Merge pull request #6426 from aditya-deshpande-arm/driver-wrapper-key-agreement
Add driver dispatch layer for raw key agreement, along with test call for transparent drivers.
diff --git a/.travis.yml b/.travis.yml
index 67cb3ca..eaf817a 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -25,8 +25,40 @@
- tests/scripts/all.sh -k build_arm_linux_gnueabi_gcc_arm5vte build_arm_none_eabi_gcc_m0plus
- name: full configuration
+ os: linux
+ dist: focal
+ addons:
+ apt:
+ packages:
+ - clang-10
+ - gnutls-bin
script:
- - tests/scripts/all.sh -k test_full_cmake_gcc_asan
+ # Do a manual build+test sequence rather than using all.sh,
+ # because there's no all.sh component that does what we want,
+ # which is a build with Clang >= 10 and ASan, running all the SSL
+ # testing.
+ # - The clang executable in the default PATH is Clang 7 on
+ # Travis's focal instances, but we want Clang >= 10.
+ # - Running all the SSL testing requires a specific set of
+ # OpenSSL and GnuTLS versions and we don't want to bother
+ # with those on Travis.
+ # So we explicitly select clang-10 as the compiler, and we
+ # have ad hoc restrictions on SSL testing based on what is
+ # passing at the time of writing. We will remove these limitations
+ # gradually.
+ - make generated_files
+ - make CC=clang-10 CFLAGS='-Werror -Wall -Wextra -fsanitize=address,undefined -fno-sanitize-recover=all -O2' LDFLAGS='-Werror -Wall -Wextra -fsanitize=address,undefined -fno-sanitize-recover=all'
+ - make test
+ - programs/test/selftest
+ - tests/scripts/test_psa_constant_names.py
+ - tests/ssl-opt.sh
+ # Modern OpenSSL does not support fixed ECDH or null ciphers.
+ - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH-'
+ - tests/scripts/travis-log-failure.sh
+ # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it.
+ - tests/compat.sh -p GnuTLS -e 'CAMELLIA'
+ - tests/scripts/travis-log-failure.sh
+ - tests/context-info.sh
- name: Windows
os: windows
diff --git a/ChangeLog.d/driver-only-hashes.txt b/ChangeLog.d/driver-only-hashes.txt
index 2062bcb..6ccd199 100644
--- a/ChangeLog.d/driver-only-hashes.txt
+++ b/ChangeLog.d/driver-only-hashes.txt
@@ -1,20 +1,19 @@
Features
- * Some crypto modules that previously depended on MD or a low-level hash
- module, either unconditionally (RSA, PK, PKCS5, PKCS12, EC J-PAKE), or
- for some features (PEM for encrypted files), are now able to use PSA
- Crypto instead when the legacy API is not available. This means it is
- now possible to use all features from those modules in configurations
- where the built-in implementations of hashes are excluded and the hashes
- are only provided by PSA drivers. In these configurations, you need to
- call `psa_crypto_init()` before you call any function from those
- modules; this is not required in configurations where the built-in
- implementation is still available. Note that some crypto modules and
- features still depend on the built-in implementation of hashes:
- MBEDTLS_HKDF_C (but the PSA HKDF function do not depend on it),
- MBEDTLS_ENTROPY_C, MBEDTLS_HMAC_DRBG_C and MBEDTLS_ECDSA_DETERMINISTIC.
- In particular, for now, compiling without built-in hashes requires use
- of MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
- * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 no
- longer depend on MD. This means it is now possible to use them in
- configurations where the built-in implementations of hashes are excluded
- and the hashes are only provided by PSA drivers.
+ * Some modules can now use PSA drivers for hashes, including with no
+ built-in implementation present, but only in some configurations.
+ - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
+ hashes from PSA when (and only when) MBEDTLS_MD_C is disabled.
+ - PEM parsing of encrypted files now uses MD-5 from PSA when (and only
+ when) MBEDTLS_MD5_C is disabled.
+ See the documentation of the corresponding macros in mbedtls_config.h for
+ details.
+ Note that some modules are not able to use hashes from PSA yet, including
+ the entropy module. As a consequence, for now the only way to build with
+ all hashes only provided by drivers (no built-in hash) is to use
+ MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
+ * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now
+ properly negotiate/accept hashes based on their availability in PSA.
+ As a consequence, they now work in configurations where the built-in
+ implementations of (some) hashes are excluded and those hashes are only
+ provided by PSA drivers. (See previous entry for limitation on RSA-PSS
+ though: that module only use hashes from PSA when MBEDTLS_MD_C is off).
diff --git a/ChangeLog.d/dtls-connection-id.txt b/ChangeLog.d/dtls-connection-id.txt
new file mode 100644
index 0000000..eb9e216
--- /dev/null
+++ b/ChangeLog.d/dtls-connection-id.txt
@@ -0,0 +1,16 @@
+Features
+ * Add support for DTLS Connection ID as defined by RFC 9146, controlled by
+ MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with
+ mbedtls_ssl_set_cid().
+
+Changes
+ * Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05
+ of the draft, and was marked experimental and disabled by default. It is
+ now no longer experimental, and implements the final version from RFC 9146,
+ which is not interoperable with the draft-05 version. If you need to
+ communicate with peers that use earlier versions of Mbed TLS, you
+ need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT to 1, but then you
+ won't be able to communicate with peers that use the standard (non-draft)
+ version. If you need to interoperate with both classes of peers with the
+ same build of Mbed TLS, please let us know about your situation on the
+ mailing list or GitHub.
diff --git a/ChangeLog.d/ecjpake-in-tls.txt b/ChangeLog.d/ecjpake-in-tls.txt
new file mode 100644
index 0000000..b84caab
--- /dev/null
+++ b/ChangeLog.d/ecjpake-in-tls.txt
@@ -0,0 +1,5 @@
+Features
+ * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
+ Additional PSA key slots will be allocated in the process of such key
+ exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and
+ MBEDTLS_USE_PSA_CRYPTO.
diff --git a/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt b/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt
new file mode 100644
index 0000000..1f9e0aa
--- /dev/null
+++ b/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt
@@ -0,0 +1,5 @@
+Changes
+ * Calling AEAD tag-specific functions for non-AEAD algorithms (which
+ should not be done - they are documented for use only by AES-GCM and
+ ChaCha20+Poly1305) now returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
+ instead of success (0).
diff --git a/ChangeLog.d/move-ssl-modules.txt b/ChangeLog.d/move-ssl-modules.txt
new file mode 100644
index 0000000..f00e5ad
--- /dev/null
+++ b/ChangeLog.d/move-ssl-modules.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Move some SSL-specific code out of libmbedcrypto where it had been placed
+ accidentally.
diff --git a/ChangeLog.d/pkcs7-parser.txt b/ChangeLog.d/pkcs7-parser.txt
new file mode 100644
index 0000000..7f85f0c
--- /dev/null
+++ b/ChangeLog.d/pkcs7-parser.txt
@@ -0,0 +1,13 @@
+Features
+ * Added partial support for parsing the PKCS7 cryptographic message syntax,
+ as defined in RFC 2315. Currently, support is limited to the following:
+ - Only the signed data content type, version 1 is supported.
+ - Only DER encoding is supported.
+ - Only a single digest algorithm per message is supported.
+ - Only 0 or 1, certificate is supported per message, which must be in
+ X509 format.
+ - There is no support for certificate-revocation lists.
+ - The authenticated and unauthenticated attribute fields of SignerInfo
+ must be empty.
+ Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
+ contributing this feature.
diff --git a/ChangeLog.d/psa-ecb-ub.txt b/ChangeLog.d/psa-ecb-ub.txt
new file mode 100644
index 0000000..9d725ac
--- /dev/null
+++ b/ChangeLog.d/psa-ecb-ub.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix undefined behavior (typically harmless in practice) in PSA ECB
+ encryption and decryption.
diff --git a/docs/architecture/tls13-support.md b/docs/architecture/tls13-support.md
index f30590b..85482ba 100644
--- a/docs/architecture/tls13-support.md
+++ b/docs/architecture/tls13-support.md
@@ -478,3 +478,175 @@
* state change: the state change is done in the main state handler to ease
the navigation of the state machine transitions.
+
+
+Writing and reading early or 0-RTT data
+---------------------------------------
+
+An application function to write and send a buffer of data to a server through
+TLS may plausibly look like:
+
+```
+int write_data( mbedtls_ssl_context *ssl,
+ const unsigned char *data_to_write,
+ size_t data_to_write_len,
+ size_t *data_written )
+{
+ *data_written = 0;
+
+ while( *data_written < data_to_write_len )
+ {
+ ret = mbedtls_ssl_write( ssl, data_to_write + *data_written,
+ data_to_write_len - *data_written );
+
+ if( ret < 0 &&
+ ret != MBEDTLS_ERR_SSL_WANT_READ &&
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ {
+ return( ret );
+ }
+
+ *data_written += ret;
+ }
+
+ return( 0 );
+}
+```
+where ssl is the SSL context to use, data_to_write the address of the data
+buffer and data_to_write_len the number of data bytes. The handshake may
+not be completed, not even started for the SSL context ssl when the function is
+called and in that case the mbedtls_ssl_write() API takes care transparently of
+completing the handshake before to write and send data to the server. The
+mbedtls_ssl_write() may not been able to write and send all data in one go thus
+the need for a loop calling it as long as there are still data to write and
+send.
+
+An application function to write and send early data and only early data,
+data sent during the first flight of client messages while the handshake is in
+its initial phase, would look completely similar but the call to
+mbedtls_ssl_write_early_data() instead of mbedtls_ssl_write().
+```
+int write_early_data( mbedtls_ssl_context *ssl,
+ const unsigned char *data_to_write,
+ size_t data_to_write_len,
+ size_t *data_written )
+{
+ *data_written = 0;
+
+ while( *data_written < data_to_write_len )
+ {
+ ret = mbedtls_ssl_write_early_data( ssl, data_to_write + *data_written,
+ data_to_write_len - *data_written );
+
+ if( ret < 0 &&
+ ret != MBEDTLS_ERR_SSL_WANT_READ &&
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ {
+ return( ret );
+ }
+
+ *data_written += ret;
+ }
+
+ return( 0 );
+}
+```
+Note that compared to write_data(), write_early_data() can also return
+MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA and that should be handled
+specifically by the user of write_early_data(). A fresh SSL context (typically
+just after a call to mbedtls_ssl_setup() or mbedtls_ssl_session_reset()) would
+be expected when calling `write_early_data`.
+
+All together, code to write and send a buffer of data as long as possible as
+early data and then as standard post-handshake application data could
+plausibly look like:
+
+```
+ret = write_early_data( ssl, data_to_write, data_to_write_len,
+ &early_data_written );
+if( ret < 0 &&
+ ret != MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA )
+{
+ goto error;
+}
+
+ret = write_data( ssl, data_to_write + early_data_written,
+ data_to_write_len - early_data_written, &data_written );
+if( ret < 0 )
+ goto error;
+
+data_written += early_data_written;
+```
+
+Finally, taking into account that the server may reject early data, application
+code to write and send a buffer of data could plausibly look like:
+```
+ret = write_early_data( ssl, data_to_write, data_to_write_len,
+ &early_data_written );
+if( ret < 0 &&
+ ret != MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA )
+{
+ goto error;
+}
+
+/*
+ * Make sure the handshake is completed as it is a requisite to
+ * mbedtls_ssl_get_early_data_status().
+ */
+while( !mbedtls_ssl_is_handshake_over( ssl ) )
+{
+ ret = mbedtls_ssl_handshake( ssl );
+ if( ret < 0 &&
+ ret != MBEDTLS_ERR_SSL_WANT_READ &&
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ {
+ goto error;
+ }
+}
+
+ret = mbedtls_ssl_get_early_data_status( ssl );
+if( ret < 0 )
+ goto error;
+
+if( ret == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED )
+ early_data_written = 0;
+
+ret = write_data( ssl, data_to_write + early_data_written,
+ data_to_write_len - early_data_written, &data_written );
+if( ret < 0 )
+ goto error;
+
+data_written += early_data_written;
+```
+
+Basically, the same holds for reading early data on the server side without the
+complication of possible rejection. An application function to read early data
+into a given buffer could plausibly look like:
+```
+int read_early_data( mbedtls_ssl_context *ssl,
+ unsigned char *buffer,
+ size_t buffer_size,
+ size_t *data_len )
+{
+ *data_len = 0;
+
+ while( *data_len < buffer_size )
+ {
+ ret = mbedtls_ssl_read_early_data( ssl, buffer + *data_len,
+ buffer_size - *data_len );
+
+ if( ret < 0 &&
+ ret != MBEDTLS_ERR_SSL_WANT_READ &&
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ {
+ return( ret );
+ }
+
+ *data_len += ret;
+ }
+
+ return( 0 );
+}
+```
+with again calls to read_early_data() expected to be done with a fresh SSL
+context.
diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md
index b22d37f..11442ed 100644
--- a/docs/use-psa-crypto.md
+++ b/docs/use-psa-crypto.md
@@ -86,7 +86,6 @@
Current exceptions:
-- EC J-PAKE (when `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED` is defined)
- finite-field (non-EC) Diffie-Hellman (used in key exchanges: DHE-RSA,
DHE-PSK)
diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h
index c359011..1cd20fe 100644
--- a/include/mbedtls/aes.h
+++ b/include/mbedtls/aes.h
@@ -61,11 +61,6 @@
/** Invalid input data. */
#define MBEDTLS_ERR_AES_BAD_INPUT_DATA -0x0021
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h
index 8b66ee2..5e3f387 100644
--- a/include/mbedtls/asn1.h
+++ b/include/mbedtls/asn1.h
@@ -39,8 +39,9 @@
/**
* \name ASN1 Error codes
- * These error codes are OR'ed to X509 error codes for
+ * These error codes are combined with other error codes for
* higher error granularity.
+ * e.g. X.509 and PKCS #7 error codes
* ASN1 is a standard to specify data structures.
* \{
*/
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index 170cbeb..362ce2f 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -53,6 +53,12 @@
#define _CRT_SECURE_NO_DEPRECATE 1
#endif
+/* Define `inline` on some non-C99-compliant compilers. */
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+ !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/mbedtls_config.h"
#else
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 3918639..7f55580 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -903,6 +903,19 @@
#error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)"
#endif
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) && \
+ !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT defined, but not all prerequsites"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 0
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is deprecated and will be removed in a future version of Mbed TLS"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is deprecated and will be removed in a future version of Mbed TLS"
+#endif
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 0 */
+
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \
!defined(MBEDTLS_SSL_PROTO_TLS1_2)
#error "MBEDTLS_SSL_ENCRYPT_THEN_MAC defined, but not all prerequisites"
@@ -1062,6 +1075,14 @@
#error "MBEDTLS_SSL_TRUNCATED_HMAC was removed in Mbed TLS 3.0. See https://github.com/Mbed-TLS/mbedtls/issues/4341"
#endif
+#if defined(MBEDTLS_PKCS7_C) && ( ( !defined(MBEDTLS_ASN1_PARSE_C) ) || \
+ ( !defined(MBEDTLS_OID_C) ) || ( !defined(MBEDTLS_PK_PARSE_C) ) || \
+ ( !defined(MBEDTLS_X509_CRT_PARSE_C) ) ||\
+ ( !defined(MBEDTLS_X509_CRL_PARSE_C) ) || ( !defined(MBEDTLS_BIGNUM_C) ) || \
+ ( !defined(MBEDTLS_MD_C) ) )
+#error "MBEDTLS_PKCS7_C is defined, but not all prerequisites"
+#endif
+
/*
* Avoid warning from -pedantic. This is a convenient place for this
* workaround since this is included by every single file before the
diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h
index a3f52ea..151da1d 100644
--- a/include/mbedtls/cipher.h
+++ b/include/mbedtls/cipher.h
@@ -46,11 +46,6 @@
#define MBEDTLS_CIPHER_MODE_STREAM
#endif
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
/** The selected feature is not available. */
#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080
/** Bad input parameters. */
diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h
index e7ca1b2..3dd3361 100644
--- a/include/mbedtls/ecjpake.h
+++ b/include/mbedtls/ecjpake.h
@@ -113,7 +113,7 @@
* \param curve The identifier of the elliptic curve to use,
* for example #MBEDTLS_ECP_DP_SECP256R1.
* \param secret The pre-shared secret (passphrase). This must be
- * a readable buffer of length \p len Bytes. It need
+ * a readable not empty buffer of length \p len Bytes. It need
* only be valid for the duration of this call.
* \param len The length of the pre-shared secret \p secret.
*
diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h
index eb83913..4a97d65 100644
--- a/include/mbedtls/error.h
+++ b/include/mbedtls/error.h
@@ -26,11 +26,6 @@
#include <stddef.h>
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
/**
* Error code layout.
*
@@ -96,6 +91,7 @@
* ECP 4 10 (Started from top)
* MD 5 5
* HKDF 5 1 (Started from top)
+ * PKCS7 5 12 (Started from 0x5300)
* SSL 5 2 (Started from 0x5F00)
* CIPHER 6 8 (Started from 0x6080)
* SSL 6 22 (Started from top, plus 0x6000)
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 3f869b9..c719073 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1146,6 +1146,11 @@
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
* before doing any PKCS#1 v2.1 operation.
*
+ * \warning When building with MBEDTLS_MD_C, all hashes used with this
+ * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C,
+ * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by
+ * this module in builds where MBEDTLS_MD_C is disabled.
+ *
* This enables support for RSAES-OAEP and RSASSA-PSS operations.
*/
#define MBEDTLS_PKCS1_V21
@@ -1320,21 +1325,16 @@
/**
* \def MBEDTLS_SSL_DTLS_CONNECTION_ID
*
- * Enable support for the DTLS Connection ID extension
- * (version draft-ietf-tls-dtls-connection-id-05,
- * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05)
+ * Enable support for the DTLS Connection ID (CID) extension,
* which allows to identify DTLS connections across changes
- * in the underlying transport.
+ * in the underlying transport. The CID functionality is described
+ * in RFC 9146.
*
* Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`,
* mbedtls_ssl_get_own_cid()`, `mbedtls_ssl_get_peer_cid()` and
* `mbedtls_ssl_conf_cid()`. See the corresponding documentation for
* more information.
*
- * \warning The Connection ID extension is still in draft state.
- * We make no stability promises for the availability
- * or the shape of the API controlled by this option.
- *
* The maximum lengths of outgoing and incoming CIDs can be configured
* through the options
* - MBEDTLS_SSL_CID_OUT_LEN_MAX
@@ -1344,7 +1344,30 @@
*
* Uncomment to enable the Connection ID extension.
*/
-//#define MBEDTLS_SSL_DTLS_CONNECTION_ID
+#define MBEDTLS_SSL_DTLS_CONNECTION_ID
+
+
+/**
+ * \def MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
+ *
+ * Defines whether RFC 9146 (default) or the legacy version
+ * (version draft-ietf-tls-dtls-connection-id-05,
+ * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05)
+ * is used.
+ *
+ * Set the value to 0 for the standard version, and
+ * 1 for the legacy draft version.
+ *
+ * \deprecated Support for the legacy version of the DTLS
+ * Connection ID feature is deprecated. Please
+ * switch to the standardized version defined
+ * in RFC 9146 enabled by utilizing
+ * MBEDTLS_SSL_DTLS_CONNECTION_ID without use
+ * of MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT.
+ *
+ * Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID
+ */
+#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0
/**
* \def MBEDTLS_SSL_ASYNC_PRIVATE
@@ -1648,7 +1671,7 @@
* production.
*
*/
-#define MBEDTLS_SSL_EARLY_DATA
+//#define MBEDTLS_SSL_EARLY_DATA
/**
* \def MBEDTLS_SSL_PROTO_DTLS
@@ -2433,6 +2456,11 @@
*
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
* before doing any EC J-PAKE operations.
+ *
+ * \warning When building with MBEDTLS_MD_C, all hashes used with this
+ * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C,
+ * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by
+ * this module in builds where MBEDTLS_MD_C is disabled.
*/
#define MBEDTLS_ECJPAKE_C
@@ -2777,11 +2805,32 @@
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
* before doing any PKCS5 operation.
*
+ * \warning When building with MBEDTLS_MD_C, all hashes used with this
+ * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C,
+ * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by
+ * this module in builds where MBEDTLS_MD_C is disabled.
+ *
* This module adds support for the PKCS#5 functions.
*/
#define MBEDTLS_PKCS5_C
/**
+ * \def MBEDTLS_PKCS7_C
+ *
+ * Enable PKCS7 core for using PKCS7 formatted signatures.
+ * RFC Link - https://tools.ietf.org/html/rfc2315
+ *
+ * Module: library/pkcs7.c
+ *
+ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
+ * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C,
+ * MBEDTLS_BIGNUM_C, MBEDTLS_MD_C
+ *
+ * This module is required for the PKCS7 parsing modules.
+ */
+#define MBEDTLS_PKCS7_C
+
+/**
* \def MBEDTLS_PKCS12_C
*
* Enable PKCS#12 PBE functions.
@@ -2796,6 +2845,11 @@
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
* before doing any PKCS12 operation.
*
+ * \warning When building with MBEDTLS_MD_C, all hashes used with this
+ * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C,
+ * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by
+ * this module in builds where MBEDTLS_MD_C is disabled.
+ *
* This module enables PKCS#12 functions.
*/
#define MBEDTLS_PKCS12_C
@@ -3661,17 +3715,6 @@
//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
-/** \def MBEDTLS_TLS_EXT_CID
- *
- * At the time of writing, the CID extension has not been assigned its
- * final value. Set this configuration option to make Mbed TLS use a
- * different value.
- *
- * A future minor revision of Mbed TLS may change the default value of
- * this option to match evolving standards and usage.
- */
-//#define MBEDTLS_TLS_EXT_CID 254
-
/**
* Complete list of ciphersuites to use, in order of preference.
*
diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h
index 4ee3f93..e5c4b92 100644
--- a/include/mbedtls/oid.h
+++ b/include/mbedtls/oid.h
@@ -220,6 +220,7 @@
#define MBEDTLS_OID_PKCS MBEDTLS_OID_RSA_COMPANY "\x01" /**< pkcs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) 1 } */
#define MBEDTLS_OID_PKCS1 MBEDTLS_OID_PKCS "\x01" /**< pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } */
#define MBEDTLS_OID_PKCS5 MBEDTLS_OID_PKCS "\x05" /**< pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 } */
+#define MBEDTLS_OID_PKCS7 MBEDTLS_OID_PKCS "\x07" /**< pkcs-7 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 7 } */
#define MBEDTLS_OID_PKCS9 MBEDTLS_OID_PKCS "\x09" /**< pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } */
#define MBEDTLS_OID_PKCS12 MBEDTLS_OID_PKCS "\x0c" /**< pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 12 } */
@@ -301,6 +302,16 @@
#define MBEDTLS_OID_PKCS5_PBE_SHA1_RC2_CBC MBEDTLS_OID_PKCS5 "\x0b" /**< pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11} */
/*
+ * PKCS#7 OIDs
+ */
+#define MBEDTLS_OID_PKCS7_DATA MBEDTLS_OID_PKCS7 "\x01" /**< Content type is Data OBJECT IDENTIFIER ::= {pkcs-7 1} */
+#define MBEDTLS_OID_PKCS7_SIGNED_DATA MBEDTLS_OID_PKCS7 "\x02" /**< Content type is Signed Data OBJECT IDENTIFIER ::= {pkcs-7 2} */
+#define MBEDTLS_OID_PKCS7_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x03" /**< Content type is Enveloped Data OBJECT IDENTIFIER ::= {pkcs-7 3} */
+#define MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x04" /**< Content type is Signed and Enveloped Data OBJECT IDENTIFIER ::= {pkcs-7 4} */
+#define MBEDTLS_OID_PKCS7_DIGESTED_DATA MBEDTLS_OID_PKCS7 "\x05" /**< Content type is Digested Data OBJECT IDENTIFIER ::= {pkcs-7 5} */
+#define MBEDTLS_OID_PKCS7_ENCRYPTED_DATA MBEDTLS_OID_PKCS7 "\x06" /**< Content type is Encrypted Data OBJECT IDENTIFIER ::= {pkcs-7 6} */
+
+/*
* PKCS#8 OIDs
*/
#define MBEDTLS_OID_PKCS9_CSR_EXT_REQ MBEDTLS_OID_PKCS9 "\x0e" /**< extensionRequest OBJECT IDENTIFIER ::= {pkcs-9 14} */
diff --git a/include/mbedtls/pem.h b/include/mbedtls/pem.h
index c75a124..a4c6fb8 100644
--- a/include/mbedtls/pem.h
+++ b/include/mbedtls/pem.h
@@ -27,11 +27,6 @@
#include <stddef.h>
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
/**
* \name PEM Error codes
* These error codes are returned in case of errors reading the
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index 867961d..db0bfac 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -44,11 +44,6 @@
#include "psa/crypto.h"
#endif
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
/** Memory allocation failed. */
#define MBEDTLS_ERR_PK_ALLOC_FAILED -0x3F80
/** Type mismatch, eg attempt to encrypt with an ECDSA key */
diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h
new file mode 100644
index 0000000..52895ac
--- /dev/null
+++ b/include/mbedtls/pkcs7.h
@@ -0,0 +1,241 @@
+/**
+ * \file pkcs7.h
+ *
+ * \brief PKCS7 generic defines and structures
+ * https://tools.ietf.org/html/rfc2315
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Note: For the time being, this implementation of the PKCS7 cryptographic
+ * message syntax is a partial implementation of RFC 2315.
+ * Differences include:
+ * - The RFC specifies 6 different content types. The only type currently
+ * supported in Mbed TLS is the signed data content type.
+ * - The only supported PKCS7 Signed Data syntax version is version 1
+ * - The RFC specifies support for BER. This implementation is limited to
+ * DER only.
+ * - The RFC specifies that multiple digest algorithms can be specified
+ * in the Signed Data type. Only one digest algorithm is supported in Mbed TLS.
+ * - The RFC specifies the Signed Data type can contain multiple X509 or PKCS6
+ * certificates. In Mbed TLS, this list can only contain 0 or 1 certificates
+ * and they must be in X509 format.
+ * - The RFC specifies the Signed Data type can contain
+ * certificate-revocation lists (crls). This implementation has no support
+ * for crls so it is assumed to be an empty list.
+ * - The RFC allows for SignerInfo structure to optionally contain
+ * unauthenticatedAttributes and authenticatedAttributes. In Mbed TLS it is
+ * assumed these fields are empty.
+ */
+
+#ifndef MBEDTLS_PKCS7_H
+#define MBEDTLS_PKCS7_H
+
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/asn1.h"
+#include "mbedtls/x509.h"
+#include "mbedtls/x509_crt.h"
+
+/**
+ * \name PKCS7 Module Error codes
+ * \{
+ */
+#define MBEDTLS_ERR_PKCS7_INVALID_FORMAT -0x5300 /**< The format is invalid, e.g. different type expected. */
+#define MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE -0x5380 /**< Unavailable feature, e.g. anything other than signed data. */
+#define MBEDTLS_ERR_PKCS7_INVALID_VERSION -0x5400 /**< The PKCS7 version element is invalid or cannot be parsed. */
+#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x5480 /**< The PKCS7 content info invalid or cannot be parsed. */
+#define MBEDTLS_ERR_PKCS7_INVALID_ALG -0x5500 /**< The algorithm tag or value is invalid or cannot be parsed. */
+#define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x5580 /**< The certificate tag or value is invalid or cannot be parsed. */
+#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE -0x5600 /**< Error parsing the signature */
+#define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO -0x5680 /**< Error parsing the signer's info */
+#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA -0x5700 /**< Input invalid. */
+#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x5780 /**< Allocation of memory failed. */
+#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL -0x5800 /**< Verification Failed */
+#define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID -0x5880 /**< The PKCS7 date issued/expired dates are invalid */
+/* \} name */
+
+/**
+ * \name PKCS7 Supported Version
+ * \{
+ */
+#define MBEDTLS_PKCS7_SUPPORTED_VERSION 0x01
+/* \} name */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Type-length-value structure that allows for ASN1 using DER.
+ */
+typedef mbedtls_asn1_buf mbedtls_pkcs7_buf;
+
+/**
+ * Container for ASN1 named information objects.
+ * It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).
+ */
+typedef mbedtls_asn1_named_data mbedtls_pkcs7_name;
+
+/**
+ * Container for a sequence of ASN.1 items
+ */
+typedef mbedtls_asn1_sequence mbedtls_pkcs7_sequence;
+
+/**
+ * PKCS7 types
+ */
+typedef enum {
+ MBEDTLS_PKCS7_NONE=0,
+ MBEDTLS_PKCS7_DATA,
+ MBEDTLS_PKCS7_SIGNED_DATA,
+ MBEDTLS_PKCS7_ENVELOPED_DATA,
+ MBEDTLS_PKCS7_SIGNED_AND_ENVELOPED_DATA,
+ MBEDTLS_PKCS7_DIGESTED_DATA,
+ MBEDTLS_PKCS7_ENCRYPTED_DATA,
+}
+mbedtls_pkcs7_type;
+
+/**
+ * Structure holding PKCS7 signer info
+ */
+typedef struct mbedtls_pkcs7_signer_info
+{
+ int MBEDTLS_PRIVATE(version);
+ mbedtls_x509_buf MBEDTLS_PRIVATE(serial);
+ mbedtls_x509_name MBEDTLS_PRIVATE(issuer);
+ mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw);
+ mbedtls_x509_buf MBEDTLS_PRIVATE(alg_identifier);
+ mbedtls_x509_buf MBEDTLS_PRIVATE(sig_alg_identifier);
+ mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
+ struct mbedtls_pkcs7_signer_info *MBEDTLS_PRIVATE(next);
+}
+mbedtls_pkcs7_signer_info;
+
+/**
+ * Structure holding attached data as part of PKCS7 signed data format
+ */
+typedef struct mbedtls_pkcs7_data
+{
+ mbedtls_pkcs7_buf MBEDTLS_PRIVATE(oid);
+ mbedtls_pkcs7_buf MBEDTLS_PRIVATE(data);
+}
+mbedtls_pkcs7_data;
+
+/**
+ * Structure holding the signed data section
+ */
+typedef struct mbedtls_pkcs7_signed_data
+{
+ int MBEDTLS_PRIVATE(version);
+ mbedtls_pkcs7_buf MBEDTLS_PRIVATE(digest_alg_identifiers);
+ struct mbedtls_pkcs7_data MBEDTLS_PRIVATE(content);
+ int MBEDTLS_PRIVATE(no_of_certs);
+ mbedtls_x509_crt MBEDTLS_PRIVATE(certs);
+ int MBEDTLS_PRIVATE(no_of_crls);
+ mbedtls_x509_crl MBEDTLS_PRIVATE(crl);
+ int MBEDTLS_PRIVATE(no_of_signers);
+ mbedtls_pkcs7_signer_info MBEDTLS_PRIVATE(signers);
+}
+mbedtls_pkcs7_signed_data;
+
+/**
+ * Structure holding PKCS7 structure, only signed data for now
+ */
+typedef struct mbedtls_pkcs7
+{
+ mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw);
+ mbedtls_pkcs7_buf MBEDTLS_PRIVATE(content_type_oid);
+ mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data);
+}
+mbedtls_pkcs7;
+
+/**
+ * \brief Initialize pkcs7 structure.
+ *
+ * \param pkcs7 pkcs7 structure.
+ */
+void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 );
+
+/**
+ * \brief Parse a single DER formatted pkcs7 content.
+ *
+ * \param pkcs7 The pkcs7 structure to be filled by parser for the output.
+ * \param buf The buffer holding the DER encoded pkcs7.
+ * \param buflen The size in Bytes of \p buf.
+ *
+ * \note This function makes an internal copy of the PKCS7 buffer
+ * \p buf. In particular, \p buf may be destroyed or reused
+ * after this call returns.
+ *
+ * \return The \c mbedtls_pkcs7_type of \p buf, if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf,
+ const size_t buflen );
+
+/**
+ * \brief Verification of PKCS7 signature.
+ *
+ * \param pkcs7 PKCS7 structure containing signature.
+ * \param cert Certificate containing key to verify signature.
+ * \param data Plain data on which signature has to be verified.
+ * \param datalen Length of the data.
+ *
+ * \note This function internally calculates the hash on the supplied
+ * plain data for signature verification.
+ *
+ * \return A negative error code on failure.
+ */
+int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7,
+ const mbedtls_x509_crt *cert,
+ const unsigned char *data,
+ size_t datalen );
+
+/**
+ * \brief Verification of PKCS7 signature.
+ *
+ * \param pkcs7 PKCS7 structure containing signature.
+ * \param cert Certificate containing key to verify signature.
+ * \param hash Hash of the plain data on which signature has to be verified.
+ * \param hashlen Length of the hash.
+ *
+ * \note This function is different from mbedtls_pkcs7_signed_data_verify()
+ * in a way that it directly recieves the hash of the data.
+ *
+ * \return A negative error code on failure.
+ */
+int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7,
+ const mbedtls_x509_crt *cert,
+ const unsigned char *hash, size_t hashlen);
+
+/**
+ * \brief Unallocate all PKCS7 data and zeroize the memory.
+ * It doesn't free pkcs7 itself. It should be done by the caller.
+ *
+ * \param pkcs7 PKCS7 structure to free.
+ */
+void mbedtls_pkcs7_free( mbedtls_pkcs7 *pkcs7 );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pkcs7.h */
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index d055851..3165cd5 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -96,12 +96,16 @@
/* Error space gap */
/** Processing of the Certificate handshake message failed. */
#define MBEDTLS_ERR_SSL_BAD_CERTIFICATE -0x7A00
-/** Received NewSessionTicket Post Handshake Message */
+/* Error space gap */
+/**
+ * Received NewSessionTicket Post Handshake Message.
+ * This error code is experimental and may be changed or removed without notice.
+ */
#define MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET -0x7B00
-/* Error space gap */
-/* Error space gap */
-/* Error space gap */
-/* Error space gap */
+/** Not possible to read early data */
+#define MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA -0x7B80
+/** Not possible to write early data */
+#define MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA -0x7C00
/* Error space gap */
/* Error space gap */
/* Error space gap */
@@ -405,6 +409,14 @@
/** \} name SECTION: Module settings */
/*
+ * Default to standard CID mode
+ */
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+ !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT)
+#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0
+#endif
+
+/*
* Length of the verify data for secure renegotiation
*/
#define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN 12
@@ -572,15 +584,10 @@
#define MBEDTLS_TLS_EXT_SIG_ALG_CERT 50 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_KEY_SHARE 51 /* RFC 8446 TLS 1.3 */
-/* The value of the CID extension is still TBD as of
- * draft-ietf-tls-dtls-connection-id-05
- * (https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05).
- *
- * A future minor revision of Mbed TLS may change the default value of
- * this option to match evolving standards and usage.
- */
-#if !defined(MBEDTLS_TLS_EXT_CID)
-#define MBEDTLS_TLS_EXT_CID 254 /* TBD */
+#if MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0
+#define MBEDTLS_TLS_EXT_CID 54 /* RFC 9146 DTLS 1.2 CID */
+#else
+#define MBEDTLS_TLS_EXT_CID 254 /* Pre-RFC 9146 DTLS 1.2 CID */
#endif
#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP 256 /* experimental */
@@ -661,7 +668,7 @@
MBEDTLS_SSL_SERVER_FINISHED,
MBEDTLS_SSL_FLUSH_BUFFERS,
MBEDTLS_SSL_HANDSHAKE_WRAPUP,
- MBEDTLS_SSL_HANDSHAKE_OVER,
+
MBEDTLS_SSL_NEW_SESSION_TICKET,
MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT,
MBEDTLS_SSL_HELLO_RETRY_REQUEST,
@@ -671,7 +678,9 @@
MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO,
MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO,
MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST,
- MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH,
+ MBEDTLS_SSL_HANDSHAKE_OVER,
+ MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET,
+ MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH,
}
mbedtls_ssl_states;
@@ -801,14 +810,6 @@
typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
#endif
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN 0
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 1
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT 2
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 3
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 4
-#endif
-
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
typedef uint8_t mbedtls_ssl_tls13_ticket_flags;
@@ -2076,8 +2077,9 @@
* \brief Configure the use of the Connection ID (CID)
* extension in the next handshake.
*
- * Reference: draft-ietf-tls-dtls-connection-id-05
+ * Reference: RFC 9146 (or draft-ietf-tls-dtls-connection-id-05
* https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
+ * for legacy version)
*
* The DTLS CID extension allows the reliable association of
* DTLS records to DTLS connections across changes in the
@@ -3851,9 +3853,10 @@
* \note The SSL context needs to be already set up. The right place
* to call this function is between \c mbedtls_ssl_setup() or
* \c mbedtls_ssl_reset() and \c mbedtls_ssl_handshake().
+ * Password cannot be empty (see RFC 8236).
*
* \param ssl SSL context
- * \param pw EC J-PAKE password (pre-shared secret)
+ * \param pw EC J-PAKE password (pre-shared secret). It cannot be empty
* \param pw_len length of pw in bytes
*
* \return 0 on success, or a negative error code.
@@ -4651,7 +4654,7 @@
*/
static inline int mbedtls_ssl_is_handshake_over( mbedtls_ssl_context *ssl )
{
- return( ssl->MBEDTLS_PRIVATE( state ) == MBEDTLS_SSL_HANDSHAKE_OVER );
+ return( ssl->MBEDTLS_PRIVATE( state ) >= MBEDTLS_SSL_HANDSHAKE_OVER );
}
/**
@@ -4891,6 +4894,151 @@
*/
int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl );
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+
+#if defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief Read at most 'len' application data bytes while performing
+ * the handshake (early data).
+ *
+ * \note This function behaves mainly as mbedtls_ssl_read(). The
+ * specification of mbedtls_ssl_read() relevant to TLS 1.3
+ * (thus not the parts specific to (D)TLS 1.2) applies to this
+ * function and the present documentation is restricted to the
+ * differences with mbedtls_ssl_read().
+ *
+ * \param ssl SSL context
+ * \param buf buffer that will hold the data
+ * \param len maximum number of bytes to read
+ *
+ * \return One additional specific return value:
+ * #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA.
+ *
+ * #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA is returned when it
+ * is not possible to read early data for the SSL context
+ * \p ssl.
+ *
+ * It may have been possible and it is not possible
+ * anymore because the server received the End of Early Data
+ * message or the maximum number of allowed early data for the
+ * PSK in use has been reached.
+ *
+ * It may never have been possible and will never be possible
+ * for the SSL context \p ssl because the use of early data
+ * is disabled for that context or more generally the context
+ * is not suitably configured to enable early data or the
+ * client does not use early data or the first call to the
+ * function was done while the handshake was already too
+ * advanced to gather and accept early data.
+ *
+ * It is not possible to read early data for the SSL context
+ * \p ssl but this does not preclude for using it with
+ * mbedtls_ssl_write(), mbedtls_ssl_read() or
+ * mbedtls_ssl_handshake().
+ *
+ * \note When a server wants to retrieve early data, it is expected
+ * that this function starts the handshake for the SSL context
+ * \p ssl. But this is not mandatory.
+ *
+ */
+int mbedtls_ssl_read_early_data( mbedtls_ssl_context *ssl,
+ unsigned char *buf, size_t len );
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief Try to write exactly 'len' application data bytes while
+ * performing the handshake (early data).
+ *
+ * \note This function behaves mainly as mbedtls_ssl_write(). The
+ * specification of mbedtls_ssl_write() relevant to TLS 1.3
+ * (thus not the parts specific to (D)TLS1.2) applies to this
+ * function and the present documentation is restricted to the
+ * differences with mbedtls_ssl_write().
+ *
+ * \param ssl SSL context
+ * \param buf buffer holding the data
+ * \param len how many bytes must be written
+ *
+ * \return One additional specific return value:
+ * #MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA.
+ *
+ * #MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA is returned when it
+ * is not possible to write early data for the SSL context
+ * \p ssl.
+ *
+ * It may have been possible and it is not possible
+ * anymore because the client received the server Finished
+ * message, the server rejected early data or the maximum
+ * number of allowed early data for the PSK in use has been
+ * reached.
+ *
+ * It may never have been possible and will never be possible
+ * for the SSL context \p ssl because the use of early data
+ * is disabled for that context or more generally the context
+ * is not suitably configured to enable early data or the first
+ * call to the function was done while the handshake was
+ * already completed.
+ *
+ * It is not possible to write early data for the SSL context
+ * \p ssl but this does not preclude for using it with
+ * mbedtls_ssl_write(), mbedtls_ssl_read() or
+ * mbedtls_ssl_handshake().
+ *
+ * \note This function may write early data only if the SSL context
+ * has been configured for the handshake with a PSK for which
+ * early data is allowed.
+ *
+ * \note To maximize the number of early data that can be written in
+ * the course of the handshake, it is expected that this
+ * function starts the handshake for the SSL context \p ssl.
+ * But this is not mandatory.
+ *
+ * \note This function does not provide any information on whether
+ * the server has accepted or will accept early data or not.
+ * When it returns a positive value, it just means that it
+ * has written early data to the server. To know whether the
+ * server has accepted early data or not, you should call
+ * mbedtls_ssl_get_early_data_status() with the handshake
+ * completed.
+ */
+int mbedtls_ssl_write_early_data( mbedtls_ssl_context *ssl,
+ const unsigned char *buf, size_t len );
+
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 0
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 1
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 2
+/**
+ * \brief Get the status of the negotiation of the use of early data.
+ *
+ * \param ssl The SSL context to query
+ *
+ * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called
+ * from the server-side.
+ *
+ * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called
+ * prior to completion of the handshake.
+ *
+ * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT if the client has
+ * not indicated the use of early data to the server.
+ *
+ * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED if the client has
+ * indicated the use of early data and the server has accepted
+ * it.
+ *
+ * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED if the client has
+ * indicated the use of early data but the server has rejected
+ * it. In this situation, the client may want to re-send the
+ * early data it may have tried to send by calling
+ * mbedtls_ssl_write_early_data() as ordinary post-handshake
+ * application data by calling mbedtls_ssl_write().
+ *
+ */
+int mbedtls_ssl_get_early_data_status( mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
/**
* \brief Free referenced items in an SSL context and clear memory
*
diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h
index 47ab1cf..573b33c 100644
--- a/include/psa/crypto_platform.h
+++ b/include/psa/crypto_platform.h
@@ -45,11 +45,6 @@
/* PSA requires several types which C99 provides in stdint.h. */
#include <stdint.h>
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
/* Building for the PSA Crypto service on a PSA platform, a key owner is a PSA
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 7c325f7..8106dab 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -49,8 +49,6 @@
md.c
md5.c
memory_buffer_alloc.c
- mps_reader.c
- mps_trace.c
nist_kw.c
oid.c
padlock.c
@@ -84,7 +82,6 @@
sha1.c
sha256.c
sha512.c
- ssl_debug_helpers_generated.c
threading.c
timing.c
version.c
@@ -92,6 +89,7 @@
)
set(src_x509
+ pkcs7.c
x509.c
x509_create.c
x509_crl.c
@@ -103,11 +101,14 @@
set(src_tls
debug.c
+ mps_reader.c
+ mps_trace.c
net_sockets.c
ssl_cache.c
ssl_ciphersuites.c
ssl_client.c
ssl_cookie.c
+ ssl_debug_helpers_generated.c
ssl_msg.c
ssl_ticket.c
ssl_tls.c
diff --git a/library/Makefile b/library/Makefile
index b1cdc7f..5073517 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -114,8 +114,6 @@
md.o \
md5.o \
memory_buffer_alloc.o \
- mps_reader.o \
- mps_trace.o \
nist_kw.o \
oid.o \
padlock.o \
@@ -149,7 +147,6 @@
sha1.o \
sha256.o \
sha512.o \
- ssl_debug_helpers_generated.o \
threading.o \
timing.o \
version.o \
@@ -168,15 +165,19 @@
x509_csr.o \
x509write_crt.o \
x509write_csr.o \
+ pkcs7.o \
# This line is intentionally left blank
OBJS_TLS= \
debug.o \
+ mps_reader.o \
+ mps_trace.o \
net_sockets.o \
ssl_cache.o \
ssl_ciphersuites.o \
ssl_client.o \
ssl_cookie.o \
+ ssl_debug_helpers_generated.o \
ssl_msg.o \
ssl_ticket.o \
ssl_tls.o \
diff --git a/library/aria.c b/library/aria.c
index 924f952..5e52eea 100644
--- a/library/aria.c
+++ b/library/aria.c
@@ -37,11 +37,6 @@
#include "mbedtls/platform_util.h"
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
/* Parameter validation macros */
#define ARIA_VALIDATE_RET( cond ) \
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
diff --git a/library/bignum.c b/library/bignum.c
index ba03988..a68957a 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -968,17 +968,15 @@
carry = mbedtls_mpi_core_sub( X->p, A->p, B->p, n );
if( carry != 0 )
{
- /* Propagate the carry to the first nonzero limb of X. */
- for( ; n < X->n && X->p[n] == 0; n++ )
- --X->p[n];
- /* If we ran out of space for the carry, it means that the result
- * is negative. */
- if( n == X->n )
+ /* Propagate the carry through the rest of X. */
+ carry = mbedtls_mpi_core_sub_int( X->p + n, X->p + n, carry, X->n - n );
+
+ /* If we have further carry/borrow, the result is negative. */
+ if( carry != 0 )
{
ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
goto cleanup;
}
- --X->p[n];
}
/* X should always be positive as a result of unsigned subtractions. */
diff --git a/library/bignum_core.c b/library/bignum_core.c
index 34aecda..6635351 100644
--- a/library/bignum_core.c
+++ b/library/bignum_core.c
@@ -540,6 +540,7 @@
return( ret );
}
+MBEDTLS_STATIC_TESTABLE
void mbedtls_mpi_core_ct_uint_table_lookup( mbedtls_mpi_uint *dest,
const mbedtls_mpi_uint *table,
size_t limbs,
@@ -582,6 +583,162 @@
/* BEGIN MERGE SLOT 1 */
+static size_t exp_mod_get_window_size( size_t Ebits )
+{
+ size_t wsize = ( Ebits > 671 ) ? 6 : ( Ebits > 239 ) ? 5 :
+ ( Ebits > 79 ) ? 4 : 1;
+
+#if( MBEDTLS_MPI_WINDOW_SIZE < 6 )
+ if( wsize > MBEDTLS_MPI_WINDOW_SIZE )
+ wsize = MBEDTLS_MPI_WINDOW_SIZE;
+#endif
+
+ return( wsize );
+}
+
+static void exp_mod_precompute_window( const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ mbedtls_mpi_uint mm,
+ const mbedtls_mpi_uint *RR,
+ size_t welem,
+ mbedtls_mpi_uint *Wtable,
+ mbedtls_mpi_uint *temp )
+{
+ /* W[0] = 1 (in Montgomery presentation) */
+ memset( Wtable, 0, AN_limbs * ciL );
+ Wtable[0] = 1;
+ mbedtls_mpi_core_montmul( Wtable, Wtable, RR, AN_limbs, N, AN_limbs, mm, temp );
+
+ /* W[1] = A * R^2 * R^-1 mod N = A * R mod N */
+ mbedtls_mpi_uint *W1 = Wtable + AN_limbs;
+ mbedtls_mpi_core_montmul( W1, A, RR, AN_limbs, N, AN_limbs, mm, temp );
+
+ /* W[i+1] = W[i] * W[1], i >= 2 */
+ mbedtls_mpi_uint *Wprev = W1;
+ for( size_t i = 2; i < welem; i++ )
+ {
+ mbedtls_mpi_uint *Wcur = Wprev + AN_limbs;
+ mbedtls_mpi_core_montmul( Wcur, Wprev, W1, AN_limbs, N, AN_limbs, mm, temp );
+ Wprev = Wcur;
+ }
+}
+
+/* Exponentiation: X := A^E mod N.
+ *
+ * As in other bignum functions, assume that AN_limbs and E_limbs are nonzero.
+ *
+ * RR must contain 2^{2*biL} mod N.
+ *
+ * The algorithm is a variant of Left-to-right k-ary exponentiation: HAC 14.82
+ * (The difference is that the body in our loop processes a single bit instead
+ * of a full window.)
+ */
+int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ const mbedtls_mpi_uint *E,
+ size_t E_limbs,
+ const mbedtls_mpi_uint *RR )
+{
+ const size_t wsize = exp_mod_get_window_size( E_limbs * biL );
+ const size_t welem = ( (size_t) 1 ) << wsize;
+
+ /* Allocate memory pool and set pointers to parts of it */
+ const size_t table_limbs = welem * AN_limbs;
+ const size_t temp_limbs = 2 * AN_limbs + 1;
+ const size_t select_limbs = AN_limbs;
+ const size_t total_limbs = table_limbs + temp_limbs + select_limbs;
+
+ /* heap allocated memory pool */
+ mbedtls_mpi_uint *mempool =
+ mbedtls_calloc( total_limbs, sizeof(mbedtls_mpi_uint) );
+ if( mempool == NULL )
+ {
+ return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+ }
+
+ /* pointers to temporaries within memory pool */
+ mbedtls_mpi_uint *const Wtable = mempool;
+ mbedtls_mpi_uint *const Wselect = Wtable + table_limbs;
+ mbedtls_mpi_uint *const temp = Wselect + select_limbs;
+
+ /*
+ * Window precomputation
+ */
+
+ const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init( N );
+
+ /* Set Wtable[i] = A^(2^i) (in Montgomery representation) */
+ exp_mod_precompute_window( A, N, AN_limbs,
+ mm, RR,
+ welem, Wtable, temp );
+
+ /*
+ * Fixed window exponentiation
+ */
+
+ /* X = 1 (in Montgomery presentation) initially */
+ memcpy( X, Wtable, AN_limbs * ciL );
+
+ /* We'll process the bits of E from most significant
+ * (limb_index=E_limbs-1, E_bit_index=biL-1) to least significant
+ * (limb_index=0, E_bit_index=0). */
+ size_t E_limb_index = E_limbs;
+ size_t E_bit_index = 0;
+ /* At any given time, window contains window_bits bits from E.
+ * window_bits can go up to wsize. */
+ size_t window_bits = 0;
+ mbedtls_mpi_uint window = 0;
+
+ do
+ {
+ /* Square */
+ mbedtls_mpi_core_montmul( X, X, X, AN_limbs, N, AN_limbs, mm, temp );
+
+ /* Move to the next bit of the exponent */
+ if( E_bit_index == 0 )
+ {
+ --E_limb_index;
+ E_bit_index = biL - 1;
+ }
+ else
+ {
+ --E_bit_index;
+ }
+ /* Insert next exponent bit into window */
+ ++window_bits;
+ window <<= 1;
+ window |= ( E[E_limb_index] >> E_bit_index ) & 1;
+
+ /* Clear window if it's full. Also clear the window at the end,
+ * when we've finished processing the exponent. */
+ if( window_bits == wsize ||
+ ( E_bit_index == 0 && E_limb_index == 0 ) )
+ {
+ /* Select Wtable[window] without leaking window through
+ * memory access patterns. */
+ mbedtls_mpi_core_ct_uint_table_lookup( Wselect, Wtable,
+ AN_limbs, welem, window );
+ /* Multiply X by the selected element. */
+ mbedtls_mpi_core_montmul( X, X, Wselect, AN_limbs, N, AN_limbs, mm,
+ temp );
+ window = 0;
+ window_bits = 0;
+ }
+ }
+ while( ! ( E_bit_index == 0 && E_limb_index == 0 ) );
+
+ /* Convert X back to normal presentation */
+ const mbedtls_mpi_uint one = 1;
+ mbedtls_mpi_core_montmul( X, X, &one, 1, N, AN_limbs, mm, temp );
+
+ mbedtls_platform_zeroize( mempool, total_limbs * sizeof(mbedtls_mpi_uint) );
+ mbedtls_free( mempool );
+ return( 0 );
+}
+
/* END MERGE SLOT 1 */
/* BEGIN MERGE SLOT 2 */
@@ -590,6 +747,22 @@
/* BEGIN MERGE SLOT 3 */
+mbedtls_mpi_uint mbedtls_mpi_core_sub_int( mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ mbedtls_mpi_uint c, /* doubles as carry */
+ size_t limbs )
+{
+ for( size_t i = 0; i < limbs; i++ )
+ {
+ mbedtls_mpi_uint s = A[i];
+ mbedtls_mpi_uint t = s - c;
+ c = ( t > s );
+ X[i] = t;
+ }
+
+ return( c );
+}
+
/* END MERGE SLOT 3 */
/* BEGIN MERGE SLOT 4 */
diff --git a/library/bignum_core.h b/library/bignum_core.h
index ad04e08..24559c6 100644
--- a/library/bignum_core.h
+++ b/library/bignum_core.h
@@ -452,6 +452,7 @@
int mbedtls_mpi_core_get_mont_r2_unsafe( mbedtls_mpi *X,
const mbedtls_mpi *N );
+#if defined(MBEDTLS_TEST_HOOKS)
/**
* Copy an MPI from a table without leaking the index.
*
@@ -469,6 +470,7 @@
size_t limbs,
size_t count,
size_t index );
+#endif /* MBEDTLS_TEST_HOOKS */
/**
* \brief Fill an integer with a number of random bytes.
@@ -496,6 +498,29 @@
/* BEGIN MERGE SLOT 1 */
+/**
+ * \brief Perform a modular exponentiation with secret exponent:
+ * X = A^E mod N
+ *
+ * \param[out] X The destination MPI, as a little endian array of length
+ * \p AN_limbs.
+ * \param[in] A The base MPI, as a little endian array of length \p AN_limbs.
+ * \param[in] N The modulus, as a little endian array of length \p AN_limbs.
+ * \param AN_limbs The number of limbs in \p X, \p A, \p N, \p RR.
+ * \param[in] E The exponent, as a little endian array of length \p E_limbs.
+ * \param E_limbs The number of limbs in \p E.
+ * \param[in] RR The precomputed residue of 2^{2*biL} modulo N, as a little
+ * endian array of length \p AN_limbs.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ */
+int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N, size_t AN_limbs,
+ const mbedtls_mpi_uint *E, size_t E_limbs,
+ const mbedtls_mpi_uint *RR );
+
/* END MERGE SLOT 1 */
/* BEGIN MERGE SLOT 2 */
@@ -504,6 +529,23 @@
/* BEGIN MERGE SLOT 3 */
+/**
+ * \brief Subtract unsigned integer from known-size large unsigned integers.
+ * Return the borrow.
+ *
+ * \param[out] X The result of the subtraction.
+ * \param[in] A The left operand.
+ * \param b The unsigned scalar to subtract.
+ * \param limbs Number of limbs of \p X and \p A.
+ *
+ * \return 1 if `A < b`.
+ * 0 if `A >= b`.
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_sub_int( mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ mbedtls_mpi_uint b,
+ size_t limbs );
+
/* END MERGE SLOT 3 */
/* BEGIN MERGE SLOT 4 */
diff --git a/library/bignum_mod.c b/library/bignum_mod.c
index 13108c5..7a5539d 100644
--- a/library/bignum_mod.c
+++ b/library/bignum_mod.c
@@ -39,7 +39,7 @@
mbedtls_mpi_uint *p,
size_t p_limbs )
{
- if( p_limbs < m->limbs || !mbedtls_mpi_core_lt_ct( m->p, p, p_limbs ) )
+ if( p_limbs != m->limbs || !mbedtls_mpi_core_lt_ct( p, m->p, m->limbs ) )
return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
r->limbs = m->limbs;
@@ -50,7 +50,7 @@
void mbedtls_mpi_mod_residue_release( mbedtls_mpi_mod_residue *r )
{
- if ( r == NULL )
+ if( r == NULL )
return;
r->limbs = 0;
@@ -59,19 +59,18 @@
void mbedtls_mpi_mod_modulus_init( mbedtls_mpi_mod_modulus *m )
{
- if ( m == NULL )
+ if( m == NULL )
return;
m->p = NULL;
m->limbs = 0;
m->bits = 0;
- m->ext_rep = MBEDTLS_MPI_MOD_EXT_REP_INVALID;
m->int_rep = MBEDTLS_MPI_MOD_REP_INVALID;
}
void mbedtls_mpi_mod_modulus_free( mbedtls_mpi_mod_modulus *m )
{
- if ( m == NULL )
+ if( m == NULL )
return;
switch( m->int_rep )
@@ -96,7 +95,6 @@
m->p = NULL;
m->limbs = 0;
m->bits = 0;
- m->ext_rep = MBEDTLS_MPI_MOD_EXT_REP_INVALID;
m->int_rep = MBEDTLS_MPI_MOD_REP_INVALID;
}
@@ -112,17 +110,17 @@
mbedtls_mpi_init( &N );
mbedtls_mpi_init( &RR );
- if ( A == NULL || limbs == 0 || limbs >= ( MBEDTLS_MPI_MAX_LIMBS / 2 ) - 2 )
+ if( A == NULL || limbs == 0 || limbs >= ( MBEDTLS_MPI_MAX_LIMBS / 2 ) - 2 )
goto cleanup;
- if ( mbedtls_mpi_grow( &N, limbs ) )
+ if( mbedtls_mpi_grow( &N, limbs ) )
goto cleanup;
memcpy( N.p, A, sizeof(mbedtls_mpi_uint) * limbs );
ret = mbedtls_mpi_core_get_mont_r2_unsafe(&RR, &N);
- if ( ret == 0 )
+ if( ret == 0 )
{
*X = RR.p;
RR.p = NULL;
@@ -138,7 +136,6 @@
int mbedtls_mpi_mod_modulus_setup( mbedtls_mpi_mod_modulus *m,
const mbedtls_mpi_uint *p,
size_t p_limbs,
- mbedtls_mpi_mod_ext_rep ext_rep,
mbedtls_mpi_mod_rep_selector int_rep )
{
int ret = 0;
@@ -147,17 +144,6 @@
m->limbs = p_limbs;
m->bits = mbedtls_mpi_core_bitlen( p, p_limbs );
- switch( ext_rep )
- {
- case MBEDTLS_MPI_MOD_EXT_REP_LE:
- case MBEDTLS_MPI_MOD_EXT_REP_BE:
- m->ext_rep = ext_rep;
- break;
- default:
- ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- goto exit;
- }
-
switch( int_rep )
{
case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
@@ -209,7 +195,71 @@
/* END MERGE SLOT 6 */
/* BEGIN MERGE SLOT 7 */
+int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *m,
+ const unsigned char *buf,
+ size_t buflen,
+ mbedtls_mpi_mod_ext_rep ext_rep )
+{
+ int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ /* Do our best to check if r and m have been set up */
+ if( r->limbs == 0 || m->limbs == 0 )
+ goto cleanup;
+ if( r->limbs != m->limbs )
+ goto cleanup;
+
+ ret = mbedtls_mpi_mod_raw_read( r->p, m, buf, buflen, ext_rep );
+ if( ret != 0 )
+ goto cleanup;
+
+ r->limbs = m->limbs;
+
+ if( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY )
+ ret = mbedtls_mpi_mod_raw_to_mont_rep( r->p, m );
+
+cleanup:
+ return ( ret );
+}
+
+int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *m,
+ unsigned char *buf,
+ size_t buflen,
+ mbedtls_mpi_mod_ext_rep ext_rep )
+{
+ int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+
+ /* Do our best to check if r and m have been set up */
+ if( r->limbs == 0 || m->limbs == 0 )
+ goto cleanup;
+ if( r->limbs != m->limbs )
+ goto cleanup;
+
+ if( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY )
+ {
+ ret = mbedtls_mpi_mod_raw_from_mont_rep( r->p, m );
+ if( ret != 0 )
+ goto cleanup;
+ }
+
+ ret = mbedtls_mpi_mod_raw_write( r->p, m, buf, buflen, ext_rep );
+
+ if( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY )
+ {
+ /* If this fails, the value of r is corrupted and we want to return
+ * this error (as opposed to the error code from the write above) to
+ * let the caller know. If it succeeds, we want to return the error
+ * code from write above. */
+ int conv_ret = mbedtls_mpi_mod_raw_to_mont_rep( r->p, m );
+ if( ret == 0 )
+ ret = conv_ret;
+ }
+
+cleanup:
+
+ return ( ret );
+}
/* END MERGE SLOT 7 */
/* BEGIN MERGE SLOT 8 */
diff --git a/library/bignum_mod.h b/library/bignum_mod.h
index 29c26f2..d92f21e 100644
--- a/library/bignum_mod.h
+++ b/library/bignum_mod.h
@@ -64,7 +64,6 @@
const mbedtls_mpi_uint *p;
size_t limbs; // number of limbs
size_t bits; // bitlen of p
- mbedtls_mpi_mod_ext_rep ext_rep; // signals external representation (eg. byte order)
mbedtls_mpi_mod_rep_selector int_rep; // selector to signal the active member of the union
union rep
{
@@ -75,16 +74,27 @@
/** Setup a residue structure.
*
- * \param[out] r The address of residue to setup. The size is determined by
- * \p m.
- * (In particular, it must have at least as many limbs as the
- * modulus \p m.)
+ * The residue will be set up with the buffer \p p and modulus \p m.
+ *
+ * The memory pointed to by \p p will be used by the resulting residue structure.
+ * The value at the pointed-to memory will be the initial value of \p r and must
+ * hold a value that is less than the modulus. This value will be used as-is
+ * and interpreted according to the value of the `m->int_rep` field.
+ *
+ * The modulus \p m will be the modulus associated with \p r. The residue \p r
+ * should only be used in operations where the modulus is \p m.
+ *
+ * \param[out] r The address of the residue to setup.
* \param[in] m The address of the modulus related to \p r.
- * \param[in] p The address of the limb array storing the value of \p r.
+ * \param[in] p The address of the limb array containing the value of \p r.
* The memory pointed to by \p p will be used by \p r and must
* not be modified in any way until after
- * mbedtls_mpi_mod_residue_release() is called.
- * \param p_limbs The number of limbs of \p p.
+ * mbedtls_mpi_mod_residue_release() is called. The data
+ * pointed to by \p p must be less than the modulus (the value
+ * pointed to by `m->p`) and already in the representation
+ * indicated by `m->int_rep`.
+ * \param p_limbs The number of limbs of \p p. Must be the same as the number
+ * of limbs in the modulus \p m.
*
* \return \c 0 if successful.
* \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p p_limbs is less than the
@@ -121,19 +131,15 @@
* not be modified in any way until after
* mbedtls_mpi_mod_modulus_free() is called.
* \param p_limbs The number of limbs of \p p.
- * \param ext_rep The external representation to be used for residues
- * associated with \p m (see #mbedtls_mpi_mod_ext_rep).
* \param int_rep The internal representation to be used for residues
* associated with \p m (see #mbedtls_mpi_mod_rep_selector).
*
* \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep or \p int_rep is
- * invalid.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p int_rep is invalid.
*/
int mbedtls_mpi_mod_modulus_setup( mbedtls_mpi_mod_modulus *m,
const mbedtls_mpi_uint *p,
size_t p_limbs,
- mbedtls_mpi_mod_ext_rep ext_rep,
mbedtls_mpi_mod_rep_selector int_rep );
/** Free elements of a modulus structure.
@@ -173,7 +179,72 @@
/* END MERGE SLOT 6 */
/* BEGIN MERGE SLOT 7 */
+/** Read a residue from a byte buffer.
+ *
+ * The residue will be automatically converted to the internal representation
+ * based on the value of the `m->int_rep` field.
+ *
+ * The modulus \p m will be the modulus associated with \p r. The residue \p r
+ * should only be used in operations where the modulus is \p m or a modulus
+ * equivalent to \p m (in the sense that all their fields or memory pointed by
+ * their fields hold the same value).
+ *
+ * \param[out] r The address of the residue. It must have exactly the same
+ * number of limbs as the modulus \p m.
+ * \param[in] m The address of the modulus.
+ * \param[in] buf The input buffer to import from.
+ * \param buflen The length in bytes of \p buf.
+ * \param ext_rep The endianness of the number in the input buffer.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p r isn't
+ * large enough to hold the value in \p buf.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep
+ * is invalid or the value in the buffer is not less than \p m.
+ */
+int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *m,
+ const unsigned char *buf,
+ size_t buflen,
+ mbedtls_mpi_mod_ext_rep ext_rep );
+/** Write a residue into a byte buffer.
+ *
+ * The modulus \p m must be the modulus associated with \p r (see
+ * mbedtls_mpi_mod_residue_setup() and mbedtls_mpi_mod_read()).
+ *
+ * The residue will be automatically converted from the internal representation
+ * based on the value of `m->int_rep` field.
+ *
+ * \warning If the buffer is smaller than `m->bits`, the number of
+ * leading zeroes is leaked through timing. If \p r is
+ * secret, the caller must ensure that \p buflen is at least
+ * (`m->bits`+7)/8.
+ *
+ * \param[in] r The address of the residue. It must have the same number of
+ * limbs as the modulus \p m. (\p r is an input parameter, but
+ * its value will be modified during execution and restored
+ * before the function returns.)
+ * \param[in] m The address of the modulus associated with \r.
+ * \param[out] buf The output buffer to export to.
+ * \param buflen The length in bytes of \p buf.
+ * \param ext_rep The endianness in which the number should be written into
+ * the output buffer.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
+ * large enough to hold the value of \p r (without leading
+ * zeroes).
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep is invalid.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if couldn't allocate enough
+ * memory for conversion. Can occur only for moduli with
+ * MBEDTLS_MPI_MOD_REP_MONTGOMERY.
+ */
+int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *m,
+ unsigned char *buf,
+ size_t buflen,
+ mbedtls_mpi_mod_ext_rep ext_rep );
/* END MERGE SLOT 7 */
/* BEGIN MERGE SLOT 8 */
diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c
index b43add7..22e56b7 100644
--- a/library/bignum_mod_raw.c
+++ b/library/bignum_mod_raw.c
@@ -52,11 +52,12 @@
int mbedtls_mpi_mod_raw_read( mbedtls_mpi_uint *X,
const mbedtls_mpi_mod_modulus *m,
const unsigned char *input,
- size_t input_length )
+ size_t input_length,
+ mbedtls_mpi_mod_ext_rep ext_rep )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- switch( m->ext_rep )
+ switch( ext_rep )
{
case MBEDTLS_MPI_MOD_EXT_REP_LE:
ret = mbedtls_mpi_core_read_le( X, m->limbs,
@@ -87,9 +88,10 @@
int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A,
const mbedtls_mpi_mod_modulus *m,
unsigned char *output,
- size_t output_length )
+ size_t output_length,
+ mbedtls_mpi_mod_ext_rep ext_rep )
{
- switch( m->ext_rep )
+ switch( ext_rep )
{
case MBEDTLS_MPI_MOD_EXT_REP_LE:
return( mbedtls_mpi_core_write_le( A, m->limbs,
@@ -108,6 +110,16 @@
/* BEGIN MERGE SLOT 2 */
+void mbedtls_mpi_mod_raw_sub( mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N )
+{
+ mbedtls_mpi_uint c = mbedtls_mpi_core_sub( X, A, B, N->limbs );
+
+ (void) mbedtls_mpi_core_add_if( X, N->p, N->limbs, (unsigned) c );
+}
+
/* END MERGE SLOT 2 */
/* BEGIN MERGE SLOT 3 */
@@ -119,7 +131,16 @@
/* END MERGE SLOT 4 */
/* BEGIN MERGE SLOT 5 */
-
+void mbedtls_mpi_mod_raw_add( mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N )
+{
+ mbedtls_mpi_uint carry, borrow;
+ carry = mbedtls_mpi_core_add( X, A, B, N->limbs );
+ borrow = mbedtls_mpi_core_sub( X, X, N->p, N->limbs );
+ (void) mbedtls_mpi_core_add_if( X, N->p, N->limbs, (unsigned) ( carry ^ borrow ) );
+}
/* END MERGE SLOT 5 */
/* BEGIN MERGE SLOT 6 */
diff --git a/library/bignum_mod_raw.h b/library/bignum_mod_raw.h
index f738e91..d7b6dd1 100644
--- a/library/bignum_mod_raw.h
+++ b/library/bignum_mod_raw.h
@@ -106,6 +106,7 @@
* \param[in] m The address of the modulus related to \p X.
* \param[in] input The input buffer to import from.
* \param input_length The length in bytes of \p input.
+ * \param ext_rep The endianness of the number in the input buffer.
*
* \return \c 0 if successful.
* \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't
@@ -116,7 +117,8 @@
int mbedtls_mpi_mod_raw_read( mbedtls_mpi_uint *X,
const mbedtls_mpi_mod_modulus *m,
const unsigned char *input,
- size_t input_length );
+ size_t input_length,
+ mbedtls_mpi_mod_ext_rep ext_rep );
/** Export A into unsigned binary data.
*
@@ -126,6 +128,7 @@
* \param[in] m The address of the modulus related to \p A.
* \param[out] output The output buffer to export to.
* \param output_length The length in bytes of \p output.
+ * \param ext_rep The endianness in which the number should be written into the output buffer.
*
* \return \c 0 if successful.
* \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p output isn't
@@ -136,7 +139,8 @@
int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A,
const mbedtls_mpi_mod_modulus *m,
unsigned char *output,
- size_t output_length );
+ size_t output_length,
+ mbedtls_mpi_mod_ext_rep ext_rep );
/* BEGIN MERGE SLOT 1 */
@@ -144,6 +148,28 @@
/* BEGIN MERGE SLOT 2 */
+/** \brief Subtract two MPIs, returning the residue modulo the specified
+ * modulus.
+ *
+ * The size of the operation is determined by \p N. \p A and \p B must have
+ * the same number of limbs as \p N.
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise.
+ *
+ * \param[out] X The address of the result MPI.
+ * This must be initialized. Must have enough limbs to
+ * store the full value of the result.
+ * \param[in] A The address of the first MPI. This must be initialized.
+ * \param[in] B The address of the second MPI. This must be initialized.
+ * \param[in] N The address of the modulus. Used to perform a modulo
+ * operation on the result of the subtraction.
+ */
+void mbedtls_mpi_mod_raw_sub( mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N );
+
/* END MERGE SLOT 2 */
/* BEGIN MERGE SLOT 3 */
@@ -155,7 +181,28 @@
/* END MERGE SLOT 4 */
/* BEGIN MERGE SLOT 5 */
-
+/**
+ * \brief Perform a known-size modular addition.
+ *
+ * Calculate `A + B modulo N`.
+ *
+ * The number of limbs in each operand, and the result, is given by the
+ * modulus \p N.
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise.
+ *
+ * \param[out] X The result of the modular addition.
+ * \param[in] A Little-endian presentation of the left operand. This
+ * must be smaller than \p N.
+ * \param[in] B Little-endian presentation of the right operand. This
+ * must be smaller than \p N.
+ * \param[in] N The address of the modulus.
+ */
+void mbedtls_mpi_mod_raw_add( mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N );
/* END MERGE SLOT 5 */
/* BEGIN MERGE SLOT 6 */
diff --git a/library/chacha20.c b/library/chacha20.c
index e53eb82..85d7461 100644
--- a/library/chacha20.c
+++ b/library/chacha20.c
@@ -36,11 +36,6 @@
#if !defined(MBEDTLS_CHACHA20_ALT)
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
#define ROTL32( value, amount ) \
( (uint32_t) ( (value) << (amount) ) | ( (value) >> ( 32 - (amount) ) ) )
diff --git a/library/cipher.c b/library/cipher.c
index dfb7329..dffe3ad 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -500,7 +500,7 @@
}
#endif
- return( 0 );
+ return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
}
#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
@@ -1129,7 +1129,7 @@
}
#endif
- return( 0 );
+ return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
}
int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
@@ -1156,11 +1156,8 @@
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
- /* Status to return on a non-authenticated algorithm. It would make sense
- * to return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT or perhaps
- * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, but at the time I write this our
- * unit tests assume 0. */
- ret = 0;
+ /* Status to return on a non-authenticated algorithm. */
+ ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
#if defined(MBEDTLS_GCM_C)
if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
diff --git a/library/common.h b/library/common.h
index a630fcc..25d5294 100644
--- a/library/common.h
+++ b/library/common.h
@@ -25,6 +25,7 @@
#include "mbedtls/build_info.h"
+#include <stddef.h>
#include <stdint.h>
/** Helper to define a function as static except when building invasive tests.
@@ -68,6 +69,44 @@
*/
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+/** Return an offset into a buffer.
+ *
+ * This is just the addition of an offset to a pointer, except that this
+ * function also accepts an offset of 0 into a buffer whose pointer is null.
+ * (`p + n` has undefined behavior when `p` is null, even when `n == 0`.
+ * A null pointer is a valid buffer pointer when the size is 0, for example
+ * as the result of `malloc(0)` on some platforms.)
+ *
+ * \param p Pointer to a buffer of at least n bytes.
+ * This may be \p NULL if \p n is zero.
+ * \param n An offset in bytes.
+ * \return Pointer to offset \p n in the buffer \p p.
+ * Note that this is only a valid pointer if the size of the
+ * buffer is at least \p n + 1.
+ */
+static inline unsigned char *mbedtls_buffer_offset(
+ unsigned char *p, size_t n )
+{
+ return( p == NULL ? NULL : p + n );
+}
+
+/** Return an offset into a read-only buffer.
+ *
+ * Similar to mbedtls_buffer_offset(), but for const pointers.
+ *
+ * \param p Pointer to a buffer of at least n bytes.
+ * This may be \p NULL if \p n is zero.
+ * \param n An offset in bytes.
+ * \return Pointer to offset \p n in the buffer \p p.
+ * Note that this is only a valid pointer if the size of the
+ * buffer is at least \p n + 1.
+ */
+static inline const unsigned char *mbedtls_buffer_offset_const(
+ const unsigned char *p, size_t n )
+{
+ return( p == NULL ? NULL : p + n );
+}
+
/** Byte Reading Macros
*
* Given a multi-byte integer \p x, MBEDTLS_BYTE_n retrieves the n-th
diff --git a/library/debug.c b/library/debug.c
index bdbf6dd..6114a46 100644
--- a/library/debug.c
+++ b/library/debug.c
@@ -30,11 +30,6 @@
#include <stdio.h>
#include <string.h>
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
#define DEBUG_BUF_SIZE 512
static int debug_threshold = 0;
diff --git a/library/ecp.c b/library/ecp.c
index 37f6090..cd7d554 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -88,11 +88,6 @@
#include "ecp_internal_alt.h"
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
#if defined(MBEDTLS_SELF_TEST)
/*
* Counts of point addition and doubling, and field multiplications.
diff --git a/library/ecp_curves.c b/library/ecp_curves.c
index 7b14237..5cd2828 100644
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@@ -39,11 +39,6 @@
#define ECP_VALIDATE( cond ) \
MBEDTLS_INTERNAL_VALIDATE( cond )
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
#define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)}
#define ECP_MPI_INIT_ARRAY(x) \
diff --git a/library/mps_reader.c b/library/mps_reader.c
index 36958b4..6f823bd 100644
--- a/library/mps_reader.c
+++ b/library/mps_reader.c
@@ -29,11 +29,6 @@
#include <string.h>
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
#if defined(MBEDTLS_MPS_ENABLE_TRACE)
static int mbedtls_mps_trace_id = MBEDTLS_MPS_TRACE_BIT_READER;
#endif /* MBEDTLS_MPS_ENABLE_TRACE */
diff --git a/library/pkcs7.c b/library/pkcs7.c
new file mode 100644
index 0000000..e4238b6
--- /dev/null
+++ b/library/pkcs7.c
@@ -0,0 +1,727 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "common.h"
+
+#include "mbedtls/build_info.h"
+#if defined(MBEDTLS_PKCS7_C)
+#include "mbedtls/pkcs7.h"
+#include "mbedtls/x509.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/x509_crl.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/error.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#if defined(MBEDTLS_FS_IO)
+#include <sys/types.h>
+#include <sys/stat.h>
+#endif
+
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+#include <time.h>
+#endif
+
+/**
+ * Initializes the pkcs7 structure.
+ */
+void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 )
+{
+ memset( pkcs7, 0, sizeof( *pkcs7 ) );
+}
+
+static int pkcs7_get_next_content_len( unsigned char **p, unsigned char *end,
+ size_t *len )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_asn1_get_tag( p, end, len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_CONTEXT_SPECIFIC );
+ if( ret != 0 )
+ {
+ ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret );
+ }
+
+ return( ret );
+}
+
+/**
+ * version Version
+ * Version ::= INTEGER
+ **/
+static int pkcs7_get_version( unsigned char **p, unsigned char *end, int *ver )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_asn1_get_int( p, end, ver );
+ if( ret != 0 )
+ ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_VERSION, ret );
+
+ /* If version != 1, return invalid version */
+ if( *ver != MBEDTLS_PKCS7_SUPPORTED_VERSION )
+ ret = MBEDTLS_ERR_PKCS7_INVALID_VERSION;
+
+ return( ret );
+}
+
+/**
+ * ContentInfo ::= SEQUENCE {
+ * contentType ContentType,
+ * content
+ * [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
+ **/
+static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end,
+ mbedtls_pkcs7_buf *pkcs7 )
+{
+ size_t len = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *start = *p;
+
+ ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE );
+ if( ret != 0 ) {
+ *p = start;
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret ) );
+ }
+
+ ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OID );
+ if( ret != 0 ) {
+ *p = start;
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret ) );
+ }
+
+ pkcs7->tag = MBEDTLS_ASN1_OID;
+ pkcs7->len = len;
+ pkcs7->p = *p;
+ *p += len;
+
+ return( ret );
+}
+
+/**
+ * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+ *
+ * This is from x509.h
+ **/
+static int pkcs7_get_digest_algorithm( unsigned char **p, unsigned char *end,
+ mbedtls_x509_buf *alg )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if( ( ret = mbedtls_asn1_get_alg_null( p, end, alg ) ) != 0 )
+ ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret );
+
+ return( ret );
+}
+
+/**
+ * DigestAlgorithmIdentifiers :: SET of DigestAlgorithmIdentifier
+ **/
+static int pkcs7_get_digest_algorithm_set( unsigned char **p,
+ unsigned char *end,
+ mbedtls_x509_buf *alg )
+{
+ size_t len = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SET );
+ if( ret != 0 )
+ {
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret ) );
+ }
+
+ end = *p + len;
+
+ ret = mbedtls_asn1_get_alg_null( p, end, alg );
+ if( ret != 0 )
+ {
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret ) );
+ }
+
+ /** For now, it assumes there is only one digest algorithm specified **/
+ if ( *p != end )
+ return( MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE );
+
+ return( 0 );
+}
+
+/**
+ * certificates :: SET OF ExtendedCertificateOrCertificate,
+ * ExtendedCertificateOrCertificate ::= CHOICE {
+ * certificate Certificate -- x509,
+ * extendedCertificate[0] IMPLICIT ExtendedCertificate }
+ * Return number of certificates added to the signed data,
+ * 0 or higher is valid.
+ * Return negative error code for failure.
+ **/
+static int pkcs7_get_certificates( unsigned char **p, unsigned char *end,
+ mbedtls_x509_crt *certs )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len1 = 0;
+ size_t len2 = 0;
+ unsigned char *end_set, *end_cert, *start;
+
+ if( ( ret = mbedtls_asn1_get_tag( p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 )
+ {
+ if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+ return( 0 );
+ else
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret ) );
+ }
+ start = *p;
+ end_set = *p + len1;
+
+ ret = mbedtls_asn1_get_tag( p, end_set, &len2, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE );
+ if( ret != 0 )
+ {
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CERT, ret ) );
+ }
+
+ end_cert = *p + len2;
+
+ /*
+ * This is to verify that there is only one signer certificate. It seems it is
+ * not easy to differentiate between the chain vs different signer's certificate.
+ * So, we support only the root certificate and the single signer.
+ * The behaviour would be improved with addition of multiple signer support.
+ */
+ if ( end_cert != end_set )
+ {
+ return( MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE );
+ }
+
+ *p = start;
+ if( ( ret = mbedtls_x509_crt_parse_der( certs, *p, len1 ) ) < 0 )
+ {
+ return( MBEDTLS_ERR_PKCS7_INVALID_CERT );
+ }
+
+ *p = *p + len1;
+
+ /*
+ * Since in this version we strictly support single certificate, and reaching
+ * here implies we have parsed successfully, we return 1.
+ */
+ return( 1 );
+}
+
+/**
+ * EncryptedDigest ::= OCTET STRING
+ **/
+static int pkcs7_get_signature( unsigned char **p, unsigned char *end,
+ mbedtls_pkcs7_buf *signature )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OCTET_STRING );
+ if( ret != 0 )
+ return( ret );
+
+ signature->tag = MBEDTLS_ASN1_OCTET_STRING;
+ signature->len = len;
+ signature->p = *p;
+
+ *p = *p + len;
+
+ return( 0 );
+}
+
+/**
+ * SignerInfo ::= SEQUENCE {
+ * version Version;
+ * issuerAndSerialNumber IssuerAndSerialNumber,
+ * digestAlgorithm DigestAlgorithmIdentifier,
+ * authenticatedAttributes
+ * [0] IMPLICIT Attributes OPTIONAL,
+ * digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
+ * encryptedDigest EncryptedDigest,
+ * unauthenticatedAttributes
+ * [1] IMPLICIT Attributes OPTIONAL,
+ * Returns 0 if the signerInfo is valid.
+ * Return negative error code for failure.
+ * Structure must not contain vales for authenticatedAttributes
+ * and unauthenticatedAttributes.
+ **/
+static int pkcs7_get_signer_info( unsigned char **p, unsigned char *end,
+ mbedtls_pkcs7_signer_info *signer )
+{
+ unsigned char *end_signer;
+ int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ asn1_ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE );
+ if( asn1_ret != 0 )
+ goto out;
+
+ end_signer = *p + len;
+
+ ret = pkcs7_get_version( p, end_signer, &signer->version );
+ if( ret != 0 )
+ goto out;
+
+ asn1_ret = mbedtls_asn1_get_tag( p, end_signer, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE );
+ if( asn1_ret != 0 )
+ goto out;
+
+ /* Parsing IssuerAndSerialNumber */
+ signer->issuer_raw.p = *p;
+
+ asn1_ret = mbedtls_asn1_get_tag( p, end_signer, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE );
+ if( asn1_ret != 0 )
+ goto out;
+
+ ret = mbedtls_x509_get_name( p, *p + len, &signer->issuer );
+ if( ret != 0 )
+ goto out;
+
+ signer->issuer_raw.len = *p - signer->issuer_raw.p;
+
+ ret = mbedtls_x509_get_serial( p, end_signer, &signer->serial );
+ if( ret != 0 )
+ goto out;
+
+ ret = pkcs7_get_digest_algorithm( p, end_signer, &signer->alg_identifier );
+ if( ret != 0 )
+ goto out;
+
+ /* Asssume authenticatedAttributes is nonexistent */
+
+ ret = pkcs7_get_digest_algorithm( p, end_signer, &signer->sig_alg_identifier );
+ if( ret != 0 )
+ goto out;
+
+ ret = pkcs7_get_signature( p, end_signer, &signer->sig );
+ if( ret != 0 )
+ goto out;
+
+ /* Do not permit any unauthenticated attributes */
+ if( *p != end_signer )
+ ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO;
+
+out:
+ if( asn1_ret != 0 )
+ ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,
+ asn1_ret );
+ else if( ret != 0 )
+ ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO;
+
+ return( ret );
+}
+
+static void pkcs7_free_signer_info( mbedtls_pkcs7_signer_info *signer )
+{
+ mbedtls_x509_name *name_cur;
+ mbedtls_x509_name *name_prv;
+
+ if( signer == NULL )
+ return;
+
+ name_cur = signer->issuer.next;
+ while( name_cur != NULL )
+ {
+ name_prv = name_cur;
+ name_cur = name_cur->next;
+ mbedtls_free( name_prv );
+ }
+ signer->issuer.next = NULL;
+}
+
+/**
+ * SignerInfos ::= SET of SignerInfo
+ * Return number of signers added to the signed data,
+ * 0 or higher is valid.
+ * Return negative error code for failure.
+ **/
+static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end,
+ mbedtls_pkcs7_signer_info *signers_set )
+{
+ unsigned char *end_set;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int count = 0;
+ size_t len = 0;
+
+ ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SET );
+ if( ret != 0 )
+ {
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, ret ) );
+ }
+
+ /* Detect zero signers */
+ if( len == 0 )
+ {
+ return( 0 );
+ }
+
+ end_set = *p + len;
+
+ ret = pkcs7_get_signer_info( p, end_set, signers_set );
+ if( ret != 0 )
+ goto cleanup;
+ count++;
+
+ mbedtls_pkcs7_signer_info *prev = signers_set;
+ while( *p != end_set )
+ {
+ mbedtls_pkcs7_signer_info *signer =
+ mbedtls_calloc( 1, sizeof( mbedtls_pkcs7_signer_info ) );
+ if( !signer )
+ {
+ ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ ret = pkcs7_get_signer_info( p, end_set, signer );
+ if( ret != 0 ) {
+ mbedtls_free( signer );
+ goto cleanup;
+ }
+ prev->next = signer;
+ prev = signer;
+ count++;
+ }
+
+ return( count );
+
+cleanup:
+ pkcs7_free_signer_info( signers_set );
+ mbedtls_pkcs7_signer_info *signer = signers_set->next;
+ while( signer != NULL )
+ {
+ prev = signer;
+ signer = signer->next;
+ pkcs7_free_signer_info( prev );
+ mbedtls_free( prev );
+ }
+ signers_set->next = NULL;
+ return( ret );
+}
+
+/**
+ * SignedData ::= SEQUENCE {
+ * version Version,
+ * digestAlgorithms DigestAlgorithmIdentifiers,
+ * contentInfo ContentInfo,
+ * certificates
+ * [0] IMPLICIT ExtendedCertificatesAndCertificates
+ * OPTIONAL,
+ * crls
+ * [0] IMPLICIT CertificateRevocationLists OPTIONAL,
+ * signerInfos SignerInfos }
+ */
+static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen,
+ mbedtls_pkcs7_signed_data *signed_data )
+{
+ unsigned char *p = buf;
+ unsigned char *end = buf + buflen;
+ unsigned char *end_set;
+ size_t len = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_md_type_t md_alg;
+
+ ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE );
+ if( ret != 0 )
+ {
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret ) );
+ }
+
+ end_set = p + len;
+
+ /* Get version of signed data */
+ ret = pkcs7_get_version( &p, end_set, &signed_data->version );
+ if( ret != 0 )
+ return( ret );
+
+ /* Get digest algorithm */
+ ret = pkcs7_get_digest_algorithm_set( &p, end_set,
+ &signed_data->digest_alg_identifiers );
+ if( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_oid_get_md_alg( &signed_data->digest_alg_identifiers, &md_alg );
+ if( ret != 0 )
+ {
+ return( MBEDTLS_ERR_PKCS7_INVALID_ALG );
+ }
+
+ /* Do not expect any content */
+ ret = pkcs7_get_content_info_type( &p, end_set, &signed_data->content.oid );
+ if( ret != 0 )
+ return( ret );
+
+ if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DATA, &signed_data->content.oid ) )
+ {
+ return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO );
+ }
+
+ /* Look for certificates, there may or may not be any */
+ mbedtls_x509_crt_init( &signed_data->certs );
+ ret = pkcs7_get_certificates( &p, end_set, &signed_data->certs );
+ if( ret < 0 )
+ return( ret );
+
+ signed_data->no_of_certs = ret;
+
+ /*
+ * Currently CRLs are not supported. If CRL exist, the parsing will fail
+ * at next step of getting signers info and return error as invalid
+ * signer info.
+ */
+
+ signed_data->no_of_crls = 0;
+
+ /* Get signers info */
+ ret = pkcs7_get_signers_info_set( &p, end_set, &signed_data->signers );
+ if( ret < 0 )
+ return( ret );
+
+ signed_data->no_of_signers = ret;
+
+ /* Don't permit trailing data */
+ if ( p != end )
+ return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT );
+
+ return( 0 );
+}
+
+int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf,
+ const size_t buflen )
+{
+ unsigned char *p;
+ unsigned char *end;
+ size_t len = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int isoidset = 0;
+
+ if( pkcs7 == NULL )
+ {
+ return( MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA );
+ }
+
+ /* make an internal copy of the buffer for parsing */
+ pkcs7->raw.p = p = mbedtls_calloc( 1, buflen );
+ if( pkcs7->raw.p == NULL )
+ {
+ ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED;
+ goto out;
+ }
+ memcpy( p, buf, buflen );
+ pkcs7->raw.len = buflen;
+ end = p + buflen;
+
+ ret = pkcs7_get_content_info_type( &p, end, &pkcs7->content_type_oid );
+ if( ret != 0 )
+ {
+ len = buflen;
+ goto try_data;
+ }
+
+ if( ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DATA, &pkcs7->content_type_oid )
+ || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, &pkcs7->content_type_oid )
+ || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_ENVELOPED_DATA, &pkcs7->content_type_oid )
+ || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, &pkcs7->content_type_oid )
+ || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DIGESTED_DATA, &pkcs7->content_type_oid )
+ || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, &pkcs7->content_type_oid ) )
+ {
+ ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
+ goto out;
+ }
+
+ if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_SIGNED_DATA, &pkcs7->content_type_oid ) )
+ {
+ ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
+ goto out;
+ }
+
+ isoidset = 1;
+
+ ret = pkcs7_get_next_content_len( &p, end, &len );
+ if( ret != 0 )
+ goto out;
+
+try_data:
+ ret = pkcs7_get_signed_data( p, len, &pkcs7->signed_data );
+ if ( ret != 0 )
+ goto out;
+
+ if ( !isoidset )
+ {
+ pkcs7->content_type_oid.tag = MBEDTLS_ASN1_OID;
+ pkcs7->content_type_oid.len = MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS7_SIGNED_DATA );
+ pkcs7->content_type_oid.p = (unsigned char *)MBEDTLS_OID_PKCS7_SIGNED_DATA;
+ }
+
+ ret = MBEDTLS_PKCS7_SIGNED_DATA;
+
+out:
+ if ( ret < 0 )
+ mbedtls_pkcs7_free( pkcs7 );
+
+ return( ret );
+}
+
+static int mbedtls_pkcs7_data_or_hash_verify( mbedtls_pkcs7 *pkcs7,
+ const mbedtls_x509_crt *cert,
+ const unsigned char *data,
+ size_t datalen,
+ const int is_data_hash )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *hash;
+ mbedtls_pk_context pk_cxt = cert->pk;
+ const mbedtls_md_info_t *md_info;
+ mbedtls_md_type_t md_alg;
+ mbedtls_pkcs7_signer_info *signer;
+
+ if( pkcs7->signed_data.no_of_signers == 0 )
+ {
+ return( MBEDTLS_ERR_PKCS7_INVALID_CERT );
+ }
+
+ if( mbedtls_x509_time_is_past( &cert->valid_to ) ||
+ mbedtls_x509_time_is_future( &cert->valid_from ))
+ {
+ return( MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID );
+ }
+
+ /*
+ * Potential TODOs
+ * Currently we iterate over all signers and return success if any of them
+ * verify.
+ *
+ * However, we could make this better by checking against the certificate's
+ * identification and SignerIdentifier fields first. That would also allow
+ * us to distinguish between 'no signature for key' and 'signature for key
+ * failed to validate'.
+ *
+ * We could also cache hashes by md, so if there are several sigs all using
+ * the same algo we don't recalculate the hash each time.
+ */
+ for( signer = &pkcs7->signed_data.signers; signer; signer = signer->next )
+ {
+ ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg );
+ if( ret != 0 )
+ {
+ ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ continue;
+ }
+
+ md_info = mbedtls_md_info_from_type( md_alg );
+ if( md_info == NULL )
+ {
+ ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ continue;
+ }
+
+ hash = mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 );
+ if( hash == NULL ) {
+ return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED );
+ }
+ /* BEGIN must free hash before jumping out */
+ if( is_data_hash )
+ {
+ if( datalen != mbedtls_md_get_size( md_info ))
+ ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ else
+ memcpy(hash, data, datalen);
+ }
+ else
+ {
+ ret = mbedtls_md( md_info, data, datalen, hash );
+ }
+ if( ret != 0 )
+ {
+ ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ mbedtls_free( hash );
+ continue;
+ }
+
+ ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash,
+ mbedtls_md_get_size( md_info ),
+ signer->sig.p, signer->sig.len );
+ mbedtls_free( hash );
+ /* END must free hash before jumping out */
+
+ if( ret == 0 )
+ break;
+ }
+
+ return( ret );
+}
+int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7,
+ const mbedtls_x509_crt *cert,
+ const unsigned char *data,
+ size_t datalen )
+{
+ return( mbedtls_pkcs7_data_or_hash_verify( pkcs7, cert, data, datalen, 0 ) );
+}
+
+int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7,
+ const mbedtls_x509_crt *cert,
+ const unsigned char *hash,
+ size_t hashlen )
+{
+ return( mbedtls_pkcs7_data_or_hash_verify( pkcs7, cert, hash, hashlen, 1 ) );
+}
+
+/*
+ * Unallocate all pkcs7 data
+ */
+void mbedtls_pkcs7_free( mbedtls_pkcs7 *pkcs7 )
+{
+ mbedtls_pkcs7_signer_info *signer_cur;
+ mbedtls_pkcs7_signer_info *signer_prev;
+
+ if( pkcs7 == NULL || pkcs7->raw.p == NULL )
+ return;
+
+ mbedtls_free( pkcs7->raw.p );
+
+ mbedtls_x509_crt_free( &pkcs7->signed_data.certs );
+ mbedtls_x509_crl_free( &pkcs7->signed_data.crl );
+
+ signer_cur = pkcs7->signed_data.signers.next;
+ pkcs7_free_signer_info( &pkcs7->signed_data.signers );
+ while( signer_cur != NULL )
+ {
+ signer_prev = signer_cur;
+ signer_cur = signer_prev->next;
+ pkcs7_free_signer_info( signer_prev );
+ mbedtls_free( signer_prev );
+ }
+
+ pkcs7->raw.p = NULL;
+}
+
+#endif
diff --git a/library/poly1305.c b/library/poly1305.c
index 0850f66..4d0cdee 100644
--- a/library/poly1305.c
+++ b/library/poly1305.c
@@ -32,11 +32,6 @@
#if !defined(MBEDTLS_POLY1305_ALT)
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
#define POLY1305_BLOCK_SIZE_BYTES ( 16U )
/*
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index fe0eaa6..c73f342 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3454,8 +3454,8 @@
status = psa_driver_wrapper_cipher_encrypt(
&attributes, slot->key.data, slot->key.bytes,
alg, local_iv, default_iv_length, input, input_length,
- output + default_iv_length, output_size - default_iv_length,
- output_length );
+ mbedtls_buffer_offset( output, default_iv_length ),
+ output_size - default_iv_length, output_length );
exit:
unlock_status = psa_unlock_key_slot( slot );
diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c
index 70dc74d..91a0e3b 100644
--- a/library/psa_crypto_cipher.c
+++ b/library/psa_crypto_cipher.c
@@ -516,10 +516,10 @@
if( status != PSA_SUCCESS )
goto exit;
- status = mbedtls_psa_cipher_finish( &operation,
- output + update_output_length,
- output_size - update_output_length,
- &finish_output_length );
+ status = mbedtls_psa_cipher_finish(
+ &operation,
+ mbedtls_buffer_offset( output, update_output_length ),
+ output_size - update_output_length, &finish_output_length );
if( status != PSA_SUCCESS )
goto exit;
@@ -563,17 +563,20 @@
goto exit;
}
- status = mbedtls_psa_cipher_update( &operation, input + operation.iv_length,
- input_length - operation.iv_length,
- output, output_size, &olength );
+ status = mbedtls_psa_cipher_update(
+ &operation,
+ mbedtls_buffer_offset_const( input, operation.iv_length ),
+ input_length - operation.iv_length,
+ output, output_size, &olength );
if( status != PSA_SUCCESS )
goto exit;
accumulated_length = olength;
- status = mbedtls_psa_cipher_finish( &operation, output + accumulated_length,
- output_size - accumulated_length,
- &olength );
+ status = mbedtls_psa_cipher_finish(
+ &operation,
+ mbedtls_buffer_offset( output, accumulated_length ),
+ output_size - accumulated_length, &olength );
if( status != PSA_SUCCESS )
goto exit;
diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index 659b712..da66dae 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -197,9 +197,14 @@
psa_status_t psa_pake_setup( psa_pake_operation_t *operation,
const psa_pake_cipher_suite_t *cipher_suite)
{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
/* A context must be freshly initialized before it can be set up. */
if( operation->alg != PSA_ALG_NONE )
- return( PSA_ERROR_BAD_STATE );
+ {
+ status = PSA_ERROR_BAD_STATE;
+ goto error;
+ }
if( cipher_suite == NULL ||
PSA_ALG_IS_PAKE(cipher_suite->algorithm ) == 0 ||
@@ -207,7 +212,8 @@
cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_DH ) ||
PSA_ALG_IS_HASH( cipher_suite->hash ) == 0 )
{
- return( PSA_ERROR_INVALID_ARGUMENT );
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto error;
}
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
@@ -218,7 +224,8 @@
cipher_suite->bits != 256 ||
cipher_suite->hash != PSA_ALG_SHA_256 )
{
- return( PSA_ERROR_NOT_SUPPORTED );
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto error;
}
operation->alg = cipher_suite->algorithm;
@@ -238,7 +245,11 @@
}
else
#endif
- return( PSA_ERROR_NOT_SUPPORTED );
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+error:
+ psa_pake_abort( operation );
+ return status;
}
psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
@@ -253,12 +264,13 @@
if( operation->alg == PSA_ALG_NONE ||
operation->state != PSA_PAKE_STATE_SETUP )
{
- return( PSA_ERROR_BAD_STATE );
+ status = PSA_ERROR_BAD_STATE;
+ goto error;
}
status = psa_get_key_attributes( password, &attributes );
if( status != PSA_SUCCESS )
- return( status );
+ goto error;
type = psa_get_key_type( &attributes );
usage = psa_get_key_usage_flags( &attributes );
@@ -268,11 +280,14 @@
if( type != PSA_KEY_TYPE_PASSWORD &&
type != PSA_KEY_TYPE_PASSWORD_HASH )
{
- return( PSA_ERROR_INVALID_ARGUMENT );
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto error;
}
- if( ( usage & PSA_KEY_USAGE_DERIVE ) == 0 )
- return( PSA_ERROR_NOT_PERMITTED );
+ if( ( usage & PSA_KEY_USAGE_DERIVE ) == 0 ) {
+ status = PSA_ERROR_NOT_PERMITTED;
+ goto error;
+ }
if( operation->password != NULL )
return( PSA_ERROR_BAD_STATE );
@@ -297,47 +312,74 @@
return( status );
return( PSA_SUCCESS );
+
+error:
+ psa_pake_abort(operation);
+ return( status );
}
psa_status_t psa_pake_set_user( psa_pake_operation_t *operation,
const uint8_t *user_id,
size_t user_id_len )
{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
if( operation->alg == PSA_ALG_NONE ||
operation->state != PSA_PAKE_STATE_SETUP )
{
- return( PSA_ERROR_BAD_STATE );
+ status = PSA_ERROR_BAD_STATE;
+ goto error;
}
if( user_id_len == 0 || user_id == NULL )
- return( PSA_ERROR_INVALID_ARGUMENT );
+ {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto error;
+ }
- return( PSA_ERROR_NOT_SUPPORTED );
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+error:
+ psa_pake_abort(operation);
+ return( status );
}
psa_status_t psa_pake_set_peer( psa_pake_operation_t *operation,
const uint8_t *peer_id,
size_t peer_id_len )
{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
if( operation->alg == PSA_ALG_NONE ||
operation->state != PSA_PAKE_STATE_SETUP )
{
- return( PSA_ERROR_BAD_STATE );
+ status = PSA_ERROR_BAD_STATE;
+ goto error;
}
if( peer_id_len == 0 || peer_id == NULL )
- return( PSA_ERROR_INVALID_ARGUMENT );
+ {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto error;
+ }
- return( PSA_ERROR_NOT_SUPPORTED );
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+error:
+ psa_pake_abort(operation);
+ return( status );
}
psa_status_t psa_pake_set_role( psa_pake_operation_t *operation,
psa_pake_role_t role )
{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
if( operation->alg == PSA_ALG_NONE ||
operation->state != PSA_PAKE_STATE_SETUP )
{
- return( PSA_ERROR_BAD_STATE );
+ status = PSA_ERROR_BAD_STATE;
+ goto error;
}
if( role != PSA_PAKE_ROLE_NONE &&
@@ -346,7 +388,8 @@
role != PSA_PAKE_ROLE_CLIENT &&
role != PSA_PAKE_ROLE_SERVER )
{
- return( PSA_ERROR_INVALID_ARGUMENT );
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto error;
}
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
@@ -362,7 +405,11 @@
}
else
#endif
- return( PSA_ERROR_NOT_SUPPORTED );
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+error:
+ psa_pake_abort(operation);
+ return( status );
}
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
@@ -812,7 +859,10 @@
operation->state != PSA_PAKE_STATE_READY ||
operation->input_step != PSA_PAKE_STEP_DERIVE ||
operation->output_step != PSA_PAKE_STEP_DERIVE )
- return( PSA_ERROR_BAD_STATE );
+ {
+ status = PSA_ERROR_BAD_STATE;
+ goto error;
+ }
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
if( operation->alg == PSA_ALG_JPAKE )
@@ -842,7 +892,13 @@
}
else
#endif
- return( PSA_ERROR_NOT_SUPPORTED );
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+error:
+ psa_key_derivation_abort( output );
+ psa_pake_abort( operation );
+
+ return( status );
}
psa_status_t psa_pake_abort(psa_pake_operation_t * operation)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 4d7f635..53d50f2 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -50,17 +50,13 @@
#include "mbedtls/sha512.h"
#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
+ !defined(MBEDTLS_USE_PSA_CRYPTO)
#include "mbedtls/ecjpake.h"
#endif
#include "common.h"
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
/* Shorthand for restartable ECC */
#if defined(MBEDTLS_ECP_RESTARTABLE) && \
defined(MBEDTLS_SSL_CLI_C) && \
@@ -776,7 +772,13 @@
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */
+ mbedtls_svc_key_id_t psa_pake_password;
+ uint8_t psa_pake_ctx_is_ok;
+#else
mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_CLI_C)
unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
size_t ecjpake_cache_len; /*!< Length of cached data */
@@ -888,13 +890,6 @@
uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
#endif /* MBEDTLS_SSL_PROTO_DTLS */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- /*! TLS 1.3 transforms for 0-RTT and encrypted handshake messages.
- * Those pointers own the transforms they reference. */
- mbedtls_ssl_transform *transform_handshake;
- mbedtls_ssl_transform *transform_earlydata;
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
/*
* Checksum contexts
*/
@@ -979,6 +974,8 @@
unsigned char *certificate_request_context;
#endif
+ /** TLS 1.3 transform for encrypted handshake messages. */
+ mbedtls_ssl_transform *transform_handshake;
union
{
unsigned char early [MBEDTLS_TLS1_3_MD_MAX_SIZE];
@@ -987,6 +984,11 @@
} tls13_master_secrets;
mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ mbedtls_ssl_tls13_early_secrets tls13_early_secrets;
+ /** TLS 1.3 transform for early data and handshake messages. */
+ mbedtls_ssl_transform *transform_earlydata;
+#endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
@@ -2493,6 +2495,52 @@
}
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
+ defined(MBEDTLS_USE_PSA_CRYPTO)
+
+typedef enum {
+ MBEDTLS_ECJPAKE_ROUND_ONE,
+ MBEDTLS_ECJPAKE_ROUND_TWO
+} mbedtls_ecjpake_rounds_t;
+
+/**
+ * \brief Parse the provided input buffer for getting the first round
+ * of key exchange. This code is common between server and client
+ *
+ * \param pake_ctx [in] the PAKE's operation/context structure
+ * \param buf [in] input buffer to parse
+ * \param len [in] length of the input buffer
+ * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
+ * MBEDTLS_ECJPAKE_ROUND_TWO
+ *
+ * \return 0 on success or a negative error code in case of failure
+ */
+int mbedtls_psa_ecjpake_read_round(
+ psa_pake_operation_t *pake_ctx,
+ const unsigned char *buf,
+ size_t len, mbedtls_ecjpake_rounds_t round );
+
+/**
+ * \brief Write the first round of key exchange into the provided output
+ * buffer. This code is common between server and client
+ *
+ * \param pake_ctx [in] the PAKE's operation/context structure
+ * \param buf [out] the output buffer in which data will be written to
+ * \param len [in] length of the output buffer
+ * \param olen [out] the length of the data really written on the buffer
+ * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
+ * MBEDTLS_ECJPAKE_ROUND_TWO
+ *
+ * \return 0 on success or a negative error code in case of failure
+ */
+int mbedtls_psa_ecjpake_write_round(
+ psa_pake_operation_t *pake_ctx,
+ unsigned char *buf,
+ size_t len, size_t *olen,
+ mbedtls_ecjpake_rounds_t round );
+
+#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
+
/**
* \brief TLS record protection modes
*/
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index dbc6391..040dc80 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -382,30 +382,80 @@
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID || MBEDTLS_SSL_PROTO_TLS1_3 */
-/* `add_data` must have size 13 Bytes if the CID extension is disabled,
- * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */
+/* The size of the `add_data` structure depends on various
+ * factors, namely
+ *
+ * 1) CID functionality disabled
+ *
+ * additional_data =
+ * 8: seq_num +
+ * 1: type +
+ * 2: version +
+ * 2: length of inner plaintext +
+ *
+ * size = 13 bytes
+ *
+ * 2) CID functionality based on RFC 9146 enabled
+ *
+ * size = 8 + 1 + 1 + 1 + 2 + 2 + 6 + 2 + CID-length
+ * = 23 + CID-length
+ *
+ * 3) CID functionality based on legacy CID version
+ according to draft-ietf-tls-dtls-connection-id-05
+ * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
+ *
+ * size = 13 + 1 + CID-length
+ *
+ * More information about the CID usage:
+ *
+ * Per Section 5.3 of draft-ietf-tls-dtls-connection-id-05 the
+ * size of the additional data structure is calculated as:
+ *
+ * additional_data =
+ * 8: seq_num +
+ * 1: tls12_cid +
+ * 2: DTLSCipherText.version +
+ * n: cid +
+ * 1: cid_length +
+ * 2: length_of_DTLSInnerPlaintext
+ *
+ * Per RFC 9146 the size of the add_data structure is calculated as:
+ *
+ * additional_data =
+ * 8: seq_num_placeholder +
+ * 1: tls12_cid +
+ * 1: cid_length +
+ * 1: tls12_cid +
+ * 2: DTLSCiphertext.version +
+ * 2: epoch +
+ * 6: sequence_number +
+ * n: cid +
+ * 2: length_of_DTLSInnerPlaintext
+ *
+ */
static void ssl_extract_add_data_from_record( unsigned char* add_data,
size_t *add_data_len,
mbedtls_record *rec,
mbedtls_ssl_protocol_version
- tls_version,
+ tls_version,
size_t taglen )
{
- /* Quoting RFC 5246 (TLS 1.2):
+ /* Several types of ciphers have been defined for use with TLS and DTLS,
+ * and the MAC calculations for those ciphers differ slightly. Further
+ * variants were added when the CID functionality was added with RFC 9146.
+ * This implementations also considers the use of a legacy version of the
+ * CID specification published in draft-ietf-tls-dtls-connection-id-05,
+ * which is used in deployments.
+ *
+ * We will distinguish between the non-CID and the CID cases below.
+ *
+ * --- Non-CID cases ---
+ *
+ * Quoting RFC 5246 (TLS 1.2):
*
* additional_data = seq_num + TLSCompressed.type +
* TLSCompressed.version + TLSCompressed.length;
*
- * For the CID extension, this is extended as follows
- * (quoting draft-ietf-tls-dtls-connection-id-05,
- * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05):
- *
- * additional_data = seq_num + DTLSPlaintext.type +
- * DTLSPlaintext.version +
- * cid +
- * cid_length +
- * length_of_DTLSInnerPlaintext;
- *
* For TLS 1.3, the record sequence number is dropped from the AAD
* and encoded within the nonce of the AEAD operation instead.
* Moreover, the additional data involves the length of the TLS
@@ -421,11 +471,72 @@
*
* TLSCiphertext.length = TLSInnerPlaintext.length + taglen.
*
- */
+ * --- CID cases ---
+ *
+ * RFC 9146 uses a common pattern when constructing the data
+ * passed into a MAC / AEAD cipher.
+ *
+ * Data concatenation for MACs used with block ciphers with
+ * Encrypt-then-MAC Processing (with CID):
+ *
+ * data = seq_num_placeholder +
+ * tls12_cid +
+ * cid_length +
+ * tls12_cid +
+ * DTLSCiphertext.version +
+ * epoch +
+ * sequence_number +
+ * cid +
+ * DTLSCiphertext.length +
+ * IV +
+ * ENC(content + padding + padding_length)
+ *
+ * Data concatenation for MACs used with block ciphers (with CID):
+ *
+ * data = seq_num_placeholder +
+ * tls12_cid +
+ * cid_length +
+ * tls12_cid +
+ * DTLSCiphertext.version +
+ * epoch +
+ * sequence_number +
+ * cid +
+ * length_of_DTLSInnerPlaintext +
+ * DTLSInnerPlaintext.content +
+ * DTLSInnerPlaintext.real_type +
+ * DTLSInnerPlaintext.zeros
+ *
+ * AEAD ciphers use the following additional data calculation (with CIDs):
+ *
+ * additional_data = seq_num_placeholder +
+ * tls12_cid +
+ * cid_length +
+ * tls12_cid +
+ * DTLSCiphertext.version +
+ * epoch +
+ * sequence_number +
+ * cid +
+ * length_of_DTLSInnerPlaintext
+ *
+ * Section 5.3 of draft-ietf-tls-dtls-connection-id-05 (for legacy CID use)
+ * defines the additional data calculation as follows:
+ *
+ * additional_data = seq_num +
+ * tls12_cid +
+ * DTLSCipherText.version +
+ * cid +
+ * cid_length +
+ * length_of_DTLSInnerPlaintext
+ */
unsigned char *cur = add_data;
size_t ad_len_field = rec->data_len;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+ MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0
+ const unsigned char seq_num_placeholder[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+#endif
+
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
{
@@ -439,25 +550,72 @@
{
((void) tls_version);
((void) taglen);
- memcpy( cur, rec->ctr, sizeof( rec->ctr ) );
- cur += sizeof( rec->ctr );
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+ MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0
+ if( rec->cid_len != 0 )
+ {
+ // seq_num_placeholder
+ memcpy( cur, seq_num_placeholder, sizeof(seq_num_placeholder) );
+ cur += sizeof( seq_num_placeholder );
+
+ // tls12_cid type
+ *cur = rec->type;
+ cur++;
+
+ // cid_length
+ *cur = rec->cid_len;
+ cur++;
+ }
+ else
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+ {
+ // epoch + sequence number
+ memcpy( cur, rec->ctr, sizeof( rec->ctr ) );
+ cur += sizeof( rec->ctr );
+ }
}
+ // type
*cur = rec->type;
cur++;
+ // version
memcpy( cur, rec->ver, sizeof( rec->ver ) );
cur += sizeof( rec->ver );
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- if( rec->cid_len != 0 )
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+ MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 1
+
+ if (rec->cid_len != 0)
{
- memcpy( cur, rec->cid, rec->cid_len );
+ // CID
+ memcpy(cur, rec->cid, rec->cid_len);
cur += rec->cid_len;
+ // cid_length
*cur = rec->cid_len;
cur++;
+ // length of inner plaintext
+ MBEDTLS_PUT_UINT16_BE(ad_len_field, cur, 0);
+ cur += 2;
+ }
+ else
+#elif defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+ MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0
+
+ if( rec->cid_len != 0 )
+ {
+ // epoch + sequence number
+ memcpy(cur, rec->ctr, sizeof(rec->ctr));
+ cur += sizeof(rec->ctr);
+
+ // CID
+ memcpy( cur, rec->cid, rec->cid_len );
+ cur += rec->cid_len;
+
+ // length of inner plaintext
MBEDTLS_PUT_UINT16_BE( ad_len_field, cur, 0 );
cur += 2;
}
@@ -532,7 +690,14 @@
mbedtls_ssl_mode_t ssl_mode;
int auth_done = 0;
unsigned char * data;
- unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ];
+ /* For an explanation of the additional data length see
+ * the descrpition of ssl_extract_add_data_from_record().
+ */
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ unsigned char add_data[23 + MBEDTLS_SSL_CID_OUT_LEN_MAX];
+#else
+ unsigned char add_data[13];
+#endif
size_t add_data_len;
size_t post_avail;
@@ -1015,13 +1180,7 @@
size_t sign_mac_length = 0;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
- /*
- * MAC(MAC_write_key, seq_num +
- * TLSCipherText.type +
- * TLSCipherText.version +
- * length_of( (IV +) ENC(...) ) +
- * IV +
- * ENC(content + padding + padding_length));
+ /* MAC(MAC_write_key, add_data, IV, ENC(content + padding + padding_length))
*/
if( post_avail < transform->maclen)
@@ -1129,7 +1288,14 @@
size_t padlen = 0, correct = 1;
#endif
unsigned char* data;
- unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ];
+ /* For an explanation of the additional data length see
+ * the descrpition of ssl_extract_add_data_from_record().
+ */
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ unsigned char add_data[23 + MBEDTLS_SSL_CID_IN_LEN_MAX];
+#else
+ unsigned char add_data[13];
+#endif
size_t add_data_len;
#if !defined(MBEDTLS_DEBUG_C)
@@ -1907,7 +2073,7 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
mbedtls_ssl_set_timer( ssl, 0 );
- if( mbedtls_ssl_is_handshake_over( ssl ) == 0 )
+ if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
{
if( ssl_double_retransmit_timeout( ssl ) != 0 )
{
@@ -3481,7 +3647,7 @@
{
/* Shift pointers to account for record header including CID
* struct {
- * ContentType special_type = tls12_cid;
+ * ContentType outer_type = tls12_cid;
* ProtocolVersion version;
* uint16 epoch;
* uint48 sequence_number;
@@ -5299,7 +5465,7 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "NewSessionTicket received" ) );
mbedtls_ssl_handshake_set_state( ssl,
- MBEDTLS_SSL_NEW_SESSION_TICKET );
+ MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET );
return( MBEDTLS_ERR_SSL_WANT_READ );
}
@@ -5502,7 +5668,7 @@
}
#endif
- if( mbedtls_ssl_is_handshake_over( ssl ) == 0 )
+ if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
{
ret = mbedtls_ssl_handshake( ssl );
if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
@@ -5758,7 +5924,7 @@
}
#endif
- if( mbedtls_ssl_is_handshake_over( ssl ) == 0 )
+ if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
{
if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
{
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index da90b23..83f2b3c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -907,7 +907,12 @@
mbedtls_ecdh_init( &handshake->ecdh_ctx );
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ handshake->psa_pake_ctx = psa_pake_operation_init();
+ handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
+#else
mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_CLI_C)
handshake->ecjpake_cache = NULL;
handshake->ecjpake_cache_len = 0;
@@ -1442,9 +1447,11 @@
if( ssl->handshake != NULL )
{
+#if defined(MBEDTLS_SSL_EARLY_DATA)
mbedtls_ssl_transform_free( ssl->handshake->transform_earlydata );
mbedtls_free( ssl->handshake->transform_earlydata );
ssl->handshake->transform_earlydata = NULL;
+#endif
mbedtls_ssl_transform_free( ssl->handshake->transform_handshake );
mbedtls_free( ssl->handshake->transform_handshake );
@@ -1850,6 +1857,73 @@
/*
* Set EC J-PAKE password for current handshake
*/
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
+ const unsigned char *pw,
+ size_t pw_len )
+{
+ psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_pake_role_t psa_role;
+ psa_status_t status;
+
+ if( ssl->handshake == NULL || ssl->conf == NULL )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+ psa_role = PSA_PAKE_ROLE_SERVER;
+ else
+ psa_role = PSA_PAKE_ROLE_CLIENT;
+
+ /* Empty password is not valid */
+ if( ( pw == NULL) || ( pw_len == 0 ) )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE );
+ psa_set_key_algorithm( &attributes, PSA_ALG_JPAKE );
+ psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD );
+
+ status = psa_import_key( &attributes, pw, pw_len,
+ &ssl->handshake->psa_pake_password );
+ if( status != PSA_SUCCESS )
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+
+ psa_pake_cs_set_algorithm( &cipher_suite, PSA_ALG_JPAKE );
+ psa_pake_cs_set_primitive( &cipher_suite,
+ PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC,
+ PSA_ECC_FAMILY_SECP_R1,
+ 256) );
+ psa_pake_cs_set_hash( &cipher_suite, PSA_ALG_SHA_256 );
+
+ status = psa_pake_setup( &ssl->handshake->psa_pake_ctx, &cipher_suite );
+ if( status != PSA_SUCCESS )
+ {
+ psa_destroy_key( ssl->handshake->psa_pake_password );
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+ }
+
+ status = psa_pake_set_role( &ssl->handshake->psa_pake_ctx, psa_role );
+ if( status != PSA_SUCCESS )
+ {
+ psa_destroy_key( ssl->handshake->psa_pake_password );
+ psa_pake_abort( &ssl->handshake->psa_pake_ctx );
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+ }
+
+ psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx,
+ ssl->handshake->psa_pake_password );
+ if( status != PSA_SUCCESS )
+ {
+ psa_destroy_key( ssl->handshake->psa_pake_password );
+ psa_pake_abort( &ssl->handshake->psa_pake_ctx );
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+ }
+
+ ssl->handshake->psa_pake_ctx_is_ok = 1;
+
+ return( 0 );
+}
+#else /* MBEDTLS_USE_PSA_CRYPTO */
int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
const unsigned char *pw,
size_t pw_len )
@@ -1870,6 +1944,7 @@
MBEDTLS_ECP_DP_SECP256R1,
pw, pw_len ) );
}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
@@ -3602,7 +3677,7 @@
if( ssl == NULL ||
ssl->conf == NULL ||
ssl->handshake == NULL ||
- mbedtls_ssl_is_handshake_over( ssl ) == 1 )
+ ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
{
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@@ -3706,7 +3781,7 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
/* Main handshake loop */
- while( mbedtls_ssl_is_handshake_over( ssl ) == 0 )
+ while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
{
ret = mbedtls_ssl_handshake_step( ssl );
@@ -3908,8 +3983,15 @@
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C)
mbedtls_ecdh_free( &handshake->ecdh_ctx );
#endif
+
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_pake_abort( &handshake->psa_pake_ctx );
+ psa_destroy_key( handshake->psa_pake_password );
+ handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
+#else
mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_CLI_C)
mbedtls_free( handshake->ecjpake_cache );
handshake->ecjpake_cache = NULL;
@@ -3987,9 +4069,11 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_transform_free( handshake->transform_handshake );
+ mbedtls_free( handshake->transform_handshake );
+#if defined(MBEDTLS_SSL_EARLY_DATA)
mbedtls_ssl_transform_free( handshake->transform_earlydata );
mbedtls_free( handshake->transform_earlydata );
- mbedtls_free( handshake->transform_handshake );
+#endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
@@ -6123,6 +6207,55 @@
else
#endif
{
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ if( handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+ {
+ psa_status_t status;
+ psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
+ psa_key_derivation_operation_t derivation =
+ PSA_KEY_DERIVATION_OPERATION_INIT;
+
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PMS KDF for ECJPAKE" ) );
+
+ handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE;
+
+ status = psa_key_derivation_setup( &derivation, alg );
+ if( status != PSA_SUCCESS )
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+
+ status = psa_key_derivation_set_capacity( &derivation,
+ PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE );
+ if( status != PSA_SUCCESS )
+ {
+ psa_key_derivation_abort( &derivation );
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+ }
+
+ status = psa_pake_get_implicit_key( &handshake->psa_pake_ctx,
+ &derivation );
+ if( status != PSA_SUCCESS )
+ {
+ psa_key_derivation_abort( &derivation );
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+ }
+
+ status = psa_key_derivation_output_bytes( &derivation,
+ handshake->premaster,
+ handshake->pmslen );
+ if( status != PSA_SUCCESS )
+ {
+ psa_key_derivation_abort( &derivation );
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+ }
+
+ status = psa_key_derivation_abort( &derivation );
+ if( status != PSA_SUCCESS )
+ {
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+ }
+ }
+#endif
ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
lbl, seed, seed_len,
master,
@@ -7544,7 +7677,7 @@
#endif
mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
}
@@ -8306,6 +8439,99 @@
return( ret );
}
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
+ defined(MBEDTLS_USE_PSA_CRYPTO)
+int mbedtls_psa_ecjpake_read_round(
+ psa_pake_operation_t *pake_ctx,
+ const unsigned char *buf,
+ size_t len, mbedtls_ecjpake_rounds_t round )
+{
+ psa_status_t status;
+ size_t input_offset = 0;
+ /*
+ * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
+ * At round two perform a single cycle
+ */
+ unsigned int remaining_steps = ( round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
+
+ for( ; remaining_steps > 0; remaining_steps-- )
+ {
+ for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
+ step <= PSA_PAKE_STEP_ZK_PROOF;
+ ++step )
+ {
+ /* Length is stored at the first byte */
+ size_t length = buf[input_offset];
+ input_offset += 1;
+
+ if( input_offset + length > len )
+ {
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ status = psa_pake_input( pake_ctx, step,
+ buf + input_offset, length );
+ if( status != PSA_SUCCESS)
+ {
+ return psa_ssl_status_to_mbedtls( status );
+ }
+
+ input_offset += length;
+ }
+ }
+
+ if( input_offset != len )
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+
+ return( 0 );
+}
+
+int mbedtls_psa_ecjpake_write_round(
+ psa_pake_operation_t *pake_ctx,
+ unsigned char *buf,
+ size_t len, size_t *olen,
+ mbedtls_ecjpake_rounds_t round )
+{
+ psa_status_t status;
+ size_t output_offset = 0;
+ size_t output_len;
+ /*
+ * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
+ * At round two perform a single cycle
+ */
+ unsigned int remaining_steps = ( round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
+
+ for( ; remaining_steps > 0; remaining_steps-- )
+ {
+ for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
+ step <= PSA_PAKE_STEP_ZK_PROOF;
+ ++step )
+ {
+ /*
+ * For each step, prepend 1 byte with the length of the data as
+ * given by psa_pake_output().
+ */
+ status = psa_pake_output( pake_ctx, step,
+ buf + output_offset + 1,
+ len - output_offset - 1,
+ &output_len );
+ if( status != PSA_SUCCESS )
+ {
+ return( psa_ssl_status_to_mbedtls( status ) );
+ }
+
+ *(buf + output_offset) = (uint8_t) output_len;
+
+ output_offset += output_len + 1;
+ }
+ }
+
+ *olen = output_offset;
+
+ return( 0 );
+}
+#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
+
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
unsigned char *hash, size_t *hashlen,
@@ -8864,8 +9090,13 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+ ssl->handshake->psa_pake_ctx_is_ok != 1 )
+#else
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
return( -1 );
}
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 21b3ba6..5def8b6 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -132,13 +132,18 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *p = buf;
- size_t kkpp_len;
+ size_t kkpp_len = 0;
*olen = 0;
/* Skip costly extension if we can't use EC J-PAKE anyway */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( ssl->handshake->psa_pake_ctx_is_ok != 1 )
+ return( 0 );
+#else
if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
return( 0 );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_SSL_DEBUG_MSG( 3,
( "client hello, adding ecjpake_kkpp extension" ) );
@@ -158,6 +163,18 @@
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
+ p + 2, end - p - 2, &kkpp_len,
+ MBEDTLS_ECJPAKE_ROUND_ONE );
+ if ( ret != 0 )
+ {
+ psa_destroy_key( ssl->handshake->psa_pake_password );
+ psa_pake_abort( &ssl->handshake->psa_pake_ctx );
+ MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret );
+ return( ret );
+ }
+#else
ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
p + 2, end - p - 2, &kkpp_len,
ssl->conf->f_rng, ssl->conf->p_rng );
@@ -167,6 +184,7 @@
"mbedtls_ecjpake_write_round_one", ret );
return( ret );
}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
if( ssl->handshake->ecjpake_cache == NULL )
@@ -208,9 +226,6 @@
size_t ext_len;
/*
- * Quoting draft-ietf-tls-dtls-connection-id-05
- * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
- *
* struct {
* opaque cid<0..2^8-1>;
* } ConnectionId;
@@ -849,10 +864,11 @@
ssl->handshake->ecdh_ctx.point_format = p[0];
#endif /* !MBEDTLS_USE_PSA_CRYPTO &&
( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
mbedtls_ecjpake_set_point_format( &ssl->handshake->ecjpake_ctx,
p[0] );
-#endif
+#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
return( 0 );
}
@@ -889,6 +905,24 @@
ssl->handshake->ecjpake_cache = NULL;
ssl->handshake->ecjpake_cache_len = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( ( ret = mbedtls_psa_ecjpake_read_round(
+ &ssl->handshake->psa_pake_ctx, buf, len,
+ MBEDTLS_ECJPAKE_ROUND_ONE ) ) != 0 )
+ {
+ psa_destroy_key( ssl->handshake->psa_pake_password );
+ psa_pake_abort( &ssl->handshake->psa_pake_ctx );
+
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ return( ret );
+ }
+
+ return( 0 );
+#else
if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
buf, len ) ) != 0 )
{
@@ -901,6 +935,7 @@
}
return( 0 );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
@@ -2296,6 +2331,47 @@
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ /*
+ * The first 3 bytes are:
+ * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
+ * [1, 2] elliptic curve's TLS ID
+ *
+ * However since we only support secp256r1 for now, we check only
+ * that TLS ID here
+ */
+ uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE( p, 1 );
+ const mbedtls_ecp_curve_info *curve_info;
+
+ if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id(
+ MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL )
+ {
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+ }
+
+ if( ( *p != MBEDTLS_ECP_TLS_NAMED_CURVE ) ||
+ ( read_tls_id != curve_info->tls_id ) )
+ {
+ return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ }
+
+ p += 3;
+
+ if( ( ret = mbedtls_psa_ecjpake_read_round(
+ &ssl->handshake->psa_pake_ctx, p, end - p,
+ MBEDTLS_ECJPAKE_ROUND_TWO ) ) != 0 )
+ {
+ psa_destroy_key( ssl->handshake->psa_pake_password );
+ psa_pake_abort( &ssl->handshake->psa_pake_ctx );
+
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round two", ret );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ }
+#else
ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
p, end - p );
if( ret != 0 )
@@ -2307,6 +2383,7 @@
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
else
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
@@ -3227,6 +3304,21 @@
{
header_len = 4;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ unsigned char *out_p = ssl->out_msg + header_len;
+ unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
+ header_len;
+ ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx,
+ out_p, end_p - out_p, &content_len,
+ MBEDTLS_ECJPAKE_ROUND_TWO );
+ if ( ret != 0 )
+ {
+ psa_destroy_key( ssl->handshake->psa_pake_password );
+ psa_pake_abort( &ssl->handshake->psa_pake_ctx );
+ MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret );
+ return( ret );
+ }
+#else
ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
ssl->out_msg + header_len,
MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
@@ -3246,6 +3338,7 @@
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
return( ret );
}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
else
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 3dab246..eeb579a 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -268,10 +268,11 @@
ssl->handshake->ecdh_ctx.point_format = p[0];
#endif /* !MBEDTLS_USE_PSA_CRYPTO &&
( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
mbedtls_ecjpake_set_point_format( &ssl->handshake->ecjpake_ctx,
p[0] );
-#endif
+#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
return( 0 );
}
@@ -289,16 +290,37 @@
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
const unsigned char *buf,
- size_t len )
+ size_t len)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( ssl->handshake->psa_pake_ctx_is_ok != 1 )
+#else
if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
return( 0 );
}
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( ( ret = mbedtls_psa_ecjpake_read_round(
+ &ssl->handshake->psa_pake_ctx, buf, len,
+ MBEDTLS_ECJPAKE_ROUND_ONE ) ) != 0 )
+ {
+ psa_destroy_key( ssl->handshake->psa_pake_password );
+ psa_pake_abort( &ssl->handshake->psa_pake_ctx );
+
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+
+ return( ret );
+ }
+#else
if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
buf, len ) ) != 0 )
{
@@ -307,6 +329,7 @@
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( ret );
}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Only mark the extension as OK when we're sure it is */
ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
@@ -353,9 +376,6 @@
}
/*
- * Quoting draft-ietf-tls-dtls-connection-id-05
- * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
- *
* struct {
* opaque cid<0..2^8-1>;
* } ConnectionId;
@@ -1752,9 +1772,6 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding CID extension" ) );
/*
- * Quoting draft-ietf-tls-dtls-connection-id-05
- * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
- *
* struct {
* opaque cid<0..2^8-1>;
* } ConnectionId;
@@ -1996,6 +2013,18 @@
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0 );
p += 2;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx,
+ p + 2, end - p - 2, &kkpp_len,
+ MBEDTLS_ECJPAKE_ROUND_ONE );
+ if ( ret != 0 )
+ {
+ psa_destroy_key( ssl->handshake->psa_pake_password );
+ psa_pake_abort( &ssl->handshake->psa_pake_ctx );
+ MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret );
+ return;
+ }
+#else
ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
p + 2, end - p - 2, &kkpp_len,
ssl->conf->f_rng, ssl->conf->p_rng );
@@ -2004,6 +2033,7 @@
MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
return;
}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_PUT_UINT16_BE( kkpp_len, p, 0 );
p += 2;
@@ -2813,6 +2843,46 @@
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
+ unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
+ ssl->out_msglen;
+ size_t output_offset = 0;
+ size_t output_len = 0;
+ const mbedtls_ecp_curve_info *curve_info;
+
+ /*
+ * The first 3 bytes are:
+ * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
+ * [1, 2] elliptic curve's TLS ID
+ *
+ * However since we only support secp256r1 for now, we hardcode its
+ * TLS ID here
+ */
+ if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id(
+ MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL )
+ {
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+ }
+ *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
+ MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p, 1 );
+ output_offset += 3;
+
+ ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx,
+ out_p + output_offset,
+ end_p - out_p - output_offset, &output_len,
+ MBEDTLS_ECJPAKE_ROUND_TWO );
+ if( ret != 0 )
+ {
+ psa_destroy_key( ssl->handshake->psa_pake_password );
+ psa_pake_abort( &ssl->handshake->psa_pake_ctx );
+ MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret );
+ return( ret );
+ }
+
+ output_offset += output_len;
+ ssl->out_msglen += output_offset;
+#else
size_t len = 0;
ret = mbedtls_ecjpake_write_round_two(
@@ -2827,6 +2897,7 @@
}
ssl->out_msglen += len;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
@@ -4044,6 +4115,18 @@
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( ( ret = mbedtls_psa_ecjpake_read_round(
+ &ssl->handshake->psa_pake_ctx, p, end - p,
+ MBEDTLS_ECJPAKE_ROUND_TWO ) ) != 0 )
+ {
+ psa_destroy_key( ssl->handshake->psa_pake_password );
+ psa_pake_abort( &ssl->handshake->psa_pake_ctx );
+
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round two", ret );
+ return( ret );
+ }
+#else
ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
p, end - p );
if( ret != 0 )
@@ -4060,6 +4143,7 @@
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
return( ret );
}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
else
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 0372f2d..0109f77 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1183,11 +1183,11 @@
return( ret );
p += ext_len;
- /* Initializes the status to `indication sent`. It will be updated to
- * `accepted` or `rejected` depending on whether the EncryptedExtension
- * message will contain an early data indication extension or not.
+ /* Initializes the status to `rejected`. It will be updated to
+ * `accepted` if the EncryptedExtension message contain an early data
+ * indication extension.
*/
- ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT;
+ ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
}
else
{
@@ -2060,6 +2060,21 @@
break;
#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ case MBEDTLS_TLS_EXT_EARLY_DATA:
+
+ if( extension_data_len != 0 )
+ {
+ /* The message must be empty. */
+ MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR );
+ return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+ }
+
+ break;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
default:
MBEDTLS_SSL_PRINT_EXT(
3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
@@ -2102,6 +2117,14 @@
MBEDTLS_SSL_PROC_CHK(
ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) );
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if( ssl->handshake->received_extensions &
+ MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) )
+ {
+ ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
+ }
+#endif
+
mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
buf, buf_len );
@@ -2743,7 +2766,7 @@
}
/*
- * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
+ * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
*/
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_process_new_session_ticket( mbedtls_ssl_context *ssl )
@@ -2857,7 +2880,7 @@
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- case MBEDTLS_SSL_NEW_SESSION_TICKET:
+ case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
ret = ssl_tls13_process_new_session_ticket( ssl );
if( ret != 0 )
break;
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index ec84a99..cef6144 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -215,6 +215,33 @@
return( psa_ssl_status_to_mbedtls ( status ) );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_make_traffic_key(
+ psa_algorithm_t hash_alg,
+ const unsigned char *secret, size_t secret_len,
+ unsigned char *key, size_t key_len,
+ unsigned char *iv, size_t iv_len )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_ssl_tls13_hkdf_expand_label(
+ hash_alg,
+ secret, secret_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
+ NULL, 0,
+ key, key_len );
+ if( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_ssl_tls13_hkdf_expand_label(
+ hash_alg,
+ secret, secret_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
+ NULL, 0,
+ iv, iv_len );
+ return( ret );
+}
+
/*
* The traffic keying material is generated from the following inputs:
*
@@ -240,35 +267,17 @@
{
int ret = 0;
- ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
- client_secret, secret_len,
- MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
- NULL, 0,
- keys->client_write_key, key_len );
+ ret = ssl_tls13_make_traffic_key(
+ hash_alg, client_secret, secret_len,
+ keys->client_write_key, key_len,
+ keys->client_write_iv, iv_len );
if( ret != 0 )
return( ret );
- ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
- server_secret, secret_len,
- MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
- NULL, 0,
- keys->server_write_key, key_len );
- if( ret != 0 )
- return( ret );
-
- ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
- client_secret, secret_len,
- MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
- NULL, 0,
- keys->client_write_iv, iv_len );
- if( ret != 0 )
- return( ret );
-
- ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
- server_secret, secret_len,
- MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
- NULL, 0,
- keys->server_write_iv, iv_len );
+ ret = ssl_tls13_make_traffic_key(
+ hash_alg, server_secret, secret_len,
+ keys->server_write_key, key_len,
+ keys->server_write_iv, iv_len );
if( ret != 0 )
return( ret );
@@ -1052,6 +1061,194 @@
return( 0 );
}
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_get_cipher_key_info(
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
+ size_t *key_len, size_t *iv_len )
+{
+ psa_key_type_t key_type;
+ psa_algorithm_t alg;
+ size_t taglen;
+ size_t key_bits;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG )
+ taglen = 8;
+ else
+ taglen = 16;
+
+ status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, taglen,
+ &alg, &key_type, &key_bits );
+ if( status != PSA_SUCCESS )
+ return psa_ssl_status_to_mbedtls( status );
+
+ *key_len = PSA_BITS_TO_BYTES( key_bits );
+
+ /* TLS 1.3 only have AEAD ciphers, IV length is unconditionally 12 bytes */
+ *iv_len = 12;
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+/*
+ * ssl_tls13_generate_early_key() generates the key necessary for protecting
+ * the early application data and handshake messages as described in section 7
+ * of RFC 8446.
+ *
+ * NOTE: Only one key is generated, the key for the traffic from the client to
+ * the server. The TLS 1.3 specification does not define a secret and thus
+ * a key for server early traffic.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl,
+ mbedtls_ssl_key_set *traffic_keys )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_md_type_t md_type;
+ psa_algorithm_t hash_alg;
+ size_t hash_len;
+ unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ size_t transcript_len;
+ size_t key_len;
+ size_t iv_len;
+
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info;
+ mbedtls_ssl_tls13_early_secrets *tls13_early_secrets = &handshake->tls13_early_secrets;
+
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_tls13_generate_early_key" ) );
+
+ ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, &key_len, &iv_len );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret );
+ goto cleanup;
+ }
+
+ md_type = ciphersuite_info->mac;
+
+ hash_alg = mbedtls_hash_info_psa_from_md( ciphersuite_info->mac );
+ hash_len = PSA_HASH_LENGTH( hash_alg );
+
+ ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type,
+ transcript,
+ sizeof( transcript ),
+ &transcript_len );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1,
+ "mbedtls_ssl_get_handshake_transcript",
+ ret );
+ goto cleanup;
+ }
+
+ ret = mbedtls_ssl_tls13_derive_early_secrets(
+ hash_alg, handshake->tls13_master_secrets.early,
+ transcript, transcript_len, tls13_early_secrets );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_tls13_derive_early_secrets", ret );
+ goto cleanup;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(
+ 4, "Client early traffic secret",
+ tls13_early_secrets->client_early_traffic_secret, hash_len );
+
+ /*
+ * Export client handshake traffic secret
+ */
+ if( ssl->f_export_keys != NULL )
+ {
+ ssl->f_export_keys(
+ ssl->p_export_keys,
+ MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET,
+ tls13_early_secrets->client_early_traffic_secret,
+ hash_len,
+ handshake->randbytes,
+ handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
+ MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ );
+ }
+
+ ret = ssl_tls13_make_traffic_key(
+ hash_alg,
+ tls13_early_secrets->client_early_traffic_secret,
+ hash_len, traffic_keys->client_write_key, key_len,
+ traffic_keys->client_write_iv, iv_len );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_make_traffic_key", ret );
+ goto cleanup;
+ }
+ traffic_keys->key_len = key_len;
+ traffic_keys->iv_len = iv_len;
+
+ MBEDTLS_SSL_DEBUG_BUF( 4, "client early write_key",
+ traffic_keys->client_write_key,
+ traffic_keys->key_len);
+
+ MBEDTLS_SSL_DEBUG_BUF( 4, "client early write_iv",
+ traffic_keys->client_write_iv,
+ traffic_keys->iv_len);
+
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_tls13_generate_early_key" ) );
+
+cleanup:
+ /* Erase secret and transcript */
+ mbedtls_platform_zeroize(
+ tls13_early_secrets, sizeof( mbedtls_ssl_tls13_early_secrets ) );
+ mbedtls_platform_zeroize( transcript, sizeof( transcript ) );
+ return( ret );
+}
+
+int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_key_set traffic_keys;
+ mbedtls_ssl_transform *transform_earlydata = NULL;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ /* Next evolution in key schedule: Establish early_data secret and
+ * key material. */
+ ret = ssl_tls13_generate_early_key( ssl, &traffic_keys );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_generate_early_key",
+ ret );
+ goto cleanup;
+ }
+
+ transform_earlydata = mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
+ if( transform_earlydata == NULL )
+ {
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ ret = mbedtls_ssl_tls13_populate_transform(
+ transform_earlydata,
+ ssl->conf->endpoint,
+ ssl->session_negotiate->ciphersuite,
+ &traffic_keys,
+ ssl );
+ if( ret != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
+ goto cleanup;
+ }
+ handshake->transform_earlydata = transform_earlydata;
+
+cleanup:
+ mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
+ if( ret != 0 )
+ mbedtls_free( transform_earlydata );
+
+ return( ret );
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -1098,51 +1295,19 @@
return( 0 );
}
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int mbedtls_ssl_tls13_get_cipher_key_info(
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
- size_t *key_len, size_t *iv_len )
-{
- psa_key_type_t key_type;
- psa_algorithm_t alg;
- size_t taglen;
- size_t key_bits;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG )
- taglen = 8;
- else
- taglen = 16;
-
- status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, taglen,
- &alg, &key_type, &key_bits );
- if( status != PSA_SUCCESS )
- return psa_ssl_status_to_mbedtls( status );
-
- *key_len = PSA_BITS_TO_BYTES( key_bits );
-
- /* TLS 1.3 only have AEAD ciphers, IV length is unconditionally 12 bytes */
- *iv_len = 12;
-
- return 0;
-}
-
/* mbedtls_ssl_tls13_generate_handshake_keys() generates keys necessary for
* protecting the handshake messages, as described in Section 7 of TLS 1.3. */
int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl,
mbedtls_ssl_key_set *traffic_keys )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
mbedtls_md_type_t md_type;
-
psa_algorithm_t hash_alg;
size_t hash_len;
-
unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
size_t transcript_len;
-
- size_t key_len, iv_len;
+ size_t key_len;
+ size_t iv_len;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info;
@@ -1150,11 +1315,10 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) );
- ret = mbedtls_ssl_tls13_get_cipher_key_info( ciphersuite_info,
- &key_len, &iv_len );
+ ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, &key_len, &iv_len );
if( ret != 0 )
{
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_get_cipher_key_info", ret );
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret );
return ret;
}
@@ -1370,11 +1534,11 @@
/* Extract basic information about hash and ciphersuite */
- ret = mbedtls_ssl_tls13_get_cipher_key_info( handshake->ciphersuite_info,
- &key_len, &iv_len );
+ ret = ssl_tls13_get_cipher_key_info( handshake->ciphersuite_info,
+ &key_len, &iv_len );
if( ret != 0 )
{
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_get_cipher_key_info", ret );
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret );
goto cleanup;
}
diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h
index 966b5c5..fc64737 100644
--- a/library/ssl_tls13_keys.h
+++ b/library/ssl_tls13_keys.h
@@ -667,6 +667,27 @@
size_t *actual_len,
int which );
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+/**
+ * \brief Compute TLS 1.3 early transform
+ *
+ * \param ssl The SSL context to operate on.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ *
+ * \warning The function does not compute the early master secret. Call
+ * mbedtls_ssl_tls13_key_schedule_stage_early() before to
+ * call this function to generate the early master secret.
+ * \note For a client/server endpoint, the function computes only the
+ * encryption/decryption part of the transform as the decryption/
+ * encryption part is not defined by the specification (no early
+ * traffic from the server to the client).
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
/**
* \brief Compute TLS 1.3 handshake transform
*
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 3cd0310..ce8767c 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -2628,7 +2628,7 @@
mbedtls_ssl_tls13_handshake_wrapup( ssl );
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET );
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET );
#else
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
#endif
@@ -2636,7 +2636,7 @@
}
/*
- * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
+ * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
*/
#define SSL_NEW_SESSION_TICKET_SKIP 0
#define SSL_NEW_SESSION_TICKET_WRITE 1
@@ -2872,7 +2872,7 @@
}
/*
- * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
+ * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
*/
static int ssl_tls13_write_new_session_ticket( mbedtls_ssl_context *ssl )
{
@@ -2908,8 +2908,8 @@
else
ssl->handshake->new_session_tickets_count--;
- mbedtls_ssl_handshake_set_state( ssl,
- MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH );
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH );
}
else
{
@@ -3045,7 +3045,7 @@
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- case MBEDTLS_SSL_NEW_SESSION_TICKET:
+ case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
ret = ssl_tls13_write_new_session_ticket( ssl );
if( ret != 0 )
{
@@ -3054,9 +3054,9 @@
ret );
}
break;
- case MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH:
+ case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH:
/* This state is necessary to do the flush of the New Session
- * Ticket message written in MBEDTLS_SSL_NEW_SESSION_TICKET
+ * Ticket message written in MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
* as part of ssl_prepare_handshake_step.
*/
ret = 0;
@@ -3064,7 +3064,7 @@
if( ssl->handshake->new_session_tickets_count == 0 )
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
else
- mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET );
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET );
break;
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
diff --git a/programs/fuzz/.gitignore b/programs/fuzz/.gitignore
index 5dc0960..34e3ed0 100644
--- a/programs/fuzz/.gitignore
+++ b/programs/fuzz/.gitignore
@@ -1,6 +1,7 @@
fuzz_client
fuzz_dtlsclient
fuzz_dtlsserver
+fuzz_pkcs7
fuzz_privkey
fuzz_pubkey
fuzz_server
diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt
index c7fcd35..7747744 100644
--- a/programs/fuzz/CMakeLists.txt
+++ b/programs/fuzz/CMakeLists.txt
@@ -12,6 +12,7 @@
fuzz_x509crl
fuzz_x509crt
fuzz_x509csr
+ fuzz_pkcs7
)
set(executables_with_common_c
diff --git a/programs/fuzz/fuzz_pkcs7.c b/programs/fuzz/fuzz_pkcs7.c
new file mode 100644
index 0000000..960007d
--- /dev/null
+++ b/programs/fuzz/fuzz_pkcs7.c
@@ -0,0 +1,19 @@
+#include <stdint.h>
+#include "mbedtls/pkcs7.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#ifdef MBEDTLS_PKCS7_C
+ mbedtls_pkcs7 pkcs7;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+
+ mbedtls_pkcs7_parse_der( &pkcs7, Data, Size );
+
+ mbedtls_pkcs7_free( &pkcs7 );
+#else
+ (void) Data;
+ (void) Size;
+#endif
+
+ return 0;
+}
diff --git a/programs/fuzz/fuzz_pkcs7.options b/programs/fuzz/fuzz_pkcs7.options
new file mode 100644
index 0000000..0824b19
--- /dev/null
+++ b/programs/fuzz/fuzz_pkcs7.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 65535
diff --git a/scripts/config.py b/scripts/config.py
index 470c63d..7e58acd 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -311,6 +311,7 @@
if name in [
'MBEDTLS_DEBUG_C', # part of libmbedtls
'MBEDTLS_NET_C', # part of libmbedtls
+ 'MBEDTLS_PKCS7_C', # part of libmbedx509
]:
return False
return True
diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl
index 41b0337..5395abf 100755
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@@ -52,7 +52,7 @@
SHA1 SHA256 SHA512 THREADING );
my @high_level_modules = qw( CIPHER DHM ECP MD
PEM PK PKCS12 PKCS5
- RSA SSL X509 );
+ RSA SSL X509 PKCS7 );
undef $/;
@@ -136,6 +136,7 @@
$define_name = "ASN1_PARSE" if ($define_name eq "ASN1");
$define_name = "SSL_TLS" if ($define_name eq "SSL");
$define_name = "PEM_PARSE,PEM_WRITE" if ($define_name eq "PEM");
+ $define_name = "PKCS7" if ($define_name eq "PKCS7");
my $include_name = $module_name;
$include_name =~ tr/A-Z/a-z/;
diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py
index 4910dae..2960d24 100644
--- a/scripts/mbedtls_dev/bignum_core.py
+++ b/scripts/mbedtls_dev/bignum_core.py
@@ -755,6 +755,23 @@
# BEGIN MERGE SLOT 1
+class BignumCoreExpMod(BignumCoreTarget, bignum_common.ModOperationCommon):
+ """Test cases for bignum core exponentiation."""
+ symbol = "^"
+ test_function = "mpi_core_exp_mod"
+ test_name = "Core modular exponentiation"
+ input_style = "fixed"
+
+ def result(self) -> List[str]:
+ result = pow(self.int_a, self.int_b, self.int_n)
+ return [self.format_result(result)]
+
+ @property
+ def is_valid(self) -> bool:
+ # The base needs to be canonical, but the exponent can be larger than
+ # the modulus (see for example exponent blinding)
+ return bool(self.int_a < self.int_n)
+
# END MERGE SLOT 1
# BEGIN MERGE SLOT 2
@@ -763,6 +780,37 @@
# BEGIN MERGE SLOT 3
+class BignumCoreSubInt(BignumCoreTarget, bignum_common.OperationCommon):
+ """Test cases for bignum core sub int."""
+ count = 0
+ symbol = "-"
+ test_function = "mpi_core_sub_int"
+ test_name = "mpi_core_sub_int"
+ input_style = "arch_split"
+
+ @property
+ def is_valid(self) -> bool:
+ # This is "sub int", so b is only one limb
+ if bignum_common.limbs_mpi(self.int_b, self.bits_in_limb) > 1:
+ return False
+ return True
+
+ # Overriding because we don't want leading zeros on b
+ @property
+ def arg_b(self) -> str:
+ return self.val_b
+
+ def result(self) -> List[str]:
+ result = self.int_a - self.int_b
+
+ borrow, result = divmod(result, self.limb_boundary)
+
+ # Borrow will be -1 if non-zero, but we want it to be 1 in the test data
+ return [
+ self.format_result(result),
+ str(-borrow)
+ ]
+
# END MERGE SLOT 3
# BEGIN MERGE SLOT 4
diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index 60f2fed..0bbad5d 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -30,6 +30,25 @@
# BEGIN MERGE SLOT 2
+class BignumModRawSub(bignum_common.ModOperationCommon,
+ BignumModRawTarget):
+ """Test cases for bignum mpi_mod_raw_sub()."""
+ symbol = "-"
+ test_function = "mpi_mod_raw_sub"
+ test_name = "mbedtls_mpi_mod_raw_sub"
+ input_style = "fixed"
+ arity = 2
+
+ def arguments(self) -> List[str]:
+ return [bignum_common.quote_str(n) for n in [self.arg_a,
+ self.arg_b,
+ self.arg_n]
+ ] + self.result()
+
+ def result(self) -> List[str]:
+ result = (self.int_a - self.int_b) % self.int_n
+ return [self.format_result(result)]
+
# END MERGE SLOT 2
# BEGIN MERGE SLOT 3
@@ -42,6 +61,19 @@
# BEGIN MERGE SLOT 5
+class BignumModRawAdd(bignum_common.ModOperationCommon,
+ BignumModRawTarget):
+ """Test cases for bignum mpi_mod_raw_add()."""
+ symbol = "+"
+ test_function = "mpi_mod_raw_add"
+ test_name = "mbedtls_mpi_mod_raw_add"
+ input_style = "fixed"
+ arity = 2
+
+ def result(self) -> List[str]:
+ result = (self.int_a + self.int_b) % self.int_n
+ return [self.format_result(result)]
+
# END MERGE SLOT 5
# BEGIN MERGE SLOT 6
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index c23cb6b..ae3d054 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -70,6 +70,7 @@
${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_bignum_tests.py
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_common.py
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_core.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_mod_raw.py
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_case.py
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_data_generation.py
)
@@ -106,6 +107,10 @@
# the risk of a race.
add_custom_target(test_suite_bignum_generated_data DEPENDS ${bignum_generated_data_files})
add_custom_target(test_suite_psa_generated_data DEPENDS ${psa_generated_data_files})
+# If SKIP_TEST_SUITES is not defined with -D, get it from the environment.
+if((NOT DEFINED SKIP_TEST_SUITES) AND (DEFINED ENV{SKIP_TEST_SUITES}))
+ set(SKIP_TEST_SUITES $ENV{SKIP_TEST_SUITES})
+endif()
# Test suites caught by SKIP_TEST_SUITES are built but not executed.
# "foo" as a skip pattern skips "test_suite_foo" and "test_suite_foo.bar"
# but not "test_suite_foobar".
diff --git a/tests/Makefile b/tests/Makefile
index 7c08f54..0b31cdd 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -94,6 +94,7 @@
generated_bignum_test_data: scripts/generate_bignum_tests.py
generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_common.py
generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_core.py
+generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_mod_raw.py
generated_bignum_test_data: ../scripts/mbedtls_dev/test_case.py
generated_bignum_test_data: ../scripts/mbedtls_dev/test_data_generation.py
generated_bignum_test_data:
diff --git a/tests/compat.sh b/tests/compat.sh
index d681217..529c2c5 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -595,6 +595,20 @@
G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL"
+ # Newer versions of OpenSSL have a syntax to enable all "ciphers", even
+ # low-security ones. This covers not just cipher suites but also protocol
+ # versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on
+ # OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in
+ # OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find
+ # a way to discover it from -help, so check the openssl version.
+ case $($OPENSSL_CMD version) in
+ "OpenSSL 0"*|"OpenSSL 1.0"*) :;;
+ *)
+ O_CLIENT_ARGS="$O_CLIENT_ARGS -cipher ALL@SECLEVEL=0"
+ O_SERVER_ARGS="$O_SERVER_ARGS -cipher ALL@SECLEVEL=0"
+ ;;
+ esac
+
if [ "X$VERIFY" = "XYES" ];
then
M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
diff --git a/tests/configs/tls13-only.h b/tests/configs/tls13-only.h
index 7483f1c..963086f 100644
--- a/tests/configs/tls13-only.h
+++ b/tests/configs/tls13-only.h
@@ -34,6 +34,8 @@
#undef MBEDTLS_SSL_DTLS_ANTI_REPLAY
#undef MBEDTLS_SSL_DTLS_HELLO_VERIFY
#undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+#undef MBEDTLS_SSL_DTLS_CONNECTION_ID
+#undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
/* Enable some invasive tests */
#define MBEDTLS_TEST_HOOKS
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index d4f2011..388b0ce 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -280,7 +280,7 @@
$(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS non-printable othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions nonprintable_othername_san -days 3650 -sha256 -key $< -out $@
server5-unsupported_othername.crt: server5.key
- $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS unsupported othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions unsupoported_othername_san -days 3650 -sha256 -key $< -out $@
+ $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS unsupported othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions unsupported_othername_san -days 3650 -sha256 -key $< -out $@
server5-fan.crt: server5.key
$(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS FAN" -set_serial 77 -config $(test_ca_config_file) -extensions fan_cert -days 3650 -sha256 -key server5.key -out $@
@@ -1139,6 +1139,108 @@
all_final += ecdsa_secp521r1.crt ecdsa_secp521r1.key
tls13_certs: ecdsa_secp521r1.crt ecdsa_secp521r1.key
+# PKCS7 test data
+pkcs7_test_cert_1 = pkcs7-rsa-sha256-1.crt
+pkcs7_test_cert_2 = pkcs7-rsa-sha256-2.crt
+pkcs7_test_file = pkcs7_data.bin
+
+$(pkcs7_test_file):
+ echo -e "Hello\xd" > $@
+all_final += $(pkcs7_test_file)
+
+pkcs7_data_1.bin:
+ echo -e "2\xd" > $@
+all_final += pkcs7_data_1.bin
+
+# Generate signing cert
+pkcs7-rsa-sha256-1.crt:
+ $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 1" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-1.key -out pkcs7-rsa-sha256-1.crt
+ cat pkcs7-rsa-sha256-1.crt pkcs7-rsa-sha256-1.key > pkcs7-rsa-sha256-1.pem
+all_final += pkcs7-rsa-sha256-1.crt
+
+pkcs7-rsa-sha256-2.crt:
+ $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 2" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-2.key -out pkcs7-rsa-sha256-2.crt
+ cat pkcs7-rsa-sha256-2.crt pkcs7-rsa-sha256-2.key > pkcs7-rsa-sha256-2.pem
+all_final += pkcs7-rsa-sha256-2.crt
+
+# Convert signing certs to DER for testing PEM-free builds
+pkcs7-rsa-sha256-1.der: $(pkcs7_test_cert_1)
+ $(OPENSSL) x509 -in pkcs7-rsa-sha256-1.crt -out $@ -outform DER
+all_final += pkcs7-rsa-sha256-1.der
+
+pkcs7-rsa-sha256-2.der: $(pkcs7_test_cert_2)
+ $(OPENSSL) x509 -in pkcs7-rsa-sha256-2.crt -out $@ -outform DER
+all_final += pkcs7-rsa-sha256-2.der
+
+# pkcs7 signature file with CERT
+pkcs7_data_cert_signed_sha256.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
+ $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@
+all_final += pkcs7_data_cert_signed_sha256.der
+
+# pkcs7 signature file with CERT and sha1
+pkcs7_data_cert_signed_sha1.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
+ $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha1 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@
+all_final += pkcs7_data_cert_signed_sha1.der
+
+# pkcs7 signature file with CERT and sha512
+pkcs7_data_cert_signed_sha512.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
+ $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha512 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@
+all_final += pkcs7_data_cert_signed_sha512.der
+
+# pkcs7 signature file without CERT
+pkcs7_data_without_cert_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
+ $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -outform DER -out $@
+all_final += pkcs7_data_without_cert_signed.der
+
+# pkcs7 signature file with multiple signers
+pkcs7_data_multiple_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2)
+ $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -nocerts -noattr -outform DER -out $@
+all_final += pkcs7_data_multiple_signed.der
+
+# pkcs7 signature file with multiple certificates
+pkcs7_data_multiple_certs_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2)
+ $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -noattr -outform DER -out $@
+all_final += pkcs7_data_multiple_certs_signed.der
+
+# pkcs7 signature file with corrupted CERT
+pkcs7_data_signed_badcert.der: pkcs7_data_cert_signed_sha256.der
+ cp pkcs7_data_cert_signed_sha256.der $@
+ echo -en '\xa1' | dd of=$@ bs=1 seek=547 conv=notrunc
+all_final += pkcs7_data_signed_badcert.der
+
+# pkcs7 signature file with corrupted signer info
+pkcs7_data_signed_badsigner.der: pkcs7_data_cert_signed_sha256.der
+ cp pkcs7_data_cert_signed_sha256.der $@
+ echo -en '\xa1' | dd of=$@ bs=1 seek=918 conv=notrunc
+all_final += pkcs7_data_signed_badsigner.der
+
+# pkcs7 file with version 2
+pkcs7_data_cert_signed_v2.der: pkcs7_data_cert_signed_sha256.der
+ cp pkcs7_data_cert_signed_sha256.der $@
+ echo -en '\x02' | dd of=$@ bs=1 seek=25 conv=notrunc
+all_final += pkcs7_data_cert_signed_v2.der
+
+pkcs7_data_cert_encrypted.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
+ $(OPENSSL) smime -encrypt -aes256 -in pkcs7_data.bin -binary -outform DER -out $@ pkcs7-rsa-sha256-1.crt
+all_final += pkcs7_data_cert_encrypted.der
+
+## Negative tests
+# For some interesting sizes, what happens if we make them off-by-one?
+pkcs7_signerInfo_issuer_invalid_size.der: pkcs7_data_cert_signed_sha256.der
+ cp $< $@
+ echo -en '\x35' | dd of=$@ seek=919 bs=1 conv=notrunc
+all_final += pkcs7_signerInfo_issuer_invalid_size.der
+
+pkcs7_signerInfo_serial_invalid_size.der: pkcs7_data_cert_signed_sha256.der
+ cp $< $@
+ echo -en '\x15' | dd of=$@ seek=973 bs=1 conv=notrunc
+all_final += pkcs7_signerInfo_serial_invalid_size.der
+
+# pkcs7 signature file just with signed data
+pkcs7_data_cert_signeddata_sha256.der: pkcs7_data_cert_signed_sha256.der
+ dd if=pkcs7_data_cert_signed_sha256.der of=$@ skip=19 bs=1
+all_final += pkcs7_data_cert_signeddata_sha256.der
+
################################################################
#### Diffie-Hellman parameters
################################################################
diff --git a/tests/data_files/pkcs7-rsa-sha256-1.crt b/tests/data_files/pkcs7-rsa-sha256-1.crt
new file mode 100644
index 0000000..9e461cd
--- /dev/null
+++ b/tests/data_files/pkcs7-rsa-sha256-1.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSTCCAjGgAwIBAgIUe97d0kRM0c3+XEGoECyJt98ubL8wDQYJKoZIhvcNAQEL
+BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
+NyBDZXJ0IDEwHhcNMjIxMDI4MTYxMDU2WhcNMjMxMDI4MTYxMDU2WjA0MQswCQYD
+VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMi2z2mJnNHw67TKZFwF5w4N
+Lv7dzGHQicvVFaOaNXm5I0O2HsdQBg+07TeHYzJADkJfHTdsfnXClzMU7fS7MMj4
+3QO5/P+VWiRdSRN61uYAVsrBlVKoZdUhhxh8wELJxJ4+OpwXpTS0U82rwMsRO09j
+9bMXS57pkCsZENEUlqJ5p0Mmrc/uEL/Z5+uvuzd76bY5WRZdE91XURccra08HTra
+xovIAR1htUz2AXi+NoOaiayRq0GePKN9a6iB0lUYxNtovKb3yDYC9pmoaxf7Hnc7
+y+dLuTpJslGuhkKLV0Dhhoux1vq54ocS6Y7DGa2Pyk1zAQxLCcS4BFiWHnzwg1MC
+AwEAAaNTMFEwHQYDVR0OBBYEFIru5ZR8xnxd1RWnbip+zTHuUv3IMB8GA1UdIwQY
+MBaAFIru5ZR8xnxd1RWnbip+zTHuUv3IMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAIIda5jNRX3r0rCBrKJ+vs1Pk6zIKEQ7Oeq/+p+k6eRUO0b8
+wx4rW0gXeQPeppaaxKLMZXBlA5DxsI1DpML5dcfti/M1bHIYOAISRRqPEd5GVTy8
+1ltCVN249mg06yHdoqjzO1geFIRVesoblO6JMd3xYDe3pxcTIakZNq/Cf/zjld51
+1fcMuLWu4F/1BwiNZa8eQ5Zs1Cy+b3+s+NrgVd2CIrFpZSFyP4EkUXhZXJha6Rf9
+SzmYdz4al7e9EAhURvQlm8wJpFSSkoLBuJtx7Vh6d14KPUU2NB9F2ulp6AbJb+/H
+EGd3bAK6IhIrkZmxTAwowESHUJBwuX890tbZcnM=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-1.der b/tests/data_files/pkcs7-rsa-sha256-1.der
new file mode 100644
index 0000000..0d799ea
--- /dev/null
+++ b/tests/data_files/pkcs7-rsa-sha256-1.der
Binary files differ
diff --git a/tests/data_files/pkcs7-rsa-sha256-1.key b/tests/data_files/pkcs7-rsa-sha256-1.key
new file mode 100644
index 0000000..e31159d
--- /dev/null
+++ b/tests/data_files/pkcs7-rsa-sha256-1.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDIts9piZzR8Ou0
+ymRcBecODS7+3cxh0InL1RWjmjV5uSNDth7HUAYPtO03h2MyQA5CXx03bH51wpcz
+FO30uzDI+N0Dufz/lVokXUkTetbmAFbKwZVSqGXVIYcYfMBCycSePjqcF6U0tFPN
+q8DLETtPY/WzF0ue6ZArGRDRFJaieadDJq3P7hC/2efrr7s3e+m2OVkWXRPdV1EX
+HK2tPB062saLyAEdYbVM9gF4vjaDmomskatBnjyjfWuogdJVGMTbaLym98g2AvaZ
+qGsX+x53O8vnS7k6SbJRroZCi1dA4YaLsdb6ueKHEumOwxmtj8pNcwEMSwnEuARY
+lh588INTAgMBAAECggEBAIg+P1B+TurbRMQ11iX5A7wwCsSKPh/vdHneLJAfL0lu
++JcP2piko1iqEZPt3NHRVVyMP8LNbJH3Ardz74p+PkFNXIkZCLlc4hFpGR+V9KWv
+eTqsaPXwxR8FYTSoCcHMQCDCUPp/um6qMXCcs4OkMMRVMATfPT+jf28h1p52AUJL
+aAoBJfn7gP3WiB0FWq0bRZgSZzNYowE/MhGAQ+DuBGTSASSK3YJcxE94044fBVE8
+EqYKrxoY/x56li5cZ0v9kaURCrvhqCeq2+U5kIkgtvp2l6wF0Mm1du3BLxo2LQEI
+Y2j+6BFEV74Mtv48GTwrZcyit787zyo9vVGcviSD5VECgYEA/mgLc5KfF/cQLmM/
+20T4k0edvktkRIJHFUBphowt5Hb0a0wM5C1VM4z3yN3b9ikQK+ZaQXETdPATBXIe
+LntX1D1xtbMxdcAfd1FSq8QxAuaPknJZBgtzlpCsx3ZvMnNuzKZN/TU8kR1biwPE
+9HaeEG3bouUu+CI/l/DqrBbQRacCgYEAyfiqsLWGhXQ7e3pLk47PDYlMOsjDWPjs
+SGcatH1/lIMWyZue4W2IUcFMbpbjA6QWibo3VnOavIRSTn97JNUWYvgc5MmaQ7iX
+Iss4m3vJ1LIqx30iUgw3EfDoWdpufEEYssZ/VxJPs3sdmZGALgd3CaqxHJuhuS+U
+eVhWzD6LonUCgYBRCbt8GRxsedrBrAPPSO0VnR52W3WZDRavglEa9tQ3jlzVQOhq
+VrZpMWJMrb8/bl0kXsApUGeuPDsS5QMQM2IKzXfHNUlwBL8BNvpqlJg4IFFjiOEq
+t8MeFv+ymdtZ6sNElUUKf0bHwt5CLfUzGgXHnfb0sKSBjgdL0wYtwyacyQKBgQDJ
+NcyG4zEy/srLhtiIFnu8Fo40+hFzL/nlX6JBMc3KHJa1Hy43krF+ET6d5gAffndd
+moDKxbzgFksRHPuHhCobSucuHpJq6RjYdvDcJYS7OwxXVRi9+KFcZE52RaBQdWGv
+qQTvr7RrMDoa5dN3B8TVgpGT2JBTN02JXjKKo7zkiQKBgCZwKDiXl7qsGidvlFZc
+4CEtFsCgnNgdRTzsTL/Pr8q9CBK3BhjZjNzQALF1iGFDC1FdFYFOwI1E3j+MRHJB
+rQMF8zbmmlZ6SC5QtqatCSCCKUyrUjD5J+4UfJqWFjiBBdwz+5VJojHw1yijEwl4
+LrS/V2yBrDJVczQQM4psonLF
+-----END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-1.pem b/tests/data_files/pkcs7-rsa-sha256-1.pem
new file mode 100644
index 0000000..3795b71
--- /dev/null
+++ b/tests/data_files/pkcs7-rsa-sha256-1.pem
@@ -0,0 +1,48 @@
+-----BEGIN CERTIFICATE-----
+MIIDSTCCAjGgAwIBAgIUe97d0kRM0c3+XEGoECyJt98ubL8wDQYJKoZIhvcNAQEL
+BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
+NyBDZXJ0IDEwHhcNMjIxMDI4MTYxMDU2WhcNMjMxMDI4MTYxMDU2WjA0MQswCQYD
+VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMi2z2mJnNHw67TKZFwF5w4N
+Lv7dzGHQicvVFaOaNXm5I0O2HsdQBg+07TeHYzJADkJfHTdsfnXClzMU7fS7MMj4
+3QO5/P+VWiRdSRN61uYAVsrBlVKoZdUhhxh8wELJxJ4+OpwXpTS0U82rwMsRO09j
+9bMXS57pkCsZENEUlqJ5p0Mmrc/uEL/Z5+uvuzd76bY5WRZdE91XURccra08HTra
+xovIAR1htUz2AXi+NoOaiayRq0GePKN9a6iB0lUYxNtovKb3yDYC9pmoaxf7Hnc7
+y+dLuTpJslGuhkKLV0Dhhoux1vq54ocS6Y7DGa2Pyk1zAQxLCcS4BFiWHnzwg1MC
+AwEAAaNTMFEwHQYDVR0OBBYEFIru5ZR8xnxd1RWnbip+zTHuUv3IMB8GA1UdIwQY
+MBaAFIru5ZR8xnxd1RWnbip+zTHuUv3IMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAIIda5jNRX3r0rCBrKJ+vs1Pk6zIKEQ7Oeq/+p+k6eRUO0b8
+wx4rW0gXeQPeppaaxKLMZXBlA5DxsI1DpML5dcfti/M1bHIYOAISRRqPEd5GVTy8
+1ltCVN249mg06yHdoqjzO1geFIRVesoblO6JMd3xYDe3pxcTIakZNq/Cf/zjld51
+1fcMuLWu4F/1BwiNZa8eQ5Zs1Cy+b3+s+NrgVd2CIrFpZSFyP4EkUXhZXJha6Rf9
+SzmYdz4al7e9EAhURvQlm8wJpFSSkoLBuJtx7Vh6d14KPUU2NB9F2ulp6AbJb+/H
+EGd3bAK6IhIrkZmxTAwowESHUJBwuX890tbZcnM=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDIts9piZzR8Ou0
+ymRcBecODS7+3cxh0InL1RWjmjV5uSNDth7HUAYPtO03h2MyQA5CXx03bH51wpcz
+FO30uzDI+N0Dufz/lVokXUkTetbmAFbKwZVSqGXVIYcYfMBCycSePjqcF6U0tFPN
+q8DLETtPY/WzF0ue6ZArGRDRFJaieadDJq3P7hC/2efrr7s3e+m2OVkWXRPdV1EX
+HK2tPB062saLyAEdYbVM9gF4vjaDmomskatBnjyjfWuogdJVGMTbaLym98g2AvaZ
+qGsX+x53O8vnS7k6SbJRroZCi1dA4YaLsdb6ueKHEumOwxmtj8pNcwEMSwnEuARY
+lh588INTAgMBAAECggEBAIg+P1B+TurbRMQ11iX5A7wwCsSKPh/vdHneLJAfL0lu
++JcP2piko1iqEZPt3NHRVVyMP8LNbJH3Ardz74p+PkFNXIkZCLlc4hFpGR+V9KWv
+eTqsaPXwxR8FYTSoCcHMQCDCUPp/um6qMXCcs4OkMMRVMATfPT+jf28h1p52AUJL
+aAoBJfn7gP3WiB0FWq0bRZgSZzNYowE/MhGAQ+DuBGTSASSK3YJcxE94044fBVE8
+EqYKrxoY/x56li5cZ0v9kaURCrvhqCeq2+U5kIkgtvp2l6wF0Mm1du3BLxo2LQEI
+Y2j+6BFEV74Mtv48GTwrZcyit787zyo9vVGcviSD5VECgYEA/mgLc5KfF/cQLmM/
+20T4k0edvktkRIJHFUBphowt5Hb0a0wM5C1VM4z3yN3b9ikQK+ZaQXETdPATBXIe
+LntX1D1xtbMxdcAfd1FSq8QxAuaPknJZBgtzlpCsx3ZvMnNuzKZN/TU8kR1biwPE
+9HaeEG3bouUu+CI/l/DqrBbQRacCgYEAyfiqsLWGhXQ7e3pLk47PDYlMOsjDWPjs
+SGcatH1/lIMWyZue4W2IUcFMbpbjA6QWibo3VnOavIRSTn97JNUWYvgc5MmaQ7iX
+Iss4m3vJ1LIqx30iUgw3EfDoWdpufEEYssZ/VxJPs3sdmZGALgd3CaqxHJuhuS+U
+eVhWzD6LonUCgYBRCbt8GRxsedrBrAPPSO0VnR52W3WZDRavglEa9tQ3jlzVQOhq
+VrZpMWJMrb8/bl0kXsApUGeuPDsS5QMQM2IKzXfHNUlwBL8BNvpqlJg4IFFjiOEq
+t8MeFv+ymdtZ6sNElUUKf0bHwt5CLfUzGgXHnfb0sKSBjgdL0wYtwyacyQKBgQDJ
+NcyG4zEy/srLhtiIFnu8Fo40+hFzL/nlX6JBMc3KHJa1Hy43krF+ET6d5gAffndd
+moDKxbzgFksRHPuHhCobSucuHpJq6RjYdvDcJYS7OwxXVRi9+KFcZE52RaBQdWGv
+qQTvr7RrMDoa5dN3B8TVgpGT2JBTN02JXjKKo7zkiQKBgCZwKDiXl7qsGidvlFZc
+4CEtFsCgnNgdRTzsTL/Pr8q9CBK3BhjZjNzQALF1iGFDC1FdFYFOwI1E3j+MRHJB
+rQMF8zbmmlZ6SC5QtqatCSCCKUyrUjD5J+4UfJqWFjiBBdwz+5VJojHw1yijEwl4
+LrS/V2yBrDJVczQQM4psonLF
+-----END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-2.crt b/tests/data_files/pkcs7-rsa-sha256-2.crt
new file mode 100644
index 0000000..a0df7d9
--- /dev/null
+++ b/tests/data_files/pkcs7-rsa-sha256-2.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSTCCAjGgAwIBAgIUVk1VQCWvWZ4ycHmycg7wDfN8+3wwDQYJKoZIhvcNAQEL
+BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
+NyBDZXJ0IDIwHhcNMjIxMDI4MTYxMDU2WhcNMjMxMDI4MTYxMDU2WjA0MQswCQYD
+VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMjCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmVNZZ0/qcT+h/lVNO+gP65
+lERTTudQ15h8QTLjaKhx5SSTLnuUhD0jLbR+ng8PMqdJ8ePkZEh1+7mi9MHzID4Y
+c47jH8M+Jc/JdBr6cSjbFd23QHESUjKKmV1IjSHc6Llbxe962z4gEXYjJAMkfr6B
+g1iecK3AlnEI4F0BsQfC5dgA4Qce2okvcTuhYgvHtLZ+UN4ca50Kw0o4u5FYdl89
+KDCE4zNp8MaaxGC83xcM4A9XqjHyZ7a2wvACTlmLQ2q/E+RN/8THEel4Y+yv82Uj
+j2LqqEaA06dvSdOPdaGz9jUZauqBw7TcuGGVzrrsZ0g/sHXKng9TppehAV/HrJUC
+AwEAAaNTMFEwHQYDVR0OBBYEFI5FVrtfLwPXRERcyVX6qBVvfoduMB8GA1UdIwQY
+MBaAFI5FVrtfLwPXRERcyVX6qBVvfoduMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAKRl0wgREe6eAduJSV5fs+Ec0s2qs2lHQqt/0JGEIbZBBtka
+q1UH9CIMMAd6Kb0kh5GlJT2shg/EAYWoitMwntkeRYTln2k2/B5jux+U5Ph4HyC+
+ad2GqmsoXWDru79rltT7Pv1hS1ofJyQ4Jv88vQA/SuIIRGdTC24VAVgg00JxvDRB
+xeqsQ9Pld4ebg4VvqsInnSpmKCcxfWxFhJk/Ax8bK/tV/GnrPiwsvry1j9nZyebS
+IyI01/6DwJS2ZhFnsLGyPHFOAFNtomjIdQ6gf2L1wq0qiGOKj/K9IzFNCpCz82a+
+gMgqFzCT5TCZC16kUG2NA2pXAx9O4uppKjRk97U=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-2.der b/tests/data_files/pkcs7-rsa-sha256-2.der
new file mode 100644
index 0000000..fc7a3ea
--- /dev/null
+++ b/tests/data_files/pkcs7-rsa-sha256-2.der
Binary files differ
diff --git a/tests/data_files/pkcs7-rsa-sha256-2.key b/tests/data_files/pkcs7-rsa-sha256-2.key
new file mode 100644
index 0000000..659c015
--- /dev/null
+++ b/tests/data_files/pkcs7-rsa-sha256-2.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDJlTWWdP6nE/of
+5VTTvoD+uZREU07nUNeYfEEy42ioceUkky57lIQ9Iy20fp4PDzKnSfHj5GRIdfu5
+ovTB8yA+GHOO4x/DPiXPyXQa+nEo2xXdt0BxElIyipldSI0h3Oi5W8Xvets+IBF2
+IyQDJH6+gYNYnnCtwJZxCOBdAbEHwuXYAOEHHtqJL3E7oWILx7S2flDeHGudCsNK
+OLuRWHZfPSgwhOMzafDGmsRgvN8XDOAPV6ox8me2tsLwAk5Zi0NqvxPkTf/ExxHp
+eGPsr/NlI49i6qhGgNOnb0nTj3Whs/Y1GWrqgcO03Lhhlc667GdIP7B1yp4PU6aX
+oQFfx6yVAgMBAAECggEBAMVHm3w134qQCHfyroPTqtaftDTx+wRyn6yB3iT5XdGM
+NZ8H07Pp80kKBo7gY7uFOiNyQKKxQFuR69sPWc3+LI3YzC8IpGslhUfHdjN46gn7
+73hfAVgnf/4qmlEq0cRUOAY/hIUMjUhNhglB9tqEeu3iPjMaTFgfZJwW/czH/QMD
+w4zj5XoLgwRkqVvUceu/dBgV8KP5DpON+q8wpfWtjunv7rg5Nc3BVBrpb5SadJ7T
+i5TsS+pZQyp+mTvyCI3A1hkr2Vw5tULWO8SPhuEQkdtC/CL+luCUO7L16lU6KhFB
+qP5Fduik5skyLCVvAMUkjKcrC22k0gkhOHvfmMhjaAECgYEA68+hAQIiV9ErZGk9
+ZLu+VJHBSPmEQCkUcbviwzoRo8YSyka12TZERy+NJcvmD9deNgFbp8GyZf01XJWH
+slSYt6LyInrJrTpv+3q2Vl5GQp0f+39i7MHnwGGKbWsDbSAm+L9yKTJzYJz1O5fo
+in06AiyyGPwnXd1cm5bTXVX+dQECgYEA2tdi6DXF8awE23pv4HphPBhXS5hmYP/D
+NC7CtP8wQsxjPdiIxkBFFVEaFCC2njq1VhTyJb5noJM4kOIwcoaQ/zgyyxQa0u7w
++CqvAh1WwG+sT/B7vivrtDmmYeyGQapFo5DRIz+MflKAhzDhtnEyT9vLuCdn8J95
+0YvxZJ9+k5UCgYEAh+e7SER9nJUt6AoLWyIlGMKEXlWIFh5W7RG3KIMwJW6D59aG
++fAfu9M5Cx6PsnOSlZeExpOJCOS9O2Xmti2xcqzT1nFkCJWUcqCPtAlTfxLlmuIZ
+FpDOy36r9FHnwJ32OAjGd93ex0DOyZDMcfyoURaHcoTo/10UAYwUt0dXhwECgYAI
+xad2TWmA1XdgYNkJM36gTQ16v0IjUz084z70yGHj25OC0CIzaDIct6KG+gS39Px9
+1dsa/jXjLuOOkzKD9LbtNBB9KXIl0GQiXnujZw+qKQ/MKISdS99n2wO7WyLKkQu3
+kb+AXTTBf4cdZC04BfORVesll5bIA2x7pNNpSCdnvQKBgG7VXYcPlIV7iAyi2xFa
+uN1jccu/AK7xA0G1jz2SHNlpet74LmWR8XsTujJeo8WG1IRFxSky4h/pAP0XWIFO
+0LPK7eeDtnFq6y1/DXpI+/9BWX5T/8+4Yk93p37YrBVWKfd21dhrAklQs11m3rlQ
+Qn6c/zyvMKSyrCVxo5pTd5Il
+-----END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-2.pem b/tests/data_files/pkcs7-rsa-sha256-2.pem
new file mode 100644
index 0000000..b11a00a
--- /dev/null
+++ b/tests/data_files/pkcs7-rsa-sha256-2.pem
@@ -0,0 +1,48 @@
+-----BEGIN CERTIFICATE-----
+MIIDSTCCAjGgAwIBAgIUVk1VQCWvWZ4ycHmycg7wDfN8+3wwDQYJKoZIhvcNAQEL
+BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
+NyBDZXJ0IDIwHhcNMjIxMDI4MTYxMDU2WhcNMjMxMDI4MTYxMDU2WjA0MQswCQYD
+VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMjCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmVNZZ0/qcT+h/lVNO+gP65
+lERTTudQ15h8QTLjaKhx5SSTLnuUhD0jLbR+ng8PMqdJ8ePkZEh1+7mi9MHzID4Y
+c47jH8M+Jc/JdBr6cSjbFd23QHESUjKKmV1IjSHc6Llbxe962z4gEXYjJAMkfr6B
+g1iecK3AlnEI4F0BsQfC5dgA4Qce2okvcTuhYgvHtLZ+UN4ca50Kw0o4u5FYdl89
+KDCE4zNp8MaaxGC83xcM4A9XqjHyZ7a2wvACTlmLQ2q/E+RN/8THEel4Y+yv82Uj
+j2LqqEaA06dvSdOPdaGz9jUZauqBw7TcuGGVzrrsZ0g/sHXKng9TppehAV/HrJUC
+AwEAAaNTMFEwHQYDVR0OBBYEFI5FVrtfLwPXRERcyVX6qBVvfoduMB8GA1UdIwQY
+MBaAFI5FVrtfLwPXRERcyVX6qBVvfoduMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAKRl0wgREe6eAduJSV5fs+Ec0s2qs2lHQqt/0JGEIbZBBtka
+q1UH9CIMMAd6Kb0kh5GlJT2shg/EAYWoitMwntkeRYTln2k2/B5jux+U5Ph4HyC+
+ad2GqmsoXWDru79rltT7Pv1hS1ofJyQ4Jv88vQA/SuIIRGdTC24VAVgg00JxvDRB
+xeqsQ9Pld4ebg4VvqsInnSpmKCcxfWxFhJk/Ax8bK/tV/GnrPiwsvry1j9nZyebS
+IyI01/6DwJS2ZhFnsLGyPHFOAFNtomjIdQ6gf2L1wq0qiGOKj/K9IzFNCpCz82a+
+gMgqFzCT5TCZC16kUG2NA2pXAx9O4uppKjRk97U=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDJlTWWdP6nE/of
+5VTTvoD+uZREU07nUNeYfEEy42ioceUkky57lIQ9Iy20fp4PDzKnSfHj5GRIdfu5
+ovTB8yA+GHOO4x/DPiXPyXQa+nEo2xXdt0BxElIyipldSI0h3Oi5W8Xvets+IBF2
+IyQDJH6+gYNYnnCtwJZxCOBdAbEHwuXYAOEHHtqJL3E7oWILx7S2flDeHGudCsNK
+OLuRWHZfPSgwhOMzafDGmsRgvN8XDOAPV6ox8me2tsLwAk5Zi0NqvxPkTf/ExxHp
+eGPsr/NlI49i6qhGgNOnb0nTj3Whs/Y1GWrqgcO03Lhhlc667GdIP7B1yp4PU6aX
+oQFfx6yVAgMBAAECggEBAMVHm3w134qQCHfyroPTqtaftDTx+wRyn6yB3iT5XdGM
+NZ8H07Pp80kKBo7gY7uFOiNyQKKxQFuR69sPWc3+LI3YzC8IpGslhUfHdjN46gn7
+73hfAVgnf/4qmlEq0cRUOAY/hIUMjUhNhglB9tqEeu3iPjMaTFgfZJwW/czH/QMD
+w4zj5XoLgwRkqVvUceu/dBgV8KP5DpON+q8wpfWtjunv7rg5Nc3BVBrpb5SadJ7T
+i5TsS+pZQyp+mTvyCI3A1hkr2Vw5tULWO8SPhuEQkdtC/CL+luCUO7L16lU6KhFB
+qP5Fduik5skyLCVvAMUkjKcrC22k0gkhOHvfmMhjaAECgYEA68+hAQIiV9ErZGk9
+ZLu+VJHBSPmEQCkUcbviwzoRo8YSyka12TZERy+NJcvmD9deNgFbp8GyZf01XJWH
+slSYt6LyInrJrTpv+3q2Vl5GQp0f+39i7MHnwGGKbWsDbSAm+L9yKTJzYJz1O5fo
+in06AiyyGPwnXd1cm5bTXVX+dQECgYEA2tdi6DXF8awE23pv4HphPBhXS5hmYP/D
+NC7CtP8wQsxjPdiIxkBFFVEaFCC2njq1VhTyJb5noJM4kOIwcoaQ/zgyyxQa0u7w
++CqvAh1WwG+sT/B7vivrtDmmYeyGQapFo5DRIz+MflKAhzDhtnEyT9vLuCdn8J95
+0YvxZJ9+k5UCgYEAh+e7SER9nJUt6AoLWyIlGMKEXlWIFh5W7RG3KIMwJW6D59aG
++fAfu9M5Cx6PsnOSlZeExpOJCOS9O2Xmti2xcqzT1nFkCJWUcqCPtAlTfxLlmuIZ
+FpDOy36r9FHnwJ32OAjGd93ex0DOyZDMcfyoURaHcoTo/10UAYwUt0dXhwECgYAI
+xad2TWmA1XdgYNkJM36gTQ16v0IjUz084z70yGHj25OC0CIzaDIct6KG+gS39Px9
+1dsa/jXjLuOOkzKD9LbtNBB9KXIl0GQiXnujZw+qKQ/MKISdS99n2wO7WyLKkQu3
+kb+AXTTBf4cdZC04BfORVesll5bIA2x7pNNpSCdnvQKBgG7VXYcPlIV7iAyi2xFa
+uN1jccu/AK7xA0G1jz2SHNlpet74LmWR8XsTujJeo8WG1IRFxSky4h/pAP0XWIFO
+0LPK7eeDtnFq6y1/DXpI+/9BWX5T/8+4Yk93p37YrBVWKfd21dhrAklQs11m3rlQ
+Qn6c/zyvMKSyrCVxo5pTd5Il
+-----END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7_data.bin b/tests/data_files/pkcs7_data.bin
new file mode 100644
index 0000000..40ee264
--- /dev/null
+++ b/tests/data_files/pkcs7_data.bin
@@ -0,0 +1 @@
+Hello
diff --git a/tests/data_files/pkcs7_data_1.bin b/tests/data_files/pkcs7_data_1.bin
new file mode 100644
index 0000000..78c6bae
--- /dev/null
+++ b/tests/data_files/pkcs7_data_1.bin
@@ -0,0 +1 @@
+2
diff --git a/tests/data_files/pkcs7_data_cert_encrypted.der b/tests/data_files/pkcs7_data_cert_encrypted.der
new file mode 100644
index 0000000..b7b1c83
--- /dev/null
+++ b/tests/data_files/pkcs7_data_cert_encrypted.der
Binary files differ
diff --git a/tests/data_files/pkcs7_data_cert_signed_sha1.der b/tests/data_files/pkcs7_data_cert_signed_sha1.der
new file mode 100644
index 0000000..fb1deb0
--- /dev/null
+++ b/tests/data_files/pkcs7_data_cert_signed_sha1.der
Binary files differ
diff --git a/tests/data_files/pkcs7_data_cert_signed_sha256.der b/tests/data_files/pkcs7_data_cert_signed_sha256.der
new file mode 100644
index 0000000..8dc2f4c
--- /dev/null
+++ b/tests/data_files/pkcs7_data_cert_signed_sha256.der
Binary files differ
diff --git a/tests/data_files/pkcs7_data_cert_signed_sha512.der b/tests/data_files/pkcs7_data_cert_signed_sha512.der
new file mode 100644
index 0000000..a4aa587
--- /dev/null
+++ b/tests/data_files/pkcs7_data_cert_signed_sha512.der
Binary files differ
diff --git a/tests/data_files/pkcs7_data_cert_signed_v2.der b/tests/data_files/pkcs7_data_cert_signed_v2.der
new file mode 100644
index 0000000..4f4cb04
--- /dev/null
+++ b/tests/data_files/pkcs7_data_cert_signed_v2.der
Binary files differ
diff --git a/tests/data_files/pkcs7_data_cert_signeddata_sha256.der b/tests/data_files/pkcs7_data_cert_signeddata_sha256.der
new file mode 100644
index 0000000..cb7d751
--- /dev/null
+++ b/tests/data_files/pkcs7_data_cert_signeddata_sha256.der
Binary files differ
diff --git a/tests/data_files/pkcs7_data_multiple_certs_signed.der b/tests/data_files/pkcs7_data_multiple_certs_signed.der
new file mode 100644
index 0000000..4a237e9
--- /dev/null
+++ b/tests/data_files/pkcs7_data_multiple_certs_signed.der
Binary files differ
diff --git a/tests/data_files/pkcs7_data_multiple_signed.der b/tests/data_files/pkcs7_data_multiple_signed.der
new file mode 100644
index 0000000..095b80c
--- /dev/null
+++ b/tests/data_files/pkcs7_data_multiple_signed.der
Binary files differ
diff --git a/tests/data_files/pkcs7_data_signed_badcert.der b/tests/data_files/pkcs7_data_signed_badcert.der
new file mode 100644
index 0000000..ed00f65
--- /dev/null
+++ b/tests/data_files/pkcs7_data_signed_badcert.der
Binary files differ
diff --git a/tests/data_files/pkcs7_data_signed_badsigner.der b/tests/data_files/pkcs7_data_signed_badsigner.der
new file mode 100644
index 0000000..aa5447c
--- /dev/null
+++ b/tests/data_files/pkcs7_data_signed_badsigner.der
Binary files differ
diff --git a/tests/data_files/pkcs7_data_without_cert_signed.der b/tests/data_files/pkcs7_data_without_cert_signed.der
new file mode 100644
index 0000000..b47fe92
--- /dev/null
+++ b/tests/data_files/pkcs7_data_without_cert_signed.der
Binary files differ
diff --git a/tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der b/tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der
new file mode 100644
index 0000000..51aef0d
--- /dev/null
+++ b/tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der
Binary files differ
diff --git a/tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der b/tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der
new file mode 100644
index 0000000..ce4fb3b
--- /dev/null
+++ b/tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der
Binary files differ
diff --git a/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der b/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der
new file mode 100644
index 0000000..898ca67
--- /dev/null
+++ b/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der
Binary files differ
diff --git a/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der b/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der
new file mode 100644
index 0000000..f4b4e38
--- /dev/null
+++ b/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der
Binary files differ
diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf
index 3bb2379..b2c2fa1 100644
--- a/tests/data_files/test-ca.opensslconf
+++ b/tests/data_files/test-ca.opensslconf
@@ -18,7 +18,7 @@
[nonprintable_othername_san]
subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:nonprintable_hw_module_name
-[unsupoported_othername_san]
+[unsupported_othername_san]
subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
[dns_alt_names]
diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index edece45..ed42848 100755
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -301,7 +301,7 @@
-c "NewSessionTicket: early_data(42) extension received." \
-c "ClientHello: early_data(42) extension exists." \
-c "EncryptedExtensions: early_data(42) extension received." \
- -c "EncryptedExtensions: early_data(42) extension ( ignored )." \
+ -c "EncryptedExtensions: early_data(42) extension exists." \
-s "Parsing extension 'Early Data/42' (0 bytes)" \
-s "Sending extension Early Data/42 (0 bytes)" \
-s "early data accepted"
@@ -322,7 +322,7 @@
-C "NewSessionTicket: early_data(42) extension received." \
-c "ClientHello: early_data(42) extension does not exist." \
-C "EncryptedExtensions: early_data(42) extension received." \
- -C "EncryptedExtensions: early_data(42) extension ( ignored )."
+ -C "EncryptedExtensions: early_data(42) extension exists."
#TODO: OpenSSL tests don't work now. It might be openssl options issue, cause GnuTLS has worked.
skip_next_test
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 08830d9..d3eedcf 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1217,6 +1217,7 @@
# Direct dependencies
scripts/config.py unset MBEDTLS_HKDF_C
scripts/config.py unset MBEDTLS_HMAC_DRBG_C
+ scripts/config.py unset MBEDTLS_PKCS7_C
# Indirect dependencies
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
make
@@ -1245,6 +1246,7 @@
scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
scripts/config.py unset MBEDTLS_SSL_DTLS_ANTI_REPLAY
scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID
+ scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
scripts/config.py unset MBEDTLS_SSL_SRV_C
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
@@ -1437,6 +1439,31 @@
tests/ssl-opt.sh -f "TLS 1.2"
}
+# We're not aware of any other (open source) implementation of EC J-PAKE in TLS
+# that we could use for interop testing. However, we now have sort of two
+# implementations ourselves: one using PSA, the other not. At least test that
+# these two interoperate with each other.
+component_test_tls1_2_ecjpake_compatibility() {
+ msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA"
+ scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+ make -C programs ssl/ssl_server2 ssl/ssl_client2
+ cp programs/ssl/ssl_server2 s2_no_use_psa
+ cp programs/ssl/ssl_client2 c2_no_use_psa
+
+ msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA"
+ scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ make clean
+ make -C programs ssl/ssl_server2 ssl/ssl_client2
+ make -C programs test/udp_proxy test/query_compile_time_config
+
+ msg "test: server w/o USE_PSA - client w/ USE_PSA"
+ P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f ECJPAKE
+ msg "test: client w/o USE_PSA - server w/ USE_PSA"
+ P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f ECJPAKE
+
+ rm s2_no_use_psa c2_no_use_psa
+}
+
component_test_psa_external_rng_use_psa_crypto () {
msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
scripts/config.py full
@@ -2131,6 +2158,7 @@
fi
scripts/config.py unset MBEDTLS_HKDF_C # has independent PSA implementation
scripts/config.py unset MBEDTLS_HMAC_DRBG_C
+ scripts/config.py unset MBEDTLS_PKCS7_C
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
}
@@ -2770,21 +2798,20 @@
tests/compat.sh
}
-component_test_variable_ssl_in_out_buffer_len_CID () {
- msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled (ASan build)"
- scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
- scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID
+component_test_dtls_cid_legacy () {
+ msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)"
+ scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
- msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID"
+ msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)"
make test
- msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled"
+ msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"
tests/ssl-opt.sh
- msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled"
+ msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"
tests/compat.sh
}
@@ -3282,6 +3309,7 @@
component_test_tls13_only () {
msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3, without MBEDTLS_SSL_PROTO_TLS1_2"
+ scripts/config.py set MBEDTLS_SSL_EARLY_DATA
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
msg "test: TLS 1.3 only, all key exchange modes enabled"
@@ -3301,6 +3329,8 @@
scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_PKCS1_V21
+ scripts/config.py unset MBEDTLS_PKCS7_C
+ scripts/config.py set MBEDTLS_SSL_EARLY_DATA
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
msg "test_suite_ssl: TLS 1.3 only, only PSK key exchange mode enabled"
@@ -3333,6 +3363,8 @@
scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_PKCS1_V21
+ scripts/config.py unset MBEDTLS_PKCS7_C
+ scripts/config.py set MBEDTLS_SSL_EARLY_DATA
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral key exchange mode"
@@ -3350,6 +3382,8 @@
scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_PKCS1_V21
+ scripts/config.py unset MBEDTLS_PKCS7_C
+ scripts/config.py set MBEDTLS_SSL_EARLY_DATA
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
msg "test_suite_ssl: TLS 1.3 only, PSK and PSK ephemeral key exchange modes"
@@ -3362,6 +3396,7 @@
component_test_tls13_only_ephemeral_all () {
msg "build: TLS 1.3 only from default, without PSK key exchange mode"
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+ scripts/config.py set MBEDTLS_SSL_EARLY_DATA
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes"
@@ -3376,6 +3411,7 @@
scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
+ scripts/config.py set MBEDTLS_SSL_EARLY_DATA
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
@@ -3389,6 +3425,7 @@
scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
+ scripts/config.py set MBEDTLS_SSL_EARLY_DATA
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh
index 31beb1c..a96254f 100755
--- a/tests/scripts/basic-build-test.sh
+++ b/tests/scripts/basic-build-test.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-# basic-build-tests.sh
+# basic-build-test.sh
#
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0
@@ -36,7 +36,7 @@
#
# This script has been written to be generic and should work on any shell.
#
-# Usage: basic-build-tests.sh
+# Usage: basic-build-test.sh
#
# Abort on errors (and uninitiliased variables)
diff --git a/tests/scripts/check_files.py b/tests/scripts/check_files.py
index 5c18702..42f2e82 100755
--- a/tests/scripts/check_files.py
+++ b/tests/scripts/check_files.py
@@ -122,6 +122,7 @@
r'tests/data_files/.*\.req\.[^/]+\Z',
r'tests/data_files/.*malformed[^/]+\Z',
r'tests/data_files/format_pkcs12\.fmt\Z',
+ r'tests/data_files/pkcs7_data.*\.bin\Z',
]
BINARY_FILE_PATH_RE = re.compile('|'.join(BINARY_FILE_PATH_RE_LIST))
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 6220527..1fe8bae 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1362,7 +1362,7 @@
if [ -n "$PXY_CMD" ]; then
kill $PXY_PID >/dev/null 2>&1
- wait $PXY_PID
+ wait $PXY_PID >> $PXY_OUT 2>&1
fi
}
@@ -1689,6 +1689,20 @@
O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT"
fi
+# Newer versions of OpenSSL have a syntax to enable all "ciphers", even
+# low-security ones. This covers not just cipher suites but also protocol
+# versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on
+# OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in
+# OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find
+# a way to discover it from -help, so check the openssl version.
+case $($OPENSSL_CMD version) in
+ "OpenSSL 0"*|"OpenSSL 1.0"*) :;;
+ *)
+ O_CLI="$O_CLI -cipher ALL@SECLEVEL=0"
+ O_SRV="$O_SRV -cipher ALL@SECLEVEL=0"
+ ;;
+esac
+
if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT"
@@ -2600,7 +2614,6 @@
-c "Deserializing connection..." \
-S "Deserializing connection..."
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
run_test "Context serialization, server serializes, CCM" \
"$P_SRV dtls=1 serialize=1 exchanges=2" \
@@ -2674,7 +2687,6 @@
-c "Deserializing connection..." \
-s "Deserializing connection..."
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
run_test "Context serialization, re-init, client serializes, CCM" \
"$P_SRV dtls=1 serialize=0 exchanges=2" \
@@ -2711,7 +2723,6 @@
-c "Deserializing connection..." \
-S "Deserializing connection..."
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
run_test "Context serialization, re-init, server serializes, CCM" \
"$P_SRV dtls=1 serialize=2 exchanges=2" \
@@ -12945,8 +12956,8 @@
"$O_NEXT_CLI -msg -debug -tls1_3 -reconnect" \
0 \
-s "=> write NewSessionTicket msg" \
- -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
- -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH"
+ -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \
+ -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
@@ -12962,8 +12973,8 @@
-c "Connecting again- trying to resume previous session" \
-c "NEW SESSION TICKET (4) was received" \
-s "=> write NewSessionTicket msg" \
- -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
- -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" \
+ -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \
+ -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" \
-s "key exchange mode: ephemeral" \
-s "key exchange mode: psk_ephemeral" \
-s "found pre_shared_key extension"
@@ -12985,8 +12996,8 @@
-c "Reconnecting with saved session" \
-c "HTTP/1.0 200 OK" \
-s "=> write NewSessionTicket msg" \
- -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
- -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" \
+ -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \
+ -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" \
-s "key exchange mode: ephemeral" \
-s "key exchange mode: psk_ephemeral" \
-s "found pre_shared_key extension"
@@ -13040,8 +13051,8 @@
-c "Reconnecting with saved session" \
-c "HTTP/1.0 200 OK" \
-s "=> write NewSessionTicket msg" \
- -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
- -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" \
+ -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \
+ -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" \
-s "key exchange mode: ephemeral" \
-s "key exchange mode: psk_ephemeral" \
-s "found pre_shared_key extension"
@@ -13064,8 +13075,8 @@
-c "Reconnecting with saved session" \
-c "Hostname mismatch the session ticket, disable session resumption." \
-s "=> write NewSessionTicket msg" \
- -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
- -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH"
+ -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \
+ -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH"
# Test heap memory usage after handshake
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
diff --git a/tests/suites/test_suite_bignum_core.function b/tests/suites/test_suite_bignum_core.function
index 612a7c6..078239f 100644
--- a/tests/suites/test_suite_bignum_core.function
+++ b/tests/suites/test_suite_bignum_core.function
@@ -935,7 +935,7 @@
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
void mpi_core_ct_uint_table_lookup( int bitlen, int window_size )
{
size_t limbs = BITS_TO_LIMBS( bitlen );
@@ -1041,6 +1041,59 @@
/* BEGIN MERGE SLOT 1 */
+/* BEGIN_CASE */
+void mpi_core_exp_mod( char * input_N, char * input_A,
+ char * input_E, char * input_X )
+{
+ mbedtls_mpi_uint *A = NULL;
+ size_t A_limbs;
+ mbedtls_mpi_uint *E = NULL;
+ size_t E_limbs;
+ mbedtls_mpi_uint *N = NULL;
+ size_t N_limbs;
+ mbedtls_mpi_uint *X = NULL;
+ size_t X_limbs;
+ const mbedtls_mpi_uint *R2 = NULL;
+ mbedtls_mpi_uint *Y = NULL;
+ /* Legacy MPIs for computing R2 */
+ mbedtls_mpi N_mpi;
+ mbedtls_mpi_init( &N_mpi );
+ mbedtls_mpi R2_mpi;
+ mbedtls_mpi_init( &R2_mpi );
+
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &A, &A_limbs, input_A ) );
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &E, &E_limbs, input_E ) );
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &N_limbs, input_N ) );
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &X, &X_limbs, input_X ) );
+ ASSERT_ALLOC( Y, N_limbs );
+
+ TEST_EQUAL( A_limbs, N_limbs );
+ TEST_EQUAL( X_limbs, N_limbs );
+
+ TEST_EQUAL( 0, mbedtls_mpi_grow( &N_mpi, N_limbs ) );
+ memcpy( N_mpi.p, N, N_limbs * sizeof( *N ) );
+ N_mpi.n = N_limbs;
+ TEST_EQUAL( 0,
+ mbedtls_mpi_core_get_mont_r2_unsafe( &R2_mpi, &N_mpi ) );
+ TEST_EQUAL( 0, mbedtls_mpi_grow( &R2_mpi, N_limbs ) );
+ R2 = R2_mpi.p;
+
+ TEST_EQUAL( 0,
+ mbedtls_mpi_core_exp_mod( Y, A, N, N_limbs, E, E_limbs, R2 ) );
+ TEST_EQUAL( 0, memcmp( X, Y, N_limbs * sizeof( mbedtls_mpi_uint ) ) );
+
+exit:
+ mbedtls_free( A );
+ mbedtls_free( E );
+ mbedtls_free( N );
+ mbedtls_free( X );
+ mbedtls_free( Y );
+ mbedtls_mpi_free( &N_mpi );
+ mbedtls_mpi_free( &R2_mpi );
+ // R2 doesn't need to be freed as it is only aliasing R2_mpi
+}
+/* END_CASE */
+
/* END MERGE SLOT 1 */
/* BEGIN MERGE SLOT 2 */
@@ -1049,6 +1102,52 @@
/* BEGIN MERGE SLOT 3 */
+/* BEGIN_CASE */
+void mpi_core_sub_int( char * input_A, char * input_B,
+ char * input_X, int borrow )
+{
+ /* We are testing A - b, where A is an MPI and b is a scalar, expecting
+ * result X with borrow borrow. However, for ease of handling we encode b
+ * as a 1-limb MPI (B) in the .data file. */
+
+ mbedtls_mpi_uint *A = NULL;
+ mbedtls_mpi_uint *B = NULL;
+ mbedtls_mpi_uint *X = NULL;
+ mbedtls_mpi_uint *R = NULL;
+ size_t A_limbs, B_limbs, X_limbs;
+
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &A, &A_limbs, input_A ) );
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &B, &B_limbs, input_B ) );
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &X, &X_limbs, input_X ) );
+
+ /* The MPI encoding of scalar b must be only 1 limb */
+ TEST_EQUAL( B_limbs, 1 );
+
+ /* The subtraction is fixed-width, so A and X must have the same number of limbs */
+ TEST_EQUAL( A_limbs, X_limbs );
+ size_t limbs = A_limbs;
+
+ ASSERT_ALLOC( R, limbs );
+
+#define TEST_COMPARE_CORE_MPIS( A, B, limbs ) \
+ ASSERT_COMPARE( A, (limbs) * sizeof(mbedtls_mpi_uint), B, (limbs) * sizeof(mbedtls_mpi_uint) )
+
+ /* 1. R = A - b. Result and borrow should be correct */
+ TEST_EQUAL( mbedtls_mpi_core_sub_int( R, A, B[0], limbs ), borrow );
+ TEST_COMPARE_CORE_MPIS( R, X, limbs );
+
+ /* 2. A = A - b. Result and borrow should be correct */
+ TEST_EQUAL( mbedtls_mpi_core_sub_int( A, A, B[0], limbs ), borrow );
+ TEST_COMPARE_CORE_MPIS( A, X, limbs );
+
+exit:
+ mbedtls_free( A );
+ mbedtls_free( B );
+ mbedtls_free( X );
+ mbedtls_free( R );
+}
+/* END_CASE */
+
/* END MERGE SLOT 3 */
/* BEGIN MERGE SLOT 4 */
diff --git a/tests/suites/test_suite_bignum_mod.data b/tests/suites/test_suite_bignum_mod.data
index 95faa53..2ea4a58 100644
--- a/tests/suites/test_suite_bignum_mod.data
+++ b/tests/suites/test_suite_bignum_mod.data
@@ -1,29 +1,11 @@
-Test mbedtls_mpi_mod_setup #1 (Both representations invalid)
-mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_INVALID:MBEDTLS_MPI_MOD_REP_INVALID:MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+Test mbedtls_mpi_mod_setup #1 (Internal representation invalid)
+mpi_mod_setup:MBEDTLS_MPI_MOD_REP_INVALID:MBEDTLS_ERR_MPI_BAD_INPUT_DATA
-Test mbedtls_mpi_mod_setup #2 (Internal representation invalid)
-mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_LE:MBEDTLS_MPI_MOD_REP_INVALID:MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+Test mbedtls_mpi_mod_setup #6 (Optimised reduction)
+mpi_mod_setup:MBEDTLS_MPI_MOD_REP_OPT_RED:0
-Test mbedtls_mpi_mod_setup #3 (Internal representation invalid)
-mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_BE:MBEDTLS_MPI_MOD_REP_INVALID:MBEDTLS_ERR_MPI_BAD_INPUT_DATA
-
-Test mbedtls_mpi_mod_setup #4 (External representation invalid)
-mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_INVALID:MBEDTLS_MPI_MOD_REP_MONTGOMERY:MBEDTLS_ERR_MPI_BAD_INPUT_DATA
-
-Test mbedtls_mpi_mod_setup #5 (External representation invalid)
-mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_INVALID:MBEDTLS_MPI_MOD_REP_OPT_RED:MBEDTLS_ERR_MPI_BAD_INPUT_DATA
-
-Test mbedtls_mpi_mod_setup #6 (Both representations valid)
-mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_BE:MBEDTLS_MPI_MOD_REP_OPT_RED:0
-
-Test mbedtls_mpi_mod_setup #7 (Both representations valid)
-mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_BE:MBEDTLS_MPI_MOD_REP_MONTGOMERY:0
-
-Test mbedtls_mpi_mod_setup #8 (Both representations valid)
-mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_LE:MBEDTLS_MPI_MOD_REP_OPT_RED:0
-
-Test mbedtls_mpi_mod_setup #9 (Both representations valid)
-mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_LE:MBEDTLS_MPI_MOD_REP_MONTGOMERY:0
+Test mbedtls_mpi_mod_setup #7 (Montgomery representation)
+mpi_mod_setup:MBEDTLS_MPI_MOD_REP_MONTGOMERY:0
# BEGIN MERGE SLOT 1
@@ -50,17 +32,269 @@
# END MERGE SLOT 6
# BEGIN MERGE SLOT 7
+Test mbedtls_mpi_residue_setup #1 m > r
+mpi_residue_setup:"fe":"01":0
-# END MERGE SLOT 7
+Test mbedtls_mpi_residue_setup #2 r == m - 1
+mpi_residue_setup:"ff":"fe":0
-# BEGIN MERGE SLOT 8
+Test mbedtls_mpi_residue_setup #3 m->limbs = r-> limbs && m > r
+mpi_residue_setup:"7dfe5c6":"fe":0
-# END MERGE SLOT 8
+Test mbedtls_mpi_residue_setup #4 m->limbs = r-> limbs && m > r
+mpi_residue_setup:"7ffffffffffffffffffffffffffffffffffffffffffffff1":"0000000000000000000000000000000000000000000000fe":0
-# BEGIN MERGE SLOT 9
+Test mbedtls_mpi_residue_setup #5 m->limbs > r-> limbs && m > r
+mpi_residue_setup:"7ffffffff00000000":"fe":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
-# END MERGE SLOT 9
+Test mbedtls_mpi_residue_setup #6 m->limbs < r-> limbs && m > r
+mpi_residue_setup:"ff":"000000000000000000000000000000000000000000000001":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
-# BEGIN MERGE SLOT 10
+Test mbedtls_mpi_residue_setup #7 r == m
+mpi_residue_setup:"fe":"fe":-4
-# END MERGE SLOT 10
+Test mbedtls_mpi_residue_setup #8 r > m
+mpi_residue_setup:"fe":"ff":-4
+
+Test mbedtls_mpi_mod_io_neg #1 input_r < modulo m
+mpi_mod_io_neg:"fe":"fd":0
+
+Test mbedtls_mpi_mod_io_neg #2 input_r == modulo m
+mpi_mod_io_neg:"fe":"fe":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+
+Test mbedtls_mpi_mod_io_neg #3 input_r > modulo m
+mpi_mod_io_neg:"fe":"ff":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+
+Test mbedtls_mpi_mod_io_neg #4 input_r too large to fit
+mpi_mod_io_neg:"fe":"ffffffffffffffffff":MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+
+Test mbedtls_mpi_mod_io_neg #5 Sucesfull read / output buffer too small
+mpi_mod_io_neg:"7ffffffffffffffffffffffffffffff1":"ffff":0
+
+Test mbedtls_mpi_mod_io #1 N: "11" A: "119".
+mpi_mod_io:"000000000000000b":"0000000000000000":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #2 N: "11" A: "136".
+mpi_mod_io:"000000000000000b":"0000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #3 N: "11" A: "119".
+mpi_mod_io:"000000000000000b":"0000000000000001":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #4 N: "11" A: "136".
+mpi_mod_io:"000000000000000b":"0100000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #5 N: "140737488355333" A: "119".
+mpi_mod_io:"0000800000000005":"0000000000000000":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #6 N: "140737488355333" A: "136".
+mpi_mod_io:"0000800000000005":"0000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #7 N: "140737488355333" A: "119".
+mpi_mod_io:"0000800000000005":"0000000000000001":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #8 N: "140737488355333" A: "136".
+mpi_mod_io:"0000800000000005":"0100000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #9 N: "140737488355333" A: "119".
+mpi_mod_io:"0000800000000005":"00000000000003ca":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #10 N: "140737488355333" A: "136".
+mpi_mod_io:"0000800000000005":"ca03000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #11 N: "140737488355333" A: "119".
+mpi_mod_io:"0000800000000005":"00000000539ed428":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #12 N: "140737488355333" A: "136".
+mpi_mod_io:"0000800000000005":"28d49e5300000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #13 N: "9223372036854775807" A: "119".
+mpi_mod_io:"7fffffffffffffff":"0000000000000000":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #14 N: "9223372036854775807" A: "136".
+mpi_mod_io:"7fffffffffffffff":"0000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #15 N: "9223372036854775807" A: "119".
+mpi_mod_io:"7fffffffffffffff":"0000000000000001":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #16 N: "9223372036854775807" A: "136".
+mpi_mod_io:"7fffffffffffffff":"0100000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #17 N: "9223372036854775807" A: "119".
+mpi_mod_io:"7fffffffffffffff":"00000000000003ca":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #18 N: "9223372036854775807" A: "136".
+mpi_mod_io:"7fffffffffffffff":"ca03000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #19 N: "9223372036854775807" A: "119".
+mpi_mod_io:"7fffffffffffffff":"00000000539ed428":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #20 N: "9223372036854775807" A: "136".
+mpi_mod_io:"7fffffffffffffff":"28d49e5300000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #21 N: "9223372036854775807" A: "119".
+mpi_mod_io:"7fffffffffffffff":"7dfe5c6beb35a2d6":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #22 N: "9223372036854775807" A: "136".
+mpi_mod_io:"7fffffffffffffff":"d6a235eb6b5cfe7d":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #23 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #24 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #25 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #26 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #27 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003ca":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #28 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"ca030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #29 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000539ed428":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #30 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"28d49e53000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #31 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007dfe5c6beb35a2d6":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #32 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"d6a235eb6b5cfe7d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #33 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dca8de1c2adfc6d7aafb9b48e":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #34 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"8eb4b9af7a6dfcadc2e18dca0d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #35 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a7d17b6c4be72f3d5c16bf9c1af6fc933":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #36 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"33c96fafc1f96bc1d5f372bec4b6177d0a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #37 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002fec97beec546f9553142ed52f147845463f579":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #38 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"79f563548447f152ed423155f946c5ee7bc9fe020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #39 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"00000000000000000000000000000000000000000000000000000000000000000000000000000000378dc83b8bc5a7b62cba495af4919578dce6d4f175cadc4f":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #40 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"4fdcca75f1d4e6dc789591f45a49ba2cb6a7c58b3bc88d3700000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #41 N: "201076468338594879614802819276237850336264827391977454179" A: "119".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #42 N: "201076468338594879614802819276237850336264827391977454179" A: "136".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #43 N: "201076468338594879614802819276237850336264827391977454179" A: "119".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"000000000000000000000000000000000000000000000001":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #44 N: "201076468338594879614802819276237850336264827391977454179" A: "136".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"010000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #45 N: "201076468338594879614802819276237850336264827391977454179" A: "119".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"0000000000000000000000000000000000000000000003ca":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #46 N: "201076468338594879614802819276237850336264827391977454179" A: "136".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"ca0300000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #47 N: "201076468338594879614802819276237850336264827391977454179" A: "119".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"0000000000000000000000000000000000000000539ed428":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #48 N: "201076468338594879614802819276237850336264827391977454179" A: "136".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"28d49e530000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #49 N: "201076468338594879614802819276237850336264827391977454179" A: "119".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"000000000000000000000000000000007dfe5c6beb35a2d6":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #50 N: "201076468338594879614802819276237850336264827391977454179" A: "136".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"d6a235eb6b5cfe7d00000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #51 N: "201076468338594879614802819276237850336264827391977454179" A: "119".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"00000000000000000000000dca8de1c2adfc6d7aafb9b48e":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #52 N: "201076468338594879614802819276237850336264827391977454179" A: "136".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"8eb4b9af7a6dfcadc2e18dca0d0000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #53 N: "201076468338594879614802819276237850336264827391977454179" A: "119".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"000000000000000a7d17b6c4be72f3d5c16bf9c1af6fc933":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #54 N: "201076468338594879614802819276237850336264827391977454179" A: "136".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"33c96fafc1f96bc1d5f372bec4b6177d0a00000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #55 N: "201076468338594879614802819276237850336264827391977454179" A: "119".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"0000000002fec97beec546f9553142ed52f147845463f579":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #56 N: "201076468338594879614802819276237850336264827391977454179" A: "136".
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"79f563548447f152ed423155f946c5ee7bc9fe0200000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #57 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #58 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #59 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #60 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #61 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003ca":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #62 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"ca030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #63 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000539ed428":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #64 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"28d49e53000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #65 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007dfe5c6beb35a2d6":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #66 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"d6a235eb6b5cfe7d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #67 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dca8de1c2adfc6d7aafb9b48e":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #68 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"8eb4b9af7a6dfcadc2e18dca0d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #69 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a7d17b6c4be72f3d5c16bf9c1af6fc933":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #70 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"33c96fafc1f96bc1d5f372bec4b6177d0a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #71 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002fec97beec546f9553142ed52f147845463f579":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #72 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"79f563548447f152ed423155f946c5ee7bc9fe020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #73 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000378dc83b8bc5a7b62cba495af4919578dce6d4f175cadc4f":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #74 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"4fdcca75f1d4e6dc789591f45a49ba2cb6a7c58b3bc88d3700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #75 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"b6415f2a1a8e48a518345db11f56db3829c8f2c6415ab4a395ab3ac2ea4cbef4af86eb18a84eb6ded4c6ecbfc4b59c2879a675487f687adea9d197a84a5242a5cf6125ce19a6ad2e7341f1c57d43ea4f4c852a51cb63dabcd1c9de2b827a3146a3d175b35bea41ae75d2a286a3e9d43623152ac513dcdea1d72a7da846a8ab358d9be4926c79cfb287cf1cf25b689de3b912176be5dcaf4d4c6e7cb839a4a3243a6c47c1e2c99d65c59d6fa3672575c2f1ca8de6a32e854ec9d8ec635c96af7679fce26d7d159e4a9da3bd74e1272c376cd926d74fe3fb164a5935cff3d5cdb92b35fe2cea32138a7e6bfbc319ebd1725dacb9a359cbf693f2ecb785efb9d627":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #76 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136".
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"27d6b9ef85b7ecf293f6cb59a3b9ac5d72d1eb19c3fb6b7e8a1332ea2cfe352bb9cdd5f3cf35594a16fbe34fd726d96c372c27e174bda39d4a9e157d6de2fc7976af965c63ecd8c94e852ea3e68dcaf1c2752567a36f9dc5659dc9e2c1476c3a24a3a439b87c6e4c4dafdce56b1712b9e39d685bf21ccf87b2cf796c92e49b8d35aba846a87d2ad7a1dedc13c52a152336d4e9a386a2d275ae41ea5bb375d1a346317a822bdec9d1bcda63cb512a854c4fea437dc5f141732eada619ce2561cfa542524aa897d1a9de7a687f4875a679289cb5c4bfecc6d4deb64ea818eb86aff4be4ceac23aab95a3b45a41c6f2c82938db561fb15d3418a5488e1a2a5f41b6":MBEDTLS_MPI_MOD_EXT_REP_LE
diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function
index 1a2d0c1..a941cb6 100644
--- a/tests/suites/test_suite_bignum_mod.function
+++ b/tests/suites/test_suite_bignum_mod.function
@@ -12,7 +12,7 @@
*/
/* BEGIN_CASE */
-void mpi_mod_setup( int ext_rep, int int_rep, int iret )
+void mpi_mod_setup( int int_rep, int iret )
{
#define MLIMBS 8
mbedtls_mpi_uint mp[MLIMBS];
@@ -22,7 +22,7 @@
memset( mp, 0xFF, sizeof(mp) );
mbedtls_mpi_mod_modulus_init( &m );
- ret = mbedtls_mpi_mod_modulus_setup( &m, mp, MLIMBS, ext_rep, int_rep );
+ ret = mbedtls_mpi_mod_modulus_setup( &m, mp, MLIMBS, int_rep );
TEST_EQUAL( ret, iret );
/* Only test if the constants have been set-up */
@@ -80,7 +80,214 @@
/* END MERGE SLOT 6 */
/* BEGIN MERGE SLOT 7 */
+/* BEGIN_CASE */
+void mpi_residue_setup( char * input_N, char * input_R, int ret )
+{
+ mbedtls_mpi_uint *N = NULL;
+ mbedtls_mpi_uint *R = NULL;
+ size_t n_limbs, r_limbs;
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_residue r;
+ mbedtls_mpi_mod_modulus_init( &m );
+
+ /* Allocate the memory for intermediate data structures */
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) );
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R, &r_limbs, input_R ) );
+
+ TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs,
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
+
+ TEST_EQUAL( ret, mbedtls_mpi_mod_residue_setup( &r, &m, R , r_limbs ) );
+
+ if ( ret == 0 )
+ {
+ TEST_EQUAL( r.limbs, r_limbs );
+ TEST_ASSERT( r.p == R );
+ }
+
+exit:
+ mbedtls_mpi_mod_modulus_free( &m );
+ mbedtls_free( N );
+ mbedtls_free( R );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mpi_mod_io_neg( char * input_N, data_t * buf, int ret )
+{
+ mbedtls_mpi_uint *N = NULL;
+ mbedtls_mpi_uint *R = NULL;
+
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_residue r = { NULL, 0 };
+ mbedtls_mpi_mod_ext_rep endian = MBEDTLS_MPI_MOD_EXT_REP_LE;
+
+ mbedtls_mpi_mod_modulus_init( &m );
+
+ size_t n_limbs;
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) );
+ size_t r_limbs = n_limbs;
+ ASSERT_ALLOC( R, r_limbs );
+
+ /* modulus->p == NULL || residue->p == NULL ( m has not been set-up ) */
+ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+ mbedtls_mpi_mod_read( &r, &m, buf->x, buf->len, endian ) );
+
+ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+ mbedtls_mpi_mod_write( &r, &m, buf->x, buf->len, endian ) );
+
+ /* Set up modulus and test with residue->p == NULL */
+ TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs,
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
+
+ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+ mbedtls_mpi_mod_read( &r, &m, buf->x, buf->len, endian ) );
+ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+ mbedtls_mpi_mod_write( &r, &m, buf->x, buf->len, endian ) );
+
+ /* Do the rest of the tests with a residue set up with the input data */
+ TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R , r_limbs ) );
+
+ /* Fail for r_limbs < m->limbs */
+ r.limbs--;
+ TEST_ASSERT( r.limbs < m.limbs );
+ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+ mbedtls_mpi_mod_read( &r, &m, buf->x, buf->len, endian ) );
+ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+ mbedtls_mpi_mod_write( &r, &m, buf->x, buf->len, endian ) );
+ r.limbs++;
+
+ /* Fail for r_limbs > m->limbs */
+ m.limbs--;
+ TEST_ASSERT( r.limbs > m.limbs );
+ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+ mbedtls_mpi_mod_read( &r, &m, buf->x, buf->len, endian ) );
+ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+ mbedtls_mpi_mod_write( &r, &m, buf->x, buf->len, endian ) );
+ m.limbs++;
+
+ /* Test the read */
+ TEST_EQUAL( ret, mbedtls_mpi_mod_read( &r, &m, buf->x, buf->len, endian ) );
+
+ /* Test write overflow only when the representation is large and read is successful */
+ if ( r.limbs > 1 && ret == 0 )
+ TEST_EQUAL( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL,
+ mbedtls_mpi_mod_write( &r, &m, buf->x, 1, endian ) );
+
+exit:
+ mbedtls_mpi_mod_residue_release( &r );
+ mbedtls_mpi_mod_modulus_free( &m );
+ mbedtls_free( N );
+ mbedtls_free( R );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mpi_mod_io( char * input_N, data_t * input_A, int endian )
+{
+ mbedtls_mpi_uint *N = NULL;
+ mbedtls_mpi_uint *R = NULL;
+ mbedtls_mpi_uint *R_COPY = NULL;
+ unsigned char *obuf = NULL;
+ unsigned char *ref_buf = NULL;
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_residue r;
+ mbedtls_mpi_mod_residue r_copy;
+ size_t n_limbs, n_bytes, a_bytes;
+
+ mbedtls_mpi_mod_modulus_init( &m );
+
+ /* Read inputs */
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) );
+ n_bytes = n_limbs * sizeof( mbedtls_mpi_uint );
+ a_bytes = input_A->len;
+
+ /* Allocate the memory for intermediate data structures */
+ ASSERT_ALLOC( R, n_bytes );
+ ASSERT_ALLOC( R_COPY, n_bytes );
+
+ /* Test that input's size is not greater to modulo's */
+ TEST_LE_U( a_bytes, n_bytes );
+
+ /* Init Structures */
+ TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs,
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
+
+ /* Enforcing p_limbs >= m->limbs */
+ TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R, n_limbs ) );
+
+ TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r, &m, input_A->x, input_A->len,
+ endian ) );
+
+ /* Read a copy for checking that writing didn't change the value of r */
+ TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r_copy, &m,
+ R_COPY, n_limbs ) );
+ TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r_copy, &m, input_A->x, input_A->len,
+ endian ) );
+
+ /* Get number of bytes without leading zeroes */
+ size_t a_bytes_trimmed = a_bytes;
+ while( a_bytes_trimmed > 0 )
+ {
+ unsigned char* r_byte_array = (unsigned char*) r.p;
+ if( r_byte_array[--a_bytes_trimmed] != 0 )
+ break;
+ }
+ a_bytes_trimmed++;
+
+ /* Test write with three output buffer sizes: tight, same as input and
+ * longer than the input */
+ size_t obuf_sizes[3];
+ const size_t obuf_sizes_len = sizeof( obuf_sizes ) / sizeof( obuf_sizes[0] );
+ obuf_sizes[0] = a_bytes_trimmed;
+ obuf_sizes[1] = a_bytes;
+ obuf_sizes[2] = a_bytes + 8;
+
+ for( size_t i = 0; i < obuf_sizes_len; i++ )
+ {
+ ASSERT_ALLOC( obuf, obuf_sizes[i] );
+ TEST_EQUAL( 0, mbedtls_mpi_mod_write( &r, &m, obuf, obuf_sizes[i], endian ) );
+
+ /* Make sure that writing didn't corrupt the value of r */
+ ASSERT_COMPARE( r.p, r.limbs, r_copy.p, r_copy.limbs );
+
+ /* Set up reference output for checking the result */
+ ASSERT_ALLOC( ref_buf, obuf_sizes[i] );
+ switch( endian )
+ {
+ case MBEDTLS_MPI_MOD_EXT_REP_LE:
+ memcpy( ref_buf, input_A->x, a_bytes_trimmed );
+ break;
+ case MBEDTLS_MPI_MOD_EXT_REP_BE:
+ {
+ size_t a_offset = input_A->len - a_bytes_trimmed;
+ size_t ref_offset = obuf_sizes[i] - a_bytes_trimmed;
+ memcpy( ref_buf + ref_offset, input_A->x + a_offset,
+ a_bytes_trimmed );
+ }
+ break;
+ default:
+ TEST_ASSERT( 0 );
+ }
+
+ /* Check the result */
+ ASSERT_COMPARE( obuf, obuf_sizes[i], ref_buf, obuf_sizes[i] );
+
+ mbedtls_free( ref_buf );
+ ref_buf = NULL;
+ mbedtls_free( obuf );
+ obuf = NULL;
+ }
+
+exit:
+ mbedtls_mpi_mod_modulus_free( &m );
+ mbedtls_free( N );
+ mbedtls_free( R );
+ mbedtls_free( R_COPY );
+ mbedtls_free( obuf );
+}
+/* END_CASE */
/* END MERGE SLOT 7 */
/* BEGIN MERGE SLOT 8 */
diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function
index 4adccce..c7decf0 100644
--- a/tests/suites/test_suite_bignum_mod_raw.function
+++ b/tests/suites/test_suite_bignum_mod_raw.function
@@ -49,22 +49,22 @@
mbedtls_mpi_uint init[sizeof( X ) / sizeof( X[0] )];
memset( init, 0xFF, sizeof( init ) );
- int ret = mbedtls_mpi_mod_modulus_setup( &m, init, nx, endian,
+ int ret = mbedtls_mpi_mod_modulus_setup( &m, init, nx,
MBEDTLS_MPI_MOD_REP_MONTGOMERY );
TEST_EQUAL( ret, 0 );
if( iendian == MBEDTLS_MPI_MOD_EXT_REP_INVALID && iret != 0 )
- m.ext_rep = MBEDTLS_MPI_MOD_EXT_REP_INVALID;
+ endian = MBEDTLS_MPI_MOD_EXT_REP_INVALID;
- ret = mbedtls_mpi_mod_raw_read( X, &m, input->x, input->len );
+ ret = mbedtls_mpi_mod_raw_read( X, &m, input->x, input->len, endian );
TEST_EQUAL( ret, iret );
if( iret == 0 )
{
if( iendian == MBEDTLS_MPI_MOD_EXT_REP_INVALID && oret != 0 )
- m.ext_rep = MBEDTLS_MPI_MOD_EXT_REP_INVALID;
+ endian = MBEDTLS_MPI_MOD_EXT_REP_INVALID;
- ret = mbedtls_mpi_mod_raw_write( X, &m, buf, nb );
+ ret = mbedtls_mpi_mod_raw_write( X, &m, buf, nb, endian );
TEST_EQUAL( ret, oret );
}
@@ -138,7 +138,6 @@
memset( buff_m, 0xFF, copy_limbs );
TEST_EQUAL( mbedtls_mpi_mod_modulus_setup(
&m, buff_m, copy_limbs,
- MBEDTLS_MPI_MOD_EXT_REP_BE,
MBEDTLS_MPI_MOD_REP_MONTGOMERY ), 0 );
/* condition is false */
@@ -211,7 +210,6 @@
memset( buff_m, 0xFF, copy_limbs );
TEST_EQUAL( mbedtls_mpi_mod_modulus_setup(
&m, buff_m, copy_limbs,
- MBEDTLS_MPI_MOD_EXT_REP_BE,
MBEDTLS_MPI_MOD_REP_MONTGOMERY ), 0 );
ASSERT_ALLOC( X, limbs );
@@ -275,6 +273,78 @@
/* BEGIN MERGE SLOT 2 */
+/* BEGIN_CASE */
+void mpi_mod_raw_sub( char * input_A,
+ char * input_B,
+ char * input_N,
+ char * result )
+{
+ mbedtls_mpi_uint *A = NULL;
+ mbedtls_mpi_uint *B = NULL;
+ mbedtls_mpi_uint *N = NULL;
+ mbedtls_mpi_uint *X = NULL;
+ mbedtls_mpi_uint *res = NULL;
+ size_t limbs_A;
+ size_t limbs_B;
+ size_t limbs_N;
+ size_t limbs_res;
+
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_modulus_init( &m );
+
+ TEST_EQUAL( mbedtls_test_read_mpi_core( &A, &limbs_A, input_A ), 0 );
+ TEST_EQUAL( mbedtls_test_read_mpi_core( &B, &limbs_B, input_B ), 0 );
+ TEST_EQUAL( mbedtls_test_read_mpi_core( &N, &limbs_N, input_N ), 0 );
+ TEST_EQUAL( mbedtls_test_read_mpi_core( &res, &limbs_res, result ), 0 );
+
+ size_t limbs = limbs_N;
+ size_t bytes = limbs * sizeof( mbedtls_mpi_uint );
+
+ TEST_EQUAL( limbs_A, limbs );
+ TEST_EQUAL( limbs_B, limbs );
+ TEST_EQUAL( limbs_res, limbs );
+
+ ASSERT_ALLOC( X, limbs );
+
+ TEST_EQUAL( mbedtls_mpi_mod_modulus_setup(
+ &m, N, limbs,
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY ), 0 );
+
+ mbedtls_mpi_mod_raw_sub( X, A, B, &m );
+ ASSERT_COMPARE( X, bytes, res, bytes );
+
+ /* alias X to A */
+ memcpy( X, A, bytes );
+ mbedtls_mpi_mod_raw_sub( X, X, B, &m );
+ ASSERT_COMPARE( X, bytes, res, bytes );
+
+ /* alias X to B */
+ memcpy( X, B, bytes );
+ mbedtls_mpi_mod_raw_sub( X, A, X, &m );
+ ASSERT_COMPARE( X, bytes, res, bytes );
+
+ /* A == B: alias A and B */
+ if( memcmp( A, B, bytes ) == 0 )
+ {
+ mbedtls_mpi_mod_raw_sub( X, A, A, &m );
+ ASSERT_COMPARE( X, bytes, res, bytes );
+
+ /* X, A, B all aliased together */
+ memcpy( X, A, bytes );
+ mbedtls_mpi_mod_raw_sub( X, X, X, &m );
+ ASSERT_COMPARE( X, bytes, res, bytes );
+ }
+exit:
+ mbedtls_free( A );
+ mbedtls_free( B );
+ mbedtls_free( X );
+ mbedtls_free( res );
+
+ mbedtls_mpi_mod_modulus_free( &m );
+ mbedtls_free( N );
+}
+/* END_CASE */
+
/* END MERGE SLOT 2 */
/* BEGIN MERGE SLOT 3 */
@@ -287,6 +357,97 @@
/* BEGIN MERGE SLOT 5 */
+/* BEGIN_CASE */
+void mpi_mod_raw_add( char * input_N,
+ char * input_A, char * input_B,
+ char * input_S )
+{
+ mbedtls_mpi_uint *A = NULL;
+ mbedtls_mpi_uint *B = NULL;
+ mbedtls_mpi_uint *S = NULL;
+ mbedtls_mpi_uint *N = NULL;
+ mbedtls_mpi_uint *X = NULL;
+ size_t A_limbs, B_limbs, N_limbs, S_limbs;
+
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_modulus_init( &m );
+
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &A, &A_limbs, input_A ) );
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &B, &B_limbs, input_B ) );
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &N_limbs, input_N ) );
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &S, &S_limbs, input_S ) );
+
+ /* Modulus gives the number of limbs; all inputs must have the same. */
+ size_t limbs = N_limbs;
+ size_t bytes = limbs * sizeof( *A );
+
+ TEST_EQUAL( A_limbs, limbs );
+ TEST_EQUAL( B_limbs, limbs );
+ TEST_EQUAL( S_limbs, limbs );
+
+ ASSERT_ALLOC( X, limbs );
+
+ TEST_EQUAL( mbedtls_mpi_mod_modulus_setup(
+ &m, N, limbs,
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY
+ ), 0 );
+
+ /* A + B => Correct result */
+ mbedtls_mpi_mod_raw_add( X, A, B, &m );
+ ASSERT_COMPARE( X, bytes, S, bytes );
+
+ /* A + B: alias X to A => Correct result */
+ memcpy( X, A, bytes );
+ mbedtls_mpi_mod_raw_add( X, X, B, &m );
+ ASSERT_COMPARE( X, bytes, S, bytes );
+
+ /* A + B: alias X to B => Correct result */
+ memcpy( X, B, bytes );
+ mbedtls_mpi_mod_raw_add( X, A, X, &m );
+ ASSERT_COMPARE( X, bytes, S, bytes );
+
+ if ( memcmp(A, B, bytes ) == 0 )
+ {
+ /* A == B: alias A and B */
+
+ /* A + A => Correct result */
+ mbedtls_mpi_mod_raw_add( X, A, A, &m );
+ ASSERT_COMPARE( X, bytes, S, bytes );
+
+ /* A + A: X, A, B all aliased together => Correct result */
+ memcpy( X, A, bytes );
+ mbedtls_mpi_mod_raw_add( X, X, X, &m );
+ ASSERT_COMPARE( X, bytes, S, bytes );
+ }
+ else
+ {
+ /* A != B: test B + A */
+
+ /* B + A => Correct result */
+ mbedtls_mpi_mod_raw_add( X, B, A, &m );
+ ASSERT_COMPARE( X, bytes, S, bytes );
+
+ /* B + A: alias X to A => Correct result */
+ memcpy( X, A, bytes );
+ mbedtls_mpi_mod_raw_add( X, B, X, &m );
+ ASSERT_COMPARE( X, bytes, S, bytes );
+
+ /* B + A: alias X to B => Correct result */
+ memcpy( X, B, bytes );
+ mbedtls_mpi_mod_raw_add( X, X, A, &m );
+ ASSERT_COMPARE( X, bytes, S, bytes );
+ }
+
+exit:
+ mbedtls_mpi_mod_modulus_free( &m );
+
+ mbedtls_free( A );
+ mbedtls_free( B );
+ mbedtls_free( S );
+ mbedtls_free( N );
+ mbedtls_free( X );
+}
+/* END_CASE */
/* END MERGE SLOT 5 */
/* BEGIN MERGE SLOT 6 */
@@ -315,7 +476,7 @@
TEST_LE_U(a_limbs, n_limbs);
TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs,
- MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
/* Convert from cannonical into Montgomery representation */
TEST_EQUAL(0, mbedtls_mpi_mod_raw_to_mont_rep( A, &m ) );
@@ -351,7 +512,7 @@
TEST_LE_U(a_limbs, n_limbs);
TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs,
- MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
/* Convert from Montgomery into cannonical representation */
TEST_EQUAL(0, mbedtls_mpi_mod_raw_from_mont_rep( A, &m ) );
diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function
index b7c3b51..ff936df 100644
--- a/tests/suites/test_suite_cipher.function
+++ b/tests/suites/test_suite_cipher.function
@@ -450,8 +450,12 @@
TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_enc ) );
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
- TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_dec, ad, sizeof( ad ) - i ) );
- TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_enc, ad, sizeof( ad ) - i ) );
+ int expected = ( cipher_info->mode == MBEDTLS_MODE_GCM ||
+ cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ?
+ 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+
+ TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx_dec, ad, sizeof(ad) - i ) );
+ TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx_enc, ad, sizeof(ad) - i ) );
#endif
block_size = mbedtls_cipher_get_block_size( &ctx_enc );
@@ -470,7 +474,7 @@
total_len += outlen;
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
- TEST_ASSERT( 0 == mbedtls_cipher_write_tag( &ctx_enc, tag, sizeof( tag ) ) );
+ TEST_EQUAL( expected, mbedtls_cipher_write_tag( &ctx_enc, tag, sizeof(tag) ) );
#endif
TEST_ASSERT( total_len == length ||
@@ -491,7 +495,7 @@
total_len += outlen;
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
- TEST_ASSERT( 0 == mbedtls_cipher_check_tag( &ctx_dec, tag, sizeof( tag ) ) );
+ TEST_EQUAL( expected, mbedtls_cipher_check_tag( &ctx_dec, tag, sizeof(tag) ) );
#endif
/* check result */
@@ -547,7 +551,11 @@
TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx, iv, 16 ) );
TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx ) );
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
- TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx, NULL, 0 ) );
+ int expected = ( cipher_info->mode == MBEDTLS_MODE_GCM ||
+ cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ?
+ 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+
+ TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx, NULL, 0 ) );
#endif
/* encode length number of bytes from inbuf */
@@ -609,7 +617,11 @@
TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_dec ) );
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
- TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) );
+ int expected = ( cipher_info->mode == MBEDTLS_MODE_GCM ||
+ cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ?
+ 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+
+ TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) );
#endif
/* decode 0-byte string */
@@ -710,8 +722,12 @@
TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_enc ) );
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
- TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) );
- TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_enc, NULL, 0 ) );
+ int expected = ( cipher_info->mode == MBEDTLS_MODE_GCM ||
+ cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ?
+ 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+
+ TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) );
+ TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx_enc, NULL, 0 ) );
#endif
block_size = mbedtls_cipher_get_block_size( &ctx_enc );
@@ -795,7 +811,11 @@
TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx, iv->x, iv->len ) );
TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx ) );
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
- TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx, ad->x, ad->len ) );
+ int expected = ( ctx.cipher_info->mode == MBEDTLS_MODE_GCM ||
+ ctx.cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ?
+ 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+
+ TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx, ad->x, ad->len ) );
#endif
/* decode buffer and check tag->x */
@@ -806,7 +826,11 @@
&outlen ) );
total_len += outlen;
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
- TEST_ASSERT( tag_result == mbedtls_cipher_check_tag( &ctx, tag->x, tag->len ) );
+ int tag_expected = ( ctx.cipher_info->mode == MBEDTLS_MODE_GCM ||
+ ctx.cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ?
+ tag_result : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+
+ TEST_EQUAL( tag_expected, mbedtls_cipher_check_tag( &ctx, tag->x, tag->len ) );
#endif
/* check plaintext only if everything went fine */
diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
new file mode 100644
index 0000000..f3cbb62
--- /dev/null
+++ b/tests/suites/test_suite_pkcs7.data
@@ -0,0 +1,83 @@
+PKCS7 Signed Data Parse Pass SHA256 #1
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
+pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA
+
+PKCS7 Signed Data Parse Pass SHA1 #2
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
+pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha1.der":MBEDTLS_PKCS7_SIGNED_DATA
+
+PKCS7 Signed Data Parse Pass Without CERT #3
+depends_on:MBEDTLS_SHA256_C
+pkcs7_parse:"data_files/pkcs7_data_without_cert_signed.der":MBEDTLS_PKCS7_SIGNED_DATA
+
+PKCS7 Signed Data Parse Fail with multiple certs #4
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
+pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
+
+PKCS7 Signed Data Parse Fail with corrupted cert #5
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
+pkcs7_parse:"data_files/pkcs7_data_signed_badcert.der":MBEDTLS_ERR_PKCS7_INVALID_CERT
+
+PKCS7 Signed Data Parse Fail with corrupted signer info #6
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
+pkcs7_parse:"data_files/pkcs7_data_signed_badsigner.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
+
+PKCS7 Signed Data Parse Fail Version other than 1 #7
+depends_on:MBEDTLS_SHA256_C
+pkcs7_parse:"data_files/pkcs7_data_cert_signed_v2.der":MBEDTLS_ERR_PKCS7_INVALID_VERSION
+
+PKCS7 Signed Data Parse Fail Encrypted Content #8
+depends_on:MBEDTLS_SHA256_C
+pkcs7_parse:"data_files/pkcs7_data_cert_encrypted.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
+
+PKCS7 Signed Data Verification Pass SHA256 #9
+depends_on:MBEDTLS_SHA256_C
+pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0
+
+PKCS7 Signed Data Verification Pass SHA256 #9.1
+depends_on:MBEDTLS_SHA256_C
+pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0
+
+PKCS7 Signed Data Verification Pass SHA1 #10
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
+pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha1.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0
+
+PKCS7 Signed Data Verification Pass SHA512 #11
+depends_on:MBEDTLS_SHA512_C:MBEDTLS_SHA256_C
+pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0
+
+PKCS7 Signed Data Verification Fail because of different certificate #12
+depends_on:MBEDTLS_SHA256_C
+pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.der":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
+
+PKCS7 Signed Data Verification Fail because of different data hash #13
+depends_on:MBEDTLS_SHA256_C
+pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data_1.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
+
+PKCS7 Signed Data Parse Failure Corrupt signerInfo.issuer #15.1
+depends_on:MBEDTLS_SHA256_C
+pkcs7_parse:"data_files/pkcs7_signerInfo_issuer_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
+
+PKCS7 Signed Data Parse Failure Corrupt signerInfo.serial #15.2
+depends_on:MBEDTLS_SHA256_C
+pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
+
+pkcs7_get_signers_info_set error handling (6213931373035520)
+depends_on:MBEDTLS_RIPEMD160_C
+pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+pkcs7_get_signers_info_set error handling (4541044530479104)
+depends_on:MBEDTLS_RIPEMD160_C
+pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+PKCS7 Only Signed Data Parse Pass #15
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
+pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA
+
+PKCS7 Signed Data Verify with multiple signers #16
+depends_on:MBEDTLS_SHA256_C
+pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":0:0
+
+PKCS7 Signed Data Hash Verify with multiple signers #17
+depends_on:MBEDTLS_SHA256_C
+pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0
diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function
new file mode 100644
index 0000000..3d7dec6
--- /dev/null
+++ b/tests/suites/test_suite_pkcs7.function
@@ -0,0 +1,194 @@
+/* BEGIN_HEADER */
+#include "mbedtls/bignum.h"
+#include "mbedtls/pkcs7.h"
+#include "mbedtls/x509.h"
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/x509_crl.h"
+#include "mbedtls/oid.h"
+#include "sys/types.h"
+#include "sys/stat.h"
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_PKCS7_C:MBEDTLS_RSA_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
+void pkcs7_parse( char *pkcs7_file, int res_expect )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ int res;
+
+ mbedtls_pkcs7 pkcs7;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+ TEST_EQUAL( res, 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_EQUAL( res, res_expect );
+
+exit:
+ mbedtls_free( pkcs7_buf );
+ mbedtls_pkcs7_free( &pkcs7 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */
+void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned, int do_hash_alg, int res_expect )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ unsigned char *data = NULL;
+ unsigned char hash[32];
+ struct stat st;
+ size_t datalen;
+ int res;
+ FILE *file;
+ const mbedtls_md_info_t *md_info;
+ mbedtls_md_type_t md_alg;
+
+ mbedtls_pkcs7 pkcs7;
+ mbedtls_x509_crt x509;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+ mbedtls_x509_crt_init( &x509 );
+
+ USE_PSA_INIT();
+
+ res = mbedtls_x509_crt_parse_file( &x509, crt );
+ TEST_EQUAL( res, 0 );
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+ TEST_EQUAL( res, 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_EQUAL( res, MBEDTLS_PKCS7_SIGNED_DATA );
+
+ res = stat( filetobesigned, &st );
+ TEST_EQUAL( res, 0 );
+
+ file = fopen( filetobesigned, "rb" );
+ TEST_ASSERT( file != NULL );
+
+ datalen = st.st_size;
+ ASSERT_ALLOC( data, datalen );
+ TEST_ASSERT( data != NULL );
+
+ buflen = fread( (void *)data , sizeof( unsigned char ), datalen, file );
+ TEST_EQUAL( buflen, datalen );
+ fclose( file );
+
+ if( do_hash_alg )
+ {
+ res = mbedtls_oid_get_md_alg( &pkcs7.signed_data.digest_alg_identifiers, &md_alg );
+ TEST_EQUAL( res, 0 );
+ TEST_EQUAL( md_alg, (mbedtls_md_type_t) do_hash_alg );
+ md_info = mbedtls_md_info_from_type( md_alg );
+
+ res = mbedtls_md( md_info, data, datalen, hash );
+ TEST_EQUAL( res, 0 );
+
+ res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509, hash, sizeof(hash) );
+ }
+ else
+ {
+ res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen );
+ }
+ TEST_EQUAL( res, res_expect );
+
+exit:
+ mbedtls_x509_crt_free( &x509 );
+ mbedtls_free( data );
+ mbedtls_pkcs7_free( &pkcs7 );
+ mbedtls_free( pkcs7_buf );
+ USE_PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */
+void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, char *filetobesigned, int do_hash_alg, int res_expect )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ unsigned char *data = NULL;
+ unsigned char hash[32];
+ struct stat st;
+ size_t datalen;
+ int res;
+ FILE *file;
+ const mbedtls_md_info_t *md_info;
+ mbedtls_md_type_t md_alg;
+
+ mbedtls_pkcs7 pkcs7;
+ mbedtls_x509_crt x509_1;
+ mbedtls_x509_crt x509_2;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+ mbedtls_x509_crt_init( &x509_1 );
+ mbedtls_x509_crt_init( &x509_2 );
+
+ USE_PSA_INIT();
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+ TEST_EQUAL( res, 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_EQUAL( res, MBEDTLS_PKCS7_SIGNED_DATA );
+
+ TEST_EQUAL( pkcs7.signed_data.no_of_signers, 2 );
+
+ res = mbedtls_x509_crt_parse_file( &x509_1, crt1 );
+ TEST_EQUAL( res, 0 );
+
+ res = mbedtls_x509_crt_parse_file( &x509_2, crt2 );
+ TEST_EQUAL( res, 0 );
+
+ res = stat( filetobesigned, &st );
+ TEST_EQUAL( res, 0 );
+
+ file = fopen( filetobesigned, "rb" );
+ TEST_ASSERT( file != NULL );
+
+ datalen = st.st_size;
+ ASSERT_ALLOC( data, datalen );
+ buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file );
+ TEST_EQUAL( buflen, datalen );
+
+ fclose( file );
+
+ if( do_hash_alg )
+ {
+ res = mbedtls_oid_get_md_alg( &pkcs7.signed_data.digest_alg_identifiers, &md_alg );
+ TEST_EQUAL( res, 0 );
+ TEST_EQUAL( md_alg, MBEDTLS_MD_SHA256 );
+
+ md_info = mbedtls_md_info_from_type( md_alg );
+
+ res = mbedtls_md( md_info, data, datalen, hash );
+ TEST_EQUAL( res, 0 );
+
+ res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509_1, hash, sizeof(hash) );
+ TEST_EQUAL( res, res_expect );
+ }
+ else
+ {
+ res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_1, data, datalen );
+ TEST_EQUAL( res, res_expect );
+ }
+
+ res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_2, data, datalen );
+ TEST_EQUAL( res, res_expect );
+
+exit:
+ mbedtls_x509_crt_free( &x509_1 );
+ mbedtls_x509_crt_free( &x509_2 );
+ mbedtls_pkcs7_free( &pkcs7 );
+ mbedtls_free( data );
+ mbedtls_free( pkcs7_buf );
+ USE_PSA_DONE();
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 659205d..946234c 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -6490,116 +6490,3 @@
PSA derive persistent key: HKDF SHA-256, exportable
persistent_key_load_key_from_storage:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_TYPE_RAW_DATA:1024:PSA_KEY_USAGE_EXPORT:0:DERIVE_KEY
-
-PSA PAKE: invalid alg
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":PSA_ERROR_INVALID_ARGUMENT:0:0:0
-
-PSA PAKE: invalid primitive type
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_DH, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":PSA_ERROR_NOT_SUPPORTED:0:0:0
-
-PSA PAKE: invalid primitive family
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_K1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":PSA_ERROR_NOT_SUPPORTED:0:0:0
-
-PSA PAKE: invalid primitive bits
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 128):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":PSA_ERROR_NOT_SUPPORTED:0:0:0
-
-PSA PAKE: invalid hash
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_1:PSA_PAKE_ROLE_SERVER:0:"abcd":PSA_ERROR_NOT_SUPPORTED:0:0:0
-
-PSA PAKE: ecjpake setup server output step first
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":0:0:0:0
-
-PSA PAKE: ecjpake setup server input step first
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":0:0:0:0
-
-PSA PAKE: ecjpake setup server empty password
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"":0:0:0:PSA_ERROR_BAD_STATE
-
-PSA PAKE: ecjpake setup client output step first
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":0:0:0:0
-
-PSA PAKE: ecjpake setup client input step first
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:1:"abcd":0:0:0:0
-
-PSA PAKE: ecjpake setup client empty password
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"":0:0:0:PSA_ERROR_BAD_STATE
-
-PSA PAKE: ecjpake setup client bad password key type
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_DERIVE:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":0:0:PSA_ERROR_INVALID_ARGUMENT:0
-
-PSA PAKE: ecjpake setup client bad password key usage
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_ENCRYPT:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":0:0:PSA_ERROR_NOT_PERMITTED:0
-
-PSA PAKE: ecjpake setup invalid role NONE
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_NONE:0:"abcd":0:PSA_ERROR_NOT_SUPPORTED:0:0
-
-PSA PAKE: ecjpake rounds
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
-ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0
-
-PSA PAKE: ecjpake rounds, client input first
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
-ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1:0
-
-# This test case relies on implementation (it may need to be adjusted in the future)
-PSA PAKE: ecjpake rounds - key is destroyed after being passed to set_password_key
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
-ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:1
-
-PSA PAKE: ecjpake no input errors
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:0:"abcdef"
-
-PSA PAKE: ecjpake no input errors, client input first
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:0:"abcdef"
-
-PSA PAKE: ecjpake inject input errors, first round client
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:1:"abcdef"
-
-PSA PAKE: ecjpake inject input errors, first round client, client input first
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:1:"abcdef"
-
-PSA PAKE: ecjpake inject input errors, first round server
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:2:"abcdef"
-
-PSA PAKE: ecjpake inject input errors, first round server, client input first
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:2:"abcdef"
-
-PSA PAKE: ecjpake inject input errors, second round client
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:3:"abcdef"
-
-PSA PAKE: ecjpake inject input errors, second round client, client input first
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:3:"abcdef"
-
-PSA PAKE: ecjpake inject input errors, second round server
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:4:"abcdef"
-
-PSA PAKE: ecjpake inject input errors, second round server, client input first
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:4:"abcdef"
-
-PSA PAKE: ecjpake size macros
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256
-ecjpake_size_macros:
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index ca1614b..0c0f2ed 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -4,6 +4,7 @@
#include "mbedtls/asn1.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/oid.h"
+#include "common.h"
/* For MBEDTLS_CTR_DRBG_MAX_REQUEST, knowing that psa_generate_random()
* uses mbedtls_ctr_drbg internally. */
@@ -1318,6 +1319,24 @@
}
#endif /* PSA_WANT_ALG_JPAKE */
+typedef enum
+{
+ INJECT_ERR_NONE = 0,
+ INJECT_ERR_UNINITIALIZED_ACCESS,
+ INJECT_ERR_DUPLICATE_SETUP,
+ INJECT_ERR_INVALID_USER,
+ INJECT_ERR_INVALID_PEER,
+ INJECT_ERR_SET_USER,
+ INJECT_ERR_SET_PEER,
+ INJECT_EMPTY_IO_BUFFER,
+ INJECT_UNKNOWN_STEP,
+ INJECT_INVALID_FIRST_STEP,
+ INJECT_WRONG_BUFFER_SIZE,
+ INJECT_VALID_OPERATION_AFTER_FAILURE,
+ INJECT_ANTICIPATE_KEY_DERIVATION_1,
+ INJECT_ANTICIPATE_KEY_DERIVATION_2,
+} ecjpake_injected_failure_t;
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -3983,7 +4002,7 @@
TEST_LE_U( length, output_buffer_size );
output_length += length;
PSA_ASSERT( psa_cipher_finish( &operation,
- output + output_length,
+ mbedtls_buffer_offset( output, output_length ),
output_buffer_size - output_length,
&length ) );
output_length += length;
@@ -4001,7 +4020,7 @@
TEST_LE_U( length, output_buffer_size );
output_length += length;
PSA_ASSERT( psa_cipher_finish( &operation,
- output + output_length,
+ mbedtls_buffer_offset( output, output_length ),
output_buffer_size - output_length,
&length ) );
output_length += length;
@@ -8753,11 +8772,9 @@
/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
int primitive_arg, int hash_arg, int role_arg,
- int input_first, data_t *pw_data,
- int expected_status_setup_arg,
- int expected_status_set_role_arg,
- int expected_status_set_password_key_arg,
- int expected_status_input_output_arg)
+ int test_input, data_t *pw_data,
+ int inj_err_type_arg,
+ int expected_error_arg)
{
psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
psa_pake_operation_t operation = psa_pake_operation_init();
@@ -8769,12 +8786,9 @@
psa_pake_role_t role = role_arg;
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_status_t expected_status_setup = expected_status_setup_arg;
- psa_status_t expected_status_set_role = expected_status_set_role_arg;
- psa_status_t expected_status_set_password_key =
- expected_status_set_password_key_arg;
- psa_status_t expected_status_input_output =
- expected_status_input_output_arg;
+ ecjpake_injected_failure_t inj_err_type = inj_err_type_arg;
+ psa_status_t expected_error = expected_error_arg;
+ psa_status_t status;
unsigned char *output_buffer = NULL;
size_t output_len = 0;
@@ -8799,54 +8813,90 @@
PSA_ASSERT( psa_pake_abort( &operation ) );
- TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ),
- PSA_ERROR_BAD_STATE );
- TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ),
- PSA_ERROR_BAD_STATE );
- TEST_EQUAL( psa_pake_set_password_key( &operation, key ),
- PSA_ERROR_BAD_STATE );
- TEST_EQUAL( psa_pake_set_role( &operation, role ),
- PSA_ERROR_BAD_STATE );
- TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE,
- NULL, 0, NULL ),
- PSA_ERROR_BAD_STATE );
- TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, NULL, 0),
- PSA_ERROR_BAD_STATE );
-
- PSA_ASSERT( psa_pake_abort( &operation ) );
-
- TEST_EQUAL( psa_pake_setup( &operation, &cipher_suite ),
- expected_status_setup );
- if( expected_status_setup != PSA_SUCCESS )
+ if ( inj_err_type == INJECT_ERR_UNINITIALIZED_ACCESS )
+ {
+ TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ),
+ expected_error );
+ PSA_ASSERT( psa_pake_abort( &operation ) );
+ TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ),
+ expected_error );
+ PSA_ASSERT( psa_pake_abort( &operation ) );
+ TEST_EQUAL( psa_pake_set_password_key( &operation, key ),
+ expected_error );
+ PSA_ASSERT( psa_pake_abort( &operation ) );
+ TEST_EQUAL( psa_pake_set_role( &operation, role ),
+ expected_error );
+ PSA_ASSERT( psa_pake_abort( &operation ) );
+ TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE,
+ NULL, 0, NULL ),
+ expected_error );
+ PSA_ASSERT( psa_pake_abort( &operation ) );
+ TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, NULL, 0),
+ expected_error );
+ PSA_ASSERT( psa_pake_abort( &operation ) );
goto exit;
+ }
- TEST_EQUAL( psa_pake_setup( &operation, &cipher_suite ),
- PSA_ERROR_BAD_STATE );
-
- TEST_EQUAL( psa_pake_set_role( &operation, role),
- expected_status_set_role );
- if( expected_status_set_role != PSA_SUCCESS )
+ status = psa_pake_setup( &operation, &cipher_suite );
+ if (status != PSA_SUCCESS)
+ {
+ TEST_EQUAL( status, expected_error );
goto exit;
+ }
+
+ if( inj_err_type == INJECT_ERR_DUPLICATE_SETUP )
+ {
+ TEST_EQUAL( psa_pake_setup( &operation, &cipher_suite ),
+ expected_error );
+ goto exit;
+ }
+
+ status = psa_pake_set_role( &operation, role);
+ if ( status != PSA_SUCCESS )
+ {
+ TEST_EQUAL( status, expected_error );
+ goto exit;
+ }
if( pw_data->len > 0 )
{
- TEST_EQUAL( psa_pake_set_password_key( &operation, key ),
- expected_status_set_password_key );
- if( expected_status_set_password_key != PSA_SUCCESS )
+ status = psa_pake_set_password_key( &operation, key );
+ if ( status != PSA_SUCCESS )
+ {
+ TEST_EQUAL( status, expected_error );
goto exit;
+ }
}
- TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ),
- PSA_ERROR_INVALID_ARGUMENT );
- TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ),
- PSA_ERROR_INVALID_ARGUMENT );
+ if ( inj_err_type == INJECT_ERR_INVALID_USER )
+ {
+ TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ),
+ PSA_ERROR_INVALID_ARGUMENT );
+ goto exit;
+ }
- const uint8_t unsupported_id[] = "abcd";
+ if ( inj_err_type == INJECT_ERR_INVALID_PEER )
+ {
+ TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ),
+ PSA_ERROR_INVALID_ARGUMENT );
+ goto exit;
+ }
- TEST_EQUAL( psa_pake_set_user( &operation, unsupported_id, 4 ),
- PSA_ERROR_NOT_SUPPORTED );
- TEST_EQUAL( psa_pake_set_peer( &operation, unsupported_id, 4 ),
- PSA_ERROR_NOT_SUPPORTED );
+ if ( inj_err_type == INJECT_ERR_SET_USER )
+ {
+ const uint8_t unsupported_id[] = "abcd";
+ TEST_EQUAL( psa_pake_set_user( &operation, unsupported_id, 4 ),
+ PSA_ERROR_NOT_SUPPORTED );
+ goto exit;
+ }
+
+ if ( inj_err_type == INJECT_ERR_SET_PEER )
+ {
+ const uint8_t unsupported_id[] = "abcd";
+ TEST_EQUAL( psa_pake_set_peer( &operation, unsupported_id, 4 ),
+ PSA_ERROR_NOT_SUPPORTED );
+ goto exit;
+ }
const size_t size_key_share = PSA_PAKE_INPUT_SIZE( alg, primitive,
PSA_PAKE_STEP_KEY_SHARE );
@@ -8855,85 +8905,109 @@
const size_t size_zk_proof = PSA_PAKE_INPUT_SIZE( alg, primitive,
PSA_PAKE_STEP_ZK_PROOF );
- /* First round */
- if( input_first )
+ if ( test_input )
{
- /* Invalid parameters (input) */
- TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF,
- NULL, 0 ),
- PSA_ERROR_INVALID_ARGUMENT );
- /* Invalid parameters (step) */
- TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role,
- key, pw_data->len ) , 0 );
- TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF + 10,
- output_buffer, size_zk_proof ),
- PSA_ERROR_INVALID_ARGUMENT );
- /* Invalid first step */
- TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role,
- key, pw_data->len ), 0 );
- TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF,
- output_buffer, size_zk_proof ),
- PSA_ERROR_BAD_STATE );
-
- /* Possibly valid */
- TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role,
- key, pw_data->len ), 0 );
- TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE,
- output_buffer, size_key_share ),
- expected_status_input_output);
-
- if( expected_status_input_output == PSA_SUCCESS )
+ if ( inj_err_type == INJECT_EMPTY_IO_BUFFER )
{
- /* Buffer too large */
- TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
- output_buffer, size_zk_public + 1 ),
- PSA_ERROR_INVALID_ARGUMENT );
+ TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF, NULL, 0 ),
+ PSA_ERROR_INVALID_ARGUMENT );
+ goto exit;
+ }
- /* The operation's state should be invalidated at this point */
+ if ( inj_err_type == INJECT_UNKNOWN_STEP )
+ {
+ TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF + 10,
+ output_buffer, size_zk_proof ),
+ PSA_ERROR_INVALID_ARGUMENT );
+ goto exit;
+ }
+
+ if ( inj_err_type == INJECT_INVALID_FIRST_STEP )
+ {
+ TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF,
+ output_buffer, size_zk_proof ),
+ PSA_ERROR_BAD_STATE );
+ goto exit;
+ }
+
+ status = psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE,
+ output_buffer, size_key_share );
+ if ( status != PSA_SUCCESS )
+ {
+ TEST_EQUAL( status, expected_error);
+ goto exit;
+ }
+
+ if ( inj_err_type == INJECT_WRONG_BUFFER_SIZE )
+ {
+ TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
+ output_buffer, size_zk_public + 1 ),
+ PSA_ERROR_INVALID_ARGUMENT );
+ goto exit;
+ }
+
+ if ( inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE )
+ {
+ // Just trigger any kind of error. We don't care about the result here
+ psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
+ output_buffer, size_zk_public + 1 );
TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
output_buffer, size_zk_public ),
- PSA_ERROR_BAD_STATE );
+ PSA_ERROR_BAD_STATE );
+ goto exit;
}
- }
- else
- {
- /* Invalid parameters (output) */
- TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF,
- NULL, 0, NULL ),
- PSA_ERROR_INVALID_ARGUMENT );
- /* Invalid parameters (step) */
- TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role,
- key, pw_data->len ), 0 );
- TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF + 10,
- output_buffer, buf_size, &output_len ),
- PSA_ERROR_INVALID_ARGUMENT );
- /* Invalid first step */
- TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role,
- key, pw_data->len ), 0 );
- TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF,
- output_buffer, buf_size, &output_len ),
- PSA_ERROR_BAD_STATE );
-
- /* Possibly valid */
- TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role,
- key, pw_data->len ), 0 );
- TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE,
- output_buffer, buf_size, &output_len ),
- expected_status_input_output );
-
- if( expected_status_input_output == PSA_SUCCESS )
+ } else {
+ if ( inj_err_type == INJECT_EMPTY_IO_BUFFER )
{
- TEST_ASSERT( output_len > 0 );
+ TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF,
+ NULL, 0, NULL ),
+ PSA_ERROR_INVALID_ARGUMENT );
+ goto exit;
+ }
- /* Buffer too small */
- TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
- output_buffer, size_zk_public - 1, &output_len ),
- PSA_ERROR_BUFFER_TOO_SMALL );
+ if ( inj_err_type == INJECT_UNKNOWN_STEP )
+ {
+ TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF + 10,
+ output_buffer, buf_size, &output_len ),
+ PSA_ERROR_INVALID_ARGUMENT );
+ goto exit;
+ }
- /* The operation's state should be invalidated at this point */
+ if ( inj_err_type == INJECT_INVALID_FIRST_STEP )
+ {
+ TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF,
+ output_buffer, buf_size, &output_len ),
+ PSA_ERROR_BAD_STATE );
+ goto exit;
+ }
+
+ status = psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE,
+ output_buffer, buf_size, &output_len );
+ if ( status != PSA_SUCCESS )
+ {
+ TEST_EQUAL( status, expected_error);
+ goto exit;
+ }
+
+ TEST_ASSERT( output_len > 0 );
+
+ if ( inj_err_type == INJECT_WRONG_BUFFER_SIZE )
+ {
TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
- output_buffer, buf_size, &output_len ),
- PSA_ERROR_BAD_STATE );
+ output_buffer, size_zk_public - 1, &output_len ),
+ PSA_ERROR_BUFFER_TOO_SMALL );
+ goto exit;
+ }
+
+ if ( inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE )
+ {
+ // Just trigger any kind of error. We don't care about the result here
+ psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
+ output_buffer, size_zk_public - 1, &output_len );
+ TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
+ output_buffer, buf_size, &output_len ),
+ PSA_ERROR_BAD_STATE );
+ goto exit;
}
}
@@ -9000,7 +9074,7 @@
/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg,
int derive_alg_arg, data_t *pw_data,
- int client_input_first, int destroy_key )
+ int client_input_first, int inj_err_type_arg )
{
psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
psa_pake_operation_t server = psa_pake_operation_init();
@@ -9014,6 +9088,7 @@
PSA_KEY_DERIVATION_OPERATION_INIT;
psa_key_derivation_operation_t client_derive =
PSA_KEY_DERIVATION_OPERATION_INIT;
+ ecjpake_injected_failure_t inj_err_type = inj_err_type_arg;
PSA_INIT( );
@@ -9051,22 +9126,27 @@
PSA_ASSERT( psa_pake_set_password_key( &server, key ) );
PSA_ASSERT( psa_pake_set_password_key( &client, key ) );
- if( destroy_key == 1 )
- psa_destroy_key( key );
-
- TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ),
+ if( inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_1 )
+ {
+ TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ),
PSA_ERROR_BAD_STATE );
- TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ),
+ TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ),
PSA_ERROR_BAD_STATE );
+ goto exit;
+ }
/* First round */
ecjpake_do_round( alg, primitive_arg, &server, &client,
client_input_first, 1, 0 );
- TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ),
+ if ( inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_2 )
+ {
+ TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ),
PSA_ERROR_BAD_STATE );
- TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ),
+ TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ),
PSA_ERROR_BAD_STATE );
+ goto exit;
+ }
/* Second round */
ecjpake_do_round( alg, primitive_arg, &server, &client,
diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data
new file mode 100644
index 0000000..f447ef0
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_pake.data
@@ -0,0 +1,203 @@
+PSA PAKE: uninitialized access to psa_pake_operation_t
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_UNINITIALIZED_ACCESS:PSA_ERROR_BAD_STATE
+
+PSA PAKE: invalid alg
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SETUP:PSA_ERROR_INVALID_ARGUMENT
+
+PSA PAKE: invalid primitive type
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_DH, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED
+
+PSA PAKE: invalid primitive family
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_K1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED
+
+PSA PAKE: invalid primitive bits
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 128):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED
+
+PSA PAKE: invalid hash
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_1:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED
+
+PSA PAKE: duplicate a valid setup
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_DUPLICATE_SETUP:PSA_ERROR_BAD_STATE
+
+PSA PAKE: ecjpake setup invalid role NONE
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_NONE:0:ERR_IN_SET_ROLE:PSA_ERROR_NOT_SUPPORTED
+
+PSA PAKE: wrong password key type
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_HMAC:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_INVALID_ARGUMENT
+
+PSA PAKE: wrong password key usage
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_ENCRYPT:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_NOT_PERMITTED
+
+PSA PAKE: set invalid user
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_INVALID_USER:PSA_ERROR_INVALID_ARGUMENT
+
+PSA PAKE: set invalid peer
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_INVALID_PEER:PSA_ERROR_INVALID_ARGUMENT
+
+PSA PAKE: set user
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_SET_USER:PSA_ERROR_NOT_SUPPORTED
+
+PSA PAKE: set peer
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_SET_PEER:PSA_ERROR_NOT_SUPPORTED
+
+PSA PAKE: invalid input
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT
+
+PSA PAKE: unkown input step
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_UNKNOWN_STEP:PSA_ERROR_INVALID_ARGUMENT
+
+PSA PAKE: invalid first input step
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_INVALID_FIRST_STEP:PSA_ERROR_BAD_STATE
+
+PSA PAKE: input buffer too large
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_INVALID_ARGUMENT
+
+PSA PAKE: valid input operation after a failure
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_VALID_OPERATION_AFTER_FAILURE:PSA_ERROR_BAD_STATE
+
+PSA PAKE: invalid output
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT
+
+PSA PAKE: unkown output step
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_UNKNOWN_STEP:PSA_ERROR_INVALID_ARGUMENT
+
+PSA PAKE: invalid first output step
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_INVALID_FIRST_STEP:PSA_ERROR_BAD_STATE
+
+PSA PAKE: output buffer too small
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_BUFFER_TOO_SMALL
+
+PSA PAKE: valid output operation after a failure
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_VALID_OPERATION_AFTER_FAILURE:PSA_ERROR_BAD_STATE
+
+PSA PAKE: check rounds w/o forced errors
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
+ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0:ERR_NONE
+
+PSA PAKE: check rounds w/o forced errors, TLS12_PRF
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF
+ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"abcdef":0:0:ERR_NONE
+
+PSA PAKE: check rounds, key is destroyed after being passed to set_password_key
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
+ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:1:ERR_NONE
+
+PSA PAKE: check rounds w/o forced errors, client input first
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
+ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1:0:ERR_NONE
+
+PSA PAKE: force early key derivation 1
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
+ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0:ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1
+
+PSA PAKE: force early key derivation 2
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
+ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0:ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2
+
+PSA PAKE: no injected errors
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_NONE:PSA_SUCCESS
+
+PSA PAKE: no injected errors, client input first
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:"abcdef":ERR_NONE:PSA_SUCCESS
+
+PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_KEY_SHARE
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_KEY_SHARE:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_ZK_PROOF
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_ZK_PROOF:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND2_SERVER_KEY_SHARE
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_SERVER_KEY_SHARE:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: inject ERR_INJECT_ROUND2_SERVER_ZK_PROOF
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_SERVER_ZK_PROOF:PSA_ERROR_DATA_INVALID
+
+PSA PAKE: ecjpake size macros
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256
+ecjpake_size_macros:
diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function
new file mode 100644
index 0000000..4f000c1
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_pake.function
@@ -0,0 +1,917 @@
+/* BEGIN_HEADER */
+#include <stdint.h>
+
+#include "psa/crypto.h"
+
+typedef enum
+{
+ ERR_NONE = 0,
+ /* errors forced internally in the code */
+ ERR_INJECT_UNINITIALIZED_ACCESS,
+ ERR_INJECT_DUPLICATE_SETUP,
+ ERR_INJECT_INVALID_USER,
+ ERR_INJECT_INVALID_PEER,
+ ERR_INJECT_SET_USER,
+ ERR_INJECT_SET_PEER,
+ ERR_INJECT_EMPTY_IO_BUFFER,
+ ERR_INJECT_UNKNOWN_STEP,
+ ERR_INJECT_INVALID_FIRST_STEP,
+ ERR_INJECT_WRONG_BUFFER_SIZE,
+ ERR_INJECT_VALID_OPERATION_AFTER_FAILURE,
+ ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1,
+ ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2,
+ ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1,
+ ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1,
+ ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1,
+ ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2,
+ ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2,
+ ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2,
+ ERR_INJECT_ROUND2_CLIENT_KEY_SHARE,
+ ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC,
+ ERR_INJECT_ROUND2_CLIENT_ZK_PROOF,
+ ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1,
+ ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1,
+ ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1,
+ ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2,
+ ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2,
+ ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2,
+ ERR_INJECT_ROUND2_SERVER_KEY_SHARE,
+ ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC,
+ ERR_INJECT_ROUND2_SERVER_ZK_PROOF,
+ /* erros issued from the .data file */
+ ERR_IN_SETUP,
+ ERR_IN_SET_ROLE,
+ ERR_IN_SET_PASSWORD_KEY,
+ ERR_IN_INPUT,
+ ERR_IN_OUTPUT,
+} ecjpake_error_stage_t;
+
+typedef enum
+{
+ PAKE_ROUND_ONE,
+ PAKE_ROUND_TWO
+} pake_round_t;
+
+/*
+ * Inject an error on the specified buffer ONLY it this is the correct stage.
+ * Offset 7 is arbitrary, but chosen because it's "in the middle" of the part
+ * we're corrupting.
+ */
+#define DO_ROUND_CONDITIONAL_INJECT( this_stage, buf ) \
+ if ( this_stage == err_stage ) \
+ { \
+ *( buf + 7) ^= 1; \
+ }
+
+#define DO_ROUND_UPDATE_OFFSETS( main_buf_offset, step_offset, step_size ) \
+ { \
+ step_offset = main_buf_offset; \
+ main_buf_offset += step_size; \
+ }
+
+#define DO_ROUND_CHECK_FAILURE( ) \
+ if( err_stage != ERR_NONE && status != PSA_SUCCESS ) \
+ { \
+ TEST_EQUAL( status, expected_error_arg ); \
+ break; \
+ } \
+ else \
+ { \
+ TEST_EQUAL( status, PSA_SUCCESS ); \
+ }
+
+#if defined(PSA_WANT_ALG_JPAKE)
+static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive,
+ psa_pake_operation_t *server,
+ psa_pake_operation_t *client,
+ int client_input_first,
+ pake_round_t round,
+ ecjpake_error_stage_t err_stage,
+ int expected_error_arg )
+{
+ unsigned char *buffer0 = NULL, *buffer1 = NULL;
+ size_t buffer_length = (
+ PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE) +
+ PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC) +
+ PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF)) * 2;
+ /* The output should be exactly this size according to the spec */
+ const size_t expected_size_key_share =
+ PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE);
+ /* The output should be exactly this size according to the spec */
+ const size_t expected_size_zk_public =
+ PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC);
+ /* The output can be smaller: the spec allows stripping leading zeroes */
+ const size_t max_expected_size_zk_proof =
+ PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF);
+ size_t buffer0_off = 0;
+ size_t buffer1_off = 0;
+ size_t s_g1_len, s_g2_len, s_a_len;
+ size_t s_g1_off, s_g2_off, s_a_off;
+ size_t s_x1_pk_len, s_x2_pk_len, s_x2s_pk_len;
+ size_t s_x1_pk_off, s_x2_pk_off, s_x2s_pk_off;
+ size_t s_x1_pr_len, s_x2_pr_len, s_x2s_pr_len;
+ size_t s_x1_pr_off, s_x2_pr_off, s_x2s_pr_off;
+ size_t c_g1_len, c_g2_len, c_a_len;
+ size_t c_g1_off, c_g2_off, c_a_off;
+ size_t c_x1_pk_len, c_x2_pk_len, c_x2s_pk_len;
+ size_t c_x1_pk_off, c_x2_pk_off, c_x2s_pk_off;
+ size_t c_x1_pr_len, c_x2_pr_len, c_x2s_pr_len;
+ size_t c_x1_pr_off, c_x2_pr_off, c_x2s_pr_off;
+ psa_status_t status;
+
+ ASSERT_ALLOC( buffer0, buffer_length );
+ ASSERT_ALLOC( buffer1, buffer_length );
+
+ switch( round )
+ {
+ case PAKE_ROUND_ONE:
+ /* Server first round Output */
+ PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE,
+ buffer0 + buffer0_off,
+ 512 - buffer0_off, &s_g1_len ) );
+ TEST_EQUAL( s_g1_len, expected_size_key_share );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1,
+ buffer0 + buffer0_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_g1_off, s_g1_len );
+
+ PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC,
+ buffer0 + buffer0_off,
+ 512 - buffer0_off, &s_x1_pk_len ) );
+ TEST_EQUAL( s_x1_pk_len, expected_size_zk_public );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1,
+ buffer0 + buffer0_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_x1_pk_off, s_x1_pk_len );
+
+ PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF,
+ buffer0 + buffer0_off,
+ 512 - buffer0_off, &s_x1_pr_len ) );
+ TEST_LE_U( s_x1_pr_len, max_expected_size_zk_proof );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1,
+ buffer0 + buffer0_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_x1_pr_off, s_x1_pr_len );
+
+ PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE,
+ buffer0 + buffer0_off,
+ 512 - buffer0_off, &s_g2_len ) );
+ TEST_EQUAL( s_g2_len, expected_size_key_share );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2,
+ buffer0 + buffer0_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_g2_off, s_g2_len );
+
+ PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC,
+ buffer0 + buffer0_off,
+ 512 - buffer0_off, &s_x2_pk_len ) );
+ TEST_EQUAL( s_x2_pk_len, expected_size_zk_public );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2,
+ buffer0 + buffer0_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_x2_pk_off, s_x2_pk_len );
+
+ PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF,
+ buffer0 + buffer0_off,
+ 512 - buffer0_off, &s_x2_pr_len ) );
+ TEST_LE_U( s_x2_pr_len, max_expected_size_zk_proof );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2,
+ buffer0 + buffer0_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_x2_pr_off, s_x2_pr_len );
+
+ /*
+ * When injecting errors in inputs, the implementation is
+ * free to detect it right away of with a delay.
+ * This permits delaying the error until the end of the input
+ * sequence, if no error appears then, this will be treated
+ * as an error.
+ */
+ if( client_input_first == 1 )
+ {
+ /* Client first round Input */
+ status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE,
+ buffer0 + s_g1_off, s_g1_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC,
+ buffer0 + s_x1_pk_off,
+ s_x1_pk_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF,
+ buffer0 + s_x1_pr_off,
+ s_x1_pr_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE,
+ buffer0 + s_g2_off,
+ s_g2_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC,
+ buffer0 + s_x2_pk_off,
+ s_x2_pk_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF,
+ buffer0 + s_x2_pr_off,
+ s_x2_pr_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ /* Error didn't trigger, make test fail */
+ if( ( err_stage >= ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1 ) &&
+ ( err_stage <= ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2 ) )
+ {
+ TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." );
+ }
+ }
+
+ /* Client first round Output */
+ PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE,
+ buffer1 + buffer1_off,
+ 512 - buffer1_off, &c_g1_len ) );
+ TEST_EQUAL( c_g1_len, expected_size_key_share );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1,
+ buffer1 + buffer1_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_g1_off, c_g1_len );
+
+ PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC,
+ buffer1 + buffer1_off,
+ 512 - buffer1_off, &c_x1_pk_len ) );
+ TEST_EQUAL( c_x1_pk_len, expected_size_zk_public );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1,
+ buffer1 + buffer1_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_x1_pk_off, c_x1_pk_len );
+
+ PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF,
+ buffer1 + buffer1_off,
+ 512 - buffer1_off, &c_x1_pr_len ) );
+ TEST_LE_U( c_x1_pr_len, max_expected_size_zk_proof );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1,
+ buffer1 + buffer1_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_x1_pr_off, c_x1_pr_len );
+
+ PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE,
+ buffer1 + buffer1_off,
+ 512 - buffer1_off, &c_g2_len ) );
+ TEST_EQUAL( c_g2_len, expected_size_key_share );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2,
+ buffer1 + buffer1_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_g2_off, c_g2_len );
+
+ PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC,
+ buffer1 + buffer1_off,
+ 512 - buffer1_off, &c_x2_pk_len ) );
+ TEST_EQUAL( c_x2_pk_len, expected_size_zk_public );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2,
+ buffer1 + buffer1_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_x2_pk_off, c_x2_pk_len );
+
+ PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF,
+ buffer1 + buffer1_off,
+ 512 - buffer1_off, &c_x2_pr_len ) );
+ TEST_LE_U( c_x2_pr_len, max_expected_size_zk_proof );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2,
+ buffer1 + buffer1_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_x2_pr_off, buffer1_off );
+
+ if( client_input_first == 0 )
+ {
+ /* Client first round Input */
+ status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE,
+ buffer0 + s_g1_off, s_g1_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC,
+ buffer0 + s_x1_pk_off,
+ s_x1_pk_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF,
+ buffer0 + s_x1_pr_off,
+ s_x1_pr_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE,
+ buffer0 + s_g2_off,
+ s_g2_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC,
+ buffer0 + s_x2_pk_off,
+ s_x2_pk_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF,
+ buffer0 + s_x2_pr_off,
+ s_x2_pr_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ /* Error didn't trigger, make test fail */
+ if( ( err_stage >= ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1 ) &&
+ ( err_stage <= ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2 ) )
+ {
+ TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." );
+ }
+ }
+
+ /* Server first round Input */
+ status = psa_pake_input( server, PSA_PAKE_STEP_KEY_SHARE,
+ buffer1 + c_g1_off, c_g1_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PUBLIC,
+ buffer1 + c_x1_pk_off, c_x1_pk_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PROOF,
+ buffer1 + c_x1_pr_off, c_x1_pr_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( server, PSA_PAKE_STEP_KEY_SHARE,
+ buffer1 + c_g2_off, c_g2_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PUBLIC,
+ buffer1 + c_x2_pk_off, c_x2_pk_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PROOF,
+ buffer1 + c_x2_pr_off, c_x2_pr_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ /* Error didn't trigger, make test fail */
+ if( ( err_stage >= ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1 ) &&
+ ( err_stage <= ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2 ) )
+ {
+ TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." );
+ }
+
+ break;
+
+ case PAKE_ROUND_TWO:
+ /* Server second round Output */
+ buffer0_off = 0;
+
+ PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE,
+ buffer0 + buffer0_off,
+ 512 - buffer0_off, &s_a_len ) );
+ TEST_EQUAL( s_a_len, expected_size_key_share );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND2_SERVER_KEY_SHARE,
+ buffer0 + buffer0_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_a_off, s_a_len );
+
+ PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC,
+ buffer0 + buffer0_off,
+ 512 - buffer0_off, &s_x2s_pk_len ) );
+ TEST_EQUAL( s_x2s_pk_len, expected_size_zk_public );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC,
+ buffer0 + buffer0_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_x2s_pk_off, s_x2s_pk_len );
+
+ PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF,
+ buffer0 + buffer0_off,
+ 512 - buffer0_off, &s_x2s_pr_len ) );
+ TEST_LE_U( s_x2s_pr_len, max_expected_size_zk_proof );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND2_SERVER_ZK_PROOF,
+ buffer0 + buffer0_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_x2s_pr_off, s_x2s_pr_len );
+
+ if( client_input_first == 1 )
+ {
+ /* Client second round Input */
+ status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE,
+ buffer0 + s_a_off, s_a_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC,
+ buffer0 + s_x2s_pk_off,
+ s_x2s_pk_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF,
+ buffer0 + s_x2s_pr_off,
+ s_x2s_pr_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ /* Error didn't trigger, make test fail */
+ if( ( err_stage >= ERR_INJECT_ROUND2_SERVER_KEY_SHARE ) &&
+ ( err_stage <= ERR_INJECT_ROUND2_SERVER_ZK_PROOF ) )
+ {
+ TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." );
+ }
+ }
+
+ /* Client second round Output */
+ buffer1_off = 0;
+
+ PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE,
+ buffer1 + buffer1_off,
+ 512 - buffer1_off, &c_a_len ) );
+ TEST_EQUAL( c_a_len, expected_size_key_share );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND2_CLIENT_KEY_SHARE,
+ buffer1 + buffer1_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_a_off, c_a_len );
+
+ PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC,
+ buffer1 + buffer1_off,
+ 512 - buffer1_off, &c_x2s_pk_len ) );
+ TEST_EQUAL( c_x2s_pk_len, expected_size_zk_public );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC,
+ buffer1 + buffer1_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_x2s_pk_off, c_x2s_pk_len );
+
+ PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF,
+ buffer1 + buffer1_off,
+ 512 - buffer1_off, &c_x2s_pr_len ) );
+ TEST_LE_U( c_x2s_pr_len, max_expected_size_zk_proof );
+ DO_ROUND_CONDITIONAL_INJECT(
+ ERR_INJECT_ROUND2_CLIENT_ZK_PROOF,
+ buffer1 + buffer1_off );
+ DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_x2s_pr_off, c_x2s_pr_len );
+
+ if( client_input_first == 0 )
+ {
+ /* Client second round Input */
+ status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE,
+ buffer0 + s_a_off, s_a_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC,
+ buffer0 + s_x2s_pk_off,
+ s_x2s_pk_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF,
+ buffer0 + s_x2s_pr_off,
+ s_x2s_pr_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ /* Error didn't trigger, make test fail */
+ if( ( err_stage >= ERR_INJECT_ROUND2_SERVER_KEY_SHARE ) &&
+ ( err_stage <= ERR_INJECT_ROUND2_SERVER_ZK_PROOF ) )
+ {
+ TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." );
+ }
+ }
+
+ /* Server second round Input */
+ status = psa_pake_input( server, PSA_PAKE_STEP_KEY_SHARE,
+ buffer1 + c_a_off, c_a_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PUBLIC,
+ buffer1 + c_x2s_pk_off, c_x2s_pk_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PROOF,
+ buffer1 + c_x2s_pr_off, c_x2s_pr_len );
+ DO_ROUND_CHECK_FAILURE( );
+
+ /* Error didn't trigger, make test fail */
+ if( ( err_stage >= ERR_INJECT_ROUND2_CLIENT_KEY_SHARE ) &&
+ ( err_stage <= ERR_INJECT_ROUND2_CLIENT_ZK_PROOF ) )
+ {
+ TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." );
+ }
+
+ break;
+
+ }
+
+exit:
+ mbedtls_free( buffer0 );
+ mbedtls_free( buffer1 );
+}
+#endif /* PSA_WANT_ALG_JPAKE */
+
+/*
+ * This check is used for functions that might either succeed or fail depending
+ * on the parameters that are passed in from the *.data file:
+ * - in case of success following functions depend on the current one
+ * - in case of failure the test is always terminated. There are two options
+ * here
+ * - terminated successfully if this exact error was expected at this stage
+ * - terminated with failure otherwise (either no error was expected at this
+ * stage or a different error code was expected)
+ */
+#define SETUP_ALWAYS_CHECK_STEP( test_function, this_check_err_stage ) \
+ status = test_function; \
+ if( err_stage != this_check_err_stage ) \
+ { \
+ PSA_ASSERT( status ); \
+ } \
+ else \
+ { \
+ TEST_EQUAL( status, expected_error ); \
+ goto exit; \
+ }
+
+/*
+ * This check is used for failures that are injected at code level. There's only
+ * 1 input parameter that is relevant in this case and it's the stage at which
+ * the error should be injected.
+ * The check is conditional in this case because, once the error is triggered,
+ * the pake's context structure is compromised and the setup function cannot
+ * proceed further. As a consequence the test is terminated.
+ * The test succeeds if the returned error is exactly the expected one,
+ * otherwise it fails.
+ */
+#define SETUP_CONDITIONAL_CHECK_STEP( test_function, this_check_err_stage ) \
+ if( err_stage == this_check_err_stage ) \
+ { \
+ TEST_EQUAL( test_function, expected_error ); \
+ goto exit; \
+ }
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_PSA_CRYPTO_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
+void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
+ int primitive_arg, int hash_arg, int role_arg,
+ int test_input,
+ int err_stage_arg,
+ int expected_error_arg)
+{
+ psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
+ psa_pake_operation_t operation = psa_pake_operation_init();
+ psa_algorithm_t alg = alg_arg;
+ psa_pake_primitive_t primitive = primitive_arg;
+ psa_key_type_t key_type_pw = key_type_pw_arg;
+ psa_key_usage_t key_usage_pw = key_usage_pw_arg;
+ psa_algorithm_t hash_alg = hash_arg;
+ psa_pake_role_t role = role_arg;
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ ecjpake_error_stage_t err_stage = err_stage_arg;
+ psa_status_t expected_error = expected_error_arg;
+ psa_status_t status;
+ unsigned char *output_buffer = NULL;
+ size_t output_len = 0;
+ const uint8_t unsupp_id[] = "abcd";
+ const uint8_t password[] = "abcd";
+ psa_key_derivation_operation_t key_derivation =
+ PSA_KEY_DERIVATION_OPERATION_INIT;
+
+ PSA_INIT( );
+
+ size_t buf_size = PSA_PAKE_OUTPUT_SIZE( alg, primitive_arg,
+ PSA_PAKE_STEP_KEY_SHARE );
+ ASSERT_ALLOC( output_buffer, buf_size );
+
+ psa_set_key_usage_flags( &attributes, key_usage_pw );
+ psa_set_key_algorithm( &attributes, alg );
+ psa_set_key_type( &attributes, key_type_pw );
+ PSA_ASSERT( psa_import_key( &attributes, password, sizeof( password ),
+ &key ) );
+
+ psa_pake_cs_set_algorithm( &cipher_suite, alg );
+ psa_pake_cs_set_primitive( &cipher_suite, primitive );
+ psa_pake_cs_set_hash( &cipher_suite, hash_alg );
+
+ PSA_ASSERT( psa_pake_abort( &operation ) );
+
+ if ( err_stage == ERR_INJECT_UNINITIALIZED_ACCESS )
+ {
+ TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ),
+ expected_error );
+ TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ),
+ expected_error );
+ TEST_EQUAL( psa_pake_set_password_key( &operation, key ),
+ expected_error );
+ TEST_EQUAL( psa_pake_set_role( &operation, role ),
+ expected_error );
+ TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE,
+ NULL, 0, NULL ),
+ expected_error );
+ TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE,
+ NULL, 0 ),
+ expected_error );
+ TEST_EQUAL( psa_pake_get_implicit_key( &operation, &key_derivation ),
+ expected_error );
+ goto exit;
+ }
+
+ SETUP_ALWAYS_CHECK_STEP( psa_pake_setup( &operation, &cipher_suite ),
+ ERR_IN_SETUP );
+
+ SETUP_CONDITIONAL_CHECK_STEP( psa_pake_setup( &operation, &cipher_suite ),
+ ERR_INJECT_DUPLICATE_SETUP);
+
+ SETUP_ALWAYS_CHECK_STEP( psa_pake_set_role( &operation, role),
+ ERR_IN_SET_ROLE );
+
+ SETUP_ALWAYS_CHECK_STEP( psa_pake_set_password_key( &operation, key ),
+ ERR_IN_SET_PASSWORD_KEY );
+
+ SETUP_CONDITIONAL_CHECK_STEP( psa_pake_set_user( &operation, NULL, 0 ),
+ ERR_INJECT_INVALID_USER );
+
+ SETUP_CONDITIONAL_CHECK_STEP( psa_pake_set_peer( &operation, NULL, 0 ),
+ ERR_INJECT_INVALID_PEER );
+
+ SETUP_CONDITIONAL_CHECK_STEP( psa_pake_set_user( &operation, unsupp_id, 4 ),
+ ERR_INJECT_SET_USER );
+
+ SETUP_CONDITIONAL_CHECK_STEP( psa_pake_set_peer( &operation, unsupp_id, 4 ),
+ ERR_INJECT_SET_PEER );
+
+ const size_t size_key_share = PSA_PAKE_INPUT_SIZE( alg, primitive,
+ PSA_PAKE_STEP_KEY_SHARE );
+ const size_t size_zk_public = PSA_PAKE_INPUT_SIZE( alg, primitive,
+ PSA_PAKE_STEP_ZK_PUBLIC );
+ const size_t size_zk_proof = PSA_PAKE_INPUT_SIZE( alg, primitive,
+ PSA_PAKE_STEP_ZK_PROOF );
+
+ if ( test_input )
+ {
+ SETUP_CONDITIONAL_CHECK_STEP( psa_pake_input( &operation,
+ PSA_PAKE_STEP_ZK_PROOF, NULL, 0 ),
+ ERR_INJECT_EMPTY_IO_BUFFER );
+
+ SETUP_CONDITIONAL_CHECK_STEP( psa_pake_input( &operation,
+ PSA_PAKE_STEP_ZK_PROOF + 10,
+ output_buffer, size_zk_proof ),
+ ERR_INJECT_UNKNOWN_STEP );
+
+ SETUP_CONDITIONAL_CHECK_STEP( psa_pake_input( &operation,
+ PSA_PAKE_STEP_ZK_PROOF,
+ output_buffer, size_zk_proof ),
+ ERR_INJECT_INVALID_FIRST_STEP )
+
+ SETUP_ALWAYS_CHECK_STEP( psa_pake_input( &operation,
+ PSA_PAKE_STEP_KEY_SHARE,
+ output_buffer, size_key_share ),
+ ERR_IN_INPUT );
+
+ SETUP_CONDITIONAL_CHECK_STEP( psa_pake_input( &operation,
+ PSA_PAKE_STEP_ZK_PUBLIC,
+ output_buffer, size_zk_public + 1 ),
+ ERR_INJECT_WRONG_BUFFER_SIZE );
+
+ SETUP_CONDITIONAL_CHECK_STEP(
+ ( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
+ output_buffer, size_zk_public + 1 ),
+ psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
+ output_buffer, size_zk_public ) ),
+ ERR_INJECT_VALID_OPERATION_AFTER_FAILURE );
+ } else {
+ SETUP_CONDITIONAL_CHECK_STEP( psa_pake_output( &operation,
+ PSA_PAKE_STEP_ZK_PROOF,
+ NULL, 0, NULL ),
+ ERR_INJECT_EMPTY_IO_BUFFER );
+
+ SETUP_CONDITIONAL_CHECK_STEP( psa_pake_output( &operation,
+ PSA_PAKE_STEP_ZK_PROOF + 10,
+ output_buffer, buf_size, &output_len ),
+ ERR_INJECT_UNKNOWN_STEP );
+
+ SETUP_CONDITIONAL_CHECK_STEP( psa_pake_output( &operation,
+ PSA_PAKE_STEP_ZK_PROOF,
+ output_buffer, buf_size, &output_len ),
+ ERR_INJECT_INVALID_FIRST_STEP );
+
+ SETUP_ALWAYS_CHECK_STEP( psa_pake_output( &operation,
+ PSA_PAKE_STEP_KEY_SHARE,
+ output_buffer, buf_size, &output_len ),
+ ERR_IN_OUTPUT );
+
+ TEST_ASSERT( output_len > 0 );
+
+ SETUP_CONDITIONAL_CHECK_STEP( psa_pake_output( &operation,
+ PSA_PAKE_STEP_ZK_PUBLIC,
+ output_buffer, size_zk_public - 1,
+ &output_len ),
+ ERR_INJECT_WRONG_BUFFER_SIZE );
+
+ SETUP_CONDITIONAL_CHECK_STEP(
+ ( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
+ output_buffer, size_zk_public - 1, &output_len ),
+ psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC,
+ output_buffer, buf_size, &output_len ) ),
+ ERR_INJECT_VALID_OPERATION_AFTER_FAILURE );
+ }
+
+exit:
+ PSA_ASSERT( psa_destroy_key( key ) );
+ PSA_ASSERT( psa_pake_abort( &operation ) );
+ mbedtls_free( output_buffer );
+ PSA_DONE( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
+void ecjpake_rounds_inject( int alg_arg, int primitive_arg, int hash_arg,
+ int client_input_first,
+ data_t *pw_data,
+ int err_stage_arg,
+ int expected_error_arg )
+{
+ psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
+ psa_pake_operation_t server = psa_pake_operation_init();
+ psa_pake_operation_t client = psa_pake_operation_init();
+ psa_algorithm_t alg = alg_arg;
+ psa_algorithm_t hash_alg = hash_arg;
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ ecjpake_error_stage_t err_stage = err_stage_arg;
+
+ PSA_INIT( );
+
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE );
+ psa_set_key_algorithm( &attributes, alg );
+ psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD );
+ PSA_ASSERT( psa_import_key( &attributes, pw_data->x, pw_data->len,
+ &key ) );
+
+ psa_pake_cs_set_algorithm( &cipher_suite, alg );
+ psa_pake_cs_set_primitive( &cipher_suite, primitive_arg );
+ psa_pake_cs_set_hash( &cipher_suite, hash_alg );
+
+ PSA_ASSERT( psa_pake_setup( &server, &cipher_suite ) );
+ PSA_ASSERT( psa_pake_setup( &client, &cipher_suite ) );
+
+ PSA_ASSERT( psa_pake_set_role( &server, PSA_PAKE_ROLE_SERVER ) );
+ PSA_ASSERT( psa_pake_set_role( &client, PSA_PAKE_ROLE_CLIENT ) );
+
+ PSA_ASSERT( psa_pake_set_password_key( &server, key ) );
+ PSA_ASSERT( psa_pake_set_password_key( &client, key ) );
+
+ ecjpake_do_round( alg, primitive_arg, &server, &client,
+ client_input_first, PAKE_ROUND_ONE,
+ err_stage, expected_error_arg );
+
+ if( err_stage != ERR_NONE )
+ goto exit;
+
+ ecjpake_do_round( alg, primitive_arg, &server, &client,
+ client_input_first, PAKE_ROUND_TWO,
+ err_stage, expected_error_arg );
+
+exit:
+ psa_destroy_key( key );
+ psa_pake_abort( &server );
+ psa_pake_abort( &client );
+ PSA_DONE( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
+void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg,
+ int derive_alg_arg, data_t *pw_data,
+ int client_input_first, int destroy_key,
+ int err_stage_arg )
+{
+ psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
+ psa_pake_operation_t server = psa_pake_operation_init();
+ psa_pake_operation_t client = psa_pake_operation_init();
+ psa_algorithm_t alg = alg_arg;
+ psa_algorithm_t hash_alg = hash_arg;
+ psa_algorithm_t derive_alg = derive_alg_arg;
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_derivation_operation_t server_derive =
+ PSA_KEY_DERIVATION_OPERATION_INIT;
+ psa_key_derivation_operation_t client_derive =
+ PSA_KEY_DERIVATION_OPERATION_INIT;
+ ecjpake_error_stage_t err_stage = err_stage_arg;
+
+ PSA_INIT( );
+
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE );
+ psa_set_key_algorithm( &attributes, alg );
+ psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD );
+ PSA_ASSERT( psa_import_key( &attributes, pw_data->x, pw_data->len,
+ &key ) );
+
+ psa_pake_cs_set_algorithm( &cipher_suite, alg );
+ psa_pake_cs_set_primitive( &cipher_suite, primitive_arg );
+ psa_pake_cs_set_hash( &cipher_suite, hash_alg );
+
+ /* Get shared key */
+ PSA_ASSERT( psa_key_derivation_setup( &server_derive, derive_alg ) );
+ PSA_ASSERT( psa_key_derivation_setup( &client_derive, derive_alg ) );
+
+ if( PSA_ALG_IS_TLS12_PRF( derive_alg ) ||
+ PSA_ALG_IS_TLS12_PSK_TO_MS( derive_alg ) )
+ {
+ PSA_ASSERT( psa_key_derivation_input_bytes( &server_derive,
+ PSA_KEY_DERIVATION_INPUT_SEED,
+ (const uint8_t*) "", 0) );
+ PSA_ASSERT( psa_key_derivation_input_bytes( &client_derive,
+ PSA_KEY_DERIVATION_INPUT_SEED,
+ (const uint8_t*) "", 0) );
+ }
+
+ PSA_ASSERT( psa_pake_setup( &server, &cipher_suite ) );
+ PSA_ASSERT( psa_pake_setup( &client, &cipher_suite ) );
+
+ PSA_ASSERT( psa_pake_set_role( &server, PSA_PAKE_ROLE_SERVER ) );
+ PSA_ASSERT( psa_pake_set_role( &client, PSA_PAKE_ROLE_CLIENT ) );
+
+ PSA_ASSERT( psa_pake_set_password_key( &server, key ) );
+ PSA_ASSERT( psa_pake_set_password_key( &client, key ) );
+
+ if( destroy_key == 1 )
+ psa_destroy_key( key );
+
+ if( err_stage == ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1 )
+ {
+ TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ),
+ PSA_ERROR_BAD_STATE );
+ TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ),
+ PSA_ERROR_BAD_STATE );
+ goto exit;
+ }
+
+ /* First round */
+ ecjpake_do_round( alg, primitive_arg, &server, &client,
+ client_input_first, PAKE_ROUND_ONE,
+ ERR_NONE, PSA_SUCCESS );
+
+ if ( err_stage == ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2 )
+ {
+ TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ),
+ PSA_ERROR_BAD_STATE );
+ TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ),
+ PSA_ERROR_BAD_STATE );
+ goto exit;
+ }
+
+ /* Second round */
+ ecjpake_do_round( alg, primitive_arg, &server, &client,
+ client_input_first, PAKE_ROUND_TWO,
+ ERR_NONE, PSA_SUCCESS );
+
+ PSA_ASSERT( psa_pake_get_implicit_key( &server, &server_derive ) );
+ PSA_ASSERT( psa_pake_get_implicit_key( &client, &client_derive ) );
+
+exit:
+ psa_key_derivation_abort( &server_derive );
+ psa_key_derivation_abort( &client_derive );
+ psa_destroy_key( key );
+ psa_pake_abort( &server );
+ psa_pake_abort( &client );
+ PSA_DONE( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ecjpake_size_macros( )
+{
+ const psa_algorithm_t alg = PSA_ALG_JPAKE;
+ const size_t bits = 256;
+ const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE(
+ PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, bits );
+ const psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(
+ PSA_ECC_FAMILY_SECP_R1 );
+
+ // https://armmbed.github.io/mbed-crypto/1.1_PAKE_Extension.0-bet.0/html/pake.html#pake-step-types
+ /* The output for KEY_SHARE and ZK_PUBLIC is the same as a public key */
+ TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
+ PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( key_type, bits ) );
+ TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
+ PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( key_type, bits ) );
+ /* The output for ZK_PROOF is the same bitsize as the curve */
+ TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
+ PSA_BITS_TO_BYTES( bits ) );
+
+ /* Input sizes are the same as output sizes */
+ TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
+ PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE) );
+ TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
+ PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC) );
+ TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
+ PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF) );
+
+ /* These inequalities will always hold even when other PAKEs are added */
+ TEST_LE_U( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
+ PSA_PAKE_OUTPUT_MAX_SIZE );
+ TEST_LE_U( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
+ PSA_PAKE_OUTPUT_MAX_SIZE );
+ TEST_LE_U( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
+ PSA_PAKE_OUTPUT_MAX_SIZE );
+ TEST_LE_U( PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE),
+ PSA_PAKE_INPUT_MAX_SIZE );
+ TEST_LE_U( PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC),
+ PSA_PAKE_INPUT_MAX_SIZE );
+ TEST_LE_U( PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF),
+ PSA_PAKE_INPUT_MAX_SIZE );
+}
+/* END_CASE */
