From 1608e33606489794b0fd361f71e40adcf5d8b3cf Mon Sep 17 00:00:00 2001
From: Przemyslaw Stekiel
Date: Tue, 9 Nov 2021 10:46:40 +0100
Subject: [PATCH 01/34] PSA: implement key derivation for ECC keys
Signed-off-by: Przemyslaw Stekiel
---
library/psa_crypto.c | 110 ++++++++++++++++++++++++++++++++++++++-----
1 file changed, 98 insertions(+), 12 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 642fc137a..9731932f3 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -4834,21 +4834,107 @@ static psa_status_t psa_generate_derived_key_internal( size_t storage_size = bytes; psa_status_t status; - if( ! key_type_is_raw_bytes( slot->attr.type ) ) - return( PSA_ERROR_INVALID_ARGUMENT ); - if( bits % 8 != 0 ) - return( PSA_ERROR_INVALID_ARGUMENT ); - data = mbedtls_calloc( 1, bytes ); - if( data == NULL ) - return( PSA_ERROR_INSUFFICIENT_MEMORY ); + /* + * ECC key types require the generation of a private key which is an integer + * in the range [1, N - 1], where N is the boundary of the private key domain: + * N is the prime p for Diffie-Hellman, or the order of the + * curve’s base point for ECC. + * + * Let m be the bit size of N, such that 2^m > N >= 2^(m-1). + * This function generates the private key using the following process: + * + * 1. Draw a byte string of length ceiling(m/8) bytes. + * 2. If m is not a multiple of 8, set the most significant + * (8 * ceiling(m/8) - m) bits of the first byte in the string to zero. + * 3. Convert the string to integer k by decoding it as a big-endian byte string. + * 4. If k > N - 2, discard the result and return to step 1. + * 5. Output k + 1 as the private key. 
+ * + * This method allows compliance to NIST standards + */ + if ( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) + { + int cmp_result; + do { + int ret; + psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( + slot->attr.type ); + mbedtls_ecp_group_id grp_id = + mbedtls_ecc_group_of_psa( curve, bits, 0 ); - status = psa_key_derivation_output_bytes( operation, data, bytes ); - if( status != PSA_SUCCESS ) - goto exit; + mbedtls_ecp_keypair ecp; + mbedtls_ecp_keypair_init( &ecp ); + + if( ( ret = mbedtls_ecp_group_load( &ecp.grp, grp_id ) ) != 0 ) + return( ret ); + + /* N is the boundary of the private key domain */ + mbedtls_mpi N = ecp.grp.N; + /* Let m be the bit size of N */ + size_t m = ecp.grp.nbits; + + size_t m_bytes = PSA_BITS_TO_BYTES( m ); + + /* Alloc buffer once */ + if ( data == NULL ) + data = mbedtls_calloc( 1, m_bytes ); + if( data == NULL ) + return( PSA_ERROR_INSUFFICIENT_MEMORY ); + + /* 1. Draw a byte string of length ceiling(m/8) bytes. */ + status = psa_key_derivation_output_bytes( operation, data, m_bytes ); + if( status != PSA_SUCCESS ) + goto exit; + + /* 2. If m is not a multiple of 8 */ + if (m % 8) + { + /* set the most significant + * (8 * ceiling(m/8) - m) bits of the first byte in + * the string to zero. + */ + uint8_t clear_bit_count = ( 8 * m_bytes - m ); + uint8_t clear_bit_mask = ( ( 1 << clear_bit_count ) - 1 ); + clear_bit_mask = ~( clear_bit_mask << ( 8 - clear_bit_count ) ); + data[0] = ( data[0] & clear_bit_mask ); + } + + /* 3. Convert the string to integer k by decoding it as a + * big-endian byte string. + */ + mbedtls_mpi k; + mbedtls_mpi_init( &k ); + mbedtls_mpi_read_binary( &k, data, m_bytes); + + /* 4. If k > N - 2, discard the result and return to step 1. */ + mbedtls_mpi diff_N_2; + mbedtls_mpi_init( &diff_N_2 ); + mbedtls_mpi_sub_int( &diff_N_2, &N, 2); + cmp_result = mbedtls_mpi_cmp_mpi( &k, &diff_N_2 ); + + /* 5. Output k + 1 as the private key. 
*/ + mbedtls_mpi sum_k_1; + mbedtls_mpi_init( &sum_k_1 ); + mbedtls_mpi_add_int( &sum_k_1, &k, 1); + mbedtls_mpi_write_binary( &sum_k_1, data, m_bytes); + } while ( cmp_result == 1 ); + } else { + if( ! key_type_is_raw_bytes( slot->attr.type ) ) + return( PSA_ERROR_INVALID_ARGUMENT ); + if( bits % 8 != 0 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + data = mbedtls_calloc( 1, bytes ); + if( data == NULL ) + return( PSA_ERROR_INSUFFICIENT_MEMORY ); + + status = psa_key_derivation_output_bytes( operation, data, bytes ); + if( status != PSA_SUCCESS ) + goto exit; #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) - if( slot->attr.type == PSA_KEY_TYPE_DES ) - psa_des_set_key_parity( data, bytes ); + if( slot->attr.type == PSA_KEY_TYPE_DES ) + psa_des_set_key_parity( data, bytes ); #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */ + } slot->attr.bits = (psa_key_bits_t) bits; psa_key_attributes_t attributes = { From d8cdcba970e9c2d813660dcfd9ad36ad3aecf39f Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Mon, 15 Nov 2021 12:38:53 +0100 Subject: [PATCH 02/34] Move derivation of ECC private key to helper function and refactor code Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 207 ++++++++++++++++++++++++++----------------- 1 file changed, 125 insertions(+), 82 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 9731932f3..07c0bbd8e 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
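Review bot: The MPIs `k`, `diff_N_2` and `sum_k_1` and the keypair `ecp` are initialised inside the `do` loop and never freed, so every pass, and every early `return` or `goto exit`, leaks heap that holds the candidate private key without wiping it. Release them at the end of each pass and on the error paths, e.g. `mbedtls_mpi_free( &k ); mbedtls_mpi_free( &sum_k_1 ); mbedtls_ecp_keypair_free( &ecp );`. The return values of `mbedtls_mpi_read_binary`, `mbedtls_mpi_sub_int`, `mbedtls_mpi_add_int` and `mbedtls_mpi_write_binary` are ignored, and `return( ret )` hands a raw `mbedtls_ecp_group_load` error back through a `psa_status_t`. `mbedtls_mpi_cmp_mpi` on the secret `k` is presumably not constant-time; confirm whether that matters for this rejection test. The enclosing function starts and ends outside the hunk.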
@@ -4824,100 +4824,143 @@ static void psa_des_set_key_parity( uint8_t *data, size_t data_size ) } #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */ +/* +* ECC key types require the generation of a private key which is an integer +* in the range [1, N - 1], where N is the boundary of the private key domain: +* N is the prime p for Diffie-Hellman, or the order of the +* curve’s base point for ECC. +* +* Let m be the bit size of N, such that 2^m > N >= 2^(m-1). +* This function generates the private key using the following process: +* +* 1. Draw a byte string of length ceiling(m/8) bytes. +* 2. If m is not a multiple of 8, set the most significant +* (8 * ceiling(m/8) - m) bits of the first byte in the string to zero. +* 3. Convert the string to integer k by decoding it as a big-endian byte string. +* 4. If k > N - 2, discard the result and return to step 1. +* 5. Output k + 1 as the private key. +* +* This method allows compliance to NIST standards, specifically the methods titled +* Key-Pair Generation by Testing Candidates in the following publications: +* - NIST Special Publication 800-56A: Recommendation for Pair-Wise Key-Establishment +* Schemes Using Discrete Logarithm Cryptography [SP800-56A] §5.6.1.1.4 for +* Diffie-Hellman keys. +* +* - [SP800-56A] §5.6.1.2.2 or FIPS Publication 186-4: Digital Signature +* Standard (DSS) [FIPS186-4] §B.4.2 for elliptic curve keys. 
+*/ +static psa_status_t psa_generate_derived_ecc_key_helper( + psa_key_slot_t *slot, + size_t bits, + psa_key_derivation_operation_t *operation, + uint8_t **data, + unsigned *error) +{ + mbedtls_mpi N; + mbedtls_mpi k; + mbedtls_mpi diff_N_2; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + psa_status_t status; + + mbedtls_mpi_init( &k ); + mbedtls_mpi_init( &N ); + mbedtls_mpi_init( &diff_N_2 ); + + psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( + slot->attr.type ); + mbedtls_ecp_group_id grp_id = + mbedtls_ecc_group_of_psa( curve, bits, 0 ); + + mbedtls_ecp_group ecp_group; + + if( ( status = mbedtls_ecp_group_load( &ecp_group, grp_id ) ) != 0 ) + { + ret = status; + goto cleanup; + } + + /* N is the boundary of the private key domain. */ + N = ecp_group.N; + /* Let m be the bit size of N. */ + size_t m = ecp_group.nbits; + + size_t m_bytes = PSA_BITS_TO_BYTES( m ); + if (*data != NULL) + *data = mbedtls_calloc( 1, m_bytes ); + if( *data == NULL ) + { + ret = PSA_ERROR_INSUFFICIENT_MEMORY; + goto cleanup; + } + /* 1. Draw a byte string of length ceiling(m/8) bytes. */ + if ( ( status = psa_key_derivation_output_bytes( operation, *data, m_bytes ) ) != 0 ) + { + ret = status; + goto cleanup; + } + + /* 2. If m is not a multiple of 8 */ + if (m % 8) + { + /* Set the most significant + * (8 * ceiling(m/8) - m) bits of the first byte in + * the string to zero. + */ + uint8_t clear_bit_count = ( 8 * m_bytes - m ); + uint8_t clear_bit_mask = ( ( 1 << clear_bit_count ) - 1 ); + clear_bit_mask = ~( clear_bit_mask << ( 8 - clear_bit_count ) ); + *data[0] = ( *data[0] & clear_bit_mask ); + } + + /* 3. Convert the string to integer k by decoding it as a + * big-endian byte string. + */ + MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary( &k, *data, m_bytes)); + + /* 4. If k > N - 2, discard the result and return to step 1. + * Result of comparison is returned. When it indicates error + * then this fuction is called again. 
+ */ + MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &diff_N_2, &N, 2) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &k, diff_N_2.n ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( &diff_N_2, &k, error ) ); + + /* 5. Output k + 1 as the private key. */ + MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &k, &k, 1)); + MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &k, *data, m_bytes) ); + + ret = 0; +cleanup: + if (ret) { + mbedtls_free( *data ); + *data = NULL; + } + mbedtls_mpi_free( &k ); + mbedtls_mpi_free( &N ); + mbedtls_mpi_free( &diff_N_2 ); + return( ret ); +} + static psa_status_t psa_generate_derived_key_internal( psa_key_slot_t *slot, size_t bits, psa_key_derivation_operation_t *operation ) { uint8_t *data = NULL; + unsigned key_err = 0; size_t bytes = PSA_BITS_TO_BYTES( bits ); size_t storage_size = bytes; psa_status_t status; - /* - * ECC key types require the generation of a private key which is an integer - * in the range [1, N - 1], where N is the boundary of the private key domain: - * N is the prime p for Diffie-Hellman, or the order of the - * curve’s base point for ECC. - * - * Let m be the bit size of N, such that 2^m > N >= 2^(m-1). - * This function generates the private key using the following process: - * - * 1. Draw a byte string of length ceiling(m/8) bytes. - * 2. If m is not a multiple of 8, set the most significant - * (8 * ceiling(m/8) - m) bits of the first byte in the string to zero. - * 3. Convert the string to integer k by decoding it as a big-endian byte string. - * 4. If k > N - 2, discard the result and return to step 1. - * 5. Output k + 1 as the private key. 
- * - * This method allows compliance to NIST standards - */ if ( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { - int cmp_result; - do { - int ret; - psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( - slot->attr.type ); - mbedtls_ecp_group_id grp_id = - mbedtls_ecc_group_of_psa( curve, bits, 0 ); - - mbedtls_ecp_keypair ecp; - mbedtls_ecp_keypair_init( &ecp ); - - if( ( ret = mbedtls_ecp_group_load( &ecp.grp, grp_id ) ) != 0 ) - return( ret ); - - /* N is the boundary of the private key domain */ - mbedtls_mpi N = ecp.grp.N; - /* Let m be the bit size of N */ - size_t m = ecp.grp.nbits; - - size_t m_bytes = PSA_BITS_TO_BYTES( m ); - - /* Alloc buffer once */ - if ( data == NULL ) - data = mbedtls_calloc( 1, m_bytes ); - if( data == NULL ) - return( PSA_ERROR_INSUFFICIENT_MEMORY ); - - /* 1. Draw a byte string of length ceiling(m/8) bytes. */ - status = psa_key_derivation_output_bytes( operation, data, m_bytes ); - if( status != PSA_SUCCESS ) - goto exit; - - /* 2. If m is not a multiple of 8 */ - if (m % 8) - { - /* set the most significant - * (8 * ceiling(m/8) - m) bits of the first byte in - * the string to zero. - */ - uint8_t clear_bit_count = ( 8 * m_bytes - m ); - uint8_t clear_bit_mask = ( ( 1 << clear_bit_count ) - 1 ); - clear_bit_mask = ~( clear_bit_mask << ( 8 - clear_bit_count ) ); - data[0] = ( data[0] & clear_bit_mask ); - } - - /* 3. Convert the string to integer k by decoding it as a - * big-endian byte string. - */ - mbedtls_mpi k; - mbedtls_mpi_init( &k ); - mbedtls_mpi_read_binary( &k, data, m_bytes); - - /* 4. If k > N - 2, discard the result and return to step 1. */ - mbedtls_mpi diff_N_2; - mbedtls_mpi_init( &diff_N_2 ); - mbedtls_mpi_sub_int( &diff_N_2, &N, 2); - cmp_result = mbedtls_mpi_cmp_mpi( &k, &diff_N_2 ); - - /* 5. Output k + 1 as the private key. 
*/ - mbedtls_mpi sum_k_1; - mbedtls_mpi_init( &sum_k_1 ); - mbedtls_mpi_add_int( &sum_k_1, &k, 1); - mbedtls_mpi_write_binary( &sum_k_1, data, m_bytes); - } while ( cmp_result == 1 ); +gen_ecc_key: + status = psa_generate_derived_ecc_key_helper(slot, bits, operation, &data, &key_err); + if( status != PSA_SUCCESS ) + goto exit; + /* Key has been created, but it doesn't meet criteria. */ + if (key_err) + goto gen_ecc_key; } else { if( ! key_type_is_raw_bytes( slot->attr.type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); From 653481632edb5061345abe1afe8ee1c816449d36 Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Thu, 18 Nov 2021 11:57:07 +0100 Subject: [PATCH 03/34] psa_generate_derived_ecc_key_helper: fix bugs found during testing Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 07c0bbd8e..bd6c84c05 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4872,6 +4872,7 @@ static psa_status_t psa_generate_derived_ecc_key_helper( mbedtls_ecc_group_of_psa( curve, bits, 0 ); mbedtls_ecp_group ecp_group; + mbedtls_ecp_group_init( &ecp_group ); if( ( status = mbedtls_ecp_group_load( &ecp_group, grp_id ) ) != 0 ) { @@ -4880,12 +4881,12 @@ static psa_status_t psa_generate_derived_ecc_key_helper( } /* N is the boundary of the private key domain. */ - N = ecp_group.N; + MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &N, &ecp_group.N ) ); /* Let m be the bit size of N. */ size_t m = ecp_group.nbits; size_t m_bytes = PSA_BITS_TO_BYTES( m ); - if (*data != NULL) + if (*data == NULL) *data = mbedtls_calloc( 1, m_bytes ); if( *data == NULL ) { From 1dfd1224dc0d0fc7bcab93cdb513ef6f5d668184 Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Thu, 18 Nov 2021 13:35:00 +0100 Subject: [PATCH 04/34] psa_generate_derived_ecc_key_helper: compile only when ECC is supported 
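Review bot: `psa_generate_derived_ecc_key_helper` returns `ret`, which mixes two error domains: `MBEDTLS_MPI_CHK` and the `mbedtls_ecp_group_load` path store library error codes in it, while the allocation failure and the `psa_key_derivation_output_bytes` path store `PSA_ERROR_*` values, and the caller treats the result as a `psa_status_t`. Keep a separate `psa_status_t status` for the PSA calls and convert only the library codes on the way out, e.g. `status = mbedtls_to_psa_error( ret );`. In the caller, the backward `goto gen_ecc_key` would read more plainly as `do { ... } while( key_err );`. `*data[0]` parses as `*(data[0])`, which only happens to address the same byte; `(*data)[0]` states the intent.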
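Review bot: `mbedtls_ecp_group_init( &ecp_group )` is added in the first hunk of this fix, but no matching `mbedtls_ecp_group_free( &ecp_group )` is visible in the `cleanup:` block introduced by the previous patch, so the loaded group appears to be leaked on every call, including each redraw. Add `mbedtls_ecp_group_free( &ecp_group );` next to the `mbedtls_mpi_free` calls, and move the `init` up beside the other `mbedtls_mpi_init` calls so that every path into `cleanup:` sees an initialised group. The helper's body continues outside these hunks.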
Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index bd6c84c05..a101e69de 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4849,6 +4849,10 @@ static void psa_des_set_key_parity( uint8_t *data, size_t data_size ) * - [SP800-56A] §5.6.1.2.2 or FIPS Publication 186-4: Digital Signature * Standard (DSS) [FIPS186-4] §B.4.2 for elliptic curve keys. */ +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) static psa_status_t psa_generate_derived_ecc_key_helper( psa_key_slot_t *slot, size_t bits, @@ -4865,7 +4869,7 @@ static psa_status_t psa_generate_derived_ecc_key_helper( mbedtls_mpi_init( &k ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &diff_N_2 ); - + psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ); mbedtls_ecp_group_id grp_id = @@ -4941,6 +4945,7 @@ cleanup: mbedtls_mpi_free( &diff_N_2 ); return( ret ); } +#endif static psa_status_t psa_generate_derived_key_internal( psa_key_slot_t *slot, @@ -4948,13 +4953,17 @@ static psa_status_t psa_generate_derived_key_internal( psa_key_derivation_operation_t *operation ) { uint8_t *data = NULL; - unsigned key_err = 0; size_t bytes = PSA_BITS_TO_BYTES( bits ); size_t storage_size = bytes; psa_status_t status; +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) if ( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { + unsigned key_err = 0; gen_ecc_key: status = psa_generate_derived_ecc_key_helper(slot, bits, operation, &data, &key_err); if( status != PSA_SUCCESS ) 
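Review bot: The guard added around the helper and around its call site is also satisfied when only the `MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_*` macros are defined, yet the helper calls `mbedtls_ecp_group_load` and the `mbedtls_mpi_*` functions directly; if such a build omits the built-in ECP and bignum modules this may fail to link, so confirm that configuration is covered. The same four-line condition is repeated verbatim in both places and should stay in one place, for instance behind a single file-local macro. The new `#endif` lines carry no trailing comment, unlike `#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */` a few lines above; with the `} else` / `#endif` / `{` split that follows in the next hunk, a comment naming the condition is needed to follow the control flow.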
@@ -4962,7 +4971,9 @@ gen_ecc_key: /* Key has been created, but it doesn't meet criteria. */ if (key_err) goto gen_ecc_key; - } else { + } else +#endif + { if( ! key_type_is_raw_bytes( slot->attr.type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); if( bits % 8 != 0 ) From c6e4c512af14308c13c4465038d12f0dcb088070 Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Fri, 19 Nov 2021 12:08:38 +0100 Subject: [PATCH 05/34] psa_crypto.c: fix warning on windows compiler Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a101e69de..b957deace 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4911,7 +4911,7 @@ static psa_status_t psa_generate_derived_ecc_key_helper( * (8 * ceiling(m/8) - m) bits of the first byte in * the string to zero. */ - uint8_t clear_bit_count = ( 8 * m_bytes - m ); + uint8_t clear_bit_count = (uint8_t) ( 8 * m_bytes - m ); uint8_t clear_bit_mask = ( ( 1 << clear_bit_count ) - 1 ); clear_bit_mask = ~( clear_bit_mask << ( 8 - clear_bit_count ) ); *data[0] = ( *data[0] & clear_bit_mask ); From ab80c0cd6c0e2fb4d979a673fdc441701782562b Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Tue, 23 Nov 2021 20:09:23 +0100 Subject: [PATCH 06/34] test_psa_compliance.py: checkout fix-pr-5139 tag Signed-off-by: Przemyslaw Stekiel --- tests/scripts/test_psa_compliance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/test_psa_compliance.py b/tests/scripts/test_psa_compliance.py index da5229b89..182fa39ee 100755 --- a/tests/scripts/test_psa_compliance.py +++ b/tests/scripts/test_psa_compliance.py 
@@ -47,7 +47,7 @@ EXPECTED_FAILURES = { # # Web URL: https://github.com/bensze01/psa-arch-tests/tree/fixes-for-mbedtls-3 PSA_ARCH_TESTS_REPO = 'https://github.com/bensze01/psa-arch-tests.git' -PSA_ARCH_TESTS_REF = 'fix-pr-5272' +PSA_ARCH_TESTS_REF = 'fix-pr-5139-2' #pylint: disable=too-many-branches,too-many-statements def main(): From 705fb0f918fc16e07b49185dd0e5d218ef16cab2 Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Wed, 24 Nov 2021 08:47:29 +0100 Subject: [PATCH 07/34] Only Weierstrass curves supported Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index b957deace..d344c763e 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -27,6 +27,7 @@ #endif #include "psa/crypto.h" +#include "psa/crypto_values.h" #include "psa_crypto_cipher.h" #include "psa_crypto_core.h" @@ -4825,7 +4826,8 @@ static void psa_des_set_key_parity( uint8_t *data, size_t data_size ) #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */ /* -* ECC key types require the generation of a private key which is an integer +* ECC keys on a Weierstrass elliptic curve require the generation +* of a private key which is an integer * in the range [1, N - 1], where N is the boundary of the private key domain: * N is the prime p for Diffie-Hellman, or the order of the * curve’s base point for ECC. @@ -4961,7 +4963,8 @@ static psa_status_t psa_generate_derived_key_internal( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) - if ( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) + if ( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) && + PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ) != PSA_ECC_FAMILY_MONTGOMERY ) { unsigned key_err = 0; gen_ecc_key: From 696b12065041947f1dc74374a00ee31e8168efd9 Mon Sep 17 00:00:00 2001 
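Review bot: `PSA_ARCH_TESTS_REF` is set to the name `'fix-pr-5139-2'` in a personal fork (`PSA_ARCH_TESTS_REPO`), and a tag or branch name can be moved after review, so the compliance run, which presumably builds and executes what it checks out, may later run code nobody looked at. Pin the full commit hash instead, e.g. `PSA_ARCH_TESTS_REF = '<full-commit-sha>'` (placeholder), and keep the tag name in a comment beside it. The commit subject says `fix-pr-5139` while the value is `fix-pr-5139-2`; one of the two should be corrected.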
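Review bot: The new condition in the last hunk is a deny-list: it keeps only `PSA_ECC_FAMILY_MONTGOMERY` out of the rejection-sampling helper, so any other non-Weierstrass family that `PSA_KEY_TYPE_IS_ECC` accepts would still reach code whose header comment now says it is for Weierstrass curves. Prefer a positive test for the supported families, so that an unknown family fails closed before any key material is drawn. `PSA_KEY_TYPE_IS_ECC` is also true for public-key types; unless a caller outside this hunk already rejects them, `PSA_KEY_TYPE_IS_ECC_KEY_PAIR( slot->attr.type )` is the narrower check. A one-line comment stating which status a Montgomery request now gets from the `else` branch would help as well.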
From: Przemyslaw Stekiel
Date: Wed, 24 Nov 2021 16:29:10 +0100
Subject: [PATCH 08/34] Add tests for ECC key derivation Test code and test vectors are taken from PR #5218
Signed-off-by: Przemyslaw Stekiel
---
tests/suites/test_suite_psa_crypto.data | 92 +++++++++++++++++++++
tests/suites/test_suite_psa_crypto.function | 59 +++++++++++++
2 files changed, 151 insertions(+)
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 6bce6bb99..06c164204 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -5105,6 +5105,98 @@ PSA key derivation: TLS 1.2 PRF SHA-256, derive key export, 1+41 depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF derive_key_export:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":1:41 +PSA key derivation: HKDF-SHA-256 -> AES-128 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:"3cb25f25faacd57a90434f64d0362f2a" + +PSA key derivation: HKDF-SHA-256 -> AES-256 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:256:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf" + +PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5c0" + +PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 (1 redraw) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"4869212049276d20612074657374206b65792120486f772061726520796f753f":"":"e1ab5d0000000000":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:"46a5850b60ba10b0fd8e0feb8790e2819d46ea26fede564ff6dea94ef1945660" + +PSA key derivation: HKDF-SHA-256 -> raw (same input as secp256r1+redraw) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 
+derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"4869212049276d20612074657374206b65792120486f772061726520796f753f":"":"e1ab5d0000000000":PSA_KEY_TYPE_RAW_DATA:256:"ffffffff55f60cea989fe02543c81b28aff09b5b51fdc43f91fe5c2511b0b9d9" + +PSA key derivation: HKDF-SHA-256 -> ECC secp384r1 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_384:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):384:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865b4b0a85a993c" + +# For secp521r1, the leading byte of the representation of the private key can +# be either 0 or 1. Have one test case where it's 0 and one where it's 1. +PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #0 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_521:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):521:"00b25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865b4b0a85a993b89b9b65683d60f0106d28fff039d0b6f3409" + +PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #1 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_521:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fa":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):521:"01122f37d10965c8455ecbd2bc73d5da5347d0ce772e54305d528295a64ffb7c567f5042e2d7e5803b407c08d1e110adcefc35564035d706582f723a2f76a32260da" + +# For Curve25519, test a few different outputs to exercise masking. 
+PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #1 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"38b25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c57f" + +PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #2 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fa":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"b8122f37d10965c8455ecbd2bc73d5da5347d0ce772e54305d528295a64ffb7c" + +PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #3 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fb":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"e029d8a4f83cfad631f18dca6aa995f3fa69dd6488a39e8d92fe8de6ca88694f" + +PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #4 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fc":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"90958ef02dae8c97921a6e59eaa79f5445f76d0f4ab16cd97feba5e6586c264d" + +PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #5 
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fd":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"c099f692a89df2e9008aebe07012b5e128c9cfc1243bd32b7043ab21912d985d" + +PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #6 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fe":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"d8929e4677193ca3b8b1035d93711ba917edac23c47fd45a403997361ec1475b" + +PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #7 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8ff":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"c89d06c33cec5b3d08221a7228050e6919150a43592ae710162c97c0a2855b65" + +# For Curve448, test a few different outputs to exercise masking. 
+PSA key derivation: HKDF-SHA-256 -> ECC curve448 #1 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865b4b0a85a993b89b9b65683d60f81" + +PSA key derivation: HKDF-SHA-256 -> ECC curve448 #2 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fa":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:"bc122f37d10965c8455ecbd2bc73d5da5347d0ce772e54305d528295a64ffb7c567f5042e2d7e5803b407c08d1e110adcefc35564035d786" + +PSA key derivation: HKDF-SHA-256 -> ECC curve448 #3 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fb":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:"e429d8a4f83cfad631f18dca6aa995f3fa69dd6488a39e8d92fe8de6ca88694fedcdc273f4cefcb73478e8cbcc344c5d713b5eb26e89a9dd" + +PSA key derivation: HKDF-SHA-256 -> ECC curve448 #4 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448:NOT_IMPLEMENTED_YET 
+derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fc":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:"90958ef02dae8c97921a6e59eaa79f5445f76d0f4ab16cd97feba5e6586c264dc114d7391112c6083b48ccc60d63c47642f5693898fe498c" + +PSA key derivation: HKDF-SHA-256 -> ECC curve448 #5 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fd":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:"c099f692a89df2e9008aebe07012b5e128c9cfc1243bd32b7043ab21912d98dd4f73c807b5cc60cbf3364e606ecaeccd3ce44ac46595959d" + +PSA key derivation: HKDF-SHA-256 -> ECC curve448 #6 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fe":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:"d8929e4677193ca3b8b1035d93711ba917edac23c47fd45a403997361ec1479b4eccf10bc9d1fa1a2e96b5c965a0045295516ab00665fc9b" + +PSA key derivation: HKDF-SHA-256 -> ECC curve448 #7 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448:NOT_IMPLEMENTED_YET +derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8ff":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:"cc9d06c33cec5b3d08221a7228050e6919150a43592ae710162c97c0a2855b25c373305784895a1c48ca511ee42fc50c3f67d419569007ea" + PSA key derivation: invalid type (0) depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_NONE:128:PSA_ERROR_INVALID_ARGUMENT:0 diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index c94c37e8a..f21aa6e34 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function 
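Review bot: Every ECC case added in this hunk lists `NOT_IMPLEMENTED_YET` in `depends_on`, so, assuming that symbol is never defined, none of them runs and the new private-key derivation path has no active known-answer test, including the `(1 redraw)` vector that exercises the rejection step. Drop `NOT_IMPLEMENTED_YET` from the secp256r1, secp384r1 and secp521r1 cases, which the earlier patches in this series implement, and keep it only on the curve25519 and curve448 cases that the Montgomery exclusion leaves unsupported. A negative case that expects a specific error status for a Montgomery key type would pin the behaviour of that exclusion.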
@@ -6754,6 +6754,65 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void derive_key_type( int alg_arg, + data_t *key_data, + data_t *input1, + data_t *input2, + int key_type_arg, int bits_arg, + data_t *expected_export ) +{ + mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; + mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; + const psa_algorithm_t alg = alg_arg; + const psa_key_type_t key_type = key_type_arg; + const size_t bits = bits_arg; + psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; + const size_t export_buffer_size = + PSA_EXPORT_KEY_OUTPUT_SIZE( key_type, bits ); + uint8_t *export_buffer = NULL; + psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; + size_t export_length; + + ASSERT_ALLOC( export_buffer, export_buffer_size ); + PSA_ASSERT( psa_crypto_init( ) ); + + psa_set_key_usage_flags( &base_attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &base_attributes, alg ); + psa_set_key_type( &base_attributes, PSA_KEY_TYPE_DERIVE ); + PSA_ASSERT( psa_import_key( &base_attributes, key_data->x, key_data->len, + &base_key ) ); + + if( !mbedtls_test_psa_setup_key_derivation_wrap( + &operation, base_key, alg, + input1->x, input1->len, + input2->x, input2->len, + PSA_KEY_DERIVATION_UNLIMITED_CAPACITY ) ) + goto exit; + + psa_set_key_usage_flags( &derived_attributes, PSA_KEY_USAGE_EXPORT ); + psa_set_key_algorithm( &derived_attributes, 0 ); + psa_set_key_type( &derived_attributes, key_type ); + psa_set_key_bits( &derived_attributes, bits ); + PSA_ASSERT( psa_key_derivation_output_key( &derived_attributes, &operation, + &derived_key ) ); + + PSA_ASSERT( psa_export_key( derived_key, + export_buffer, export_buffer_size, + &export_length ) ); + ASSERT_COMPARE( export_buffer, export_length, + expected_export->x, expected_export->len ); + +exit: + mbedtls_free( export_buffer ); + psa_key_derivation_abort( &operation ); + psa_destroy_key( 
base_key ); + psa_destroy_key( derived_key ); + PSA_DONE( ); +} +/* END_CASE */ + /* BEGIN_CASE */ void derive_key( int alg_arg, data_t *key_data, data_t *input1, data_t *input2, From 8590f3b5ff4ddfb1bfd6d4cb29d3453edd212e6a Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Thu, 25 Nov 2021 10:26:40 +0100 Subject: [PATCH 09/34] Enable related test vectors Signed-off-by: Przemyslaw Stekiel --- tests/suites/test_suite_psa_crypto.data | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 06c164204..756faa5e8 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
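Review bot: The new `derive_key_type` case has no header comment saying what it verifies or what `expected_export` must contain, which matters here because the vectors encode curve-specific post-processing (the "+1" for Weierstrass curves, the masking for Montgomery curves). A comment above `void derive_key_type(` such as `/* Derive a key of key_type/bits from key_data with alg, then check that psa_export_key() returns exactly expected_export. */` would make the contract clear. It would also help to state that the derived key is created with `PSA_KEY_USAGE_EXPORT` only, so this case checks the key bytes and not the key's usability.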
@@ -5114,11 +5114,11 @@ depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:256:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf" PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5c0" PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 (1 redraw) -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"4869212049276d20612074657374206b65792120486f772061726520796f753f":"":"e1ab5d0000000000":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:"46a5850b60ba10b0fd8e0feb8790e2819d46ea26fede564ff6dea94ef1945660" PSA key derivation: HKDF-SHA-256 -> raw (same input as secp256r1+redraw) 
@@ -5126,17 +5126,17 @@ depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"4869212049276d20612074657374206b65792120486f772061726520796f753f":"":"e1ab5d0000000000":PSA_KEY_TYPE_RAW_DATA:256:"ffffffff55f60cea989fe02543c81b28aff09b5b51fdc43f91fe5c2511b0b9d9" PSA key derivation: HKDF-SHA-256 -> ECC secp384r1 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_384:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_384 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):384:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865b4b0a85a993c" # For secp521r1, the leading byte of the representation of the private key can # be either 0 or 1. Have one test case where it's 0 and one where it's 1. 
PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #0 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_521:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_521 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):521:"00b25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865b4b0a85a993b89b9b65683d60f0106d28fff039d0b6f3409" PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #1 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_521:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_521 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fa":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):521:"01122f37d10965c8455ecbd2bc73d5da5347d0ce772e54305d528295a64ffb7c567f5042e2d7e5803b407c08d1e110adcefc35564035d706582f723a2f76a32260da" # For Curve25519, test a few different outputs to exercise masking. From 58ce8d8fb6457918781ab990b87bb4b15a690b7c Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Thu, 25 Nov 2021 13:53:28 +0100 Subject: [PATCH 10/34] Add support for Montgomery curves Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 64 +++++++++++++++++++++++++++++++++++++------- 1 file changed, 54 insertions(+), 10 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index d344c763e..f85a120a8 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -4855,7 +4855,7 @@ static void psa_des_set_key_parity( uint8_t *data, size_t data_size ) defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) -static psa_status_t psa_generate_derived_ecc_key_helper( +static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( psa_key_slot_t *slot, size_t bits, psa_key_derivation_operation_t *operation, 
@@ -4963,17 +4963,61 @@ static psa_status_t psa_generate_derived_key_internal( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) - if ( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) && - PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ) != PSA_ECC_FAMILY_MONTGOMERY ) + if ( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { - unsigned key_err = 0; + if ( PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ) != PSA_ECC_FAMILY_MONTGOMERY ) + { + /* Weierstrass elliptic curve */ + unsigned key_err = 0; gen_ecc_key: - status = psa_generate_derived_ecc_key_helper(slot, bits, operation, &data, &key_err); - if( status != PSA_SUCCESS ) - goto exit; - /* Key has been created, but it doesn't meet criteria. */ - if (key_err) - goto gen_ecc_key; + status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data, &key_err); + if( status != PSA_SUCCESS ) + goto exit; + /* Key has been created, but it doesn't meet criteria. */ + if (key_err) + goto gen_ecc_key; + } else + { + /* Montgomery elliptic curve */ + size_t output_length; + switch( bits ) + { + case 255: + output_length = 32; + break; + case 448: + output_length = 56; + break; + default: + return( PSA_ERROR_INVALID_ARGUMENT ); + break; + } + + data = mbedtls_calloc( 1, bytes ); + if( data == NULL ) + return( PSA_ERROR_INSUFFICIENT_MEMORY ); + + status = psa_key_derivation_output_bytes( operation, data, output_length ); + + if( status != PSA_SUCCESS ) + goto exit; + + switch( bits ) + { + case 255: + data[0] &= 248; + data[31] &= 127; + data[31] |= 64; + break; + case 448: + data[0] &= 252; + data[55] |= 128; + break; + default: + /* already handled */ + break; + } + } } else #endif { From 02cf12ff9205ed420f0a2688c92d011153c8bee8 Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Thu, 25 Nov 2021 13:57:31 +0100 Subject: [PATCH 11/34] Enable tests for Montgomery curves 
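Review bot: In the Montgomery branch the buffer is allocated with `mbedtls_calloc( 1, bytes )` but filled with `output_length` bytes and then indexed at `data[31]` / `data[55]`, so the allocation size and the write size come from two different variables. They agree only while `bytes` (set before this hunk, not visible here) is 32 for 255 bits and 56 for 448 bits. Allocating with the length that is actually written, `data = mbedtls_calloc( 1, output_length );`, or rejecting `bytes != output_length` before the draw, removes that hidden dependency. The `break` after `return( PSA_ERROR_INVALID_ARGUMENT )` is unreachable, and the second `switch( bits )` could be avoided by applying the masks at `data[output_length - 1]`. The body of psa_generate_derived_key_internal starts and ends outside the hunk.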
Signed-off-by: Przemyslaw Stekiel --- tests/suites/test_suite_psa_crypto.data | 28 ++++++++++++------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 756faa5e8..4df081764 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -5141,60 +5141,60 @@ derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0 # For Curve25519, test a few different outputs to exercise masking. PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #1 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"38b25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c57f" PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #2 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fa":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"b8122f37d10965c8455ecbd2bc73d5da5347d0ce772e54305d528295a64ffb7c" PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #3 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fb":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"e029d8a4f83cfad631f18dca6aa995f3fa69dd6488a39e8d92fe8de6ca88694f" PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #4 
-depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fc":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"90958ef02dae8c97921a6e59eaa79f5445f76d0f4ab16cd97feba5e6586c264d" PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #5 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fd":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"c099f692a89df2e9008aebe07012b5e128c9cfc1243bd32b7043ab21912d985d" PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #6 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fe":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"d8929e4677193ca3b8b1035d93711ba917edac23c47fd45a403997361ec1475b" PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #7 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255 
derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8ff":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"c89d06c33cec5b3d08221a7228050e6919150a43592ae710162c97c0a2855b65" # For Curve448, test a few different outputs to exercise masking. PSA key derivation: HKDF-SHA-256 -> ECC curve448 #1 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865b4b0a85a993b89b9b65683d60f81" PSA key derivation: HKDF-SHA-256 -> ECC curve448 #2 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fa":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:"bc122f37d10965c8455ecbd2bc73d5da5347d0ce772e54305d528295a64ffb7c567f5042e2d7e5803b407c08d1e110adcefc35564035d786" PSA key derivation: HKDF-SHA-256 -> ECC curve448 #3 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448 
derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fb":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:"e429d8a4f83cfad631f18dca6aa995f3fa69dd6488a39e8d92fe8de6ca88694fedcdc273f4cefcb73478e8cbcc344c5d713b5eb26e89a9dd" PSA key derivation: HKDF-SHA-256 -> ECC curve448 #4 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fc":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:"90958ef02dae8c97921a6e59eaa79f5445f76d0f4ab16cd97feba5e6586c264dc114d7391112c6083b48ccc60d63c47642f5693898fe498c" PSA key derivation: HKDF-SHA-256 -> ECC curve448 #5 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fd":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:"c099f692a89df2e9008aebe07012b5e128c9cfc1243bd32b7043ab21912d98dd4f73c807b5cc60cbf3364e606ecaeccd3ce44ac46595959d" PSA key derivation: HKDF-SHA-256 -> ECC curve448 #6 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448 
derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fe":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:"d8929e4677193ca3b8b1035d93711ba917edac23c47fd45a403997361ec1479b4eccf10bc9d1fa1a2e96b5c965a0045295516ab00665fc9b" PSA key derivation: HKDF-SHA-256 -> ECC curve448 #7 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448:NOT_IMPLEMENTED_YET +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8ff":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:"cc9d06c33cec5b3d08221a7228050e6919150a43592ae710162c97c0a2855b25c373305784895a1c48ca511ee42fc50c3f67d419569007ea" PSA key derivation: invalid type (0) From 50fcc535e52fc72a3efb82f24530b50c164da401 Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Fri, 26 Nov 2021 10:54:52 +0100 Subject: [PATCH 12/34] Add Weierstrass curve/bits consistancy check + negative test vectors Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 52 ++++++++++++++- tests/suites/test_suite_psa_crypto.data | 84 ++++++++++++++++++++++++- 2 files changed, 133 insertions(+), 3 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index f85a120a8..1ffebcf0d 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -4949,6 +4949,50 @@ cleanup: } #endif +static psa_status_t psa_generate_derived_ecc_key_weierstrass_check_config( + psa_ecc_family_t curve, + size_t bits) +{ + switch (curve) + { + case ( PSA_ECC_FAMILY_SECP_K1 ): + if (bits != 192 && bits != 225 && bits != 256) + return ( PSA_ERROR_INVALID_ARGUMENT ); + break; + case ( PSA_ECC_FAMILY_SECP_R1 ): + if (bits != 192 && bits != 224 && bits != 256 && bits != 384 && bits != 521) + return ( PSA_ERROR_INVALID_ARGUMENT ); + break; + case ( PSA_ECC_FAMILY_SECP_R2 ): + if (bits != 160) + return ( PSA_ERROR_INVALID_ARGUMENT ); + break; + case ( PSA_ECC_FAMILY_SECT_K1 ): + if (bits != 163 && bits != 233 && bits != 239 && bits != 283 && bits != 409 && bits != 571) + return ( PSA_ERROR_INVALID_ARGUMENT ); + break; + case ( PSA_ECC_FAMILY_SECT_R1 ): + if (bits != 163 && bits != 233 && bits != 283 && bits != 409 && bits != 571) + return ( PSA_ERROR_INVALID_ARGUMENT ); + break; + case ( PSA_ECC_FAMILY_SECT_R2 ): + if (bits != 163) + return ( PSA_ERROR_INVALID_ARGUMENT ); + break; + case ( PSA_ECC_FAMILY_BRAINPOOL_P_R1 ): + if (bits != 160 && bits != 192 && bits != 224 && bits != 256 && bits != 320 && bits != 384 && bits != 512) + return ( PSA_ERROR_INVALID_ARGUMENT ); + break; +/* + case ( PSA_ECC_FAMILY_FRP ): + if (bits != 256) + return ( PSA_ERROR_INVALID_ARGUMENT ) ; + break; +*/ + } + return PSA_SUCCESS; +} + static psa_status_t psa_generate_derived_key_internal( psa_key_slot_t *slot, size_t bits, @@ -4969,6 +5013,11 @@ static psa_status_t psa_generate_derived_key_internal( { /* Weierstrass elliptic curve */ unsigned key_err = 0; + status = psa_generate_derived_ecc_key_weierstrass_check_config( + PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ), + bits ); + if ( status != PSA_SUCCESS ) + return status; gen_ecc_key: status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data, &key_err); if( status != PSA_SUCCESS ) 
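Review bot: The `switch (curve)` in psa_generate_derived_ecc_key_weierstrass_check_config has no `default`, so any family that is not listed falls through to `return PSA_SUCCESS` and is accepted with whatever `bits` the caller passed. A validation helper should fail closed for the unlisted case, for example `default: return( PSA_ERROR_NOT_SUPPORTED );`. This matters because the call added in the next hunk is reached for every ECC family other than `PSA_ECC_FAMILY_MONTGOMERY`. The commented-out `PSA_ECC_FAMILY_FRP` case should be either enabled or replaced by a one-line comment saying why that family is not checked.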
@@ -4976,7 +5025,8 @@ gen_ecc_key: /* Key has been created, but it doesn't meet criteria. */ if (key_err) goto gen_ecc_key; - } else + } + else { /* Montgomery elliptic curve */ size_t output_length; diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 4df081764..8cb0b47bc 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -5205,15 +5205,95 @@ PSA key derivation: invalid type (PSA_KEY_TYPE_CATEGORY_MASK) depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_CATEGORY_MASK:128:PSA_ERROR_INVALID_ARGUMENT:0 -PSA key derivation: invalid length (0) +PSA key derivation: invalid length PSA_KEY_TYPE_RAW_DATA (0) depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_RAW_DATA:0:PSA_ERROR_INVALID_ARGUMENT:0 -PSA key derivation: invalid length (7 bits) +PSA key derivation: invalid length PSA_KEY_TYPE_RAW_DATA (7 bits) depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_RAW_DATA:7:PSA_ERROR_INVALID_ARGUMENT:0 +PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) (0) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):0:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) (7 bits) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):7:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid length 
PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1) (0) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):0:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1) (7 bits) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):7:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2) (0) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2):0:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2) (7 bits) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2):7:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1) (0) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED 
+derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):0:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1) (7 bits) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):7:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1) (0) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):0:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1) (7 bits) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):7:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2) (0) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2):0:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid length 
PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2) (7 bits) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2):7:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1) (0) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):0:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1) (7 bits) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):7:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY) (0) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):0:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY) (7 bits) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED 
+derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):7:PSA_ERROR_INVALID_ARGUMENT:0 + PSA key derivation: raw data, 8 bits depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_RAW_DATA:8:PSA_SUCCESS:0 From 7b6e61a132284d70addf8452e38914980bbb7f4d Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Fri, 26 Nov 2021 15:18:53 +0100 Subject: [PATCH 13/34] Add test vectors for ECC key excercise Signed-off-by: Przemyslaw Stekiel --- tests/suites/test_suite_psa_crypto.data | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 8cb0b47bc..116fb8c58 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
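Review bot: The negative vectors added here use only `0` and `7` bits for every family, and any size check would reject those values, so a wrong or missing entry in the per-family table introduced by this commit would not be caught. Each family needs at least one case with a size that is plausible but not valid for it; a constructed example is `PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2)` with `256` expecting `PSA_ERROR_INVALID_ARGUMENT`. The `depends_on` lines name only `PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256`, so in a build without ECC these cases presumably pass through a different branch; adding `PSA_WANT_KEY_TYPE_ECC_KEY_PAIR` would tie them to the code under test.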
@@ -5089,6 +5089,22 @@ PSA key derivation: TLS 1.2 PRF SHA-256, exercise HKDF-SHA-256
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF
 derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DERIVE:400:PSA_KEY_USAGE_DERIVE:PSA_ALG_HKDF(PSA_ALG_SHA_256)

+PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)-CTR
+depends_on:PSA_WANT_ALG_CTR:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256
+derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_CTR
+
+PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)-PSA_ALG_CBC_PKCS7
+depends_on:PSA_WANT_ALG_CTR:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256
+derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_CBC_PKCS7
+
+PSA key derivation: HKDF-SHA-256 -> ECC curve25519, exercise PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY)-CTR
+depends_on:PSA_WANT_ALG_CTR:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255
+derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:PSA_KEY_USAGE_DERIVE:PSA_ALG_CTR
+
+PSA key derivation: HKDF-SHA-256 -> ECC curve25519, exercise PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY)-PSA_ALG_CBC_PKCS7
+depends_on:PSA_WANT_ALG_CTR:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255 +derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:PSA_KEY_USAGE_DERIVE:PSA_ALG_CBC_PKCS7 + PSA key derivation: HKDF SHA-256, derive key export, 16+32 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_key_export:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":16:32 From aaa1ada0862cf1c6f15dcc7f1aeb05b427fdd924 Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Fri, 26 Nov 2021 16:06:05 +0100 Subject: [PATCH 14/34] psa_generate_derived_ecc_key_weierstrass_check_config: Build only when ECC enabled Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 1ffebcf0d..a3a6745d2 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4949,6 +4949,10 @@ cleanup: } #endif +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) static psa_status_t psa_generate_derived_ecc_key_weierstrass_check_config( psa_ecc_family_t curve, size_t bits) @@ -4992,6 +4996,7 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_check_config( } return PSA_SUCCESS; } +#endif static psa_status_t psa_generate_derived_key_internal( psa_key_slot_t *slot, From 871a3360281bc254a02ca19db87d9e72bf00950e Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Thu, 2 Dec 2021 08:46:39 +0100 Subject: [PATCH 15/34] Remove redundant psa_generate_derived_ecc_key_weierstrass_check_config() 
Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 60 +++++--------------------------------------- 1 file changed, 6 insertions(+), 54 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a3a6745d2..485f80579 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4877,6 +4877,12 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( mbedtls_ecp_group_id grp_id = mbedtls_ecc_group_of_psa( curve, bits, 0 ); + if( grp_id == MBEDTLS_ECP_DP_NONE ) + { + ret = PSA_ERROR_INVALID_ARGUMENT; + goto cleanup; + } + mbedtls_ecp_group ecp_group; mbedtls_ecp_group_init( &ecp_group ); 
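Review bot: The new `grp_id == MBEDTLS_ECP_DP_NONE` branch jumps to `cleanup` before `mbedtls_ecp_group ecp_group;` is declared and initialised, and the cleanup code visible in later hunks of this series frees only the MPIs, so the group filled by `mbedtls_ecp_group_load()` is never handed to `mbedtls_ecp_group_free()`. Moving the declaration and `mbedtls_ecp_group_init( &ecp_group );` above this check and adding `mbedtls_ecp_group_free( &ecp_group );` under `cleanup:` keeps the init/free pairing valid on every path, including this early exit. Whether the built-in curves actually allocate inside the group is not visible here, but the pairing should not depend on that. The helper's body starts and ends outside this hunk.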
@@ -4949,55 +4955,6 @@ cleanup: } #endif -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) -static psa_status_t psa_generate_derived_ecc_key_weierstrass_check_config( - psa_ecc_family_t curve, - size_t bits) -{ - switch (curve) - { - case ( PSA_ECC_FAMILY_SECP_K1 ): - if (bits != 192 && bits != 225 && bits != 256) - return ( PSA_ERROR_INVALID_ARGUMENT ); - break; - case ( PSA_ECC_FAMILY_SECP_R1 ): - if (bits != 192 && bits != 224 && bits != 256 && bits != 384 && bits != 521) - return ( PSA_ERROR_INVALID_ARGUMENT ); - break; - case ( PSA_ECC_FAMILY_SECP_R2 ): - if (bits != 160) - return ( PSA_ERROR_INVALID_ARGUMENT ); - break; - case ( PSA_ECC_FAMILY_SECT_K1 ): - if (bits != 163 && bits != 233 && bits != 239 && bits != 283 && bits != 409 && bits != 571) - return ( PSA_ERROR_INVALID_ARGUMENT ); - break; - case ( PSA_ECC_FAMILY_SECT_R1 ): - if (bits != 163 && bits != 233 && bits != 283 && bits != 409 && bits != 571) - return ( PSA_ERROR_INVALID_ARGUMENT ); - break; - case ( PSA_ECC_FAMILY_SECT_R2 ): - if (bits != 163) - return ( PSA_ERROR_INVALID_ARGUMENT ); - break; - case ( PSA_ECC_FAMILY_BRAINPOOL_P_R1 ): - if (bits != 160 && bits != 192 && bits != 224 && bits != 256 && bits != 320 && bits != 384 && bits != 512) - return ( PSA_ERROR_INVALID_ARGUMENT ); - break; -/* - case ( PSA_ECC_FAMILY_FRP ): - if (bits != 256) - return ( PSA_ERROR_INVALID_ARGUMENT ) ; - break; -*/ - } - return PSA_SUCCESS; -} -#endif - static psa_status_t psa_generate_derived_key_internal( psa_key_slot_t *slot, size_t bits, 
@@ -5018,11 +4975,6 @@ static psa_status_t psa_generate_derived_key_internal( { /* Weierstrass elliptic curve */ unsigned key_err = 0; - status = psa_generate_derived_ecc_key_weierstrass_check_config( - PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ), - bits ); - if ( status != PSA_SUCCESS ) - return status; gen_ecc_key: status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data, &key_err); if( status != PSA_SUCCESS ) From dc8d7d921164e6e7010120b3e984b45cb11e8aae Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Thu, 2 Dec 2021 09:15:20 +0100 Subject: [PATCH 16/34] fix mbedtls/psa status code mismatch Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 485f80579..fdb4d6951 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4865,8 +4865,9 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( mbedtls_mpi N; mbedtls_mpi k; mbedtls_mpi diff_N_2; - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - psa_status_t status; + /* ret variable is used by MBEDTLS_MPI_CHK macro */ + int ret = 0; + psa_status_t status = PSA_SUCCESS; mbedtls_mpi_init( &k ); mbedtls_mpi_init( &N ); @@ -4879,18 +4880,15 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( if( grp_id == MBEDTLS_ECP_DP_NONE ) { - ret = PSA_ERROR_INVALID_ARGUMENT; + status = PSA_ERROR_INVALID_ARGUMENT; goto cleanup; } mbedtls_ecp_group ecp_group; mbedtls_ecp_group_init( &ecp_group ); - if( ( status = mbedtls_ecp_group_load( &ecp_group, grp_id ) ) != 0 ) - { - ret = status; + if( ( status = mbedtls_to_psa_error( mbedtls_ecp_group_load( &ecp_group, grp_id ) ) ) != 0 ) goto cleanup; - } /* N is the boundary of the private key domain. */ MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &N, &ecp_group.N ) ); 
@@ -4902,15 +4900,12 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( *data = mbedtls_calloc( 1, m_bytes ); if( *data == NULL ) { - ret = PSA_ERROR_INSUFFICIENT_MEMORY; + status = PSA_ERROR_INSUFFICIENT_MEMORY; goto cleanup; } /* 1. Draw a byte string of length ceiling(m/8) bytes. */ if ( ( status = psa_key_derivation_output_bytes( operation, *data, m_bytes ) ) != 0 ) - { - ret = status; goto cleanup; - } /* 2. If m is not a multiple of 8 */ if (m % 8) @@ -4941,17 +4936,17 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( /* 5. Output k + 1 as the private key. */ MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &k, &k, 1)); MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &k, *data, m_bytes) ); - - ret = 0; cleanup: - if (ret) { + if( ret ) + status = mbedtls_to_psa_error( ret ); + if (status) { mbedtls_free( *data ); *data = NULL; } mbedtls_mpi_free( &k ); mbedtls_mpi_free( &N ); mbedtls_mpi_free( &diff_N_2 ); - return( ret ); + return( status ); } #endif From d80b6ed46dcc44cc1c6749712e3a793a9e2c8cc6 Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Thu, 2 Dec 2021 09:50:55 +0100 Subject: [PATCH 17/34] Use loop instead goto and fix misleading variable name Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index fdb4d6951..9be1a684e 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4860,7 +4860,7 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( size_t bits, psa_key_derivation_operation_t *operation, uint8_t **data, - unsigned *error) + unsigned *key_out_of_range) { mbedtls_mpi N; mbedtls_mpi k; 
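Review bot: In the `cleanup:` block of `psa_generate_derived_ecc_key_weierstrass_helper`, the failure path calls `mbedtls_free( *data )` on a buffer that already holds key-derivation output, and after step 5 a candidate private key, without wiping it first. I would add `if( *data != NULL ) mbedtls_platform_zeroize( *data, m_bytes );` ahead of the free. For that, `m_bytes` has to be declared and set to 0 at the top of the function, because an early `goto cleanup` can arrive before it is assigned. Whether the caller wipes the buffer on its own exit path cannot be seen from these hunks, so the helper should not rely on it. The function begins outside this hunk.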
@@ -4931,7 +4931,7 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( */ MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &diff_N_2, &N, 2) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &k, diff_N_2.n ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( &diff_N_2, &k, error ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( &diff_N_2, &k, key_out_of_range ) ); /* 5. Output k + 1 as the private key. */ MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &k, &k, 1)); @@ -4969,14 +4969,13 @@ static psa_status_t psa_generate_derived_key_internal( if ( PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ) != PSA_ECC_FAMILY_MONTGOMERY ) { /* Weierstrass elliptic curve */ - unsigned key_err = 0; -gen_ecc_key: - status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data, &key_err); - if( status != PSA_SUCCESS ) - goto exit; - /* Key has been created, but it doesn't meet criteria. */ - if (key_err) - goto gen_ecc_key; + unsigned key_out_of_range = 0; + do + { + status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data, &key_out_of_range); + if( status != PSA_SUCCESS ) + goto exit; + } while ( key_out_of_range ); } else { From f6c2c87492bcc116ac554f7ae88197b37c85aa10 Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Thu, 2 Dec 2021 11:49:13 +0100 Subject: [PATCH 18/34] Fix ECC derivation tests Signed-off-by: Przemyslaw Stekiel --- tests/suites/test_suite_psa_crypto.data | 52 +++++++++++-------------- 1 file changed, 22 insertions(+), 30 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 116fb8c58..b0ee41267 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -5089,21 +5089,13 @@ PSA key derivation: TLS 1.2 PRF SHA-256, exercise HKDF-SHA-256
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF
 derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DERIVE:400:PSA_KEY_USAGE_DERIVE:PSA_ALG_HKDF(PSA_ALG_SHA_256)

-PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)-CTR
-depends_on:PSA_WANT_ALG_CTR:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256
-derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_CTR
+PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise ECDSA
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256
+derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY

-PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)-PSA_ALG_CBC_PKCS7
-depends_on:PSA_WANT_ALG_CTR:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256
-derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_CBC_PKCS7
-
-PSA key derivation: HKDF-SHA-256 -> ECC curve25519, exercise PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY)-CTR
-depends_on:PSA_WANT_ALG_CTR:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255
-derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:PSA_KEY_USAGE_DERIVE:PSA_ALG_CTR
-
-PSA key derivation: HKDF-SHA-256 -> ECC curve25519, exercise PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY)-PSA_ALG_CBC_PKCS7
-depends_on:PSA_WANT_ALG_CTR:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255
-derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:PSA_KEY_USAGE_DERIVE:PSA_ALG_CBC_PKCS7
+PSA key derivation: HKDF-SHA-256 -> ECC curve25519, exercise ECDH
+depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255
+derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH

 PSA key derivation: HKDF SHA-256, derive key export, 16+32
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
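Review bot: Neither replacement vector reaches the `m % 8` branch of the Weierstrass helper, so the masking of the first byte's top bits stays untested. The secp256r1 case has a bit size that is a multiple of 8, and the curve25519 case takes the Montgomery path. That masking expression is rewritten in a later patch of this series and its byte access is corrected in another, which makes a regression test worthwhile. A third `derive_key_exercise` case for `PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)` at 521 bits would cover it, with `PSA_WANT_ECC_SECP_R1_521` in its `depends_on` line and the same ECDSA usage flags as the secp256r1 case.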
@@ -5230,82 +5222,82 @@ PSA key derivation: invalid length PSA_KEY_TYPE_RAW_DATA (7 bits)
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_RAW_DATA:7:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) (0)
+PSA key derivation: bits=0 invalid for ECC SECP_R1
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):0:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) (7 bits)
+PSA key derivation: bits=7 invalid for ECC SECP_R1
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):7:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1) (0)
+PSA key derivation: bits=0 invalid for ECC SECP_K1
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):0:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1) (7 bits)
+PSA key derivation: bits=7 invalid for ECC SECP_K1
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):7:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2) (0)
+PSA key derivation: bits=0 invalid for ECC SECP_R2
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2):0:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2) (7 bits)
+PSA key derivation: bits=7 invalid for ECC SECP_R2
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2):7:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1) (0)
+PSA key derivation: bits=0 invalid for ECC SECT_K1
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):0:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1) (7 bits)
+PSA key derivation: bits=7 invalid for ECC SECT_K1
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):7:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1) (0)
+PSA key derivation: bits=0 invalid for ECC SECT_R1
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):0:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1) (7 bits)
+PSA key derivation: bits=7 invalid for ECC SECT_R1
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):7:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2) (0)
+PSA key derivation: bits=0 invalid for ECC SECT_R2
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2):0:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2) (7 bits)
+PSA key derivation: bits=7 invalid for ECC SECT_R2
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2):7:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1) (0)
+PSA key derivation: bits=0 invalid for ECC BRAINPOOL_P_R1
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):0:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1) (7 bits)
+PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):7:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY) (0)
+PSA key derivation: bits=0 invalid for ECC MONTGOMERY
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):0:PSA_ERROR_INVALID_ARGUMENT:0

-PSA key derivation: invalid length PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY) (7 bits)
+PSA key derivation: bits=7 invalid for ECC MONTGOMERY
 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):7:PSA_ERROR_INVALID_ARGUMENT:0 From dc215f4b97f48eabde28d08505c88cf5b6726082 Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Thu, 2 Dec 2021 12:14:56 +0100 Subject: [PATCH 19/34] Simplify calculations for clear mask Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 9be1a684e..6a67b28f4 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4914,10 +4914,8 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( * (8 * ceiling(m/8) - m) bits of the first byte in * the string to zero. */ - uint8_t clear_bit_count = (uint8_t) ( 8 * m_bytes - m ); - uint8_t clear_bit_mask = ( ( 1 << clear_bit_count ) - 1 ); - clear_bit_mask = ~( clear_bit_mask << ( 8 - clear_bit_count ) ); - *data[0] = ( *data[0] & clear_bit_mask ); + uint8_t clear_bit_mask = (1 << (m % 8)) - 1; + *data[0] &= clear_bit_mask; } /* 3. Convert the string to integer k by decoding it as a From e33ae7186e0c2e13275a34d84a2b956258784e3d Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Mon, 3 Jan 2022 13:37:59 +0100 Subject: [PATCH 20/34] psa_crypto.c: adapt macros Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 6a67b28f4..2b1e81ebe 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -4853,8 +4853,9 @@ static void psa_des_set_key_parity( uint8_t *data, size_t data_size ) */ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( psa_key_slot_t *slot, size_t bits, @@ -4960,8 +4961,9 @@ static psa_status_t psa_generate_derived_key_internal( #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) if ( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { if ( PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ) != PSA_ECC_FAMILY_MONTGOMERY ) From 924815982aaaa4e164d738418935537baf6f0a26 Mon Sep 17 00:00:00 2001 
From: Przemyslaw Stekiel Date: Tue, 4 Jan 2022 10:09:46 +0100 Subject: [PATCH 21/34] Workaround for VS compiler build error The following error was reported by CI for win32/release builds: 37>Done Building Project "C:\builds\workspace\mbed-tls-pr-head_PR-5139-head\worktrees\tmp_nn5muy8\visualc\VS2010\gen_entropy.vcxproj.metaproj" (Rebuild target(s)). 67>c:\builds\workspace\mbed-tls-pr-head_pr-5139-head\worktrees\tmp_nn5muy8\library\psa_crypto.c(4840): fatal error C1001: An internal error has occurred in the compiler. [C:\builds\workspace\mbed-tls-pr-head_PR-5139-head\worktrees\tmp_nn5muy8\visualc\VS2010\key_ladder_demo.vcxproj] (compiler file 'f:\dd\vctools\compiler\utc\src\p2\main.c', line 228) To work around this problem, try simplifying or changing the program near the locations listed above. Please choose the Technical Support command on the Visual C++ Help menu, or open the Technical Support help file for more information Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 2b1e81ebe..fe46b0dc3 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4966,7 +4966,8 @@ static psa_status_t psa_generate_derived_key_internal( defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) if ( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { - if ( PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ) != PSA_ECC_FAMILY_MONTGOMERY ) + psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ); + if ( curve != PSA_ECC_FAMILY_MONTGOMERY ) { /* Weierstrass elliptic curve */ unsigned key_out_of_range = 0; From 6d3d18b2dcb8ace0bd3e24e16b2c9dd1aaafdad3 Mon Sep 17 00:00:00 2001 
From: Przemyslaw Stekiel Date: Thu, 20 Jan 2022 22:41:17 +0100 Subject: [PATCH 22/34] psa_generate_derived_key_internal, psa_generate_derived_ecc_key_weierstrass_helper: optimize the code Perform the following optimizations: - fix used flags for conditional compilation - remove redundant N variable - move loop used to generate valid k value to helper function - fix initial value of status - fix comments Signed-off-by: Przemyslaw Stekiel --- include/psa/crypto_values.h | 3 ++ library/psa_crypto.c | 98 ++++++++++++++++++------------------- 2 files changed, 51 insertions(+), 50 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 5a903f86a..3e7afef02 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -553,6 +553,9 @@ ((type) & PSA_KEY_TYPE_ECC_CURVE_MASK) : \ 0)) +/** Check if the curve of given family is Weierstrass elliptic curve. */ +#define PSA_ECC_FAMILY_IS_WEIERSTRASS(family) ((family & 0xc0) == 0) + /** SEC Koblitz curves over prime fields. * * This family comprises the following curves: diff --git a/library/psa_crypto.c b/library/psa_crypto.c index fe46b0dc3..eab499322 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
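Review bot: `PSA_ECC_FAMILY_IS_WEIERSTRASS` expands its argument without parentheses, so an expression argument such as `a | b` would bind as `a | (b & 0xc0)` and give the wrong answer. Write it as `#define PSA_ECC_FAMILY_IS_WEIERSTRASS(family) (((family) & 0xc0) == 0)`, matching the `(type)` parenthesisation in the macro directly above it. The doc comment could also say that the test relies on the two top bits of the family value being zero, so a reader adding a new family knows what `0xc0` selects.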
@@ -4853,25 +4853,24 @@ static void psa_des_set_key_parity( uint8_t *data, size_t data_size ) */ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( psa_key_slot_t *slot, size_t bits, psa_key_derivation_operation_t *operation, - uint8_t **data, - unsigned *key_out_of_range) + uint8_t **data + ) { - mbedtls_mpi N; + unsigned key_out_of_range = 1; mbedtls_mpi k; mbedtls_mpi diff_N_2; - /* ret variable is used by MBEDTLS_MPI_CHK macro */ + /* ret variable is initialized to 0 as it is + used only by MBEDTLS_MPI_CHK macro */ int ret = 0; - psa_status_t status = PSA_SUCCESS; + psa_status_t status = PSA_ERROR_GENERIC_ERROR; mbedtls_mpi_init( &k ); - mbedtls_mpi_init( &N ); mbedtls_mpi_init( &diff_N_2 ); psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( 
@@ -4891,47 +4890,52 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( if( ( status = mbedtls_to_psa_error( mbedtls_ecp_group_load( &ecp_group, grp_id ) ) ) != 0 ) goto cleanup; - /* N is the boundary of the private key domain. */ - MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &N, &ecp_group.N ) ); + /* N is the boundary of the private key domain (ecp_group.N). */ /* Let m be the bit size of N. */ size_t m = ecp_group.nbits; size_t m_bytes = PSA_BITS_TO_BYTES( m ); - if (*data == NULL) - *data = mbedtls_calloc( 1, m_bytes ); + + /* Note: This function is always called with *data == NULL and it + * allocates memory for the data buffer. */ + *data = mbedtls_calloc( 1, m_bytes ); if( *data == NULL ) { status = PSA_ERROR_INSUFFICIENT_MEMORY; goto cleanup; } - /* 1. Draw a byte string of length ceiling(m/8) bytes. */ - if ( ( status = psa_key_derivation_output_bytes( operation, *data, m_bytes ) ) != 0 ) - goto cleanup; - /* 2. If m is not a multiple of 8 */ - if (m % 8) + while ( key_out_of_range ) { - /* Set the most significant - * (8 * ceiling(m/8) - m) bits of the first byte in - * the string to zero. - */ - uint8_t clear_bit_mask = (1 << (m % 8)) - 1; - *data[0] &= clear_bit_mask; + /* 1. Draw a byte string of length ceiling(m/8) bytes. */ + if ( ( status = psa_key_derivation_output_bytes( operation, *data, m_bytes ) ) != 0 ) + goto cleanup; + + /* 2. If m is not a multiple of 8 */ + if (m % 8) + { + /* Set the most significant + * (8 * ceiling(m/8) - m) bits of the first byte in + * the string to zero. + */ + uint8_t clear_bit_mask = (1 << (m % 8)) - 1; + *data[0] &= clear_bit_mask; + } + + /* 3. Convert the string to integer k by decoding it as a + * big-endian byte string. + */ + MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary( &k, *data, m_bytes)); + + /* 4. If k > N - 2, discard the result and return to step 1. + * Result of comparison is returned. When it indicates error + * then this fuction is called again. 
+ */ + MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &diff_N_2, &ecp_group.N, 2) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &k, diff_N_2.n ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( &diff_N_2, &k, &key_out_of_range ) ); } - /* 3. Convert the string to integer k by decoding it as a - * big-endian byte string. - */ - MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary( &k, *data, m_bytes)); - - /* 4. If k > N - 2, discard the result and return to step 1. - * Result of comparison is returned. When it indicates error - * then this fuction is called again. - */ - MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &diff_N_2, &N, 2) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &k, diff_N_2.n ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( &diff_N_2, &k, key_out_of_range ) ); - /* 5. Output k + 1 as the private key. */ MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &k, &k, 1)); MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &k, *data, m_bytes) ); @@ -4943,7 +4947,6 @@ cleanup: *data = NULL; } mbedtls_mpi_free( &k ); - mbedtls_mpi_free( &N ); mbedtls_mpi_free( &diff_N_2 ); return( status ); } 
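Review bot: The step 4 comment still says `When it indicates error then this fuction is called again`, but after this change the retry is the `while ( key_out_of_range )` loop inside the helper and the comparison result is no longer returned to the caller. I would reword it to `If k > N - 2, key_out_of_range is set and the loop draws a fresh byte string.` A short comment at the loop head would also help: it ends either with an in-range k or when `psa_key_derivation_output_bytes()` returns an error, and each pass consumes `m_bytes` of the operation's output. The helper's signature and cleanup code lie outside this hunk.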
@@ -4961,22 +4964,17 @@ static psa_status_t psa_generate_derived_key_internal( #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) if ( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ); - if ( curve != PSA_ECC_FAMILY_MONTGOMERY ) + if ( PSA_ECC_FAMILY_IS_WEIERSTRASS( curve ) ) { /* Weierstrass elliptic curve */ - unsigned key_out_of_range = 0; - do - { - status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data, &key_out_of_range); - if( status != PSA_SUCCESS ) - goto exit; - } while ( key_out_of_range ); + status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data); + if( status != PSA_SUCCESS ) + goto exit; } else { @@ -5016,7 +5014,7 @@ static psa_status_t psa_generate_derived_key_internal( data[55] |= 128; break; default: - /* already handled */ + /* should never happen */ break; } } From aeaa4f0651812255728d4035ca127f7d878f504f Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Mon, 21 Feb 2022 08:17:43 +0100 Subject: [PATCH 23/34] Code optimization - fix codding style - fix comments and descriptions - add helper function for montgomery curve - move N-2 calculation outside the loop - fix access to bytes: *data[x] -> (*data)[x] Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 149 +++++++++++++++--------- tests/suites/test_suite_psa_crypto.data | 4 +- 2 files changed, 93 insertions(+), 60 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index eab499322..f8a2ae4e3 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
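Review bot: With the condition changed to `PSA_ECC_FAMILY_IS_WEIERSTRASS( curve )`, the `else` branch now receives every non-Weierstrass family rather than only `PSA_ECC_FAMILY_MONTGOMERY`. Unless a check outside this diff rejects it first, a Twisted Edwards key type with 255 or 448 bits would be clamped as if it were a Montgomery key. The branch should test the family explicitly, for example `else if( curve == PSA_ECC_FAMILY_MONTGOMERY )` followed by `else return( PSA_ERROR_NOT_SUPPORTED );`. The branch body continues outside this hunk, and the same dispatch is carried into the refactored `psa_generate_derived_key_internal` in the next patch.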
@@ -4850,6 +4850,9 @@ static void psa_des_set_key_parity( uint8_t *data, size_t data_size ) * * - [SP800-56A] §5.6.1.2.2 or FIPS Publication 186-4: Digital Signature * Standard (DSS) [FIPS186-4] §B.4.2 for elliptic curve keys. +* +* Note: Function allocates memory for *data buffer, so given *data should be +* always NULL. */ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ @@ -4865,9 +4868,7 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( unsigned key_out_of_range = 1; mbedtls_mpi k; mbedtls_mpi diff_N_2; - /* ret variable is initialized to 0 as it is - used only by MBEDTLS_MPI_CHK macro */ - int ret = 0; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_GENERIC_ERROR; mbedtls_mpi_init( &k ); @@ -4880,15 +4881,14 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( if( grp_id == MBEDTLS_ECP_DP_NONE ) { - status = PSA_ERROR_INVALID_ARGUMENT; + ret = MBEDTLS_ERR_ASN1_INVALID_DATA; goto cleanup; } mbedtls_ecp_group ecp_group; mbedtls_ecp_group_init( &ecp_group ); - if( ( status = mbedtls_to_psa_error( mbedtls_ecp_group_load( &ecp_group, grp_id ) ) ) != 0 ) - goto cleanup; + MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ecp_group, grp_id ) ); /* N is the boundary of the private key domain (ecp_group.N). */ /* Let m be the bit size of N. */ @@ -4896,12 +4896,15 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( size_t m_bytes = PSA_BITS_TO_BYTES( m ); + /* Calculate N - 2 - it will be needed later. */ + MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &diff_N_2, &ecp_group.N, 2 ) ); + /* Note: This function is always called with *data == NULL and it * allocates memory for the data buffer. */ *data = mbedtls_calloc( 1, m_bytes ); if( *data == NULL ) { - status = PSA_ERROR_INSUFFICIENT_MEMORY; + ret = MBEDTLS_ERR_ASN1_ALLOC_FAILED; goto cleanup; } 
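Review bot: The `grp_id == MBEDTLS_ECP_DP_NONE` branch and the failed `mbedtls_calloc` branch in the following hunk now set `ret` to `MBEDTLS_ERR_ASN1_INVALID_DATA` and `MBEDTLS_ERR_ASN1_ALLOC_FAILED`. These are ASN.1 parser codes, used here only so that `mbedtls_to_psa_error( ret )` at `cleanup` yields the intended PSA status. That ties an ECC key-derivation helper to the error mapping of an unrelated module, which is not visible in this diff. Setting the PSA status directly reads more clearly: `ret = 0; status = PSA_ERROR_INVALID_ARGUMENT; goto cleanup;`, and likewise `PSA_ERROR_INSUFFICIENT_MEMORY` for the allocation failure.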
@@ -4912,37 +4915,36 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( goto cleanup; /* 2. If m is not a multiple of 8 */ - if (m % 8) + if ( m % 8 != 0 ) { /* Set the most significant - * (8 * ceiling(m/8) - m) bits of the first byte in - * the string to zero. - */ - uint8_t clear_bit_mask = (1 << (m % 8)) - 1; - *data[0] &= clear_bit_mask; + * (8 * ceiling(m/8) - m) bits of the first byte in + * the string to zero. + */ + uint8_t clear_bit_mask = ( 1 << ( m % 8 ) ) - 1; + (*data)[0] &= clear_bit_mask; } /* 3. Convert the string to integer k by decoding it as a * big-endian byte string. */ - MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary( &k, *data, m_bytes)); + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &k, *data, m_bytes ) ); /* 4. If k > N - 2, discard the result and return to step 1. * Result of comparison is returned. When it indicates error * then this fuction is called again. */ - MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &diff_N_2, &ecp_group.N, 2) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &k, diff_N_2.n ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( &diff_N_2, &k, &key_out_of_range ) ); } /* 5. Output k + 1 as the private key. */ - MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &k, &k, 1)); - MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &k, *data, m_bytes) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &k, &k, 1 ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &k, *data, m_bytes ) ); cleanup: - if( ret ) + if( ret != 0 ) status = mbedtls_to_psa_error( ret ); - if (status) { + if ( status != PSA_SUCCESS ) { mbedtls_free( *data ); *data = NULL; } 
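Review bot: On any failure after the first draw, `cleanup` releases `*data` with a plain `mbedtls_free( *data )`, but by then the buffer holds key-derivation output (a candidate private key) and it goes back to the allocator unwiped. I would wipe it first with `if( *data != NULL ) mbedtls_platform_zeroize( *data, m_bytes );`. That needs `m_bytes` declared and set to 0 before the first `goto cleanup`, since it is currently declared after one. The function starts outside this hunk.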
@@ -4950,6 +4952,71 @@ cleanup: mbedtls_mpi_free( &diff_N_2 ); return( status ); } + +/* ECC keys on a Montgomery elliptic curve draws a byte string whose length + * is determined by the curve, and sets the mandatory bits accordingly. That is: + * + * - Curve25519 (PSA_ECC_FAMILY_MONTGOMERY, 255 bits): + * draw a 32-byte string and process it as specified in + * Elliptic Curves for Security [RFC7748] §5. + * + * - Curve448 (PSA_ECC_FAMILY_MONTGOMERY, 448 bits): + * draw a 56-byte string and process it as specified in [RFC7748] §5. + * + * Note: Function allocates memory for *data buffer, so given *data should be + * always NULL. + */ + +static psa_status_t psa_generate_derived_ecc_key_montgomery_helper( + size_t bits, + psa_key_derivation_operation_t *operation, + uint8_t **data + ) +{ + size_t output_length; + psa_status_t status = PSA_ERROR_GENERIC_ERROR; + + switch( bits ) + { + case 255: + output_length = 32; + break; + case 448: + output_length = 56; + break; + default: + return( PSA_ERROR_INVALID_ARGUMENT ); + break; + } + + *data = mbedtls_calloc( 1, output_length ); + + if( *data == NULL ) + return( PSA_ERROR_INSUFFICIENT_MEMORY ); + + status = psa_key_derivation_output_bytes( operation, *data, output_length ); + + if( status != PSA_SUCCESS ) + return status; + + switch( bits ) + { + case 255: + (*data)[0] &= 248; + (*data)[31] &= 127; + (*data)[31] |= 64; + break; + case 448: + (*data)[0] &= 252; + (*data)[55] |= 128; + break; + default: + /* should never happen */ + break; + } + + return status; +} #endif static psa_status_t psa_generate_derived_key_internal( 
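Review bot: When `psa_key_derivation_output_bytes` fails, `psa_generate_derived_ecc_key_montgomery_helper` returns with `*data` still allocated, whereas the Weierstrass helper frees the buffer and sets `*data = NULL` on every error path. Both helpers document the same "allocates *data" contract and should behave the same way on failure. Adding `mbedtls_free( *data ); *data = NULL;` before the `return status;` keeps the caller from having to know which helper leaves a buffer behind (the caller's `exit` path is not visible here). The header comment would also read better as "ECC keys on a Montgomery elliptic curve are derived by drawing a byte string whose length is determined by the curve and setting the mandatory bits accordingly."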
@@ -4972,57 +5039,21 @@ static psa_status_t psa_generate_derived_key_internal( if ( PSA_ECC_FAMILY_IS_WEIERSTRASS( curve ) ) { /* Weierstrass elliptic curve */ - status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data); + status = psa_generate_derived_ecc_key_weierstrass_helper( slot, bits, operation, &data ); if( status != PSA_SUCCESS ) goto exit; } else { /* Montgomery elliptic curve */ - size_t output_length; - switch( bits ) - { - case 255: - output_length = 32; - break; - case 448: - output_length = 56; - break; - default: - return( PSA_ERROR_INVALID_ARGUMENT ); - break; - } - - data = mbedtls_calloc( 1, bytes ); - if( data == NULL ) - return( PSA_ERROR_INSUFFICIENT_MEMORY ); - - status = psa_key_derivation_output_bytes( operation, data, output_length ); - + status = psa_generate_derived_ecc_key_montgomery_helper( bits, operation, &data ); if( status != PSA_SUCCESS ) goto exit; - - switch( bits ) - { - case 255: - data[0] &= 248; - data[31] &= 127; - data[31] |= 64; - break; - case 448: - data[0] &= 252; - data[55] |= 128; - break; - default: - /* should never happen */ - break; - } } } else #endif + if( key_type_is_raw_bytes( slot->attr.type ) ) { - if( ! key_type_is_raw_bytes( slot->attr.type ) ) - return( PSA_ERROR_INVALID_ARGUMENT ); if( bits % 8 != 0 ) return( PSA_ERROR_INVALID_ARGUMENT ); data = mbedtls_calloc( 1, bytes ); @@ -5037,6 +5068,8 @@ static psa_status_t psa_generate_derived_key_internal( psa_des_set_key_parity( data, bytes ); #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */ } + else + return( PSA_ERROR_INVALID_ARGUMENT ); slot->attr.bits = (psa_key_bits_t) bits; psa_key_attributes_t attributes = { diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index b0ee41267..fb7eede64 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -5147,7 +5147,7 @@ PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_521 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fa":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):521:"01122f37d10965c8455ecbd2bc73d5da5347d0ce772e54305d528295a64ffb7c567f5042e2d7e5803b407c08d1e110adcefc35564035d706582f723a2f76a32260da" -# For Curve25519, test a few different outputs to exercise masking. +# For Curve25519, test a few different outputs to exercise masking (last byte of input_2 variation). PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"38b25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c57f" 
@@ -5176,7 +5176,7 @@ PSA key derivation: HKDF-SHA-256 -> ECC curve25519 #7 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8ff":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:"c89d06c33cec5b3d08221a7228050e6919150a43592ae710162c97c0a2855b65" -# For Curve448, test a few different outputs to exercise masking. +# For Curve448, test a few different outputs to exercise masking (last byte of input_2 variation). PSA key derivation: HKDF-SHA-256 -> ECC curve448 #1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448 derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865b4b0a85a993b89b9b65683d60f81" From 76960a7217e47cc18d225dbd2d00d47016a601db Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Mon, 21 Feb 2022 13:42:09 +0100 Subject: [PATCH 24/34] mbedtls_mpi_read_binary() document that function guarantees to return an MPI with exactly the necessary number of limbs and remove redundant call to mbedtls_mpi_grow() Signed-off-by: Przemyslaw Stekiel --- library/bignum.c | 6 ++++++ library/psa_crypto.c | 1 - 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/library/bignum.c b/library/bignum.c index a7e3fa3de..288f85932 100644 --- a/library/bignum.c +++ b/library/bignum.c 
@@ -785,6 +785,9 @@ static void mpi_bigendian_to_host( mbedtls_mpi_uint * const p, size_t limbs ) /* * Import X from unsigned binary data, little endian + * + * This function is guaranteed to return an MPI with exactly the necessary + * number of limbs (in particular, it does not skip 0s in the input). */ int mbedtls_mpi_read_binary_le( mbedtls_mpi *X, const unsigned char *buf, size_t buflen ) @@ -811,6 +814,9 @@ cleanup: /* * Import X from unsigned binary data, big endian + * + * This function is guaranteed to return an MPI with exactly the necessary + * number of limbs (in particular, it does not skip 0s in the input). */ int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen ) { diff --git a/library/psa_crypto.c b/library/psa_crypto.c index f8a2ae4e3..36a1b0c90 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4934,7 +4934,6 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( * Result of comparison is returned. When it indicates error * then this fuction is called again. */ - MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &k, diff_N_2.n ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( &diff_N_2, &k, &key_out_of_range ) ); } From 91ebfc040216d9cb50278b11c5c832f8865947da Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Tue, 22 Feb 2022 15:50:30 +0100 Subject: [PATCH 25/34] Adapt compilation flags for ECC key derivation Use conditional compilation flags for building ECC key derivation code consistent with flags used for mbedtls_ecc_group_of_psa(). Signed-off-by: Przemyslaw Stekiel --- library/psa_crypto.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 36a1b0c90..cfff2aba8 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
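Review bot: In the `psa_crypto.c` hunk, dropping `mbedtls_mpi_grow( &k, diff_N_2.n )` leaves `mbedtls_mpi_lt_mpi_ct( &diff_N_2, &k, &key_out_of_range )` dependent on both operands having the same number of limbs, which as far as I know that function requires and otherwise reports as bad input. The new bignum comment covers `k`, but nothing here states why `diff_N_2`, produced by `mbedtls_mpi_sub_int` from `ecp_group.N`, has the same limb count for every supported curve. I would record the invariant at the call, e.g. `/* k has exactly the limbs needed for m_bytes; diff_N_2 must have the same count for the constant-time compare. */`, or keep the grow as a cheap safety net. The enclosing function starts and ends outside this hunk.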
@@ -4856,8 +4856,9 @@ static void psa_des_set_key_parity( uint8_t *data, size_t data_size ) */ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( psa_key_slot_t *slot, size_t bits, @@ -5030,8 +5031,9 @@ static psa_status_t psa_generate_derived_key_internal( #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) if ( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ); From dcab6ccb3b18fca4e08ad32ddb6aaef1e9700247 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 1 Mar 2022 14:22:29 +0100 Subject: [PATCH 26/34] Return PSA_ERROR_INVALID_ARGUMENT for a public key, and PSA_ERROR_NOT_SUPPORTED for a type that is not handled. Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 6 +++++- tests/suites/test_suite_psa_crypto.data | 16 ++++++++++++++-- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index cfff2aba8..8eb0ba718 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -5034,6 +5034,10 @@ static psa_status_t psa_generate_derived_key_internal( defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) + + if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) ) + return( PSA_ERROR_INVALID_ARGUMENT ); + if ( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ); @@ -5070,7 +5074,7 @@ static psa_status_t psa_generate_derived_key_internal( #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */ } else - return( PSA_ERROR_INVALID_ARGUMENT ); + return( PSA_ERROR_NOT_SUPPORTED ); slot->attr.bits = (psa_key_bits_t) bits; psa_key_attributes_t attributes = { diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index fb7eede64..ff5dae38d 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
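Review bot: The new `PSA_KEY_TYPE_IS_PUBLIC_KEY` rejection is placed after the `#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || ...` line, so in a build without built-in ECC a public key type falls through to the final `else` and gets `PSA_ERROR_NOT_SUPPORTED` instead of `PSA_ERROR_INVALID_ARGUMENT`. The test cases added in this same patch for `PSA_KEY_TYPE_RSA_PUBLIC_KEY` and `PSA_KEY_TYPE_ECC_PUBLIC_KEY` depend only on HKDF and SHA-256 and expect `PSA_ERROR_INVALID_ARGUMENT`, so they would presumably fail in such a configuration. Placing the check above the `#if` in this patch, as a later patch in the series does, keeps each commit passing on its own.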
@@ -5207,11 +5207,23 @@ derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0 PSA key derivation: invalid type (0) depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 -derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_NONE:128:PSA_ERROR_INVALID_ARGUMENT:0 +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_NONE:128:PSA_ERROR_NOT_SUPPORTED:0 PSA key derivation: invalid type (PSA_KEY_TYPE_CATEGORY_MASK) depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 -derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_CATEGORY_MASK:128:PSA_ERROR_INVALID_ARGUMENT:0 +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_CATEGORY_MASK:128:PSA_ERROR_NOT_SUPPORTED:0 + +PSA key derivation: invalid type (PSA_KEY_TYPE_RSA_PUBLIC_KEY) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_RSA_PUBLIC_KEY:128:PSA_ERROR_INVALID_ARGUMENT:0 + +PSA key derivation: invalid type (PSA_KEY_TYPE_RSA_KEY_PAIR) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_RSA_KEY_PAIR:128:PSA_ERROR_NOT_SUPPORTED:0 + +PSA key derivation: invalid type (PSA_KEY_TYPE_ECC_PUBLIC_KEY) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 
+derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8ff":PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_MONTGOMERY):448:PSA_ERROR_INVALID_ARGUMENT:0 PSA key derivation: invalid length PSA_KEY_TYPE_RAW_DATA (0) depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 From f110dc05beb1f6df67e3f86adaaa5686e4f38d91 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 1 Mar 2022 14:48:05 +0100 Subject: [PATCH 27/34] Clenup conditional compilation flags. Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 31 +++++++------------------------ 1 file changed, 7 insertions(+), 24 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 8eb0ba718..6435f2952 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -325,11 +325,7 @@ psa_status_t mbedtls_to_psa_error( int ret ) /* Key management */ /****************************************************************/ -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve, size_t bits, int bits_is_sloppy ) @@ -424,11 +420,7 @@ mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve, (void) bits_is_sloppy; return( MBEDTLS_ECP_DP_NONE ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */ psa_status_t psa_validate_unstructured_key_bit_size( psa_key_type_t type, size_t bits ) 
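Review bot: Narrowing the guard around `mbedtls_ecc_group_of_psa` to `MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR` removes the function from builds that enable only built-in ECC public keys, ECDSA or ECDH, which the previous condition covered. The function is not `static`, so any caller compiled under one of those other options would no longer link. Callers are outside this diff, so this needs checking against a configuration with `MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY` but without the key-pair option. For the two derivation helpers and the ECC branch of `psa_generate_derived_key_internal` (later hunks of this patch) the narrower guard is reasonable, since only key pairs are derived there. I would keep the original condition on `mbedtls_ecc_group_of_psa` and narrow only the derivation code.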
@@ -4854,11 +4846,7 @@ static void psa_des_set_key_parity( uint8_t *data, size_t data_size ) * Note: Function allocates memory for *data buffer, so given *data should be * always NULL. */ -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( psa_key_slot_t *slot, size_t bits, @@ -5017,7 +5005,7 @@ static psa_status_t psa_generate_derived_ecc_key_montgomery_helper( return status; } -#endif +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */ static psa_status_t psa_generate_derived_key_internal( psa_key_slot_t *slot, @@ -5029,12 +5017,7 @@ static psa_status_t psa_generate_derived_key_internal( size_t storage_size = bytes; psa_status_t status; -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) - +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); @@ -5056,7 +5039,7 @@ static psa_status_t psa_generate_derived_key_internal( goto exit; } } else -#endif +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */ if( key_type_is_raw_bytes( slot->attr.type ) ) { if( bits % 8 != 0 ) 
@@ -5071,7 +5054,7 @@ static psa_status_t psa_generate_derived_key_internal( #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) if( slot->attr.type == PSA_KEY_TYPE_DES ) psa_des_set_key_parity( data, bytes ); -#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) */ } else return( PSA_ERROR_NOT_SUPPORTED ); From a81aed2dae61c3f4575253ac6aaa33de6f4014d6 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 1 Mar 2022 15:13:30 +0100 Subject: [PATCH 28/34] Clean up init values of psa crypto status and fix switch default case Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 6435f2952..9178e23d2 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4858,7 +4858,7 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( mbedtls_mpi k; mbedtls_mpi diff_N_2; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - psa_status_t status = PSA_ERROR_GENERIC_ERROR; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; mbedtls_mpi_init( &k ); mbedtls_mpi_init( &diff_N_2 ); @@ -4962,7 +4962,7 @@ static psa_status_t psa_generate_derived_ecc_key_montgomery_helper( ) { size_t output_length; - psa_status_t status = PSA_ERROR_GENERIC_ERROR; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; switch( bits ) { @@ -4999,7 +4999,7 @@ static psa_status_t psa_generate_derived_ecc_key_montgomery_helper( (*data)[55] |= 128; break; default: - /* should never happen */ + return( PSA_ERROR_CORRUPTION_DETECTED ); break; } @@ -5015,7 +5015,7 @@ static psa_status_t psa_generate_derived_key_internal( uint8_t *data = NULL; size_t bytes = PSA_BITS_TO_BYTES( bits ); size_t storage_size = bytes; - psa_status_t status; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) ) 
From 15565eeb59e41d204a38897977361151b255adaa Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 1 Mar 2022 17:01:39 +0100 Subject: [PATCH 29/34] Move publick key check out of MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 9178e23d2..233d50044 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -5017,10 +5017,10 @@ static psa_status_t psa_generate_derived_key_internal( size_t storage_size = bytes; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) if ( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ); From 4400be408b4959531304527c7332ddfd7b308055 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 1 Mar 2022 17:02:46 +0100 Subject: [PATCH 30/34] Adapt test cases for invalid bits with and without ECC keys enabled Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_psa_crypto.data | 73 +++++++++++++++++++------ 1 file changed, 57 insertions(+), 16 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index ff5dae38d..ba74632d1 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -5239,81 +5239,122 @@ depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):0:PSA_ERROR_INVALID_ARGUMENT:0 -PSA key derivation: bits=7 invalid for ECC SECP_R1 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +PSA key derivation: bits=7 invalid for ECC SECP_R1 (ECC enabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):7:PSA_ERROR_INVALID_ARGUMENT:0 +PSA key derivation: bits=7 invalid for ECC SECP_R1 (ECC disabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):7:PSA_ERROR_NOT_SUPPORTED:0 + PSA key derivation: bits=0 invalid for ECC SECP_K1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):0:PSA_ERROR_INVALID_ARGUMENT:0 -PSA key derivation: bits=7 invalid for ECC SECP_K1 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +PSA key derivation: bits=7 invalid for ECC SECP_K1 (ECC enabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR # The spec allows either INVALID_ARGUMENT or 
NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):7:PSA_ERROR_INVALID_ARGUMENT:0 +PSA key derivation: bits=7 invalid for ECC SECP_K1 (ECC disabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):7:PSA_ERROR_NOT_SUPPORTED:0 + PSA key derivation: bits=0 invalid for ECC SECP_R2 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2):0:PSA_ERROR_INVALID_ARGUMENT:0 -PSA key derivation: bits=7 invalid for ECC SECP_R2 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +PSA key derivation: bits=7 invalid for ECC SECP_R2 (ECC enabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2):7:PSA_ERROR_INVALID_ARGUMENT:0 +PSA key derivation: bits=7 invalid for ECC SECP_R2 (ECC disabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED 
+derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2):7:PSA_ERROR_NOT_SUPPORTED:0 + PSA key derivation: bits=0 invalid for ECC SECT_K1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):0:PSA_ERROR_INVALID_ARGUMENT:0 -PSA key derivation: bits=7 invalid for ECC SECT_K1 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +PSA key derivation: bits=7 invalid for ECC SECT_K1 (ECC enabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):7:PSA_ERROR_INVALID_ARGUMENT:0 +PSA key derivation: bits=7 invalid for ECC SECT_K1 (ECC disabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):7:PSA_ERROR_NOT_SUPPORTED:0 + PSA key derivation: bits=0 invalid for ECC SECT_R1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):0:PSA_ERROR_INVALID_ARGUMENT:0 -PSA key derivation: bits=7 invalid for ECC SECT_R1 
-depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +PSA key derivation: bits=7 invalid for ECC SECT_R1 (ECC enabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):7:PSA_ERROR_INVALID_ARGUMENT:0 +PSA key derivation: bits=7 invalid for ECC SECT_R1 (ECC disabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):7:PSA_ERROR_NOT_SUPPORTED:0 + PSA key derivation: bits=0 invalid for ECC SECT_R2 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2):0:PSA_ERROR_INVALID_ARGUMENT:0 -PSA key derivation: bits=7 invalid for ECC SECT_R2 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +PSA key derivation: bits=7 invalid for ECC SECT_R2 (ECC enabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2):7:PSA_ERROR_INVALID_ARGUMENT:0 +PSA key derivation: bits=7 invalid for ECC SECT_R2 (ECC disabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR +# The spec allows either 
INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2):7:PSA_ERROR_NOT_SUPPORTED:0 + PSA key derivation: bits=0 invalid for ECC BRAINPOOL_P_R1 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):0:PSA_ERROR_INVALID_ARGUMENT:0 -PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1 (ECC enabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):7:PSA_ERROR_INVALID_ARGUMENT:0 +PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1 (ECC disabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):7:PSA_ERROR_NOT_SUPPORTED:0 + PSA key derivation: bits=0 invalid for ECC MONTGOMERY depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED 
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):0:PSA_ERROR_INVALID_ARGUMENT:0 -PSA key derivation: bits=7 invalid for ECC MONTGOMERY -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 +PSA key derivation: bits=7 invalid for ECC MONTGOMERY (ECC enabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):7:PSA_ERROR_INVALID_ARGUMENT:0 +PSA key derivation: bits=7 invalid for ECC MONTGOMERY (ECC disabled) +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):7:PSA_ERROR_NOT_SUPPORTED:0 + + PSA key derivation: raw data, 8 bits depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_RAW_DATA:8:PSA_SUCCESS:0 From f25b16caddca6e0ef2d52164f200e779e97a07ae Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Fri, 4 Mar 2022 14:25:09 +0100 Subject: [PATCH 31/34] test_psa_compliance: update tag to fix-pr-5139-3 Signed-off-by: Przemek Stekiel --- tests/scripts/test_psa_compliance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/test_psa_compliance.py b/tests/scripts/test_psa_compliance.py index 182fa39ee..3e7a9a6d5 100755 --- a/tests/scripts/test_psa_compliance.py 
+++ b/tests/scripts/test_psa_compliance.py @@ -47,7 +47,7 @@ EXPECTED_FAILURES = { # # Web URL: https://github.com/bensze01/psa-arch-tests/tree/fixes-for-mbedtls-3 PSA_ARCH_TESTS_REPO = 'https://github.com/bensze01/psa-arch-tests.git' -PSA_ARCH_TESTS_REF = 'fix-pr-5139-2' +PSA_ARCH_TESTS_REF = 'fix-pr-5139-3' #pylint: disable=too-many-branches,too-many-statements def main(): From 7fc0751f78c499ff8f096f1e16ba924f46559175 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Fri, 4 Mar 2022 14:41:11 +0100 Subject: [PATCH 32/34] Restore build options for mbedtls_ecc_group_of_psa() and related functions Additional issue created to simplifiy usage of BUILTIN_KEY_TYPE_xxx && BUILTIN_ALG_yy macros https://github.com/ARMmbed/mbedtls/issues/5596 Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 36 ++++++++++++++++++++++++++++++------ 1 file changed, 30 insertions(+), 6 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 233d50044..cdefcf854 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -325,7 +325,11 @@ psa_status_t mbedtls_to_psa_error( int ret ) /* Key management */ /****************************************************************/ -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve, size_t bits, int bits_is_sloppy ) 
@@ -420,7 +424,11 @@ mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve, (void) bits_is_sloppy; return( MBEDTLS_ECP_DP_NONE ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */ psa_status_t psa_validate_unstructured_key_bit_size( psa_key_type_t type, size_t bits ) @@ -4846,7 +4854,11 @@ static void psa_des_set_key_parity( uint8_t *data, size_t data_size ) * Note: Function allocates memory for *data buffer, so given *data should be * always NULL. */ -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( psa_key_slot_t *slot, size_t bits, @@ -5005,7 +5017,11 @@ static psa_status_t psa_generate_derived_ecc_key_montgomery_helper( return status; } -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */ static psa_status_t psa_generate_derived_key_internal( psa_key_slot_t *slot, 
@@ -5020,7 +5036,11 @@ static psa_status_t psa_generate_derived_key_internal( if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) if ( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ); @@ -5039,7 +5059,11 @@ static psa_status_t psa_generate_derived_key_internal( goto exit; } } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */ if( key_type_is_raw_bytes( slot->attr.type ) ) { if( bits % 8 != 0 ) From c85f0912c40ab867240a754003ae53f7ac2b662f Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 8 Mar 2022 11:37:54 +0100 Subject: [PATCH 33/34] psa_crypto.c, test_suite_psa_crypto.function: fix style Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 12 ++++++------ tests/suites/test_suite_psa_crypto.function | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index cdefcf854..d9c8235c8 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
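Review bot: In the `@@ -5020,7 +5036,11 @@` hunk the ECC branch of `psa_generate_derived_key_internal` yields private-key material, but its guard is now also true when only `MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY`, ECDSA or ECDH is built in. The test data earlier in this series keys the expected status for an ECC key pair on `PSA_WANT_KEY_TYPE_ECC_KEY_PAIR` alone (`PSA_ERROR_NOT_SUPPORTED` when it is off). A configuration without key-pair support but with one of the other four macros would enter this branch, and what it returns there is not visible in the hunk. If the wider condition is only there because the ECC helpers presumably need `mbedtls_ecc_group_of_psa()`, say so next to the guard, e.g. `/* Same condition as mbedtls_ecc_group_of_psa(), which the ECC derivation helpers rely on. */`, and add a test dependency for such a configuration. The same applies to the closing guard in the `@@ -5039,7 +5059,11 @@` hunk and to the helper guards in the `-4846` and `-5005` hunks; the function body starts and ends outside these hunks.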
@@ -4909,14 +4909,14 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( goto cleanup; } - while ( key_out_of_range ) + while( key_out_of_range ) { /* 1. Draw a byte string of length ceiling(m/8) bytes. */ - if ( ( status = psa_key_derivation_output_bytes( operation, *data, m_bytes ) ) != 0 ) + if( ( status = psa_key_derivation_output_bytes( operation, *data, m_bytes ) ) != 0 ) goto cleanup; /* 2. If m is not a multiple of 8 */ - if ( m % 8 != 0 ) + if( m % 8 != 0 ) { /* Set the most significant * (8 * ceiling(m/8) - m) bits of the first byte in @@ -4944,7 +4944,7 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( cleanup: if( ret != 0 ) status = mbedtls_to_psa_error( ret ); - if ( status != PSA_SUCCESS ) { + if( status != PSA_SUCCESS ) { mbedtls_free( *data ); *data = NULL; } @@ -5041,10 +5041,10 @@ static psa_status_t psa_generate_derived_key_internal( defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) - if ( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) + if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ); - if ( PSA_ECC_FAMILY_IS_WEIERSTRASS( curve ) ) + if( PSA_ECC_FAMILY_IS_WEIERSTRASS( curve ) ) { /* Weierstrass elliptic curve */ status = psa_generate_derived_ecc_key_weierstrass_helper( slot, bits, operation, &data ); diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index f21aa6e34..b7c037131 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function 
@@ -6784,11 +6784,11 @@ void derive_key_type( int alg_arg, PSA_ASSERT( psa_import_key( &base_attributes, key_data->x, key_data->len, &base_key ) ); - if( !mbedtls_test_psa_setup_key_derivation_wrap( + if( mbedtls_test_psa_setup_key_derivation_wrap( &operation, base_key, alg, input1->x, input1->len, input2->x, input2->len, - PSA_KEY_DERIVATION_UNLIMITED_CAPACITY ) ) + PSA_KEY_DERIVATION_UNLIMITED_CAPACITY ) == 0 ) goto exit; psa_set_key_usage_flags( &derived_attributes, PSA_KEY_USAGE_EXPORT ); From b38f797a244c0f91f98ac5c3f6d1a72550c331d2 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Fri, 11 Mar 2022 14:12:34 +0100 Subject: [PATCH 34/34] Add change log entry for psa ECC key derivation Signed-off-by: Przemek Stekiel --- ChangeLog.d/psa_crypto_key_derivation_for_ECC_keys.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/psa_crypto_key_derivation_for_ECC_keys.txt diff --git a/ChangeLog.d/psa_crypto_key_derivation_for_ECC_keys.txt b/ChangeLog.d/psa_crypto_key_derivation_for_ECC_keys.txt new file mode 100644 index 000000000..393fa8deb --- /dev/null +++ b/ChangeLog.d/psa_crypto_key_derivation_for_ECC_keys.txt @@ -0,0 +1,3 @@ +Features + * Add support for psa crypto key derivation for elliptic curve + keys. Fixes #3260.
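Review bot: The rewritten condition in `derive_key_type` jumps to `exit` when `mbedtls_test_psa_setup_key_derivation_wrap()` returns 0, and nothing in the hunk records a test failure on that path. Next to `PSA_ASSERT`, where 0 means success, `== 0` also reads like a success check. The helper's definition is outside the hunk: if it marks the test failed itself before returning 0, a comment such as `/* returns 0 after recording the failure */` above the `if` would make that clear; otherwise the call should be wrapped in `TEST_ASSERT( ... )` so the test cannot pass without deriving a key. The function starts and ends outside the hunk.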