yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Move JPAKE state machine logic from driver to core

Browse source 
- Add `alg` and `computation_stage` to `psa_pake_operation_s`.
  Now when logic is moved to core information about `alg` is required.
  `computation_stage` is a structure that provides a union of computation stages for pake algorithms.
- Move the jpake operation logic from driver to core. This requires changing driver entry points for `psa_pake_output`/`psa_pake_input` functions and adding a `computation_stage` parameter. I'm not sure if this solution is correct. Now the driver can check the current computation stage and perform some action. For jpake drivers `step` parameter is now not used, but I think it needs to stay as it might be needed for other pake algorithms.
- Removed test that seems to be redundant as we can't be sure that operation is aborted after failure.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
This commit is contained in:
Przemek Stekiel 2022-12-21 12:54:46 +01:00
parent be5e27b5ad
commit e12ed36a6c
10 changed files with 500 additions and 323 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
include/psa/crypto_builtin_composites.h
View file

@ -195,11 +195,8 @@ typedef struct {
typedef struct { typedef struct {
psa_algorithm_t MBEDTLS_PRIVATE(alg); psa_algorithm_t MBEDTLS_PRIVATE(alg);
unsigned int MBEDTLS_PRIVATE(state);
unsigned int MBEDTLS_PRIVATE(sequence);
#if defined(MBEDTLS_PSA_BUILTIN_PAKE) #if defined(MBEDTLS_PSA_BUILTIN_PAKE)
unsigned int MBEDTLS_PRIVATE(input_step);
unsigned int MBEDTLS_PRIVATE(output_step);
uint8_t *MBEDTLS_PRIVATE(password); uint8_t *MBEDTLS_PRIVATE(password);
size_t MBEDTLS_PRIVATE(password_len); size_t MBEDTLS_PRIVATE(password_len);
uint8_t MBEDTLS_PRIVATE(role); uint8_t MBEDTLS_PRIVATE(role);

56
include/psa/crypto_extra.h
View file

@ -1292,6 +1292,12 @@ typedef struct psa_pake_operation_s psa_pake_operation_t;
/** The type of input values for PAKE operations. */ /** The type of input values for PAKE operations. */
typedef struct psa_crypto_driver_pake_inputs_s psa_crypto_driver_pake_inputs_t; typedef struct psa_crypto_driver_pake_inputs_s psa_crypto_driver_pake_inputs_t;
/** The type of compuatation stage for PAKE operations. */
typedef struct psa_pake_computation_stage_s psa_pake_computation_stage_t;
/** The type of compuatation stage for J-PAKE operations. */
typedef struct psa_jpake_computation_stage_s psa_jpake_computation_stage_t;
/** Return an initial value for a PAKE operation object. /** Return an initial value for a PAKE operation object.
*/ */
static psa_pake_operation_t psa_pake_operation_init(void); static psa_pake_operation_t psa_pake_operation_init(void);
@ -1832,7 +1838,8 @@ psa_status_t psa_pake_abort(psa_pake_operation_t *operation);
/** Returns a suitable initializer for a PAKE operation object of type /** Returns a suitable initializer for a PAKE operation object of type
* psa_pake_operation_t. * psa_pake_operation_t.
*/ */
#define PSA_PAKE_OPERATION_INIT { 0, PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS, { 0 } } #define PSA_PAKE_OPERATION_INIT { 0, PSA_ALG_NONE, PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS, \
{ { 0 } }, { 0 } }
struct psa_pake_cipher_suite_s { struct psa_pake_cipher_suite_s {
psa_algorithm_t algorithm; psa_algorithm_t algorithm;
@ -1904,7 +1911,6 @@ static inline void psa_pake_cs_set_hash(psa_pake_cipher_suite_t *cipher_suite,
} }
struct psa_crypto_driver_pake_inputs_s { struct psa_crypto_driver_pake_inputs_s {
psa_algorithm_t MBEDTLS_PRIVATE(alg);
uint8_t *MBEDTLS_PRIVATE(password); uint8_t *MBEDTLS_PRIVATE(password);
size_t MBEDTLS_PRIVATE(password_len); size_t MBEDTLS_PRIVATE(password_len);
psa_pake_role_t MBEDTLS_PRIVATE(role); psa_pake_role_t MBEDTLS_PRIVATE(role);
@ -1912,6 +1918,48 @@ struct psa_crypto_driver_pake_inputs_s {
psa_pake_cipher_suite_t MBEDTLS_PRIVATE(cipher_suite); psa_pake_cipher_suite_t MBEDTLS_PRIVATE(cipher_suite);
}; };
enum psa_jpake_step {
PSA_PAKE_STEP_INVALID = 0,
PSA_PAKE_STEP_X1_X2 = 1,
PSA_PAKE_STEP_X2S = 2,
PSA_PAKE_STEP_DERIVE = 3,
};
enum psa_jpake_state {
PSA_PAKE_STATE_INVALID = 0,
PSA_PAKE_STATE_SETUP = 1,
PSA_PAKE_STATE_READY = 2,
PSA_PAKE_OUTPUT_X1_X2 = 3,
PSA_PAKE_OUTPUT_X2S = 4,
PSA_PAKE_INPUT_X1_X2 = 5,
PSA_PAKE_INPUT_X4S = 6,
};
enum psa_jpake_sequence {
PSA_PAKE_SEQ_INVALID = 0,
PSA_PAKE_X1_STEP_KEY_SHARE = 1, /* also X2S & X4S KEY_SHARE */
PSA_PAKE_X1_STEP_ZK_PUBLIC = 2, /* also X2S & X4S ZK_PUBLIC */
PSA_PAKE_X1_STEP_ZK_PROOF = 3, /* also X2S & X4S ZK_PROOF */
PSA_PAKE_X2_STEP_KEY_SHARE = 4,
PSA_PAKE_X2_STEP_ZK_PUBLIC = 5,
PSA_PAKE_X2_STEP_ZK_PROOF = 6,
PSA_PAKE_SEQ_END = 7,
};
struct psa_jpake_computation_stage_s {
unsigned int MBEDTLS_PRIVATE(state);
unsigned int MBEDTLS_PRIVATE(sequence);
unsigned int MBEDTLS_PRIVATE(input_step);
unsigned int MBEDTLS_PRIVATE(output_step);
};
struct psa_pake_computation_stage_s {
union {
unsigned dummy;
psa_jpake_computation_stage_t MBEDTLS_PRIVATE(jpake_computation_stage);
} MBEDTLS_PRIVATE(data);
};
struct psa_pake_operation_s { struct psa_pake_operation_s {
/** Unique ID indicating which driver got assigned to do the /** Unique ID indicating which driver got assigned to do the
* operation. Since driver contexts are driver-specific, swapping * operation. Since driver contexts are driver-specific, swapping
@ -1920,10 +1968,14 @@ struct psa_pake_operation_s {
* ID value zero means the context is not valid or not assigned to * ID value zero means the context is not valid or not assigned to
* any driver (i.e. none of the driver contexts are active). */ * any driver (i.e. none of the driver contexts are active). */
unsigned int MBEDTLS_PRIVATE(id); unsigned int MBEDTLS_PRIVATE(id);
/* Algorithm used for PAKE operation */
psa_algorithm_t MBEDTLS_PRIVATE(alg);
/* Based on stage (collecting inputs/computation) we select active structure of data union. /* Based on stage (collecting inputs/computation) we select active structure of data union.
* While switching stage (when driver setup is called) collected inputs * While switching stage (when driver setup is called) collected inputs
are copied to the corresponding operation context. */ are copied to the corresponding operation context. */
uint8_t MBEDTLS_PRIVATE(stage); uint8_t MBEDTLS_PRIVATE(stage);
/* Holds computation stage of the PAKE algorithms. */
psa_pake_computation_stage_t MBEDTLS_PRIVATE(computation_stage);
union { union {
unsigned dummy; unsigned dummy;
psa_crypto_driver_pake_inputs_t MBEDTLS_PRIVATE(inputs); psa_crypto_driver_pake_inputs_t MBEDTLS_PRIVATE(inputs);

324
library/psa_crypto.c
View file

@ -7180,11 +7180,14 @@ psa_status_t psa_pake_setup(
psa_pake_operation_t *operation, psa_pake_operation_t *operation,
const psa_pake_cipher_suite_t *cipher_suite) const psa_pake_cipher_suite_t *cipher_suite)
{ {
psa_jpake_computation_stage_t *computation_stage =
&operation->computation_stage.data.jpake_computation_stage;
if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
if (operation->data.inputs.alg != PSA_ALG_NONE) { if (operation->alg != PSA_ALG_NONE) {
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
@ -7198,9 +7201,16 @@ psa_status_t psa_pake_setup(
memset(&operation->data.inputs, 0, sizeof(operation->data.inputs)); memset(&operation->data.inputs, 0, sizeof(operation->data.inputs));
operation->data.inputs.alg = cipher_suite->algorithm; operation->alg = cipher_suite->algorithm;
operation->data.inputs.cipher_suite = *cipher_suite; operation->data.inputs.cipher_suite = *cipher_suite;
if (operation->alg == PSA_ALG_JPAKE) {
computation_stage->state = PSA_PAKE_STATE_SETUP;
computation_stage->sequence = PSA_PAKE_SEQ_INVALID;
computation_stage->input_step = PSA_PAKE_STEP_X1_X2;
computation_stage->output_step = PSA_PAKE_STEP_X1_X2;
}
return PSA_SUCCESS; return PSA_SUCCESS;
} }
@ -7216,7 +7226,7 @@ psa_status_t psa_pake_set_password_key(
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
if (operation->data.inputs.alg == PSA_ALG_NONE) { if (operation->alg == PSA_ALG_NONE) {
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
@ -7241,7 +7251,8 @@ psa_status_t psa_pake_set_password_key(
operation->data.inputs.password = mbedtls_calloc(1, slot->key.bytes); operation->data.inputs.password = mbedtls_calloc(1, slot->key.bytes);
if (operation->data.inputs.password == NULL) { if (operation->data.inputs.password == NULL) {
return PSA_ERROR_INSUFFICIENT_MEMORY; status = PSA_ERROR_INSUFFICIENT_MEMORY;
goto error;
} }
memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes); memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes);
@ -7264,7 +7275,7 @@ psa_status_t psa_pake_set_user(
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
if (operation->data.inputs.alg == PSA_ALG_NONE) { if (operation->alg == PSA_ALG_NONE) {
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
@ -7286,7 +7297,7 @@ psa_status_t psa_pake_set_peer(
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
if (operation->data.inputs.alg == PSA_ALG_NONE) { if (operation->alg == PSA_ALG_NONE) {
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
@ -7305,7 +7316,7 @@ psa_status_t psa_pake_set_role(
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
if (operation->data.inputs.alg == PSA_ALG_NONE) { if (operation->alg == PSA_ALG_NONE) {
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
@ -7322,6 +7333,98 @@ psa_status_t psa_pake_set_role(
return PSA_SUCCESS; return PSA_SUCCESS;
} }
static psa_status_t psa_jpake_output_prologue(
psa_pake_operation_t *operation,
psa_pake_step_t step)
{
psa_jpake_computation_stage_t *computation_stage =
&operation->computation_stage.data.jpake_computation_stage;
if (computation_stage->state == PSA_PAKE_STATE_INVALID) {
return PSA_ERROR_BAD_STATE;
}
if (step != PSA_PAKE_STEP_KEY_SHARE &&
step != PSA_PAKE_STEP_ZK_PUBLIC &&
step != PSA_PAKE_STEP_ZK_PROOF) {
return PSA_ERROR_INVALID_ARGUMENT;
}
if (computation_stage->state != PSA_PAKE_STATE_READY &&
computation_stage->state != PSA_PAKE_OUTPUT_X1_X2 &&
computation_stage->state != PSA_PAKE_OUTPUT_X2S) {
return PSA_ERROR_BAD_STATE;
}
if (computation_stage->state == PSA_PAKE_STATE_READY) {
if (step != PSA_PAKE_STEP_KEY_SHARE) {
return PSA_ERROR_BAD_STATE;
}
switch (computation_stage->output_step) {
case PSA_PAKE_STEP_X1_X2:
computation_stage->state = PSA_PAKE_OUTPUT_X1_X2;
break;
case PSA_PAKE_STEP_X2S:
computation_stage->state = PSA_PAKE_OUTPUT_X2S;
break;
default:
return PSA_ERROR_BAD_STATE;
}
computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE;
}
/* Check if step matches current sequence */
switch (computation_stage->sequence) {
case PSA_PAKE_X1_STEP_KEY_SHARE:
case PSA_PAKE_X2_STEP_KEY_SHARE:
if (step != PSA_PAKE_STEP_KEY_SHARE) {
return PSA_ERROR_BAD_STATE;
}
break;
case PSA_PAKE_X1_STEP_ZK_PUBLIC:
case PSA_PAKE_X2_STEP_ZK_PUBLIC:
if (step != PSA_PAKE_STEP_ZK_PUBLIC) {
return PSA_ERROR_BAD_STATE;
}
break;
case PSA_PAKE_X1_STEP_ZK_PROOF:
case PSA_PAKE_X2_STEP_ZK_PROOF:
if (step != PSA_PAKE_STEP_ZK_PROOF) {
return PSA_ERROR_BAD_STATE;
}
break;
default:
return PSA_ERROR_BAD_STATE;
}
return PSA_SUCCESS;
}
static psa_status_t psa_jpake_output_epilogue(
psa_pake_operation_t *operation)
{
psa_jpake_computation_stage_t *computation_stage =
&operation->computation_stage.data.jpake_computation_stage;
if ((computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 &&
computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) ||
(computation_stage->state == PSA_PAKE_OUTPUT_X2S &&
computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) {
computation_stage->state = PSA_PAKE_STATE_READY;
computation_stage->output_step++;
computation_stage->sequence = PSA_PAKE_SEQ_INVALID;
} else {
computation_stage->sequence++;
}
return PSA_SUCCESS;
}
psa_status_t psa_pake_output( psa_status_t psa_pake_output(
psa_pake_operation_t *operation, psa_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
@ -7330,9 +7433,11 @@ psa_status_t psa_pake_output(
size_t *output_length) size_t *output_length)
{ {
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_jpake_computation_stage_t *computation_stage =
&operation->computation_stage.data.jpake_computation_stage;
if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
if (operation->data.inputs.alg == PSA_ALG_NONE || if (operation->alg == PSA_ALG_NONE ||
operation->data.inputs.password_len == 0 || operation->data.inputs.password_len == 0 ||
operation->data.inputs.role == PSA_PAKE_ROLE_NONE) { operation->data.inputs.role == PSA_PAKE_ROLE_NONE) {
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
@ -7343,6 +7448,12 @@ psa_status_t psa_pake_output(
if (status == PSA_SUCCESS) { if (status == PSA_SUCCESS) {
operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION;
if (operation->alg == PSA_ALG_JPAKE) {
computation_stage->state = PSA_PAKE_STATE_READY;
computation_stage->sequence = PSA_PAKE_SEQ_INVALID;
computation_stage->input_step = PSA_PAKE_STEP_X1_X2;
computation_stage->output_step = PSA_PAKE_STEP_X1_X2;
}
} else { } else {
return status; return status;
} }
@ -7360,10 +7471,140 @@ psa_status_t psa_pake_output(
return PSA_ERROR_INVALID_ARGUMENT; return PSA_ERROR_INVALID_ARGUMENT;
} }
return psa_driver_wrapper_pake_output(operation, step, output, switch (operation->alg) {
output_size, output_length); case PSA_ALG_JPAKE:
status = psa_jpake_output_prologue(operation, step);
if (status != PSA_SUCCESS) {
return status;
}
break;
default:
return PSA_ERROR_NOT_SUPPORTED;
}
status = psa_driver_wrapper_pake_output(operation, step,
&operation->computation_stage,
output, output_size, output_length);
if (status != PSA_SUCCESS) {
return status;
}
switch (operation->alg) {
case PSA_ALG_JPAKE:
status = psa_jpake_output_epilogue(operation);
if (status != PSA_SUCCESS) {
return status;
}
break;
default:
return PSA_ERROR_NOT_SUPPORTED;
}
return status;
} }
static psa_status_t psa_jpake_input_prologue(
psa_pake_operation_t *operation,
psa_pake_step_t step,
size_t input_length)
{
psa_jpake_computation_stage_t *computation_stage =
&operation->computation_stage.data.jpake_computation_stage;
if (computation_stage->state == PSA_PAKE_STATE_INVALID) {
return PSA_ERROR_BAD_STATE;
}
if (step != PSA_PAKE_STEP_KEY_SHARE &&
step != PSA_PAKE_STEP_ZK_PUBLIC &&
step != PSA_PAKE_STEP_ZK_PROOF) {
return PSA_ERROR_INVALID_ARGUMENT;
}
const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE(
PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256);
if (input_length > (size_t) PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, prim, step)) {
return PSA_ERROR_INVALID_ARGUMENT;
}
if (computation_stage->state != PSA_PAKE_STATE_READY &&
computation_stage->state != PSA_PAKE_INPUT_X1_X2 &&
computation_stage->state != PSA_PAKE_INPUT_X4S) {
return PSA_ERROR_BAD_STATE;
}
if (computation_stage->state == PSA_PAKE_STATE_READY) {
if (step != PSA_PAKE_STEP_KEY_SHARE) {
return PSA_ERROR_BAD_STATE;
}
switch (computation_stage->input_step) {
case PSA_PAKE_STEP_X1_X2:
computation_stage->state = PSA_PAKE_INPUT_X1_X2;
break;
case PSA_PAKE_STEP_X2S:
computation_stage->state = PSA_PAKE_INPUT_X4S;
break;
default:
return PSA_ERROR_BAD_STATE;
}
computation_stage->sequence = PSA_PAKE_X1_STEP_KEY_SHARE;
}
/* Check if step matches current sequence */
switch (computation_stage->sequence) {
case PSA_PAKE_X1_STEP_KEY_SHARE:
case PSA_PAKE_X2_STEP_KEY_SHARE:
if (step != PSA_PAKE_STEP_KEY_SHARE) {
return PSA_ERROR_BAD_STATE;
}
break;
case PSA_PAKE_X1_STEP_ZK_PUBLIC:
case PSA_PAKE_X2_STEP_ZK_PUBLIC:
if (step != PSA_PAKE_STEP_ZK_PUBLIC) {
return PSA_ERROR_BAD_STATE;
}
break;
case PSA_PAKE_X1_STEP_ZK_PROOF:
case PSA_PAKE_X2_STEP_ZK_PROOF:
if (step != PSA_PAKE_STEP_ZK_PROOF) {
return PSA_ERROR_BAD_STATE;
}
break;
default:
return PSA_ERROR_BAD_STATE;
}
return PSA_SUCCESS;
}
static psa_status_t psa_jpake_input_epilogue(
psa_pake_operation_t *operation)
{
psa_jpake_computation_stage_t *computation_stage =
&operation->computation_stage.data.jpake_computation_stage;
if ((computation_stage->state == PSA_PAKE_INPUT_X1_X2 &&
computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) ||
(computation_stage->state == PSA_PAKE_INPUT_X4S &&
computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) {
computation_stage->state = PSA_PAKE_STATE_READY;
computation_stage->input_step++;
computation_stage->sequence = PSA_PAKE_SEQ_INVALID;
} else {
computation_stage->sequence++;
}
return PSA_SUCCESS;
}
psa_status_t psa_pake_input( psa_status_t psa_pake_input(
psa_pake_operation_t *operation, psa_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
@ -7371,9 +7612,11 @@ psa_status_t psa_pake_input(
size_t input_length) size_t input_length)
{ {
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_jpake_computation_stage_t *computation_stage =
&operation->computation_stage.data.jpake_computation_stage;
if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
if (operation->data.inputs.alg == PSA_ALG_NONE || if (operation->alg == PSA_ALG_NONE ||
operation->data.inputs.password_len == 0 || operation->data.inputs.password_len == 0 ||
operation->data.inputs.role == PSA_PAKE_ROLE_NONE) { operation->data.inputs.role == PSA_PAKE_ROLE_NONE) {
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
@ -7384,6 +7627,12 @@ psa_status_t psa_pake_input(
if (status == PSA_SUCCESS) { if (status == PSA_SUCCESS) {
operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION;
if (operation->alg == PSA_ALG_JPAKE) {
computation_stage->state = PSA_PAKE_STATE_READY;
computation_stage->sequence = PSA_PAKE_SEQ_INVALID;
computation_stage->input_step = PSA_PAKE_STEP_X1_X2;
computation_stage->output_step = PSA_PAKE_STEP_X1_X2;
}
} else { } else {
return status; return status;
} }
@ -7401,8 +7650,37 @@ psa_status_t psa_pake_input(
return PSA_ERROR_INVALID_ARGUMENT; return PSA_ERROR_INVALID_ARGUMENT;
} }
return psa_driver_wrapper_pake_input(operation, step, input, switch (operation->alg) {
input_length); case PSA_ALG_JPAKE:
status = psa_jpake_input_prologue(operation, step, input_length);
if (status != PSA_SUCCESS) {
return status;
}
break;
default:
return PSA_ERROR_NOT_SUPPORTED;
}
status = psa_driver_wrapper_pake_input(operation, step,
&operation->computation_stage,
input, input_length);
if (status != PSA_SUCCESS) {
return status;
}
switch (operation->alg) {
case PSA_ALG_JPAKE:
status = psa_jpake_input_epilogue(operation);
if (status != PSA_SUCCESS) {
return status;
}
break;
default:
return PSA_ERROR_NOT_SUPPORTED;
}
return status;
} }
psa_status_t psa_pake_get_implicit_key( psa_status_t psa_pake_get_implicit_key(
@ -7412,11 +7690,20 @@ psa_status_t psa_pake_get_implicit_key(
psa_status_t status = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
uint8_t shared_key[MBEDTLS_PSA_PAKE_BUFFER_SIZE]; uint8_t shared_key[MBEDTLS_PSA_PAKE_BUFFER_SIZE];
size_t shared_key_len = 0; size_t shared_key_len = 0;
psa_jpake_computation_stage_t *computation_stage =
&operation->computation_stage.data.jpake_computation_stage;
if (operation->id == 0) { if (operation->id == 0) {
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
if (operation->alg == PSA_ALG_JPAKE) {
if (computation_stage->input_step != PSA_PAKE_STEP_DERIVE ||
computation_stage->output_step != PSA_PAKE_STEP_DERIVE) {
return PSA_ERROR_BAD_STATE;
}
}
status = psa_driver_wrapper_pake_get_implicit_key(operation, status = psa_driver_wrapper_pake_get_implicit_key(operation,
shared_key, shared_key,
&shared_key_len); &shared_key_len);
@ -7436,18 +7723,29 @@ psa_status_t psa_pake_get_implicit_key(
mbedtls_platform_zeroize(shared_key, MBEDTLS_PSA_PAKE_BUFFER_SIZE); mbedtls_platform_zeroize(shared_key, MBEDTLS_PSA_PAKE_BUFFER_SIZE);
psa_pake_abort(operation);
return status; return status;
} }
psa_status_t psa_pake_abort( psa_status_t psa_pake_abort(
psa_pake_operation_t *operation) psa_pake_operation_t *operation)
{ {
psa_jpake_computation_stage_t *computation_stage =
&operation->computation_stage.data.jpake_computation_stage;
/* If we are in collecting inputs stage clear inputs. */ /* If we are in collecting inputs stage clear inputs. */
if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
mbedtls_free(operation->data.inputs.password); mbedtls_free(operation->data.inputs.password);
memset(&operation->data.inputs, 0, sizeof(psa_crypto_driver_pake_inputs_t)); memset(&operation->data.inputs, 0, sizeof(psa_crypto_driver_pake_inputs_t));
return PSA_SUCCESS; return PSA_SUCCESS;
} }
if (operation->alg == PSA_ALG_JPAKE) {
computation_stage->input_step = PSA_PAKE_STEP_INVALID;
computation_stage->output_step = PSA_PAKE_STEP_INVALID;
computation_stage->state = PSA_PAKE_STATE_INVALID;
computation_stage->sequence = PSA_PAKE_SEQ_INVALID;
}
return psa_driver_wrapper_pake_abort(operation); return psa_driver_wrapper_pake_abort(operation);
} }

2
library/psa_crypto_driver_wrappers.h
View file

@ -422,6 +422,7 @@ psa_status_t psa_driver_wrapper_pake_setup(
psa_status_t psa_driver_wrapper_pake_output( psa_status_t psa_driver_wrapper_pake_output(
psa_pake_operation_t *operation, psa_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
uint8_t *output, uint8_t *output,
size_t output_size, size_t output_size,
size_t *output_length); size_t *output_length);
@ -429,6 +430,7 @@ psa_status_t psa_driver_wrapper_pake_output(
psa_status_t psa_driver_wrapper_pake_input( psa_status_t psa_driver_wrapper_pake_input(
psa_pake_operation_t *operation, psa_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
const uint8_t *input, const uint8_t *input,
size_t input_length); size_t input_length);

375
library/psa_crypto_pake.c
View file

@ -79,23 +79,6 @@
* psa_pake_abort() * psa_pake_abort()
*/ */
enum psa_pake_step {
PSA_PAKE_STEP_INVALID = 0,
PSA_PAKE_STEP_X1_X2 = 1,
PSA_PAKE_STEP_X2S = 2,
PSA_PAKE_STEP_DERIVE = 3,
};
enum psa_pake_state {
PSA_PAKE_STATE_INVALID = 0,
PSA_PAKE_STATE_SETUP = 1,
PSA_PAKE_STATE_READY = 2,
PSA_PAKE_OUTPUT_X1_X2 = 3,
PSA_PAKE_OUTPUT_X2S = 4,
PSA_PAKE_INPUT_X1_X2 = 5,
PSA_PAKE_INPUT_X4S = 6,
};
/* /*
* The first PAKE step shares the same sequences of the second PAKE step * The first PAKE step shares the same sequences of the second PAKE step
* but with a second set of KEY_SHARE/ZK_PUBLIC/ZK_PROOF outputs/inputs. * but with a second set of KEY_SHARE/ZK_PUBLIC/ZK_PROOF outputs/inputs.
@ -157,16 +140,6 @@ enum psa_pake_state {
* psa_pake_get_implicit_key() * psa_pake_get_implicit_key()
* => Input & Output Step = PSA_PAKE_STEP_INVALID * => Input & Output Step = PSA_PAKE_STEP_INVALID
*/ */
enum psa_pake_sequence {
PSA_PAKE_SEQ_INVALID = 0,
PSA_PAKE_X1_STEP_KEY_SHARE = 1, /* also X2S & X4S KEY_SHARE */
PSA_PAKE_X1_STEP_ZK_PUBLIC = 2, /* also X2S & X4S ZK_PUBLIC */
PSA_PAKE_X1_STEP_ZK_PROOF = 3, /* also X2S & X4S ZK_PROOF */
PSA_PAKE_X2_STEP_KEY_SHARE = 4,
PSA_PAKE_X2_STEP_ZK_PUBLIC = 5,
PSA_PAKE_X2_STEP_ZK_PROOF = 6,
PSA_PAKE_SEQ_END = 7,
};
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
static psa_status_t mbedtls_ecjpake_to_psa_error(int ret) static psa_status_t mbedtls_ecjpake_to_psa_error(int ret)
@ -190,65 +163,6 @@ static psa_status_t mbedtls_ecjpake_to_psa_error(int ret)
} }
#endif #endif
#if defined(MBEDTLS_PSA_BUILTIN_PAKE)
psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
const psa_crypto_driver_pake_inputs_t *inputs)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
uint8_t *password = inputs->password;
size_t password_len = inputs->password_len;
psa_pake_role_t role = inputs->role;
psa_pake_cipher_suite_t cipher_suite = inputs->cipher_suite;
memset(operation, 0, sizeof(mbedtls_psa_pake_operation_t));
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
if (cipher_suite.algorithm == PSA_ALG_JPAKE) {
if (cipher_suite.type != PSA_PAKE_PRIMITIVE_TYPE_ECC ||
cipher_suite.family != PSA_ECC_FAMILY_SECP_R1 ||
cipher_suite.bits != 256 ||
cipher_suite.hash != PSA_ALG_SHA_256) {
status = PSA_ERROR_NOT_SUPPORTED;
goto error;
}
if (role != PSA_PAKE_ROLE_CLIENT &&
role != PSA_PAKE_ROLE_SERVER) {
status = PSA_ERROR_NOT_SUPPORTED;
goto error;
}
mbedtls_ecjpake_init(&operation->ctx.pake);
operation->state = PSA_PAKE_STATE_SETUP;
operation->sequence = PSA_PAKE_SEQ_INVALID;
operation->input_step = PSA_PAKE_STEP_X1_X2;
operation->output_step = PSA_PAKE_STEP_X1_X2;
operation->password_len = password_len;
operation->password = password;
operation->role = role;
operation->alg = cipher_suite.algorithm;
mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE);
operation->buffer_length = 0;
operation->buffer_offset = 0;
return PSA_SUCCESS;
} else
#else
(void) operation;
(void) inputs;
#endif
{ status = PSA_ERROR_NOT_SUPPORTED; }
error:
mbedtls_free(password);
mbedtls_psa_pake_abort(operation);
return status;
}
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operation) static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operation)
{ {
@ -283,31 +197,84 @@ static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operati
return mbedtls_ecjpake_to_psa_error(ret); return mbedtls_ecjpake_to_psa_error(ret);
} }
operation->state = PSA_PAKE_STATE_READY;
return PSA_SUCCESS; return PSA_SUCCESS;
} }
psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
const psa_crypto_driver_pake_inputs_t *inputs)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
uint8_t *password = inputs->password;
size_t password_len = inputs->password_len;
psa_pake_role_t role = inputs->role;
psa_pake_cipher_suite_t cipher_suite = inputs->cipher_suite;
memset(operation, 0, sizeof(mbedtls_psa_pake_operation_t));
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
if (cipher_suite.algorithm == PSA_ALG_JPAKE) {
if (cipher_suite.type != PSA_PAKE_PRIMITIVE_TYPE_ECC ||
cipher_suite.family != PSA_ECC_FAMILY_SECP_R1 ||
cipher_suite.bits != 256 ||
cipher_suite.hash != PSA_ALG_SHA_256) {
status = PSA_ERROR_NOT_SUPPORTED;
goto error;
}
if (role != PSA_PAKE_ROLE_CLIENT &&
role != PSA_PAKE_ROLE_SERVER) {
status = PSA_ERROR_NOT_SUPPORTED;
goto error;
}
mbedtls_ecjpake_init(&operation->ctx.pake);
operation->password_len = password_len;
operation->password = password;
operation->role = role;
operation->alg = cipher_suite.algorithm;
mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE);
operation->buffer_length = 0;
operation->buffer_offset = 0;
status = psa_pake_ecjpake_setup(operation);
if (status != PSA_SUCCESS) {
goto error;
}
return PSA_SUCCESS;
} else
#else
(void) operation;
(void) inputs;
#endif #endif
{ status = PSA_ERROR_NOT_SUPPORTED; }
error:
mbedtls_free(password);
mbedtls_psa_pake_abort(operation);
return status;
}
static psa_status_t mbedtls_psa_pake_output_internal( static psa_status_t mbedtls_psa_pake_output_internal(
mbedtls_psa_pake_operation_t *operation, mbedtls_psa_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
uint8_t *output, uint8_t *output,
size_t output_size, size_t output_size,
size_t *output_length) size_t *output_length)
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t length; size_t length;
(void) step;
if (operation->alg == PSA_ALG_NONE) { if (operation->alg == PSA_ALG_NONE) {
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
if (operation->state == PSA_PAKE_STATE_INVALID) {
return PSA_ERROR_BAD_STATE;
}
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
/* /*
* The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different * The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different
@ -324,74 +291,12 @@ static psa_status_t mbedtls_psa_pake_output_internal(
* to return the right parts on each step. * to return the right parts on each step.
*/ */
if (operation->alg == PSA_ALG_JPAKE) { if (operation->alg == PSA_ALG_JPAKE) {
if (step != PSA_PAKE_STEP_KEY_SHARE && const psa_jpake_computation_stage_t *jpake_computation_stage =
step != PSA_PAKE_STEP_ZK_PUBLIC && &computation_stage->data.jpake_computation_stage;
step != PSA_PAKE_STEP_ZK_PROOF) {
return PSA_ERROR_INVALID_ARGUMENT;
}
if (operation->state == PSA_PAKE_STATE_SETUP) {
status = psa_pake_ecjpake_setup(operation);
if (status != PSA_SUCCESS) {
return status;
}
}
if (operation->state != PSA_PAKE_STATE_READY &&
operation->state != PSA_PAKE_OUTPUT_X1_X2 &&
operation->state != PSA_PAKE_OUTPUT_X2S) {
return PSA_ERROR_BAD_STATE;
}
if (operation->state == PSA_PAKE_STATE_READY) {
if (step != PSA_PAKE_STEP_KEY_SHARE) {
return PSA_ERROR_BAD_STATE;
}
switch (operation->output_step) {
case PSA_PAKE_STEP_X1_X2:
operation->state = PSA_PAKE_OUTPUT_X1_X2;
break;
case PSA_PAKE_STEP_X2S:
operation->state = PSA_PAKE_OUTPUT_X2S;
break;
default:
return PSA_ERROR_BAD_STATE;
}
operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE;
}
/* Check if step matches current sequence */
switch (operation->sequence) {
case PSA_PAKE_X1_STEP_KEY_SHARE:
case PSA_PAKE_X2_STEP_KEY_SHARE:
if (step != PSA_PAKE_STEP_KEY_SHARE) {
return PSA_ERROR_BAD_STATE;
}
break;
case PSA_PAKE_X1_STEP_ZK_PUBLIC:
case PSA_PAKE_X2_STEP_ZK_PUBLIC:
if (step != PSA_PAKE_STEP_ZK_PUBLIC) {
return PSA_ERROR_BAD_STATE;
}
break;
case PSA_PAKE_X1_STEP_ZK_PROOF:
case PSA_PAKE_X2_STEP_ZK_PROOF:
if (step != PSA_PAKE_STEP_ZK_PROOF) {
return PSA_ERROR_BAD_STATE;
}
break;
default:
return PSA_ERROR_BAD_STATE;
}
/* Initialize & write round on KEY_SHARE sequences */ /* Initialize & write round on KEY_SHARE sequences */
if (operation->state == PSA_PAKE_OUTPUT_X1_X2 && if (jpake_computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 &&
operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) { jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) {
ret = mbedtls_ecjpake_write_round_one(&operation->ctx.pake, ret = mbedtls_ecjpake_write_round_one(&operation->ctx.pake,
operation->buffer, operation->buffer,
MBEDTLS_PSA_PAKE_BUFFER_SIZE, MBEDTLS_PSA_PAKE_BUFFER_SIZE,
@ -403,8 +308,8 @@ static psa_status_t mbedtls_psa_pake_output_internal(
} }
operation->buffer_offset = 0; operation->buffer_offset = 0;
} else if (operation->state == PSA_PAKE_OUTPUT_X2S && } else if (jpake_computation_stage->state == PSA_PAKE_OUTPUT_X2S &&
operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) { jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE) {
ret = mbedtls_ecjpake_write_round_two(&operation->ctx.pake, ret = mbedtls_ecjpake_write_round_two(&operation->ctx.pake,
operation->buffer, operation->buffer,
MBEDTLS_PSA_PAKE_BUFFER_SIZE, MBEDTLS_PSA_PAKE_BUFFER_SIZE,
@ -429,8 +334,8 @@ static psa_status_t mbedtls_psa_pake_output_internal(
* output with a length byte, even less a curve identifier, as that * output with a length byte, even less a curve identifier, as that
* information is already available. * information is already available.
*/ */
if (operation->state == PSA_PAKE_OUTPUT_X2S && if (jpake_computation_stage->state == PSA_PAKE_OUTPUT_X2S &&
operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE &&
operation->role == PSA_PAKE_ROLE_SERVER) { operation->role == PSA_PAKE_ROLE_SERVER) {
/* Skip ECParameters, with is 3 bytes (RFC 8422) */ /* Skip ECParameters, with is 3 bytes (RFC 8422) */
operation->buffer_offset += 3; operation->buffer_offset += 3;
@ -456,25 +361,20 @@ static psa_status_t mbedtls_psa_pake_output_internal(
operation->buffer_offset += length; operation->buffer_offset += length;
/* Reset buffer after ZK_PROOF sequence */ /* Reset buffer after ZK_PROOF sequence */
if ((operation->state == PSA_PAKE_OUTPUT_X1_X2 && if ((jpake_computation_stage->state == PSA_PAKE_OUTPUT_X1_X2 &&
operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) || jpake_computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) ||
(operation->state == PSA_PAKE_OUTPUT_X2S && (jpake_computation_stage->state == PSA_PAKE_OUTPUT_X2S &&
operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) { jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) {
mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE); mbedtls_platform_zeroize(operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE);
operation->buffer_length = 0; operation->buffer_length = 0;
operation->buffer_offset = 0; operation->buffer_offset = 0;
operation->state = PSA_PAKE_STATE_READY;
operation->output_step++;
operation->sequence = PSA_PAKE_SEQ_INVALID;
} else {
operation->sequence++;
} }
return PSA_SUCCESS; return PSA_SUCCESS;
} else } else
#else #else
(void) step; (void) step;
(void) computation_stage;
(void) output; (void) output;
(void) output_size; (void) output_size;
(void) output_length; (void) output_length;
@ -484,12 +384,13 @@ static psa_status_t mbedtls_psa_pake_output_internal(
psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
uint8_t *output, uint8_t *output,
size_t output_size, size_t output_size,
size_t *output_length) size_t *output_length)
{ {
psa_status_t status = mbedtls_psa_pake_output_internal( psa_status_t status = mbedtls_psa_pake_output_internal(
operation, step, output, output_size, output_length); operation, step, computation_stage, output, output_size, output_length);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
mbedtls_psa_pake_abort(operation); mbedtls_psa_pake_abort(operation);
@ -501,20 +402,16 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
static psa_status_t mbedtls_psa_pake_input_internal( static psa_status_t mbedtls_psa_pake_input_internal(
mbedtls_psa_pake_operation_t *operation, mbedtls_psa_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
const uint8_t *input, const uint8_t *input,
size_t input_length) size_t input_length)
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; (void) step;
if (operation->alg == PSA_ALG_NONE) { if (operation->alg == PSA_ALG_NONE) {
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
if (operation->state == PSA_PAKE_STATE_INVALID) {
return PSA_ERROR_BAD_STATE;
}
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
/* /*
* The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different * The PSA CRYPTO PAKE and MbedTLS JPAKE API have a different
@ -532,77 +429,8 @@ static psa_status_t mbedtls_psa_pake_input_internal(
* This causes any input error to be only detected on the last step. * This causes any input error to be only detected on the last step.
*/ */
if (operation->alg == PSA_ALG_JPAKE) { if (operation->alg == PSA_ALG_JPAKE) {
if (step != PSA_PAKE_STEP_KEY_SHARE && const psa_jpake_computation_stage_t *jpake_computation_stage =
step != PSA_PAKE_STEP_ZK_PUBLIC && &computation_stage->data.jpake_computation_stage;
step != PSA_PAKE_STEP_ZK_PROOF) {
return PSA_ERROR_INVALID_ARGUMENT;
}
const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE(
PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256);
if (input_length > (size_t) PSA_PAKE_INPUT_SIZE(PSA_ALG_JPAKE, prim, step)) {
return PSA_ERROR_INVALID_ARGUMENT;
}
if (operation->state == PSA_PAKE_STATE_SETUP) {
status = psa_pake_ecjpake_setup(operation);
if (status != PSA_SUCCESS) {
return status;
}
}
if (operation->state != PSA_PAKE_STATE_READY &&
operation->state != PSA_PAKE_INPUT_X1_X2 &&
operation->state != PSA_PAKE_INPUT_X4S) {
return PSA_ERROR_BAD_STATE;
}
if (operation->state == PSA_PAKE_STATE_READY) {
if (step != PSA_PAKE_STEP_KEY_SHARE) {
return PSA_ERROR_BAD_STATE;
}
switch (operation->input_step) {
case PSA_PAKE_STEP_X1_X2:
operation->state = PSA_PAKE_INPUT_X1_X2;
break;
case PSA_PAKE_STEP_X2S:
operation->state = PSA_PAKE_INPUT_X4S;
break;
default:
return PSA_ERROR_BAD_STATE;
}
operation->sequence = PSA_PAKE_X1_STEP_KEY_SHARE;
}
/* Check if step matches current sequence */
switch (operation->sequence) {
case PSA_PAKE_X1_STEP_KEY_SHARE:
case PSA_PAKE_X2_STEP_KEY_SHARE:
if (step != PSA_PAKE_STEP_KEY_SHARE) {
return PSA_ERROR_BAD_STATE;
}
break;
case PSA_PAKE_X1_STEP_ZK_PUBLIC:
case PSA_PAKE_X2_STEP_ZK_PUBLIC:
if (step != PSA_PAKE_STEP_ZK_PUBLIC) {
return PSA_ERROR_BAD_STATE;
}
break;
case PSA_PAKE_X1_STEP_ZK_PROOF:
case PSA_PAKE_X2_STEP_ZK_PROOF:
if (step != PSA_PAKE_STEP_ZK_PROOF) {
return PSA_ERROR_BAD_STATE;
}
break;
default:
return PSA_ERROR_BAD_STATE;
}
/* /*
* Copy input to local buffer and format it as the Mbed TLS API * Copy input to local buffer and format it as the Mbed TLS API
* expects, i.e. as defined by draft-cragie-tls-ecjpake-01 section 7. * expects, i.e. as defined by draft-cragie-tls-ecjpake-01 section 7.
@ -612,8 +440,8 @@ static psa_status_t mbedtls_psa_pake_input_internal(
* ECParameters structure - which means we have to prepend that when * ECParameters structure - which means we have to prepend that when
* we're a client. * we're a client.
*/ */
if (operation->state == PSA_PAKE_INPUT_X4S && if (jpake_computation_stage->state == PSA_PAKE_INPUT_X4S &&
operation->sequence == PSA_PAKE_X1_STEP_KEY_SHARE && jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_KEY_SHARE &&
operation->role == PSA_PAKE_ROLE_CLIENT) { operation->role == PSA_PAKE_ROLE_CLIENT) {
/* We only support secp256r1. */ /* We only support secp256r1. */
/* This is the ECParameters structure defined by RFC 8422. */ /* This is the ECParameters structure defined by RFC 8422. */
@ -636,8 +464,8 @@ static psa_status_t mbedtls_psa_pake_input_internal(
operation->buffer_length += input_length; operation->buffer_length += input_length;
/* Load buffer at each last round ZK_PROOF */ /* Load buffer at each last round ZK_PROOF */
if (operation->state == PSA_PAKE_INPUT_X1_X2 && if (jpake_computation_stage->state == PSA_PAKE_INPUT_X1_X2 &&
operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) { jpake_computation_stage->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) {
ret = mbedtls_ecjpake_read_round_one(&operation->ctx.pake, ret = mbedtls_ecjpake_read_round_one(&operation->ctx.pake,
operation->buffer, operation->buffer,
operation->buffer_length); operation->buffer_length);
@ -648,8 +476,8 @@ static psa_status_t mbedtls_psa_pake_input_internal(
if (ret != 0) { if (ret != 0) {
return mbedtls_ecjpake_to_psa_error(ret); return mbedtls_ecjpake_to_psa_error(ret);
} }
} else if (operation->state == PSA_PAKE_INPUT_X4S && } else if (jpake_computation_stage->state == PSA_PAKE_INPUT_X4S &&
operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF) { jpake_computation_stage->sequence == PSA_PAKE_X1_STEP_ZK_PROOF) {
ret = mbedtls_ecjpake_read_round_two(&operation->ctx.pake, ret = mbedtls_ecjpake_read_round_two(&operation->ctx.pake,
operation->buffer, operation->buffer,
operation->buffer_length); operation->buffer_length);
@ -662,21 +490,11 @@ static psa_status_t mbedtls_psa_pake_input_internal(
} }
} }
if ((operation->state == PSA_PAKE_INPUT_X1_X2 &&
operation->sequence == PSA_PAKE_X2_STEP_ZK_PROOF) ||
(operation->state == PSA_PAKE_INPUT_X4S &&
operation->sequence == PSA_PAKE_X1_STEP_ZK_PROOF)) {
operation->state = PSA_PAKE_STATE_READY;
operation->input_step++;
operation->sequence = PSA_PAKE_SEQ_INVALID;
} else {
operation->sequence++;
}
return PSA_SUCCESS; return PSA_SUCCESS;
} else } else
#else #else
(void) step; (void) step;
(void) computation_stage;
(void) input; (void) input;
(void) input_length; (void) input_length;
#endif #endif
@ -685,11 +503,12 @@ static psa_status_t mbedtls_psa_pake_input_internal(
psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
const uint8_t *input, const uint8_t *input,
size_t input_length) size_t input_length)
{ {
psa_status_t status = mbedtls_psa_pake_input_internal( psa_status_t status = mbedtls_psa_pake_input_internal(
operation, step, input, input_length); operation, step, computation_stage, input, input_length);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
mbedtls_psa_pake_abort(operation); mbedtls_psa_pake_abort(operation);
@ -703,18 +522,11 @@ psa_status_t mbedtls_psa_pake_get_implicit_key(
uint8_t *output, size_t *output_size) uint8_t *output, size_t *output_size)
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
if (operation->alg == PSA_ALG_NONE) { if (operation->alg == PSA_ALG_NONE) {
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
if (operation->input_step != PSA_PAKE_STEP_DERIVE ||
operation->output_step != PSA_PAKE_STEP_DERIVE) {
status = PSA_ERROR_BAD_STATE;
goto error;
}
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
if (operation->alg == PSA_ALG_JPAKE) { if (operation->alg == PSA_ALG_JPAKE) {
ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.pake, ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.pake,
@ -740,12 +552,7 @@ psa_status_t mbedtls_psa_pake_get_implicit_key(
#else #else
(void) output; (void) output;
#endif #endif
{ status = PSA_ERROR_NOT_SUPPORTED; } { return PSA_ERROR_NOT_SUPPORTED; }
error:
mbedtls_psa_pake_abort(operation);
return status;
} }
psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation) psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation)
@ -757,8 +564,6 @@ psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
if (operation->alg == PSA_ALG_JPAKE) { if (operation->alg == PSA_ALG_JPAKE) {
operation->input_step = PSA_PAKE_STEP_INVALID;
operation->output_step = PSA_PAKE_STEP_INVALID;
if (operation->password_len > 0) { if (operation->password_len > 0) {
mbedtls_platform_zeroize(operation->password, operation->password_len); mbedtls_platform_zeroize(operation->password, operation->password_len);
} }
@ -774,8 +579,6 @@ psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation)
#endif #endif
operation->alg = PSA_ALG_NONE; operation->alg = PSA_ALG_NONE;
operation->state = PSA_PAKE_STATE_INVALID;
operation->sequence = PSA_PAKE_SEQ_INVALID;
return PSA_SUCCESS; return PSA_SUCCESS;
} }

4
library/psa_crypto_pake.h
View file

@ -58,6 +58,7 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
* \param[in,out] operation Active PAKE operation. * \param[in,out] operation Active PAKE operation.
* \param step The step of the algorithm for which the output is * \param step The step of the algorithm for which the output is
* requested. * requested.
* \param computation_stage The structure that holds PAKE computation stage.
* \param[out] output Buffer where the output is to be written in the * \param[out] output Buffer where the output is to be written in the
* format appropriate for this \p step. Refer to * format appropriate for this \p step. Refer to
* the documentation of the individual * the documentation of the individual
@ -97,6 +98,7 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
*/ */
psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation, psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
uint8_t *output, uint8_t *output,
size_t output_size, size_t output_size,
size_t *output_length); size_t *output_length);
@ -110,6 +112,7 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
* *
* \param[in,out] operation Active PAKE operation. * \param[in,out] operation Active PAKE operation.
* \param step The step for which the input is provided. * \param step The step for which the input is provided.
* \param computation_stage The structure that holds PAKE computation stage.
* \param[in] input Buffer containing the input in the format * \param[in] input Buffer containing the input in the format
* appropriate for this \p step. Refer to the * appropriate for this \p step. Refer to the
* documentation of the individual * documentation of the individual
@ -144,6 +147,7 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
*/ */
psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation, psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
const uint8_t *input, const uint8_t *input,
size_t input_length); size_t input_length);

20
scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
View file

@ -2866,6 +2866,7 @@ psa_status_t psa_driver_wrapper_pake_setup(
psa_status_t psa_driver_wrapper_pake_output( psa_status_t psa_driver_wrapper_pake_output(
psa_pake_operation_t *operation, psa_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
uint8_t *output, uint8_t *output,
size_t output_size, size_t output_size,
size_t *output_length ) size_t *output_length )
@ -2874,7 +2875,8 @@ psa_status_t psa_driver_wrapper_pake_output(
{ {
#if defined(MBEDTLS_PSA_BUILTIN_PAKE) #if defined(MBEDTLS_PSA_BUILTIN_PAKE)
case PSA_CRYPTO_MBED_TLS_DRIVER_ID: case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
return( mbedtls_psa_pake_output( &operation->data.ctx.mbedtls_ctx, step, output, return( mbedtls_psa_pake_output( &operation->data.ctx.mbedtls_ctx, step,
computation_stage, output,
output_size, output_length ) ); output_size, output_length ) );
#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ #endif /* MBEDTLS_PSA_BUILTIN_PAKE */
@ -2883,15 +2885,16 @@ psa_status_t psa_driver_wrapper_pake_output(
case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
return( mbedtls_test_transparent_pake_output( return( mbedtls_test_transparent_pake_output(
&operation->data.ctx.transparent_test_driver_ctx, &operation->data.ctx.transparent_test_driver_ctx,
step, output, output_size, output_length ) ); step, computation_stage, output, output_size, output_length ) );
case MBEDTLS_TEST_OPAQUE_DRIVER_ID: case MBEDTLS_TEST_OPAQUE_DRIVER_ID:
return( mbedtls_test_opaque_pake_output( return( mbedtls_test_opaque_pake_output(
&operation->data.ctx.opaque_test_driver_ctx, &operation->data.ctx.opaque_test_driver_ctx,
step, output, output_size, output_length ) ); step, computation_stage, output, output_size, output_length ) );
#endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_DRIVER_TEST */
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
default: default:
(void) step; (void) step;
(void) computation_stage;
(void) output; (void) output;
(void) output_size; (void) output_size;
(void) output_length; (void) output_length;
@ -2902,6 +2905,7 @@ psa_status_t psa_driver_wrapper_pake_output(
psa_status_t psa_driver_wrapper_pake_input( psa_status_t psa_driver_wrapper_pake_input(
psa_pake_operation_t *operation, psa_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
const uint8_t *input, const uint8_t *input,
size_t input_length ) size_t input_length )
{ {
@ -2910,7 +2914,8 @@ psa_status_t psa_driver_wrapper_pake_input(
#if defined(MBEDTLS_PSA_BUILTIN_PAKE) #if defined(MBEDTLS_PSA_BUILTIN_PAKE)
case PSA_CRYPTO_MBED_TLS_DRIVER_ID: case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
return( mbedtls_psa_pake_input( &operation->data.ctx.mbedtls_ctx, return( mbedtls_psa_pake_input( &operation->data.ctx.mbedtls_ctx,
step, input, input_length ) ); step, computation_stage, input,
input_length ) );
#endif /* MBEDTLS_PSA_BUILTIN_PAKE */ #endif /* MBEDTLS_PSA_BUILTIN_PAKE */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
@ -2918,15 +2923,18 @@ psa_status_t psa_driver_wrapper_pake_input(
case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID: case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
return( mbedtls_test_transparent_pake_input( return( mbedtls_test_transparent_pake_input(
&operation->data.ctx.transparent_test_driver_ctx, &operation->data.ctx.transparent_test_driver_ctx,
step, input, input_length ) ); step, computation_stage,
input, input_length ) );
case MBEDTLS_TEST_OPAQUE_DRIVER_ID: case MBEDTLS_TEST_OPAQUE_DRIVER_ID:
return( mbedtls_test_opaque_pake_input( return( mbedtls_test_opaque_pake_input(
&operation->data.ctx.opaque_test_driver_ctx, &operation->data.ctx.opaque_test_driver_ctx,
step, input, input_length ) ); step, computation_stage,
input, input_length ) );
#endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_DRIVER_TEST */
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
default: default:
(void) step; (void) step;
(void) computation_stage;
(void) input; (void) input;
(void) input_length; (void) input_length;
return( PSA_ERROR_INVALID_ARGUMENT ); return( PSA_ERROR_INVALID_ARGUMENT );

4
tests/include/test/drivers/pake.h
View file

@ -58,6 +58,7 @@ psa_status_t mbedtls_test_transparent_pake_setup(
psa_status_t mbedtls_test_transparent_pake_output( psa_status_t mbedtls_test_transparent_pake_output(
mbedtls_transparent_test_driver_pake_operation_t *operation, mbedtls_transparent_test_driver_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
uint8_t *output, uint8_t *output,
size_t output_size, size_t output_size,
size_t *output_length); size_t *output_length);
@ -65,6 +66,7 @@ psa_status_t mbedtls_test_transparent_pake_output(
psa_status_t mbedtls_test_transparent_pake_input( psa_status_t mbedtls_test_transparent_pake_input(
mbedtls_transparent_test_driver_pake_operation_t *operation, mbedtls_transparent_test_driver_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
const uint8_t *input, const uint8_t *input,
size_t input_length); size_t input_length);
@ -102,6 +104,7 @@ psa_status_t mbedtls_test_opaque_pake_set_role(
psa_status_t mbedtls_test_opaque_pake_output( psa_status_t mbedtls_test_opaque_pake_output(
mbedtls_opaque_test_driver_pake_operation_t *operation, mbedtls_opaque_test_driver_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
uint8_t *output, uint8_t *output,
size_t output_size, size_t output_size,
size_t *output_length); size_t *output_length);
@ -109,6 +112,7 @@ psa_status_t mbedtls_test_opaque_pake_output(
psa_status_t mbedtls_test_opaque_pake_input( psa_status_t mbedtls_test_opaque_pake_input(
mbedtls_opaque_test_driver_pake_operation_t *operation, mbedtls_opaque_test_driver_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
const uint8_t *input, const uint8_t *input,
size_t input_length); size_t input_length);

25
tests/src/drivers/test_driver_pake.c
View file

@ -65,6 +65,7 @@ psa_status_t mbedtls_test_transparent_pake_setup(
psa_status_t mbedtls_test_transparent_pake_output( psa_status_t mbedtls_test_transparent_pake_output(
mbedtls_transparent_test_driver_pake_operation_t *operation, mbedtls_transparent_test_driver_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
uint8_t *output, uint8_t *output,
size_t output_size, size_t output_size,
size_t *output_length) size_t *output_length)
@ -92,14 +93,20 @@ psa_status_t mbedtls_test_transparent_pake_output(
defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE)
mbedtls_test_driver_pake_hooks.driver_status = mbedtls_test_driver_pake_hooks.driver_status =
libtestdriver1_mbedtls_psa_pake_output( libtestdriver1_mbedtls_psa_pake_output(
operation, step, output, output_size, output_length); operation,
step,
(libtestdriver1_psa_pake_computation_stage_t *) computation_stage,
output,
output_size,
output_length);
#elif defined(MBEDTLS_PSA_BUILTIN_PAKE) #elif defined(MBEDTLS_PSA_BUILTIN_PAKE)
mbedtls_test_driver_pake_hooks.driver_status = mbedtls_test_driver_pake_hooks.driver_status =
mbedtls_psa_pake_output( mbedtls_psa_pake_output(
operation, step, output, output_size, output_length); operation, step, computation_stage, output, output_size, output_length);
#else #else
(void) operation; (void) operation;
(void) step; (void) step;
(void) computation_stage;
(void) output; (void) output;
(void) output_size; (void) output_size;
(void) output_length; (void) output_length;
@ -113,6 +120,7 @@ psa_status_t mbedtls_test_transparent_pake_output(
psa_status_t mbedtls_test_transparent_pake_input( psa_status_t mbedtls_test_transparent_pake_input(
mbedtls_transparent_test_driver_pake_operation_t *operation, mbedtls_transparent_test_driver_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
const uint8_t *input, const uint8_t *input,
size_t input_length) size_t input_length)
{ {
@ -126,14 +134,19 @@ psa_status_t mbedtls_test_transparent_pake_input(
defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE) defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE)
mbedtls_test_driver_pake_hooks.driver_status = mbedtls_test_driver_pake_hooks.driver_status =
libtestdriver1_mbedtls_psa_pake_input( libtestdriver1_mbedtls_psa_pake_input(
operation, step, input, input_length); operation,
step,
(libtestdriver1_psa_pake_computation_stage_t *) computation_stage,
input,
input_length);
#elif defined(MBEDTLS_PSA_BUILTIN_PAKE) #elif defined(MBEDTLS_PSA_BUILTIN_PAKE)
mbedtls_test_driver_pake_hooks.driver_status = mbedtls_test_driver_pake_hooks.driver_status =
mbedtls_psa_pake_input( mbedtls_psa_pake_input(
operation, step, input, input_length); operation, step, computation_stage, input, input_length);
#else #else
(void) operation; (void) operation;
(void) step; (void) step;
(void) computation_stage;
(void) input; (void) input;
(void) input_length; (void) input_length;
mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; mbedtls_test_driver_pake_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED;
@ -258,12 +271,14 @@ psa_status_t mbedtls_test_opaque_pake_set_role(
psa_status_t mbedtls_test_opaque_pake_output( psa_status_t mbedtls_test_opaque_pake_output(
mbedtls_opaque_test_driver_pake_operation_t *operation, mbedtls_opaque_test_driver_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
uint8_t *output, uint8_t *output,
size_t output_size, size_t output_size,
size_t *output_length) size_t *output_length)
{ {
(void) operation; (void) operation;
(void) step; (void) step;
(void) computation_stage;
(void) output; (void) output;
(void) output_size; (void) output_size;
(void) output_length; (void) output_length;
@ -274,11 +289,13 @@ psa_status_t mbedtls_test_opaque_pake_output(
psa_status_t mbedtls_test_opaque_pake_input( psa_status_t mbedtls_test_opaque_pake_input(
mbedtls_opaque_test_driver_pake_operation_t *operation, mbedtls_opaque_test_driver_pake_operation_t *operation,
psa_pake_step_t step, psa_pake_step_t step,
const psa_pake_computation_stage_t *computation_stage,
const uint8_t *input, const uint8_t *input,
size_t input_length) size_t input_length)
{ {
(void) operation; (void) operation;
(void) step; (void) step;
(void) computation_stage;
(void) input; (void) input;
(void) input_length; (void) input_length;
return PSA_ERROR_NOT_SUPPORTED; return PSA_ERROR_NOT_SUPPORTED;

8
tests/suites/test_suite_psa_crypto_pake.data
View file

@ -70,10 +70,6 @@ PSA PAKE: input buffer too large
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_INVALID_ARGUMENT ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_INVALID_ARGUMENT
PSA PAKE: valid input operation after a failure
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_VALID_OPERATION_AFTER_FAILURE:PSA_ERROR_BAD_STATE
PSA PAKE: invalid output PSA PAKE: invalid output
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT
@ -90,10 +86,6 @@ PSA PAKE: output buffer too small
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_BUFFER_TOO_SMALL ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_BUFFER_TOO_SMALL
PSA PAKE: valid output operation after a failure
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_VALID_OPERATION_AFTER_FAILURE:PSA_ERROR_BAD_STATE
PSA PAKE: check rounds w/o forced errors PSA PAKE: check rounds w/o forced errors
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0:ERR_NONE ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0:ERR_NONE