From 85e6bdb7ad7fe3c48a109b71e4c871c1f524d7ca Mon Sep 17 00:00:00 2001
From: Kusumit Ghoderao
Date: Mon, 5 Jun 2023 14:48:28 +0530
Subject: [PATCH 01/18] Add additional members to pbkdf2 struct
Signed-off-by: Kusumit Ghoderao
---
 include/psa/crypto_builtin_key_derivation.h | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/include/psa/crypto_builtin_key_derivation.h b/include/psa/crypto_builtin_key_derivation.h
index d54291f819..cd6d51df02 100644
--- a/include/psa/crypto_builtin_key_derivation.h
+++ b/include/psa/crypto_builtin_key_derivation.h
@@ -121,6 +121,9 @@ typedef struct {
 size_t MBEDTLS_PRIVATE(salt_length);
 uint8_t MBEDTLS_PRIVATE(password)[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
 size_t MBEDTLS_PRIVATE(password_length);
+ uint8_t MBEDTLS_PRIVATE(output_block)[PSA_HASH_MAX_SIZE];
+ uint8_t MBEDTLS_PRIVATE(bytes_used);
+ uint32_t MBEDTLS_PRIVATE(block_number);
 } psa_pbkdf2_key_derivation_t;
 #endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
From a4346cdc502d9bd26266e79311221eed17d7f122 Mon Sep 17 00:00:00 2001
From: Kusumit Ghoderao
Date: Mon, 5 Jun 2023 14:50:20 +0530
Subject: [PATCH 02/18] Add pbkdf2_generate_block function
Signed-off-by: Kusumit Ghoderao
---
 library/psa_crypto.c | 57 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 85451bf649..f438c87ce1 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
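Review bot: The three members added to `psa_pbkdf2_key_derivation_t` carry no comments, and their meaning only becomes clear from the read function added in 03/18. Short comments such as `/* Most recently computed PBKDF2 block; holds derived key material */` on `output_block`, `/* Bytes of output_block already returned to the caller */` on `bytes_used`, and `/* Block index fed to the PRF for the current block */` on `block_number` would document them. Because `output_block` caches derived key bytes inside the operation context, the abort path for this context should wipe it; that code is not part of this hunk, so please confirm it does.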
@@ -5474,6 +5474,63 @@ static psa_status_t psa_key_derivation_tls12_ecjpake_to_pms_read(
 }
 #endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+static psa_status_t psa_key_derivation_pbkdf2_generate_block(
+ psa_pbkdf2_key_derivation_t *pbkdf2,
+ psa_algorithm_t prf_alg,
+ uint8_t prf_output_length,
+ psa_key_attributes_t *attributes)
+{
+ psa_status_t status;
+ size_t mac_output_length;
+ uint8_t U_i[PSA_HASH_MAX_SIZE];
+ uint8_t U_accumulator[PSA_HASH_MAX_SIZE];
+ uint8_t j;
+ uint64_t i;
+
+ uint8_t *input = mbedtls_calloc(pbkdf2->salt_length + 4, 1);
+ memcpy(input, pbkdf2->salt, pbkdf2->salt_length);
+ MBEDTLS_PUT_UINT32_BE(pbkdf2->block_number, input, pbkdf2->salt_length);
+
+ status = psa_driver_wrapper_mac_compute(attributes, pbkdf2->password,
+ pbkdf2->password_length, prf_alg,
+ input, (pbkdf2->salt_length + 4),
+ U_i, prf_output_length,
+ &mac_output_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ memcpy(U_accumulator, U_i, mac_output_length);
+
+ for (i = 1; i < pbkdf2->input_cost; i++) {
+ status = psa_driver_wrapper_mac_compute(attributes,
+ pbkdf2->password,
+ pbkdf2->password_length,
+ prf_alg, U_i, prf_output_length,
+ U_i, prf_output_length,
+ &mac_output_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ // U1 xor U2
+ for (j = 0; j < prf_output_length; j++) {
+ U_accumulator[j] ^= U_i[j];
+ }
+ }
+
+ memcpy(pbkdf2->output_block, U_accumulator, prf_output_length);
+
+cleanup:
+ /* Zeroise buffers to clear sensitive data from memory. */
+ mbedtls_platform_zeroize(U_accumulator, PSA_HASH_MAX_SIZE);
+ mbedtls_platform_zeroize(U_i, PSA_HASH_MAX_SIZE);
+ mbedtls_platform_zeroize(input, pbkdf2->salt_length + 4);
+ mbedtls_free(input);
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
+
 psa_status_t psa_key_derivation_output_bytes(
 psa_key_derivation_operation_t *operation,
 uint8_t *output,
From f6a0d57e4d08806723d63fd108805f6e34bcdf7d Mon Sep 17 00:00:00 2001
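Review bot: The pointer returned by `mbedtls_calloc(pbkdf2->salt_length + 4, 1)` is passed straight to `memcpy` without a NULL check, so an allocation failure becomes a null-pointer write instead of an error status. Add `if (input == NULL) { return PSA_ERROR_INSUFFICIENT_MEMORY; }` right after the allocation; returning directly also keeps the `cleanup` zeroize from being handed a NULL buffer. The first `memcpy(U_accumulator, U_i, mac_output_length)` likewise trusts the length reported by the MAC call, and comparing it with `prf_output_length` before copying would keep the copy inside `U_accumulator`. Patch 11/18 later in this series replaces the allocation with a multipart MAC and adds that length check, but this commit on its own still carries both gaps.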
From: Kusumit Ghoderao
Date: Mon, 5 Jun 2023 14:55:56 +0530
Subject: [PATCH 03/18] Add pbkdf2 function to key_derivation_output_bytes
Signed-off-by: Kusumit Ghoderao
---
 library/psa_crypto.c | 67 ++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 62 insertions(+), 5 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index f438c87ce1..38ceb46f13 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -5529,6 +5529,66 @@ cleanup:
 mbedtls_free(input);
 return status;
 }
+
+static psa_status_t psa_key_derivation_pbkdf2_read(
+ psa_pbkdf2_key_derivation_t *pbkdf2,
+ psa_algorithm_t kdf_alg,
+ uint8_t *output,
+ size_t output_length)
+{
+ psa_status_t status;
+ psa_algorithm_t prf_alg;
+ uint8_t prf_output_length;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(pbkdf2->password_length));
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
+
+ if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
+ prf_alg = PSA_ALG_HMAC(PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg));
+ prf_output_length = PSA_HASH_LENGTH(prf_alg);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
+ }
+
+ switch (pbkdf2->state) {
+ case PSA_PBKDF2_STATE_PASSWORD_SET:
+ /* Initially we need a new block so bytes_used is equal to block size*/
+ pbkdf2->bytes_used = prf_output_length;
+ pbkdf2->state = PSA_PBKDF2_STATE_OUTPUT;
+ break;
+ case PSA_PBKDF2_STATE_OUTPUT:
+ break;
+ default:
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ while (output_length != 0) {
+ uint8_t n = prf_output_length - pbkdf2->bytes_used;
+ if (n > output_length) {
+ n = (uint8_t) output_length;
+ }
+ memcpy(output, pbkdf2->output_block + pbkdf2->bytes_used, n);
+ output += n;
+ output_length -= n;
+ pbkdf2->bytes_used += n;
+
+ if (output_length == 0) {
+ break;
+ }
+
+ /* We need a new block */
+ pbkdf2->bytes_used = 0;
+ pbkdf2->block_number++;
+
+ status = psa_key_derivation_pbkdf2_generate_block(pbkdf2, prf_alg,
+ prf_output_length,
+ &attributes);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+
+ return PSA_SUCCESS;
+}
 #endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
 psa_status_t psa_key_derivation_output_bytes(
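Review bot: `prf_alg` and `prf_output_length` are assigned only inside `if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg))`, yet the `switch` and the `while` loop below read them unconditionally, so any other `kdf_alg` would reach `memcpy` with an indeterminate length. The caller shown in the next hunk only dispatches PBKDF2-HMAC algorithms here, but the function should not rely on that: close the branch with `} else { return PSA_ERROR_INVALID_ARGUMENT; }`. Separately, `pbkdf2->block_number++` has no guard against wrapping the 32-bit counter, and a wrapped counter would repeat earlier output blocks. If a capacity limit enforced elsewhere rules this out, a comment saying so next to the increment would help.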
@@ -5586,11 +5646,8 @@ psa_status_t psa_key_derivation_output_bytes(
 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
 if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
- /* As output functionality is not added yet return
- * PSA_ERROR_NOT_SUPPORTED for now if inputs are passed correctly.
- * If input validation fails operation is aborted and output_bytes
- * will return PSA_ERROR_BAD_STATE */
- status = PSA_ERROR_NOT_SUPPORTED;
+ status = psa_key_derivation_pbkdf2_read(&operation->ctx.pbkdf2, kdf_alg,
+ output, output_length);
 } else
 #endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
From 81797fc27052223bebd6336fb6ac5d0d5716f875 Mon Sep 17 00:00:00 2001
From: Kusumit Ghoderao
Date: Mon, 5 Jun 2023 15:05:09 +0530
Subject: [PATCH 04/18] Add cost and password steps to derive_output_test function
Signed-off-by: Kusumit Ghoderao
---
 tests/suites/test_suite_psa_crypto.function | 23 +++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index b0123d9c8f..cdd7a81e43 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -8713,6 +8713,20 @@ void derive_output(int alg_arg,
 switch (steps[i]) {
 case 0:
 break;
+ case PSA_KEY_DERIVATION_INPUT_COST:
+ TEST_EQUAL(psa_key_derivation_input_integer(
+ &operation, steps[i],
+ parse_binary_string(inputs[i])),
+ statuses[i]);
+ if (statuses[i] != PSA_SUCCESS) {
+ goto exit;
+ }
+ break;
+ case PSA_KEY_DERIVATION_INPUT_PASSWORD:
+ if (!PSA_ALG_IS_PBKDF2_HMAC(alg)) {
+ goto exit;
+ }
+ // fall through
 case PSA_KEY_DERIVATION_INPUT_SECRET:
 switch (key_input_type) {
 case 0: // input bytes
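Review bot: In the `derive_output` hunk, the `PSA_KEY_DERIVATION_INPUT_PASSWORD` case does `goto exit` when the algorithm is not PBKDF2-HMAC without recording a failure, so a mis-specified test case would apparently be reported as passing instead of being rejected. Prefer failing loudly before falling through to the `PSA_KEY_DERIVATION_INPUT_SECRET` handling, for example `TEST_ASSERT(PSA_ALG_IS_PBKDF2_HMAC(alg));`. Patch 10/18 later removes this guard altogether, but until then a wrong step in the data file goes unnoticed. The switch body continues outside the hunk.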
@@ -8740,9 +8754,14 @@ void derive_output(int alg_arg,
 PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE);
 }
- PSA_ASSERT(psa_key_derivation_input_key(&operation,
+ TEST_EQUAL(psa_key_derivation_input_key(&operation,
 steps[i],
- keys[i]));
+ keys[i]),
+ statuses[i]);
+
+ if (statuses[i] != PSA_SUCCESS) {
+ goto exit;
+ }
 break;
 default:
 TEST_ASSERT(!"default case not supported");
From e70a8bbb088956dfab79cde2dc8cc119cba75b26 Mon Sep 17 00:00:00 2001
From: Kusumit Ghoderao
Date: Mon, 5 Jun 2023 15:07:10 +0530
Subject: [PATCH 05/18] Change derive_input test cases for implemented output_bytes
The tests earlier reported PSA_ERROR_NOT_SUPPORTED as final output as the output_bytes function was not implemented for pbkdf2. The test cases have now been modified to the correct error codes.
Signed-off-by: Kusumit Ghoderao
---
 tests/suites/test_suite_psa_crypto.data | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index a83140d7e1..da7e1908ba 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -5469,15 +5469,15 @@ derive_input:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KE PSA key derivation: PBKDF2-HMAC-SHA256, good case, direct output depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_SUCCESS:PSA_KEY_TYPE_NONE:PSA_ERROR_NOT_SUPPORTED +derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_SUCCESS:PSA_KEY_TYPE_NONE:PSA_SUCCESS PSA key derivation: PBKDF2-HMAC-SHA256, good case, key output depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_SUCCESS:PSA_KEY_TYPE_DERIVE:PSA_ERROR_NOT_SUPPORTED +derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_SUCCESS:PSA_KEY_TYPE_DERIVE:PSA_SUCCESS PSA key derivation: PBKDF2-HMAC-SHA256, good case, DERIVE key as password, key output depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_DERIVE:"706173737764":PSA_SUCCESS:PSA_KEY_TYPE_DERIVE:PSA_ERROR_NOT_SUPPORTED 
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_DERIVE:"706173737764":PSA_SUCCESS:PSA_KEY_TYPE_DERIVE:PSA_SUCCESS PSA key derivation: PBKDF2-HMAC-SHA256, input cost greater than PSA_VENDOR_PBKDF2_MAX_ITERATIONS #Input cost is passed as hex number. Value of PSA_VENDOR_PBKDF2_MAX_ITERATIONS is 0xffffffff @@ -5490,7 +5490,7 @@ derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST: PSA key derivation: PBKDF2-HMAC-SHA256, password missing depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_SUCCESS:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_NOT_SUPPORTED +derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_SUCCESS:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE PSA key derivation: PBKDF2-HMAC-SHA256, salt and password before cost depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 
@@ -5506,11 +5506,11 @@ derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST: PSA key derivation: PBKDF2-HMAC-SHA256, direct password, direct output depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_NONE:"706173737764":PSA_SUCCESS:PSA_KEY_TYPE_NONE:PSA_ERROR_NOT_SUPPORTED +derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_NONE:"706173737764":PSA_SUCCESS:PSA_KEY_TYPE_NONE:PSA_SUCCESS PSA key derivation: PBKDF2-HMAC-SHA256, direct empty password, direct output depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_TYPE_NONE:PSA_ERROR_NOT_SUPPORTED +derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_TYPE_NONE:PSA_SUCCESS PSA key derivation: PBKDF2-HMAC-SHA256, direct password, key output depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 
@@ -5526,7 +5526,7 @@ derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST: PSA key derivation: PBKDF2-HMAC-SHA256, duplicate salt step depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_SUCCESS:PSA_KEY_TYPE_NONE:PSA_ERROR_NOT_SUPPORTED +derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"7361":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"6c74":PSA_SUCCESS:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE PSA key derivation: PBKDF2-HMAC-SHA256, reject secret step depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 From 2b5c91b757897a3ef6f791dd693ae3e4242a558f Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Mon, 5 Jun 2023 15:10:04 +0530 Subject: [PATCH 06/18] Add RFC tests for pbkdf2 output Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.data | 41 +++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index da7e1908ba..dbbe06b764 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -6257,6 +6257,47 @@ PSA key derivation: over capacity 42: output 43+1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865ff":"ff":0:1:0 +PSA key derivation: PBKDF2-HMAC(SHA-256), RFC7914 #1, 64+0 +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"706173737764":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"55ac046e56e3089fec1691c22544b605f94185216dde0465e68b9d57c20dacbc49ca9cccf179b645991664b39d77ef317c71b845b1e30bd509112041d3a19783":"":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-256), RFC7914 #1, 54+10 +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"706173737764":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"55ac046e56e3089fec1691c22544b605f94185216dde0465e68b9d57c20dacbc49ca9cccf179b645991664b39d77ef317c71b845b1e3":"0bd509112041d3a19783":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #1, 20+0 +# https://www.rfc-editor.org/rfc/rfc6070#section-2:~:text=shortcoming.%0A%0A2.-,PBKDF2%20HMAC%2DSHA1%20Test%20Vectors,-The%20input%20strings +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 
+derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"0c60c80f961f0e71f3a9b524af6012062fe037a6":"":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #1, 0+20 +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"":"0c60c80f961f0e71f3a9b524af6012062fe037a6":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #1, 1+19 +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"0c":"60c80f961f0e71f3a9b524af6012062fe037a6":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #1, 10+10 +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"0c60c80f961f0e71f3a9":"b524af6012062fe037a6":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #2 +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_COST:"02":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957":"":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #3 
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_COST:"1000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"4b007901b765489abead49d926f721d065a429c1":"":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #5gs +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_COST:"1000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c7453414c5473616c7453414c5473616c7453414c5473616c7453414c5473616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f726450415353574f524470617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":25:"3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038":"":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #6 +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_COST:"1000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"7361006c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"7061737300776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":16:"56fa6aa75548099dcc37d7f03425e0c3":"":0:1:0 + PSA key derivation: ECJPAKE to PMS, no input depends_on:PSA_WANT_ALG_SHA_256 derive_ecjpake_to_pms:"":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"":PSA_ERROR_INVALID_ARGUMENT From c63d1404364a971fa88edebfee4a786dc5554a97 Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Mon, 5 Jun 2023 15:10:51 +0530 Subject: [PATCH 07/18] Add negative cases for pbkdf2 output Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.data | 40 +++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index dbbe06b764..1e64c2aef4 100644 --- a/tests/suites/test_suite_psa_crypto.data 
+++ b/tests/suites/test_suite_psa_crypto.data 
@@ -6298,6 +6298,46 @@ PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #6 depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_COST:"1000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"7361006c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"7061737300776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":16:"56fa6aa75548099dcc37d7f03425e0c3":"":0:1:0 +PSA key derivation: PBKDF2-HMAC(SHA-256), RFC7914 #1, salt in two step +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"7361":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"6c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"706173737764":PSA_SUCCESS:"":64:"55ac046e56e3089fec1691c22544b605f94185216dde0465e68b9d57c20dacbc49ca9cccf179b645991664b39d77ef317c71b845b1e30bd509112041d3a19783":"":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-256), RFC7914 #1, password as key, derive key +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"706173737764":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"55ac046e56e3089fec1691c22544b605f94185216dde0465e68b9d57c20dacbc49ca9cccf179b645991664b39d77ef317c71b845b1e30bd509112041d3a19783":"":0:1:1 + +PSA key derivation: PBKDF2-HMAC(SHA-256), RFC7914 #1, password as bytes +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"706173737764":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"55ac046e56e3089fec1691c22544b605f94185216dde0465e68b9d57c20dacbc49ca9cccf179b645991664b39d77ef317c71b845b1e30bd509112041d3a19783":"":0:0:0 + +PSA key 
derivation: PBKDF2-HMAC(SHA-256), RFC7914 #1, password as bytes, derive key +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"706173737764":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"":"":1:0:0 + +PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #1, salt before cost +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f7264":PSA_ERROR_BAD_STATE:0:"":PSA_SUCCESS:"":20:"0c60c80f961f0e71f3a9b524af6012062fe037a6":"":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #1, 20+1 (over capacity) +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"0c60c80f961f0e71f3a9b524af6012062fe037a6":"00":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-256), input secret +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"abcd":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"":"":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-256), input label +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_LABEL:"abcd":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"":"":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-256), input seed +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 
+derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"abcd":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"":"":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-256), input info +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_INFO:"abcd":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"":"":0:1:0 + PSA key derivation: ECJPAKE to PMS, no input depends_on:PSA_WANT_ALG_SHA_256 derive_ecjpake_to_pms:"":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"":PSA_ERROR_INVALID_ARGUMENT From 354434c4661fd25ed8972f77f60ee531b85d11b4 Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Tue, 6 Jun 2023 12:18:28 +0530 Subject: [PATCH 08/18] Add changelog entry Signed-off-by: Kusumit Ghoderao --- ChangeLog.d/add-pbkdf2-hmac.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/add-pbkdf2-hmac.txt diff --git a/ChangeLog.d/add-pbkdf2-hmac.txt b/ChangeLog.d/add-pbkdf2-hmac.txt new file mode 100644 index 0000000000..97b7b46b8f --- /dev/null +++ b/ChangeLog.d/add-pbkdf2-hmac.txt @@ -0,0 +1,3 @@ +Features + * Add PBKDF2-HMAC implementation with PSA API for + key derivation From f28e0f5beda1c147413bcca58af29ef3ef9191ee Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Tue, 6 Jun 2023 15:03:22 +0530 Subject: [PATCH 09/18] Fix code style Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.function | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index cdd7a81e43..ff6066a14b 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function 
@@ -8715,9 +8715,9 @@ void derive_output(int alg_arg, break; case PSA_KEY_DERIVATION_INPUT_COST: TEST_EQUAL(psa_key_derivation_input_integer( - &operation, steps[i], - parse_binary_string(inputs[i])), - statuses[i]); + &operation, steps[i], + parse_binary_string(inputs[i])), + statuses[i]); if (statuses[i] != PSA_SUCCESS) { goto exit; } @@ -8726,7 +8726,7 @@ void derive_output(int alg_arg, if (!PSA_ALG_IS_PBKDF2_HMAC(alg)) { goto exit; } - // fall through + // fall through case PSA_KEY_DERIVATION_INPUT_SECRET: switch (key_input_type) { case 0: // input bytes From 28daefab0790487aa1b4d460ba1b7f5dfbdf9fab Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Tue, 6 Jun 2023 16:31:39 +0530 Subject: [PATCH 10/18] Fix fall through warning Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.function | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index ff6066a14b..234764af30 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -8723,10 +8723,6 @@ void derive_output(int alg_arg, } break; case PSA_KEY_DERIVATION_INPUT_PASSWORD: - if (!PSA_ALG_IS_PBKDF2_HMAC(alg)) { - goto exit; - } - // fall through case PSA_KEY_DERIVATION_INPUT_SECRET: switch (key_input_type) { case 0: // input bytes From b821a5fd674fd91cd19fd46cd6965315c3aca01d Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Thu, 8 Jun 2023 16:35:55 +0530 Subject: [PATCH 11/18] Use multipart mac operation for adding salt and counter Signed-off-by: Kusumit Ghoderao --- library/psa_crypto.c | 42 +++++++++++++++++++++++++++++++----------- 1 file changed, 31 insertions(+), 11 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 38ceb46f13..8ea731bfe7 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -5482,24 +5482,44 @@ static psa_status_t psa_key_derivation_pbkdf2_generate_block(
 psa_key_attributes_t *attributes)
 {
 psa_status_t status;
+ psa_mac_operation_t mac_operation = PSA_MAC_OPERATION_INIT;
 size_t mac_output_length;
- uint8_t U_i[PSA_HASH_MAX_SIZE];
- uint8_t U_accumulator[PSA_HASH_MAX_SIZE];
- uint8_t j;
+ uint8_t U_i[PSA_MAC_MAX_SIZE];
+ uint8_t U_accumulator[PSA_MAC_MAX_SIZE];
 uint64_t i;
+ uint8_t block_counter[4];
- uint8_t *input = mbedtls_calloc(pbkdf2->salt_length + 4, 1);
- memcpy(input, pbkdf2->salt, pbkdf2->salt_length);
- MBEDTLS_PUT_UINT32_BE(pbkdf2->block_number, input, pbkdf2->salt_length);
+ mac_operation.is_sign = 1;
+ mac_operation.mac_size = prf_output_length;
+ MBEDTLS_PUT_UINT32_BE(pbkdf2->block_number, block_counter, 0);
- status = psa_driver_wrapper_mac_compute(attributes, pbkdf2->password,
- pbkdf2->password_length, prf_alg,
- input, (pbkdf2->salt_length + 4),
- U_i, prf_output_length,
- &mac_output_length);
+ status = psa_driver_wrapper_mac_sign_setup(&mac_operation,
+ attributes,
+ pbkdf2->password,
+ pbkdf2->password_length,
+ prf_alg);
 if (status != PSA_SUCCESS) {
 goto cleanup;
 }
+ status = psa_mac_update(&mac_operation, pbkdf2->salt, pbkdf2->salt_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_update(&mac_operation, block_counter, 4UL);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_sign_finish(&mac_operation, U_i, sizeof(U_i),
+ &mac_output_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ if (mac_output_length != prf_output_length) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto cleanup;
+ }
+
 memcpy(U_accumulator, U_i, mac_output_length);
 for (i = 1; i < pbkdf2->input_cost; i++) {
From 109ee3de36453387aa107d89723ecabe44737836 Mon Sep 17 00:00:00 2001
From: Kusumit Ghoderao
Date: Thu, 8 Jun 2023 16:36:45 +0530
Subject: [PATCH 12/18] Use size of buffer for mac_size
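Review bot: `mac_operation` is keyed with the password in `psa_driver_wrapper_mac_sign_setup`, but none of the `goto cleanup` paths added here abort it, and the `cleanup` label (outside this hunk) only zeroizes the two stack buffers. Unless every failing call is guaranteed to abort the operation itself, which is not visible here, add `psa_mac_abort(&mac_operation);` under `cleanup` so the keyed MAC state is released and wiped on error. The hunk also pairs a driver-level setup with the API-level `psa_mac_update`/`psa_mac_sign_finish` and sets `is_sign` and `mac_size` by hand, which deserves a short comment explaining why. Finally, this commit deletes the declarations of `j` and `input` while the XOR loop and the `cleanup` lines that use them are only removed in 12/18, so 11/18 does not appear to build on its own.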
Signed-off-by: Kusumit Ghoderao
---
 library/psa_crypto.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 8ea731bfe7..baac97cde5 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -5527,26 +5527,21 @@ static psa_status_t psa_key_derivation_pbkdf2_generate_block(
 pbkdf2->password,
 pbkdf2->password_length,
 prf_alg, U_i, prf_output_length,
- U_i, prf_output_length,
+ U_i, sizeof(U_i),
 &mac_output_length);
 if (status != PSA_SUCCESS) {
 goto cleanup;
 }
- // U1 xor U2
- for (j = 0; j < prf_output_length; j++) {
- U_accumulator[j] ^= U_i[j];
- }
+ mbedtls_xor(U_accumulator, U_accumulator, U_i, prf_output_length);
 }
 memcpy(pbkdf2->output_block, U_accumulator, prf_output_length);
 cleanup:
 /* Zeroise buffers to clear sensitive data from memory. */
- mbedtls_platform_zeroize(U_accumulator, PSA_HASH_MAX_SIZE);
- mbedtls_platform_zeroize(U_i, PSA_HASH_MAX_SIZE);
- mbedtls_platform_zeroize(input, pbkdf2->salt_length + 4);
- mbedtls_free(input);
+ mbedtls_platform_zeroize(U_accumulator, PSA_MAC_MAX_SIZE);
+ mbedtls_platform_zeroize(U_i, PSA_MAC_MAX_SIZE);
 return status;
 }
From b31059f072dfd97bdfa50d7ed067407477e60e2f Mon Sep 17 00:00:00 2001
From: Kusumit Ghoderao
Date: Thu, 8 Jun 2023 16:42:37 +0530
Subject: [PATCH 13/18] Remove negative tests for input validation
Signed-off-by: Kusumit Ghoderao
---
 tests/suites/test_suite_psa_crypto.data | 22 +++-------------------
 1 file changed, 3 insertions(+), 19 deletions(-)
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 1e64c2aef4..d0f8b3bc24 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
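Review bot: Inside the iteration loop the MAC call may now write up to `sizeof(U_i)` bytes, but `mac_output_length` is not compared with `prf_output_length` afterwards as 11/18 does for the first block, so a PRF that reported a different length would be XORed over `prf_output_length` bytes without notice. Repeat the check after the call: `if (mac_output_length != prf_output_length) { status = PSA_ERROR_INVALID_ARGUMENT; goto cleanup; }`. In `cleanup`, `mbedtls_platform_zeroize(U_i, sizeof(U_i));` and the same for `U_accumulator` would tie the wipe to the buffers rather than to a size macro that has already changed once in this series. The function starts outside this hunk.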
@@ -6266,7 +6266,7 @@ depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"706173737764":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"55ac046e56e3089fec1691c22544b605f94185216dde0465e68b9d57c20dacbc49ca9cccf179b645991664b39d77ef317c71b845b1e3":"0bd509112041d3a19783":0:1:0 PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #1, 20+0 -# https://www.rfc-editor.org/rfc/rfc6070#section-2:~:text=shortcoming.%0A%0A2.-,PBKDF2%20HMAC%2DSHA1%20Test%20Vectors,-The%20input%20strings +# https://www.rfc-editor.org/rfc/rfc6070#section-2 depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"0c60c80f961f0e71f3a9b524af6012062fe037a6":"":0:1:0 
@@ -6290,7 +6290,7 @@ PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #3 depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_COST:"1000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"4b007901b765489abead49d926f721d065a429c1":"":0:1:0 -PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #5gs +PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #5 depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_COST:"1000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c7453414c5473616c7453414c5473616c7453414c5473616c7453414c5473616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f726450415353574f524470617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":25:"3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038":"":0:1:0 @@ -6312,7 +6312,7 @@ derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST PSA key derivation: PBKDF2-HMAC(SHA-256), RFC7914 #1, password as bytes, derive key depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"706173737764":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"":"":1:0:0 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"706173737764":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"":"":0:0:1 PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #1, salt before cost depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 
@@ -6322,22 +6322,6 @@ PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #1, 20+1 (over capacity) depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_COST:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"0c60c80f961f0e71f3a9b524af6012062fe037a6":"00":0:1:0 -PSA key derivation: PBKDF2-HMAC(SHA-256), input secret -depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:"abcd":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"":"":0:1:0 - -PSA key derivation: PBKDF2-HMAC(SHA-256), input label -depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_LABEL:"abcd":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"":"":0:1:0 - -PSA key derivation: PBKDF2-HMAC(SHA-256), input seed -depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"abcd":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"":"":0:1:0 - -PSA key derivation: PBKDF2-HMAC(SHA-256), input info -depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 -derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_INFO:"abcd":PSA_ERROR_INVALID_ARGUMENT:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"":"":0:1:0 - PSA key derivation: ECJPAKE to PMS, no input depends_on:PSA_WANT_ALG_SHA_256 derive_ecjpake_to_pms:"":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SECRET:32:PSA_SUCCESS:"":PSA_ERROR_INVALID_ARGUMENT From e5dd11164a66651169ab8e9a659001a332f20eb4 Mon Sep 17 00:00:00 2001 
From: Kusumit Ghoderao Date: Thu, 8 Jun 2023 16:43:32 +0530 Subject: [PATCH 14/18] Edit changelog Signed-off-by: Kusumit Ghoderao --- ChangeLog.d/add-pbkdf2-hmac.txt | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ChangeLog.d/add-pbkdf2-hmac.txt b/ChangeLog.d/add-pbkdf2-hmac.txt index 97b7b46b8f..2708098a3b 100644 --- a/ChangeLog.d/add-pbkdf2-hmac.txt +++ b/ChangeLog.d/add-pbkdf2-hmac.txt @@ -1,3 +1,2 @@ Features - * Add PBKDF2-HMAC implementation with PSA API for - key derivation + * Add support for PBKDF2-HMAC through the PSA API. From d9ec1afd136d48b926f1890cb50b45e88a297333 Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Thu, 8 Jun 2023 20:19:51 +0530 Subject: [PATCH 15/18] Fix failing Ci Signed-off-by: Kusumit Ghoderao --- library/psa_crypto.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index baac97cde5..35bd42eb0f 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -5541,7 +5541,7 @@ static psa_status_t psa_key_derivation_pbkdf2_generate_block( cleanup: /* Zeroise buffers to clear sensitive data from memory. */ mbedtls_platform_zeroize(U_accumulator, PSA_MAC_MAX_SIZE); - mbedtls_platform_zeroize(U_i, PSA_MAC_MAX_SIZE); + mbedtls_platform_zeroize(U_i, PSA_MAC_MAX_SIZE); return status; } @@ -5562,6 +5562,8 @@ static psa_status_t psa_key_derivation_pbkdf2_read( prf_alg = PSA_ALG_HMAC(PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg)); prf_output_length = PSA_HASH_LENGTH(prf_alg); psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC); + } else { + return PSA_ERROR_INVALID_ARGUMENT; } switch (pbkdf2->state) { From 257ea001990fbbaf8f5cb133686692b01a86973f Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Wed, 14 Jun 2023 15:55:11 +0530 Subject: [PATCH 16/18] Use output block as U_accumulator Signed-off-by: Kusumit Ghoderao --- library/psa_crypto.c | 28 ++++++++++------------------ 1 file changed, 10 insertions(+), 18 deletions(-) 
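Review bot: The new `else` in `psa_key_derivation_pbkdf2_read` deserves a comment saying why it exists, since the commit subject does not explain it. In the visible lines `prf_alg` and `prf_output_length` are assigned only inside the branch above, so without the early return the `switch` that follows would presumably use them unset. Something like `/* Not a PBKDF2-HMAC algorithm: prf_alg and prf_output_length are only set in the branch above. */` before the `return` would do. The declarations and the rest of the function are outside the hunk, so whether they carry initialisers cannot be confirmed from here.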
diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 35bd42eb0f..a76eb0580d 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -5485,7 +5485,7 @@ static psa_status_t psa_key_derivation_pbkdf2_generate_block( psa_mac_operation_t mac_operation = PSA_MAC_OPERATION_INIT; size_t mac_output_length; uint8_t U_i[PSA_MAC_MAX_SIZE]; - uint8_t U_accumulator[PSA_MAC_MAX_SIZE]; + uint8_t *U_accumulator = pbkdf2->output_block; uint64_t i; uint8_t block_counter[4]; @@ -5499,28 +5499,28 @@ static psa_status_t psa_key_derivation_pbkdf2_generate_block( pbkdf2->password_length, prf_alg); if (status != PSA_SUCCESS) { - goto cleanup; + return status; } status = psa_mac_update(&mac_operation, pbkdf2->salt, pbkdf2->salt_length); if (status != PSA_SUCCESS) { - goto cleanup; + return status; } - status = psa_mac_update(&mac_operation, block_counter, 4UL); + status = psa_mac_update(&mac_operation, block_counter, sizeof(block_counter)); if (status != PSA_SUCCESS) { - goto cleanup; + return status; } status = psa_mac_sign_finish(&mac_operation, U_i, sizeof(U_i), &mac_output_length); if (status != PSA_SUCCESS) { - goto cleanup; + return status; } if (mac_output_length != prf_output_length) { - status = PSA_ERROR_INVALID_ARGUMENT; - goto cleanup; + status = PSA_ERROR_CORRUPTION_DETECTED; + return status; } - memcpy(U_accumulator, U_i, mac_output_length); + memcpy(U_accumulator, U_i, prf_output_length); for (i = 1; i < pbkdf2->input_cost; i++) { status = psa_driver_wrapper_mac_compute(attributes, 
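Review bot: Pointing `U_accumulator` at `pbkdf2->output_block` means a failure partway through the iteration loop now leaves a partially iterated block in the operation state. Before this change the result was copied into `output_block` only after the last round. I would document that at the declaration, e.g. `/* Aliases the operation's output block; holds an intermediate value until the loop completes. */`, and confirm that callers discard `output_block` when this function returns an error, which is not visible in these hunks. If they do not, wiping `output_block` on the error path would be the safer contract.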
@@ -5530,19 +5530,11 @@ static psa_status_t psa_key_derivation_pbkdf2_generate_block( U_i, sizeof(U_i), &mac_output_length); if (status != PSA_SUCCESS) { - goto cleanup; + return status; } mbedtls_xor(U_accumulator, U_accumulator, U_i, prf_output_length); } - - memcpy(pbkdf2->output_block, U_accumulator, prf_output_length); - -cleanup: - /* Zeroise buffers to clear sensitive data from memory. */ - mbedtls_platform_zeroize(U_accumulator, PSA_MAC_MAX_SIZE); - mbedtls_platform_zeroize(U_i, PSA_MAC_MAX_SIZE); - return status; } static psa_status_t psa_key_derivation_pbkdf2_read( From d07761c19c8144daa5c976ada427d93980d8ede8 Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Thu, 15 Jun 2023 12:11:15 +0530 Subject: [PATCH 17/18] add return statement Signed-off-by: Kusumit Ghoderao --- library/psa_crypto.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a76eb0580d..41f13cdfe9 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -5535,6 +5535,7 @@ static psa_status_t psa_key_derivation_pbkdf2_generate_block( mbedtls_xor(U_accumulator, U_accumulator, U_i, prf_output_length); } + return PSA_SUCCESS; } static psa_status_t psa_key_derivation_pbkdf2_read( From 246e51fd0b4b73db848f8e102ff341bce91a04d4 Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Thu, 15 Jun 2023 22:15:43 +0530 Subject: [PATCH 18/18] Add cleanup for intermediate buffer Signed-off-by: Kusumit Ghoderao --- library/psa_crypto.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 41f13cdfe9..258a4057e0 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -5499,25 +5499,25 @@ static psa_status_t psa_key_derivation_pbkdf2_generate_block( pbkdf2->password_length, prf_alg); if (status != PSA_SUCCESS) { - return status; + goto cleanup; } status = psa_mac_update(&mac_operation, pbkdf2->salt, pbkdf2->salt_length); if (status != PSA_SUCCESS) { - return status; + goto cleanup; } status = psa_mac_update(&mac_operation, block_counter, sizeof(block_counter)); if (status != PSA_SUCCESS) { - return status; + goto cleanup; } status = psa_mac_sign_finish(&mac_operation, U_i, sizeof(U_i), &mac_output_length); if (status != PSA_SUCCESS) { - return status; + goto cleanup; } if (mac_output_length != prf_output_length) { status = PSA_ERROR_CORRUPTION_DETECTED; - return status; + goto cleanup; } memcpy(U_accumulator, U_i, prf_output_length); @@ -5530,12 +5530,16 @@ static psa_status_t psa_key_derivation_pbkdf2_generate_block( U_i, sizeof(U_i), &mac_output_length); if (status != PSA_SUCCESS) { - return status; + goto cleanup; } mbedtls_xor(U_accumulator, U_accumulator, U_i, prf_output_length); } - return PSA_SUCCESS; + +cleanup: + /* Zeroise buffers to clear sensitive data from memory. */ + mbedtls_platform_zeroize(U_i, PSA_MAC_MAX_SIZE); + return status; } static psa_status_t psa_key_derivation_pbkdf2_read(
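Review bot: The wipe in the new `cleanup:` block hard-codes `PSA_MAC_MAX_SIZE`, while the MAC calls in the same function size the buffer with `sizeof(U_i)`. Writing `mbedtls_platform_zeroize(U_i, sizeof(U_i));` keeps the wipe length tied to the array's declaration. That matters because an earlier patch in this series already changed the constant in these calls from `PSA_HASH_MAX_SIZE` to `PSA_MAC_MAX_SIZE`, and a later mismatch would either leave part of the buffer unwiped or write past it. The declaration of `U_i` is outside this hunk.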