yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #5871 from superna9999/4153-psa-expose-ec-j-pake

Browse source 
Expose ECJPAKE through the PSA Crypto API
This commit is contained in:
Manuel Pégourié-Gonnard 2022-09-15 09:25:55 +02:00 committed by GitHub
commit 18dff1f226
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 1998 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
ChangeLog.d/psa_crypto_pake.txt Normal file
View file

@ -0,0 +1,4 @@
Features
* Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
are supported in this implementation.

15
include/mbedtls/config_psa.h
View file

@ -146,6 +146,15 @@ extern "C" {
#define MBEDTLS_MD5_C
#endif
#if defined(PSA_WANT_ALG_JPAKE)
#define MBEDTLS_PSA_BUILTIN_PAKE 1
#define MBEDTLS_PSA_BUILTIN_ALG_JPAKE 1
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#define MBEDTLS_BIGNUM_C
#define MBEDTLS_ECP_C
#define MBEDTLS_ECJPAKE_C
#endif /* PSA_WANT_ALG_JPAKE */
#if defined(PSA_WANT_ALG_RIPEMD160) && !defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160)
#define MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160 1
#define MBEDTLS_RIPEMD160_C
@ -636,6 +645,12 @@ extern "C" {
#define PSA_WANT_ALG_MD5 1
#endif
#if defined(MBEDTLS_ECJPAKE_C)
#define MBEDTLS_PSA_BUILTIN_PAKE 1
#define MBEDTLS_PSA_BUILTIN_ALG_JPAKE 1
#define PSA_WANT_ALG_JPAKE 1
#endif
#if defined(MBEDTLS_RIPEMD160_C)
#define MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160 1
#define PSA_WANT_ALG_RIPEMD160 1

23
include/mbedtls/ecjpake.h
View file

@ -258,6 +258,29 @@ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
/**
* \brief Write the shared key material to be passed to a Key
* Derivation Function as described in RFC8236.
*
* \param ctx The ECJPAKE context to use. This must be initialized,
* set up and have performed both round one and two.
* \param buf The buffer to write the derived secret to. This must
* be a writable buffer of length \p len Bytes.
* \param len The length of \p buf in Bytes.
* \param olen The address at which to store the total number of bytes
* written to \p buf. This must not be \c NULL.
* \param f_rng The RNG function to use. This must not be \c NULL.
* \param p_rng The RNG parameter to be passed to \p f_rng. This
* may be \c NULL if \p f_rng doesn't use a context.
*
* \return \c 0 if successful.
* \return A negative error code on failure.
*/
int mbedtls_ecjpake_write_shared_key( mbedtls_ecjpake_context *ctx,
unsigned char *buf, size_t len, size_t *olen,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
/**
* \brief This clears an ECJPAKE context and frees any
* embedded data structure.

1
include/psa/crypto_config.h
View file

@ -65,6 +65,7 @@
#define PSA_WANT_ALG_ECB_NO_PADDING 1
#define PSA_WANT_ALG_ECDH 1
#define PSA_WANT_ALG_ECDSA 1
#define PSA_WANT_ALG_JPAKE 1
#define PSA_WANT_ALG_GCM 1
#define PSA_WANT_ALG_HKDF 1
#define PSA_WANT_ALG_HKDF_EXTRACT 1

58
include/psa/crypto_extra.h
View file

@ -1760,7 +1760,16 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation );
* recognized, or the parameters are incompatible,
* return 0.
*/
#define PSA_PAKE_OUTPUT_SIZE(alg, primitive, output_step) 0
#define PSA_PAKE_OUTPUT_SIZE(alg, primitive, output_step) \
( alg == PSA_ALG_JPAKE && \
primitive == PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, \
PSA_ECC_FAMILY_SECP_R1, 256) ? \
( \
output_step == PSA_PAKE_STEP_KEY_SHARE ? 69 : \
output_step == PSA_PAKE_STEP_ZK_PUBLIC ? 66 : \
33 \
) : \
0 )
/** A sufficient input buffer size for psa_pake_input().
*
@ -1781,7 +1790,16 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation );
* the input type or PAKE algorithm is not recognized, or
* the parameters are incompatible, return 0.
*/
#define PSA_PAKE_INPUT_SIZE(alg, primitive, input_step) 0
#define PSA_PAKE_INPUT_SIZE(alg, primitive, input_step) \
( alg == PSA_ALG_JPAKE && \
primitive == PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, \
PSA_ECC_FAMILY_SECP_R1, 256) ? \
( \
input_step == PSA_PAKE_STEP_KEY_SHARE ? 69 : \
input_step == PSA_PAKE_STEP_ZK_PUBLIC ? 66 : \
33 \
) : \
0 )
/** Output buffer size for psa_pake_output() for any of the supported PAKE
* algorithm and primitive suites and output step.
@ -1790,7 +1808,7 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation );
*
* See also #PSA_PAKE_OUTPUT_SIZE(\p alg, \p primitive, \p step).
*/
#define PSA_PAKE_OUTPUT_MAX_SIZE 0
#define PSA_PAKE_OUTPUT_MAX_SIZE 69
/** Input buffer size for psa_pake_input() for any of the supported PAKE
* algorithm and primitive suites and input step.
@ -1799,7 +1817,7 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation );
*
* See also #PSA_PAKE_INPUT_SIZE(\p alg, \p primitive, \p step).
*/
#define PSA_PAKE_INPUT_MAX_SIZE 0
#define PSA_PAKE_INPUT_MAX_SIZE 69
/** Returns a suitable initializer for a PAKE cipher suite object of type
* psa_pake_cipher_suite_t.
@ -1809,7 +1827,14 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation );
/** Returns a suitable initializer for a PAKE operation object of type
* psa_pake_operation_t.
*/
#define PSA_PAKE_OPERATION_INIT {PSA_ALG_NONE, {0}}
#if defined(MBEDTLS_PSA_BUILTIN_PAKE)
#define PSA_PAKE_OPERATION_INIT {PSA_ALG_NONE, 0, 0, 0, 0, \
MBEDTLS_SVC_KEY_ID_INIT, \
PSA_PAKE_ROLE_NONE, {0}, 0, 0, \
{.dummy = 0}}
#else
#define PSA_PAKE_OPERATION_INIT {PSA_ALG_NONE, 0, 0, {0}}
#endif
struct psa_pake_cipher_suite_s
{
@ -1879,14 +1904,33 @@ static inline void psa_pake_cs_set_hash( psa_pake_cipher_suite_t *cipher_suite,
cipher_suite->hash = hash;
}
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
#include <mbedtls/ecjpake.h>
#define PSA_PAKE_BUFFER_SIZE ( ( 69 + 66 + 33 ) * 2 )
#endif
struct psa_pake_operation_s
{
psa_algorithm_t alg;
psa_algorithm_t MBEDTLS_PRIVATE(alg);
unsigned int MBEDTLS_PRIVATE(state);
unsigned int MBEDTLS_PRIVATE(sequence);
#if defined(MBEDTLS_PSA_BUILTIN_PAKE)
unsigned int MBEDTLS_PRIVATE(input_step);
unsigned int MBEDTLS_PRIVATE(output_step);
mbedtls_svc_key_id_t MBEDTLS_PRIVATE(password);
psa_pake_role_t MBEDTLS_PRIVATE(role);
uint8_t MBEDTLS_PRIVATE(buffer[PSA_PAKE_BUFFER_SIZE]);
size_t MBEDTLS_PRIVATE(buffer_length);
size_t MBEDTLS_PRIVATE(buffer_offset);
#endif
union
{
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
mbedtls_ecjpake_context ecjpake;
#endif
/* Make the union non-empty even with no supported algorithms. */
uint8_t dummy;
} ctx;
} MBEDTLS_PRIVATE(ctx);
};
static inline struct psa_pake_cipher_suite_s psa_pake_cipher_suite_init( void )

1
library/CMakeLists.txt
View file

@ -70,6 +70,7 @@ set(src_crypto
psa_crypto_ecp.c
psa_crypto_hash.c
psa_crypto_mac.c
psa_crypto_pake.c
psa_crypto_rsa.c
psa_crypto_se.c
psa_crypto_slot_management.c

1
library/Makefile
View file

@ -135,6 +135,7 @@ OBJS_CRYPTO= \
psa_crypto_ecp.o \
psa_crypto_hash.o \
psa_crypto_mac.o \
psa_crypto_pake.o \
psa_crypto_rsa.o \
psa_crypto_se.o \
psa_crypto_slot_management.o \

97
library/ecjpake.c
View file

@ -760,22 +760,14 @@ cleanup:
/*
* Derive PMS (7.4.2.7 / 7.4.2.8)
*/
int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
unsigned char *buf, size_t len, size_t *olen,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
static int mbedtls_ecjpake_derive_k( mbedtls_ecjpake_context *ctx,
mbedtls_ecp_point *K,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ecp_point K;
mbedtls_mpi m_xm2_s, one;
unsigned char kx[MBEDTLS_ECP_MAX_BYTES];
size_t x_bytes;
*olen = mbedtls_hash_info_get_size( ctx->md_type );
if( len < *olen )
return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
mbedtls_ecp_point_init( &K );
mbedtls_mpi_init( &m_xm2_s );
mbedtls_mpi_init( &one );
@ -788,12 +780,39 @@ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
*/
MBEDTLS_MPI_CHK( ecjpake_mul_secret( &m_xm2_s, -1, &ctx->xm2, &ctx->s,
&ctx->grp.N, f_rng, p_rng ) );
MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( &ctx->grp, &K,
MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( &ctx->grp, K,
&one, &ctx->Xp,
&m_xm2_s, &ctx->Xp2 ) );
MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &K, &ctx->xm2, &K,
MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, K, &ctx->xm2, K,
f_rng, p_rng ) );
cleanup:
mbedtls_mpi_free( &m_xm2_s );
mbedtls_mpi_free( &one );
return( ret );
}
int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
unsigned char *buf, size_t len, size_t *olen,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ecp_point K;
unsigned char kx[MBEDTLS_ECP_MAX_BYTES];
size_t x_bytes;
*olen = mbedtls_hash_info_get_size( ctx->md_type );
if( len < *olen )
return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
mbedtls_ecp_point_init( &K );
ret = mbedtls_ecjpake_derive_k(ctx, &K, f_rng, p_rng);
if( ret )
goto cleanup;
/* PMS = SHA-256( K.X ) */
x_bytes = ( ctx->grp.pbits + 7 ) / 8;
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &K.X, kx, x_bytes ) );
@ -802,8 +821,31 @@ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
cleanup:
mbedtls_ecp_point_free( &K );
mbedtls_mpi_free( &m_xm2_s );
mbedtls_mpi_free( &one );
return( ret );
}
int mbedtls_ecjpake_write_shared_key( mbedtls_ecjpake_context *ctx,
unsigned char *buf, size_t len, size_t *olen,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ecp_point K;
mbedtls_ecp_point_init( &K );
ret = mbedtls_ecjpake_derive_k(ctx, &K, f_rng, p_rng);
if( ret )
goto cleanup;
ret = mbedtls_ecp_point_write_binary( &ctx->grp, &K, ctx->point_format,
olen, buf, len );
if( ret != 0 )
goto cleanup;
cleanup:
mbedtls_ecp_point_free( &K );
return( ret );
}
@ -958,6 +1000,15 @@ static const unsigned char ecjpake_test_cli_two[] = {
0xcc, 0x38, 0xdb, 0xdc, 0xae, 0x60, 0xd9, 0xc5, 0x4c
};
static const unsigned char ecjpake_test_shared_key[] = {
0x04, 0x01, 0xab, 0xe9, 0xf2, 0xc7, 0x3a, 0x99, 0x14, 0xcb, 0x1f, 0x80,
0xfb, 0x9d, 0xdb, 0x7e, 0x00, 0x12, 0xa8, 0x9c, 0x2f, 0x39, 0x27, 0x79,
0xf9, 0x64, 0x40, 0x14, 0x75, 0xea, 0xc1, 0x31, 0x28, 0x43, 0x8f, 0xe1,
0x12, 0x41, 0xd6, 0xc1, 0xe5, 0x5f, 0x7b, 0x80, 0x88, 0x94, 0xc9, 0xc0,
0x27, 0xa3, 0x34, 0x41, 0xf5, 0xcb, 0xa1, 0xfe, 0x6c, 0xc7, 0xe6, 0x12,
0x17, 0xc3, 0xde, 0x27, 0xb4,
};
static const unsigned char ecjpake_test_pms[] = {
0xf3, 0xd4, 0x7f, 0x59, 0x98, 0x44, 0xdb, 0x92, 0xa5, 0x69, 0xbb, 0xe7,
0x98, 0x1e, 0x39, 0xd9, 0x31, 0xfd, 0x74, 0x3b, 0xf2, 0x2e, 0x98, 0xf9,
@ -1144,6 +1195,13 @@ int mbedtls_ecjpake_self_test( int verbose )
TEST_ASSERT( len == sizeof( ecjpake_test_pms ) );
TEST_ASSERT( memcmp( buf, ecjpake_test_pms, len ) == 0 );
/* Server derives K as unsigned binary data */
TEST_ASSERT( mbedtls_ecjpake_write_shared_key( &srv,
buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
TEST_ASSERT( len == sizeof( ecjpake_test_shared_key ) );
TEST_ASSERT( memcmp( buf, ecjpake_test_shared_key, len ) == 0 );
memset( buf, 0, len ); /* Avoid interferences with next step */
/* Client derives PMS */
@ -1153,6 +1211,13 @@ int mbedtls_ecjpake_self_test( int verbose )
TEST_ASSERT( len == sizeof( ecjpake_test_pms ) );
TEST_ASSERT( memcmp( buf, ecjpake_test_pms, len ) == 0 );
/* Client derives K as unsigned binary data */
TEST_ASSERT( mbedtls_ecjpake_write_shared_key( &cli,
buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
TEST_ASSERT( len == sizeof( ecjpake_test_shared_key ) );
TEST_ASSERT( memcmp( buf, ecjpake_test_shared_key, len ) == 0 );
if( verbose != 0 )
mbedtls_printf( "passed\n" );
#endif /* ! MBEDTLS_ECJPAKE_ALT */

2
library/psa_crypto.c
View file

@ -445,6 +445,8 @@ psa_status_t psa_validate_unstructured_key_bit_size( psa_key_type_t type,
case PSA_KEY_TYPE_RAW_DATA:
case PSA_KEY_TYPE_HMAC:
case PSA_KEY_TYPE_DERIVE:
case PSA_KEY_TYPE_PASSWORD:
case PSA_KEY_TYPE_PASSWORD_HASH:
break;
#if defined(PSA_WANT_KEY_TYPE_AES)
case PSA_KEY_TYPE_AES:

843
library/psa_crypto_pake.c Normal file
View file

@ -0,0 +1,843 @@
/*
* PSA PAKE layer on top of Mbed TLS software crypto
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "common.h"
#if defined(MBEDTLS_PSA_CRYPTO_C)
#include <psa/crypto.h>
#include "psa_crypto_core.h"
#include "psa_crypto_slot_management.h"
#include <mbedtls/ecjpake.h>
#include <mbedtls/psa_util.h>
#include <mbedtls/platform.h>
#include <mbedtls/error.h>
#include <string.h>
/*
* State sequence:
*
* psa_pake_setup()
* |
* |-- In any order:
* | | psa_pake_set_password_key()
* | | psa_pake_set_user()
* | | psa_pake_set_peer()
* | | psa_pake_set_role()
* |
* |--- In any order: (First round input before or after first round output)
* | |
* | |------ In Order
* | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
* | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
* | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
* | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
* | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
* | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
* | |
* | |------ In Order:
* | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
* | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
* | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
* | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
* | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
* | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
* |
* |--- In any order: (Second round input before or after second round output)
* | |
* | |------ In Order
* | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
* | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
* | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
* | |
* | |------ In Order:
* | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
* | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
* | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
* |
* psa_pake_get_implicit_key()
* psa_pake_abort()
*/
enum psa_pake_step
{
PSA_PAKE_STEP_INVALID = 0,
PSA_PAKE_STEP_X1_X2 = 1,
PSA_PAKE_STEP_X2S = 2,
PSA_PAKE_STEP_DERIVE = 3,
};
enum psa_pake_state
{
PSA_PAKE_STATE_INVALID = 0,
PSA_PAKE_STATE_SETUP = 1,
PSA_PAKE_STATE_READY = 2,
PSA_PAKE_OUTPUT_X1_X2 = 3,
PSA_PAKE_OUTPUT_X2S = 4,
PSA_PAKE_INPUT_X1_X2 = 5,
PSA_PAKE_INPUT_X4S = 6,
};
/*
* The first PAKE step shares the same sequences of the second PAKE step
* but with a second set of KEY_SHARE/ZK_PUBLIC/ZK_PROOF outputs/inputs.
* It's simpler to share the same sequences numbers of the first
* set of KEY_SHARE/ZK_PUBLIC/ZK_PROOF outputs/inputs in both PAKE steps.
*
* State sequence with step, state & sequence enums:
* => Input & Output Step = PSA_PAKE_STEP_INVALID
* => state = PSA_PAKE_STATE_INVALID
* psa_pake_setup()
* => Input & Output Step = PSA_PAKE_STEP_X1_X2
* => state = PSA_PAKE_STATE_SETUP
* => sequence = PSA_PAKE_SEQ_INVALID
* |
* |--- In any order: (First round input before or after first round output)
* | | First call of psa_pake_output() or psa_pake_input() sets
* | | state = PSA_PAKE_STATE_READY
* | |
* | |------ In Order: => state = PSA_PAKE_OUTPUT_X1_X2
* | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE
* | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC
* | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF
* | | | psa_pake_output() => sequence = PSA_PAKE_X2_STEP_KEY_SHARE
* | | | psa_pake_output() => sequence = PSA_PAKE_X2_STEP_ZK_PUBLIC
* | | | psa_pake_output() => sequence = PSA_PAKE_X2_STEP_ZK_PROOF
* | | | => state = PSA_PAKE_STATE_READY
* | | | => sequence = PSA_PAKE_SEQ_INVALID
* | | | => Output Step = PSA_PAKE_STEP_X2S
* | |
* | |------ In Order: => state = PSA_PAKE_INPUT_X1_X2
* | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE
* | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC
* | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF
* | | | psa_pake_input() => sequence = PSA_PAKE_X2_STEP_KEY_SHARE
* | | | psa_pake_input() => sequence = PSA_PAKE_X2_STEP_ZK_PUBLIC
* | | | psa_pake_input() => sequence = PSA_PAKE_X2_STEP_ZK_PROOF
* | | | => state = PSA_PAKE_STATE_READY
* | | | => sequence = PSA_PAKE_SEQ_INVALID
* | | | => Output Step = PSA_PAKE_INPUT_X4S
* |
* |--- In any order: (Second round input before or after second round output)
* | |
* | |------ In Order: => state = PSA_PAKE_OUTPUT_X2S
* | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE
* | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC
* | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF
* | | | => state = PSA_PAKE_STATE_READY
* | | | => sequence = PSA_PAKE_SEQ_INVALID
* | | | => Output Step = PSA_PAKE_STEP_DERIVE
* | |
* | |------ In Order: => state = PSA_PAKE_INPUT_X4S
* | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE
* | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC
* | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF
* | | | => state = PSA_PAKE_STATE_READY
* | | | => sequence = PSA_PAKE_SEQ_INVALID
* | | | => Output Step = PSA_PAKE_STEP_DERIVE
* |
* psa_pake_get_implicit_key()
* => Input & Output Step = PSA_PAKE_STEP_INVALID
*/
enum psa_pake_sequence
{
PSA_PAKE_SEQ_INVALID = 0,
PSA_PAKE_X1_STEP_KEY_SHARE = 1, /* also X2S & X4S KEY_SHARE */
PSA_PAKE_X1_STEP_ZK_PUBLIC = 2, /* also X2S & X4S ZK_PUBLIC */
PSA_PAKE_X1_STEP_ZK_PROOF = 3, /* also X2S & X4S ZK_PROOF */
PSA_PAKE_X2_STEP_KEY_SHARE = 4,
PSA_PAKE_X2_STEP_ZK_PUBLIC = 5,
PSA_PAKE_X2_STEP_ZK_PROOF = 6,
PSA_PAKE_SEQ_END = 7,
};
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
static psa_status_t mbedtls_ecjpake_to_psa_error( int ret )
{
switch( ret )
{
case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
case MBEDTLS_ERR_ECP_INVALID_KEY:
case MBEDTLS_ERR_ECP_VERIFY_FAILED:
return( PSA_ERROR_DATA_INVALID );
case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
return( PSA_ERROR_BUFFER_TOO_SMALL );
case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
return( PSA_ERROR_NOT_SUPPORTED );
case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
return( PSA_ERROR_CORRUPTION_DETECTED );
default:
return( PSA_ERROR_GENERIC_ERROR );
}
}
#endif
#if defined(MBEDTLS_PSA_BUILTIN_PAKE)
psa_status_t psa_pake_setup( psa_pake_operation_t *operation,
const psa_pake_cipher_suite_t *cipher_suite)
{
/* A context must be freshly initialized before it can be set up. */
if( operation->alg != PSA_ALG_NONE )
return( PSA_ERROR_BAD_STATE );
if( cipher_suite == NULL ||
PSA_ALG_IS_PAKE(cipher_suite->algorithm ) == 0 ||
( cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC &&
cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_DH ) ||
PSA_ALG_IS_HASH( cipher_suite->hash ) == 0 )
{
return( PSA_ERROR_INVALID_ARGUMENT );
}
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
if( cipher_suite->algorithm == PSA_ALG_JPAKE )
{
if( cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_ECC ||
cipher_suite->family != PSA_ECC_FAMILY_SECP_R1 ||
cipher_suite->bits != 256 ||
cipher_suite->hash != PSA_ALG_SHA_256 )
{
return( PSA_ERROR_NOT_SUPPORTED );
}
operation->alg = cipher_suite->algorithm;
mbedtls_ecjpake_init( &operation->ctx.ecjpake );
operation->state = PSA_PAKE_STATE_SETUP;
operation->sequence = PSA_PAKE_SEQ_INVALID;
operation->input_step = PSA_PAKE_STEP_X1_X2;
operation->output_step = PSA_PAKE_STEP_X1_X2;
mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE );
operation->buffer_length = 0;
operation->buffer_offset = 0;
return( PSA_SUCCESS );
}
else
#endif
return( PSA_ERROR_NOT_SUPPORTED );
}
psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
mbedtls_svc_key_id_t password )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_attributes_t attributes = psa_key_attributes_init();
psa_key_type_t type;
psa_key_usage_t usage;
if( operation->alg == PSA_ALG_NONE ||
operation->state != PSA_PAKE_STATE_SETUP )
{
return( PSA_ERROR_BAD_STATE );
}
status = psa_get_key_attributes( password, &attributes );
if( status != PSA_SUCCESS )
return( status );
type = psa_get_key_type( &attributes );
usage = psa_get_key_usage_flags( &attributes );
psa_reset_key_attributes( &attributes );
if( type != PSA_KEY_TYPE_PASSWORD &&
type != PSA_KEY_TYPE_PASSWORD_HASH )
{
return( PSA_ERROR_INVALID_ARGUMENT );
}
if( ( usage & PSA_KEY_USAGE_DERIVE ) == 0 )
return( PSA_ERROR_NOT_PERMITTED );
operation->password = password;
return( PSA_SUCCESS );
}
psa_status_t psa_pake_set_user( psa_pake_operation_t *operation,
const uint8_t *user_id,
size_t user_id_len )
{
if( operation->alg == PSA_ALG_NONE ||
operation->state != PSA_PAKE_STATE_SETUP )
{
return( PSA_ERROR_BAD_STATE );
}
if( user_id_len == 0 || user_id == NULL )
return( PSA_ERROR_INVALID_ARGUMENT );
return( PSA_ERROR_NOT_SUPPORTED );
}
psa_status_t psa_pake_set_peer( psa_pake_operation_t *operation,
const uint8_t *peer_id,
size_t peer_id_len )
{
if( operation->alg == PSA_ALG_NONE ||
operation->state != PSA_PAKE_STATE_SETUP )
{
return( PSA_ERROR_BAD_STATE );
}
if( peer_id_len == 0 || peer_id == NULL )
return( PSA_ERROR_INVALID_ARGUMENT );
return( PSA_ERROR_NOT_SUPPORTED );
}
psa_status_t psa_pake_set_role( psa_pake_operation_t *operation,
psa_pake_role_t role )
{
if( operation->alg == PSA_ALG_NONE ||
operation->state != PSA_PAKE_STATE_SETUP )
{
return( PSA_ERROR_BAD_STATE );
}
if( role != PSA_PAKE_ROLE_NONE &&
role != PSA_PAKE_ROLE_FIRST &&
role != PSA_PAKE_ROLE_SECOND &&
role != PSA_PAKE_ROLE_CLIENT &&
role != PSA_PAKE_ROLE_SERVER )
{
return( PSA_ERROR_INVALID_ARGUMENT );
}
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
if( operation->alg == PSA_ALG_JPAKE )
{
if( role != PSA_PAKE_ROLE_CLIENT &&
role != PSA_PAKE_ROLE_SERVER )
return( PSA_ERROR_NOT_SUPPORTED );
operation->role = role;
return( PSA_SUCCESS );
}
else
#endif
return( PSA_ERROR_NOT_SUPPORTED );
}
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_ecjpake_role role;
psa_key_slot_t *slot = NULL;
if( operation->role == PSA_PAKE_ROLE_CLIENT )
role = MBEDTLS_ECJPAKE_CLIENT;
else if( operation->role == PSA_PAKE_ROLE_SERVER )
role = MBEDTLS_ECJPAKE_SERVER;
else
return( PSA_ERROR_BAD_STATE );
if( psa_is_valid_key_id( operation->password, 1 ) == 0 )
return( PSA_ERROR_BAD_STATE );
status = psa_get_and_lock_key_slot( operation->password, &slot );
if( status != PSA_SUCCESS )
return( status );
ret = mbedtls_ecjpake_setup( &operation->ctx.ecjpake,
role,
MBEDTLS_MD_SHA256,
MBEDTLS_ECP_DP_SECP256R1,
slot->key.data, slot->key.bytes );
psa_unlock_key_slot( slot );
slot = NULL;
if( ret != 0 )
return( mbedtls_ecjpake_to_psa_error( ret ) );
operation->state = PSA_PAKE_STATE_READY;
return( PSA_SUCCESS );
}
#endif
psa_status_t psa_pake_output( psa_pake_operation_t *operation,
psa_pake_step_t step,
uint8_t *output,
size_t output_size,
size_t *output_length )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t length;
if( operation->alg == PSA_ALG_NONE ||
operation->state == PSA_PAKE_STATE_INVALID )
return( PSA_ERROR_BAD_STATE );
if( output == NULL || output_size == 0 || output_length == NULL )
return( PSA_ERROR_INVALID_ARGUMENT );
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
/*
* The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different
* handling of output sequencing.
*
* The MbedTLS JPAKE API outputs the whole X1+X2 and X2S steps data
* at once, on the other side the PSA CRYPTO PAKE api requires
* the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X2S to be
* retrieved in sequence.
*
* In order to achieve API compatibility, the whole X1+X2 or X2S steps
* data is stored in an intermediate buffer at first step output call,
* and data is sliced down by parsing the ECPoint records in order
* to return the right parts on each step.
*/
if( operation->alg == PSA_ALG_JPAKE )
{
if( step != PSA_PAKE_STEP_KEY_SHARE &&
step != PSA_PAKE_STEP_ZK_PUBLIC &&
step != PSA_PAKE_STEP_ZK_PROOF )
return( PSA_ERROR_INVALID_ARGUMENT );
if( operation->state == PSA_PAKE_STATE_SETUP ) {
status = psa_pake_ecjpake_setup( operation );
if( status != PSA_SUCCESS )
{
psa_pake_abort( operation );
return( status );
}
}
if( operation->state != PSA_PAKE_STATE_READY &&
operation->state != PSA_PAKE_OUTPUT_X1_X2 &&
operation->state != PSA_PAKE_OUTPUT_X2S )
{
return( PSA_ERROR_BAD_STATE );
}
if( operation->state == PSA_PAKE_STATE_READY )
{
if( step != PSA_PAKE_STEP_KEY_SHARE )
return( PSA_ERROR_BAD_STATE );
switch( operation->output_step )
{
case PSA_PAKE_STEP_X1_X2:
operation->state = PSA_PAKE_OUTPUT_X1_X2;
break;
case PSA_PAKE_STEP_X2S:
operation->state = PSA_PAKE_OUTPUT_X2S;
break;
default:
return( PSA_ERROR_BAD_STATE );
}
operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE;
}
/* Check if step matches current sequence */
switch( operation->sequence )
{
case PSA_PAKE_X1_STEP_KEY_SHARE:
case PSA_PAKE_X2_STEP_KEY_SHARE:
if( step != PSA_PAKE_STEP_KEY_SHARE )
return( PSA_ERROR_BAD_STATE );
break;
case PSA_PAKE_X1_STEP_ZK_PUBLIC:
case PSA_PAKE_X2_STEP_ZK_PUBLIC:
if( step != PSA_PAKE_STEP_ZK_PUBLIC )
return( PSA_ERROR_BAD_STATE );
break;
case PSA_PAKE_X1_STEP_ZK_PROOF:
case PSA_PAKE_X2_STEP_ZK_PROOF:
if( step != PSA_PAKE_STEP_ZK_PROOF )
return( PSA_ERROR_BAD_STATE );
break;
default:
return( PSA_ERROR_BAD_STATE );
}
/* Initialize & write round on KEY_SHARE sequences */
if( operation->state == PSA_PAKE_OUTPUT_X1_X2 &&
operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE )
{
ret = mbedtls_ecjpake_write_round_one( &operation->ctx.ecjpake,
operation->buffer,
PSA_PAKE_BUFFER_SIZE,
&operation->buffer_length,
mbedtls_psa_get_random,
MBEDTLS_PSA_RANDOM_STATE );
if( ret != 0 )
{
psa_pake_abort( operation );
return( mbedtls_ecjpake_to_psa_error( ret ) );
}
operation->buffer_offset = 0;
}
else if( operation->state == PSA_PAKE_OUTPUT_X2S &&
operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE )
{
ret = mbedtls_ecjpake_write_round_two( &operation->ctx.ecjpake,
operation->buffer,
PSA_PAKE_BUFFER_SIZE,
&operation->buffer_length,
mbedtls_psa_get_random,
MBEDTLS_PSA_RANDOM_STATE );
if( ret != 0 )
{
psa_pake_abort( operation );
return( mbedtls_ecjpake_to_psa_error( ret ) );
}
operation->buffer_offset = 0;
}
/*
* Steps sequences are stored as:
* struct {
* opaque point <1..2^8-1>;
* } ECPoint;
*
* Where byte 0 stores the ECPoint curve point length.
*
* The sequence length is equal to:
* - data length extracted from byte 0
* - byte 0 size (1)
*/
if( operation->state == PSA_PAKE_OUTPUT_X2S &&
operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE )
{
if( operation->role == PSA_PAKE_ROLE_SERVER )
/*
* The X2S KEY SHARE Server steps sequence is stored as:
* struct {
* ECPoint X;
* opaque r <1..2^8-1>;
* } ECSchnorrZKP;
*
* And MbedTLS uses a 3 bytes Ephemeral public key ECPoint,
* so byte 3 stores the r Schnorr signature length.
*
* The sequence length is equal to:
* - curve storage size (3)
* - data length extracted from byte 3
* - byte 3 size (1)
*/
length = 3 + operation->buffer[3] + 1;
else
length = operation->buffer[0] + 1;
}
else
length = operation->buffer[operation->buffer_offset] + 1;
if( length > operation->buffer_length )
return( PSA_ERROR_DATA_CORRUPT );
if( output_size < length )
{
psa_pake_abort( operation );
return( PSA_ERROR_BUFFER_TOO_SMALL );
}
memcpy( output,
operation->buffer + operation->buffer_offset,
length );
*output_length = length;
operation->buffer_offset += length;
/* Reset buffer after ZK_PROOF sequence */
if( ( operation->state == PSA_PAKE_OUTPUT_X1_X2 &&
operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF ) ||
( operation->state == PSA_PAKE_OUTPUT_X2S &&
operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF ) )
{
mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE );
operation->buffer_length = 0;
operation->buffer_offset = 0;
operation->state = PSA_PAKE_STATE_READY;
operation->output_step++;
operation->sequence = PSA_PAKE_SEQ_INVALID;
}
else
operation->sequence++;
return( PSA_SUCCESS );
}
else
#endif
return( PSA_ERROR_NOT_SUPPORTED );
}
psa_status_t psa_pake_input( psa_pake_operation_t *operation,
psa_pake_step_t step,
const uint8_t *input,
size_t input_length )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t buffer_remain;
if( operation->alg == PSA_ALG_NONE ||
operation->state == PSA_PAKE_STATE_INVALID )
return( PSA_ERROR_BAD_STATE );
if( input == NULL || input_length == 0 )
return( PSA_ERROR_INVALID_ARGUMENT );
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
/*
* The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different
* handling of input sequencing.
*
* The MbedTLS JPAKE API takes the whole X1+X2 or X4S steps data
* at once as input, on the other side the PSA CRYPTO PAKE api requires
* the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X4S to be
* given in sequence.
*
* In order to achieve API compatibility, each X1+X2 or X4S step data
* is stored sequentially in an intermediate buffer and given to the
* MbedTLS JPAKE API on the last step.
*
* This causes any input error to be only detected on the last step.
*/
if( operation->alg == PSA_ALG_JPAKE )
{
if( step != PSA_PAKE_STEP_KEY_SHARE &&
step != PSA_PAKE_STEP_ZK_PUBLIC &&
step != PSA_PAKE_STEP_ZK_PROOF )
return( PSA_ERROR_INVALID_ARGUMENT );
if( operation->state == PSA_PAKE_STATE_SETUP )
{
status = psa_pake_ecjpake_setup( operation );
if( status != PSA_SUCCESS )
{
psa_pake_abort( operation );
return( status );
}
}
if( operation->state != PSA_PAKE_STATE_READY &&
operation->state != PSA_PAKE_INPUT_X1_X2 &&
operation->state != PSA_PAKE_INPUT_X4S )
{
return( PSA_ERROR_BAD_STATE );
}
if( operation->state == PSA_PAKE_STATE_READY )
{
if( step != PSA_PAKE_STEP_KEY_SHARE )
return( PSA_ERROR_BAD_STATE );
switch( operation->input_step )
{
case PSA_PAKE_STEP_X1_X2:
operation->state = PSA_PAKE_INPUT_X1_X2;
break;
case PSA_PAKE_STEP_X2S:
operation->state = PSA_PAKE_INPUT_X4S;
break;
default:
return( PSA_ERROR_BAD_STATE );
}
operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE;
}
buffer_remain = PSA_PAKE_BUFFER_SIZE - operation->buffer_length;
if( input_length == 0 ||
input_length > buffer_remain )
{
psa_pake_abort( operation );
return( PSA_ERROR_INSUFFICIENT_MEMORY );
}
/* Check if step matches current sequence */
switch( operation->sequence )
{
case PSA_PAKE_X1_STEP_KEY_SHARE:
case PSA_PAKE_X2_STEP_KEY_SHARE:
if( step != PSA_PAKE_STEP_KEY_SHARE )
return( PSA_ERROR_BAD_STATE );
break;
case PSA_PAKE_X1_STEP_ZK_PUBLIC:
case PSA_PAKE_X2_STEP_ZK_PUBLIC:
if( step != PSA_PAKE_STEP_ZK_PUBLIC )
return( PSA_ERROR_BAD_STATE );
break;
case PSA_PAKE_X1_STEP_ZK_PROOF:
case PSA_PAKE_X2_STEP_ZK_PROOF:
if( step != PSA_PAKE_STEP_ZK_PROOF )
return( PSA_ERROR_BAD_STATE );
break;
default:
return( PSA_ERROR_BAD_STATE );
}
/* Copy input to local buffer */
memcpy( operation->buffer + operation->buffer_length,
input, input_length );
operation->buffer_length += input_length;
/* Load buffer at each last round ZK_PROOF */
if( operation->state == PSA_PAKE_INPUT_X1_X2 &&
operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF )
{
ret = mbedtls_ecjpake_read_round_one( &operation->ctx.ecjpake,
operation->buffer,
operation->buffer_length );
mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE );
operation->buffer_length = 0;
if( ret != 0 )
{
psa_pake_abort( operation );
return( mbedtls_ecjpake_to_psa_error( ret ) );
}
}
else if( operation->state == PSA_PAKE_INPUT_X4S &&
operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF )
{
ret = mbedtls_ecjpake_read_round_two( &operation->ctx.ecjpake,
operation->buffer,
operation->buffer_length );
mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE );
operation->buffer_length = 0;
if( ret != 0 )
{
psa_pake_abort( operation );
return( mbedtls_ecjpake_to_psa_error( ret ) );
}
}
if( ( operation->state == PSA_PAKE_INPUT_X1_X2 &&
operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF ) ||
( operation->state == PSA_PAKE_INPUT_X4S &&
operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF ) )
{
operation->state = PSA_PAKE_STATE_READY;
operation->input_step++;
operation->sequence = PSA_PAKE_SEQ_INVALID;
}
else
operation->sequence++;
return( PSA_SUCCESS );
}
else
#endif
return( PSA_ERROR_NOT_SUPPORTED );
}
psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation,
psa_key_derivation_operation_t *output)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
if( operation->alg == PSA_ALG_NONE ||
operation->state != PSA_PAKE_STATE_READY ||
operation->input_step != PSA_PAKE_STEP_DERIVE ||
operation->output_step != PSA_PAKE_STEP_DERIVE )
return( PSA_ERROR_BAD_STATE );
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
if( operation->alg == PSA_ALG_JPAKE )
{
ret = mbedtls_ecjpake_write_shared_key( &operation->ctx.ecjpake,
operation->buffer,
PSA_PAKE_BUFFER_SIZE,
&operation->buffer_length,
mbedtls_psa_get_random,
MBEDTLS_PSA_RANDOM_STATE );
if( ret != 0)
{
psa_pake_abort( operation );
return( mbedtls_ecjpake_to_psa_error( ret ) );
}
status = psa_key_derivation_input_bytes( output,
PSA_KEY_DERIVATION_INPUT_SECRET,
operation->buffer,
operation->buffer_length );
mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE );
psa_pake_abort( operation );
return( status );
}
else
#endif
return( PSA_ERROR_NOT_SUPPORTED );
}
psa_status_t psa_pake_abort(psa_pake_operation_t * operation)
{
if( operation->alg == PSA_ALG_NONE )
{
return( PSA_SUCCESS );
}
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
if( operation->alg == PSA_ALG_JPAKE )
{
operation->input_step = PSA_PAKE_STEP_INVALID;
operation->output_step = PSA_PAKE_STEP_INVALID;
operation->password = MBEDTLS_SVC_KEY_ID_INIT;
operation->role = PSA_PAKE_ROLE_NONE;
mbedtls_platform_zeroize( operation->buffer, PSA_PAKE_BUFFER_SIZE );
operation->buffer_length = 0;
operation->buffer_offset = 0;
mbedtls_ecjpake_free( &operation->ctx.ecjpake );
}
#endif
operation->alg = PSA_ALG_NONE;
operation->state = PSA_PAKE_STATE_INVALID;
operation->sequence = PSA_PAKE_SEQ_INVALID;
return( PSA_SUCCESS );
}
#endif /* MBEDTLS_PSA_BUILTIN_PAKE */
#endif /* MBEDTLS_PSA_CRYPTO_C */

104
tests/suites/test_suite_psa_crypto.data
View file

@ -6445,3 +6445,107 @@ persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY
PSA derive persistent key: HKDF SHA-256, exportable
persistent_key_load_key_from_storage:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_TYPE_RAW_DATA:1024:PSA_KEY_USAGE_EXPORT:0:DERIVE_KEY
PSA PAKE: invalid alg
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":PSA_ERROR_INVALID_ARGUMENT:0:0:0
PSA PAKE: invalid primitive type
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_DH, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":PSA_ERROR_NOT_SUPPORTED:0:0:0
PSA PAKE: invalid primitive family
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_K1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":PSA_ERROR_NOT_SUPPORTED:0:0:0
PSA PAKE: invalid primitive bits
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 128):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":PSA_ERROR_NOT_SUPPORTED:0:0:0
PSA PAKE: invalid hash
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_1:PSA_PAKE_ROLE_SERVER:0:"abcd":PSA_ERROR_NOT_SUPPORTED:0:0:0
PSA PAKE: ecjpake setup server output step first
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":0:0:0:0
PSA PAKE: ecjpake setup server input step first
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":0:0:0:0
PSA PAKE: ecjpake setup server empty password
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"":0:0:0:PSA_ERROR_BAD_STATE
PSA PAKE: ecjpake setup client output step first
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":0:0:0:0
PSA PAKE: ecjpake setup client input step first
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:1:"abcd":0:0:0:0
PSA PAKE: ecjpake setup client empty password
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"":0:0:0:PSA_ERROR_BAD_STATE
PSA PAKE: ecjpake setup client bad password key type
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_DERIVE:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":0:0:PSA_ERROR_INVALID_ARGUMENT:0
PSA PAKE: ecjpake setup client bad password key usage
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_ENCRYPT:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":0:0:PSA_ERROR_NOT_PERMITTED:0
PSA PAKE: ecjpake setup invalid role NONE
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_NONE:0:"abcd":0:PSA_ERROR_NOT_SUPPORTED:0:0
PSA PAKE: ecjpake rounds
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0
PSA PAKE: ecjpake rounds, client input first
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1
PSA PAKE: ecjpake no input errors
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:0:"abcdef"
PSA PAKE: ecjpake no input errors, client input first
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:0:"abcdef"
PSA PAKE: ecjpake inject input errors, first round client
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:1:"abcdef"
PSA PAKE: ecjpake inject input errors, first round client, client input first
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:1:"abcdef"
PSA PAKE: ecjpake inject input errors, first round server
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:2:"abcdef"
PSA PAKE: ecjpake inject input errors, first round server, client input first
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:2:"abcdef"
PSA PAKE: ecjpake inject input errors, second round client
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:3:"abcdef"
PSA PAKE: ecjpake inject input errors, second round client, client input first
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:3:"abcdef"
PSA PAKE: ecjpake inject input errors, second round server
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:4:"abcdef"
PSA PAKE: ecjpake inject input errors, second round server, client input first
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:4:"abcdef"

872
tests/suites/test_suite_psa_crypto.function
View file

@ -705,6 +705,570 @@ exit:
return( test_ok );
}
#if defined(PSA_WANT_ALG_JPAKE)
static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive,
psa_pake_operation_t *server,
psa_pake_operation_t *client,
int client_input_first,
int round, int inject_error )
{
unsigned char *buffer0 = NULL, *buffer1 = NULL;
size_t buffer_length = (
PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE) +
PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC) +
PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF)) * 2;
size_t buffer0_off = 0;
size_t buffer1_off = 0;
size_t s_g1_len, s_g2_len, s_a_len;
size_t s_g1_off, s_g2_off, s_a_off;
size_t s_x1_pk_len, s_x2_pk_len, s_x2s_pk_len;
size_t s_x1_pk_off, s_x2_pk_off, s_x2s_pk_off;
size_t s_x1_pr_len, s_x2_pr_len, s_x2s_pr_len;
size_t s_x1_pr_off, s_x2_pr_off, s_x2s_pr_off;
size_t c_g1_len, c_g2_len, c_a_len;
size_t c_g1_off, c_g2_off, c_a_off;
size_t c_x1_pk_len, c_x2_pk_len, c_x2s_pk_len;
size_t c_x1_pk_off, c_x2_pk_off, c_x2s_pk_off;
size_t c_x1_pr_len, c_x2_pr_len, c_x2s_pr_len;
size_t c_x1_pr_off, c_x2_pr_off, c_x2s_pr_off;
psa_status_t expected_status = PSA_SUCCESS;
psa_status_t status;
ASSERT_ALLOC( buffer0, buffer_length );
ASSERT_ALLOC( buffer1, buffer_length );
switch( round )
{
case 1:
/* Server first round Output */
PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + buffer0_off,
512 - buffer0_off, &s_g1_len ) );
s_g1_off = buffer0_off;
buffer0_off += s_g1_len;
PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + buffer0_off,
512 - buffer0_off, &s_x1_pk_len ) );
s_x1_pk_off = buffer0_off;
buffer0_off += s_x1_pk_len;
PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + buffer0_off,
512 - buffer0_off, &s_x1_pr_len ) );
s_x1_pr_off = buffer0_off;
buffer0_off += s_x1_pr_len;
PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + buffer0_off,
512 - buffer0_off, &s_g2_len ) );
s_g2_off = buffer0_off;
buffer0_off += s_g2_len;
PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + buffer0_off,
512 - buffer0_off, &s_x2_pk_len ) );
s_x2_pk_off = buffer0_off;
buffer0_off += s_x2_pk_len;
PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + buffer0_off,
512 - buffer0_off, &s_x2_pr_len ) );
s_x2_pr_off = buffer0_off;
buffer0_off += s_x2_pr_len;
if( inject_error == 1 )
{
buffer0[s_x1_pk_off + 8] >>= 4;
buffer0[s_x2_pk_off + 7] <<= 4;
expected_status = PSA_ERROR_DATA_INVALID;
}
/*
* When injecting errors in inputs, the implementation is
* free to detect it right away of with a delay.
* This permits delaying the error until the end of the input
* sequence, if no error appears then, this will be treated
* as an error.
*/
if( client_input_first == 1 )
{
/* Client first round Input */
status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + s_g1_off, s_g1_len );
if( inject_error == 1 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + s_x1_pk_off,
s_x1_pk_len );
if( inject_error == 1 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + s_x1_pr_off,
s_x1_pr_len );
if( inject_error == 1 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + s_g2_off,
s_g2_len );
if( inject_error == 1 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + s_x2_pk_off,
s_x2_pk_len );
if( inject_error == 1 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + s_x2_pr_off,
s_x2_pr_len );
if( inject_error == 1 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
/* Error didn't trigger, make test fail */
if( inject_error == 1 )
TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." );
}
/* Client first round Output */
PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE,
buffer1 + buffer1_off,
512 - buffer1_off, &c_g1_len ) );
c_g1_off = buffer1_off;
buffer1_off += c_g1_len;
PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer1 + buffer1_off,
512 - buffer1_off, &c_x1_pk_len ) );
c_x1_pk_off = buffer1_off;
buffer1_off += c_x1_pk_len;
PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF,
buffer1 + buffer1_off,
512 - buffer1_off, &c_x1_pr_len ) );
c_x1_pr_off = buffer1_off;
buffer1_off += c_x1_pr_len;
PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE,
buffer1 + buffer1_off,
512 - buffer1_off, &c_g2_len ) );
c_g2_off = buffer1_off;
buffer1_off += c_g2_len;
PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer1 + buffer1_off,
512 - buffer1_off, &c_x2_pk_len ) );
c_x2_pk_off = buffer1_off;
buffer1_off += c_x2_pk_len;
PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF,
buffer1 + buffer1_off,
512 - buffer1_off, &c_x2_pr_len ) );
c_x2_pr_off = buffer1_off;
buffer1_off += c_x2_pr_len;
if( client_input_first == 0 )
{
/* Client first round Input */
status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + s_g1_off, s_g1_len );
if( inject_error == 1 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + s_x1_pk_off,
s_x1_pk_len );
if( inject_error == 1 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + s_x1_pr_off,
s_x1_pr_len );
if( inject_error == 1 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + s_g2_off,
s_g2_len );
if( inject_error == 1 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + s_x2_pk_off,
s_x2_pk_len );
if( inject_error == 1 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + s_x2_pr_off,
s_x2_pr_len );
if( inject_error == 1 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
/* Error didn't trigger, make test fail */
if( inject_error == 1 )
TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." );
}
if( inject_error == 2 )
{
buffer1[c_x1_pk_off + 12] >>= 4;
buffer1[c_x2_pk_off + 7] <<= 4;
expected_status = PSA_ERROR_DATA_INVALID;
}
/* Server first round Input */
status = psa_pake_input( server, PSA_PAKE_STEP_KEY_SHARE,
buffer1 + c_g1_off, c_g1_len );
if( inject_error == 2 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PUBLIC,
buffer1 + c_x1_pk_off, c_x1_pk_len );
if( inject_error == 2 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PROOF,
buffer1 + c_x1_pr_off, c_x1_pr_len );
if( inject_error == 2 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( server, PSA_PAKE_STEP_KEY_SHARE,
buffer1 + c_g2_off, c_g2_len );
if( inject_error == 2 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PUBLIC,
buffer1 + c_x2_pk_off, c_x2_pk_len );
if( inject_error == 2 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PROOF,
buffer1 + c_x2_pr_off, c_x2_pr_len );
if( inject_error == 2 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
/* Error didn't trigger, make test fail */
if( inject_error == 2 )
TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." );
break;
case 2:
/* Server second round Output */
buffer0_off = 0;
PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + buffer0_off,
512 - buffer0_off, &s_a_len ) );
s_a_off = buffer0_off;
buffer0_off += s_a_len;
PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + buffer0_off,
512 - buffer0_off, &s_x2s_pk_len ) );
s_x2s_pk_off = buffer0_off;
buffer0_off += s_x2s_pk_len;
PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + buffer0_off,
512 - buffer0_off, &s_x2s_pr_len ) );
s_x2s_pr_off = buffer0_off;
buffer0_off += s_x2s_pr_len;
if( inject_error == 3 )
{
buffer0[s_x2s_pk_off + 12] += 0x33;
expected_status = PSA_ERROR_DATA_INVALID;
}
if( client_input_first == 1 )
{
/* Client second round Input */
status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + s_a_off, s_a_len );
if( inject_error == 3 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + s_x2s_pk_off,
s_x2s_pk_len );
if( inject_error == 3 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + s_x2s_pr_off,
s_x2s_pr_len );
if( inject_error == 3 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
/* Error didn't trigger, make test fail */
if( inject_error == 3 )
TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." );
}
/* Client second round Output */
buffer1_off = 0;
PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE,
buffer1 + buffer1_off,
512 - buffer1_off, &c_a_len ) );
c_a_off = buffer1_off;
buffer1_off += c_a_len;
PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer1 + buffer1_off,
512 - buffer1_off, &c_x2s_pk_len ) );
c_x2s_pk_off = buffer1_off;
buffer1_off += c_x2s_pk_len;
PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF,
buffer1 + buffer1_off,
512 - buffer1_off, &c_x2s_pr_len ) );
c_x2s_pr_off = buffer1_off;
buffer1_off += c_x2s_pr_len;
if( client_input_first == 0 )
{
/* Client second round Input */
status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + s_a_off, s_a_len );
if( inject_error == 3 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + s_x2s_pk_off,
s_x2s_pk_len );
if( inject_error == 3 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + s_x2s_pr_off,
s_x2s_pr_len );
if( inject_error == 3 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
/* Error didn't trigger, make test fail */
if( inject_error == 3 )
TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." );
}
if( inject_error == 4 )
{
buffer1[c_x2s_pk_off + 7] += 0x28;
expected_status = PSA_ERROR_DATA_INVALID;
}
/* Server second round Input */
status = psa_pake_input( server, PSA_PAKE_STEP_KEY_SHARE,
buffer1 + c_a_off, c_a_len );
if( inject_error == 4 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PUBLIC,
buffer1 + c_x2s_pk_off, c_x2s_pk_len );
if( inject_error == 4 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PROOF,
buffer1 + c_x2s_pr_off, c_x2s_pr_len );
if( inject_error == 4 && status != PSA_SUCCESS )
{
TEST_EQUAL( status, expected_status );
break;
}
else
{
TEST_EQUAL( status, PSA_SUCCESS );
}
/* Error didn't trigger, make test fail */
if( inject_error == 4 )
TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." );
break;
}
exit:
mbedtls_free( buffer0 );
mbedtls_free( buffer1 );
}
#endif /* PSA_WANT_ALG_JPAKE */
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@ -8091,3 +8655,311 @@ exit:
PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
int primitive_arg, int hash_arg, int role_arg,
int input_first, data_t *pw_data,
int expected_status_setup_arg,
int expected_status_set_role_arg,
int expected_status_set_password_key_arg,
int expected_status_input_output_arg)
{
psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
psa_pake_operation_t operation = psa_pake_operation_init();
psa_algorithm_t alg = alg_arg;
psa_key_type_t key_type_pw = key_type_pw_arg;
psa_key_usage_t key_usage_pw = key_usage_pw_arg;
psa_algorithm_t hash_alg = hash_arg;
psa_pake_role_t role = role_arg;
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_status_t expected_status_setup = expected_status_setup_arg;
psa_status_t expected_status_set_role = expected_status_set_role_arg;
psa_status_t expected_status_set_password_key =
expected_status_set_password_key_arg;
psa_status_t expected_status_input_output =
expected_status_input_output_arg;
unsigned char *output_buffer = NULL;
size_t output_len = 0;
PSA_INIT( );
ASSERT_ALLOC( output_buffer,
PSA_PAKE_OUTPUT_SIZE(alg, primitive_arg,
PSA_PAKE_STEP_KEY_SHARE) );
if( pw_data->len > 0 )
{
psa_set_key_usage_flags( &attributes, key_usage_pw );
psa_set_key_algorithm( &attributes, alg );
psa_set_key_type( &attributes, key_type_pw );
PSA_ASSERT( psa_import_key( &attributes, pw_data->x, pw_data->len,
&key ) );
}
psa_pake_cs_set_algorithm( &cipher_suite, alg );
psa_pake_cs_set_primitive( &cipher_suite, primitive_arg );
psa_pake_cs_set_hash( &cipher_suite, hash_alg );
PSA_ASSERT( psa_pake_abort( &operation ) );
TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ),
PSA_ERROR_BAD_STATE );
TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ),
PSA_ERROR_BAD_STATE );
TEST_EQUAL( psa_pake_set_password_key( &operation, key ),
PSA_ERROR_BAD_STATE );
TEST_EQUAL( psa_pake_set_role( &operation, role ),
PSA_ERROR_BAD_STATE );
TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE,
NULL, 0, NULL ),
PSA_ERROR_BAD_STATE );
TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, NULL, 0),
PSA_ERROR_BAD_STATE );
PSA_ASSERT( psa_pake_abort( &operation ) );
TEST_EQUAL( psa_pake_setup( &operation, &cipher_suite ),
expected_status_setup );
if( expected_status_setup != PSA_SUCCESS )
goto exit;
TEST_EQUAL( psa_pake_setup( &operation, &cipher_suite ),
PSA_ERROR_BAD_STATE );
TEST_EQUAL( psa_pake_set_role( &operation, role),
expected_status_set_role );
if( expected_status_set_role != PSA_SUCCESS )
goto exit;
if( pw_data->len > 0 )
{
TEST_EQUAL( psa_pake_set_password_key( &operation, key ),
expected_status_set_password_key );
if( expected_status_set_password_key != PSA_SUCCESS )
goto exit;
}
TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ),
PSA_ERROR_INVALID_ARGUMENT );
TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ),
PSA_ERROR_INVALID_ARGUMENT );
const uint8_t unsupported_id[] = "abcd";
TEST_EQUAL( psa_pake_set_user( &operation, unsupported_id, 4 ),
PSA_ERROR_NOT_SUPPORTED );
TEST_EQUAL( psa_pake_set_peer( &operation, unsupported_id, 4 ),
PSA_ERROR_NOT_SUPPORTED );
/* First round */
if( input_first )
{
/* Invalid parameters */
TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF,
NULL, 0 ),
PSA_ERROR_INVALID_ARGUMENT );
TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF + 10,
output_buffer, 66 ),
PSA_ERROR_INVALID_ARGUMENT );
/* Invalid first step */
TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF,
output_buffer, 66 ),
PSA_ERROR_BAD_STATE );
TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE,
output_buffer, 66 ),
expected_status_input_output);
if( expected_status_input_output == PSA_SUCCESS )
{
/* Buffer too large */
TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
output_buffer, 512 ),
PSA_ERROR_INSUFFICIENT_MEMORY );
/* The operation should be aborted at this point */
TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
output_buffer, 66 ),
PSA_ERROR_BAD_STATE );
}
}
else
{
/* Invalid parameters */
TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF,
NULL, 0, NULL ),
PSA_ERROR_INVALID_ARGUMENT );
TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF + 10,
output_buffer, 512, &output_len ),
PSA_ERROR_INVALID_ARGUMENT );
/* Invalid first step */
TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF,
output_buffer, 512, &output_len ),
PSA_ERROR_BAD_STATE );
TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE,
output_buffer, 512, &output_len ),
expected_status_input_output );
if( expected_status_input_output == PSA_SUCCESS )
{
TEST_ASSERT( output_len > 0 );
/* Buffer too small */
TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
output_buffer, 5, &output_len ),
PSA_ERROR_BUFFER_TOO_SMALL );
/* The operation should be aborted at this point */
TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
output_buffer, 512, &output_len ),
PSA_ERROR_BAD_STATE );
}
}
exit:
PSA_ASSERT( psa_destroy_key( key ) );
PSA_ASSERT( psa_pake_abort( &operation ) );
mbedtls_free( output_buffer );
PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
void ecjpake_rounds_inject( int alg_arg, int primitive_arg, int hash_arg,
int client_input_first, int inject_error,
data_t *pw_data )
{
psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
psa_pake_operation_t server = psa_pake_operation_init();
psa_pake_operation_t client = psa_pake_operation_init();
psa_algorithm_t alg = alg_arg;
psa_algorithm_t hash_alg = hash_arg;
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
PSA_INIT( );
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE );
psa_set_key_algorithm( &attributes, alg );
psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD );
PSA_ASSERT( psa_import_key( &attributes, pw_data->x, pw_data->len,
&key ) );
psa_pake_cs_set_algorithm( &cipher_suite, alg );
psa_pake_cs_set_primitive( &cipher_suite, primitive_arg );
psa_pake_cs_set_hash( &cipher_suite, hash_alg );
PSA_ASSERT( psa_pake_setup( &server, &cipher_suite ) );
PSA_ASSERT( psa_pake_setup( &client, &cipher_suite ) );
PSA_ASSERT( psa_pake_set_role( &server, PSA_PAKE_ROLE_SERVER ) );
PSA_ASSERT( psa_pake_set_role( &client, PSA_PAKE_ROLE_CLIENT ) );
PSA_ASSERT( psa_pake_set_password_key( &server, key ) );
PSA_ASSERT( psa_pake_set_password_key( &client, key ) );
ecjpake_do_round( alg, primitive_arg, &server, &client,
client_input_first, 1, inject_error );
if( inject_error == 1 || inject_error == 2 )
goto exit;
ecjpake_do_round( alg, primitive_arg, &server, &client,
client_input_first, 2, inject_error );
exit:
psa_destroy_key( key );
psa_pake_abort( &server );
psa_pake_abort( &client );
PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg,
int derive_alg_arg, data_t *pw_data,
int client_input_first )
{
psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
psa_pake_operation_t server = psa_pake_operation_init();
psa_pake_operation_t client = psa_pake_operation_init();
psa_algorithm_t alg = alg_arg;
psa_algorithm_t hash_alg = hash_arg;
psa_algorithm_t derive_alg = derive_alg_arg;
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_derivation_operation_t server_derive =
PSA_KEY_DERIVATION_OPERATION_INIT;
psa_key_derivation_operation_t client_derive =
PSA_KEY_DERIVATION_OPERATION_INIT;
PSA_INIT( );
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE );
psa_set_key_algorithm( &attributes, alg );
psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD );
PSA_ASSERT( psa_import_key( &attributes, pw_data->x, pw_data->len,
&key ) );
psa_pake_cs_set_algorithm( &cipher_suite, alg );
psa_pake_cs_set_primitive( &cipher_suite, primitive_arg );
psa_pake_cs_set_hash( &cipher_suite, hash_alg );
/* Get shared key */
PSA_ASSERT( psa_key_derivation_setup( &server_derive, derive_alg ) );
PSA_ASSERT( psa_key_derivation_setup( &client_derive, derive_alg ) );
if( PSA_ALG_IS_TLS12_PRF( derive_alg ) ||
PSA_ALG_IS_TLS12_PSK_TO_MS( derive_alg ) )
{
PSA_ASSERT( psa_key_derivation_input_bytes( &server_derive,
PSA_KEY_DERIVATION_INPUT_SEED,
(const uint8_t*) "", 0) );
PSA_ASSERT( psa_key_derivation_input_bytes( &client_derive,
PSA_KEY_DERIVATION_INPUT_SEED,
(const uint8_t*) "", 0) );
}
PSA_ASSERT( psa_pake_setup( &server, &cipher_suite ) );
PSA_ASSERT( psa_pake_setup( &client, &cipher_suite ) );
PSA_ASSERT( psa_pake_set_role( &server, PSA_PAKE_ROLE_SERVER ) );
PSA_ASSERT( psa_pake_set_role( &client, PSA_PAKE_ROLE_CLIENT ) );
PSA_ASSERT( psa_pake_set_password_key( &server, key ) );
PSA_ASSERT( psa_pake_set_password_key( &client, key ) );
TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ),
PSA_ERROR_BAD_STATE );
TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ),
PSA_ERROR_BAD_STATE );
/* First round */
ecjpake_do_round( alg, primitive_arg, &server, &client,
client_input_first, 1, 0 );
TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ),
PSA_ERROR_BAD_STATE );
TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ),
PSA_ERROR_BAD_STATE );
/* Second round */
ecjpake_do_round( alg, primitive_arg, &server, &client,
client_input_first, 2, 0 );
PSA_ASSERT( psa_pake_get_implicit_key( &server, &server_derive ) );
PSA_ASSERT( psa_pake_get_implicit_key( &client, &client_derive ) );
exit:
psa_key_derivation_abort( &server_derive );
psa_key_derivation_abort( &client_derive );
psa_destroy_key( key );
psa_pake_abort( &server );
psa_pake_abort( &client );
PSA_DONE( );
}
/* END_CASE */