From ec7012dbc766611395c55b3f6760b6bca0180797 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 5 Oct 2022 12:17:34 +0200 Subject: [PATCH 1/6] Fix I/O format of PSA EC J-PAKE for compliance MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The format used by the mbedtls_ecjpake_xxx() APIs and that defined by the PSA Crypto PAKE extension are quite different; the former is tailored to the needs of TLS while the later is quite generic and plain. Previously we only addressed some part of this impedance mismatch: the different number of I/O rounds, but failed to address the part where the legacy API adds some extras (length bytes, ECParameters) that shouldn't be present in the PSA Crypto version. See comments in the code. Add some length testing as well; would have caught the issue. Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_extra.h | 21 +++--- library/psa_crypto_pake.c | 81 ++++++++++++--------- tests/suites/test_suite_psa_crypto.data | 4 + tests/suites/test_suite_psa_crypto.function | 71 ++++++++++++++++++ 4 files changed, 134 insertions(+), 43 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 6c2e06e503..ef9d13886e 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1765,9 +1765,9 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation ); primitive == PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, \ PSA_ECC_FAMILY_SECP_R1, 256) ? \ ( \ - output_step == PSA_PAKE_STEP_KEY_SHARE ? 69 : \ - output_step == PSA_PAKE_STEP_ZK_PUBLIC ? 66 : \ - 33 \ + output_step == PSA_PAKE_STEP_KEY_SHARE ? 65 : \ + output_step == PSA_PAKE_STEP_ZK_PUBLIC ? 65 : \ + 32 \ ) : \ 0 ) @@ -1795,9 +1795,9 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation ); primitive == PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, \ PSA_ECC_FAMILY_SECP_R1, 256) ? \ ( \ - input_step == PSA_PAKE_STEP_KEY_SHARE ? 69 : \ - input_step == PSA_PAKE_STEP_ZK_PUBLIC ? 66 : \ - 33 \ + input_step == PSA_PAKE_STEP_KEY_SHARE ? 65 : \ + input_step == PSA_PAKE_STEP_ZK_PUBLIC ? 65 : \ + 32 \ ) : \ 0 ) @@ -1808,7 +1808,7 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation ); * * See also #PSA_PAKE_OUTPUT_SIZE(\p alg, \p primitive, \p step). */ -#define PSA_PAKE_OUTPUT_MAX_SIZE 69 +#define PSA_PAKE_OUTPUT_MAX_SIZE 65 /** Input buffer size for psa_pake_input() for any of the supported PAKE * algorithm and primitive suites and input step. @@ -1817,7 +1817,7 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation ); * * See also #PSA_PAKE_INPUT_SIZE(\p alg, \p primitive, \p step). */ -#define PSA_PAKE_INPUT_MAX_SIZE 69 +#define PSA_PAKE_INPUT_MAX_SIZE 65 /** Returns a suitable initializer for a PAKE cipher suite object of type * psa_pake_cipher_suite_t. @@ -1906,7 +1906,10 @@ static inline void psa_pake_cs_set_hash( psa_pake_cipher_suite_t *cipher_suite, #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) #include -#define PSA_PAKE_BUFFER_SIZE ( ( 69 + 66 + 33 ) * 2 ) +/* Note: the format for mbedtls_ecjpake_read/write function has an extra + * length byte for each step, plus an extra 3 bytes for ECParameters in the + * server's 2nd round. */ +#define PSA_PAKE_BUFFER_SIZE ( ( 3 + 1 + 65 + 1 + 65 + 1 + 32 ) * 2 ) #endif struct psa_pake_operation_s diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 10d3e4a1b0..df091bc2ca 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -522,44 +522,29 @@ psa_status_t psa_pake_output( psa_pake_operation_t *operation, } /* - * Steps sequences are stored as: - * struct { - * opaque point <1..2^8-1>; - * } ECPoint; + * mbedtls_ecjpake_write_round_xxx() outputs thing in the format + * defined by draft-cragie-tls-ecjpake-01 section 7. The summary is + * that the data for each step is prepended with a length byte, and + * then they're concatenated. Additionally, the server's second round + * output is prepended with a 3-bytes ECParameters structure. * - * Where byte 0 stores the ECPoint curve point length. - * - * The sequence length is equal to: - * - data length extracted from byte 0 - * - byte 0 size (1) + * In PSA, we output each step separately, and don't prepend the + * output with a length byte, even less a curve identifier, as that + * information is already available. */ if( operation->state == PSA_PAKE_OUTPUT_X2S && - operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE ) + operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && + operation->role == PSA_PAKE_ROLE_SERVER ) { - if( operation->role == PSA_PAKE_ROLE_SERVER ) - /* - * The X2S KEY SHARE Server steps sequence is stored as: - * struct { - * ECPoint X; - * opaque r <1..2^8-1>; - * } ECSchnorrZKP; - * - * And MbedTLS uses a 3 bytes Ephemeral public key ECPoint, - * so byte 3 stores the r Schnorr signature length. - * - * The sequence length is equal to: - * - curve storage size (3) - * - data length extracted from byte 3 - * - byte 3 size (1) - */ - length = 3 + operation->buffer[3] + 1; - else - length = operation->buffer[0] + 1; + /* Skip ECParameters, with is 3 bytes (RFC 8422) */ + operation->buffer_offset += 3; } - else - length = operation->buffer[operation->buffer_offset] + 1; - if( length > operation->buffer_length ) + /* Read the length byte then move past it to the data */ + length = operation->buffer[operation->buffer_offset]; + operation->buffer_offset += 1; + + if( operation->buffer_offset + length > operation->buffer_length ) return( PSA_ERROR_DATA_CORRUPT ); if( output_size < length ) @@ -569,7 +554,7 @@ psa_status_t psa_pake_output( psa_pake_operation_t *operation, } memcpy( output, - operation->buffer + operation->buffer_offset, + operation->buffer + operation->buffer_offset, length ); *output_length = length; @@ -709,7 +694,35 @@ psa_status_t psa_pake_input( psa_pake_operation_t *operation, return( PSA_ERROR_BAD_STATE ); } - /* Copy input to local buffer */ + /* + * Copy input to local buffer and format it as the Mbed TLS API + * expects, i.e. as defined by draft-cragie-tls-ecjpake-01 section 7. + * The summary is that the data for each step is prepended with a + * length byte, and then they're concatenated. Additionally, the + * server's second round output is prepended with a 3-bytes + * ECParameters structure - which means we have to prepend that when + * we're a client. + */ + if( operation->state == PSA_PAKE_INPUT_X4S && + operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && + operation->role == PSA_PAKE_ROLE_CLIENT ) + { + /* We only support secp256r1. */ + /* This is the ECParameters structure defined by RFC 8422. */ + unsigned char ecparameters[3] = { + 3, /* named_curve */ + 0, 23 /* secp256r1 */ + }; + memcpy( operation->buffer + operation->buffer_length, + ecparameters, sizeof( ecparameters ) ); + operation->buffer_length += sizeof( ecparameters ); + } + + /* Write the length byte */ + operation->buffer[operation->buffer_length] = input_length; + operation->buffer_length += 1; + + /* Finally copy the data */ memcpy( operation->buffer + operation->buffer_length, input, input_length ); operation->buffer_length += input_length; diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index f2478be5f5..91fced88b1 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -6594,3 +6594,7 @@ ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_E PSA PAKE: ecjpake inject input errors, second round server, client input first depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:4:"abcdef" + +PSA PAKE: ecjpake size macros +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256 +ecjpake_size_macros: diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index fa237d3667..1b144df35a 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -717,6 +717,15 @@ static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE) + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC) + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF)) * 2; + /* The output should be exactly this size according to the spec */ + const size_t expected_size_key_share = + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE); + /* The output should be exactly this size according to the spec */ + const size_t expected_size_zk_public = + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC); + /* The output can be smaller: the spec allows stripping leading zeroes */ + const size_t max_expected_size_zk_proof = + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF); size_t buffer0_off = 0; size_t buffer1_off = 0; size_t s_g1_len, s_g2_len, s_a_len; @@ -744,31 +753,37 @@ static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE, buffer0 + buffer0_off, 512 - buffer0_off, &s_g1_len ) ); + TEST_EQUAL( s_g1_len, expected_size_key_share ); s_g1_off = buffer0_off; buffer0_off += s_g1_len; PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + buffer0_off, 512 - buffer0_off, &s_x1_pk_len ) ); + TEST_EQUAL( s_x1_pk_len, expected_size_zk_public ); s_x1_pk_off = buffer0_off; buffer0_off += s_x1_pk_len; PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF, buffer0 + buffer0_off, 512 - buffer0_off, &s_x1_pr_len ) ); + TEST_LE_U( s_x1_pr_len, max_expected_size_zk_proof ); s_x1_pr_off = buffer0_off; buffer0_off += s_x1_pr_len; PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE, buffer0 + buffer0_off, 512 - buffer0_off, &s_g2_len ) ); + TEST_EQUAL( s_g2_len, expected_size_key_share ); s_g2_off = buffer0_off; buffer0_off += s_g2_len; PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + buffer0_off, 512 - buffer0_off, &s_x2_pk_len ) ); + TEST_EQUAL( s_x2_pk_len, expected_size_zk_public ); s_x2_pk_off = buffer0_off; buffer0_off += s_x2_pk_len; PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF, buffer0 + buffer0_off, 512 - buffer0_off, &s_x2_pr_len ) ); + TEST_LE_U( s_x2_pr_len, max_expected_size_zk_proof ); s_x2_pr_off = buffer0_off; buffer0_off += s_x2_pr_len; @@ -876,31 +891,37 @@ static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE, buffer1 + buffer1_off, 512 - buffer1_off, &c_g1_len ) ); + TEST_EQUAL( c_g1_len, expected_size_key_share ); c_g1_off = buffer1_off; buffer1_off += c_g1_len; PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC, buffer1 + buffer1_off, 512 - buffer1_off, &c_x1_pk_len ) ); + TEST_EQUAL( c_x1_pk_len, expected_size_zk_public ); c_x1_pk_off = buffer1_off; buffer1_off += c_x1_pk_len; PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF, buffer1 + buffer1_off, 512 - buffer1_off, &c_x1_pr_len ) ); + TEST_LE_U( c_x1_pr_len, max_expected_size_zk_proof ); c_x1_pr_off = buffer1_off; buffer1_off += c_x1_pr_len; PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE, buffer1 + buffer1_off, 512 - buffer1_off, &c_g2_len ) ); + TEST_EQUAL( c_g2_len, expected_size_key_share ); c_g2_off = buffer1_off; buffer1_off += c_g2_len; PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC, buffer1 + buffer1_off, 512 - buffer1_off, &c_x2_pk_len ) ); + TEST_EQUAL( c_x2_pk_len, expected_size_zk_public ); c_x2_pk_off = buffer1_off; buffer1_off += c_x2_pk_len; PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF, buffer1 + buffer1_off, 512 - buffer1_off, &c_x2_pr_len ) ); + TEST_LE_U( c_x2_pr_len, max_expected_size_zk_proof ); c_x2_pr_off = buffer1_off; buffer1_off += c_x2_pr_len; @@ -1082,16 +1103,19 @@ static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE, buffer0 + buffer0_off, 512 - buffer0_off, &s_a_len ) ); + TEST_EQUAL( s_a_len, expected_size_key_share ); s_a_off = buffer0_off; buffer0_off += s_a_len; PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + buffer0_off, 512 - buffer0_off, &s_x2s_pk_len ) ); + TEST_EQUAL( s_x2s_pk_len, expected_size_zk_public ); s_x2s_pk_off = buffer0_off; buffer0_off += s_x2s_pk_len; PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF, buffer0 + buffer0_off, 512 - buffer0_off, &s_x2s_pr_len ) ); + TEST_LE_U( s_x2s_pr_len, max_expected_size_zk_proof ); s_x2s_pr_off = buffer0_off; buffer0_off += s_x2s_pr_len; @@ -1153,16 +1177,19 @@ static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE, buffer1 + buffer1_off, 512 - buffer1_off, &c_a_len ) ); + TEST_EQUAL( c_a_len, expected_size_key_share ); c_a_off = buffer1_off; buffer1_off += c_a_len; PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC, buffer1 + buffer1_off, 512 - buffer1_off, &c_x2s_pk_len ) ); + TEST_EQUAL( c_x2s_pk_len, expected_size_zk_public ); c_x2s_pk_off = buffer1_off; buffer1_off += c_x2s_pk_len; PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF, buffer1 + buffer1_off, 512 - buffer1_off, &c_x2s_pr_len ) ); + TEST_LE_U( c_x2s_pr_len, max_expected_size_zk_proof ); c_x2s_pr_off = buffer1_off; buffer1_off += c_x2s_pr_len; @@ -9008,3 +9035,47 @@ exit: PSA_DONE( ); } /* END_CASE */ + +/* BEGIN_CASE */ +void ecjpake_size_macros( ) +{ + const psa_algorithm_t alg = PSA_ALG_JPAKE; + const size_t bits = 256; + const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( + PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, bits ); + const psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR( + PSA_ECC_FAMILY_SECP_R1 ); + + // https://armmbed.github.io/mbed-crypto/1.1_PAKE_Extension.0-bet.0/html/pake.html#pake-step-types + /* The output for KEY_SHARE and ZK_PUBLIC is the same as a public key */ + TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), + PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( key_type, bits ) ); + TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), + PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( key_type, bits ) ); + /* The output for ZK_PROOF is the same bitsize as the curve */ + TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), + PSA_BITS_TO_BYTES( bits ) ); + + /* Input sizes are the same as output sizes */ + TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), + PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE) ); + TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), + PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC) ); + TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), + PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF) ); + + /* These inequalities will always hold even when other PAKEs are added */ + TEST_LE_U( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), + PSA_PAKE_OUTPUT_MAX_SIZE ); + TEST_LE_U( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), + PSA_PAKE_OUTPUT_MAX_SIZE ); + TEST_LE_U( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), + PSA_PAKE_OUTPUT_MAX_SIZE ); + TEST_LE_U( PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), + PSA_PAKE_INPUT_MAX_SIZE ); + TEST_LE_U( PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), + PSA_PAKE_INPUT_MAX_SIZE ); + TEST_LE_U( PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), + PSA_PAKE_INPUT_MAX_SIZE ); +} +/* END_CASE */ From 79617d99aefff403e0e82c84cdd4ae1419d1d6c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 5 Oct 2022 12:55:50 +0200 Subject: [PATCH 2/6] Fix namespacing issue MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This macro is specific to the Mbed TLS implementation and not part of the public API, so it shouldn't used the PSA_ namespace. Signed-off-by: Manuel Pégourié-Gonnard --- include/psa/crypto_extra.h | 4 ++-- library/psa_crypto_pake.c | 20 ++++++++++---------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index ef9d13886e..4f65398e24 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1909,7 +1909,7 @@ static inline void psa_pake_cs_set_hash( psa_pake_cipher_suite_t *cipher_suite, /* Note: the format for mbedtls_ecjpake_read/write function has an extra * length byte for each step, plus an extra 3 bytes for ECParameters in the * server's 2nd round. */ -#define PSA_PAKE_BUFFER_SIZE ( ( 3 + 1 + 65 + 1 + 65 + 1 + 32 ) * 2 ) +#define MBEDTLS_PSA_PAKE_BUFFER_SIZE ( ( 3 + 1 + 65 + 1 + 65 + 1 + 32 ) * 2 ) #endif struct psa_pake_operation_s @@ -1922,7 +1922,7 @@ struct psa_pake_operation_s unsigned int MBEDTLS_PRIVATE(output_step); mbedtls_svc_key_id_t MBEDTLS_PRIVATE(password); psa_pake_role_t MBEDTLS_PRIVATE(role); - uint8_t MBEDTLS_PRIVATE(buffer[PSA_PAKE_BUFFER_SIZE]); + uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_PAKE_BUFFER_SIZE]); size_t MBEDTLS_PRIVATE(buffer_length); size_t MBEDTLS_PRIVATE(buffer_offset); #endif diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index df091bc2ca..a8b02e3961 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -230,7 +230,7 @@ psa_status_t psa_pake_setup( psa_pake_operation_t *operation, operation->input_step = PSA_PAKE_STEP_X1_X2; operation->output_step = PSA_PAKE_STEP_X1_X2; - mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE ); + mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); operation->buffer_length = 0; operation->buffer_offset = 0; @@ -491,7 +491,7 @@ psa_status_t psa_pake_output( psa_pake_operation_t *operation, { ret = mbedtls_ecjpake_write_round_one( &operation->ctx.ecjpake, operation->buffer, - PSA_PAKE_BUFFER_SIZE, + MBEDTLS_PSA_PAKE_BUFFER_SIZE, &operation->buffer_length, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE ); @@ -508,7 +508,7 @@ psa_status_t psa_pake_output( psa_pake_operation_t *operation, { ret = mbedtls_ecjpake_write_round_two( &operation->ctx.ecjpake, operation->buffer, - PSA_PAKE_BUFFER_SIZE, + MBEDTLS_PSA_PAKE_BUFFER_SIZE, &operation->buffer_length, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE ); @@ -566,7 +566,7 @@ psa_status_t psa_pake_output( psa_pake_operation_t *operation, ( operation->state == PSA_PAKE_OUTPUT_X2S && operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF ) ) { - mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE ); + mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); operation->buffer_length = 0; operation->buffer_offset = 0; @@ -660,7 +660,7 @@ psa_status_t psa_pake_input( psa_pake_operation_t *operation, operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; } - buffer_remain = PSA_PAKE_BUFFER_SIZE - operation->buffer_length; + buffer_remain = MBEDTLS_PSA_PAKE_BUFFER_SIZE - operation->buffer_length; if( input_length == 0 || input_length > buffer_remain ) @@ -735,7 +735,7 @@ psa_status_t psa_pake_input( psa_pake_operation_t *operation, operation->buffer, operation->buffer_length ); - mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE ); + mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); operation->buffer_length = 0; if( ret != 0 ) @@ -751,7 +751,7 @@ psa_status_t psa_pake_input( psa_pake_operation_t *operation, operation->buffer, operation->buffer_length ); - mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE ); + mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); operation->buffer_length = 0; if( ret != 0 ) @@ -797,7 +797,7 @@ psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, { ret = mbedtls_ecjpake_write_shared_key( &operation->ctx.ecjpake, operation->buffer, - PSA_PAKE_BUFFER_SIZE, + MBEDTLS_PSA_PAKE_BUFFER_SIZE, &operation->buffer_length, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE ); @@ -812,7 +812,7 @@ psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, operation->buffer, operation->buffer_length ); - mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE ); + mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); psa_pake_abort( operation ); @@ -837,7 +837,7 @@ psa_status_t psa_pake_abort(psa_pake_operation_t * operation) operation->output_step = PSA_PAKE_STEP_INVALID; operation->password = MBEDTLS_SVC_KEY_ID_INIT; operation->role = PSA_PAKE_ROLE_NONE; - mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE ); + mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); operation->buffer_length = 0; operation->buffer_offset = 0; mbedtls_ecjpake_free( &operation->ctx.ecjpake ); From 0771d41584fc9c72514e798624473fe1ef6d3318 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 6 Oct 2022 09:30:34 +0200 Subject: [PATCH 3/6] Fix missing length check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There was a check against the remaining size of the buffer, which used to be correct, but was broken two commits ago when we started not just copying the input but also adding to it. Replace it with a check that the input length is not greater that what's expected for this step. This guarantees we won't overflow the internal buffer. While at it, add an explicit cast to uint8_t when writing the length to the buffer, so silence an MSVC warning. This cast is safe because we checked that the length is no larger than 65 or 32 (depending on the step), so in any case is fits in one byte. This was found because some lengths had not been adjusted in the test suite, and instead of failing cleanly, library code performed buffer overflows. I'll fix the tests in the next commit. Signed-off-by: Manuel Pégourié-Gonnard --- library/psa_crypto_pake.c | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index a8b02e3961..262d44d203 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -591,7 +591,6 @@ psa_status_t psa_pake_input( psa_pake_operation_t *operation, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - size_t buffer_remain; if( operation->alg == PSA_ALG_NONE || operation->state == PSA_PAKE_STATE_INVALID ) @@ -623,6 +622,11 @@ psa_status_t psa_pake_input( psa_pake_operation_t *operation, step != PSA_PAKE_STEP_ZK_PROOF ) return( PSA_ERROR_INVALID_ARGUMENT ); + const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( + PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256 ); + if( input_length > PSA_PAKE_INPUT_SIZE( PSA_ALG_JPAKE, prim, step ) ) + return( PSA_ERROR_INVALID_ARGUMENT ); + if( operation->state == PSA_PAKE_STATE_SETUP ) { status = psa_pake_ecjpake_setup( operation ); @@ -660,15 +664,6 @@ psa_status_t psa_pake_input( psa_pake_operation_t *operation, operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE; } - buffer_remain = MBEDTLS_PSA_PAKE_BUFFER_SIZE - operation->buffer_length; - - if( input_length == 0 || - input_length > buffer_remain ) - { - psa_pake_abort( operation ); - return( PSA_ERROR_INSUFFICIENT_MEMORY ); - } - /* Check if step matches current sequence */ switch( operation->sequence ) { @@ -719,7 +714,7 @@ psa_status_t psa_pake_input( psa_pake_operation_t *operation, } /* Write the length byte */ - operation->buffer[operation->buffer_length] = input_length; + operation->buffer[operation->buffer_length] = (uint8_t) input_length; operation->buffer_length += 1; /* Finally copy the data */ From b63a9ef09f6dd8d03ebcbf4b6c8744ffa90ef877 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 6 Oct 2022 10:55:19 +0200 Subject: [PATCH 4/6] Fix buffer sizes in ecjpake_setup test function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also, the error code changed from INSUFFICIENT_MEMORY to INVALID_DATA. Temporarily remove a test about aborting the operation on error. Auto-abort will be re-introduced in the next commit in a more systematic way. Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_psa_crypto.function | 44 ++++++++++----------- 1 file changed, 21 insertions(+), 23 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 1b144df35a..49887b5fc7 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -8740,6 +8740,7 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); psa_pake_operation_t operation = psa_pake_operation_init(); psa_algorithm_t alg = alg_arg; + psa_pake_primitive_t primitive = primitive_arg; psa_key_type_t key_type_pw = key_type_pw_arg; psa_key_usage_t key_usage_pw = key_usage_pw_arg; psa_algorithm_t hash_alg = hash_arg; @@ -8757,9 +8758,9 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, PSA_INIT( ); - ASSERT_ALLOC( output_buffer, - PSA_PAKE_OUTPUT_SIZE(alg, primitive_arg, - PSA_PAKE_STEP_KEY_SHARE) ); + size_t buf_size = PSA_PAKE_OUTPUT_SIZE(alg, primitive_arg, + PSA_PAKE_STEP_KEY_SHARE); + ASSERT_ALLOC( output_buffer, buf_size ); if( pw_data->len > 0 ) { @@ -8771,7 +8772,7 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, } psa_pake_cs_set_algorithm( &cipher_suite, alg ); - psa_pake_cs_set_primitive( &cipher_suite, primitive_arg ); + psa_pake_cs_set_primitive( &cipher_suite, primitive ); psa_pake_cs_set_hash( &cipher_suite, hash_alg ); PSA_ASSERT( psa_pake_abort( &operation ) ); @@ -8825,6 +8826,13 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, TEST_EQUAL( psa_pake_set_peer( &operation, unsupported_id, 4 ), PSA_ERROR_NOT_SUPPORTED ); + const size_t size_key_share = PSA_PAKE_INPUT_SIZE( alg, primitive, + PSA_PAKE_STEP_KEY_SHARE ); + const size_t size_zk_public = PSA_PAKE_INPUT_SIZE( alg, primitive, + PSA_PAKE_STEP_ZK_PUBLIC ); + const size_t size_zk_proof = PSA_PAKE_INPUT_SIZE( alg, primitive, + PSA_PAKE_STEP_ZK_PROOF ); + /* First round */ if( input_first ) { @@ -8833,28 +8841,23 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, NULL, 0 ), PSA_ERROR_INVALID_ARGUMENT ); TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, - output_buffer, 66 ), + output_buffer, size_zk_proof ), PSA_ERROR_INVALID_ARGUMENT ); /* Invalid first step */ TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF, - output_buffer, 66 ), + output_buffer, size_zk_proof ), PSA_ERROR_BAD_STATE ); TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, - output_buffer, 66 ), + output_buffer, size_key_share ), expected_status_input_output); if( expected_status_input_output == PSA_SUCCESS ) { /* Buffer too large */ TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, - output_buffer, 512 ), - PSA_ERROR_INSUFFICIENT_MEMORY ); - - /* The operation should be aborted at this point */ - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, - output_buffer, 66 ), - PSA_ERROR_BAD_STATE ); + output_buffer, size_zk_public + 1 ), + PSA_ERROR_INVALID_ARGUMENT ); } } else @@ -8864,15 +8867,15 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, NULL, 0, NULL ), PSA_ERROR_INVALID_ARGUMENT ); TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, - output_buffer, 512, &output_len ), + output_buffer, buf_size, &output_len ), PSA_ERROR_INVALID_ARGUMENT ); /* Invalid first step */ TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF, - output_buffer, 512, &output_len ), + output_buffer, buf_size, &output_len ), PSA_ERROR_BAD_STATE ); TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE, - output_buffer, 512, &output_len ), + output_buffer, buf_size, &output_len ), expected_status_input_output ); if( expected_status_input_output == PSA_SUCCESS ) @@ -8881,13 +8884,8 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, /* Buffer too small */ TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, - output_buffer, 5, &output_len ), + output_buffer, size_zk_public - 1, &output_len ), PSA_ERROR_BUFFER_TOO_SMALL ); - - /* The operation should be aborted at this point */ - TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, - output_buffer, 512, &output_len ), - PSA_ERROR_BAD_STATE ); } } From f155ab9a9102820d478f8aa375a737a582922916 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 13 Oct 2022 13:11:52 +0200 Subject: [PATCH 5/6] Abort on errors when we should MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We're not strictly required to abort, but at least to leave the context is an invalid state. For "late" functions like input() and output(), calling abort() is the easiest way to do that. Do it systematically for input() and output() by using a wrapper. psa_pake_get_implicit_key() was already doing it. For "early" function, we can just leave the operation in its current state which is already invalid. Restore previous tests about that. Not adding systematic tests, though, just test the two functions that are the most important, and more likely to return errors. Since we now abort in more cases, we need to make sure we don't invalidate the operation that's going to be re-used later in the test. For that reason, use a copy of the operation for calls to input() and output() that are expected to return errors. Signed-off-by: Manuel Pégourié-Gonnard --- library/psa_crypto_pake.c | 56 ++++++++++++--------- tests/suites/test_suite_psa_crypto.function | 37 +++++++++++--- 2 files changed, 62 insertions(+), 31 deletions(-) diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 262d44d203..541e6c44b6 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -385,7 +385,8 @@ static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation ) } #endif -psa_status_t psa_pake_output( psa_pake_operation_t *operation, +static psa_status_t psa_pake_output_internal( + psa_pake_operation_t *operation, psa_pake_step_t step, uint8_t *output, size_t output_size, @@ -427,10 +428,7 @@ psa_status_t psa_pake_output( psa_pake_operation_t *operation, if( operation->state == PSA_PAKE_STATE_SETUP ) { status = psa_pake_ecjpake_setup( operation ); if( status != PSA_SUCCESS ) - { - psa_pake_abort( operation ); return( status ); - } } if( operation->state != PSA_PAKE_STATE_READY && @@ -496,10 +494,7 @@ psa_status_t psa_pake_output( psa_pake_operation_t *operation, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE ); if( ret != 0 ) - { - psa_pake_abort( operation ); return( mbedtls_ecjpake_to_psa_error( ret ) ); - } operation->buffer_offset = 0; } @@ -513,10 +508,7 @@ psa_status_t psa_pake_output( psa_pake_operation_t *operation, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE ); if( ret != 0 ) - { - psa_pake_abort( operation ); return( mbedtls_ecjpake_to_psa_error( ret ) ); - } operation->buffer_offset = 0; } @@ -548,10 +540,7 @@ psa_status_t psa_pake_output( psa_pake_operation_t *operation, return( PSA_ERROR_DATA_CORRUPT ); if( output_size < length ) - { - psa_pake_abort( operation ); return( PSA_ERROR_BUFFER_TOO_SMALL ); - } memcpy( output, operation->buffer + operation->buffer_offset, @@ -584,7 +573,23 @@ psa_status_t psa_pake_output( psa_pake_operation_t *operation, return( PSA_ERROR_NOT_SUPPORTED ); } -psa_status_t psa_pake_input( psa_pake_operation_t *operation, +psa_status_t psa_pake_output( psa_pake_operation_t *operation, + psa_pake_step_t step, + uint8_t *output, + size_t output_size, + size_t *output_length ) +{ + psa_status_t status = psa_pake_output_internal( + operation, step, output, output_size, output_length ); + + if( status != PSA_SUCCESS ) + psa_pake_abort( operation ); + + return( status ); +} + +static psa_status_t psa_pake_input_internal( + psa_pake_operation_t *operation, psa_pake_step_t step, const uint8_t *input, size_t input_length ) @@ -631,10 +636,7 @@ psa_status_t psa_pake_input( psa_pake_operation_t *operation, { status = psa_pake_ecjpake_setup( operation ); if( status != PSA_SUCCESS ) - { - psa_pake_abort( operation ); return( status ); - } } if( operation->state != PSA_PAKE_STATE_READY && @@ -734,10 +736,7 @@ psa_status_t psa_pake_input( psa_pake_operation_t *operation, operation->buffer_length = 0; if( ret != 0 ) - { - psa_pake_abort( operation ); return( mbedtls_ecjpake_to_psa_error( ret ) ); - } } else if( operation->state == PSA_PAKE_INPUT_X4S && operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF ) @@ -750,10 +749,7 @@ psa_status_t psa_pake_input( psa_pake_operation_t *operation, operation->buffer_length = 0; if( ret != 0 ) - { - psa_pake_abort( operation ); return( mbedtls_ecjpake_to_psa_error( ret ) ); - } } if( ( operation->state == PSA_PAKE_INPUT_X1_X2 && @@ -775,6 +771,20 @@ psa_status_t psa_pake_input( psa_pake_operation_t *operation, return( PSA_ERROR_NOT_SUPPORTED ); } +psa_status_t psa_pake_input( psa_pake_operation_t *operation, + psa_pake_step_t step, + const uint8_t *input, + size_t input_length ) +{ + psa_status_t status = psa_pake_input_internal( + operation, step, input, input_length ); + + if( status != PSA_SUCCESS ) + psa_pake_abort( operation ); + + return( status ); +} + psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation, psa_key_derivation_operation_t *output) { diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 49887b5fc7..a44c67b6ac 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -8739,6 +8739,7 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); psa_pake_operation_t operation = psa_pake_operation_init(); + psa_pake_operation_t op_copy = psa_pake_operation_init(); psa_algorithm_t alg = alg_arg; psa_pake_primitive_t primitive = primitive_arg; psa_key_type_t key_type_pw = key_type_pw_arg; @@ -8836,18 +8837,23 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, /* First round */ if( input_first ) { - /* Invalid parameters */ - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF, + /* Invalid parameters (input) */ + op_copy = operation; + TEST_EQUAL( psa_pake_input( &op_copy, PSA_PAKE_STEP_ZK_PROOF, NULL, 0 ), PSA_ERROR_INVALID_ARGUMENT ); - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, + /* Invalid parameters (step) */ + op_copy = operation; + TEST_EQUAL( psa_pake_input( &op_copy, PSA_PAKE_STEP_ZK_PROOF + 10, output_buffer, size_zk_proof ), PSA_ERROR_INVALID_ARGUMENT ); /* Invalid first step */ - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF, + op_copy = operation; + TEST_EQUAL( psa_pake_input( &op_copy, PSA_PAKE_STEP_ZK_PROOF, output_buffer, size_zk_proof ), PSA_ERROR_BAD_STATE ); + /* Possibly valid */ TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, output_buffer, size_key_share ), expected_status_input_output); @@ -8858,22 +8864,32 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, output_buffer, size_zk_public + 1 ), PSA_ERROR_INVALID_ARGUMENT ); + + /* The operation's state should be invalidated at this point */ + TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, size_zk_public ), + PSA_ERROR_BAD_STATE ); } } else { - /* Invalid parameters */ - TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF, + /* Invalid parameters (output) */ + op_copy = operation; + TEST_EQUAL( psa_pake_output( &op_copy, PSA_PAKE_STEP_ZK_PROOF, NULL, 0, NULL ), PSA_ERROR_INVALID_ARGUMENT ); - TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, + op_copy = operation; + /* Invalid parameters (step) */ + TEST_EQUAL( psa_pake_output( &op_copy, PSA_PAKE_STEP_ZK_PROOF + 10, output_buffer, buf_size, &output_len ), PSA_ERROR_INVALID_ARGUMENT ); /* Invalid first step */ - TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF, + op_copy = operation; + TEST_EQUAL( psa_pake_output( &op_copy, PSA_PAKE_STEP_ZK_PROOF, output_buffer, buf_size, &output_len ), PSA_ERROR_BAD_STATE ); + /* Possibly valid */ TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE, output_buffer, buf_size, &output_len ), expected_status_input_output ); @@ -8886,6 +8902,11 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, output_buffer, size_zk_public - 1, &output_len ), PSA_ERROR_BUFFER_TOO_SMALL ); + + /* The operation's state should be invalidated at this point */ + TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, buf_size, &output_len ), + PSA_ERROR_BAD_STATE ); } } From 02f82bbfa9fbc9eaad4007464c0d53717ae12b10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 13 Oct 2022 13:32:02 +0200 Subject: [PATCH 6/6] Fix MSVC warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/psa_crypto_pake.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 541e6c44b6..870b5b5654 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -629,7 +629,7 @@ static psa_status_t psa_pake_input_internal( const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256 ); - if( input_length > PSA_PAKE_INPUT_SIZE( PSA_ALG_JPAKE, prim, step ) ) + if( input_length > (size_t) PSA_PAKE_INPUT_SIZE( PSA_ALG_JPAKE, prim, step ) ) return( PSA_ERROR_INVALID_ARGUMENT ); if( operation->state == PSA_PAKE_STATE_SETUP )