diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 975edb408..998b092b9 100755 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -716,7 +716,7 @@ typedef struct psa_hash_operation_s psa_hash_operation_t; * - A failed call to psa_hash_update(). * - A call to psa_hash_finish(), psa_hash_verify() or psa_hash_abort(). * - * \param operation + * \param operation The operation object to use. * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value * such that #PSA_ALG_IS_HASH(alg) is true). * @@ -909,7 +909,7 @@ typedef struct psa_mac_operation_s psa_mac_operation_t; * - A failed call to psa_mac_update(). * - A call to psa_mac_finish(), psa_mac_verify() or psa_mac_abort(). * - * \param operation + * \param operation The operation object to use. * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value * such that #PSA_ALG_IS_MAC(alg) is true). * @@ -985,7 +985,7 @@ typedef struct psa_cipher_operation_s psa_cipher_operation_t; * or psa_cipher_update(). * - A call to psa_cipher_finish() or psa_cipher_abort(). * - * \param operation + * \param operation The operation object to use. * \param alg The cipher algorithm to compute (\c PSA_ALG_XXX value * such that #PSA_ALG_IS_CIPHER(alg) is true). * @@ -1032,7 +1032,7 @@ psa_status_t psa_encrypt_setup(psa_cipher_operation_t *operation, * - A failed call to psa_cipher_update(). * - A call to psa_cipher_finish() or psa_cipher_abort(). * - * \param operation + * \param operation The operation object to use. * \param alg The cipher algorithm to compute (\c PSA_ALG_XXX value * such that #PSA_ALG_IS_CIPHER(alg) is true). * @@ -1082,46 +1082,77 @@ psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation); * @{ */ -/** The type of the state data structure for multipart AEAD operations. +/** The tag size for an AEAD algorithm, in bytes. * - * This is an implementation-defined \c struct. Applications should not - * make any assumptions about the content of this structure except - * as directed by the documentation of a specific implementation. */ -typedef struct psa_aead_operation_s psa_aead_operation_t; + * \param alg An AEAD algorithm + * (\c PSA_ALG_XXX value such that + * #PSA_ALG_IS_AEAD(alg) is true). + * + * \return The tag size for the specified algorithm. + * If the AEAD algorithm does not have an identified + * tag that can be distinguished from the rest of + * the ciphertext, return 0. + * If the AEAD algorithm is not recognized, return 0. + * An implementation may return either 0 or a + * correct size for an AEAD algorithm that it + * recognizes, but does not support. + */ +#define PSA_AEAD_TAG_SIZE(alg) \ + ((alg) == PSA_ALG_GCM ? 16 : \ + (alg) == PSA_ALG_CCM ? 16 : \ + 0) -/** Set the key for a multipart authenticated encryption operation. +/** The maximum size of the output of psa_aead_encrypt(), in bytes. * - * The sequence of operations to authenticate-and-encrypt a message - * is as follows: - * -# Allocate an operation object which will be passed to all the functions - * listed here. - * -# Call psa_aead_encrypt_setup() to specify the algorithm and key. - * The key remains associated with the operation even if the content - * of the key slot changes. - * -# Call either psa_aead_generate_iv() or psa_aead_set_iv() to - * generate or set the IV (initialization vector). You should use - * psa_encrypt_generate_iv() unless the protocol you are implementing - * requires a specific IV value. - * -# Call psa_aead_update_ad() to pass the associated data that is - * to be authenticated but not encrypted. You may omit this step if - * there is no associated data. - * -# Call psa_aead_update() zero, one or more times, passing a fragment - * of the data to encrypt each time. - * -# Call psa_aead_finish(). + * If the size of the ciphertext buffer is at least this large, it is + * guaranteed that psa_aead_encrypt() will not fail due to an + * insufficient buffer size. Depending on the algorithm, the actual size of + * the ciphertext may be smaller. * - * The application may call psa_aead_abort() at any time after the operation - * has been initialized with psa_aead_encrypt_setup(). + * \param alg An AEAD algorithm + * (\c PSA_ALG_XXX value such that + * #PSA_ALG_IS_AEAD(alg) is true). + * \param plaintext_length Size of the plaintext in bytes. * - * After a successful call to psa_aead_encrypt_setup(), the application must - * eventually terminate the operation. The following events terminate an - * operation: - * - A failed call to psa_aead_generate_iv(), psa_aead_set_iv(), - * psa_aead_update_ad() or psa_aead_update(). - * - A call to psa_aead_finish() or psa_aead_abort(). + * \return The AEAD ciphertext size for the specified + * algorithm. + * If the AEAD algorithm is not recognized, return 0. + * An implementation may return either 0 or a + * correct size for an AEAD algorithm that it + * recognizes, but does not support. + */ +#define PSA_AEAD_ENCRYPT_OUTPUT_SIZE(alg, plaintext_length) \ + (PSA_AEAD_TAG_SIZE(alg) != 0 ? \ + (plaintext_length) + PSA_AEAD_TAG_SIZE(alg) : \ + 0) + +/** Process an authenticated encryption operation. * - * \param operation - * \param alg The AEAD algorithm to compute (\c PSA_ALG_XXX value - * such that #PSA_ALG_IS_AEAD(alg) is true). + * \param key Slot containing the key to use. + * \param alg The AEAD algorithm to compute + * (\c PSA_ALG_XXX value such that + * #PSA_ALG_IS_AEAD(alg) is true). + * \param nonce Nonce or IV to use. + * \param nonce_length Size of the \p nonce buffer in bytes. + * \param additional_data Additional data that will be authenticated + * but not encrypted. + * \param additional_data_length Size of \p additional_data in bytes. + * \param plaintext Data that will be authenticated and + * encrypted. + * \param plaintext_length Size of \p plaintext in bytes. + * \param ciphertext Output buffer for the authenticated and + * encrypted data. The additional data is not + * part of this output. For algorithms where the + * encrypted data and the authentication tag + * are defined as separate outputs, the + * authentication tag is appended to the + * encrypted data. + * \param ciphertext_size Size of the \p ciphertext buffer in bytes. + * This must be at least + * #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\p alg, + * \p plaintext_length). + * \param ciphertext_length On success, the size of the output + * in the \b ciphertext buffer. * * \retval PSA_SUCCESS * Success. @@ -1136,44 +1167,73 @@ typedef struct psa_aead_operation_s psa_aead_operation_t; * \retval PSA_ERROR_HARDWARE_FAILURE * \retval PSA_ERROR_TAMPERING_DETECTED */ -psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation, - psa_key_slot_t key, - psa_algorithm_t alg); +psa_status_t psa_aead_encrypt( psa_key_slot_t key, + psa_algorithm_t alg, + const uint8_t *nonce, + size_t nonce_length, + const uint8_t *additional_data, + size_t additional_data_length, + const uint8_t *plaintext, + size_t plaintext_length, + uint8_t *ciphertext, + size_t ciphertext_size, + size_t *ciphertext_length ); -/** Set the key for a multipart authenticated decryption operation. +/** The maximum size of the output of psa_aead_decrypt(), in bytes. * - * The sequence of operations to authenticated and decrypt a message - * is as follows: - * -# Allocate an operation object which will be passed to all the functions - * listed here. - * -# Call psa_aead_decrypt_setup() to specify the algorithm and key. - * The key remains associated with the operation even if the content - * of the key slot changes. - * -# Call psa_aead_set_iv() to pass the initialization vector (IV) - * for the authenticated decryption. - * -# Call psa_aead_update_ad() to pass the associated data that is - * to be authenticated but not encrypted. You may omit this step if - * there is no associated data. - * -# Call psa_aead_update() zero, one or more times, passing a fragment - * of the data to decrypt each time. - * -# Call psa_aead_finish(). + * If the size of the plaintext buffer is at least this large, it is + * guaranteed that psa_aead_decrypt() will not fail due to an + * insufficient buffer size. Depending on the algorithm, the actual size of + * the plaintext may be smaller. * - * The application may call psa_aead_abort() at any time after the operation - * has been initialized with psa_aead_decrypt_setup(). + * \param alg An AEAD algorithm + * (\c PSA_ALG_XXX value such that + * #PSA_ALG_IS_AEAD(alg) is true). + * \param ciphertext_length Size of the plaintext in bytes. * - * After a successful call to psa_aead_decrypt_setup(), the application must - * eventually terminate the operation. The following events terminate an - * operation: - * - A failed call to psa_aead_update(). - * - A call to psa_aead_finish() or psa_aead_abort(). + * \return The AEAD ciphertext size for the specified + * algorithm. + * If the AEAD algorithm is not recognized, return 0. + * An implementation may return either 0 or a + * correct size for an AEAD algorithm that it + * recognizes, but does not support. + */ +#define PSA_AEAD_DECRYPT_OUTPUT_SIZE(alg, ciphertext_length) \ + (PSA_AEAD_TAG_SIZE(alg) != 0 ? \ + (plaintext_length) - PSA_AEAD_TAG_SIZE(alg) : \ + 0) + +/** Process an authenticated decryption operation. * - * \param operation - * \param alg The AEAD algorithm to compute (\c PSA_ALG_XXX value - * such that #PSA_ALG_IS_AEAD(alg) is true). + * \param key Slot containing the key to use. + * \param alg The AEAD algorithm to compute + * (\c PSA_ALG_XXX value such that + * #PSA_ALG_IS_AEAD(alg) is true). + * \param nonce Nonce or IV to use. + * \param nonce_length Size of the \p nonce buffer in bytes. + * \param additional_data Additional data that has been authenticated + * but not encrypted. + * \param additional_data_length Size of \p additional_data in bytes. + * \param ciphertext Data that has been authenticated and + * encrypted. For algorithms where the + * encrypted data and the authentication tag + * are defined as separate inputs, the buffer + * must contain the encrypted data followed + * by the authentication tag. + * \param ciphertext_length Size of \p ciphertext in bytes. + * \param plaintext Output buffer for the decrypted data. + * \param plaintext_size Size of the \p plaintext buffer in bytes. + * This must be at least + * #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\p alg, + * \p ciphertext_length). + * \param plaintext_length On success, the size of the output + * in the \b plaintext buffer. * * \retval PSA_SUCCESS * Success. * \retval PSA_ERROR_EMPTY_SLOT + * \retval PSA_ERROR_INVALID_SIGNATURE + * The ciphertext is not authentic. * \retval PSA_ERROR_NOT_PERMITTED * \retval PSA_ERROR_INVALID_ARGUMENT * \c key is not compatible with \c alg. @@ -1184,37 +1244,17 @@ psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation, * \retval PSA_ERROR_HARDWARE_FAILURE * \retval PSA_ERROR_TAMPERING_DETECTED */ -psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation, - psa_key_slot_t key, - psa_algorithm_t alg); - -psa_status_t psa_aead_generate_iv(psa_aead_operation_t *operation, - unsigned char *iv, - size_t iv_size, - size_t *iv_length); - -psa_status_t psa_aead_set_iv(psa_aead_operation_t *operation, - const unsigned char *iv, - size_t iv_length); - -psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation, - const uint8_t *input, - size_t input_length); - -psa_status_t psa_aead_update(psa_aead_operation_t *operation, - const uint8_t *input, - size_t input_length); - -psa_status_t psa_aead_finish(psa_aead_operation_t *operation, - uint8_t *tag, - size_t tag_size, - size_t *tag_length); - -psa_status_t psa_aead_verify(psa_aead_operation_t *operation, - uint8_t *tag, - size_t tag_length); - -psa_status_t psa_aead_abort(psa_aead_operation_t *operation); +psa_status_t psa_aead_decrypt( psa_key_slot_t key, + psa_algorithm_t alg, + const uint8_t *nonce, + size_t nonce_length, + const uint8_t *additional_data, + size_t additional_data_length, + const uint8_t *ciphertext, + size_t ciphertext_length, + uint8_t *plaintext, + size_t plaintext_size, + size_t *plaintext_length ); /**@}*/ diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 639c15e76..74e1146b2 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -111,20 +111,6 @@ struct psa_cipher_operation_s } ctx; }; -struct psa_aead_operation_s -{ - psa_algorithm_t alg; - int key_set : 1; - int iv_set : 1; - int ad_set : 1; - uint8_t iv_size; - uint8_t block_size; - union - { - unsigned dummy; /* Make the union non-empty even with no supported algorithms. */ - } ctx; -}; - struct psa_key_policy_s { psa_key_usage_t usage; diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 438f0f04d..4d42c8d2b 100755 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -910,10 +910,11 @@ psa_status_t psa_hash_verify(psa_hash_operation_t *operation, static const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( psa_algorithm_t alg, psa_key_type_t key_type, - size_t key_bits ) + size_t key_bits, + mbedtls_cipher_id_t* cipher_id ) { - mbedtls_cipher_id_t cipher_id; mbedtls_cipher_mode_t mode; + mbedtls_cipher_id_t cipher_id_tmp; if( PSA_ALG_IS_CIPHER( alg ) || PSA_ALG_IS_AEAD( alg ) ) { @@ -958,25 +959,27 @@ static const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( switch( key_type ) { case PSA_KEY_TYPE_AES: - cipher_id = MBEDTLS_CIPHER_ID_AES; + cipher_id_tmp = MBEDTLS_CIPHER_ID_AES; break; case PSA_KEY_TYPE_DES: if( key_bits == 64 ) - cipher_id = MBEDTLS_CIPHER_ID_DES; + cipher_id_tmp = MBEDTLS_CIPHER_ID_DES; else - cipher_id = MBEDTLS_CIPHER_ID_3DES; + cipher_id_tmp = MBEDTLS_CIPHER_ID_3DES; break; case PSA_KEY_TYPE_CAMELLIA: - cipher_id = MBEDTLS_CIPHER_ID_CAMELLIA; + cipher_id_tmp = MBEDTLS_CIPHER_ID_CAMELLIA; break; case PSA_KEY_TYPE_ARC4: - cipher_id = MBEDTLS_CIPHER_ID_ARC4; + cipher_id_tmp = MBEDTLS_CIPHER_ID_ARC4; break; default: return( NULL ); } + if( cipher_id != NULL ) + *cipher_id = cipher_id_tmp; - return( mbedtls_cipher_info_from_values( cipher_id, key_bits, mode ) ); + return( mbedtls_cipher_info_from_values( cipher_id_tmp, key_bits, mode ) ); } psa_status_t psa_mac_abort( psa_mac_operation_t *operation ) @@ -1036,7 +1039,7 @@ psa_status_t psa_mac_start( psa_mac_operation_t *operation, if( ! PSA_ALG_IS_HMAC( alg ) ) { - cipher_info = mbedtls_cipher_info_from_psa( alg, key_type, key_bits ); + cipher_info = mbedtls_cipher_info_from_psa( alg, key_type, key_bits, NULL ); if( cipher_info == NULL ) return( PSA_ERROR_NOT_SUPPORTED ); operation->mac_size = cipher_info->block_size; @@ -1755,6 +1758,268 @@ psa_status_t psa_set_key_lifetime(psa_key_slot_t key, } +/****************************************************************/ +/* AEAD */ +/****************************************************************/ +psa_status_t psa_aead_encrypt( psa_key_slot_t key, + psa_algorithm_t alg, + const uint8_t *nonce, + size_t nonce_length, + const uint8_t *additional_data, + size_t additional_data_length, + const uint8_t *plaintext, + size_t plaintext_length, + uint8_t *ciphertext, + size_t ciphertext_size, + size_t *ciphertext_length ) +{ + int ret; + psa_status_t status; + key_slot_t *slot; + psa_key_type_t key_type; + size_t key_bits; + uint8_t *tag; + size_t tag_length; + mbedtls_cipher_id_t cipher_id; + const mbedtls_cipher_info_t *cipher_info = NULL; + + *ciphertext_length = 0; + + status = psa_get_key_information( key, &key_type, &key_bits ); + if( status != PSA_SUCCESS ) + return( status ); + slot = &global_data.key_slots[key]; + if( slot->type == PSA_KEY_TYPE_NONE ) + return( PSA_ERROR_EMPTY_SLOT ); + + cipher_info = mbedtls_cipher_info_from_psa( alg, key_type, + key_bits, &cipher_id ); + if( cipher_info == NULL ) + return( PSA_ERROR_NOT_SUPPORTED ); + + if( !( slot->policy.usage & PSA_KEY_USAGE_ENCRYPT ) ) + return( PSA_ERROR_NOT_PERMITTED ); + + if ( ( key_type & PSA_KEY_TYPE_CATEGORY_MASK ) != + PSA_KEY_TYPE_CATEGORY_SYMMETRIC ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + if( alg == PSA_ALG_GCM ) + { + mbedtls_gcm_context gcm; + tag_length = 16; + + if( PSA_BLOCK_CIPHER_BLOCK_SIZE( key_type ) != 16 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + //make sure we have place to hold the tag in the ciphertext buffer + if( ciphertext_size < ( plaintext_length + tag_length ) ) + return( PSA_ERROR_BUFFER_TOO_SMALL ); + + //update the tag pointer to point to the end of the ciphertext_length + tag = ciphertext + plaintext_length; + + mbedtls_gcm_init( &gcm ); + ret = mbedtls_gcm_setkey( &gcm, cipher_id, + slot->data.raw.data, + key_bits ); + if( ret != 0 ) + { + mbedtls_gcm_free( &gcm ); + return( mbedtls_to_psa_error( ret ) ); + } + ret = mbedtls_gcm_crypt_and_tag( &gcm, MBEDTLS_GCM_ENCRYPT, + plaintext_length, nonce, + nonce_length, additional_data, + additional_data_length, plaintext, + ciphertext, tag_length, tag ); + mbedtls_gcm_free( &gcm ); + } + else if( alg == PSA_ALG_CCM ) + { + mbedtls_ccm_context ccm; + tag_length = 16; + + if( PSA_BLOCK_CIPHER_BLOCK_SIZE( key_type ) != 16 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + if( nonce_length < 7 || nonce_length > 13 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + //make sure we have place to hold the tag in the ciphertext buffer + if( ciphertext_size < ( plaintext_length + tag_length ) ) + return( PSA_ERROR_BUFFER_TOO_SMALL ); + + //update the tag pointer to point to the end of the ciphertext_length + tag = ciphertext + plaintext_length; + + + + mbedtls_ccm_init( &ccm ); + ret = mbedtls_ccm_setkey( &ccm, cipher_id, + slot->data.raw.data, key_bits ); + if( ret != 0 ) + { + mbedtls_ccm_free( &ccm ); + return( mbedtls_to_psa_error( ret ) ); + } + ret = mbedtls_ccm_encrypt_and_tag( &ccm, plaintext_length, + nonce, nonce_length, additional_data, + additional_data_length, + plaintext, ciphertext, + tag, tag_length ); + mbedtls_ccm_free( &ccm ); + } + else + { + return( PSA_ERROR_NOT_SUPPORTED ); + } + + if( ret != 0 ) + { + memset( ciphertext, 0, ciphertext_size ); + return( mbedtls_to_psa_error( ret ) ); + } + + *ciphertext_length = plaintext_length + tag_length; + return( PSA_SUCCESS ); +} + +/* Locate the tag in a ciphertext buffer containing the encrypted data + * followed by the tag. Return the length of the part preceding the tag in + * *plaintext_length. This is the size of the plaintext in modes where + * the encrypted data has the same size as the plaintext, such as + * CCM and GCM. */ +static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length, + const uint8_t *ciphertext, + size_t ciphertext_length, + size_t plaintext_size, + const uint8_t **p_tag ) +{ + size_t payload_length; + if( tag_length > ciphertext_length ) + return( PSA_ERROR_INVALID_ARGUMENT ); + payload_length = ciphertext_length - tag_length; + if( payload_length > plaintext_size ) + return( PSA_ERROR_BUFFER_TOO_SMALL ); + *p_tag = ciphertext + payload_length; + return( PSA_SUCCESS ); +} + +psa_status_t psa_aead_decrypt( psa_key_slot_t key, + psa_algorithm_t alg, + const uint8_t *nonce, + size_t nonce_length, + const uint8_t *additional_data, + size_t additional_data_length, + const uint8_t *ciphertext, + size_t ciphertext_length, + uint8_t *plaintext, + size_t plaintext_size, + size_t *plaintext_length ) +{ + int ret; + psa_status_t status; + key_slot_t *slot; + psa_key_type_t key_type; + size_t key_bits; + const uint8_t *tag; + size_t tag_length; + mbedtls_cipher_id_t cipher_id; + const mbedtls_cipher_info_t *cipher_info = NULL; + + *plaintext_length = 0; + + status = psa_get_key_information( key, &key_type, &key_bits ); + if( status != PSA_SUCCESS ) + return( status ); + slot = &global_data.key_slots[key]; + if( slot->type == PSA_KEY_TYPE_NONE ) + return( PSA_ERROR_EMPTY_SLOT ); + + cipher_info = mbedtls_cipher_info_from_psa( alg, key_type, + key_bits, &cipher_id ); + if( cipher_info == NULL ) + return( PSA_ERROR_NOT_SUPPORTED ); + + if( !( slot->policy.usage & PSA_KEY_USAGE_DECRYPT ) ) + return( PSA_ERROR_NOT_PERMITTED ); + + if ( ( key_type & PSA_KEY_TYPE_CATEGORY_MASK ) != + PSA_KEY_TYPE_CATEGORY_SYMMETRIC ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + if( alg == PSA_ALG_GCM ) + { + mbedtls_gcm_context gcm; + + tag_length = 16; + status = psa_aead_unpadded_locate_tag( tag_length, + ciphertext, ciphertext_length, + plaintext_size, &tag ); + if( status != PSA_SUCCESS ) + return( status ); + + mbedtls_gcm_init( &gcm ); + ret = mbedtls_gcm_setkey( &gcm, cipher_id, + slot->data.raw.data, key_bits ); + if( ret != 0 ) + { + mbedtls_gcm_free( &gcm ); + return( mbedtls_to_psa_error( ret ) ); + } + + ret = mbedtls_gcm_auth_decrypt( &gcm, + ciphertext_length - tag_length, + nonce, nonce_length, + additional_data, + additional_data_length, + tag, tag_length, + ciphertext, plaintext ); + mbedtls_gcm_free( &gcm ); + } + else if( alg == PSA_ALG_CCM ) + { + mbedtls_ccm_context ccm; + + if( nonce_length < 7 || nonce_length > 13 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + tag_length = 16; + status = psa_aead_unpadded_locate_tag( tag_length, + ciphertext, ciphertext_length, + plaintext_size, &tag ); + if( status != PSA_SUCCESS ) + return( status ); + + mbedtls_ccm_init( &ccm ); + ret = mbedtls_ccm_setkey( &ccm, cipher_id, + slot->data.raw.data, key_bits ); + if( ret != 0 ) + { + mbedtls_ccm_free( &ccm ); + return( mbedtls_to_psa_error( ret ) ); + } + ret = mbedtls_ccm_auth_decrypt( &ccm, ciphertext_length - tag_length, + nonce, nonce_length, + additional_data, additional_data_length, + ciphertext, plaintext, + tag, tag_length ); + mbedtls_ccm_free( &ccm ); + } + else + { + return( PSA_ERROR_NOT_SUPPORTED ); + } + + if( ret != 0 ) + memset( plaintext, 0, plaintext_size ); + else + *plaintext_length = ciphertext_length - tag_length; + + return( mbedtls_to_psa_error( ret ) ); +} + /****************************************************************/ /* Module setup */ diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 2d6db6b83..1af3e5334 100755 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -236,3 +236,51 @@ sign_fail:PSA_KEY_TYPE_ECC_KEYPAIR(PSA_KEY_TYPE_ECC_CURVE_NISTP256R1):"307802010 PSA verify ECDSA SECP256R1 SHA-256 depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED asymmetric_verify:PSA_KEY_TYPE_ECC_KEYPAIR(PSA_KEY_TYPE_ECC_CURVE_NISTP256R1):"3078020101042100ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3aa00a06082a8648ce3d030107a14403420004dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_SHA_256:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f" + +PSA AEAD Encrypt-Decrypt, AES CCM 19-bytes input - 1 +aead_encrypt_decrypt:PSA_KEY_TYPE_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":PSA_ALG_CCM:"0C0D0E0F101112131415161718191A1B1C1D1E":"000102030405060708090A0B":"000102030405060708090A0B":PSA_SUCCESS + +PSA AEAD Encrypt-Decrypt, AES CCM 19-bytes input - 2 +aead_encrypt_decrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CCM:"B96B49E21D621741632875DB7F6C9243D2D7C2":"000102030405060708090A0B":"EC46BB63B02520C33C49FD70":PSA_SUCCESS + +PSA AEAD Encrypt-Decrypt, Fail Scenario - Invalid key type +aead_encrypt_decrypt:PSA_KEY_TYPE_DES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CCM:"B96B49E21D621741632875DB7F6C9243D2D7C2":"000102030405060708090A0B":"EC46BB63B02520C33C49FD70":PSA_ERROR_NOT_SUPPORTED + +PSA AEAD Encrypt, AES CCM - 23-bytes input +aead_encrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CCM:"08E8CF97D820EA258460E96AD9CF5289054D895CEAC47C":"0BE1A88BACE018B1":"00412B4EA9CDBE3C9696766CFA":"4CB97F86A2A4689A877947AB8091EF5386A6FFBDD080F8120333D1FCB691F3406CBF531F83A4D8" + +PSA AEAD Encrypt, AES CCM - 24-bytes input +aead_encrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"48c0906930561e0ab0ef4cd972":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9" + +PSA AEAD Decrypt, AES CCM - 39-bytes input +aead_decrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CCM:"4CB97F86A2A4689A877947AB8091EF5386A6FFBDD080F8120333D1FCB691F3406CBF531F83A4D8":"0BE1A88BACE018B1":"00412B4EA9CDBE3C9696766CFA":"08E8CF97D820EA258460E96AD9CF5289054D895CEAC47C":PSA_SUCCESS + +PSA AEAD Decrypt, AES CCM - 40-bytes input +aead_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"48c0906930561e0ab0ef4cd972":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":PSA_SUCCESS + +PSA AEAD Decrypt, AES CCM - invalid signature +aead_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"26d56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"48c0906930561e0ab0ef4cd972":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":PSA_ERROR_INVALID_SIGNATURE + +PSA AEAD Encrypt-Decrypt, AES GCM 19-bytes input - 1 +aead_encrypt_decrypt:PSA_KEY_TYPE_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":PSA_ALG_GCM:"0C0D0E0F101112131415161718191A1B1C1D1E":"000102030405060708090A0B0C0D0E0F":"000102030405060708090A0B":PSA_SUCCESS + +PSA AEAD Encrypt-Decrypt, AES GCM 19-bytes input - 2 +aead_encrypt_decrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_GCM:"B96B49E21D621741632875DB7F6C9243D2D7C2":"000102030405060708090A0B0C0D0E0F":"EC46BB63B02520C33C49FD70":PSA_SUCCESS + +PSA AEAD Encrypt, AES GCM - 128-bytes input - 1 +aead_encrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"00e440846db73a490573deaf3728c94f":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c872814365847fe0b7b7fbed325953df344a96" + +PSA AEAD Encrypt, AES GCM - 128-bytes input - 2 +aead_encrypt:PSA_KEY_TYPE_AES:"fe96eab10ff48c7942025422583d0377":PSA_ALG_GCM:"194c8bbbfae4a671386b8cd38f390f46f9df6b8661b470c310921a1c858a938045834bb10380037fbf5f5e00688554537be0fcafe8270b9b59068fa056ab1268fc166c2d729243a06650a171c929c7845c85330c04568d62977eedf3b1ba9dca13bdb8f9522817c8cb99e635e37465ec1c9f6f148d51437aa9f994a62e1bd013":"127628b6dcbce6fc8a8ef60798eb67b2088415635119697d20bb878c24d9c6f9c29e148521cb5e0feff892c7855d4f1c0bfb32ad33420976714dce87a0bbc18e4378bd1ef35197d0ca73051148f1199010f63caf122df5f71ad8d9c71df3eb2fbe3b2529d0ba657570358d3776f687bdb9c96d5e0e9e00c4b42d5d7a268d6a08":"97ce3f848276783599c6875de324361e":"12495120056ca3cac70d583603a476821bac6c57c9733b81cfb83538dc9e850f8bdf46065069591c23ebcbc6d1e2523375fb7efc80c09507fa25477ed07cee54fc4eb90168b3ef988f651fc40652474a644b1b311decf899660aef2347bb081af48950f06ebf799911e37120de94c55c20e5f0a77119be06e2b6e557f872fa0f6bac793bdc2190a195122c98544ccf56" + +PSA AEAD Decrypt, AES GCM - 144-bytes input - 1 +aead_decrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c872814365847fe0b7b7fbed325953df344a96":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"00e440846db73a490573deaf3728c94f":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":PSA_SUCCESS + +PSA AEAD Decrypt, AES GCM - 144-bytes input - 2 +aead_decrypt:PSA_KEY_TYPE_AES:"fe96eab10ff48c7942025422583d0377":PSA_ALG_GCM:"12495120056ca3cac70d583603a476821bac6c57c9733b81cfb83538dc9e850f8bdf46065069591c23ebcbc6d1e2523375fb7efc80c09507fa25477ed07cee54fc4eb90168b3ef988f651fc40652474a644b1b311decf899660aef2347bb081af48950f06ebf799911e37120de94c55c20e5f0a77119be06e2b6e557f872fa0f6bac793bdc2190a195122c98544ccf56":"127628b6dcbce6fc8a8ef60798eb67b2088415635119697d20bb878c24d9c6f9c29e148521cb5e0feff892c7855d4f1c0bfb32ad33420976714dce87a0bbc18e4378bd1ef35197d0ca73051148f1199010f63caf122df5f71ad8d9c71df3eb2fbe3b2529d0ba657570358d3776f687bdb9c96d5e0e9e00c4b42d5d7a268d6a08":"97ce3f848276783599c6875de324361e":"194c8bbbfae4a671386b8cd38f390f46f9df6b8661b470c310921a1c858a938045834bb10380037fbf5f5e00688554537be0fcafe8270b9b59068fa056ab1268fc166c2d729243a06650a171c929c7845c85330c04568d62977eedf3b1ba9dca13bdb8f9522817c8cb99e635e37465ec1c9f6f148d51437aa9f994a62e1bd013":PSA_SUCCESS + +PSA AEAD Decrypt, AES GCM - invalid signature +aead_decrypt:PSA_KEY_TYPE_AES:"fe96eab10ff48c7942025422583d0377":PSA_ALG_GCM:"12195120056ca3cac70d583603a476821bac6c57c9733b81cfb83538dc9e850f8bdf46065069591c23ebcbc6d1e2523375fb7efc80c09507fa25477ed07cee54fc4eb90168b3ef988f651fc40652474a644b1b311decf899660aef2347bb081af48950f06ebf799911e37120de94c55c20e5f0a77119be06e2b6e557f872fa0f6bac793bdc2190a195122c98544ccf56":"127628b6dcbce6fc8a8ef60798eb67b2088415635119697d20bb878c24d9c6f9c29e148521cb5e0feff892c7855d4f1c0bfb32ad33420976714dce87a0bbc18e4378bd1ef35197d0ca73051148f1199010f63caf122df5f71ad8d9c71df3eb2fbe3b2529d0ba657570358d3776f687bdb9c96d5e0e9e00c4b42d5d7a268d6a08":"97ce3f848276783599c6875de324361e":"194c8bbbfae4a671386b8cd38f390f46f9df6b8661b470c310921a1c858a938045834bb10380037fbf5f5e00688554537be0fcafe8270b9b59068fa056ab1268fc166c2d729243a06650a171c929c7845c85330c04568d62977eedf3b1ba9dca13bdb8f9522817c8cb99e635e37465ec1c9f6f148d51437aa9f994a62e1bd013":PSA_ERROR_INVALID_SIGNATURE + +PSA AEAD Encrypt-Decrypt, Fail Scenario - Invalid algorithm +aead_encrypt_decrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CTR:"B96B49E21D621741632875DB7F6C9243D2D7C2":"000102030405060708090A0B0C0D0E0F":"EC46BB63B02520C33C49FD70":PSA_ERROR_NOT_SUPPORTED diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 68bddd90c..a308cbd18 100755 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -1142,3 +1142,239 @@ exit: mbedtls_psa_crypto_free( ); } /* END_CASE */ + +/* BEGIN_CASE */ +void aead_encrypt_decrypt( int key_type_arg, char * key_hex, + int alg_arg, char * input_hex, char * nonce_hex, + char * add_data, int expected_result_arg ) +{ + int slot = 1; + psa_key_type_t key_type = key_type_arg; + psa_algorithm_t alg = alg_arg; + unsigned char *key_data = NULL; + size_t key_size; + unsigned char *input_data = NULL; + size_t input_size; + unsigned char *output_data = NULL; + size_t output_size = 0; + size_t output_length = 0; + unsigned char *output_data2 = NULL; + size_t output_length2 = 0; + uint8_t* nonce; + size_t nonce_length = 16; + size_t tag_length = 16; + unsigned char *additional_data = NULL; + size_t additional_data_length = 0; + psa_status_t expected_result = (psa_status_t) expected_result_arg; + psa_key_policy_t policy = {0}; + + + key_data = unhexify_alloc( key_hex, &key_size ); + TEST_ASSERT( key_data != NULL ); + input_data = unhexify_alloc( input_hex, &input_size ); + TEST_ASSERT( input_data != NULL ); + additional_data = unhexify_alloc( add_data, &additional_data_length ); + TEST_ASSERT( input_data != NULL ); + output_size = input_size + tag_length; + output_data = mbedtls_calloc( 1, output_size ); + TEST_ASSERT( output_data != NULL ); + nonce = unhexify_alloc( nonce_hex, &nonce_length ); + TEST_ASSERT( nonce != NULL ); + + TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); + + psa_key_policy_init( &policy ); + + psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT , alg ); + + TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_import_key( slot, key_type, + key_data, key_size ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_aead_encrypt( slot, alg, + nonce, nonce_length, + additional_data, additional_data_length, + input_data, input_size, output_data, + output_size, &output_length ) == expected_result ); + + if( PSA_SUCCESS == expected_result ) + { + output_data2 = mbedtls_calloc( 1, output_length ); + TEST_ASSERT( output_data2 != NULL ); + + TEST_ASSERT( psa_aead_decrypt( slot, alg, + nonce, nonce_length, + additional_data, additional_data_length, + output_data, output_length, output_data2, + output_length, &output_length2 ) == expected_result ); + + + TEST_ASSERT( memcmp( input_data, output_data2, + input_size ) == 0 ); + } + + +exit: + psa_destroy_key( slot ); + mbedtls_free( key_data ); + mbedtls_free( input_data ); + mbedtls_free( additional_data ); + mbedtls_free( output_data ); + mbedtls_free( output_data2 ); + mbedtls_psa_crypto_free( ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void aead_encrypt( int key_type_arg, char * key_hex, + int alg_arg, char * input_hex, + char * add_data, char * nonce_hex, + char * expected_result_hex ) +{ + int slot = 1; + psa_key_type_t key_type = key_type_arg; + psa_algorithm_t alg = alg_arg; + unsigned char *key_data = NULL; + size_t key_size; + unsigned char *input_data = NULL; + size_t input_size; + unsigned char *output_data = NULL; + size_t output_size = 0; + size_t output_length = 0; + unsigned char *expected_result = NULL; + size_t expected_result_length = 0; + uint8_t* nonce = NULL; + size_t nonce_length = 0; + size_t tag_length = 16; + unsigned char *additional_data = NULL; + size_t additional_data_length = 0; + psa_key_policy_t policy = {0}; + + + key_data = unhexify_alloc( key_hex, &key_size ); + TEST_ASSERT( key_data != NULL ); + input_data = unhexify_alloc( input_hex, &input_size ); + TEST_ASSERT( input_data != NULL ); + additional_data = unhexify_alloc( add_data, &additional_data_length ); + TEST_ASSERT( input_data != NULL ); + output_size = input_size + tag_length; + output_data = mbedtls_calloc( 1, output_size ); + TEST_ASSERT( output_data != NULL ); + nonce = unhexify_alloc( nonce_hex, &nonce_length ); + TEST_ASSERT( nonce != NULL ); + expected_result = unhexify_alloc( expected_result_hex, &expected_result_length ); + TEST_ASSERT( expected_result != NULL ); + + TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); + + psa_key_policy_init( &policy ); + + psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT , alg ); + + TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_import_key( slot, key_type, + key_data, key_size ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_aead_encrypt( slot, alg, + nonce, nonce_length, + additional_data, additional_data_length, + input_data, input_size, output_data, + output_size, &output_length ) == PSA_SUCCESS ); + + + TEST_ASSERT( memcmp( output_data, expected_result, + output_length ) == 0 ); + + +exit: + psa_destroy_key( slot ); + mbedtls_free( key_data ); + mbedtls_free( input_data ); + mbedtls_free( additional_data ); + mbedtls_free( output_data ); + mbedtls_free( nonce ); + mbedtls_free( expected_result ); + mbedtls_psa_crypto_free( ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void aead_decrypt( int key_type_arg, char * key_hex, + int alg_arg, char * input_hex, + char * add_data, char * nonce_hex, + char * expected_result_hex, int expected_result_arg ) +{ + int slot = 1; + psa_key_type_t key_type = key_type_arg; + psa_algorithm_t alg = alg_arg; + unsigned char *key_data = NULL; + size_t key_size; + unsigned char *input_data = NULL; + size_t input_size; + unsigned char *output_data = NULL; + size_t output_size = 0; + size_t output_length = 0; + unsigned char *expected_data = NULL; + size_t expected_result_length = 0; + uint8_t* nonce = NULL; + size_t nonce_length = 0; + size_t tag_length = 16; + unsigned char *additional_data = NULL; + size_t additional_data_length = 0; + psa_key_policy_t policy = {0}; + psa_status_t expected_result = (psa_status_t) expected_result_arg; + + + key_data = unhexify_alloc( key_hex, &key_size ); + TEST_ASSERT( key_data != NULL ); + input_data = unhexify_alloc( input_hex, &input_size ); + TEST_ASSERT( input_data != NULL ); + additional_data = unhexify_alloc( add_data, &additional_data_length ); + TEST_ASSERT( input_data != NULL ); + output_size = input_size + tag_length; + output_data = mbedtls_calloc( 1, output_size ); + TEST_ASSERT( output_data != NULL ); + nonce = unhexify_alloc( nonce_hex, &nonce_length ); + TEST_ASSERT( nonce != NULL ); + expected_data = unhexify_alloc( expected_result_hex, &expected_result_length ); + TEST_ASSERT( expected_data != NULL ); + + TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); + + psa_key_policy_init( &policy ); + + psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DECRYPT , alg ); + + TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_import_key( slot, key_type, + key_data, key_size ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_aead_decrypt( slot, alg, + nonce, nonce_length, + additional_data, additional_data_length, + input_data, input_size, output_data, + output_size, &output_length ) == expected_result ); + + + if ( expected_result == PSA_SUCCESS ) + { + TEST_ASSERT( memcmp( output_data, expected_data, + output_length ) == 0 ); + } + + + +exit: + psa_destroy_key( slot ); + mbedtls_free( key_data ); + mbedtls_free( input_data ); + mbedtls_free( additional_data ); + mbedtls_free( output_data ); + mbedtls_free( nonce ); + mbedtls_free( expected_data ); + mbedtls_psa_crypto_free( ); +} +/* END_CASE */