2a9860552206182cd99b2dade41a15e Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 2 Feb 2023 07:06:19 -0500 Subject: [PATCH 045/250] Add a changelog entry for URI SAN parsing Signed-off-by: Andrzej Kurek --- ChangeLog.d/add-uri-san.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/add-uri-san.txt diff --git a/ChangeLog.d/add-uri-san.txt b/ChangeLog.d/add-uri-san.txt new file mode 100644 index 0000000000..5184e8f5dc --- /dev/null +++ b/ChangeLog.d/add-uri-san.txt @@ -0,0 +1,3 @@ +Features + * Add parsing of uniformResourceIdentifier subtype for subjectAltName + extension in x509 certificates. From e19b51bc533194c7447e47e15d75441450e93408 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Tue, 14 Feb 2023 10:29:53 +0800 Subject: [PATCH 046/250] Improve readability Signed-off-by: Pengyu Lv --- scripts/code_style.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/code_style.py b/scripts/code_style.py index 65c9cccfb3..eaf1f6b88f 100755 --- a/scripts/code_style.py +++ b/scripts/code_style.py @@ -191,12 +191,12 @@ def main() -> int: args = parser.parse_args() - all_src_files = get_src_files() - src_files = args.operands if args.operands else all_src_files + covered = frozenset(get_src_files()) + src_files = args.operands if args.operands else covered if args.subset: # We are to check a subset of the default list - src_files = [f for f in args.operands if f in all_src_files] - skip_src_files = [f for f in args.operands if f not in src_files] + src_files = [f for f in args.operands if f in covered] + skip_src_files = [f for f in args.operands if f not in covered] if skip_src_files: print_skip(skip_src_files) From 570a0f808bc2e099b927f8981bea64ba130fbd3f Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 14 Feb 2023 05:52:49 -0500 Subject: [PATCH 047/250] Move to DER certificates for new x509 tests Signed-off-by: Andrzej Kurek --- tests/data_files/Makefile | 12 ++++---- tests/data_files/rsa_multiple_san_uri.crt | 22 -------------- tests/data_files/rsa_multiple_san_uri.crt.der | Bin 0 -> 954 bytes tests/data_files/rsa_multiple_san_uri.key | 28 ++++++++++++++++++ tests/data_files/rsa_single_san_uri.crt | 21 ------------- tests/data_files/rsa_single_san_uri.crt.der | Bin 0 -> 898 bytes tests/data_files/rsa_single_san_uri.key | 28 ++++++++++++++++++ tests/suites/test_suite_x509parse.data | 8 ++--- 8 files changed, 66 insertions(+), 53 deletions(-) delete mode 100644 tests/data_files/rsa_multiple_san_uri.crt create mode 100644 tests/data_files/rsa_multiple_san_uri.crt.der create mode 100644 tests/data_files/rsa_multiple_san_uri.key delete mode 100644 tests/data_files/rsa_single_san_uri.crt create mode 100644 tests/data_files/rsa_single_san_uri.crt.der create mode 100644 tests/data_files/rsa_single_san_uri.key diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 7b97eea729..f3165101ac 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -336,6 +336,12 @@ server5-tricky-ip-san.crt: server5.key $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS Tricky IP SAN" -set_serial 77 -config $(test_ca_config_file) -extensions tricky_ip_san -days 3650 -sha256 -key server5.key -out $@ all_final += server5-tricky-ip-san.crt +rsa_single_san_uri.crt.der: rsa_single_san_uri.key + $(OPENSSL) req -x509 -outform der -nodes -days 7300 -newkey rsa:2048 -key $< -out $@ -addext "subjectAltName = URI:urn:example.com:5ff40f78-9210-494f-8206-c2c082f0609c" -extensions 'v3_req' -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS URI SAN" + +rsa_multiple_san_uri.crt.der: rsa_multiple_san_uri.key + $(OPENSSL) req -x509 -outform der -nodes -days 7300 -newkey rsa:2048 -key $< -out $@ -addext "subjectAltName = URI:urn:example.com:5ff40f78-9210-494f-8206-c2c082f0609c, URI:urn:example.com:5ff40f78-9210-494f-8206-abcde1234567" -extensions 'v3_req' -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS URI SAN" + server10-badsign.crt: server10.crt { head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@ all_final += server10-badsign.crt @@ -365,12 +371,6 @@ rsa_pkcs8_2048_public.der: rsa_pkcs8_2048_public.pem $(OPENSSL) rsa -pubin -in $< -outform DER -pubout -out $@ all_final += rsa_pkcs8_2048_public.der -rsa_single_san_uri.crt: rsa_single_san_uri.key - $(OPENSSL) req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout $< -out $@ -addext "subjectAltName = URI:urn:example.com:5ff40f78-9210-494f-8206-c2c082f0609c" -extensions 'v3_req' -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS URI SAN" - -rsa_multiple_san_uri.crt: rsa_multiple_san_uri.key - $(OPENSSL) req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout $< -out $@ -addext "subjectAltName = URI:urn:example.com:5ff40f78-9210-494f-8206-c2c082f0609c, URI:urn:example.com:5ff40f78-9210-494f-8206-abcde1234567" -extensions 'v3_req' -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS URI SAN" - ################################################################ #### Generate various RSA keys ################################################################ diff --git a/tests/data_files/rsa_multiple_san_uri.crt b/tests/data_files/rsa_multiple_san_uri.crt deleted file mode 100644 index ceda8f2c5d..0000000000 --- a/tests/data_files/rsa_multiple_san_uri.crt +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDtjCCAp6gAwIBAgIULxROma15QuBZpLSG3KZTtcrOX0AwDQYJKoZIhvcNAQEL -BQAwOzELMAkGA1UEBhMCVUsxETAPBgNVBAoMCE1iZWQgVExTMRkwFwYDVQQDDBBN -YmVkIFRMUyBVUkkgU0FOMB4XDTIyMTIyODA4Mzc0NloXDTQyMTIyMzA4Mzc0Nlow -OzELMAkGA1UEBhMCVUsxETAPBgNVBAoMCE1iZWQgVExTMRkwFwYDVQQDDBBNYmVk -IFRMUyBVUkkgU0FOMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3poS -TQijviHqJNAdKXN0FJMfgLsP9JZuLJczG0MAQsLaB6jHEdH/mrL3Q/1qZv6I6+5E -O5mN0fe8V9THT+OzAaxg8SwWvbog94iReK4OvNqbHEHSKZ0Ej2UHsAYBc/y/xzvJ -UD5QcbjF4g6udumddqA4/MqOSM9KUDufD6rbGhTW2zW8Z/teFW6Y7ucIcyYbS10E -T+P00ZoQbXGSzdddMy/sF+1YxsENniKUQhooIpNxX/lSCHe/CHMFfaj9HPyJE3ke -4rZtUAK1rfSmltfbRl7XQdaB1HLQA/oP+sPWp231mp9jhO2DEMYmHQcRREl/0Zrg -6RKyyIWJabtaF0pPCQIDAQABo4GxMIGuMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXg -MHUGA1UdEQRuMGyGNHVybjpleGFtcGxlLmNvbTo1ZmY0MGY3OC05MjEwLTQ5NGYt -ODIwNi1jMmMwODJmMDYwOWOGNHVybjpleGFtcGxlLmNvbTo1ZmY0MGY3OC05MjEw -LTQ5NGYtODIwNi1hYmNkZTEyMzQ1NjcwHQYDVR0OBBYEFKmGzddKZIFyozb1WrKj -2GXUOg3WMA0GCSqGSIb3DQEBCwUAA4IBAQAV3+vEBnTFcvxSnMSQmNXuSWPaomed -eoT7p5mbdKBiHGv/XoAaAF/WJUGz3dLKtfg0fPOIDPI/Diuyx2eaVHHzPYRW++W0 -wdx1VyAEfTnPexutol5hYMaSonr6wp6V509utwfXAYm8iMMAcHOpljgiGznY5DoB -5qykEAt1Y9jsjhf1Ih/7Q6rVc3I+w8AG5nrJ56MZQBjdOa6xV+8++RJwzuhiSb8E -iDEccpYkfrOOsMl5UZIsSm2BtWp4CRSigWgmN+LSpIfm/zYVYoQYrkjdWx3YhGVB -+xWW1Q/UQhQYtJ8vw9xw/vYWTVWaQDdA22d9XNxLakzwhPDX1OOCJJNy ------END CERTIFICATE----- diff --git a/tests/data_files/rsa_multiple_san_uri.crt.der b/tests/data_files/rsa_multiple_san_uri.crt.der new file mode 100644 index 0000000000000000000000000000000000000000..ac5fab2932aacc7c232d5a78c69c5203ba2f6041 GIT binary patch literal 954 zcmXqLV%}!Z#58XKGZP~dlL*J7$r2OQZn$+!5b)pHcKS%gvsb(Zylk9WZ60mkc^MhG zSs4th4Y>_C*_cCF*o2uvy$uBo_(2>l9uD86)D(pfpI}2t196ZLGmijFNFg-HQz6*V z&p=L`*T~qw$k4>lz}Vc>AWEFq1jse8gmNh}yopf>*|ChQ49rc8{0s(7j9g4jjEoE$ zi)ZaQfAr$3kKeAWGW&AUyyVeJk5|{fn*Ef!+2nAFOIh-AAlKQ6;eAdwCTw4NbFp7c z4&ThrJH_}IJMI5@A8UVoJoe)9n8>s9w=gi@-|H~r*`1q*GUhmDzx#H&N}c6X#+E~8 zwMz=VT-iMFQOoRFcav!^Ql30vPVVE9JMdWXkX-!drocd)X{S%#v(46>r~Y*d zGgS$#II7R_AU4kBEfX^%1LNYxjRuYDz%eK*%)(^AV89KGELnaQ7G@^a2L`1ejvz~( zK~9@VX;Ge4YDHphK~Ab(a(=FrXB0;T3ML-XUwe)}$RX=kqf9QBGWYf3k~fJ=iVhr0rq6T86J6t% z#qugIeD9h`d~XzgonwqV_$q*{Z_DDZio5r{N>sPGF#Eu+EV-lw0w*8)uj~Are15O^ zRqh+RbzF>Xu1Q^q*4wk`8%8$11^?Z1VWy6BzCr^*qe5g5*7qrYoi_9UY@k^nOFbbF8>wEOL)~+eX0NF>o$E$)Zw(OqM~J+ WcvstKeF;9*e0W*?%#B-4UjhK9SbH@9 literal 0 HcmV?d00001 diff --git a/tests/data_files/rsa_multiple_san_uri.key b/tests/data_files/rsa_multiple_san_uri.key new file mode 100644 index 0000000000..c8c3492bb5 --- /dev/null +++ b/tests/data_files/rsa_multiple_san_uri.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCxc5q8z8XR6vH2 +1Ko29Mk3dOKpSOrX9Tb5HtmCQMoKIxnTUQrNkVeOQtiQt6XZo05cbA6Z87kWDgGJ +P/5Lxofrx13Rp1xZzZ+0AAPfvUCY5tzZwmicQWvu9st6JwTyaLTCzSt0cPTUs5Hi +hJt9RzSW6GTk5ANjjgoewOMhwh5f84JRURJ2INZjz4namBGe/9f14ZHxKWuxl5in ++z582rSEhLXrPLbaKjT3Jphff51xsusC+pP0xNqkAcrGJ+/Jk0Vk6ClRCd40ZcTB +4SkOqsZ8/uGWnradkrN74PoMMnSKKOuxlsVMPfzMkrlMbuazO4nK/osTAnoSqMUv +COBdXkTtAgMBAAECggEANVlTIQa6K3UeD546GlGXmQOcDVbtu8VuJJFgxScjVs7c +uco4nDrg/tUb9M4xn2/YZDLcZO6AK6BEV/YURsXGIV2L2DcfraQDKoOCpqZoIE/v +/8vR1YBZqbsqy2ulshdGmPZD5Tr8cGIYLui9MnnQ1rnBc4sVdb3DTyGgZ4rLxP6X +0BoHw+LQA0wwSbE/NW71qmeDSEDkSkUQISVg6Rp06U0PZaJAWtYoBNKGAsDGAhjc +vVTXE5B9d+3yOM0InCWFsM/bUvaUv/yxxTcZnVq9Lji3KwDhy63F99pUaFnV6Rf2 +3CKO3VHegWSwMcnYaBbufDqWPHuEDSlZ0nRhrbrKRQKBgQD6dQd0xPHfxIz5l+AC +1kPHIsUKPEirrJKTVHlxQwT0yVpD+yUkF95HY6NgHVHKnRP9qicqr3raIfA01VQc +y+lhXo6xUAqYsKvB9m4njERFWMTCVSVU30Klhic/s4R/1abKlvkax1SiQFIRStqC +onsZ0M1Isw69/I8Yha3mzv/gvwKBgQC1YPXnd5dZmdbe0UibBWjU5X6AQGt+oxL+ ++6EP3EfuRmYI3i3r2bdbB3ELd95f8tgV0UagmjQfFoigBsuRfbhrQEPSHMBWYpAV ++TZKxUvmpJXwLEgxcPv7VTTvxw0qL1u1s/dX6WBfEOUgVzPgcp+IJGEr1MZekTqt +P65coDpZUwKBgAmrLuiBGd1Lly2jgVBauS8c1oJ4pU2LUfVCE5Ydwjk49LUfIuXr +zfbvj8UMHLY3rifiw7RQJev5124StjaOYKoTnmqV7nLKjzbjroj0T0ZmEOJ3qwNF +wyrkrOs2oOzWcKPthBxWiZvh48krHJhicWIjv2kJEI6hC10k+/unDhW9AoGAZyRg +MeRb+OP2wHaapy0IVCi9Kwl3F2h8oOtOx8ooTWNTGq/dxUTlc6pjqnXbyww5vQ5o +72NBSHxz7SxwDqhDexnsd0tKRNV/wj8ZlKNlah8l9JH568OoR2BI3iF/ZwHPUSCq +Ax//YZAl+6IbKgOEnNKzP02cEKLdjy+rY5jqFWkCgYEAmEl4mg1IGoVDM6d3iIPP +JLz5DghV8kP++99vFrJx07D6e/uhzojR73Ye+fq69Vy0yjGXpaRPwwHfvPzDA1hm +ir7rJWsbbskR+iTn2yKvIpB1wBI1u0SQ4lnJ1ZIVJPVlh4yA29JvPT7/7/2nQ/s6 +v0N2oKrfaiKc7BjCz3eYW4Q= +-----END PRIVATE KEY----- diff --git a/tests/data_files/rsa_single_san_uri.crt b/tests/data_files/rsa_single_san_uri.crt deleted file mode 100644 index 0c5b1ca6eb..0000000000 --- a/tests/data_files/rsa_single_san_uri.crt +++ /dev/null @@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDfjCCAmagAwIBAgIUWWuPuKBmp/e7Jt4G3JAjp97z0NkwDQYJKoZIhvcNAQEL -BQAwOzELMAkGA1UEBhMCVUsxETAPBgNVBAoMCE1iZWQgVExTMRkwFwYDVQQDDBBN -YmVkIFRMUyBVUkkgU0FOMB4XDTIyMTIyNzE3MDUwMVoXDTQyMTIyMjE3MDUwMVow -OzELMAkGA1UEBhMCVUsxETAPBgNVBAoMCE1iZWQgVExTMRkwFwYDVQQDDBBNYmVk -IFRMUyBVUkkgU0FOMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAigYQ -brVSGf/AyTscC8GSiXPnl0PpJzwvQe0c2oVhX/GB8F++m9FT4msoc6i50KNmcuCO -l52w0lY1+XWkm6+FoqeOm5Vfj2fLrsDed2jomI6T5n68QOtbWZNluCbBbDpnAZbo -QCUwHHjrPSc8h76kxEbX7luPOUaG6cyN/eG+HPY6XLRxDUbqFl9q/WsVkAfm5jO5 -7Oa3j4NfnIbFyuHbQXCmCdBq+4sLW3eKAvp2PyKvB601evOMtmUoX4SrWBTI/rfS -8Z6DqJN+V2afOameP/JiuQbc8GvKwOYLRKjdH8bJZ3GUdxTdOAvFhxfUxQIo7aup -nlLGHLdJUPUurV6dywIDAQABo3oweDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DA/ -BgNVHREEODA2hjR1cm46ZXhhbXBsZS5jb206NWZmNDBmNzgtOTIxMC00OTRmLTgy -MDYtYzJjMDgyZjA2MDljMB0GA1UdDgQWBBSDgDX0Y5xPkSAbqVeJ491MzU9jZDAN -BgkqhkiG9w0BAQsFAAOCAQEAFYXiBh3La7vmEj3uTpzGvNBMtJdiXK6C5IgRnARI -5jye0m3AMK9EJEKrE0144PWOKahirxgznCbPPxL86xfC552Wzu2+ARlXBs+XVQnh -c/IQ7NzCw6Pwtg8hFP0Qhjmp4rMvVjbHH8uPBaefx0wDO80f/VOC3xIPqVHA8U9X -Q8+dBPcv1iHaZ8gBx+lTZVaRSzAciNkPFRv5X/GAcnhIWQFBJD0XTlH4SgdsW4O6 -0Oqo4qbHPxPf5zx3ZtX0zG13+/wiPAMvZyjemCMtsentiJt0+a5n+9X3b2lhEq58 -yy5d8aax9EXT5TAguKP7kV1sglSlJcIzmKXb4MCdTYfdfg== ------END CERTIFICATE----- diff --git a/tests/data_files/rsa_single_san_uri.crt.der b/tests/data_files/rsa_single_san_uri.crt.der new file mode 100644 index 0000000000000000000000000000000000000000..22308c6f45d82f7ed64c5a4224ae63a56aada704 GIT binary patch literal 898 zcmXqLVy-i2VoF=U%*4pVB$8kH`em-_o{pxZ#Sb!;n_Isr?Vn@7%f_kI=F#?@mywa1 zmBGN;klTQhjX9KsO_(Xv+fdMeAH?C};qXmLO;HH(2{x285C;h{^9aC%6hebM6@nf8 z4CKUljf@S93{4CTj4cdIqr`blfLsGhD3>zBn;4al9m~kdz}&>h&tTBR$i>ve$jGp~ z*>7`Mq+*hS*WDKY7tn-np}0 z=M+y{+4{p^^_p9ky}LF<%wH6e%OuhMd2z`;iv~5Ho9<`du?3lZo~``+p|RWUc3q%a~4n7KfT9s+n#gF zsu~S``Wg51^w_L9xBGPMU)!YK^mTvE>vxBTUS9ZNvc&_@59y}M(qBb}uQ+JBut>ye zmfqQiQ*UP+>9%_RPRNWeEJ>4Te&4zt=kP+KYq^h}?5f$f_hIyr|K5^sZz)ZTZf9G) zMwj)D^!pH%s@+PPe!a{5bRyy>&#B4fN~>8;pGZvjC1l1Ll`iYaUb<_uKZ|OF=5xjE zJiTl8t0#q670oGP`QfO(WQB#crbywkza@`9yG`5irkL><%Z>Z9Rz_FK{+D&)PW$h3 y(?|G|?z+{PoXQG!rIe%|?)N+CcBw)wQ2O_WlcD1G_^n>@iS3v+zac)Orvv~P1yK?J literal 0 HcmV?d00001 diff --git a/tests/data_files/rsa_single_san_uri.key b/tests/data_files/rsa_single_san_uri.key new file mode 100644 index 0000000000..bb6c0ca6bb --- /dev/null +++ b/tests/data_files/rsa_single_san_uri.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCng06zdlkhYiBK +43H+cK+vkHYvvRA2RtWbLMw+9rV9IrdGQ+iQQ/X1SZfDl2hWUiKTpabcuGYzY38H +lXW4UXwTB36KEe7G3yF/fbvYzNsdUCAVOzNs/0EMvXJeD/Dm5CBMEsG6V0ovHmkc +c80fQYQiSxgjpWyRpKdP+z/2imGph9onuu7EWOpAXGArozlLL5OixQ2dmutsc5ap +hfgwq6za00uKsFifolRtAhiH86N0vjiAJkzZR83uBlI285sj5+EzRrtjVv+kgsLW +gLDlj3bgsuKQDfxWhe+mpy2PIJ41kqktCz1qew3wyHI2ysE+6htHYQMNbCtkRMdX +/4t1yx95AgMBAAECggEAIIhn6IK7nLgp/WFe6kOIW1h7G5pkY6YuJgz1PeU8Kilr +3sGhkSMhyZmZV+s34EvjWzl4xrUpZCGWsipcyodIyYlTEg2ZihYbs17/9IMUqwS8 +tmLhAfIw+ABzDcGaz7zOaPfbmA0L40rMrzHuTHu05dQfxAyEoWSQ+f+Z1I/bl8jy +GdXQVtqZzqJcWXbXt+3+B4f2/d7K5xzb7lv/8zhAf/zoG9srMByPa6/Do5rVas5Q +NmzJPwXngxE5dJcHsWU4FkHbSbJj0khW858MJ4o5Ddw5ZOPimqlcmpClb01wCdXf +13o2ozKGE/xq3InU7MA4ad0tLMdEM8R7yhUZ9Xe/gQKBgQDYXt4BhiamnSl1tHR8 +MiiyzkcZuVH04/A6FsnUhcbQF9iCqO9szw50k0z7DVIGS9dSY9kmMdEcpsX6m2XC +XfEsxHBm0wmJqLUGq3UzM6oDsyZG1fkTg+eMzbVO0sv4xdhJLPpmsck5yJ8t0TxB +8gIS9yNEw7+w6rZhgSRsMT+WhQKBgQDGMZ0qIdFi1Ae7ueTcBCe+cjgmTG9nXq6+ +qRokU63rPP9y8XTVD6hRmviMRl4skt0F39yGJ7janIQnOBrf2DVEX4Mcf0sY4vDJ +msDV5jkbzgbAEas0ejO4h+dpRqa4mUiU1JR/Pb1jZHNOg7ZfTw45WPqBGsLTEpAt +OsKVUgbZZQKBgCIe+8WjwS6fNC2SspfvVQm1i/Lbjbgfxf9zHor8ObkROZyJRZCU +KoRpwkcI97l0dlVQ16q1SnPJPQljPi3joKfdppggia2CxGFz4nybliEVPGEJV0kj +kP1cZ04x4eauVIhdpnNRcBlDsQ6Jo4YGwxr4jEBI2k7tBKvlsLe7IHr9AoGAeJmi +IAwaBIAvAH16lKL2qD2Ki0uBkq4buSrfHHHK59TjQEdLJ4byjk21pm3/SjJHyhZR +c1TieCw7gj3ypHlE2IkiGAohYVBe4t6HLuF7qL6yfteBjVo69LPGDdqPAs9LSj0c +61xfTQbH32PoapCJgD3zmPH20Ud/cfZKh2A1iL0CgYEAwQgGxHVo+/d3BhLQvQHt +64fE+qrZA5oWWwBh8EzR+98eOnDCF3Gm6chrEs9boOzlwxr9LU4TgiBnpyYrQCEw +AdOA9dhYz91d+chJZjKo635Y9byN9rutr3/EfqZLxWL73k1y5LNAYL+jyAab0Jsw +l2xG6PNj5rItkgO3j50qA7s= +-----END PRIVATE KEY----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 4e6c55dbe1..28ba0776b3 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -123,12 +123,12 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n \n \nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CRT information, Subject Alt Name with uniformResourceIdentifier -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_cert_info:"data_files/rsa_single_san_uri.crt":"cert. version \: 3\nserial number \: 59\:6B\:8F\:B8\:A0\:66\:A7\:F7\:BB\:26\:DE\:06\:DC\:90\:23\:A7\:DE\:F3\:D0\:D9\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2022-12-27 17\:05\:01\nexpires on \: 2042-12-22 17\:05\:01\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +depends_on:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_cert_info:"data_files/rsa_single_san_uri.crt.der":"cert. version \: 3\nserial number \: 6F\:75\:EB\:E9\:6D\:25\:BC\:88\:82\:62\:A3\:E0\:68\:A7\:37\:3B\:EC\:75\:8F\:9C\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:38\:05\nexpires on \: 2043-02-09 10\:38\:05\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CRT information, Subject Alt Name with two uniformResourceIdentifiers -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_cert_info:"data_files/rsa_multiple_san_uri.crt":"cert. version \: 3\nserial number \: 2F\:14\:4E\:99\:AD\:79\:42\:E0\:59\:A4\:B4\:86\:DC\:A6\:53\:B5\:CA\:CE\:5F\:40\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2022-12-28 08\:37\:46\nexpires on \: 2042-12-23 08\:37\:46\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-abcde1234567\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +depends_on:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_cert_info:"data_files/rsa_multiple_san_uri.crt.der":"cert. version \: 3\nserial number \: 08\:E2\:93\:18\:91\:26\:D8\:46\:88\:90\:10\:4F\:B5\:86\:CB\:C4\:78\:E6\:EA\:0D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:37\:50\nexpires on \: 2043-02-09 10\:37\:50\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-abcde1234567\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CRT information, RSA Certificate Policy any depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA From c7f700c795b7b17b9694fef5b53dcc58f1bc46f7 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Tue, 14 Feb 2023 14:34:15 +0000 Subject: [PATCH 048/250] Fix incorrect printing of OIDs The first 2 components of an OID are combined together into the same subidentifier via the formula: subidentifier = (component1 * 40) + component2 The current code extracts component1 and component2 using division and modulo as one would expect. However, there is a subtlety in the specification[1]: >This packing of the first two object identifier components recognizes >that only three values are allocated from the root node, and at most >39 subsequent values from nodes reached by X = 0 and X = 1. If the root node (component1) is 2, the subsequent node (component2) may be greater than 38. For example, the following are real OIDs: * 2.40.0.25, UPU standard S25 * 2.49.0.0.826.0, Met Office * 2.999, Allocated example OID This has 2 implications that the current parsing code does not take account of: 1. The second component may be > 39, so (subidentifier % 40) is not correct in all circumstances. 2. The first subidentifier (containing the first 2 components) may be more than one byte long. Currently we assume it is just 1 byte. Improve parsing code to deal with these cases correctly. [1] Rec. ITU-T X.690 (02/2021), 8.19.4 Signed-off-by: David Horstmann --- library/oid.c | 35 ++++++++++++++++++++++++++++++----- 1 file changed, 30 insertions(+), 5 deletions(-) diff --git a/library/oid.c b/library/oid.c index e7c12248a3..5668e2aa56 100644 --- a/library/oid.c +++ b/library/oid.c @@ -834,14 +834,39 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size, p = buf; n = size; - /* First byte contains first two dots */ - if (oid->len > 0) { - ret = mbedtls_snprintf(p, n, "%d.%d", oid->p[0] / 40, oid->p[0] % 40); - OID_SAFE_SNPRINTF; + /* First subidentifier contains first two OID components */ + i = 0; + value = 0; + while (i < oid->len && ((oid->p[i] & 0x80) != 0)) { + /* Prevent overflow in value. */ + if (((value << 7) >> 7) != value) { + return MBEDTLS_ERR_OID_BUF_TOO_SMALL; + } + + value += oid->p[i] & 0x7F; + value <<= 7; + i++; } + if (i >= oid->len) { + return MBEDTLS_ERR_OID_BUF_TOO_SMALL; + } + /* Last byte of first subidentifier */ + value += oid->p[i] & 0x7F; + i++; + + unsigned int component1 = value / 40; + if (component1 > 2) { + /* The first component can only be 0, 1 or 2. + * If oid->p[0] / 40 is greater than 2, the leftover belongs to + * the second component. */ + component1 = 2; + } + unsigned int component2 = value - (40 * component1); + ret = mbedtls_snprintf(p, n, "%u.%u", component1, component2); + OID_SAFE_SNPRINTF; value = 0; - for (i = 1; i < oid->len; i++) { + for (; i < oid->len; i++) { /* Prevent overflow in value. */ if (((value << 7) >> 7) != value) { return MBEDTLS_ERR_OID_BUF_TOO_SMALL; From 8ea7d85851819d342d23389325413d7d47ac4acc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 14 Feb 2023 19:15:40 +0100 Subject: [PATCH 049/250] Define a workaround for empty \retval description Since Clang 15, `clang -Wdocumentation` warns about an empty description in a Doxygen `\retval` command: ``` include/psa/crypto.h:91:23: error: empty paragraph passed to '\retval' command [-Werror,-Wdocumentation] * \retval #PSA_SUCCESS ~~~~~~~~~~~~~~~~~~~^ ``` Ideally `\retval` directives should have a description that describes the precise meaning of the return value, but we commonly use an empty description when the return value is a status code and the status code's description is sufficient documentation. As a workaround, define a Doxygen command `\emptydescription` that we can use to make the description source code non-empty, without changing the appearance. Using the command will be done in a subsequent commit. Signed-off-by: Gilles Peskine --- doxygen/mbedtls.doxyfile | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 0c744daaa2..7e8d196113 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -27,3 +27,15 @@ HAVE_DOT = YES DOT_GRAPH_MAX_NODES = 200 MAX_DOT_GRAPH_DEPTH = 1000 DOT_TRANSPARENT = YES + +# Doxygen accepts empty descriptions for commands such as \retval, +# but clang -Wdocumentation doesn't (since Clang 15, for \retval). +# https://github.com/Mbed-TLS/mbedtls/issues/6960 +# https://github.com/llvm/llvm-project/issues/60315 +# As a workaround, when documenting the status codes that a function can +# return, if you don't have anything to say beyond the status code's +# description, you can write something like +# \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription +# This does not change the documentation generated by Doxygen, but +# it pacifies clang -Wdocumentation. +ALIASES += emptydescription="" From ed73355d2eef315631c2c54772d0546393c81fce Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 14 Feb 2023 19:21:09 +0100 Subject: [PATCH 050/250] Make \retval commands non-empty Pacify Clang >=15 which complained: ``` include/psa/crypto.h:91:23: error: empty paragraph passed to '\retval' command [-Werror,-Wdocumentation] * \retval #PSA_SUCCESS ~~~~~~~~~~~~~~~~~~~^ ``` This commit performs the following systematic replacement: ``` perl -i -0777 -p -e 's/([\\@])(retval +\S+)\n(?! *\*? *([^\n \\*\/]|\\[cp]\b))/$1$2 ${1}emptydescription\n/g' $(git ls-files '*.[hc]' '*.function' '*.jinja') ``` i.e. add an `\emptydescription` argument to `\retval` commands (or `@retval`, which we don't normally used) that are followed by a single word, unless the next line looks like it contains text which would be the description. Signed-off-by: Gilles Peskine --- include/psa/crypto.h | 808 +++++++++--------- include/psa/crypto_compat.h | 14 +- include/psa/crypto_extra.h | 96 +-- include/psa/crypto_se_driver.h | 46 +- library/psa_crypto.c | 12 +- library/psa_crypto_aead.h | 8 +- library/psa_crypto_cipher.h | 46 +- library/psa_crypto_core.h | 86 +- library/psa_crypto_ecp.h | 44 +- library/psa_crypto_hash.h | 26 +- library/psa_crypto_mac.h | 28 +- library/psa_crypto_rsa.h | 70 +- library/psa_crypto_slot_management.h | 18 +- library/psa_crypto_storage.c | 28 +- library/psa_crypto_storage.h | 52 +- .../psa_crypto_driver_wrappers.c.jinja | 6 +- 16 files changed, 694 insertions(+), 694 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 2b9b2a27e8..d7c914e2fa 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -88,16 +88,16 @@ extern "C" { * initialization may have security implications, for example due to improper * seeding of the random number generator. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_INSUFFICIENT_STORAGE - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_DATA_CORRUPT + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription */ psa_status_t psa_crypto_init(void); @@ -368,14 +368,14 @@ static size_t psa_get_key_bits(const psa_key_attributes_t *attributes); * On failure, equivalent to a * freshly-initialized structure. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_DATA_INVALID + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -486,7 +486,7 @@ psa_status_t psa_purge_key(mbedtls_svc_key_id_t key); * identifier defined in \p attributes. * \c 0 on failure. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_INVALID_HANDLE * \p source_key is invalid. * \retval #PSA_ERROR_ALREADY_EXISTS @@ -502,14 +502,14 @@ psa_status_t psa_purge_key(mbedtls_svc_key_id_t key); * The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or * the source key is not exportable and its lifetime does not * allow copying it to the target's lifetime. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_INSUFFICIENT_STORAGE - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -631,14 +631,14 @@ psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key); * the key data is not correctly formatted, or * the size in \p attributes is nonzero and does not match the size * of the key data. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_INSUFFICIENT_STORAGE - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -718,22 +718,22 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes, * \param[out] data_length On success, the number of bytes * that make up the key data. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription * \retval #PSA_ERROR_NOT_PERMITTED * The key does not have the #PSA_KEY_USAGE_EXPORT flag. - * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p data buffer is too small. You can determine a * sufficient buffer size by calling * #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits) * where \c type is the key type * and \c bits is the key size in bits. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -793,22 +793,22 @@ psa_status_t psa_export_key(mbedtls_svc_key_id_t key, * \param[out] data_length On success, the number of bytes * that make up the key data. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * The key is neither a public key nor a key pair. - * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p data buffer is too small. You can determine a * sufficient buffer size by calling * #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits) * where \c type is the key type * and \c bits is the key size in bits. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -846,13 +846,13 @@ psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key, * Success. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported or is not a hash algorithm. - * \retval #PSA_ERROR_INVALID_ARGUMENT + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * \p hash_size is too small - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -884,10 +884,10 @@ psa_status_t psa_hash_compute(psa_algorithm_t alg, * \p alg is not supported or is not a hash algorithm. * \retval #PSA_ERROR_INVALID_ARGUMENT * \p input_length or \p hash_length do not match the hash size for \p alg - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -977,10 +977,10 @@ static psa_hash_operation_t psa_hash_operation_init(void); * \p alg is not a supported hash algorithm. * \retval #PSA_ERROR_INVALID_ARGUMENT * \p alg is not a hash algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be inactive), or * the library has not been previously initialized by psa_crypto_init(). @@ -1003,10 +1003,10 @@ psa_status_t psa_hash_setup(psa_hash_operation_t *operation, * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active), or * the library has not been previously initialized by psa_crypto_init(). @@ -1049,10 +1049,10 @@ psa_status_t psa_hash_update(psa_hash_operation_t *operation, * The size of the \p hash buffer is too small. You can determine a * sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg) * where \c alg is the hash algorithm that is calculated. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active), or * the library has not been previously initialized by psa_crypto_init(). @@ -1090,10 +1090,10 @@ psa_status_t psa_hash_finish(psa_hash_operation_t *operation, * \retval #PSA_ERROR_INVALID_SIGNATURE * The hash of the message was calculated successfully, but it * differs from the expected hash. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active), or * the library has not been previously initialized by psa_crypto_init(). @@ -1120,10 +1120,10 @@ psa_status_t psa_hash_verify(psa_hash_operation_t *operation, * * \param[in,out] operation Initialized hash operation. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -1146,11 +1146,11 @@ psa_status_t psa_hash_abort(psa_hash_operation_t *operation); * \param[in,out] target_operation The operation object to set up. * It must be initialized but not active. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription * \retval #PSA_ERROR_BAD_STATE * The \p source_operation state is not valid (it must be active), or * the \p target_operation state is not valid (it must be inactive), or @@ -1190,18 +1190,18 @@ psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation, * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \p key is not compatible with \p alg. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported or is not a MAC algorithm. * \retval #PSA_ERROR_BUFFER_TOO_SMALL * \p mac_size is too small - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_STORAGE_FAILURE * The key could not be retrieved from storage. * \retval #PSA_ERROR_BAD_STATE @@ -1233,16 +1233,16 @@ psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key, * \retval #PSA_ERROR_INVALID_SIGNATURE * The MAC of the message was calculated successfully, but it * differs from the expected value. - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \p key is not compatible with \p alg. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported or is not a MAC algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_STORAGE_FAILURE * The key could not be retrieved from storage. * \retval #PSA_ERROR_BAD_STATE @@ -1338,16 +1338,16 @@ static psa_mac_operation_t psa_mac_operation_init(void); * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \p key is not compatible with \p alg. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported or is not a MAC algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_STORAGE_FAILURE * The key could not be retrieved from storage. * \retval #PSA_ERROR_BAD_STATE @@ -1400,16 +1400,16 @@ psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation, * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \c key is not compatible with \c alg. * \retval #PSA_ERROR_NOT_SUPPORTED * \c alg is not supported or is not a MAC algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_STORAGE_FAILURE * The key could not be retrieved from storage. * \retval #PSA_ERROR_BAD_STATE @@ -1437,11 +1437,11 @@ psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation, * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active), or * the library has not been previously initialized by psa_crypto_init(). @@ -1485,11 +1485,11 @@ psa_status_t psa_mac_update(psa_mac_operation_t *operation, * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p mac buffer is too small. You can determine a * sufficient buffer size by calling PSA_MAC_LENGTH(). - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be an active mac sign * operation), or the library has not been previously initialized @@ -1528,11 +1528,11 @@ psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation, * \retval #PSA_ERROR_INVALID_SIGNATURE * The MAC of the message was calculated successfully, but it * differs from the expected MAC. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be an active mac verify * operation), or the library has not been previously initialized @@ -1560,10 +1560,10 @@ psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation, * * \param[in,out] operation Initialized MAC operation. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -1599,18 +1599,18 @@ psa_status_t psa_mac_abort(psa_mac_operation_t *operation); * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \p key is not compatible with \p alg. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported or is not a cipher algorithm. - * \retval #PSA_ERROR_BUFFER_TOO_SMALL - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -1646,18 +1646,18 @@ psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key, * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \p key is not compatible with \p alg. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported or is not a cipher algorithm. - * \retval #PSA_ERROR_BUFFER_TOO_SMALL - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -1753,17 +1753,17 @@ static psa_cipher_operation_t psa_cipher_operation_init(void); * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \p key is not compatible with \p alg. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported or is not a cipher algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be inactive), or * the library has not been previously initialized by psa_crypto_init(). @@ -1816,17 +1816,17 @@ psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation, * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \p key is not compatible with \p alg. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported or is not a cipher algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be inactive), or * the library has not been previously initialized by psa_crypto_init(). @@ -1859,11 +1859,11 @@ psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation, * Success. * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p iv buffer is too small. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, with no IV set), * or the library has not been previously initialized @@ -1900,11 +1900,11 @@ psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation, * \retval #PSA_ERROR_INVALID_ARGUMENT * The size of \p iv is not acceptable for the chosen algorithm, * or the chosen algorithm does not use an IV. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be an active cipher * encrypt operation, with no IV set), or the library has not been @@ -1941,11 +1941,11 @@ psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation, * Success. * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p output buffer is too small. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, with an IV set * if required for the algorithm), or the library has not been @@ -1993,11 +1993,11 @@ psa_status_t psa_cipher_update(psa_cipher_operation_t *operation, * padding, and the ciphertext does not contain valid padding. * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p output buffer is too small. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, with an IV set * if required for the algorithm), or the library has not been @@ -2026,10 +2026,10 @@ psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation, * * \param[in,out] operation Initialized cipher operation. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -2082,23 +2082,23 @@ psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation); * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \p key is not compatible with \p alg. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported or is not an AEAD algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * \p ciphertext_size is too small. * #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg, * \p plaintext_length) or * #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to * determine the required buffer size. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -2153,25 +2153,25 @@ psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key, * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription * \retval #PSA_ERROR_INVALID_SIGNATURE * The ciphertext is not authentic. - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \p key is not compatible with \p alg. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported or is not an AEAD algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * \p plaintext_size is too small. * #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg, * \p ciphertext_length) or * #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used * to determine the required buffer size. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -2280,16 +2280,16 @@ static psa_aead_operation_t psa_aead_operation_init(void); * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be inactive), or * the library has not been previously initialized by psa_crypto_init(). - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \p key is not compatible with \p alg. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported or is not an AEAD algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_STORAGE_FAILURE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -2344,17 +2344,17 @@ psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation, * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \p key is not compatible with \p alg. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported or is not an AEAD algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be inactive), or the * library has not been previously initialized by psa_crypto_init(). @@ -2388,11 +2388,11 @@ psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation, * Success. * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p nonce buffer is too small. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be an active aead encrypt * operation, with no nonce set), or the library has not been @@ -2428,11 +2428,11 @@ psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation, * Success. * \retval #PSA_ERROR_INVALID_ARGUMENT * The size of \p nonce is not acceptable for the chosen algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, with no nonce * set), or the library has not been previously initialized @@ -2473,10 +2473,10 @@ psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation, * \retval #PSA_ERROR_INVALID_ARGUMENT * At least one of the lengths is not acceptable for the chosen * algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, and * psa_aead_update_ad() and psa_aead_update() must not have been @@ -2520,11 +2520,11 @@ psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation, * \retval #PSA_ERROR_INVALID_ARGUMENT * The total input length overflows the additional data length that * was previously specified with psa_aead_set_lengths(). - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, have a nonce * set, have lengths set if required by the algorithm, and @@ -2605,11 +2605,11 @@ psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation, * specified with psa_aead_set_lengths(), or * the total input length overflows the plaintext length that * was previously specified with psa_aead_set_lengths(). - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, have a nonce * set, and have lengths set if required by the algorithm), or the @@ -2691,11 +2691,11 @@ psa_status_t psa_aead_update(psa_aead_operation_t *operation, * the total length of input to psa_aead_update() so far is * less than the plaintext length that was previously * specified with psa_aead_set_lengths(). - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be an active encryption * operation with a nonce set), or the library has not been previously @@ -2774,11 +2774,11 @@ psa_status_t psa_aead_finish(psa_aead_operation_t *operation, * the total length of input to psa_aead_update() so far is * less than the plaintext length that was previously * specified with psa_aead_set_lengths(). - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be an active decryption * operation with a nonce set), or the library has not been previously @@ -2809,10 +2809,10 @@ psa_status_t psa_aead_verify(psa_aead_operation_t *operation, * * \param[in,out] operation Initialized AEAD operation. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -2858,8 +2858,8 @@ psa_status_t psa_aead_abort(psa_aead_operation_t *operation); * \param[out] signature_length On success, the number of bytes that make up * the returned signature value. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription * \retval #PSA_ERROR_NOT_PERMITTED * The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, * or it does not permit the requested algorithm. @@ -2869,16 +2869,16 @@ psa_status_t psa_aead_abort(psa_aead_operation_t *operation); * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) * where \c key_type and \c key_bits are the type and bit-size * respectively of \p key. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -2914,23 +2914,23 @@ psa_status_t psa_sign_message(mbedtls_svc_key_id_t key, * \param[out] signature Buffer containing the signature to verify. * \param[in] signature_length Size of the \p signature buffer in bytes. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription * \retval #PSA_ERROR_NOT_PERMITTED * The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag, * or it does not permit the requested algorithm. * \retval #PSA_ERROR_INVALID_SIGNATURE * The calculation was performed successfully, but the passed signature * is not a valid signature. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_DATA_INVALID + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -2967,23 +2967,23 @@ psa_status_t psa_verify_message(mbedtls_svc_key_id_t key, * \param[out] signature_length On success, the number of bytes * that make up the returned signature value. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p signature buffer is too small. You can * determine a sufficient buffer size by calling * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) * where \c key_type and \c key_bits are the type and bit-size * respectively of \p key. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -3023,18 +3023,18 @@ psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key, * * \retval #PSA_SUCCESS * The signature is valid. - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_SIGNATURE * The calculation was performed successfully, but the passed * signature is not a valid signature. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -3076,23 +3076,23 @@ psa_status_t psa_verify_hash(mbedtls_svc_key_id_t key, * \param[out] output_length On success, the number of bytes * that make up the returned output. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p output buffer is too small. You can * determine a sufficient buffer size by calling * #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) * where \c key_type and \c key_bits are the type and bit-size * respectively of \p key. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -3136,24 +3136,24 @@ psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key, * \param[out] output_length On success, the number of bytes * that make up the returned output. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p output buffer is too small. You can * determine a sufficient buffer size by calling * #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) * where \c key_type and \c key_bits are the type and bit-size * respectively of \p key. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY - * \retval #PSA_ERROR_INVALID_PADDING + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + * \retval #PSA_ERROR_INVALID_PADDING \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -3263,11 +3263,11 @@ static psa_key_derivation_operation_t psa_key_derivation_operation_init(void); * \c alg is not a key derivation algorithm. * \retval #PSA_ERROR_NOT_SUPPORTED * \c alg is not supported or is not a key derivation algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be inactive), or * the library has not been previously initialized by psa_crypto_init(). @@ -3287,10 +3287,10 @@ psa_status_t psa_key_derivation_setup( * \param[in] operation The operation to query. * \param[out] capacity On success, the capacity of the operation. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active), or * the library has not been previously initialized by psa_crypto_init(). @@ -3311,14 +3311,14 @@ psa_status_t psa_key_derivation_get_capacity( * It must be less or equal to the operation's * current capacity. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \p capacity is larger than the operation's current capacity. * In this case, the operation object remains valid and its capacity * remains unchanged. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active), or the * library has not been previously initialized by psa_crypto_init(). @@ -3367,11 +3367,11 @@ psa_status_t psa_key_derivation_set_capacity( * \retval #PSA_ERROR_INVALID_ARGUMENT * \c step is not compatible with the operation's algorithm, or * \c step does not allow direct inputs. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid for this input \p step, or * the library has not been previously initialized by psa_crypto_init(). @@ -3410,11 +3410,11 @@ psa_status_t psa_key_derivation_input_bytes( * \retval #PSA_ERROR_INVALID_ARGUMENT * \c step is not compatible with the operation's algorithm, or * \c step does not allow numeric inputs. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid for this input \p step, or * the library has not been previously initialized by psa_crypto_init(). @@ -3468,7 +3468,7 @@ psa_status_t psa_key_derivation_input_integer( * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription * \retval #PSA_ERROR_NOT_PERMITTED * The key allows neither #PSA_KEY_USAGE_DERIVE nor * #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this @@ -3477,11 +3477,11 @@ psa_status_t psa_key_derivation_input_integer( * \c step is not compatible with the operation's algorithm, or * \c step does not allow key inputs of the given type * or does not allow key inputs at all. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid for this input \p step, or * the library has not been previously initialized by psa_crypto_init(). @@ -3536,8 +3536,8 @@ psa_status_t psa_key_derivation_input_key( * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \c private_key is not compatible with \c alg, * or \p peer_key is not valid for \c alg or not compatible with @@ -3545,11 +3545,11 @@ psa_status_t psa_key_derivation_input_key( * from a key agreement. * \retval #PSA_ERROR_NOT_SUPPORTED * \c alg is not supported or is not a key derivation algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid for this key agreement \p step, * or the library has not been previously initialized by psa_crypto_init(). @@ -3580,7 +3580,7 @@ psa_status_t psa_key_derivation_key_agreement( * \param[out] output Buffer where the output will be written. * \param output_length Number of bytes to output. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_NOT_PERMITTED * One of the inputs was a key whose policy didn't allow * #PSA_KEY_USAGE_DERIVE. @@ -3591,11 +3591,11 @@ psa_status_t psa_key_derivation_key_agreement( * The operation's capacity is set to 0, thus * subsequent calls to this function will not * succeed, even with a smaller output buffer. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active and completed * all required input steps), or the library has not been previously @@ -3738,14 +3738,14 @@ psa_status_t psa_key_derivation_output_bytes( * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a * key; or one of the inputs was a key whose policy didn't allow * #PSA_KEY_USAGE_DERIVE. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_INSUFFICIENT_STORAGE - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active and completed * all required input steps), or the library has not been previously @@ -3786,7 +3786,7 @@ psa_status_t psa_key_derivation_output_key( * \param output_length Length of the expected output; this is also the * number of bytes that will be read. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_INVALID_SIGNATURE * The output was read successfully, but it differs from the expected * output. @@ -3799,11 +3799,11 @@ psa_status_t psa_key_derivation_output_key( * the operation's capacity is set to 0, thus * subsequent calls to this function will not * succeed, even with a smaller expected output. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active and completed * all required input steps), or the library has not been previously @@ -3845,7 +3845,7 @@ psa_status_t psa_key_derivation_verify_bytes( * computed by a previous call to * psa_key_derivation_output_key(). * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_INVALID_SIGNATURE * The output was read successfully, but if differs from the expected * output. @@ -3863,11 +3863,11 @@ psa_status_t psa_key_derivation_verify_bytes( * the operation's capacity is set to 0, thus * subsequent calls to this function will not * succeed, even with a smaller expected output. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active and completed * all required input steps), or the library has not been previously @@ -3893,10 +3893,10 @@ psa_status_t psa_key_derivation_verify_key( * * \param[in,out] operation The operation to abort. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -3934,8 +3934,8 @@ psa_status_t psa_key_derivation_abort( * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \p alg is not a key agreement algorithm, or * \p private_key is not compatible with \p alg, @@ -3945,11 +3945,11 @@ psa_status_t psa_key_derivation_abort( * \p output_size is too small * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not a supported key agreement algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -3981,13 +3981,13 @@ psa_status_t psa_raw_key_agreement(psa_algorithm_t alg, * \param[out] output Output buffer for the generated data. * \param output_size Number of bytes to generate and output. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -4024,17 +4024,17 @@ psa_status_t psa_generate_random(uint8_t *output, * \retval #PSA_ERROR_ALREADY_EXISTS * This is an attempt to create a persistent key, and there is * already a persistent key with the given identifier. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INSUFFICIENT_STORAGE - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize diff --git a/include/psa/crypto_compat.h b/include/psa/crypto_compat.h index 97e65848c3..3544f96327 100644 --- a/include/psa/crypto_compat.h +++ b/include/psa/crypto_compat.h @@ -105,11 +105,11 @@ static inline int psa_key_handle_is_null(psa_key_handle_t handle) * permission to access it. Note that this specification does not * define any way to create such a key, but it may be possible * through implementation-specific means. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_DATA_CORRUPT + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -149,8 +149,8 @@ psa_status_t psa_open_key(mbedtls_svc_key_id_t key, * \p handle was a valid handle or \c 0. It is now closed. * \retval #PSA_ERROR_INVALID_HANDLE * \p handle is not a valid handle nor \c 0. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index bd1b5af569..582d94249e 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -189,12 +189,12 @@ static inline void psa_clear_key_slot_number( * or the specified slot number is not valid. * \retval #PSA_ERROR_NOT_PERMITTED * The caller is not authorized to register the specified key slot. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_INSUFFICIENT_STORAGE - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -491,10 +491,10 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed, * according to \p type as described above. * \param data_length Size of the \p data buffer in bytes. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription */ psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes, psa_key_type_t type, @@ -521,8 +521,8 @@ psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes, * \param[out] data_length On success, the number of bytes * that make up the key domain parameters data. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription */ psa_status_t psa_get_key_domain_parameters( const psa_key_attributes_t *attributes, @@ -1352,8 +1352,8 @@ static psa_pake_operation_t psa_pake_operation_init(void); * compatible with the PAKE algorithm, or the hash algorithm in * \p cipher_suite is not supported or not compatible with the PAKE * algorithm and primitive. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid, or * the library has not been previously initialized by psa_crypto_init(). @@ -1397,11 +1397,11 @@ psa_status_t psa_pake_setup(psa_pake_operation_t *operation, * \retval #PSA_ERROR_NOT_SUPPORTED * The key type or key size of \p password is not supported with the * \p operation's cipher suite. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_DATA_INVALID + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must have been set up.), or * the library has not been previously initialized by psa_crypto_init(). @@ -1439,9 +1439,9 @@ psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation, * suite. * \retval #PSA_ERROR_NOT_SUPPORTED * The value of \p user_id is not supported by the implementation. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid, or * the library has not been previously initialized by psa_crypto_init(). @@ -1480,9 +1480,9 @@ psa_status_t psa_pake_set_user(psa_pake_operation_t *operation, * suite. * \retval #PSA_ERROR_NOT_SUPPORTED * The algorithm doesn't associate a second identity with the session. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * Calling psa_pake_set_peer() is invalid with the \p operation's * algorithm, the operation state is not valid, or the library has not @@ -1524,8 +1524,8 @@ psa_status_t psa_pake_set_peer(psa_pake_operation_t *operation, * The \p role is not a valid PAKE role in the \p operation’s algorithm. * \retval #PSA_ERROR_NOT_SUPPORTED * The \p role for this algorithm is not supported or is not valid. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid, or * the library has not been previously initialized by psa_crypto_init(). @@ -1575,13 +1575,13 @@ psa_status_t psa_pake_set_role(psa_pake_operation_t *operation, * \p step is not compatible with the operation's algorithm. * \retval #PSA_ERROR_NOT_SUPPORTED * \p step is not supported with the operation's algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_DATA_INVALID + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, and fully set * up, and this call must conform to the algorithm's requirements @@ -1631,12 +1631,12 @@ psa_status_t psa_pake_output(psa_pake_operation_t *operation, * \p step p is not supported with the \p operation's algorithm, or the * \p input is not supported for the \p operation's algorithm, cipher * suite or \p step. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_DATA_INVALID + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active, and fully set * up, and this call must conform to the algorithm's requirements @@ -1691,12 +1691,12 @@ psa_status_t psa_pake_input(psa_pake_operation_t *operation, * \retval #PSA_ERROR_NOT_SUPPORTED * Input from a PAKE is not supported by the algorithm in the \p output * key derivation operation. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_DATA_INVALID + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription * \retval #PSA_ERROR_BAD_STATE * The PAKE operation state is not valid (it must be active, but beyond * that validity is specific to the algorithm), or @@ -1728,8 +1728,8 @@ psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, * * \retval #PSA_SUCCESS * Success. - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize diff --git a/include/psa/crypto_se_driver.h b/include/psa/crypto_se_driver.h index a0527897cf..9ae631ffec 100644 --- a/include/psa/crypto_se_driver.h +++ b/include/psa/crypto_se_driver.h @@ -385,8 +385,8 @@ typedef struct { * \param[in] direction Indicates whether the operation is an encrypt * or decrypt * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription */ typedef psa_status_t (*psa_drv_se_cipher_setup_t)(psa_drv_se_context_t *drv_context, void *op_context, @@ -407,7 +407,7 @@ typedef psa_status_t (*psa_drv_se_cipher_setup_t)(psa_drv_se_context_t *drv_cont * \param[in] p_iv A buffer containing the initialization vector * \param[in] iv_length The size (in bytes) of the `p_iv` buffer * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription */ typedef psa_status_t (*psa_drv_se_cipher_set_iv_t)(void *op_context, const uint8_t *p_iv, @@ -429,7 +429,7 @@ typedef psa_status_t (*psa_drv_se_cipher_set_iv_t)(void *op_context, * \param[out] p_output_length After completion, will contain the number * of bytes placed in the `p_output` buffer * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription */ typedef psa_status_t (*psa_drv_se_cipher_update_t)(void *op_context, const uint8_t *p_input, @@ -450,7 +450,7 @@ typedef psa_status_t (*psa_drv_se_cipher_update_t)(void *op_context, * \param[out] p_output_length After completion, will contain the number of * bytes placed in the `p_output` buffer * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription */ typedef psa_status_t (*psa_drv_se_cipher_finish_t)(void *op_context, uint8_t *p_output, @@ -485,8 +485,8 @@ typedef psa_status_t (*psa_drv_se_cipher_abort_t)(void *op_context); * \param[in] output_size The allocated size in bytes of the `p_output` * buffer * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription */ typedef psa_status_t (*psa_drv_se_cipher_ecb_t)(psa_drv_se_context_t *drv_context, psa_key_slot_number_t key_slot, @@ -554,7 +554,7 @@ typedef struct { * \param[out] p_signature_length On success, the number of bytes * that make up the returned signature value * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription */ typedef psa_status_t (*psa_drv_se_asymmetric_sign_t)(psa_drv_se_context_t *drv_context, psa_key_slot_number_t key_slot, @@ -618,7 +618,7 @@ typedef psa_status_t (*psa_drv_se_asymmetric_verify_t)(psa_drv_se_context_t *drv * \param[out] p_output_length On success, the number of bytes that make up * the returned output * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription */ typedef psa_status_t (*psa_drv_se_asymmetric_encrypt_t)(psa_drv_se_context_t *drv_context, psa_key_slot_number_t key_slot, @@ -658,7 +658,7 @@ typedef psa_status_t (*psa_drv_se_asymmetric_encrypt_t)(psa_drv_se_context_t *dr * \param[out] p_output_length On success, the number of bytes * that make up the returned output * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription */ typedef psa_status_t (*psa_drv_se_asymmetric_decrypt_t)(psa_drv_se_context_t *drv_context, psa_key_slot_number_t key_slot, @@ -904,8 +904,8 @@ typedef enum { * Success. * The core will record \c *key_slot as the key slot where the key * is stored and will update the persistent data in storage. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INSUFFICIENT_STORAGE + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription */ typedef psa_status_t (*psa_drv_se_allocate_key_t)( psa_drv_se_context_t *drv_context, @@ -1043,13 +1043,13 @@ typedef psa_status_t (*psa_drv_se_destroy_key_t)( * \param[out] p_data_length On success, the number of bytes * that make up the key data. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_DOES_NOT_EXIST - * \retval #PSA_ERROR_NOT_PERMITTED - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ typedef psa_status_t (*psa_drv_se_export_key_t)(psa_drv_se_context_t *drv_context, psa_key_slot_number_t key, @@ -1196,7 +1196,7 @@ typedef struct { * \param[in] source_key The key to be used as the source material for * the key derivation * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription */ typedef psa_status_t (*psa_drv_se_key_derivation_setup_t)(psa_drv_se_context_t *drv_context, void *op_context, @@ -1216,7 +1216,7 @@ typedef psa_status_t (*psa_drv_se_key_derivation_setup_t)(psa_drv_se_context_t * * \param[in] p_collateral A buffer containing the collateral data * \param[in] collateral_size The size in bytes of the collateral * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription */ typedef psa_status_t (*psa_drv_se_key_derivation_collateral_t)(void *op_context, uint32_t collateral_id, @@ -1231,7 +1231,7 @@ typedef psa_status_t (*psa_drv_se_key_derivation_collateral_t)(void *op_context, * \param[in] dest_key The slot where the generated key material * should be placed * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription */ typedef psa_status_t (*psa_drv_se_key_derivation_derive_t)(void *op_context, psa_key_slot_number_t dest_key); @@ -1245,7 +1245,7 @@ typedef psa_status_t (*psa_drv_se_key_derivation_derive_t)(void *op_context, * \param[out] p_output_length Upon success, contains the number of bytes of * key material placed in `p_output` * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription */ typedef psa_status_t (*psa_drv_se_key_derivation_export_t)(void *op_context, uint8_t *p_output, diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a683fdb8f7..1a2ef59205 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1673,12 +1673,12 @@ static psa_status_t psa_start_key_creation( * * \retval #PSA_SUCCESS * The key was successfully created. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_INSUFFICIENT_STORAGE - * \retval #PSA_ERROR_ALREADY_EXISTS - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription * * \return If this function fails, the key slot is an invalid state. * You must call psa_fail_key_creation() to wipe and free the slot. diff --git a/library/psa_crypto_aead.h b/library/psa_crypto_aead.h index 2ae8fe82d6..4b24b0f68d 100644 --- a/library/psa_crypto_aead.h +++ b/library/psa_crypto_aead.h @@ -71,10 +71,10 @@ * \retval #PSA_SUCCESS Success. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * ciphertext_size is too small. - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_aead_encrypt( const psa_key_attributes_t *attributes, @@ -134,10 +134,10 @@ psa_status_t mbedtls_psa_aead_encrypt( * The cipher is not authentic. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * plaintext_size is too small. - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_aead_decrypt( const psa_key_attributes_t *attributes, diff --git a/library/psa_crypto_cipher.h b/library/psa_crypto_cipher.h index 6cc6bf6145..bf43ff08ab 100644 --- a/library/psa_crypto_cipher.h +++ b/library/psa_crypto_cipher.h @@ -59,10 +59,10 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( * (\c PSA_ALG_XXX value such that * #PSA_ALG_IS_CIPHER(\p alg) is true). * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_cipher_encrypt_setup( mbedtls_psa_cipher_operation_t *operation, @@ -89,10 +89,10 @@ psa_status_t mbedtls_psa_cipher_encrypt_setup( * (\c PSA_ALG_XXX value such that * #PSA_ALG_IS_CIPHER(\p alg) is true). * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_cipher_decrypt_setup( mbedtls_psa_cipher_operation_t *operation, @@ -116,11 +116,11 @@ psa_status_t mbedtls_psa_cipher_decrypt_setup( * the core to be less or equal to * PSA_CIPHER_IV_MAX_SIZE. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * The size of \p iv is not acceptable for the chosen algorithm, * or the chosen algorithm does not use an IV. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription */ psa_status_t mbedtls_psa_cipher_set_iv( mbedtls_psa_cipher_operation_t *operation, @@ -142,10 +142,10 @@ psa_status_t mbedtls_psa_cipher_set_iv( * \param[out] output_length On success, the number of bytes * that make up the returned output. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p output buffer is too small. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription */ psa_status_t mbedtls_psa_cipher_update( mbedtls_psa_cipher_operation_t *operation, @@ -165,7 +165,7 @@ psa_status_t mbedtls_psa_cipher_update( * \param[out] output_length On success, the number of bytes * that make up the returned output. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * The total input size passed to this operation is not valid for * this particular algorithm. For example, the algorithm is a based @@ -176,7 +176,7 @@ psa_status_t mbedtls_psa_cipher_update( * padding, and the ciphertext does not contain valid padding. * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p output buffer is too small. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription */ psa_status_t mbedtls_psa_cipher_finish( mbedtls_psa_cipher_operation_t *operation, @@ -195,7 +195,7 @@ psa_status_t mbedtls_psa_cipher_finish( * * \param[in,out] operation Initialized cipher operation. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription */ psa_status_t mbedtls_psa_cipher_abort(mbedtls_psa_cipher_operation_t *operation); @@ -224,10 +224,10 @@ psa_status_t mbedtls_psa_cipher_abort(mbedtls_psa_cipher_operation_t *operation) * the returned output. Initialized to zero * by the core. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p output buffer is too small. * \retval #PSA_ERROR_INVALID_ARGUMENT @@ -275,10 +275,10 @@ psa_status_t mbedtls_psa_cipher_encrypt(const psa_key_attributes_t *attributes, * the returned output. Initialized to zero * by the core. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p output buffer is too small. * \retval #PSA_ERROR_INVALID_ARGUMENT diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 38e4bc5cca..ed278445a4 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -209,7 +209,7 @@ psa_status_t psa_get_and_lock_key_slot_with_policy(mbedtls_svc_key_id_t key, * \retval #PSA_SUCCESS * Success. This includes the case of a key slot that was * already fully wiped. - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot); @@ -285,9 +285,9 @@ psa_status_t mbedtls_to_psa_error(int ret); * \retval #PSA_SUCCESS The key was imported successfully. * \retval #PSA_ERROR_INVALID_ARGUMENT * The key data is not correctly formatted. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t psa_import_key_into_slot( const psa_key_attributes_t *attributes, @@ -310,12 +310,12 @@ psa_status_t psa_import_key_into_slot( * \p data * * \retval #PSA_SUCCESS The key was exported successfully. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription */ psa_status_t psa_export_key_internal( const psa_key_attributes_t *attributes, @@ -338,12 +338,12 @@ psa_status_t psa_export_key_internal( * \p data * * \retval #PSA_SUCCESS The public key was exported successfully. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription */ psa_status_t psa_export_public_key_internal( const psa_key_attributes_t *attributes, @@ -364,7 +364,7 @@ psa_status_t psa_export_public_key_internal( * * \retval #PSA_SUCCESS * The key was generated successfully. - * \retval #PSA_ERROR_INVALID_ARGUMENT + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription * \retval #PSA_ERROR_NOT_SUPPORTED * Key size in bits or type not supported. * \retval #PSA_ERROR_BUFFER_TOO_SMALL @@ -399,18 +399,18 @@ psa_status_t psa_generate_key_internal(const psa_key_attributes_t *attributes, * \param[out] signature_length On success, the number of bytes * that make up the returned signature value. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p signature buffer is too small. You can * determine a sufficient buffer size by calling * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) * where \c key_type and \c key_bits are the type and bit-size * respectively of the key. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription */ psa_status_t psa_sign_message_builtin( const psa_key_attributes_t *attributes, @@ -445,9 +445,9 @@ psa_status_t psa_sign_message_builtin( * \retval #PSA_ERROR_INVALID_SIGNATURE * The calculation was performed successfully, but the passed * signature is not a valid signature. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription */ psa_status_t psa_verify_message_builtin( const psa_key_attributes_t *attributes, @@ -475,18 +475,18 @@ psa_status_t psa_verify_message_builtin( * \param[out] signature_length On success, the number of bytes * that make up the returned signature value. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p signature buffer is too small. You can * determine a sufficient buffer size by calling * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) * where \c key_type and \c key_bits are the type and bit-size * respectively of the key. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription */ psa_status_t psa_sign_hash_builtin( const psa_key_attributes_t *attributes, @@ -519,9 +519,9 @@ psa_status_t psa_sign_hash_builtin( * \retval #PSA_ERROR_INVALID_SIGNATURE * The calculation was performed successfully, but the passed * signature is not a valid signature. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription */ psa_status_t psa_verify_hash_builtin( const psa_key_attributes_t *attributes, @@ -577,8 +577,8 @@ psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type, * up the returned shared secret. * \retval #PSA_SUCCESS * Success. Shared secret successfully calculated. - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \p alg is not a key agreement algorithm, or * \p private_key is not compatible with \p alg, @@ -588,12 +588,12 @@ psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type, * \p shared_secret_size is too small * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not a supported key agreement algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_BAD_STATE + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_BAD_STATE \emptydescription */ psa_status_t psa_key_agreement_raw_builtin( const psa_key_attributes_t *attributes, diff --git a/library/psa_crypto_ecp.h b/library/psa_crypto_ecp.h index 71f9d6acca..e0656e79c0 100644 --- a/library/psa_crypto_ecp.h +++ b/library/psa_crypto_ecp.h @@ -70,9 +70,9 @@ psa_status_t mbedtls_psa_ecp_load_representation(psa_key_type_t type, * \retval #PSA_SUCCESS The ECP key was imported successfully. * \retval #PSA_ERROR_INVALID_ARGUMENT * The key data is not correctly formatted. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_ecp_import_key( const psa_key_attributes_t *attributes, @@ -111,12 +111,12 @@ psa_status_t mbedtls_psa_ecp_export_key(psa_key_type_t type, * \p data * * \retval #PSA_SUCCESS The ECP public key was exported successfully. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription */ psa_status_t mbedtls_psa_ecp_export_public_key( const psa_key_attributes_t *attributes, @@ -166,17 +166,17 @@ psa_status_t mbedtls_psa_ecp_generate_key( * \param[out] signature_length On success, the number of bytes * that make up the returned signature value. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p signature buffer is too small. You can * determine a sufficient buffer size by calling * #PSA_SIGN_OUTPUT_SIZE(\c PSA_KEY_TYPE_ECC_KEY_PAIR, \c key_bits, * \p alg) where \c key_bits is the bit-size of the ECC key. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription */ psa_status_t mbedtls_psa_ecdsa_sign_hash( const psa_key_attributes_t *attributes, @@ -209,9 +209,9 @@ psa_status_t mbedtls_psa_ecdsa_sign_hash( * \retval #PSA_ERROR_INVALID_SIGNATURE * The calculation was performed successfully, but the passed * signature is not a valid signature. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription */ psa_status_t mbedtls_psa_ecdsa_verify_hash( const psa_key_attributes_t *attributes, @@ -247,8 +247,8 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash( * up the returned shared secret. * \retval #PSA_SUCCESS * Success. Shared secret successfully calculated. - * \retval #PSA_ERROR_INVALID_HANDLE - * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription + * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription * \retval #PSA_ERROR_INVALID_ARGUMENT * \p alg is not a key agreement algorithm, or * \p private_key is not compatible with \p alg, @@ -258,8 +258,8 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash( * \p shared_secret_size is too small * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not a supported key agreement algorithm. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_key_agreement_ecdh( const psa_key_attributes_t *attributes, diff --git a/library/psa_crypto_hash.h b/library/psa_crypto_hash.h index 63874e87dc..d6bbd3feec 100644 --- a/library/psa_crypto_hash.h +++ b/library/psa_crypto_hash.h @@ -48,8 +48,8 @@ * \p alg is not supported * \retval #PSA_ERROR_BUFFER_TOO_SMALL * \p hash_size is too small - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_hash_compute( psa_algorithm_t alg, @@ -88,8 +88,8 @@ psa_status_t mbedtls_psa_hash_compute( * \p alg is not supported * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be inactive). - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_hash_setup( mbedtls_psa_hash_operation_t *operation, @@ -115,13 +115,13 @@ psa_status_t mbedtls_psa_hash_setup( * \param[in,out] target_operation The operation object to set up. * It must be initialized but not active. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_BAD_STATE * The \p source_operation state is not valid (it must be active). * \retval #PSA_ERROR_BAD_STATE * The \p target_operation state is not valid (it must be inactive). - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription */ psa_status_t mbedtls_psa_hash_clone( const mbedtls_psa_hash_operation_t *source_operation, @@ -147,8 +147,8 @@ psa_status_t mbedtls_psa_hash_clone( * Success. * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active). - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_hash_update( mbedtls_psa_hash_operation_t *operation, @@ -186,8 +186,8 @@ psa_status_t mbedtls_psa_hash_update( * The size of the \p hash buffer is too small. You can determine a * sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg) * where \c alg is the hash algorithm that is calculated. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_hash_finish( mbedtls_psa_hash_operation_t *operation, @@ -216,8 +216,8 @@ psa_status_t mbedtls_psa_hash_finish( * * \param[in,out] operation Initialized hash operation. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_hash_abort( mbedtls_psa_hash_operation_t *operation); diff --git a/library/psa_crypto_mac.h b/library/psa_crypto_mac.h index 21c4de6362..4f8024a9e3 100644 --- a/library/psa_crypto_mac.h +++ b/library/psa_crypto_mac.h @@ -52,8 +52,8 @@ * \p alg is not supported. * \retval #PSA_ERROR_BUFFER_TOO_SMALL * \p mac_size is too small - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_mac_compute( const psa_key_attributes_t *attributes, @@ -89,8 +89,8 @@ psa_status_t mbedtls_psa_mac_compute( * Success. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be inactive). */ @@ -124,8 +124,8 @@ psa_status_t mbedtls_psa_mac_sign_setup( * Success. * \retval #PSA_ERROR_NOT_SUPPORTED * \p alg is not supported. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be inactive). */ @@ -158,8 +158,8 @@ psa_status_t mbedtls_psa_mac_verify_setup( * Success. * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be active). - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_mac_update( mbedtls_psa_mac_operation_t *operation, @@ -200,8 +200,8 @@ psa_status_t mbedtls_psa_mac_update( * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p mac buffer is too small. A sufficient buffer size * can be determined by calling PSA_MAC_LENGTH(). - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_mac_sign_finish( mbedtls_psa_mac_operation_t *operation, @@ -241,8 +241,8 @@ psa_status_t mbedtls_psa_mac_sign_finish( * \retval #PSA_ERROR_BAD_STATE * The operation state is not valid (it must be an active mac verify * operation). - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_mac_verify_finish( mbedtls_psa_mac_operation_t *operation, @@ -267,8 +267,8 @@ psa_status_t mbedtls_psa_mac_verify_finish( * * \param[in,out] operation Initialized MAC operation. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_mac_abort( mbedtls_psa_mac_operation_t *operation); diff --git a/library/psa_crypto_rsa.h b/library/psa_crypto_rsa.h index c3acdd0ebf..bc24ef5d5c 100644 --- a/library/psa_crypto_rsa.h +++ b/library/psa_crypto_rsa.h @@ -61,9 +61,9 @@ psa_status_t mbedtls_psa_rsa_load_representation(psa_key_type_t type, * \retval #PSA_SUCCESS The RSA key was imported successfully. * \retval #PSA_ERROR_INVALID_ARGUMENT * The key data is not correctly formatted. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription */ psa_status_t mbedtls_psa_rsa_import_key( const psa_key_attributes_t *attributes, @@ -102,12 +102,12 @@ psa_status_t mbedtls_psa_rsa_export_key(psa_key_type_t type, * \p data. * * \retval #PSA_SUCCESS The RSA public key was exported successfully. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription */ psa_status_t mbedtls_psa_rsa_export_public_key( const psa_key_attributes_t *attributes, @@ -158,17 +158,17 @@ psa_status_t mbedtls_psa_rsa_generate_key( * \param[out] signature_length On success, the number of bytes * that make up the returned signature value. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p signature buffer is too small. You can * determine a sufficient buffer size by calling * #PSA_SIGN_OUTPUT_SIZE(\c PSA_KEY_TYPE_RSA_KEY_PAIR, \c key_bits, * \p alg) where \c key_bits is the bit-size of the RSA key. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription */ psa_status_t mbedtls_psa_rsa_sign_hash( const psa_key_attributes_t *attributes, @@ -202,9 +202,9 @@ psa_status_t mbedtls_psa_rsa_sign_hash( * \retval #PSA_ERROR_INVALID_SIGNATURE * The calculation was performed successfully, but the passed * signature is not a valid signature. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription */ psa_status_t mbedtls_psa_rsa_verify_hash( const psa_key_attributes_t *attributes, @@ -237,20 +237,20 @@ psa_status_t mbedtls_psa_rsa_verify_hash( * \param[out] output_length On success, the number of bytes * that make up the returned output. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p output buffer is too small. You can * determine a sufficient buffer size by calling * #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) * where \c key_type and \c key_bits are the type and bit-size * respectively of \p key. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -294,21 +294,21 @@ psa_status_t mbedtls_psa_asymmetric_encrypt(const psa_key_attributes_t *attribut * \param[out] output_length On success, the number of bytes * that make up the returned output. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p output buffer is too small. You can * determine a sufficient buffer size by calling * #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) * where \c key_type and \c key_bits are the type and bit-size * respectively of \p key. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY - * \retval #PSA_ERROR_INVALID_PADDING + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + * \retval #PSA_ERROR_INVALID_PADDING \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h index ff8ccdeae5..c8366abeb8 100644 --- a/library/psa_crypto_slot_management.h +++ b/library/psa_crypto_slot_management.h @@ -88,9 +88,9 @@ static inline int psa_key_id_is_volatile(psa_key_id_t key_id) * due to a lack of empty key slot, or available memory. * \retval #PSA_ERROR_DOES_NOT_EXIST * There is no key with key identifier \p key. - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_CORRUPT + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription */ psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key, psa_key_slot_t **p_slot); @@ -118,9 +118,9 @@ void psa_wipe_all_key_slots(void); * associated to the returned slot. * \param[out] p_slot On success, a pointer to the slot. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_BAD_STATE + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_BAD_STATE \emptydescription */ psa_status_t psa_get_empty_key_slot(psa_key_id_t *volatile_key_id, psa_key_slot_t **p_slot); @@ -195,8 +195,8 @@ static inline int psa_key_lifetime_is_external(psa_key_lifetime_t lifetime) * storage, returns a pointer to the driver table * associated with the key's storage location. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INVALID_ARGUMENT + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription */ psa_status_t psa_validate_key_location(psa_key_lifetime_t lifetime, psa_se_drv_table_entry_t **p_drv); @@ -205,7 +205,7 @@ psa_status_t psa_validate_key_location(psa_key_lifetime_t lifetime, * * \param[in] lifetime The key lifetime attribute. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_NOT_SUPPORTED The key is persistent but persistent keys * are not supported. */ diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c index 8225014392..a8ed937536 100644 --- a/library/psa_crypto_storage.c +++ b/library/psa_crypto_storage.c @@ -79,11 +79,11 @@ static psa_storage_uid_t psa_its_identifier_of_slot(mbedtls_svc_key_id_t key) * \param[out] data Buffer where the data is to be written. * \param data_size Size of the \c data buffer in bytes. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DOES_NOT_EXIST + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription */ static psa_status_t psa_crypto_storage_load( const mbedtls_svc_key_id_t key, uint8_t *data, size_t data_size) @@ -131,11 +131,11 @@ int psa_is_key_present_in_storage(const mbedtls_svc_key_id_t key) * \param data_length The number of bytes * that make up the data. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INSUFFICIENT_STORAGE - * \retval #PSA_ERROR_ALREADY_EXISTS - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_INVALID + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription */ static psa_status_t psa_crypto_storage_store(const mbedtls_svc_key_id_t key, const uint8_t *data, @@ -205,10 +205,10 @@ psa_status_t psa_destroy_persistent_key(const mbedtls_svc_key_id_t key) * is to be obtained. * \param[out] data_length The number of bytes that make up the data. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DOES_NOT_EXIST - * \retval #PSA_ERROR_DATA_CORRUPT + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription */ static psa_status_t psa_crypto_storage_get_data_length( const mbedtls_svc_key_id_t key, diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h index 8e108c5684..04768f8a43 100644 --- a/library/psa_crypto_storage.h +++ b/library/psa_crypto_storage.h @@ -96,14 +96,14 @@ int psa_is_key_present_in_storage(const mbedtls_svc_key_id_t key); * \param[in] data Buffer containing the key data. * \param data_length The number of bytes that make up the key data. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_INSUFFICIENT_STORAGE - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_ALREADY_EXISTS - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_DATA_CORRUPT + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription */ psa_status_t psa_save_persistent_key(const psa_core_key_attributes_t *attr, const uint8_t *data, @@ -129,11 +129,11 @@ psa_status_t psa_save_persistent_key(const psa_core_key_attributes_t *attr, * \param[out] data Pointer to an allocated key data buffer on return. * \param[out] data_length The number of bytes that make up the key data. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_DOES_NOT_EXIST + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription */ psa_status_t psa_load_persistent_key(psa_core_key_attributes_t *attr, uint8_t **data, @@ -148,7 +148,7 @@ psa_status_t psa_load_persistent_key(psa_core_key_attributes_t *attr, * \retval #PSA_SUCCESS * The key was successfully removed, * or the key did not exist. - * \retval #PSA_ERROR_DATA_INVALID + * \retval #PSA_ERROR_DATA_INVALID \emptydescription */ psa_status_t psa_destroy_persistent_key(const mbedtls_svc_key_id_t key); @@ -190,9 +190,9 @@ void psa_format_key_data_for_storage(const uint8_t *data, * \param[out] attr On success, the attribute structure is filled * with the loaded key metadata. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_DATA_INVALID + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription */ psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data, size_t storage_data_length, @@ -322,10 +322,10 @@ static inline void psa_crypto_prepare_transaction( * You may call this function multiple times during a transaction to * atomically update the transaction state. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_INSUFFICIENT_STORAGE - * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription */ psa_status_t psa_crypto_save_transaction(void); @@ -339,9 +339,9 @@ psa_status_t psa_crypto_save_transaction(void); * #psa_crypto_transaction. * \retval #PSA_ERROR_DOES_NOT_EXIST * There is no ongoing transaction. - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_DATA_CORRUPT + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription */ psa_status_t psa_crypto_load_transaction(void); @@ -380,8 +380,8 @@ psa_status_t psa_crypto_stop_transaction(void); * * \retval #PSA_SUCCESS * Success - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_INSUFFICIENT_STORAGE + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription * \retval #PSA_ERROR_NOT_PERMITTED * The entropy seed file already exists. */ diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index bdf331516c..942798075b 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -441,9 +441,9 @@ psa_status_t psa_driver_wrapper_verify_hash( * \param[in] data_length The input data length. * \param[out] key_buffer_size Minimum buffer size to contain the key material. * - * \retval #PSA_SUCCESS - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription */ psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data( const psa_key_attributes_t *attributes, From 4386cf188d1299f5652f99c6f0293baa67af996b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 14 Feb 2023 19:26:56 +0100 Subject: [PATCH 051/250] Changelog entry for pacifying clang -Wdocumentation about \retval Fixes #6960 Signed-off-by: Gilles Peskine --- ChangeLog.d/empty-retval-description.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/empty-retval-description.txt diff --git a/ChangeLog.d/empty-retval-description.txt b/ChangeLog.d/empty-retval-description.txt new file mode 100644 index 0000000000..491adf55d0 --- /dev/null +++ b/ChangeLog.d/empty-retval-description.txt @@ -0,0 +1,3 @@ +Bugfix + * Silence warnings from clang -Wdocumentation about empty \retval + descriptions, which started appearing with Clang 15. Fixes #6960. From c36743f4e076974076212094de451ad7b51e0988 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Wed, 15 Feb 2023 10:20:40 +0800 Subject: [PATCH 052/250] Only check files known to git Signed-off-by: Pengyu Lv --- scripts/code_style.py | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/scripts/code_style.py b/scripts/code_style.py index eaf1f6b88f..e40a20cfc3 100755 --- a/scripts/code_style.py +++ b/scripts/code_style.py @@ -37,8 +37,8 @@ def print_err(*args): def print_skip(files_to_skip): print() print(*files_to_skip, sep=", SKIP\n", end=", SKIP\n") - print("Warn: The listed files will be skipped because\n" - "they are not included in the default list.") + print("Warning: The listed files will be skipped because\n" + "they are not known to git.") print() # Match FILENAME(s) in "check SCRIPT (FILENAME...)" @@ -182,23 +182,27 @@ def main() -> int: parser.add_argument('-f', '--fix', action='store_true', help=('modify source files to fix the code style ' '(default: print diff, do not modify files)')) + # --subset is almost useless: it only matters if there are no files + # ('code_style.py' without arguments checks all files known to Git, + # 'code_style.py --subset' does nothing). In particular, + # 'code_style.py --fix --subset ...' is intended as a stable ("porcelain") + # way to restyle a possibly empty set of files. parser.add_argument('--subset', action='store_true', - help=('check a subset of the files known to git ' - '(default: check all files passed as arguments, ' - 'known to git or not)')) + help='only check the specified files (default with non-option arguments)') parser.add_argument('operands', nargs='*', metavar='FILE', - help='files to check (if none: check files that are known to git)') + help='files to check (files MUST be known to git, if none: check all)') args = parser.parse_args() covered = frozenset(get_src_files()) - src_files = args.operands if args.operands else covered - if args.subset: - # We are to check a subset of the default list + # We only check files that are known to git + if args.subset or args.operands: src_files = [f for f in args.operands if f in covered] skip_src_files = [f for f in args.operands if f not in covered] if skip_src_files: print_skip(skip_src_files) + else: + src_files = covered if args.fix: # Fix mode From 35f2b26fd80c223976eb68c05d305764388fc096 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 15 Feb 2023 11:35:55 +0800 Subject: [PATCH 053/250] move cpu modifier flags check to source file Signed-off-by: Jerry Yu --- include/mbedtls/check_config.h | 39 +--------------------------------- library/sha256.c | 5 +++++ library/sha512.c | 38 +++++++++++++++++++++++++++++++++ 3 files changed, 44 insertions(+), 38 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 1efabdc1fd..21daabe489 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -708,41 +708,6 @@ #if defined(MBEDTLS_SHA512_ALT) || defined(MBEDTLS_SHA512_PROCESS_ALT) #error "MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_*" #endif -/* - * Best performance comes from most recent compilers, with intrinsics and -O3. - * Must compile with -march=armv8.2-a+sha3, but we can't detect armv8.2-a, and - * can't always detect __ARM_FEATURE_SHA512 (notably clang 7-12). - * - * GCC < 8 won't work at all (lacks the sha512 instructions) - * GCC >= 8 uses intrinsics, sets __ARM_FEATURE_SHA512 - * - * Clang < 7 won't work at all (lacks the sha512 instructions) - * Clang 7-12 don't have intrinsics (but we work around that with inline - * assembler) or __ARM_FEATURE_SHA512 - * Clang == 13.0.0 same as clang 12 (only seen on macOS) - * Clang >= 13.0.1 has __ARM_FEATURE_SHA512 and intrinsics - */ -#if defined(__aarch64__) && !defined(__ARM_FEATURE_SHA512) - /* Test Clang first, as it defines __GNUC__ */ -# if defined(__clang__) -# if __clang_major__ < 7 -# error "A more recent Clang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" -# elif __clang_major__ < 13 || \ - (__clang_major__ == 13 && __clang_minor__ == 0 && __clang_patchlevel__ == 0) - /* We implement the intrinsics with inline assembler, so don't error */ -# else -# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_A64_CRYPTO_*" -# endif -# elif defined(__GNUC__) -# if __GNUC__ < 8 -# error "A more recent GCC is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" -# else -# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_A64_CRYPTO_*" -# endif -# else -# error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_A64_CRYPTO_*" -# endif -#endif #endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ @@ -763,9 +728,7 @@ #if defined(MBEDTLS_SHA256_ALT) || defined(MBEDTLS_SHA256_PROCESS_ALT) #error "MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_A64_CRYPTO_*" #endif -#if defined(__aarch64__) && !defined(__ARM_FEATURE_CRYPTO) -#error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_A64_CRYPTO_*" -#endif + #endif #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && \ diff --git a/library/sha256.c b/library/sha256.c index cb09a71ec1..010f4bc02f 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -37,6 +37,11 @@ #if defined(__aarch64__) # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) +/* *INDENT-OFF* */ +# if !defined(__ARM_FEATURE_CRYPTO) +# error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_A64_CRYPTO_*" +# endif +/* *INDENT-ON* */ # include # endif # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) diff --git a/library/sha512.c b/library/sha512.c index efcbed413f..767857f344 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -43,6 +43,44 @@ #if defined(__aarch64__) # if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) +/* *INDENT-OFF* */ +/* + * Best performance comes from most recent compilers, with intrinsics and -O3. + * Must compile with -march=armv8.2-a+sha3, but we can't detect armv8.2-a, and + * can't always detect __ARM_FEATURE_SHA512 (notably clang 7-12). + * + * GCC < 8 won't work at all (lacks the sha512 instructions) + * GCC >= 8 uses intrinsics, sets __ARM_FEATURE_SHA512 + * + * Clang < 7 won't work at all (lacks the sha512 instructions) + * Clang 7-12 don't have intrinsics (but we work around that with inline + * assembler) or __ARM_FEATURE_SHA512 + * Clang == 13.0.0 same as clang 12 (only seen on macOS) + * Clang >= 13.0.1 has __ARM_FEATURE_SHA512 and intrinsics + */ +#if !defined(__ARM_FEATURE_SHA512) + /* Test Clang first, as it defines __GNUC__ */ +# if defined(__clang__) +# if __clang_major__ < 7 +# error "A more recent Clang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" +# elif __clang_major__ < 13 || \ + (__clang_major__ == 13 && __clang_minor__ == 0 && __clang_patchlevel__ == 0) + /* We implement the intrinsics with inline assembler, so don't error */ +# else +# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_A64_CRYPTO_*" +# endif +# elif defined(__GNUC__) +# if __GNUC__ < 8 +# error "A more recent GCC is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" +# else +# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_A64_CRYPTO_*" +# endif +# else +# error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_A64_CRYPTO_*" +# endif +#endif +/* *INDENT-ON* */ + # include # endif # if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) From 64e5d4a2cdb64c274c0001a281b3c5c583c87f0c Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 15 Feb 2023 11:46:57 +0800 Subject: [PATCH 054/250] Replace error output with target pragma if possible Signed-off-by: Jerry Yu --- library/sha256.c | 24 ++++++++++++++++++++- library/sha512.c | 54 +++++++++++++++++++++++++++++------------------- 2 files changed, 56 insertions(+), 22 deletions(-) diff --git a/library/sha256.c b/library/sha256.c index 010f4bc02f..4321765519 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -39,7 +39,29 @@ defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) /* *INDENT-OFF* */ # if !defined(__ARM_FEATURE_CRYPTO) -# error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_A64_CRYPTO_*" +# if defined(__clang__) +# if __clang_major__ < 18 + /* TODO: Re-consider above after https://reviews.llvm.org/D131064 + * merged. + * + * The intrinsic declaration are guarded with ACLE predefined macros + * in clang, and those macros are only enabled with command line. + * Define the macros can enable those declaration and avoid compile + * error on it. + */ +# define __ARM_FEATURE_CRYPTO 1 +# endif +# pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) +# define MBEDTLS_POP_TARGET_PRAGMA +# elif defined(__GNUC__) +# if __GNUC__ < 6 /* TODO: check sha256 compatible for GCC */ +# error "A more recent GCC is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*" +# else +# pragma GCC target ("arch=armv8-a+crypto") +# endif +# else +# error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_A64_CRYPTO_*" +# endif # endif /* *INDENT-ON* */ # include diff --git a/library/sha512.c b/library/sha512.c index 767857f344..fec974a36b 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -58,29 +58,41 @@ * Clang == 13.0.0 same as clang 12 (only seen on macOS) * Clang >= 13.0.1 has __ARM_FEATURE_SHA512 and intrinsics */ -#if !defined(__ARM_FEATURE_SHA512) - /* Test Clang first, as it defines __GNUC__ */ -# if defined(__clang__) -# if __clang_major__ < 7 -# error "A more recent Clang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" -# elif __clang_major__ < 13 || \ - (__clang_major__ == 13 && __clang_minor__ == 0 && __clang_patchlevel__ == 0) - /* We implement the intrinsics with inline assembler, so don't error */ -# else -# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_A64_CRYPTO_*" +# if !defined(__ARM_FEATURE_SHA512) + /* Test Clang first, as it defines __GNUC__ */ +# if defined(__clang__) +# if __clang_major__ < 7 +# error "A more recent Clang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" +# elif __clang_major__ < 13 || \ + (__clang_major__ == 13 && __clang_minor__ == 0 && \ + __clang_patchlevel__ == 0) + /* We implement the intrinsics with inline assembler, so don't error */ +# else +# if __clang_major__ < 18 + /* TODO: Re-consider above after https://reviews.llvm.org/D131064 + * merged. + * + * The intrinsic declaration are guarded with ACLE predefined macros + * in clang, and those macros are only enabled with command line. + * Define the macros can enable those declaration and avoid compile + * error on it. + */ +# define __ARM_FEATURE_SHA512 1 +# endif +# pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function) +# define MBEDTLS_POP_TARGET_PRAGMA +# endif +# elif defined(__GNUC__) +# if __GNUC__ < 8 +# error "A more recent GCC is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" +# else +# pragma GCC target ("arch=armv8.2-a+sha3") +# endif +# else +# error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_A64_CRYPTO_*" +# endif # endif -# elif defined(__GNUC__) -# if __GNUC__ < 8 -# error "A more recent GCC is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" -# else -# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_A64_CRYPTO_*" -# endif -# else -# error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_A64_CRYPTO_*" -# endif -#endif /* *INDENT-ON* */ - # include # endif # if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) From 10f41444a0d4c8d665d98200ffeaf07e3d47abfe Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Wed, 15 Feb 2023 16:58:09 +0800 Subject: [PATCH 055/250] Fix CI failure Signed-off-by: Pengyu Lv --- scripts/code_style.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/code_style.py b/scripts/code_style.py index e40a20cfc3..c31fb2949f 100755 --- a/scripts/code_style.py +++ b/scripts/code_style.py @@ -202,7 +202,7 @@ def main() -> int: if skip_src_files: print_skip(skip_src_files) else: - src_files = covered + src_files = list(covered) if args.fix: # Fix mode From 72082dc28e416fde9fa53d3e27582ba9f78453ee Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 6 Feb 2023 10:49:46 +0100 Subject: [PATCH 056/250] Improve tests/scripts/depends.py code As suggested by gilles-peskine-arm. Co-authored-by: Gilles Peskine Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 2f0fbc219b..3e8a2b0e63 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -151,13 +151,12 @@ which will make a symbol defined with a certain value.""" if value is False: log_command(['config.py', 'unset', option]) conf.unset(option) + elif value is True: + log_command(['config.py', 'set', option]) + conf.set(option) else: - if value is True: - log_command(['config.py', 'set', option]) - conf.set(option) - else: - log_command(['config.py', 'set', option, value]) - conf.set(option, value) + log_command(['config.py', 'set', option, value]) + conf.set(option, value) return True def set_reference_config(conf, options, colors): From f01de145bd5fdb2e843bab427f45a566d358b225 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Tue, 14 Feb 2023 17:29:16 +0000 Subject: [PATCH 057/250] Add tests for mbedtls_oid_get_numeric_string() Signed-off-by: David Horstmann --- tests/suites/test_suite_oid.data | 24 ++++++++++++++++++++++++ tests/suites/test_suite_oid.function | 21 +++++++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/tests/suites/test_suite_oid.data b/tests/suites/test_suite_oid.data index 1738841d59..18b019a05b 100644 --- a/tests/suites/test_suite_oid.data +++ b/tests/suites/test_suite_oid.data @@ -89,3 +89,27 @@ oid_get_md_alg_id:"2b24030201":MBEDTLS_MD_RIPEMD160 OID hash id - invalid oid oid_get_md_alg_id:"2B864886f70d0204":-1 +OID get numeric string - hardware module name +oid_get_numeric_string:"2B06010505070804":0:"1.3.6.1.5.5.7.8.4" + +OID get numeric string - multi-byte subidentifier +oid_get_numeric_string:"29903C":0:"1.1.2108" + +OID get numeric string - second component greater than 39 +oid_get_numeric_string:"81010000863A00":0:"2.49.0.0.826.0" + +OID get numeric string - multi-byte first subidentifier +oid_get_numeric_string:"8837":0:"2.999" + +OID get numeric string - empty oid buffer +oid_get_numeric_string:"":MBEDTLS_ERR_OID_BUF_TOO_SMALL:"" + +OID get numeric string - no final / all bytes have top bit set +oid_get_numeric_string:"818181":MBEDTLS_ERR_OID_BUF_TOO_SMALL:"" + +# Encodes the number 0x0400000000 as a subidentifier which overflows 32-bits +OID get numeric string - 32-bit overflow +oid_get_numeric_string:"C080808000":MBEDTLS_ERR_OID_BUF_TOO_SMALL:"" + +OID get numeric string - 32-bit overflow, second subidentifier +oid_get_numeric_string:"2BC080808000":MBEDTLS_ERR_OID_BUF_TOO_SMALL:"" diff --git a/tests/suites/test_suite_oid.function b/tests/suites/test_suite_oid.function index 687b2168a7..3004b65fe1 100644 --- a/tests/suites/test_suite_oid.function +++ b/tests/suites/test_suite_oid.function @@ -96,3 +96,24 @@ void oid_get_md_alg_id(data_t *oid, int exp_md_id) } } /* END_CASE */ + +/* BEGIN_CASE */ +void oid_get_numeric_string(data_t *oid, int error_ret, char *result_str) +{ + char buf[256]; + mbedtls_asn1_buf input_oid = { 0, 0, NULL }; + int ret; + + input_oid.tag = MBEDTLS_ASN1_OID; + input_oid.p = oid->x; + input_oid.len = oid->len; + + ret = mbedtls_oid_get_numeric_string(buf, sizeof(buf), &input_oid); + + if (error_ret == 0) { + TEST_ASSERT(strcmp(buf, result_str) == 0); + } else { + TEST_EQUAL(ret, error_ret); + } +} +/* END_CASE */ From 9c1887c4c7baaa388cf561c11ed32ed07935aa77 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 15 Feb 2023 11:48:13 +0000 Subject: [PATCH 058/250] Disallow overlong encoding when parsing OIDs OID subidentifiers are encoded as follow. For every byte: * The top bit is 1 if there is another byte to come, 0 if this is the last byte. * The other 7 bits form 7 bits of the number. These groups of 7 are concatenated together in big-endian order. Overlong encodings are explicitly disallowed by the BER/DER/X690 specification. For example, the number 1 cannot be encoded as: 0x80 0x80 0x01 It must be encoded as: 0x01 Enforce this in Mbed TLS' OID DER-to-string parser. Signed-off-by: David Horstmann --- library/oid.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/library/oid.c b/library/oid.c index 5668e2aa56..17d3e093a4 100644 --- a/library/oid.c +++ b/library/oid.c @@ -837,6 +837,11 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size, /* First subidentifier contains first two OID components */ i = 0; value = 0; + if ((oid->p[0]) == 0x80) { + /* Overlong encoding is not allowed */ + return MBEDTLS_ERR_OID_BUF_TOO_SMALL; + } + while (i < oid->len && ((oid->p[i] & 0x80) != 0)) { /* Prevent overflow in value. */ if (((value << 7) >> 7) != value) { @@ -871,6 +876,10 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size, if (((value << 7) >> 7) != value) { return MBEDTLS_ERR_OID_BUF_TOO_SMALL; } + if ((value == 0) && ((oid->p[i]) == 0x80)) { + /* Overlong encoding is not allowed */ + return MBEDTLS_ERR_OID_BUF_TOO_SMALL; + } value <<= 7; value += oid->p[i] & 0x7F; From 895eb7c9b5eb58a2c86650ed6834f9146b214695 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 15 Feb 2023 11:58:40 +0000 Subject: [PATCH 059/250] Add testcases for overlong encoding of OIDs Signed-off-by: David Horstmann --- tests/suites/test_suite_oid.data | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/suites/test_suite_oid.data b/tests/suites/test_suite_oid.data index 18b019a05b..f4801c4260 100644 --- a/tests/suites/test_suite_oid.data +++ b/tests/suites/test_suite_oid.data @@ -113,3 +113,9 @@ oid_get_numeric_string:"C080808000":MBEDTLS_ERR_OID_BUF_TOO_SMALL:"" OID get numeric string - 32-bit overflow, second subidentifier oid_get_numeric_string:"2BC080808000":MBEDTLS_ERR_OID_BUF_TOO_SMALL:"" + +OID get numeric string - overlong encoding +oid_get_numeric_string:"8001":MBEDTLS_ERR_OID_BUF_TOO_SMALL:"" + +OID get numeric string - overlong encoding, second subidentifier +oid_get_numeric_string:"2B8001":MBEDTLS_ERR_OID_BUF_TOO_SMALL:"" From 1265f004941967cbf5cfba0d14d3cb4f63f7d3a1 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 9 Sep 2022 17:15:43 +0100 Subject: [PATCH 060/250] First draft of PSA interruptible ECC signing design Signed-off-by: Paul Elliott --- include/psa/crypto.h | 606 ++++++++++++++++++++++++++++++++++++ include/psa/crypto_struct.h | 42 +++ include/psa/crypto_values.h | 21 ++ 3 files changed, 669 insertions(+) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 2b9b2a27e8..482b58288e 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4045,6 +4045,612 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, /**@}*/ +/** \defgroup interruptible_hash Interruptible sign/verify hash + * @{ + */ + +/** The type of the state data structure for interruptible hash + * signing operations. + * + * Before calling any function on a sign hash operation object, the + * application must initialize it by any of the following means: + * - Set the structure to all-bits-zero, for example: + * \code + * psa_sign_hash_interruptible_operation_t operation; + * memset(&operation, 0, sizeof(operation)); + * \endcode + * - Initialize the structure to logical zero values, for example: + * \code + * psa_sign_hash_interruptible_operation_t operation = {0}; + * \endcode + * - Initialize the structure to the initializer + * #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: + * \code + * psa_sign_hash_interruptible_operation_t operation = + * PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT; + * \endcode + * - Assign the result of the function + * psa_sign_hash_interruptible_operation_init() to the structure, for + * example: + * \code + * psa_sign_hash_interruptible_operation_t operation; + * operation = psa_sign_hash_interruptible_operation_init(); + * \endcode + * + * This is an implementation-defined \c struct. Applications should not + * make any assumptions about the content of this structure. + * Implementation details can change in future versions without notice. */ +typedef struct psa_sign_hash_interruptible_operation_s psa_sign_hash_interruptible_operation_t; + +/** The type of the state data structure for interruptible hash + * verification operations. + * + * Before calling any function on a sign hash operation object, the + * application must initialize it by any of the following means: + * - Set the structure to all-bits-zero, for example: + * \code + * psa_verify_hash_interruptible_operation_t operation; + * memset(&operation, 0, sizeof(operation)); + * \endcode + * - Initialize the structure to logical zero values, for example: + * \code + * psa_verify_hash_interruptible_operation_t operation = {0}; + * \endcode + * - Initialize the structure to the initializer + * #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example: + * \code + * psa_verify_hash_interruptible_operation_t operation = + * PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT; + * \endcode + * - Assign the result of the function + * psa_verify_hash_interruptible_operation_init() to the structure, for + * example: + * \code + * psa_verify_hash_interruptible_operation_t operation; + * operation = psa_verify_hash_interruptible_operation_init(); + * \endcode + * + * This is an implementation-defined \c struct. Applications should not + * make any assumptions about the content of this structure. + * Implementation details can change in future versions without notice. */ +typedef struct psa_verify_hash_interruptible_operation_s psa_verify_hash_interruptible_operation_t; + +/** + * \brief Set the maximum number of ops allowed to be + * executed by an interruptible function in a + * single call. + * + * \warning This is a beta API, and thus subject to change + * at any point. It is not bound by the usual + * interface stability promises. + * + * \note The time taken to execute a single op is + * implementation specific and depends on + * software, hardware, the algorithm, key type and + * curve chosen. Even within a single operation, + * successive ops can take differing amounts of + * time. The only guarantee is that lower values + * for \p max_ops means functions will block for a + * lesser maximum amount of time. The functions + * \c psa_sign_interruptible_get_num_ops() and + * \c psa_verify_interruptible_get_num_ops() are + * provided to help with tuning this value. + * + * \note This value defaults to + * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which + * means the whole operation will be done in one + * go, regardless of the number of ops required. + * + * \note If more ops are needed to complete a + * computation, #PSA_OPERATION_INCOMPLETE will be + * returned by the function performing the + * computation. It is then the caller's + * responsibility to either call again with the + * same operation context until it returns 0 or an + * error code; or to call the relevant abort + * function if the answer is no longer required. + * + * \note The interpretation of \p max_ops is also + * implementation defined. On a hard real time + * system, this can indicate a hard deadline, as a + * real-time system needs a guarantee of not + * spending more than X time, however care must be + * taken in such an implementation to avoid the + * situation whereby calls just return, not being + * able to do any actual work within the allotted + * time. On a non-real-time system, the + * implementation can be more relaxed, but again + * whether this number should be interpreted as as + * hard or soft limit or even whether a less than + * or equals as regards to ops executed in a + * single call is implementation defined. + * + * \warning With implementations that interpret this number + * as a hard limit, setting this number too small + * may result in an infinite loop, whereby each + * call results in immediate return with no ops + * done (as there is not enough time to execute + * any), and thus no result will ever be achieved. + * + * \note This only applies to functions whose + * documentation mentions they may return + * #PSA_OPERATION_INCOMPLETE. + * + * \param max_ops The maximum number of ops to be executed in a + * single call. This can be a number from 0 to + * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0 + * is the least amount of work done per call. + */ +void psa_interruptible_set_max_ops(uint32_t max_ops); + +/** + * \brief Get the maximum number of ops allowed to be + * executed by an interruptible function in a + * single call. This will return the last + * value set by + * \c psa_interruptible_set_max_ops() or + * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if + * that function has never been called. + * + * \warning This is a beta API, and thus subject to change + * at any point. It is not bound by the usual + * interface stability promises. + * + * \return Maximum number of ops allowed to be + * executed by an interruptible function in a + * single call. + */ +uint32_t psa_interruptible_get_max_ops(void); + +/** + * \brief Get the number of ops that a hash signing + * operation has taken so far. If the operation + * has completed, then this will represent the + * number of ops required for the entire + * operation. After initialization or calling + * \c psa_sign_hash_interruptible_abort() on + * the operation, a value of 0 will be returned. + * + * \warning This is a beta API, and thus subject to change + * at any point. It is not bound by the usual + * interface stability promises. + * + * This is a helper provided to help you tune the + * value passed to \c + * psa_interruptible_set_max_ops(). + * + * \param operation The \c psa_sign_hash_interruptible_operation_t + * to use. This must be initialized first. + * + * \return Number of ops that the operation has taken so + * far. + */ +uint32_t psa_sign_hash_get_num_ops( + const psa_sign_hash_interruptible_operation_t *operation); + +/** + * \brief Get the number of ops that a hash verification + * operation has taken so far. If the operation + * has completed, then this will represent the + * number of ops required for the entire + * operation. After initialization or calling \c + * psa_verify_hash_interruptible_abort() on the + * operation, a value of 0 will be returned. + * + * \warning This is a beta API, and thus subject to change + * at any point. It is not bound by the usual + * interface stability promises. + * + * This is a helper provided to help you tune the + * value passed to \c + * psa_interruptible_set_max_ops(). + * + * \param operation The \c + * psa_verify_hash_interruptible_operation_t to + * use. This must be initialized first. + * + * \return Number of ops that the operation has taken so + * far. + */ +uint32_t psa_verify_hash_get_num_ops( + const psa_verify_hash_interruptible_operation_t *operation); + +/** + * \brief Start signing a hash or short message with a + * private key, in an interruptible manner. + * + * \see \c psa_sign_hash_complete() + * + * \warning This is a beta API, and thus subject to change + * at any point. It is not bound by the usual + * interface stability promises. + * + * \note This function combined with \c + * psa_sign_hash_complete() is equivalent to + * \c psa_sign_hash() but + * \c psa_sign_hash_complete() can return early and + * resume according to the limit set with \c + * psa_interruptible_set_max_ops() to reduce the + * maximum time spent in a function call. + * + * \note Users should call \c psa_sign_hash_complete() + * repeatedly on the same context after a + * successful call to this function until \c + * psa_sign_hash_complete() either returns 0 or an + * error. \c psa_sign_hash_complete() will return + * #PSA_OPERATION_INCOMPLETE if there is more work + * to do. Alternatively users can call + * \c psa_sign_hash_abort() at any point if they no + * longer want the result. + * + * \note If this function returns an error status, the + * operation enters an error state and must be + * aborted by calling \c psa_sign_hash_abort(). + * + * \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t + * to use. This must be initialized first. + * + * \param key Identifier of the key to use for the operation. + * It must be an asymmetric key pair. The key must + * allow the usage #PSA_KEY_USAGE_SIGN_HASH. + * \param alg A signature algorithm (\c PSA_ALG_XXX + * value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + * is true), that is compatible with + * the type of \p key. + * \param[in] hash The hash or message to sign. + * \param hash_length Size of the \p hash buffer in bytes. + * + * \retval #PSA_SUCCESS + * The operation started successfully - call \c psa_sign_hash_complete() + * with the same context to complete the operation + * + * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_ERROR_NOT_PERMITTED + * The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does + * not permit the requested algorithm. + * \retval #PSA_ERROR_BAD_STATE + * An operation has previously been started on this context, and is + * still in progress. + * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_DATA_CORRUPT + * \retval #PSA_ERROR_DATA_INVALID + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_sign_hash_start( + psa_sign_hash_interruptible_operation_t *operation, + mbedtls_svc_key_id_t key, psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length); + +/** + * \brief Continue and eventually complete the action of + * signing a hash or short message with a private + * key, in an interruptible manner. + * + * \see \c psa_sign_hash_start() + * + * \warning This is a beta API, and thus subject to change + * at any point. It is not bound by the usual + * interface stability promises. + * + * \note This function combined with \c + * psa_sign_hash_start() is equivalent to + * \c psa_sign_hash() but this function can return + * early and resume according to the limit set with + * \c psa_interruptible_set_max_ops() to reduce the + * maximum time spent in a function call. + * + * \note Users should call this function on the same + * operation object repeatedly until it either + * returns 0 or an error. This function will return + * #PSA_OPERATION_INCOMPLETE if there is more work + * to do. Alternatively users can call + * \c psa_sign_hash_abort() at any point if they no + * longer want the result. + * + * \note When this function returns successfully, the + * operation becomes inactive. If this function + * returns an error status, the operation enters an + * error state and must be aborted by calling + * \c psa_sign_hash_abort(). + * + * \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t + * to use. This must be initialized first, and have + * had \c psa_sign_hash_start() called with it + * first. + * + * \param[out] signature Buffer where the signature is to be written. + * \param signature_size Size of the \p signature buffer in bytes. This + * must be appropriate for the selected + * algorithm and key: + * - The required signature size is + * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c + * key_bits, \c alg) where \c key_type and \c + * key_bits are the type and bit-size + * respectively of key. + * - #PSA_SIGNATURE_MAX_SIZE evaluates to the + * maximum signature size of any supported + * signature algorithm. + * \param[out] signature_length On success, the number of bytes that make up + * the returned signature value. + * + * \retval #PSA_SUCCESS + * Operation completed successfully + * + * \retval #PSA_OPERATION_INCOMPLETE + * Operation was interrupted due to the setting of \c + * psa_interruptible_set_max_ops(). There is still work to be done. + * Call this function again with the same operation object. + * + * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * The size of the \p signature buffer is too small. You can + * determine a sufficient buffer size by calling + * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + * where \c key_type and \c key_bits are the type and bit-size + * respectively of \p key. + * + * \retval #PSA_ERROR_BAD_STATE + * An operation was not previously started on this context via + * \c psa_sign_hash_start(). + * + * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_DATA_CORRUPT + * \retval #PSA_ERROR_DATA_INVALID + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + * \retval #PSA_ERROR_BAD_STATE + * The library has either not been previously initialized by + * psa_crypto_init() or you did not previously call + * psa_sign_hash_start() with this operation object. It is + * implementation-dependent whether a failure to initialize results in + * this error code. + */ +psa_status_t psa_sign_hash_complete( + psa_sign_hash_interruptible_operation_t *operation, + uint8_t *signature, size_t signature_size, + size_t *signature_length); + +/** + * \brief Abort a sign hash operation. + * + * \warning This is a beta API, and thus subject to change + * at any point. It is not bound by the usual + * interface stability promises. + + * \note Aborting an operation frees all associated + * resources except for the \p operation structure + * itself. Once aborted, the operation object can + * be reused for another operation by calling \c + * psa_sign_hash_start() again. + * + * \note You may call this function any time after the + * operation object has been initialized. In + * particular, calling \c psa_sign_hash_abort() + * after the operation has already been terminated + * by a call to \c psa_sign_hash_abort() or + * psa_sign_hash_complete() is safe and has no + * effect. + * + * \param[in,out] operation Initialized sign hash operation. + * + * \retval #PSA_SUCCESS + * The operation was aborted successfully. + * + * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_sign_hash_abort( + psa_sign_hash_interruptible_operation_t *operation); + +/** + * \brief Start reading and verifying a hash or short + * message, in an interruptible manner. + * + * \see \c psa_verify_hash_complete() + * + * \warning This is a beta API, and thus subject to change + * at any point. It is not bound by the usual + * interface stability promises. + * + * \note This function combined with \c + * psa_verify_hash_complete() is equivalent to + * \c psa_verify_hash() but \c + * psa_verify_hash_complete() can return early and + * resume according to the limit set with \c + * psa_interruptible_set_max_ops() to reduce the + * maximum time spent in a function. + * + * \note Users should call \c psa_verify_hash_complete() + * repeatedly on the same operation object after a + * successful call to this function until \c + * psa_verify_hash_complete() either returns 0 or + * an error. \c psa_verify_hash_complete() will + * return #PSA_OPERATION_INCOMPLETE if there is + * more work to do. Alternatively users can call + * \c psa_verify_hash_abort() at any point if they + * no longer want the result. + * + * \note If this function returns an error status, the + * operation enters an error state and must be + * aborted by calling \c psa_verify_hash_abort(). + * + * \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t + * to use. This must be initialized first. + * + * \param key Identifier of the key to use for the operation. + * The key must allow the usage + * #PSA_KEY_USAGE_VERIFY_HASH. + * \param alg A signature algorithm (\c PSA_ALG_XXX + * value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + * is true), that is compatible with + * the type of \p key. + * \param[in] hash The hash whose signature is to be verified. + * \param hash_length Size of the \p hash buffer in bytes. + * \param[in] signature Buffer containing the signature to verify. + * \param signature_length Size of the \p signature buffer in bytes. + * + * \retval #PSA_SUCCESS + * The operation started successfully - please call \c + * psa_verify_hash_complete() with the same context to complete the + * operation. + * + * \retval #PSA_ERROR_BAD_STATE + * Another operation has already been started on this context, and is + * still in progress. + * + * \retval #PSA_ERROR_NOT_PERMITTED + * The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does + * not permit the requested algorithm. + * + * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval PSA_ERROR_DATA_CORRUPT + * \retval PSA_ERROR_DATA_INVALID + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_verify_hash_start( + psa_verify_hash_interruptible_operation_t *operation, + mbedtls_svc_key_id_t key, psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length, + const uint8_t *signature, size_t signature_length); + +/** + * \brief Continue and eventually complete the action of + * reading and verifying a hash or short message + * signed with a private key, in an interruptible + * manner. + * + * \see \c psa_verify_hash_start() + * + * \warning This is a beta API, and thus subject to change + * at any point. It is not bound by the usual + * interface stability promises. + * + * \note This function combined with \c + * psa_verify_hash_start() is equivalent to + * \c psa_verify_hash() but this function can + * return early and resume according to the limit + * set with \c psa_interruptible_set_max_ops() to + * reduce the maximum time spent in a function + * call. + * + * \note Users should call this function on the same + * operation object repeatedly until it either + * returns 0 or an error. This function will return + * #PSA_OPERATION_INCOMPLETE if there is more work + * to do. Alternatively users can call + * \c psa_verify_hash_abort() at any point if they + * no longer want the result. + * + * \note When this function returns successfully, the + * operation becomes inactive. If this function + * returns an error status, the operation enters an + * error state and must be aborted by calling + * \c psa_verify_hash_abort(). + * + * \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t + * to use. This must be initialized first, and have + * had \c psa_verify_hash_start() called with it + * first. + * + * \retval #PSA_SUCCESS + * Operation completed successfully, and the passed signature is valid. + * + * \retval #PSA_OPERATION_INCOMPLETE + * Operation was interrupted due to the setting of \c + * psa_interruptible_set_max_ops(). There is still work to be done. + * Call this function again with the same operation object. + * + * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_ERROR_INVALID_SIGNATURE + * The calculation was performed successfully, but the passed + * signature is not a valid signature. + *\retval #PSA_ERROR_BAD_STATE + * An operation was not previously started on this context via + * \c psa_verify_hash_start(). + * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_DATA_CORRUPT + * \retval #PSA_ERROR_DATA_INVALID + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + * \retval #PSA_ERROR_BAD_STATE + * The library has either not been previously initialized by + * psa_crypto_init() or you did not previously call + * psa_verify_hash_start() on this object. It is + * implementation-dependent whether a failure to initialize results in + * this error code. + */ +psa_status_t psa_verify_hash_complete( + psa_verify_hash_interruptible_operation_t *operation); + +/** + * \brief Abort a verify hash operation. + * + * \warning This is a beta API, and thus subject to change at + * any point. It is not bound by the usual interface + * stability promises. + * + * \note Aborting an operation frees all associated + * resources except for the operation structure + * itself. Once aborted, the operation object can be + * reused for another operation by calling \c + * psa_verify_hash_start() again. + * + * \note You may call this function any time after the + * operation object has been initialized. + * In particular, calling \c psa_verify_hash_abort() + * after the operation has already been terminated by + * a call to \c psa_verify_hash_abort() or + * psa_verify_hash_complete() is safe and has no + * effect. + * + * \param[in,out] operation Initialized verify hash operation. + * + * \retval #PSA_SUCCESS + * The operation was aborted successfully. + * + * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_verify_hash_abort( + psa_verify_hash_interruptible_operation_t *operation); + + +/**@}*/ + #ifdef __cplusplus } #endif diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 7a6caa2ed6..ff49eb962f 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -491,6 +491,48 @@ static inline size_t psa_get_key_bits( return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits); } +/** + * \brief The context for PSA interruptible hash signing. + * + * \note Contents not yet designed as implementation specific. + * + */ +struct psa_sign_hash_interruptible_operation_s { + size_t MBEDTLS_PRIVATE(num_ops); +}; + +#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 } + +static inline struct psa_sign_hash_interruptible_operation_s +psa_sign_hash_interruptible_operation_init(void) +{ + const struct psa_sign_hash_interruptible_operation_s v = + PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT; + + return v; +} + +/** + * \brief The context for PSA interruptible hash verification. + * + * \note Contents not yet designed as implementation specific. + * + */ +struct psa_verify_hash_interruptible_operation_s { + size_t MBEDTLS_PRIVATE(num_ops); +}; + +#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 } + +static inline struct psa_verify_hash_interruptible_operation_s +psa_verify_hash_interruptible_operation_init(void) +{ + const struct psa_verify_hash_interruptible_operation_s v = + PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT; + + return v; +} + #ifdef __cplusplus } #endif diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index ee95745ade..07e96f70ba 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -335,6 +335,13 @@ */ #define PSA_ERROR_DATA_INVALID ((psa_status_t)-153) +/** The function that returns this status is defined as interruptible and + * still has work to do, thus the user should call the function again with the + * same operation context until it either returns #PSA_SUCCESS or any other + * error. This is not an error per se, more a notification of status. + */ +#define PSA_OPERATION_INCOMPLETE ((psa_status_t)-248) + /* *INDENT-ON* */ /**@}*/ @@ -2739,4 +2746,18 @@ static inline int mbedtls_svc_key_id_is_null(mbedtls_svc_key_id_t key) /**@}*/ +/**@}*/ + +/** \defgroup interruptible Interruptible operations + * @{ + */ + +/** Maximum value for use with \c psa_interruptible_set_max_ops() to determine + * the maximum number of ops allowed to be executed by an interruptible + * function in a single call. + */ +#define PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED INT32_MAX + +/**@}*/ + #endif /* PSA_CRYPTO_VALUES_H */ From 2d247923e58ce51959db45b3fa6c66c4810b34c0 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 29 Nov 2022 14:54:44 +0000 Subject: [PATCH 061/250] Initial empty driver wrapper implementation Signed-off-by: Paul Elliott --- include/psa/crypto_struct.h | 20 +- library/psa_crypto_driver_wrappers.h | 41 +++ .../psa_crypto_driver_wrappers.c.jinja | 236 ++++++++++++++++++ 3 files changed, 295 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index ff49eb962f..bd20937e5b 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -498,10 +498,18 @@ static inline size_t psa_get_key_bits( * */ struct psa_sign_hash_interruptible_operation_s { + /** Unique ID indicating which driver got assigned to do the + * operation. Since driver contexts are driver-specific, swapping + * drivers halfway through the operation is not supported. + * ID values are auto-generated in psa_crypto_driver_wrappers.h + * ID value zero means the context is not valid or not assigned to + * any driver (i.e. none of the driver contexts are active). */ + unsigned int MBEDTLS_PRIVATE(id); + size_t MBEDTLS_PRIVATE(num_ops); }; -#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 } +#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, 0 } static inline struct psa_sign_hash_interruptible_operation_s psa_sign_hash_interruptible_operation_init(void) @@ -519,10 +527,18 @@ psa_sign_hash_interruptible_operation_init(void) * */ struct psa_verify_hash_interruptible_operation_s { + /** Unique ID indicating which driver got assigned to do the + * operation. Since driver contexts are driver-specific, swapping + * drivers halfway through the operation is not supported. + * ID values are auto-generated in psa_crypto_driver_wrappers.h + * ID value zero means the context is not valid or not assigned to + * any driver (i.e. none of the driver contexts are active). */ + unsigned int MBEDTLS_PRIVATE(id); + size_t MBEDTLS_PRIVATE(num_ops); }; -#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 } +#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, 0 } static inline struct psa_verify_hash_interruptible_operation_s psa_verify_hash_interruptible_operation_init(void) diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index da3cd1d5d6..26df088352 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -66,6 +66,47 @@ psa_status_t psa_driver_wrapper_verify_hash( psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, const uint8_t *signature, size_t signature_length); +/* + * Interruptible Signature functions + */ + +void psa_driver_wrapper_interruptible_set_max_ops(uint32_t max_ops); + +uint32_t psa_driver_wrapper_interruptible_get_max_ops(void); + +uint32_t psa_driver_wrapper_sign_hash_get_num_ops( + const psa_sign_hash_interruptible_operation_t *operation); + +uint32_t psa_driver_wrapper_verify_hash_get_num_ops( + const psa_verify_hash_interruptible_operation_t *operation); + +psa_status_t psa_driver_wrapper_sign_hash_start( + psa_sign_hash_interruptible_operation_t *operation, + const psa_key_attributes_t *attributes, const uint8_t *key_buffer, + size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length); + +psa_status_t psa_driver_wrapper_sign_hash_complete( + psa_sign_hash_interruptible_operation_t *operation, + uint8_t *signature, size_t signature_size, + size_t *signature_length); + +psa_status_t psa_driver_wrapper_sign_hash_abort( + psa_sign_hash_interruptible_operation_t *operation); + +psa_status_t psa_driver_wrapper_verify_hash_start( + psa_verify_hash_interruptible_operation_t *operation, + const psa_key_attributes_t *attributes, const uint8_t *key_buffer, + size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length, + const uint8_t *signature, size_t signature_length); + +psa_status_t psa_driver_wrapper_verify_hash_complete( + psa_verify_hash_interruptible_operation_t *operation); + +psa_status_t psa_driver_wrapper_verify_hash_abort( + psa_verify_hash_interruptible_operation_t *operation); + /* * Key handling functions */ diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index bdf331516c..e1f7b1fe8c 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -433,6 +433,242 @@ psa_status_t psa_driver_wrapper_verify_hash( } } +void psa_driver_wrapper_interruptible_set_max_ops( uint32_t max_ops ) +{ + ( void ) max_ops; +} + +uint32_t psa_driver_wrapper_interruptible_get_max_ops( void ) +{ + return( PSA_ERROR_INVALID_ARGUMENT ); +} + +uint32_t psa_driver_wrapper_sign_hash_get_num_ops( + const psa_sign_hash_interruptible_operation_t *operation ) +{ + switch( operation->id ) + { + case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: + + /* Add cases for opaque driver here */ + +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + } + + return( PSA_ERROR_INVALID_ARGUMENT ); +} + +uint32_t psa_driver_wrapper_verify_hash_get_num_ops( + const psa_verify_hash_interruptible_operation_t *operation ) +{ + switch( operation->id ) + { + case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: + + /* Add cases for opaque driver here */ + +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + } + + return( PSA_ERROR_INVALID_ARGUMENT ); +} + +psa_status_t psa_driver_wrapper_sign_hash_start( + psa_sign_hash_interruptible_operation_t *operation, + const psa_key_attributes_t *attributes, const uint8_t *key_buffer, + size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length ) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_key_location_t location = + PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + + switch( location ) + { + case PSA_KEY_LOCATION_LOCAL_STORAGE: + /* Key is stored in the slot in export representation, so + * cycle through all known transparent accelerators */ + +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + + /* Add test driver tests here */ + + /* Declared with fallback == true */ + +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + + /* Fell through, meaning no accelerator supports this operation */ + operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID; + break; + + /* Add cases for opaque driver here */ + + default: + /* Key is declared with a lifetime not known to us */ + ( void ) status; + return( PSA_ERROR_INVALID_ARGUMENT ); + } + + ( void ) operation; + ( void ) key_buffer; + ( void ) key_buffer_size; + ( void ) alg; + ( void ) hash; + ( void ) hash_length; + + return( status ); +} + +psa_status_t psa_driver_wrapper_sign_hash_complete( + psa_sign_hash_interruptible_operation_t *operation, + uint8_t *signature, size_t signature_size, + size_t *signature_length ) +{ + switch( operation->id ) + { + case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: + + /* Add cases for opaque driver here */ + +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + } + + ( void ) signature; + ( void ) signature_size; + ( void ) signature_length; + + return( PSA_ERROR_INVALID_ARGUMENT ); +} + +psa_status_t psa_driver_wrapper_sign_hash_abort( + psa_sign_hash_interruptible_operation_t *operation ) +{ + switch( operation->id ) + { + case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: + + /* Add cases for opaque driver here */ + +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + } + + return( PSA_ERROR_INVALID_ARGUMENT ); +} + +psa_status_t psa_driver_wrapper_verify_hash_start( + psa_verify_hash_interruptible_operation_t *operation, + const psa_key_attributes_t *attributes, const uint8_t *key_buffer, + size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length, + const uint8_t *signature, size_t signature_length ) +{ + + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_key_location_t location = + PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + + switch( location ) + { + case PSA_KEY_LOCATION_LOCAL_STORAGE: + /* Key is stored in the slot in export representation, so + * cycle through all known transparent accelerators */ + +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + + /* Add test driver tests here */ + + /* Declared with fallback == true */ + +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + + /* Fell through, meaning no accelerator supports this operation */ + operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID; + break; + + /* Add cases for opaque driver here */ + + default: + /* Key is declared with a lifetime not known to us */ + ( void ) status; + return( PSA_ERROR_INVALID_ARGUMENT ); + } + + ( void ) operation; + ( void ) key_buffer; + ( void ) key_buffer_size; + ( void ) alg; + ( void ) hash; + ( void ) hash_length; + ( void ) signature; + ( void ) signature_length; + + return( status ); +} + +psa_status_t psa_driver_wrapper_verify_hash_complete( + psa_verify_hash_interruptible_operation_t *operation ) +{ + switch( operation->id ) + { + case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: + + /* Add cases for opaque driver here */ + +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + } + + return( PSA_ERROR_INVALID_ARGUMENT ); +} + +psa_status_t psa_driver_wrapper_verify_hash_abort( + psa_verify_hash_interruptible_operation_t *operation ) +{ + switch( operation->id ) + { + case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: + + /* Add cases for opaque driver here */ + +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + } + + return( PSA_ERROR_INVALID_ARGUMENT ); +} + /** Calculate the key buffer size required to store the key material of a key * associated with an opaque driver from input key data. * From 9fe12f666b9a37de13228fa22427cf17989f2ddf Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 30 Nov 2022 19:16:02 +0000 Subject: [PATCH 062/250] PSA level initial implementation Signed-off-by: Paul Elliott --- library/psa_crypto.c | 236 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 236 insertions(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a683fdb8f7..a21f6d9639 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3124,6 +3124,242 @@ exit: return (status == PSA_SUCCESS) ? unlock_status : status; } +/****************************************************************/ +/* Asymmetric interruptible cryptography */ +/****************************************************************/ + +void psa_interruptible_set_max_ops(uint32_t max_ops) +{ + psa_driver_wrapper_interruptible_set_max_ops(max_ops); +} + +uint32_t psa_interruptible_get_max_ops(void) +{ + return psa_driver_wrapper_interruptible_get_max_ops(); +} + + +uint32_t psa_sign_hash_get_num_ops( + const psa_sign_hash_interruptible_operation_t *operation) +{ + return psa_driver_wrapper_sign_hash_get_num_ops(operation); +} + +uint32_t psa_verify_hash_get_num_ops( + const psa_verify_hash_interruptible_operation_t *operation) +{ + return psa_driver_wrapper_verify_hash_get_num_ops(operation); +} + +psa_status_t psa_sign_hash_start( + psa_sign_hash_interruptible_operation_t *operation, + mbedtls_svc_key_id_t key, psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; + psa_key_slot_t *slot; + + /* Check that start has not been previously called. */ + if (operation->id != 0) { + return PSA_ERROR_BAD_STATE; + } + + + status = psa_sign_verify_check_alg(0, alg); + if (status != PSA_SUCCESS) { + return status; + } + + status = psa_get_and_lock_key_slot_with_policy(key, &slot, + PSA_KEY_USAGE_SIGN_HASH, + alg); + + if (status != PSA_SUCCESS) { + goto exit; + } + + if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) { + status = PSA_ERROR_INVALID_ARGUMENT; + goto exit; + } + + psa_key_attributes_t attributes = { + .core = slot->attr + }; + + status = psa_driver_wrapper_sign_hash_start(operation, &attributes, + slot->key.data, + slot->key.bytes, alg, + hash, hash_length); +exit: + + if (status != PSA_SUCCESS) { + psa_sign_hash_abort(operation); + } + + unlock_status = psa_unlock_key_slot(slot); + + return (status == PSA_SUCCESS) ? unlock_status : status; + +} + + +psa_status_t psa_sign_hash_complete( + psa_sign_hash_interruptible_operation_t *operation, + uint8_t *signature, size_t signature_size, + size_t *signature_length) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + *signature_length = 0; + + /* Check that start has been called first. */ + if (operation->id == 0) { + status = PSA_ERROR_BAD_STATE; + goto exit; + } + + /* Immediately reject a zero-length signature buffer. This guarantees + * that signature must be a valid pointer. (On the other hand, the input + * buffer can in principle be empty since it doesn't actually have + * to be a hash.) */ + if (signature_size == 0) { + status = PSA_ERROR_BUFFER_TOO_SMALL; + goto exit; + } + + status = psa_driver_wrapper_sign_hash_complete(operation, signature, + signature_size, + signature_length); +exit: + + if (status != PSA_OPERATION_INCOMPLETE) { + /* Fill the unused part of the output buffer (the whole buffer on error, + * the trailing part on success) with something that isn't a valid + * signature (barring an attack on the signature and + * deliberately-crafted input), in case the caller doesn't check the + * return status properly.*/ + if (status == PSA_SUCCESS) { + memset(signature + *signature_length, '!', + signature_size - *signature_length); + } else if (signature_size > 0) { + memset(signature, '!', signature_size); + } + /* If signature_size is 0 then we have nothing to do. We must not + * call memset because signature may be NULL in this case.*/ + + psa_sign_hash_abort(operation); + } + + return status; +} + +psa_status_t psa_sign_hash_abort( + psa_sign_hash_interruptible_operation_t *operation) +{ + if (operation->id == 0) { + /* The object has (apparently) been initialized but it is not (yet) + * in use. It's ok to call abort on such an object, and there's + * nothing to do. */ + return PSA_SUCCESS; + } + + psa_driver_wrapper_sign_hash_abort(operation); + + operation->id = 0; + + return PSA_SUCCESS; +} + +psa_status_t psa_verify_hash_start( + psa_verify_hash_interruptible_operation_t *operation, + mbedtls_svc_key_id_t key, psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length, + const uint8_t *signature, size_t signature_length) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; + psa_key_slot_t *slot; + + /* Check that start has not been previously called. */ + if (operation->id != 0) { + return PSA_ERROR_BAD_STATE; + } + + status = psa_sign_verify_check_alg(0, alg); + if (status != PSA_SUCCESS) { + return status; + } + + status = psa_get_and_lock_key_slot_with_policy(key, &slot, + PSA_KEY_USAGE_VERIFY_HASH, + alg); + + if (status != PSA_SUCCESS) { + return status; + } + + psa_key_attributes_t attributes = { + .core = slot->attr + }; + + status = psa_driver_wrapper_verify_hash_start(operation, &attributes, + slot->key.data, + slot->key.bytes, + alg, hash, hash_length, + signature, signature_length); + + if (status != PSA_SUCCESS) { + psa_verify_hash_abort(operation); + } + + unlock_status = psa_unlock_key_slot(slot); + + return (status == PSA_SUCCESS) ? unlock_status : status; + + return status; +} + +psa_status_t psa_verify_hash_complete( + psa_verify_hash_interruptible_operation_t *operation) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + /* Check that start has been called first. */ + if (operation->id == 0) { + status = PSA_ERROR_BAD_STATE; + goto exit; + } + + status = psa_driver_wrapper_verify_hash_complete(operation); + +exit: + + if (status != PSA_OPERATION_INCOMPLETE) { + psa_verify_hash_abort(operation); + } + + return status; +} + +psa_status_t psa_verify_hash_abort( + psa_verify_hash_interruptible_operation_t *operation) +{ + if (operation->id == 0) { + /* The object has (apparently) been initialized but it is not (yet) + * in use. It's ok to call abort on such an object, and there's + * nothing to do. */ + return PSA_SUCCESS; + } + + psa_driver_wrapper_verify_hash_abort(operation); + + operation->id = 0; + + return PSA_SUCCESS; +} + /****************************************************************/ From 21b83879299d27c1d3f5b1399354d68e30d89b9e Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 15 Feb 2023 13:07:49 +0000 Subject: [PATCH 063/250] Add ChangeLog for OID-to-string fixes Signed-off-by: David Horstmann --- ChangeLog.d/fix-oid-to-string-bugs.txt | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ChangeLog.d/fix-oid-to-string-bugs.txt diff --git a/ChangeLog.d/fix-oid-to-string-bugs.txt b/ChangeLog.d/fix-oid-to-string-bugs.txt new file mode 100644 index 0000000000..799f444747 --- /dev/null +++ b/ChangeLog.d/fix-oid-to-string-bugs.txt @@ -0,0 +1,6 @@ +Bugfix + * Fix bug in conversion from OID to string in + mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed + correctly. + * Reject OIDs with overlong-encoded subidentifiers when converting + OID-to-string. From 34b3f1b7576565975715f4732c506e4dd49cccdd Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 15 Feb 2023 13:46:53 +0000 Subject: [PATCH 064/250] Make overflow checks more readable Signed-off-by: David Horstmann --- library/oid.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/oid.c b/library/oid.c index 17d3e093a4..22f1f1c230 100644 --- a/library/oid.c +++ b/library/oid.c @@ -844,7 +844,7 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size, while (i < oid->len && ((oid->p[i] & 0x80) != 0)) { /* Prevent overflow in value. */ - if (((value << 7) >> 7) != value) { + if (value > (UINT_MAX >> 7)) { return MBEDTLS_ERR_OID_BUF_TOO_SMALL; } @@ -873,7 +873,7 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size, value = 0; for (; i < oid->len; i++) { /* Prevent overflow in value. */ - if (((value << 7) >> 7) != value) { + if (value > (UINT_MAX >> 7)) { return MBEDTLS_ERR_OID_BUF_TOO_SMALL; } if ((value == 0) && ((oid->p[i]) == 0x80)) { From f51851dc702c475eb6729fa04c1d3f1bec11e1c2 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 15 Feb 2023 15:44:24 +0000 Subject: [PATCH 065/250] Change += to |= for clearer semantics Signed-off-by: David Horstmann --- library/oid.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/oid.c b/library/oid.c index 22f1f1c230..acea125856 100644 --- a/library/oid.c +++ b/library/oid.c @@ -848,7 +848,7 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size, return MBEDTLS_ERR_OID_BUF_TOO_SMALL; } - value += oid->p[i] & 0x7F; + value |= oid->p[i] & 0x7F; value <<= 7; i++; } @@ -856,7 +856,7 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size, return MBEDTLS_ERR_OID_BUF_TOO_SMALL; } /* Last byte of first subidentifier */ - value += oid->p[i] & 0x7F; + value |= oid->p[i] & 0x7F; i++; unsigned int component1 = value / 40; @@ -882,7 +882,7 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size, } value <<= 7; - value += oid->p[i] & 0x7F; + value |= oid->p[i] & 0x7F; if (!(oid->p[i] & 0x80)) { /* Last byte */ From 42df16c84b4720588d5694700b92493233a092e5 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 1 Feb 2023 13:58:04 +0100 Subject: [PATCH 066/250] Extract Secp521r1 from the prototype Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 65 +++++++++++++++++++++++--------------------- 1 file changed, 34 insertions(+), 31 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 2a97b8c000..a1a21c27a4 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5189,11 +5189,6 @@ cleanup: MBEDTLS_ECP_DP_SECP384R1_ENABLED */ #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) -/* - * Here we have an actual Mersenne prime, so things are more straightforward. - * However, chunks are aligned on a 'weird' boundary (521 bits). - */ - /* Size of p521 in terms of mbedtls_mpi_uint */ #define P521_WIDTH (521 / 8 / sizeof(mbedtls_mpi_uint) + 1) @@ -5201,48 +5196,56 @@ cleanup: #define P521_MASK 0x01FF /* - * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5) - * Write N as A1 + 2^521 A0, return A0 + A1 + * Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5) */ static int ecp_mod_p521(mbedtls_mpi *N) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t i; - mbedtls_mpi M; - mbedtls_mpi_uint Mp[P521_WIDTH + 1]; - /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits: - * we need to hold bits 513 to 1056, which is 34 limbs, that is - * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */ + size_t expected_width = 2 * ((521 + biL - 1) / biL); + MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width)); + ret = ecp_mod_p521_raw(N->p, expected_width); +cleanup: + return ret; +} +static int ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n) +{ + mbedtls_mpi_uint carry = 0; - if (N->n < P521_WIDTH) { + if (N_n > 2*P521_WIDTH) { + N_n = 2*P521_WIDTH; + } + if (N_n < P521_WIDTH) { return 0; } - /* M = A1 */ - M.s = 1; - M.n = N->n - (P521_WIDTH - 1); - if (M.n > P521_WIDTH + 1) { - M.n = P521_WIDTH + 1; - } - M.p = Mp; - memcpy(Mp, N->p + P521_WIDTH - 1, M.n * sizeof(mbedtls_mpi_uint)); - MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, 521 % (8 * sizeof(mbedtls_mpi_uint)))); + /* Step 1: Reduction to P521_WIDTH limbs */ + if (N_n > P521_WIDTH) { + /* Helper references for top part of N */ + mbedtls_mpi_uint *NT_p = N_p + P521_WIDTH; + size_t NT_n = N_n - P521_WIDTH; - /* N = A0 */ - N->p[P521_WIDTH - 1] &= P521_MASK; - for (i = P521_WIDTH; i < N->n; i++) { - N->p[i] = 0; + /* Split N as A0 + 2^(512 + biL) A1 and compute A0 + 2^(biL - 9) * A1. + * This can be done in place. */ + mbedtls_mpi_uint shift = ((mbedtls_mpi_uint) 1u) << (biL - 9); + carry = MPI_CORE(mla)(N_p, P521_WIDTH, NT_p, NT_n, shift); + + /* Clear top part */ + memset(NT_p, 0, sizeof(mbedtls_mpi_uint) * NT_n); } - /* N = A0 + A1 */ - MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M)); + /* Step 2: Reduction to < 2p. + * Now split as A0 + 2^521 * c, with c a scalar, and compute A0 + c. */ + carry <<= (biL - 9); + carry += (N_p[P521_WIDTH-1] >> 9); + N_p[P521_WIDTH-1] &= P521_MASK; + (void) mbedtls_core_add_int(N_p, N_p, carry, P521_WIDTH); -cleanup: - return ret; + return 0; } #undef P521_WIDTH #undef P521_MASK + #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ #endif /* MBEDTLS_ECP_NIST_OPTIM */ From 8450ab9c60249db6ec0855ca8539756eda6061ab Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 6 Feb 2023 15:47:00 +0100 Subject: [PATCH 067/250] Fix Secp521r1 reduction The prototype calculated with wrong limb size and not taken into account the overflow in the shared limb. Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index a1a21c27a4..f58539d224 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5211,14 +5211,19 @@ static int ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n) { mbedtls_mpi_uint carry = 0; - if (N_n > 2*P521_WIDTH) { - N_n = 2*P521_WIDTH; + if (N_n > 2 * P521_WIDTH - 1) { + N_n = 2 * P521_WIDTH - 1; } if (N_n < P521_WIDTH) { return 0; } - /* Step 1: Reduction to P521_WIDTH limbs */ + /* Save and clear the A1 content of the shared limb to prevent it + from overwrite. */ + mbedtls_mpi_uint remainder[P521_WIDTH] = {0}; + remainder[0] = N_p[P521_WIDTH - 1] >> 9; + N_p[P521_WIDTH - 1] &= P521_MASK; + if (N_n > P521_WIDTH) { /* Helper references for top part of N */ mbedtls_mpi_uint *NT_p = N_p + P521_WIDTH; @@ -5227,18 +5232,14 @@ static int ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n) /* Split N as A0 + 2^(512 + biL) A1 and compute A0 + 2^(biL - 9) * A1. * This can be done in place. */ mbedtls_mpi_uint shift = ((mbedtls_mpi_uint) 1u) << (biL - 9); - carry = MPI_CORE(mla)(N_p, P521_WIDTH, NT_p, NT_n, shift); + carry = mbedtls_mpi_core_mla(N_p, P521_WIDTH - 1, NT_p, NT_n, shift); /* Clear top part */ memset(NT_p, 0, sizeof(mbedtls_mpi_uint) * NT_n); } - /* Step 2: Reduction to < 2p. - * Now split as A0 + 2^521 * c, with c a scalar, and compute A0 + c. */ - carry <<= (biL - 9); - carry += (N_p[P521_WIDTH-1] >> 9); - N_p[P521_WIDTH-1] &= P521_MASK; - (void) mbedtls_core_add_int(N_p, N_p, carry, P521_WIDTH); + (void)mbedtls_mpi_core_add(N_p, N_p, remainder, P521_WIDTH); + N_p[P521_WIDTH - 1] += carry; return 0; } From 2cb630edee50c9799e88af39b7d52a3162cd4ec5 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 1 Feb 2023 14:02:16 +0100 Subject: [PATCH 068/250] Change the ecp_mod_p521_raw to be testable Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 6 +++++- library/ecp_invasive.h | 7 +++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index f58539d224..269f5fcf90 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -4584,6 +4584,8 @@ static int ecp_mod_p384(mbedtls_mpi *); #endif #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) static int ecp_mod_p521(mbedtls_mpi *); +MBEDTLS_STATIC_TESTABLE +int ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n); #endif #define NIST_MODP(P) grp->modp = ecp_mod_ ## P; @@ -5207,7 +5209,9 @@ static int ecp_mod_p521(mbedtls_mpi *N) cleanup: return ret; } -static int ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n) + +MBEDTLS_STATIC_TESTABLE +int ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n) { mbedtls_mpi_uint carry = 0; diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index 3ee238ee53..31646b92d7 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h @@ -95,6 +95,13 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn); #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */ +#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) + +MBEDTLS_STATIC_TESTABLE +int ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n); + +#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ + #endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_ECP_C */ #endif /* MBEDTLS_ECP_INVASIVE_H */ From d8f67b975bdaca75a0eed75fad2e968fa8bd34d3 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 6 Feb 2023 15:49:42 +0100 Subject: [PATCH 069/250] Add test generation for ecp_mod_p521_raw Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/ecp.py | 83 ++++++++++++++++++++++++++++ tests/suites/test_suite_ecp.function | 44 ++++++++++++++- 2 files changed, 126 insertions(+), 1 deletion(-) diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index 93cd2123ff..96ddd057fb 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -75,3 +75,86 @@ class EcpP192R1Raw(bignum_common.ModOperationCommon, @property def is_valid(self) -> bool: return True + +class EcpP521R1Raw(bignum_common.ModOperationCommon, + EcpTarget): + """Test cases for ecp quasi_reduction().""" + test_function = "ecp_mod_p521_raw" + test_name = "ecp_mod_p521_raw" + input_style = "fixed" + arity = 1 + + moduli = [("01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff") + ] # type: List[str] + + input_values = [ + "0", "1", + + # Test case for overflow during addition + ("0001efffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "000001ef" + "0000000000000000000000000000000000000000000000000000000000000000" + "000000000000000000000000000000000000000000000000000000000f000000"), + + # First 8 number generated by random.getrandbits(1042) - seed(2,2) + ("0003cc2e82523e86feac7eb7dc38f519b91751dacdbd47d364be8049a372db8f" + "6e405d93ffed9235288bc781ae66267594c9c9500925e4749b575bd13653f8dd" + "9b1f282e" + "4067c3584ee207f8da94e3e8ab73738fcf1822ffbc6887782b491044d5e34124" + "5c6e433715ba2bdd177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"), + ("00017052829e07b0829a48d422fe99a22c70501e533c91352d3d854e061b9030" + "3b08c6e33c7295782d6c797f8f7d9b782a1be9cd8697bbd0e2520e33e44c5055" + "6c71c4a6" + "6148a86fe8624fab5186ee32ee8d7ee9770348a05d300cb90706a045defc044a" + "09325626e6b58de744ab6cce80877b6f71e1f6d2ef8acd128b4f2fc15f3f57eb"), + ("00021f15a7a83ee0761ebfd2bd143fa9b714210c665d7435c1066932f4767f26" + "294365b2721dea3bf63f23d0dbe53fcafb2147df5ca495fa5a91c89b97eeab64" + "ca2ce6bc" + "5d3fd983c34c769fe89204e2e8168561867e5e15bc01bfce6a27e0dfcbf87544" + "72154e76e4c11ab2fec3f6b32e8d4b8a8f54f8ceacaab39e83844b40ffa9b9f1"), + ("000381bc2a838af8d5c44a4eb3172062d08f1bb2531d6460f0caeef038c89b38" + "a8acb5137c9260dc74e088a9b9492f258ebdbfe3eb9ac688b9d39cca91551e82" + "59cc60b1" + "7604e4b4e73695c3e652c71a74667bffe202849da9643a295a9ac6decbd4d3e2" + "d4dec9ef83f0be4e80371eb97f81375eecc1cb6347733e847d718d733ff98ff3"), + ("00034816c8c69069134bccd3e1cf4f589f8e4ce0af29d115ef24bd625dd961e6" + "830b54fa7d28f93435339774bb1e386c4fd5079e681b8f5896838b769da59b74" + "a6c3181c" + "81e220df848b1df78feb994a81167346d4c0dca8b4c9e755cc9c3adcf515a823" + "4da4daeb4f3f87777ad1f45ae9500ec9c5e2486c44a4a8f69dc8db48e86ec9c6"), + ("000397846c4454b90f756132e16dce72f18e859835e1f291d322a7353ead4efe" + "440e2b4fda9c025a22f1a83185b98f5fc11e60de1b343f52ea748db9e020307a" + "aeb6db2c" + "3a038a709779ac1f45e9dd320c855fdfa7251af0930cdbd30f0ad2a81b2d19a2" + "beaa14a7ff3fe32a30ffc4eed0a7bd04e85bfcdd0227eeb7b9d7d01f5769da05"), + ("00002c3296e6bc4d62b47204007ee4fab105d83e85e951862f0981aebc1b00d9" + "2838e766ef9b6bf2d037fe2e20b6a8464174e75a5f834da70569c018eb2b5693" + "babb7fbb" + "0a76c196067cfdcb11457d9cf45e2fa01d7f4275153924800600571fac3a5b26" + "3fdf57cd2c0064975c3747465cc36c270e8a35b10828d569c268a20eb78ac332"), + ("00009d23b4917fc09f20dbb0dcc93f0e66dfe717c17313394391b6e2e6eacb0f" + "0bb7be72bd6d25009aeb7fa0c4169b148d2f527e72daf0a54ef25c0707e33868" + "7d1f7157" + "5653a45c49390aa51cf5192bbf67da14be11d56ba0b4a2969d8055a9f03f2d71" + "581d8e830112ff0f0948eccaf8877acf26c377c13f719726fd70bddacb4deeec"), + + # Next 2 number generated by random.getrandbits(521) + ("12b84ae65e920a63ac1f2b64df6dff07870c9d531ae72a47403063238da1a1fe" + "3f9d6a179fa50f96cd4aff9261aa92c0e6f17ec940639bc2ccdf572df00790813e3"), + ("166049dd332a73fa0b26b75196cf87eb8a09b27ec714307c68c425424a1574f1" + "eedf5b0f16cdfdb839424d201e653f53d6883ca1c107ca6e706649889c0c7f38608") + ] + + @property + def arg_a(self) -> str: + return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits - 2 * self.bits_in_limb // 8) + + def result(self) -> List[str]: + result = self.int_a % self.int_n + return [self.format_result(result)] + + @property + def is_valid(self) -> bool: + return True diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index b9d2b5ea55..b1a096d046 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -4,8 +4,8 @@ #include "mbedtls/ecdh.h" #include "bignum_core.h" -#include "bignum_mod_raw_invasive.h" #include "ecp_invasive.h" +#include "bignum_mod_raw_invasive.h" #if defined(MBEDTLS_TEST_HOOKS) && \ (defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \ @@ -1344,3 +1344,45 @@ exit: mbedtls_free(N); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */ +void ecp_mod_p521_raw(char *input_N, + char *input_X, + char *result) +{ + mbedtls_mpi_uint *X = NULL; + mbedtls_mpi_uint *N = NULL; + mbedtls_mpi_uint *res = NULL; + size_t limbs_X; + size_t limbs_N; + size_t limbs_res; + + mbedtls_mpi_mod_modulus m; + mbedtls_mpi_mod_modulus_init(&m); + + TEST_EQUAL(mbedtls_test_read_mpi_core(&X, &limbs_X, input_X), 0); + TEST_EQUAL(mbedtls_test_read_mpi_core(&N, &limbs_N, input_N), 0); + TEST_EQUAL(mbedtls_test_read_mpi_core(&res, &limbs_res, result), 0); + + size_t limbs = limbs_N; + size_t bytes = limbs * sizeof(mbedtls_mpi_uint); + + TEST_EQUAL(limbs_X, 2 * limbs - 1); + TEST_EQUAL(limbs_res, limbs); + + TEST_EQUAL(mbedtls_mpi_mod_modulus_setup( + &m, N, limbs, + MBEDTLS_MPI_MOD_REP_MONTGOMERY), 0); + + TEST_EQUAL(ecp_mod_p521_raw(X, limbs_X), 0); + mbedtls_mpi_mod_raw_fix_quasi_reduction(X, &m); + ASSERT_COMPARE(X, bytes, res, bytes); + +exit: + mbedtls_free(X); + mbedtls_free(res); + + mbedtls_mpi_mod_modulus_free(&m); + mbedtls_free(N); +} +/* END_CASE */ From b1c62caa1fce2e6ea10629b44e6efc912ba7c4d4 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 6 Feb 2023 16:02:05 +0100 Subject: [PATCH 070/250] Add documentation Signed-off-by: Gabor Mezei --- library/ecp_invasive.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index 31646b92d7..2854fb0a96 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h @@ -97,6 +97,12 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn); #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) +/** Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5) + * + * \param[in,out] N_p The address of the MPI to be converted. + * Must have 2 * N - 1 limbs, where N is the modulus. + * \param[in] N_n The length of \p N_p in limbs. + */ MBEDTLS_STATIC_TESTABLE int ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n); From b62ad5d569a1df385f6d81df10d1f804e2e27e22 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 6 Feb 2023 17:13:02 +0100 Subject: [PATCH 071/250] Rename function to follow naming convention Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 6 +++--- library/ecp_invasive.h | 2 +- tests/suites/test_suite_ecp.function | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 269f5fcf90..2da4bdd92c 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -4585,7 +4585,7 @@ static int ecp_mod_p384(mbedtls_mpi *); #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) static int ecp_mod_p521(mbedtls_mpi *); MBEDTLS_STATIC_TESTABLE -int ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n); +int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n); #endif #define NIST_MODP(P) grp->modp = ecp_mod_ ## P; @@ -5205,13 +5205,13 @@ static int ecp_mod_p521(mbedtls_mpi *N) int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t expected_width = 2 * ((521 + biL - 1) / biL); MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width)); - ret = ecp_mod_p521_raw(N->p, expected_width); + ret = mbedtls_ecp_mod_p521_raw(N->p, expected_width); cleanup: return ret; } MBEDTLS_STATIC_TESTABLE -int ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n) +int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n) { mbedtls_mpi_uint carry = 0; diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index 2854fb0a96..45b0006963 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h @@ -104,7 +104,7 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn); * \param[in] N_n The length of \p N_p in limbs. */ MBEDTLS_STATIC_TESTABLE -int ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n); +int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n); #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index b1a096d046..a0042ed348 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -1374,7 +1374,7 @@ void ecp_mod_p521_raw(char *input_N, &m, N, limbs, MBEDTLS_MPI_MOD_REP_MONTGOMERY), 0); - TEST_EQUAL(ecp_mod_p521_raw(X, limbs_X), 0); + TEST_EQUAL(mbedtls_ecp_mod_p521_raw(X, limbs_X), 0); mbedtls_mpi_mod_raw_fix_quasi_reduction(X, &m); ASSERT_COMPARE(X, bytes, res, bytes); From 05c138e1722860d603894a340dcfeef5bc05f6be Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 6 Feb 2023 18:03:39 +0100 Subject: [PATCH 072/250] Fix pylint issues Create a new function for calculating the number of hex digits needed for a certain amount of limbs. Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/bignum_common.py | 6 +++++- scripts/mbedtls_dev/ecp.py | 4 +++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 2422175541..5319ec68b2 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -74,6 +74,10 @@ def combination_pairs(values: List[T]) -> List[Tuple[T, T]]: """Return all pair combinations from input values.""" return [(x, y) for x in values for y in values] +def hex_digits_for_limb(limbs: int, bits_in_limb: int) -> int: + """ Retrun the hex digits need for a number of limbs. """ + return 2 * (limbs * bits_in_limb // 8) + class OperationCommon(test_data_generation.BaseTest): """Common features for bignum binary operations. @@ -138,7 +142,7 @@ class OperationCommon(test_data_generation.BaseTest): @property def hex_digits(self) -> int: - return 2 * (self.limbs * self.bits_in_limb // 8) + return hex_digits_for_limb(self.limbs, self.bits_in_limb) def format_arg(self, val: str) -> str: if self.input_style not in self.input_styles: diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index 96ddd057fb..c167f6b6ff 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -149,7 +149,9 @@ class EcpP521R1Raw(bignum_common.ModOperationCommon, @property def arg_a(self) -> str: - return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits - 2 * self.bits_in_limb // 8) + # Number of limbs: 2 * N - 1 + hex_digits = bignum_common.hex_digits_for_limb(2 * self.limbs - 1, self.bits_in_limb) + return super().format_arg('{:x}'.format(self.int_a)).zfill(hex_digits) def result(self) -> List[str]: result = self.int_a % self.int_n From 6bfbd3650788bc82216906c9bf540f4090ee7f06 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Mon, 6 Feb 2023 18:06:54 +0100 Subject: [PATCH 073/250] Fix coding style issues Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 2da4bdd92c..00642650cc 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5224,7 +5224,7 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n) /* Save and clear the A1 content of the shared limb to prevent it from overwrite. */ - mbedtls_mpi_uint remainder[P521_WIDTH] = {0}; + mbedtls_mpi_uint remainder[P521_WIDTH] = { 0 }; remainder[0] = N_p[P521_WIDTH - 1] >> 9; N_p[P521_WIDTH - 1] &= P521_MASK; @@ -5242,7 +5242,7 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n) memset(NT_p, 0, sizeof(mbedtls_mpi_uint) * NT_n); } - (void)mbedtls_mpi_core_add(N_p, N_p, remainder, P521_WIDTH); + (void) mbedtls_mpi_core_add(N_p, N_p, remainder, P521_WIDTH); N_p[P521_WIDTH - 1] += carry; return 0; From b50aeb8f0533d5f5ed981c6eeb68163fb7e3c909 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 7 Feb 2023 12:46:54 +0100 Subject: [PATCH 074/250] Fix 32-bit issues The 521 bit needs different limb alignment for different word sizes. Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/ecp.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index c167f6b6ff..e0fb000354 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -81,7 +81,7 @@ class EcpP521R1Raw(bignum_common.ModOperationCommon, """Test cases for ecp quasi_reduction().""" test_function = "ecp_mod_p521_raw" test_name = "ecp_mod_p521_raw" - input_style = "fixed" + input_style = "arch_split" arity = 1 moduli = [("01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" From 13c3aa13af220d96b95d98f0bf47bb0105f56267 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 7 Feb 2023 15:24:57 +0000 Subject: [PATCH 075/250] Revert changes to mod_p521 flow It is not necessary to save the middle limb upfront as overwriting it is the desired result: in the first step we are reducing modulo 2^{512+biL}. Arguably, the original flow is more intuitive and easier to see the idea behind it. Signed-off-by: Janos Follath Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 00642650cc..7d029de1fc 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5222,12 +5222,6 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n) return 0; } - /* Save and clear the A1 content of the shared limb to prevent it - from overwrite. */ - mbedtls_mpi_uint remainder[P521_WIDTH] = { 0 }; - remainder[0] = N_p[P521_WIDTH - 1] >> 9; - N_p[P521_WIDTH - 1] &= P521_MASK; - if (N_n > P521_WIDTH) { /* Helper references for top part of N */ mbedtls_mpi_uint *NT_p = N_p + P521_WIDTH; @@ -5236,14 +5230,17 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n) /* Split N as A0 + 2^(512 + biL) A1 and compute A0 + 2^(biL - 9) * A1. * This can be done in place. */ mbedtls_mpi_uint shift = ((mbedtls_mpi_uint) 1u) << (biL - 9); - carry = mbedtls_mpi_core_mla(N_p, P521_WIDTH - 1, NT_p, NT_n, shift); + carry = mbedtls_mpi_core_mla(N_p, P521_WIDTH, NT_p, NT_n, shift); /* Clear top part */ memset(NT_p, 0, sizeof(mbedtls_mpi_uint) * NT_n); } + mbedtls_mpi_uint remainder[P521_WIDTH] = { 0 }; + remainder[0] = carry << (biL - 9); + remainder[0] += (N_p[P521_WIDTH - 1] >> 9); + N_p[P521_WIDTH - 1] &= P521_MASK; (void) mbedtls_mpi_core_add(N_p, N_p, remainder, P521_WIDTH); - N_p[P521_WIDTH - 1] += carry; return 0; } From 755ff0e6853fbc568abb0414da21991fbabc2411 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 7 Feb 2023 15:27:44 +0000 Subject: [PATCH 076/250] Add corner case to mod_p521 tests Signed-off-by: Janos Follath Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/ecp.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index e0fb000354..fa70dedb55 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -91,6 +91,13 @@ class EcpP521R1Raw(bignum_common.ModOperationCommon, input_values = [ "0", "1", + # Corner case: maximum canonical P521 multiplication result + ("0003ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "fffff800" + "0000000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000004"), + # Test case for overflow during addition ("0001efffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" From 666673e83f2e692dfd0720ed0547fdf4eabc7fd6 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 7 Feb 2023 15:49:15 +0000 Subject: [PATCH 077/250] modp521: apply naming conventions Apply the usual parameter name and align the local variables and comments. This naming diverges from the standard notation, but this is beneficial as our variable meanings diverge as well and the difference can help avoiding confusion. Signed-off-by: Janos Follath Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 7d029de1fc..186dabef20 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5211,36 +5211,39 @@ cleanup: } MBEDTLS_STATIC_TESTABLE -int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n) +int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs) { mbedtls_mpi_uint carry = 0; - if (N_n > 2 * P521_WIDTH - 1) { - N_n = 2 * P521_WIDTH - 1; + if (X_limbs > 2 * P521_WIDTH - 1) { + X_limbs = 2 * P521_WIDTH - 1; } - if (N_n < P521_WIDTH) { + if (X_limbs < P521_WIDTH) { return 0; } - if (N_n > P521_WIDTH) { - /* Helper references for top part of N */ - mbedtls_mpi_uint *NT_p = N_p + P521_WIDTH; - size_t NT_n = N_n - P521_WIDTH; + if (X_limbs > P521_WIDTH) { + /* Helper references for bottom part of X */ + mbedtls_mpi_uint *X0 = X; + size_t X0_limbs = P521_WIDTH; + /* Helper references for top part of X */ + mbedtls_mpi_uint *X1 = X + X0_limbs; + size_t X1_limbs = X_limbs - X0_limbs; - /* Split N as A0 + 2^(512 + biL) A1 and compute A0 + 2^(biL - 9) * A1. + /* Split X as X0 + 2^(512 + biL) X1 and compute X0 + 2^(biL - 9) * X1. * This can be done in place. */ mbedtls_mpi_uint shift = ((mbedtls_mpi_uint) 1u) << (biL - 9); - carry = mbedtls_mpi_core_mla(N_p, P521_WIDTH, NT_p, NT_n, shift); + carry = mbedtls_mpi_core_mla(X0, X0_limbs, X1, X1_limbs, shift); /* Clear top part */ - memset(NT_p, 0, sizeof(mbedtls_mpi_uint) * NT_n); + memset(X1, 0, X1_limbs * sizeof(mbedtls_mpi_uint)); } - mbedtls_mpi_uint remainder[P521_WIDTH] = { 0 }; - remainder[0] = carry << (biL - 9); - remainder[0] += (N_p[P521_WIDTH - 1] >> 9); - N_p[P521_WIDTH - 1] &= P521_MASK; - (void) mbedtls_mpi_core_add(N_p, N_p, remainder, P521_WIDTH); + mbedtls_mpi_uint addend[P521_WIDTH] = { 0 }; + addend[0] = carry << (biL - 9); + addend[0] += (X[P521_WIDTH - 1] >> 9); + X[P521_WIDTH - 1] &= P521_MASK; + (void) mbedtls_mpi_core_add(X, X, addend, P521_WIDTH); return 0; } From fe24e91a34324a5ee20dd2beda5d81de53dc3fe5 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 8 Feb 2023 10:14:21 +0000 Subject: [PATCH 078/250] mod_p521: document reduction algorithm Signed-off-by: Janos Follath Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 38 +++++++++++++++++++++++++++++++------- 1 file changed, 31 insertions(+), 7 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 186dabef20..74392661c7 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5222,6 +5222,7 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs) return 0; } + /* Step 1: Reduction to P521_WIDTH limbs */ if (X_limbs > P521_WIDTH) { /* Helper references for bottom part of X */ mbedtls_mpi_uint *X0 = X; @@ -5230,20 +5231,43 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs) mbedtls_mpi_uint *X1 = X + X0_limbs; size_t X1_limbs = X_limbs - X0_limbs; - /* Split X as X0 + 2^(512 + biL) X1 and compute X0 + 2^(biL - 9) * X1. - * This can be done in place. */ + /* Split X as X0 + 2^P521_WIDTH X1 and compute X0 + 2^(biL - 9) X1. + * (We are using that 2^P521_WIDTH = 2^(512 + biL) and that + * 2^(512 + biL) X1 = 2^(biL - 9) X1 mod P521.) + * The high order limb of the result will be held in carry and the rest + * in X0 (that is the result will be represented as + * 2^P521_WIDTH carry + X0). + * + * Also, note that the resulting carry is either 0 or 1: + * X0 < 2^P521_WIDTH = 2^(512 + biL) and X1 < 2^(P521_WIDTH-biL) = 2^512 + * therefore + * X0 + 2^(biL - 9) X1 < 2^(512 + biL) + 2^(512 + biL - 9) + * which in turn is less than 2 * 2^(512 + biL). + */ mbedtls_mpi_uint shift = ((mbedtls_mpi_uint) 1u) << (biL - 9); carry = mbedtls_mpi_core_mla(X0, X0_limbs, X1, X1_limbs, shift); - /* Clear top part */ + /* Set X to X0 (by clearing the top part). */ memset(X1, 0, X1_limbs * sizeof(mbedtls_mpi_uint)); } - mbedtls_mpi_uint addend[P521_WIDTH] = { 0 }; - addend[0] = carry << (biL - 9); - addend[0] += (X[P521_WIDTH - 1] >> 9); + /* Step 2: Reduction modulo P521 + * + * At this point X is reduced to P521_WIDTH limbs. What remains is to add + * the carry (that is 2^P521_WIDTH carry) and to reduce mod P521. */ + + /* 2^P521_WIDTH carry = 2^(512 + biL) carry = 2^(biL - 9) carry mod P521. + * Also, recall that carry is either 0 or 1. */ + mbedtls_mpi_uint addend = carry << (biL - 9); + /* Keep the top 9 bits and reduce the rest, using 2^521 = 1 mod P521. */ + addend += (X[P521_WIDTH - 1] >> 9); X[P521_WIDTH - 1] &= P521_MASK; - (void) mbedtls_mpi_core_add(X, X, addend, P521_WIDTH); + /* Declare a helper array for carrying out the addition. */ + mbedtls_mpi_uint addend_arr[P521_WIDTH] = { 0 }; + addend_arr[0] = addend; + (void) mbedtls_mpi_core_add(X, X, addend_arr, P521_WIDTH); + /* Both addends were less than P521 therefore X < 2 P521. (This also means + * that the result fit in P521_WIDTH limbs and there won't be any carry.) */ return 0; } From d10d429380135040a0af53539ebd9788ef9b09f1 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 8 Feb 2023 16:27:03 +0100 Subject: [PATCH 079/250] Stack usage optimization for mod_p521 Instead of creating an mpi on the stack, reuse the unused part of the input mpi. Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 74392661c7..49182a44f9 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5262,12 +5262,22 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs) /* Keep the top 9 bits and reduce the rest, using 2^521 = 1 mod P521. */ addend += (X[P521_WIDTH - 1] >> 9); X[P521_WIDTH - 1] &= P521_MASK; - /* Declare a helper array for carrying out the addition. */ - mbedtls_mpi_uint addend_arr[P521_WIDTH] = { 0 }; + + /* Resuse the top part of X (already zeroed) as a helper array for + * carrying out the addition. */ + mbedtls_mpi_uint *addend_arr = X + P521_WIDTH; addend_arr[0] = addend; - (void) mbedtls_mpi_core_add(X, X, addend_arr, P521_WIDTH); - /* Both addends were less than P521 therefore X < 2 P521. (This also means - * that the result fit in P521_WIDTH limbs and there won't be any carry.) */ + /* The unused part of X is P521_WIDTH - 1 limbs in size and only that + * size can be used for addition. Due to the addend fit in a limb + * the limbs other the first in the helper array are only used for + * propagating the carry. By adding the carry of the P521_WIDTH - 1 limb + * addition to the last limb of X makes the addition of X and the addend + * complete. */ + carry = mbedtls_mpi_core_add(X, X, addend_arr, P521_WIDTH - 1); + X[P521_WIDTH - 1] += carry; + + /* Clear the reused part of X. */ + addend_arr[0] = 0; return 0; } From cf228706cdb8bab4b3b4d7a8a0281a8eda418a51 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 15 Feb 2023 16:52:33 +0100 Subject: [PATCH 080/250] Restrict input parameter size for ecp_mod_p521_raw The imput mpi parameter must have twice as many limbs as the modulus. Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 70 ++++++++++++---------------- scripts/mbedtls_dev/ecp.py | 7 ++- tests/suites/test_suite_ecp.function | 2 +- 3 files changed, 33 insertions(+), 46 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 49182a44f9..85d634ab01 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5203,7 +5203,7 @@ cleanup: static int ecp_mod_p521(mbedtls_mpi *N) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t expected_width = 2 * ((521 + biL - 1) / biL); + size_t expected_width = 2 * P521_WIDTH; MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width)); ret = mbedtls_ecp_mod_p521_raw(N->p, expected_width); cleanup: @@ -5215,41 +5215,34 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs) { mbedtls_mpi_uint carry = 0; - if (X_limbs > 2 * P521_WIDTH - 1) { - X_limbs = 2 * P521_WIDTH - 1; - } - if (X_limbs < P521_WIDTH) { - return 0; + if (X_limbs != 2 * P521_WIDTH || X[2 * P521_WIDTH - 1] != 0) { + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; } /* Step 1: Reduction to P521_WIDTH limbs */ - if (X_limbs > P521_WIDTH) { - /* Helper references for bottom part of X */ - mbedtls_mpi_uint *X0 = X; - size_t X0_limbs = P521_WIDTH; - /* Helper references for top part of X */ - mbedtls_mpi_uint *X1 = X + X0_limbs; - size_t X1_limbs = X_limbs - X0_limbs; - - /* Split X as X0 + 2^P521_WIDTH X1 and compute X0 + 2^(biL - 9) X1. - * (We are using that 2^P521_WIDTH = 2^(512 + biL) and that - * 2^(512 + biL) X1 = 2^(biL - 9) X1 mod P521.) - * The high order limb of the result will be held in carry and the rest - * in X0 (that is the result will be represented as - * 2^P521_WIDTH carry + X0). - * - * Also, note that the resulting carry is either 0 or 1: - * X0 < 2^P521_WIDTH = 2^(512 + biL) and X1 < 2^(P521_WIDTH-biL) = 2^512 - * therefore - * X0 + 2^(biL - 9) X1 < 2^(512 + biL) + 2^(512 + biL - 9) - * which in turn is less than 2 * 2^(512 + biL). - */ - mbedtls_mpi_uint shift = ((mbedtls_mpi_uint) 1u) << (biL - 9); - carry = mbedtls_mpi_core_mla(X0, X0_limbs, X1, X1_limbs, shift); - - /* Set X to X0 (by clearing the top part). */ - memset(X1, 0, X1_limbs * sizeof(mbedtls_mpi_uint)); - } + /* Helper references for bottom part of X */ + mbedtls_mpi_uint *X0 = X; + size_t X0_limbs = P521_WIDTH; + /* Helper references for top part of X */ + mbedtls_mpi_uint *X1 = X + X0_limbs; + size_t X1_limbs = X_limbs - X0_limbs; + /* Split X as X0 + 2^P521_WIDTH X1 and compute X0 + 2^(biL - 9) X1. + * (We are using that 2^P521_WIDTH = 2^(512 + biL) and that + * 2^(512 + biL) X1 = 2^(biL - 9) X1 mod P521.) + * The high order limb of the result will be held in carry and the rest + * in X0 (that is the result will be represented as + * 2^P521_WIDTH carry + X0). + * + * Also, note that the resulting carry is either 0 or 1: + * X0 < 2^P521_WIDTH = 2^(512 + biL) and X1 < 2^(P521_WIDTH-biL) = 2^512 + * therefore + * X0 + 2^(biL - 9) X1 < 2^(512 + biL) + 2^(512 + biL - 9) + * which in turn is less than 2 * 2^(512 + biL). + */ + mbedtls_mpi_uint shift = ((mbedtls_mpi_uint) 1u) << (biL - 9); + carry = mbedtls_mpi_core_mla(X0, X0_limbs, X1, X1_limbs, shift); + /* Set X to X0 (by clearing the top part). */ + memset(X1, 0, X1_limbs * sizeof(mbedtls_mpi_uint)); /* Step 2: Reduction modulo P521 * @@ -5267,14 +5260,9 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs) * carrying out the addition. */ mbedtls_mpi_uint *addend_arr = X + P521_WIDTH; addend_arr[0] = addend; - /* The unused part of X is P521_WIDTH - 1 limbs in size and only that - * size can be used for addition. Due to the addend fit in a limb - * the limbs other the first in the helper array are only used for - * propagating the carry. By adding the carry of the P521_WIDTH - 1 limb - * addition to the last limb of X makes the addition of X and the addend - * complete. */ - carry = mbedtls_mpi_core_add(X, X, addend_arr, P521_WIDTH - 1); - X[P521_WIDTH - 1] += carry; + (void) mbedtls_mpi_core_add(X, X, addend_arr, P521_WIDTH); + /* Both addends were less than P521 therefore X < 2 * P521. (This also means + * that the result fit in P521_WIDTH limbs and there won't be any carry.) */ /* Clear the reused part of X. */ addend_arr[0] = 0; diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index fa70dedb55..d436d0a35c 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -81,7 +81,7 @@ class EcpP521R1Raw(bignum_common.ModOperationCommon, """Test cases for ecp quasi_reduction().""" test_function = "ecp_mod_p521_raw" test_name = "ecp_mod_p521_raw" - input_style = "arch_split" + input_style = "fixed" arity = 1 moduli = [("01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" @@ -156,9 +156,8 @@ class EcpP521R1Raw(bignum_common.ModOperationCommon, @property def arg_a(self) -> str: - # Number of limbs: 2 * N - 1 - hex_digits = bignum_common.hex_digits_for_limb(2 * self.limbs - 1, self.bits_in_limb) - return super().format_arg('{:x}'.format(self.int_a)).zfill(hex_digits) + # Number of limbs: 2 * N + return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits) def result(self) -> List[str]: result = self.int_a % self.int_n diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index a0042ed348..212dfcbf9f 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -1367,7 +1367,7 @@ void ecp_mod_p521_raw(char *input_N, size_t limbs = limbs_N; size_t bytes = limbs * sizeof(mbedtls_mpi_uint); - TEST_EQUAL(limbs_X, 2 * limbs - 1); + TEST_EQUAL(limbs_X, 2 * limbs); TEST_EQUAL(limbs_res, limbs); TEST_EQUAL(mbedtls_mpi_mod_modulus_setup( From 2b064ec33221c4f41663cd0f379ef4dcd960cb1d Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 15 Feb 2023 17:04:40 +0100 Subject: [PATCH 081/250] Revert the addition of hex digit calculator function This reverts commit 0f83e15e670565147daa32fd1fac510759520e26. Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/bignum_common.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 5319ec68b2..2422175541 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -74,10 +74,6 @@ def combination_pairs(values: List[T]) -> List[Tuple[T, T]]: """Return all pair combinations from input values.""" return [(x, y) for x in values for y in values] -def hex_digits_for_limb(limbs: int, bits_in_limb: int) -> int: - """ Retrun the hex digits need for a number of limbs. """ - return 2 * (limbs * bits_in_limb // 8) - class OperationCommon(test_data_generation.BaseTest): """Common features for bignum binary operations. @@ -142,7 +138,7 @@ class OperationCommon(test_data_generation.BaseTest): @property def hex_digits(self) -> int: - return hex_digits_for_limb(self.limbs, self.bits_in_limb) + return 2 * (self.limbs * self.bits_in_limb // 8) def format_arg(self, val: str) -> str: if self.input_style not in self.input_styles: From 555b1f7e44480a6231a69328daf0e97ba2e2219c Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 15 Feb 2023 17:13:20 +0100 Subject: [PATCH 082/250] Add check for test Check the bit length of the output of ecp_mod_p521_raw. Signed-off-by: Gabor Mezei --- tests/suites/test_suite_ecp.function | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index 212dfcbf9f..4e74d9b8eb 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -1375,6 +1375,7 @@ void ecp_mod_p521_raw(char *input_N, MBEDTLS_MPI_MOD_REP_MONTGOMERY), 0); TEST_EQUAL(mbedtls_ecp_mod_p521_raw(X, limbs_X), 0); + TEST_LE_U(mbedtls_mpi_core_bitlen(X, limbs_X), 522); mbedtls_mpi_mod_raw_fix_quasi_reduction(X, &m); ASSERT_COMPARE(X, bytes, res, bytes); From 7e6fcc1fbc83c8d9d613e85001fd4bf559faba88 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 15 Feb 2023 17:51:59 +0100 Subject: [PATCH 083/250] Update documentation Signed-off-by: Gabor Mezei --- library/ecp_invasive.h | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index 45b0006963..3d1321c525 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h @@ -99,12 +99,21 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn); /** Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5) * - * \param[in,out] N_p The address of the MPI to be converted. - * Must have 2 * N - 1 limbs, where N is the modulus. - * \param[in] N_n The length of \p N_p in limbs. + * \param[in,out] X The address of the MPI to be converted. + * Must have twice as many limbs as the modulus + * (the modulus is 521 bits long). Upon return this + * holds the reduced value. The reduced value is + * in range `0 <= X < 2 * N` (where N is the modulus). + * and its the bitlength is one plus the bitlength + * of the modulus. + * \param[in] X_limbs The length of \p X in limbs. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs does not have + * twice as many limbs as the modulus. */ MBEDTLS_STATIC_TESTABLE -int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n); +int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs); #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ From 2ba002cc2f7be32b838490a6f7f2ecb0848a774e Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 9 Dec 2022 18:59:26 +0000 Subject: [PATCH 084/250] Make ECDSA restartable sign and verify functions public Make public the versions of ECSDA sign and verify which return raw signatures rather than returning ASN.1 encoded signatures, in order to use them for the internal implemention of psa_sign/verify_hash_interruptible. Signed-off-by: Paul Elliott --- include/mbedtls/ecdsa.h | 173 ++++++++++++++++++++++++++++++++++++++++ library/ecdsa.c | 71 +++++++++-------- 2 files changed, 209 insertions(+), 35 deletions(-) diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h index 9847a68363..1741d2c204 100644 --- a/include/mbedtls/ecdsa.h +++ b/include/mbedtls/ecdsa.h @@ -222,6 +222,134 @@ int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r, void *p_rng_blind); #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ +#if !defined(MBEDTLS_ECDSA_SIGN_ALT) +/** + * \brief This function computes the ECDSA signature of a + * previously-hashed message, in a restartable way. + * + * \note The deterministic version implemented in + * mbedtls_ecdsa_sign_det_restartable() is usually + * preferred. + * + * \note This function is like \c mbedtls_ecdsa_sign() but + * it can return early and restart according to the + * limit set with \c mbedtls_ecp_set_max_ops() to + * reduce blocking. + * + * \note If the bitlength of the message hash is larger + * than the bitlength of the group order, then the + * hash is truncated as defined in Standards for + * Efficient Cryptography Group (SECG): SEC1 Elliptic + * Curve Cryptography, section 4.1.3, step 5. + * + * \see ecp.h + * + * \param grp The context for the elliptic curve to use. + * This must be initialized and have group parameters + * set, for example through mbedtls_ecp_group_load(). + * \param r The MPI context in which to store the first part + * the signature. This must be initialized. + * \param s The MPI context in which to store the second part + * the signature. This must be initialized. + * \param d The private signing key. This must be initialized + * and setup, for example through + * mbedtls_ecp_gen_privkey(). + * \param buf The hashed content to be signed. This must be a readable + * buffer of length \p blen Bytes. It may be \c NULL if + * \p blen is zero. + * \param blen The length of \p buf in Bytes. + * \param f_rng The RNG function. This must not be \c NULL. + * \param p_rng The RNG context to be passed to \p f_rng. This may be + * \c NULL if \p f_rng doesn't need a context parameter. + * \param f_rng_blind The RNG function used for blinding. This must not be + * \c NULL. + * \param p_rng_blind The RNG context to be passed to \p f_rng. This may be + * \c NULL if \p f_rng doesn't need a context parameter. + * \param rs_ctx The restart context to use. This may be \c NULL + * to disable restarting. If it is not \c NULL, it + * must point to an initialized restart context. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + * operations was reached: see \c + * mbedtls_ecp_set_max_ops(). + * \return Another \c MBEDTLS_ERR_ECP_XXX, \c + * MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX + * error code on failure. + */ +int mbedtls_ecdsa_sign_restartable( + mbedtls_ecp_group *grp, + mbedtls_mpi *r, mbedtls_mpi *s, + const mbedtls_mpi *d, + const unsigned char *buf, size_t blen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng, + int (*f_rng_blind)(void *, unsigned char *, size_t), + void *p_rng_blind, + mbedtls_ecdsa_restart_ctx *rs_ctx); + +#if defined(MBEDTLS_ECDSA_DETERMINISTIC) + +/** + * \brief This function computes the ECDSA signature of a + * previously-hashed message, in a restartable way. + * + * \note This function is like \c + * mbedtls_ecdsa_sign_det_ext() but it can return + * early and restart according to the limit set with + * \c mbedtls_ecp_set_max_ops() to reduce blocking. + * + * \note If the bitlength of the message hash is larger + * than the bitlength of the group order, then the + * hash is truncated as defined in Standards for + * Efficient Cryptography Group (SECG): SEC1 Elliptic + * Curve Cryptography, section 4.1.3, step 5. + * + * \see ecp.h + * + * \param grp The context for the elliptic curve to use. + * This must be initialized and have group parameters + * set, for example through mbedtls_ecp_group_load(). + * \param r The MPI context in which to store the first part + * the signature. This must be initialized. + * \param s The MPI context in which to store the second part + * the signature. This must be initialized. + * \param d The private signing key. This must be initialized + * and setup, for example through + * mbedtls_ecp_gen_privkey(). + * \param buf The hashed content to be signed. This must be a readable + * buffer of length \p blen Bytes. It may be \c NULL if + * \p blen is zero. + * \param blen The length of \p buf in Bytes. + * \param f_rng_blind The RNG function used for blinding. This must not be + * \c NULL. + * \param p_rng_blind The RNG context to be passed to \p f_rng. This may be + * \c NULL if \p f_rng doesn't need a context parameter. + * \param rs_ctx The restart context to use. This may be \c NULL + * to disable restarting. If it is not \c NULL, it + * must point to an initialized restart context. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + * operations was reached: see \c + * mbedtls_ecp_set_max_ops(). + * \return Another \c MBEDTLS_ERR_ECP_XXX, \c + * MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX + * error code on failure. + */ +int mbedtls_ecdsa_sign_det_restartable( + mbedtls_ecp_group *grp, + mbedtls_mpi *r, mbedtls_mpi *s, + const mbedtls_mpi *d, const unsigned char *buf, size_t blen, + mbedtls_md_type_t md_alg, + int (*f_rng_blind)(void *, unsigned char *, size_t), + void *p_rng_blind, + mbedtls_ecdsa_restart_ctx *rs_ctx); + +#endif /* MBEDTLS_ECDSA_DETERMINISTIC */ + +#endif /* !MBEDTLS_ECDSA_SIGN_ALT */ + /** * \brief This function verifies the ECDSA signature of a * previously-hashed message. @@ -257,6 +385,49 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp, const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s); +#if !defined(MBEDTLS_ECDSA_VERIFY_ALT) +/** + * \brief This function verifies the ECDSA signature of a + * previously-hashed message, in a restartable manner + * + * \note If the bitlength of the message hash is larger than the + * bitlength of the group order, then the hash is truncated as + * defined in Standards for Efficient Cryptography Group + * (SECG): SEC1 Elliptic Curve Cryptography, section + * 4.1.4, step 3. + * + * \see ecp.h + * + * \param grp The ECP group to use. + * This must be initialized and have group parameters + * set, for example through mbedtls_ecp_group_load(). + * \param buf The hashed content that was signed. This must be a readable + * buffer of length \p blen Bytes. It may be \c NULL if + * \p blen is zero. + * \param blen The length of \p buf in Bytes. + * \param Q The public key to use for verification. This must be + * initialized and setup. + * \param r The first integer of the signature. + * This must be initialized. + * \param s The second integer of the signature. + * This must be initialized. + * \param rs_ctx The restart context to use. This may be \c NULL to disable + * restarting. If it is not \c NULL, it must point to an + * initialized restart context. + * + * \return \c 0 on success. + * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + * error code on failure. + */ +int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp, + const unsigned char *buf, size_t blen, + const mbedtls_ecp_point *Q, + const mbedtls_mpi *r, + const mbedtls_mpi *s, + mbedtls_ecdsa_restart_ctx *rs_ctx); + +#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */ + /** * \brief This function computes the ECDSA signature and writes it * to a buffer, serialized as defined in RFC-4492: @@ -303,6 +474,8 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp, * \c NULL if \p f_rng is \c NULL or doesn't use a context. * * \return \c 0 on success. + * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + * operations was reached: see \c mbedtls_ecp_set_max_ops(). * \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or * \c MBEDTLS_ERR_ASN1_XXX error code on failure. */ diff --git a/library/ecdsa.c b/library/ecdsa.c index 3ddb82b1e7..eb3c303197 100644 --- a/library/ecdsa.c +++ b/library/ecdsa.c @@ -239,13 +239,13 @@ cleanup: * Compute ECDSA signature of a hashed message (SEC1 4.1.3) * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message) */ -static int ecdsa_sign_restartable(mbedtls_ecp_group *grp, - mbedtls_mpi *r, mbedtls_mpi *s, - const mbedtls_mpi *d, const unsigned char *buf, size_t blen, - int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int (*f_rng_blind)(void *, unsigned char *, size_t), - void *p_rng_blind, - mbedtls_ecdsa_restart_ctx *rs_ctx) +int mbedtls_ecdsa_sign_restartable(mbedtls_ecp_group *grp, + mbedtls_mpi *r, mbedtls_mpi *s, + const mbedtls_mpi *d, const unsigned char *buf, size_t blen, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, + int (*f_rng_blind)(void *, unsigned char *, size_t), + void *p_rng_blind, + mbedtls_ecdsa_restart_ctx *rs_ctx) { int ret, key_tries, sign_tries; int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries; @@ -394,8 +394,8 @@ int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) { /* Use the same RNG for both blinding and ephemeral key generation */ - return ecdsa_sign_restartable(grp, r, s, d, buf, blen, - f_rng, p_rng, f_rng, p_rng, NULL); + return mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen, + f_rng, p_rng, f_rng, p_rng, NULL); } #endif /* !MBEDTLS_ECDSA_SIGN_ALT */ @@ -406,13 +406,13 @@ int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, * note: The f_rng_blind parameter must not be NULL. * */ -static int ecdsa_sign_det_restartable(mbedtls_ecp_group *grp, - mbedtls_mpi *r, mbedtls_mpi *s, - const mbedtls_mpi *d, const unsigned char *buf, size_t blen, - mbedtls_md_type_t md_alg, - int (*f_rng_blind)(void *, unsigned char *, size_t), - void *p_rng_blind, - mbedtls_ecdsa_restart_ctx *rs_ctx) +int mbedtls_ecdsa_sign_det_restartable(mbedtls_ecp_group *grp, + mbedtls_mpi *r, mbedtls_mpi *s, + const mbedtls_mpi *d, const unsigned char *buf, size_t blen, + mbedtls_md_type_t md_alg, + int (*f_rng_blind)(void *, unsigned char *, size_t), + void *p_rng_blind, + mbedtls_ecdsa_restart_ctx *rs_ctx) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_hmac_drbg_context rng_ctx; @@ -462,9 +462,9 @@ sign: ret = mbedtls_ecdsa_sign(grp, r, s, d, buf, blen, mbedtls_hmac_drbg_random, p_rng); #else - ret = ecdsa_sign_restartable(grp, r, s, d, buf, blen, - mbedtls_hmac_drbg_random, p_rng, - f_rng_blind, p_rng_blind, rs_ctx); + ret = mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen, + mbedtls_hmac_drbg_random, p_rng, + f_rng_blind, p_rng_blind, rs_ctx); #endif /* MBEDTLS_ECDSA_SIGN_ALT */ cleanup: @@ -487,8 +487,8 @@ int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r, size_t), void *p_rng_blind) { - return ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg, - f_rng_blind, p_rng_blind, NULL); + return mbedtls_ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg, + f_rng_blind, p_rng_blind, NULL); } #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ @@ -497,11 +497,12 @@ int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r, * Verify ECDSA signature of hashed message (SEC1 4.1.4) * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message) */ -static int ecdsa_verify_restartable(mbedtls_ecp_group *grp, - const unsigned char *buf, size_t blen, - const mbedtls_ecp_point *Q, - const mbedtls_mpi *r, const mbedtls_mpi *s, - mbedtls_ecdsa_restart_ctx *rs_ctx) +int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp, + const unsigned char *buf, size_t blen, + const mbedtls_ecp_point *Q, + const mbedtls_mpi *r, + const mbedtls_mpi *s, + mbedtls_ecdsa_restart_ctx *rs_ctx) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_mpi e, s_inv, u1, u2; @@ -610,7 +611,7 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp, const mbedtls_mpi *r, const mbedtls_mpi *s) { - return ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL); + return mbedtls_ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL); } #endif /* !MBEDTLS_ECDSA_VERIFY_ALT */ @@ -665,9 +666,9 @@ int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx, mbedtls_mpi_init(&s); #if defined(MBEDTLS_ECDSA_DETERMINISTIC) - MBEDTLS_MPI_CHK(ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d, - hash, hlen, md_alg, f_rng, - p_rng, rs_ctx)); + MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d, + hash, hlen, md_alg, f_rng, + p_rng, rs_ctx)); #else (void) md_alg; @@ -678,9 +679,9 @@ int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx, hash, hlen, f_rng, p_rng)); #else /* Use the same RNG for both blinding and ephemeral key generation */ - MBEDTLS_MPI_CHK(ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d, - hash, hlen, f_rng, p_rng, f_rng, - p_rng, rs_ctx)); + MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d, + hash, hlen, f_rng, p_rng, f_rng, + p_rng, rs_ctx)); #endif /* MBEDTLS_ECDSA_SIGN_ALT */ #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ @@ -760,8 +761,8 @@ int mbedtls_ecdsa_read_signature_restartable(mbedtls_ecdsa_context *ctx, goto cleanup; } #else - if ((ret = ecdsa_verify_restartable(&ctx->grp, hash, hlen, - &ctx->Q, &r, &s, rs_ctx)) != 0) { + if ((ret = mbedtls_ecdsa_verify_restartable(&ctx->grp, hash, hlen, + &ctx->Q, &r, &s, rs_ctx)) != 0) { goto cleanup; } #endif /* MBEDTLS_ECDSA_VERIFY_ALT */ From 588f8ed498216b3f600f6d423328bd290ffe4a97 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 2 Dec 2022 18:10:26 +0000 Subject: [PATCH 085/250] Add internal implementation Signed-off-by: Paul Elliott --- include/psa/crypto_builtin_composites.h | 55 +++ .../psa/crypto_driver_contexts_composites.h | 10 + include/psa/crypto_struct.h | 8 +- library/psa_crypto.c | 421 ++++++++++++++++++ library/psa_crypto_core.h | 299 +++++++++++++ .../psa_crypto_driver_wrappers.c.jinja | 61 ++- 6 files changed, 829 insertions(+), 25 deletions(-) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index b7f0b11621..0f1220de9f 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -107,4 +107,59 @@ typedef struct { #define MBEDTLS_PSA_AEAD_OPERATION_INIT { 0, 0, 0, 0, { 0 } } +#include "mbedtls/ecdsa.h" + +/* Context structure for the Mbed TLS interruptible sign hash implementation. */ +typedef struct { + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) + mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx); +#if defined(MBEDTLS_ECP_RESTARTABLE) + mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx); +#endif /* MBEDTLS_ECP_RESTARTABLE */ + + size_t MBEDTLS_PRIVATE(curve_bytes); + psa_algorithm_t MBEDTLS_PRIVATE(alg); + mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg); + const uint8_t *MBEDTLS_PRIVATE(hash); + size_t MBEDTLS_PRIVATE(hash_length); + + mbedtls_mpi MBEDTLS_PRIVATE(r); + mbedtls_mpi MBEDTLS_PRIVATE(s); + +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA */ + +} mbedtls_psa_sign_hash_interruptible_operation_t; + +#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0, { 0 }, \ + { 0 } } + +/* Context structure for the Mbed TLS interruptible verify hash + * implementation.*/ +typedef struct { + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) + mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx); +#if defined(MBEDTLS_ECP_RESTARTABLE) + mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx); +#endif /* MBEDTLS_ECP_RESTARTABLE */ + + size_t MBEDTLS_PRIVATE(curve_bytes); + const uint8_t *MBEDTLS_PRIVATE(hash); + size_t MBEDTLS_PRIVATE(hash_length); + + mbedtls_mpi MBEDTLS_PRIVATE(r); + mbedtls_mpi MBEDTLS_PRIVATE(s); + +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA */ + +} mbedtls_psa_verify_hash_interruptible_operation_t; + +#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, { 0 }, \ + { 0 } } + + + #endif /* PSA_CRYPTO_BUILTIN_COMPOSITES_H */ diff --git a/include/psa/crypto_driver_contexts_composites.h b/include/psa/crypto_driver_contexts_composites.h index bcd000e703..1b95814f9e 100644 --- a/include/psa/crypto_driver_contexts_composites.h +++ b/include/psa/crypto_driver_contexts_composites.h @@ -114,5 +114,15 @@ typedef union { #endif } psa_driver_aead_context_t; +typedef union { + unsigned dummy; /* Make sure this union is always non-empty */ + mbedtls_psa_sign_hash_interruptible_operation_t mbedtls_ctx; +} psa_driver_sign_hash_interruptible_context_t; + +typedef union { + unsigned dummy; /* Make sure this union is always non-empty */ + mbedtls_psa_verify_hash_interruptible_operation_t mbedtls_ctx; +} psa_driver_verify_hash_interruptible_context_t; + #endif /* PSA_CRYPTO_DRIVER_CONTEXTS_COMPOSITES_H */ /* End of automatically generated file. */ diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index bd20937e5b..8874e97a2d 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -506,10 +506,12 @@ struct psa_sign_hash_interruptible_operation_s { * any driver (i.e. none of the driver contexts are active). */ unsigned int MBEDTLS_PRIVATE(id); + psa_driver_sign_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx); + size_t MBEDTLS_PRIVATE(num_ops); }; -#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, 0 } +#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0 } static inline struct psa_sign_hash_interruptible_operation_s psa_sign_hash_interruptible_operation_init(void) @@ -535,10 +537,12 @@ struct psa_verify_hash_interruptible_operation_s { * any driver (i.e. none of the driver contexts are active). */ unsigned int MBEDTLS_PRIVATE(id); + psa_driver_verify_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx); + size_t MBEDTLS_PRIVATE(num_ops); }; -#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, 0 } +#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0 } static inline struct psa_verify_hash_interruptible_operation_s psa_verify_hash_interruptible_operation_init(void) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a21f6d9639..b31d51b4b6 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -81,6 +81,7 @@ #include "mbedtls/sha1.h" #include "mbedtls/sha256.h" #include "mbedtls/sha512.h" +#include "hash_info.h" #define ARRAY_LENGTH(array) (sizeof(array) / sizeof(*(array))) @@ -310,6 +311,9 @@ psa_status_t mbedtls_to_psa_error(int ret) case MBEDTLS_ERR_ECP_RANDOM_FAILED: return PSA_ERROR_INSUFFICIENT_ENTROPY; + case MBEDTLS_ERR_ECP_IN_PROGRESS: + return PSA_OPERATION_INCOMPLETE; + case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED: return PSA_ERROR_CORRUPTION_DETECTED; @@ -3360,7 +3364,424 @@ psa_status_t psa_verify_hash_abort( return PSA_SUCCESS; } +/****************************************************************/ +/* Asymmetric interruptible cryptography internal */ +/* implementations */ +/****************************************************************/ +static uint32_t mbedtls_psa_interruptible_max_ops = + PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; + +void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops) +{ +#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) + + /* Internal implementation uses zero to indicate infinite number max ops, + * therefore avoid this value, and set to minimum possible. */ + if (max_ops == 0) { + max_ops = 1; + } + + mbedtls_psa_interruptible_max_ops = max_ops; + mbedtls_ecp_set_max_ops(max_ops); +#else + (void) max_ops; +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && + * defined( MBEDTLS_ECP_RESTARTABLE ) */ +} + +uint32_t mbedtls_psa_interruptible_get_max_ops(void) +{ + return mbedtls_psa_interruptible_max_ops; +} + +uint32_t mbedtls_psa_sign_hash_get_num_ops( + const mbedtls_psa_sign_hash_interruptible_operation_t *operation) +{ +#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) + + return operation->restart_ctx.ecp.ops_done; +#else + (void) operation; + return 0; +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && + * defined( MBEDTLS_ECP_RESTARTABLE ) */ +} + +uint32_t mbedtls_psa_verify_hash_get_num_ops( + const mbedtls_psa_verify_hash_interruptible_operation_t *operation) +{ + #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) + + return operation->restart_ctx.ecp.ops_done; +#else + (void) operation; + return 0; +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && + * defined( MBEDTLS_ECP_RESTARTABLE ) */ +} + +psa_status_t mbedtls_psa_sign_hash_start( + mbedtls_psa_sign_hash_interruptible_operation_t *operation, + const psa_key_attributes_t *attributes, const uint8_t *key_buffer, + size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) { + if (PSA_ALG_IS_ECDSA(alg)) { + +#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) + +#if !defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) + if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) { + return PSA_ERROR_NOT_SUPPORTED; + } +#endif + + /* Ensure default is set even if + * mbedtls_psa_interruptible_get_max_ops() has not been called. */ + mbedtls_ecp_set_max_ops(mbedtls_psa_interruptible_get_max_ops()); + + status = mbedtls_psa_ecp_load_representation(attributes->core.type, + attributes->core.bits, + key_buffer, + key_buffer_size, + &operation->ctx); + + if (status != PSA_SUCCESS) { + return status; + } + + mbedtls_ecdsa_restart_init(&operation->restart_ctx); + + mbedtls_mpi_init(&operation->r); + mbedtls_mpi_init(&operation->s); + + operation->curve_bytes = PSA_BITS_TO_BYTES( + operation->ctx->grp.pbits); + + psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg); + operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg); + operation->alg = alg; + + operation->hash = hash; + operation->hash_length = hash_length; + +#else + (void) operation; + (void) key_buffer; + (void) key_buffer_size; + (void) alg; + (void) hash; + (void) hash_length; + + return PSA_ERROR_NOT_SUPPORTED; +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && + * defined( MBEDTLS_ECP_RESTARTABLE ) */ + } else { + status = PSA_ERROR_INVALID_ARGUMENT; + } + } else { + status = PSA_ERROR_NOT_SUPPORTED; + } + + return status; +} + +psa_status_t mbedtls_psa_sign_hash_complete( + mbedtls_psa_sign_hash_interruptible_operation_t *operation, + uint8_t *signature, size_t signature_size, + size_t *signature_length) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + +#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) + + if (signature_size < 2 * operation->curve_bytes) { + return PSA_ERROR_BUFFER_TOO_SMALL; + } + + + if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) { +#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) + status = mbedtls_to_psa_error( + mbedtls_ecdsa_sign_det_restartable(&operation->ctx->grp, + &operation->r, + &operation->s, + &operation->ctx->d, + operation->hash, + operation->hash_length, + operation->md_alg, + mbedtls_psa_get_random, + MBEDTLS_PSA_RANDOM_STATE, + &operation->restart_ctx)); +#else /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ + return PSA_ERROR_NOT_SUPPORTED; +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ + } else { + + status = mbedtls_to_psa_error( + mbedtls_ecdsa_sign_restartable(&operation->ctx->grp, + &operation->r, + &operation->s, + &operation->ctx->d, + operation->hash, + operation->hash_length, + mbedtls_psa_get_random, + MBEDTLS_PSA_RANDOM_STATE, + mbedtls_psa_get_random, + MBEDTLS_PSA_RANDOM_STATE, + &operation->restart_ctx)); + } + + if (status != PSA_SUCCESS) { + return status; + } else { + status = mbedtls_to_psa_error( + mbedtls_mpi_write_binary(&operation->r, + signature, + operation->curve_bytes)); + + if (status != PSA_SUCCESS) { + return status; + } + + status = mbedtls_to_psa_error( + mbedtls_mpi_write_binary(&operation->s, + signature + + operation->curve_bytes, + operation->curve_bytes)); + + if (status != PSA_SUCCESS) { + return status; + } + + *signature_length = operation->curve_bytes * 2; + + return PSA_SUCCESS; + } + #else + + (void) operation; + (void) status; + (void) signature; + (void) signature_size; + (void) signature_length; + + return PSA_ERROR_NOT_SUPPORTED; + +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && + * defined( MBEDTLS_ECP_RESTARTABLE ) */ +} + +psa_status_t mbedtls_psa_sign_hash_abort( + mbedtls_psa_sign_hash_interruptible_operation_t *operation) +{ + +#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) + + if (operation->ctx) { + mbedtls_ecdsa_free(operation->ctx); + mbedtls_free(operation->ctx); + } + + mbedtls_ecdsa_restart_free(&operation->restart_ctx); + + mbedtls_mpi_free(&operation->r); + mbedtls_mpi_free(&operation->s); + + return PSA_SUCCESS; + +#else + + (void) operation; + + return PSA_ERROR_NOT_SUPPORTED; + +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && + * defined( MBEDTLS_ECP_RESTARTABLE ) */ +} + +psa_status_t mbedtls_psa_verify_hash_start( + mbedtls_psa_verify_hash_interruptible_operation_t *operation, + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length, + const uint8_t *signature, size_t signature_length) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) { + if (PSA_ALG_IS_ECDSA(alg)) { + +#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) + + /* Ensure default is set even if + * mbedtls_psa_interruptible_get_max_ops() has not been called. */ + mbedtls_ecp_set_max_ops(mbedtls_psa_interruptible_get_max_ops()); + + status = mbedtls_psa_ecp_load_representation(attributes->core.type, + attributes->core.bits, + key_buffer, + key_buffer_size, + &operation->ctx); + + if (status != PSA_SUCCESS) { + return status; + } + + operation->curve_bytes = PSA_BITS_TO_BYTES( + operation->ctx->grp.pbits); + + + if (signature_length != 2 * operation->curve_bytes) { + return PSA_ERROR_INVALID_SIGNATURE; + } + + mbedtls_mpi_init(&operation->r); + status = mbedtls_to_psa_error( + mbedtls_mpi_read_binary(&operation->r, + signature, + operation->curve_bytes)); + + if (status != PSA_SUCCESS) { + return status; + } + + mbedtls_mpi_init(&operation->s); + status = mbedtls_to_psa_error( + mbedtls_mpi_read_binary(&operation->s, + signature + + operation->curve_bytes, + operation->curve_bytes)); + + if (status != PSA_SUCCESS) { + return status; + } + + /* Check whether the public part is loaded. If not, load it. */ + if (mbedtls_ecp_is_zero(&operation->ctx->Q)) { + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + ret = mbedtls_ecp_mul(&operation->ctx->grp, + &operation->ctx->Q, + &operation->ctx->d, + &operation->ctx->grp.G, + mbedtls_psa_get_random, + MBEDTLS_PSA_RANDOM_STATE); + + if (ret != 0) { + return mbedtls_to_psa_error(ret); + } + } + + mbedtls_ecdsa_restart_init(&operation->restart_ctx); + + operation->hash = hash; + operation->hash_length = hash_length; +#else + (void) operation; + (void) key_buffer; + (void) key_buffer_size; + (void) alg; + (void) hash; + (void) hash_length; + (void) signature; + (void) signature_length; + + return PSA_ERROR_NOT_SUPPORTED; +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && + * defined( MBEDTLS_ECP_RESTARTABLE ) */ + } else { + status = PSA_ERROR_INVALID_ARGUMENT; + } + } else { + status = PSA_ERROR_NOT_SUPPORTED; + } + + return status; +} + +psa_status_t mbedtls_psa_verify_hash_complete( + mbedtls_psa_verify_hash_interruptible_operation_t *operation) +{ + +#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) + + return mbedtls_to_psa_error( + mbedtls_ecdsa_verify_restartable(&operation->ctx->grp, + operation->hash, + operation->hash_length, + &operation->ctx->Q, + &operation->r, + &operation->s, + &operation->restart_ctx)); + +#else + (void) operation; + + return PSA_ERROR_NOT_SUPPORTED; + +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && + * defined( MBEDTLS_ECP_RESTARTABLE ) */ +} + +psa_status_t mbedtls_psa_verify_hash_abort( + mbedtls_psa_verify_hash_interruptible_operation_t *operation) +{ + +#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) + + if (operation->ctx) { + mbedtls_ecdsa_free(operation->ctx); + mbedtls_free(operation->ctx); + } + + mbedtls_ecdsa_restart_free(&operation->restart_ctx); + + mbedtls_mpi_free(&operation->r); + mbedtls_mpi_free(&operation->s); + + return PSA_SUCCESS; + +#else + (void) operation; + + return PSA_ERROR_NOT_SUPPORTED; + +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && + * defined( MBEDTLS_ECP_RESTARTABLE ) */ +} /****************************************************************/ /* Symmetric cryptography */ diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 38e4bc5cca..2f3cb64584 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -606,4 +606,303 @@ psa_status_t psa_key_agreement_raw_builtin( size_t shared_secret_size, size_t *shared_secret_length); +/** + * \brief Set the maximum number of ops allowed to be executed by an + * interruptible function in a single call. + * + * \warning This is a beta API, and thus subject to change at any point. It is + * not bound by the usual interface stability promises. + * + * \note The signature of this function is that of a PSA driver + * interruptible_set_max_ops entry point. This function behaves as an + * interruptible_set_max_ops entry point as defined in the PSA driver + * interface specification for transparent drivers. + * + * \param[in] max_ops The maximum number of ops to be executed in a + * single call, this can be a number from 0 to + * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0 + * is obviously the least amount of work done per + * call. + */ +void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops); + +/** + * \brief Get the maximum number of ops allowed to be executed by an + * interruptible function in a single call. + * + * \warning This is a beta API, and thus subject to change at any point. It is + * not bound by the usual interface stability promises. + * + * \note The signature of this function is that of a PSA driver + * interruptible_get_max_ops entry point. This function behaves as an + * interruptible_get_max_ops entry point as defined in the PSA driver + * interface specification for transparent drivers. + * + * \return Maximum number of ops allowed to be executed + * by an interruptible function in a single call. + */ +uint32_t mbedtls_psa_interruptible_get_max_ops(void); + +/** + * \brief Get the number of ops that a hash signing operation has taken so + * far. If the operation has completed, then this will represent the + * number of ops required for the entire operation. After initialization + * or calling psa_sign_hash_interruptible_abort() on the operation, a + * value of 0 will be returned. + * + * \warning This is a beta API, and thus subject to change at any point. It is + * not bound by the usual interface stability promises. + * + * \note The signature of this function is that of a PSA driver + * sign_get_num_ops entry point. This function behaves as a + * sign_get_num_ops entry point as defined in the PSA driver interface + * specification for transparent drivers. + * + * \param[in] operation The \c + * mbedtls_psa_sign_hash_interruptible_operation_t + * to use. This must be initialized first. + * + * \return Number of ops that the operation has taken so + * far. + */ +uint32_t mbedtls_psa_sign_hash_get_num_ops( + const mbedtls_psa_sign_hash_interruptible_operation_t *operation); + +/** + * \brief Get the number of ops that a hash verification operation has taken + * so far. If the operation has completed, then this will represent the + * number of ops required for the entire operation. After initialization + * or calling psa_verify_hash_interruptible_abort() on the operation, a + * value of 0 will be returned. + * + * \warning This is a beta API, and thus subject to change at any point. It is + * not bound by the usual interface stability promises. + * + * \note The signature of this function is that of a PSA driver + * verify_get_num_ops entry point. This function behaves as a + * verify_get_num_ops entry point as defined in the PSA driver interface + * specification for transparent drivers. + * + * \param[in] operation The \c + * mbedtls_psa_verify_hash_interruptible_operation_t + * to use. This must be initialized first. + * + * \return Number of ops that the operation has taken so + * far. + */ +uint32_t mbedtls_psa_verify_hash_get_num_ops( + const mbedtls_psa_verify_hash_interruptible_operation_t *operation); + +/** + * \brief Start signing a hash or short message with a private key, in an + * interruptible manner. + * + * \warning This is a beta API, and thus subject to change at any point. It is + * not bound by the usual interface stability promises. + * + * \note The signature of this function is that of a PSA driver + * sign_hash_start entry point. This function behaves as a + * sign_hash_start entry point as defined in the PSA driver interface + * specification for transparent drivers. + * + * \param[in] operation The \c + * mbedtls_psa_sign_hash_interruptible_operation_t + * to use. This must be initialized first. + * \param[in] attributes The attributes of the key to use for the + * operation. + * \param[in] key_buffer The buffer containing the key context. + * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. + * \param[in] alg A signature algorithm that is compatible with + * the type of the key. + * \param[in] hash The hash or message to sign. + * \param hash_length Size of the \p hash buffer in bytes. + * + * \retval #PSA_SUCCESS + * The operation started successfully - call \c psa_sign_hash_complete() + * with the same context to complete the operation + * \retval #PSA_ERROR_INVALID_ARGUMENT + * An unsupported, incorrectly formatted or incorrect type of key was + * used. + * \retval #PSA_ERROR_NOT_SUPPORTED Either no internal interruptible operations + * are currently supported, or the key type is currently unsupported. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * There was insufficient memory to load the key representation. + */ +psa_status_t mbedtls_psa_sign_hash_start( + mbedtls_psa_sign_hash_interruptible_operation_t *operation, + const psa_key_attributes_t *attributes, const uint8_t *key_buffer, + size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length); + +/** + * \brief Continue and eventually complete the action of signing a hash or + * short message with a private key, in an interruptible manner. + * + * \warning This is a beta API, and thus subject to change at any point. It is + * not bound by the usual interface stability promises. + * + * \note The signature of this function is that of a PSA driver + * sign_hash_complete entry point. This function behaves as a + * sign_hash_complete entry point as defined in the PSA driver interface + * specification for transparent drivers. + * + * \param[in] operation The \c + * mbedtls_psa_sign_hash_interruptible_operation_t + * to use. This must be initialized first. + * + * \param[out] signature Buffer where the signature is to be written. + * \param signature_size Size of the \p signature buffer in bytes. This + * must be appropriate for the selected + * algorithm and key. + * \param[out] signature_length On success, the number of bytes that make up + * the returned signature value. + * + * \retval #PSA_SUCCESS + * Operation completed successfully + * + * \retval #PSA_OPERATION_INCOMPLETE + * Operation was interrupted due to the setting of \c + * psa_interruptible_set_max_ops(), there is still work to be done, + * please call this function again with the same operation object. + * + * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * The size of the \p signature buffer is too small. You can + * determine a sufficient buffer size by calling + * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) + * where \c key_type and \c key_bits are the type and bit-size + * respectively of \p key. + * + * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + */ +psa_status_t mbedtls_psa_sign_hash_complete( + mbedtls_psa_sign_hash_interruptible_operation_t *operation, + uint8_t *signature, size_t signature_size, + size_t *signature_length); + +/** + * \brief Abort a sign hash operation. + * + * \warning This is a beta API, and thus subject to change at any point. It is + * not bound by the usual interface stability promises. + * + * \note The signature of this function is that of a PSA driver sign_hash_abort + * entry point. This function behaves as a sign_hash_abort entry point as + * defined in the PSA driver interface specification for transparent + * drivers. + * + * \param[in] operation The \c + * mbedtls_psa_sign_hash_interruptible_operation_t + * to abort. + * + * \retval #PSA_SUCCESS + * The operation was aborted successfully. + */ +psa_status_t mbedtls_psa_sign_hash_abort( + mbedtls_psa_sign_hash_interruptible_operation_t *operation); + +/** + * \brief Start reading and verifying a hash or short message, in an + * interruptible manner. + * + * \warning This is a beta API, and thus subject to change at any point. It is + * not bound by the usual interface stability promises. + * + * \note The signature of this function is that of a PSA driver + * verify_hash_start entry point. This function behaves as a + * verify_hash_start entry point as defined in the PSA driver interface + * specification for transparent drivers. + * + * \param[in] operation The \c + * mbedtls_psa_verify_hash_interruptible_operation_t + * to use. This must be initialized first. + * \param[in] attributes The attributes of the key to use for the + * operation. + * \param[in] key_buffer The buffer containing the key context. + * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. + * \param[in] alg A signature algorithm that is compatible with + * the type of the key. + * \param[in] hash The hash whose signature is to be verified. + * \param hash_length Size of the \p hash buffer in bytes. + * \param[in] signature Buffer containing the signature to verify. + * \param signature_length Size of the \p signature buffer in bytes. + * + * \retval #PSA_SUCCESS + * The operation started successfully - call \c psa_sign_hash_complete() + * with the same context to complete the operation + * \retval #PSA_ERROR_INVALID_ARGUMENT + * An unsupported or incorrect type of key was used. + * \retval #PSA_ERROR_NOT_SUPPORTED + * Either no internal interruptible operations are currently supported, + * or the key type is currently unsupported. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * There was insufficient memory to load the key representation. + */ +psa_status_t mbedtls_psa_verify_hash_start( + mbedtls_psa_verify_hash_interruptible_operation_t *operation, + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length, + const uint8_t *signature, size_t signature_length); + +/** + * \brief Continue and eventually complete the action of signing a hash or + * short message with a private key, in an interruptible manner. + * + * \warning This is a beta API, and thus subject to change at any point. It is + * not bound by the usual interface stability promises. + * + * \note The signature of this function is that of a PSA driver + * sign_hash_complete entry point. This function behaves as a + * sign_hash_complete entry point as defined in the PSA driver interface + * specification for transparent drivers. + * + * \param[in] operation The \c + * mbedtls_psa_sign_hash_interruptible_operation_t + * to use. This must be initialized first. + * + * \retval #PSA_SUCCESS + * Operation completed successfully, and the passed signature is valid. + * + * \retval #PSA_OPERATION_INCOMPLETE + * Operation was interrupted due to the setting of \c + * psa_interruptible_set_max_ops(), there is still work to be done, + * please call this function again with the same operation object. + * + * \retval #PSA_ERROR_INVALID_SIGNATURE + * The calculation was performed successfully, but the passed + * signature is not a valid signature. + * + * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + */ +psa_status_t mbedtls_psa_verify_hash_complete( + mbedtls_psa_verify_hash_interruptible_operation_t *operation); + +/** + * \brief Abort a verify signed hash operation. + * + * \warning This is a beta API, and thus subject to change at any point. It is + * not bound by the usual interface stability promises. + * + * \note The signature of this function is that of a PSA driver + * verify_hash_abort entry point. This function behaves as a + * verify_hash_abort entry point as defined in the PSA driver interface + * specification for transparent drivers. + * + * \param[in] operation The \c + * mbedtls_psa_verify_hash_interruptible_operation_t + * to abort. + * + * \retval #PSA_SUCCESS + * The operation was aborted successfully. + */ +psa_status_t mbedtls_psa_verify_hash_abort( + mbedtls_psa_verify_hash_interruptible_operation_t *operation); + #endif /* PSA_CRYPTO_CORE_H */ diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index e1f7b1fe8c..6093fdf816 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -435,12 +435,12 @@ psa_status_t psa_driver_wrapper_verify_hash( void psa_driver_wrapper_interruptible_set_max_ops( uint32_t max_ops ) { - ( void ) max_ops; + mbedtls_psa_interruptible_set_max_ops( max_ops ); } uint32_t psa_driver_wrapper_interruptible_get_max_ops( void ) { - return( PSA_ERROR_INVALID_ARGUMENT ); + return mbedtls_psa_interruptible_get_max_ops( ); } uint32_t psa_driver_wrapper_sign_hash_get_num_ops( @@ -449,12 +449,13 @@ uint32_t psa_driver_wrapper_sign_hash_get_num_ops( switch( operation->id ) { case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + return( mbedtls_psa_sign_hash_get_num_ops( + &operation->ctx.mbedtls_ctx ) + ); #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: - - /* Add cases for opaque driver here */ + /* Add test driver tests here */ #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ @@ -469,15 +470,17 @@ uint32_t psa_driver_wrapper_verify_hash_get_num_ops( switch( operation->id ) { case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + return( mbedtls_psa_verify_hash_get_num_ops( + &operation->ctx.mbedtls_ctx ) + ); #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: - - /* Add cases for opaque driver here */ + /* Add test driver tests here */ #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + } return( PSA_ERROR_INVALID_ARGUMENT ); @@ -491,7 +494,8 @@ psa_status_t psa_driver_wrapper_sign_hash_start( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + PSA_KEY_LIFETIME_GET_LOCATION( + attributes->core.lifetime ); switch( location ) { @@ -511,6 +515,10 @@ psa_status_t psa_driver_wrapper_sign_hash_start( /* Fell through, meaning no accelerator supports this operation */ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID; + return( mbedtls_psa_sign_hash_start( &operation->ctx.mbedtls_ctx, + attributes, + key_buffer, key_buffer_size, + alg, hash, hash_length ) ); break; /* Add cases for opaque driver here */ @@ -539,12 +547,13 @@ psa_status_t psa_driver_wrapper_sign_hash_complete( switch( operation->id ) { case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + return( mbedtls_psa_sign_hash_complete( &operation->ctx.mbedtls_ctx, + signature, signature_size, + signature_length ) ); #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: - - /* Add cases for opaque driver here */ + /* Add test driver tests here */ #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ @@ -563,12 +572,11 @@ psa_status_t psa_driver_wrapper_sign_hash_abort( switch( operation->id ) { case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + return( mbedtls_psa_sign_hash_abort( &operation->ctx.mbedtls_ctx ) ); #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: - - /* Add cases for opaque driver here */ + /* Add test driver tests here */ #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ @@ -586,8 +594,8 @@ psa_status_t psa_driver_wrapper_verify_hash_start( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_location_t location = - PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( + attributes->core.lifetime ); switch( location ) { @@ -607,6 +615,12 @@ psa_status_t psa_driver_wrapper_verify_hash_start( /* Fell through, meaning no accelerator supports this operation */ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID; + return( mbedtls_psa_verify_hash_start( &operation->ctx.mbedtls_ctx, + attributes, + key_buffer, key_buffer_size, + alg, hash, hash_length, + signature, signature_length + ) ); break; /* Add cases for opaque driver here */ @@ -635,12 +649,13 @@ psa_status_t psa_driver_wrapper_verify_hash_complete( switch( operation->id ) { case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + return( mbedtls_psa_verify_hash_complete( + &operation->ctx.mbedtls_ctx + ) ); #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: - - /* Add cases for opaque driver here */ + /* Add test driver tests here */ #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ @@ -655,12 +670,12 @@ psa_status_t psa_driver_wrapper_verify_hash_abort( switch( operation->id ) { case PSA_CRYPTO_MBED_TLS_DRIVER_ID: + return( mbedtls_psa_verify_hash_abort( &operation->ctx.mbedtls_ctx + ) ); #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) - case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: - - /* Add cases for opaque driver here */ + /* Add test driver tests here */ #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ From 296ede99c9649c7606f09c4888b0ea157835027d Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Thu, 15 Dec 2022 17:00:30 +0000 Subject: [PATCH 086/250] Fix issues with get_{sign/verify}_num_ops Move to accumulate ops in context rather than attempting to read straight out of structures due to structure ops getting reset per operation, and also issues with _abort clearing internal data. Fix usage of size_t in structures Signed-off-by: Paul Elliott --- include/psa/crypto_struct.h | 4 ++-- library/psa_crypto.c | 17 +++++++++++++++-- .../psa_crypto_driver_wrappers.c.jinja | 8 ++++++++ 3 files changed, 25 insertions(+), 4 deletions(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 8874e97a2d..bc56a4fa61 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -508,7 +508,7 @@ struct psa_sign_hash_interruptible_operation_s { psa_driver_sign_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx); - size_t MBEDTLS_PRIVATE(num_ops); + uint32_t MBEDTLS_PRIVATE(num_ops); }; #define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0 } @@ -539,7 +539,7 @@ struct psa_verify_hash_interruptible_operation_s { psa_driver_verify_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx); - size_t MBEDTLS_PRIVATE(num_ops); + uint32_t MBEDTLS_PRIVATE(num_ops); }; #define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0 } diff --git a/library/psa_crypto.c b/library/psa_crypto.c index b31d51b4b6..e3be65013b 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3146,13 +3146,13 @@ uint32_t psa_interruptible_get_max_ops(void) uint32_t psa_sign_hash_get_num_ops( const psa_sign_hash_interruptible_operation_t *operation) { - return psa_driver_wrapper_sign_hash_get_num_ops(operation); + return operation->num_ops; } uint32_t psa_verify_hash_get_num_ops( const psa_verify_hash_interruptible_operation_t *operation) { - return psa_driver_wrapper_verify_hash_get_num_ops(operation); + return operation->num_ops; } psa_status_t psa_sign_hash_start( @@ -3192,6 +3192,9 @@ psa_status_t psa_sign_hash_start( .core = slot->attr }; + /* Ensure ops count gets reset, in case of operation re-use. */ + operation->num_ops = 0; + status = psa_driver_wrapper_sign_hash_start(operation, &attributes, slot->key.data, slot->key.bytes, alg, @@ -3238,6 +3241,9 @@ psa_status_t psa_sign_hash_complete( signature_length); exit: + /* Update ops count with work done. */ + operation->num_ops += psa_driver_wrapper_sign_hash_get_num_ops(operation); + if (status != PSA_OPERATION_INCOMPLETE) { /* Fill the unused part of the output buffer (the whole buffer on error, * the trailing part on success) with something that isn't a valid @@ -3308,6 +3314,9 @@ psa_status_t psa_verify_hash_start( .core = slot->attr }; + /* Ensure ops count gets reset, in case of operation re-use. */ + operation->num_ops = 0; + status = psa_driver_wrapper_verify_hash_start(operation, &attributes, slot->key.data, slot->key.bytes, @@ -3340,6 +3349,10 @@ psa_status_t psa_verify_hash_complete( exit: + /* Update ops count with work done. */ + operation->num_ops += psa_driver_wrapper_verify_hash_get_num_ops( + operation); + if (status != PSA_OPERATION_INCOMPLETE) { psa_verify_hash_abort(operation); } diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index 6093fdf816..2b2b02571a 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -448,6 +448,10 @@ uint32_t psa_driver_wrapper_sign_hash_get_num_ops( { switch( operation->id ) { + /* If uninitialised, return 0, as no work can have been done. */ + case 0: + return 0; + case PSA_CRYPTO_MBED_TLS_DRIVER_ID: return( mbedtls_psa_sign_hash_get_num_ops( &operation->ctx.mbedtls_ctx ) @@ -469,6 +473,10 @@ uint32_t psa_driver_wrapper_verify_hash_get_num_ops( { switch( operation->id ) { + /* If uninitialised, return 0, as no work can have been done. */ + case 0: + return 0; + case PSA_CRYPTO_MBED_TLS_DRIVER_ID: return( mbedtls_psa_verify_hash_get_num_ops( &operation->ctx.mbedtls_ctx ) From 712d5120072fe9c9e36b78dae54b3d9a4efdd269 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 7 Dec 2022 14:03:10 +0000 Subject: [PATCH 087/250] Basic tests Sign Hash, Verify Hash and Sign and Verify Hash. Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 45 ++++ tests/suites/test_suite_psa_crypto.function | 258 ++++++++++++++++++++ 2 files changed, 303 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index c3561420b7..c45e168a3c 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4145,6 +4145,18 @@ PSA sign hash: deterministic ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f" +PSA sign hash: interruptible ECDSA SECP256R1 SHA - 256 +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f" + +PSA sign hash: interruptible ECDSA SECP256R1 SHA - 384 +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca" + +PSA sign hash: interruptible ECDSA SECP384R1 SHA - 256 +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f" + PSA sign hash: RSA PKCS#1 v1.5 SHA-256, wrong hash size depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C sign_hash_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015":128:PSA_ERROR_INVALID_ARGUMENT @@ -4249,6 +4261,31 @@ PSA sign/verify hash: deterministic ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" +PSA sign / verify hash interruptible: randomized ECDSA SECP256R1 SHA - 256 +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" + +PSA sign / verify hash interruptible: deterministic ECDSA SECP256R1 SHA - 256 +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" + +PSA sign / verify hash interruptible: randomized ECDSA SECP256R1 SHA - 384 +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f" + +PSA sign / verify hash interruptible: deterministic ECDSA SECP256R1 SHA - 384 +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f" + +PSA sign / verify hash interruptible: randomized ECDSA SECP384R1 SHA - 256 +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" + +PSA sign / verify hash interruptible: deterministic ECDSA SECP384R1 SHA - 256 +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" + + PSA verify hash: RSA PKCS#1 v1.5 SHA-256, good signature depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C verify_hash:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311" @@ -4369,6 +4406,14 @@ PSA verify hash with keypair: ECDSA SECP256R1, good depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f" +PSA verify hash interruptible: ECDSA SECP256R1, good +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f" + +PSA verify hash interruptible with keypair: ECDSA SECP256R1, good +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f" + PSA verify hash: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index c414b65fa6..9bf5039fc4 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6444,6 +6444,89 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +void sign_hash_interruptible(int key_type_arg, data_t *key_data, + int alg_arg, data_t *input_data, + data_t *output_data) +{ + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_type_t key_type = key_type_arg; + psa_algorithm_t alg = alg_arg; + size_t key_bits; + unsigned char *signature = NULL; + size_t signature_size; + size_t signature_length = 0xdeadbeef; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_status_t status = PSA_OPERATION_INCOMPLETE; + size_t num_ops = 0; + size_t num_ops_prior = 0; + psa_sign_hash_interruptible_operation_t operation = + psa_sign_hash_interruptible_operation_init(); + + PSA_ASSERT(psa_crypto_init()); + + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, key_type); + + PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, + &key)); + PSA_ASSERT(psa_get_key_attributes(key, &attributes)); + key_bits = psa_get_key_bits(&attributes); + + /* Allocate a buffer which has the size advertised by the + * library. */ + signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, + key_bits, alg); + TEST_ASSERT(signature_size != 0); + TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); + ASSERT_ALLOC(signature, signature_size); + + num_ops_prior = psa_sign_hash_get_num_ops(&operation); + TEST_ASSERT(num_ops_prior == 0); + + /* Start performing the signature. */ + PSA_ASSERT(psa_sign_hash_start(&operation, key, alg, + input_data->x, input_data->len)); + + num_ops_prior = psa_sign_hash_get_num_ops(&operation); + TEST_ASSERT(num_ops_prior == 0); + + /* Continue performing the signature until complete. */ + while (status == PSA_OPERATION_INCOMPLETE) { + status = psa_sign_hash_complete(&operation, signature, signature_size, + &signature_length); + + if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) { + num_ops = psa_sign_hash_get_num_ops(&operation); + + TEST_ASSERT(num_ops > num_ops_prior); + num_ops_prior = num_ops; + } + } + + TEST_ASSERT(status == PSA_SUCCESS); + + /* Verify that the signature is what is expected. */ + ASSERT_COMPARE(output_data->x, output_data->len, + signature, signature_length); + + PSA_ASSERT(psa_sign_hash_abort(&operation)); + +exit: + + /* + * Key attributes may have been returned by psa_get_key_attributes() + * thus reset them as required. + */ + psa_reset_key_attributes(&attributes); + + psa_destroy_key(key); + mbedtls_free(signature); + PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE */ void sign_hash_fail(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data, @@ -6559,6 +6642,116 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, + int alg_arg, data_t *input_data) +{ + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_type_t key_type = key_type_arg; + psa_algorithm_t alg = alg_arg; + size_t key_bits; + unsigned char *signature = NULL; + size_t signature_size; + size_t signature_length = 0xdeadbeef; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_status_t status = PSA_OPERATION_INCOMPLETE; + psa_sign_hash_interruptible_operation_t sign_operation = + psa_sign_hash_interruptible_operation_init(); + psa_verify_hash_interruptible_operation_t verify_operation = + psa_verify_hash_interruptible_operation_init(); + + PSA_ASSERT(psa_crypto_init()); + + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, key_type); + + PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, + &key)); + PSA_ASSERT(psa_get_key_attributes(key, &attributes)); + key_bits = psa_get_key_bits(&attributes); + + /* Allocate a buffer which has the size advertised by the + * library. */ + signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, + key_bits, alg); + TEST_ASSERT(signature_size != 0); + TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); + ASSERT_ALLOC(signature, signature_size); + + /* Start performing the signature. */ + PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, + input_data->x, input_data->len)); + + /* Continue performing the signature until complete. */ + while (status == PSA_OPERATION_INCOMPLETE) { + + status = psa_sign_hash_complete(&sign_operation, signature, signature_size, + &signature_length); + } + + TEST_ASSERT(status == PSA_SUCCESS); + + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + + /* Check that the signature length looks sensible. */ + TEST_LE_U(signature_length, signature_size); + TEST_ASSERT(signature_length > 0); + + status = PSA_OPERATION_INCOMPLETE; + + /* Start verification. */ + PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, + input_data->x, input_data->len, + signature, signature_length)); + + /* Continue performing the signature until complete. */ + while (status == PSA_OPERATION_INCOMPLETE) { + status = psa_verify_hash_complete(&verify_operation); + } + + TEST_ASSERT(status == PSA_SUCCESS); + + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + + verify_operation = psa_verify_hash_interruptible_operation_init(); + + if (input_data->len != 0) { + /* Flip a bit in the input and verify that the signature is now + * detected as invalid. Flip a bit at the beginning, not at the end, + * because ECDSA may ignore the last few bits of the input. */ + input_data->x[0] ^= 1; + + status = PSA_OPERATION_INCOMPLETE; + + /* Start verification. */ + PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, + input_data->x, input_data->len, + signature, signature_length)); + + /* Continue performing the signature until complete. */ + while (status == PSA_OPERATION_INCOMPLETE) { + status = psa_verify_hash_complete(&verify_operation); + } + + TEST_ASSERT(status == PSA_ERROR_INVALID_SIGNATURE); + } + + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + +exit: + /* + * Key attributes may have been returned by psa_get_key_attributes() + * thus reset them as required. + */ + psa_reset_key_attributes(&attributes); + + psa_destroy_key(key); + mbedtls_free(signature); + PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE */ void verify_hash(int key_type_arg, data_t *key_data, int alg_arg, data_t *hash_data, @@ -6591,6 +6784,71 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +void verify_hash_interruptible(int key_type_arg, data_t *key_data, + int alg_arg, data_t *hash_data, + data_t *signature_data) +{ + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_type_t key_type = key_type_arg; + psa_algorithm_t alg = alg_arg; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_status_t status = PSA_OPERATION_INCOMPLETE; + size_t num_ops = 0; + size_t num_ops_prior = 0; + psa_verify_hash_interruptible_operation_t operation = + psa_verify_hash_interruptible_operation_init(); + + TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE); + + PSA_ASSERT(psa_crypto_init()); + + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, key_type); + + PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, + &key)); + + num_ops_prior = psa_verify_hash_get_num_ops(&operation); + + TEST_ASSERT(num_ops_prior == 0); + + /* Start verification. */ + PSA_ASSERT(psa_verify_hash_start(&operation, key, alg, + hash_data->x, hash_data->len, + signature_data->x, signature_data->len) + ); + + num_ops_prior = psa_verify_hash_get_num_ops(&operation); + + TEST_ASSERT(num_ops_prior == 0); + + /* Continue performing the signature until complete. */ + while (status == PSA_OPERATION_INCOMPLETE) { + status = psa_verify_hash_complete(&operation); + + if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) { + num_ops = psa_verify_hash_get_num_ops(&operation); + + TEST_ASSERT(num_ops > num_ops_prior); + num_ops_prior = num_ops; + } + } + + TEST_ASSERT(status == PSA_SUCCESS); + + PSA_ASSERT(psa_verify_hash_abort(&operation)); + +exit: + psa_reset_key_attributes(&attributes); + psa_destroy_key(key); + PSA_DONE(); +} +/* END_CASE */ + + + /* BEGIN_CASE */ void verify_hash_fail(int key_type_arg, data_t *key_data, int alg_arg, data_t *hash_data, From e04e15b766cabd682e51a56a86b28b6a74d82819 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 9 Dec 2022 19:27:06 +0000 Subject: [PATCH 088/250] Add Changelog entry Signed-off-by: Paul Elliott --- ChangeLog.d/add_interruptible_sign_hash | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/add_interruptible_sign_hash diff --git a/ChangeLog.d/add_interruptible_sign_hash b/ChangeLog.d/add_interruptible_sign_hash new file mode 100644 index 0000000000..3d933038ea --- /dev/null +++ b/ChangeLog.d/add_interruptible_sign_hash @@ -0,0 +1,5 @@ +Features + * Add an interruptible version of sign and verify hash to the PSA interface, + backed by internal library support for ECDSA signing and verification. + + From 9100797cb3373ba3c999a89b1ec8799ded2eaee5 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 16 Dec 2022 12:21:24 +0000 Subject: [PATCH 089/250] Negative tests Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 52 +++++++ tests/suites/test_suite_psa_crypto.function | 156 +++++++++++++++++++- 2 files changed, 206 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index c45e168a3c..fc6ae5c618 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4221,6 +4221,30 @@ PSA sign hash: deterministic ECDSA not supported depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED +PSA sign hash interruptible: deterministic ECDSA SECP256R1 SHA-256, output buffer too small +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL + +PSA sign hash interruptible: deterministic ECDSA SECP256R1 SHA-256, empty output buffer +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL + +PSA sign hash interruptible: deterministic ECDSA SECP256R1, invalid hash algorithm (0) +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT + +PSA sign hash interruptible: deterministic ECDSA SECP256R1, invalid hash algorithm (wildcard) +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE + +PSA sign hash interruptible: invalid algorithm for ECC key +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE + +PSA sign hash interruptible: deterministic ECDSA not supported +depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE + PSA sign/verify hash: RSA PKCS#1 v1.5, raw depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C sign_verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN_RAW:"616263" @@ -4442,6 +4466,34 @@ PSA verify hash: invalid algorithm for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT +PSA verify hash interruptible: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded) +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE + +PSA verify hash interruptible: ECDSA SECP256R1, wrong signature of correct size +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE + +PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (empty) +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE + +PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (truncated) +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE + +PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (trailing junk) +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE + +PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (leading junk) +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE + +PSA verify hash interruptible: invalid algorithm for ECC key +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE + PSA sign message: RSA PKCS#1 v1.5 SHA-256 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C sign_message_deterministic:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311" diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 9bf5039fc4..d5141790d7 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6572,6 +6572,89 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, + int alg_arg, data_t *input_data, + int signature_size_arg, + int expected_start_status_arg, + int expected_complete_status_arg) +{ + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_type_t key_type = key_type_arg; + psa_algorithm_t alg = alg_arg; + size_t signature_size = signature_size_arg; + psa_status_t actual_status; + psa_status_t expected_start_status = expected_start_status_arg; + psa_status_t expected_complete_status = expected_complete_status_arg; + unsigned char *signature = NULL; + size_t signature_length = 0xdeadbeef; + size_t num_ops = 0; + size_t num_ops_prior = 0; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_sign_hash_interruptible_operation_t operation = + psa_sign_hash_interruptible_operation_init(); + + ASSERT_ALLOC(signature, signature_size); + + PSA_ASSERT(psa_crypto_init()); + + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, key_type); + + PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, + &key)); + + num_ops_prior = psa_sign_hash_get_num_ops(&operation); + TEST_ASSERT(num_ops_prior == 0); + + /* Start performing the signature. */ + actual_status = psa_sign_hash_start(&operation, key, alg, + input_data->x, input_data->len); + + TEST_EQUAL(actual_status, expected_start_status); + + num_ops_prior = psa_sign_hash_get_num_ops(&operation); + TEST_ASSERT(num_ops_prior == 0); + + actual_status = PSA_OPERATION_INCOMPLETE; + + /* Continue performing the signature until complete. */ + while (actual_status == PSA_OPERATION_INCOMPLETE) { + actual_status = psa_sign_hash_complete(&operation, signature, + signature_size, + &signature_length); + + /* If the psa_sign_hash_start() failed, psa_sign_hash_complete() + * should also fail with bad state. */ + if (expected_start_status != PSA_SUCCESS) { + TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); + } else if (actual_status != PSA_OPERATION_INCOMPLETE) { + TEST_EQUAL(actual_status, expected_complete_status); + } else { + num_ops = psa_sign_hash_get_num_ops(&operation); + + TEST_ASSERT(num_ops > num_ops_prior); + num_ops_prior = num_ops; + } + } + + PSA_ASSERT(psa_sign_hash_abort(&operation)); + + /* The value of *signature_length is unspecified on error, but + * whatever it is, it should be less than signature_size, so that + * if the caller tries to read *signature_length bytes without + * checking the error code then they don't overflow a buffer. */ + TEST_LE_U(signature_length, signature_size); + +exit: + psa_reset_key_attributes(&attributes); + psa_destroy_key(key); + mbedtls_free(signature); + PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE */ void sign_verify_hash(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data) @@ -6847,8 +6930,6 @@ exit: } /* END_CASE */ - - /* BEGIN_CASE */ void verify_hash_fail(int key_type_arg, data_t *key_data, int alg_arg, data_t *hash_data, @@ -6883,6 +6964,77 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, + int alg_arg, data_t *hash_data, + data_t *signature_data, + int expected_start_status_arg, + int expected_complete_status_arg) +{ + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_type_t key_type = key_type_arg; + psa_algorithm_t alg = alg_arg; + psa_status_t actual_status; + psa_status_t expected_start_status = expected_start_status_arg; + psa_status_t expected_complete_status = expected_complete_status_arg; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + size_t num_ops = 0; + size_t num_ops_prior = 0; + psa_verify_hash_interruptible_operation_t operation = + psa_verify_hash_interruptible_operation_init(); + + PSA_ASSERT(psa_crypto_init()); + + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, key_type); + + PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, + &key)); + + num_ops_prior = psa_verify_hash_get_num_ops(&operation); + TEST_ASSERT(num_ops_prior == 0); + + /* Start verification. */ + actual_status = psa_verify_hash_start(&operation, key, alg, + hash_data->x, hash_data->len, + signature_data->x, + signature_data->len); + + TEST_EQUAL(actual_status, expected_start_status); + + num_ops_prior = psa_verify_hash_get_num_ops(&operation); + TEST_ASSERT(num_ops_prior == 0); + + actual_status = PSA_OPERATION_INCOMPLETE; + + /* Continue performing the signature until complete. */ + while (actual_status == PSA_OPERATION_INCOMPLETE) { + actual_status = psa_verify_hash_complete(&operation); + + /* If the psa_verify_hash_start() failed, + * psa_verify_hash_complete() should also fail with bad state.*/ + if (expected_start_status != PSA_SUCCESS) { + TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); + } else if (actual_status != PSA_OPERATION_INCOMPLETE) { + TEST_EQUAL(actual_status, expected_complete_status); + } else { + num_ops = psa_verify_hash_get_num_ops(&operation); + + TEST_ASSERT(num_ops > num_ops_prior); + num_ops_prior = num_ops; + } + } + + PSA_ASSERT(psa_verify_hash_abort(&operation)); + +exit: + psa_reset_key_attributes(&attributes); + psa_destroy_key(key); + PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE */ void sign_message_deterministic(int key_type_arg, data_t *key_data, From 4cec2f60dc77a21d4a6016f3223a9acf14c8e551 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 16 Dec 2022 14:44:11 +0000 Subject: [PATCH 090/250] Add interruptible to psa_op_fail tests Signed-off-by: Paul Elliott --- .../test_suite_psa_crypto_op_fail.function | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_op_fail.function b/tests/suites/test_suite_psa_crypto_op_fail.function index 046e3c3a0b..970be84b42 100644 --- a/tests/suites/test_suite_psa_crypto_op_fail.function +++ b/tests/suites/test_suite_psa_crypto_op_fail.function @@ -221,6 +221,13 @@ void sign_fail(int key_type_arg, data_t *key_data, uint8_t input[1] = { 'A' }; uint8_t output[PSA_SIGNATURE_MAX_SIZE] = { 0 }; size_t length = SIZE_MAX; + psa_sign_hash_interruptible_operation_t sign_operation = + psa_sign_hash_interruptible_operation_init(); + + psa_verify_hash_interruptible_operation_t verify_operation = + psa_verify_hash_interruptible_operation_init(); + + PSA_INIT(); @@ -237,6 +244,15 @@ void sign_fail(int key_type_arg, data_t *key_data, psa_sign_hash(key_id, alg, input, sizeof(input), output, sizeof(output), &length)); + + if (PSA_KEY_TYPE_IS_ECC(key_type)) { + TEST_STATUS(expected_status, + psa_sign_hash_start(&sign_operation, key_id, alg, + input, sizeof(input))); + + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + } + if (!private_only) { /* Determine a plausible signature size to avoid an INVALID_SIGNATURE * error based on this. */ @@ -253,6 +269,15 @@ void sign_fail(int key_type_arg, data_t *key_data, psa_verify_hash(key_id, alg, input, sizeof(input), output, output_length)); + + if (PSA_KEY_TYPE_IS_ECC(key_type)) { + TEST_STATUS(expected_status, + psa_verify_hash_start(&verify_operation, key_id, alg, + input, sizeof(input), + output, output_length)); + + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + } } exit: From 0c68335a42af6a72f85a0862f18fb8cc03815616 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 16 Dec 2022 19:16:56 +0000 Subject: [PATCH 091/250] Convert tests to configurable max_ops Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 125 ++++++++++++++------ tests/suites/test_suite_psa_crypto.function | 78 ++++++++++-- 2 files changed, 155 insertions(+), 48 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index fc6ae5c618..7164d275b4 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4145,17 +4145,29 @@ PSA sign hash: deterministic ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f" -PSA sign hash: interruptible ECDSA SECP256R1 SHA - 256 +PSA sign hash: interruptible (no interrupt) ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f" +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 -PSA sign hash: interruptible ECDSA SECP256R1 SHA - 384 +PSA sign hash: interruptible (max interrupt) ECDSA SECP256R1 SHA-256 +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED + +PSA sign hash: interruptible (no interrupt) ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 -sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca" +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 -PSA sign hash: interruptible ECDSA SECP384R1 SHA - 256 +PSA sign hash: interruptible (max interrupt) ECDSA SECP256R1 SHA-384 +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED + +PSA sign hash: interruptible (no interrupt) ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 -sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f" +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 + +PSA sign hash: interruptible (max interrupt) ECDSA SECP384R1 SHA-256 +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash: RSA PKCS#1 v1.5 SHA-256, wrong hash size depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C @@ -4221,29 +4233,41 @@ PSA sign hash: deterministic ECDSA not supported depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED -PSA sign hash interruptible: deterministic ECDSA SECP256R1 SHA-256, output buffer too small +PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256, output buffer too small depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 -PSA sign hash interruptible: deterministic ECDSA SECP256R1 SHA-256, empty output buffer +PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256, output buffer too small depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1:1:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign hash interruptible: deterministic ECDSA SECP256R1, invalid hash algorithm (0) +PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256, empty output buffer +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 + +PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256, empty output buffer +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1:1:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED + +PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1, invalid hash algorithm (0) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 + +PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1, invalid hash algorithm (0) +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:1:1:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash interruptible: deterministic ECDSA SECP256R1, invalid hash algorithm (wildcard) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 PSA sign hash interruptible: invalid algorithm for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 PSA sign hash interruptible: deterministic ECDSA not supported depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 PSA sign/verify hash: RSA PKCS#1 v1.5, raw depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C @@ -4285,30 +4309,53 @@ PSA sign/verify hash: deterministic ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" -PSA sign / verify hash interruptible: randomized ECDSA SECP256R1 SHA - 256 +PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 -PSA sign / verify hash interruptible: deterministic ECDSA SECP256R1 SHA - 256 +PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP256R1 SHA-256 +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED + +PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 -PSA sign / verify hash interruptible: randomized ECDSA SECP256R1 SHA - 384 +PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256 +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED + +PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f" +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 -PSA sign / verify hash interruptible: deterministic ECDSA SECP256R1 SHA - 384 +PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP256R1 SHA-384 +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED + +PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f" +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 -PSA sign / verify hash interruptible: randomized ECDSA SECP384R1 SHA - 256 +PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-384 +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED + +PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 -PSA sign / verify hash interruptible: deterministic ECDSA SECP384R1 SHA - 256 +PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP384R1 SHA-256 +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED + +PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP384R1 SHA-256 +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA verify hash: RSA PKCS#1 v1.5 SHA-256, good signature depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C @@ -4432,11 +4479,11 @@ verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30 PSA verify hash interruptible: ECDSA SECP256R1, good depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f" +verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 PSA verify hash interruptible with keypair: ECDSA SECP256R1, good depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f" +verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 PSA verify hash: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 @@ -4468,31 +4515,35 @@ verify_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab4543571264 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 -PSA verify hash interruptible: ECDSA SECP256R1, wrong signature of correct size +PSA verify hash interruptible (no interrupt): ECDSA SECP256R1, wrong signature of correct size depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 + +PSA verify hash interruptible (max interrupt): ECDSA SECP256R1, wrong signature of correct size +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (empty) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (truncated) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (trailing junk) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (leading junk) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 PSA verify hash interruptible: invalid algorithm for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 PSA sign message: RSA PKCS#1 v1.5 SHA-256 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index d5141790d7..ce5a240b2c 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6447,7 +6447,8 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ void sign_hash_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data, - data_t *output_data) + data_t *output_data, int max_ops, + int min_completes, int max_completes) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; @@ -6460,6 +6461,7 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data, psa_status_t status = PSA_OPERATION_INCOMPLETE; size_t num_ops = 0; size_t num_ops_prior = 0; + size_t num_completes = 0; psa_sign_hash_interruptible_operation_t operation = psa_sign_hash_interruptible_operation_init(); @@ -6482,6 +6484,8 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data, TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); ASSERT_ALLOC(signature, signature_size); + psa_interruptible_set_max_ops(max_ops); + num_ops_prior = psa_sign_hash_get_num_ops(&operation); TEST_ASSERT(num_ops_prior == 0); @@ -6497,16 +6501,21 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data, status = psa_sign_hash_complete(&operation, signature, signature_size, &signature_length); + num_completes++; + if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) { num_ops = psa_sign_hash_get_num_ops(&operation); - TEST_ASSERT(num_ops > num_ops_prior); + num_ops_prior = num_ops; } } TEST_ASSERT(status == PSA_SUCCESS); + TEST_LE_U(min_completes, num_completes); + TEST_LE_U(num_completes, max_completes); + /* Verify that the signature is what is expected. */ ASSERT_COMPARE(output_data->x, output_data->len, signature, signature_length); @@ -6577,7 +6586,9 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data, int signature_size_arg, int expected_start_status_arg, - int expected_complete_status_arg) + int expected_complete_status_arg, + int max_ops, int min_completes, + int max_completes) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; @@ -6590,6 +6601,7 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, size_t signature_length = 0xdeadbeef; size_t num_ops = 0; size_t num_ops_prior = 0; + size_t num_completes = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_sign_hash_interruptible_operation_t operation = psa_sign_hash_interruptible_operation_init(); @@ -6605,6 +6617,8 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, &key)); + psa_interruptible_set_max_ops(max_ops); + num_ops_prior = psa_sign_hash_get_num_ops(&operation); TEST_ASSERT(num_ops_prior == 0); @@ -6625,6 +6639,8 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, signature_size, &signature_length); + num_completes++; + /* If the psa_sign_hash_start() failed, psa_sign_hash_complete() * should also fail with bad state. */ if (expected_start_status != PSA_SUCCESS) { @@ -6633,8 +6649,8 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, TEST_EQUAL(actual_status, expected_complete_status); } else { num_ops = psa_sign_hash_get_num_ops(&operation); - TEST_ASSERT(num_ops > num_ops_prior); + num_ops_prior = num_ops; } } @@ -6647,6 +6663,9 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, * checking the error code then they don't overflow a buffer. */ TEST_LE_U(signature_length, signature_size); + TEST_LE_U(min_completes, num_completes); + TEST_LE_U(num_completes, max_completes); + exit: psa_reset_key_attributes(&attributes); psa_destroy_key(key); @@ -6727,7 +6746,9 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, - int alg_arg, data_t *input_data) + int alg_arg, data_t *input_data, + int max_ops, int min_completes, + int max_completes) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; @@ -6738,6 +6759,7 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, size_t signature_length = 0xdeadbeef; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_status_t status = PSA_OPERATION_INCOMPLETE; + size_t num_completes = 0; psa_sign_hash_interruptible_operation_t sign_operation = psa_sign_hash_interruptible_operation_init(); psa_verify_hash_interruptible_operation_t verify_operation = @@ -6745,7 +6767,8 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, PSA_ASSERT(psa_crypto_init()); - psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | + PSA_KEY_USAGE_VERIFY_HASH); psa_set_key_algorithm(&attributes, alg); psa_set_key_type(&attributes, key_type); @@ -6762,6 +6785,8 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); ASSERT_ALLOC(signature, signature_size); + psa_interruptible_set_max_ops(max_ops); + /* Start performing the signature. */ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, input_data->x, input_data->len)); @@ -6769,18 +6794,25 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, /* Continue performing the signature until complete. */ while (status == PSA_OPERATION_INCOMPLETE) { - status = psa_sign_hash_complete(&sign_operation, signature, signature_size, + status = psa_sign_hash_complete(&sign_operation, signature, + signature_size, &signature_length); + + num_completes++; } TEST_ASSERT(status == PSA_SUCCESS); + TEST_LE_U(min_completes, num_completes); + TEST_LE_U(num_completes, max_completes); + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); /* Check that the signature length looks sensible. */ TEST_LE_U(signature_length, signature_size); TEST_ASSERT(signature_length > 0); + num_completes = 0; status = PSA_OPERATION_INCOMPLETE; /* Start verification. */ @@ -6791,10 +6823,15 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, /* Continue performing the signature until complete. */ while (status == PSA_OPERATION_INCOMPLETE) { status = psa_verify_hash_complete(&verify_operation); + + num_completes++; } TEST_ASSERT(status == PSA_SUCCESS); + TEST_LE_U(min_completes, num_completes); + TEST_LE_U(num_completes, max_completes); + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); verify_operation = psa_verify_hash_interruptible_operation_init(); @@ -6870,7 +6907,8 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ void verify_hash_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *hash_data, - data_t *signature_data) + data_t *signature_data, int max_ops, + int min_completes, int max_completes) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; @@ -6879,6 +6917,7 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data, psa_status_t status = PSA_OPERATION_INCOMPLETE; size_t num_ops = 0; size_t num_ops_prior = 0; + size_t num_completes = 0; psa_verify_hash_interruptible_operation_t operation = psa_verify_hash_interruptible_operation_init(); @@ -6893,6 +6932,8 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data, PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, &key)); + psa_interruptible_set_max_ops(max_ops); + num_ops_prior = psa_verify_hash_get_num_ops(&operation); TEST_ASSERT(num_ops_prior == 0); @@ -6911,16 +6952,21 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data, while (status == PSA_OPERATION_INCOMPLETE) { status = psa_verify_hash_complete(&operation); + num_completes++; + if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) { num_ops = psa_verify_hash_get_num_ops(&operation); - TEST_ASSERT(num_ops > num_ops_prior); + num_ops_prior = num_ops; } } TEST_ASSERT(status == PSA_SUCCESS); + TEST_LE_U(min_completes, num_completes); + TEST_LE_U(num_completes, max_completes); + PSA_ASSERT(psa_verify_hash_abort(&operation)); exit: @@ -6969,7 +7015,9 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *hash_data, data_t *signature_data, int expected_start_status_arg, - int expected_complete_status_arg) + int expected_complete_status_arg, + int max_ops, int min_completes, + int max_completes) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; @@ -6980,6 +7028,7 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; size_t num_ops = 0; size_t num_ops_prior = 0; + size_t num_completes = 0; psa_verify_hash_interruptible_operation_t operation = psa_verify_hash_interruptible_operation_init(); @@ -6992,6 +7041,8 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, &key)); + psa_interruptible_set_max_ops(max_ops); + num_ops_prior = psa_verify_hash_get_num_ops(&operation); TEST_ASSERT(num_ops_prior == 0); @@ -7012,6 +7063,8 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, while (actual_status == PSA_OPERATION_INCOMPLETE) { actual_status = psa_verify_hash_complete(&operation); + num_completes++; + /* If the psa_verify_hash_start() failed, * psa_verify_hash_complete() should also fail with bad state.*/ if (expected_start_status != PSA_SUCCESS) { @@ -7020,12 +7073,15 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, TEST_EQUAL(actual_status, expected_complete_status); } else { num_ops = psa_verify_hash_get_num_ops(&operation); - TEST_ASSERT(num_ops > num_ops_prior); + num_ops_prior = num_ops; } } + TEST_LE_U(min_completes, num_completes); + TEST_LE_U(num_completes, max_completes); + PSA_ASSERT(psa_verify_hash_abort(&operation)); exit: From 20a360679b41f7139bbdf13b5eb2a4bdac2332e1 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Sun, 18 Dec 2022 13:21:25 +0000 Subject: [PATCH 092/250] Add State tests Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 4 + tests/suites/test_suite_psa_crypto.function | 202 ++++++++++++++++++++ 2 files changed, 206 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 7164d275b4..e6da057dad 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4545,6 +4545,10 @@ PSA verify hash interruptible: invalid algorithm for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +PSA interruptible hash state test: randomized ECDSA SECP256R1 SHA-256 +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +hash_interruptible_state_test:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" + PSA sign message: RSA PKCS#1 v1.5 SHA-256 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C sign_message_deterministic:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311" diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index ce5a240b2c..6860f7f072 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -7091,6 +7091,208 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +void hash_interruptible_state_test(int key_type_arg, data_t *key_data, + int alg_arg, data_t *input_data) +{ + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_type_t key_type = key_type_arg; + psa_algorithm_t alg = alg_arg; + size_t key_bits; + unsigned char *signature = NULL; + size_t signature_size; + size_t signature_length = 0xdeadbeef; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_sign_hash_interruptible_operation_t sign_operation = + psa_sign_hash_interruptible_operation_init(); + psa_verify_hash_interruptible_operation_t verify_operation = + psa_verify_hash_interruptible_operation_init(); + + PSA_ASSERT(psa_crypto_init()); + + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | + PSA_KEY_USAGE_VERIFY_HASH); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, key_type); + + PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, + &key)); + PSA_ASSERT(psa_get_key_attributes(key, &attributes)); + key_bits = psa_get_key_bits(&attributes); + + /* Allocate a buffer which has the size advertised by the + * library. */ + signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, + key_bits, alg); + TEST_ASSERT(signature_size != 0); + TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); + ASSERT_ALLOC(signature, signature_size); + + psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); + + /* --- Attempt completes prior to starts --- */ + TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, + signature_size, + &signature_length), + PSA_ERROR_BAD_STATE); + + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + + TEST_EQUAL(psa_verify_hash_complete(&verify_operation), + PSA_ERROR_BAD_STATE); + + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + + /* --- Aborts in all other places. --- */ + psa_sign_hash_abort(&sign_operation); + + PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, + input_data->x, input_data->len)); + + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + + psa_interruptible_set_max_ops(1); + + PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, + input_data->x, input_data->len)); + + TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, + signature_size, + &signature_length), + PSA_OPERATION_INCOMPLETE); + + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + + psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); + + PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, + input_data->x, input_data->len)); + + PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature, + signature_size, + &signature_length)); + + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + + PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, + input_data->x, input_data->len, + signature, signature_length)); + + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + + psa_interruptible_set_max_ops(1); + + PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, + input_data->x, input_data->len, + signature, signature_length)); + + TEST_EQUAL(psa_verify_hash_complete(&verify_operation), + PSA_OPERATION_INCOMPLETE); + + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + + psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); + + PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, + input_data->x, input_data->len, + signature, signature_length)); + + PSA_ASSERT(psa_verify_hash_complete(&verify_operation)); + + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + + /* --- Attempt double starts. --- */ + + PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, + input_data->x, input_data->len)); + + TEST_EQUAL(psa_sign_hash_start(&sign_operation, key, alg, + input_data->x, input_data->len), + PSA_ERROR_BAD_STATE); + + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + + PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, + input_data->x, input_data->len, + signature, signature_length)); + + TEST_EQUAL(psa_verify_hash_start(&verify_operation, key, alg, + input_data->x, input_data->len, + signature, signature_length), + PSA_ERROR_BAD_STATE); + + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + + /* --- Ensure changing the max ops mid operation works (operation should + * complete successfully after setting max ops to unlimited --- */ + psa_interruptible_set_max_ops(1); + + PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, + input_data->x, input_data->len)); + + TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, + signature_size, + &signature_length), + PSA_OPERATION_INCOMPLETE); + + psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); + + PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature, + signature_size, + &signature_length)); + + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + + psa_interruptible_set_max_ops(1); + + PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, + input_data->x, input_data->len, + signature, signature_length)); + + TEST_EQUAL(psa_verify_hash_complete(&verify_operation), + PSA_OPERATION_INCOMPLETE); + + psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); + + PSA_ASSERT(psa_verify_hash_complete(&verify_operation)); + + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + + /* --- Change function inputs mid run, to cause an error (sign only, + * verify passes all inputs to start. --- */ + + psa_interruptible_set_max_ops(1); + + PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, + input_data->x, input_data->len)); + + TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, + signature_size, + &signature_length), + PSA_OPERATION_INCOMPLETE); + + TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, + 0, + &signature_length), + PSA_ERROR_BUFFER_TOO_SMALL); + + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + +exit: + /* + * Key attributes may have been returned by psa_get_key_attributes() + * thus reset them as required. + */ + psa_reset_key_attributes(&attributes); + + psa_destroy_key(key); + mbedtls_free(signature); + PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE */ void sign_message_deterministic(int key_type_arg, data_t *key_data, From 59ad9457b6a8036773ca255663f0e9edc6fca6d7 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Sun, 18 Dec 2022 15:09:02 +0000 Subject: [PATCH 093/250] Add {sign/verify}_hash_abort_internal Ensure that num_ops is cleared when manual abort is called, but obviously not when an operation just completes, and test this. Signed-off-by: Paul Elliott --- library/psa_crypto.c | 62 ++++++++++++++++----- tests/suites/test_suite_psa_crypto.function | 12 ++++ 2 files changed, 59 insertions(+), 15 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index e3be65013b..f7228bc4b5 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3155,6 +3155,25 @@ uint32_t psa_verify_hash_get_num_ops( return operation->num_ops; } +static psa_status_t psa_sign_hash_abort_internal( + psa_sign_hash_interruptible_operation_t *operation) +{ + if (operation->id == 0) { + /* The object has (apparently) been initialized but it is not (yet) + * in use. It's ok to call abort on such an object, and there's + * nothing to do. */ + return PSA_SUCCESS; + } + + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + status = psa_driver_wrapper_sign_hash_abort(operation); + + operation->id = 0; + + return status; +} + psa_status_t psa_sign_hash_start( psa_sign_hash_interruptible_operation_t *operation, mbedtls_svc_key_id_t key, psa_algorithm_t alg, @@ -3202,7 +3221,7 @@ psa_status_t psa_sign_hash_start( exit: if (status != PSA_SUCCESS) { - psa_sign_hash_abort(operation); + psa_sign_hash_abort_internal(operation); } unlock_status = psa_unlock_key_slot(slot); @@ -3259,7 +3278,7 @@ exit: /* If signature_size is 0 then we have nothing to do. We must not * call memset because signature may be NULL in this case.*/ - psa_sign_hash_abort(operation); + psa_sign_hash_abort_internal(operation); } return status; @@ -3267,6 +3286,20 @@ exit: psa_status_t psa_sign_hash_abort( psa_sign_hash_interruptible_operation_t *operation) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + status = psa_sign_hash_abort_internal(operation); + + /* We clear the number of ops done here, so that it is not cleared when + * the operation fails or succeeds, only on manual abort. */ + operation->num_ops = 0; + + return status; +} + +static psa_status_t psa_verify_hash_abort_internal( + psa_verify_hash_interruptible_operation_t *operation) { if (operation->id == 0) { /* The object has (apparently) been initialized but it is not (yet) @@ -3275,11 +3308,13 @@ psa_status_t psa_sign_hash_abort( return PSA_SUCCESS; } - psa_driver_wrapper_sign_hash_abort(operation); + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + status = psa_driver_wrapper_verify_hash_abort(operation); operation->id = 0; - return PSA_SUCCESS; + return status; } psa_status_t psa_verify_hash_start( @@ -3324,7 +3359,7 @@ psa_status_t psa_verify_hash_start( signature, signature_length); if (status != PSA_SUCCESS) { - psa_verify_hash_abort(operation); + psa_verify_hash_abort_internal(operation); } unlock_status = psa_unlock_key_slot(slot); @@ -3354,7 +3389,7 @@ exit: operation); if (status != PSA_OPERATION_INCOMPLETE) { - psa_verify_hash_abort(operation); + psa_verify_hash_abort_internal(operation); } return status; @@ -3363,18 +3398,15 @@ exit: psa_status_t psa_verify_hash_abort( psa_verify_hash_interruptible_operation_t *operation) { - if (operation->id == 0) { - /* The object has (apparently) been initialized but it is not (yet) - * in use. It's ok to call abort on such an object, and there's - * nothing to do. */ - return PSA_SUCCESS; - } + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_driver_wrapper_verify_hash_abort(operation); + status = psa_verify_hash_abort_internal(operation); - operation->id = 0; + /* We clear the number of ops done here, so that it is not cleared when + * the operation fails or succeeds, only on manual abort. */ + operation->num_ops = 0; - return PSA_SUCCESS; + return status; } /****************************************************************/ diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 6860f7f072..21965cfca1 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6522,6 +6522,9 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data, PSA_ASSERT(psa_sign_hash_abort(&operation)); + num_ops = psa_sign_hash_get_num_ops(&operation); + TEST_ASSERT(num_ops == 0); + exit: /* @@ -6657,6 +6660,9 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, PSA_ASSERT(psa_sign_hash_abort(&operation)); + num_ops = psa_sign_hash_get_num_ops(&operation); + TEST_ASSERT(num_ops == 0); + /* The value of *signature_length is unspecified on error, but * whatever it is, it should be less than signature_size, so that * if the caller tries to read *signature_length bytes without @@ -6969,6 +6975,9 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data, PSA_ASSERT(psa_verify_hash_abort(&operation)); + num_ops = psa_verify_hash_get_num_ops(&operation); + TEST_ASSERT(num_ops == 0); + exit: psa_reset_key_attributes(&attributes); psa_destroy_key(key); @@ -7084,6 +7093,9 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, PSA_ASSERT(psa_verify_hash_abort(&operation)); + num_ops = psa_verify_hash_get_num_ops(&operation); + TEST_ASSERT(num_ops == 0); + exit: psa_reset_key_attributes(&attributes); psa_destroy_key(key); From c5c6963d07c5ca423ecf5b57cfdac220ab36a2c9 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Tue, 3 Jan 2023 17:07:05 +0000 Subject: [PATCH 094/250] Remove #endif from between testcases Signed-off-by: David Horstmann From 3225f198030bd07535e163013215d2583e64827c Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 10 Jan 2023 12:03:12 +0000 Subject: [PATCH 095/250] Fix ecdsa.h documentation error Signed-off-by: Paul Elliott --- include/mbedtls/ecdsa.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h index 1741d2c204..c5d9701f6e 100644 --- a/include/mbedtls/ecdsa.h +++ b/include/mbedtls/ecdsa.h @@ -416,6 +416,8 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp, * initialized restart context. * * \return \c 0 on success. + * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of + * operations was reached: see \c mbedtls_ecp_set_max_ops(). * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX * error code on failure. */ @@ -474,8 +476,6 @@ int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp, * \c NULL if \p f_rng is \c NULL or doesn't use a context. * * \return \c 0 on success. - * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of - * operations was reached: see \c mbedtls_ecp_set_max_ops(). * \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or * \c MBEDTLS_ERR_ASN1_XXX error code on failure. */ From 7cc4e816c16df362c0723694d1e2941d2166a70c Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 10 Jan 2023 17:14:11 +0000 Subject: [PATCH 096/250] Ensure max ops gets set regardless of having built-in implementation Set the psa level global anyway, regardless of having a built in implementation, to match the set function. Also, ensure that value returned is the same as value passed in, irregardless of internal implementation requirements. Signed-off-by: Paul Elliott --- library/psa_crypto.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index f7228bc4b5..efad510357 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3419,6 +3419,8 @@ static uint32_t mbedtls_psa_interruptible_max_ops = void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops) { + mbedtls_psa_interruptible_max_ops = max_ops; + #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ defined(MBEDTLS_ECP_RESTARTABLE) @@ -3429,10 +3431,7 @@ void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops) max_ops = 1; } - mbedtls_psa_interruptible_max_ops = max_ops; mbedtls_ecp_set_max_ops(max_ops); -#else - (void) max_ops; #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && * defined( MBEDTLS_ECP_RESTARTABLE ) */ @@ -3497,8 +3496,9 @@ psa_status_t mbedtls_psa_sign_hash_start( #endif /* Ensure default is set even if - * mbedtls_psa_interruptible_get_max_ops() has not been called. */ - mbedtls_ecp_set_max_ops(mbedtls_psa_interruptible_get_max_ops()); + * mbedtls_psa_interruptible_set_max_ops() has not been called. */ + mbedtls_psa_interruptible_set_max_ops( + mbedtls_psa_interruptible_get_max_ops()); status = mbedtls_psa_ecp_load_representation(attributes->core.type, attributes->core.bits, @@ -3685,8 +3685,9 @@ psa_status_t mbedtls_psa_verify_hash_start( defined(MBEDTLS_ECP_RESTARTABLE) /* Ensure default is set even if - * mbedtls_psa_interruptible_get_max_ops() has not been called. */ - mbedtls_ecp_set_max_ops(mbedtls_psa_interruptible_get_max_ops()); + * mbedtls_psa_interruptible_set_max_ops() has not been called. */ + mbedtls_psa_interruptible_set_max_ops( + mbedtls_psa_interruptible_get_max_ops()); status = mbedtls_psa_ecp_load_representation(attributes->core.type, attributes->core.bits, From 749dec54effb21db2e9f3036b451144f8652dcf1 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Mon, 16 Jan 2023 12:18:46 +0000 Subject: [PATCH 097/250] Clean up structure include guards Signed-off-by: Paul Elliott --- include/psa/crypto_builtin_composites.h | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index 0f1220de9f..c5a37e63d2 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -138,13 +138,12 @@ typedef struct { /* Context structure for the Mbed TLS interruptible verify hash * implementation.*/ typedef struct { +#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx); -#if defined(MBEDTLS_ECP_RESTARTABLE) mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx); -#endif /* MBEDTLS_ECP_RESTARTABLE */ size_t MBEDTLS_PRIVATE(curve_bytes); const uint8_t *MBEDTLS_PRIVATE(hash); @@ -153,7 +152,9 @@ typedef struct { mbedtls_mpi MBEDTLS_PRIVATE(r); mbedtls_mpi MBEDTLS_PRIVATE(s); -#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA && + * MBEDTLS_ECP_RESTARTABLE */ } mbedtls_psa_verify_hash_interruptible_operation_t; From 068fe0774029c658a295abf1369bd113cb7aa551 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Mon, 16 Jan 2023 13:59:15 +0000 Subject: [PATCH 098/250] Improve indentation of hash start functions Signed-off-by: Paul Elliott --- library/psa_crypto.c | 230 +++++++++++++++++++++---------------------- 1 file changed, 115 insertions(+), 115 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index efad510357..ee9e0412c9 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3482,69 +3482,69 @@ psa_status_t mbedtls_psa_sign_hash_start( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) { - if (PSA_ALG_IS_ECDSA(alg)) { + if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) { + return PSA_ERROR_NOT_SUPPORTED; + } + + if (!PSA_ALG_IS_ECDSA(alg)) { + return PSA_ERROR_INVALID_ARGUMENT; + } #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ - defined(MBEDTLS_ECP_RESTARTABLE) + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) #if !defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) - if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) { - return PSA_ERROR_NOT_SUPPORTED; - } + if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) { + return PSA_ERROR_NOT_SUPPORTED; + } #endif - /* Ensure default is set even if - * mbedtls_psa_interruptible_set_max_ops() has not been called. */ - mbedtls_psa_interruptible_set_max_ops( - mbedtls_psa_interruptible_get_max_ops()); + /* Ensure default is set even if + * mbedtls_psa_interruptible_set_max_ops() has not been called. */ + mbedtls_psa_interruptible_set_max_ops( + mbedtls_psa_interruptible_get_max_ops()); - status = mbedtls_psa_ecp_load_representation(attributes->core.type, - attributes->core.bits, - key_buffer, - key_buffer_size, - &operation->ctx); + status = mbedtls_psa_ecp_load_representation(attributes->core.type, + attributes->core.bits, + key_buffer, + key_buffer_size, + &operation->ctx); - if (status != PSA_SUCCESS) { - return status; - } + if (status != PSA_SUCCESS) { + return status; + } - mbedtls_ecdsa_restart_init(&operation->restart_ctx); + mbedtls_ecdsa_restart_init(&operation->restart_ctx); - mbedtls_mpi_init(&operation->r); - mbedtls_mpi_init(&operation->s); + mbedtls_mpi_init(&operation->r); + mbedtls_mpi_init(&operation->s); - operation->curve_bytes = PSA_BITS_TO_BYTES( - operation->ctx->grp.pbits); + operation->curve_bytes = PSA_BITS_TO_BYTES( + operation->ctx->grp.pbits); - psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg); - operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg); - operation->alg = alg; + psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg); + operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg); + operation->alg = alg; - operation->hash = hash; - operation->hash_length = hash_length; + operation->hash = hash; + operation->hash_length = hash_length; + + return PSA_SUCCESS; #else - (void) operation; - (void) key_buffer; - (void) key_buffer_size; - (void) alg; - (void) hash; - (void) hash_length; + (void) operation; + (void) key_buffer; + (void) key_buffer_size; + (void) alg; + (void) hash; + (void) hash_length; + (void) status; - return PSA_ERROR_NOT_SUPPORTED; + return PSA_ERROR_NOT_SUPPORTED; #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && * defined( MBEDTLS_ECP_RESTARTABLE ) */ - } else { - status = PSA_ERROR_INVALID_ARGUMENT; - } - } else { - status = PSA_ERROR_NOT_SUPPORTED; - } - - return status; } psa_status_t mbedtls_psa_sign_hash_complete( @@ -3677,99 +3677,99 @@ psa_status_t mbedtls_psa_verify_hash_start( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) { - if (PSA_ALG_IS_ECDSA(alg)) { + if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) { + return PSA_ERROR_NOT_SUPPORTED; + } + + if (!PSA_ALG_IS_ECDSA(alg)) { + return PSA_ERROR_INVALID_ARGUMENT; + } #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ - defined(MBEDTLS_ECP_RESTARTABLE) + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) - /* Ensure default is set even if - * mbedtls_psa_interruptible_set_max_ops() has not been called. */ - mbedtls_psa_interruptible_set_max_ops( - mbedtls_psa_interruptible_get_max_ops()); + /* Ensure default is set even if + * mbedtls_psa_interruptible_set_max_ops() has not been called. */ + mbedtls_psa_interruptible_set_max_ops( + mbedtls_psa_interruptible_get_max_ops()); - status = mbedtls_psa_ecp_load_representation(attributes->core.type, - attributes->core.bits, - key_buffer, - key_buffer_size, - &operation->ctx); + status = mbedtls_psa_ecp_load_representation(attributes->core.type, + attributes->core.bits, + key_buffer, + key_buffer_size, + &operation->ctx); - if (status != PSA_SUCCESS) { - return status; - } + if (status != PSA_SUCCESS) { + return status; + } - operation->curve_bytes = PSA_BITS_TO_BYTES( - operation->ctx->grp.pbits); + operation->curve_bytes = PSA_BITS_TO_BYTES( + operation->ctx->grp.pbits); - if (signature_length != 2 * operation->curve_bytes) { - return PSA_ERROR_INVALID_SIGNATURE; - } + if (signature_length != 2 * operation->curve_bytes) { + return PSA_ERROR_INVALID_SIGNATURE; + } - mbedtls_mpi_init(&operation->r); - status = mbedtls_to_psa_error( - mbedtls_mpi_read_binary(&operation->r, - signature, - operation->curve_bytes)); + mbedtls_mpi_init(&operation->r); + status = mbedtls_to_psa_error( + mbedtls_mpi_read_binary(&operation->r, + signature, + operation->curve_bytes)); - if (status != PSA_SUCCESS) { - return status; - } + if (status != PSA_SUCCESS) { + return status; + } - mbedtls_mpi_init(&operation->s); - status = mbedtls_to_psa_error( - mbedtls_mpi_read_binary(&operation->s, - signature + - operation->curve_bytes, - operation->curve_bytes)); + mbedtls_mpi_init(&operation->s); + status = mbedtls_to_psa_error( + mbedtls_mpi_read_binary(&operation->s, + signature + + operation->curve_bytes, + operation->curve_bytes)); - if (status != PSA_SUCCESS) { - return status; - } + if (status != PSA_SUCCESS) { + return status; + } - /* Check whether the public part is loaded. If not, load it. */ - if (mbedtls_ecp_is_zero(&operation->ctx->Q)) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + /* Check whether the public part is loaded. If not, load it. */ + if (mbedtls_ecp_is_zero(&operation->ctx->Q)) { + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - ret = mbedtls_ecp_mul(&operation->ctx->grp, - &operation->ctx->Q, - &operation->ctx->d, - &operation->ctx->grp.G, - mbedtls_psa_get_random, - MBEDTLS_PSA_RANDOM_STATE); + ret = mbedtls_ecp_mul(&operation->ctx->grp, + &operation->ctx->Q, + &operation->ctx->d, + &operation->ctx->grp.G, + mbedtls_psa_get_random, + MBEDTLS_PSA_RANDOM_STATE); - if (ret != 0) { - return mbedtls_to_psa_error(ret); - } - } + if (ret != 0) { + return mbedtls_to_psa_error(ret); + } + } - mbedtls_ecdsa_restart_init(&operation->restart_ctx); + mbedtls_ecdsa_restart_init(&operation->restart_ctx); - operation->hash = hash; - operation->hash_length = hash_length; + operation->hash = hash; + operation->hash_length = hash_length; + + return PSA_SUCCESS; #else - (void) operation; - (void) key_buffer; - (void) key_buffer_size; - (void) alg; - (void) hash; - (void) hash_length; - (void) signature; - (void) signature_length; + (void) operation; + (void) key_buffer; + (void) key_buffer_size; + (void) alg; + (void) hash; + (void) hash_length; + (void) signature; + (void) signature_length; + (void) status; - return PSA_ERROR_NOT_SUPPORTED; + return PSA_ERROR_NOT_SUPPORTED; #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && * defined( MBEDTLS_ECP_RESTARTABLE ) */ - } else { - status = PSA_ERROR_INVALID_ARGUMENT; - } - } else { - status = PSA_ERROR_NOT_SUPPORTED; - } - - return status; } psa_status_t mbedtls_psa_verify_hash_complete( From 6ee2408d26302705773b4f134e7b94775d8cbac7 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Mon, 16 Jan 2023 14:00:41 +0000 Subject: [PATCH 099/250] Remove deterministic alg restriction on sign hash Signed-off-by: Paul Elliott --- library/psa_crypto.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index ee9e0412c9..748cb13f8c 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3494,12 +3494,6 @@ psa_status_t mbedtls_psa_sign_hash_start( defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ defined(MBEDTLS_ECP_RESTARTABLE) -#if !defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) - if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) { - return PSA_ERROR_NOT_SUPPORTED; - } -#endif - /* Ensure default is set even if * mbedtls_psa_interruptible_set_max_ops() has not been called. */ mbedtls_psa_interruptible_set_max_ops( From edfc8835688af22c073a6acd14d2fa24be33488f Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 20 Jan 2023 17:13:10 +0000 Subject: [PATCH 100/250] Change test loops over to do...while Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 35 +++++++++------------ 1 file changed, 14 insertions(+), 21 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 21965cfca1..aaf9d86578 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6497,7 +6497,7 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data, TEST_ASSERT(num_ops_prior == 0); /* Continue performing the signature until complete. */ - while (status == PSA_OPERATION_INCOMPLETE) { + do { status = psa_sign_hash_complete(&operation, signature, signature_size, &signature_length); @@ -6509,7 +6509,7 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data, num_ops_prior = num_ops; } - } + } while (status == PSA_OPERATION_INCOMPLETE); TEST_ASSERT(status == PSA_SUCCESS); @@ -6634,10 +6634,8 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, num_ops_prior = psa_sign_hash_get_num_ops(&operation); TEST_ASSERT(num_ops_prior == 0); - actual_status = PSA_OPERATION_INCOMPLETE; - /* Continue performing the signature until complete. */ - while (actual_status == PSA_OPERATION_INCOMPLETE) { + do { actual_status = psa_sign_hash_complete(&operation, signature, signature_size, &signature_length); @@ -6656,7 +6654,7 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, num_ops_prior = num_ops; } - } + } while (actual_status == PSA_OPERATION_INCOMPLETE); PSA_ASSERT(psa_sign_hash_abort(&operation)); @@ -6798,14 +6796,14 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, input_data->x, input_data->len)); /* Continue performing the signature until complete. */ - while (status == PSA_OPERATION_INCOMPLETE) { + do { status = psa_sign_hash_complete(&sign_operation, signature, signature_size, &signature_length); num_completes++; - } + } while (status == PSA_OPERATION_INCOMPLETE); TEST_ASSERT(status == PSA_SUCCESS); @@ -6819,7 +6817,6 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, TEST_ASSERT(signature_length > 0); num_completes = 0; - status = PSA_OPERATION_INCOMPLETE; /* Start verification. */ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, @@ -6827,11 +6824,11 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, signature, signature_length)); /* Continue performing the signature until complete. */ - while (status == PSA_OPERATION_INCOMPLETE) { + do { status = psa_verify_hash_complete(&verify_operation); num_completes++; - } + } while (status == PSA_OPERATION_INCOMPLETE); TEST_ASSERT(status == PSA_SUCCESS); @@ -6848,17 +6845,15 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, * because ECDSA may ignore the last few bits of the input. */ input_data->x[0] ^= 1; - status = PSA_OPERATION_INCOMPLETE; - /* Start verification. */ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, input_data->x, input_data->len, signature, signature_length)); /* Continue performing the signature until complete. */ - while (status == PSA_OPERATION_INCOMPLETE) { + do { status = psa_verify_hash_complete(&verify_operation); - } + } while (status == PSA_OPERATION_INCOMPLETE); TEST_ASSERT(status == PSA_ERROR_INVALID_SIGNATURE); } @@ -6955,7 +6950,7 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data, TEST_ASSERT(num_ops_prior == 0); /* Continue performing the signature until complete. */ - while (status == PSA_OPERATION_INCOMPLETE) { + do { status = psa_verify_hash_complete(&operation); num_completes++; @@ -6966,7 +6961,7 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data, num_ops_prior = num_ops; } - } + } while (status == PSA_OPERATION_INCOMPLETE); TEST_ASSERT(status == PSA_SUCCESS); @@ -7066,10 +7061,8 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, num_ops_prior = psa_verify_hash_get_num_ops(&operation); TEST_ASSERT(num_ops_prior == 0); - actual_status = PSA_OPERATION_INCOMPLETE; - /* Continue performing the signature until complete. */ - while (actual_status == PSA_OPERATION_INCOMPLETE) { + do { actual_status = psa_verify_hash_complete(&operation); num_completes++; @@ -7086,7 +7079,7 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, num_ops_prior = num_ops; } - } + } while (actual_status == PSA_OPERATION_INCOMPLETE); TEST_LE_U(min_completes, num_completes); TEST_LE_U(num_completes, max_completes); From 334d726d408aa79be8b55da126c17a93cfc70ff4 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 20 Jan 2023 17:29:41 +0000 Subject: [PATCH 101/250] Ensure ops are tested on successful 'fail' tests Make sure the number of ops is tested in the interruptible failure tests, should they get through the interruptible loop part. Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 34 ++++++++++++--------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index aaf9d86578..d89afa336c 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6642,13 +6642,8 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, num_completes++; - /* If the psa_sign_hash_start() failed, psa_sign_hash_complete() - * should also fail with bad state. */ - if (expected_start_status != PSA_SUCCESS) { - TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); - } else if (actual_status != PSA_OPERATION_INCOMPLETE) { - TEST_EQUAL(actual_status, expected_complete_status); - } else { + if (actual_status == PSA_SUCCESS || + actual_status == PSA_OPERATION_INCOMPLETE) { num_ops = psa_sign_hash_get_num_ops(&operation); TEST_ASSERT(num_ops > num_ops_prior); @@ -6656,6 +6651,14 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, } } while (actual_status == PSA_OPERATION_INCOMPLETE); + /* If the psa_sign_hash_start() failed, psa_sign_hash_complete() + * should also fail with bad state. */ + if (expected_start_status != PSA_SUCCESS) { + TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); + } else if (actual_status != PSA_OPERATION_INCOMPLETE) { + TEST_EQUAL(actual_status, expected_complete_status); + } + PSA_ASSERT(psa_sign_hash_abort(&operation)); num_ops = psa_sign_hash_get_num_ops(&operation); @@ -7067,13 +7070,8 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, num_completes++; - /* If the psa_verify_hash_start() failed, - * psa_verify_hash_complete() should also fail with bad state.*/ - if (expected_start_status != PSA_SUCCESS) { - TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); - } else if (actual_status != PSA_OPERATION_INCOMPLETE) { - TEST_EQUAL(actual_status, expected_complete_status); - } else { + if (actual_status == PSA_SUCCESS || + actual_status == PSA_OPERATION_INCOMPLETE) { num_ops = psa_verify_hash_get_num_ops(&operation); TEST_ASSERT(num_ops > num_ops_prior); @@ -7081,6 +7079,14 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, } } while (actual_status == PSA_OPERATION_INCOMPLETE); + /* If the psa_verify_hash_start() failed, + * psa_verify_hash_complete() should also fail with bad state.*/ + if (expected_start_status != PSA_SUCCESS) { + TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); + } else if (actual_status != PSA_OPERATION_INCOMPLETE) { + TEST_EQUAL(actual_status, expected_complete_status); + } + TEST_LE_U(min_completes, num_completes); TEST_LE_U(num_completes, max_completes); From 97ac7d9090fdbef679f797c7709f0f5bdebb5dfe Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Mon, 23 Jan 2023 18:09:06 +0000 Subject: [PATCH 102/250] Calculate min/max completes rather than passing in to test Only 2 options were really possible anyway - complete in 1 op, or somewhere between 2 and max ops. Anything else we cannot test due to implementation specifics. Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 74 ++++++++++----------- tests/suites/test_suite_psa_crypto.function | 74 ++++++++++++++++++--- 2 files changed, 101 insertions(+), 47 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index e6da057dad..a00f8ed4c5 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4147,27 +4147,27 @@ sign_hash_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8 PSA sign hash: interruptible (no interrupt) ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash: interruptible (max interrupt) ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":1 PSA sign hash: interruptible (no interrupt) ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 -sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash: interruptible (max interrupt) ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 -sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":1 PSA sign hash: interruptible (no interrupt) ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 -sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash: interruptible (max interrupt) ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 -sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":1 PSA sign hash: RSA PKCS#1 v1.5 SHA-256, wrong hash size depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C @@ -4235,39 +4235,39 @@ sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5 PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256, output buffer too small depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256, output buffer too small depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1:1:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1 PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256, empty output buffer depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256, empty output buffer depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1:1:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1 PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1, invalid hash algorithm (0) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1, invalid hash algorithm (0) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:1:1:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:1 PSA sign hash interruptible: deterministic ECDSA SECP256R1, invalid hash algorithm (wildcard) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash interruptible: invalid algorithm for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash interruptible: deterministic ECDSA not supported depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign/verify hash: RSA PKCS#1 v1.5, raw depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C @@ -4311,51 +4311,51 @@ sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280 PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1 PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1 PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 PSA verify hash: RSA PKCS#1 v1.5 SHA-256, good signature depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C @@ -4479,11 +4479,11 @@ verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30 PSA verify hash interruptible: ECDSA SECP256R1, good depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA verify hash interruptible with keypair: ECDSA SECP256R1, good depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA verify hash: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 @@ -4515,35 +4515,35 @@ verify_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab4543571264 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA verify hash interruptible (no interrupt): ECDSA SECP256R1, wrong signature of correct size depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA verify hash interruptible (max interrupt): ECDSA SECP256R1, wrong signature of correct size depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:1:2:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:1 PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (empty) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (truncated) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (trailing junk) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (leading junk) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA verify hash interruptible: invalid algorithm for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED:1:1 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA interruptible hash state test: randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index d89afa336c..7f50e960c8 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6447,8 +6447,7 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ void sign_hash_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data, - data_t *output_data, int max_ops, - int min_completes, int max_completes) + data_t *output_data, int max_ops) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; @@ -6462,6 +6461,8 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data, size_t num_ops = 0; size_t num_ops_prior = 0; size_t num_completes = 0; + size_t min_completes = 0; + size_t max_completes = 0; psa_sign_hash_interruptible_operation_t operation = psa_sign_hash_interruptible_operation_init(); @@ -6486,6 +6487,14 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data, psa_interruptible_set_max_ops(max_ops); + if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) { + min_completes = 1; + max_completes = 1; + } else { + min_completes = 2; + max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; + } + num_ops_prior = psa_sign_hash_get_num_ops(&operation); TEST_ASSERT(num_ops_prior == 0); @@ -6590,8 +6599,7 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, int signature_size_arg, int expected_start_status_arg, int expected_complete_status_arg, - int max_ops, int min_completes, - int max_completes) + int max_ops) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; @@ -6605,6 +6613,9 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, size_t num_ops = 0; size_t num_ops_prior = 0; size_t num_completes = 0; + size_t min_completes = 0; + size_t max_completes = 0; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_sign_hash_interruptible_operation_t operation = psa_sign_hash_interruptible_operation_init(); @@ -6622,6 +6633,20 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, psa_interruptible_set_max_ops(max_ops); + if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) { + min_completes = 1; + max_completes = 1; + } else { + /* Unfortunate, but failure cases tend to fail on the first op. */ + if (expected_complete_status == PSA_SUCCESS) { + min_completes = 2; + } else { + min_completes = 1; + } + + max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; + } + num_ops_prior = psa_sign_hash_get_num_ops(&operation); TEST_ASSERT(num_ops_prior == 0); @@ -6754,8 +6779,7 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data, - int max_ops, int min_completes, - int max_completes) + int max_ops) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; @@ -6767,6 +6791,9 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_status_t status = PSA_OPERATION_INCOMPLETE; size_t num_completes = 0; + size_t min_completes = 0; + size_t max_completes = 0; + psa_sign_hash_interruptible_operation_t sign_operation = psa_sign_hash_interruptible_operation_init(); psa_verify_hash_interruptible_operation_t verify_operation = @@ -6794,6 +6821,14 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, psa_interruptible_set_max_ops(max_ops); + if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) { + min_completes = 1; + max_completes = 1; + } else { + min_completes = 2; + max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; + } + /* Start performing the signature. */ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, input_data->x, input_data->len)); @@ -6911,8 +6946,7 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ void verify_hash_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *hash_data, - data_t *signature_data, int max_ops, - int min_completes, int max_completes) + data_t *signature_data, int max_ops) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; @@ -6922,6 +6956,9 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data, size_t num_ops = 0; size_t num_ops_prior = 0; size_t num_completes = 0; + size_t min_completes = 0; + size_t max_completes = 0; + psa_verify_hash_interruptible_operation_t operation = psa_verify_hash_interruptible_operation_init(); @@ -6938,6 +6975,14 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data, psa_interruptible_set_max_ops(max_ops); + if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) { + min_completes = 1; + max_completes = 1; + } else { + min_completes = 2; + max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; + } + num_ops_prior = psa_verify_hash_get_num_ops(&operation); TEST_ASSERT(num_ops_prior == 0); @@ -7023,8 +7068,7 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, data_t *signature_data, int expected_start_status_arg, int expected_complete_status_arg, - int max_ops, int min_completes, - int max_completes) + int max_ops) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; @@ -7036,6 +7080,8 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, size_t num_ops = 0; size_t num_ops_prior = 0; size_t num_completes = 0; + size_t min_completes = 0; + size_t max_completes = 0; psa_verify_hash_interruptible_operation_t operation = psa_verify_hash_interruptible_operation_init(); @@ -7050,6 +7096,14 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, psa_interruptible_set_max_ops(max_ops); + if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) { + min_completes = 1; + max_completes = 1; + } else { + min_completes = 2; + max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; + } + num_ops_prior = psa_verify_hash_get_num_ops(&operation); TEST_ASSERT(num_ops_prior == 0); From 62dfb95993f3713b4de9f2e4b303e33d653ba85b Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 24 Jan 2023 11:29:24 +0000 Subject: [PATCH 103/250] Fix broken negative test Test for unsupported deterministic ECDSA was originally passing due to incorrect code, fixing the code unfortunately broke the test. Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index a00f8ed4c5..0c4941f597 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4265,9 +4265,13 @@ PSA sign hash interruptible: invalid algorithm for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign hash interruptible: deterministic ECDSA not supported +PSA sign hash interruptible (no interrupt): deterministic ECDSA not supported depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:1 + +PSA sign hash interruptible (max interrupt): deterministic ECDSA not supported +depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign/verify hash: RSA PKCS#1 v1.5, raw depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C From 90a91f041c10cf45c3a3ffb178346cace93a5453 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 24 Jan 2023 15:23:25 +0000 Subject: [PATCH 104/250] Ensure structs are not empty even if ECDSA not supported Also make previous changes apply to both interruptible sign hash operation structures rather than just the one as it was. Signed-off-by: Paul Elliott --- include/psa/crypto_builtin_composites.h | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index c5a37e63d2..ac065c1630 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -111,13 +111,11 @@ typedef struct { /* Context structure for the Mbed TLS interruptible sign hash implementation. */ typedef struct { - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) +#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx); -#if defined(MBEDTLS_ECP_RESTARTABLE) mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx); -#endif /* MBEDTLS_ECP_RESTARTABLE */ size_t MBEDTLS_PRIVATE(curve_bytes); psa_algorithm_t MBEDTLS_PRIVATE(alg); @@ -128,8 +126,13 @@ typedef struct { mbedtls_mpi MBEDTLS_PRIVATE(r); mbedtls_mpi MBEDTLS_PRIVATE(s); -#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA */ +#else + /* Make the struct non-empty if algs not supported. */ + unsigned MBEDTLS_PRIVATE(dummy); +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA && + * MBEDTLS_ECP_RESTARTABLE */ } mbedtls_psa_sign_hash_interruptible_operation_t; #define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0, { 0 }, \ @@ -152,6 +155,10 @@ typedef struct { mbedtls_mpi MBEDTLS_PRIVATE(r); mbedtls_mpi MBEDTLS_PRIVATE(s); +#else + /* Make the struct non-empty if algs not supported. */ + unsigned MBEDTLS_PRIVATE(dummy); + #endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || * MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA && * MBEDTLS_ECP_RESTARTABLE */ From c4e2be86ef4d4448fa03789691414781e000e41c Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 25 Jan 2023 12:42:59 +0000 Subject: [PATCH 105/250] Fix incorrect test dependancies Test for not having determnistic ECDSA was also being run when no ECDSA, and this fails earlier. Fixed this and added a specific test for no ECDSA. Also fixed (swapped) incorrect test descriptions. Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 0c4941f597..0cb5f85f3b 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4265,13 +4265,17 @@ PSA sign hash interruptible: invalid algorithm for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +PSA sign hash interruptible: ECDSA not supported +depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED + PSA sign hash interruptible (no interrupt): deterministic ECDSA not supported -depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:1 +depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash interruptible (max interrupt): deterministic ECDSA not supported -depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:1 PSA sign/verify hash: RSA PKCS#1 v1.5, raw depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C From cb23311bd012b3206471840cb3904657994d018d Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Thu, 26 Jan 2023 14:54:47 +0000 Subject: [PATCH 106/250] Fix incorrect test dependencies part 2 Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 0cb5f85f3b..486a544573 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4266,7 +4266,7 @@ depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_P sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash interruptible: ECDSA not supported -depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash interruptible (no interrupt): deterministic ECDSA not supported From 1b49ef538443fcd008387cf570028cb6bbf026bf Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 3 Feb 2023 14:27:32 +0000 Subject: [PATCH 107/250] Fix abort documentation. Make it clear that these functions reset the number of ops, and remove statements that say they have no effect. Signed-off-by: Paul Elliott --- include/psa/crypto.h | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 482b58288e..d371e1a1c8 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4430,7 +4430,13 @@ psa_status_t psa_sign_hash_complete( * \warning This is a beta API, and thus subject to change * at any point. It is not bound by the usual * interface stability promises. - + * + * \note This function is the only function that clears + * the number of ops completed as part of the + * operation. Please ensure you copy this value via + * \c psa_sign_hash_get_num_ops() if required + * before calling. + * * \note Aborting an operation frees all associated * resources except for the \p operation structure * itself. Once aborted, the operation object can @@ -4442,8 +4448,7 @@ psa_status_t psa_sign_hash_complete( * particular, calling \c psa_sign_hash_abort() * after the operation has already been terminated * by a call to \c psa_sign_hash_abort() or - * psa_sign_hash_complete() is safe and has no - * effect. + * psa_sign_hash_complete() is safe. * * \param[in,out] operation Initialized sign hash operation. * @@ -4620,6 +4625,12 @@ psa_status_t psa_verify_hash_complete( * any point. It is not bound by the usual interface * stability promises. * + * \note This function is the only function that clears the + * number of ops completed as part of the operation. + * Please ensure you copy this value via + * \c psa_verify_hash_get_num_ops() if required + * before calling. + * * \note Aborting an operation frees all associated * resources except for the operation structure * itself. Once aborted, the operation object can be @@ -4631,8 +4642,7 @@ psa_status_t psa_verify_hash_complete( * In particular, calling \c psa_verify_hash_abort() * after the operation has already been terminated by * a call to \c psa_verify_hash_abort() or - * psa_verify_hash_complete() is safe and has no - * effect. + * psa_verify_hash_complete() is safe. * * \param[in,out] operation Initialized verify hash operation. * From a3a8abadff79922668ffcbc649a67c4643f96f4b Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 3 Feb 2023 14:49:37 +0000 Subject: [PATCH 108/250] Fix operation initialisers if no algorithms defined Signed-off-by: Paul Elliott --- include/psa/crypto_builtin_composites.h | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index ac065c1630..8000242814 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -135,8 +135,14 @@ typedef struct { * MBEDTLS_ECP_RESTARTABLE */ } mbedtls_psa_sign_hash_interruptible_operation_t; +#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) #define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0, { 0 }, \ { 0 } } +#else +#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 } +#endif /* Context structure for the Mbed TLS interruptible verify hash * implementation.*/ @@ -165,8 +171,14 @@ typedef struct { } mbedtls_psa_verify_hash_interruptible_operation_t; +#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) #define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, { 0 }, \ { 0 } } +#else +#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 } +#endif From 4684525ae98eec45b36f6a5324f49fe863ec5a6b Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 3 Feb 2023 14:59:11 +0000 Subject: [PATCH 109/250] Remove unrequired mpis from sign operation struct These are only used at the output stage. Signed-off-by: Paul Elliott --- include/psa/crypto_builtin_composites.h | 6 +----- library/psa_crypto.c | 23 +++++++++++------------ 2 files changed, 12 insertions(+), 17 deletions(-) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index 8000242814..44fa6de4c2 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -123,9 +123,6 @@ typedef struct { const uint8_t *MBEDTLS_PRIVATE(hash); size_t MBEDTLS_PRIVATE(hash_length); - mbedtls_mpi MBEDTLS_PRIVATE(r); - mbedtls_mpi MBEDTLS_PRIVATE(s); - #else /* Make the struct non-empty if algs not supported. */ unsigned MBEDTLS_PRIVATE(dummy); @@ -138,8 +135,7 @@ typedef struct { #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ defined(MBEDTLS_ECP_RESTARTABLE) -#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0, { 0 }, \ - { 0 } } +#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0 } #else #define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 } #endif diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 748cb13f8c..78d8702d07 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3511,9 +3511,6 @@ psa_status_t mbedtls_psa_sign_hash_start( mbedtls_ecdsa_restart_init(&operation->restart_ctx); - mbedtls_mpi_init(&operation->r); - mbedtls_mpi_init(&operation->s); - operation->curve_bytes = PSA_BITS_TO_BYTES( operation->ctx->grp.pbits); @@ -3547,6 +3544,8 @@ psa_status_t mbedtls_psa_sign_hash_complete( size_t *signature_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + mbedtls_mpi r; + mbedtls_mpi s; #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ @@ -3556,13 +3555,16 @@ psa_status_t mbedtls_psa_sign_hash_complete( return PSA_ERROR_BUFFER_TOO_SMALL; } + mbedtls_mpi_init(&r); + mbedtls_mpi_init(&s); if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) { + #if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) status = mbedtls_to_psa_error( mbedtls_ecdsa_sign_det_restartable(&operation->ctx->grp, - &operation->r, - &operation->s, + &r, + &s, &operation->ctx->d, operation->hash, operation->hash_length, @@ -3577,8 +3579,8 @@ psa_status_t mbedtls_psa_sign_hash_complete( status = mbedtls_to_psa_error( mbedtls_ecdsa_sign_restartable(&operation->ctx->grp, - &operation->r, - &operation->s, + &r, + &s, &operation->ctx->d, operation->hash, operation->hash_length, @@ -3593,7 +3595,7 @@ psa_status_t mbedtls_psa_sign_hash_complete( return status; } else { status = mbedtls_to_psa_error( - mbedtls_mpi_write_binary(&operation->r, + mbedtls_mpi_write_binary(&r, signature, operation->curve_bytes)); @@ -3602,7 +3604,7 @@ psa_status_t mbedtls_psa_sign_hash_complete( } status = mbedtls_to_psa_error( - mbedtls_mpi_write_binary(&operation->s, + mbedtls_mpi_write_binary(&s, signature + operation->curve_bytes, operation->curve_bytes)); @@ -3645,9 +3647,6 @@ psa_status_t mbedtls_psa_sign_hash_abort( mbedtls_ecdsa_restart_free(&operation->restart_ctx); - mbedtls_mpi_free(&operation->r); - mbedtls_mpi_free(&operation->s); - return PSA_SUCCESS; #else From 4ca521fcdb5acc9081209b3e09c2244866ec804d Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 3 Feb 2023 15:02:54 +0000 Subject: [PATCH 110/250] Remove obsolete comments Signed-off-by: Paul Elliott --- include/psa/crypto_struct.h | 6 ------ 1 file changed, 6 deletions(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index bc56a4fa61..1153b8e781 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -493,9 +493,6 @@ static inline size_t psa_get_key_bits( /** * \brief The context for PSA interruptible hash signing. - * - * \note Contents not yet designed as implementation specific. - * */ struct psa_sign_hash_interruptible_operation_s { /** Unique ID indicating which driver got assigned to do the @@ -524,9 +521,6 @@ psa_sign_hash_interruptible_operation_init(void) /** * \brief The context for PSA interruptible hash verification. - * - * \note Contents not yet designed as implementation specific. - * */ struct psa_verify_hash_interruptible_operation_s { /** Unique ID indicating which driver got assigned to do the From ab7c5c8550443b0fdf565bea1d862a41fd176cb0 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 3 Feb 2023 15:49:42 +0000 Subject: [PATCH 111/250] Change incorrect define for MAX_OPS_UNLIMITED Signed-off-by: Paul Elliott --- include/psa/crypto_values.h | 2 +- tests/suites/test_suite_psa_crypto.function | 24 +++++++++++++-------- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 07e96f70ba..39acd96c52 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -2756,7 +2756,7 @@ static inline int mbedtls_svc_key_id_is_null(mbedtls_svc_key_id_t key) * the maximum number of ops allowed to be executed by an interruptible * function in a single call. */ -#define PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED INT32_MAX +#define PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED UINT32_MAX /**@}*/ diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 7f50e960c8..7b9daaec1c 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6447,7 +6447,7 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ void sign_hash_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data, - data_t *output_data, int max_ops) + data_t *output_data, int max_ops_arg) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; @@ -6458,11 +6458,13 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data, size_t signature_length = 0xdeadbeef; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_status_t status = PSA_OPERATION_INCOMPLETE; - size_t num_ops = 0; + uint32_t num_ops = 0; + uint32_t max_ops = max_ops_arg; size_t num_ops_prior = 0; size_t num_completes = 0; size_t min_completes = 0; size_t max_completes = 0; + psa_sign_hash_interruptible_operation_t operation = psa_sign_hash_interruptible_operation_init(); @@ -6599,7 +6601,7 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, int signature_size_arg, int expected_start_status_arg, int expected_complete_status_arg, - int max_ops) + int max_ops_arg) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; @@ -6610,7 +6612,8 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, psa_status_t expected_complete_status = expected_complete_status_arg; unsigned char *signature = NULL; size_t signature_length = 0xdeadbeef; - size_t num_ops = 0; + uint32_t num_ops = 0; + uint32_t max_ops = max_ops_arg; size_t num_ops_prior = 0; size_t num_completes = 0; size_t min_completes = 0; @@ -6779,7 +6782,7 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data, - int max_ops) + int max_ops_arg) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; @@ -6790,6 +6793,7 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, size_t signature_length = 0xdeadbeef; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_status_t status = PSA_OPERATION_INCOMPLETE; + uint32_t max_ops = max_ops_arg; size_t num_completes = 0; size_t min_completes = 0; size_t max_completes = 0; @@ -6946,14 +6950,15 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ void verify_hash_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *hash_data, - data_t *signature_data, int max_ops) + data_t *signature_data, int max_ops_arg) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; psa_algorithm_t alg = alg_arg; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_status_t status = PSA_OPERATION_INCOMPLETE; - size_t num_ops = 0; + uint32_t num_ops = 0; + uint32_t max_ops = max_ops_arg; size_t num_ops_prior = 0; size_t num_completes = 0; size_t min_completes = 0; @@ -7068,7 +7073,7 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, data_t *signature_data, int expected_start_status_arg, int expected_complete_status_arg, - int max_ops) + int max_ops_arg) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; @@ -7077,7 +7082,8 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, psa_status_t expected_start_status = expected_start_status_arg; psa_status_t expected_complete_status = expected_complete_status_arg; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - size_t num_ops = 0; + uint32_t num_ops = 0; + uint32_t max_ops = max_ops_arg; size_t num_ops_prior = 0; size_t num_completes = 0; size_t min_completes = 0; From e17a8fd9fd3e8a35c599656efbf86fa8af48193e Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 3 Feb 2023 16:15:36 +0000 Subject: [PATCH 112/250] Remove unneeded warning from internal headers Signed-off-by: Paul Elliott --- library/psa_crypto_core.h | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 2f3cb64584..610d780335 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -610,9 +610,6 @@ psa_status_t psa_key_agreement_raw_builtin( * \brief Set the maximum number of ops allowed to be executed by an * interruptible function in a single call. * - * \warning This is a beta API, and thus subject to change at any point. It is - * not bound by the usual interface stability promises. - * * \note The signature of this function is that of a PSA driver * interruptible_set_max_ops entry point. This function behaves as an * interruptible_set_max_ops entry point as defined in the PSA driver @@ -630,9 +627,6 @@ void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops); * \brief Get the maximum number of ops allowed to be executed by an * interruptible function in a single call. * - * \warning This is a beta API, and thus subject to change at any point. It is - * not bound by the usual interface stability promises. - * * \note The signature of this function is that of a PSA driver * interruptible_get_max_ops entry point. This function behaves as an * interruptible_get_max_ops entry point as defined in the PSA driver @@ -650,9 +644,6 @@ uint32_t mbedtls_psa_interruptible_get_max_ops(void); * or calling psa_sign_hash_interruptible_abort() on the operation, a * value of 0 will be returned. * - * \warning This is a beta API, and thus subject to change at any point. It is - * not bound by the usual interface stability promises. - * * \note The signature of this function is that of a PSA driver * sign_get_num_ops entry point. This function behaves as a * sign_get_num_ops entry point as defined in the PSA driver interface @@ -675,9 +666,6 @@ uint32_t mbedtls_psa_sign_hash_get_num_ops( * or calling psa_verify_hash_interruptible_abort() on the operation, a * value of 0 will be returned. * - * \warning This is a beta API, and thus subject to change at any point. It is - * not bound by the usual interface stability promises. - * * \note The signature of this function is that of a PSA driver * verify_get_num_ops entry point. This function behaves as a * verify_get_num_ops entry point as defined in the PSA driver interface @@ -697,9 +685,6 @@ uint32_t mbedtls_psa_verify_hash_get_num_ops( * \brief Start signing a hash or short message with a private key, in an * interruptible manner. * - * \warning This is a beta API, and thus subject to change at any point. It is - * not bound by the usual interface stability promises. - * * \note The signature of this function is that of a PSA driver * sign_hash_start entry point. This function behaves as a * sign_hash_start entry point as defined in the PSA driver interface @@ -738,9 +723,6 @@ psa_status_t mbedtls_psa_sign_hash_start( * \brief Continue and eventually complete the action of signing a hash or * short message with a private key, in an interruptible manner. * - * \warning This is a beta API, and thus subject to change at any point. It is - * not bound by the usual interface stability promises. - * * \note The signature of this function is that of a PSA driver * sign_hash_complete entry point. This function behaves as a * sign_hash_complete entry point as defined in the PSA driver interface @@ -786,9 +768,6 @@ psa_status_t mbedtls_psa_sign_hash_complete( /** * \brief Abort a sign hash operation. * - * \warning This is a beta API, and thus subject to change at any point. It is - * not bound by the usual interface stability promises. - * * \note The signature of this function is that of a PSA driver sign_hash_abort * entry point. This function behaves as a sign_hash_abort entry point as * defined in the PSA driver interface specification for transparent @@ -808,9 +787,6 @@ psa_status_t mbedtls_psa_sign_hash_abort( * \brief Start reading and verifying a hash or short message, in an * interruptible manner. * - * \warning This is a beta API, and thus subject to change at any point. It is - * not bound by the usual interface stability promises. - * * \note The signature of this function is that of a PSA driver * verify_hash_start entry point. This function behaves as a * verify_hash_start entry point as defined in the PSA driver interface @@ -853,9 +829,6 @@ psa_status_t mbedtls_psa_verify_hash_start( * \brief Continue and eventually complete the action of signing a hash or * short message with a private key, in an interruptible manner. * - * \warning This is a beta API, and thus subject to change at any point. It is - * not bound by the usual interface stability promises. - * * \note The signature of this function is that of a PSA driver * sign_hash_complete entry point. This function behaves as a * sign_hash_complete entry point as defined in the PSA driver interface @@ -887,9 +860,6 @@ psa_status_t mbedtls_psa_verify_hash_complete( /** * \brief Abort a verify signed hash operation. * - * \warning This is a beta API, and thus subject to change at any point. It is - * not bound by the usual interface stability promises. - * * \note The signature of this function is that of a PSA driver * verify_hash_abort entry point. This function behaves as a * verify_hash_abort entry point as defined in the PSA driver interface From 096abc4dc0dd1cabf2f5f3350727e9b1b401c290 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 3 Feb 2023 18:33:23 +0000 Subject: [PATCH 113/250] Remove incorrect copied comment Signed-off-by: Paul Elliott --- library/psa_crypto.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 78d8702d07..2797291dc8 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3246,10 +3246,8 @@ psa_status_t psa_sign_hash_complete( goto exit; } - /* Immediately reject a zero-length signature buffer. This guarantees - * that signature must be a valid pointer. (On the other hand, the input - * buffer can in principle be empty since it doesn't actually have - * to be a hash.) */ + /* Immediately reject a zero-length signature buffer. This guarantees that + * signature must be a valid pointer. */ if (signature_size == 0) { status = PSA_ERROR_BUFFER_TOO_SMALL; goto exit; From 1bc59df92c4c82f284635bbb16fb1499e746c5df Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Sun, 5 Feb 2023 13:41:57 +0000 Subject: [PATCH 114/250] Rename curve_bytes to coordinate_bytes Also remove unneeded instance from verify operation struct. Signed-off-by: Paul Elliott --- include/psa/crypto_builtin_composites.h | 3 +-- library/psa_crypto.c | 27 +++++++++++++------------ 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index 44fa6de4c2..7122cc829e 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -117,7 +117,7 @@ typedef struct { mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx); mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx); - size_t MBEDTLS_PRIVATE(curve_bytes); + size_t MBEDTLS_PRIVATE(coordinate_bytes); psa_algorithm_t MBEDTLS_PRIVATE(alg); mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg); const uint8_t *MBEDTLS_PRIVATE(hash); @@ -150,7 +150,6 @@ typedef struct { mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx); mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx); - size_t MBEDTLS_PRIVATE(curve_bytes); const uint8_t *MBEDTLS_PRIVATE(hash); size_t MBEDTLS_PRIVATE(hash_length); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 2797291dc8..dcc6ab8573 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3509,7 +3509,7 @@ psa_status_t mbedtls_psa_sign_hash_start( mbedtls_ecdsa_restart_init(&operation->restart_ctx); - operation->curve_bytes = PSA_BITS_TO_BYTES( + operation->coordinate_bytes = PSA_BITS_TO_BYTES( operation->ctx->grp.pbits); psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg); @@ -3549,7 +3549,7 @@ psa_status_t mbedtls_psa_sign_hash_complete( defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ defined(MBEDTLS_ECP_RESTARTABLE) - if (signature_size < 2 * operation->curve_bytes) { + if (signature_size < 2 * operation->coordinate_bytes) { return PSA_ERROR_BUFFER_TOO_SMALL; } @@ -3595,7 +3595,8 @@ psa_status_t mbedtls_psa_sign_hash_complete( status = mbedtls_to_psa_error( mbedtls_mpi_write_binary(&r, signature, - operation->curve_bytes)); + operation->coordinate_bytes) + ); if (status != PSA_SUCCESS) { return status; @@ -3604,14 +3605,15 @@ psa_status_t mbedtls_psa_sign_hash_complete( status = mbedtls_to_psa_error( mbedtls_mpi_write_binary(&s, signature + - operation->curve_bytes, - operation->curve_bytes)); + operation->coordinate_bytes, + operation->coordinate_bytes) + ); if (status != PSA_SUCCESS) { return status; } - *signature_length = operation->curve_bytes * 2; + *signature_length = operation->coordinate_bytes * 2; return PSA_SUCCESS; } @@ -3667,6 +3669,7 @@ psa_status_t mbedtls_psa_verify_hash_start( const uint8_t *signature, size_t signature_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t coordinate_bytes = 0; if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) { return PSA_ERROR_NOT_SUPPORTED; @@ -3695,11 +3698,9 @@ psa_status_t mbedtls_psa_verify_hash_start( return status; } - operation->curve_bytes = PSA_BITS_TO_BYTES( - operation->ctx->grp.pbits); + coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.pbits); - - if (signature_length != 2 * operation->curve_bytes) { + if (signature_length != 2 * coordinate_bytes) { return PSA_ERROR_INVALID_SIGNATURE; } @@ -3707,7 +3708,7 @@ psa_status_t mbedtls_psa_verify_hash_start( status = mbedtls_to_psa_error( mbedtls_mpi_read_binary(&operation->r, signature, - operation->curve_bytes)); + coordinate_bytes)); if (status != PSA_SUCCESS) { return status; @@ -3717,8 +3718,8 @@ psa_status_t mbedtls_psa_verify_hash_start( status = mbedtls_to_psa_error( mbedtls_mpi_read_binary(&operation->s, signature + - operation->curve_bytes, - operation->curve_bytes)); + coordinate_bytes, + coordinate_bytes)); if (status != PSA_SUCCESS) { return status; From 813f9cdcbbf43307952ee18ce835dadc9d9b478c Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Sun, 5 Feb 2023 15:28:46 +0000 Subject: [PATCH 115/250] Non ECDSA algorithms should return not supported Signed-off-by: Paul Elliott --- library/psa_crypto.c | 4 ++-- tests/suites/test_suite_psa_crypto.data | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index dcc6ab8573..93b404569f 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3485,7 +3485,7 @@ psa_status_t mbedtls_psa_sign_hash_start( } if (!PSA_ALG_IS_ECDSA(alg)) { - return PSA_ERROR_INVALID_ARGUMENT; + return PSA_ERROR_NOT_SUPPORTED; } #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ @@ -3676,7 +3676,7 @@ psa_status_t mbedtls_psa_verify_hash_start( } if (!PSA_ALG_IS_ECDSA(alg)) { - return PSA_ERROR_INVALID_ARGUMENT; + return PSA_ERROR_NOT_SUPPORTED; } #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 486a544573..8981adc0b0 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4263,7 +4263,7 @@ sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):" PSA sign hash interruptible: invalid algorithm for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash interruptible: ECDSA not supported depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED @@ -4551,7 +4551,7 @@ verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R PSA verify hash interruptible: invalid algorithm for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA interruptible hash state test: randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 From 0e9d6bd3f8041e86a77d3b592bc730e18ca37f93 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Sun, 5 Feb 2023 15:32:53 +0000 Subject: [PATCH 116/250] Replace MBEDTLS_ECP_DP_SECP384R1_ENABLED With more appropriate PSA_WANT_ECC_SECP_R1_384 Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 8981adc0b0..ccee39b6f9 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4230,7 +4230,7 @@ depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_P sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT PSA sign hash: deterministic ECDSA not supported -depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256, output buffer too small @@ -4266,15 +4266,15 @@ depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_P sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash interruptible: ECDSA not supported -depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash interruptible (no interrupt): deterministic ECDSA not supported -depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED PSA sign hash interruptible (max interrupt): deterministic ECDSA not supported -depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:1 PSA sign/verify hash: RSA PKCS#1 v1.5, raw From f9c91a7fb5766cdb5b85a6dc3292c155e8309c26 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Sun, 5 Feb 2023 18:06:38 +0000 Subject: [PATCH 117/250] Store the hash, rather than the pointer For sign and verify, the pointer passed in to the hash is not guaranteed to remain valid inbetween calls, thus we need to store the hash in the operation. Added a test to ensure this is the case. Signed-off-by: Paul Elliott --- include/psa/crypto_builtin_composites.h | 4 +-- library/psa_crypto.c | 24 +++++++++++-- library/psa_crypto_core.h | 6 ++-- tests/suites/test_suite_psa_crypto.function | 40 +++++++++++++++++++++ 4 files changed, 68 insertions(+), 6 deletions(-) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index 7122cc829e..ba3d253022 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -120,7 +120,7 @@ typedef struct { size_t MBEDTLS_PRIVATE(coordinate_bytes); psa_algorithm_t MBEDTLS_PRIVATE(alg); mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg); - const uint8_t *MBEDTLS_PRIVATE(hash); + uint8_t *MBEDTLS_PRIVATE(hash); size_t MBEDTLS_PRIVATE(hash_length); #else @@ -150,7 +150,7 @@ typedef struct { mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx); mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx); - const uint8_t *MBEDTLS_PRIVATE(hash); + uint8_t *MBEDTLS_PRIVATE(hash); size_t MBEDTLS_PRIVATE(hash_length); mbedtls_mpi MBEDTLS_PRIVATE(r); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 93b404569f..a3bc80698a 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3516,7 +3516,13 @@ psa_status_t mbedtls_psa_sign_hash_start( operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg); operation->alg = alg; - operation->hash = hash; + operation->hash = mbedtls_calloc(1, hash_length); + + if (operation->hash == NULL) { + return PSA_ERROR_INSUFFICIENT_MEMORY; + } + + memcpy(operation->hash, hash, hash_length); operation->hash_length = hash_length; return PSA_SUCCESS; @@ -3643,8 +3649,12 @@ psa_status_t mbedtls_psa_sign_hash_abort( if (operation->ctx) { mbedtls_ecdsa_free(operation->ctx); mbedtls_free(operation->ctx); + operation->ctx = NULL; } + mbedtls_free(operation->hash); + operation->hash = NULL; + mbedtls_ecdsa_restart_free(&operation->restart_ctx); return PSA_SUCCESS; @@ -3743,7 +3753,13 @@ psa_status_t mbedtls_psa_verify_hash_start( mbedtls_ecdsa_restart_init(&operation->restart_ctx); - operation->hash = hash; + operation->hash = mbedtls_calloc(1, hash_length); + + if (operation->hash == NULL) { + return PSA_ERROR_INSUFFICIENT_MEMORY; + } + + memcpy(operation->hash, hash, hash_length); operation->hash_length = hash_length; return PSA_SUCCESS; @@ -3802,8 +3818,12 @@ psa_status_t mbedtls_psa_verify_hash_abort( if (operation->ctx) { mbedtls_ecdsa_free(operation->ctx); mbedtls_free(operation->ctx); + operation->ctx = NULL; } + mbedtls_free(operation->hash); + operation->hash = NULL; + mbedtls_ecdsa_restart_free(&operation->restart_ctx); mbedtls_mpi_free(&operation->r); diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 610d780335..f74db70888 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -711,7 +711,8 @@ uint32_t mbedtls_psa_verify_hash_get_num_ops( * \retval #PSA_ERROR_NOT_SUPPORTED Either no internal interruptible operations * are currently supported, or the key type is currently unsupported. * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * There was insufficient memory to load the key representation. + * There was insufficient memory either to load the key representation, + * or to store the hash. */ psa_status_t mbedtls_psa_sign_hash_start( mbedtls_psa_sign_hash_interruptible_operation_t *operation, @@ -815,7 +816,8 @@ psa_status_t mbedtls_psa_sign_hash_abort( * Either no internal interruptible operations are currently supported, * or the key type is currently unsupported. * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * There was insufficient memory to load the key representation. + * There was insufficient memory either to load the key representation, + * or to store the hash. */ psa_status_t mbedtls_psa_verify_hash_start( mbedtls_psa_verify_hash_interruptible_operation_t *operation, diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 7b9daaec1c..f050abfa42 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -7174,6 +7174,7 @@ void hash_interruptible_state_test(int key_type_arg, data_t *key_data, size_t signature_size; size_t signature_length = 0xdeadbeef; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + uint8_t *input_buffer = NULL; psa_sign_hash_interruptible_operation_t sign_operation = psa_sign_hash_interruptible_operation_init(); psa_verify_hash_interruptible_operation_t verify_operation = @@ -7351,6 +7352,45 @@ void hash_interruptible_state_test(int key_type_arg, data_t *key_data, PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + /* Trash the hash buffer in between start and complete, to ensure + * no reliance on external buffers. */ + psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); + + input_buffer = mbedtls_calloc(1, input_data->len); + TEST_ASSERT(input_buffer != NULL); + + memcpy(input_buffer, input_data->x, input_data->len); + + PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, + input_buffer, input_data->len)); + + memset(input_buffer, '!', input_data->len); + mbedtls_free(input_buffer); + input_buffer = NULL; + + PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature, + signature_size, + &signature_length)); + + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + + input_buffer = mbedtls_calloc(1, input_data->len); + TEST_ASSERT(input_buffer != NULL); + + memcpy(input_buffer, input_data->x, input_data->len); + + PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, + input_buffer, input_data->len, + signature, signature_length)); + + memset(input_buffer, '!', input_data->len); + mbedtls_free(input_buffer); + input_buffer = NULL; + + PSA_ASSERT(psa_verify_hash_complete(&verify_operation)); + + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + exit: /* * Key attributes may have been returned by psa_get_key_attributes() From c9774411d4b90d32b6f0821aca4d53dec461f8c4 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Mon, 6 Feb 2023 15:14:07 +0000 Subject: [PATCH 118/250] Ensure that operation is put into error state if error occurs If an error occurs, calling any function on the same operation should return PSA_ERROR_BAD_STATE, and we were not honouring that for all errors. Add extra failure tests to try and ratify this. Signed-off-by: Paul Elliott --- include/psa/crypto_struct.h | 8 +++- library/psa_crypto.c | 51 ++++++++++++++++----- tests/suites/test_suite_psa_crypto.function | 44 ++++++++++++++---- 3 files changed, 79 insertions(+), 24 deletions(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 1153b8e781..934bc176ef 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -505,10 +505,12 @@ struct psa_sign_hash_interruptible_operation_s { psa_driver_sign_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx); + unsigned int MBEDTLS_PRIVATE(error_occurred) : 1; + uint32_t MBEDTLS_PRIVATE(num_ops); }; -#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0 } +#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 } static inline struct psa_sign_hash_interruptible_operation_s psa_sign_hash_interruptible_operation_init(void) @@ -533,10 +535,12 @@ struct psa_verify_hash_interruptible_operation_s { psa_driver_verify_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx); + unsigned int MBEDTLS_PRIVATE(error_occurred) : 1; + uint32_t MBEDTLS_PRIVATE(num_ops); }; -#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0 } +#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 } static inline struct psa_verify_hash_interruptible_operation_s psa_verify_hash_interruptible_operation_init(void) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a3bc80698a..882cb968fe 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3183,14 +3183,15 @@ psa_status_t psa_sign_hash_start( psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot; - /* Check that start has not been previously called. */ - if (operation->id != 0) { + /* Check that start has not been previously called, or operation has not + * previously errored. */ + if (operation->id != 0 || operation->error_occurred) { return PSA_ERROR_BAD_STATE; } - status = psa_sign_verify_check_alg(0, alg); if (status != PSA_SUCCESS) { + operation->error_occurred = 1; return status; } @@ -3221,13 +3222,17 @@ psa_status_t psa_sign_hash_start( exit: if (status != PSA_SUCCESS) { + operation->error_occurred = 1; psa_sign_hash_abort_internal(operation); } unlock_status = psa_unlock_key_slot(slot); - return (status == PSA_SUCCESS) ? unlock_status : status; + if (unlock_status != PSA_SUCCESS) { + operation->error_occurred = 1; + } + return (status == PSA_SUCCESS) ? unlock_status : status; } @@ -3240,8 +3245,9 @@ psa_status_t psa_sign_hash_complete( *signature_length = 0; - /* Check that start has been called first. */ - if (operation->id == 0) { + /* Check that start has been called first, and that operation has not + * previously errored. */ + if (operation->id == 0 || operation->error_occurred) { status = PSA_ERROR_BAD_STATE; goto exit; } @@ -3276,6 +3282,10 @@ exit: /* If signature_size is 0 then we have nothing to do. We must not * call memset because signature may be NULL in this case.*/ + if (status != PSA_SUCCESS) { + operation->error_occurred = 1; + } + psa_sign_hash_abort_internal(operation); } @@ -3293,6 +3303,9 @@ psa_status_t psa_sign_hash_abort( * the operation fails or succeeds, only on manual abort. */ operation->num_ops = 0; + /* Likewise, failure state. */ + operation->error_occurred = 0; + return status; } @@ -3325,13 +3338,15 @@ psa_status_t psa_verify_hash_start( psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot; - /* Check that start has not been previously called. */ - if (operation->id != 0) { + /* Check that start has not been previously called, or operation has not + * previously errored. */ + if (operation->id != 0 || operation->error_occurred) { return PSA_ERROR_BAD_STATE; } status = psa_sign_verify_check_alg(0, alg); if (status != PSA_SUCCESS) { + operation->error_occurred = 1; return status; } @@ -3340,6 +3355,7 @@ psa_status_t psa_verify_hash_start( alg); if (status != PSA_SUCCESS) { + operation->error_occurred = 1; return status; } @@ -3357,14 +3373,17 @@ psa_status_t psa_verify_hash_start( signature, signature_length); if (status != PSA_SUCCESS) { + operation->error_occurred = 1; psa_verify_hash_abort_internal(operation); } unlock_status = psa_unlock_key_slot(slot); - return (status == PSA_SUCCESS) ? unlock_status : status; + if (unlock_status != PSA_SUCCESS) { + operation->error_occurred = 1; + } - return status; + return (status == PSA_SUCCESS) ? unlock_status : status; } psa_status_t psa_verify_hash_complete( @@ -3372,8 +3391,9 @@ psa_status_t psa_verify_hash_complete( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - /* Check that start has been called first. */ - if (operation->id == 0) { + /* Check that start has been called first, and that operation has not + * previously errored. */ + if (operation->id == 0 || operation->error_occurred) { status = PSA_ERROR_BAD_STATE; goto exit; } @@ -3387,6 +3407,10 @@ exit: operation); if (status != PSA_OPERATION_INCOMPLETE) { + if (status != PSA_SUCCESS) { + operation->error_occurred = 1; + } + psa_verify_hash_abort_internal(operation); } @@ -3404,6 +3428,9 @@ psa_status_t psa_verify_hash_abort( * the operation fails or succeeds, only on manual abort. */ operation->num_ops = 0; + /* Likewise, failure state. */ + operation->error_occurred = 0; + return status; } diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index f050abfa42..bee923229f 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6659,6 +6659,13 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, TEST_EQUAL(actual_status, expected_start_status); + if (expected_start_status != PSA_SUCCESS) { + actual_status = psa_sign_hash_start(&operation, key, alg, + input_data->x, input_data->len); + + TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); + } + num_ops_prior = psa_sign_hash_get_num_ops(&operation); TEST_ASSERT(num_ops_prior == 0); @@ -6679,12 +6686,14 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, } } while (actual_status == PSA_OPERATION_INCOMPLETE); - /* If the psa_sign_hash_start() failed, psa_sign_hash_complete() - * should also fail with bad state. */ - if (expected_start_status != PSA_SUCCESS) { + TEST_EQUAL(actual_status, expected_complete_status); + + if (expected_complete_status != PSA_SUCCESS) { + actual_status = psa_sign_hash_complete(&operation, signature, + signature_size, + &signature_length); + TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); - } else if (actual_status != PSA_OPERATION_INCOMPLETE) { - TEST_EQUAL(actual_status, expected_complete_status); } PSA_ASSERT(psa_sign_hash_abort(&operation)); @@ -7121,6 +7130,15 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, TEST_EQUAL(actual_status, expected_start_status); + if (expected_start_status != PSA_SUCCESS) { + actual_status = psa_verify_hash_start(&operation, key, alg, + hash_data->x, hash_data->len, + signature_data->x, + signature_data->len); + + TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); + } + num_ops_prior = psa_verify_hash_get_num_ops(&operation); TEST_ASSERT(num_ops_prior == 0); @@ -7139,12 +7157,12 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, } } while (actual_status == PSA_OPERATION_INCOMPLETE); - /* If the psa_verify_hash_start() failed, - * psa_verify_hash_complete() should also fail with bad state.*/ - if (expected_start_status != PSA_SUCCESS) { + TEST_EQUAL(actual_status, expected_complete_status); + + if (expected_complete_status != PSA_SUCCESS) { + actual_status = psa_verify_hash_complete(&operation); + TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); - } else if (actual_status != PSA_OPERATION_INCOMPLETE) { - TEST_EQUAL(actual_status, expected_complete_status); } TEST_LE_U(min_completes, num_completes); @@ -7350,6 +7368,12 @@ void hash_interruptible_state_test(int key_type_arg, data_t *key_data, &signature_length), PSA_ERROR_BUFFER_TOO_SMALL); + /* And test that this invalidates the operation. */ + TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, + 0, + &signature_length), + PSA_ERROR_BAD_STATE); + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); /* Trash the hash buffer in between start and complete, to ensure From eefe47292ca04717ffca05e3b6abbc5429cc96c9 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Mon, 6 Feb 2023 15:59:09 +0000 Subject: [PATCH 119/250] Move loading of public part of ECP into function Signed-off-by: Paul Elliott --- library/psa_crypto.c | 16 +++------------- library/psa_crypto_ecp.c | 23 +++++++++++++++++------ library/psa_crypto_ecp.h | 9 +++++++++ 3 files changed, 29 insertions(+), 19 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 882cb968fe..62828bdb43 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3762,20 +3762,10 @@ psa_status_t mbedtls_psa_verify_hash_start( return status; } - /* Check whether the public part is loaded. If not, load it. */ - if (mbedtls_ecp_is_zero(&operation->ctx->Q)) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + int ret = mbedtls_psa_ecp_load_public_part(operation->ctx); - ret = mbedtls_ecp_mul(&operation->ctx->grp, - &operation->ctx->Q, - &operation->ctx->d, - &operation->ctx->grp.G, - mbedtls_psa_get_random, - MBEDTLS_PSA_RANDOM_STATE); - - if (ret != 0) { - return mbedtls_to_psa_error(ret); - } + if (ret != 0) { + return mbedtls_to_psa_error(ret); } mbedtls_ecdsa_restart_init(&operation->restart_ctx); diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c index c4ccefd757..cc80f27760 100644 --- a/library/psa_crypto_ecp.c +++ b/library/psa_crypto_ecp.c @@ -404,6 +404,21 @@ cleanup: return mbedtls_to_psa_error(ret); } +int mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp) +{ + int ret = 0; + + /* Check whether the public part is loaded. If not, load it. */ + if (mbedtls_ecp_is_zero(&ecp->Q)) { + ret = mbedtls_ecp_mul(&ecp->grp, &ecp->Q, + &ecp->d, &ecp->grp.G, + mbedtls_psa_get_random, + MBEDTLS_PSA_RANDOM_STATE); + } + + return ret; +} + psa_status_t mbedtls_psa_ecdsa_verify_hash( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, @@ -443,12 +458,8 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash( signature + curve_bytes, curve_bytes)); - /* Check whether the public part is loaded. If not, load it. */ - if (mbedtls_ecp_is_zero(&ecp->Q)) { - MBEDTLS_MPI_CHK( - mbedtls_ecp_mul(&ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G, - mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE)); - } + MBEDTLS_MPI_CHK(mbedtls_psa_ecp_load_public_part(ecp)); + ret = mbedtls_ecdsa_verify(&ecp->grp, hash, hash_length, &ecp->Q, &r, &s); diff --git a/library/psa_crypto_ecp.h b/library/psa_crypto_ecp.h index 71f9d6acca..8b567fe3bf 100644 --- a/library/psa_crypto_ecp.h +++ b/library/psa_crypto_ecp.h @@ -48,6 +48,15 @@ psa_status_t mbedtls_psa_ecp_load_representation(psa_key_type_t type, size_t data_length, mbedtls_ecp_keypair **p_ecp); +/** Load the public part of an internal ECP, if required. + * + * \param ecp The ECP context to load the public part for. + * + * \return 0 on success, otherwise an MPI error. + */ + +int mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp); + /** Import an ECP key in binary format. * * \note The signature of this function is that of a PSA driver From 6f60037589394947ebc08bfc3030231b2e08cd66 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Mon, 6 Feb 2023 18:41:05 +0000 Subject: [PATCH 120/250] Move {min|max}_complete choice logic into function Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 80 ++++++++++----------- 1 file changed, 39 insertions(+), 41 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index bee923229f..a1b3c902b6 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -1220,6 +1220,31 @@ typedef enum { INJECT_ANTICIPATE_KEY_DERIVATION_2, } ecjpake_injected_failure_t; +static void interruptible_signverify_get_minmax_completes(uint32_t max_ops, + psa_status_t expected_status, + size_t *min_completes, + size_t *max_completes) +{ + + /* This is slightly contrived, but we only really know that with a minimum + value of max_ops that a successful operation should take more than one op + to complete, and likewise that with a max_ops of + PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, it should complete in one go. */ + if (max_ops == 0 || max_ops == 1) { + /* Failure test cases will fail on the first op. */ + if (expected_status == PSA_SUCCESS) { + *min_completes = 2; + } else { + *min_completes = 1; + } + + *max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; + } else { + *min_completes = 1; + *max_completes = 1; + } +} + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -6489,13 +6514,8 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data, psa_interruptible_set_max_ops(max_ops); - if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) { - min_completes = 1; - max_completes = 1; - } else { - min_completes = 2; - max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; - } + interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS, + &min_completes, &max_completes); num_ops_prior = psa_sign_hash_get_num_ops(&operation); TEST_ASSERT(num_ops_prior == 0); @@ -6636,19 +6656,10 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, psa_interruptible_set_max_ops(max_ops); - if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) { - min_completes = 1; - max_completes = 1; - } else { - /* Unfortunate, but failure cases tend to fail on the first op. */ - if (expected_complete_status == PSA_SUCCESS) { - min_completes = 2; - } else { - min_completes = 1; - } - - max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; - } + interruptible_signverify_get_minmax_completes(max_ops, + expected_complete_status, + &min_completes, + &max_completes); num_ops_prior = psa_sign_hash_get_num_ops(&operation); TEST_ASSERT(num_ops_prior == 0); @@ -6834,13 +6845,8 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, psa_interruptible_set_max_ops(max_ops); - if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) { - min_completes = 1; - max_completes = 1; - } else { - min_completes = 2; - max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; - } + interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS, + &min_completes, &max_completes); /* Start performing the signature. */ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, @@ -6989,13 +6995,8 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data, psa_interruptible_set_max_ops(max_ops); - if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) { - min_completes = 1; - max_completes = 1; - } else { - min_completes = 2; - max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; - } + interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS, + &min_completes, &max_completes); num_ops_prior = psa_verify_hash_get_num_ops(&operation); @@ -7111,13 +7112,10 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, psa_interruptible_set_max_ops(max_ops); - if (max_ops == PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED) { - min_completes = 1; - max_completes = 1; - } else { - min_completes = 2; - max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; - } + interruptible_signverify_get_minmax_completes(max_ops, + expected_complete_status, + &min_completes, + &max_completes); num_ops_prior = psa_verify_hash_get_num_ops(&operation); TEST_ASSERT(num_ops_prior == 0); From 1243f93ccaeb1b4b41e67cbb89af42270de4969e Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 7 Feb 2023 11:21:10 +0000 Subject: [PATCH 121/250] Fix build fails with non ECDSA / restartable builds Signed-off-by: Paul Elliott --- library/psa_crypto.c | 6 ++++-- tests/suites/test_suite_psa_crypto.function | 7 +++++++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 62828bdb43..b8abfd09e4 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3575,13 +3575,14 @@ psa_status_t mbedtls_psa_sign_hash_complete( size_t *signature_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - mbedtls_mpi r; - mbedtls_mpi s; #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ defined(MBEDTLS_ECP_RESTARTABLE) + mbedtls_mpi r; + mbedtls_mpi s; + if (signature_size < 2 * operation->coordinate_bytes) { return PSA_ERROR_BUFFER_TOO_SMALL; } @@ -3790,6 +3791,7 @@ psa_status_t mbedtls_psa_verify_hash_start( (void) signature; (void) signature_length; (void) status; + (void) coordinate_bytes; return PSA_ERROR_NOT_SUPPORTED; #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index a1b3c902b6..7ad856924e 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -1220,6 +1220,10 @@ typedef enum { INJECT_ANTICIPATE_KEY_DERIVATION_2, } ecjpake_injected_failure_t; +#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + defined(MBEDTLS_ECP_RESTARTABLE) + static void interruptible_signverify_get_minmax_completes(uint32_t max_ops, psa_status_t expected_status, size_t *min_completes, @@ -1244,6 +1248,9 @@ static void interruptible_signverify_get_minmax_completes(uint32_t max_ops, *max_completes = 1; } } +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && + * defined( MBEDTLS_ECP_RESTARTABLE ) */ /* END_HEADER */ From 939bd9485d2051fb816902c007c5d34e4739ca6c Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 7 Feb 2023 12:15:24 +0000 Subject: [PATCH 122/250] Move output buffer wiping code to seperate function. Signed-off-by: Paul Elliott --- library/psa_crypto.c | 60 ++++++++++++++++++++++++++------------------ 1 file changed, 35 insertions(+), 25 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index b8abfd09e4..d3ac4ce618 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -2683,6 +2683,37 @@ static psa_status_t psa_sign_verify_check_alg(int input_is_message, return PSA_SUCCESS; } +/** + * \brief Fill the unused part of the output buffer(the + * whole buffer on error, the trailing part on + * success) with something that isn't a valid + * signature (barring an attack on the signature + * and deliberately-crafted input), in case the + * caller doesn't check the return status properly. + * + * \param output_buffer pointer to buffer to wipe. May not be NULL + * unless /p output_buffer_size is zero. + * \param status status of function called to generate + * output_buffer originally + * \param output_buffer_size Size of output buffer. If zero, /p output_buffer + * could be NULL + * \param output_buffer_length Length of data written to output_buffer, must be + * less than /p output_buffer_size + */ +static void psa_wipe_output_buffer(uint8_t *output_buffer, psa_status_t status, + size_t output_buffer_size, size_t output_buffer_length) +{ + if (status == PSA_SUCCESS) { + memset(output_buffer + output_buffer_length, '!', + output_buffer_size - output_buffer_length); + } else if (output_buffer_size > 0) { + memset(output_buffer, '!', output_buffer_size); + } + /* If output_buffer_size is 0 then we have nothing to do. We must + * not call memset because output_buffer may be NULL in this + * case.*/ +} + static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key, int input_is_message, psa_algorithm_t alg, @@ -2745,18 +2776,8 @@ static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key, exit: - /* Fill the unused part of the output buffer (the whole buffer on error, - * the trailing part on success) with something that isn't a valid signature - * (barring an attack on the signature and deliberately-crafted input), - * in case the caller doesn't check the return status properly. */ - if (status == PSA_SUCCESS) { - memset(signature + *signature_length, '!', - signature_size - *signature_length); - } else { - memset(signature, '!', signature_size); - } - /* If signature_size is 0 then we have nothing to do. We must not call - * memset because signature may be NULL in this case. */ + psa_wipe_output_buffer(signature, status, signature_size, + *signature_length); unlock_status = psa_unlock_key_slot(slot); @@ -3268,19 +3289,8 @@ exit: operation->num_ops += psa_driver_wrapper_sign_hash_get_num_ops(operation); if (status != PSA_OPERATION_INCOMPLETE) { - /* Fill the unused part of the output buffer (the whole buffer on error, - * the trailing part on success) with something that isn't a valid - * signature (barring an attack on the signature and - * deliberately-crafted input), in case the caller doesn't check the - * return status properly.*/ - if (status == PSA_SUCCESS) { - memset(signature + *signature_length, '!', - signature_size - *signature_length); - } else if (signature_size > 0) { - memset(signature, '!', signature_size); - } - /* If signature_size is 0 then we have nothing to do. We must not - * call memset because signature may be NULL in this case.*/ + psa_wipe_output_buffer(signature, status, signature_size, + *signature_length); if (status != PSA_SUCCESS) { operation->error_occurred = 1; From de1114c8830cb86ecf1e1dba6d4bb19af969cf73 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 7 Feb 2023 12:43:11 +0000 Subject: [PATCH 123/250] Fix {sign|verify}_get_num_ops Move the obfuscation of the internal library only returning a delta of ops done into the driver wrapper, thus meaning driver wrapper and API call both return absolute values of work done. Document the differences at the internal implementation level. Signed-off-by: Paul Elliott --- library/psa_crypto.c | 4 +- library/psa_crypto_core.h | 40 +++++++++---------- .../psa_crypto_driver_wrappers.c.jinja | 12 +++++- 3 files changed, 32 insertions(+), 24 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index d3ac4ce618..419be1649c 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3286,7 +3286,7 @@ psa_status_t psa_sign_hash_complete( exit: /* Update ops count with work done. */ - operation->num_ops += psa_driver_wrapper_sign_hash_get_num_ops(operation); + operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation); if (status != PSA_OPERATION_INCOMPLETE) { psa_wipe_output_buffer(signature, status, signature_size, @@ -3413,7 +3413,7 @@ psa_status_t psa_verify_hash_complete( exit: /* Update ops count with work done. */ - operation->num_ops += psa_driver_wrapper_verify_hash_get_num_ops( + operation->num_ops = psa_driver_wrapper_verify_hash_get_num_ops( operation); if (status != PSA_OPERATION_INCOMPLETE) { diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index f74db70888..a00728918c 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -638,45 +638,45 @@ void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops); uint32_t mbedtls_psa_interruptible_get_max_ops(void); /** - * \brief Get the number of ops that a hash signing operation has taken so - * far. If the operation has completed, then this will represent the - * number of ops required for the entire operation. After initialization - * or calling psa_sign_hash_interruptible_abort() on the operation, a - * value of 0 will be returned. + * \brief Get the number of ops that a hash signing operation has taken for the + * previous call. If no call or work has taken place, this will return + * zero. * * \note The signature of this function is that of a PSA driver - * sign_get_num_ops entry point. This function behaves as a - * sign_get_num_ops entry point as defined in the PSA driver interface - * specification for transparent drivers. + * sign_get_num_ops entry point, however it differs in behaviour from the + * driver function in that this function returns a delta of work done in + * the last call rather than all of the ops done ever by the whole + * operation, due to internal implementation differences. * * \param[in] operation The \c * mbedtls_psa_sign_hash_interruptible_operation_t * to use. This must be initialized first. * - * \return Number of ops that the operation has taken so - * far. + * \return Number of ops that were completed + * in the last call to \c + * mbedtls_psa_sign_hash_complete(). */ uint32_t mbedtls_psa_sign_hash_get_num_ops( const mbedtls_psa_sign_hash_interruptible_operation_t *operation); /** - * \brief Get the number of ops that a hash verification operation has taken - * so far. If the operation has completed, then this will represent the - * number of ops required for the entire operation. After initialization - * or calling psa_verify_hash_interruptible_abort() on the operation, a - * value of 0 will be returned. + * \brief Get the number of ops that a hash verification operation has taken for + * the previous call. If no call or work has taken place, this will + * return zero. * * \note The signature of this function is that of a PSA driver - * verify_get_num_ops entry point. This function behaves as a - * verify_get_num_ops entry point as defined in the PSA driver interface - * specification for transparent drivers. + * verify_get_num_ops entry point however it differs in behaviour from the + * driver function in that this function returns a delta of work done in + * the last call rather than all of the ops done ever by the whole + * operation, due to internal implementation differences. * * \param[in] operation The \c * mbedtls_psa_verify_hash_interruptible_operation_t * to use. This must be initialized first. * - * \return Number of ops that the operation has taken so - * far. + * \return Number of ops that were completed + * in the last call to \c + * mbedtls_psa_verify_hash_complete(). */ uint32_t mbedtls_psa_verify_hash_get_num_ops( const mbedtls_psa_verify_hash_interruptible_operation_t *operation); diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index 2b2b02571a..fba8990337 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -453,7 +453,11 @@ uint32_t psa_driver_wrapper_sign_hash_get_num_ops( return 0; case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - return( mbedtls_psa_sign_hash_get_num_ops( + /* Internal implementation returns a delta of ops completed in the + * last call to complete(), so need to add in ops already completed + * before this.*/ + return( operation->num_ops + + mbedtls_psa_sign_hash_get_num_ops( &operation->ctx.mbedtls_ctx ) ); @@ -478,7 +482,11 @@ uint32_t psa_driver_wrapper_verify_hash_get_num_ops( return 0; case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - return( mbedtls_psa_verify_hash_get_num_ops( + /* Internal implementation returns a delta of ops completed in the + * last call to complete(), so need to add in ops already completed + * before this.*/ + return ( operation->num_ops + + mbedtls_psa_verify_hash_get_num_ops( &operation->ctx.mbedtls_ctx ) ); From e6145dc47fdcbaf51428cf5b5bba42eae20995af Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 7 Feb 2023 12:51:21 +0000 Subject: [PATCH 124/250] Add documentation comment to internal abort functions Explain the reasoning behind not clearing some variables. Signed-off-by: Paul Elliott --- library/psa_crypto.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 419be1649c..97edc15a44 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3192,6 +3192,10 @@ static psa_status_t psa_sign_hash_abort_internal( operation->id = 0; + /* Do not clear either the error_occurred or num_ops elements here as they + * only want to be cleared by the application calling abort, not by abort + * being called at completion of an operation. */ + return status; } @@ -3335,6 +3339,10 @@ static psa_status_t psa_verify_hash_abort_internal( operation->id = 0; + /* Do not clear either the error_occurred or num_ops elements here as they + * only want to be cleared by the application calling abort, not by abort + * being called at completion of an operation. */ + return status; } From b830b35fb1b743db4292a732bbc5e12b375c53c1 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 7 Feb 2023 15:30:41 +0000 Subject: [PATCH 125/250] Shorten test descriptions. Also mark some tests as being deterministic ECDSA where this was lacking. Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 80 ++++++++++++------------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index ccee39b6f9..b44fb2e6df 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4145,27 +4145,27 @@ PSA sign hash: deterministic ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f" -PSA sign hash: interruptible (no interrupt) ECDSA SECP256R1 SHA-256 +PSA sgn hash int (ops=inf): det ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign hash: interruptible (max interrupt) ECDSA SECP256R1 SHA-256 +PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":1 -PSA sign hash: interruptible (no interrupt) ECDSA SECP256R1 SHA-384 +PSA sgn hash int (ops=inf) det ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign hash: interruptible (max interrupt) ECDSA SECP256R1 SHA-384 +PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":1 -PSA sign hash: interruptible (no interrupt) ECDSA SECP384R1 SHA-256 +PSA sign hash int (ops=inf): det ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign hash: interruptible (max interrupt) ECDSA SECP384R1 SHA-256 +PSA sign hash int (ops=min): det ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":1 @@ -4233,47 +4233,47 @@ PSA sign hash: deterministic ECDSA not supported depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED -PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256, output buffer too small +PSA Sgn hash int (ops=inf): det ECDSA SECP256R1 SHA-256, out buf too small depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256, output buffer too small +PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-256, out buf too small depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1 -PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256, empty output buffer +PSA sgn hash int(ops=inf): deterministic ECDSA SECP256R1 SHA-256, empty output buffer depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256, empty output buffer +PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-256, empty out buf depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1 -PSA sign hash interruptible (no interrupt): deterministic ECDSA SECP256R1, invalid hash algorithm (0) +PSA sgn hash int (ops=inf): det ECDSA SECP256R1, invld hash alg (0) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign hash interruptible (max interrupt): deterministic ECDSA SECP256R1, invalid hash algorithm (0) +PSA sgn hash int (ops=min): det ECDSA SECP256R1, invld hash alg (0) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:1 -PSA sign hash interruptible: deterministic ECDSA SECP256R1, invalid hash algorithm (wildcard) +PSA sgn hash int: det ECDSA SECP256R1, invld hash alg (wildcard) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign hash interruptible: invalid algorithm for ECC key +PSA sgn hash int: invld alg for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign hash interruptible: ECDSA not supported +PSA sgn hash int: ECDSA not supported depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign hash interruptible (no interrupt): deterministic ECDSA not supported +PSA sgn hash int (ops=inf): det ECDSA not supported depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign hash interruptible (max interrupt): deterministic ECDSA not supported +PSA sgn hash int (ops=min): det ECDSA not supported depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:1 @@ -4317,51 +4317,51 @@ PSA sign/verify hash: deterministic ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" -PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP256R1 SHA-256 +PSA sgn/vrfy hash int (ops=inf): randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP256R1 SHA-256 +PSA sgn/vrfy hash int (ops=min): randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 -PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-256 +PSA sgn/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-256 +PSA sgn/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 -PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP256R1 SHA-384 +PSA sgn/vrfy hash int (ops=inf): randomized ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP256R1 SHA-384 +PSA sgn/vrfy hash int (ops=min): randomized ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1 -PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP256R1 SHA-384 +PSA sgn/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP256R1 SHA-384 +PSA sgn/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1 -PSA sign / verify hash interruptible (no interrupt): randomized ECDSA SECP384R1 SHA-256 +PSA sgn/vrfy hash int (ops=inf): randomized ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign / verify hash interruptible (max interrupt): randomized ECDSA SECP384R1 SHA-256 +PSA sgn/vrfy hash int (ops=min): randomized ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 -PSA sign / verify hash interruptible (no interrupt): deterministic ECDSA SECP384R1 SHA-256 +PSA sgn/vrfy hash int (ops=inf): det ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sign / verify hash interruptible (max interrupt): deterministic ECDSA SECP384R1 SHA-256 +PSA sgn/vrfy hash int (ops=min): det ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 @@ -4485,11 +4485,11 @@ PSA verify hash with keypair: ECDSA SECP256R1, good depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f" -PSA verify hash interruptible: ECDSA SECP256R1, good +PSA vrfy hash int: ECDSA SECP256R1, good depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA verify hash interruptible with keypair: ECDSA SECP256R1, good +PSA vrfy hash int w/keypair: ECDSA SECP256R1, good depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED @@ -4521,39 +4521,39 @@ PSA verify hash: invalid algorithm for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT -PSA verify hash interruptible: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded) +PSA vrfy hash int: ECDSA SECP256R1, wrng sig size (correct but ASN1-encoded) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA verify hash interruptible (no interrupt): ECDSA SECP256R1, wrong signature of correct size +PSA vrfy hash int (ops=inf): ECDSA SECP256R1, wrng sig of correct size depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA verify hash interruptible (max interrupt): ECDSA SECP256R1, wrong signature of correct size +PSA vrfy hash int (ops=min): ECDSA SECP256R1, wrng sig of correct size depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:1 -PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (empty) +PSA vrfy hash int: ECDSA SECP256R1, wrng sig (empty) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (truncated) +PSA vrfy hash int: ECDSA SECP256R1, wrng sig (truncated) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (trailing junk) +PSA vrfy hash int: ECDSA SECP256R1, wrng sig (trailing junk) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA verify hash interruptible: ECDSA SECP256R1, wrong signature (leading junk) +PSA vrfy hash int: ECDSA SECP256R1, wrng sig (leading junk) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA verify hash interruptible: invalid algorithm for ECC key +PSA vrfy hash int: invld alg for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA interruptible hash state test: randomized ECDSA SECP256R1 SHA-256 +PSA int hash state test: randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 hash_interruptible_state_test:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" From 84329464d51693574367baceeed567224e29dfeb Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 7 Feb 2023 17:32:04 +0000 Subject: [PATCH 126/250] Replace allocated hash buffer with array Signed-off-by: Paul Elliott --- include/psa/crypto_builtin_composites.h | 4 ++-- library/psa_crypto.c | 18 ------------------ 2 files changed, 2 insertions(+), 20 deletions(-) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index ba3d253022..2ba9133983 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -120,7 +120,7 @@ typedef struct { size_t MBEDTLS_PRIVATE(coordinate_bytes); psa_algorithm_t MBEDTLS_PRIVATE(alg); mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg); - uint8_t *MBEDTLS_PRIVATE(hash); + uint8_t MBEDTLS_PRIVATE(hash)[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; size_t MBEDTLS_PRIVATE(hash_length); #else @@ -150,7 +150,7 @@ typedef struct { mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx); mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx); - uint8_t *MBEDTLS_PRIVATE(hash); + uint8_t MBEDTLS_PRIVATE(hash)[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; size_t MBEDTLS_PRIVATE(hash_length); mbedtls_mpi MBEDTLS_PRIVATE(r); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 97edc15a44..ab52918cd9 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3561,12 +3561,6 @@ psa_status_t mbedtls_psa_sign_hash_start( operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg); operation->alg = alg; - operation->hash = mbedtls_calloc(1, hash_length); - - if (operation->hash == NULL) { - return PSA_ERROR_INSUFFICIENT_MEMORY; - } - memcpy(operation->hash, hash, hash_length); operation->hash_length = hash_length; @@ -3698,9 +3692,6 @@ psa_status_t mbedtls_psa_sign_hash_abort( operation->ctx = NULL; } - mbedtls_free(operation->hash); - operation->hash = NULL; - mbedtls_ecdsa_restart_free(&operation->restart_ctx); return PSA_SUCCESS; @@ -3789,12 +3780,6 @@ psa_status_t mbedtls_psa_verify_hash_start( mbedtls_ecdsa_restart_init(&operation->restart_ctx); - operation->hash = mbedtls_calloc(1, hash_length); - - if (operation->hash == NULL) { - return PSA_ERROR_INSUFFICIENT_MEMORY; - } - memcpy(operation->hash, hash, hash_length); operation->hash_length = hash_length; @@ -3858,9 +3843,6 @@ psa_status_t mbedtls_psa_verify_hash_abort( operation->ctx = NULL; } - mbedtls_free(operation->hash); - operation->hash = NULL; - mbedtls_ecdsa_restart_free(&operation->restart_ctx); mbedtls_mpi_free(&operation->r); From 76d671ad731143b3e0f4187bf885c87a48ce9936 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 7 Feb 2023 17:45:18 +0000 Subject: [PATCH 127/250] Split state tests into two functions Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 8 ++- tests/suites/test_suite_psa_crypto.function | 57 +++++++++++++++++++-- 2 files changed, 60 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index b44fb2e6df..c1f4e48667 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4553,9 +4553,13 @@ PSA vrfy hash int: invld alg for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA int hash state test: randomized ECDSA SECP256R1 SHA-256 +PSA sgn/vrfy hash int state test: randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -hash_interruptible_state_test:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" +interruptible_signverify_hash_state_test:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" + +PSA sgn/vrfy hash int neg tests: randomized ECDSA SECP256R1 SHA-256 +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +interruptible_signverify_hash_negative_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" PSA sign message: RSA PKCS#1 v1.5 SHA-256 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 7ad856924e..471f42676f 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -7186,8 +7186,8 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ -void hash_interruptible_state_test(int key_type_arg, data_t *key_data, - int alg_arg, data_t *input_data) +void interruptible_signverify_hash_state_test(int key_type_arg, + data_t *key_data, int alg_arg, data_t *input_data) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; @@ -7197,7 +7197,6 @@ void hash_interruptible_state_test(int key_type_arg, data_t *key_data, size_t signature_size; size_t signature_length = 0xdeadbeef; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - uint8_t *input_buffer = NULL; psa_sign_hash_interruptible_operation_t sign_operation = psa_sign_hash_interruptible_operation_init(); psa_verify_hash_interruptible_operation_t verify_operation = @@ -7320,6 +7319,57 @@ void hash_interruptible_state_test(int key_type_arg, data_t *key_data, PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); +exit: + /* + * Key attributes may have been returned by psa_get_key_attributes() + * thus reset them as required. + */ + psa_reset_key_attributes(&attributes); + + psa_destroy_key(key); + mbedtls_free(signature); + PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +void interruptible_signverify_hash_negative_tests(int key_type_arg, + data_t *key_data, int alg_arg, data_t *input_data) +{ + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_type_t key_type = key_type_arg; + psa_algorithm_t alg = alg_arg; + size_t key_bits; + unsigned char *signature = NULL; + size_t signature_size; + size_t signature_length = 0xdeadbeef; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + uint8_t *input_buffer = NULL; + psa_sign_hash_interruptible_operation_t sign_operation = + psa_sign_hash_interruptible_operation_init(); + psa_verify_hash_interruptible_operation_t verify_operation = + psa_verify_hash_interruptible_operation_init(); + + PSA_ASSERT(psa_crypto_init()); + + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | + PSA_KEY_USAGE_VERIFY_HASH); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, key_type); + + PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, + &key)); + PSA_ASSERT(psa_get_key_attributes(key, &attributes)); + key_bits = psa_get_key_bits(&attributes); + + /* Allocate a buffer which has the size advertised by the + * library. */ + signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, + key_bits, alg); + TEST_ASSERT(signature_size != 0); + TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); + ASSERT_ALLOC(signature, signature_size); + /* --- Ensure changing the max ops mid operation works (operation should * complete successfully after setting max ops to unlimited --- */ psa_interruptible_set_max_ops(1); @@ -7433,6 +7483,7 @@ exit: } /* END_CASE */ + /* BEGIN_CASE */ void sign_message_deterministic(int key_type_arg, data_t *key_data, From a4cb909fcd218639a5fa16fcb33d6a1096cbbece Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 7 Feb 2023 18:01:55 +0000 Subject: [PATCH 128/250] Add max ops tests Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 4 ++ tests/suites/test_suite_psa_crypto.function | 48 +++++++++++++++++++++ 2 files changed, 52 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index c1f4e48667..9511d1f5c5 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4561,6 +4561,10 @@ PSA sgn/vrfy hash int neg tests: randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 interruptible_signverify_hash_negative_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" +PSA sgn/vrfy hash int max ops tests: randomized ECDSA SECP256R1 SHA-256 +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +interruptible_signverify_hash_maxops_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" + PSA sign message: RSA PKCS#1 v1.5 SHA-256 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C sign_message_deterministic:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311" diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 471f42676f..5f6aa42d5c 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -7483,6 +7483,54 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +void interruptible_signverify_hash_maxops_tests(int key_type_arg, + data_t *key_data, int alg_arg, data_t *input_data) +{ + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_type_t key_type = key_type_arg; + psa_algorithm_t alg = alg_arg; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_sign_hash_interruptible_operation_t sign_operation = + psa_sign_hash_interruptible_operation_init(); + + PSA_ASSERT(psa_crypto_init()); + + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | + PSA_KEY_USAGE_VERIFY_HASH); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, key_type); + + PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, + &key)); + + /* Check that default max ops gets set if we don't set it. */ + PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, + input_data->x, input_data->len)); + + TEST_EQUAL(psa_interruptible_get_max_ops(), + PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); + + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + + /* Check that max ops gets set properly. */ + + psa_interruptible_set_max_ops(0xbeef); + + TEST_EQUAL(psa_interruptible_get_max_ops(), + 0xbeef); + +exit: + /* + * Key attributes may have been returned by psa_get_key_attributes() + * thus reset them as required. + */ + psa_reset_key_attributes(&attributes); + + psa_destroy_key(key); + PSA_DONE(); +} +/* END_CASE */ /* BEGIN_CASE */ void sign_message_deterministic(int key_type_arg, From c08112160a319d5e3ef9b85b370beb442df791b1 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 7 Feb 2023 18:06:25 +0000 Subject: [PATCH 129/250] Add comment to explain lack of driver dispatch Signed-off-by: Paul Elliott --- .../driver_templates/psa_crypto_driver_wrappers.c.jinja | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index fba8990337..a8a8991a27 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -435,11 +435,19 @@ psa_status_t psa_driver_wrapper_verify_hash( void psa_driver_wrapper_interruptible_set_max_ops( uint32_t max_ops ) { + /* TODO - dispatch to drivers dynamically registered for this + * service when registering is implemented. For now, fall + * through to internal implementation. */ + mbedtls_psa_interruptible_set_max_ops( max_ops ); } uint32_t psa_driver_wrapper_interruptible_get_max_ops( void ) { + /* TODO - dispatch to drivers dynamically registered for this + * service when registering is implemented. For now, fall + * through to internal implementation. */ + return mbedtls_psa_interruptible_get_max_ops( ); } From 724bd25f4b061713885afa1c2512dedd6bb7a9d4 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 8 Feb 2023 12:35:08 +0000 Subject: [PATCH 130/250] Fix missing mbedtls_mpi_free() on signing. After moving the MPIs used to output from the operation into the complete function, I failed to move the accompanying free as well. Signed-off-by: Paul Elliott --- library/psa_crypto.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index ab52918cd9..6e0d06b36b 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3617,10 +3617,10 @@ psa_status_t mbedtls_psa_sign_hash_complete( MBEDTLS_PSA_RANDOM_STATE, &operation->restart_ctx)); #else /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ - return PSA_ERROR_NOT_SUPPORTED; + status = PSA_ERROR_NOT_SUPPORTED; + goto exit; #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ } else { - status = mbedtls_to_psa_error( mbedtls_ecdsa_sign_restartable(&operation->ctx->grp, &r, @@ -3635,9 +3635,7 @@ psa_status_t mbedtls_psa_sign_hash_complete( &operation->restart_ctx)); } - if (status != PSA_SUCCESS) { - return status; - } else { + if (status == PSA_SUCCESS) { status = mbedtls_to_psa_error( mbedtls_mpi_write_binary(&r, signature, @@ -3645,7 +3643,7 @@ psa_status_t mbedtls_psa_sign_hash_complete( ); if (status != PSA_SUCCESS) { - return status; + goto exit; } status = mbedtls_to_psa_error( @@ -3656,13 +3654,20 @@ psa_status_t mbedtls_psa_sign_hash_complete( ); if (status != PSA_SUCCESS) { - return status; + goto exit; } *signature_length = operation->coordinate_bytes * 2; - return PSA_SUCCESS; + status = PSA_SUCCESS; } + +exit: + + mbedtls_mpi_free(&r); + mbedtls_mpi_free(&s); + return status; + #else (void) operation; From 01885fa5e576d5e3f4cdf84aeb49f7d696d801cf Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Thu, 9 Feb 2023 12:07:30 +0000 Subject: [PATCH 131/250] Fix include guards on auxiliary test function. Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 5f6aa42d5c..66f932b7e1 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -1220,9 +1220,7 @@ typedef enum { INJECT_ANTICIPATE_KEY_DERIVATION_2, } ecjpake_injected_failure_t; -#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ - defined(MBEDTLS_ECP_RESTARTABLE) +#if defined(MBEDTLS_ECP_RESTARTABLE) static void interruptible_signverify_get_minmax_completes(uint32_t max_ops, psa_status_t expected_status, @@ -1248,9 +1246,7 @@ static void interruptible_signverify_get_minmax_completes(uint32_t max_ops, *max_completes = 1; } } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && - * defined( MBEDTLS_ECP_RESTARTABLE ) */ +#endif /* MBEDTLS_ECP_RESTARTABLE */ /* END_HEADER */ From 0290a76fc27cf365f79ac7bb1b7622c5c597ed30 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Thu, 9 Feb 2023 14:30:24 +0000 Subject: [PATCH 132/250] Fix buffer overflow with hashes larger than key size. Truncate input hashes to curve private key size as that is all that is required for the internal implementation. Signed-off-by: Paul Elliott --- library/psa_crypto.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 6e0d06b36b..5013c5d920 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3524,6 +3524,7 @@ psa_status_t mbedtls_psa_sign_hash_start( const uint8_t *hash, size_t hash_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t required_hash_length; if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) { return PSA_ERROR_NOT_SUPPORTED; @@ -3561,8 +3562,13 @@ psa_status_t mbedtls_psa_sign_hash_start( operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg); operation->alg = alg; - memcpy(operation->hash, hash, hash_length); - operation->hash_length = hash_length; + /* We only need to store the same length of hash as the private key size + * here, it would be truncated by the internal implementation anyway. */ + required_hash_length = (hash_length < operation->coordinate_bytes ? + hash_length : operation->coordinate_bytes); + + memcpy(operation->hash, hash, required_hash_length); + operation->hash_length = required_hash_length; return PSA_SUCCESS; @@ -3574,6 +3580,7 @@ psa_status_t mbedtls_psa_sign_hash_start( (void) hash; (void) hash_length; (void) status; + (void) required_hash_length; return PSA_ERROR_NOT_SUPPORTED; #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || @@ -3722,6 +3729,7 @@ psa_status_t mbedtls_psa_verify_hash_start( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; size_t coordinate_bytes = 0; + size_t required_hash_length = 0; if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) { return PSA_ERROR_NOT_SUPPORTED; @@ -3785,8 +3793,13 @@ psa_status_t mbedtls_psa_verify_hash_start( mbedtls_ecdsa_restart_init(&operation->restart_ctx); - memcpy(operation->hash, hash, hash_length); - operation->hash_length = hash_length; + /* We only need to store the same length of hash as the private key size + * here, it would be truncated by the internal implementation anyway. */ + required_hash_length = (hash_length < coordinate_bytes ? hash_length : + coordinate_bytes); + + memcpy(operation->hash, hash, required_hash_length); + operation->hash_length = required_hash_length; return PSA_SUCCESS; #else @@ -3800,6 +3813,7 @@ psa_status_t mbedtls_psa_verify_hash_start( (void) signature_length; (void) status; (void) coordinate_bytes; + (void) required_hash_length; return PSA_ERROR_NOT_SUPPORTED; #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || From fe9e77ff7adc8ecc8e161b6dedd6c9e98edcb482 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 10 Feb 2023 11:04:27 +0000 Subject: [PATCH 133/250] Better formatting of include guard comments Signed-off-by: Paul Elliott --- include/psa/crypto_builtin_composites.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index 2ba9133983..b23199afc2 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -127,9 +127,9 @@ typedef struct { /* Make the struct non-empty if algs not supported. */ unsigned MBEDTLS_PRIVATE(dummy); -#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || - * MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA && - * MBEDTLS_ECP_RESTARTABLE */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && + * defined( MBEDTLS_ECP_RESTARTABLE ) */ } mbedtls_psa_sign_hash_interruptible_operation_t; #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ @@ -160,9 +160,9 @@ typedef struct { /* Make the struct non-empty if algs not supported. */ unsigned MBEDTLS_PRIVATE(dummy); -#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || - * MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA && - * MBEDTLS_ECP_RESTARTABLE */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && + * defined( MBEDTLS_ECP_RESTARTABLE ) */ } mbedtls_psa_verify_hash_interruptible_operation_t; From 6d99f0c265305fddecf05b2f63c948163c380660 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 10 Feb 2023 12:58:09 +0000 Subject: [PATCH 134/250] Fix errors in psa_wipe_output_buffer() doc comment. Signed-off-by: Paul Elliott --- library/psa_crypto.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 5013c5d920..2328e3590a 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -2684,7 +2684,7 @@ static psa_status_t psa_sign_verify_check_alg(int input_is_message, } /** - * \brief Fill the unused part of the output buffer(the + * \brief Fill the unused part of the output buffer (the * whole buffer on error, the trailing part on * success) with something that isn't a valid * signature (barring an attack on the signature @@ -2692,13 +2692,13 @@ static psa_status_t psa_sign_verify_check_alg(int input_is_message, * caller doesn't check the return status properly. * * \param output_buffer pointer to buffer to wipe. May not be NULL - * unless /p output_buffer_size is zero. + * unless \p output_buffer_size is zero. * \param status status of function called to generate * output_buffer originally - * \param output_buffer_size Size of output buffer. If zero, /p output_buffer + * \param output_buffer_size Size of output buffer. If zero, \p output_buffer * could be NULL * \param output_buffer_length Length of data written to output_buffer, must be - * less than /p output_buffer_size + * less than \p output_buffer_size */ static void psa_wipe_output_buffer(uint8_t *output_buffer, psa_status_t status, size_t output_buffer_size, size_t output_buffer_length) From c569fc268f9195fd19decbcd6cfe1954767a54cf Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 10 Feb 2023 13:02:54 +0000 Subject: [PATCH 135/250] Switch from nbits to pbits Correct coordinate size is grp.nbits, not grp.pbits. Signed-off-by: Paul Elliott --- library/psa_crypto.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 2328e3590a..776a9c8586 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3556,7 +3556,7 @@ psa_status_t mbedtls_psa_sign_hash_start( mbedtls_ecdsa_restart_init(&operation->restart_ctx); operation->coordinate_bytes = PSA_BITS_TO_BYTES( - operation->ctx->grp.pbits); + operation->ctx->grp.nbits); psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg); operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg); @@ -3758,7 +3758,7 @@ psa_status_t mbedtls_psa_verify_hash_start( return status; } - coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.pbits); + coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.nbits); if (signature_length != 2 * coordinate_bytes) { return PSA_ERROR_INVALID_SIGNATURE; From 53bb3120544d23473370f8e75f6d2fe89241e880 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 10 Feb 2023 14:22:22 +0000 Subject: [PATCH 136/250] Wipe output buffer even when INCOMPLETE is returned. Signed-off-by: Paul Elliott --- library/psa_crypto.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 776a9c8586..e10c34cc53 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3292,10 +3292,10 @@ exit: /* Update ops count with work done. */ operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation); - if (status != PSA_OPERATION_INCOMPLETE) { - psa_wipe_output_buffer(signature, status, signature_size, - *signature_length); + psa_wipe_output_buffer(signature, status, signature_size, + *signature_length); + if (status != PSA_OPERATION_INCOMPLETE) { if (status != PSA_SUCCESS) { operation->error_occurred = 1; } From ebe225cf7b3395de91290788031d6e84e9200169 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 10 Feb 2023 14:32:53 +0000 Subject: [PATCH 137/250] Move num ops update to only point where work can be done. Signed-off-by: Paul Elliott --- library/psa_crypto.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index e10c34cc53..d458b0297d 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3287,11 +3287,12 @@ psa_status_t psa_sign_hash_complete( status = psa_driver_wrapper_sign_hash_complete(operation, signature, signature_size, signature_length); -exit: /* Update ops count with work done. */ operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation); +exit: + psa_wipe_output_buffer(signature, status, signature_size, *signature_length); @@ -3418,12 +3419,12 @@ psa_status_t psa_verify_hash_complete( status = psa_driver_wrapper_verify_hash_complete(operation); -exit: - /* Update ops count with work done. */ operation->num_ops = psa_driver_wrapper_verify_hash_get_num_ops( operation); +exit: + if (status != PSA_OPERATION_INCOMPLETE) { if (status != PSA_SUCCESS) { operation->error_occurred = 1; From a1c9409d88b838ffe3f5208a084bdd59257f4477 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 15 Feb 2023 16:38:04 +0000 Subject: [PATCH 138/250] Move structure init calls as early as possible Signed-off-by: Paul Elliott --- library/psa_crypto.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index d458b0297d..927b9d45fb 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3539,6 +3539,8 @@ psa_status_t mbedtls_psa_sign_hash_start( defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ defined(MBEDTLS_ECP_RESTARTABLE) + mbedtls_ecdsa_restart_init(&operation->restart_ctx); + /* Ensure default is set even if * mbedtls_psa_interruptible_set_max_ops() has not been called. */ mbedtls_psa_interruptible_set_max_ops( @@ -3554,8 +3556,6 @@ psa_status_t mbedtls_psa_sign_hash_start( return status; } - mbedtls_ecdsa_restart_init(&operation->restart_ctx); - operation->coordinate_bytes = PSA_BITS_TO_BYTES( operation->ctx->grp.nbits); @@ -3594,22 +3594,22 @@ psa_status_t mbedtls_psa_sign_hash_complete( uint8_t *signature, size_t signature_size, size_t *signature_length) { - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ defined(MBEDTLS_ECP_RESTARTABLE) + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; mbedtls_mpi r; mbedtls_mpi s; - if (signature_size < 2 * operation->coordinate_bytes) { - return PSA_ERROR_BUFFER_TOO_SMALL; - } - mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); + if (signature_size < 2 * operation->coordinate_bytes) { + status = PSA_ERROR_BUFFER_TOO_SMALL; + goto exit; + } + if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) @@ -3679,7 +3679,6 @@ exit: #else (void) operation; - (void) status; (void) signature; (void) signature_size; (void) signature_length; @@ -3744,6 +3743,10 @@ psa_status_t mbedtls_psa_verify_hash_start( defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ defined(MBEDTLS_ECP_RESTARTABLE) + mbedtls_ecdsa_restart_init(&operation->restart_ctx); + mbedtls_mpi_init(&operation->r); + mbedtls_mpi_init(&operation->s); + /* Ensure default is set even if * mbedtls_psa_interruptible_set_max_ops() has not been called. */ mbedtls_psa_interruptible_set_max_ops( @@ -3765,7 +3768,6 @@ psa_status_t mbedtls_psa_verify_hash_start( return PSA_ERROR_INVALID_SIGNATURE; } - mbedtls_mpi_init(&operation->r); status = mbedtls_to_psa_error( mbedtls_mpi_read_binary(&operation->r, signature, @@ -3775,7 +3777,6 @@ psa_status_t mbedtls_psa_verify_hash_start( return status; } - mbedtls_mpi_init(&operation->s); status = mbedtls_to_psa_error( mbedtls_mpi_read_binary(&operation->s, signature + @@ -3792,8 +3793,6 @@ psa_status_t mbedtls_psa_verify_hash_start( return mbedtls_to_psa_error(ret); } - mbedtls_ecdsa_restart_init(&operation->restart_ctx); - /* We only need to store the same length of hash as the private key size * here, it would be truncated by the internal implementation anyway. */ required_hash_length = (hash_length < coordinate_bytes ? hash_length : From 7ef174b285b86c8c8e49d479bf6fe552b7eae3f5 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 15 Feb 2023 16:45:20 +0000 Subject: [PATCH 139/250] Correct insufficient memory return documentation. Signed-off-by: Paul Elliott --- library/psa_crypto_core.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index a00728918c..5648321b2f 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -711,8 +711,7 @@ uint32_t mbedtls_psa_verify_hash_get_num_ops( * \retval #PSA_ERROR_NOT_SUPPORTED Either no internal interruptible operations * are currently supported, or the key type is currently unsupported. * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * There was insufficient memory either to load the key representation, - * or to store the hash. + * There was insufficient memory to load the key representation. */ psa_status_t mbedtls_psa_sign_hash_start( mbedtls_psa_sign_hash_interruptible_operation_t *operation, @@ -817,7 +816,7 @@ psa_status_t mbedtls_psa_sign_hash_abort( * or the key type is currently unsupported. * \retval #PSA_ERROR_INSUFFICIENT_MEMORY * There was insufficient memory either to load the key representation, - * or to store the hash. + * or to prepare the operation. */ psa_status_t mbedtls_psa_verify_hash_start( mbedtls_psa_verify_hash_interruptible_operation_t *operation, From efebad0d67c63d3b734f898a5624b52be8fbf9e4 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 15 Feb 2023 16:56:45 +0000 Subject: [PATCH 140/250] Run extra complete in failure tests regardless. We do not need to expect to fail, running another complete in either sign or verify after successful completion should also return BAD_STATE. Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 66f932b7e1..2f5b50db90 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6702,13 +6702,12 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, TEST_EQUAL(actual_status, expected_complete_status); - if (expected_complete_status != PSA_SUCCESS) { - actual_status = psa_sign_hash_complete(&operation, signature, - signature_size, - &signature_length); + /* Check that another complete returns BAD_STATE. */ + actual_status = psa_sign_hash_complete(&operation, signature, + signature_size, + &signature_length); - TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); - } + TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); PSA_ASSERT(psa_sign_hash_abort(&operation)); @@ -7160,11 +7159,9 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, TEST_EQUAL(actual_status, expected_complete_status); - if (expected_complete_status != PSA_SUCCESS) { - actual_status = psa_verify_hash_complete(&operation); - - TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); - } + /* Check that another complete returns BAD_STATE. */ + actual_status = psa_verify_hash_complete(&operation); + TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); TEST_LE_U(min_completes, num_completes); TEST_LE_U(num_completes, max_completes); From 2c9843f2a440be3fdaab73e0bdddba8d28845c8c Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 15 Feb 2023 17:32:42 +0000 Subject: [PATCH 141/250] Make mbedtls_sa_ecp_load_public_part return psa_status_t Signed-off-by: Paul Elliott --- library/psa_crypto.c | 6 +++--- library/psa_crypto_ecp.c | 38 +++++++++++++++++++++++--------------- library/psa_crypto_ecp.h | 4 ++-- 3 files changed, 28 insertions(+), 20 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 927b9d45fb..2c6f108a16 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3787,10 +3787,10 @@ psa_status_t mbedtls_psa_verify_hash_start( return status; } - int ret = mbedtls_psa_ecp_load_public_part(operation->ctx); + status = mbedtls_psa_ecp_load_public_part(operation->ctx); - if (ret != 0) { - return mbedtls_to_psa_error(ret); + if (status != PSA_SUCCESS) { + return status; } /* We only need to store the same length of hash as the private key size diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c index cc80f27760..f70d804b0f 100644 --- a/library/psa_crypto_ecp.c +++ b/library/psa_crypto_ecp.c @@ -404,7 +404,7 @@ cleanup: return mbedtls_to_psa_error(ret); } -int mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp) +psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp) { int ret = 0; @@ -416,7 +416,7 @@ int mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp) MBEDTLS_PSA_RANDOM_STATE); } - return ret; + return mbedtls_to_psa_error(ret); } psa_status_t mbedtls_psa_ecdsa_verify_hash( @@ -427,7 +427,6 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; mbedtls_ecp_keypair *ecp = NULL; - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t curve_bytes; mbedtls_mpi r, s; @@ -447,30 +446,39 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash( mbedtls_mpi_init(&s); if (signature_length != 2 * curve_bytes) { - ret = MBEDTLS_ERR_ECP_VERIFY_FAILED; + status = PSA_ERROR_INVALID_SIGNATURE; goto cleanup; } - MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&r, - signature, - curve_bytes)); - MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&s, - signature + curve_bytes, - curve_bytes)); + status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&r, + signature, + curve_bytes)); + if (status != PSA_SUCCESS) { + goto cleanup; + } - MBEDTLS_MPI_CHK(mbedtls_psa_ecp_load_public_part(ecp)); + status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&s, + signature + curve_bytes, + curve_bytes)); + if (status != PSA_SUCCESS) { + goto cleanup; + } + status = mbedtls_psa_ecp_load_public_part(ecp); + if (status != PSA_SUCCESS) { + goto cleanup; + } - ret = mbedtls_ecdsa_verify(&ecp->grp, hash, hash_length, - &ecp->Q, &r, &s); - + status = mbedtls_to_psa_error(mbedtls_ecdsa_verify(&ecp->grp, hash, + hash_length, &ecp->Q, + &r, &s)); cleanup: mbedtls_mpi_free(&r); mbedtls_mpi_free(&s); mbedtls_ecp_keypair_free(ecp); mbedtls_free(ecp); - return mbedtls_to_psa_error(ret); + return status; } #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ diff --git a/library/psa_crypto_ecp.h b/library/psa_crypto_ecp.h index 8b567fe3bf..c7ef534b1f 100644 --- a/library/psa_crypto_ecp.h +++ b/library/psa_crypto_ecp.h @@ -52,10 +52,10 @@ psa_status_t mbedtls_psa_ecp_load_representation(psa_key_type_t type, * * \param ecp The ECP context to load the public part for. * - * \return 0 on success, otherwise an MPI error. + * \return PSA_SUCCESS on success, otherwise an MPI error. */ -int mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp); +psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp); /** Import an ECP key in binary format. * From c86d45e8a1aff38d1cea21b4be93cbe16b6b12d1 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 15 Feb 2023 17:38:05 +0000 Subject: [PATCH 142/250] Remove spurious incorrect comment Comment originated from original version of this code, and the newer comment which was added when it was pulled into a seperate function covers all cases. Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 2f5b50db90..fd355de9a4 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -1233,7 +1233,7 @@ static void interruptible_signverify_get_minmax_completes(uint32_t max_ops, to complete, and likewise that with a max_ops of PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, it should complete in one go. */ if (max_ops == 0 || max_ops == 1) { - /* Failure test cases will fail on the first op. */ + if (expected_status == PSA_SUCCESS) { *min_completes = 2; } else { From 751e76bb04727f5aeb55c8b85ac7df8f77fdfdf6 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 16 Feb 2023 10:48:15 +0800 Subject: [PATCH 143/250] Replace `crypto engine` with `crypto extension` Signed-off-by: Jerry Yu --- include/mbedtls/mbedtls_config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 6cea050115..3dea18ca10 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2068,7 +2068,7 @@ /** * \def MBEDTLS_AESCE_C * - * Enable AES crypto engine support on Arm64. + * Enable AES crypto extension support on Arm64. * * Module: library/aesce.c * Caller: library/aes.c From 92fc538a22b94fa8e8ef47935ccc69be603a5bf7 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 16 Feb 2023 11:17:11 +0800 Subject: [PATCH 144/250] Add attribute popup Signed-off-by: Jerry Yu --- library/sha256.c | 5 +++++ library/sha512.c | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/library/sha256.c b/library/sha256.c index 4321765519..49a233d63f 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -380,6 +380,11 @@ int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx, SHA256_BLOCK_SIZE) ? 0 : -1; } +#if defined(MBEDTLS_POP_TARGET_PRAGMA) +#pragma clang attribute pop +#undef MBEDTLS_POP_TARGET_PRAGMA +#endif + #endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */ diff --git a/library/sha512.c b/library/sha512.c index fec974a36b..827c08f34f 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -566,6 +566,11 @@ int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx, SHA512_BLOCK_SIZE) ? 0 : -1; } +#if defined(MBEDTLS_POP_TARGET_PRAGMA) +#pragma clang attribute pop +#undef MBEDTLS_POP_TARGET_PRAGMA +#endif + #endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ From 2f2c04956dead5d508a4b9af808a1e6892dd225b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 16 Feb 2023 14:24:46 +0800 Subject: [PATCH 145/250] Add GCC options pop Reduce the scope of target pragma to meet behavior of clang. Signed-off-by: Jerry Yu --- library/sha256.c | 6 ++++++ library/sha512.c | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/library/sha256.c b/library/sha256.c index 49a233d63f..81c011b338 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -57,7 +57,9 @@ # if __GNUC__ < 6 /* TODO: check sha256 compatible for GCC */ # error "A more recent GCC is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*" # else +# pragma GCC push_options # pragma GCC target ("arch=armv8-a+crypto") +# define MBEDTLS_POP_TARGET_PRAGMA # endif # else # error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_A64_CRYPTO_*" @@ -381,7 +383,11 @@ int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx, } #if defined(MBEDTLS_POP_TARGET_PRAGMA) +#if defined(__clang__) #pragma clang attribute pop +#elif defined(__GNUC__) +#pragma GCC pop_options +#endif #undef MBEDTLS_POP_TARGET_PRAGMA #endif diff --git a/library/sha512.c b/library/sha512.c index 827c08f34f..df8c5a9c1d 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -86,7 +86,9 @@ # if __GNUC__ < 8 # error "A more recent GCC is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" # else +# pragma GCC push_options # pragma GCC target ("arch=armv8.2-a+sha3") +# define MBEDTLS_POP_TARGET_PRAGMA # endif # else # error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_A64_CRYPTO_*" @@ -567,7 +569,11 @@ int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx, } #if defined(MBEDTLS_POP_TARGET_PRAGMA) +#if defined(__clang__) #pragma clang attribute pop +#elif defined(__GNUC__) +#pragma GCC pop_options +#endif #undef MBEDTLS_POP_TARGET_PRAGMA #endif From 8ae6a0193c04fa76759791c31d43f36313e43ce0 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 16 Feb 2023 15:16:20 +0800 Subject: [PATCH 146/250] Add comments about gcc-5 Signed-off-by: Jerry Yu --- library/sha256.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/library/sha256.c b/library/sha256.c index 81c011b338..bf9af6b5a9 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -54,7 +54,10 @@ # pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) # define MBEDTLS_POP_TARGET_PRAGMA # elif defined(__GNUC__) -# if __GNUC__ < 6 /* TODO: check sha256 compatible for GCC */ + /* FIXME: GCC-5 annouce crypto extension, but some intrinsic are missed. + * Known miss intrinsic can be workaround. + */ +# if __GNUC__ < 6 # error "A more recent GCC is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*" # else # pragma GCC push_options From 383cbf42a03f4aebf8184f3e340db5bb05748e0f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 16 Feb 2023 15:16:43 +0800 Subject: [PATCH 147/250] Add minimum version of sha256 for clang Signed-off-by: Jerry Yu --- library/sha256.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/library/sha256.c b/library/sha256.c index bf9af6b5a9..d5be7aa19c 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -40,7 +40,9 @@ /* *INDENT-OFF* */ # if !defined(__ARM_FEATURE_CRYPTO) # if defined(__clang__) -# if __clang_major__ < 18 +# if __clang_major__ < 4 +# error "A more recent Clang is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*" +# elif __clang_major__ < 18 /* TODO: Re-consider above after https://reviews.llvm.org/D131064 * merged. * From 2c8e144ef6796cb0a7b20b89bae6a9d415a4204a Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Thu, 16 Feb 2023 10:25:08 +0100 Subject: [PATCH 148/250] Fix tests for 32bit Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/ecp.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index d436d0a35c..6370d258aa 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -81,7 +81,7 @@ class EcpP521R1Raw(bignum_common.ModOperationCommon, """Test cases for ecp quasi_reduction().""" test_function = "ecp_mod_p521_raw" test_name = "ecp_mod_p521_raw" - input_style = "fixed" + input_style = "arch_split" arity = 1 moduli = [("01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" From a135deeece11aa23ce2002336c87a64405d6ef58 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 16 Feb 2023 16:56:22 +0800 Subject: [PATCH 149/250] Move clang bug workaround to the head of file Signed-off-by: Jerry Yu --- library/sha256.c | 34 +++++++++++++++++++++++----------- library/sha512.c | 37 ++++++++++++++++++++++++++----------- 2 files changed, 49 insertions(+), 22 deletions(-) diff --git a/library/sha256.c b/library/sha256.c index d5be7aa19c..c167dbe1a8 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -22,8 +22,31 @@ * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf */ +#if defined(__aarch64__) && !defined(__ARM_FEATURE_CRYPTO) && \ + defined(__clang__) && __clang_major__ < 18 && __clang_major__ > 3 +/* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged. + * + * The intrinsic declaration are guarded with ACLE predefined macros in clang, + * and those macros are only enabled with command line. Define the macros can + * enable those declaration and avoid compile error on it. + */ +#define __ARM_FEATURE_CRYPTO 1 +#pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) +#define MBEDTLS_POP_TARGET_PRAGMA +#endif /* __aarch64__ && __clang__ && + !__ARM_FEATURE_CRYPTO && __clang_major__ < 18 && __clang_major__ > 3 */ + #include "common.h" +#if defined(MBEDTLS_POP_TARGET_PRAGMA) && \ + !(defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)) +#if defined(__clang__) +#pragma clang attribute pop +#endif +#undef MBEDTLS_POP_TARGET_PRAGMA +#endif + #if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C) #include "mbedtls/sha256.h" @@ -42,16 +65,6 @@ # if defined(__clang__) # if __clang_major__ < 4 # error "A more recent Clang is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*" -# elif __clang_major__ < 18 - /* TODO: Re-consider above after https://reviews.llvm.org/D131064 - * merged. - * - * The intrinsic declaration are guarded with ACLE predefined macros - * in clang, and those macros are only enabled with command line. - * Define the macros can enable those declaration and avoid compile - * error on it. - */ -# define __ARM_FEATURE_CRYPTO 1 # endif # pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) # define MBEDTLS_POP_TARGET_PRAGMA @@ -398,7 +411,6 @@ int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx, #endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */ - #if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) #define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many #define mbedtls_internal_sha256_process_c mbedtls_internal_sha256_process diff --git a/library/sha512.c b/library/sha512.c index df8c5a9c1d..d0e6d47df8 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -22,8 +22,34 @@ * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf */ +#if defined(__aarch64__) && !defined(__ARM_FEATURE_SHA512) && \ + defined(__clang__) && __clang_major__ < 18 && \ + __clang_major__ >= 13 && __clang_minor__ > 0 && __clang_patchlevel__ > 0 +/* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged. + * + * The intrinsic declaration are guarded with ACLE predefined macros in clang, + * and those macros are only enabled with command line. Define the macros can + * enable those declaration and avoid compile error on it. + */ +#define __ARM_FEATURE_SHA512 1 +#pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) +#define MBEDTLS_POP_TARGET_PRAGMA +#endif /* __aarch64__ && __clang__ && + !__ARM_FEATURE_SHA512 && __clang_major__ < 18 && + __clang_major__ >= 13 && __clang_minor__ > 0 && + __clang_patchlevel__ > 0 */ + #include "common.h" +#if defined(MBEDTLS_POP_TARGET_PRAGMA) && \ + !(defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)) +#if defined(__clang__) +#pragma clang attribute pop +#endif +#undef MBEDTLS_POP_TARGET_PRAGMA +#endif + #if defined(MBEDTLS_SHA512_C) || defined(MBEDTLS_SHA384_C) #include "mbedtls/sha512.h" @@ -68,17 +94,6 @@ __clang_patchlevel__ == 0) /* We implement the intrinsics with inline assembler, so don't error */ # else -# if __clang_major__ < 18 - /* TODO: Re-consider above after https://reviews.llvm.org/D131064 - * merged. - * - * The intrinsic declaration are guarded with ACLE predefined macros - * in clang, and those macros are only enabled with command line. - * Define the macros can enable those declaration and avoid compile - * error on it. - */ -# define __ARM_FEATURE_SHA512 1 -# endif # pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function) # define MBEDTLS_POP_TARGET_PRAGMA # endif From f7dccb303b0472ecc7a8071ec166b48fa70b2a39 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 16 Feb 2023 17:37:58 +0800 Subject: [PATCH 150/250] Remove limitation for sha256/512 arm64 accelerator Signed-off-by: Jerry Yu --- include/mbedtls/mbedtls_config.h | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 9ae51c964a..244dcca537 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3087,9 +3087,6 @@ * \note If MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT is defined when building * for a non-Aarch64 build it will be silently ignored. * - * \note The code uses Neon intrinsics, so \c CFLAGS must be set to a minimum - * of \c -march=armv8-a+crypto. - * * \warning MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT cannot be defined at the * same time as MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY. * @@ -3112,9 +3109,6 @@ * \note This allows builds with a smaller code size than with * MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT * - * \note The code uses Neon intrinsics, so \c CFLAGS must be set to a minimum - * of \c -march=armv8-a+crypto. - * * \warning MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY cannot be defined at the same * time as MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT. * @@ -3169,9 +3163,7 @@ * for a non-Aarch64 build it will be silently ignored. * * \note The code uses the SHA-512 Neon intrinsics, so requires GCC >= 8 or - * Clang >= 7, and \c CFLAGS must be set to a minimum of - * \c -march=armv8.2-a+sha3. An optimisation level of \c -O3 generates the - * fastest code. + * Clang >= 7. * * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT cannot be defined at the * same time as MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY. @@ -3196,9 +3188,7 @@ * MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT * * \note The code uses the SHA-512 Neon intrinsics, so requires GCC >= 8 or - * Clang >= 7, and \c CFLAGS must be set to a minimum of - * \c -march=armv8.2-a+sha3. An optimisation level of \c -O3 generates the - * fastest code. + * Clang >= 7. * * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY cannot be defined at the same * time as MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT. From 81b0b89a34eed11d7e5c3136d1f620d24e41e6f8 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 16 Feb 2023 06:55:10 -0500 Subject: [PATCH 151/250] Clarify comments on subjectAltName types Signed-off-by: Andrzej Kurek --- include/mbedtls/x509.h | 5 +++-- library/x509.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index 40b75a2b99..9f92ed6ac7 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -385,8 +385,9 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from); * \param san The target structure to populate with the parsed presentation * of the subject alternative name encoded in \p san_raw. * - * \note Only "dnsName", "uniformResourceIdentifier" and "otherName", - * as defined in RFC 5280, is supported. + * \note Supported GeneralName types, as defined in RFC 5280: + * "dnsName", "uniformResourceIdentifier" and "hardware_module_name" + * of type "otherName", as defined in RFC 4108. * * \note This function should be called on a single raw data of * subject alternative name. For example, after successful diff --git a/library/x509.c b/library/x509.c index 9f0dc6253b..b859df9d3a 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1227,8 +1227,9 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name, * nameAssigner [0] DirectoryString OPTIONAL, * partyName [1] DirectoryString } * - * NOTE: we list all types, but only use "dnsName", "otherName" and - * "uniformResourceIdentifier", as defined in RFC 5280, at this point. + * We list all types, but use the following GeneralName types from RFC 5280: + * "dnsName", "uniformResourceIdentifier" and "hardware_module_name" + * of type "otherName", as defined in RFC 4108. */ int mbedtls_x509_get_subject_alt_name(unsigned char **p, const unsigned char *end, From 93d9ca83ea6e91c7d24c8da980af832448a4151a Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 15 Feb 2023 18:14:21 +0000 Subject: [PATCH 152/250] Move num_ops ECP abstraction fully into internal implementation Signed-off-by: Paul Elliott --- include/psa/crypto_builtin_composites.h | 8 +++++-- library/psa_crypto.c | 24 +++++++++++++++---- library/psa_crypto_core.h | 22 ++++++++--------- library/psa_crypto_driver_wrappers.h | 4 ++-- .../psa_crypto_driver_wrappers.c.jinja | 20 ++++------------ 5 files changed, 42 insertions(+), 36 deletions(-) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index b23199afc2..9f23551eb1 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -117,6 +117,8 @@ typedef struct { mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx); mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx); + uint32_t MBEDTLS_PRIVATE(num_ops); + size_t MBEDTLS_PRIVATE(coordinate_bytes); psa_algorithm_t MBEDTLS_PRIVATE(alg); mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg); @@ -135,7 +137,7 @@ typedef struct { #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ defined(MBEDTLS_ECP_RESTARTABLE) -#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0 } +#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0, 0 } #else #define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 } #endif @@ -150,6 +152,8 @@ typedef struct { mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx); mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx); + uint32_t MBEDTLS_PRIVATE(num_ops); + uint8_t MBEDTLS_PRIVATE(hash)[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; size_t MBEDTLS_PRIVATE(hash_length); @@ -169,7 +173,7 @@ typedef struct { #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ defined(MBEDTLS_ECP_RESTARTABLE) -#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, { 0 }, \ +#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, { 0 }, \ { 0 } } #else #define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 } diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 2c6f108a16..39da74b489 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3487,13 +3487,16 @@ uint32_t mbedtls_psa_interruptible_get_max_ops(void) } uint32_t mbedtls_psa_sign_hash_get_num_ops( - const mbedtls_psa_sign_hash_interruptible_operation_t *operation) + mbedtls_psa_sign_hash_interruptible_operation_t *operation) { #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ defined(MBEDTLS_ECP_RESTARTABLE) - return operation->restart_ctx.ecp.ops_done; + /* Hide the fact that the restart context only holds a delta of number of + * ops done during the last operation, not an absolute value. */ + operation->num_ops += operation->restart_ctx.ecp.ops_done; + return operation->num_ops; #else (void) operation; return 0; @@ -3503,13 +3506,16 @@ uint32_t mbedtls_psa_sign_hash_get_num_ops( } uint32_t mbedtls_psa_verify_hash_get_num_ops( - const mbedtls_psa_verify_hash_interruptible_operation_t *operation) + mbedtls_psa_verify_hash_interruptible_operation_t *operation) { #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ defined(MBEDTLS_ECP_RESTARTABLE) - return operation->restart_ctx.ecp.ops_done; + /* Hide the fact that the restart context only holds a delta of number of + * ops done during the last operation, not an absolute value. */ + operation->num_ops += operation->restart_ctx.ecp.ops_done; + return operation->num_ops; #else (void) operation; return 0; @@ -3541,6 +3547,9 @@ psa_status_t mbedtls_psa_sign_hash_start( mbedtls_ecdsa_restart_init(&operation->restart_ctx); + /* Ensure num_ops is zero'ed in case of context re-use. */ + operation->num_ops = 0; + /* Ensure default is set even if * mbedtls_psa_interruptible_set_max_ops() has not been called. */ mbedtls_psa_interruptible_set_max_ops( @@ -3706,6 +3715,8 @@ psa_status_t mbedtls_psa_sign_hash_abort( mbedtls_ecdsa_restart_free(&operation->restart_ctx); + operation->num_ops = 0; + return PSA_SUCCESS; #else @@ -3747,6 +3758,9 @@ psa_status_t mbedtls_psa_verify_hash_start( mbedtls_mpi_init(&operation->r); mbedtls_mpi_init(&operation->s); + /* Ensure num_ops is zero'ed in case of context re-use. */ + operation->num_ops = 0; + /* Ensure default is set even if * mbedtls_psa_interruptible_set_max_ops() has not been called. */ mbedtls_psa_interruptible_set_max_ops( @@ -3864,6 +3878,8 @@ psa_status_t mbedtls_psa_verify_hash_abort( mbedtls_ecdsa_restart_free(&operation->restart_ctx); + operation->num_ops = 0; + mbedtls_mpi_free(&operation->r); mbedtls_mpi_free(&operation->s); diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 5648321b2f..0ef0131fa3 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -643,12 +643,11 @@ uint32_t mbedtls_psa_interruptible_get_max_ops(void); * zero. * * \note The signature of this function is that of a PSA driver - * sign_get_num_ops entry point, however it differs in behaviour from the - * driver function in that this function returns a delta of work done in - * the last call rather than all of the ops done ever by the whole - * operation, due to internal implementation differences. + * sign_hash_get_num_ops entry point. This function behaves as an + * sign_hash_get_num_ops entry point as defined in the PSA driver + * interface specification for transparent drivers. * - * \param[in] operation The \c + * \param operation The \c * mbedtls_psa_sign_hash_interruptible_operation_t * to use. This must be initialized first. * @@ -657,7 +656,7 @@ uint32_t mbedtls_psa_interruptible_get_max_ops(void); * mbedtls_psa_sign_hash_complete(). */ uint32_t mbedtls_psa_sign_hash_get_num_ops( - const mbedtls_psa_sign_hash_interruptible_operation_t *operation); + mbedtls_psa_sign_hash_interruptible_operation_t *operation); /** * \brief Get the number of ops that a hash verification operation has taken for @@ -665,12 +664,11 @@ uint32_t mbedtls_psa_sign_hash_get_num_ops( * return zero. * * \note The signature of this function is that of a PSA driver - * verify_get_num_ops entry point however it differs in behaviour from the - * driver function in that this function returns a delta of work done in - * the last call rather than all of the ops done ever by the whole - * operation, due to internal implementation differences. + * verify_hash_get_num_ops entry point. This function behaves as an + * verify_hash_get_num_ops entry point as defined in the PSA driver + * interface specification for transparent drivers. * - * \param[in] operation The \c + * \param operation The \c * mbedtls_psa_verify_hash_interruptible_operation_t * to use. This must be initialized first. * @@ -679,7 +677,7 @@ uint32_t mbedtls_psa_sign_hash_get_num_ops( * mbedtls_psa_verify_hash_complete(). */ uint32_t mbedtls_psa_verify_hash_get_num_ops( - const mbedtls_psa_verify_hash_interruptible_operation_t *operation); + mbedtls_psa_verify_hash_interruptible_operation_t *operation); /** * \brief Start signing a hash or short message with a private key, in an diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index 26df088352..e3edec791e 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -75,10 +75,10 @@ void psa_driver_wrapper_interruptible_set_max_ops(uint32_t max_ops); uint32_t psa_driver_wrapper_interruptible_get_max_ops(void); uint32_t psa_driver_wrapper_sign_hash_get_num_ops( - const psa_sign_hash_interruptible_operation_t *operation); + psa_sign_hash_interruptible_operation_t *operation); uint32_t psa_driver_wrapper_verify_hash_get_num_ops( - const psa_verify_hash_interruptible_operation_t *operation); + psa_verify_hash_interruptible_operation_t *operation); psa_status_t psa_driver_wrapper_sign_hash_start( psa_sign_hash_interruptible_operation_t *operation, diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index a8a8991a27..b35e726a0c 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -452,7 +452,7 @@ uint32_t psa_driver_wrapper_interruptible_get_max_ops( void ) } uint32_t psa_driver_wrapper_sign_hash_get_num_ops( - const psa_sign_hash_interruptible_operation_t *operation ) + psa_sign_hash_interruptible_operation_t *operation ) { switch( operation->id ) { @@ -461,13 +461,7 @@ uint32_t psa_driver_wrapper_sign_hash_get_num_ops( return 0; case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - /* Internal implementation returns a delta of ops completed in the - * last call to complete(), so need to add in ops already completed - * before this.*/ - return( operation->num_ops + - mbedtls_psa_sign_hash_get_num_ops( - &operation->ctx.mbedtls_ctx ) - ); + return(mbedtls_psa_sign_hash_get_num_ops(&operation->ctx.mbedtls_ctx)); #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) @@ -481,7 +475,7 @@ uint32_t psa_driver_wrapper_sign_hash_get_num_ops( } uint32_t psa_driver_wrapper_verify_hash_get_num_ops( - const psa_verify_hash_interruptible_operation_t *operation ) + psa_verify_hash_interruptible_operation_t *operation ) { switch( operation->id ) { @@ -490,13 +484,7 @@ uint32_t psa_driver_wrapper_verify_hash_get_num_ops( return 0; case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - /* Internal implementation returns a delta of ops completed in the - * last call to complete(), so need to add in ops already completed - * before this.*/ - return ( operation->num_ops + - mbedtls_psa_verify_hash_get_num_ops( - &operation->ctx.mbedtls_ctx ) - ); + return (mbedtls_psa_verify_hash_get_num_ops(&operation->ctx.mbedtls_ctx)); #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) From ba70ad49446e3e814cb3dc0413b3956ade0e3265 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 15 Feb 2023 18:23:53 +0000 Subject: [PATCH 153/250] Add safety for keys larger than we currently support. Prevent buffer overflow with keys whos grp.nbits is greater than PSA_VENDOR_ECC_MAX_CURVE_BITS. Signed-off-by: Paul Elliott --- library/psa_crypto.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 39da74b489..36d48ad8f2 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3577,6 +3577,11 @@ psa_status_t mbedtls_psa_sign_hash_start( required_hash_length = (hash_length < operation->coordinate_bytes ? hash_length : operation->coordinate_bytes); + if (required_hash_length > sizeof(operation->hash)) { + /* Shouldn't happen, but better safe than sorry. */ + return PSA_ERROR_CORRUPTION_DETECTED; + } + memcpy(operation->hash, hash, required_hash_length); operation->hash_length = required_hash_length; @@ -3812,6 +3817,11 @@ psa_status_t mbedtls_psa_verify_hash_start( required_hash_length = (hash_length < coordinate_bytes ? hash_length : coordinate_bytes); + if (required_hash_length > sizeof(operation->hash)) { + /* Shouldn't happen, but better safe than sorry. */ + return PSA_ERROR_CORRUPTION_DETECTED; + } + memcpy(operation->hash, hash, required_hash_length); operation->hash_length = required_hash_length; From f1743e2440e7f5e3b702195aeaf846e2cec5e33b Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 15 Feb 2023 18:44:16 +0000 Subject: [PATCH 154/250] Add verify call to max ops tests Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 31 ++++++++++++++++++--- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index fd355de9a4..5379eafd10 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -7484,8 +7484,13 @@ void interruptible_signverify_hash_maxops_tests(int key_type_arg, psa_key_type_t key_type = key_type_arg; psa_algorithm_t alg = alg_arg; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + size_t key_bits; + unsigned char *signature = NULL; + size_t signature_size; psa_sign_hash_interruptible_operation_t sign_operation = psa_sign_hash_interruptible_operation_init(); + psa_verify_hash_interruptible_operation_t verify_operation = + psa_verify_hash_interruptible_operation_init(); PSA_ASSERT(psa_crypto_init()); @@ -7494,8 +7499,17 @@ void interruptible_signverify_hash_maxops_tests(int key_type_arg, psa_set_key_algorithm(&attributes, alg); psa_set_key_type(&attributes, key_type); - PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, - &key)); + PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, &key)); + PSA_ASSERT(psa_get_key_attributes(key, &attributes)); + key_bits = psa_get_key_bits(&attributes); + + /* Allocate a buffer which has the size advertised by the + * library. */ + signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg); + + TEST_ASSERT(signature_size != 0); + TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); + ASSERT_ALLOC(signature, signature_size); /* Check that default max ops gets set if we don't set it. */ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, @@ -7506,12 +7520,20 @@ void interruptible_signverify_hash_maxops_tests(int key_type_arg, PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, + input_data->x, input_data->len, + signature, signature_size)); + + TEST_EQUAL(psa_interruptible_get_max_ops(), + PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); + + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + /* Check that max ops gets set properly. */ psa_interruptible_set_max_ops(0xbeef); - TEST_EQUAL(psa_interruptible_get_max_ops(), - 0xbeef); + TEST_EQUAL(psa_interruptible_get_max_ops(), 0xbeef); exit: /* @@ -7521,6 +7543,7 @@ exit: psa_reset_key_attributes(&attributes); psa_destroy_key(key); + mbedtls_free(signature); PSA_DONE(); } /* END_CASE */ From 21c395113983e621dd92a56b35e30d1daca4f33f Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 15 Feb 2023 19:47:39 +0000 Subject: [PATCH 155/250] Add reference to mbedtls_ecp_set_max_ops() to docs Signed-off-by: Paul Elliott --- include/psa/crypto.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index d371e1a1c8..80bf5c9690 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4165,6 +4165,12 @@ typedef struct psa_verify_hash_interruptible_operation_s psa_verify_hash_interru * or equals as regards to ops executed in a * single call is implementation defined. * + * \note For keys in local storage when no accelerator + * driver applies, please see also the + * documentation for \c mbedtls_ecp_set_max_ops(), + * which is the internal implementation in these + * cases. + * * \warning With implementations that interpret this number * as a hard limit, setting this number too small * may result in an infinite loop, whereby each From 5686533ba23aee02e21861e598e0b9119894f840 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 15 Feb 2023 22:57:44 +0000 Subject: [PATCH 156/250] Add warning to mbedtls_ecp_set_max_ops() Using PSA interruptible interfaces will cause previously set values to be overwritten. Signed-off-by: Paul Elliott --- include/mbedtls/ecp.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 7a28a19573..1590ef21e5 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -472,6 +472,12 @@ mbedtls_ecp_keypair; * only enabled for specific sides and key exchanges * (currently only for clients and ECDHE-ECDSA). * + * \warning Using the PSA interruptible interfaces with keys in local + * storage and no accelerator driver will also call this + * function to set the values specified via those interfaces, + * overwriting values previously set. Care should be taken if + * mixing these two interfaces. + * * \param max_ops Maximum number of basic operations done in a row. * Default: 0 (unlimited). * Lower (non-zero) values mean ECC functions will block for From 96b89b208a7f42d9b02c29b8be57925af4aba9a5 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 15 Feb 2023 23:10:37 +0000 Subject: [PATCH 157/250] Add comment to indicate non-PSA spec assertion. Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 5379eafd10..c79217fbe6 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6539,6 +6539,10 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data, if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) { num_ops = psa_sign_hash_get_num_ops(&operation); + /* We are asserting here that every complete makes progress + * (completes some ops), which is true of the internal + * implementation and probably any implementation, however this is + * not mandated by the PSA specification. */ TEST_ASSERT(num_ops > num_ops_prior); num_ops_prior = num_ops; @@ -6694,6 +6698,10 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, if (actual_status == PSA_SUCCESS || actual_status == PSA_OPERATION_INCOMPLETE) { num_ops = psa_sign_hash_get_num_ops(&operation); + /* We are asserting here that every complete makes progress + * (completes some ops), which is true of the internal + * implementation and probably any implementation, however this is + * not mandated by the PSA specification. */ TEST_ASSERT(num_ops > num_ops_prior); num_ops_prior = num_ops; @@ -7022,6 +7030,10 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data, if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) { num_ops = psa_verify_hash_get_num_ops(&operation); + /* We are asserting here that every complete makes progress + * (completes some ops), which is true of the internal + * implementation and probably any implementation, however this is + * not mandated by the PSA specification. */ TEST_ASSERT(num_ops > num_ops_prior); num_ops_prior = num_ops; @@ -7151,6 +7163,10 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, if (actual_status == PSA_SUCCESS || actual_status == PSA_OPERATION_INCOMPLETE) { num_ops = psa_verify_hash_get_num_ops(&operation); + /* We are asserting here that every complete makes progress + * (completes some ops), which is true of the internal + * implementation and probably any implementation, however this is + * not mandated by the PSA specification. */ TEST_ASSERT(num_ops > num_ops_prior); num_ops_prior = num_ops; From 0af1b5367b362d3c33eb540ed3a58cfdb7ab742d Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 15 Feb 2023 23:25:54 +0000 Subject: [PATCH 158/250] Remove some abbrevations from test descriptions. Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 74 ++++++++++++------------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 9511d1f5c5..697cdd7b7e 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4145,19 +4145,19 @@ PSA sign hash: deterministic ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f" -PSA sgn hash int (ops=inf): det ECDSA SECP256R1 SHA-256 +PSA sign hash int (ops=inf): det ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-256 +PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":1 -PSA sgn hash int (ops=inf) det ECDSA SECP256R1 SHA-384 +PSA sign hash int (ops=inf) det ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-384 +PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":1 @@ -4233,47 +4233,47 @@ PSA sign hash: deterministic ECDSA not supported depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED -PSA Sgn hash int (ops=inf): det ECDSA SECP256R1 SHA-256, out buf too small +PSA sign hash int (ops=inf): det ECDSA SECP256R1 SHA-256, out buf too small depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-256, out buf too small +PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-256, out buf too small depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1 -PSA sgn hash int(ops=inf): deterministic ECDSA SECP256R1 SHA-256, empty output buffer +PSA sign hash int (ops=inf): det ECDSA SECP256R1 SHA-256, empty out buf depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn hash int (ops=min): det ECDSA SECP256R1 SHA-256, empty out buf +PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-256, empty out buf depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1 -PSA sgn hash int (ops=inf): det ECDSA SECP256R1, invld hash alg (0) +PSA sign hash int (ops=inf): det ECDSA SECP256R1, invld hash alg (0) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn hash int (ops=min): det ECDSA SECP256R1, invld hash alg (0) +PSA sign hash int (ops=min): det ECDSA SECP256R1, invld hash alg (0) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:1 -PSA sgn hash int: det ECDSA SECP256R1, invld hash alg (wildcard) +PSA sign hash int: det ECDSA SECP256R1, invld hash alg (wildcard) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn hash int: invld alg for ECC key +PSA sign hash int: invld alg for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn hash int: ECDSA not supported +PSA sign hash int: ECDSA not supported depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn hash int (ops=inf): det ECDSA not supported +PSA sign hash int (ops=inf): det ECDSA not supported depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn hash int (ops=min): det ECDSA not supported +PSA sign hash int (ops=min): det ECDSA not supported depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:1 @@ -4317,51 +4317,51 @@ PSA sign/verify hash: deterministic ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" -PSA sgn/vrfy hash int (ops=inf): randomized ECDSA SECP256R1 SHA-256 +PSA sign/vrfy hash int (ops=inf): rand ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn/vrfy hash int (ops=min): randomized ECDSA SECP256R1 SHA-256 +PSA sign/vrfy hash int (ops=min): rand ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 -PSA sgn/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-256 +PSA sign/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-256 +PSA sign/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 -PSA sgn/vrfy hash int (ops=inf): randomized ECDSA SECP256R1 SHA-384 +PSA sign/vrfy hash int (ops=inf): rand ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn/vrfy hash int (ops=min): randomized ECDSA SECP256R1 SHA-384 +PSA sign/vrfy hash int (ops=min): rand ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1 -PSA sgn/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-384 +PSA sign/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-384 +PSA sign/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1 -PSA sgn/vrfy hash int (ops=inf): randomized ECDSA SECP384R1 SHA-256 +PSA sign/vrfy hash int (ops=inf): rand ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn/vrfy hash int (ops=min): randomized ECDSA SECP384R1 SHA-256 +PSA sign/vrfy hash int (ops=min): rand ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 -PSA sgn/vrfy hash int (ops=inf): det ECDSA SECP384R1 SHA-256 +PSA sign/vrfy hash int (ops=inf): det ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn/vrfy hash int (ops=min): det ECDSA SECP384R1 SHA-256 +PSA sign/vrfy hash int (ops=min): det ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 @@ -4521,31 +4521,31 @@ PSA verify hash: invalid algorithm for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT -PSA vrfy hash int: ECDSA SECP256R1, wrng sig size (correct but ASN1-encoded) +PSA vrfy hash int: ECDSA SECP256R1, wrong sig size (correct but ASN1-encoded) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA vrfy hash int (ops=inf): ECDSA SECP256R1, wrng sig of correct size +PSA vrfy hash int (ops=inf): ECDSA SECP256R1, wrong sig of correct size depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA vrfy hash int (ops=min): ECDSA SECP256R1, wrng sig of correct size +PSA vrfy hash int (ops=min): ECDSA SECP256R1, wrong sig of correct size depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:1 -PSA vrfy hash int: ECDSA SECP256R1, wrng sig (empty) +PSA vrfy hash int: ECDSA SECP256R1, wrong sig (empty) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA vrfy hash int: ECDSA SECP256R1, wrng sig (truncated) +PSA vrfy hash int: ECDSA SECP256R1, wrong sig (truncated) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA vrfy hash int: ECDSA SECP256R1, wrng sig (trailing junk) +PSA vrfy hash int: ECDSA SECP256R1, wrong sig (trailing junk) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA vrfy hash int: ECDSA SECP256R1, wrng sig (leading junk) +PSA vrfy hash int: ECDSA SECP256R1, wrong sig (leading junk) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED @@ -4553,15 +4553,15 @@ PSA vrfy hash int: invld alg for ECC key depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED -PSA sgn/vrfy hash int state test: randomized ECDSA SECP256R1 SHA-256 +PSA sign/vrfy hash int state test: randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 interruptible_signverify_hash_state_test:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" -PSA sgn/vrfy hash int neg tests: randomized ECDSA SECP256R1 SHA-256 +PSA sign/vrfy hash int neg tests: randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 interruptible_signverify_hash_negative_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" -PSA sgn/vrfy hash int max ops tests: randomized ECDSA SECP256R1 SHA-256 +PSA sign/vrfy hash int max ops tests: randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 interruptible_signverify_hash_maxops_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" From c5874db5b079d491316b298724eff0702d10398c Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 16 Feb 2023 16:14:46 +0000 Subject: [PATCH 159/250] Add test-case for signature over zero-length data Signed-off-by: Dave Rodgman --- tests/data_files/Makefile | 9 +++++++++ tests/data_files/pkcs7_zerolendata.bin | 0 tests/data_files/pkcs7_zerolendata_detached.der | Bin 0 -> 435 bytes tests/suites/test_suite_pkcs7.data | 4 ++++ tests/suites/test_suite_pkcs7.function | 3 ++- 5 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 tests/data_files/pkcs7_zerolendata.bin create mode 100644 tests/data_files/pkcs7_zerolendata_detached.der diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 070f538fe8..6680bf944a 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1205,6 +1205,10 @@ $(pkcs7_test_file): echo -e "Hello\xd" > $@ all_final += $(pkcs7_test_file) +pkcs7_zerolendata.bin: + printf '' > $@ +all_final += pkcs7_zerolendata.bin + pkcs7_data_1.bin: echo -e "2\xd" > $@ all_final += pkcs7_data_1.bin @@ -1238,6 +1242,11 @@ pkcs7-rsa-sha256-2.der: $(pkcs7_test_cert_2) $(OPENSSL) x509 -in pkcs7-rsa-sha256-2.crt -out $@ -outform DER all_final += pkcs7-rsa-sha256-2.der +# pkcs7 signature file over zero-len data +pkcs7_zerolendata_detached.der: pkcs7_zerolendata.bin pkcs7-rsa-sha256-1.key pkcs7-rsa-sha256-1.crt + $(OPENSSL) smime -sign -md sha256 -nocerts -noattr -in pkcs7_zerolendata.bin -inkey pkcs7-rsa-sha256-1.key -outform DER -binary -signer pkcs7-rsa-sha256-1.crt -out pkcs7_zerolendata_detached.der +all_final += pkcs7_zerolendata_detached.der + # pkcs7 signature file with CERT pkcs7_data_cert_signed_sha256.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ diff --git a/tests/data_files/pkcs7_zerolendata.bin b/tests/data_files/pkcs7_zerolendata.bin new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/data_files/pkcs7_zerolendata_detached.der b/tests/data_files/pkcs7_zerolendata_detached.der new file mode 100644 index 0000000000000000000000000000000000000000..2a389ab484991c53322dc87f998c23666c7f40d8 GIT binary patch literal 435 zcmXqLVqDM0snzDu_MMlJooPW6;{t;w#yL!kjE4LMylk8aZ61uN%q&cdtPBR+2!)J> zO^oG0g~dRH20jKRhTI06Y|No7Y{E=_K8Ab-JRlAi4{Lz8bFjIgsDUtu&&B(8VOS!kJ#%#A}``N(1;c{&~>lHDkH?uEo%Mn-I)RcHtyiZfMa^p+ZsUNpi zPgR!4Nqe^XP|J(iZ9iYV4VC)5eD}1>LYA_Ut0%UoTPg6KocZ~>nDc7CFrFCCvQ4f5 z&!6=E=2F~OeeSW~iYJ$z8m>7r$$s(fnJ=H)XRc*m#@BnKV2R)M=?|hk7C)IVU>KY#=_d1=v@T Date: Thu, 16 Feb 2023 16:23:09 +0000 Subject: [PATCH 160/250] Adjust position of empty line Signed-off-by: Dave Rodgman --- library/pkcs7.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 60d1175289..ba43f49715 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -684,8 +684,8 @@ static int mbedtls_pkcs7_data_or_hash_verify(mbedtls_pkcs7 *pkcs7, if (hash == NULL) { return MBEDTLS_ERR_PKCS7_ALLOC_FAILED; } - /* BEGIN must free hash before jumping out */ + /* BEGIN must free hash before jumping out */ if (is_data_hash) { if (datalen != mbedtls_md_get_size(md_info)) { ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; From d652dce9eacad8eba19b0f54abbcfd6cb8a5a64e Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 16 Feb 2023 16:39:34 +0000 Subject: [PATCH 161/250] Add failing test case (invalid signature) for zero-length data Signed-off-by: Dave Rodgman --- tests/suites/test_suite_pkcs7.data | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index 70233ded7a..9948537aa2 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data @@ -42,6 +42,10 @@ PKCS7 Signed Data Verification Pass zero-len data depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C pkcs7_verify:"data_files/pkcs7_zerolendata_detached.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_zerolendata.bin":0:0 +PKCS7 Signed Data Verification Fail zero-len data +depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C +pkcs7_verify:"data_files/pkcs7_zerolendata_detached.der":"data_files/pkcs7-rsa-sha256-2.der":"data_files/pkcs7_zerolendata.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED + PKCS7 Signed Data Verification Pass SHA256 #9 depends_on:MBEDTLS_SHA256_C pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0 From ac70ad657650580e4b3dbc7425f52d4360cf863c Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Thu, 16 Feb 2023 19:31:21 +0100 Subject: [PATCH 162/250] Fix coding style Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 85d634ab01..1a027d6aa3 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5216,7 +5216,7 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs) mbedtls_mpi_uint carry = 0; if (X_limbs != 2 * P521_WIDTH || X[2 * P521_WIDTH - 1] != 0) { - return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; } /* Step 1: Reduction to P521_WIDTH limbs */ From f8e5b56ad8395f7da9d496c5a21b3334e40c8047 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Sun, 19 Feb 2023 18:43:45 +0000 Subject: [PATCH 163/250] Fix get_num_ops internal code. Previously calling get_num_ops more than once would have ended up with ops getting double counted, and not calling inbetween completes would have ended up with ops getting missed. Fix this by moving this to where the work is actually done, and add tests for double calls to get_num_ops(). Signed-off-by: Paul Elliott --- library/psa_crypto.c | 23 +++++++++++++-------- library/psa_crypto_core.h | 4 ++-- tests/suites/test_suite_psa_crypto.function | 12 +++++++++++ 3 files changed, 28 insertions(+), 11 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 36d48ad8f2..3ec9273de9 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3487,15 +3487,12 @@ uint32_t mbedtls_psa_interruptible_get_max_ops(void) } uint32_t mbedtls_psa_sign_hash_get_num_ops( - mbedtls_psa_sign_hash_interruptible_operation_t *operation) + const mbedtls_psa_sign_hash_interruptible_operation_t *operation) { #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ defined(MBEDTLS_ECP_RESTARTABLE) - /* Hide the fact that the restart context only holds a delta of number of - * ops done during the last operation, not an absolute value. */ - operation->num_ops += operation->restart_ctx.ecp.ops_done; return operation->num_ops; #else (void) operation; @@ -3506,15 +3503,12 @@ uint32_t mbedtls_psa_sign_hash_get_num_ops( } uint32_t mbedtls_psa_verify_hash_get_num_ops( - mbedtls_psa_verify_hash_interruptible_operation_t *operation) + const mbedtls_psa_verify_hash_interruptible_operation_t *operation) { #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ defined(MBEDTLS_ECP_RESTARTABLE) - /* Hide the fact that the restart context only holds a delta of number of - * ops done during the last operation, not an absolute value. */ - operation->num_ops += operation->restart_ctx.ecp.ops_done; return operation->num_ops; #else (void) operation; @@ -3657,6 +3651,10 @@ psa_status_t mbedtls_psa_sign_hash_complete( &operation->restart_ctx)); } + /* Hide the fact that the restart context only holds a delta of number of + * ops done during the last operation, not an absolute value. */ + operation->num_ops += operation->restart_ctx.ecp.ops_done; + if (status == PSA_SUCCESS) { status = mbedtls_to_psa_error( mbedtls_mpi_write_binary(&r, @@ -3853,7 +3851,9 @@ psa_status_t mbedtls_psa_verify_hash_complete( defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ defined(MBEDTLS_ECP_RESTARTABLE) - return mbedtls_to_psa_error( + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + status = mbedtls_to_psa_error( mbedtls_ecdsa_verify_restartable(&operation->ctx->grp, operation->hash, operation->hash_length, @@ -3862,6 +3862,11 @@ psa_status_t mbedtls_psa_verify_hash_complete( &operation->s, &operation->restart_ctx)); + /* Hide the fact that the restart context only holds a delta of number of + * ops done during the last operation, not an absolute value. */ + operation->num_ops += operation->restart_ctx.ecp.ops_done; + + return status; #else (void) operation; diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 0ef0131fa3..b1817e2da9 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -656,7 +656,7 @@ uint32_t mbedtls_psa_interruptible_get_max_ops(void); * mbedtls_psa_sign_hash_complete(). */ uint32_t mbedtls_psa_sign_hash_get_num_ops( - mbedtls_psa_sign_hash_interruptible_operation_t *operation); + const mbedtls_psa_sign_hash_interruptible_operation_t *operation); /** * \brief Get the number of ops that a hash verification operation has taken for @@ -677,7 +677,7 @@ uint32_t mbedtls_psa_sign_hash_get_num_ops( * mbedtls_psa_verify_hash_complete(). */ uint32_t mbedtls_psa_verify_hash_get_num_ops( - mbedtls_psa_verify_hash_interruptible_operation_t *operation); + const mbedtls_psa_verify_hash_interruptible_operation_t *operation); /** * \brief Start signing a hash or short message with a private key, in an diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index c79217fbe6..20e43c6ac7 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6546,6 +6546,12 @@ void sign_hash_interruptible(int key_type_arg, data_t *key_data, TEST_ASSERT(num_ops > num_ops_prior); num_ops_prior = num_ops; + + /* Ensure calling get_num_ops() twice still returns the same + * number of ops as previously reported. */ + num_ops = psa_sign_hash_get_num_ops(&operation); + + TEST_EQUAL(num_ops, num_ops_prior); } } while (status == PSA_OPERATION_INCOMPLETE); @@ -7037,6 +7043,12 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data, TEST_ASSERT(num_ops > num_ops_prior); num_ops_prior = num_ops; + + /* Ensure calling get_num_ops() twice still returns the same + * number of ops as previously reported. */ + num_ops = psa_verify_hash_get_num_ops(&operation); + + TEST_EQUAL(num_ops, num_ops_prior); } } while (status == PSA_OPERATION_INCOMPLETE); From 1c0e4c013a18ae03b7f76d3bee4c78aae75ba3fc Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 20 Feb 2023 18:05:21 +0800 Subject: [PATCH 164/250] compat.sh: skip static ECDH cases if unsupported in openssl This commit add support to detect if openssl used for testing supports static ECDH key exchange. Skip the ciphersutes if openssl doesn't support them. Signed-off-by: Pengyu Lv --- tests/compat.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/compat.sh b/tests/compat.sh index 8f7d72c7b6..6c58a1befb 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -534,6 +534,15 @@ add_mbedtls_ciphersuites() esac } +# o_check_ciphersuite STANDARD_CIPHER_SUITE +o_check_ciphersuite() +{ + if [ "${1#*ECDH_ECDSA*}" != "$1" ] && \ + [ "X${O_SUPPORT_ECDH}" = "XNO" ]; then + SKIP_NEXT="YES" + fi +} + setup_arguments() { O_MODE="" @@ -603,6 +612,11 @@ setup_arguments() ;; esac + case $($OPENSSL ciphers ALL) in + *ECDH-ECDSA*) O_SUPPORT_ECDH="YES";; + *)O_SUPPORT_ECDH="NO";; + esac + if [ "X$VERIFY" = "XYES" ]; then M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" @@ -1033,6 +1047,7 @@ for MODE in $MODES; do start_server "OpenSSL" translate_ciphers m $M_CIPHERS for i in $ciphers; do + o_check_ciphersuite "$i" run_client mbedTLS ${i%%=*} ${i#*=} done stop_server From d2ca8023293c6f263c1cb08f578c90899a14e38e Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 3 Feb 2023 19:07:39 +0000 Subject: [PATCH 165/250] ecp_curves: Added `mbedtls_ecp_modulus_setup()`. This patch introduces a new static method, responsible for automatically initialising an modulus structure, based on the curve id and a modulus type selector. Signed-off-by: Minos Galanakis --- include/mbedtls/ecp.h | 8 ++ library/ecp_curves.c | 200 +++++++++++++++++++++++++++++++++++++++++- 2 files changed, 207 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 7a28a19573..20b663e794 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -141,6 +141,14 @@ typedef enum { MBEDTLS_ECP_TYPE_MONTGOMERY, /* y^2 = x^3 + a x^2 + x */ } mbedtls_ecp_curve_type; +/* + * Curve moduli types + */ +typedef enum { + MBEDTLS_ECP_MOD_COORDINATE = 0, + MBEDTLS_ECP_MOD_SCALAR +} mbedtls_ecp_modulus_type; + /** * Curve information, for use by other modules. * diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 1a027d6aa3..d4d8c089e5 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5534,6 +5534,204 @@ static int ecp_mod_p256k1(mbedtls_mpi *N) } #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ -#endif /* !MBEDTLS_ECP_ALT */ +#if defined(MBEDTLS_TEST_HOOKS) +/** Initialise a modulus with hard-coded const curve data. + * + * \param[out] N The address of the modulus structure to populate. + * Must be initialized. + * \param[in] id The mbedtls_ecp_group_id for which to initialise the modulus. + * \param[in] ctype The mbedtls_ecp_curve_type identifier for a coordinate modulus (P) + * or a scalar modulus (N). + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the given MPIs do not + * have the correct number of limbs. + * + * \note The caller is responsible for the \p N moduli lifecycle. + * + */ +MBEDTLS_STATIC_TESTABLE +int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N, + const mbedtls_ecp_group_id id, + const mbedtls_ecp_curve_type ctype) +{ + mbedtls_mpi_uint *p = NULL; + size_t p_limbs; + + if (!(ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE || \ + ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_SCALAR)) { + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + } + + switch (id) { +#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) + case MBEDTLS_ECP_DP_SECP192R1: + if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) { + p = (mbedtls_mpi_uint *) secp192r1_p; + p_limbs = CHARS_TO_LIMBS(sizeof(secp192r1_p)); + } else { + p = (mbedtls_mpi_uint *) secp192r1_n; + p_limbs = CHARS_TO_LIMBS(sizeof(secp192r1_n)); + } + break; +#endif + +#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) + case MBEDTLS_ECP_DP_SECP224R1: + if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) { + p = (mbedtls_mpi_uint *) secp224r1_p; + p_limbs = CHARS_TO_LIMBS(sizeof(secp224r1_p)); + } else { + p = (mbedtls_mpi_uint *) secp224r1_n; + p_limbs = CHARS_TO_LIMBS(sizeof(secp224r1_n)); + } + break; +#endif + +#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) + case MBEDTLS_ECP_DP_SECP256R1: + if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) { + p = (mbedtls_mpi_uint *) secp256r1_p; + p_limbs = CHARS_TO_LIMBS(sizeof(secp256r1_p)); + } else { + p = (mbedtls_mpi_uint *) secp256r1_n; + p_limbs = CHARS_TO_LIMBS(sizeof(secp256r1_n)); + } + break; +#endif + +#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) + case MBEDTLS_ECP_DP_SECP384R1: + if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) { + p = (mbedtls_mpi_uint *) secp384r1_p; + p_limbs = CHARS_TO_LIMBS(sizeof(secp384r1_p)); + } else { + p = (mbedtls_mpi_uint *) secp384r1_n; + p_limbs = CHARS_TO_LIMBS(sizeof(secp384r1_n)); + } + break; +#endif + +#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) + case MBEDTLS_ECP_DP_SECP521R1: + if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) { + p = (mbedtls_mpi_uint *) secp521r1_p; + p_limbs = CHARS_TO_LIMBS(sizeof(secp521r1_p)); + } else { + p = (mbedtls_mpi_uint *) secp521r1_n; + p_limbs = CHARS_TO_LIMBS(sizeof(secp521r1_n)); + } + break; +#endif + +#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) + case MBEDTLS_ECP_DP_BP256R1: + if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) { + p = (mbedtls_mpi_uint *) brainpoolP256r1_p; + p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP256r1_p)); + } else { + p = (mbedtls_mpi_uint *) brainpoolP256r1_n; + p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP256r1_n)); + } + break; +#endif + +#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) + case MBEDTLS_ECP_DP_BP384R1: + if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) { + p = (mbedtls_mpi_uint *) brainpoolP384r1_p; + p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP384r1_p)); + } else { + p = (mbedtls_mpi_uint *) brainpoolP384r1_n; + p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP384r1_n)); + } + break; +#endif + +#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) + case MBEDTLS_ECP_DP_BP512R1: + if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) { + p = (mbedtls_mpi_uint *) brainpoolP512r1_p; + p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP512r1_p)); + } else { + p = (mbedtls_mpi_uint *) brainpoolP512r1_n; + p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP512r1_n)); + } + break; +#endif + +#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) + case MBEDTLS_ECP_DP_CURVE25519: + if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) { + p = (mbedtls_mpi_uint *) curve25519_p; + p_limbs = CHARS_TO_LIMBS(sizeof(curve25519_p)); + } else { + p = (mbedtls_mpi_uint *) curve25519_n; + p_limbs = CHARS_TO_LIMBS(sizeof(curve25519_n)); + } + break; +#endif + +#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) + case MBEDTLS_ECP_DP_SECP192K1: + if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) { + p = (mbedtls_mpi_uint *) secp192k1_p; + p_limbs = CHARS_TO_LIMBS(sizeof(secp192k1_p)); + } else { + p = (mbedtls_mpi_uint *) secp192k1_n; + p_limbs = CHARS_TO_LIMBS(sizeof(secp192k1_n)); + } + break; +#endif + +#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) + case MBEDTLS_ECP_DP_SECP224K1: + if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) { + p = (mbedtls_mpi_uint *) secp224k1_p; + p_limbs = CHARS_TO_LIMBS(sizeof(secp224k1_p)); + } else { + p = (mbedtls_mpi_uint *) secp224k1_n; + p_limbs = CHARS_TO_LIMBS(sizeof(secp224k1_n)); + } + break; +#endif + +#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) + case MBEDTLS_ECP_DP_SECP256K1: + if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) { + p = (mbedtls_mpi_uint *) secp256k1_p; + p_limbs = CHARS_TO_LIMBS(sizeof(secp256k1_p)); + } else { + p = (mbedtls_mpi_uint *) secp256k1_n; + p_limbs = CHARS_TO_LIMBS(sizeof(secp256k1_n)); + } + break; +#endif + +#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) + case MBEDTLS_ECP_DP_CURVE448: + if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) { + p = (mbedtls_mpi_uint *) curve448_p; + p_limbs = CHARS_TO_LIMBS(sizeof(curve448_p)); + } else { + p = (mbedtls_mpi_uint *) curve448_n; + p_limbs = CHARS_TO_LIMBS(sizeof(curve448_n)); + } + break; +#endif + + default: + case MBEDTLS_ECP_DP_NONE: + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + } + + if (mbedtls_mpi_mod_modulus_setup(N, p, p_limbs, + MBEDTLS_MPI_MOD_REP_MONTGOMERY)) { + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + } + return 0; +} +#endif /* MBEDTLS_TEST_HOOKS */ +#endif /* !MBEDTLS_ECP_ALT */ #endif /* MBEDTLS_ECP_C */ From dd556921c9cbcec5ba053d85f8ee014cae8acac6 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 3 Feb 2023 19:12:21 +0000 Subject: [PATCH 166/250] ecp_curves: Exposed `mbedtls_ecp_modulus_setup()` through `ecp_invasive.h` Signed-off-by: Minos Galanakis --- library/ecp_invasive.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index 3d1321c525..10aa34bb17 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h @@ -28,6 +28,7 @@ #include "common.h" #include "mbedtls/bignum.h" +#include "bignum_mod.h" #include "mbedtls/ecp.h" #if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_ECP_C) @@ -117,6 +118,11 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs); #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ +MBEDTLS_STATIC_TESTABLE +int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N, + const mbedtls_ecp_group_id id, + const mbedtls_ecp_curve_type ctype); + #endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_ECP_C */ #endif /* MBEDTLS_ECP_INVASIVE_H */ From 9a1d02d738243c3b01b0bdd0351adce1722d9e84 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 3 Feb 2023 19:14:56 +0000 Subject: [PATCH 167/250] test_suite_ecp: Added test for `mbedtls_ecp_modulus_setup()` Signed-off-by: Minos Galanakis --- tests/suites/test_suite_ecp.function | 41 ++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index 4e74d9b8eb..96537c2b3b 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -1,5 +1,6 @@ /* BEGIN_HEADER */ #include "mbedtls/ecp.h" +#include "ecp_invasive.h" #include "mbedtls/ecdsa.h" #include "mbedtls/ecdh.h" @@ -1387,3 +1388,43 @@ exit: mbedtls_free(N); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */ +void ecp_mod_setup(char *input_A, int id, int ctype, int iret) +{ + int ret; + mbedtls_mpi_mod_modulus m; + mbedtls_mpi_mod_modulus_init(&m); + mbedtls_mpi_uint *p = NULL; + size_t p_limbs; + size_t bytes; + + TEST_EQUAL(mbedtls_test_read_mpi_core(&p, &p_limbs, input_A), 0); + + ret = mbedtls_ecp_modulus_setup(&m, id, ctype); + TEST_EQUAL(ret, iret); + + if (ret == 0) { + + /* Test for limb sizes */ + TEST_EQUAL(m.limbs, p_limbs); + bytes = p_limbs * sizeof(mbedtls_mpi_uint); + + /* Test for validity of moduli by the presence of Montgomery consts */ + + TEST_ASSERT(m.rep.mont.mm != 0); + TEST_ASSERT(m.rep.mont.rr != NULL); + + + /* Compare output byte-by-byte */ + ASSERT_COMPARE(p, bytes, m.p, bytes); + + /* Test for user free-ing allocated memory */ + mbedtls_mpi_mod_modulus_free(&m); + } + +exit: + mbedtls_mpi_mod_modulus_free(&m); + mbedtls_free(p); +} +/* END_CASE */ From 36f7c0e69bb6e7e19603e4c144f3c553c4690dd5 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 13 Feb 2023 16:25:17 +0000 Subject: [PATCH 168/250] test_suite_ecp: Added .data for `ecp_setup_test()` Signed-off-by: Minos Galanakis --- tests/suites/test_suite_ecp.data | 112 +++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data index 9a13793892..8d838984b7 100644 --- a/tests/suites/test_suite_ecp.data +++ b/tests/suites/test_suite_ecp.data @@ -1038,3 +1038,115 @@ ecp_check_order:MBEDTLS_ECP_DP_SECP256K1:"fffffffffffffffffffffffffffffffebaaedc ECP check order for CURVE448 depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED ecp_check_order:MBEDTLS_ECP_DP_CURVE448:"3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3" + +ecp_setup #1 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP192R1) +depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED +ecp_mod_setup:"fffffffffffffffffffffffffffffffeffffffffffffffff":MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ECP_MOD_COORDINATE:0 + +ecp_setup #2 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP224R1) +depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED +ecp_mod_setup:"00000000ffffffffffffffffffffffffffffffff000000000000000000000001":MBEDTLS_ECP_DP_SECP224R1:MBEDTLS_ECP_MOD_COORDINATE:0 + +ecp_setup #3 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP256R1) +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_mod_setup:"ffffffff00000001000000000000000000000000ffffffffffffffffffffffff":MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ECP_MOD_COORDINATE:0 + +ecp_setup #4 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP384R1) +depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED +ecp_mod_setup:"fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff":MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_ECP_MOD_COORDINATE:0 + +ecp_setup #5 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP521R1) +depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED +ecp_mod_setup:"1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_ECP_MOD_COORDINATE:0 + +ecp_setup #6 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP256R1) +depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED +ecp_mod_setup:"a9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_COORDINATE:0 + +ecp_setup #7 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP384R1) +depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED +ecp_mod_setup:"8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_COORDINATE:0 + +ecp_setup #8 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP512R1) +depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED +ecp_mod_setup:"aadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca703308717d4d9b009bc66842aecda12ae6a380e62881ff2f2d82c68528aa6056583a48f3":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_COORDINATE:0 + +ecp_setup #9 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_CURVE25519) +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_mod_setup:"7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed":MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_COORDINATE:0 + +ecp_setup #10 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP192K1) +depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED +ecp_mod_setup:"fffffffffffffffffffffffffffffffffffffffeffffee37":MBEDTLS_ECP_DP_SECP192K1:MBEDTLS_ECP_MOD_COORDINATE:0 + +ecp_setup #11 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP224K1) +depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED +ecp_mod_setup:"fffffffffffffffffffffffffffffffffffffffffffffffeffffe56d":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_COORDINATE:0 + +ecp_setup #12 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP256K1) +depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED +ecp_mod_setup:"fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f":MBEDTLS_ECP_DP_SECP256K1:MBEDTLS_ECP_MOD_COORDINATE:0 + +ecp_setup #13 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_CURVE448) +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_mod_setup:"000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_COORDINATE:0 + +ecp_setup #14 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192R1) +depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED +ecp_mod_setup:"ffffffffffffffffffffffff99def836146bc9b1b4d22831":MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ECP_MOD_SCALAR:0 + +ecp_setup #15 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224R1) +depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED +ecp_mod_setup:"ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d":MBEDTLS_ECP_DP_SECP224R1:MBEDTLS_ECP_MOD_SCALAR:0 + +ecp_setup #16 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256R1) +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED +ecp_mod_setup:"ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551":MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ECP_MOD_SCALAR:0 + +ecp_setup #17 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP384R1) +depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED +ecp_mod_setup:"ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973":MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_ECP_MOD_SCALAR:0 + +ecp_setup #18 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP521R1) +depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED +ecp_mod_setup:"1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409":MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_ECP_MOD_SCALAR:0 + +ecp_setup #19 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP256R1) +depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED +ecp_mod_setup:"a9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a7":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_SCALAR:0 + +ecp_setup #20 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP384R1) +depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED +ecp_mod_setup:"8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_COORDINATE:0 + +ecp_setup #21 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP512R1) +depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED +ecp_mod_setup:"aadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca70330870553e5c414ca92619418661197fac10471db1d381085ddaddb58796829ca90069":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_SCALAR:0 + +ecp_setup #22 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE25519) +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED +ecp_mod_setup:"1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed":MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_SCALAR:0 + +ecp_setup #23 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192K1) +depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED +ecp_mod_setup:"fffffffffffffffffffffffe26f2fc170f69466a74defd8d":MBEDTLS_ECP_DP_SECP192K1:MBEDTLS_ECP_MOD_SCALAR:0 + +ecp_setup #24 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1) +depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED +ecp_mod_setup:"000000010000000000000000000000000001dce8d2ec6184caf0a971769fb1f7":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR:0 + +ecp_setup #25 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256K1) +depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED +ecp_mod_setup:"fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141":MBEDTLS_ECP_DP_SECP256K1:MBEDTLS_ECP_MOD_SCALAR:0 + +ecp_setup #26 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE448) +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_mod_setup:"0000000000000003fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_SCALAR:0 + +ecp_setup_negative_test #27 Invalid Moduli Type +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_mod_setup:"fffffffffffffffffffffffe26f2fc17f69466a74defd8d":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_SCALAR+1:MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ecp_setup_negative_test #28 Invalid Curve Type +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED +ecp_mod_setup:"fffffffffffffffffffffffe26f2fc17f69466a74defd8d":MBEDTLS_ECP_DP_CURVE448+1:MBEDTLS_ECP_MOD_SCALAR:MBEDTLS_ERR_ECP_BAD_INPUT_DATA From a30afe2216748997a1f184e16ddd1faf66f802b5 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Wed, 15 Feb 2023 15:36:29 +0000 Subject: [PATCH 169/250] ecp_curves: Minor refactoring. This patch introduces the following changes: * Documentation for `mbedtls_ecp_modulus_setup()` moved to `ecp_invasive.h`. * Added invalid modulus selector `MBEDTLS_ECP_MOD_NONE`. * Adjusted negative tests to use invalid selectors. * Reworded documentation. Signed-off-by: Minos Galanakis --- include/mbedtls/ecp.h | 5 +++-- library/ecp_curves.c | 18 +----------------- library/ecp_invasive.h | 17 +++++++++++++++++ tests/suites/test_suite_ecp.data | 4 ++-- 4 files changed, 23 insertions(+), 21 deletions(-) diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 20b663e794..83d5b6ae6a 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -142,10 +142,11 @@ typedef enum { } mbedtls_ecp_curve_type; /* - * Curve moduli types + * Curve modulus types */ typedef enum { - MBEDTLS_ECP_MOD_COORDINATE = 0, + MBEDTLS_ECP_MOD_NONE = 0, + MBEDTLS_ECP_MOD_COORDINATE, MBEDTLS_ECP_MOD_SCALAR } mbedtls_ecp_modulus_type; diff --git a/library/ecp_curves.c b/library/ecp_curves.c index d4d8c089e5..b352e7633d 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5535,22 +5535,6 @@ static int ecp_mod_p256k1(mbedtls_mpi *N) #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ #if defined(MBEDTLS_TEST_HOOKS) - -/** Initialise a modulus with hard-coded const curve data. - * - * \param[out] N The address of the modulus structure to populate. - * Must be initialized. - * \param[in] id The mbedtls_ecp_group_id for which to initialise the modulus. - * \param[in] ctype The mbedtls_ecp_curve_type identifier for a coordinate modulus (P) - * or a scalar modulus (N). - * - * \return \c 0 if successful. - * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the given MPIs do not - * have the correct number of limbs. - * - * \note The caller is responsible for the \p N moduli lifecycle. - * - */ MBEDTLS_STATIC_TESTABLE int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N, const mbedtls_ecp_group_id id, @@ -5728,7 +5712,7 @@ int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N, if (mbedtls_mpi_mod_modulus_setup(N, p, p_limbs, MBEDTLS_MPI_MOD_REP_MONTGOMERY)) { - return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } return 0; } diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index 10aa34bb17..aba7cca1ce 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h @@ -118,6 +118,23 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs); #endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */ +/** Initialise a modulus with hard-coded const curve data. + * + * \note The caller is responsible for the \p N modulus' memory. + * mbedtls_mpi_mod_modulus_free(&N) should be invoked at the + * end of its lifecycle. + * + * \param[in,out] N The address of the modulus structure to populate. + * Must be initialized. + * \param[in] id The mbedtls_ecp_group_id for which to initialise the modulus. + * \param[in] ctype The mbedtls_ecp_curve_type identifier for a coordinate modulus (P) + * or a scalar modulus (N). + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the given MPIs do not + * have the correct number of limbs. + * + */ MBEDTLS_STATIC_TESTABLE int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N, const mbedtls_ecp_group_id id, diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data index 8d838984b7..3fbad92a59 100644 --- a/tests/suites/test_suite_ecp.data +++ b/tests/suites/test_suite_ecp.data @@ -1145,8 +1145,8 @@ ecp_mod_setup:"0000000000000003fffffffffffffffffffffffffffffffffffffffffffffffff ecp_setup_negative_test #27 Invalid Moduli Type depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED -ecp_mod_setup:"fffffffffffffffffffffffe26f2fc17f69466a74defd8d":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_SCALAR+1:MBEDTLS_ERR_ECP_BAD_INPUT_DATA +ecp_mod_setup:"fffffffffffffffffffffffe26f2fc17f69466a74defd8d":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_NONE:MBEDTLS_ERR_ECP_BAD_INPUT_DATA ecp_setup_negative_test #28 Invalid Curve Type depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED -ecp_mod_setup:"fffffffffffffffffffffffe26f2fc17f69466a74defd8d":MBEDTLS_ECP_DP_CURVE448+1:MBEDTLS_ECP_MOD_SCALAR:MBEDTLS_ERR_ECP_BAD_INPUT_DATA +ecp_mod_setup:"fffffffffffffffffffffffe26f2fc17f69466a74defd8d":MBEDTLS_ECP_DP_NONE:MBEDTLS_ECP_MOD_SCALAR:MBEDTLS_ERR_ECP_BAD_INPUT_DATA From ecee12f04fc118cff187a896d43ff4648a21b2d3 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 9 Feb 2023 14:43:49 +0100 Subject: [PATCH 170/250] Add parsing of SAN: rfc822Name Signed-off-by: Przemek Stekiel --- include/mbedtls/x509.h | 4 ++-- library/x509.c | 10 ++++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index 9f92ed6ac7..bd1947e465 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -294,7 +294,7 @@ typedef struct mbedtls_x509_subject_alternative_name { int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */ union { mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */ - mbedtls_x509_buf unstructured_name; /**< The buffer for the unconstructed types. Only dnsName and uniformResourceIdentifier are currently supported */ + mbedtls_x509_buf unstructured_name; /**< The buffer for the unconstructed types. Only rfc822Name, dnsName and uniformResourceIdentifier are currently supported */ } san; /**< A union of the supported SAN types */ } @@ -386,7 +386,7 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from); * of the subject alternative name encoded in \p san_raw. * * \note Supported GeneralName types, as defined in RFC 5280: - * "dnsName", "uniformResourceIdentifier" and "hardware_module_name" + * "rfc822Name", "dnsName", "uniformResourceIdentifier" and "hardware_module_name" * of type "otherName", as defined in RFC 4108. * * \note This function should be called on a single raw data of diff --git a/library/x509.c b/library/x509.c index b859df9d3a..07a118f267 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1421,7 +1421,17 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf, memcpy(&san->san.unstructured_name, san_buf, sizeof(*san_buf)); + } + break; + /* + * RFC822 Name + */ + case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_RFC822_NAME): + { + memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name)); + san->type = MBEDTLS_X509_SAN_RFC822_NAME; + memcpy(&san->san.unstructured_name, san_buf, sizeof(*san_buf)); } break; From 608e3efc477c02f30e2717feaa904b62212b59bd Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 9 Feb 2023 14:47:50 +0100 Subject: [PATCH 171/250] Add test for parsing SAN: rfc822Name Signed-off-by: Przemek Stekiel --- tests/data_files/Makefile | 3 +++ tests/data_files/test-ca.opensslconf | 3 +++ tests/data_files/test_cert_rfc822name.crt.der | Bin 0 -> 677 bytes tests/suites/test_suite_x509parse.data | 4 ++++ tests/suites/test_suite_x509parse.function | 13 ++++++++++++- 5 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 tests/data_files/test_cert_rfc822name.crt.der diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 7f39d318d4..01b46f13b1 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -140,6 +140,9 @@ test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der: te test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der: test_csr_v3_all.csr.der (hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3050300B0603551D0F04/" | xxd -r -p ) > $@ +test_cert_rfc822name.crt.der: cert_example_multi.csr + $(OPENSSL) x509 -req -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) -extfile $(test_ca_config_file) -outform DER -extensions rfc822name_names -passin "pass:$(test_ca_pwd_rsa)" -set_serial 17 -days 3653 -sha256 -in $< > $@ + $(test_ca_key_file_rsa_alt):test-ca.opensslconf $(OPENSSL) genrsa -out $@ 2048 test-ca-alt.csr: $(test_ca_key_file_rsa_alt) $(test_ca_config_file) diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf index bd127609e0..8f8385a489 100644 --- a/tests/data_files/test-ca.opensslconf +++ b/tests/data_files/test-ca.opensslconf @@ -24,6 +24,9 @@ subjectAltName=otherName:1.2.3.4;UTF8:some other identifier [dns_alt_names] subjectAltName=DNS:example.com, DNS:example.net, DNS:*.example.org +[rfc822name_names] +subjectAltName=email:my@other.address,email:second@other.address + [alt_names] DNS.1=example.com otherName.1=1.3.6.1.5.5.7.8.4;SEQ:hw_module_name diff --git a/tests/data_files/test_cert_rfc822name.crt.der b/tests/data_files/test_cert_rfc822name.crt.der new file mode 100644 index 0000000000000000000000000000000000000000..cdc8189d024239e5e5eaf931eb2b9922e62fd54c GIT binary patch literal 677 zcmXqLVp?d>#MrrjnTe5!iBZsimyJ`a&7|-ctAPy2@<`IAiDTJgJmnb+p8pw(B8W|fH8CV(`n;02eMv3zp zBXbR`2pTS7AOYW;3>rI`8XFmoTTD87 z_)CERNA?e4(>I?PWx7=Pr#6|%t&*E26e_jmM|G(&cR{%EoSRcW`uez-pV)U~f&G&d zo6Db1GCA8Gu8HoeT*cY4u1VOOYkzCzUM5yNN zky@men37VIT3p;HQk%O>dvw!pJ_z=eP zMVgPD=5bB^8rSslWlW$|$8L_dyO!^4EQx%R%_kG%UvSyt3ZLcz?(NwOEcFR*W9D<8 zcaT5w_IT+bMu}q=BUMtbOV2w|S(%~vQjBL?=)C)%1A4T3=G_0(Yv*HYUK_A?;gjnY z$&;cFoU3y7sOq|!;(>n=}tsdHiBg(rR;6I1l`_fGRSTC?1NRqNp&-8TCZ0QQ>vN&o-= literal 0 HcmV?d00001 diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 961b25ac1e..48c4fceed7 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -206,6 +206,10 @@ X509 SAN parsing, unsupported otherName name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_parse_san:"data_files/server5-unsupported_othername.crt":"" +X509 SAN parsing rfc822Name +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_parse_san:"data_files/test_cert_rfc822name.crt.der":"type \: 1\nrfc822Name \: my@other.address\ntype \: 1\nrfc822Name \: second@other.address\n" + X509 CRL information #1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO mbedtls_x509_crl_info:"data_files/crl_expired.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-20 10\:24\:19\nnext update \: 2011-02-20 11\:24\:19\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n" diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 3454da352f..f6e4a0625e 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -279,7 +279,18 @@ int verify_parse_san(mbedtls_x509_subject_alternative_name *san, *p++ = san->san.unstructured_name.p[i]; } break;/* MBEDTLS_X509_SAN_DNS_NAME */ - + case (MBEDTLS_X509_SAN_RFC822_NAME): + ret = mbedtls_snprintf(p, n, "\nrfc822Name : "); + MBEDTLS_X509_SAFE_SNPRINTF; + if (san->san.unstructured_name.len >= n) { + *p = '\0'; + return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; + } + n -= san->san.unstructured_name.len; + for (i = 0; i < san->san.unstructured_name.len; i++) { + *p++ = san->san.unstructured_name.p[i]; + } + break;/* MBEDTLS_X509_SAN_RFC822_NAME */ default: /* * Should not happen. From d7820b70261f22ea45151fe4bca3e94b63823ff1 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 9 Feb 2023 15:14:27 +0100 Subject: [PATCH 172/250] Add change log entry: SAN rfc822Name Signed-off-by: Przemek Stekiel --- ChangeLog.d/san_rfc822Name.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/san_rfc822Name.txt diff --git a/ChangeLog.d/san_rfc822Name.txt b/ChangeLog.d/san_rfc822Name.txt new file mode 100644 index 0000000000..9720e5275c --- /dev/null +++ b/ChangeLog.d/san_rfc822Name.txt @@ -0,0 +1,3 @@ +Features + * Add parsing of rfc822Name subtype for subjectAltName + extension in x509 certificates. From 5b9e4168cfc51d18530c490f803f13ef5abe7708 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 15 Feb 2023 12:56:37 +0100 Subject: [PATCH 173/250] Add rfc822Name support in mbedtls_x509_info_subject_alt_name + adapt test Signed-off-by: Przemek Stekiel --- library/x509.c | 8 +++++++- tests/suites/test_suite_x509parse.data | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/library/x509.c b/library/x509.c index 07a118f267..ab4f68e293 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1530,10 +1530,16 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, break; /* * dNSName + * RFC822 Name */ case MBEDTLS_X509_SAN_DNS_NAME: + case MBEDTLS_X509_SAN_RFC822_NAME: { - ret = mbedtls_snprintf(p, n, "\n%s dNSName : ", prefix); + char * dns_name = "dNSName"; + char * rfc822_name = "rfc822Name"; + + ret = mbedtls_snprintf(p, n, "\n%s %s : ", prefix, + san.type == MBEDTLS_X509_SAN_DNS_NAME ? dns_name : rfc822_name); MBEDTLS_X509_SAFE_SNPRINTF; if (san.san.unstructured_name.len >= n) { *p = '\0'; diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 48c4fceed7..9b6e29831b 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -176,7 +176,7 @@ x509_cert_info:"data_files/server3.crt":"cert. version \: 3\nserial number X509 CRT information Bitstring in subject name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n \next key usage \: TLS Web Client Authentication\n" +x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n rfc822Name \: client@example.com\next key usage \: TLS Web Client Authentication\n" X509 CRT information Non-ASCII string in issuer name and subject name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA From 82d250d8b071cbc31accc9b0961352b3ddf920cd Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 15 Feb 2023 15:00:50 +0100 Subject: [PATCH 174/250] Use const char for names and adapt style Signed-off-by: Przemek Stekiel --- library/x509.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/library/x509.c b/library/x509.c index ab4f68e293..fc13b92133 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1535,11 +1535,14 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size, case MBEDTLS_X509_SAN_DNS_NAME: case MBEDTLS_X509_SAN_RFC822_NAME: { - char * dns_name = "dNSName"; - char * rfc822_name = "rfc822Name"; + const char *dns_name = "dNSName"; + const char *rfc822_name = "rfc822Name"; - ret = mbedtls_snprintf(p, n, "\n%s %s : ", prefix, - san.type == MBEDTLS_X509_SAN_DNS_NAME ? dns_name : rfc822_name); + ret = mbedtls_snprintf(p, n, + "\n%s %s : ", + prefix, + san.type == + MBEDTLS_X509_SAN_DNS_NAME ? dns_name : rfc822_name); MBEDTLS_X509_SAFE_SNPRINTF; if (san.san.unstructured_name.len >= n) { *p = '\0'; From 5b5a0b618c21b372f3db800991181a6f41e12e1f Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Mon, 20 Feb 2023 14:21:23 +0000 Subject: [PATCH 175/250] Change error codes to more appropriate codes The more precise error codes are borrowed from the ASN1 module. Signed-off-by: David Horstmann --- library/oid.c | 10 +++++----- tests/suites/test_suite_oid.data | 12 ++++++------ 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/library/oid.c b/library/oid.c index acea125856..86214b23a0 100644 --- a/library/oid.c +++ b/library/oid.c @@ -839,13 +839,13 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size, value = 0; if ((oid->p[0]) == 0x80) { /* Overlong encoding is not allowed */ - return MBEDTLS_ERR_OID_BUF_TOO_SMALL; + return MBEDTLS_ERR_ASN1_INVALID_DATA; } while (i < oid->len && ((oid->p[i] & 0x80) != 0)) { /* Prevent overflow in value. */ if (value > (UINT_MAX >> 7)) { - return MBEDTLS_ERR_OID_BUF_TOO_SMALL; + return MBEDTLS_ERR_ASN1_INVALID_DATA; } value |= oid->p[i] & 0x7F; @@ -853,7 +853,7 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size, i++; } if (i >= oid->len) { - return MBEDTLS_ERR_OID_BUF_TOO_SMALL; + return MBEDTLS_ERR_ASN1_OUT_OF_DATA; } /* Last byte of first subidentifier */ value |= oid->p[i] & 0x7F; @@ -874,11 +874,11 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size, for (; i < oid->len; i++) { /* Prevent overflow in value. */ if (value > (UINT_MAX >> 7)) { - return MBEDTLS_ERR_OID_BUF_TOO_SMALL; + return MBEDTLS_ERR_ASN1_INVALID_DATA; } if ((value == 0) && ((oid->p[i]) == 0x80)) { /* Overlong encoding is not allowed */ - return MBEDTLS_ERR_OID_BUF_TOO_SMALL; + return MBEDTLS_ERR_ASN1_INVALID_DATA; } value <<= 7; diff --git a/tests/suites/test_suite_oid.data b/tests/suites/test_suite_oid.data index f4801c4260..b9fa6543d9 100644 --- a/tests/suites/test_suite_oid.data +++ b/tests/suites/test_suite_oid.data @@ -102,20 +102,20 @@ OID get numeric string - multi-byte first subidentifier oid_get_numeric_string:"8837":0:"2.999" OID get numeric string - empty oid buffer -oid_get_numeric_string:"":MBEDTLS_ERR_OID_BUF_TOO_SMALL:"" +oid_get_numeric_string:"":MBEDTLS_ERR_ASN1_OUT_OF_DATA:"" OID get numeric string - no final / all bytes have top bit set -oid_get_numeric_string:"818181":MBEDTLS_ERR_OID_BUF_TOO_SMALL:"" +oid_get_numeric_string:"818181":MBEDTLS_ERR_ASN1_OUT_OF_DATA:"" # Encodes the number 0x0400000000 as a subidentifier which overflows 32-bits OID get numeric string - 32-bit overflow -oid_get_numeric_string:"C080808000":MBEDTLS_ERR_OID_BUF_TOO_SMALL:"" +oid_get_numeric_string:"C080808000":MBEDTLS_ERR_ASN1_INVALID_DATA:"" OID get numeric string - 32-bit overflow, second subidentifier -oid_get_numeric_string:"2BC080808000":MBEDTLS_ERR_OID_BUF_TOO_SMALL:"" +oid_get_numeric_string:"2BC080808000":MBEDTLS_ERR_ASN1_INVALID_DATA:"" OID get numeric string - overlong encoding -oid_get_numeric_string:"8001":MBEDTLS_ERR_OID_BUF_TOO_SMALL:"" +oid_get_numeric_string:"8001":MBEDTLS_ERR_ASN1_INVALID_DATA:"" OID get numeric string - overlong encoding, second subidentifier -oid_get_numeric_string:"2B8001":MBEDTLS_ERR_OID_BUF_TOO_SMALL:"" +oid_get_numeric_string:"2B8001":MBEDTLS_ERR_ASN1_INVALID_DATA:"" From a1b2bfff467d114365d5b9cd17a798de9201651e Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 20 Feb 2023 14:45:09 +0000 Subject: [PATCH 176/250] Add clarifying comments Signed-off-by: Dave Rodgman --- library/pkcs7.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/pkcs7.c b/library/pkcs7.c index ba43f49715..010d7066e8 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -607,13 +607,16 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf, } if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_SIGNED_DATA, p, len)) { + /* OID is not MBEDTLS_OID_PKCS7_SIGNED_DATA, which is the only supported feature */ if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_DATA, p, len) || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, p, len) || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_ENVELOPED_DATA, p, len) || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, p, len) || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_DIGESTED_DATA, p, len)) { + /* OID is valid according to the spec, but unsupported */ ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; } else { + /* OID is invalid according to the spec */ ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; } goto out; From 716163e82445dadc39ecb77ff8f4064b7e1a7846 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 20 Feb 2023 14:46:51 +0000 Subject: [PATCH 177/250] Improve allocation bounds in testing Signed-off-by: Dave Rodgman --- tests/suites/test_suite_pkcs7.function | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 9dce25e04e..91fe47b897 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -125,8 +125,8 @@ void pkcs7_verify(char *pkcs7_file, TEST_ASSERT(file != NULL); datalen = st.st_size; - /* Add 1 so that data is non-NULL for zero length input */ - ASSERT_ALLOC(data, datalen + 1); + /* Special-case for zero-length input so that data will be non-NULL */ + ASSERT_ALLOC(data, datalen == 0 ? 1 : datalen); buflen = fread((void *) data, sizeof(unsigned char), datalen, file); TEST_EQUAL(buflen, datalen); From a4fad2ba6742699ba6daa9a82f9c461b3cda7f66 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Mon, 20 Feb 2023 14:57:47 +0000 Subject: [PATCH 178/250] Correct error code in test_suite_x509parse.data Signed-off-by: David Horstmann --- tests/suites/test_suite_x509parse.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 01da08b54c..048e4f74cb 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -2550,7 +2550,7 @@ X509 OID numstring #4 (larger number) x509_oid_numstr:"2a864886f70d":"1.2.840.113549":15:14 X509 OID numstring #5 (arithmetic overflow) -x509_oid_numstr:"2a8648f9f8f7f6f5f4f3f2f1f001":"":100:MBEDTLS_ERR_OID_BUF_TOO_SMALL +x509_oid_numstr:"2a8648f9f8f7f6f5f4f3f2f1f001":"":100:MBEDTLS_ERR_ASN1_INVALID_DATA X509 CRT keyUsage #1 (no extension, expected KU) depends_on:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA From 5e780df3e38043e035f698de2cc3ece164395648 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Tue, 21 Feb 2023 14:19:27 +0800 Subject: [PATCH 179/250] Only use standard cipher name Signed-off-by: Pengyu Lv --- tests/compat.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/compat.sh b/tests/compat.sh index 6c58a1befb..ae7c6829f8 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -1047,7 +1047,7 @@ for MODE in $MODES; do start_server "OpenSSL" translate_ciphers m $M_CIPHERS for i in $ciphers; do - o_check_ciphersuite "$i" + o_check_ciphersuite "${i%%=*}" run_client mbedTLS ${i%%=*} ${i#*=} done stop_server From c8bcdc8b91244200f306809217ad917f053c8c0b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 21 Feb 2023 14:49:02 +0800 Subject: [PATCH 180/250] fix various issues - Improve some function names - Improve comments - improve readability Signed-off-by: Jerry Yu --- include/mbedtls/mbedtls_config.h | 2 +- library/aesce.c | 51 ++++++++++++++++++++++---------- library/aesce.h | 4 +-- 3 files changed, 38 insertions(+), 19 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 3dea18ca10..5f7aed26cc 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2080,7 +2080,7 @@ * * \warning `MBEDTLS_SHA512_USE_A64_CRYPTO_*` should be disabled when enabled * - * This modules adds support for the AES crypto instructions on Arm64 + * This module adds support for the AES crypto instructions on Arm64 */ #define MBEDTLS_AESCE_C diff --git a/library/aesce.c b/library/aesce.c index 18322a62a6..29a4ce0183 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -1,5 +1,5 @@ /* - * Arm64 crypto engine support functions + * Arm64 crypto extension support functions * * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 @@ -70,15 +70,18 @@ static uint8x16_t aesce_encrypt_block(uint8x16_t block, int rounds) { for (int i = 0; i < rounds - 1; i++) { + /* AES AddRoundKey, SubBytes, ShiftRows (in this order). + * AddRoundKey adds the round key for the previous round. */ block = vaeseq_u8(block, vld1q_u8(keys + i * 16)); /* AES mix columns */ block = vaesmcq_u8(block); } - /* AES single round encryption */ + /* AES AddRoundKey for the previous round. + * SubBytes, ShiftRows for the final round. */ block = vaeseq_u8(block, vld1q_u8(keys + (rounds -1) * 16)); - /* Final Add (bitwise Xor) */ + /* Final round: no MixColumns */ block = veorq_u8(block, vld1q_u8(keys + rounds * 16)); return block; @@ -90,15 +93,28 @@ static uint8x16_t aesce_decrypt_block(uint8x16_t block, { for (int i = 0; i < rounds - 1; i++) { + /* AES AddRoundKey, SubBytes, ShiftRows */ block = vaesdq_u8(block, vld1q_u8(keys + i * 16)); - /* AES inverse mix columns */ + /* AES inverse MixColumns for the next round. + * + * This means that we switch the order of the inverse AddRoundKey and + * inverse MixColumns operations. We have to do this as AddRoundKey is + * done in an atomic instruction together with the inverses of SubBytes + * and ShiftRows. + * + * It works because MixColumns is a linear operation over GF(2^8) and + * AddRoundKey is an exclusive or, which is equivalent to addition over + * GF(2^8). (The inverse of MixColumns needs to be applied to the + * affected round keys separately which has been done when the + * decryption round keys were calculated.) */ block = vaesimcq_u8(block); } - /* AES single round encryption */ + /* The inverses of AES AddRoundKey, SubBytes, ShiftRows finishing up the + * last full round. */ block = vaesdq_u8(block, vld1q_u8(keys + (rounds - 1) * 16)); - /* Final Add (bitwise Xor) */ + /* Inverse AddRoundKey for inverting the initial round key addition. */ block = veorq_u8(block, vld1q_u8(keys + rounds * 16)); return block; @@ -147,18 +163,20 @@ void mbedtls_aesce_inverse_key(unsigned char *invkey, static uint8_t const rcon[] = { 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36 }; -static inline uint32_t ror32_8(uint32_t word) +static inline uint32_t aes_rot_word(uint32_t word) { return (word << (32 - 8)) | (word >> 8); } -static inline uint32_t aes_sub(uint32_t in) +static inline uint32_t aes_sub_word(uint32_t in) { - uint32x4_t _in = vdupq_n_u32(in); - uint32x4_t v; + uint8x16_t v = vreinterpretq_u8_u32(vdupq_n_u32(in)); uint8x16_t zero = vdupq_n_u8(0); - v = vreinterpretq_u32_u8(vaeseq_u8(zero, vreinterpretq_u8_u32(_in))); - return vgetq_lane_u32(v, 0); + + /* vaeseq_u8 does both SubBytes and ShiftRows. Taking the first row yields + * the correct result as ShiftRows doesn't change the first row. */ + v = vaeseq_u8(zero, v); + return vgetq_lane_u32(vreinterpretq_u32_u8(v), 0); } /* @@ -170,12 +188,13 @@ static void aesce_setkey_enc_128(unsigned char *rk, uint32_t *rki; uint32_t *rko; uint32_t *rk_u32 = (uint32_t *) rk; + memcpy(rk, key, (128 / 8)); for (size_t i = 0; i < sizeof(rcon); i++) { rki = rk_u32 + i * (128 / 32); rko = rki + (128 / 32); - rko[0] = ror32_8(aes_sub(rki[(128 / 32) - 1])) ^ rcon[i] ^ rki[0]; + rko[0] = aes_rot_word(aes_sub_word(rki[(128 / 32) - 1])) ^ rcon[i] ^ rki[0]; rko[1] = rko[0] ^ rki[1]; rko[2] = rko[1] ^ rki[2]; rko[3] = rko[2] ^ rki[3]; @@ -196,7 +215,7 @@ static void aesce_setkey_enc_192(unsigned char *rk, for (size_t i = 0; i < 8; i++) { rki = rk_u32 + i * (192 / 32); rko = rki + (192 / 32); - rko[0] = ror32_8(aes_sub(rki[(192 / 32) - 1])) ^ rcon[i] ^ rki[0]; + rko[0] = aes_rot_word(aes_sub_word(rki[(192 / 32) - 1])) ^ rcon[i] ^ rki[0]; rko[1] = rko[0] ^ rki[1]; rko[2] = rko[1] ^ rki[2]; rko[3] = rko[2] ^ rki[3]; @@ -221,12 +240,12 @@ static void aesce_setkey_enc_256(unsigned char *rk, for (size_t i = 0; i < 7; i++) { rki = rk_u32 + i * (256 / 32); rko = rki + (256 / 32); - rko[0] = ror32_8(aes_sub(rki[(256 / 32) - 1])) ^ rcon[i] ^ rki[0]; + rko[0] = aes_rot_word(aes_sub_word(rki[(256 / 32) - 1])) ^ rcon[i] ^ rki[0]; rko[1] = rko[0] ^ rki[1]; rko[2] = rko[1] ^ rki[2]; rko[3] = rko[2] ^ rki[3]; if (i < 6) { - rko[4] = aes_sub(rko[3]) ^ rki[4]; + rko[4] = aes_sub_word(rko[3]) ^ rki[4]; rko[5] = rko[4] ^ rki[5]; rko[6] = rko[5] ^ rki[6]; rko[7] = rko[6] ^ rki[7]; diff --git a/library/aesce.h b/library/aesce.h index 741519cfe4..0d6d09e507 100644 --- a/library/aesce.h +++ b/library/aesce.h @@ -2,7 +2,7 @@ * \file aesce.h * * \brief AES-CE for hardware AES acceleration on ARMv8 processors with crypto - * engine. + * extension. * * \warning These functions are only for internal use by other library * functions; you must not call them directly. @@ -43,7 +43,7 @@ extern "C" { #endif /** - * \brief Internal function to detect the crypto engine in CPUs. + * \brief Internal function to detect the crypto extension in CPUs. * * \return 1 if CPU has support for the feature, 0 otherwise */ From 330e6ae11152b23ecf1bb4a8d0b290e72aee9ea6 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 21 Feb 2023 14:51:38 +0800 Subject: [PATCH 181/250] Add document about runtime detection of AESCE Signed-off-by: Jerry Yu --- include/mbedtls/mbedtls_config.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 5f7aed26cc..cba133c4f6 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2080,6 +2080,9 @@ * * \warning `MBEDTLS_SHA512_USE_A64_CRYPTO_*` should be disabled when enabled * + * \warning Runtime detection only works on linux. For non-linux operation + * system, crypto extension MUST be supported by CPU. + * * This module adds support for the AES crypto instructions on Arm64 */ #define MBEDTLS_AESCE_C From 97b31d8ca304d97bbc2c4e7435e4ce621ff1fc7d Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 21 Feb 2023 14:52:33 +0800 Subject: [PATCH 182/250] Revert "Disable clang tests" This reverts commit e908c57f95d05cac83bb9532ba50a82e925e3df1. Signed-off-by: Jerry Yu --- .travis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index a97a3c2ef8..3d735bb5c7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -112,7 +112,7 @@ jobs: addons: apt: packages: - - gcc + - clang - gnutls-bin script: # See above @@ -122,7 +122,7 @@ jobs: - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY - make generated_files - - make CFLAGS='-march=armv8-a+crypto -O3 -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' LDFLAGS='-Werror -fsanitize=address,undefined -fno-sanitize-recover=all' + - make CC=clang CFLAGS='-march=armv8-a+crypto -O3 -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' LDFLAGS='-Werror -fsanitize=address,undefined -fno-sanitize-recover=all' # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it. - tests/compat.sh -p GnuTLS -e 'CAMELLIA' - tests/scripts/travis-log-failure.sh From baae4012bf9a175bd8d2bf202db493f387e3f1b3 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 21 Feb 2023 15:26:13 +0800 Subject: [PATCH 183/250] merge setkey_enc* functions Signed-off-by: Jerry Yu --- library/aesce.c | 100 +++++++++++++++++------------------------------- 1 file changed, 35 insertions(+), 65 deletions(-) diff --git a/library/aesce.c b/library/aesce.c index 29a4ce0183..b4ebdadc0a 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -160,9 +160,6 @@ void mbedtls_aesce_inverse_key(unsigned char *invkey, } -static uint8_t const rcon[] = { 0x01, 0x02, 0x04, 0x08, 0x10, - 0x20, 0x40, 0x80, 0x1b, 0x36 }; - static inline uint32_t aes_rot_word(uint32_t word) { return (word << (32 - 8)) | (word >> 8); @@ -180,75 +177,47 @@ static inline uint32_t aes_sub_word(uint32_t in) } /* - * Key expansion, 128-bit case + * Key expansion function */ -static void aesce_setkey_enc_128(unsigned char *rk, - const unsigned char *key) +static void aesce_setkey_enc(unsigned char *rk, + const unsigned char *key, + const size_t key_bit_length) { uint32_t *rki; uint32_t *rko; uint32_t *rk_u32 = (uint32_t *) rk; + const uint32_t key_len_in_words = key_bit_length / 32; + const uint32_t key_len_in_bytes = key_bit_length / 8; + static uint8_t const rcon[] = { 0x01, 0x02, 0x04, 0x08, 0x10, + 0x20, 0x40, 0x80, 0x1b, 0x36 }; + const uint32_t rounds = + key_bit_length == 128 ? sizeof(rcon) : key_bit_length == 192 ? 8 : 7; - memcpy(rk, key, (128 / 8)); + memcpy(rk, key, key_len_in_bytes); - for (size_t i = 0; i < sizeof(rcon); i++) { - rki = rk_u32 + i * (128 / 32); - rko = rki + (128 / 32); - rko[0] = aes_rot_word(aes_sub_word(rki[(128 / 32) - 1])) ^ rcon[i] ^ rki[0]; + for (size_t i = 0; i < rounds; i++) { + rki = rk_u32 + i * key_len_in_words; + rko = rki + key_len_in_words; + rko[0] = aes_rot_word(aes_sub_word(rki[key_len_in_words - 1])); + rko[0] ^= rcon[i] ^ rki[0]; rko[1] = rko[0] ^ rki[1]; rko[2] = rko[1] ^ rki[2]; rko[3] = rko[2] ^ rki[3]; - } -} - -/* - * Key expansion, 192-bit case - */ -static void aesce_setkey_enc_192(unsigned char *rk, - const unsigned char *key) -{ - uint32_t *rki; - uint32_t *rko; - uint32_t *rk_u32 = (uint32_t *) rk; - memcpy(rk, key, (192 / 8)); - - for (size_t i = 0; i < 8; i++) { - rki = rk_u32 + i * (192 / 32); - rko = rki + (192 / 32); - rko[0] = aes_rot_word(aes_sub_word(rki[(192 / 32) - 1])) ^ rcon[i] ^ rki[0]; - rko[1] = rko[0] ^ rki[1]; - rko[2] = rko[1] ^ rki[2]; - rko[3] = rko[2] ^ rki[3]; - if (i < 7) { - rko[4] = rko[3] ^ rki[4]; - rko[5] = rko[4] ^ rki[5]; - } - } -} - -/* - * Key expansion, 256-bit case - */ -static void aesce_setkey_enc_256(unsigned char *rk, - const unsigned char *key) -{ - uint32_t *rki; - uint32_t *rko; - uint32_t *rk_u32 = (uint32_t *) rk; - memcpy(rk, key, (256 / 8)); - - for (size_t i = 0; i < 7; i++) { - rki = rk_u32 + i * (256 / 32); - rko = rki + (256 / 32); - rko[0] = aes_rot_word(aes_sub_word(rki[(256 / 32) - 1])) ^ rcon[i] ^ rki[0]; - rko[1] = rko[0] ^ rki[1]; - rko[2] = rko[1] ^ rki[2]; - rko[3] = rko[2] ^ rki[3]; - if (i < 6) { - rko[4] = aes_sub_word(rko[3]) ^ rki[4]; - rko[5] = rko[4] ^ rki[5]; - rko[6] = rko[5] ^ rki[6]; - rko[7] = rko[6] ^ rki[7]; + switch (key_bit_length) { + case 192: + if (i < 7) { + rko[4] = rko[3] ^ rki[4]; + rko[5] = rko[4] ^ rki[5]; + } + break; + case 256: + if (i < 6) { + rko[4] = aes_sub_word(rko[3]) ^ rki[4]; + rko[5] = rko[4] ^ rki[5]; + rko[6] = rko[5] ^ rki[6]; + rko[7] = rko[6] ^ rki[7]; + } + break; } } } @@ -261,9 +230,10 @@ int mbedtls_aesce_setkey_enc(unsigned char *rk, size_t bits) { switch (bits) { - case 128: aesce_setkey_enc_128(rk, key); break; - case 192: aesce_setkey_enc_192(rk, key); break; - case 256: aesce_setkey_enc_256(rk, key); break; + case 128: + case 192: + case 256: + aesce_setkey_enc(rk, key, bits); break; default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; } From ba4ec24c79289fcc82609e02ceb9a4da180a5550 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 21 Feb 2023 15:59:13 +0800 Subject: [PATCH 184/250] fix code style failure Signed-off-by: Jerry Yu --- library/sha256.c | 4 ++-- library/sha512.c | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/library/sha256.c b/library/sha256.c index c167dbe1a8..8c2e6f9e07 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -34,13 +34,13 @@ #pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) #define MBEDTLS_POP_TARGET_PRAGMA #endif /* __aarch64__ && __clang__ && - !__ARM_FEATURE_CRYPTO && __clang_major__ < 18 && __clang_major__ > 3 */ + !__ARM_FEATURE_CRYPTO && __clang_major__ < 18 && __clang_major__ > 3 */ #include "common.h" #if defined(MBEDTLS_POP_TARGET_PRAGMA) && \ !(defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)) + defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)) #if defined(__clang__) #pragma clang attribute pop #endif diff --git a/library/sha512.c b/library/sha512.c index d0e6d47df8..26b46318d3 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -35,15 +35,15 @@ #pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) #define MBEDTLS_POP_TARGET_PRAGMA #endif /* __aarch64__ && __clang__ && - !__ARM_FEATURE_SHA512 && __clang_major__ < 18 && - __clang_major__ >= 13 && __clang_minor__ > 0 && - __clang_patchlevel__ > 0 */ + !__ARM_FEATURE_SHA512 && __clang_major__ < 18 && + __clang_major__ >= 13 && __clang_minor__ > 0 && + __clang_patchlevel__ > 0 */ #include "common.h" #if defined(MBEDTLS_POP_TARGET_PRAGMA) && \ !(defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)) + defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)) #if defined(__clang__) #pragma clang attribute pop #endif From 787f7c8d10b43ce25f648de47a879c264bb2eb24 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 21 Feb 2023 10:21:12 +0100 Subject: [PATCH 185/250] Improve documentation of documentation workaround Signed-off-by: Gilles Peskine --- doxygen/mbedtls.doxyfile | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 7e8d196113..1077f86dbd 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -32,10 +32,13 @@ DOT_TRANSPARENT = YES # but clang -Wdocumentation doesn't (since Clang 15, for \retval). # https://github.com/Mbed-TLS/mbedtls/issues/6960 # https://github.com/llvm/llvm-project/issues/60315 -# As a workaround, when documenting the status codes that a function can -# return, if you don't have anything to say beyond the status code's -# description, you can write something like -# \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription +# We often use \retval declarations with just a constant name to +# document which error codes a function can return. If the documentation +# of the error code is enough to explain the error, then an empty +# description on the \retval statement is ok. However, the source code +# of the description needs to be made non-empty to pacify Clang. +# In such cases, you can write something like +# \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription # This does not change the documentation generated by Doxygen, but # it pacifies clang -Wdocumentation. ALIASES += emptydescription="" From a006f8c17ba8f46634e4fe8e837241cd4eb1d474 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 21 Feb 2023 13:36:56 +0100 Subject: [PATCH 186/250] Adapt dependencies for parsing rfc822Name test Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_x509parse.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 9b6e29831b..c6dbad786f 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -207,7 +207,7 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R x509_parse_san:"data_files/server5-unsupported_othername.crt":"" X509 SAN parsing rfc822Name -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_parse_san:"data_files/test_cert_rfc822name.crt.der":"type \: 1\nrfc822Name \: my@other.address\ntype \: 1\nrfc822Name \: second@other.address\n" X509 CRL information #1 From 226aa15702b204cda49adc31662f62522391bc2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sun, 5 Feb 2023 09:46:59 +0100 Subject: [PATCH 187/250] Make handshake hashing functions return int MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There are three family of functions: update_checksum, calc_verify, calc_finished, that perform hashing operations and were returning void so far. This is not correct, as hashing functions can return errors (for example, on hardware failure when accelerated). Change them to return int. This commit just changes the types: for now the functions always return 0, and their return value is not checked; this will be fixed in the next few commits. There is a related function in TLS 1.3, mbedtls_ssl_reset_transcript_for_hrr, which also handles hashes, and already returns int but does not correctly check for errors from hashing functions so far, it will also be handled in the next few commits. There's a special case with handshake_params_init: _init functions should return void, so we'll need to split out the part that can return errors, see the next commit. Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_misc.h | 8 +++--- library/ssl_tls.c | 64 +++++++++++++++++++++++++--------------------- 2 files changed, 39 insertions(+), 33 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 2668a05b6e..bffbef2cf5 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -705,9 +705,9 @@ struct mbedtls_ssl_handshake_params { mbedtls_ssl_ciphersuite_t const *ciphersuite_info; - void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); - void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *); - void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); + int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); + int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *); + int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); mbedtls_ssl_tls_prf_cb *tls_prf; /* @@ -1317,7 +1317,7 @@ static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl, MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl); -void mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl); +int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl); #if defined(MBEDTLS_SSL_PROTO_TLS1_2) MBEDTLS_CHECK_RETURN_CRITICAL diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 86f5c0b555..319628529a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -418,8 +418,8 @@ static int tls_prf_sha256(const unsigned char *secret, size_t slen, const char *label, const unsigned char *random, size_t rlen, unsigned char *dstbuf, size_t dlen); -static void ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *); -static void ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int); +static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *); +static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int); #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ @@ -430,8 +430,8 @@ static int tls_prf_sha384(const unsigned char *secret, size_t slen, const unsigned char *random, size_t rlen, unsigned char *dstbuf, size_t dlen); -static void ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *); -static void ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int); +static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *); +static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int); #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, @@ -444,14 +444,14 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session, size_t len); #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -static void ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t); +static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t); #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) -static void ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t); +static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t); #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) -static void ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t); +static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t); #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, @@ -812,7 +812,7 @@ void mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, ssl->handshake->update_checksum(ssl, msg, msg_len); } -void mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl) +int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl) { ((void) ssl); #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) @@ -831,9 +831,10 @@ void mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl) mbedtls_sha512_starts(&ssl->handshake->fin_sha384, 1); #endif #endif + return 0; } -static void ssl_update_checksum_start(mbedtls_ssl_context *ssl, +static int ssl_update_checksum_start(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len) { #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) @@ -856,10 +857,11 @@ static void ssl_update_checksum_start(mbedtls_ssl_context *ssl, (void) buf; (void) len; #endif + return 0; } #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) -static void ssl_update_checksum_sha256(mbedtls_ssl_context *ssl, +static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len) { #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -867,11 +869,12 @@ static void ssl_update_checksum_sha256(mbedtls_ssl_context *ssl, #else mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len); #endif + return 0; } #endif #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) -static void ssl_update_checksum_sha384(mbedtls_ssl_context *ssl, +static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len) { #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -879,6 +882,7 @@ static void ssl_update_checksum_sha384(mbedtls_ssl_context *ssl, #else mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len); #endif + return 0; } #endif @@ -6513,9 +6517,9 @@ int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md) } #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) -void ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl, - unsigned char *hash, - size_t *hlen) +int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl, + unsigned char *hash, + size_t *hlen) { #if defined(MBEDTLS_USE_PSA_CRYPTO) size_t hash_size; @@ -6526,13 +6530,13 @@ void ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl, status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa); if (status != PSA_SUCCESS) { MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed")); - return; + return 0; } status = psa_hash_finish(&sha256_psa, hash, 32, &hash_size); if (status != PSA_SUCCESS) { MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed")); - return; + return 0; } *hlen = 32; @@ -6555,14 +6559,14 @@ void ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl, mbedtls_sha256_free(&sha256); #endif /* MBEDTLS_USE_PSA_CRYPTO */ - return; + return 0; } #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) -void ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl, - unsigned char *hash, - size_t *hlen) +int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl, + unsigned char *hash, + size_t *hlen) { #if defined(MBEDTLS_USE_PSA_CRYPTO) size_t hash_size; @@ -6573,13 +6577,13 @@ void ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl, status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa); if (status != PSA_SUCCESS) { MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed")); - return; + return 0; } status = psa_hash_finish(&sha384_psa, hash, 48, &hash_size); if (status != PSA_SUCCESS) { MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed")); - return; + return 0; } *hlen = 48; @@ -6602,7 +6606,7 @@ void ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl, mbedtls_sha512_free(&sha512); #endif /* MBEDTLS_USE_PSA_CRYPTO */ - return; + return 0; } #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ @@ -7545,7 +7549,7 @@ exit: #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) -static void ssl_calc_finished_tls_sha256( +static int ssl_calc_finished_tls_sha256( mbedtls_ssl_context *ssl, unsigned char *buf, int from) { int len = 12; @@ -7576,13 +7580,13 @@ static void ssl_calc_finished_tls_sha256( status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa); if (status != PSA_SUCCESS) { MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed")); - return; + return 0; } status = psa_hash_finish(&sha256_psa, padbuf, sizeof(padbuf), &hash_size); if (status != PSA_SUCCESS) { MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed")); - return; + return 0; } MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 32); #else @@ -7616,12 +7620,13 @@ static void ssl_calc_finished_tls_sha256( mbedtls_platform_zeroize(padbuf, sizeof(padbuf)); MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); + return 0; } #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) -static void ssl_calc_finished_tls_sha384( +static int ssl_calc_finished_tls_sha384( mbedtls_ssl_context *ssl, unsigned char *buf, int from) { int len = 12; @@ -7652,13 +7657,13 @@ static void ssl_calc_finished_tls_sha384( status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa); if (status != PSA_SUCCESS) { MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed")); - return; + return 0; } status = psa_hash_finish(&sha384_psa, padbuf, sizeof(padbuf), &hash_size); if (status != PSA_SUCCESS) { MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed")); - return; + return 0; } MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 48); #else @@ -7691,6 +7696,7 @@ static void ssl_calc_finished_tls_sha384( mbedtls_platform_zeroize(padbuf, sizeof(padbuf)); MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); + return 0; } #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ From 537f231fd92e6b9c8946892dfc280fe44336a0ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sun, 5 Feb 2023 10:17:45 +0100 Subject: [PATCH 188/250] Split hash start out of handshake_params_init MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This part can fail, so it shouldn't be intermixed with the part that can't fail and is there to ensure all structures are in a clean state, should any error happen. Fortunately, the part that should be split out already had a function doing it: reset_checksum. Also, handshake_params_init had only one calling site to update. Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_tls.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 319628529a..c881872c94 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -893,19 +893,15 @@ static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake) #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) handshake->fin_sha256_psa = psa_hash_operation_init(); - psa_hash_setup(&handshake->fin_sha256_psa, PSA_ALG_SHA_256); #else mbedtls_sha256_init(&handshake->fin_sha256); - mbedtls_sha256_starts(&handshake->fin_sha256, 0); #endif #endif #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) handshake->fin_sha384_psa = psa_hash_operation_init(); - psa_hash_setup(&handshake->fin_sha384_psa, PSA_ALG_SHA_384); #else mbedtls_sha512_init(&handshake->fin_sha384); - mbedtls_sha512_starts(&handshake->fin_sha384, 1); #endif #endif @@ -1042,6 +1038,9 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl) mbedtls_ssl_transform_init(ssl->transform_negotiate); #endif + /* Setup handshake checksums */ + mbedtls_ssl_reset_checksum(ssl); + #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_SSL_SRV_C) && \ defined(MBEDTLS_SSL_SESSION_TICKETS) From d7a7a23308e8725f00b847bfd6a169299610a3fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sun, 5 Feb 2023 10:26:49 +0100 Subject: [PATCH 189/250] Use reset_checksum in reset_transcript_for_hrr MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This function was manually resetting just the hash that would be used; it's simpler to just call the function that resets all hashes. This also avoids calling low-level code from TLS 1.3. While at it, remove the guards about SHA-256 || SHA-384 that were around update_checksum, as they are redundant: update_checksum already has appropriate guards (and TLS 1.3 already depends on one of those tow hashes being present anyway). Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_tls13_generic.c | 32 ++------------------------------ 1 file changed, 2 insertions(+), 30 deletions(-) diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 4fb73f91b9..214f3ffb58 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1399,37 +1399,9 @@ int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl) hash_len += 4; -#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) - if (ciphersuite_info->mac == MBEDTLS_MD_SHA256) { - MBEDTLS_SSL_DEBUG_BUF(4, "Truncated SHA-256 handshake transcript", - hash_transcript, hash_len); - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_abort(&ssl->handshake->fin_sha256_psa); - psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256); -#else - mbedtls_sha256_starts(&ssl->handshake->fin_sha256, 0); -#endif - } -#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) - if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) { - MBEDTLS_SSL_DEBUG_BUF(4, "Truncated SHA-384 handshake transcript", - hash_transcript, hash_len); - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_abort(&ssl->handshake->fin_sha384_psa); - psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384); -#else - mbedtls_sha512_starts(&ssl->handshake->fin_sha384, 1); -#endif - } -#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ -#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \ - defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + /* Reset running hash and replace it with a hash of the transcript */ + mbedtls_ssl_reset_checksum(ssl); ssl->handshake->update_checksum(ssl, hash_transcript, hash_len); -#endif \ - /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA || MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ return ret; } From b8b07aa24a34618a35743f21088358c627a5d12c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 6 Feb 2023 00:34:21 +0100 Subject: [PATCH 190/250] Handle errors from functions that now return int MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A few functions were changed from returning void to returning int three commits ago. Make sure their callers check the return values. This commits was basically a matter of declaring newly-int-returning functions MBEDTLS_CHECK_RETURN_CRITICAL and then fixing the resulting warnings. A few functions had to be made int in the process; they were applied the same process as well. Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_client.c | 21 ++++++++++--- library/ssl_misc.h | 13 ++++++-- library/ssl_msg.c | 23 +++++++++++--- library/ssl_tls.c | 36 ++++++++++++++++------ library/ssl_tls12_client.c | 13 ++++++-- library/ssl_tls12_server.c | 18 +++++++++-- library/ssl_tls13_client.c | 17 ++++++----- library/ssl_tls13_generic.c | 37 ++++++++++++++--------- library/ssl_tls13_server.c | 60 ++++++++++++++++++++++++------------- 9 files changed, 171 insertions(+), 67 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index 963f8bb7c7..42ff6748cf 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -945,16 +945,29 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl) #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */ { - mbedtls_ssl_add_hs_hdr_to_checksum(ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, - msg_len); - ssl->handshake->update_checksum(ssl, buf, msg_len - binders_len); + ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, + MBEDTLS_SSL_HS_CLIENT_HELLO, + msg_len); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_add_hs_hdr_to_checksum", ret); + return ret; + } + ret = ssl->handshake->update_checksum(ssl, buf, msg_len - binders_len); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret); + return ret; + } #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) if (binders_len > 0) { MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( ssl, buf + msg_len - binders_len, buf + msg_len)); - ssl->handshake->update_checksum(ssl, buf + msg_len - binders_len, + ret = ssl->handshake->update_checksum(ssl, buf + msg_len - binders_len, binders_len); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret); + return ret; + } } #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ diff --git a/library/ssl_misc.h b/library/ssl_misc.h index bffbef2cf5..6dd7cb07bb 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -705,8 +705,11 @@ struct mbedtls_ssl_handshake_params { mbedtls_ssl_ciphersuite_t const *ciphersuite_info; + MBEDTLS_CHECK_RETURN_CRITICAL int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); + MBEDTLS_CHECK_RETURN_CRITICAL int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *); + MBEDTLS_CHECK_RETURN_CRITICAL int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); mbedtls_ssl_tls_prf_cb *tls_prf; @@ -1317,6 +1320,7 @@ static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl, MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl); +MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl); #if defined(MBEDTLS_SSL_PROTO_TLS1_2) @@ -1328,7 +1332,8 @@ MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl); MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl); -void mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl); +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl); /** * \brief Update record layer @@ -1461,12 +1466,14 @@ void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, /* * Update checksum of handshake messages. */ -void mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, unsigned hs_type, unsigned char const *msg, size_t msg_len); -void mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, unsigned hs_type, size_t total_hs_len); diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 9bedc25467..d26d950864 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -2639,7 +2639,12 @@ int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl, /* Update running hashes of handshake messages seen */ if (hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST && update_checksum != 0) { - ssl->handshake->update_checksum(ssl, ssl->out_msg, ssl->out_msglen); + ret = ssl->handshake->update_checksum(ssl, ssl->out_msg, + ssl->out_msglen); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret); + return ret; + } } } @@ -3067,12 +3072,17 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) return 0; } -void mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl) +int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl) { + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_ssl_handshake_params * const hs = ssl->handshake; if (mbedtls_ssl_is_handshake_over(ssl) == 0 && hs != NULL) { - ssl->handshake->update_checksum(ssl, ssl->in_msg, ssl->in_hslen); + ret = ssl->handshake->update_checksum(ssl, ssl->in_msg, ssl->in_hslen); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret); + return ret; + } } /* Handshake message is complete, increment counter */ @@ -3103,6 +3113,7 @@ void mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl) memset(hs_buf, 0, sizeof(mbedtls_ssl_hs_buffer)); } #endif + return 0; } /* @@ -3928,7 +3939,11 @@ int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl, if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && update_hs_digest == 1) { - mbedtls_ssl_update_handshake_status(ssl); + ret = mbedtls_ssl_update_handshake_status(ssl); + if (0 != ret) { + MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret); + return ret; + } } } else { MBEDTLS_SSL_DEBUG_MSG(2, ("reuse previously read message")); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c881872c94..cbc60ec96e 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -788,7 +788,7 @@ void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, } } -void mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, +int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, unsigned hs_type, size_t total_hs_len) { @@ -800,16 +800,19 @@ void mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len); hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len); - ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr)); + return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr)); } -void mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, +int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, unsigned hs_type, unsigned char const *msg, size_t msg_len) { - mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len); - ssl->handshake->update_checksum(ssl, msg, msg_len); + int ret; + ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len); + if (ret != 0) + return ret; + return ssl->handshake->update_checksum(ssl, msg, msg_len); } int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl) @@ -971,6 +974,8 @@ void mbedtls_ssl_session_init(mbedtls_ssl_session *session) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_handshake_init(mbedtls_ssl_context *ssl) { + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + /* Clear old handshake information if present */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if (ssl->transform_negotiate) { @@ -1039,7 +1044,11 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl) #endif /* Setup handshake checksums */ - mbedtls_ssl_reset_checksum(ssl); + ret = mbedtls_ssl_reset_checksum(ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret); + return ret; + } #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_SSL_SRV_C) && \ @@ -6288,7 +6297,10 @@ static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake, if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) { lbl = "extended master secret"; seed = session_hash; - handshake->calc_verify(ssl, session_hash, &seed_len); + ret = handshake->calc_verify(ssl, session_hash, &seed_len); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret); + } MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret", session_hash, seed_len); @@ -7792,7 +7804,10 @@ int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl) mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate); - ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint); + ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); + } /* * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites @@ -7902,7 +7917,10 @@ int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl) MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished")); - ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1); + ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); + } if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index b427ae9444..fc99fdebeb 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -1090,6 +1090,7 @@ static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl, MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl) { + int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); uint16_t dtls_legacy_version; @@ -1160,7 +1161,11 @@ static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl) /* Start over at ClientHello */ ssl->state = MBEDTLS_SSL_CLIENT_HELLO; - mbedtls_ssl_reset_checksum(ssl); + ret = mbedtls_ssl_reset_checksum(ssl); + if (0 != ret) { + MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret); + return ret; + } mbedtls_ssl_recv_flight_completed(ssl); @@ -3283,7 +3288,11 @@ static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl) sign: #endif - ssl->handshake->calc_verify(ssl, hash, &hashlen); + ret = ssl->handshake->calc_verify(ssl, hash, &hashlen); + if (0 != ret) { + MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret); + return ret; + } /* * digitally-signed struct { diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 929829249f..d5c8b7ce49 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -1020,7 +1020,11 @@ read_record_header: MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len); - ssl->handshake->update_checksum(ssl, buf, msg_len); + ret = ssl->handshake->update_checksum(ssl, buf, msg_len); + if (0 != ret) { + MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); + return ret; + } /* * Handshake layer: @@ -4129,7 +4133,11 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) /* Calculate hash and verify signature */ { size_t dummy_hlen; - ssl->handshake->calc_verify(ssl, hash, &dummy_hlen); + ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen); + if (0 != ret) { + MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret); + return ret; + } } if ((ret = mbedtls_pk_verify(peer_pk, @@ -4139,7 +4147,11 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) return ret; } - mbedtls_ssl_update_handshake_status(ssl); + ret = mbedtls_ssl_update_handshake_status(ssl); + if (0 != ret) { + MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret); + return ret; + } MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify")); diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 1e79afab84..7948753e36 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1489,8 +1489,9 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl, ssl->keep_current_message = 1; ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; - mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_SERVER_HELLO, - buf, (size_t) (end - buf)); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, + MBEDTLS_SSL_HS_SERVER_HELLO, + buf, (size_t) (end - buf))); if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) { ret = ssl_tls13_reset_key_share(ssl); @@ -2056,8 +2057,8 @@ static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl)); } - mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_SERVER_HELLO, - buf, buf_len); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, + MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len)); if (is_hrr) { MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl)); @@ -2214,8 +2215,8 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl) } #endif - mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, - buf, buf_len); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, + MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, buf_len)); #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) { @@ -2458,8 +2459,8 @@ static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(ssl, buf, buf + buf_len)); - mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, - buf, buf_len); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, + MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, buf_len)); } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) { ret = 0; } else { diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 214f3ffb58..f81979a7f5 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -322,8 +322,9 @@ int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl) buf + buf_len, verify_buffer, verify_buffer_len)); - mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, - buf, buf_len); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, + MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, + buf, buf_len)); cleanup: @@ -752,8 +753,8 @@ int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl) /* Validate the certificate chain and set the verification results. */ MBEDTLS_SSL_PROC_CHK(ssl_tls13_validate_certificate(ssl)); - mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE, - buf, buf_len); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, + MBEDTLS_SSL_HS_CERTIFICATE, buf, buf_len)); cleanup: #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ @@ -868,8 +869,8 @@ int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl) buf + buf_len, &msg_len)); - mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE, - buf, msg_len); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, + MBEDTLS_SSL_HS_CERTIFICATE, buf, msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len)); @@ -1070,8 +1071,8 @@ int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_verify_body( ssl, buf, buf + buf_len, &msg_len)); - mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, - buf, msg_len); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, + MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len)); @@ -1171,8 +1172,8 @@ int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_finished_message(ssl, buf, buf + buf_len)); - mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_FINISHED, - buf, buf_len); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, + MBEDTLS_SSL_HS_FINISHED, buf, buf_len)); cleanup: @@ -1248,8 +1249,8 @@ int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_finished_message_body( ssl, buf, buf + buf_len, &msg_len)); - mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_FINISHED, - buf, msg_len); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, + MBEDTLS_SSL_HS_FINISHED, buf, msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len)); @@ -1400,8 +1401,16 @@ int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl) hash_len += 4; /* Reset running hash and replace it with a hash of the transcript */ - mbedtls_ssl_reset_checksum(ssl); - ssl->handshake->update_checksum(ssl, hash_transcript, hash_len); + ret = mbedtls_ssl_reset_checksum(ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret); + return ret; + } + ret = ssl->handshake->update_checksum(ssl, hash_transcript, hash_len); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret); + return ret; + } return ret; } diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 81c289aee5..047b97a658 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -486,6 +486,7 @@ static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl, const unsigned char *ciphersuites, const unsigned char *ciphersuites_end) { + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const unsigned char *identities = pre_shared_key_ext; const unsigned char *p_identity_len; size_t identities_len; @@ -521,8 +522,12 @@ static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, pre_shared_key_ext_end, binders_len); binders_end = p_binder_len + binders_len; - ssl->handshake->update_checksum(ssl, pre_shared_key_ext, - identities_end - pre_shared_key_ext); + ret = ssl->handshake->update_checksum(ssl, pre_shared_key_ext, + identities_end - pre_shared_key_ext); + if (0 != ret) { + MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); + return ret; + } while (p_identity_len < identities_end && p_binder_len < binders_end) { const unsigned char *identity; @@ -530,7 +535,6 @@ static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl, uint32_t obfuscated_ticket_age; const unsigned char *binder; size_t binder_len; - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int psk_type; uint16_t cipher_suite; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; @@ -642,9 +646,13 @@ static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl, } /* Update the handshake transcript with the binder list. */ - ssl->handshake->update_checksum(ssl, - identities_end, - (size_t) (binders_end - identities_end)); + ret = ssl->handshake->update_checksum(ssl, + identities_end, + (size_t) (binders_end - identities_end)); + if (0 != ret) { + MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); + return ret; + } if (matched_identity == -1) { MBEDTLS_SSL_DEBUG_MSG(3, ("No matched PSK or ticket.")); return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; @@ -1590,9 +1598,13 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CLIENT_HELLO, handshake->received_extensions); - mbedtls_ssl_add_hs_hdr_to_checksum(ssl, - MBEDTLS_SSL_HS_CLIENT_HELLO, - p - buf); + ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, + MBEDTLS_SSL_HS_CLIENT_HELLO, + p - buf); + if (0 != ret) { + MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_add_hs_hdr_to_checksum"), ret); + return ret; + } #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) /* Update checksum with either @@ -1603,8 +1615,12 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, if (mbedtls_ssl_tls13_some_psk_enabled(ssl) && mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) && (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY))) { - handshake->update_checksum(ssl, buf, - pre_shared_key_ext - buf); + ret = handshake->update_checksum(ssl, buf, + pre_shared_key_ext - buf); + if (0 != ret) { + MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); + return ret; + } ret = ssl_tls13_parse_pre_shared_key_ext(ssl, pre_shared_key_ext, pre_shared_key_ext_end, @@ -1620,7 +1636,11 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, } else #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ { - handshake->update_checksum(ssl, buf, p - buf); + ret = handshake->update_checksum(ssl, buf, p - buf); + if (0 != ret) { + MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); + return ret; + } } ret = ssl_tls13_determine_key_exchange_mode(ssl); @@ -2134,8 +2154,8 @@ static int ssl_tls13_write_server_hello(mbedtls_ssl_context *ssl) &msg_len, 0)); - mbedtls_ssl_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( + ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len)); @@ -2207,8 +2227,8 @@ static int ssl_tls13_write_hello_retry_request(mbedtls_ssl_context *ssl) buf + buf_len, &msg_len, 1)); - mbedtls_ssl_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( + ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len, @@ -2306,8 +2326,8 @@ static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_encrypted_extensions_body( ssl, buf, buf + buf_len, &msg_len)); - mbedtls_ssl_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( + ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len)); @@ -2439,8 +2459,8 @@ static int ssl_tls13_write_certificate_request(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_request_body( ssl, buf, buf + buf_len, &msg_len)); - mbedtls_ssl_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( + ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len)); From b72ff498c95a937a1d0eebb5769ceda15a7d4395 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 6 Feb 2023 09:54:49 +0100 Subject: [PATCH 191/250] Handle hash errors in reset_checksum MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_tls.c | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index cbc60ec96e..afcec4671b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -817,21 +817,44 @@ int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; +#else + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#endif ((void) ssl); #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_abort(&ssl->handshake->fin_sha256_psa); - psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256); + status = psa_hash_abort(&ssl->handshake->fin_sha256_psa); + if (status != PSA_SUCCESS) { + return mbedtls_md_error_from_psa(status); + } + status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256); + if (status != PSA_SUCCESS) { + return mbedtls_md_error_from_psa(status); + } #else - mbedtls_sha256_starts(&ssl->handshake->fin_sha256, 0); + ret = mbedtls_sha256_starts(&ssl->handshake->fin_sha256, 0); + if (ret != 0) { + return ret; + } #endif #endif #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_abort(&ssl->handshake->fin_sha384_psa); - psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384); + status = psa_hash_abort(&ssl->handshake->fin_sha384_psa); + if (status != PSA_SUCCESS) { + return mbedtls_md_error_from_psa(status); + } + status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384); + if (status != PSA_SUCCESS) { + return mbedtls_md_error_from_psa(status); + } #else - mbedtls_sha512_starts(&ssl->handshake->fin_sha384, 1); + ret = mbedtls_sha512_starts(&ssl->handshake->fin_sha384, 1); + if (ret != 0) { + return ret; + } #endif #endif return 0; From df94901566f73e64ecce239cd54c8a12a7b08c7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 6 Feb 2023 10:00:52 +0100 Subject: [PATCH 192/250] Handle hash errors in update_checksum MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_tls.c | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index afcec4671b..ccea3bbd05 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -863,18 +863,35 @@ int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl) static int ssl_update_checksum_start(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; +#else + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#endif #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len); + status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len); + if (status != PSA_SUCCESS) { + return mbedtls_md_error_from_psa(status); + } #else - mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len); + ret = mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len); + if (ret != 0) { + return ret; + } #endif #endif #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len); + status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len); + if (status != PSA_SUCCESS) { + return mbedtls_md_error_from_psa(status); + } #else - mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len); + ret = mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len); + if (ret != 0) { + return ret; + } #endif #endif #if !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ @@ -891,11 +908,11 @@ static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len); + return mbedtls_md_error_from_psa(psa_hash_update( + &ssl->handshake->fin_sha256_psa, buf, len)); #else - mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len); + return mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len); #endif - return 0; } #endif @@ -904,11 +921,11 @@ static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len); + return mbedtls_md_error_from_psa(psa_hash_update( + &ssl->handshake->fin_sha384_psa, buf, len)); #else - mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len); + return mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len); #endif - return 0; } #endif From b9b564e64b12b8a1537a7d7f0f5d0ff25845024f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 6 Feb 2023 10:06:04 +0100 Subject: [PATCH 193/250] Handle hash errors in calc_verify MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On top on some calls not being checked, the PSA path was missing a call to abort() on errors. Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_tls.c | 38 +++++++++++++++++++++++++++----------- 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ccea3bbd05..d072ddb1b8 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6580,20 +6580,23 @@ int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha256")); status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa); if (status != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed")); - return 0; + goto exit; } status = psa_hash_finish(&sha256_psa, hash, 32, &hash_size); if (status != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed")); - return 0; + goto exit; } *hlen = 32; MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen); MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify")); + +exit: + psa_hash_abort(&sha256_psa); + return mbedtls_md_error_from_psa(status); #else + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_sha256_context sha256; mbedtls_sha256_init(&sha256); @@ -6601,13 +6604,18 @@ int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha256")); mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256); - mbedtls_sha256_finish(&sha256, hash); + + ret = mbedtls_sha256_finish(&sha256, hash); + if (ret != 0) { + goto exit; + } *hlen = 32; MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen); MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify")); +exit: mbedtls_sha256_free(&sha256); #endif /* MBEDTLS_USE_PSA_CRYPTO */ return 0; @@ -6627,20 +6635,23 @@ int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha384")); status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa); if (status != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed")); - return 0; + goto exit; } status = psa_hash_finish(&sha384_psa, hash, 48, &hash_size); if (status != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed")); - return 0; + goto exit; } *hlen = 48; MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen); MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify")); + +exit: + psa_hash_abort(&sha384_psa); + return mbedtls_md_error_from_psa(status); #else + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_sha512_context sha512; mbedtls_sha512_init(&sha512); @@ -6648,16 +6659,21 @@ int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha384")); mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha384); - mbedtls_sha512_finish(&sha512, hash); + + ret = mbedtls_sha512_finish(&sha512, hash); + if (ret != 0) { + goto exit; + } *hlen = 48; MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen); MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify")); +exit: mbedtls_sha512_free(&sha512); + return ret; #endif /* MBEDTLS_USE_PSA_CRYPTO */ - return 0; } #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ From e1a4caa9342a0c469169d061b85fd9502821da27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 6 Feb 2023 10:14:25 +0100 Subject: [PATCH 194/250] Handle hash errors in calc_finished MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit That's the last family of functions. All calls to mbedtls_sha* and psa_hash_* in library/ssl_tls.c are now checked for errors. Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_tls.c | 47 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 32 insertions(+), 15 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index d072ddb1b8..1a00baaf61 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7627,6 +7627,7 @@ static int ssl_calc_finished_tls_sha256( psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT; psa_status_t status; #else + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_sha256_context sha256; #endif @@ -7646,14 +7647,12 @@ static int ssl_calc_finished_tls_sha256( status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa); if (status != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed")); - return 0; + goto exit; } status = psa_hash_finish(&sha256_psa, padbuf, sizeof(padbuf), &hash_size); if (status != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed")); - return 0; + goto exit; } MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 32); #else @@ -7675,8 +7674,10 @@ static int ssl_calc_finished_tls_sha256( sha256.state, sizeof(sha256.state)); #endif - mbedtls_sha256_finish(&sha256, padbuf); - mbedtls_sha256_free(&sha256); + ret = mbedtls_sha256_finish(&sha256, padbuf); + if (ret != 0) { + goto exit; + } #endif /* MBEDTLS_USE_PSA_CRYPTO */ ssl->handshake->tls_prf(session->master, 48, sender, @@ -7687,7 +7688,15 @@ static int ssl_calc_finished_tls_sha256( mbedtls_platform_zeroize(padbuf, sizeof(padbuf)); MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); - return 0; + +exit: +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_abort(&sha256_psa); + return mbedtls_md_error_from_psa(status); +#else + mbedtls_sha256_free(&sha256); + return ret; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ @@ -7704,6 +7713,7 @@ static int ssl_calc_finished_tls_sha384( psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT; psa_status_t status; #else + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_sha512_context sha512; #endif @@ -7723,14 +7733,12 @@ static int ssl_calc_finished_tls_sha384( status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa); if (status != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed")); - return 0; + goto exit; } status = psa_hash_finish(&sha384_psa, padbuf, sizeof(padbuf), &hash_size); if (status != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed")); - return 0; + goto exit; } MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 48); #else @@ -7750,9 +7758,10 @@ static int ssl_calc_finished_tls_sha384( MBEDTLS_SSL_DEBUG_BUF(4, "finished sha512 state", (unsigned char *) sha512.state, sizeof(sha512.state)); #endif - mbedtls_sha512_finish(&sha512, padbuf); - - mbedtls_sha512_free(&sha512); + ret = mbedtls_sha512_finish(&sha512, padbuf); + if (ret != 0) { + goto exit; + } #endif ssl->handshake->tls_prf(session->master, 48, sender, @@ -7763,7 +7772,15 @@ static int ssl_calc_finished_tls_sha384( mbedtls_platform_zeroize(padbuf, sizeof(padbuf)); MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); - return 0; + +exit: +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_abort(&sha384_psa); + return mbedtls_md_error_from_psa(status); +#else + mbedtls_sha512_free(&sha512); + return ret; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ From 43cc127d3aa9ccff30c0210fa246144142d2e0e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 6 Feb 2023 11:48:19 +0100 Subject: [PATCH 195/250] Fix code style MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_client.c | 2 +- library/ssl_misc.h | 10 +++++----- library/ssl_tls.c | 23 ++++++++++++----------- library/ssl_tls13_client.c | 13 ++++++++----- library/ssl_tls13_generic.c | 17 ++++++++++------- library/ssl_tls13_server.c | 8 ++++---- 6 files changed, 40 insertions(+), 33 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index 42ff6748cf..ea64b216e0 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -963,7 +963,7 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl) mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( ssl, buf + msg_len - binders_len, buf + msg_len)); ret = ssl->handshake->update_checksum(ssl, buf + msg_len - binders_len, - binders_len); + binders_len); if (ret != 0) { MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret); return ret; diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 6dd7cb07bb..7385c6ee39 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1468,14 +1468,14 @@ void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, */ MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, - unsigned hs_type, - unsigned char const *msg, - size_t msg_len); + unsigned hs_type, + unsigned char const *msg, + size_t msg_len); MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, - unsigned hs_type, - size_t total_hs_len); + unsigned hs_type, + size_t total_hs_len); #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if !defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 1a00baaf61..55c6c3d3c7 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -789,8 +789,8 @@ void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, } int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, - unsigned hs_type, - size_t total_hs_len) + unsigned hs_type, + size_t total_hs_len) { unsigned char hs_hdr[4]; @@ -804,14 +804,15 @@ int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, } int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, - unsigned hs_type, - unsigned char const *msg, - size_t msg_len) + unsigned hs_type, + unsigned char const *msg, + size_t msg_len) { int ret; ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len); - if (ret != 0) + if (ret != 0) { return ret; + } return ssl->handshake->update_checksum(ssl, msg, msg_len); } @@ -861,7 +862,7 @@ int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl) } static int ssl_update_checksum_start(mbedtls_ssl_context *ssl, - const unsigned char *buf, size_t len) + const unsigned char *buf, size_t len) { #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status; @@ -905,11 +906,11 @@ static int ssl_update_checksum_start(mbedtls_ssl_context *ssl, #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl, - const unsigned char *buf, size_t len) + const unsigned char *buf, size_t len) { #if defined(MBEDTLS_USE_PSA_CRYPTO) return mbedtls_md_error_from_psa(psa_hash_update( - &ssl->handshake->fin_sha256_psa, buf, len)); + &ssl->handshake->fin_sha256_psa, buf, len)); #else return mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len); #endif @@ -918,11 +919,11 @@ static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl, #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl, - const unsigned char *buf, size_t len) + const unsigned char *buf, size_t len) { #if defined(MBEDTLS_USE_PSA_CRYPTO) return mbedtls_md_error_from_psa(psa_hash_update( - &ssl->handshake->fin_sha384_psa, buf, len)); + &ssl->handshake->fin_sha384_psa, buf, len)); #else return mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len); #endif diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 7948753e36..8dea1c47a2 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1490,8 +1490,8 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl, ssl->keep_current_message = 1; ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, - MBEDTLS_SSL_HS_SERVER_HELLO, - buf, (size_t) (end - buf))); + MBEDTLS_SSL_HS_SERVER_HELLO, + buf, (size_t) (end - buf))); if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) { ret = ssl_tls13_reset_key_share(ssl); @@ -2058,7 +2058,8 @@ static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl) } MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, - MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len)); + MBEDTLS_SSL_HS_SERVER_HELLO, buf, + buf_len)); if (is_hrr) { MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl)); @@ -2216,7 +2217,8 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl) #endif MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, - MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, buf_len)); + MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, + buf, buf_len)); #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) { @@ -2460,7 +2462,8 @@ static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl) buf, buf + buf_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, - MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, buf_len)); + MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, + buf, buf_len)); } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) { ret = 0; } else { diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index f81979a7f5..db2e2e3fe2 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -323,8 +323,8 @@ int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl) verify_buffer_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, - MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, - buf, buf_len)); + MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, + buf, buf_len)); cleanup: @@ -754,7 +754,8 @@ int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(ssl_tls13_validate_certificate(ssl)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, - MBEDTLS_SSL_HS_CERTIFICATE, buf, buf_len)); + MBEDTLS_SSL_HS_CERTIFICATE, buf, + buf_len)); cleanup: #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ @@ -870,7 +871,8 @@ int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl) &msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, - MBEDTLS_SSL_HS_CERTIFICATE, buf, msg_len)); + MBEDTLS_SSL_HS_CERTIFICATE, buf, + msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len)); @@ -1072,7 +1074,8 @@ int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl) ssl, buf, buf + buf_len, &msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, - MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, msg_len)); + MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, + msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len)); @@ -1173,7 +1176,7 @@ int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_finished_message(ssl, buf, buf + buf_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, - MBEDTLS_SSL_HS_FINISHED, buf, buf_len)); + MBEDTLS_SSL_HS_FINISHED, buf, buf_len)); cleanup: @@ -1250,7 +1253,7 @@ int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl) ssl, buf, buf + buf_len, &msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl, - MBEDTLS_SSL_HS_FINISHED, buf, msg_len)); + MBEDTLS_SSL_HS_FINISHED, buf, msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len)); diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 047b97a658..6b1c4c5e6b 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2155,7 +2155,7 @@ static int ssl_tls13_write_server_hello(mbedtls_ssl_context *ssl) 0)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len)); + ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len)); @@ -2228,7 +2228,7 @@ static int ssl_tls13_write_hello_retry_request(mbedtls_ssl_context *ssl) &msg_len, 1)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len)); + ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len, @@ -2327,7 +2327,7 @@ static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl) ssl, buf, buf + buf_len, &msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len)); + ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len)); @@ -2460,7 +2460,7 @@ static int ssl_tls13_write_certificate_request(mbedtls_ssl_context *ssl) ssl, buf, buf + buf_len, &msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len)); + ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len)); From 626aaed213a52a4cebcdfcb813b8c69065e2d6d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 6 Feb 2023 22:03:06 +0100 Subject: [PATCH 196/250] Fix unused variable warnings in some builds MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found by depends.py MBEDTLS_SHA512_C In principle, the case where neither SHA-256 nor SHA-384 are available should never occur, as both TLS 1.2 and TLS 1.3 depend on one of those being defined. However for now dependencies for TLS 1.2 are not as tight as they should be; this will be fixed later and is tracked as #6441. Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_tls.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 55c6c3d3c7..4802732701 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -818,12 +818,16 @@ int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl) { +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \ + defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status; #else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; #endif +#else /* SHA-256 or SHA-384 */ ((void) ssl); +#endif /* SHA-256 or SHA-384 */ #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) status = psa_hash_abort(&ssl->handshake->fin_sha256_psa); @@ -864,11 +868,18 @@ int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl) static int ssl_update_checksum_start(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len) { +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \ + defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status; #else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; #endif +#else /* SHA-256 or SHA-384 */ + ((void) ssl); + (void) buf; + (void) len; +#endif /* SHA-256 or SHA-384 */ #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_USE_PSA_CRYPTO) status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len); @@ -894,12 +905,6 @@ static int ssl_update_checksum_start(mbedtls_ssl_context *ssl, return ret; } #endif -#endif -#if !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ - !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) - (void) ssl; - (void) buf; - (void) len; #endif return 0; } From 8e176f747c2278ef540d2863d2cfaec411dc4084 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 9 Feb 2023 10:33:54 +0100 Subject: [PATCH 197/250] Fix wrong return statement MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 4802732701..441089f164 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6623,8 +6623,8 @@ exit: exit: mbedtls_sha256_free(&sha256); + return ret; #endif /* MBEDTLS_USE_PSA_CRYPTO */ - return 0; } #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ From da7979bb91b9cd36a330ccd909f0c799c94f98fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 21 Feb 2023 09:31:10 +0100 Subject: [PATCH 198/250] Restore debug message removed by mistake MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also while at it, fix debug level for existing DEBUG_RET: errors should always be level 1. Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_tls13_generic.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index db2e2e3fe2..f607e364cc 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1392,7 +1392,7 @@ int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl) PSA_HASH_MAX_SIZE, &hash_len); if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(4, "mbedtls_ssl_get_handshake_transcript", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_get_handshake_transcript", ret); return ret; } @@ -1403,6 +1403,9 @@ int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl) hash_len += 4; + MBEDTLS_SSL_DEBUG_BUF(4, "Truncated handshake transcript", + hash_transcript, hash_len); + /* Reset running hash and replace it with a hash of the transcript */ ret = mbedtls_ssl_reset_checksum(ssl); if (ret != 0) { From 48c591cb5654937de75ac53c8760caafd4cd6ceb Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Mon, 13 Feb 2023 18:15:30 +0000 Subject: [PATCH 199/250] Fix warning with GCC 12 Fix warning about variable being used uninitialised. Signed-off-by: Paul Elliott --- tests/suites/test_suite_constant_time.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_constant_time.function b/tests/suites/test_suite_constant_time.function index 14dc8ae5cd..a2bf3967f5 100644 --- a/tests/suites/test_suite_constant_time.function +++ b/tests/suites/test_suite_constant_time.function @@ -18,7 +18,7 @@ /* BEGIN_CASE */ void mbedtls_ct_memcmp_null() { - uint32_t x; + uint32_t x = 0; TEST_ASSERT(mbedtls_ct_memcmp(&x, NULL, 0) == 0); TEST_ASSERT(mbedtls_ct_memcmp(NULL, &x, 0) == 0); TEST_ASSERT(mbedtls_ct_memcmp(NULL, NULL, 0) == 0); From a64c277588b070a93f88be3fcce68bbf2d986dc9 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Wed, 22 Feb 2023 09:30:20 +0800 Subject: [PATCH 200/250] compat.sh: Skip all *ECDH_* ciphersuites Signed-off-by: Pengyu Lv --- tests/compat.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index ae7c6829f8..c6653f8727 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -537,9 +537,10 @@ add_mbedtls_ciphersuites() # o_check_ciphersuite STANDARD_CIPHER_SUITE o_check_ciphersuite() { - if [ "${1#*ECDH_ECDSA*}" != "$1" ] && \ - [ "X${O_SUPPORT_ECDH}" = "XNO" ]; then - SKIP_NEXT="YES" + if [ "${O_SUPPORT_ECDH}" = "NO" ]; then + case "$1" in + *ECDH_*) SKIP_NEXT="YES" + esac fi } @@ -614,7 +615,7 @@ setup_arguments() case $($OPENSSL ciphers ALL) in *ECDH-ECDSA*) O_SUPPORT_ECDH="YES";; - *)O_SUPPORT_ECDH="NO";; + *) O_SUPPORT_ECDH="NO";; esac if [ "X$VERIFY" = "XYES" ]; From f01ac3af0ea35cdce95f577cf569e7684328642f Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Wed, 22 Feb 2023 10:07:16 +0800 Subject: [PATCH 201/250] Remove explicit ECDH exclusion for Travis CI Signed-off-by: Pengyu Lv --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 54df776060..39b742d414 100644 --- a/.travis.yml +++ b/.travis.yml @@ -53,7 +53,7 @@ jobs: - tests/scripts/test_psa_constant_names.py - tests/ssl-opt.sh # Modern OpenSSL does not support fixed ECDH or null ciphers. - - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH_' + - tests/compat.sh -p OpenSSL -e 'NULL' - tests/scripts/travis-log-failure.sh # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it. - tests/compat.sh -p GnuTLS -e 'CAMELLIA' From 4d786a732bbff893d1ce6abf8b30c6d5fecf3588 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 22 Feb 2023 11:01:07 +0800 Subject: [PATCH 202/250] Fix regression issue for clang workaround. Signed-off-by: Jerry Yu --- library/sha256.c | 17 +++++------------ library/sha512.c | 8 +++++--- 2 files changed, 10 insertions(+), 15 deletions(-) diff --git a/library/sha256.c b/library/sha256.c index 8c2e6f9e07..d18f228487 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -29,24 +29,17 @@ * The intrinsic declaration are guarded with ACLE predefined macros in clang, * and those macros are only enabled with command line. Define the macros can * enable those declaration and avoid compile error on it. + * + * `arm_neon.h` might be included in any head files. On the top of this file, we + * can guarantee this workaround always work. */ #define __ARM_FEATURE_CRYPTO 1 -#pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) -#define MBEDTLS_POP_TARGET_PRAGMA +#define NEED_TARGET_OPTIONS #endif /* __aarch64__ && __clang__ && !__ARM_FEATURE_CRYPTO && __clang_major__ < 18 && __clang_major__ > 3 */ #include "common.h" -#if defined(MBEDTLS_POP_TARGET_PRAGMA) && \ - !(defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)) -#if defined(__clang__) -#pragma clang attribute pop -#endif -#undef MBEDTLS_POP_TARGET_PRAGMA -#endif - #if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C) #include "mbedtls/sha256.h" @@ -61,7 +54,7 @@ # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) /* *INDENT-OFF* */ -# if !defined(__ARM_FEATURE_CRYPTO) +# if !defined(__ARM_FEATURE_CRYPTO) || defined(NEED_TARGET_OPTIONS) # if defined(__clang__) # if __clang_major__ < 4 # error "A more recent Clang is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*" diff --git a/library/sha512.c b/library/sha512.c index 26b46318d3..919cf20410 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -30,10 +30,12 @@ * The intrinsic declaration are guarded with ACLE predefined macros in clang, * and those macros are only enabled with command line. Define the macros can * enable those declaration and avoid compile error on it. + * + * `arm_neon.h` might be included in any head files. On the top of this file, we + * can guarantee this workaround always work. */ #define __ARM_FEATURE_SHA512 1 -#pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) -#define MBEDTLS_POP_TARGET_PRAGMA +#define NEED_TARGET_OPTIONS #endif /* __aarch64__ && __clang__ && !__ARM_FEATURE_SHA512 && __clang_major__ < 18 && __clang_major__ >= 13 && __clang_minor__ > 0 && @@ -84,7 +86,7 @@ * Clang == 13.0.0 same as clang 12 (only seen on macOS) * Clang >= 13.0.1 has __ARM_FEATURE_SHA512 and intrinsics */ -# if !defined(__ARM_FEATURE_SHA512) +# if !defined(__ARM_FEATURE_SHA512) || defined(NEED_TARGET_OPTIONS) /* Test Clang first, as it defines __GNUC__ */ # if defined(__clang__) # if __clang_major__ < 7 From 07d5085fcfd11ff460342268437838b64e336727 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Wed, 22 Feb 2023 12:17:26 +0800 Subject: [PATCH 203/250] Skip ECDH ciphersuites for O->m pair The mechanism of detecting unsupported ciphersuites for OpenSSL client doesn't work on a modern OpenSSL. At least, it fails on Travis CI which is installed with OpenSSL 1.1.1f. So we need to skip ECDH cipher- suites for O->m. Signed-off-by: Pengyu Lv --- tests/compat.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/compat.sh b/tests/compat.sh index c6653f8727..5ad48b2e8e 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -1058,6 +1058,7 @@ for MODE in $MODES; do start_server "mbedTLS" translate_ciphers o $O_CIPHERS for i in $ciphers; do + o_check_ciphersuite "${i%%=*}" run_client OpenSSL ${i%%=*} ${i#*=} done stop_server From 3304c204bab34d823da7f125d233c1f3ab3388da Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 22 Feb 2023 14:37:11 +0800 Subject: [PATCH 204/250] Improve readabilities - Add more comments - Adjust setkey_enc Signed-off-by: Jerry Yu --- library/aesce.c | 49 +++++++++++++++++++++++++++++-------------------- 1 file changed, 29 insertions(+), 20 deletions(-) diff --git a/library/aesce.c b/library/aesce.c index b4ebdadc0a..64811227c7 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -82,6 +82,8 @@ static uint8x16_t aesce_encrypt_block(uint8x16_t block, block = vaeseq_u8(block, vld1q_u8(keys + (rounds -1) * 16)); /* Final round: no MixColumns */ + + /* Final AddRoundKey */ block = veorq_u8(block, vld1q_u8(keys + rounds * 16)); return block; @@ -183,40 +185,47 @@ static void aesce_setkey_enc(unsigned char *rk, const unsigned char *key, const size_t key_bit_length) { - uint32_t *rki; - uint32_t *rko; - uint32_t *rk_u32 = (uint32_t *) rk; + const uint32_t key_len_in_words = key_bit_length / 32; - const uint32_t key_len_in_bytes = key_bit_length / 8; + const size_t round_key_len_in_words = 4; static uint8_t const rcon[] = { 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36 }; - const uint32_t rounds = - key_bit_length == 128 ? sizeof(rcon) : key_bit_length == 192 ? 8 : 7; + /* Require max(key_len_in_words, round_key_len_len_in_words) + 7 */ + const size_t round_keys_needed = key_len_in_words + 7; + const size_t key_expansion_size_in_words = + round_keys_needed * round_key_len_in_words; + const uint32_t *rko_end = (uint32_t *) rk + key_expansion_size_in_words; - memcpy(rk, key, key_len_in_bytes); + memcpy(rk, key, key_len_in_words * 4); - for (size_t i = 0; i < rounds; i++) { - rki = rk_u32 + i * key_len_in_words; + for (uint32_t *rki = (uint32_t *) rk; + rki + key_len_in_words < rko_end; + rki += key_len_in_words) { + + size_t iteration = (rki- (uint32_t *) rk)/key_len_in_words; + uint32_t *rko; rko = rki + key_len_in_words; rko[0] = aes_rot_word(aes_sub_word(rki[key_len_in_words - 1])); - rko[0] ^= rcon[i] ^ rki[0]; + rko[0] ^= rcon[iteration] ^ rki[0]; rko[1] = rko[0] ^ rki[1]; rko[2] = rko[1] ^ rki[2]; rko[3] = rko[2] ^ rki[3]; + if (rko+key_len_in_words > rko_end) { + /* Do not write overflow words.*/ + continue; + } switch (key_bit_length) { + case 128: + break; case 192: - if (i < 7) { - rko[4] = rko[3] ^ rki[4]; - rko[5] = rko[4] ^ rki[5]; - } + rko[4] = rko[3] ^ rki[4]; + rko[5] = rko[4] ^ rki[5]; break; case 256: - if (i < 6) { - rko[4] = aes_sub_word(rko[3]) ^ rki[4]; - rko[5] = rko[4] ^ rki[5]; - rko[6] = rko[5] ^ rki[6]; - rko[7] = rko[6] ^ rki[7]; - } + rko[4] = aes_sub_word(rko[3]) ^ rki[4]; + rko[5] = rko[4] ^ rki[5]; + rko[6] = rko[5] ^ rki[6]; + rko[7] = rko[6] ^ rki[7]; break; } } From 63e33dd175471af9d7d5e39df1d95addca162b65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 21 Feb 2023 15:45:15 +0100 Subject: [PATCH 205/250] Fix unchecked return value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_tls13_client.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 8dea1c47a2..0dd762ef39 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2262,8 +2262,8 @@ static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl) ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, &buf, &buf_len)); - mbedtls_ssl_add_hs_hdr_to_checksum( - ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum( + ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0)); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0)); From 59200a22aa4b7c32559affb41ab89f3c0c573e93 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 21 Feb 2023 15:07:40 +0000 Subject: [PATCH 206/250] Improve psa_wipe_output_buffer Change name and document to ensure suitability only for "tags" is explicit. Add support for output size of zero in PSA_SUCCESS case. Signed-off-by: Paul Elliott --- library/psa_crypto.c | 49 +++++++++++++++++++++++++------------------- 1 file changed, 28 insertions(+), 21 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 3ec9273de9..fa6991e9fd 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -2684,34 +2684,41 @@ static psa_status_t psa_sign_verify_check_alg(int input_is_message, } /** - * \brief Fill the unused part of the output buffer (the - * whole buffer on error, the trailing part on - * success) with something that isn't a valid - * signature (barring an attack on the signature - * and deliberately-crafted input), in case the - * caller doesn't check the return status properly. + * \brief For output buffers which contain "tags" + * (outputs that may be checked for validity like + * Hashes, MACs and signatures), fill the unused + * part of the output buffer (the whole buffer on + * error, the trailing part on success) with + * something that isn't a valid tag (barring an + * attack on the tag and deliberately-crafted + * input), in case the caller doesn't check the + * return status properly. * * \param output_buffer pointer to buffer to wipe. May not be NULL * unless \p output_buffer_size is zero. * \param status status of function called to generate * output_buffer originally * \param output_buffer_size Size of output buffer. If zero, \p output_buffer - * could be NULL + * could be NULL. * \param output_buffer_length Length of data written to output_buffer, must be * less than \p output_buffer_size */ -static void psa_wipe_output_buffer(uint8_t *output_buffer, psa_status_t status, - size_t output_buffer_size, size_t output_buffer_length) +static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t status, + size_t output_buffer_size, size_t output_buffer_length) { - if (status == PSA_SUCCESS) { - memset(output_buffer + output_buffer_length, '!', - output_buffer_size - output_buffer_length); - } else if (output_buffer_size > 0) { - memset(output_buffer, '!', output_buffer_size); + size_t offset = 0; + + if (output_buffer_size == 0) { + /* If output_buffer_size is 0 then we have nothing to do. We must not + call memset because output_buffer may be NULL in this case */ + return; } - /* If output_buffer_size is 0 then we have nothing to do. We must - * not call memset because output_buffer may be NULL in this - * case.*/ + + if (status == PSA_SUCCESS) { + offset = output_buffer_length; + } + + memset(output_buffer + offset, '!', output_buffer_size - offset); } static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key, @@ -2776,8 +2783,8 @@ static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key, exit: - psa_wipe_output_buffer(signature, status, signature_size, - *signature_length); + psa_wipe_tag_output_buffer(signature, status, signature_size, + *signature_length); unlock_status = psa_unlock_key_slot(slot); @@ -3293,8 +3300,8 @@ psa_status_t psa_sign_hash_complete( exit: - psa_wipe_output_buffer(signature, status, signature_size, - *signature_length); + psa_wipe_tag_output_buffer(signature, status, signature_size, + *signature_length); if (status != PSA_OPERATION_INCOMPLETE) { if (status != PSA_SUCCESS) { From b1176f2583407bb80838f8760e0824eae50cc0fb Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 22 Feb 2023 22:07:28 +0100 Subject: [PATCH 207/250] Allow alternative names for overridden PSA headers Integrators of Mbed TLS may override the header files "psa/crypto_platform.h" and "psa/crypto_struct.h" by overwriting the files or by placing alternative versions earlier in the include file search path. These two methods are sometimes inconvenient, so allow a third method which doesn't require overwriting files or having a precise order for the include path: integrators can now specify alternative names for the headers. Signed-off-by: Gilles Peskine --- ChangeLog.d/psa-alt-headers.txt | 4 +++ include/mbedtls/mbedtls_config.h | 47 ++++++++++++++++++++++++++++++++ include/psa/crypto.h | 8 ++++++ include/psa/crypto_types.h | 4 +++ 4 files changed, 63 insertions(+) create mode 100644 ChangeLog.d/psa-alt-headers.txt diff --git a/ChangeLog.d/psa-alt-headers.txt b/ChangeLog.d/psa-alt-headers.txt new file mode 100644 index 0000000000..95556290a5 --- /dev/null +++ b/ChangeLog.d/psa-alt-headers.txt @@ -0,0 +1,4 @@ +Features + * The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and + MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for + the headers "psa/crypto_platform.h" and "psa/crypto_struct.h". diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 9ae51c964a..f596417ffa 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3537,6 +3537,53 @@ */ //#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" +/** + * \def MBEDTLS_PSA_CRYPTO_PLATFORM_FILE + * + * If defined, this is a header which will be included instead of + * `"psa/crypto_platform.h"`. This file should declare the same identifiers + * as the one in Mbed TLS, but with definitions adapted to the platform on + * which the library code will run. + * + * \note The required content of this header can vary from one version of + * Mbed TLS to the next. Integrators who provide an alternative file + * should review the changes in the original file whenever they + * upgrade Mbed TLS. + * + * This macro is expanded after an \#include directive. This is a popular but + * non-standard feature of the C language, so this feature is only available + * with compilers that perform macro expansion on an \#include line. + * + * The value of this symbol is typically a path in double quotes, either + * absolute or relative to a directory on the include search path. + */ +//#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h" + +/** + * \def MBEDTLS_PSA_CRYPTO_STRUCT_FILE + * + * If defined, this is a header which will be included instead of + * `"psa/crypto_struct.h"`. This file should declare the same identifiers + * as the one in Mbed TLS, but with definitions adapted to the environment + * in which the library code will run. The typical use for this feature + * is to provide alternative type definitions on the client side in + * client-server integrations of PSA crypto, where operation structures + * contain handles instead of cryptographic data. + * + * \note The required content of this header can vary from one version of + * Mbed TLS to the next. Integrators who provide an alternative file + * should review the changes in the original file whenever they + * upgrade Mbed TLS. + * + * This macro is expanded after an \#include directive. This is a popular but + * non-standard feature of the C language, so this feature is only available + * with compilers that perform macro expansion on an \#include line. + * + * The value of this symbol is typically a path in double quotes, either + * absolute or relative to a directory on the include search path. + */ +//#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h" + /** \} name SECTION: General configuration options */ /** diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 80bf5c9690..bd544224d4 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -22,7 +22,11 @@ #ifndef PSA_CRYPTO_H #define PSA_CRYPTO_H +#if defined(MBEDTLS_PSA_CRYPTO_PLATFORM_FILE) +#include MBEDTLS_PSA_CRYPTO_PLATFORM_FILE +#else #include "crypto_platform.h" +#endif #include @@ -4677,7 +4681,11 @@ psa_status_t psa_verify_hash_abort( /* The file "crypto_struct.h" contains definitions for * implementation-specific structs that are declared above. */ +#if defined(MBEDTLS_PSA_CRYPTO_STRUCT_FILE) +#include MBEDTLS_PSA_CRYPTO_STRUCT_FILE +#else #include "crypto_struct.h" +#endif /* The file "crypto_extra.h" contains vendor-specific definitions. This * can include vendor-defined algorithms, extra functions, etc. */ diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 95bf32fd98..dd4d4fca3d 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -34,7 +34,11 @@ #define PSA_CRYPTO_TYPES_H #include "mbedtls/private_access.h" +#if defined(MBEDTLS_PSA_CRYPTO_PLATFORM_FILE) +#include MBEDTLS_PSA_CRYPTO_PLATFORM_FILE +#else #include "crypto_platform.h" +#endif /* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT * is defined as well to include all PSA code. From fac5a54f8ad5ae52ea10f22b86faa1ffea9db4ef Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 23 Feb 2023 10:13:40 +0800 Subject: [PATCH 208/250] fix code style issues Signed-off-by: Jerry Yu --- library/aesce.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/aesce.c b/library/aesce.c index 64811227c7..356d0a3af1 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -193,7 +193,7 @@ static void aesce_setkey_enc(unsigned char *rk, /* Require max(key_len_in_words, round_key_len_len_in_words) + 7 */ const size_t round_keys_needed = key_len_in_words + 7; const size_t key_expansion_size_in_words = - round_keys_needed * round_key_len_in_words; + round_keys_needed * round_key_len_in_words; const uint32_t *rko_end = (uint32_t *) rk + key_expansion_size_in_words; memcpy(rk, key, key_len_in_words * 4); @@ -202,7 +202,7 @@ static void aesce_setkey_enc(unsigned char *rk, rki + key_len_in_words < rko_end; rki += key_len_in_words) { - size_t iteration = (rki- (uint32_t *) rk)/key_len_in_words; + size_t iteration = (rki - (uint32_t *) rk) / key_len_in_words; uint32_t *rko; rko = rki + key_len_in_words; rko[0] = aes_rot_word(aes_sub_word(rki[key_len_in_words - 1])); @@ -210,7 +210,7 @@ static void aesce_setkey_enc(unsigned char *rk, rko[1] = rko[0] ^ rki[1]; rko[2] = rko[1] ^ rki[2]; rko[3] = rko[2] ^ rki[3]; - if (rko+key_len_in_words > rko_end) { + if (rko + key_len_in_words > rko_end) { /* Do not write overflow words.*/ continue; } From 947bf969e0b40e11b187c92557672bc07064975f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 23 Feb 2023 11:07:57 +0800 Subject: [PATCH 209/250] Improve readability of expansion size Signed-off-by: Jerry Yu --- library/aesce.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/library/aesce.c b/library/aesce.c index 356d0a3af1..e47665a50c 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -185,15 +185,17 @@ static void aesce_setkey_enc(unsigned char *rk, const unsigned char *key, const size_t key_bit_length) { - - const uint32_t key_len_in_words = key_bit_length / 32; - const size_t round_key_len_in_words = 4; static uint8_t const rcon[] = { 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36 }; - /* Require max(key_len_in_words, round_key_len_len_in_words) + 7 */ - const size_t round_keys_needed = key_len_in_words + 7; + /* See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf + * - Section 5, Nr = Nk + 6 + * - Section 5.2, the key expansion size is Nb*(Nr+1) + */ + const uint32_t key_len_in_words = key_bit_length / 32; /* Nk */ + const size_t round_key_len_in_words = 4; /* Nb */ + const size_t round_keys_needed = key_len_in_words + 6; /* Nr */ const size_t key_expansion_size_in_words = - round_keys_needed * round_key_len_in_words; + round_key_len_in_words * (round_keys_needed + 1); /* Nb*(Nr+1) */ const uint32_t *rko_end = (uint32_t *) rk + key_expansion_size_in_words; memcpy(rk, key, key_len_in_words * 4); From 9e7bb2a92c4db6ebabedac470dcf5fc9048a8e7c Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 23 Feb 2023 15:24:47 +0800 Subject: [PATCH 210/250] Update some comments Signed-off-by: Pengyu Lv --- .travis.yml | 2 +- tests/compat.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index 39b742d414..1062d9906d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -52,7 +52,7 @@ jobs: - programs/test/selftest - tests/scripts/test_psa_constant_names.py - tests/ssl-opt.sh - # Modern OpenSSL does not support fixed ECDH or null ciphers. + # Modern OpenSSL does not support null ciphers. - tests/compat.sh -p OpenSSL -e 'NULL' - tests/scripts/travis-log-failure.sh # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it. diff --git a/tests/compat.sh b/tests/compat.sh index 5ad48b2e8e..12613bfe8a 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -614,7 +614,7 @@ setup_arguments() esac case $($OPENSSL ciphers ALL) in - *ECDH-ECDSA*) O_SUPPORT_ECDH="YES";; + *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";; *) O_SUPPORT_ECDH="NO";; esac @@ -834,7 +834,7 @@ run_client() { if [ $EXIT -eq 0 ]; then RESULT=0 else - # If the cipher isn't supported... + # If it is NULL cipher ... if grep 'Cipher is (NONE)' $CLI_OUT >/dev/null; then RESULT=1 else From 4348a83bc8070ef30ae91976d5a3c37ee20ab0f1 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 23 Feb 2023 13:03:30 +0100 Subject: [PATCH 211/250] Further documentation improvements Signed-off-by: Gilles Peskine --- doxygen/mbedtls.doxyfile | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 1077f86dbd..aa8eb4192c 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -28,17 +28,17 @@ DOT_GRAPH_MAX_NODES = 200 MAX_DOT_GRAPH_DEPTH = 1000 DOT_TRANSPARENT = YES -# Doxygen accepts empty descriptions for commands such as \retval, -# but clang -Wdocumentation doesn't (since Clang 15, for \retval). +# We mostly \retval declarations to document which error codes a function +# can return. The reader can follow the hyperlink to the definition of the +# constant to get the generic documentation of that error code. If we don't +# have anything to say about the specific error code for the specific +# function, we can leave the description part of the \retval command blank. +# This is perfectly valid as far as Doxygen is concerned. However, with +# Clang >=15, the -Wdocumentation option emits a warning for empty +# descriptions. # https://github.com/Mbed-TLS/mbedtls/issues/6960 # https://github.com/llvm/llvm-project/issues/60315 -# We often use \retval declarations with just a constant name to -# document which error codes a function can return. If the documentation -# of the error code is enough to explain the error, then an empty -# description on the \retval statement is ok. However, the source code -# of the description needs to be made non-empty to pacify Clang. -# In such cases, you can write something like +# As a workaround, you can write something like # \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription -# This does not change the documentation generated by Doxygen, but -# it pacifies clang -Wdocumentation. +# This avoids writing redundant text and keeps Clang happy. ALIASES += emptydescription="" From 2fb4e1439755084b23e07d999dcdb3131034829e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 23 Feb 2023 13:37:54 +0100 Subject: [PATCH 212/250] Words. Use them! Signed-off-by: Gilles Peskine --- doxygen/mbedtls.doxyfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index aa8eb4192c..c33c7e362e 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -28,7 +28,7 @@ DOT_GRAPH_MAX_NODES = 200 MAX_DOT_GRAPH_DEPTH = 1000 DOT_TRANSPARENT = YES -# We mostly \retval declarations to document which error codes a function +# We mostly use \retval declarations to document which error codes a function # can return. The reader can follow the hyperlink to the definition of the # constant to get the generic documentation of that error code. If we don't # have anything to say about the specific error code for the specific From df6e84a4471e257d6db13986db592c959886ea01 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 22 Feb 2023 22:09:51 +0100 Subject: [PATCH 213/250] Test the PSA alternative header configuration macros Test that MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and MBEDTLS_PSA_CRYPTO_STRUCT_FILE can be set to files in a directory that comes after the standard directory in the include file search path. Signed-off-by: Gilles Peskine --- programs/.gitignore | 1 + programs/Makefile | 5 ++++ programs/test/CMakeLists.txt | 1 + programs/test/query_included_headers.c | 41 ++++++++++++++++++++++++++ tests/.gitignore | 2 ++ tests/Makefile | 5 ++++ tests/include/alt-extra/psa/crypto.h | 7 +++++ tests/scripts/all.sh | 21 +++++++++++++ 8 files changed, 83 insertions(+) create mode 100644 programs/test/query_included_headers.c create mode 100644 tests/include/alt-extra/psa/crypto.h diff --git a/programs/.gitignore b/programs/.gitignore index 44e904a954..398152dcbc 100644 --- a/programs/.gitignore +++ b/programs/.gitignore @@ -64,6 +64,7 @@ test/cpp_dummy_build.cpp test/dlopen test/ecp-bench test/query_compile_time_config +test/query_included_headers test/selftest test/ssl_cert_test test/udp_proxy diff --git a/programs/Makefile b/programs/Makefile index fdfece72ac..3509fc374d 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -123,6 +123,7 @@ APPS = \ ssl/ssl_server2 \ test/benchmark \ test/query_compile_time_config \ + test/query_included_headers \ test/selftest \ test/udp_proxy \ test/zeroize \ @@ -403,6 +404,10 @@ test/query_config.o: test/query_config.c test/query_config.h $(DEP) echo " CC test/query_config.c" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -c test/query_config.c -o $@ +test/query_included_headers$(EXEXT): test/query_included_headers.c $(DEP) + echo " CC test/query_included_headers.c" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/query_included_headers.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + test/selftest$(EXEXT): test/selftest.c $(DEP) echo " CC test/selftest.c" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/selftest.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt index c3e7d2e98e..735684ebf6 100644 --- a/programs/test/CMakeLists.txt +++ b/programs/test/CMakeLists.txt @@ -3,6 +3,7 @@ set(libs ) set(executables_libs + query_included_headers selftest udp_proxy ) diff --git a/programs/test/query_included_headers.c b/programs/test/query_included_headers.c new file mode 100644 index 0000000000..383a2ffc8e --- /dev/null +++ b/programs/test/query_included_headers.c @@ -0,0 +1,41 @@ +/* Ad hoc report on included headers. */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include + +int main(void) +{ + + /* Which PSA platform header? */ +#if defined(PSA_CRYPTO_PLATFORM_H) + mbedtls_printf("PSA_CRYPTO_PLATFORM_H\n"); +#endif +#if defined(PSA_CRYPTO_PLATFORM_ALT_H) + mbedtls_printf("PSA_CRYPTO_PLATFORM_ALT_H\n"); +#endif + + /* Which PSA struct header? */ +#if defined(PSA_CRYPTO_STRUCT_H) + mbedtls_printf("PSA_CRYPTO_STRUCT_H\n"); +#endif +#if defined(PSA_CRYPTO_STRUCT_ALT_H) + mbedtls_printf("PSA_CRYPTO_STRUCT_ALT_H\n"); +#endif + +} diff --git a/tests/.gitignore b/tests/.gitignore index 15fce6888b..b85d66aa46 100644 --- a/tests/.gitignore +++ b/tests/.gitignore @@ -13,6 +13,8 @@ data_files/hmac_drbg_seed data_files/ctr_drbg_seed data_files/entropy_seed +include/alt-extra/psa/crypto_platform_alt.h +include/alt-extra/psa/crypto_struct_alt.h include/test/instrument_record_status.h src/*.o diff --git a/tests/Makefile b/tests/Makefile index c9283c984f..26947f4b99 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -219,6 +219,7 @@ ifndef WINDOWS rm -rf $(BINARIES) *.c *.datax rm -f src/*.o src/drivers/*.o src/libmbed* rm -f include/test/instrument_record_status.h + rm -f include/alt-extra/*/*_alt.h rm -rf libtestdriver1 rm -f ../library/libtestdriver1.a else @@ -244,6 +245,10 @@ check: $(BINARIES) test: check +# Generate variants of some headers for testing +include/alt-extra/%_alt.h: ../include/%.h + perl -p -e 's/^(# *(define|ifndef) +\w+_)H\b/$${1}ALT_H/' $< >$@ + # Generate test library # Perl code that is executed to transform each original line from a library diff --git a/tests/include/alt-extra/psa/crypto.h b/tests/include/alt-extra/psa/crypto.h new file mode 100644 index 0000000000..005f3aeea0 --- /dev/null +++ b/tests/include/alt-extra/psa/crypto.h @@ -0,0 +1,7 @@ +/* The goal of the include/alt-extra directory is to test what happens + * if certain files come _after_ the normal include directory. + * Make sure that if the alt-extra directory comes before the normal + * directory (so we wouldn't be achieving our test objective), the build + * will fail. + */ +#error "The normal include directory must come first in the include path" diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7d91fa27d3..a851d0e7b6 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3258,6 +3258,27 @@ component_build_psa_config_file () { rm -f psa_test_config.h psa_user_config.h } +component_build_psa_alt_headers () { + msg "build: make with PSA alt headers" # ~20s + + # Generate alternative versions of the substitutable headers with the + # same content except different include guards. + make -C tests include/alt-extra/psa/crypto_platform_alt.h include/alt-extra/psa/crypto_struct_alt.h + + # Build the library and some programs. + # Don't build the fuzzers to avoid having to go through hoops to set + # a correct include path for programs/fuzz/Makefile. + make CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" lib + make -C programs -o fuzz CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" + + # Check that we're getting the alternative include guards and not the + # original include guards. + programs/test/query_included_headers | grep -x PSA_CRYPTO_PLATFORM_ALT_H + programs/test/query_included_headers | grep -x PSA_CRYPTO_STRUCT_ALT_H + programs/test/query_included_headers | not grep -x PSA_CRYPTO_PLATFORM_H + programs/test/query_included_headers | not grep -x PSA_CRYPTO_STRUCT_H +} + component_test_m32_o0 () { # Build without optimization, so as to use portable C code (in a 32-bit # build) and not the i386-specific inline assembly. From 361b5f992ff215af199b7922088fad2ab8907cd9 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 22 Feb 2023 22:15:18 +0100 Subject: [PATCH 214/250] Make sure the configuration is always included Before, if psa/crypto_platform.h was overridden and the override didn't include "mbedtls/build_info.h", it was possible to end up with parts of the headers not taking the library configuration into account, if no mbedtls header was included before "psa/crypto.h". Make sure that the mbedtls configuration is visible from the start, no matter what is or is not in the platform header. Signed-off-by: Gilles Peskine --- include/psa/crypto_types.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index dd4d4fca3d..5e2e334a1e 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -32,6 +32,10 @@ #ifndef PSA_CRYPTO_TYPES_H #define PSA_CRYPTO_TYPES_H + +/* Make sure the Mbed TLS configuration is visible. */ +#include "mbedtls/build_info.h" +/* Define the MBEDTLS_PRIVATE macro. */ #include "mbedtls/private_access.h" #if defined(MBEDTLS_PSA_CRYPTO_PLATFORM_FILE) From 95c915201e76a9bac790722bedf12fe0c3c07948 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 22 Feb 2023 22:20:24 +0100 Subject: [PATCH 215/250] Move the implication of MBEDTLS_PSA_CRYPTO_CLIENT where it belongs If MBEDTLS_PSA_CRYPTO_C is enabled, we always enable MBEDTLS_PSA_CRYPTO_CLIENT, since the client-side functions are part of the full PSA crypto feature set. Historically, we didn't have a good place for configuration modification, so we did this early in the crypto.h include tree. Since Mbed TLS 3.0, we have mbedtls/build_info.h for that. Addresses https://github.com/Mbed-TLS/mbedtls/issues/7144 . Signed-off-by: Gilles Peskine --- include/mbedtls/build_info.h | 7 +++++++ include/psa/crypto_types.h | 7 ------- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index bbfd5d48df..2edf015197 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -80,6 +80,13 @@ #include MBEDTLS_USER_CONFIG_FILE #endif +/* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT + * is defined as well to include all PSA code. + */ +#if defined(MBEDTLS_PSA_CRYPTO_C) +#define MBEDTLS_PSA_CRYPTO_CLIENT +#endif /* MBEDTLS_PSA_CRYPTO_C */ + /* The PK wrappers need pk_write functions to format RSA key objects * when they are dispatching to the PSA API. This happens under USE_PSA_CRYPTO, * and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext(). diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 5e2e334a1e..a5154fcd6b 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -44,13 +44,6 @@ #include "crypto_platform.h" #endif -/* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT - * is defined as well to include all PSA code. - */ -#if defined(MBEDTLS_PSA_CRYPTO_C) -#define MBEDTLS_PSA_CRYPTO_CLIENT -#endif /* MBEDTLS_PSA_CRYPTO_C */ - #include /** \defgroup error Error codes From ba1e78f1c206d1fabc21394c0fffbda9896f028d Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 24 Feb 2023 11:18:16 +0800 Subject: [PATCH 216/250] fix code style and comment issues Signed-off-by: Jerry Yu --- library/aesce.c | 9 +++++---- library/aesce.h | 1 - 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/library/aesce.c b/library/aesce.c index e47665a50c..ee0c8e12cf 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -60,7 +60,7 @@ int mbedtls_aesce_has_support(void) return (auxval & (HWCAP_ASIMD | HWCAP_AES)) == (HWCAP_ASIMD | HWCAP_AES); #else - /* Suppose aes instructions are supported. */ + /* Assume AES instructions are supported. */ return 1; #endif } @@ -143,7 +143,6 @@ int mbedtls_aesce_crypt_ecb(mbedtls_aes_context *ctx, return 0; } - /* * Compute decryption round keys from encryption round keys */ @@ -244,8 +243,10 @@ int mbedtls_aesce_setkey_enc(unsigned char *rk, case 128: case 192: case 256: - aesce_setkey_enc(rk, key, bits); break; - default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; + aesce_setkey_enc(rk, key, bits); + break; + default: + return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; } return 0; diff --git a/library/aesce.h b/library/aesce.h index 0d6d09e507..1e72e5ba46 100644 --- a/library/aesce.h +++ b/library/aesce.h @@ -64,7 +64,6 @@ int mbedtls_aesce_crypt_ecb(mbedtls_aes_context *ctx, const unsigned char input[16], unsigned char output[16]); - /** * \brief Internal round key inversion. This function computes * decryption round keys from the encryption round keys. From aa18c4bf9627204dc0629d9d3fa5e694c2474cba Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 24 Feb 2023 11:18:41 +0800 Subject: [PATCH 217/250] Add comments about travis test. Signed-off-by: Jerry Yu --- .travis.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index 3d735bb5c7..2e9bdb4ede 100644 --- a/.travis.yml +++ b/.travis.yml @@ -89,7 +89,9 @@ jobs: packages: - gcc script: - # See above + # Do a manual build+test sequence rather than using all.sh, because + # there's no all.sh component that does what we want. We should set + # CFLAGS for arm64 host CC. - scripts/config.py full - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY @@ -115,7 +117,9 @@ jobs: - clang - gnutls-bin script: - # See above + # Do a manual build+test sequence rather than using all.sh, because + # there's no all.sh component that does what we want. We should set + # CFLAGS for arm64 host CC. - scripts/config.py full - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY @@ -128,7 +132,6 @@ jobs: - tests/scripts/travis-log-failure.sh - tests/context-info.sh - after_failure: - tests/scripts/travis-log-failure.sh From c66deda4c59d23e07f9e8d850d980021190b0c45 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 24 Feb 2023 11:42:07 +0800 Subject: [PATCH 218/250] Add explanation for aesce limitation Signed-off-by: Jerry Yu --- include/mbedtls/mbedtls_config.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index cba133c4f6..774fc948a1 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2079,6 +2079,10 @@ * of \c -march=armv8-a+crypto . * * \warning `MBEDTLS_SHA512_USE_A64_CRYPTO_*` should be disabled when enabled + * because unexpected instruction will be generated in AESCE module. + * `MBEDTLS_SHA512_USE_A64_CRYPTO_*` requires \c -march=armv8.2-a+sha3, + * compiler optimizes the code with `eor3` that is part of sha3 + * extension and unexpected in AESCE. * * \warning Runtime detection only works on linux. For non-linux operation * system, crypto extension MUST be supported by CPU. From 86f30ff626655fa9c7fa6dec62b74ca9ea4359a1 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 24 Feb 2023 07:44:57 -0500 Subject: [PATCH 219/250] Reduce the default MBEDTLS_ECP_WINDOW_SIZE value to 2 As tested in https://github.com/Mbed-TLS/mbedtls/issues/6790, after introducing side-channel counter-measures to bignum, the performance of RSA decryption in correlation to the MBEDTLS_ECP_WINDOW_SIZE has changed. The default value of 2 has been chosen as it provides best or close-to-best results for tests on Cortex-M4 and Intel i7. Signed-off-by: Andrzej Kurek --- ChangeLog.d/mpi-window-perf | 7 +++++++ include/mbedtls/bignum.h | 4 ++-- include/mbedtls/mbedtls_config.h | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) create mode 100644 ChangeLog.d/mpi-window-perf diff --git a/ChangeLog.d/mpi-window-perf b/ChangeLog.d/mpi-window-perf new file mode 100644 index 0000000000..0f75d6af1e --- /dev/null +++ b/ChangeLog.d/mpi-window-perf @@ -0,0 +1,7 @@ +Changes + * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2. + As tested in issue 6790, the correlation between this define and + RSA decryption performance has changed lately due to security fixes. + To fix the performance degradation when using default values the + window was reduced from 6 to 2, a value that gives the best or close + to best results when tested on Cortex-M4 and Intel i7. diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h index e8fb2de4bd..b1d4b88ba5 100644 --- a/include/mbedtls/bignum.h +++ b/include/mbedtls/bignum.h @@ -63,7 +63,7 @@ #if !defined(MBEDTLS_MPI_WINDOW_SIZE) /* - * Maximum window size used for modular exponentiation. Default: 6 + * Maximum window size used for modular exponentiation. Default: 2 * Minimum value: 1. Maximum value: 6. * * Result is an array of ( 2 ** MBEDTLS_MPI_WINDOW_SIZE ) MPIs used @@ -71,7 +71,7 @@ * * Reduction in size, reduces speed. */ -#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum window size used. */ +#define MBEDTLS_MPI_WINDOW_SIZE 2 /**< Maximum window size used. */ #endif /* !MBEDTLS_MPI_WINDOW_SIZE */ #if !defined(MBEDTLS_MPI_MAX_SIZE) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 9ae51c964a..b874995f4c 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3559,7 +3559,7 @@ * comment in the specific module. */ /* MPI / BIGNUM options */ -//#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum window size used. */ +//#define MBEDTLS_MPI_WINDOW_SIZE 2 /**< Maximum window size used. */ //#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */ /* CTR_DRBG options */ From 248971348b36d0dc5473499f19981ee51f877de0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bence=20Sz=C3=A9pk=C3=BAti?= Date: Thu, 19 Jan 2023 20:57:44 +0100 Subject: [PATCH 220/250] Replace fuzzer-generated PKCS7 regression tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit adds well-formed reproducers for the memory management issues fixed in the following commits: 290f01b3f54a16045be201699becda8f500eebd5 e7f8c616d0b9388fd20ffd6c9730ea8188f27716 f7641544eafeaf0c71d109fbbec1d9f8aa2e74d8 Signed-off-by: Bence Szépkúti --- tests/data_files/Makefile | 12 ++++++++++++ ...info_set-leak-fuzz_pkcs7-4541044530479104.der | Bin 108 -> 0 bytes ...-missing_free-fuzz_pkcs7-6213931373035520.der | Bin 108 -> 0 bytes ...Info_1_serial_invalid_tag_after_long_name.der | Bin 0 -> 810 bytes .../pkcs7_signerInfo_2_invalid_tag.der | Bin 0 -> 1185 bytes tests/suites/test_suite_pkcs7.data | 12 ++++++------ 6 files changed, 18 insertions(+), 6 deletions(-) delete mode 100644 tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der delete mode 100644 tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der create mode 100644 tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der create mode 100644 tests/data_files/pkcs7_signerInfo_2_invalid_tag.der diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 622a28977c..a7517bf781 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1369,6 +1369,18 @@ pkcs7_data_signed_badsigner.der: pkcs7_data_cert_signed_sha256.der echo -en '\xa1' | dd of=$@ bs=1 seek=918 conv=notrunc all_final += pkcs7_data_signed_badsigner.der +# pkcs7 signature file with invalid tag in signerInfo[1].serial after long issuer name +pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der: pkcs7_data_multiple_signed.der + cp $< $@ + echo -en '\xa1' | dd of=$@ bs=1 seek=498 conv=notrunc +all_final += pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der + +# pkcs7 signature file with invalid tag in signerInfo[2] +pkcs7_signerInfo_2_invalid_tag.der: pkcs7_data_3_signed.der + cp $< $@ + echo -en '\xa1' | dd of=$@ bs=1 seek=810 conv=notrunc +all_final += pkcs7_signerInfo_2_invalid_tag.der + # pkcs7 file with version 2 pkcs7_data_cert_signed_v2.der: pkcs7_data_cert_signed_sha256.der cp pkcs7_data_cert_signed_sha256.der $@ diff --git a/tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der b/tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der deleted file mode 100644 index 51aef0d0929043a6c080846758c96bf08a945216..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 108 zcmXrWVq#=8FQ)N1o+`_9YA&S+?7APZDrz-_=`$Y#L8#=yhC l!~mq36ch}Y*cezCVA3LnLJ(;XDFadhBo)BmKZH_H004ib3yc5& diff --git a/tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der b/tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der deleted file mode 100644 index ce4fb3bd49fdaf0ccd10069af549eb55ec9554fe..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 108 zcmXrWVq#=8FQ)N1o+`_9YA&S>avAPZDrz-_=`$Y#L8#=y+L V!~mq36ch}Y*cezC2uLd+0|0Qt3R(aF diff --git a/tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der b/tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der new file mode 100644 index 0000000000000000000000000000000000000000..fe5539006c9ec85d67bb841a63c2767a643c1179 GIT binary patch literal 810 zcmXqLVpe10)N1o+`_9YA&a|M3S=^wBS(u5D(U9MOmyI)_&4V$OnT3gwmBD};p^(wA ziRqm|6Js$@p@ENqi6OTECmVAp3!5;LpN}D*0S}17#lsrl?Hp`wC~6=K;xqH`fcXl} zsYN9UhD;*W_wHVD@ws^RUyS1l0iDk6_w{o2qgx7e1JrelKsT^7F)~EIxluUv;JyD7 z4*5(}n;p9OL*^c(7^56RAF05K{C^@R4EFhXAGg_McCxH|i(`iR?3Z#i_iH3AvK~n! z70wl2yx{+b23t4Iq)%s8n2WTu8wDM{&g#2E#7>(-%0lcd2g|8|nd{=;ys(YYF>l^D zqubl<&XlL2?F-poiMs7qy41y4pQ`1Mc1JT+Z9?XH{lK!_Jugq?3jRzF|6s)OJ*>dA z{Q}n&mCBq+f2v;Rd%76ToOjD$CZB(JakAc}h<{9F>83Mp<)1S>yS7|y!EPp>wKKCj z9-N-h>hn5=JMXy1&7bG8a;})ScCXnXlGvrL|9Oe%u?O|G8)meZ|9#UEHGO}rfbIp# zg57ALNSJS^gX;Roc}4}5n~L~8@P4lOT|+q7SrTU4iPxU_c#qz-6y18R#P_QY##kIr zHr{jQ-8-{c{$9~{SGiufEP22YUvi1{cFwg3#x2dhuO0V4g zu_IChH$WOk=G!d%3Z2+p)Uqhct5budx5I zF#Y(RLe6#1uRokH`*O?gKZ%q3{w$U0oP1n%vv@JT*z@OQZBDcuZZyRM%7_+Yxjn=Du9|G|F06a(g4FRyN7+$p#GY3%KPB8-6r r>DM<%X>nA3=!og`YCpfN$G7gqganVqbvtX6E`BzDKgo_cDun?6%%4K* literal 0 HcmV?d00001 diff --git a/tests/data_files/pkcs7_signerInfo_2_invalid_tag.der b/tests/data_files/pkcs7_signerInfo_2_invalid_tag.der new file mode 100644 index 0000000000000000000000000000000000000000..3a4287426c1758419224ca36729255bee68c32c5 GIT binary patch literal 1185 zcmXqLVwuavsnzDu_MMlJooPW6OP@g#OBWL(qanWmFB@k(-%0lcd2g|8|nd{=;ys(YYF>l^D zqubl<&XlL2?F-poiMs7qy41y4pQ`1Mc1JT+Z9?XH{lK!_Jugq?3jRzF|6s)OJ*>dA z{Q}n&mCBq+f2v;Rd%76ToOjD$CZB(JakAc}h<{9F>83Mp<)1S>yS7|y!EPp>wKKCj z9-N-h>hn5=JMXy1&7bG8a;})ScCXnXlGvrL|9Oe%u?O|G8)meZ|9#UEHGO}rfbIp# zg58KoB+NI|L3MrPJfnijO+|bkct6+tt|1)kED1C2#B0xdyhra^if%nu;``MHV=Rs* z8}B*u?w#2zf3N7fD_%vaIjTI-{Lp5UVS9UF^?o(orfvIvS^J4Jm}m9W+tk)+rC09$ z*p#%Ywf4m!E}?CU&h`1$8{Uv^Xk1bi{OewV&VC<6HM)LV`!*x}7yj7eAZ7pJc}zmBO%)qSS88B$DJ_G^2E0 zA4_4^(`33vX}Q9+54o_a4zHC=QW;J zd&MqqdMTrq_`<+u@%6WhE9-A;j#;j~(OYzpci8TNJHj5WsSS++|6{lIgneJ&9LE0m zaM15BUjx}b&EUU$*2%JVf1&xidO4%B4U4z07TS^{Hc3Ifw_JRCmyPQ+%P3*4?uZtd zJ(_&}jkS-L{1ba~q5PEbf>o-IOwZJ(g|6UUvF=U#gy>DnLn62DIl9pJ(@c}eTjc+I fv$?)_;^SxE8>XCc(P Date: Tue, 21 Feb 2023 14:19:23 +0000 Subject: [PATCH 221/250] Remove driver entry points for {get|set}_max_ops(). Move the global variable to the PSA layer, and just set that when calling PSA level functions. Move the internal ecp set to before each ecp call. Signed-off-by: Paul Elliott --- include/psa/crypto.h | 3 ++ library/psa_crypto.c | 34 +++++++------------ library/psa_crypto_driver_wrappers.h | 4 --- .../psa_crypto_driver_wrappers.c.jinja | 18 ---------- 4 files changed, 15 insertions(+), 44 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 80bf5c9690..48c45dfa31 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4217,6 +4217,9 @@ uint32_t psa_interruptible_get_max_ops(void); * \c psa_sign_hash_interruptible_abort() on * the operation, a value of 0 will be returned. * + * \note This interface is guaranteed re-entrant and + * thus may be called from driver code. + * * \warning This is a beta API, and thus subject to change * at any point. It is not bound by the usual * interface stability promises. diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 3ec9273de9..8e2cecc68b 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3153,17 +3153,18 @@ exit: /* Asymmetric interruptible cryptography */ /****************************************************************/ +static uint32_t psa_interruptible_max_ops = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; + void psa_interruptible_set_max_ops(uint32_t max_ops) { - psa_driver_wrapper_interruptible_set_max_ops(max_ops); + psa_interruptible_max_ops = max_ops; } uint32_t psa_interruptible_get_max_ops(void) { - return psa_driver_wrapper_interruptible_get_max_ops(); + return psa_interruptible_max_ops; } - uint32_t psa_sign_hash_get_num_ops( const psa_sign_hash_interruptible_operation_t *operation) { @@ -3458,12 +3459,8 @@ psa_status_t psa_verify_hash_abort( /* implementations */ /****************************************************************/ -static uint32_t mbedtls_psa_interruptible_max_ops = - PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; - void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops) { - mbedtls_psa_interruptible_max_ops = max_ops; #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ @@ -3476,16 +3473,13 @@ void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops) } mbedtls_ecp_set_max_ops(max_ops); +#else + (void) max_ops; #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && * defined( MBEDTLS_ECP_RESTARTABLE ) */ } -uint32_t mbedtls_psa_interruptible_get_max_ops(void) -{ - return mbedtls_psa_interruptible_max_ops; -} - uint32_t mbedtls_psa_sign_hash_get_num_ops( const mbedtls_psa_sign_hash_interruptible_operation_t *operation) { @@ -3544,11 +3538,6 @@ psa_status_t mbedtls_psa_sign_hash_start( /* Ensure num_ops is zero'ed in case of context re-use. */ operation->num_ops = 0; - /* Ensure default is set even if - * mbedtls_psa_interruptible_set_max_ops() has not been called. */ - mbedtls_psa_interruptible_set_max_ops( - mbedtls_psa_interruptible_get_max_ops()); - status = mbedtls_psa_ecp_load_representation(attributes->core.type, attributes->core.bits, key_buffer, @@ -3613,6 +3602,9 @@ psa_status_t mbedtls_psa_sign_hash_complete( mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); + /* Ensure max_ops is set to the current value (or default). */ + mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops()); + if (signature_size < 2 * operation->coordinate_bytes) { status = PSA_ERROR_BUFFER_TOO_SMALL; goto exit; @@ -3764,11 +3756,6 @@ psa_status_t mbedtls_psa_verify_hash_start( /* Ensure num_ops is zero'ed in case of context re-use. */ operation->num_ops = 0; - /* Ensure default is set even if - * mbedtls_psa_interruptible_set_max_ops() has not been called. */ - mbedtls_psa_interruptible_set_max_ops( - mbedtls_psa_interruptible_get_max_ops()); - status = mbedtls_psa_ecp_load_representation(attributes->core.type, attributes->core.bits, key_buffer, @@ -3853,6 +3840,9 @@ psa_status_t mbedtls_psa_verify_hash_complete( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + /* Ensure max_ops is set to the current value (or default). */ + mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops()); + status = mbedtls_to_psa_error( mbedtls_ecdsa_verify_restartable(&operation->ctx->grp, operation->hash, diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index e3edec791e..b16750658f 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -70,10 +70,6 @@ psa_status_t psa_driver_wrapper_verify_hash( * Interruptible Signature functions */ -void psa_driver_wrapper_interruptible_set_max_ops(uint32_t max_ops); - -uint32_t psa_driver_wrapper_interruptible_get_max_ops(void); - uint32_t psa_driver_wrapper_sign_hash_get_num_ops( psa_sign_hash_interruptible_operation_t *operation); diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index b35e726a0c..e1a20784c3 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -433,24 +433,6 @@ psa_status_t psa_driver_wrapper_verify_hash( } } -void psa_driver_wrapper_interruptible_set_max_ops( uint32_t max_ops ) -{ - /* TODO - dispatch to drivers dynamically registered for this - * service when registering is implemented. For now, fall - * through to internal implementation. */ - - mbedtls_psa_interruptible_set_max_ops( max_ops ); -} - -uint32_t psa_driver_wrapper_interruptible_get_max_ops( void ) -{ - /* TODO - dispatch to drivers dynamically registered for this - * service when registering is implemented. For now, fall - * through to internal implementation. */ - - return mbedtls_psa_interruptible_get_max_ops( ); -} - uint32_t psa_driver_wrapper_sign_hash_get_num_ops( psa_sign_hash_interruptible_operation_t *operation ) { From 7bc24cc512518a2d21a652a19caee835c4228820 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 24 Feb 2023 18:04:16 +0000 Subject: [PATCH 222/250] Fix typos in documentation. Signed-off-by: Paul Elliott --- library/psa_crypto.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index fa6991e9fd..9dddb8f88f 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -2686,7 +2686,7 @@ static psa_status_t psa_sign_verify_check_alg(int input_is_message, /** * \brief For output buffers which contain "tags" * (outputs that may be checked for validity like - * Hashes, MACs and signatures), fill the unused + * hashes, MACs and signatures), fill the unused * part of the output buffer (the whole buffer on * error, the trailing part on success) with * something that isn't a valid tag (barring an @@ -2694,9 +2694,9 @@ static psa_status_t psa_sign_verify_check_alg(int input_is_message, * input), in case the caller doesn't check the * return status properly. * - * \param output_buffer pointer to buffer to wipe. May not be NULL + * \param output_buffer Pointer to buffer to wipe. May not be NULL * unless \p output_buffer_size is zero. - * \param status status of function called to generate + * \param status Status of function called to generate * output_buffer originally * \param output_buffer_size Size of output buffer. If zero, \p output_buffer * could be NULL. From dc42ca8a7eb8774bb58b0669766b732556eec36c Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 24 Feb 2023 18:11:59 +0000 Subject: [PATCH 223/250] Use psa_wipe_tag_buffer() for MAC and aead code. Signed-off-by: Paul Elliott --- library/psa_crypto.c | 95 ++++++++++++++++++++------------------------ 1 file changed, 43 insertions(+), 52 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 9dddb8f88f..9cc2aa924f 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -322,6 +322,43 @@ psa_status_t mbedtls_to_psa_error(int ret) } } +/** + * \brief For output buffers which contain "tags" + * (outputs that may be checked for validity like + * hashes, MACs and signatures), fill the unused + * part of the output buffer (the whole buffer on + * error, the trailing part on success) with + * something that isn't a valid tag (barring an + * attack on the tag and deliberately-crafted + * input), in case the caller doesn't check the + * return status properly. + * + * \param output_buffer Pointer to buffer to wipe. May not be NULL + * unless \p output_buffer_size is zero. + * \param status Status of function called to generate + * output_buffer originally + * \param output_buffer_size Size of output buffer. If zero, \p output_buffer + * could be NULL. + * \param output_buffer_length Length of data written to output_buffer, must be + * less than \p output_buffer_size + */ +static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t status, + size_t output_buffer_size, size_t output_buffer_length) { + size_t offset = 0; + + if (output_buffer_size == 0) { + /* If output_buffer_size is 0 then we have nothing to do. We must not + call memset because output_buffer may be NULL in this case */ + return; + } + + if (status == PSA_SUCCESS) { + offset = output_buffer_length; + } + + memset(output_buffer + offset, '!', output_buffer_size - offset); +} + @@ -2504,10 +2541,7 @@ exit: operation->mac_size = 0; } - if (mac_size > operation->mac_size) { - memset(&mac[operation->mac_size], '!', - mac_size - operation->mac_size); - } + psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length); abort_status = psa_mac_abort(operation); @@ -2601,9 +2635,8 @@ exit: *mac_length = mac_size; operation_mac_size = 0; } - if (mac_size > operation_mac_size) { - memset(&mac[operation_mac_size], '!', mac_size - operation_mac_size); - } + + psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length); unlock_status = psa_unlock_key_slot(slot); @@ -2683,44 +2716,6 @@ static psa_status_t psa_sign_verify_check_alg(int input_is_message, return PSA_SUCCESS; } -/** - * \brief For output buffers which contain "tags" - * (outputs that may be checked for validity like - * hashes, MACs and signatures), fill the unused - * part of the output buffer (the whole buffer on - * error, the trailing part on success) with - * something that isn't a valid tag (barring an - * attack on the tag and deliberately-crafted - * input), in case the caller doesn't check the - * return status properly. - * - * \param output_buffer Pointer to buffer to wipe. May not be NULL - * unless \p output_buffer_size is zero. - * \param status Status of function called to generate - * output_buffer originally - * \param output_buffer_size Size of output buffer. If zero, \p output_buffer - * could be NULL. - * \param output_buffer_length Length of data written to output_buffer, must be - * less than \p output_buffer_size - */ -static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t status, - size_t output_buffer_size, size_t output_buffer_length) -{ - size_t offset = 0; - - if (output_buffer_size == 0) { - /* If output_buffer_size is 0 then we have nothing to do. We must not - call memset because output_buffer may be NULL in this case */ - return; - } - - if (status == PSA_SUCCESS) { - offset = output_buffer_length; - } - - memset(output_buffer + offset, '!', output_buffer_size - offset); -} - static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key, int input_is_message, psa_algorithm_t alg, @@ -4917,18 +4912,14 @@ psa_status_t psa_aead_finish(psa_aead_operation_t *operation, tag, tag_size, tag_length); exit: + + /* In case the operation fails and the user fails to check for failure or * the zero tag size, make sure the tag is set to something implausible. * Even if the operation succeeds, make sure we clear the rest of the * buffer to prevent potential leakage of anything previously placed in * the same buffer.*/ - if (tag != NULL) { - if (status != PSA_SUCCESS) { - memset(tag, '!', tag_size); - } else if (*tag_length < tag_size) { - memset(tag + *tag_length, '!', (tag_size - *tag_length)); - } - } + psa_wipe_tag_output_buffer(tag, status, tag_size, *tag_length); psa_aead_abort(operation); From 7118d17df148cbf2d67ea8f90ccef4feaa6e5e45 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Sun, 26 Feb 2023 16:57:05 +0000 Subject: [PATCH 224/250] Pacify code style checker Signed-off-by: Paul Elliott --- library/psa_crypto.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 9cc2aa924f..f5bd65b036 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -343,7 +343,8 @@ psa_status_t mbedtls_to_psa_error(int ret) * less than \p output_buffer_size */ static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t status, - size_t output_buffer_size, size_t output_buffer_length) { + size_t output_buffer_size, size_t output_buffer_length) +{ size_t offset = 0; if (output_buffer_size == 0) { From c7f6882995ac0df0a82a6ee694ee219682e255a9 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 24 Feb 2023 17:37:04 +0000 Subject: [PATCH 225/250] Add comments to each test case to show intent Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 104 ++++++++++++++++++++ 1 file changed, 104 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 20e43c6ac7..884295828f 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6473,6 +6473,24 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +/** + * sign_hash_interruptible() test intentions: + * + * Note: This test can currently only handle ECDSA. + * + * 1. Test interruptible sign hash with known outcomes (deterministic ECDSA + * only). + * + * 2. Test the number of calls to psa_sign_hash_complete() required are as + * expected for different max_ops values. + * + * 3. Test that the number of ops done prior to start and after abort is zero + * and that each successful stage completes some ops (this is not mandated by + * the PSA specification, but is currently the case). + * + * 4. Test that calling psa_sign_hash_get_num_ops() multiple times between + * complete() calls does not alter the number of ops returned. + */ void sign_hash_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data, data_t *output_data, int max_ops_arg) @@ -6629,6 +6647,22 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +/** + * sign_hash_fail_interruptible() test intentions: + * + * Note: This test can currently only handle ECDSA. + * + * 1. Test that various failure cases for interruptible sign hash fail with the + * correct error codes, and at the correct point (at start or during + * complete). + * + * 2. Test the number of calls to psa_sign_hash_complete() required are as + * expected for different max_ops values. + * + * 3. Test that the number of ops done prior to start and after abort is zero + * and that each successful stage completes some ops (this is not mandated by + * the PSA specification, but is currently the case). + */ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data, int signature_size_arg, @@ -6816,6 +6850,21 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +/** + * sign_verify_hash_interruptible() test intentions: + * + * Note: This test can currently only handle ECDSA. + * + * 1. Test that we can sign an input hash with the given key and then afterwards + * verify that signature. This is currently the only way to test non + * deterministic ECDSA, but this test can also handle deterministic. + * + * 2. Test that after corrupting the hash, the verification detects an invalid + * signature. + * + * 3. Test the number of calls to psa_sign_hash_complete() required are as + * expected for different max_ops values. + */ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data, int max_ops_arg) @@ -6979,6 +7028,21 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +/** + * verify_hash_interruptible() test intentions: + * + * Note: This test can currently only handle ECDSA. + * + * 1. Test interruptible verify hash with known outcomes (deterministic ECDSA + * only). + * + * 2. Test the number of calls to psa_verify_hash_complete() required are as + * expected for different max_ops values. + * + * 3. Test that the number of ops done prior to start and after abort is zero + * and that each successful stage completes some ops (this is not mandated by + * the PSA specification, but is currently the case). + */ void verify_hash_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *hash_data, data_t *signature_data, int max_ops_arg) @@ -7104,6 +7168,22 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +/** + * verify_hash_fail_interruptible() test intentions: + * + * Note: This test can currently only handle ECDSA. + * + * 1. Test that various failure cases for interruptible verify hash fail with + * the correct error codes, and at the correct point (at start or during + * complete). + * + * 2. Test the number of calls to psa_verify_hash_complete() required are as + * expected for different max_ops values. + * + * 3. Test that the number of ops done prior to start and after abort is zero + * and that each successful stage completes some ops (this is not mandated by + * the PSA specification, but is currently the case). + */ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *hash_data, data_t *signature_data, @@ -7207,6 +7287,14 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +/** + * interruptible_signverify_hash_state_test() test intentions: + * + * Note: This test can currently only handle ECDSA. + * + * 1. Test that calling the various interruptible sign and verify hash functions + * in incorrect orders returns BAD_STATE errors. + */ void interruptible_signverify_hash_state_test(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data) { @@ -7354,6 +7442,14 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +/** + * interruptible_signverify_hash_negative_tests() test intentions: + * + * Note: This test can currently only handle ECDSA. + * + * 1. Test various edge cases in the interruptible sign and verify hash + * interfaces. + */ void interruptible_signverify_hash_negative_tests(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data) { @@ -7505,6 +7601,14 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ +/** + * interruptible_signverify_hash_maxops_tests() test intentions: + * + * Note: This test can currently only handle ECDSA. + * + * 1. Test that setting max ops is reflected in both interruptible sign and + * verify hash + */ void interruptible_signverify_hash_maxops_tests(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data) { From c2033502f5c2eaf1a6d9db9ab02cba366572ffca Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Sun, 26 Feb 2023 17:09:14 +0000 Subject: [PATCH 226/250] Give edge case tests a better name Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 4 ++-- tests/suites/test_suite_psa_crypto.function | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 697cdd7b7e..bbeef601cb 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4557,9 +4557,9 @@ PSA sign/vrfy hash int state test: randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 interruptible_signverify_hash_state_test:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" -PSA sign/vrfy hash int neg tests: randomized ECDSA SECP256R1 SHA-256 +PSA sign/vrfy hash int edge case tests: randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -interruptible_signverify_hash_negative_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" +interruptible_signverify_hash_edgecase_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" PSA sign/vrfy hash int max ops tests: randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 884295828f..994bd6b544 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -7443,14 +7443,14 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ /** - * interruptible_signverify_hash_negative_tests() test intentions: + * interruptible_signverify_hash_edgecase_tests() test intentions: * * Note: This test can currently only handle ECDSA. * * 1. Test various edge cases in the interruptible sign and verify hash * interfaces. */ -void interruptible_signverify_hash_negative_tests(int key_type_arg, +void interruptible_signverify_hash_edgecase_tests(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; From fc2e128fc9a858d04fd6dc8624fd07ef5f04f6b7 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 27 Feb 2023 11:16:56 +0800 Subject: [PATCH 227/250] Fix grammar issues and remove useless code Signed-off-by: Jerry Yu --- library/sha256.c | 11 ++++++----- library/sha512.c | 20 ++++++-------------- 2 files changed, 12 insertions(+), 19 deletions(-) diff --git a/library/sha256.c b/library/sha256.c index d18f228487..23cd406c37 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -26,12 +26,13 @@ defined(__clang__) && __clang_major__ < 18 && __clang_major__ > 3 /* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged. * - * The intrinsic declaration are guarded with ACLE predefined macros in clang, - * and those macros are only enabled with command line. Define the macros can - * enable those declaration and avoid compile error on it. + * The intrinsic declaration are guarded by predefined ACLE macros in clang: + * these are normally only enabled by the -march option on the command line. + * By defining the macros ourselves we gain access to those declarations without + * requiring -march on the command line. * - * `arm_neon.h` might be included in any head files. On the top of this file, we - * can guarantee this workaround always work. + * `arm_neon.h` could be included by any header file, so we put these defines + * at the top of this file, before any includes. */ #define __ARM_FEATURE_CRYPTO 1 #define NEED_TARGET_OPTIONS diff --git a/library/sha512.c b/library/sha512.c index 919cf20410..bc92a8de21 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -27,12 +27,13 @@ __clang_major__ >= 13 && __clang_minor__ > 0 && __clang_patchlevel__ > 0 /* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged. * - * The intrinsic declaration are guarded with ACLE predefined macros in clang, - * and those macros are only enabled with command line. Define the macros can - * enable those declaration and avoid compile error on it. + * The intrinsic declaration are guarded by predefined ACLE macros in clang: + * these are normally only enabled by the -march option on the command line. + * By defining the macros ourselves we gain access to those declarations without + * requiring -march on the command line. * - * `arm_neon.h` might be included in any head files. On the top of this file, we - * can guarantee this workaround always work. + * `arm_neon.h` could be included by any header file, so we put these defines + * at the top of this file, before any includes. */ #define __ARM_FEATURE_SHA512 1 #define NEED_TARGET_OPTIONS @@ -43,15 +44,6 @@ #include "common.h" -#if defined(MBEDTLS_POP_TARGET_PRAGMA) && \ - !(defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)) -#if defined(__clang__) -#pragma clang attribute pop -#endif -#undef MBEDTLS_POP_TARGET_PRAGMA -#endif - #if defined(MBEDTLS_SHA512_C) || defined(MBEDTLS_SHA384_C) #include "mbedtls/sha512.h" From 10c0f770ce5388234b4f5d9ff8ab910804e27219 Mon Sep 17 00:00:00 2001 From: oberon-sk Date: Mon, 13 Feb 2023 13:42:02 +0100 Subject: [PATCH 228/250] asymmetric_encrypt: check output length only if return code is PSA_SUCCESS. Signed-off-by: Stephan Koch --- tests/suites/test_suite_psa_crypto.function | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 20e43c6ac7..4304811ae5 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -7853,7 +7853,9 @@ void asymmetric_encrypt(int key_type_arg, output, output_size, &output_length); TEST_EQUAL(actual_status, expected_status); - TEST_EQUAL(output_length, expected_output_length); + if (actual_status == PSA_SUCCESS) { + TEST_EQUAL(output_length, expected_output_length); + } /* If the label is empty, the test framework puts a non-null pointer * in label->x. Test that a null pointer works as well. */ @@ -7868,7 +7870,9 @@ void asymmetric_encrypt(int key_type_arg, output, output_size, &output_length); TEST_EQUAL(actual_status, expected_status); - TEST_EQUAL(output_length, expected_output_length); + if (actual_status == PSA_SUCCESS) { + TEST_EQUAL(output_length, expected_output_length); + } } exit: From 5819d2c14156cf155a2247ac3fc074d48ab604fe Mon Sep 17 00:00:00 2001 From: Stephan Koch Date: Wed, 22 Feb 2023 13:39:21 +0100 Subject: [PATCH 229/250] Feedback from Arm: guarantee that output_length <= output_size even on error, to reduce the risk that a missing error check escalates into a buffer overflow in the application code Signed-off-by: Stephan Koch --- tests/suites/test_suite_psa_crypto.function | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 4304811ae5..8f0ea253c6 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -7855,6 +7855,8 @@ void asymmetric_encrypt(int key_type_arg, TEST_EQUAL(actual_status, expected_status); if (actual_status == PSA_SUCCESS) { TEST_EQUAL(output_length, expected_output_length); + } else { + TEST_LE_U(output_length, output_size); } /* If the label is empty, the test framework puts a non-null pointer @@ -7872,6 +7874,8 @@ void asymmetric_encrypt(int key_type_arg, TEST_EQUAL(actual_status, expected_status); if (actual_status == PSA_SUCCESS) { TEST_EQUAL(output_length, expected_output_length); + } else { + TEST_LE_U(output_length, output_size); } } From cd7e8bce030b39807eba1cbde33fc31dc9b55ddb Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Mon, 27 Feb 2023 12:21:36 +0000 Subject: [PATCH 230/250] Change max_ops=min tests to use zero Zero is the minimum value defined by the spec, just because the internal implementation treats zero and one as the same thing does not mean that other implementations will also do so. Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 28 ++++++++++++------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 697cdd7b7e..17984c80c1 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4151,7 +4151,7 @@ sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab454 PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":1 +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":0 PSA sign hash int (ops=inf) det ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 @@ -4159,7 +4159,7 @@ sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 -sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":1 +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":0 PSA sign hash int (ops=inf): det ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 @@ -4167,7 +4167,7 @@ sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8 PSA sign hash int (ops=min): det ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 -sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":1 +sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":0 PSA sign hash: RSA PKCS#1 v1.5 SHA-256, wrong hash size depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C @@ -4239,7 +4239,7 @@ sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):" PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-256, out buf too small depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:0 PSA sign hash int (ops=inf): det ECDSA SECP256R1 SHA-256, empty out buf depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 @@ -4247,7 +4247,7 @@ sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):" PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-256, empty out buf depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:0 PSA sign hash int (ops=inf): det ECDSA SECP256R1, invld hash alg (0) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 @@ -4255,7 +4255,7 @@ sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):" PSA sign hash int (ops=min): det ECDSA SECP256R1, invld hash alg (0) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:1 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:0 PSA sign hash int: det ECDSA SECP256R1, invld hash alg (wildcard) depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 @@ -4275,7 +4275,7 @@ sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):" PSA sign hash int (ops=min): det ECDSA not supported depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 -sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:1 +sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:0 PSA sign/verify hash: RSA PKCS#1 v1.5, raw depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C @@ -4323,7 +4323,7 @@ sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) PSA sign/vrfy hash int (ops=min): rand ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0 PSA sign/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 @@ -4331,7 +4331,7 @@ sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) PSA sign/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0 PSA sign/vrfy hash int (ops=inf): rand ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA @@ -4339,7 +4339,7 @@ sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) PSA sign/vrfy hash int (ops=min): rand ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":0 PSA sign/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA @@ -4347,7 +4347,7 @@ sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) PSA sign/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-384 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":0 PSA sign/vrfy hash int (ops=inf): rand ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 @@ -4355,7 +4355,7 @@ sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) PSA sign/vrfy hash int (ops=min): rand ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0 PSA sign/vrfy hash int (ops=inf): det ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 @@ -4363,7 +4363,7 @@ sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) PSA sign/vrfy hash int (ops=min): det ECDSA SECP384R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384 -sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1 +sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0 PSA verify hash: RSA PKCS#1 v1.5 SHA-256, good signature depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C @@ -4531,7 +4531,7 @@ verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R PSA vrfy hash int (ops=min): ECDSA SECP256R1, wrong sig of correct size depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:1 +verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:0 PSA vrfy hash int: ECDSA SECP256R1, wrong sig (empty) depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 From 15d7d43904ec0f247621224bb1fed0a61e76a72d Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Mon, 27 Feb 2023 17:17:56 +0000 Subject: [PATCH 231/250] Pacify Clang 15 Changes for interruptible {sign|verify} hash were not merged at the time of the previous clang 15 /retval fixes, thus this fixes code added at that time. Signed-off-by: Paul Elliott --- include/psa/crypto.h | 90 +++++++++++++++++++-------------------- library/psa_crypto_core.h | 16 +++---- 2 files changed, 53 insertions(+), 53 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 5394eeef52..8dd89fa99a 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -4310,23 +4310,23 @@ uint32_t psa_verify_hash_get_num_ops( * The operation started successfully - call \c psa_sign_hash_complete() * with the same context to complete the operation * - * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription * \retval #PSA_ERROR_NOT_PERMITTED * The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does * not permit the requested algorithm. * \retval #PSA_ERROR_BAD_STATE * An operation has previously been started on this context, and is * still in progress. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -4408,19 +4408,19 @@ psa_status_t psa_sign_hash_start( * An operation was not previously started on this context via * \c psa_sign_hash_start(). * - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has either not been previously initialized by - * psa_crypto_init() or you did not previously call + * psa_crypto_init() or you did not previously call * psa_sign_hash_start() with this operation object. It is * implementation-dependent whether a failure to initialize results in * this error code. @@ -4461,7 +4461,7 @@ psa_status_t psa_sign_hash_complete( * \retval #PSA_SUCCESS * The operation was aborted successfully. * - * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -4530,15 +4530,15 @@ psa_status_t psa_sign_hash_abort( * The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does * not permit the requested algorithm. * - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval PSA_ERROR_DATA_CORRUPT - * \retval PSA_ERROR_DATA_INVALID + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval PSA_ERROR_DATA_INVALID \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize @@ -4597,23 +4597,23 @@ psa_status_t psa_verify_hash_start( * psa_interruptible_set_max_ops(). There is still work to be done. * Call this function again with the same operation object. * - * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription * \retval #PSA_ERROR_INVALID_SIGNATURE * The calculation was performed successfully, but the passed * signature is not a valid signature. - *\retval #PSA_ERROR_BAD_STATE + * \retval #PSA_ERROR_BAD_STATE * An operation was not previously started on this context via * \c psa_verify_hash_start(). - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_COMMUNICATION_FAILURE - * \retval #PSA_ERROR_HARDWARE_FAILURE - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_STORAGE_FAILURE - * \retval #PSA_ERROR_DATA_CORRUPT - * \retval #PSA_ERROR_DATA_INVALID - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has either not been previously initialized by * psa_crypto_init() or you did not previously call @@ -4655,7 +4655,7 @@ psa_status_t psa_verify_hash_complete( * \retval #PSA_SUCCESS * The operation was aborted successfully. * - * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription * \retval #PSA_ERROR_BAD_STATE * The library has not been previously initialized by psa_crypto_init(). * It is implementation-dependent whether a failure to initialize diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 4acd7aa248..5260cf7a7f 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -752,11 +752,11 @@ psa_status_t mbedtls_psa_sign_hash_start( * where \c key_type and \c key_bits are the type and bit-size * respectively of \p key. * - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY - * \retval #PSA_ERROR_CORRUPTION_DETECTED - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription */ psa_status_t mbedtls_psa_sign_hash_complete( mbedtls_psa_sign_hash_interruptible_operation_t *operation, @@ -849,9 +849,9 @@ psa_status_t mbedtls_psa_verify_hash_start( * The calculation was performed successfully, but the passed * signature is not a valid signature. * - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription */ psa_status_t mbedtls_psa_verify_hash_complete( mbedtls_psa_verify_hash_interruptible_operation_t *operation); From 608e1093de045e927f8af8fa261a0e33581edd34 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 28 Feb 2023 12:50:00 +0800 Subject: [PATCH 232/250] Improve comment about conflicts between aesce and sha512-crypto Signed-off-by: Jerry Yu --- include/mbedtls/mbedtls_config.h | 12 +++++++----- library/aesce.h | 2 +- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 774fc948a1..4f51d0a9f3 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2078,11 +2078,13 @@ * \note The code uses Neon intrinsics, so \c CFLAGS must be set to a minimum * of \c -march=armv8-a+crypto . * - * \warning `MBEDTLS_SHA512_USE_A64_CRYPTO_*` should be disabled when enabled - * because unexpected instruction will be generated in AESCE module. - * `MBEDTLS_SHA512_USE_A64_CRYPTO_*` requires \c -march=armv8.2-a+sha3, - * compiler optimizes the code with `eor3` that is part of sha3 - * extension and unexpected in AESCE. + * \warning If the target architecture is set to something that includes the + * SHA3 feature (e.g. `-march=armv8.2-a+sha3`), for example because + * `MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT` is desired, compilers + * generate code for `MBEDTLS_AESCE_C` that includes instructions + * only present with the (optional) SHA3 feature. This will lead to an + * undefined instruction exception if the code is run on a CPU without + * that feature. * * \warning Runtime detection only works on linux. For non-linux operation * system, crypto extension MUST be supported by CPU. diff --git a/library/aesce.h b/library/aesce.h index 1e72e5ba46..da42446997 100644 --- a/library/aesce.h +++ b/library/aesce.h @@ -31,7 +31,7 @@ #include "mbedtls/aes.h" -#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \ +#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \ defined(__aarch64__) && !defined(MBEDTLS_HAVE_ARM64) #define MBEDTLS_HAVE_ARM64 #endif From 4a2fff6369545191fd9e6ff82b4076c9aa1b0347 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bence=20Sz=C3=A9pk=C3=BAti?= Date: Tue, 28 Feb 2023 16:40:27 +0100 Subject: [PATCH 233/250] Fix expected error code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was overlooked during the rebase. Signed-off-by: Bence Szépkúti --- tests/suites/test_suite_pkcs7.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index 2a71e7a45e..da8146bc15 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data @@ -80,7 +80,7 @@ pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PK PKCS7 Signed Data Parse Fail Corrupt signerInfos[2] (6213931373035520) depends_on:MBEDTLS_SHA256_C -pkcs7_parse:"data_files/pkcs7_signerInfo_2_invalid_tag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) +pkcs7_parse:"data_files/pkcs7_signerInfo_2_invalid_tag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) PKCS7 Signed Data Parse Fail Corrupt signerInfos[1].issuerAndSerialNumber.serialNumber, after multi-element .name (4541044530479104) depends_on:MBEDTLS_SHA256_C From 35d674a6eec5da754519effca8239a3c852b4b41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bence=20Sz=C3=A9pk=C3=BAti?= Date: Tue, 28 Feb 2023 16:59:50 +0100 Subject: [PATCH 234/250] Replace usage of echo -e in pkcs7 data Makefile MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This use of the shell builtin is not portable. Signed-off-by: Bence Szépkúti --- tests/data_files/Makefile | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index a7517bf781..2029f4f1c8 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1272,7 +1272,7 @@ pkcs7_test_cert_3 = pkcs7-rsa-sha256-3.crt pkcs7_test_file = pkcs7_data.bin $(pkcs7_test_file): - echo -e "Hello\xd" > $@ + printf "Hello\15\n" > $@ all_final += $(pkcs7_test_file) pkcs7_zerolendata.bin: @@ -1280,7 +1280,7 @@ pkcs7_zerolendata.bin: all_final += pkcs7_zerolendata.bin pkcs7_data_1.bin: - echo -e "2\xd" > $@ + printf "2\15\n" > $@ all_final += pkcs7_data_1.bin # Generate signing cert @@ -1360,31 +1360,31 @@ all_final += pkcs7_data_multiple_certs_signed.der # pkcs7 signature file with corrupted CERT pkcs7_data_signed_badcert.der: pkcs7_data_cert_signed_sha256.der cp pkcs7_data_cert_signed_sha256.der $@ - echo -en '\xa1' | dd of=$@ bs=1 seek=547 conv=notrunc + echo 'a1' | xxd -r -p | dd of=$@ bs=1 seek=547 conv=notrunc all_final += pkcs7_data_signed_badcert.der # pkcs7 signature file with corrupted signer info pkcs7_data_signed_badsigner.der: pkcs7_data_cert_signed_sha256.der cp pkcs7_data_cert_signed_sha256.der $@ - echo -en '\xa1' | dd of=$@ bs=1 seek=918 conv=notrunc + echo 'a1' | xxd -r -p | dd of=$@ bs=1 seek=918 conv=notrunc all_final += pkcs7_data_signed_badsigner.der # pkcs7 signature file with invalid tag in signerInfo[1].serial after long issuer name pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der: pkcs7_data_multiple_signed.der cp $< $@ - echo -en '\xa1' | dd of=$@ bs=1 seek=498 conv=notrunc + echo 'a1' | xxd -r -p | dd of=$@ bs=1 seek=498 conv=notrunc all_final += pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der # pkcs7 signature file with invalid tag in signerInfo[2] pkcs7_signerInfo_2_invalid_tag.der: pkcs7_data_3_signed.der cp $< $@ - echo -en '\xa1' | dd of=$@ bs=1 seek=810 conv=notrunc + echo 'a1' | xxd -r -p | dd of=$@ bs=1 seek=810 conv=notrunc all_final += pkcs7_signerInfo_2_invalid_tag.der # pkcs7 file with version 2 pkcs7_data_cert_signed_v2.der: pkcs7_data_cert_signed_sha256.der cp pkcs7_data_cert_signed_sha256.der $@ - echo -en '\x02' | dd of=$@ bs=1 seek=25 conv=notrunc + echo '02' | xxd -r -p | dd of=$@ bs=1 seek=25 conv=notrunc all_final += pkcs7_data_cert_signed_v2.der pkcs7_data_cert_encrypted.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) @@ -1395,12 +1395,12 @@ all_final += pkcs7_data_cert_encrypted.der # For some interesting sizes, what happens if we make them off-by-one? pkcs7_signerInfo_issuer_invalid_size.der: pkcs7_data_cert_signed_sha256.der cp $< $@ - echo -en '\x35' | dd of=$@ seek=919 bs=1 conv=notrunc + echo '35' | xxd -r -p | dd of=$@ seek=919 bs=1 conv=notrunc all_final += pkcs7_signerInfo_issuer_invalid_size.der pkcs7_signerInfo_serial_invalid_size.der: pkcs7_data_cert_signed_sha256.der cp $< $@ - echo -en '\x15' | dd of=$@ seek=973 bs=1 conv=notrunc + echo '15' | xxd -r -p | dd of=$@ seek=973 bs=1 conv=notrunc all_final += pkcs7_signerInfo_serial_invalid_size.der # pkcs7 signature file just with signed data From 587e7808127221e4242016b2a925fbacdcc48174 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Mon, 27 Feb 2023 09:53:08 +0000 Subject: [PATCH 235/250] Test calling complete() after {sign|verify}_hash_start fails Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 28 +++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index ab39fba554..cbe0b19636 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6662,6 +6662,12 @@ exit: * 3. Test that the number of ops done prior to start and after abort is zero * and that each successful stage completes some ops (this is not mandated by * the PSA specification, but is currently the case). + * + * 4. Check that calling complete() when start() fails and complete() + * after completion results in a BAD_STATE error. + * + * 5. Check that calling start() again after start fails results in a BAD_STATE + * error. */ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data, @@ -6718,6 +6724,15 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, TEST_EQUAL(actual_status, expected_start_status); if (expected_start_status != PSA_SUCCESS) { + /* Emulate poor implementation, and call complete anyway, even though + * start failed. */ + actual_status = psa_sign_hash_complete(&operation, signature, + signature_size, + &signature_length); + + TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); + + /* Test that calling start again after failure also causes BAD_STATE. */ actual_status = psa_sign_hash_start(&operation, key, alg, input_data->x, input_data->len); @@ -7183,6 +7198,12 @@ exit: * 3. Test that the number of ops done prior to start and after abort is zero * and that each successful stage completes some ops (this is not mandated by * the PSA specification, but is currently the case). + * + * 4. Check that calling complete() when start() fails and complete() + * after completion results in a BAD_STATE error. + * + * 5. Check that calling start() again after start fails results in a BAD_STATE + * error. */ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *hash_data, @@ -7235,6 +7256,13 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, TEST_EQUAL(actual_status, expected_start_status); if (expected_start_status != PSA_SUCCESS) { + /* Emulate poor implementation, and call complete anyway, even though + * start failed. */ + actual_status = psa_verify_hash_complete(&operation); + + TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE); + + /* Test that calling start again after failure also causes BAD_STATE. */ actual_status = psa_verify_hash_start(&operation, key, alg, hash_data->x, hash_data->len, signature_data->x, From 5770224ef3372b0cb505793003ced75d7c31d68f Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Sun, 26 Feb 2023 20:36:10 +0000 Subject: [PATCH 236/250] Rename max ops tests to ops tests Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.data | 4 ++-- tests/suites/test_suite_psa_crypto.function | 8 +++++--- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index f340a7ff2c..cfcdac1021 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -4561,9 +4561,9 @@ PSA sign/vrfy hash int edge case tests: randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 interruptible_signverify_hash_edgecase_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" -PSA sign/vrfy hash int max ops tests: randomized ECDSA SECP256R1 SHA-256 +PSA sign/vrfy hash int ops tests: randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 -interruptible_signverify_hash_maxops_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" +interruptible_signverify_hash_ops_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" PSA sign message: RSA PKCS#1 v1.5 SHA-256 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index ab39fba554..f3ccac01b3 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -7602,15 +7602,17 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */ /** - * interruptible_signverify_hash_maxops_tests() test intentions: + * interruptible_signverify_hash_ops_tests() test intentions: * * Note: This test can currently only handle ECDSA. * * 1. Test that setting max ops is reflected in both interruptible sign and * verify hash + */ -void interruptible_signverify_hash_maxops_tests(int key_type_arg, - data_t *key_data, int alg_arg, data_t *input_data) +void interruptible_signverify_hash_ops_tests(int key_type_arg, + data_t *key_data, int alg_arg, + data_t *input_data) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; From 9e8819f356f296cb8f062ce2207f6e690220ebce Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Sun, 26 Feb 2023 19:01:35 +0000 Subject: [PATCH 237/250] Move 'change max_ops' test into ops tests Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 74 +++++++++++---------- 1 file changed, 38 insertions(+), 36 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index f3ccac01b3..ce531e1b00 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -7487,41 +7487,6 @@ void interruptible_signverify_hash_edgecase_tests(int key_type_arg, TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE); ASSERT_ALLOC(signature, signature_size); - /* --- Ensure changing the max ops mid operation works (operation should - * complete successfully after setting max ops to unlimited --- */ - psa_interruptible_set_max_ops(1); - - PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, - input_data->x, input_data->len)); - - TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, - signature_size, - &signature_length), - PSA_OPERATION_INCOMPLETE); - - psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); - - PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature, - signature_size, - &signature_length)); - - PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); - - psa_interruptible_set_max_ops(1); - - PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, - input_data->x, input_data->len, - signature, signature_length)); - - TEST_EQUAL(psa_verify_hash_complete(&verify_operation), - PSA_OPERATION_INCOMPLETE); - - psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); - - PSA_ASSERT(psa_verify_hash_complete(&verify_operation)); - - PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); - /* --- Change function inputs mid run, to cause an error (sign only, * verify passes all inputs to start. --- */ @@ -7608,7 +7573,8 @@ exit: * * 1. Test that setting max ops is reflected in both interruptible sign and * verify hash - + * 2. Test that changing the value of max_ops to unlimited during an operation + * causes that operation to complete in the next call. */ void interruptible_signverify_hash_ops_tests(int key_type_arg, data_t *key_data, int alg_arg, @@ -7621,6 +7587,7 @@ void interruptible_signverify_hash_ops_tests(int key_type_arg, size_t key_bits; unsigned char *signature = NULL; size_t signature_size; + size_t signature_length = 0xdeadbeef; psa_sign_hash_interruptible_operation_t sign_operation = psa_sign_hash_interruptible_operation_init(); psa_verify_hash_interruptible_operation_t verify_operation = @@ -7669,6 +7636,41 @@ void interruptible_signverify_hash_ops_tests(int key_type_arg, TEST_EQUAL(psa_interruptible_get_max_ops(), 0xbeef); + /* --- Ensure changing the max ops mid operation works (operation should + * complete successfully after setting max ops to unlimited --- */ + psa_interruptible_set_max_ops(1); + + PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, + input_data->x, input_data->len)); + + TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature, + signature_size, + &signature_length), + PSA_OPERATION_INCOMPLETE); + + psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); + + PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature, + signature_size, + &signature_length)); + + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + + psa_interruptible_set_max_ops(1); + + PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, + input_data->x, input_data->len, + signature, signature_length)); + + TEST_EQUAL(psa_verify_hash_complete(&verify_operation), + PSA_OPERATION_INCOMPLETE); + + psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); + + PSA_ASSERT(psa_verify_hash_complete(&verify_operation)); + + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + exit: /* * Key attributes may have been returned by psa_get_key_attributes() From c1e0400bac3e409e85b44739a5037c24912fe261 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Sun, 26 Feb 2023 20:27:23 +0000 Subject: [PATCH 238/250] Add test to check not calling get_num_ops() Make sure that not calling get_num_ops() inbetweeen calls to complete() does not mean that ops get lost (Regression test for previous fix). Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 76 +++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index ce531e1b00..62f2fbf683 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -7575,6 +7575,9 @@ exit: * verify hash * 2. Test that changing the value of max_ops to unlimited during an operation * causes that operation to complete in the next call. + * + * 3. Test that calling get_num_ops() between complete calls gives the same + * result as calling get_num_ops() once at the end of the operation. */ void interruptible_signverify_hash_ops_tests(int key_type_arg, data_t *key_data, int alg_arg, @@ -7588,6 +7591,9 @@ void interruptible_signverify_hash_ops_tests(int key_type_arg, unsigned char *signature = NULL; size_t signature_size; size_t signature_length = 0xdeadbeef; + uint32_t num_ops = 0; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_sign_hash_interruptible_operation_t sign_operation = psa_sign_hash_interruptible_operation_init(); psa_verify_hash_interruptible_operation_t verify_operation = @@ -7671,6 +7677,76 @@ void interruptible_signverify_hash_ops_tests(int key_type_arg, PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + /* --- Test that not calling get_num_ops inbetween complete calls does not + * result in lost ops. ---*/ + + psa_interruptible_set_max_ops(1); + + PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, + input_data->x, input_data->len)); + + /* Continue performing the signature until complete. */ + do { + status = psa_sign_hash_complete(&sign_operation, signature, + signature_size, + &signature_length); + + num_ops = psa_sign_hash_get_num_ops(&sign_operation); + + } while (status == PSA_OPERATION_INCOMPLETE); + + PSA_ASSERT(status); + + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + + PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, + input_data->x, input_data->len)); + + /* Continue performing the signature until complete. */ + do { + status = psa_sign_hash_complete(&sign_operation, signature, + signature_size, + &signature_length); + } while (status == PSA_OPERATION_INCOMPLETE); + + PSA_ASSERT(status); + + TEST_EQUAL(num_ops, psa_sign_hash_get_num_ops(&sign_operation)); + + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + + PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, + input_data->x, input_data->len, + signature, signature_length)); + + /* Continue performing the verification until complete. */ + do { + status = psa_verify_hash_complete(&verify_operation); + + num_ops = psa_verify_hash_get_num_ops(&verify_operation); + + } while (status == PSA_OPERATION_INCOMPLETE); + + PSA_ASSERT(status); + + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + + PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg, + input_data->x, input_data->len, + signature, signature_length)); + + /* Continue performing the verification until complete. */ + do { + status = psa_verify_hash_complete(&verify_operation); + + } while (status == PSA_OPERATION_INCOMPLETE); + + PSA_ASSERT(status); + + TEST_EQUAL(num_ops, psa_verify_hash_get_num_ops(&verify_operation)); + + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); + exit: /* * Key attributes may have been returned by psa_get_key_attributes() From 8359c14c14d5ac9b8a6e163319650a8751e0c926 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 24 Feb 2023 18:40:10 +0000 Subject: [PATCH 239/250] Add hash corruption test to interruptible verify test Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 25 +++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index ab39fba554..844d9bcba3 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -7042,6 +7042,12 @@ exit: * 3. Test that the number of ops done prior to start and after abort is zero * and that each successful stage completes some ops (this is not mandated by * the PSA specification, but is currently the case). + * + * 4. Test that calling psa_sign_hash_get_num_ops() multiple times between + * complete() calls does not alter the number of ops returned. + * + * 5. Test that after corrupting the hash, the verification detects an invalid + * signature. */ void verify_hash_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *hash_data, @@ -7126,6 +7132,25 @@ void verify_hash_interruptible(int key_type_arg, data_t *key_data, num_ops = psa_verify_hash_get_num_ops(&operation); TEST_ASSERT(num_ops == 0); + if (hash_data->len != 0) { + /* Flip a bit in the hash and verify that the signature is now detected + * as invalid. Flip a bit at the beginning, not at the end, because + * ECDSA may ignore the last few bits of the input. */ + hash_data->x[0] ^= 1; + + /* Start verification. */ + PSA_ASSERT(psa_verify_hash_start(&operation, key, alg, + hash_data->x, hash_data->len, + signature_data->x, signature_data->len)); + + /* Continue performing the signature until complete. */ + do { + status = psa_verify_hash_complete(&operation); + } while (status == PSA_OPERATION_INCOMPLETE); + + TEST_ASSERT(status == PSA_ERROR_INVALID_SIGNATURE); + } + exit: psa_reset_key_attributes(&attributes); psa_destroy_key(key); From 7c173082532b2014cfce0295104fc5be7357a65a Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Sun, 26 Feb 2023 18:44:45 +0000 Subject: [PATCH 240/250] Add num_ops tests to sign and verify interruptible hash This is the only test usable for non-deterministic ECDSA, thus needs this code path testing as well. Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 26 +++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 844d9bcba3..0cf1f53da5 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6864,6 +6864,10 @@ exit: * * 3. Test the number of calls to psa_sign_hash_complete() required are as * expected for different max_ops values. + * + * 4. Test that the number of ops done prior to starting signing and after abort + * is zero and that each successful signing stage completes some ops (this is + * not mandated by the PSA specification, but is currently the case). */ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, int alg_arg, data_t *input_data, @@ -6879,6 +6883,8 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_status_t status = PSA_OPERATION_INCOMPLETE; uint32_t max_ops = max_ops_arg; + uint32_t num_ops = 0; + uint32_t num_ops_prior = 0; size_t num_completes = 0; size_t min_completes = 0; size_t max_completes = 0; @@ -6913,10 +6919,16 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS, &min_completes, &max_completes); + num_ops_prior = psa_sign_hash_get_num_ops(&sign_operation); + TEST_ASSERT(num_ops_prior == 0); + /* Start performing the signature. */ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg, input_data->x, input_data->len)); + num_ops_prior = psa_sign_hash_get_num_ops(&sign_operation); + TEST_ASSERT(num_ops_prior == 0); + /* Continue performing the signature until complete. */ do { @@ -6925,6 +6937,17 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, &signature_length); num_completes++; + + if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) { + num_ops = psa_sign_hash_get_num_ops(&sign_operation); + /* We are asserting here that every complete makes progress + * (completes some ops), which is true of the internal + * implementation and probably any implementation, however this is + * not mandated by the PSA specification. */ + TEST_ASSERT(num_ops > num_ops_prior); + + num_ops_prior = num_ops; + } } while (status == PSA_OPERATION_INCOMPLETE); TEST_ASSERT(status == PSA_SUCCESS); @@ -6934,6 +6957,9 @@ void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data, PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); + num_ops = psa_sign_hash_get_num_ops(&sign_operation); + TEST_ASSERT(num_ops == 0); + /* Check that the signature length looks sensible. */ TEST_LE_U(signature_length, signature_size); TEST_ASSERT(signature_length > 0); From e47899df2004b8f15f12b293b1bf80fb8f8f05d6 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 28 Feb 2023 17:39:03 +0000 Subject: [PATCH 241/250] Fix macro redefinition warning from armcc Signed-off-by: Dave Rodgman --- library/alignment.h | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/library/alignment.h b/library/alignment.h index aa09ff8569..57ddaa53ca 100644 --- a/library/alignment.h +++ b/library/alignment.h @@ -155,13 +155,13 @@ inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x) * Detect Clang built-in byteswap routines */ #if defined(__clang__) && defined(__has_builtin) -#if __has_builtin(__builtin_bswap16) +#if __has_builtin(__builtin_bswap16) && !defined(MBEDTLS_BSWAP16) #define MBEDTLS_BSWAP16 __builtin_bswap16 #endif /* __has_builtin(__builtin_bswap16) */ -#if __has_builtin(__builtin_bswap32) +#if __has_builtin(__builtin_bswap32) && !defined(MBEDTLS_BSWAP32) #define MBEDTLS_BSWAP32 __builtin_bswap32 #endif /* __has_builtin(__builtin_bswap32) */ -#if __has_builtin(__builtin_bswap64) +#if __has_builtin(__builtin_bswap64) && !defined(MBEDTLS_BSWAP64) #define MBEDTLS_BSWAP64 __builtin_bswap64 #endif /* __has_builtin(__builtin_bswap64) */ #endif /* defined(__clang__) && defined(__has_builtin) */ @@ -170,13 +170,19 @@ inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x) * Detect MSVC built-in byteswap routines */ #if defined(_MSC_VER) +#if !defined(MBEDTLS_BSWAP16) #define MBEDTLS_BSWAP16 _byteswap_ushort +#endif +#if !defined(MBEDTLS_BSWAP32) #define MBEDTLS_BSWAP32 _byteswap_ulong +#endif +#if !defined(MBEDTLS_BSWAP64) #define MBEDTLS_BSWAP64 _byteswap_uint64 +#endif #endif /* defined(_MSC_VER) */ /* Detect armcc built-in byteswap routine */ -#if defined(__ARMCC_VERSION) && (__ARMCC_VERSION >= 410000) +#if defined(__ARMCC_VERSION) && (__ARMCC_VERSION >= 410000) && !defined(MBEDTLS_BSWAP32) #define MBEDTLS_BSWAP32 __rev #endif From 914c632646ff24eb5435d97021478f649eb07d6a Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 1 Mar 2023 09:30:14 +0000 Subject: [PATCH 242/250] Whitespace Signed-off-by: Dave Rodgman --- library/alignment.h | 86 ++++++++++++++++++++++----------------------- 1 file changed, 43 insertions(+), 43 deletions(-) diff --git a/library/alignment.h b/library/alignment.h index 57ddaa53ca..f7330c9897 100644 --- a/library/alignment.h +++ b/library/alignment.h @@ -130,7 +130,7 @@ inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x) * byte from x, where byte 0 is the least significant byte. */ #define MBEDTLS_BYTE_0(x) ((uint8_t) ((x) & 0xff)) -#define MBEDTLS_BYTE_1(x) ((uint8_t) (((x) >> 8) & 0xff)) +#define MBEDTLS_BYTE_1(x) ((uint8_t) (((x) >> 8) & 0xff)) #define MBEDTLS_BYTE_2(x) ((uint8_t) (((x) >> 16) & 0xff)) #define MBEDTLS_BYTE_3(x) ((uint8_t) (((x) >> 24) & 0xff)) #define MBEDTLS_BYTE_4(x) ((uint8_t) (((x) >> 32) & 0xff)) @@ -245,8 +245,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * byte of the four bytes to build the 32 bits unsigned * integer from. */ -#define MBEDTLS_GET_UINT32_BE(data, offset) \ - ((MBEDTLS_IS_BIG_ENDIAN) \ +#define MBEDTLS_GET_UINT32_BE(data, offset) \ + ((MBEDTLS_IS_BIG_ENDIAN) \ ? mbedtls_get_unaligned_uint32((data) + (offset)) \ : MBEDTLS_BSWAP32(mbedtls_get_unaligned_uint32((data) + (offset))) \ ) @@ -260,11 +260,11 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * \param offset Offset from \p data where to put the most significant * byte of the 32 bits unsigned integer \p n. */ -#define MBEDTLS_PUT_UINT32_BE(n, data, offset) \ +#define MBEDTLS_PUT_UINT32_BE(n, data, offset) \ { \ - if (MBEDTLS_IS_BIG_ENDIAN) \ + if (MBEDTLS_IS_BIG_ENDIAN) \ { \ - mbedtls_put_unaligned_uint32((data) + (offset), (uint32_t) (n)); \ + mbedtls_put_unaligned_uint32((data) + (offset), (uint32_t) (n)); \ } \ else \ { \ @@ -281,8 +281,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * byte of the four bytes to build the 32 bits unsigned * integer from. */ -#define MBEDTLS_GET_UINT32_LE(data, offset) \ - ((MBEDTLS_IS_BIG_ENDIAN) \ +#define MBEDTLS_GET_UINT32_LE(data, offset) \ + ((MBEDTLS_IS_BIG_ENDIAN) \ ? MBEDTLS_BSWAP32(mbedtls_get_unaligned_uint32((data) + (offset))) \ : mbedtls_get_unaligned_uint32((data) + (offset)) \ ) @@ -297,15 +297,15 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * \param offset Offset from \p data where to put the least significant * byte of the 32 bits unsigned integer \p n. */ -#define MBEDTLS_PUT_UINT32_LE(n, data, offset) \ +#define MBEDTLS_PUT_UINT32_LE(n, data, offset) \ { \ - if (MBEDTLS_IS_BIG_ENDIAN) \ + if (MBEDTLS_IS_BIG_ENDIAN) \ { \ mbedtls_put_unaligned_uint32((data) + (offset), MBEDTLS_BSWAP32((uint32_t) (n))); \ } \ else \ { \ - mbedtls_put_unaligned_uint32((data) + (offset), ((uint32_t) (n))); \ + mbedtls_put_unaligned_uint32((data) + (offset), ((uint32_t) (n))); \ } \ } @@ -318,8 +318,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * byte of the two bytes to build the 16 bits unsigned * integer from. */ -#define MBEDTLS_GET_UINT16_LE(data, offset) \ - ((MBEDTLS_IS_BIG_ENDIAN) \ +#define MBEDTLS_GET_UINT16_LE(data, offset) \ + ((MBEDTLS_IS_BIG_ENDIAN) \ ? MBEDTLS_BSWAP16(mbedtls_get_unaligned_uint16((data) + (offset))) \ : mbedtls_get_unaligned_uint16((data) + (offset)) \ ) @@ -333,15 +333,15 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * \param offset Offset from \p data where to put the least significant * byte of the 16 bits unsigned integer \p n. */ -#define MBEDTLS_PUT_UINT16_LE(n, data, offset) \ +#define MBEDTLS_PUT_UINT16_LE(n, data, offset) \ { \ - if (MBEDTLS_IS_BIG_ENDIAN) \ + if (MBEDTLS_IS_BIG_ENDIAN) \ { \ mbedtls_put_unaligned_uint16((data) + (offset), MBEDTLS_BSWAP16((uint16_t) (n))); \ } \ else \ { \ - mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \ + mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \ } \ } @@ -354,8 +354,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * byte of the two bytes to build the 16 bits unsigned * integer from. */ -#define MBEDTLS_GET_UINT16_BE(data, offset) \ - ((MBEDTLS_IS_BIG_ENDIAN) \ +#define MBEDTLS_GET_UINT16_BE(data, offset) \ + ((MBEDTLS_IS_BIG_ENDIAN) \ ? mbedtls_get_unaligned_uint16((data) + (offset)) \ : MBEDTLS_BSWAP16(mbedtls_get_unaligned_uint16((data) + (offset))) \ ) @@ -369,11 +369,11 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * \param offset Offset from \p data where to put the most significant * byte of the 16 bits unsigned integer \p n. */ -#define MBEDTLS_PUT_UINT16_BE(n, data, offset) \ +#define MBEDTLS_PUT_UINT16_BE(n, data, offset) \ { \ - if (MBEDTLS_IS_BIG_ENDIAN) \ + if (MBEDTLS_IS_BIG_ENDIAN) \ { \ - mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \ + mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \ } \ else \ { \ @@ -390,11 +390,11 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * byte of the three bytes to build the 24 bits unsigned * integer from. */ -#define MBEDTLS_GET_UINT24_BE(data, offset) \ - ( \ - ((uint32_t) (data)[(offset)] << 16) \ - | ((uint32_t) (data)[(offset) + 1] << 8) \ - | ((uint32_t) (data)[(offset) + 2]) \ +#define MBEDTLS_GET_UINT24_BE(data, offset) \ + ( \ + ((uint32_t) (data)[(offset)] << 16) \ + | ((uint32_t) (data)[(offset) + 1] << 8) \ + | ((uint32_t) (data)[(offset) + 2]) \ ) /** @@ -407,8 +407,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * byte of the 24 bits unsigned integer \p n. */ #define MBEDTLS_PUT_UINT24_BE(n, data, offset) \ - { \ - (data)[(offset)] = MBEDTLS_BYTE_2(n); \ + { \ + (data)[(offset)] = MBEDTLS_BYTE_2(n); \ (data)[(offset) + 1] = MBEDTLS_BYTE_1(n); \ (data)[(offset) + 2] = MBEDTLS_BYTE_0(n); \ } @@ -422,9 +422,9 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * byte of the three bytes to build the 24 bits unsigned * integer from. */ -#define MBEDTLS_GET_UINT24_LE(data, offset) \ - ( \ - ((uint32_t) (data)[(offset)]) \ +#define MBEDTLS_GET_UINT24_LE(data, offset) \ + ( \ + ((uint32_t) (data)[(offset)]) \ | ((uint32_t) (data)[(offset) + 1] << 8) \ | ((uint32_t) (data)[(offset) + 2] << 16) \ ) @@ -439,8 +439,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * byte of the 24 bits unsigned integer \p n. */ #define MBEDTLS_PUT_UINT24_LE(n, data, offset) \ - { \ - (data)[(offset)] = MBEDTLS_BYTE_0(n); \ + { \ + (data)[(offset)] = MBEDTLS_BYTE_0(n); \ (data)[(offset) + 1] = MBEDTLS_BYTE_1(n); \ (data)[(offset) + 2] = MBEDTLS_BYTE_2(n); \ } @@ -454,8 +454,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * byte of the eight bytes to build the 64 bits unsigned * integer from. */ -#define MBEDTLS_GET_UINT64_BE(data, offset) \ - ((MBEDTLS_IS_BIG_ENDIAN) \ +#define MBEDTLS_GET_UINT64_BE(data, offset) \ + ((MBEDTLS_IS_BIG_ENDIAN) \ ? mbedtls_get_unaligned_uint64((data) + (offset)) \ : MBEDTLS_BSWAP64(mbedtls_get_unaligned_uint64((data) + (offset))) \ ) @@ -469,11 +469,11 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * \param offset Offset from \p data where to put the most significant * byte of the 64 bits unsigned integer \p n. */ -#define MBEDTLS_PUT_UINT64_BE(n, data, offset) \ +#define MBEDTLS_PUT_UINT64_BE(n, data, offset) \ { \ - if (MBEDTLS_IS_BIG_ENDIAN) \ + if (MBEDTLS_IS_BIG_ENDIAN) \ { \ - mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \ + mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \ } \ else \ { \ @@ -490,8 +490,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * byte of the eight bytes to build the 64 bits unsigned * integer from. */ -#define MBEDTLS_GET_UINT64_LE(data, offset) \ - ((MBEDTLS_IS_BIG_ENDIAN) \ +#define MBEDTLS_GET_UINT64_LE(data, offset) \ + ((MBEDTLS_IS_BIG_ENDIAN) \ ? MBEDTLS_BSWAP64(mbedtls_get_unaligned_uint64((data) + (offset))) \ : mbedtls_get_unaligned_uint64((data) + (offset)) \ ) @@ -505,15 +505,15 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 }; * \param offset Offset from \p data where to put the least significant * byte of the 64 bits unsigned integer \p n. */ -#define MBEDTLS_PUT_UINT64_LE(n, data, offset) \ +#define MBEDTLS_PUT_UINT64_LE(n, data, offset) \ { \ - if (MBEDTLS_IS_BIG_ENDIAN) \ + if (MBEDTLS_IS_BIG_ENDIAN) \ { \ mbedtls_put_unaligned_uint64((data) + (offset), MBEDTLS_BSWAP64((uint64_t) (n))); \ } \ else \ { \ - mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \ + mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \ } \ } From de7c31e08281692143f0fdb27a01570320ebb3eb Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 1 Mar 2023 14:37:48 +0000 Subject: [PATCH 243/250] Improve comment wording Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index cbe0b19636..4113c97a72 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -6724,7 +6724,7 @@ void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data, TEST_EQUAL(actual_status, expected_start_status); if (expected_start_status != PSA_SUCCESS) { - /* Emulate poor implementation, and call complete anyway, even though + /* Emulate poor application code, and call complete anyway, even though * start failed. */ actual_status = psa_sign_hash_complete(&operation, signature, signature_size, @@ -7256,7 +7256,7 @@ void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data, TEST_EQUAL(actual_status, expected_start_status); if (expected_start_status != PSA_SUCCESS) { - /* Emulate poor implementation, and call complete anyway, even though + /* Emulate poor application code, and call complete anyway, even though * start failed. */ actual_status = psa_verify_hash_complete(&operation); From 7d3186d18ad9e1ad9755514ded08dd79670db7e3 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 12 Aug 2022 22:43:18 +0200 Subject: [PATCH 244/250] Disable MBEDTLS_SSL_RENEGOTIATION in tls13-only configuration There's no renegotiation in TLS 1.3, so this option should have no effect. Insist on having it disabled, to avoid the risk of accidentally having different behavior in TLS 1.3 if the option is enabled (as happened in https://github.com/Mbed-TLS/mbedtls/issues/6200). Signed-off-by: Gilles Peskine --- include/mbedtls/check_config.h | 5 +++++ tests/configs/tls13-only.h | 1 + 2 files changed, 6 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index ac374d2a4b..2d2fae5812 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -936,6 +936,11 @@ #error "MBEDTLS_SSL_EXTENDED_MASTER_SECRET defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_RENEGOTIATION) && \ + !defined(MBEDTLS_SSL_PROTO_TLS1_2) +#error "MBEDTLS_SSL_RENEGOTIATION defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_SSL_TICKET_C) && ( !defined(MBEDTLS_CIPHER_C) && \ !defined(MBEDTLS_USE_PSA_CRYPTO) ) #error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites" diff --git a/tests/configs/tls13-only.h b/tests/configs/tls13-only.h index 963086f316..1f212e7d8f 100644 --- a/tests/configs/tls13-only.h +++ b/tests/configs/tls13-only.h @@ -29,6 +29,7 @@ /* Disable TLS 1.2 and 1.2-specific features */ #undef MBEDTLS_SSL_ENCRYPT_THEN_MAC #undef MBEDTLS_SSL_EXTENDED_MASTER_SECRET +#undef MBEDTLS_SSL_RENEGOTIATION #undef MBEDTLS_SSL_PROTO_TLS1_2 #undef MBEDTLS_SSL_PROTO_DTLS #undef MBEDTLS_SSL_DTLS_ANTI_REPLAY From 136d25c416e2364b433e4b894fa5fb225624a42f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 12 Aug 2022 22:49:12 +0200 Subject: [PATCH 245/250] Explicitly disable all DTLS options in tls13-only.h This makes no difference when starting from the default configuration. It allows tls13-only.h to be used with other base configurations such as `full`. Signed-off-by: Gilles Peskine --- tests/configs/tls13-only.h | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/configs/tls13-only.h b/tests/configs/tls13-only.h index 1f212e7d8f..38286d1fd6 100644 --- a/tests/configs/tls13-only.h +++ b/tests/configs/tls13-only.h @@ -34,6 +34,7 @@ #undef MBEDTLS_SSL_PROTO_DTLS #undef MBEDTLS_SSL_DTLS_ANTI_REPLAY #undef MBEDTLS_SSL_DTLS_HELLO_VERIFY +#undef MBEDTLS_SSL_DTLS_SRTP #undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE #undef MBEDTLS_SSL_DTLS_CONNECTION_ID #undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT From cc29bfd92aaa586ff681757f0f9c9b23e478e575 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 12 Aug 2022 23:12:35 +0200 Subject: [PATCH 246/250] Bug fixes from the split of ssl_handle_hs_message_post_handshake The split of ssl_handle_hs_message_post_handshake() into ssl_tls12_handle_hs_message_post_handshake() and ssl_tls13_handle_hs_message_post_handshake() fixed some user-visible bugs. Add a changelog entry for those bugs. Signed-off-by: Gilles Peskine --- ChangeLog.d/tls13-only-renegotiation.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/tls13-only-renegotiation.txt diff --git a/ChangeLog.d/tls13-only-renegotiation.txt b/ChangeLog.d/tls13-only-renegotiation.txt new file mode 100644 index 0000000000..f463de1af2 --- /dev/null +++ b/ChangeLog.d/tls13-only-renegotiation.txt @@ -0,0 +1,5 @@ +Bugfix + * Fix the handling of renegotiation attempts in TLS 1.3. They are now + systematically rejected. + * Fix an unused-variable warning in TLS 1.3-only builds if + MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200. From 2f386c55ffde293c9e51e77e8f6b0d6c29637408 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 2 Mar 2023 13:38:33 +0000 Subject: [PATCH 247/250] Disable MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT for armclang Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 353ec69070..7bac408cb9 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3479,6 +3479,10 @@ component_build_armcc () { scripts/config.py baremetal # armc[56] don't support SHA-512 intrinsics scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + + # stop armclang warning about feature detection for A64_CRYPTO + scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + scripts/config.py set MBEDTLS_HAVE_ASM make CC="$ARMC5_CC" AR="$ARMC5_AR" WARNING_CFLAGS='--strict --c99' lib From 1c232a831116f7f5584cc36e5a178fbfc9bebd5b Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 2 Mar 2023 13:39:04 +0000 Subject: [PATCH 248/250] Enable -Werror for armclang Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7bac408cb9..865e18bef9 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -388,7 +388,7 @@ armc6_build_test() msg "build: ARM Compiler 6 ($FLAGS)" ARM_TOOL_VARIANT="ult" CC="$ARMC6_CC" AR="$ARMC6_AR" CFLAGS="$FLAGS" \ - WARNING_CFLAGS='-xc -std=c99' make lib + WARNING_CFLAGS='-Werror -xc -std=c99' make lib msg "size: ARM Compiler 6 ($FLAGS)" "$ARMC6_FROMELF" -z library/*.o From 0fddf829d529b396dc829a4aa4ab152c5782b12d Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 2 Mar 2023 15:32:12 +0000 Subject: [PATCH 249/250] Add more detailed comment Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 865e18bef9..61233f877b 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3480,7 +3480,12 @@ component_build_armcc () { # armc[56] don't support SHA-512 intrinsics scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT - # stop armclang warning about feature detection for A64_CRYPTO + # Stop armclang warning about feature detection for A64_CRYPTO. + # With this enabled, the library does build correctly under armclang, + # but in baremetal builds (as tested here), feature detection is + # unavailable, and the user is notified via a #warning. So enabling + # this feature would prevent us from building with -Werror on + # armclang. Tracked in #7198. scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT scripts/config.py set MBEDTLS_HAVE_ASM From ddbc6ed6cd1157f7f2b65d8496138d6b594d73a0 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Thu, 2 Mar 2023 16:00:18 +0000 Subject: [PATCH 250/250] Enable all keys for interruptible op fail tests Due to a misunderstanding about the purpose of the test, I had limited this to ECC keys only, however this defeats the purpose of the test, and left gaps in test coverage. Signed-off-by: Paul Elliott --- .../test_suite_psa_crypto_op_fail.function | 22 ++++++++----------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_op_fail.function b/tests/suites/test_suite_psa_crypto_op_fail.function index 970be84b42..55dce8931f 100644 --- a/tests/suites/test_suite_psa_crypto_op_fail.function +++ b/tests/suites/test_suite_psa_crypto_op_fail.function @@ -245,13 +245,11 @@ void sign_fail(int key_type_arg, data_t *key_data, input, sizeof(input), output, sizeof(output), &length)); - if (PSA_KEY_TYPE_IS_ECC(key_type)) { - TEST_STATUS(expected_status, - psa_sign_hash_start(&sign_operation, key_id, alg, - input, sizeof(input))); + TEST_STATUS(expected_status, + psa_sign_hash_start(&sign_operation, key_id, alg, + input, sizeof(input))); - PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); - } + PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); if (!private_only) { /* Determine a plausible signature size to avoid an INVALID_SIGNATURE @@ -270,14 +268,12 @@ void sign_fail(int key_type_arg, data_t *key_data, input, sizeof(input), output, output_length)); - if (PSA_KEY_TYPE_IS_ECC(key_type)) { - TEST_STATUS(expected_status, - psa_verify_hash_start(&verify_operation, key_id, alg, - input, sizeof(input), - output, output_length)); + TEST_STATUS(expected_status, + psa_verify_hash_start(&verify_operation, key_id, alg, + input, sizeof(input), + output, output_length)); - PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); - } + PSA_ASSERT(psa_verify_hash_abort(&verify_operation)); } exit: