From 8f2a6dcc253a81d6a1bccd6e8a19c101ef5bdeec Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Wed, 29 May 2019 17:32:21 +0200
Subject: [PATCH 01/34] Support PSA_KEY_DERIVATION_INPUT_SEED
---
 library/psa_crypto.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index b3be2617b..d45a85200 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -4778,6 +4778,7 @@ psa_status_t psa_key_derivation_input_bytes( psa_key_derivation_operation_t *ope
 case PSA_KEY_DERIVATION_INPUT_LABEL:
 case PSA_KEY_DERIVATION_INPUT_SALT:
 case PSA_KEY_DERIVATION_INPUT_INFO:
+ case PSA_KEY_DERIVATION_INPUT_SEED:
 return( psa_key_derivation_input_raw( operation, step, data, data_length ) );
 default:
From ed87d31d7d07fec5ddedc8afb19975e50d29a911 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Wed, 29 May 2019 17:32:39 +0200
Subject: [PATCH 02/34] Specify the order of inputs for TLS-1.2 KDFs
From the implementation point of view does not make much difference to constrain the input order. We constrain it because, this way the code is easier to review, the data flow easier to understand and the implementations in general are easier to validate.
---
 include/psa/crypto_values.h | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index e9fb9ad01..19dc28bf4 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -1244,10 +1244,11 @@ * specified in Section 5 of RFC 5246. It is based on HMAC and can be * used with either SHA-256 or SHA-384. * - * This key derivation algorithm uses the following inputs: + * This key derivation algorithm uses the following inputs, which must be + * passed in the order given here: + * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed. * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key. * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label. - * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed. * * For the application to TLS-1.2 key expansion, the seed is the * concatenation of ServerHello.Random + ClientHello.Random, @@ -1288,10 +1289,11 @@ * The latter is based on HMAC and can be used with either SHA-256 * or SHA-384. * - * This key derivation algorithm uses the following inputs: + * This key derivation algorithm uses the following inputs, which must be + * passed in the order given here: + * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed. * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key. * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label. - * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed. * * For the application to TLS-1.2, the seed (which is * forwarded to the TLS-1.2 PRF) is the concatenation of the From 71a4c9125b8d4df9151ee849ffb3511906b46818 Mon Sep 17 00:00:00 2001 
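Review bot: The new wording `which must be passed in the order given here`, added in both hunks of this file, sets an ordering rule without saying what status an out-of-order input produces, which is what a caller has to branch on; nothing on this page shows whether the implementation will answer with #PSA_ERROR_BAD_STATE or #PSA_ERROR_INVALID_ARGUMENT. Suggest one more list-trailing line in each place, e.g. `* Passing a step out of this order fails with #PSA_ERROR_BAD_STATE.`, with the status adjusted to whatever psa_tls12_prf_input settles on in the later patches. The second hunk (`@@ -1288`) needs the identical sentence.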
From: Janos Follath Date: Tue, 11 Jun 2019 09:14:47 +0100 Subject: [PATCH 03/34] Add flag for removing deprecated API Add the compile time option PSA_PRE_1_0_KEY_DERIVATION. If this is not turned on, then the function `psa_key_derivation()` is removed. Most of the tests regarding key derivation haven't been adapted to the new API yet and some of them have only been adapted partially. When this new option is turned off, the tests using the old API and test cases using the old API of partially adapted tests are skipped. The sole purpose of this option is to make the transition to the new API smoother. Once the transition is complete it can and should be removed along with the old API and its implementation. --- include/psa/crypto_extra.h | 12 ++++++++ library/psa_crypto.c | 10 +++++++ programs/psa/key_ladder_demo.c | 6 ++-- tests/suites/test_suite_psa_crypto.data | 32 ++++++++++----------- tests/suites/test_suite_psa_crypto.function | 17 +++++++---- 5 files changed, 54 insertions(+), 23 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index b08f46d09..3675ac61b 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -224,6 +224,17 @@ void mbedtls_psa_get_stats( mbedtls_psa_stats_t *stats ); psa_status_t mbedtls_psa_inject_entropy(const unsigned char *seed, size_t seed_size); +/* + * If this option is not turned on, then the function `psa_key_derivation()` + * is removed. + * + * The sole purpose of this option is to make the transition to the new API + * smoother. Once the transition is complete it can and should be removed + * along with the old API and its implementation. + */ +#define PSA_PRE_1_0_KEY_DERIVATION + +#if defined(PSA_PRE_1_0_KEY_DERIVATION) /** Set up a key derivation operation. * * FIMXE This function is no longer part of the official API. Its prototype 
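Review bot: `#define PSA_PRE_1_0_KEY_DERIVATION` is unconditional in a public header, so the option that this comment and the commit message describe as something that can be turned off cannot actually be disabled: a `-U` on the compile line does not undo a `#define` in an included header, and there is no `#if !defined` guard or configuration entry to override it. As committed, the `!defined(PSA_PRE_1_0_KEY_DERIVATION)` placeholder added to key_ladder_demo.c and the `depends_on:PSA_PRE_1_0_KEY_DERIVATION` test dependencies can never take the disabled path, so the new-API code gets no build coverage. Suggest making it a real build option (a commented-out or guarded define in the configuration header the rest of the library reads) rather than a hard `#define` here. The same unconditional define reappears where patch 05 moves it into crypto_struct.h (`@@ -191,6 +191,17 @@`), and the point applies there as well.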
@@ -280,6 +291,7 @@ psa_status_t psa_key_derivation(psa_key_derivation_operation_t *operation, const uint8_t *label, size_t label_length, size_t capacity); +#endif /* PSA_PRE_1_0_KEY_DERIVATION */ /* FIXME Deprecated. Remove this as soon as all the tests are updated. */ #define PSA_ALG_SELECT_RAW ((psa_algorithm_t)0x31000001) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index d45a85200..bf425df38 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4311,6 +4311,7 @@ psa_status_t psa_key_derivation_output_key( const psa_key_attributes_t *attribut /****************************************************************/ #if defined(MBEDTLS_MD_C) +#if defined(PSA_PRE_1_0_KEY_DERIVATION) /* Set up an HKDF-based operation. This is exactly the extract phase * of the HKDF algorithm. * @@ -4354,9 +4355,11 @@ static psa_status_t psa_key_derivation_hkdf_setup( psa_hkdf_key_derivation_t *hk hkdf->info_set = 1; return( PSA_SUCCESS ); } +#endif /* PSA_PRE_1_0_KEY_DERIVATION */ #endif /* MBEDTLS_MD_C */ #if defined(MBEDTLS_MD_C) +#if defined(PSA_PRE_1_0_KEY_DERIVATION) /* Set up a TLS-1.2-prf-based operation (see RFC 5246, Section 5). * * Note that if this function fails, you must call psa_key_derivation_abort() @@ -4413,7 +4416,9 @@ static psa_status_t psa_key_derivation_tls12_prf_setup( return( PSA_SUCCESS ); } +#endif /* PSA_PRE_1_0_KEY_DERIVATION */ +#if defined(PSA_PRE_1_0_KEY_DERIVATION) /* Set up a TLS-1.2-PSK-to-MS-based operation. */ static psa_status_t psa_key_derivation_tls12_psk_to_ms_setup( psa_tls12_prf_key_derivation_t *tls12_prf, @@ -4454,8 +4459,10 @@ static psa_status_t psa_key_derivation_tls12_psk_to_ms_setup( mbedtls_platform_zeroize( pms, sizeof( pms ) ); return( status ); } +#endif /* PSA_PRE_1_0_KEY_DERIVATION */ #endif /* MBEDTLS_MD_C */ +#if defined(PSA_PRE_1_0_KEY_DERIVATION) /* Note that if this function fails, you must call psa_key_derivation_abort() * to potentially free embedded data structures and wipe confidential data. */ 
@@ -4554,7 +4561,9 @@ static psa_status_t psa_key_derivation_internal( return( PSA_SUCCESS ); } +#endif /* PSA_PRE_1_0_KEY_DERIVATION */ +#if defined(PSA_PRE_1_0_KEY_DERIVATION) psa_status_t psa_key_derivation( psa_key_derivation_operation_t *operation, psa_key_handle_t handle, psa_algorithm_t alg, @@ -4594,6 +4603,7 @@ psa_status_t psa_key_derivation( psa_key_derivation_operation_t *operation, psa_key_derivation_abort( operation ); return( status ); } +#endif /* PSA_PRE_1_0_KEY_DERIVATION */ static psa_status_t psa_key_derivation_setup_kdf( psa_key_derivation_operation_t *operation, diff --git a/programs/psa/key_ladder_demo.c b/programs/psa/key_ladder_demo.c index af7be1e0a..426e41f87 100644 --- a/programs/psa/key_ladder_demo.c +++ b/programs/psa/key_ladder_demo.c @@ -66,12 +66,14 @@ /* If the build options we need are not enabled, compile a placeholder. */ #if !defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) || \ !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CCM_C) || \ - !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_FS_IO) + !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_FS_IO) ||\ + !defined(PSA_PRE_1_0_KEY_DERIVATION) int main( void ) { printf("MBEDTLS_SHA256_C and/or MBEDTLS_MD_C and/or " "MBEDTLS_AES_C and/or MBEDTLS_CCM_C and/or " - "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO not defined.\n"); + "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO and/or " + "PSA_PRE_1_0_KEY_DERIVATION not defined.\n"); return( 0 ); } #else diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index b3d27a8b4..f057f7797 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -1849,70 +1849,70 @@ derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_1):"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0 # Test vectors taken from https://www.ietf.org/mail-archive/web/tls/current/msg03416.html PSA key derivation: TLS 1.2 PRF SHA-256, output 100+0 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"9bbe436ba940f017b17652849a71db35":"a0ba9f936cda311827a6f796ffd5198c":"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa022f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b66":"" PSA key derivation: TLS 1.2 PRF SHA-256, output 99+1 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"9bbe436ba940f017b17652849a71db35":"a0ba9f936cda311827a6f796ffd5198c":"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa022f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b":"66" PSA key derivation: TLS 1.2 PRF SHA-256, output 1+99 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"9bbe436ba940f017b17652849a71db35":"a0ba9f936cda311827a6f796ffd5198c":"74657374206c6162656c":100:"e3":"f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa022f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b66" PSA key derivation: TLS 1.2 PRF SHA-256, output 50+50 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION 
derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"9bbe436ba940f017b17652849a71db35":"a0ba9f936cda311827a6f796ffd5198c":"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa0":"22f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b66" PSA key derivation: TLS 1.2 PRF SHA-256, output 50+49 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"9bbe436ba940f017b17652849a71db35":"a0ba9f936cda311827a6f796ffd5198c":"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa0":"22f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b" PSA key derivation: TLS 1.2 PRF SHA-384, output 148+0 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):"b80b733d6ceefcdc71566ea48e5567df":"cd665cf6a8447dd6ff8b27555edb7465":"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792eca722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e56f":"" PSA key derivation: TLS 1.2 PRF SHA-384, output 147+1 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION 
derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):"b80b733d6ceefcdc71566ea48e5567df":"cd665cf6a8447dd6ff8b27555edb7465":"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792eca722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e5":"6f" PSA key derivation: TLS 1.2 PRF SHA-384, output 1+147 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):"b80b733d6ceefcdc71566ea48e5567df":"cd665cf6a8447dd6ff8b27555edb7465":"74657374206c6162656c":148:"7b":"0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792eca722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e56f" PSA key derivation: TLS 1.2 PRF SHA-384, output 74+74 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):"b80b733d6ceefcdc71566ea48e5567df":"cd665cf6a8447dd6ff8b27555edb7465":"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792ec":"a722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e56f" PSA key derivation: TLS 1.2 PRF SHA-384, output 74+73 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION 
derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):"b80b733d6ceefcdc71566ea48e5567df":"cd665cf6a8447dd6ff8b27555edb7465":"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792ec":"a722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e5" # Test case manually extracted from debug output of TLS-PSK run # Label: "master secret" # Salt: Concatenation of ClientHello.Random and ServerHello.Random PSA key derivation: TLS 1.2 PSK-to-MS, SHA-256, 48+0 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":48:"5a9dd5ffa78b4d1f28f40d91b4e6e6ed37849042d61ba32ca43d866e744cee7cd1baaa497e1ecd5c2e60f9f13030a710":"" PSA key derivation: TLS 1.2 PSK-to-MS, SHA-256, 24+24 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":48:"5a9dd5ffa78b4d1f28f40d91b4e6e6ed37849042d61ba32c":"a43d866e744cee7cd1baaa497e1ecd5c2e60f9f13030a710" PSA key derivation: TLS 1.2 PSK-to-MS, SHA-256, 0+48 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION 
derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":48:"":"5a9dd5ffa78b4d1f28f40d91b4e6e6ed37849042d61ba32ca43d866e744cee7cd1baaa497e1ecd5c2e60f9f13030a710" PSA key derivation: TLS 1.2 PSK-to-MS, SHA-384, 48+0 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):"01020304":"5bed47716a11a49a6268a8350b085929116ad9ccc8181f09a05b07a7741576d65bed47718dfd82f2d3f57544afe52decae6819b970dc716ada72ae0dd3072e9a":"6d617374657220736563726574":48:"f5a61fbdd2ec415762abb8042a6c16645a53d2edb6dec8c85ca71689301f9f4d875128c87608b75250b20a9550e4fe18":"" PSA key derivation: TLS 1.2 PSK-to-MS, SHA-384, 24+24 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):"01020304":"5bed47716a11a49a6268a8350b085929116ad9ccc8181f09a05b07a7741576d65bed47718dfd82f2d3f57544afe52decae6819b970dc716ada72ae0dd3072e9a":"6d617374657220736563726574":48:"":"f5a61fbdd2ec415762abb8042a6c16645a53d2edb6dec8c85ca71689301f9f4d875128c87608b75250b20a9550e4fe18" PSA key derivation: TLS 1.2 PSK-to-MS, SHA-384, 0+48 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):"01020304":"5bed47716a11a49a6268a8350b085929116ad9ccc8181f09a05b07a7741576d65bed47718dfd82f2d3f57544afe52decae6819b970dc716ada72ae0dd3072e9a":"6d617374657220736563726574":48:"f5a61fbdd2ec415762abb8042a6c16645a53d2edb6dec8c8":"5ca71689301f9f4d875128c87608b75250b20a9550e4fe18" PSA key derivation: HKDF SHA-256, request maximum capacity 
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 4441e9b4c..b21a8f16d 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -545,6 +545,7 @@ static int exercise_key_derivation_key( psa_key_handle_t handle, seed, seed_length ) ); } +#if defined(PSA_PRE_1_0_KEY_DERIVATION) else { // legacy @@ -554,6 +555,7 @@ static int exercise_key_derivation_key( psa_key_handle_t handle, seed, seed_length, sizeof( output ) ) ); } +#endif PSA_ASSERT( psa_key_derivation_output_bytes( &operation, output, sizeof( output ) ) ); @@ -1776,7 +1778,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:PSA_PRE_1_0_KEY_DERIVATION */ void derive_key_policy( int policy_usage, int policy_alg, int key_type, @@ -4024,7 +4026,7 @@ void key_derivation_init( ) } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:PSA_PRE_1_0_KEY_DERIVATION */ void derive_setup( int key_type_arg, data_t *key_data, int alg_arg, @@ -4063,7 +4065,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:PSA_PRE_1_0_KEY_DERIVATION */ void test_derive_invalid_key_derivation_state( ) { psa_key_handle_t handle = 0; @@ -4199,6 +4201,7 @@ void derive_output( int alg_arg, PSA_KEY_DERIVATION_INPUT_INFO, label->x, label->len ) ); } +#if defined(PSA_PRE_1_0_KEY_DERIVATION) else { // legacy @@ -4207,6 +4210,7 @@ void derive_output( int alg_arg, label->x, label->len, requested_capacity ) ); } +#endif PSA_ASSERT( psa_key_derivation_get_capacity( &operation, ¤t_capacity ) ); TEST_EQUAL( current_capacity, requested_capacity ); @@ -4295,6 +4299,8 @@ void derive_full( int alg_arg, PSA_KEY_DERIVATION_INPUT_INFO, label->x, label->len ) ); } + +#if defined(PSA_PRE_1_0_KEY_DERIVATION) else { // legacy 
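Review bot: The `#endif` lines added to this file carry no trailing comment, whereas every `#endif` the same commit adds to psa_crypto.c is written `#endif /* PSA_PRE_1_0_KEY_DERIVATION */`; in a test file of this size the annotated form is what lets a reader pair the guard with the `#if` several lines above it. Suggest `#endif /* PSA_PRE_1_0_KEY_DERIVATION */` for the hunks at `@@ -554`, `@@ -4207` and, on the following physical line, `@@ -4303`. The extra blank line inserted between `}` and `#if defined(PSA_PRE_1_0_KEY_DERIVATION)` in `derive_full` (`@@ -4295`) is absent from the otherwise identical `derive_output` hunk (`@@ -4199`) and should probably be dropped for consistency.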
@@ -4303,6 +4309,7 @@ void derive_full( int alg_arg, label->x, label->len, requested_capacity ) ); } +#endif PSA_ASSERT( psa_key_derivation_get_capacity( &operation, ¤t_capacity ) ); TEST_EQUAL( current_capacity, expected_capacity ); @@ -4335,7 +4342,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:PSA_PRE_1_0_KEY_DERIVATION */ void derive_key_exercise( int alg_arg, data_t *key_data, data_t *salt, @@ -4395,7 +4402,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:PSA_PRE_1_0_KEY_DERIVATION */ void derive_key_export( int alg_arg, data_t *key_data, data_t *salt, From 083036af64c79c097b90c8eeb23036072ec1bf3b Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 11 Jun 2019 10:22:26 +0100 Subject: [PATCH 04/34] Safely erase key material upon abort Some key derivation operation contexts (like psa_tls12_prf_key_derivation_t) directly contain buffers with parts of the derived key. Erase them safely as part of the abort. --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index bf425df38..924b291f4 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3902,7 +3902,7 @@ psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation { status = PSA_ERROR_BAD_STATE; } - memset( operation, 0, sizeof( *operation ) ); + mbedtls_platform_zeroize( operation, sizeof( *operation ) ); return( status ); } From e3e8166cdd3e27684c63162fea7d0f3c0c18b67c Mon Sep 17 00:00:00 2001 
From: Janos Follath Date: Tue, 11 Jun 2019 14:07:27 +0100 Subject: [PATCH 05/34] Move PSA_PRE_1_0_KEY_DERIVATION to crypto_struct.h We want to make the PRF context structure depend on this flag, but crypto_extra.h is included after crypto_struct.h and having the option at its original place would not affect crypto_struct.h. --- include/psa/crypto_extra.h | 10 ---------- include/psa/crypto_struct.h | 11 +++++++++++ 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 3675ac61b..3fc73b9d3 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -224,16 +224,6 @@ void mbedtls_psa_get_stats( mbedtls_psa_stats_t *stats ); psa_status_t mbedtls_psa_inject_entropy(const unsigned char *seed, size_t seed_size); -/* - * If this option is not turned on, then the function `psa_key_derivation()` - * is removed. - * - * The sole purpose of this option is to make the transition to the new API - * smoother. Once the transition is complete it can and should be removed - * along with the old API and its implementation. - */ -#define PSA_PRE_1_0_KEY_DERIVATION - #if defined(PSA_PRE_1_0_KEY_DERIVATION) /** Set up a key derivation operation. * diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 977b021b8..0e0ecb22d 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h 
@@ -191,6 +191,17 @@ typedef struct
 } psa_hkdf_key_derivation_t;
 #endif /* MBEDTLS_MD_C */
+/*
+ * If this option is not turned on, then the function `psa_key_derivation()`
+ * is removed. And the new psa_tls12_prf_key_derivation_t context is used along
+ * with the corresponding new API.
+ *
+ * The sole purpose of this option is to make the transition to the new API
+ * smoother. Once the transition is complete it can and should be removed
+ * along with the old API and its implementation.
+ */
+#define PSA_PRE_1_0_KEY_DERIVATION
+
 #if defined(MBEDTLS_MD_C)
 typedef struct psa_tls12_prf_key_derivation_s
 {
From 999f648437ebec0f93021ae7b638f96cc69ca14b Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Tue, 11 Jun 2019 12:04:10 +0100
Subject: [PATCH 06/34] Add new psa_tls12_prf_key_derivation_t
As part of adapting TLS 1.2 key derivation to the PSA 1.0 API we need to change the context structure.
---
 include/psa/crypto_struct.h | 38 +++++++++++++++++++++++++++++++++++++
 library/psa_crypto.c | 10 ++++++++++
 2 files changed, 48 insertions(+)
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 0e0ecb22d..e6197cb9b 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -203,6 +203,7 @@ typedef struct
 #define PSA_PRE_1_0_KEY_DERIVATION
 #if defined(MBEDTLS_MD_C)
+#if defined(PSA_PRE_1_0_KEY_DERIVATION)
 typedef struct psa_tls12_prf_key_derivation_s
 {
 /* The TLS 1.2 PRF uses the key for each HMAC iteration,
@@ -231,6 +232,43 @@ typedef struct psa_tls12_prf_key_derivation_s
 uint8_t block_number;
 } psa_tls12_prf_key_derivation_t;
+#else
+
+typedef enum
+{
+ TLS12_PRF_STATE_INIT, /* no input provided */
+ TLS12_PRF_STATE_SEED_SET, /* seed has been set */
+ TLS12_PRF_STATE_KEY_SET, /* key has been set */
+ TLS12_PRF_STATE_LABEL_SET, /* label has been set */
+ TLS12_PRF_STATE_OUTPUT /* output has been started */
+} psa_tls12_prf_key_derivation_state_t;
+
+typedef struct psa_tls12_prf_key_derivation_s
+{
+#if PSA_HASH_MAX_SIZE > 0xff
+#error "PSA_HASH_MAX_SIZE does not fit in uint8_t"
+#endif
+
+ /* Indicates how many bytes in the current HMAC block have
+ * already been read by the user. */
+ uint8_t offset_in_block;
+
+ /* The 1-based number of the block. */
+ uint8_t block_number;
+
+ psa_tls12_prf_key_derivation_state_t state;
+
+ uint8_t *seed;
+ size_t seed_length;
+ uint8_t *label;
+ size_t label_length;
+ psa_hmac_internal_data hmac;
+ uint8_t Ai[PSA_HASH_MAX_SIZE];
+
+ /* `HMAC_hash( prk, A(i) + seed )` in the notation of RFC 5246, Sect. 5. */
+ uint8_t output_block[PSA_HASH_MAX_SIZE];
+} psa_tls12_prf_key_derivation_t;
+#endif /* PSA_PRE_1_0_KEY_DERIVATION */
 #endif /* MBEDTLS_MD_C */
 struct psa_key_derivation_s
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 924b291f4..f4e94bf2f 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -2122,11 +2122,13 @@ static psa_status_t psa_hmac_abort_internal( psa_hmac_internal_data *hmac )
 return( psa_hash_abort( &hmac->hash_ctx ) );
 }
+#if defined(PSA_PRE_1_0_KEY_DERIVATION)
 static void psa_hmac_init_internal( psa_hmac_internal_data *hmac )
 {
 /* Instances of psa_hash_operation_s can be initialized by zeroization. */
 memset( hmac, 0, sizeof( *hmac ) );
 }
+#endif /* PSA_PRE_1_0_KEY_DERIVATION */
 #endif /* MBEDTLS_MD_C */
 psa_status_t psa_mac_abort( psa_mac_operation_t *operation )
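Review bot: The new fields `state`, `seed`/`seed_length` and `label`/`label_length` in `psa_tls12_prf_key_derivation_s` are the only members without a comment, and nothing here says who owns the two heap pointers; patch 07 shows psa_key_derivation_abort() zeroizing and freeing them, so that contract is worth stating where the struct is declared. Suggest `/* Heap copies owned by the operation; zeroized and freed in psa_key_derivation_abort(). */` above `uint8_t *seed;` and `/* Which inputs have been supplied so far (presumably mirrors the documented SEED, SECRET, LABEL input order). */` above `state`. Also note that this whole `#else` branch, including the useful `#if PSA_HASH_MAX_SIZE > 0xff` guard, is compiled out while the `#define PSA_PRE_1_0_KEY_DERIVATION` a few lines above the hunk remains unconditional, so it gets no build coverage until that define becomes a real option.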
@@ -3879,6 +3881,7 @@ psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation mbedtls_free( operation->ctx.hkdf.info ); status = psa_hmac_abort_internal( &operation->ctx.hkdf.hmac ); } +#if defined(PSA_PRE_1_0_KEY_DERIVATION) else if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) || /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */ PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) @@ -3897,6 +3900,7 @@ psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation mbedtls_free( operation->ctx.tls12_prf.Ai_with_seed ); } } +#endif /* PSA_PRE_1_0_KEY_DERIVATION */ else #endif /* MBEDTLS_MD_C */ { @@ -4000,6 +4004,7 @@ static psa_status_t psa_key_derivation_hkdf_read( psa_hkdf_key_derivation_t *hkd return( PSA_SUCCESS ); } +#if defined(PSA_PRE_1_0_KEY_DERIVATION) static psa_status_t psa_key_derivation_tls12_prf_generate_next_block( psa_tls12_prf_key_derivation_t *tls12_prf, psa_algorithm_t alg ) @@ -4111,7 +4116,9 @@ cleanup: return( status ); } +#endif /* PSA_PRE_1_0_KEY_DERIVATION */ +#if defined(PSA_PRE_1_0_KEY_DERIVATION) /* Read some bytes from an TLS-1.2-PRF-based operation. * See Section 5 of RFC 5246. */ static psa_status_t psa_key_derivation_tls12_prf_read( @@ -4151,6 +4158,7 @@ static psa_status_t psa_key_derivation_tls12_prf_read( return( PSA_SUCCESS ); } +#endif /* PSA_PRE_1_0_KEY_DERIVATION */ #endif /* MBEDTLS_MD_C */ psa_status_t psa_key_derivation_output_bytes( psa_key_derivation_operation_t *operation, @@ -4210,6 +4218,7 @@ psa_status_t psa_key_derivation_output_bytes( psa_key_derivation_operation_t *op status = psa_key_derivation_hkdf_read( &operation->ctx.hkdf, hash_alg, output, output_length ); } +#if defined(PSA_PRE_1_0_KEY_DERIVATION) else if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) || PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) { 
@@ -4217,6 +4226,7 @@ psa_status_t psa_key_derivation_output_bytes( psa_key_derivation_operation_t *op
 kdf_alg, output, output_length );
 }
+#endif /* PSA_PRE_1_0_KEY_DERIVATION */
 else
 #endif /* MBEDTLS_MD_C */
 {
From 6a1d262803c4808791e082c56116bc709555b2ea Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Tue, 11 Jun 2019 10:37:28 +0100
Subject: [PATCH 07/34] Adapt psa_key_derivation_abort to the new context
---
 library/psa_crypto.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index f4e94bf2f..6d3260bf8 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3881,11 +3881,11 @@ psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation
 mbedtls_free( operation->ctx.hkdf.info );
 status = psa_hmac_abort_internal( &operation->ctx.hkdf.hmac );
 }
-#if defined(PSA_PRE_1_0_KEY_DERIVATION)
 else if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
 /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */
 PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
 {
+#if defined(PSA_PRE_1_0_KEY_DERIVATION)
 if( operation->ctx.tls12_prf.key != NULL )
 {
 mbedtls_platform_zeroize( operation->ctx.tls12_prf.key,
@@ -3899,8 +3899,27 @@ psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation
 operation->ctx.tls12_prf.Ai_with_seed_len );
 mbedtls_free( operation->ctx.tls12_prf.Ai_with_seed );
 }
- }
+#else
+ if( operation->ctx.tls12_prf.seed != NULL )
+ {
+ mbedtls_platform_zeroize( operation->ctx.tls12_prf.seed,
+ operation->ctx.tls12_prf.seed_length );
+ mbedtls_free( operation->ctx.tls12_prf.seed );
+ }
+
+ if( operation->ctx.tls12_prf.label != NULL )
+ {
+ mbedtls_platform_zeroize( operation->ctx.tls12_prf.label,
+ operation->ctx.tls12_prf.label_length );
+ mbedtls_free( operation->ctx.tls12_prf.label );
+ }
+
+ status = psa_hmac_abort_internal( &operation->ctx.tls12_prf.hmac );
+
+ /* We leave the fields Ai and output_block to be erased safely by the
+ * mbedtls_platform_zeroize() in the end of this function. */
 #endif /* PSA_PRE_1_0_KEY_DERIVATION */
+ }
 else
 #endif /* MBEDTLS_MD_C */
 {
From b03233e196002255ff7605d21dd64f10f71355f7 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Tue, 11 Jun 2019 15:30:30 +0100
Subject: [PATCH 08/34] Add stubs for psa_tls12_prf_input
---
 library/psa_crypto.c | 40 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 6d3260bf8..1e20f47cc 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -4754,6 +4754,41 @@ static psa_status_t psa_hkdf_input( psa_hkdf_key_derivation_t *hkdf,
 return( PSA_ERROR_INVALID_ARGUMENT );
 }
 }
+
+#if defined(PSA_PRE_1_0_KEY_DERIVATION)
+static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf,
+ psa_algorithm_t hash_alg,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length )
+{
+ (void) prf;
+ (void) hash_alg;
+ (void) step;
+ (void) data;
+ (void) data_length;
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+#else
+static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf,
+ psa_algorithm_t hash_alg,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length )
+{
+ (void) prf;
+ (void) hash_alg;
+ (void) data;
+ (void) data_length;
+
+ switch( step )
+ {
+ default:
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+#endif /* PSA_PRE_1_0_KEY_DERIVATION */
 #endif /* MBEDTLS_MD_C */
 static psa_status_t psa_key_derivation_input_raw(
@@ -4793,7 +4828,10 @@ static psa_status_t psa_key_derivation_input_raw(
 PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
 {
 // To do: implement this
- status = PSA_ERROR_NOT_SUPPORTED;
+ status = psa_tls12_prf_input( &operation->ctx.tls12_prf,
+ PSA_ALG_HKDF_GET_HASH( kdf_alg ),
+ step, data, data_length );
+
 }
 else
 #endif /* MBEDTLS_MD_C */
From af3c2a070042be4ba3c83cd63453350966e825b7 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Wed, 12 Jun 2019 12:34:34 +0100
Subject: [PATCH 09/34] Add a test for psa_key_derivation_input
---
 tests/suites/test_suite_psa_crypto.data | 4 ++
 tests/suites/test_suite_psa_crypto.function | 59 +++++++++++++++++++++
 2 files changed, 63 insertions(+)
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index f057f7797..08da0474d 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
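Review bot: In the second hunk (`@@ -4793`) the comment `// To do: implement this` survives above a call that is no longer a placeholder, and the hash is extracted with `PSA_ALG_HKDF_GET_HASH( kdf_alg )` although `kdf_alg` is a TLS 1.2 PRF or PSK-to-MS algorithm at this point; `PSA_ALG_TLS12_PRF_GET_HASH` exists for that and names what the code means (the two macros presumably isolate the same hash bits, so this is about readability rather than a wrong value). Suggest removing the stale comment and the empty line added before `}`, and writing `PSA_ALG_TLS12_PRF_GET_HASH( kdf_alg ),`. In the first hunk, the `PSA_PRE_1_0_KEY_DERIVATION` stub returns #PSA_ERROR_INVALID_ARGUMENT where the replaced line returned #PSA_ERROR_NOT_SUPPORTED, so on the legacy build the same unsupported call now reports a different status; returning `PSA_ERROR_NOT_SUPPORTED` from that stub would keep the legacy behaviour unchanged until the real implementation lands. `psa_key_derivation_input_raw` starts before the second hunk and ends after it.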
@@ -1791,6 +1791,10 @@ PSA key derivation: unsupported key derivation algorithm depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C derive_setup:PSA_KEY_TYPE_DERIVE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ALG_CATEGORY_KEY_DERIVATION:"":"":42:PSA_ERROR_NOT_SUPPORTED +PSA key derivation: HKDF-SHA-256, good case +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +derive_input:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"":PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS + PSA key derivation: invalid state (double generate + read past capacity) depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C test_derive_invalid_key_derivation_state: diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index b21a8f16d..7954d33eb 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function 
@@ -4065,6 +4065,65 @@ exit:
 }
 /* END_CASE */
+/* BEGIN_CASE */
+void derive_input( int alg_arg,
+ int key_type_arg,
+ int step1_arg, data_t *input1,
+ int step2_arg, data_t *input2,
+ int step3_arg, data_t *input3,
+ int expected_status_arg1,
+ int expected_status_arg2,
+ int expected_status_arg3 )
+{
+ psa_algorithm_t alg = alg_arg;
+ size_t key_type = key_type_arg;
+ psa_key_derivation_step_t steps[] = {step1_arg, step2_arg, step3_arg};
+ psa_status_t expected_statuses[] = {expected_status_arg1,
+ expected_status_arg2,
+ expected_status_arg3};
+ data_t *inputs[] = {input1, input2, input3};
+ psa_key_handle_t handles[] = {0, 0, 0};
+ psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ size_t i;
+
+ PSA_ASSERT( psa_crypto_init( ) );
+
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE );
+ psa_set_key_algorithm( &attributes, alg );
+ psa_set_key_type( &attributes, key_type );
+
+ PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) );
+
+ for( i = 0; i < ARRAY_LENGTH( steps ); i++ )
+ {
+ switch( steps[i] )
+ {
+ case PSA_KEY_DERIVATION_INPUT_SECRET:
+ PSA_ASSERT( psa_import_key( &attributes,
+ inputs[i]->x, inputs[i]->len,
+ &handles[i] ) );
+ TEST_EQUAL( psa_key_derivation_input_key( &operation, steps[i],
+ handles[i] ),
+ expected_statuses[i] );
+ break;
+ default:
+ TEST_EQUAL( psa_key_derivation_input_bytes(
+ &operation, steps[i],
+ inputs[i]->x, inputs[i]->len ),
+ expected_statuses[i] );
+ break;
+ }
+ }
+
+exit:
+ psa_key_derivation_abort( &operation );
+ for( i = 0; i < ARRAY_LENGTH( handles ); i++ )
+ psa_destroy_key( handles[i] );
+ PSA_DONE( );
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:PSA_PRE_1_0_KEY_DERIVATION */
 void test_derive_invalid_key_derivation_state( )
 {
From 99dd6acdcec9d9b932521f33a349a9f335187449 Mon Sep 17 00:00:00 2001
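Review bot: `size_t key_type = key_type_arg;` gives the key type the wrong C type; psa_set_key_type takes a `psa_key_type_t`, and the neighbouring `psa_algorithm_t alg = alg_arg;` shows the intended pattern, so write `psa_key_type_t key_type = key_type_arg;`. Separately, `handles[i]` stays 0 for every non-SECRET step and the exit loop destroys all three anyway, which presumably relies on psa_destroy_key tolerating a null handle as other tests in this suite already do; a one-line comment on the loop, `/* handles[] for non-key steps are 0 and harmless to destroy */`, would save the next reader the check.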
From: Janos Follath Date: Wed, 12 Jun 2019 15:06:40 +0100 Subject: [PATCH 10/34] Add test cases for derive_input In the 1.0 API some functionality has been split from the psa_key_derivation_setup() function and is now done with the psa_key_derivation_input_*() functions. The new tests maintain the existing test coverage of this functionality. --- tests/suites/test_suite_psa_crypto.data | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 08da0474d..c008aa483 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -1795,6 +1795,22 @@ PSA key derivation: HKDF-SHA-256, good case depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C derive_input:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"":PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS +PSA key derivation: HKDF-SHA-512, good case +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C +derive_input:PSA_ALG_HKDF(PSA_ALG_SHA_512):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"":PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS + +PSA key derivation: HKDF-SHA-256, bad key type +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +derive_input:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_TYPE_RAW_DATA:PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"":PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_SUCCESS + +PSA key derivation: TLS 1.2 PRF SHA-256, good case +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS + +PSA key derivation: TLS 1.2 PRF SHA-256, bad key type +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_RAW_DATA:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE + PSA key derivation: invalid state (double generate + read past capacity) depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C test_derive_invalid_key_derivation_state: 
From 4b7effd35af523fbd9dcc163fb8e3bf99b946e01 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 12 Jun 2019 15:27:53 +0100 Subject: [PATCH 11/34] Add more tests for TLS 1.2 PRF input --- tests/suites/test_suite_psa_crypto.data | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index c008aa483..46baea230 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -1807,6 +1807,26 @@ PSA key derivation: TLS 1.2 PRF SHA-256, good case depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS +PSA key derivation: TLS 1.2 PRF SHA-256, key first +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE + +PSA key derivation: TLS 1.2 PRF SHA-256, label first +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE + +PSA key derivation: TLS 1.2 PRF SHA-256, early label +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE + +PSA key derivation: TLS 1.2 PRF SHA-256, double seed +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE + +PSA key derivation: 
TLS 1.2 PRF SHA-256, double key +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_SUCCESS:PSA_ERROR_BAD_STATE + PSA key derivation: TLS 1.2 PRF SHA-256, bad key type depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_RAW_DATA:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE From b80a94e2ea280322de8282969685ab564acb5201 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 12 Jun 2019 15:54:46 +0100 Subject: [PATCH 12/34] Rename psa_key_derivation_input_raw The function dispatches between all the available methods and does not just handle the raw key derivation case like the name suggests. --- library/psa_crypto.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 1e20f47cc..96150f854 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4791,7 +4791,7 @@ static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf, #endif /* PSA_PRE_1_0_KEY_DERIVATION */ #endif /* MBEDTLS_MD_C */ -static psa_status_t psa_key_derivation_input_raw( +static psa_status_t psa_key_derivation_input_internal( psa_key_derivation_operation_t *operation, psa_key_derivation_step_t step, const uint8_t *data, 
@@ -4856,8 +4856,8 @@ psa_status_t psa_key_derivation_input_bytes( psa_key_derivation_operation_t *ope case PSA_KEY_DERIVATION_INPUT_SALT: case PSA_KEY_DERIVATION_INPUT_INFO: case PSA_KEY_DERIVATION_INPUT_SEED: - return( psa_key_derivation_input_raw( operation, step, - data, data_length ) ); + return( psa_key_derivation_input_internal( operation, step, + data, data_length ) ); default: return( PSA_ERROR_INVALID_ARGUMENT ); } @@ -4884,10 +4884,10 @@ psa_status_t psa_key_derivation_input_key( psa_key_derivation_operation_t *opera * and leak values derived from the key. So be conservative. */ if( step != PSA_KEY_DERIVATION_INPUT_SECRET ) return( PSA_ERROR_INVALID_ARGUMENT ); - return( psa_key_derivation_input_raw( operation, - step, - slot->data.raw.data, - slot->data.raw.bytes ) ); + return( psa_key_derivation_input_internal( operation, + step, + slot->data.raw.data, + slot->data.raw.bytes ) ); } @@ -4999,8 +4999,9 @@ static psa_status_t psa_key_agreement_internal( psa_key_derivation_operation_t * /* Step 2: set up the key derivation to generate key material from * the shared secret. */ - status = psa_key_derivation_input_raw( operation, step, - shared_secret, shared_secret_length ); + status = psa_key_derivation_input_internal( operation, step, + shared_secret, + shared_secret_length ); exit: mbedtls_platform_zeroize( shared_secret, shared_secret_length ); From ef83f5e98eb859ff3baf7cf2662b55a45872c0a0 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 12 Jun 2019 16:05:43 +0100 Subject: [PATCH 13/34] Move raw key derivation input to a new function --- library/psa_crypto.c | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 96150f854..ebd98a852 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -4791,6 +4791,25 @@ static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf,
 #endif /* PSA_PRE_1_0_KEY_DERIVATION */
 #endif /* MBEDTLS_MD_C */
+static psa_status_t psa_key_derivation_input_raw(
+ psa_key_derivation_operation_t *operation,
+ const uint8_t *data,
+ size_t data_length )
+{
+ if( operation->capacity != 0 )
+ return( PSA_ERROR_INVALID_ARGUMENT );
+
+ operation->ctx.buffer.data = mbedtls_calloc( 1, data_length );
+ if( operation->ctx.buffer.data == NULL )
+ return( PSA_ERROR_INSUFFICIENT_MEMORY );
+
+ memcpy( operation->ctx.buffer.data, data, data_length );
+ operation->ctx.buffer.size = data_length;
+ operation->capacity = data_length;
+
+ return PSA_SUCCESS;
+}
+
 static psa_status_t psa_key_derivation_input_internal(
 psa_key_derivation_operation_t *operation,
 psa_key_derivation_step_t step,
@@ -4802,15 +4821,7 @@ static psa_status_t psa_key_derivation_input_internal(
 if( kdf_alg == PSA_ALG_SELECT_RAW )
 {
- if( operation->capacity != 0 )
- return( PSA_ERROR_INVALID_ARGUMENT );
- operation->ctx.buffer.data = mbedtls_calloc( 1, data_length );
- if( operation->ctx.buffer.data == NULL )
- return( PSA_ERROR_INSUFFICIENT_MEMORY );
- memcpy( operation->ctx.buffer.data, data, data_length );
- operation->ctx.buffer.size = data_length;
- operation->capacity = data_length;
- status = PSA_SUCCESS;
+ status = psa_key_derivation_input_raw( operation, data, data_length );
 }
 else
 #if defined(MBEDTLS_MD_C)
From f08e2654ed55339ebd536eeaaab61b4ef22a4cbd Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Thu, 13 Jun 2019 09:05:41 +0100
Subject: [PATCH 14/34] Add seed input for psa_tls12_prf_input
---
 library/psa_crypto.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index ebd98a852..a2bf203c6 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
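Review bot: `return PSA_SUCCESS;` in the new psa_key_derivation_input_raw drops the parenthesised `return( ... )` form used everywhere else in this file, including the three error returns a few lines above it; make it `return( PSA_SUCCESS );`. The function body is otherwise a verbatim move of the SELECT_RAW branch, so no behaviour changes here.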
@@ -4771,19 +4771,37 @@ static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf,
 return( PSA_ERROR_INVALID_ARGUMENT );
 }
 #else
+static psa_status_t psa_tls12_prf_set_seed( psa_tls12_prf_key_derivation_t *prf,
+ const uint8_t *data,
+ size_t data_length )
+{
+ if( prf->state != TLS12_PRF_STATE_INIT )
+ return( PSA_ERROR_BAD_STATE );
+
+ prf->seed = mbedtls_calloc( 1, data_length );
+ if( prf->seed == NULL )
+ return( PSA_ERROR_INSUFFICIENT_MEMORY );
+
+ memcpy( prf->seed, data, data_length );
+ prf->seed_length = data_length;
+
+ prf->state = TLS12_PRF_STATE_SEED_SET;
+
+ return( PSA_SUCCESS );
+}
+
 static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf,
 psa_algorithm_t hash_alg,
 psa_key_derivation_step_t step,
 const uint8_t *data,
 size_t data_length )
 {
- (void) prf;
 (void) hash_alg;
- (void) data;
- (void) data_length;
 switch( step )
 {
+ case PSA_KEY_DERIVATION_INPUT_SEED:
+ return( psa_tls12_prf_set_seed( prf, data, data_length ) );
 default:
 return( PSA_ERROR_INVALID_ARGUMENT );
 }
From 8155054e28e92c416f6118af495b79b544135303 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Thu, 13 Jun 2019 14:26:34 +0100
Subject: [PATCH 15/34] Add key import for psa_tls12_prf_input
---
 library/psa_crypto.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index a2bf203c6..c84098a6f 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
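Review bot: psa_tls12_prf_set_seed calls `mbedtls_calloc( 1, data_length )` unconditionally, and the test cases added in this series pass an empty seed (`""`); a zero-size allocation may legitimately return NULL, in which case an empty seed is misreported as PSA_ERROR_INSUFFICIENT_MEMORY on such platforms. The same pattern appears in psa_tls12_prf_set_label in PATCH 16. Skipping the allocation when `data_length` is 0 and still recording the length keeps the state machine identical and avoids the spurious error.
```c
static psa_status_t psa_tls12_prf_set_seed( psa_tls12_prf_key_derivation_t *prf,
                                            const uint8_t *data,
                                            size_t data_length )
{
    /* … unchanged: state check … */

    /* An empty seed is valid input; skip the allocation so that a zero-size
     * calloc() returning NULL is not reported as an out-of-memory error. */
    if( data_length != 0 )
    {
        prf->seed = mbedtls_calloc( 1, data_length );
        if( prf->seed == NULL )
            return( PSA_ERROR_INSUFFICIENT_MEMORY );

        memcpy( prf->seed, data, data_length );
    }
    prf->seed_length = data_length;

    /* … unchanged: state transition and return … */
}
```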
@@ -4790,18 +4790,36 @@ static psa_status_t psa_tls12_prf_set_seed( psa_tls12_prf_key_derivation_t *prf,
 return( PSA_SUCCESS );
 }
+static psa_status_t psa_tls12_prf_set_key( psa_tls12_prf_key_derivation_t *prf,
+ psa_algorithm_t hash_alg,
+ const uint8_t *data,
+ size_t data_length )
+{
+ psa_status_t status;
+ if( prf->state != TLS12_PRF_STATE_SEED_SET )
+ return( PSA_ERROR_BAD_STATE );
+
+ status = psa_hmac_setup_internal( &prf->hmac, data, data_length, hash_alg );
+ if( status != PSA_SUCCESS )
+ return( status );
+
+ prf->state = TLS12_PRF_STATE_KEY_SET;
+
+ return( PSA_SUCCESS );
+}
+
 static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf,
 psa_algorithm_t hash_alg,
 psa_key_derivation_step_t step,
 const uint8_t *data,
 size_t data_length )
 {
- (void) hash_alg;
-
 switch( step )
 {
 case PSA_KEY_DERIVATION_INPUT_SEED:
 return( psa_tls12_prf_set_seed( prf, data, data_length ) );
+ case PSA_KEY_DERIVATION_INPUT_SECRET:
+ return( psa_tls12_prf_set_key( prf, hash_alg, data, data_length ) );
 default:
 return( PSA_ERROR_INVALID_ARGUMENT );
 }
From 63028dd906c23a31a67e60db326ba448ccbad493 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Thu, 13 Jun 2019 09:15:47 +0100
Subject: [PATCH 16/34] Add label input for psa_tls12_prf_input
---
 library/psa_crypto.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index c84098a6f..bd9fca585 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
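Review bot: psa_tls12_prf_set_key feeds the secret straight into the HMAC, which is right for PSA_ALG_TLS12_PRF, but the dispatcher changed in PATCH 08 routes `PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg )` operations to psa_tls12_prf_input as well, so a PSK-to-MS operation would now key the PRF with the raw PSK instead of the premaster secret RFC 4279 builds from it, and with no bound on the PSK length. Unless a later patch in the series special-cases PSK-to-MS, this turns the previous explicit PSA_ERROR_NOT_SUPPORTED into a silently wrong derivation; until the conversion exists, keep `status = PSA_ERROR_NOT_SUPPORTED;` for the PSK-to-MS branch of the dispatcher rather than sharing this path. A short comment on set_key, `/* Secret is used directly as the HMAC key (TLS 1.2 PRF); PSK-to-MS needs the premaster-secret conversion first. */`, would document the limitation.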
@@ -4808,6 +4808,25 @@ static psa_status_t psa_tls12_prf_set_key( psa_tls12_prf_key_derivation_t *prf,
 return( PSA_SUCCESS );
 }
+static psa_status_t psa_tls12_prf_set_label( psa_tls12_prf_key_derivation_t *prf,
+ const uint8_t *data,
+ size_t data_length )
+{
+ if( prf->state != TLS12_PRF_STATE_KEY_SET )
+ return( PSA_ERROR_BAD_STATE );
+
+ prf->label = mbedtls_calloc( 1, data_length );
+ if( prf->label == NULL )
+ return( PSA_ERROR_INSUFFICIENT_MEMORY );
+
+ memcpy( prf->label, data, data_length );
+ prf->label_length = data_length;
+
+ prf->state = TLS12_PRF_STATE_LABEL_SET;
+
+ return( PSA_SUCCESS );
+}
+
 static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf,
 psa_algorithm_t hash_alg,
 psa_key_derivation_step_t step,
@@ -4820,6 +4839,8 @@ static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf,
 return( psa_tls12_prf_set_seed( prf, data, data_length ) );
 case PSA_KEY_DERIVATION_INPUT_SECRET:
 return( psa_tls12_prf_set_key( prf, hash_alg, data, data_length ) );
+ case PSA_KEY_DERIVATION_INPUT_LABEL:
+ return( psa_tls12_prf_set_label( prf, data, data_length ) );
 default:
 return( PSA_ERROR_INVALID_ARGUMENT );
 }
From ba3fab9074b292d3cf219c9d393f0a6715119a1e Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Tue, 11 Jun 2019 14:50:16 +0100
Subject: [PATCH 17/34] Adapt derive_key_policy test to the new API
---
 tests/suites/test_suite_psa_crypto.data | 6 +++---
 tests/suites/test_suite_psa_crypto.function | 20 ++++++++++++++------
 2 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 46baea230..c9e681746 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -461,7 +461,7 @@ depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C derive_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HKDF(PSA_ALG_SHA_256) PSA key policy: derive via TLS 1.2 PRF, permitted -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION derive_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256) PSA key policy: derive via HKDF, not permitted @@ -469,7 +469,7 @@ depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C derive_key_policy:0:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HKDF(PSA_ALG_SHA_256) PSA key policy: derive via TLS 1.2 PRF, not permitted -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION derive_key_policy:0:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256) PSA key policy: derive via HKDF, wrong algorithm @@ -477,7 +477,7 @@ depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C derive_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HKDF(PSA_ALG_SHA_224) PSA key policy: derive via TLS 1.2 PRF, wrong algorithm -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION derive_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HKDF(PSA_ALG_SHA_224) PSA key policy: agreement + KDF, permitted diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 7954d33eb..a049ee8cb 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function 
@@ -1778,7 +1778,7 @@ exit:
 }
 /* END_CASE */
-/* BEGIN_CASE depends_on:PSA_PRE_1_0_KEY_DERIVATION */
+/* BEGIN_CASE */
 void derive_key_policy( int policy_usage,
 int policy_alg,
 int key_type,
@@ -1799,11 +1799,19 @@ void derive_key_policy( int policy_usage,
 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len,
 &handle ) );
- status = psa_key_derivation( &operation, handle,
- exercise_alg,
- NULL, 0,
- NULL, 0,
- 1 );
+ PSA_ASSERT( psa_key_derivation_setup( &operation, exercise_alg ) );
+
+ if( PSA_ALG_IS_TLS12_PRF( exercise_alg ) ||
+ PSA_ALG_IS_TLS12_PSK_TO_MS( exercise_alg ) )
+ PSA_ASSERT( psa_key_derivation_input_bytes(
+ &operation,
+ PSA_KEY_DERIVATION_INPUT_SEED,
+ (const uint8_t*) "", 0) );
+
+ status = psa_key_derivation_input_key( &operation,
+ PSA_KEY_DERIVATION_INPUT_SECRET,
+ handle );
+
 if( policy_alg == exercise_alg &&
 ( policy_usage & PSA_KEY_USAGE_DERIVE ) != 0 )
 PSA_ASSERT( status );
From 16de4a4017b541a86ce226e81ba4b05e1f0a6d38 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Thu, 13 Jun 2019 16:32:24 +0100
Subject: [PATCH 18/34] Adapt the derive_setup tests to the new API
Part of the tests are adapted in this commit, another part is already covered by the derive_input tests and some of them are not applicable to the new API (the new API does not request capacity at the setup stage). The test coverage temporarily drops with this commit, the two test cases conserning capacity will be re-added in a later commit.
---
 tests/suites/test_suite_psa_crypto.data | 34 ++++++----------------
 tests/suites/test_suite_psa_crypto.function | 27 ++--------------
 2 files changed, 12 insertions(+), 49 deletions(-)
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index c9e681746..e58abf9ca 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
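Review bot: `(const uint8_t*) "", 0) );` in the new seed input breaks the file's spacing conventions (`uint8_t *` and a space before `)`), and a four-line PSA_ASSERT under an unbraced `if` is easy to misread as unconditional; brace the body and write `(const uint8_t *) "", 0 ) );`. The rest of derive_key_policy, including where `status` is declared and checked for the not-permitted case, lies outside this hunk.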
@@ -1757,39 +1757,31 @@ key_derivation_init: PSA key derivation: HKDF-SHA-256, good case depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_setup:PSA_KEY_TYPE_DERIVE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ALG_HKDF(PSA_ALG_SHA_256):"":"":42:PSA_SUCCESS +derive_setup:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_SUCCESS PSA key derivation: HKDF-SHA-512, good case depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C -derive_setup:PSA_KEY_TYPE_DERIVE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ALG_HKDF(PSA_ALG_SHA_512):"":"":42:PSA_SUCCESS - -PSA key derivation: HKDF-SHA-256, bad key type -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_setup:PSA_KEY_TYPE_RAW_DATA:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ALG_HKDF(PSA_ALG_SHA_256):"":"":42:PSA_ERROR_INVALID_ARGUMENT +derive_setup:PSA_ALG_HKDF(PSA_ALG_SHA_512):PSA_SUCCESS PSA key derivation: TLS 1.2 PRF SHA-256, good case depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_setup:PSA_KEY_TYPE_DERIVE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"":"":42:PSA_SUCCESS - -PSA key derivation: TLS 1.2 PRF SHA-256, bad key type -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_setup:PSA_KEY_TYPE_RAW_DATA:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"":"":42:PSA_ERROR_INVALID_ARGUMENT +derive_setup:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_SUCCESS PSA key derivation: not a key derivation algorithm (selection) depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_setup:PSA_KEY_TYPE_DERIVE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ALG_SELECT_RAW:"":"":42:PSA_ERROR_INVALID_ARGUMENT +derive_setup:PSA_ALG_SELECT_RAW:PSA_ERROR_INVALID_ARGUMENT PSA key derivation: not a key derivation algorithm (HMAC) depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_setup:PSA_KEY_TYPE_DERIVE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ALG_HMAC(PSA_ALG_SHA_256):"":"":42:PSA_ERROR_INVALID_ARGUMENT +derive_setup:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_ERROR_INVALID_ARGUMENT PSA key 
derivation: unsupported key derivation algorithm depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_setup:PSA_KEY_TYPE_DERIVE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ALG_HKDF(PSA_ALG_CATEGORY_HASH):"":"":42:PSA_ERROR_NOT_SUPPORTED +derive_setup::PSA_ALG_HKDF(PSA_ALG_CATEGORY_HASH):PSA_ERROR_NOT_SUPPORTED PSA key derivation: unsupported key derivation algorithm depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_setup:PSA_KEY_TYPE_DERIVE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ALG_CATEGORY_KEY_DERIVATION:"":"":42:PSA_ERROR_NOT_SUPPORTED +derive_setup:PSA_ALG_CATEGORY_KEY_DERIVATION:PSA_ERROR_NOT_SUPPORTED PSA key derivation: HKDF-SHA-256, good case depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C 
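Review bot: `+derive_setup::PSA_ALG_HKDF(PSA_ALG_CATEGORY_HASH):PSA_ERROR_NOT_SUPPORTED` has an empty first field (the double colon), so the line carries three arguments for a two-argument test function and the suite generator should reject or misparse it. The sibling lines in the same hunk show the intended form: `derive_setup:PSA_ALG_HKDF(PSA_ALG_CATEGORY_HASH):PSA_ERROR_NOT_SUPPORTED`.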
@@ -1963,17 +1955,9 @@ PSA key derivation: HKDF SHA-1, request maximum capacity depends_on:MBEDTLS_MD_C:MBEDTLS_SHA1_C derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_1):"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":"":"":255 * 20:"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48":"" -PSA key derivation: HKDF SHA-256, request too much capacity -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_setup:PSA_KEY_TYPE_DERIVE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ALG_HKDF(PSA_ALG_SHA_256):"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * 32 + 1:PSA_ERROR_INVALID_ARGUMENT - -PSA key derivation: HKDF SHA-1, request too much capacity -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA1_C -derive_setup:PSA_KEY_TYPE_DERIVE:"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":PSA_ALG_HKDF(PSA_ALG_SHA_1):"":"":255 * 20 + 1:PSA_ERROR_INVALID_ARGUMENT - PSA key derivation: TLS 1.2 PSK-to-MS, SHA-256, PSK too long (160 Bytes) -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_setup:PSA_KEY_TYPE_DERIVE:"01020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708":PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"":"":100:PSA_ERROR_INVALID_ARGUMENT +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION 
+derive_input:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SECRET:"01020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708":PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE PSA key derivation: over capacity 42: output 42+1 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index a049ee8cb..316f2edcd 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function 
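Review bot: The rewritten `PSK too long (160 Bytes)` case expects `PSA_ERROR_INVALID_ARGUMENT` from the SECRET step, but none of the library changes on this page produce it: psa_tls12_prf_set_key (PATCH 15) passes any length straight to psa_hmac_setup_internal, and PSK-to-MS algorithms are dispatched to that same function. Unless a later patch in the series adds a PSK length bound, this case fails at this point in the history and breaks bisecting; either move the test to the patch that adds the check or add the check alongside it.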
@@ -4034,41 +4034,20 @@ void key_derivation_init( ) } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_PRE_1_0_KEY_DERIVATION */ -void derive_setup( int key_type_arg, - data_t *key_data, - int alg_arg, - data_t *salt, - data_t *label, - int requested_capacity_arg, - int expected_status_arg ) +/* BEGIN_CASE */ +void derive_setup( int alg_arg, int expected_status_arg ) { - psa_key_handle_t handle = 0; - size_t key_type = key_type_arg; psa_algorithm_t alg = alg_arg; - size_t requested_capacity = requested_capacity_arg; psa_status_t expected_status = expected_status_arg; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; PSA_ASSERT( psa_crypto_init( ) ); - psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); - psa_set_key_algorithm( &attributes, alg ); - psa_set_key_type( &attributes, key_type ); - - PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, - &handle ) ); - - TEST_EQUAL( psa_key_derivation( &operation, handle, alg, - salt->x, salt->len, - label->x, label->len, - requested_capacity ), + TEST_EQUAL( psa_key_derivation_setup( &operation, alg ), expected_status ); exit: psa_key_derivation_abort( &operation ); - psa_destroy_key( handle ); PSA_DONE( ); } /* END_CASE */ From a27c927d4a30fa37a1ccb7f1b2074bd6eedb3ade Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 14 Jun 2019 09:59:36 +0100 Subject: [PATCH 19/34] Add test for psa_key_derivation_set_capacity This commit restores the test coverage to the level before adapting the derive_setup tests. --- tests/suites/test_suite_psa_crypto.data | 8 ++++++++ tests/suites/test_suite_psa_crypto.function | 22 +++++++++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index e58abf9ca..361308b63 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -1955,6 +1955,14 @@ PSA key derivation: HKDF SHA-1, request maximum capacity depends_on:MBEDTLS_MD_C:MBEDTLS_SHA1_C derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_1):"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":"":"":255 * 20:"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48":"" +PSA key derivation: HKDF SHA-256, request too much capacity +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +derive_set_capacity:PSA_ALG_HKDF(PSA_ALG_SHA_256):255 * 32 + 1:PSA_ERROR_INVALID_ARGUMENT + +PSA key derivation: HKDF SHA-1, request too much capacity +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA1_C +derive_set_capacity:PSA_ALG_HKDF(PSA_ALG_SHA_1):255 * 20 + 1:PSA_ERROR_INVALID_ARGUMENT + PSA key derivation: TLS 1.2 PSK-to-MS, SHA-256, PSK too long (160 Bytes) depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION derive_input:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SECRET:"01020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708":PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 316f2edcd..858356d9c 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function 
@@ -4052,6 +4052,28 @@ exit:
 }
 /* END_CASE */
+/* BEGIN_CASE */
+void derive_set_capacity( int alg_arg, int capacity_arg,
+ int expected_status_arg )
+{
+ psa_algorithm_t alg = alg_arg;
+ size_t capacity = capacity_arg;
+ psa_status_t expected_status = expected_status_arg;
+ psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
+
+ PSA_ASSERT( psa_crypto_init( ) );
+
+ PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) );
+
+ TEST_EQUAL( psa_key_derivation_set_capacity( &operation, capacity ),
+ expected_status );
+
+exit:
+ psa_key_derivation_abort( &operation );
+ PSA_DONE( );
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void derive_input( int alg_arg,
 int key_type_arg,
From adbec81cc4ec05a4adaeceac9a16b7f3f8b90138 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Fri, 14 Jun 2019 11:05:39 +0100
Subject: [PATCH 20/34] Remove the deprecated PSA_ALG_SELECT_RAW option
This change affects the psa_key_derivation_s structure. With the buffer removed from the union, it is empty if MBEDTLS_MD_C is not defined. We can avoid undefined behaviour by adding a new dummy field that is always present or make the whole union conditional on MBEDTLS_MD_C. In this latter case the initialiser macro has to depend on MBEDTLS_MD_C as well. Furthermore the first structure would be either psa_hkdf_key_derivation_t or psa_tls12_prf_key_derivation_t both of which are very deep and would make the initialisation macro difficult to maintain, therefore we go with the first option.
---
 include/psa/crypto_extra.h | 3 -
 include/psa/crypto_struct.h | 10 ++--
 library/psa_crypto.c | 73 +------------------------
 tests/suites/test_suite_psa_crypto.data | 4 --
 4 files changed, 7 insertions(+), 83 deletions(-)
diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index 3fc73b9d3..0ab589226 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@@ -283,9 +283,6 @@ psa_status_t psa_key_derivation(psa_key_derivation_operation_t *operation, size_t capacity); #endif /* PSA_PRE_1_0_KEY_DERIVATION */ -/* FIXME Deprecated. Remove this as soon as all the tests are updated. */ -#define PSA_ALG_SELECT_RAW ((psa_algorithm_t)0x31000001) - /** \addtogroup crypto_types * @{ */ diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index e6197cb9b..d9e9b86da 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -277,11 +277,8 @@ struct psa_key_derivation_s size_t capacity; union { - struct - { - uint8_t *data; - size_t size; - } buffer; + /* Make the union non-empty even with no supported algorithms. */ + uint8_t dummy; #if defined(MBEDTLS_MD_C) psa_hkdf_key_derivation_t hkdf; psa_tls12_prf_key_derivation_t tls12_prf; @@ -289,7 +286,8 @@ struct psa_key_derivation_s } ctx; }; -#define PSA_KEY_DERIVATION_OPERATION_INIT {0, 0, {{0, 0}}} +/* This only zeroes out the first byte in the union, the rest is unspecified. */ +#define PSA_KEY_DERIVATION_OPERATION_INIT {0, 0, {0}} static inline struct psa_key_derivation_s psa_key_derivation_operation_init( void ) { const struct psa_key_derivation_s v = PSA_KEY_DERIVATION_OPERATION_INIT; diff --git a/library/psa_crypto.c b/library/psa_crypto.c index bd9fca585..31520b8b1 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3865,16 +3865,6 @@ psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation * nothing to do. */ } else - if( kdf_alg == PSA_ALG_SELECT_RAW ) - { - if( operation->ctx.buffer.data != NULL ) - { - mbedtls_platform_zeroize( operation->ctx.buffer.data, - operation->ctx.buffer.size ); - mbedtls_free( operation->ctx.buffer.data ); - } - } - else #if defined(MBEDTLS_MD_C) if( PSA_ALG_IS_HKDF( kdf_alg ) ) { 
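Review bot: The comment added above `PSA_KEY_DERIVATION_OPERATION_INIT` in crypto_struct.h is accurate — `{0, 0, {0}}` initialises only `dummy`, so the `hkdf` and `tls12_prf` members of a freshly declared operation are indeterminate until something zeroes `ctx`. The abort hunk in this commit dispatches on `operation->alg`, which the macro does zero, so aborting an untouched operation is fine; what must hold is that the setup path (outside this diff) clears `ctx` before any later code tests `prf->seed` or `prf->label` for NULL, which I cannot confirm from here. Extending the comment makes the contract explicit: `/* Only the first byte of the union is zeroed; psa_key_derivation_setup() must clear the per-algorithm context before it is used. */`.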
@@ -4213,23 +4203,6 @@ psa_status_t psa_key_derivation_output_bytes( psa_key_derivation_operation_t *op
 }
 operation->capacity -= output_length;
 
- if( kdf_alg == PSA_ALG_SELECT_RAW )
- {
- /* Initially, the capacity of a selection operation is always
- * the size of the buffer, i.e. `operation->ctx.buffer.size`,
- * abbreviated in this comment as `size`. When the remaining
- * capacity is `c`, the next bytes to serve start `c` bytes
- * from the end of the buffer, i.e. `size - c` from the
- * beginning of the buffer. Since `operation->capacity` was just
- * decremented above, we need to serve the bytes from
- * `size - operation->capacity - output_length` to
- * `size - operation->capacity`. */
- size_t offset =
- operation->ctx.buffer.size - operation->capacity - output_length;
- memcpy( output, operation->ctx.buffer.data + offset, output_length );
- status = PSA_SUCCESS;
- }
- else
 #if defined(MBEDTLS_MD_C)
 if( PSA_ALG_IS_HKDF( kdf_alg ) )
 {
@@ -4237,16 +4210,17 @@ psa_status_t psa_key_derivation_output_bytes( psa_key_derivation_operation_t *op
 status = psa_key_derivation_hkdf_read( &operation->ctx.hkdf, hash_alg,
 output, output_length );
 }
+ else
 #if defined(PSA_PRE_1_0_KEY_DERIVATION)
- else if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
+ if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
 PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
 {
 status = psa_key_derivation_tls12_prf_read( &operation->ctx.tls12_prf,
 kdf_alg, output,
 output_length );
 }
-#endif /* PSA_PRE_1_0_KEY_DERIVATION */
 else
+#endif /* PSA_PRE_1_0_KEY_DERIVATION */
 #endif /* MBEDTLS_MD_C */
 {
 return( PSA_ERROR_BAD_STATE );
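Review bot: After the reshuffle in the second hunk, the TLS 1.2 PRF / PSK-to-MS read branch of psa_key_derivation_output_bytes is compiled only when PSA_PRE_1_0_KEY_DERIVATION is defined; with that macro undefined, the `else` now placed before the `#if` falls straight through to `return( PSA_ERROR_BAD_STATE );`, so an operation set up with a TLS12 algorithm cannot produce output in that configuration. The input side added later in this series (psa_key_derivation_input_internal) guards the same algorithms with MBEDTLS_MD_C only, so the two halves disagree unless a later patch lifts the guard here. If the asymmetry is intentional for now, a comment such as `/* TLS12 output is only available with PSA_PRE_1_0_KEY_DERIVATION until the read path is ported. */` above the `#if` would stop readers reporting it as a bug; if not, the `#if`/`#endif` pair around the TLS12 arm should match the guard used on the input side. The enclosing function starts and ends outside these hunks.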
@@ -4509,23 +4483,6 @@ static psa_status_t psa_key_derivation_internal(
 /* Set operation->alg even on failure so that abort knows what to do. */
 operation->alg = alg;
 
- if( alg == PSA_ALG_SELECT_RAW )
- {
- (void) salt;
- if( salt_length != 0 )
- return( PSA_ERROR_INVALID_ARGUMENT );
- (void) label;
- if( label_length != 0 )
- return( PSA_ERROR_INVALID_ARGUMENT );
- operation->ctx.buffer.data = mbedtls_calloc( 1, secret_length );
- if( operation->ctx.buffer.data == NULL )
- return( PSA_ERROR_INSUFFICIENT_MEMORY );
- memcpy( operation->ctx.buffer.data, secret, secret_length );
- operation->ctx.buffer.size = secret_length;
- max_capacity = secret_length;
- status = PSA_SUCCESS;
- }
- else
 #if defined(MBEDTLS_MD_C)
 if( PSA_ALG_IS_HKDF( alg ) )
 {
@@ -4848,25 +4805,6 @@ static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf,
 #endif /* PSA_PRE_1_0_KEY_DERIVATION */
 #endif /* MBEDTLS_MD_C */
 
-static psa_status_t psa_key_derivation_input_raw(
- psa_key_derivation_operation_t *operation,
- const uint8_t *data,
- size_t data_length )
-{
- if( operation->capacity != 0 )
- return( PSA_ERROR_INVALID_ARGUMENT );
-
- operation->ctx.buffer.data = mbedtls_calloc( 1, data_length );
- if( operation->ctx.buffer.data == NULL )
- return( PSA_ERROR_INSUFFICIENT_MEMORY );
-
- memcpy( operation->ctx.buffer.data, data, data_length );
- operation->ctx.buffer.size = data_length;
- operation->capacity = data_length;
-
- return PSA_SUCCESS;
-}
-
 static psa_status_t psa_key_derivation_input_internal(
 psa_key_derivation_operation_t *operation,
 psa_key_derivation_step_t step,
@@ -4876,11 +4814,6 @@ static psa_status_t psa_key_derivation_input_internal(
 psa_status_t status;
 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation );
 
- if( kdf_alg == PSA_ALG_SELECT_RAW )
- {
- status = psa_key_derivation_input_raw( operation, data, data_length );
- }
- else
 #if defined(MBEDTLS_MD_C)
 if( PSA_ALG_IS_HKDF( kdf_alg ) )
 {
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 361308b63..d9f02715a 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -1767,10 +1767,6 @@ PSA key derivation: TLS 1.2 PRF SHA-256, good case
 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_setup:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_SUCCESS
 
-PSA key derivation: not a key derivation algorithm (selection)
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
-derive_setup:PSA_ALG_SELECT_RAW:PSA_ERROR_INVALID_ARGUMENT
-
 PSA key derivation: not a key derivation algorithm (HMAC)
 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_setup:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_ERROR_INVALID_ARGUMENT
From c56215163fa2abd1d735b75c77866c7b1f9dab80 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Fri, 14 Jun 2019 11:27:57 +0100
Subject: [PATCH 21/34] Simplify psa_key_derivation_input_bytes

The specific key derivation input functions support a subset of the input options and need to check it anyway. Checking it at the top level is redundant, it brings a very little value and comes with a cost in code size and maintainability.
---
 library/psa_crypto.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 31520b8b1..7b1d16b78 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -4851,17 +4851,11 @@ psa_status_t psa_key_derivation_input_bytes( psa_key_derivation_operation_t *ope
 const uint8_t *data,
 size_t data_length )
 {
- switch( step )
- {
- case PSA_KEY_DERIVATION_INPUT_LABEL:
- case PSA_KEY_DERIVATION_INPUT_SALT:
- case PSA_KEY_DERIVATION_INPUT_INFO:
- case PSA_KEY_DERIVATION_INPUT_SEED:
- return( psa_key_derivation_input_internal( operation, step,
- data, data_length ) );
- default:
- return( PSA_ERROR_INVALID_ARGUMENT );
- }
+ if( step == PSA_KEY_DERIVATION_INPUT_SECRET )
+ return( PSA_ERROR_INVALID_ARGUMENT );
+
+ return( psa_key_derivation_input_internal( operation, step,
+ data, data_length ) );
 }
 
 psa_status_t psa_key_derivation_input_key( psa_key_derivation_operation_t *operation,
From 51f4a0f9acc284fe42535a01aab9dceed3669040 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Fri, 14 Jun 2019 11:35:55 +0100
Subject: [PATCH 22/34] Style: enforce 80 column limit

---
 library/psa_crypto.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 7b1d16b78..093d2e568 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -4846,10 +4846,11 @@ static psa_status_t psa_key_derivation_input_internal(
 return( status );
 }
 
-psa_status_t psa_key_derivation_input_bytes( psa_key_derivation_operation_t *operation,
- psa_key_derivation_step_t step,
- const uint8_t *data,
- size_t data_length )
+psa_status_t psa_key_derivation_input_bytes(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length )
 {
 if( step == PSA_KEY_DERIVATION_INPUT_SECRET )
 return( PSA_ERROR_INVALID_ARGUMENT );
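Review bot: The SECRET rejection at the top of psa_key_derivation_input_bytes is now the only step check left at this level, and nothing says why that one step is special while LABEL, SALT, INFO and SEED are delegated to the per-algorithm input functions; a reader comparing this with the removed switch will wonder whether it is a leftover. The separate psa_key_derivation_input_key entry point below suggests the intent is that secret material must arrive through a key object so that a policy check can apply, but that is inferred rather than stated. Suggest `/* Secret material must enter through psa_key_derivation_input_key so the key's policy is checked; every other step is validated by the per-algorithm input function. */` above the check, adjusted if the motivation is different.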
@@ -4858,9 +4859,10 @@ psa_status_t psa_key_derivation_input_bytes( psa_key_derivation_operation_t *ope
 data, data_length ) );
 }
 
-psa_status_t psa_key_derivation_input_key( psa_key_derivation_operation_t *operation,
- psa_key_derivation_step_t step,
- psa_key_handle_t handle )
+psa_status_t psa_key_derivation_input_key(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ psa_key_handle_t handle )
 {
 psa_key_slot_t *slot;
 psa_status_t status;
From 6660f0eb9819c15ddfd6355a4daaffe1c160c1d7 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Mon, 17 Jun 2019 08:44:03 +0100
Subject: [PATCH 23/34] Add TLS 1.2 PSK master secret generation

---
 library/psa_crypto.c | 74 +++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 69 insertions(+), 5 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 093d2e568..b64662906 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -4727,6 +4727,22 @@ static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf,
 
 return( PSA_ERROR_INVALID_ARGUMENT );
 }
+
+static psa_status_t psa_tls12_prf_psk_to_ms_input(
+ psa_tls12_prf_key_derivation_t *prf,
+ psa_algorithm_t hash_alg,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length )
+{
+ (void) prf;
+ (void) hash_alg;
+ (void) step;
+ (void) data;
+ (void) data_length;
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
 #else
 static psa_status_t psa_tls12_prf_set_seed( psa_tls12_prf_key_derivation_t *prf,
 const uint8_t *data,
@@ -4765,6 +4781,38 @@ static psa_status_t psa_tls12_prf_set_key( psa_tls12_prf_key_derivation_t *prf,
 return( PSA_SUCCESS );
 }
 
+static psa_status_t psa_tls12_prf_psk_to_ms_set_key(
+ psa_tls12_prf_key_derivation_t *prf,
+ psa_algorithm_t hash_alg,
+ const uint8_t *data,
+ size_t data_length )
+{
+ psa_status_t status;
+ unsigned char pms[ 4 + 2 * PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN ];
+
+ if( data_length > PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN )
+ return( PSA_ERROR_INVALID_ARGUMENT );
+
+ /* Quoting RFC 4279, Section 2:
+ *
+ * The premaster secret is formed as follows: if the PSK is N octets
+ * long, concatenate a uint16 with the value N, N zero octets, a second
+ * uint16 with the value N, and the PSK itself.
+ */
+
+ pms[0] = ( data_length >> 8 ) & 0xff;
+ pms[1] = ( data_length >> 0 ) & 0xff;
+ memset( pms + 2, 0, data_length );
+ pms[2 + data_length + 0] = pms[0];
+ pms[2 + data_length + 1] = pms[1];
+ memcpy( pms + 4 + data_length, data, data_length );
+
+ status = psa_tls12_prf_set_key( prf, hash_alg, pms, 4 + 2 * data_length );
+
+ mbedtls_platform_zeroize( pms, sizeof( pms ) );
+ return( status );
+}
+
 static psa_status_t psa_tls12_prf_set_label( psa_tls12_prf_key_derivation_t *prf,
 const uint8_t *data,
 size_t data_length )
@@ -4802,6 +4850,20 @@ static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf,
 return( PSA_ERROR_INVALID_ARGUMENT );
 }
 }
+
+static psa_status_t psa_tls12_prf_psk_to_ms_input(
+ psa_tls12_prf_key_derivation_t *prf,
+ psa_algorithm_t hash_alg,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length )
+{
+ if( step == PSA_KEY_DERIVATION_INPUT_SECRET )
+ return( psa_tls12_prf_psk_to_ms_set_key( prf, hash_alg,
+ data, data_length ) );
+
+ return( psa_tls12_prf_input( prf, hash_alg, step, data, data_length ) );
+}
 #endif /* PSA_PRE_1_0_KEY_DERIVATION */
 #endif /* MBEDTLS_MD_C */
 
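Review bot: psa_tls12_prf_psk_to_ms_set_key has no header comment, and two properties of it are only implicit in the first hunk: it builds the premaster secret for the plain PSK key exchange of RFC 4279 Section 2 (the "N zero octets" form), so it is not usable as-is for the RSA-PSK or DHE-PSK variants where the first half carries a different secret; and the two uint16 length fields written at pms[0..1] and pms[2+N..3+N] are only well-formed while PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN stays below 65536, which the `data_length >` check enforces only indirectly through the macro's value. Suggest a comment above the function along the lines of `/* Build the RFC 4279 Section 2 premaster secret for a plain-PSK exchange (uint16 N || N zero bytes || uint16 N || PSK) and feed it to psa_tls12_prf_set_key. data_length must not exceed PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN, which must itself fit in a uint16. */`. Zeroizing the stack copy of the premaster secret before returning is the right call; how psa_tls12_prf_set_key stores the key is outside this hunk.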
@@ -4824,15 +4886,17 @@ static psa_status_t psa_key_derivation_input_internal(
 else
 #endif /* MBEDTLS_MD_C */
 #if defined(MBEDTLS_MD_C)
- /* TLS-1.2 PRF and TLS-1.2 PSK-to-MS are very similar, so share code. */
- if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
- PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
+ if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) )
 {
- // To do: implement this
 status = psa_tls12_prf_input( &operation->ctx.tls12_prf,
 PSA_ALG_HKDF_GET_HASH( kdf_alg ),
 step, data, data_length );
-
+ }
+ else if( PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
+ {
+ status = psa_tls12_prf_psk_to_ms_input( &operation->ctx.tls12_prf,
+ PSA_ALG_HKDF_GET_HASH( kdf_alg ),
+ step, data, data_length );
 }
 else
 #endif /* MBEDTLS_MD_C */
From 1468da76a5cf2429b1f99219c8fdfb595a08c9b7 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Wed, 29 May 2019 17:35:49 +0200
Subject: [PATCH 24/34] Convert derive_output to the new KDF API

---
 tests/suites/test_suite_psa_crypto.data | 100 ++++++++++----------
 tests/suites/test_suite_psa_crypto.function | 64 ++++++-------
 2 files changed, 82 insertions(+), 82 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index d9f02715a..f618e13db 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
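Review bot: Both new dispatch arms extract the hash from a TLS 1.2 algorithm with `PSA_ALG_HKDF_GET_HASH( kdf_alg )`, which reads as carried over from the HKDF branch; the algorithm encoding makes it yield the same value today, but the header provides accessors for these families. Suggest `PSA_ALG_TLS12_PRF_GET_HASH( kdf_alg )` in the PRF arm and `PSA_ALG_TLS12_PSK_TO_MS_GET_HASH( kdf_alg )` in the PSK-to-MS arm so the code does not silently depend on the three families sharing a hash-mask layout. Separately, the `#endif /* MBEDTLS_MD_C */` immediately followed by `#if defined(MBEDTLS_MD_C)` at the top of the hunk could be collapsed into one guarded region now that the TLS12 branches are real code rather than a placeholder. The enclosing function starts and ends outside this hunk.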
@@ -1829,127 +1829,127 @@ test_derive_invalid_key_derivation_tests: PSA key derivation: HKDF SHA-256, RFC5869 #1, output 42+0 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":"" +derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":"" PSA key derivation: HKDF SHA-256, RFC5869 #1, output 32+10 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf":"34007208d5b887185865" +derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf":"34007208d5b887185865" PSA key derivation: HKDF SHA-256, RFC5869 #1, output 0+42 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":42:"":"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865" 
+derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":42:"":"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865" PSA key derivation: HKDF SHA-256, RFC5869 #1, output 1+41 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":42:"3c":"b25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865" +derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":42:"3c":"b25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865" PSA key derivation: HKDF SHA-256, RFC5869 #1, output 41+0 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b8871858":"" +derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b8871858":"" PSA key derivation: HKDF SHA-256, RFC5869 #1, output 1+40 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":42:"3c":"b25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b8871858" 
+derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":42:"3c":"b25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b8871858" PSA key derivation: HKDF SHA-256, RFC5869 #2, output 82+0 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":82:"b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87":"" +derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":PSA_KEY_DERIVATION_INPUT_SECRET:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":PSA_KEY_DERIVATION_INPUT_INFO:"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":82:"b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87":"" PSA key derivation: HKDF SHA-256, RFC5869 #3, output 42+0 
depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"":42:"8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8":"" +derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"":42:"8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8":"" PSA key derivation: HKDF SHA-1, RFC5869 #4, output 42+0 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA1_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_1):"0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":42:"085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896":"" +derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":42:"085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896":"" PSA key derivation: HKDF SHA-1, RFC5869 #5, output 82+0 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA1_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_1):"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":82:"0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4":"" 
+derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":PSA_KEY_DERIVATION_INPUT_SECRET:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":PSA_KEY_DERIVATION_INPUT_INFO:"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":82:"0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4":"" PSA key derivation: HKDF SHA-1, RFC5869 #6, output 42+0 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA1_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_1):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"":42:"0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918":"" +derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"":42:"0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918":"" PSA key derivation: HKDF SHA-1, RFC5869 #7, output 42+0 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA1_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_1):"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":"":"":42:"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48":"" +derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":PSA_KEY_DERIVATION_INPUT_INFO:"":42:"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48":"" # Test vectors taken from 
https://www.ietf.org/mail-archive/web/tls/current/msg03416.html PSA key derivation: TLS 1.2 PRF SHA-256, output 100+0 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION -derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"9bbe436ba940f017b17652849a71db35":"a0ba9f936cda311827a6f796ffd5198c":"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa022f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b66":"" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"a0ba9f936cda311827a6f796ffd5198c":PSA_KEY_DERIVATION_INPUT_SECRET:"9bbe436ba940f017b17652849a71db35":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa022f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b66":"" PSA key derivation: TLS 1.2 PRF SHA-256, output 99+1 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION -derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"9bbe436ba940f017b17652849a71db35":"a0ba9f936cda311827a6f796ffd5198c":"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa022f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b":"66" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION 
+derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"a0ba9f936cda311827a6f796ffd5198c":PSA_KEY_DERIVATION_INPUT_SECRET:"9bbe436ba940f017b17652849a71db35":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa022f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b":"66" PSA key derivation: TLS 1.2 PRF SHA-256, output 1+99 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION -derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"9bbe436ba940f017b17652849a71db35":"a0ba9f936cda311827a6f796ffd5198c":"74657374206c6162656c":100:"e3":"f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa022f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b66" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"a0ba9f936cda311827a6f796ffd5198c":PSA_KEY_DERIVATION_INPUT_SECRET:"9bbe436ba940f017b17652849a71db35":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":100:"e3":"f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa022f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b66" PSA key derivation: TLS 1.2 PRF SHA-256, output 50+50 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION -derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"9bbe436ba940f017b17652849a71db35":"a0ba9f936cda311827a6f796ffd5198c":"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa0":"22f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b66" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION 
+derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"a0ba9f936cda311827a6f796ffd5198c":PSA_KEY_DERIVATION_INPUT_SECRET:"9bbe436ba940f017b17652849a71db35":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa0":"22f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b66" PSA key derivation: TLS 1.2 PRF SHA-256, output 50+49 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION -derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"9bbe436ba940f017b17652849a71db35":"a0ba9f936cda311827a6f796ffd5198c":"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa0":"22f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"a0ba9f936cda311827a6f796ffd5198c":PSA_KEY_DERIVATION_INPUT_SECRET:"9bbe436ba940f017b17652849a71db35":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa0":"22f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b" PSA key derivation: TLS 1.2 PRF SHA-384, output 148+0 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION 
-derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):"b80b733d6ceefcdc71566ea48e5567df":"cd665cf6a8447dd6ff8b27555edb7465":"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792eca722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e56f":"" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"cd665cf6a8447dd6ff8b27555edb7465":PSA_KEY_DERIVATION_INPUT_SECRET:"b80b733d6ceefcdc71566ea48e5567df":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792eca722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e56f":"" PSA key derivation: TLS 1.2 PRF SHA-384, output 147+1 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION -derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):"b80b733d6ceefcdc71566ea48e5567df":"cd665cf6a8447dd6ff8b27555edb7465":"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792eca722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e5":"6f" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION 
+derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"cd665cf6a8447dd6ff8b27555edb7465":PSA_KEY_DERIVATION_INPUT_SECRET:"b80b733d6ceefcdc71566ea48e5567df":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792eca722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e5":"6f" PSA key derivation: TLS 1.2 PRF SHA-384, output 1+147 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION -derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):"b80b733d6ceefcdc71566ea48e5567df":"cd665cf6a8447dd6ff8b27555edb7465":"74657374206c6162656c":148:"7b":"0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792eca722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e56f" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"cd665cf6a8447dd6ff8b27555edb7465":PSA_KEY_DERIVATION_INPUT_SECRET:"b80b733d6ceefcdc71566ea48e5567df":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":148:"7b":"0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792eca722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e56f" PSA key derivation: TLS 1.2 PRF SHA-384, output 74+74 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION 
-derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):"b80b733d6ceefcdc71566ea48e5567df":"cd665cf6a8447dd6ff8b27555edb7465":"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792ec":"a722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e56f" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"cd665cf6a8447dd6ff8b27555edb7465":PSA_KEY_DERIVATION_INPUT_SECRET:"b80b733d6ceefcdc71566ea48e5567df":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792ec":"a722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e56f" PSA key derivation: TLS 1.2 PRF SHA-384, output 74+73 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION -derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):"b80b733d6ceefcdc71566ea48e5567df":"cd665cf6a8447dd6ff8b27555edb7465":"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792ec":"a722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e5" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION 
+derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"cd665cf6a8447dd6ff8b27555edb7465":PSA_KEY_DERIVATION_INPUT_SECRET:"b80b733d6ceefcdc71566ea48e5567df":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792ec":"a722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e5" # Test case manually extracted from debug output of TLS-PSK run # Label: "master secret" # Salt: Concatenation of ClientHello.Random and ServerHello.Random PSA key derivation: TLS 1.2 PSK-to-MS, SHA-256, 48+0 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION -derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":48:"5a9dd5ffa78b4d1f28f40d91b4e6e6ed37849042d61ba32ca43d866e744cee7cd1baaa497e1ecd5c2e60f9f13030a710":"" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":PSA_KEY_DERIVATION_INPUT_SECRET:"01020304":PSA_KEY_DERIVATION_INPUT_LABEL:"6d617374657220736563726574":48:"5a9dd5ffa78b4d1f28f40d91b4e6e6ed37849042d61ba32ca43d866e744cee7cd1baaa497e1ecd5c2e60f9f13030a710":"" PSA key derivation: TLS 1.2 PSK-to-MS, SHA-256, 24+24 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION 
-derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":48:"5a9dd5ffa78b4d1f28f40d91b4e6e6ed37849042d61ba32c":"a43d866e744cee7cd1baaa497e1ecd5c2e60f9f13030a710" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":PSA_KEY_DERIVATION_INPUT_SECRET:"01020304":PSA_KEY_DERIVATION_INPUT_LABEL:"6d617374657220736563726574":48:"5a9dd5ffa78b4d1f28f40d91b4e6e6ed37849042d61ba32c":"a43d866e744cee7cd1baaa497e1ecd5c2e60f9f13030a710" PSA key derivation: TLS 1.2 PSK-to-MS, SHA-256, 0+48 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:PSA_PRE_1_0_KEY_DERIVATION -derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":48:"":"5a9dd5ffa78b4d1f28f40d91b4e6e6ed37849042d61ba32ca43d866e744cee7cd1baaa497e1ecd5c2e60f9f13030a710" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":PSA_KEY_DERIVATION_INPUT_SECRET:"01020304":PSA_KEY_DERIVATION_INPUT_LABEL:"6d617374657220736563726574":48:"":"5a9dd5ffa78b4d1f28f40d91b4e6e6ed37849042d61ba32ca43d866e744cee7cd1baaa497e1ecd5c2e60f9f13030a710" PSA key derivation: TLS 1.2 PSK-to-MS, SHA-384, 48+0 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION 
-derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):"01020304":"5bed47716a11a49a6268a8350b085929116ad9ccc8181f09a05b07a7741576d65bed47718dfd82f2d3f57544afe52decae6819b970dc716ada72ae0dd3072e9a":"6d617374657220736563726574":48:"f5a61fbdd2ec415762abb8042a6c16645a53d2edb6dec8c85ca71689301f9f4d875128c87608b75250b20a9550e4fe18":"" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"5bed47716a11a49a6268a8350b085929116ad9ccc8181f09a05b07a7741576d65bed47718dfd82f2d3f57544afe52decae6819b970dc716ada72ae0dd3072e9a":PSA_KEY_DERIVATION_INPUT_SECRET:"01020304":PSA_KEY_DERIVATION_INPUT_LABEL:"6d617374657220736563726574":48:"f5a61fbdd2ec415762abb8042a6c16645a53d2edb6dec8c85ca71689301f9f4d875128c87608b75250b20a9550e4fe18":"" PSA key derivation: TLS 1.2 PSK-to-MS, SHA-384, 24+24 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION -derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):"01020304":"5bed47716a11a49a6268a8350b085929116ad9ccc8181f09a05b07a7741576d65bed47718dfd82f2d3f57544afe52decae6819b970dc716ada72ae0dd3072e9a":"6d617374657220736563726574":48:"":"f5a61fbdd2ec415762abb8042a6c16645a53d2edb6dec8c85ca71689301f9f4d875128c87608b75250b20a9550e4fe18" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"5bed47716a11a49a6268a8350b085929116ad9ccc8181f09a05b07a7741576d65bed47718dfd82f2d3f57544afe52decae6819b970dc716ada72ae0dd3072e9a":PSA_KEY_DERIVATION_INPUT_SECRET:"01020304":PSA_KEY_DERIVATION_INPUT_LABEL:"6d617374657220736563726574":48:"":"f5a61fbdd2ec415762abb8042a6c16645a53d2edb6dec8c85ca71689301f9f4d875128c87608b75250b20a9550e4fe18" PSA key derivation: TLS 1.2 PSK-to-MS, SHA-384, 0+48 -depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:PSA_PRE_1_0_KEY_DERIVATION 
-derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):"01020304":"5bed47716a11a49a6268a8350b085929116ad9ccc8181f09a05b07a7741576d65bed47718dfd82f2d3f57544afe52decae6819b970dc716ada72ae0dd3072e9a":"6d617374657220736563726574":48:"f5a61fbdd2ec415762abb8042a6c16645a53d2edb6dec8c8":"5ca71689301f9f4d875128c87608b75250b20a9550e4fe18" +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION +derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"5bed47716a11a49a6268a8350b085929116ad9ccc8181f09a05b07a7741576d65bed47718dfd82f2d3f57544afe52decae6819b970dc716ada72ae0dd3072e9a":PSA_KEY_DERIVATION_INPUT_SECRET:"01020304":PSA_KEY_DERIVATION_INPUT_LABEL:"6d617374657220736563726574":48:"f5a61fbdd2ec415762abb8042a6c16645a53d2edb6dec8c8":"5ca71689301f9f4d875128c87608b75250b20a9550e4fe18" PSA key derivation: HKDF SHA-256, request maximum capacity depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * 32:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":"" +derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":255 * 32:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":"" PSA key derivation: HKDF SHA-1, request maximum capacity depends_on:MBEDTLS_MD_C:MBEDTLS_SHA1_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_1):"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":"":"":255 * 20:"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48":"" +derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":PSA_KEY_DERIVATION_INPUT_INFO:"":255 * 
20:"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48":"" PSA key derivation: HKDF SHA-256, request too much capacity depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C 
@@ -1965,19 +1965,19 @@ derive_input:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KE PSA key derivation: over capacity 42: output 42+1 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":"ff" +derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":"ff" PSA key derivation: over capacity 42: output 41+2 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b8871858":"65ff" +derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b8871858":"65ff" PSA key derivation: over capacity 42: output 43+0 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865ff":"" 
+derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865ff":"" PSA key derivation: over capacity 42: output 43+1 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C -derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865ff":"ff" +derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865ff":"ff" PSA key derivation: HKDF SHA-256, read maximum capacity minus 1 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 858356d9c..8e638b68d 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function 
@@ -4213,15 +4213,17 @@ exit: /* BEGIN_CASE */ void derive_output( int alg_arg, - data_t *key_data, - data_t *salt, - data_t *label, + int step1_arg, data_t *input1, + int step2_arg, data_t *input2, + int step3_arg, data_t *input3, int requested_capacity_arg, data_t *expected_output1, data_t *expected_output2 ) { - psa_key_handle_t handle = 0; psa_algorithm_t alg = alg_arg; + psa_key_derivation_step_t steps[] = {step1_arg, step2_arg, step3_arg}; + data_t *inputs[] = {input1, input2, input3}; + psa_key_handle_t handles[] = {0, 0, 0}; size_t requested_capacity = requested_capacity_arg; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; uint8_t *expected_outputs[2] = @@ -4234,7 +4236,7 @@ void derive_output( int alg_arg, size_t current_capacity; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_status_t status; - unsigned i; + size_t i; for( i = 0; i < ARRAY_LENGTH( expected_outputs ); i++ ) { 
@@ -4250,35 +4252,32 @@ void derive_output( int alg_arg, psa_set_key_algorithm( &attributes, alg ); psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE ); - PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, - &handle ) ); - /* Extraction phase. */ - if( PSA_ALG_IS_HKDF( alg ) ) + PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); + PSA_ASSERT( psa_key_derivation_set_capacity( &operation, + requested_capacity ) ); + for( i = 0; i < ARRAY_LENGTH( steps ); i++ ) { - PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) ); - PSA_ASSERT( psa_key_derivation_set_capacity( &operation, - requested_capacity ) ); - PSA_ASSERT( psa_key_derivation_input_bytes( &operation, - PSA_KEY_DERIVATION_INPUT_SALT, - salt->x, salt->len ) ); - PSA_ASSERT( psa_key_derivation_input_key( &operation, - PSA_KEY_DERIVATION_INPUT_SECRET, - handle ) ); - PSA_ASSERT( psa_key_derivation_input_bytes( &operation, - PSA_KEY_DERIVATION_INPUT_INFO, - label->x, label->len ) ); + switch( steps[i] ) + { + case 0: + break; + case PSA_KEY_DERIVATION_INPUT_SECRET: + PSA_ASSERT( psa_import_key( &attributes, + inputs[i]->x, inputs[i]->len, + &handles[i] ) ); + PSA_ASSERT( psa_key_derivation_input_key( + &operation, steps[i], + handles[i] ) ); + break; + default: + PSA_ASSERT( psa_key_derivation_input_bytes( + &operation, steps[i], + inputs[i]->x, inputs[i]->len ) ); + break; + } } -#if defined(PSA_PRE_1_0_KEY_DERIVATION) - else - { - // legacy - PSA_ASSERT( psa_key_derivation( &operation, handle, alg, - salt->x, salt->len, - label->x, label->len, - requested_capacity ) ); - } -#endif + PSA_ASSERT( psa_key_derivation_get_capacity( &operation, ¤t_capacity ) ); TEST_EQUAL( current_capacity, requested_capacity ); @@ -4321,7 +4320,8 @@ void derive_output( int alg_arg, exit: mbedtls_free( output_buffer ); psa_key_derivation_abort( &operation ); - psa_destroy_key( handle ); + for( i = 0; i < ARRAY_LENGTH( handles ); i++ ) + psa_destroy_key( handles[i] ); PSA_DONE( ); } /* END_CASE */ 
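Review bot: The `switch( steps[i] )` in the new input loop relies on an undocumented sentinel — a step value of `0` silently skips the slot — and on the fact that only `PSA_KEY_DERIVATION_INPUT_SECRET` is imported as a key while every other step goes through `psa_key_derivation_input_bytes()`. A comment on the `case 0:` line would save the next test author a trip to the .data file, e.g. `/* 0 = no input at this position */`, and on the SECRET case `/* Secrets are imported as keys so the input_key() path and key policy are exercised; all other steps are fed as raw bytes. */`. Since `handles[i]` is only assigned on the SECRET path, the destroy loop in the later hunk calls `psa_destroy_key( 0 )` for the other slots, which is presumably harmless but returns an ignored error. derive_output's body continues outside the hunk.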
From 6c6c8fceaac62a570bb89ba7c7b09eb43d50fdb1 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 17 Jun 2019 12:38:20 +0100 Subject: [PATCH 25/34] Improve style --- library/psa_crypto.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index b64662906..95f9197d1 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4131,10 +4131,10 @@ cleanup: /* Read some bytes from an TLS-1.2-PRF-based operation. * See Section 5 of RFC 5246. */ static psa_status_t psa_key_derivation_tls12_prf_read( - psa_tls12_prf_key_derivation_t *tls12_prf, - psa_algorithm_t alg, - uint8_t *output, - size_t output_length ) + psa_tls12_prf_key_derivation_t *tls12_prf, + psa_algorithm_t alg, + uint8_t *output, + size_t output_length ) { psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH( alg ); uint8_t hash_length = PSA_HASH_SIZE( hash_alg ); @@ -4149,7 +4149,7 @@ static psa_status_t psa_key_derivation_tls12_prf_read( if( n == 0 ) { status = psa_key_derivation_tls12_prf_generate_next_block( tls12_prf, - alg ); + alg ); if( status != PSA_SUCCESS ) return( status ); @@ -4170,9 +4170,10 @@ static psa_status_t psa_key_derivation_tls12_prf_read( #endif /* PSA_PRE_1_0_KEY_DERIVATION */ #endif /* MBEDTLS_MD_C */ -psa_status_t psa_key_derivation_output_bytes( psa_key_derivation_operation_t *operation, - uint8_t *output, - size_t output_length ) +psa_status_t psa_key_derivation_output_bytes( + psa_key_derivation_operation_t *operation, + uint8_t *output, + size_t output_length ) { psa_status_t status; psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation ); From 7742feea539d5b55ebdb4b9dd03f9a2b3c390d16 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 17 Jun 2019 12:58:10 +0100 Subject: [PATCH 26/34] Add stub for new tls12_prf_generate_next_block --- library/psa_crypto.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) 
diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 95f9197d1..74ca1d671 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4125,6 +4125,50 @@ cleanup: return( status ); } +#else +static psa_status_t psa_key_derivation_tls12_prf_generate_next_block( + psa_tls12_prf_key_derivation_t *tls12_prf, + psa_algorithm_t alg ) +{ + psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( alg ); + uint8_t hash_length = PSA_HASH_SIZE( hash_alg ); + psa_status_t status; + + /* We can't be wanting more output after block 0xff, otherwise + * the capacity check in psa_key_derivation_output_bytes() would have + * prevented this call. It could happen only if the operation + * object was corrupted or if this function is called directly + * inside the library. */ + if( tls12_prf->block_number == 0xff ) + return( PSA_ERROR_BAD_STATE ); + + /* We need a new block */ + ++tls12_prf->block_number; + tls12_prf->offset_in_block = 0; + + /* Recall the definition of the TLS-1.2-PRF from RFC 5246: + * + * PRF(secret, label, seed) = P_(secret, label + seed) + * + * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) + + * HMAC_hash(secret, A(2) + seed) + + * HMAC_hash(secret, A(3) + seed) + ... + * + * A(0) = seed + * A(i) = HMAC_hash( secret, A(i-1) ) + * + * The `psa_tls12_prf_key_derivation` structures saves the block + * `HMAC_hash(secret, A(i) + seed)` from which the output + * is currently extracted as `output_block`. + */ + + (void) hash_length; + (void) status; + +cleanup: + + return( PSA_ERROR_NOT_SUPPORTED ); +} #endif /* PSA_PRE_1_0_KEY_DERIVATION */ #if defined(PSA_PRE_1_0_KEY_DERIVATION) From 844eb0e5fae1f1f9e1cae45cfa08e34caa587e1e Mon Sep 17 00:00:00 2001 
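Review bot: The stub derives `hash_alg` with `PSA_ALG_HKDF_GET_HASH( alg )` even though this is the TLS-1.2 PRF path; the sibling `psa_key_derivation_tls12_prf_read()` uses `PSA_ALG_TLS12_PRF_GET_HASH( alg )` for the same purpose. The two macros presumably extract the same hash bits today, but the mismatch hides intent and would break silently if the encodings ever diverged, so I would write `psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH( alg );`. The RFC transcription in the comment also drops the hash name: `P_(secret, label + seed)` should read `P_hash(secret, label + seed)`, matching the `P_hash` definition on the following lines. The justification for the `block_number == 0xff` guard only holds if setup caps the operation's capacity at 255 * hash_length for this algorithm, which is outside this hunk.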
From: Janos Follath Date: Wed, 19 Jun 2019 12:10:49 +0100 Subject: [PATCH 27/34] Add tls12_prf_read for the new API Technically we could have reused the old one for the new API, but then we had to set an extra field during setup. The new version works when all the fields that haven't been set explicitely are zero-initialised. --- include/psa/crypto_struct.h | 4 ++-- library/psa_crypto.c | 41 ++++++++++++++++++++++++++++++++++++- 2 files changed, 42 insertions(+), 3 deletions(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index d9e9b86da..fdf78a8eb 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -250,8 +250,8 @@ typedef struct psa_tls12_prf_key_derivation_s #endif /* Indicates how many bytes in the current HMAC block have - * already been read by the user. */ - uint8_t offset_in_block; + * not yet been read by the user. */ + uint8_t left_in_block; /* The 1-based number of the block. */ uint8_t block_number; diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 74ca1d671..ba9b3e346 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4144,7 +4144,7 @@ static psa_status_t psa_key_derivation_tls12_prf_generate_next_block( /* We need a new block */ ++tls12_prf->block_number; - tls12_prf->offset_in_block = 0; + tls12_prf->left_in_block = hash_length; /* Recall the definition of the TLS-1.2-PRF from RFC 5246: * 
@@ -4211,6 +4211,45 @@ static psa_status_t psa_key_derivation_tls12_prf_read( return( PSA_SUCCESS ); } +#else +static psa_status_t psa_key_derivation_tls12_prf_read( + psa_tls12_prf_key_derivation_t *tls12_prf, + psa_algorithm_t alg, + uint8_t *output, + size_t output_length ) +{ + psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH( alg ); + uint8_t hash_length = PSA_HASH_SIZE( hash_alg ); + psa_status_t status; + uint8_t offset, length; + + while( output_length != 0 ) + { + /* Check if we have fully processed the current block. */ + if( tls12_prf->left_in_block == 0 ) + { + status = psa_key_derivation_tls12_prf_generate_next_block( tls12_prf, + alg ); + if( status != PSA_SUCCESS ) + return( status ); + + continue; + } + + if( tls12_prf->left_in_block > output_length ) + length = (uint8_t) output_length; + else + length = tls12_prf->left_in_block; + + offset = hash_length - tls12_prf->left_in_block; + memcpy( output, tls12_prf->output_block + offset, length ); + output += length; + output_length -= length; + tls12_prf->left_in_block -= length; + } + + return( PSA_SUCCESS ); +} #endif /* PSA_PRE_1_0_KEY_DERIVATION */ #endif /* MBEDTLS_MD_C */ From ea29bfb14893c8334558269488dcb92396449b30 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 19 Jun 2019 12:21:20 +0100 Subject: [PATCH 28/34] Add tls12_prf key derivation to the new API The TLS 1.2 pseudorandom function does a lot of distinct HMAC operations with the same key. To save the battery and CPU cycles spent on calculating the paddings and hashing the inner padding, we keep the hash context in the status right after the inner padding having been hashed and clone it as needed. --- library/psa_crypto.c | 77 +++++++++++++++++++++++++++++++++++++++----- 1 file changed, 69 insertions(+), 8 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index ba9b3e346..153bc6d97 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
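Review bot: `offset = hash_length - tls12_prf->left_in_block;` has no guard against a corrupted `left_in_block` larger than `hash_length`: both operands are `uint8_t`, the subtraction goes negative, the assignment wraps it, and the following `memcpy()` reads from `tls12_prf->output_block + offset` up to 255 bytes past the block. `psa_key_derivation_tls12_prf_generate_next_block()` already returns an error for an impossible `block_number`, so the read side should be symmetric: `if( tls12_prf->left_in_block > hash_length ) return( PSA_ERROR_CORRUPTION_DETECTED );` before the length computation. It would also help to note on `length = (uint8_t) output_length;` that the cast is lossless only because it sits on the branch where `output_length < left_in_block <= hash_length`.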
@@ -4132,7 +4132,8 @@ static psa_status_t psa_key_derivation_tls12_prf_generate_next_block( { psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( alg ); uint8_t hash_length = PSA_HASH_SIZE( hash_alg ); - psa_status_t status; + psa_hash_operation_t backup = PSA_HASH_OPERATION_INIT; + psa_status_t status, cleanup_status; /* We can't be wanting more output after block 0xff, otherwise * the capacity check in psa_key_derivation_output_bytes() would have 
@@ -4155,19 +4156,81 @@ static psa_status_t psa_key_derivation_tls12_prf_generate_next_block( * HMAC_hash(secret, A(3) + seed) + ... * * A(0) = seed - * A(i) = HMAC_hash( secret, A(i-1) ) + * A(i) = HMAC_hash(secret, A(i-1)) * - * The `psa_tls12_prf_key_derivation` structures saves the block + * The `psa_tls12_prf_key_derivation` structure saves the block * `HMAC_hash(secret, A(i) + seed)` from which the output * is currently extracted as `output_block`. */ - (void) hash_length; - (void) status; + /* Save the hash context before using it, to preserve the hash state with + * only the inner padding in it. We need this, because inner padding depends + * on the key (secret in the RFC's terminology). */ + status = psa_hash_clone( &tls12_prf->hmac.hash_ctx, &backup ); + if( status != PSA_SUCCESS ) + goto cleanup; + + /* Calculate A(i) where i = tls12_prf->block_number. */ + if( tls12_prf->block_number == 1 ) + { + /* A(1) = HMAC_hash(secret, A(0)), where A(0) = seed. (The RFC overloads + * the variable seed and in this instance means it in the context of the + * P_hash function, where seed = label + seed.) */ + status = psa_hash_update( &tls12_prf->hmac.hash_ctx, + tls12_prf->label, tls12_prf->label_length ); + if( status != PSA_SUCCESS ) + goto cleanup; + status = psa_hash_update( &tls12_prf->hmac.hash_ctx, + tls12_prf->seed, tls12_prf->seed_length ); + if( status != PSA_SUCCESS ) + goto cleanup; + } + else + { + /* A(i) = HMAC_hash(secret, A(i-1)) */ + status = psa_hash_update( &tls12_prf->hmac.hash_ctx, + tls12_prf->Ai, hash_length ); + if( status != PSA_SUCCESS ) + goto cleanup; + } + + status = psa_hmac_finish_internal( &tls12_prf->hmac, + tls12_prf->Ai, hash_length ); + if( status != PSA_SUCCESS ) + goto cleanup; + status = psa_hash_clone( &backup, &tls12_prf->hmac.hash_ctx ); + if( status != PSA_SUCCESS ) + goto cleanup; + + /* Calculate HMAC_hash(secret, A(i) + label + seed). 
*/ + status = psa_hash_update( &tls12_prf->hmac.hash_ctx, + tls12_prf->Ai, hash_length ); + if( status != PSA_SUCCESS ) + goto cleanup; + status = psa_hash_update( &tls12_prf->hmac.hash_ctx, + tls12_prf->label, tls12_prf->label_length ); + if( status != PSA_SUCCESS ) + goto cleanup; + status = psa_hash_update( &tls12_prf->hmac.hash_ctx, + tls12_prf->seed, tls12_prf->seed_length ); + if( status != PSA_SUCCESS ) + goto cleanup; + status = psa_hmac_finish_internal( &tls12_prf->hmac, + tls12_prf->output_block, hash_length ); + if( status != PSA_SUCCESS ) + goto cleanup; + status = psa_hash_clone( &backup, &tls12_prf->hmac.hash_ctx ); + if( status != PSA_SUCCESS ) + goto cleanup; + cleanup: - return( PSA_ERROR_NOT_SUPPORTED ); + cleanup_status = psa_hash_abort( &backup ); + if( status == PSA_SUCCESS && cleanup_status != PSA_SUCCESS ) + status = cleanup_status; + + return( status ); } #endif /* PSA_PRE_1_0_KEY_DERIVATION */ @@ -4295,7 +4358,6 @@ psa_status_t psa_key_derivation_output_bytes( output, output_length ); } else -#if defined(PSA_PRE_1_0_KEY_DERIVATION) if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) || PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) { @@ -4304,7 +4366,6 @@ psa_status_t psa_key_derivation_output_bytes( output_length ); } else -#endif /* PSA_PRE_1_0_KEY_DERIVATION */ #endif /* MBEDTLS_MD_C */ { return( PSA_ERROR_BAD_STATE ); From 5fe19734d509b2fe36471ed0a15385ce51c52bd6 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 20 Jun 2019 15:09:30 +0100 Subject: [PATCH 29/34] Make key derivation initialisation consistent The macro initialiser might leave bytes in the union unspecified. Zeroising it in setup makes sure that the behaviour is the same independently of the initialisation method used. --- library/psa_crypto.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 153bc6d97..9d02a971d 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
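Review bot: On any failure after the first `psa_hash_clone()`, the function jumps to `cleanup`, aborts `backup` and returns, but by then `block_number` has been incremented, `left_in_block` set to `hash_length`, and `tls12_prf->hmac.hash_ctx` is either partially updated or already finished — and the only copy of the inner-padded state was just destroyed, so the operation cannot produce another block. That is acceptable only if every caller aborts the whole key-derivation operation on error; `psa_key_derivation_output_bytes()` is in the hunks below but its error handling is not, so the contract should be stated on the function: `/* On failure the PRF state is unusable; the caller must abort the operation. */`. The restore after each `psa_hmac_finish_internal()` also depends on that helper leaving `hash_ctx` inactive, since `psa_hash_clone()` into an active target presumably fails; a one-line comment at the `backup` declaration would record that assumption.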
@@ -4740,6 +4740,10 @@ static psa_status_t psa_key_derivation_setup_kdf( psa_key_derivation_operation_t *operation, psa_algorithm_t kdf_alg ) { + /* Make sure that operation->ctx is properly zero-initialised. (Macro + * initialisers for this union leave some bytes unspecified.) */ + memset( &operation->ctx, 0, sizeof( operation->ctx ) ); + /* Make sure that kdf_alg is a supported key derivation algorithm. */ #if defined(MBEDTLS_MD_C) if( PSA_ALG_IS_HKDF( kdf_alg ) || From 30090bc2cfcddc8e321507a9e4e72acdd496f821 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 25 Jun 2019 10:15:04 +0100 Subject: [PATCH 30/34] Fix error code PSA_ERROR_BAD_STATE means that the function was called on a context in a bad state. This error is something that can't happen while only using the PSA API and therefore a PSA_ERROR_CORRUPTION_DETECTED is a more appropriate error code. --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 9d02a971d..4b7ae1f7c 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4141,7 +4141,7 @@ static psa_status_t psa_key_derivation_tls12_prf_generate_next_block( * object was corrupted or if this function is called directly * inside the library. */ if( tls12_prf->block_number == 0xff ) - return( PSA_ERROR_BAD_STATE ); + return( PSA_ERROR_CORRUPTION_DETECTED ); /* We need a new block */ ++tls12_prf->block_number; From 76c398447715430e0ac7b3e933526a9bf3d4b343 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 26 Jun 2019 12:50:36 +0100 Subject: [PATCH 31/34] Clarify TLS PRF algorithm description --- library/psa_crypto.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 4b7ae1f7c..766223f25 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
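Review bot: The new `memset( &operation->ctx, 0, sizeof( operation->ctx ) )` overwrites any heap pointers already stored in the union — after the TLS-1.2 PRF patches in this series `ctx.tls12_prf.seed` and `.label` are `mbedtls_calloc()`ed — so it is leak-free only if `psa_key_derivation_setup()` has already rejected an operation that is not in its initial state before calling this helper; that check is outside the hunk and I cannot confirm it here. Please either state that precondition in the comment, e.g. `/* Precondition: the operation is fresh (alg == 0); otherwise this would leak the previous ctx. */`, or check `operation->alg == 0` here. The zeroing itself is the right fix for the union-initialiser gap, and since `ctx` holds no secrets at this point plain `memset` is fine.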
@@ -4160,7 +4160,8 @@ static psa_status_t psa_key_derivation_tls12_prf_generate_next_block( * * The `psa_tls12_prf_key_derivation` structure saves the block * `HMAC_hash(secret, A(i) + seed)` from which the output - * is currently extracted as `output_block`. + * is currently extracted as `output_block` and where i is + * `block_number`. */ /* Save the hash context before using it, to preserve the hash state with From 40e13938168af152db8e3ce9b02e1b0bca91735c Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 26 Jun 2019 13:22:29 +0100 Subject: [PATCH 32/34] Optimize TLS PRF PSK key calculation --- library/psa_crypto.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 766223f25..e821ef682 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4939,6 +4939,7 @@ static psa_status_t psa_tls12_prf_psk_to_ms_set_key( { psa_status_t status; unsigned char pms[ 4 + 2 * PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN ]; + unsigned char* cur = pms; if( data_length > PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN ) return( PSA_ERROR_INVALID_ARGUMENT ); @@ -4950,14 +4951,16 @@ static psa_status_t psa_tls12_prf_psk_to_ms_set_key( * uint16 with the value N, and the PSK itself. */ - pms[0] = ( data_length >> 8 ) & 0xff; - pms[1] = ( data_length >> 0 ) & 0xff; - memset( pms + 2, 0, data_length ); - pms[2 + data_length + 0] = pms[0]; - pms[2 + data_length + 1] = pms[1]; - memcpy( pms + 4 + data_length, data, data_length ); + *cur++ = ( data_length >> 8 ) & 0xff; + *cur++ = ( data_length >> 0 ) & 0xff; + memset( cur, 0, data_length ); + cur += data_length; + *cur++ = pms[0]; + *cur++ = pms[1]; + memcpy( cur, data, data_length ); + cur += data_length; - status = psa_tls12_prf_set_key( prf, hash_alg, pms, 4 + 2 * data_length ); + status = psa_tls12_prf_set_key( prf, hash_alg, pms, cur - pms ); mbedtls_platform_zeroize( pms, sizeof( pms ) ); return( status ); 
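Review bot: `unsigned char* cur = pms;` binds the `*` to the type, while the rest of this file writes `uint8_t *output`; it should be `unsigned char *cur = pms;`. `psa_tls12_prf_set_key( prf, hash_alg, pms, cur - pms )` passes a `ptrdiff_t` where the callee presumably takes a `size_t`; make the conversion explicit, `(size_t)( cur - pms )`, so `-Wconversion`/`-Wsign-conversion` builds stay clean. The commit title says "Optimize", but the change is a pointer-walking refactor with the same byte count and the same copies, so the message would be clearer as a readability change. The fixed-size `pms` buffer is still bounded by the `PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN` check above it, so the rewrite cannot overflow it.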
From 0c1ed84258101607d8edea561e2457044074b1e6 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 28 Jun 2019 13:35:36 +0100 Subject: [PATCH 33/34] Improve style --- library/psa_crypto.c | 2 ++ tests/suites/test_suite_psa_crypto.function | 2 ++ 2 files changed, 4 insertions(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index e821ef682..953a3ede5 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -5012,8 +5012,10 @@ static psa_status_t psa_tls12_prf_psk_to_ms_input( size_t data_length ) { if( step == PSA_KEY_DERIVATION_INPUT_SECRET ) + { return( psa_tls12_prf_psk_to_ms_set_key( prf, hash_alg, data, data_length ) ); + } return( psa_tls12_prf_input( prf, hash_alg, step, data, data_length ) ); } diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 8e638b68d..48f533764 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -1803,10 +1803,12 @@ void derive_key_policy( int policy_usage, if( PSA_ALG_IS_TLS12_PRF( exercise_alg ) || PSA_ALG_IS_TLS12_PSK_TO_MS( exercise_alg ) ) + { PSA_ASSERT( psa_key_derivation_input_bytes( &operation, PSA_KEY_DERIVATION_INPUT_SEED, (const uint8_t*) "", 0) ); + } status = psa_key_derivation_input_key( &operation, PSA_KEY_DERIVATION_INPUT_SECRET, From d6dce9f4f310efc7f60f23d1e7987fe4f7501f4b Mon Sep 17 00:00:00 2001 
From: Janos Follath Date: Thu, 4 Jul 2019 09:11:38 +0100 Subject: [PATCH 34/34] Fix zero-length seed or label in TLS 1.2 PRF The psa_tls12_prf_set_seed() and psa_tls12_prf_set_label() functions did not work on platforms where malloc(0) returns NULL. It does not affect the TLS use case but these PRFs are used in other protocols as well and might not be used the same way. For example EAP uses the TLS PRF with an empty secret. (This would not trigger the bug, but is a strong indication that it is not safe to assume that certain inputs to this function are not zero length.) The conditional block includes the memcpy() call as well to avoid passing a NULL pointer as a parameter resulting in undefined behaviour. The current tests are already using zero length label and seed, there is no need to add new test for this bug. --- library/psa_crypto.c | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 953a3ede5..a47f9567d 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4901,12 +4901,15 @@ static psa_status_t psa_tls12_prf_set_seed( psa_tls12_prf_key_derivation_t *prf, if( prf->state != TLS12_PRF_STATE_INIT ) return( PSA_ERROR_BAD_STATE ); - prf->seed = mbedtls_calloc( 1, data_length ); - if( prf->seed == NULL ) - return( PSA_ERROR_INSUFFICIENT_MEMORY ); + if( data_length != 0 ) + { + prf->seed = mbedtls_calloc( 1, data_length ); + if( prf->seed == NULL ) + return( PSA_ERROR_INSUFFICIENT_MEMORY ); - memcpy( prf->seed, data, data_length ); - prf->seed_length = data_length; + memcpy( prf->seed, data, data_length ); + prf->seed_length = data_length; + } prf->state = TLS12_PRF_STATE_SEED_SET; 
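Review bot: With `data_length == 0` the new branch leaves `prf->seed` NULL and `prf->seed_length` 0, which is correct only because `psa_key_derivation_setup_kdf()` zeroes the context earlier in this series and because the consumer in `psa_key_derivation_tls12_prf_generate_next_block()` calls `psa_hash_update( ..., tls12_prf->seed, tls12_prf->seed_length )` with that `(NULL, 0)` pair; whether `psa_hash_update()` short-circuits a zero-length input before touching the pointer is not visible here and should be confirmed, otherwise the undefined behaviour has only moved one layer down. A short comment on the `if( data_length != 0 )` line would make the reliance explicit: `/* Empty seed: keep seed == NULL / seed_length == 0 (zero-initialised at setup); consumers must tolerate a NULL pointer with zero length. */`. The same applies to `psa_tls12_prf_set_label()` in the next hunk.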
@@ -4973,12 +4976,15 @@ static psa_status_t psa_tls12_prf_set_label( psa_tls12_prf_key_derivation_t *prf if( prf->state != TLS12_PRF_STATE_KEY_SET ) return( PSA_ERROR_BAD_STATE ); - prf->label = mbedtls_calloc( 1, data_length ); - if( prf->label == NULL ) - return( PSA_ERROR_INSUFFICIENT_MEMORY ); + if( data_length != 0 ) + { + prf->label = mbedtls_calloc( 1, data_length ); + if( prf->label == NULL ) + return( PSA_ERROR_INSUFFICIENT_MEMORY ); - memcpy( prf->label, data, data_length ); - prf->label_length = data_length; + memcpy( prf->label, data, data_length ); + prf->label_length = data_length; + } prf->state = TLS12_PRF_STATE_LABEL_SET;