Merge pull request #7490 from paul-elliott-arm/test_ecp_mod_p448
[Bignum] Add unit tests for ecp_mod_p448
diff --git a/3rdparty/CMakeLists.txt b/3rdparty/CMakeLists.txt
index e81ff51..67db68d 100644
--- a/3rdparty/CMakeLists.txt
+++ b/3rdparty/CMakeLists.txt
@@ -1,5 +1,10 @@
-execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/mbedtls_config.h get MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED RESULT_VARIABLE result)
+execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/mbedtls_config.h get MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED RESULT_VARIABLE everest_result)
+execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/mbedtls_config.h get MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED RESULT_VARIABLE p256m_result)
-if(${result} EQUAL 0)
+if(${everest_result} EQUAL 0)
add_subdirectory(everest)
endif()
+
+if(${p256m_result} EQUAL 0)
+ add_subdirectory(p256-m)
+endif()
diff --git a/3rdparty/Makefile.inc b/3rdparty/Makefile.inc
index 0ed85af..80dc126 100644
--- a/3rdparty/Makefile.inc
+++ b/3rdparty/Makefile.inc
@@ -1,2 +1,3 @@
-THIRDPARTY_DIR = $(dir $(lastword $(MAKEFILE_LIST)))
+THIRDPARTY_DIR = $(dir $(word 2, $(MAKEFILE_LIST)))
include $(THIRDPARTY_DIR)/everest/Makefile.inc
+include $(THIRDPARTY_DIR)/p256-m/Makefile.inc
diff --git a/3rdparty/p256-m/CMakeLists.txt b/3rdparty/p256-m/CMakeLists.txt
new file mode 100644
index 0000000..0001dd2
--- /dev/null
+++ b/3rdparty/p256-m/CMakeLists.txt
@@ -0,0 +1,25 @@
+add_library(p256m
+ p256-m_driver_entrypoints.c
+ p256-m/p256-m.c)
+
+target_include_directories(p256m
+ PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}>
+ $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/p256-m>
+ $<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
+ $<INSTALL_INTERFACE:include>
+ PRIVATE ${MBEDTLS_DIR}/library/)
+
+if(INSTALL_MBEDTLS_HEADERS)
+
+ install(DIRECTORY :${CMAKE_CURRENT_SOURCE_DIR}
+ DESTINATION include
+ FILE_PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
+ DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
+ FILES_MATCHING PATTERN "*.h")
+
+endif(INSTALL_MBEDTLS_HEADERS)
+
+install(TARGETS p256m
+EXPORT MbedTLSTargets
+DESTINATION ${CMAKE_INSTALL_LIBDIR}
+PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
diff --git a/3rdparty/p256-m/Makefile.inc b/3rdparty/p256-m/Makefile.inc
new file mode 100644
index 0000000..fc8f73b
--- /dev/null
+++ b/3rdparty/p256-m/Makefile.inc
@@ -0,0 +1,5 @@
+THIRDPARTY_INCLUDES+=-I../3rdparty/p256-m/p256-m/include -I../3rdparty/p256-m/p256-m/include/p256-m -I../3rdparty/p256-m/p256-m_driver_interface
+
+THIRDPARTY_CRYPTO_OBJECTS+= \
+ ../3rdparty/p256-m//p256-m_driver_entrypoints.o \
+ ../3rdparty/p256-m//p256-m/p256-m.o
diff --git a/3rdparty/p256-m/README.md b/3rdparty/p256-m/README.md
new file mode 100644
index 0000000..89648d4
--- /dev/null
+++ b/3rdparty/p256-m/README.md
@@ -0,0 +1,4 @@
+The files within the `p256-m/` subdirectory originate from the [p256-m GitHub repository](https://github.com/mpg/p256-m), which is distributed under the Apache 2.0 license. They are authored by Manuel Pégourié-Gonnard. p256-m is a minimalistic implementation of ECDH and ECDSA on NIST P-256, especially suited to constrained 32-bit environments. Mbed TLS documentation for integrating drivers uses p256-m as an example of a software accelerator, and describes how it can be integrated alongside Mbed TLS. It should be noted that p256-m files in the Mbed TLS repo will not be updated regularly, so they may not have fixes and improvements present in the upstream project.
+
+The files `p256-m.c` and `.h`, along with the license, have been taken from the `p256-m` repository.
+It should be noted that p256-m deliberately does not supply its own cryptographically secure RNG function. As a result, the PSA RNG is used, with `p256_generate_random()` wrapping `psa_generate_random()`.
diff --git a/3rdparty/p256-m/p256-m/LICENSE b/3rdparty/p256-m/p256-m/LICENSE
new file mode 100644
index 0000000..d645695
--- /dev/null
+++ b/3rdparty/p256-m/p256-m/LICENSE
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/3rdparty/p256-m/p256-m/README.md b/3rdparty/p256-m/p256-m/README.md
new file mode 100644
index 0000000..5e88f71
--- /dev/null
+++ b/3rdparty/p256-m/p256-m/README.md
@@ -0,0 +1,544 @@
+*This is the original README for the p256-m repository. Please note that as
+only a subset of p256-m's files are present in Mbed TLS, this README may refer
+to files that are not present/relevant here.*
+
+p256-m is a minimalistic implementation of ECDH and ECDSA on NIST P-256,
+especially suited to constrained 32-bit environments. It's written in standard
+C, with optional bits of assembly for Arm Cortex-M and Cortex-A CPUs.
+
+Its design is guided by the following goals in this order:
+
+1. correctness & security;
+2. low code size & RAM usage;
+3. runtime performance.
+
+Most cryptographic implementations care more about speed than footprint, and
+some might even risk weakening security for more speed. p256-m was written
+because I wanted to see what happened when reversing the usual emphasis.
+
+The result is a full implementation of ECDH and ECDSA in **less than 3KiB of
+code**, using **less than 768 bytes of RAM**, with comparable performance
+to existing implementations (see below) - in less than 700 LOC.
+
+_Contents of this Readme:_
+
+- [Correctness](#correctness)
+- [Security](#security)
+- [Code size](#code-size)
+- [RAM usage](#ram-usage)
+- [Runtime performance](#runtime-performance)
+- [Comparison with other implementations](#comparison-with-other-implementations)
+- [Design overview](#design-overview)
+- [Notes about other curves](#notes-about-other-curves)
+- [Notes about other platforms](#notes-about-other-platforms)
+
+## Correctness
+
+**API design:**
+
+- The API is minimal: only 4 public functions.
+- Each public function fully validates its inputs and returns specific errors.
+- The API uses arrays of octets for all input and output.
+
+**Testing:**
+
+- p256-m is validated against multiple test vectors from various RFCs and
+ NIST.
+- In addition, crafted inputs are used for negative testing and to reach
+ corner cases.
+- Two test suites are provided: one for closed-box testing (using only the
+ public API), one for open-box testing (for unit-testing internal functions,
+and reaching more error cases by exploiting knowledge of how the RNG is used).
+- The resulting branch coverage is maximal: closed-box testing reaches all
+ branches except four; three of them are reached by open-box testing using a
+rigged RNG; the last branch could only be reached by computing a discrete log
+on P-256... See `coverage.sh`.
+- Testing also uses dynamic analysis: valgrind, ASan, MemSan, UBSan.
+
+**Code quality:**
+
+- The code is standard C99; it builds without warnings with `clang
+ -Weverything` and `gcc -Wall -Wextra -pedantic`.
+- The code is small and well documented, including internal APIs: with the
+ header file, it's less than 700 lines of code, and more lines of comments
+than of code.
+- However it _has not been reviewed_ independently so far, as this is a
+ personal project.
+
+**Short Weierstrass pitfalls:**
+
+Its has been [pointed out](https://safecurves.cr.yp.to/) that the NIST curves,
+and indeed all Short Weierstrass curves, have a number of pitfalls including
+risk for the implementation to:
+
+- "produce incorrect results for some rare curve points" - this is avoided by
+ carefully checking the validity domain of formulas used throughout the code;
+- "leak secret data when the input isn't a curve point" - this is avoided by
+ validating that points lie on the curve every time a point is deserialized.
+
+## Security
+
+In addition to the above correctness claims, p256-m has the following
+properties:
+
+- it has no branch depending (even indirectly) on secret data;
+- it has no memory access depending (even indirectly) on secret data.
+
+These properties are checked using valgrind and MemSan with the ideas
+behind [ctgrind](https://github.com/agl/ctgrind), see `consttime.sh`.
+
+In addition to avoiding branches and memory accesses depending on secret data,
+p256-m also avoid instructions (or library functions) whose execution time
+depends on the value of operands on cores of interest. Namely, it never uses
+integer division, and for multiplication by default it only uses 16x16->32 bit
+unsigned multiplication. On cores which have a constant-time 32x32->64 bit
+unsigned multiplication instruction, the symbol `MUL64_IS_CONSTANT_TIME` can
+be defined by the user at compile-time to take advantage of it in order to
+improve performance and code size. (On Cortex-M and Cortex-A cores wtih GCC or
+Clang this is not necessary, since inline assembly is used instead.)
+
+As a result, p256-m should be secure against the following classes of attackers:
+
+1. attackers who can only manipulate the input and observe the output;
+2. attackers who can also measure the total computation time of the operation;
+3. attackers who can also observe and manipulate micro-architectural features
+ such as the cache or branch predictor with arbitrary precision.
+
+However, p256-m makes no attempt to protect against:
+
+4. passive physical attackers who can record traces of physical emissions
+ (power, EM, sound) of the CPU while it manipulates secrets;
+5. active physical attackers who can also inject faults in the computation.
+
+(Note: p256-m should actually be secure against SPA, by virtue of being fully
+constant-flow, but is not expected to resist any other physical attack.)
+
+**Warning:** p256-m requires an externally-provided RNG function. If that
+function is not cryptographically secure, then neither is p256-m's key
+generation or ECDSA signature generation.
+
+_Note:_ p256-m also follows best practices such as securely erasing secret
+data on the stack before returning.
+
+## Code size
+
+Compiled with
+[ARM-GCC 9](https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-rm/downloads),
+with `-mthumb -Os`, here are samples of code sizes reached on selected cores:
+
+- Cortex-M0: 2988 bytes
+- Cortex-M4: 2900 bytes
+- Cortex-A7: 2924 bytes
+
+Clang was also tried but tends to generate larger code (by about 10%). For
+details, see `sizes.sh`.
+
+**What's included:**
+
+- Full input validation and (de)serialisation of input/outputs to/from bytes.
+- Cleaning up secret values from the stack before returning from a function.
+- The code has no dependency on libc functions or the toolchain's runtime
+ library (such as helpers for long multiply); this can be checked for the
+Arm-GCC toolchain with the `deps.sh` script.
+
+**What's excluded:**
+
+- A secure RNG function needs to be provided externally, see
+ `p256_generate_random()` in `p256-m.h`.
+
+## RAM usage
+
+p256-m doesn't use any dynamic memory (on the heap), only the stack. Here's
+how much stack is used by each of its 4 public functions on selected cores:
+
+| Function | Cortex-M0 | Cortex-M4 | Cortex-A7 |
+| ------------------------- | --------: | --------: | --------: |
+| `p256_gen_keypair` | 608 | 564 | 564 |
+| `p256_ecdh_shared_secret` | 640 | 596 | 596 |
+| `p256_ecdsa_sign` | 664 | 604 | 604 |
+| `p256_ecdsa_verify` | 752 | 700 | 700 |
+
+For details, see `stack.sh`, `wcs.py` and `libc.msu` (the above figures assume
+that the externally-provided RNG function uses at most 384 bytes of stack).
+
+## Runtime performance
+
+Here are the timings of each public function in milliseconds measured on
+platforms based on a selection of cores:
+
+- Cortex-M0 at 48 MHz: STM32F091 board running Mbed OS 6
+- Cortex-M4 at 100 MHz: STM32F411 board running Mbed OS 6
+- Cortex-A7 at 900 MHz: Raspberry Pi 2B running Raspbian Buster
+
+| Function | Cortex-M0 | Cortex-M4 | Cortex-A7 |
+| ------------------------- | --------: | --------: | --------: |
+| `p256_gen_keypair` | 921 | 145 | 11 |
+| `p256_ecdh_shared_secret` | 922 | 144 | 11 |
+| `p256_ecdsa_sign` | 990 | 155 | 12 |
+| `p256_ecdsa_verify` | 1976 | 309 | 24 |
+| Sum of the above | 4809 | 753 | 59 |
+
+The sum of these operations corresponds to a TLS handshake using ECDHE-ECDSA
+with mutual authentication based on raw public keys or directly-trusted
+certificates (otherwise, add one 'verify' for each link in the peer's
+certificate chain).
+
+_Note_: the above figures where obtained by compiling with GCC, which is able
+to use inline assembly. Without that inline assembly (22 lines for Cortex-M0,
+1 line for Cortex-M4), the code would be roughly 2 times slower on those
+platforms. (The effect is much less important on the Cortex-A7 core.)
+
+For details, see `bench.sh`, `benchmark.c` and `on-target-benchmark/`.
+
+## Comparison with other implementations
+
+The most relevant/convenient implementation for comparisons is
+[TinyCrypt](https://github.com/intel/tinycrypt), as it's also a standalone
+implementation of ECDH and ECDSA on P-256 only, that also targets constrained
+devices. Other implementations tend to implement many curves and build on a
+shared bignum/MPI module (possibly also supporting RSA), which makes fair
+comparisons less convenient.
+
+The scripts used for TinyCrypt measurements are available in [this
+branch](https://github.com/mpg/tinycrypt/tree/measurements), based on version
+0.2.8.
+
+**Code size**
+
+| Core | p256-m | TinyCrypt |
+| --------- | -----: | --------: |
+| Cortex-M0 | 2988 | 6134 |
+| Cortex-M4 | 2900 | 5934 |
+| Cortex-A7 | 2924 | 5934 |
+
+**RAM usage**
+
+TinyCrypto also uses no heap, only the stack. Here's the RAM used by each
+operation on a Cortex-M0 core:
+
+| operation | p256-m | TinyCrypt |
+| ------------------ | -----: | --------: |
+| key generation | 608 | 824 |
+| ECDH shared secret | 640 | 728 |
+| ECDSA sign | 664 | 880 |
+| ECDSA verify | 752 | 824 |
+
+On a Cortex-M4 or Cortex-A7 core (identical numbers):
+
+| operation | p256-m | TinyCrypt |
+| ------------------ | -----: | --------: |
+| key generation | 564 | 796 |
+| ECDH shared secret | 596 | 700 |
+| ECDSA sign | 604 | 844 |
+| ECDSA verify | 700 | 808 |
+
+**Runtime performance**
+
+Here are the timings of each operation in milliseconds measured on
+platforms based on a selection of cores:
+
+_Cortex-M0_ at 48 MHz: STM32F091 board running Mbed OS 6
+
+| Operation | p256-m | TinyCrypt |
+| ------------------ | -----: | --------: |
+| Key generation | 921 | 979 |
+| ECDH shared secret | 922 | 975 |
+| ECDSA sign | 990 | 1009 |
+| ECDSA verify | 1976 | 1130 |
+| Sum of those 4 | 4809 | 4093 |
+
+_Cortex-M4_ at 100 MHz: STM32F411 board running Mbed OS 6
+
+| Operation | p256-m | TinyCrypt |
+| ------------------ | -----: | --------: |
+| Key generation | 145 | 178 |
+| ECDH shared secret | 144 | 177 |
+| ECDSA sign | 155 | 188 |
+| ECDSA verify | 309 | 210 |
+| Sum of those 4 | 753 | 753 |
+
+_Cortex-A7_ at 900 MHz: Raspberry Pi 2B running Raspbian Buster
+
+| Operation | p256-m | TinyCrypt |
+| ------------------ | -----: | --------: |
+| Key generation | 11 | 13 |
+| ECDH shared secret | 11 | 13 |
+| ECDSA sign | 12 | 14 |
+| ECDSA verify | 24 | 15 |
+| Sum of those 4 | 59 | 55 |
+
+_64-bit Intel_ (i7-6500U at 2.50GHz) laptop running Ubuntu 20.04
+
+Note: results in microseconds (previous benchmarks in milliseconds)
+
+| Operation | p256-m | TinyCrypt |
+| ------------------ | -----: | --------: |
+| Key generation | 1060 | 1627 |
+| ECDH shared secret | 1060 | 1611 |
+| ECDSA sign | 1136 | 1712 |
+| ECDSA verify | 2279 | 1888 |
+| Sum of those 4 | 5535 | 6838 |
+
+**Other differences**
+
+- While p256-m fully validates all inputs, Tinycrypt's ECDH shared secret
+ function doesn't include validation of the peer's public key, which should be
+done separately by the user for static ECDH (there are attacks [when users
+forget](https://link.springer.com/chapter/10.1007/978-3-319-24174-6_21)).
+- The two implementations have slightly different security characteristics:
+ p256-m is fully constant-time from the ground up so should be more robust
+than TinyCrypt against powerful local attackers (such as an untrusted OS
+attacking a secure enclave); on the other hand TinyCrypt includes coordinate
+randomisation which protects against some passive physical attacks (such as
+DPA, see Table 3, column C9 of [this
+paper](https://www.esat.kuleuven.be/cosic/publications/article-2293.pdf#page=12)),
+which p256-m completely ignores.
+- TinyCrypt's code looks like it could easily be expanded to support other
+ curves, while p256-m has much more hard-coded to minimize code size (see
+"Notes about other curves" below).
+- TinyCrypt uses a specialised routine for reduction modulo the curve prime,
+ exploiting its structure as a Solinas prime, which should be faster than the
+generic Montgomery reduction used by p256-m, but other factors appear to
+compensate for that.
+- TinyCrypt uses Co-Z Jacobian formulas for point operation, which should be
+ faster (though a bit larger) than the mixed affine-Jacobian formulas
+used by p256-m, but again other factors appear to compensate for that.
+- p256-m uses bits of inline assembly for 64-bit multiplication on the
+ platforms used for benchmarking, while TinyCrypt uses only C (and the
+compiler's runtime library).
+- TinyCrypt uses a specialised routine based on Shamir's trick for
+ ECDSA verification, which gives much better performance than the generic
+code that p256-m uses in order to minimize code size.
+
+## Design overview
+
+The implementation is contained in a single file to keep most functions static
+and allow for more optimisations. It is organized in multiple layers:
+
+- Fixed-width multi-precision arithmetic
+- Fixed-width modular arithmetic
+- Operations on curve points
+- Operations with scalars
+- The public API
+
+**Multi-precision arithmetic.**
+
+Large integers are represented as arrays of `uint32_t` limbs. When carries may
+occur, casts to `uint64_t` are used to nudge the compiler towards using the
+CPU's carry flag. When overflow may occur, functions return a carry flag.
+
+This layer contains optional assembly for Cortex-M and Cortex-A cores, for the
+internal `u32_muladd64()` function, as well as two pure C versions of this
+function, depending on whether `MUL64_IS_CONSTANT_TIME`.
+
+This layer's API consists of:
+
+- addition, subtraction;
+- multiply-and-add, shift by one limb (for Montgomery multiplication);
+- conditional assignment, assignment of a small value;
+- comparison of two values for equality, comparison to 0 for equality;
+- (de)serialization as big-endian arrays of bytes.
+
+**Modular arithmetic.**
+
+All modular operations are done in the Montgomery domain, that is x is
+represented by `x * 2^256 mod m`; integers need to be converted to that domain
+before computations, and back from it afterwards. Montgomery constants
+associated to the curve's p and n are pre-computed and stored in static
+structures.
+
+Modular inversion is computed using Fermat's little theorem to get
+constant-time behaviour with respect to the value being inverted.
+
+This layer's API consists of:
+
+- the curve's constants p and n (and associated Montgomery constants);
+- modular addition, subtraction, multiplication, and inversion;
+- assignment of a small value;
+- conversion to/from Montgomery domain;
+- (de)serialization to/from bytes with integrated range checking and
+ Montgomery domain conversion.
+
+**Operations on curve points.**
+
+Curve points are represented using either affine or Jacobian coordinates;
+affine coordinates are extended to represent 0 as (0,0). Individual
+coordinates are always in the Montgomery domain.
+
+Not all formulas associated with affine or Jacobian coordinates are complete;
+great care is taken to document and satisfy each function's pre-conditions.
+
+This layer's API consists of:
+
+- curve constants: b from the equation, the base point's coordinates;
+- point validity check (on the curve and not 0);
+- Jacobian to affine coordinate conversion;
+- point doubling in Jacobian coordinates (complete formulas);
+- point addition in mixed affine-Jacobian coordinates (P not in {0, Q, -Q});
+- point addition-or-doubling in affine coordinates (leaky version, only used
+ for ECDSA verify where all data is public);
+- (de)serialization to/from bytes with integrated validity checking
+
+**Scalar operations.**
+
+The crucial function here is scalar multiplication. It uses a signed binary
+ladder, which is a variant of the good old double-and-add algorithm where an
+addition/subtraction is performed at each step. Again, care is taken to make
+sure the pre-conditions for the addition formulas are always satisfied. The
+signed binary ladder only works if the scalar is odd; this is ensured by
+negating both the scalar (mod n) and the input point if necessary.
+
+This layer's API consists of:
+
+- scalar multiplication
+- de-serialization from bytes with integrated range checking
+- generation of a scalar and its associated public key
+
+**Public API.**
+
+This layer builds on the others, but unlike them, all inputs and outputs are
+byte arrays. Key generation and ECDH shared secret computation are thin
+wrappers around internal functions, just taking care of format conversions and
+errors. The ECDSA functions have more non-trivial logic.
+
+This layer's API consists of:
+
+- key-pair generation
+- ECDH shared secret computation
+- ECDSA signature creation
+- ECDSA signature verification
+
+**Testing.**
+
+A self-contained, straightforward, pure-Python implementation was first
+produced as a warm-up and to help check intermediate values. Test vectors from
+various sources are embedded and used to validate the implementation.
+
+This implementation, `p256.py`, is used by a second Python script,
+`gen-test-data.py`, to generate additional data for both positive and negative
+testing, available from a C header file, that is then used by the closed-box
+and open-box test programs.
+
+p256-m can be compiled with extra instrumentation to mark secret data and
+allow either valgrind or MemSan to check that no branch or memory access
+depends on it (even indirectly). Macros are defined for this purpose near the
+top of the file.
+
+**Tested platforms.**
+
+There are 4 versions of the internal function `u32_muladd64`: two assembly
+versions, for Cortex-M/A cores with or without the DSP extension, and two
+pure-C versions, depending on whether `MUL64_IS_CONSTANT_TIME`.
+
+Tests are run on the following platforms:
+
+- `make` on x64 tests the pure-C version without `MUL64_IS_CONSTANT_TIME`
+ (with Clang).
+- `./consttime.sh` on x64 tests both pure-C versions (with Clang).
+- `make` on Arm v7-A (Raspberry Pi 2) tests the Arm-DSP assembly version (with
+ Clang).
+- `on-target-*box` on boards based on Cortex-M0 and M4 cores test both
+ assembly versions (with GCC).
+
+In addition:
+
+- `sizes.sh` builds the code for three Arm cores with GCC and Clang.
+- `deps.sh` checks for external dependencies with GCC.
+
+## Notes about other curves
+
+It should be clear that minimal code size can only be reached by specializing
+the implementation to the curve at hand. Here's a list of things in the
+implementation that are specific to the NIST P-256 curve, and how the
+implementation could be changed to expand to other curves, layer by layer (see
+"Design Overview" above).
+
+**Fixed-width multi-precision arithmetic:**
+
+- The number of limbs is hard-coded to 8. For other 256-bit curves, nothing to
+ change. For a curve of another size, hard-code to another value. For multiple
+curves of various sizes, add a parameter to each function specifying the
+number of limbs; when declaring arrays, always use the maximum number of
+limbs.
+
+**Fixed-width modular arithmetic:**
+
+- The values of the curve's constant p and n, and their associated Montgomery
+ constants, are hard-coded. For another curve, just hard-code the new constants.
+For multiple other curves, define all the constants, and from this layer's API
+only keep the functions that already accept a `mod` parameter (that is, remove
+convenience functions `m256_xxx_p()`).
+- The number of limbs is again hard-coded to 8. See above, but it order to
+ support multiple sizes there is no need to add a new parameter to functions
+in this layer: the existing `mod` parameter can include the number of limbs as
+well.
+
+**Operations on curve points:**
+
+- The values of the curve's constants b (constant term from the equation) and
+ gx, gy (coordinates of the base point) are hard-coded. For another curve,
+ hard-code the other values. For multiple curves, define each curve's value and
+add a "curve id" parameter to all functions in this layer.
+- The value of the curve's constant a is implicitly hard-coded to `-3` by using
+ a standard optimisation to save one multiplication in the first step of
+`point_double()`. For curves that don't have a == -3, replace that with the
+normal computation.
+- The fact that b != 0 in the curve equation is used indirectly, to ensure
+ that (0, 0) is not a point on the curve and re-use that value to represent
+the point 0. As far as I know, all Short Weierstrass curves standardized so
+far have b != 0.
+- The shape of the curve is assumed to be Short Weierstrass. For other curve
+ shapes (Montgomery, (twisted) Edwards), this layer would probably look very
+different (both implementation and API).
+
+**Scalar operations:**
+
+- If multiple curves are to be supported, all function in this layer need to
+ gain a new "curve id" parameter.
+- This layer assumes that the bit size of the curve's order n is the same as
+ that of the modulus p. This is true of most curves standardized so far, the
+only exception being secp224k1. If that curve were to be supported, the
+representation of `n` and scalars would need adapting to allow for an extra
+limb.
+- The bit size of the curve's order is hard-coded in `scalar_mult()`. For
+ multiple curves, this should be deduced from the "curve id" parameter.
+- The `scalar_mult()` function exploits the fact that the second least
+ significant bit of the curve's order n is set in order to avoid a special
+case. For curve orders that don't meet this criterion, we can just handle that
+special case (multiplication by +-2) separately (always compute that and
+conditionally assign it to the result).
+- The shape of the curve is again assumed to be Short Weierstrass. For other curve
+ shapes (Montgomery, (twisted) Edwards), this layer would probably have a
+very different implementation.
+
+**Public API:**
+
+- For multiple curves, all functions in this layer would need to gain a "curve
+ id" parameter and handle variable-sized input/output.
+- The shape of the curve is again assumed to be Short Weierstrass. For other curve
+ shapes (Montgomery, (twisted) Edwards), the ECDH API would probably look
+quite similar (with differences in the size of public keys), but the ECDSA API
+wouldn't apply and an EdDSA API would look pretty different.
+
+## Notes about other platforms
+
+While p256-m is standard C99, it is written with constrained 32-bit platforms
+in mind and makes a few assumptions about the platform:
+
+- The types `uint8_t`, `uint16_t`, `uint32_t` and `uint64_t` exist.
+- 32-bit unsigned addition and subtraction with carry are constant time.
+- 16x16->32-bit unsigned multiplication is available and constant time.
+
+Also, on platforms on which 64-bit addition and subtraction with carry, or
+even 64x64->128-bit multiplication, are available, p256-m makes no use of
+them, though they could significantly improve performance.
+
+This could be improved by replacing uses of arrays of `uint32_t` with a
+defined type throughout the internal APIs, and then on 64-bit platforms define
+that type to be an array of `uint64_t` instead, and making the obvious
+adaptations in the multi-precision arithmetic layer.
+
+Finally, the optional assembly code (which boosts performance by a factor 2 on
+tested Cortex-M CPUs, while slightly reducing code size and stack usage) is
+currently only available with compilers that support GCC's extended asm
+syntax (which includes GCC and Clang).
diff --git a/3rdparty/p256-m/p256-m/p256-m.c b/3rdparty/p256-m/p256-m/p256-m.c
new file mode 100644
index 0000000..abb9ab4
--- /dev/null
+++ b/3rdparty/p256-m/p256-m/p256-m.c
@@ -0,0 +1,1470 @@
+/*
+ * Implementation of curve P-256 (ECDH and ECDSA)
+ *
+ * Author: Manuel Pégourié-Gonnard.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#include "p256-m.h"
+#include "psa/crypto.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#if defined (MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED)
+
+/*
+ * Zeroize memory - this should not be optimized away
+ */
+static void zeroize(void *d, size_t n)
+{
+ volatile char *p = d;
+ while( n-- )
+ *p++ = 0;
+}
+
+/*
+ * Helpers to test constant-time behaviour with valgrind or MemSan.
+ *
+ * CT_POISON() is used for secret data. It marks the memory area as
+ * uninitialised, so that any branch or pointer dereference that depends on it
+ * (even indirectly) triggers a warning.
+ * CT_UNPOISON() is used for public data; it marks the area as initialised.
+ *
+ * These are macros in order to avoid interfering with origin tracking.
+ */
+#if defined(CT_MEMSAN)
+
+#include <sanitizer/msan_interface.h>
+#define CT_POISON __msan_allocated_memory
+// void __msan_allocated_memory(const volatile void* data, size_t size);
+#define CT_UNPOISON __msan_unpoison
+// void __msan_unpoison(const volatile void *a, size_t size);
+
+#elif defined(CT_VALGRIND)
+
+#include <valgrind/memcheck.h>
+#define CT_POISON VALGRIND_MAKE_MEM_UNDEFINED
+// VALGRIND_MAKE_MEM_UNDEFINED(_qzz_addr,_qzz_len)
+#define CT_UNPOISON VALGRIND_MAKE_MEM_DEFINED
+// VALGRIND_MAKE_MEM_DEFINED(_qzz_addr,_qzz_len)
+
+#else
+#define CT_POISON(p, sz)
+#define CT_UNPOISON(p, sz)
+#endif
+
+/**********************************************************************
+ *
+ * Operations on fixed-width unsigned integers
+ *
+ * Represented using 32-bit limbs, least significant limb first.
+ * That is: x = x[0] + 2^32 x[1] + ... + 2^224 x[7] for 256-bit.
+ *
+ **********************************************************************/
+
+/*
+ * 256-bit set to 32-bit value
+ *
+ * in: x in [0, 2^32)
+ * out: z = x
+ */
+static void u256_set32(uint32_t z[8], uint32_t x)
+{
+ z[0] = x;
+ for (unsigned i = 1; i < 8; i++) {
+ z[i] = 0;
+ }
+}
+
+/*
+ * 256-bit addition
+ *
+ * in: x, y in [0, 2^256)
+ * out: z = (x + y) mod 2^256
+ * c = (x + y) div 2^256
+ * That is, z + c * 2^256 = x + y
+ *
+ * Note: as a memory area, z must be either equal to x or y, or not overlap.
+ */
+static uint32_t u256_add(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8])
+{
+ uint32_t carry = 0;
+
+ for (unsigned i = 0; i < 8; i++) {
+ uint64_t sum = (uint64_t) carry + x[i] + y[i];
+ z[i] = (uint32_t) sum;
+ carry = (uint32_t) (sum >> 32);
+ }
+
+ return carry;
+}
+
+/*
+ * 256-bit subtraction
+ *
+ * in: x, y in [0, 2^256)
+ * out: z = (x - y) mod 2^256
+ * c = 0 if x >=y, 1 otherwise
+ * That is, z = c * 2^256 + x - y
+ *
+ * Note: as a memory area, z must be either equal to x or y, or not overlap.
+ */
+static uint32_t u256_sub(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8])
+{
+ uint32_t carry = 0;
+
+ for (unsigned i = 0; i < 8; i++) {
+ uint64_t diff = (uint64_t) x[i] - y[i] - carry;
+ z[i] = (uint32_t) diff;
+ carry = -(uint32_t) (diff >> 32);
+ }
+
+ return carry;
+}
+
+/*
+ * 256-bit conditional assignment
+ *
+ * in: x in [0, 2^256)
+ * c in [0, 1]
+ * out: z = x if c == 1, z unchanged otherwise
+ *
+ * Note: as a memory area, z must be either equal to x, or not overlap.
+ */
+static void u256_cmov(uint32_t z[8], const uint32_t x[8], uint32_t c)
+{
+ const uint32_t x_mask = -c;
+ for (unsigned i = 0; i < 8; i++) {
+ z[i] = (z[i] & ~x_mask) | (x[i] & x_mask);
+ }
+}
+
+/*
+ * 256-bit compare for equality
+ *
+ * in: x in [0, 2^256)
+ * y in [0, 2^256)
+ * out: 0 if x == y, unspecified non-zero otherwise
+ */
+static uint32_t u256_diff(const uint32_t x[8], const uint32_t y[8])
+{
+ uint32_t diff = 0;
+ for (unsigned i = 0; i < 8; i++) {
+ diff |= x[i] ^ y[i];
+ }
+ return diff;
+}
+
+/*
+ * 256-bit compare to zero
+ *
+ * in: x in [0, 2^256)
+ * out: 0 if x == 0, unspecified non-zero otherwise
+ */
+static uint32_t u256_diff0(const uint32_t x[8])
+{
+ uint32_t diff = 0;
+ for (unsigned i = 0; i < 8; i++) {
+ diff |= x[i];
+ }
+ return diff;
+}
+
+/*
+ * 32 x 32 -> 64-bit multiply-and-accumulate
+ *
+ * in: x, y, z, t in [0, 2^32)
+ * out: x * y + z + t in [0, 2^64)
+ *
+ * Note: this computation cannot overflow.
+ *
+ * Note: this function has two pure-C implementations (depending on whether
+ * MUL64_IS_CONSTANT_TIME), and possibly optimised asm implementations.
+ * Start with the potential asm definitions, and use the C definition only if
+ * we no have no asm for the current toolchain & CPU.
+ */
+static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t);
+
+/* This macro is used to mark whether an asm implentation is found */
+#undef MULADD64_ASM
+/* This macro is used to mark whether the implementation has a small
+ * code size (ie, it can be inlined even in an unrolled loop) */
+#undef MULADD64_SMALL
+
+/*
+ * Currently assembly optimisations are only supported with GCC/Clang for
+ * Arm's Cortex-A and Cortex-M lines of CPUs, which start with the v6-M and
+ * v7-M architectures. __ARM_ARCH_PROFILE is not defined for v6 and earlier.
+ */
+#if defined(__GNUC__) &&\
+ defined(__ARM_ARCH) && __ARM_ARCH >= 6 && defined(__ARM_ARCH_PROFILE) && \
+ ( __ARM_ARCH_PROFILE == 77 || __ARM_ARCH_PROFILE == 65 ) /* 'M' or 'A' */
+
+/*
+ * This set of CPUs is conveniently partitioned as follows:
+ *
+ * 1. Cores that have the DSP extension, which includes a 1-cycle UMAAL
+ * instruction: M4, M7, M33, all A-class cores.
+ * 2. Cores that don't have the DSP extension, and also lack a constant-time
+ * 64-bit multiplication instruction:
+ * - M0, M0+, M23: 32-bit multiplication only;
+ * - M3: 64-bit multiplication is not constant-time.
+ */
+#if defined(__ARM_FEATURE_DSP)
+
+static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t)
+{
+ __asm__(
+ /* UMAAL <RdLo>, <RdHi>, <Rn>, <Rm> */
+ "umaal %[z], %[t], %[x], %[y]"
+ : [z] "+l" (z), [t] "+l" (t)
+ : [x] "l" (x), [y] "l" (y)
+ );
+ return ((uint64_t) t << 32) | z;
+}
+#define MULADD64_ASM
+#define MULADD64_SMALL
+
+#else /* __ARM_FEATURE_DSP */
+
+/*
+ * This implementation only uses 16x16->32 bit multiplication.
+ *
+ * It decomposes the multiplicands as:
+ * x = xh:xl = 2^16 * xh + xl
+ * y = yh:yl = 2^16 * yh + yl
+ * and computes their product as:
+ * x*y = xl*yl + 2**16 (xh*yl + yl*yh) + 2**32 xh*yh
+ * then adds z and t to the result.
+ */
+static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t)
+{
+ /* First compute x*y, using 3 temporary registers */
+ uint32_t tmp1, tmp2, tmp3;
+ __asm__(
+ ".syntax unified\n\t"
+ /* start by splitting the inputs into halves */
+ "lsrs %[u], %[x], #16\n\t"
+ "lsrs %[v], %[y], #16\n\t"
+ "uxth %[x], %[x]\n\t"
+ "uxth %[y], %[y]\n\t"
+ /* now we have %[x], %[y], %[u], %[v] = xl, yl, xh, yh */
+ /* let's compute the 4 products we can form with those */
+ "movs %[w], %[v]\n\t"
+ "muls %[w], %[u]\n\t"
+ "muls %[v], %[x]\n\t"
+ "muls %[x], %[y]\n\t"
+ "muls %[y], %[u]\n\t"
+ /* now we have %[x], %[y], %[v], %[w] = xl*yl, xh*yl, xl*yh, xh*yh */
+ /* let's split and add the first middle product */
+ "lsls %[u], %[y], #16\n\t"
+ "lsrs %[y], %[y], #16\n\t"
+ "adds %[x], %[u]\n\t"
+ "adcs %[y], %[w]\n\t"
+ /* let's finish with the second middle product */
+ "lsls %[u], %[v], #16\n\t"
+ "lsrs %[v], %[v], #16\n\t"
+ "adds %[x], %[u]\n\t"
+ "adcs %[y], %[v]\n\t"
+ : [x] "+l" (x), [y] "+l" (y),
+ [u] "=&l" (tmp1), [v] "=&l" (tmp2), [w] "=&l" (tmp3)
+ : /* no read-only inputs */
+ : "cc"
+ );
+ (void) tmp1;
+ (void) tmp2;
+ (void) tmp3;
+
+ /* Add z and t, using one temporary register */
+ __asm__(
+ ".syntax unified\n\t"
+ "movs %[u], #0\n\t"
+ "adds %[x], %[z]\n\t"
+ "adcs %[y], %[u]\n\t"
+ "adds %[x], %[t]\n\t"
+ "adcs %[y], %[u]\n\t"
+ : [x] "+l" (x), [y] "+l" (y), [u] "=&l" (tmp1)
+ : [z] "l" (z), [t] "l" (t)
+ : "cc"
+ );
+ (void) tmp1;
+
+ return ((uint64_t) y << 32) | x;
+}
+#define MULADD64_ASM
+
+#endif /* __ARM_FEATURE_DSP */
+
+#endif /* GCC/Clang with Cortex-M/A CPU */
+
+#if !defined(MULADD64_ASM)
+#if defined(MUL64_IS_CONSTANT_TIME)
+static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t)
+{
+ return (uint64_t) x * y + z + t;
+}
+#define MULADD64_SMALL
+#else
+static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t)
+{
+ /* x = xl + 2**16 xh, y = yl + 2**16 yh */
+ const uint16_t xl = (uint16_t) x;
+ const uint16_t yl = (uint16_t) y;
+ const uint16_t xh = x >> 16;
+ const uint16_t yh = y >> 16;
+
+ /* x*y = xl*yl + 2**16 (xh*yl + yl*yh) + 2**32 xh*yh
+ * = lo + 2**16 (m1 + m2 ) + 2**32 hi */
+ const uint32_t lo = (uint32_t) xl * yl;
+ const uint32_t m1 = (uint32_t) xh * yl;
+ const uint32_t m2 = (uint32_t) xl * yh;
+ const uint32_t hi = (uint32_t) xh * yh;
+
+ uint64_t acc = lo + ((uint64_t) (hi + (m1 >> 16) + (m2 >> 16)) << 32);
+ acc += m1 << 16;
+ acc += m2 << 16;
+ acc += z;
+ acc += t;
+
+ return acc;
+}
+#endif /* MUL64_IS_CONSTANT_TIME */
+#endif /* MULADD64_ASM */
+
+/*
+ * 288 + 32 x 256 -> 288-bit multiply and add
+ *
+ * in: x in [0, 2^32)
+ * y in [0, 2^256)
+ * z in [0, 2^288)
+ * out: z_out = z_in + x * y mod 2^288
+ * c = z_in + x * y div 2^288
+ * That is, z_out + c * 2^288 = z_in + x * y
+ *
+ * Note: as a memory area, z must be either equal to y, or not overlap.
+ *
+ * This is a helper for Montgomery multiplication.
+ */
+static uint32_t u288_muladd(uint32_t z[9], uint32_t x, const uint32_t y[8])
+{
+ uint32_t carry = 0;
+
+#define U288_MULADD_STEP(i) \
+ do { \
+ uint64_t prod = u32_muladd64(x, y[i], z[i], carry); \
+ z[i] = (uint32_t) prod; \
+ carry = (uint32_t) (prod >> 32); \
+ } while( 0 )
+
+#if defined(MULADD64_SMALL)
+ U288_MULADD_STEP(0);
+ U288_MULADD_STEP(1);
+ U288_MULADD_STEP(2);
+ U288_MULADD_STEP(3);
+ U288_MULADD_STEP(4);
+ U288_MULADD_STEP(5);
+ U288_MULADD_STEP(6);
+ U288_MULADD_STEP(7);
+#else
+ for (unsigned i = 0; i < 8; i++) {
+ U288_MULADD_STEP(i);
+ }
+#endif
+
+ uint64_t sum = (uint64_t) z[8] + carry;
+ z[8] = (uint32_t) sum;
+ carry = (uint32_t) (sum >> 32);
+
+ return carry;
+}
+
+/*
+ * 288-bit in-place right shift by 32 bits
+ *
+ * in: z in [0, 2^288)
+ * c in [0, 2^32)
+ * out: z_out = z_in div 2^32 + c * 2^256
+ * = (z_in + c * 2^288) div 2^32
+ *
+ * This is a helper for Montgomery multiplication.
+ */
+static void u288_rshift32(uint32_t z[9], uint32_t c)
+{
+ for (unsigned i = 0; i < 8; i++) {
+ z[i] = z[i + 1];
+ }
+ z[8] = c;
+}
+
+/*
+ * 256-bit import from big-endian bytes
+ *
+ * in: p = p0, ..., p31
+ * out: z = p0 * 2^248 + p1 * 2^240 + ... + p30 * 2^8 + p31
+ */
+static void u256_from_bytes(uint32_t z[8], const uint8_t p[32])
+{
+ for (unsigned i = 0; i < 8; i++) {
+ unsigned j = 4 * (7 - i);
+ z[i] = ((uint32_t) p[j + 0] << 24) |
+ ((uint32_t) p[j + 1] << 16) |
+ ((uint32_t) p[j + 2] << 8) |
+ ((uint32_t) p[j + 3] << 0);
+ }
+}
+
+/*
+ * 256-bit export to big-endian bytes
+ *
+ * in: z in [0, 2^256)
+ * out: p = p0, ..., p31 such that
+ * z = p0 * 2^248 + p1 * 2^240 + ... + p30 * 2^8 + p31
+ */
+static void u256_to_bytes(uint8_t p[32], const uint32_t z[8])
+{
+ for (unsigned i = 0; i < 8; i++) {
+ unsigned j = 4 * (7 - i);
+ p[j + 0] = (uint8_t) (z[i] >> 24);
+ p[j + 1] = (uint8_t) (z[i] >> 16);
+ p[j + 2] = (uint8_t) (z[i] >> 8);
+ p[j + 3] = (uint8_t) (z[i] >> 0);
+ }
+}
+
+/**********************************************************************
+ *
+ * Operations modulo a 256-bit prime m
+ *
+ * These are done in the Montgomery domain, that is x is represented by
+ * x * 2^256 mod m
+ * Numbers need to be converted to that domain before computations,
+ * and back from it afterwards.
+ *
+ * Inversion is computed using Fermat's little theorem.
+ *
+ * Assumptions on m:
+ * - Montgomery operations require that m is odd.
+ * - Fermat's little theorem require it to be a prime.
+ * - m256_inv() further requires that m % 2^32 >= 2.
+ * - m256_inv() also assumes that the value of m is not a secret.
+ *
+ * In practice operations are done modulo the curve's p and n,
+ * both of which satisfy those assumptions.
+ *
+ **********************************************************************/
+
+/*
+ * Data associated to a modulus for Montgomery operations.
+ *
+ * m in [0, 2^256) - the modulus itself, must be odd
+ * R2 = 2^512 mod m
+ * ni = -m^-1 mod 2^32
+ */
+typedef struct {
+ uint32_t m[8];
+ uint32_t R2[8];
+ uint32_t ni;
+}
+m256_mod;
+
+/*
+ * Data for Montgomery operations modulo the curve's p
+ */
+static const m256_mod p256_p = {
+ { /* the curve's p */
+ 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000,
+ 0x00000000, 0x00000000, 0x00000001, 0xFFFFFFFF,
+ },
+ { /* 2^512 mod p */
+ 0x00000003, 0x00000000, 0xffffffff, 0xfffffffb,
+ 0xfffffffe, 0xffffffff, 0xfffffffd, 0x00000004,
+ },
+ 0x00000001, /* -p^-1 mod 2^32 */
+};
+
+/*
+ * Data for Montgomery operations modulo the curve's n
+ */
+static const m256_mod p256_n = {
+ { /* the curve's n */
+ 0xFC632551, 0xF3B9CAC2, 0xA7179E84, 0xBCE6FAAD,
+ 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0xFFFFFFFF,
+ },
+ { /* 2^512 mod n */
+ 0xbe79eea2, 0x83244c95, 0x49bd6fa6, 0x4699799c,
+ 0x2b6bec59, 0x2845b239, 0xf3d95620, 0x66e12d94,
+ },
+ 0xee00bc4f, /* -n^-1 mod 2^32 */
+};
+
+/*
+ * Modular addition
+ *
+ * in: x, y in [0, m)
+ * mod must point to a valid m256_mod structure
+ * out: z = (x + y) mod m, in [0, m)
+ *
+ * Note: as a memory area, z must be either equal to x or y, or not overlap.
+ */
+static void m256_add(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8],
+ const m256_mod *mod)
+{
+ uint32_t r[8];
+ uint32_t carry_add = u256_add(z, x, y);
+ uint32_t carry_sub = u256_sub(r, z, mod->m);
+ /* Need to subract m if:
+ * x+y >= 2^256 > m (that is, carry_add == 1)
+ * OR z >= m (that is, carry_sub == 0) */
+ uint32_t use_sub = carry_add | (1 - carry_sub);
+ u256_cmov(z, r, use_sub);
+}
+
+/*
+ * Modular addition mod p
+ *
+ * in: x, y in [0, p)
+ * out: z = (x + y) mod p, in [0, p)
+ *
+ * Note: as a memory area, z must be either equal to x or y, or not overlap.
+ */
+static void m256_add_p(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8])
+{
+ m256_add(z, x, y, &p256_p);
+}
+
+/*
+ * Modular subtraction
+ *
+ * in: x, y in [0, m)
+ * mod must point to a valid m256_mod structure
+ * out: z = (x - y) mod m, in [0, m)
+ *
+ * Note: as a memory area, z must be either equal to x or y, or not overlap.
+ */
+static void m256_sub(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8],
+ const m256_mod *mod)
+{
+ uint32_t r[8];
+ uint32_t carry = u256_sub(z, x, y);
+ (void) u256_add(r, z, mod->m);
+ /* Need to add m if and only if x < y, that is carry == 1.
+ * In that case z is in [2^256 - m + 1, 2^256 - 1], so the
+ * addition will have a carry as well, which cancels out. */
+ u256_cmov(z, r, carry);
+}
+
+/*
+ * Modular subtraction mod p
+ *
+ * in: x, y in [0, p)
+ * out: z = (x + y) mod p, in [0, p)
+ *
+ * Note: as a memory area, z must be either equal to x or y, or not overlap.
+ */
+static void m256_sub_p(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8])
+{
+ m256_sub(z, x, y, &p256_p);
+}
+
+/*
+ * Montgomery modular multiplication
+ *
+ * in: x, y in [0, m)
+ * mod must point to a valid m256_mod structure
+ * out: z = (x * y) / 2^256 mod m, in [0, m)
+ *
+ * Note: as a memory area, z may overlap with x or y.
+ */
+static void m256_mul(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8],
+ const m256_mod *mod)
+{
+ /*
+ * Algorithm 14.36 in Handbook of Applied Cryptography with:
+ * b = 2^32, n = 8, R = 2^256
+ */
+ uint32_t m_prime = mod->ni;
+ uint32_t a[9];
+
+ for (unsigned i = 0; i < 9; i++) {
+ a[i] = 0;
+ }
+
+ for (unsigned i = 0; i < 8; i++) {
+ /* the "mod 2^32" is implicit from the type */
+ uint32_t u = (a[0] + x[i] * y[0]) * m_prime;
+
+ /* a = (a + x[i] * y + u * m) div b */
+ uint32_t c = u288_muladd(a, x[i], y);
+ c += u288_muladd(a, u, mod->m);
+ u288_rshift32(a, c);
+ }
+
+ /* a = a > m ? a - m : a */
+ uint32_t carry_add = a[8]; // 0 or 1 since a < 2m, see HAC Note 14.37
+ uint32_t carry_sub = u256_sub(z, a, mod->m);
+ uint32_t use_sub = carry_add | (1 - carry_sub); // see m256_add()
+ u256_cmov(z, a, 1 - use_sub);
+}
+
+/*
+ * Montgomery modular multiplication modulo p.
+ *
+ * in: x, y in [0, p)
+ * out: z = (x * y) / 2^256 mod p, in [0, p)
+ *
+ * Note: as a memory area, z may overlap with x or y.
+ */
+static void m256_mul_p(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8])
+{
+ m256_mul(z, x, y, &p256_p);
+}
+
+/*
+ * In-place conversion to Montgomery form
+ *
+ * in: z in [0, m)
+ * mod must point to a valid m256_mod structure
+ * out: z_out = z_in * 2^256 mod m, in [0, m)
+ */
+static void m256_prep(uint32_t z[8], const m256_mod *mod)
+{
+ m256_mul(z, z, mod->R2, mod);
+}
+
+/*
+ * In-place conversion from Montgomery form
+ *
+ * in: z in [0, m)
+ * mod must point to a valid m256_mod structure
+ * out: z_out = z_in / 2^256 mod m, in [0, m)
+ * That is, z_in was z_actual * 2^256 mod m, and z_out is z_actual
+ */
+static void m256_done(uint32_t z[8], const m256_mod *mod)
+{
+ uint32_t one[8];
+ u256_set32(one, 1);
+ m256_mul(z, z, one, mod);
+}
+
+/*
+ * Set to 32-bit value
+ *
+ * in: x in [0, 2^32)
+ * mod must point to a valid m256_mod structure
+ * out: z = x * 2^256 mod m, in [0, m)
+ * That is, z is set to the image of x in the Montgomery domain.
+ */
+static void m256_set32(uint32_t z[8], uint32_t x, const m256_mod *mod)
+{
+ u256_set32(z, x);
+ m256_prep(z, mod);
+}
+
+/*
+ * Modular inversion in Montgomery form
+ *
+ * in: x in [0, m)
+ * mod must point to a valid m256_mod structure
+ * such that mod->m % 2^32 >= 2, assumed to be public.
+ * out: z = x^-1 * 2^512 mod m if x != 0,
+ * z = 0 if x == 0
+ * That is, if x = x_actual * 2^256 mod m, then
+ * z = x_actual^-1 * 2^256 mod m
+ *
+ * Note: as a memory area, z may overlap with x.
+ */
+static void m256_inv(uint32_t z[8], const uint32_t x[8],
+ const m256_mod *mod)
+{
+ /*
+ * Use Fermat's little theorem to compute x^-1 as x^(m-2).
+ *
+ * Take advantage of the fact that both p's and n's least significant limb
+ * is at least 2 to perform the subtraction on the flight (no carry).
+ *
+ * Use plain right-to-left binary exponentiation;
+ * branches are OK as the exponent is not a secret.
+ */
+ uint32_t bitval[8];
+ u256_cmov(bitval, x, 1); /* copy x before writing to z */
+
+ m256_set32(z, 1, mod);
+
+ unsigned i = 0;
+ uint32_t limb = mod->m[i] - 2;
+ while (1) {
+ for (unsigned j = 0; j < 32; j++) {
+ if ((limb & 1) != 0) {
+ m256_mul(z, z, bitval, mod);
+ }
+ m256_mul(bitval, bitval, bitval, mod);
+ limb >>= 1;
+ }
+
+ if (i == 7)
+ break;
+
+ i++;
+ limb = mod->m[i];
+ }
+}
+
+/*
+ * Import modular integer from bytes to Montgomery domain
+ *
+ * in: p = p0, ..., p32
+ * mod must point to a valid m256_mod structure
+ * out: z = (p0 * 2^248 + ... + p31) * 2^256 mod m, in [0, m)
+ * return 0 if the number was already in [0, m), or -1.
+ * z may be incorrect and must be discared when -1 is returned.
+ */
+static int m256_from_bytes(uint32_t z[8],
+ const uint8_t p[32], const m256_mod *mod)
+{
+ u256_from_bytes(z, p);
+
+ uint32_t t[8];
+ uint32_t lt_m = u256_sub(t, z, mod->m);
+ if (lt_m != 1)
+ return -1;
+
+ m256_prep(z, mod);
+ return 0;
+}
+
+/*
+ * Export modular integer from Montgomery domain to bytes
+ *
+ * in: z in [0, 2^256)
+ * mod must point to a valid m256_mod structure
+ * out: p = p0, ..., p31 such that
+ * z = (p0 * 2^248 + ... + p31) * 2^256 mod m
+ */
+static void m256_to_bytes(uint8_t p[32],
+ const uint32_t z[8], const m256_mod *mod)
+{
+ uint32_t zi[8];
+ u256_cmov(zi, z, 1);
+ m256_done(zi, mod);
+
+ u256_to_bytes(p, zi);
+}
+
+/**********************************************************************
+ *
+ * Operations on curve points
+ *
+ * Points are represented in two coordinates system:
+ * - affine (x, y) - extended to represent 0 (see below)
+ * - jacobian (x:y:z)
+ * In either case, coordinates are integers modulo p256_p and
+ * are always represented in the Montgomery domain.
+ *
+ * For background on jacobian coordinates, see for example [GECC] 3.2.2:
+ * - conversions go (x, y) -> (x:y:1) and (x:y:z) -> (x/z^2, y/z^3)
+ * - the curve equation becomes y^2 = x^3 - 3 x z^4 + b z^6
+ * - 0 (aka the origin aka point at infinity) is (x:y:0) with y^2 = x^3.
+ * - point negation goes -(x:y:z) = (x:-y:z)
+ *
+ * Normally 0 (the point at infinity) can't be represented in affine
+ * coordinates. However we extend affine coordinates with the convention that
+ * (0, 0) (which is normally not a point on the curve) is interpreted as 0.
+ *
+ * References:
+ * - [GECC]: Guide to Elliptic Curve Cryptography; Hankerson, Menezes,
+ * Vanstone; Springer, 2004.
+ * - [CMO98]: Efficient Elliptic Curve Exponentiation Using Mixed Coordinates;
+ * Cohen, Miyaji, Ono; Springer, ASIACRYPT 1998.
+ * https://link.springer.com/content/pdf/10.1007/3-540-49649-1_6.pdf
+ * - [RCB15]: Complete addition formulas for prime order elliptic curves;
+ * Renes, Costello, Batina; IACR e-print 2015-1060.
+ * https://eprint.iacr.org/2015/1060.pdf
+ *
+ **********************************************************************/
+
+/*
+ * The curve's b parameter in the Short Weierstrass equation
+ * y^2 = x^3 - 3*x + b
+ * Compared to the standard, this is converted to the Montgomery domain.
+ */
+static const uint32_t p256_b[8] = { /* b * 2^256 mod p */
+ 0x29c4bddf, 0xd89cdf62, 0x78843090, 0xacf005cd,
+ 0xf7212ed6, 0xe5a220ab, 0x04874834, 0xdc30061d,
+};
+
+/*
+ * The curve's conventional base point G.
+ * Compared to the standard, coordinates converted to the Montgomery domain.
+ */
+static const uint32_t p256_gx[8] = { /* G_x * 2^256 mod p */
+ 0x18a9143c, 0x79e730d4, 0x5fedb601, 0x75ba95fc,
+ 0x77622510, 0x79fb732b, 0xa53755c6, 0x18905f76,
+};
+static const uint32_t p256_gy[8] = { /* G_y * 2^256 mod p */
+ 0xce95560a, 0xddf25357, 0xba19e45c, 0x8b4ab8e4,
+ 0xdd21f325, 0xd2e88688, 0x25885d85, 0x8571ff18,
+};
+
+/*
+ * Point-on-curve check - do the coordinates satisfy the curve's equation?
+ *
+ * in: x, y in [0, p) (Montgomery domain)
+ * out: 0 if the point lies on the curve and is not 0,
+ * unspecified non-zero otherwise
+ */
+static uint32_t point_check(const uint32_t x[8], const uint32_t y[8])
+{
+ uint32_t lhs[8], rhs[8];
+
+ /* lhs = y^2 */
+ m256_mul_p(lhs, y, y);
+
+ /* rhs = x^3 - 3x + b */
+ m256_mul_p(rhs, x, x); /* x^2 */
+ m256_mul_p(rhs, rhs, x); /* x^3 */
+ for (unsigned i = 0; i < 3; i++)
+ m256_sub_p(rhs, rhs, x); /* x^3 - 3x */
+ m256_add_p(rhs, rhs, p256_b); /* x^3 - 3x + b */
+
+ return u256_diff(lhs, rhs);
+}
+
+/*
+ * In-place jacobian to affine coordinate conversion
+ *
+ * in: (x:y:z) must be on the curve (coordinates in Montegomery domain)
+ * out: x_out = x_in / z_in^2 (Montgomery domain)
+ * y_out = y_in / z_in^3 (Montgomery domain)
+ * z_out unspecified, must be disregarded
+ *
+ * Note: if z is 0 (that is, the input point is 0), x_out = y_out = 0.
+ */
+static void point_to_affine(uint32_t x[8], uint32_t y[8], uint32_t z[8])
+{
+ uint32_t t[8];
+
+ m256_inv(z, z, &p256_p); /* z = z^-1 */
+
+ m256_mul_p(t, z, z); /* t = z^-2 */
+ m256_mul_p(x, x, t); /* x = x * z^-2 */
+
+ m256_mul_p(t, t, z); /* t = z^-3 */
+ m256_mul_p(y, y, t); /* y = y * z^-3 */
+}
+
+/*
+ * In-place point doubling in jacobian coordinates (Montgomery domain)
+ *
+ * in: P_in = (x:y:z), must be on the curve
+ * out: (x:y:z) = P_out = 2 * P_in
+ */
+static void point_double(uint32_t x[8], uint32_t y[8], uint32_t z[8])
+{
+ /*
+ * This is formula 6 from [CMO98], cited as complete in [RCB15] (table 1).
+ * Notations as in the paper, except u added and t ommited (it's x3).
+ */
+ uint32_t m[8], s[8], u[8];
+
+ /* m = 3 * x^2 + a * z^4 = 3 * (x + z^2) * (x - z^2) */
+ m256_mul_p(s, z, z);
+ m256_add_p(m, x, s);
+ m256_sub_p(u, x, s);
+ m256_mul_p(s, m, u);
+ m256_add_p(m, s, s);
+ m256_add_p(m, m, s);
+
+ /* s = 4 * x * y^2 */
+ m256_mul_p(u, y, y);
+ m256_add_p(u, u, u); /* u = 2 * y^2 (used below) */
+ m256_mul_p(s, x, u);
+ m256_add_p(s, s, s);
+
+ /* u = 8 * y^4 (not named in the paper, first term of y3) */
+ m256_mul_p(u, u, u);
+ m256_add_p(u, u, u);
+
+ /* x3 = t = m^2 - 2 * s */
+ m256_mul_p(x, m, m);
+ m256_sub_p(x, x, s);
+ m256_sub_p(x, x, s);
+
+ /* z3 = 2 * y * z */
+ m256_mul_p(z, y, z);
+ m256_add_p(z, z, z);
+
+ /* y3 = -u + m * (s - t) */
+ m256_sub_p(y, s, x);
+ m256_mul_p(y, y, m);
+ m256_sub_p(y, y, u);
+}
+
+/*
+ * In-place point addition in jacobian-affine coordinates (Montgomery domain)
+ *
+ * in: P_in = (x1:y1:z1), must be on the curve and not 0
+ * Q = (x2, y2), must be on the curve and not P_in or -P_in or 0
+ * out: P_out = (x1:y1:z1) = P_in + Q
+ */
+static void point_add(uint32_t x1[8], uint32_t y1[8], uint32_t z1[8],
+ const uint32_t x2[8], const uint32_t y2[8])
+{
+ /*
+ * This is formula 5 from [CMO98], with z2 == 1 substituted. We use
+ * intermediates with neutral names, and names from the paper in comments.
+ */
+ uint32_t t1[8], t2[8], t3[8];
+
+ /* u1 = x1 and s1 = y1 (no computations) */
+
+ /* t1 = u2 = x2 z1^2 */
+ m256_mul_p(t1, z1, z1);
+ m256_mul_p(t2, t1, z1);
+ m256_mul_p(t1, t1, x2);
+
+ /* t2 = s2 = y2 z1^3 */
+ m256_mul_p(t2, t2, y2);
+
+ /* t1 = h = u2 - u1 */
+ m256_sub_p(t1, t1, x1); /* t1 = x2 * z1^2 - x1 */
+
+ /* t2 = r = s2 - s1 */
+ m256_sub_p(t2, t2, y1);
+
+ /* z3 = z1 * h */
+ m256_mul_p(z1, z1, t1);
+
+ /* t1 = h^3 */
+ m256_mul_p(t3, t1, t1);
+ m256_mul_p(t1, t3, t1);
+
+ /* t3 = x1 * h^2 */
+ m256_mul_p(t3, t3, x1);
+
+ /* x3 = r^2 - 2 * x1 * h^2 - h^3 */
+ m256_mul_p(x1, t2, t2);
+ m256_sub_p(x1, x1, t3);
+ m256_sub_p(x1, x1, t3);
+ m256_sub_p(x1, x1, t1);
+
+ /* y3 = r * (x1 * h^2 - x3) - y1 h^3 */
+ m256_sub_p(t3, t3, x1);
+ m256_mul_p(t3, t3, t2);
+ m256_mul_p(t1, t1, y1);
+ m256_sub_p(y1, t3, t1);
+}
+
+/*
+ * Point addition or doubling (affine to jacobian, Montgomery domain)
+ *
+ * in: P = (x1, y1) - must be on the curve and not 0
+ * Q = (x2, y2) - must be on the curve and not 0
+ * out: (x3, y3) = R = P + Q
+ *
+ * Note: unlike point_add(), this function works if P = +- Q;
+ * however it leaks information on its input through timing,
+ * branches taken and memory access patterns (if observable).
+ */
+static void point_add_or_double_leaky(
+ uint32_t x3[8], uint32_t y3[8],
+ const uint32_t x1[8], const uint32_t y1[8],
+ const uint32_t x2[8], const uint32_t y2[8])
+{
+
+ uint32_t z3[8];
+ u256_cmov(x3, x1, 1);
+ u256_cmov(y3, y1, 1);
+ m256_set32(z3, 1, &p256_p);
+
+ if (u256_diff(x1, x2) != 0) {
+ // P != +- Q -> generic addition
+ point_add(x3, y3, z3, x2, y2);
+ point_to_affine(x3, y3, z3);
+ }
+ else if (u256_diff(y1, y2) == 0) {
+ // P == Q -> double
+ point_double(x3, y3, z3);
+ point_to_affine(x3, y3, z3);
+ } else {
+ // P == -Q -> zero
+ m256_set32(x3, 0, &p256_p);
+ m256_set32(y3, 0, &p256_p);
+ }
+}
+
+/*
+ * Import curve point from bytes
+ *
+ * in: p = (x, y) concatenated, fixed-width 256-bit big-endian integers
+ * out: x, y in Mongomery domain
+ * return 0 if x and y are both in [0, p)
+ * and (x, y) is on the curve and not 0
+ * unspecified non-zero otherwise.
+ * x and y are unspecified and must be discarded if returning non-zero.
+ */
+static int point_from_bytes(uint32_t x[8], uint32_t y[8], const uint8_t p[64])
+{
+ int ret;
+
+ ret = m256_from_bytes(x, p, &p256_p);
+ if (ret != 0)
+ return ret;
+
+ ret = m256_from_bytes(y, p + 32, &p256_p);
+ if (ret != 0)
+ return ret;
+
+ return (int) point_check(x, y);
+}
+
+/*
+ * Export curve point to bytes
+ *
+ * in: x, y affine coordinates of a point (Montgomery domain)
+ * must be on the curve and not 0
+ * out: p = (x, y) concatenated, fixed-width 256-bit big-endian integers
+ */
+static void point_to_bytes(uint8_t p[64],
+ const uint32_t x[8], const uint32_t y[8])
+{
+ m256_to_bytes(p, x, &p256_p);
+ m256_to_bytes(p + 32, y, &p256_p);
+}
+
+/**********************************************************************
+ *
+ * Scalar multiplication and other scalar-related operations
+ *
+ **********************************************************************/
+
+/*
+ * Scalar multiplication
+ *
+ * in: P = (px, py), affine (Montgomery), must be on the curve and not 0
+ * s in [1, n-1]
+ * out: R = s * P = (rx, ry), affine coordinates (Montgomery).
+ *
+ * Note: as memory areas, none of the parameters may overlap.
+ */
+static void scalar_mult(uint32_t rx[8], uint32_t ry[8],
+ const uint32_t px[8], const uint32_t py[8],
+ const uint32_t s[8])
+{
+ /*
+ * We use a signed binary ladder, see for example slides 10-14 of
+ * http://ecc2015.math.u-bordeaux1.fr/documents/hamburg.pdf but with
+ * implicit recoding, and a different loop initialisation to avoid feeding
+ * 0 to our addition formulas, as they don't support it.
+ */
+ uint32_t s_odd[8], py_neg[8], py_use[8], rz[8];
+
+ /*
+ * Make s odd by replacing it with n - s if necessary.
+ *
+ * If s was odd, we'll have s_odd = s, and define P' = P.
+ * Otherwise, we'll have s_odd = n - s and define P' = -P.
+ *
+ * Either way, we can compute s * P as s_odd * P'.
+ */
+ u256_sub(s_odd, p256_n.m, s); /* no carry, result still in [1, n-1] */
+ uint32_t negate = ~s[0] & 1;
+ u256_cmov(s_odd, s, 1 - negate);
+
+ /* Compute py_neg = - py mod p (that's the y coordinate of -P) */
+ u256_set32(py_use, 0);
+ m256_sub_p(py_neg, py_use, py);
+
+ /* Initialize R = P' = (x:(-1)^negate * y:1) */
+ u256_cmov(rx, px, 1);
+ u256_cmov(ry, py, 1);
+ m256_set32(rz, 1, &p256_p);
+ u256_cmov(ry, py_neg, negate);
+
+ /*
+ * For any odd number s_odd = b255 ... b1 1, we have
+ * s_odd = 2^255 + 2^254 sbit(b255) + ... + 2 sbit(b2) + sbit(b1)
+ * writing
+ * sbit(b) = 2 * b - 1 = b ? 1 : -1
+ *
+ * Use that to compute s_odd * P' by repeating R = 2 * R +- P':
+ * s_odd * P' = 2 * ( ... (2 * P' + sbit(b255) P') ... ) + sbit(b1) P'
+ *
+ * The loop invariant is that when beginning an iteration we have
+ * R = s_i P'
+ * with
+ * s_i = 2^(255-i) + 2^(254-i) sbit(b_255) + ...
+ * where the sum has 256 - i terms.
+ *
+ * When updating R we need to make sure the input to point_add() is
+ * neither 0 not +-P'. Since that input is 2 s_i P', it is sufficient to
+ * see that 1 < 2 s_i < n-1. The lower bound is obvious since s_i is a
+ * positive integer, and for the upper bound we distinguish three cases.
+ *
+ * If i > 1, then s_i < 2^254, so 2 s_i < 2^255 < n-1.
+ * Otherwise, i == 1 and we have 2 s_i = s_odd - sbit(b1).
+ * If s_odd <= n-4, then 2 s_1 <= n-3.
+ * Otherwise, s_odd = n-2, and for this curve's value of n,
+ * we have b1 == 1, so sbit(b1) = 1 and 2 s_1 <= n-3.
+ */
+ for (unsigned i = 255; i > 0; i--) {
+ uint32_t bit = (s_odd[i / 32] >> i % 32) & 1;
+
+ /* set (px, py_use) = sbit(bit) P' = sbit(bit) * (-1)^negate P */
+ u256_cmov(py_use, py, bit ^ negate);
+ u256_cmov(py_use, py_neg, (1 - bit) ^ negate);
+
+ /* Update R = 2 * R +- P' */
+ point_double(rx, ry, rz);
+ point_add(rx, ry, rz, px, py_use);
+ }
+
+ point_to_affine(rx, ry, rz);
+}
+
+/*
+ * Scalar import from big-endian bytes
+ *
+ * in: p = p0, ..., p31
+ * out: s = p0 * 2^248 + p1 * 2^240 + ... + p30 * 2^8 + p31
+ * return 0 if s in [1, n-1],
+ * -1 otherwise.
+ */
+static int scalar_from_bytes(uint32_t s[8], const uint8_t p[32])
+{
+ u256_from_bytes(s, p);
+
+ uint32_t r[8];
+ uint32_t lt_n = u256_sub(r, s, p256_n.m);
+
+ u256_set32(r, 1);
+ uint32_t lt_1 = u256_sub(r, s, r);
+
+ if (lt_n && !lt_1)
+ return 0;
+
+ return -1;
+}
+
+/* Using RNG functions from Mbed TLS as p256-m does not come with a
+ * cryptographically secure RNG function.
+ */
+int p256_generate_random(uint8_t *output, unsigned output_size)
+{
+ int ret;
+ ret = psa_generate_random(output, output_size);
+
+ if (ret != 0){
+ return P256_RANDOM_FAILED;
+ }
+ return P256_SUCCESS;
+}
+
+/*
+ * Scalar generation, with public key
+ *
+ * out: sbytes the big-endian bytes representation of the scalar
+ * s its u256 representation
+ * x, y the affine coordinates of s * G (Montgomery domain)
+ * return 0 if OK, -1 on failure
+ * sbytes, s, x, y must be discarded when returning non-zero.
+ */
+static int scalar_gen_with_pub(uint8_t sbytes[32], uint32_t s[8],
+ uint32_t x[8], uint32_t y[8])
+{
+ /* generate a random valid scalar */
+ int ret;
+ unsigned nb_tried = 0;
+ do {
+ if (nb_tried++ >= 4)
+ return -1;
+
+ ret = p256_generate_random(sbytes, 32);
+ CT_POISON(sbytes, 32);
+ if (ret != 0)
+ return -1;
+
+ ret = scalar_from_bytes(s, sbytes);
+ CT_UNPOISON(&ret, sizeof ret);
+ }
+ while (ret != 0);
+
+ /* compute and ouput the associated public key */
+ scalar_mult(x, y, p256_gx, p256_gy, s);
+
+ /* the associated public key is not a secret */
+ CT_UNPOISON(x, 32);
+ CT_UNPOISON(y, 32);
+
+ return 0;
+}
+
+/*
+ * ECDH/ECDSA generate pair
+ */
+int p256_gen_keypair(uint8_t priv[32], uint8_t pub[64])
+{
+ uint32_t s[8], x[8], y[8];
+ int ret = scalar_gen_with_pub(priv, s, x, y);
+ zeroize(s, sizeof s);
+ if (ret != 0)
+ return P256_RANDOM_FAILED;
+
+ point_to_bytes(pub, x, y);
+ return 0;
+}
+
+/**********************************************************************
+ *
+ * ECDH
+ *
+ **********************************************************************/
+
+/*
+ * ECDH compute shared secret
+ */
+int p256_ecdh_shared_secret(uint8_t secret[32],
+ const uint8_t priv[32], const uint8_t peer[64])
+{
+ CT_POISON(priv, 32);
+
+ uint32_t s[8], px[8], py[8], x[8], y[8];
+ int ret;
+
+ ret = scalar_from_bytes(s, priv);
+ CT_UNPOISON(&ret, sizeof ret);
+ if (ret != 0) {
+ ret = P256_INVALID_PRIVKEY;
+ goto cleanup;
+ }
+
+ ret = point_from_bytes(px, py, peer);
+ if (ret != 0) {
+ ret = P256_INVALID_PUBKEY;
+ goto cleanup;
+ }
+
+ scalar_mult(x, y, px, py, s);
+
+ m256_to_bytes(secret, x, &p256_p);
+ CT_UNPOISON(secret, 32);
+
+cleanup:
+ zeroize(s, sizeof s);
+ return ret;
+}
+
+/**********************************************************************
+ *
+ * ECDSA
+ *
+ * Reference:
+ * [SEC1] SEC 1: Elliptic Curve Cryptography, Certicom research, 2009.
+ * http://www.secg.org/sec1-v2.pdf
+ **********************************************************************/
+
+/*
+ * Reduction mod n of a small number
+ *
+ * in: x in [0, 2^256)
+ * out: x_out = x_in mod n in [0, n)
+ */
+static void ecdsa_m256_mod_n(uint32_t x[8])
+{
+ uint32_t t[8];
+ uint32_t c = u256_sub(t, x, p256_n.m);
+ u256_cmov(x, t, 1 - c);
+}
+
+/*
+ * Import integer mod n (Montgomery domain) from hash
+ *
+ * in: h = h0, ..., h_hlen
+ * hlen the length of h in bytes
+ * out: z = (h0 * 2^l-8 + ... + h_l) * 2^256 mod n
+ * with l = min(32, hlen)
+ *
+ * Note: in [SEC1] this is step 5 of 4.1.3 (sign) or step 3 or 4.1.4 (verify),
+ * with obvious simplications since n's bit-length is a multiple of 8.
+ */
+static void ecdsa_m256_from_hash(uint32_t z[8],
+ const uint8_t *h, size_t hlen)
+{
+ /* convert from h (big-endian) */
+ /* hlen is public data so it's OK to branch on it */
+ if (hlen < 32) {
+ uint8_t p[32];
+ for (unsigned i = 0; i < 32; i++)
+ p[i] = 0;
+ for (unsigned i = 0; i < hlen; i++)
+ p[32 - hlen + i] = h[i];
+ u256_from_bytes(z, p);
+ } else {
+ u256_from_bytes(z, h);
+ }
+
+ /* ensure the result is in [0, n) */
+ ecdsa_m256_mod_n(z);
+
+ /* map to Montgomery domain */
+ m256_prep(z, &p256_n);
+}
+
+/*
+ * ECDSA sign
+ */
+int p256_ecdsa_sign(uint8_t sig[64], const uint8_t priv[32],
+ const uint8_t *hash, size_t hlen)
+{
+ CT_POISON(priv, 32);
+
+ /*
+ * Steps and notations from [SEC1] 4.1.3
+ *
+ * Instead of retrying on r == 0 or s == 0, just abort,
+ * as those events have negligible probability.
+ */
+ int ret;
+
+ /* Temporary buffers - the first two are mostly stable, so have names */
+ uint32_t xr[8], k[8], t3[8], t4[8];
+
+ /* 1. Set ephemeral keypair */
+ uint8_t *kb = (uint8_t *) t4;
+ /* kb will be erased by re-using t4 for dU - if we exit before that, we
+ * haven't read the private key yet so we kb isn't sensitive yet */
+ ret = scalar_gen_with_pub(kb, k, xr, t3); /* xr = x_coord(k * G) */
+ if (ret != 0)
+ return P256_RANDOM_FAILED;
+ m256_prep(k, &p256_n);
+
+ /* 2. Convert xr to an integer */
+ m256_done(xr, &p256_p);
+
+ /* 3. Reduce xr mod n (extra: output it while at it) */
+ ecdsa_m256_mod_n(xr); /* xr = int(xr) mod n */
+
+ /* xr is public data so it's OK to use a branch */
+ if (u256_diff0(xr) == 0)
+ return P256_RANDOM_FAILED;
+
+ u256_to_bytes(sig, xr);
+
+ m256_prep(xr, &p256_n);
+
+ /* 4. Skipped - we take the hash as an input, not the message */
+
+ /* 5. Derive an integer from the hash */
+ ecdsa_m256_from_hash(t3, hash, hlen); /* t3 = e */
+
+ /* 6. Compute s = k^-1 * (e + r * dU) */
+
+ /* Note: dU will be erased by re-using t4 for the value of s (public) */
+ ret = scalar_from_bytes(t4, priv); /* t4 = dU (integer domain) */
+ CT_UNPOISON(&ret, sizeof ret); /* Result of input validation */
+ if (ret != 0)
+ return P256_INVALID_PRIVKEY;
+ m256_prep(t4, &p256_n); /* t4 = dU (Montgomery domain) */
+
+ m256_inv(k, k, &p256_n); /* k^-1 */
+ m256_mul(t4, xr, t4, &p256_n); /* t4 = r * dU */
+ m256_add(t4, t3, t4, &p256_n); /* t4 = e + r * dU */
+ m256_mul(t4, k, t4, &p256_n); /* t4 = s = k^-1 * (e + r * dU) */
+ zeroize(k, sizeof k);
+
+ /* 7. Output s (r already outputed at step 3) */
+ CT_UNPOISON(t4, 32);
+ if (u256_diff0(t4) == 0) {
+ /* undo early output of r */
+ u256_to_bytes(sig, t4);
+ return P256_RANDOM_FAILED;
+ }
+ m256_to_bytes(sig + 32, t4, &p256_n);
+
+ return P256_SUCCESS;
+}
+
+/*
+ * ECDSA verify
+ */
+int p256_ecdsa_verify(const uint8_t sig[64], const uint8_t pub[64],
+ const uint8_t *hash, size_t hlen)
+{
+ /*
+ * Steps and notations from [SEC1] 4.1.3
+ *
+ * Note: we're using public data only, so branches are OK
+ */
+ int ret;
+
+ /* 1. Validate range of r and s : [1, n-1] */
+ uint32_t r[8], s[8];
+ ret = scalar_from_bytes(r, sig);
+ if (ret != 0)
+ return P256_INVALID_SIGNATURE;
+ ret = scalar_from_bytes(s, sig + 32);
+ if (ret != 0)
+ return P256_INVALID_SIGNATURE;
+
+ /* 2. Skipped - we take the hash as an input, not the message */
+
+ /* 3. Derive an integer from the hash */
+ uint32_t e[8];
+ ecdsa_m256_from_hash(e, hash, hlen);
+
+ /* 4. Compute u1 = e * s^-1 and u2 = r * s^-1 */
+ uint32_t u1[8], u2[8];
+ m256_prep(s, &p256_n); /* s in Montgomery domain */
+ m256_inv(s, s, &p256_n); /* s = s^-1 mod n */
+ m256_mul(u1, e, s, &p256_n); /* u1 = e * s^-1 mod n */
+ m256_done(u1, &p256_n); /* u1 out of Montgomery domain */
+
+ u256_cmov(u2, r, 1);
+ m256_prep(u2, &p256_n); /* r in Montgomery domain */
+ m256_mul(u2, u2, s, &p256_n); /* u2 = r * s^-1 mod n */
+ m256_done(u2, &p256_n); /* u2 out of Montgomery domain */
+
+ /* 5. Compute R (and re-use (u1, u2) to store its coordinates */
+ uint32_t px[8], py[8];
+ ret = point_from_bytes(px, py, pub);
+ if (ret != 0)
+ return P256_INVALID_PUBKEY;
+
+ scalar_mult(e, s, px, py, u2); /* (e, s) = R2 = u2 * Qu */
+
+ if (u256_diff0(u1) == 0) {
+ /* u1 out of range for scalar_mult() - just skip it */
+ u256_cmov(u1, e, 1);
+ /* we don't care about the y coordinate */
+ } else {
+ scalar_mult(px, py, p256_gx, p256_gy, u1); /* (px, py) = R1 = u1 * G */
+
+ /* (u1, u2) = R = R1 + R2 */
+ point_add_or_double_leaky(u1, u2, px, py, e, s);
+ /* No need to check if R == 0 here: if that's the case, it will be
+ * caught when comparating rx (which will be 0) to r (which isn't). */
+ }
+
+ /* 6. Convert xR to an integer */
+ m256_done(u1, &p256_p);
+
+ /* 7. Reduce xR mod n */
+ ecdsa_m256_mod_n(u1);
+
+ /* 8. Compare xR mod n to r */
+ uint32_t diff = u256_diff(u1, r);
+ if (diff == 0)
+ return P256_SUCCESS;
+
+ return P256_INVALID_SIGNATURE;
+}
+
+#endif
diff --git a/3rdparty/p256-m/p256-m/p256-m.h b/3rdparty/p256-m/p256-m/p256-m.h
new file mode 100644
index 0000000..f455cf1
--- /dev/null
+++ b/3rdparty/p256-m/p256-m/p256-m.h
@@ -0,0 +1,95 @@
+/*
+ * Interface of curve P-256 (ECDH and ECDSA)
+ *
+ * Author: Manuel Pégourié-Gonnard.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+#ifndef P256_M_H
+#define P256_M_H
+
+#include <stdint.h>
+#include <stddef.h>
+
+/* Status codes */
+#define P256_SUCCESS 0
+#define P256_RANDOM_FAILED -1
+#define P256_INVALID_PUBKEY -2
+#define P256_INVALID_PRIVKEY -3
+#define P256_INVALID_SIGNATURE -4
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * RNG function - must be provided externally and be cryptographically secure.
+ *
+ * in: output - must point to a writable buffer of at least output_size bytes.
+ * output_size - the number of random bytes to write to output.
+ * out: output is filled with output_size random bytes.
+ * return 0 on success, non-zero on errors.
+ */
+extern int p256_generate_random(uint8_t * output, unsigned output_size);
+
+/*
+ * ECDH/ECDSA generate key pair
+ *
+ * [in] draws from p256_generate_random()
+ * [out] priv: on success, holds the private key, as a big-endian integer
+ * [out] pub: on success, holds the public key, as two big-endian integers
+ *
+ * return: P256_SUCCESS on success
+ * P256_RANDOM_FAILED on failure
+ */
+int p256_gen_keypair(uint8_t priv[32], uint8_t pub[64]);
+
+/*
+ * ECDH compute shared secret
+ *
+ * [out] secret: on success, holds the shared secret, as a big-endian integer
+ * [in] priv: our private key as a big-endian integer
+ * [in] pub: the peer's public key, as two big-endian integers
+ *
+ * return: P256_SUCCESS on success
+ * P256_INVALID_PRIVKEY if priv is invalid
+ * P256_INVALID_PUBKEY if pub is invalid
+ */
+int p256_ecdh_shared_secret(uint8_t secret[32],
+ const uint8_t priv[32], const uint8_t pub[64]);
+
+/*
+ * ECDSA sign
+ *
+ * [in] draws from p256_generate_random()
+ * [out] sig: on success, holds the signature, as two big-endian integers
+ * [in] priv: our private key as a big-endian integer
+ * [in] hash: the hash of the message to be signed
+ * [in] hlen: the size of hash in bytes
+ *
+ * return: P256_SUCCESS on success
+ * P256_RANDOM_FAILED on failure
+ * P256_INVALID_PRIVKEY if priv is invalid
+ */
+int p256_ecdsa_sign(uint8_t sig[64], const uint8_t priv[32],
+ const uint8_t *hash, size_t hlen);
+
+/*
+ * ECDSA verify
+ *
+ * [in] sig: the signature to be verified, as two big-endian integers
+ * [in] pub: the associated public key, as two big-endian integers
+ * [in] hash: the hash of the message that was signed
+ * [in] hlen: the size of hash in bytes
+ *
+ * return: P256_SUCCESS on success - the signature was verified as valid
+ * P256_INVALID_PUBKEY if pub is invalid
+ * P256_INVALID_SIGNATURE if the signature was found to be invalid
+ */
+int p256_ecdsa_verify(const uint8_t sig[64], const uint8_t pub[64],
+ const uint8_t *hash, size_t hlen);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* P256_M_H */
diff --git a/3rdparty/p256-m/p256-m_driver_entrypoints.c b/3rdparty/p256-m/p256-m_driver_entrypoints.c
new file mode 100644
index 0000000..8828909
--- /dev/null
+++ b/3rdparty/p256-m/p256-m_driver_entrypoints.c
@@ -0,0 +1,242 @@
+/*
+ * Driver entry points for p256-m
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mbedtls/platform.h"
+#include "p256-m_driver_entrypoints.h"
+#include "p256-m/p256-m.h"
+#include "psa/crypto.h"
+#include "psa_crypto_driver_wrappers.h"
+#include <stddef.h>
+
+#if defined(MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED)
+
+/* INFORMATION ON PSA KEY EXPORT FORMATS:
+ *
+ * PSA exports SECP256R1 keys in two formats:
+ * 1. Keypair format: 32 byte string which is just the private key (public key
+ * can be calculated from the private key)
+ * 2. Public Key format: A leading byte 0x04 (indicating uncompressed format),
+ * followed by the 64 byte public key. This results in a
+ * total of 65 bytes.
+ *
+ * p256-m's internal format for private keys matches PSA. Its format for public
+ * keys is only 64 bytes; the same as PSA but without the leading byte (0x04).
+ * Hence, when passing public keys from PSA to p256-m, the leading byte is
+ * removed.
+ */
+
+/* Convert between p256-m and PSA error codes */
+static psa_status_t p256_to_psa_error(int ret)
+{
+ switch (ret) {
+ case P256_SUCCESS:
+ return PSA_SUCCESS;
+ case P256_INVALID_PUBKEY:
+ case P256_INVALID_PRIVKEY:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case P256_INVALID_SIGNATURE:
+ return PSA_ERROR_INVALID_SIGNATURE;
+ case P256_RANDOM_FAILED:
+ default:
+ return PSA_ERROR_GENERIC_ERROR;
+ }
+}
+
+psa_status_t p256_transparent_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key_buffer,
+ size_t key_buffer_size,
+ size_t *key_buffer_length)
+{
+ /* We don't use this argument, but the specification mandates the signature
+ * of driver entry-points. (void) used to avoid compiler warning. */
+ (void) attributes;
+
+ psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
+
+ /*
+ * p256-m generates a 32 byte private key, and expects to write to a buffer
+ * that is of that size. */
+ if (key_buffer_size != 32) {
+ return status;
+ }
+
+ /*
+ * p256-m's keypair generation function outputs both public and private
+ * keys. Allocate a buffer to which the public key will be written. The
+ * private key will be written to key_buffer, which is passed to this
+ * function as an argument. */
+ uint8_t public_key_buffer[64];
+
+ status = p256_to_psa_error(
+ p256_gen_keypair(key_buffer, public_key_buffer));
+ if (status == PSA_SUCCESS) {
+ *key_buffer_length = 32;
+ }
+
+ return status;
+}
+
+psa_status_t p256_transparent_key_agreement(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length)
+{
+ /* We don't use these arguments, but the specification mandates the
+ * sginature of driver entry-points. (void) used to avoid compiler
+ * warning. */
+ (void) attributes;
+ (void) alg;
+
+ /*
+ * Check that private key = 32 bytes, peer public key = 65 bytes,
+ * and that the shared secret buffer is big enough. */
+ psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
+ if (key_buffer_size != 32 || shared_secret_size < 32 ||
+ peer_key_length != 65) {
+ return status;
+ }
+
+ /* We add 1 to peer_key pointer to omit the leading byte of the public key
+ * representation (0x04). See information about PSA key formats at the top
+ * of the file. */
+ status = p256_to_psa_error(
+ p256_ecdh_shared_secret(shared_secret, key_buffer, peer_key+1));
+ if (status == PSA_SUCCESS) {
+ *shared_secret_length = 32;
+ }
+
+ return status;
+}
+
+psa_status_t p256_transparent_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length)
+{
+ /* We don't use these arguments, but the specification mandates the
+ * sginature of driver entry-points. (void) used to avoid compiler
+ * warning. */
+ (void) attributes;
+ (void) alg;
+
+ psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
+ if (key_buffer_size != 32 || signature_size != 64) {
+ return status;
+ }
+
+ status = p256_to_psa_error(
+ p256_ecdsa_sign(signature, key_buffer, hash, hash_length));
+ if (status == PSA_SUCCESS) {
+ *signature_length = 64;
+ }
+
+ return status;
+}
+
+/* This function expects the key buffer to contain a 65 byte public key,
+ * as exported by psa_export_public_key() */
+static psa_status_t p256_verify_hash_with_public_key(
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ const uint8_t *hash,
+ size_t hash_length,
+ const uint8_t *signature,
+ size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
+ if (key_buffer_size != 65 || signature_length != 64 || *key_buffer != 0x04) {
+ return status;
+ }
+
+ /* We add 1 to public_key_buffer pointer to omit the leading byte of the
+ * public key representation (0x04). See information about PSA key formats
+ * at the top of the file. */
+ const uint8_t *public_key_buffer = key_buffer + 1;
+ status = p256_to_psa_error(
+ p256_ecdsa_verify(signature, public_key_buffer, hash, hash_length));
+
+ return status;
+}
+
+psa_status_t p256_transparent_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ const uint8_t *signature,
+ size_t signature_length)
+{
+ /* We don't use this argument, but the specification mandates the signature
+ * of driver entry-points. (void) used to avoid compiler warning. */
+ (void) alg;
+
+ psa_status_t status;
+ uint8_t public_key_buffer[65];
+ size_t public_key_buffer_size = 65;
+
+ size_t public_key_length = 65;
+ /* As p256-m doesn't require dynamic allocation, we want to avoid it in
+ * the entrypoint functions as well. psa_driver_wrapper_export_public_key()
+ * requires size_t*, so we use a pointer to a stack variable. */
+ size_t *public_key_length_ptr = &public_key_length;
+
+ /* The contents of key_buffer may either be the 32 byte private key
+ * (keypair format), or 0x04 followed by the 64 byte public key (public
+ * key format). To ensure the key is in the latter format, the public key
+ * is exported. */
+ status = psa_driver_wrapper_export_public_key(
+ attributes,
+ key_buffer,
+ key_buffer_size,
+ public_key_buffer,
+ public_key_buffer_size,
+ public_key_length_ptr);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = p256_verify_hash_with_public_key(
+ public_key_buffer,
+ public_key_buffer_size,
+ hash,
+ hash_length,
+ signature,
+ signature_length);
+
+exit:
+ return status;
+}
+
+#endif /* MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED */
diff --git a/3rdparty/p256-m/p256-m_driver_entrypoints.h b/3rdparty/p256-m/p256-m_driver_entrypoints.h
new file mode 100644
index 0000000..18c677a
--- /dev/null
+++ b/3rdparty/p256-m/p256-m_driver_entrypoints.h
@@ -0,0 +1,162 @@
+/*
+ * Driver entry points for p256-m
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef P256M_DRIVER_ENTRYPOINTS_H
+#define P256M_DRIVER_ENTRYPOINTS_H
+
+#if defined(MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED)
+#ifndef PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
+#define PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+#endif /* MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED */
+
+#include "psa/crypto_types.h"
+
+/** Generate SECP256R1 ECC Key Pair.
+ * Interface function which calls the p256-m key generation function and
+ * places it in the key buffer provided by the caller (mbed TLS) in the
+ * correct format. For a SECP256R1 curve this is the 32 bit private key.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[out] key_buffer The buffer to contain the key data in
+ * output format upon successful return.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[out] key_buffer_length The length of the data written in \p
+ * key_buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success. Keypair generated and stored in buffer.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_GENERIC_ERROR
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ */
+psa_status_t p256_transparent_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key_buffer,
+ size_t key_buffer_size,
+ size_t *key_buffer_length);
+
+/** Perform raw key agreement using p256-m's ECDH implementation
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the private key
+ * in the format specified by PSA.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A key agreement algorithm that is
+ * compatible with the type of the key.
+ * \param[in] peer_key The buffer containing the peer's public
+ * key in format specified by PSA.
+ * \param[in] peer_key_length Size of the \p peer_key buffer in
+ * bytes.
+ * \param[out] shared_secret The buffer to which the shared secret
+ * is to be written.
+ * \param[in] shared_secret_size Size of the \p shared_secret buffer in
+ * bytes.
+ * \param[out] shared_secret_length On success, the number of bytes that
+ * make up the returned shared secret.
+ * \retval #PSA_SUCCESS
+ * Success. Shared secret successfully calculated.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ */
+psa_status_t p256_transparent_key_agreement(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length);
+
+/** Sign an already-calculated hash with a private key using p256-m's ECDSA
+ * implementation
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the private key
+ * in the format specified by PSA.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible
+ * with the type of the key.
+ * \param[in] hash The hash to sign.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[out] signature Buffer where signature is to be written.
+ * \param[in] signature_size Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ * that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ * Success. Hash was signed successfully.
+ * respectively of the key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ */
+psa_status_t p256_transparent_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length);
+
+/** Verify the signature of a hash using a SECP256R1 public key using p256-m's
+ * ECDSA implementation.
+ *
+ * \note p256-m expects a 64 byte public key, but the contents of the key
+ buffer may be the 32 byte keypair representation or the 65 byte
+ public key representation. As a result, this function calls
+ psa_driver_wrapper_export_public_key() to ensure the public key
+ can be passed to p256-m.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ *
+ * \param[in] key_buffer The buffer containing the key
+ * in the format specified by PSA.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] hash The hash whose signature is to be
+ * verified.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param[in] signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The signature is valid.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ */
+psa_status_t p256_transparent_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ const uint8_t *signature,
+ size_t signature_length);
+
+#endif /* P256M_DRIVER_ENTRYPOINTS_H */
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index a7bf198..3a8c5c6 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -24,7 +24,7 @@
1. [Check for open issues](https://github.com/Mbed-TLS/mbedtls/issues) or [start a discussion](https://lists.trustedfirmware.org/mailman3/lists/mbed-tls.lists.trustedfirmware.org) around a feature idea or a bug.
1. Fork the [Mbed TLS repository on GitHub](https://github.com/Mbed-TLS/mbedtls) to start making your changes. As a general rule, you should use the ["development" branch](https://github.com/Mbed-TLS/mbedtls/tree/development) as a basis.
1. Write a test which shows that the bug was fixed or that the feature works as expected.
-1. Send a pull request (PR) and work with us until it gets merged and published. Contributions may need some modifications, so a few rounds of review and fixing may be necessary. We will include your name in the ChangeLog :)
+1. Send a pull request (PR) and work with us until it gets merged and published. Contributions may need some modifications, so a few rounds of review and fixing may be necessary. See our [review process guidelines](https://mbed-tls.readthedocs.io/en/latest/reviews/review-for-contributors/).
1. For quick merging, the contribution should be short, and concentrated on a single feature or topic. The larger the contribution is, the longer it would take to review it and merge it.
Backwards Compatibility
diff --git a/ChangeLog.d/ec_jpake_user_peer_2.txt b/ChangeLog.d/ec_jpake_user_peer_2.txt
new file mode 100644
index 0000000..9572ac7
--- /dev/null
+++ b/ChangeLog.d/ec_jpake_user_peer_2.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix the J-PAKE driver interface for user and peer to accept any values
+ (previously accepted values were limited to "client" or "server").
diff --git a/ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt b/ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt
new file mode 100644
index 0000000..22e8adb
--- /dev/null
+++ b/ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
+ MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
diff --git a/ChangeLog.d/programs_psa_fix.txt b/ChangeLog.d/programs_psa_fix.txt
new file mode 100644
index 0000000..fe2099e
--- /dev/null
+++ b/ChangeLog.d/programs_psa_fix.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix missing PSA initialization in sample programs when
+ MBEDTLS_USE_PSA_CRYPTO is enabled.
diff --git a/README.md b/README.md
index 288e692..fea73fc 100644
--- a/README.md
+++ b/README.md
@@ -307,6 +307,12 @@
Unless specifically indicated otherwise in a file, Mbed TLS files are provided under the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) license. See the [LICENSE](LICENSE) file for the full text of this license. Contributors must accept that their contributions are made under both the Apache-2.0 AND [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) licenses. This enables LTS (Long Term Support) branches of the software to be provided under either the Apache-2.0 OR GPL-2.0-or-later licenses.
+### Third-party code included in Mbed TLS
+This project contains code from other projects. This code is located within the `3rdparty/` directory. The original license text is included within project subdirectories, and in source files. The projects are listed below:
+
+* `3rdparty/everest/`: Files stem from [Project Everest](https://project-everest.github.io/) and are distributed under the Apache 2.0 license.
+* `3rdparty/p256-m/p256-m/`: Files have been taken from the [p256-m](https://github.com/mpg/p256-m) repository. The code in the original repository is distributed under the Apache 2.0 license. It is also used by the project under the Apache 2.0 license. We do not plan to regularly update these files, so they may not contain fixes and improvements present in the upstream project.
+
Contributing
------------
diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md
index cd1b9fc..a3e3c76 100644
--- a/docs/proposed/psa-driver-interface.md
+++ b/docs/proposed/psa-driver-interface.md
@@ -390,10 +390,6 @@
const psa_crypto_driver_pake_inputs_t *inputs,
uint8_t *peer_id, size_t peer_id_size, size_t *peer_id_length);
-psa_status_t psa_crypto_driver_pake_get_role(
- const psa_crypto_driver_pake_inputs_t *inputs,
- psa_pake_role_t *role);
-
psa_status_t psa_crypto_driver_pake_get_cipher_suite(
const psa_crypto_driver_pake_inputs_t *inputs,
psa_pake_cipher_suite_t *cipher_suite);
diff --git a/docs/psa-driver-example-and-guide.md b/docs/psa-driver-example-and-guide.md
new file mode 100644
index 0000000..ff66124
--- /dev/null
+++ b/docs/psa-driver-example-and-guide.md
@@ -0,0 +1,175 @@
+# PSA Cryptoprocessor driver development examples
+
+As of Mbed TLS 3.4.0, the PSA Driver Interface has only been partially implemented. As a result, the deliverables for writing a driver and the method for integrating a driver with Mbed TLS will vary depending on the operation being accelerated. This document describes how to write and integrate cryptoprocessor drivers depending on which operation or driver type is being implemented.
+
+The `docs/proposed/` directory contains three documents which pertain to the proposed, work-in-progress driver system. The [PSA Driver Interface](https://github.com/Mbed-TLS/mbedtls/blob/development/docs/proposed/psa-driver-interface.md) describes how drivers will interface with Mbed TLS in the future, as well as driver types, operation types, and entry points. As many key terms and concepts used in the examples in this document are defined in the PSA Driver Interface, it is recommended that developers read it prior to starting work on implementing drivers.
+The PSA Driver [Developer](https://github.com/Mbed-TLS/mbedtls/blob/development/docs/proposed/psa-driver-developer-guide.md) Guide describes the deliverables for writing a driver that can be used with Mbed TLS, and the PSA Driver [Integration](https://github.com/Mbed-TLS/mbedtls/blob/development/docs/proposed/psa-driver-integration-guide.md) Guide describes how a driver can be built alongside Mbed TLS.
+
+## Contents:
+[Background on how Mbed TLS calls drivers](#background-on-how-mbed-tls-calls-drivers)\
+[Process for Entry Points where auto-generation is implemented](#process-for-entry-points-where-auto-generation-is-implemented) \
+[Process for Entry Points where auto-generation is not implemented](#process-for-entry-points-where-auto-generation-is-not-implemented) \
+[Example: Manually integrating a software accelerator alongside Mbed TLS](#example-manually-integrating-a-software-accelerator-alongside-mbed-tls)
+
+## Background on how Mbed TLS calls drivers
+
+The PSA Driver Interface specification specifies which cryptographic operations can be accelerated by third-party drivers. Operations that are completed within one step (one function call), such as verifying a signature, are called *Single-Part Operations*. On the other hand, operations that consist of multiple steps implemented by different functions called sequentially are called *Multi-Part Operations*. Single-part operations implemented by a driver will have one entry point, while multi-part operations will have multiple: one for each step.
+
+There are two types of drivers: *transparent* or *opaque*. See below an excerpt from the PSA Driver Interface specification defining them:
+* **Transparent** drivers implement cryptographic operations on keys that are provided in cleartext at the beginning of each operation. They are typically used for hardware **accelerators**. When a transparent driver is available for a particular combination of parameters (cryptographic algorithm, key type and size, etc.), it is used instead of the default software implementation. Transparent drivers can also be pure software implementations that are distributed as plug-ins to a PSA Cryptography implementation (for example, an alternative implementation with different performance characteristics, or a certified implementation).
+* **Opaque** drivers implement cryptographic operations on keys that can only be used inside a protected environment such as a **secure element**, a hardware security module, a smartcard, a secure enclave, etc. An opaque driver is invoked for the specific [key location](https://github.com/Mbed-TLS/mbedtls/blob/development/docs/proposed/psa-driver-interface.md#lifetimes-and-locations) that the driver is registered for: the dispatch is based on the key's lifetime.
+
+Mbed TLS contains a **driver dispatch layer** (also called a driver wrapper layer). For each cryptographic operation that supports driver acceleration (or sub-part of a multi-part operation), the library calls the corresponding function in the driver wrapper. Using flags set at compile time, the driver wrapper ascertains whether any present drivers support the operation. When no such driver is present, the built-in library implementation is called as a fallback (if allowed). When a compatible driver is present, the driver wrapper calls the driver entry point function provided by the driver author.
+
+The long-term goal is for the driver dispatch layer to be auto-generated using a JSON driver description file provided by the driver author.
+For some cryptographic operations, this auto-generation logic has already been implemented. When accelerating these operations, the instructions in the above documents can be followed. For the remaining operations which do not yet support auto-generation of the driver wrapper, developers will have to manually edit the driver dispatch layer and call their driver's entry point functions from there.
+
+Auto-generation of the driver wrapper is supported for the operation entry points specified in the table below. Certain operations are only permitted for opaque drivers. All other operation entry points do not support auto-generation of the driver wrapper.
+
+| Transparent Driver | Opaque Driver |
+|---------------------|---------------------|
+| `import_key` | `import_key` |
+| `export_key` | `export_key` |
+| `export_public_key` | `export_public_key` |
+| | `copy_key` |
+| | `get_builtin_key` |
+
+### Process for Entry Points where auto-generation is implemented
+
+If the driver is accelerating operations whose entry points are in the above table, the instructions in the driver [developer](https://github.com/Mbed-TLS/mbedtls/blob/development/docs/proposed/psa-driver-developer-guide.md) and [integration](https://github.com/Mbed-TLS/mbedtls/blob/development/docs/proposed/psa-driver-integration-guide.md) guides should be followed.
+
+There are three deliverables for creating such a driver. These are:
+ - A driver description file (in JSON format).
+ - C header files defining the types required by the driver description. The names of these header files are declared in the driver description file.
+ - An object file compiled for the target platform defining the functions required by the driver description. Implementations may allow drivers to be provided as source files and compiled with the core instead of being pre-compiled.
+
+The Mbed TLS driver tests for the aforementioned entry points provide examples of how these deliverables can be implemented. For sample driver description JSON files, see [`mbedtls_test_transparent_driver.json`](https://github.com/Mbed-TLS/mbedtls/blob/development/scripts/data_files/driver_jsons/mbedtls_test_transparent_driver.json) or [`mbedtls_test_opaque_driver.json`](https://github.com/Mbed-TLS/mbedtls/blob/development/scripts/data_files/driver_jsons/mbedtls_test_transparent_driver.json). The header file required by the driver description is [`test_driver.h`](https://github.com/Mbed-TLS/mbedtls/blob/development/tests/include/test/drivers/test_driver.h). As Mbed TLS tests are built from source, there is no object file for the test driver. However, the source for the test driver can be found under `tests/src/drivers`.
+
+### Process for Entry Points where auto-generation is not implemented
+
+If the driver is accelerating operations whose entry points are not present in the table, a different process is followed where the developer manually edits the driver dispatch layer. The following steps describe this process. Steps 1, 2, 3, and 7 only need to be done once *per driver*. Steps 4, 5, and 6 must be done *for each single-part operation* or *for each sub-part of a multi-part operation* implemented by the driver.
+
+**1. Choose a driver prefix and a macro name that indicates whether the driver is enabled** \
+A driver prefix is simply a word (often the name of the driver) that all functions/macros associated with the driver should begin with. This is similar to how most functions/macros in Mbed TLS begin with `PSA_XXX/psa_xxx` or `MBEDTLS_XXX/mbedtls_xxx`. The macro name can follow the form `DRIVER_PREFIX_ENABLED` or something similar; it will be used to indicate the driver is available to be called. When building with the driver present, define this macro at compile time.
+
+**2. Include the following in one of the driver header files:**
+```
+#if defined(DRIVER_PREFIX_ENABLED)
+#ifndef PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
+#define PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
+#endif
+
+// other definitions here
+
+#endif
+```
+
+**3. Conditionally include header files required by the driver**
+Include any header files required by the driver in `psa_crypto_driver_wrappers.h`, placing the `#include` statements within an `#if defined` block which checks if the driver is available:
+```
+#if defined(DRIVER_PREFIX_ENABLED)
+#include ...
+#endif
+```
+
+
+**4. For each operation being accelerated, locate the function in the driver dispatch layer that corresponds to the entry point of that operation.** \
+The file `psa_crypto_driver_wrappers.c.jinja` contains the driver wrapper functions. For the entry points that have driver wrapper auto-generation implemented, the functions have been replaced with `jinja` templating logic. While the file has a `.jinja` extension, the driver wrapper functions for the remaining entry points are simple C functions. The names of these functions are of the form `psa_driver_wrapper` followed by the entry point name. So, for example, the function `psa_driver_wrapper_sign_hash()` corresponds to the `sign_hash` entry point.
+
+**5. If a driver entry point function has been provided then ensure it has the same signature as the driver wrapper function.** \
+If one has not been provided then write one. Its name should begin with the driver prefix, followed by transparent/opaque (depending on driver type), and end with the entry point name. It should have the same signature as the driver wrapper function. The purpose of the entry point function is to take arguments in PSA format for the implemented operation and return outputs/status codes in PSA format. \
+*Return Codes:*
+* `PSA_SUCCESS`: Successful Execution
+* `PSA_ERROR_NOT_SUPPORTED`: Input arguments are correct, but the driver does not support the operation. If a transparent driver returns this then it allows fallback to another driver or software implementation.
+* `PSA_ERROR_XXX`: Any other PSA error code, see API documentation
+
+**6. Modify the driver wrapper function** \
+Each driver wrapper function contains a `switch` statement which checks the location of the key. If the key is stored in local storage, then operations are performed by a transparent driver. If it is stored elsewhere, then operations are performed by an opaque driver.
+ * **Transparent drivers:** Calls to driver entry points go under `case PSA_KEY_LOCATION_LOCAL_STORAGE`.
+ * **Opaque Drivers** Calls to driver entry points go in a separate `case` block corresponding to the key location.
+
+
+The diagram below shows the layout of a driver wrapper function which can dispatch to two transparent drivers `Foo` and `Bar`, and one opaque driver `Baz`.
+
+ ```
+psa_driver_wrapper_xxx()
+├── switch(location)
+| |
+| ├── case PSA_KEY_LOCATION_LOCAL_STORAGE //transparent driver
+| | ├── #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+| | | ├── #if defined(FOO_DRIVER_PREFIX_ENABLED)
+| | | | ├── if(//conditions for foo driver capibilities)
+| | | | ├── foo_driver_transparent_xxx() //call to driver entry point
+| | | | ├── if (status != PSA_ERROR_NOT_SUPPORTED) return status
+| | | ├── #endif
+| | | ├── #if defined(BAR_DRIVER_PREFIX_ENABLED)
+| | | | ├── if(//conditions for bar driver capibilities)
+| | | | ├── bar_driver_transparent_xxx() //call to driver entry point
+| | | | ├── if (status != PSA_ERROR_NOT_SUPPORTED) return status
+| | | ├── #endif
+| | ├── #endif
+| |
+| ├── case SECURE_ELEMENT_LOCATION //opaque driver
+| | ├── #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+| | | ├── #if defined(BAZ_DRIVER_PREFIX_ENABLED)
+| | | | ├── if(//conditions for baz driver capibilities)
+| | | | ├── baz_driver_opaque_xxx() //call to driver entry point
+| | | | ├── if (status != PSA_ERROR_NOT_SUPPORTED) return status
+| | | ├── #endif
+| | ├── #endif
+└── return psa_xxx_builtin() // fall back to built in implementation
+ ```
+
+All code related to driver calls within each `case` must be contained between `#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)` and a corresponding `#endif`. Within this block, each individual driver's compatibility checks and call to the entry point must be contained between `#if defined(DRIVER_PREFIX_ENABLED)` and a corresponding `#endif`. Checks that involve accessing key material using PSA macros, such as determining the key type or number of bits, must be done in the driver wrapper.
+
+**7. Build Mbed TLS with the driver**
+This guide assumes you are building Mbed TLS from source alongside your project. If building with a driver present, the chosen driver macro (`DRIVER_PREFIX_ENABLED`) must be defined. This can be done in two ways:
+* *At compile time via flags.* This is the preferred option when your project uses Mbed TLS mostly out-of-the-box without significantly modifying the configuration. This can be done by passing the option via `CFLAGS`.
+ * **Make**:
+ ```
+ make CFLAGS="-DDRIVER_PREFIX_ENABLED"
+ ```
+ * **CMake**: CFLAGS must be passed to CMake when it is invoked. Invoke CMake with
+
+ ```
+ CFLAGS="-DDRIVER_PREFIX_ENABLED" cmake path/to/source
+ ```
+* *Providing a user config file.* This is the preferred option when your project requires a custom configuration that is significantly different to the default. Define the macro for the driver, along with any other custom configurations in a separate header file, then use `config.py`, to set `MBEDTLS_USER_CONFIG_FILE`, providing the path to the defined header file. This will include your custom config file after the default. If you wish to completely replace the default config file, set `MBEDTLS_CONFIG_FILE` instead.
+
+### Example: Manually integrating a software accelerator alongside Mbed TLS
+
+[p256-m](https://github.com/mpg/p256-m) is a minimalistic implementation of ECDH and ECDSA on the NIST P-256 curve, specifically optimized for use in constrained 32-bit environments. As such, it serves as a software accelerator. This section demonstrates the integration of `p256-m` as a transparent driver alongside Mbed TLS, serving as a guide for implementation.
+The code for p256-m can be found in `3rdparty/p256-m/p256m`. In this demonstration, p256-m is built from source alongside Mbed TLS.
+
+The driver prefix for p256-m is `P256`/`p256`. The driver macro is `MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED`. To build with and use p256-m, set the macro using `config.py`, then build as usual using make/cmake. From the root of the `mbedtls/` directory, run:
+
+ python3 scripts/config.py set MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED
+ make
+
+p256-m implements four entry points: `generate_key`, `key_agreement`, `sign_hash`, `verify_hash`. The `sign/verify_hash` entry points are used instead of `sign/verify_message` as messages must be hashed prior to any operation, and p256-m does not implement this. The driver entry point functions can be found in `p256m_driver_entrypoints.[hc]`. These functions act as an interface between Mbed TLS and p256-m; converting between PSA and p256-m argument formats and performing sanity checks. If the driver's status codes differ from PSA's, it is recommended to implement a status code translation function. The function `p256_to_psa_error()` converts error codes returned by p256-m into PSA error codes.
+
+The driver wrapper functions in `psa_crypto_driver_wrappers.c.jinja` for all four entry points have also been modified. The code block below shows the additions made to `psa_driver_wrapper_sign_hash()`. In adherence to the defined process, all code related to the driver call is placed within a check for `MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED`. p256-m only supports non-deterministic ECDSA using keys based on NIST P256; these constraints are enforced through checks (see the `if` statement). Checks that involve accessing key attributes, (e.g. checking key type or bits) **must** be performed in the driver wrapper. This is because this information is marked private and may not be accessed outside the library. Other checks can be performed here or in the entry point function. The status returned by the driver is propagated up the call hierarchy **unless** the driver does not support the operation (i.e. return `PSA_ERROR_NOT_SUPPORTED`). In that case the next available driver/built-in implementation is called.
+
+```
+#if defined (MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED)
+ if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) &&
+ PSA_ALG_IS_ECDSA(alg) &&
+ !PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) &&
+ PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type) == PSA_ECC_FAMILY_SECP_R1 &&
+ attributes->core.bits == 256 )
+ {
+ status = p256_transparent_sign_hash( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_size,
+ signature_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+ }
+#endif /* MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED */
+```
+Following this, p256-m is now ready to use alongside Mbed TLS as a software accelerator. If `MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED` is set in the config, p256-m's implementations of key generation, ECDH, and ECDSA will be used where applicable.
diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md
index 9d783d5..92d0985 100644
--- a/docs/use-psa-crypto.md
+++ b/docs/use-psa-crypto.md
@@ -13,7 +13,8 @@
**Application code:** when this option is enabled, you need to call
`psa_crypto_init()` before calling any function from the SSL/TLS, X.509 or PK
-module.
+modules, except for the various mbedtls_xxx_init() functions which can be called
+at any time.
**Why enable this option:** to fully take advantage of PSA drivers in PK,
X.509 and TLS. For example, enabling this option is what allows use of drivers
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 266eb9e..c81cd1c 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -66,13 +66,6 @@
#error "MBEDTLS_HAVE_TIME_DATE without MBEDTLS_HAVE_TIME does not make sense"
#endif
-#if defined(__aarch64__) && defined(__GNUC__)
-/* We don't do anything with MBEDTLS_AESCE_C on systems without ^ these two */
-#if defined(MBEDTLS_AESCE_C) && !defined(MBEDTLS_HAVE_ASM)
-#error "MBEDTLS_AESCE_C defined, but not all prerequisites"
-#endif
-#endif
-
#if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C)
#error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
#endif
diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h
index a63bb32..0008d73 100644
--- a/include/mbedtls/ecjpake.h
+++ b/include/mbedtls/ecjpake.h
@@ -54,6 +54,7 @@
typedef enum {
MBEDTLS_ECJPAKE_CLIENT = 0, /**< Client */
MBEDTLS_ECJPAKE_SERVER, /**< Server */
+ MBEDTLS_ECJPAKE_NONE, /**< Undefined */
} mbedtls_ecjpake_role;
#if !defined(MBEDTLS_ECJPAKE_ALT)
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 89d5659..75e4147 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1931,7 +1931,8 @@
* break backwards compatibility.
*
* \warning If you enable this option, you need to call `psa_crypto_init()`
- * before calling any function from the SSL/TLS, X.509 or PK modules.
+ * before calling any function from the SSL/TLS, X.509 or PK modules, except
+ * for the various mbedtls_xxx_init() functions which can be called at any time.
*
* \note An important and desirable effect of this option is that it allows
* PK, X.509 and TLS to take advantage of PSA drivers. For example, enabling
@@ -2076,12 +2077,15 @@
* Module: library/aesce.c
* Caller: library/aes.c
*
- * Requires: MBEDTLS_HAVE_ASM, MBEDTLS_AES_C
+ * Requires: MBEDTLS_AES_C
*
* \warning Runtime detection only works on Linux. For non-Linux operating
* system, Armv8-A Cryptographic Extensions must be supported by
* the CPU when this option is enabled.
*
+ * \note Minimum compiler versions for this feature are Clang 4.0,
+ * GCC 6.0 or MSVC 2019 version 16.11.2.
+ *
* This module adds support for the AES Armv8-A Cryptographic Extensions on Aarch64 systems.
*/
#define MBEDTLS_AESCE_C
@@ -3916,4 +3920,18 @@
*/
//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
+/**
+ * Uncomment to enable p256-m, which implements ECC key generation, ECDH,
+ * and ECDSA for SECP256R1 curves. This driver is used as an example to
+ * document how a third-party driver or software accelerator can be integrated
+ * to work alongside Mbed TLS.
+ *
+ * \warning p256-m has only been included to serve as a sample implementation
+ * of how a driver/accelerator can be integrated alongside Mbed TLS. It is not
+ * intended for use in production. p256-m files in Mbed TLS are not updated
+ * regularly, so they may not contain upstream fixes/improvements.
+ * DO NOT ENABLE/USE THIS MACRO IN PRODUCTION BUILDS!
+ */
+//#define MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED
+
/** \} name SECTION: Module configuration options */
diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h
index c280360..d9473ac 100644
--- a/include/psa/crypto_builtin_composites.h
+++ b/include/psa/crypto_builtin_composites.h
@@ -202,7 +202,7 @@
uint8_t *MBEDTLS_PRIVATE(password);
size_t MBEDTLS_PRIVATE(password_len);
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
- uint8_t MBEDTLS_PRIVATE(role);
+ mbedtls_ecjpake_role MBEDTLS_PRIVATE(role);
uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_JPAKE_BUFFER_SIZE]);
size_t MBEDTLS_PRIVATE(buffer_length);
size_t MBEDTLS_PRIVATE(buffer_offset);
diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index b858180..232a839 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@@ -1328,20 +1328,6 @@
const psa_crypto_driver_pake_inputs_t *inputs,
uint8_t *buffer, size_t buffer_size, size_t *buffer_length);
-/** Get the role from given inputs.
- *
- * \param[in] inputs Operation inputs.
- * \param[out] role Return buffer for role.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BAD_STATE
- * Role hasn't been set yet.
- */
-psa_status_t psa_crypto_driver_pake_get_role(
- const psa_crypto_driver_pake_inputs_t *inputs,
- psa_pake_role_t *role);
-
/** Get the length of the user id in bytes from given inputs.
*
* \param[in] inputs Operation inputs.
@@ -1560,7 +1546,6 @@
* been set (psa_pake_set_user() hasn't been
* called yet).
* \param[in] user_id The user ID to authenticate with.
- * (temporary limitation: "client" or "server" only)
* \param user_id_len Size of the \p user_id buffer in bytes.
*
* \retval #PSA_SUCCESS
@@ -1602,7 +1587,6 @@
* been set (psa_pake_set_peer() hasn't been
* called yet).
* \param[in] peer_id The peer's ID to authenticate.
- * (temporary limitation: "client" or "server" only)
* \param peer_id_len Size of the \p peer_id buffer in bytes.
*
* \retval #PSA_SUCCESS
@@ -2039,7 +2023,6 @@
struct psa_crypto_driver_pake_inputs_s {
uint8_t *MBEDTLS_PRIVATE(password);
size_t MBEDTLS_PRIVATE(password_len);
- psa_pake_role_t MBEDTLS_PRIVATE(role);
uint8_t *MBEDTLS_PRIVATE(user);
size_t MBEDTLS_PRIVATE(user_len);
uint8_t *MBEDTLS_PRIVATE(peer);
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 5359883..a992d8a 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -272,6 +272,10 @@
target_link_libraries(${mbedcrypto_static_target} PUBLIC everest)
endif()
+ if(TARGET p256m)
+ target_link_libraries(${mbedcrypto_static_target} PUBLIC p256m)
+ endif()
+
add_library(${mbedx509_static_target} STATIC ${src_x509})
set_target_properties(${mbedx509_static_target} PROPERTIES OUTPUT_NAME mbedx509)
target_link_libraries(${mbedx509_static_target} PUBLIC ${libs} ${mbedcrypto_static_target})
@@ -291,6 +295,10 @@
target_link_libraries(${mbedcrypto_target} PUBLIC everest)
endif()
+ if(TARGET p256m)
+ target_link_libraries(${mbedcrypto_target} PUBLIC p256m)
+ endif()
+
add_library(${mbedx509_target} SHARED ${src_x509})
set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.4.0 SOVERSION 5)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
diff --git a/library/aesce.c b/library/aesce.c
index fe056dc..ff8c2e0 100644
--- a/library/aesce.c
+++ b/library/aesce.c
@@ -48,22 +48,34 @@
#if defined(MBEDTLS_HAVE_ARM64)
+/* Compiler version checks. */
+#if defined(__clang__)
+# if __clang_major__ < 4
+# error "Minimum version of Clang for MBEDTLS_AESCE_C is 4.0."
+# endif
+#elif defined(__GNUC__)
+# if __GNUC__ < 6
+# error "Minimum version of GCC for MBEDTLS_AESCE_C is 6.0."
+# endif
+#elif defined(_MSC_VER)
+/* TODO: We haven't verified MSVC from 1920 to 1928. If someone verified that,
+ * please update this and document of `MBEDTLS_AESCE_C` in
+ * `mbedtls_config.h`. */
+# if _MSC_VER < 1929
+# error "Minimum version of MSVC for MBEDTLS_AESCE_C is 2019 version 16.11.2."
+# endif
+#endif
+
#if !defined(__ARM_FEATURE_AES) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
# if defined(__clang__)
-# if __clang_major__ < 4
-# error "A more recent Clang is required for MBEDTLS_AESCE_C"
-# endif
# pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)
# define MBEDTLS_POP_TARGET_PRAGMA
# elif defined(__GNUC__)
-# if __GNUC__ < 6
-# error "A more recent GCC is required for MBEDTLS_AESCE_C"
-# endif
# pragma GCC push_options
# pragma GCC target ("arch=armv8-a+crypto")
# define MBEDTLS_POP_TARGET_PRAGMA
-# else
-# error "Only GCC and Clang supported for MBEDTLS_AESCE_C"
+# elif defined(_MSC_VER)
+# error "Required feature(__ARM_FEATURE_AES) is not enabled."
# endif
#endif /* !__ARM_FEATURE_AES || MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG */
@@ -295,12 +307,24 @@
* Older compilers miss some intrinsic functions for `poly*_t`. We use
* uint8x16_t and uint8x16x3_t as input/output parameters.
*/
+#if defined(__GNUC__) && !defined(__clang__)
+/* GCC reports incompatible type error without cast. GCC think poly64_t and
+ * poly64x1_t are different, that is different with MSVC and Clang. */
+#define MBEDTLS_VMULL_P64(a, b) vmull_p64((poly64_t) a, (poly64_t) b)
+#else
+/* MSVC reports `error C2440: 'type cast'` with cast. Clang does not report
+ * error with/without cast. And I think poly64_t and poly64x1_t are same, no
+ * cast for clang also. */
+#define MBEDTLS_VMULL_P64(a, b) vmull_p64(a, b)
+#endif
static inline uint8x16_t pmull_low(uint8x16_t a, uint8x16_t b)
{
+
return vreinterpretq_u8_p128(
- vmull_p64(
- (poly64_t) vget_low_p64(vreinterpretq_p64_u8(a)),
- (poly64_t) vget_low_p64(vreinterpretq_p64_u8(b))));
+ MBEDTLS_VMULL_P64(
+ vget_low_p64(vreinterpretq_p64_u8(a)),
+ vget_low_p64(vreinterpretq_p64_u8(b))
+ ));
}
static inline uint8x16_t pmull_high(uint8x16_t a, uint8x16_t b)
@@ -362,9 +386,14 @@
static inline uint8x16_t poly_mult_reduce(uint8x16x3_t input)
{
uint8x16_t const ZERO = vdupq_n_u8(0);
- /* use 'asm' as an optimisation barrier to prevent loading MODULO from memory */
+
uint64x2_t r = vreinterpretq_u64_u8(vdupq_n_u8(0x87));
+#if defined(__GNUC__)
+ /* use 'asm' as an optimisation barrier to prevent loading MODULO from
+ * memory. It is for GNUC compatible compilers.
+ */
asm ("" : "+w" (r));
+#endif
uint8x16_t const MODULO = vreinterpretq_u8_u64(vshrq_n_u64(r, 64 - 8));
uint8x16_t h, m, l; /* input high/middle/low 128b */
uint8x16_t c, d, e, f, g, n, o;
diff --git a/library/aesce.h b/library/aesce.h
index 12ddc74..7048d77 100644
--- a/library/aesce.h
+++ b/library/aesce.h
@@ -30,11 +30,11 @@
#include "mbedtls/aes.h"
-
-#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \
- defined(__aarch64__) && !defined(MBEDTLS_HAVE_ARM64)
+#if !defined(MBEDTLS_HAVE_ARM64)
+#if defined(__aarch64__) || defined(_M_ARM64) || defined(_M_ARM64EC)
#define MBEDTLS_HAVE_ARM64
#endif
+#endif
#if defined(MBEDTLS_HAVE_ARM64)
diff --git a/library/bignum_core.c b/library/bignum_core.c
index a99b3be..b0ffa37 100644
--- a/library/bignum_core.c
+++ b/library/bignum_core.c
@@ -33,7 +33,7 @@
#include "bn_mul.h"
#include "constant_time_internal.h"
-inline size_t mbedtls_mpi_core_clz(mbedtls_mpi_uint a)
+size_t mbedtls_mpi_core_clz(mbedtls_mpi_uint a)
{
#if defined(__has_builtin)
#if __has_builtin(__builtin_clz)
diff --git a/library/ecdh.c b/library/ecdh.c
index b529af5..58ef881 100644
--- a/library/ecdh.c
+++ b/library/ecdh.c
@@ -20,7 +20,7 @@
/*
* References:
*
- * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
+ * SEC1 https://www.secg.org/sec1-v2.pdf
* RFC 4492
*/
diff --git a/library/ecdsa.c b/library/ecdsa.c
index eb3c303..1faec16 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -20,7 +20,7 @@
/*
* References:
*
- * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
+ * SEC1 https://www.secg.org/sec1-v2.pdf
*/
#include "common.h"
@@ -234,6 +234,19 @@
}
#endif /* ECDSA_DETERMINISTIC || !ECDSA_SIGN_ALT || !ECDSA_VERIFY_ALT */
+int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid)
+{
+ switch (gid) {
+#ifdef MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ case MBEDTLS_ECP_DP_CURVE25519: return 0;
+#endif
+#ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED
+ case MBEDTLS_ECP_DP_CURVE448: return 0;
+#endif
+ default: return 1;
+ }
+}
+
#if !defined(MBEDTLS_ECDSA_SIGN_ALT)
/*
* Compute ECDSA signature of a hashed message (SEC1 4.1.3)
@@ -373,19 +386,6 @@
return ret;
}
-int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid)
-{
- switch (gid) {
-#ifdef MBEDTLS_ECP_DP_CURVE25519_ENABLED
- case MBEDTLS_ECP_DP_CURVE25519: return 0;
-#endif
-#ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED
- case MBEDTLS_ECP_DP_CURVE448: return 0;
-#endif
- default: return 1;
- }
-}
-
/*
* Compute ECDSA signature of a hashed message
*/
diff --git a/library/ecp.c b/library/ecp.c
index 5d13b8e..086acb3 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -24,9 +24,11 @@
* GECC = Guide to Elliptic Curve Cryptography - Hankerson, Menezes, Vanstone
* FIPS 186-3 http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
* RFC 4492 for the related TLS structures and constants
+ * - https://www.rfc-editor.org/rfc/rfc4492
* RFC 7748 for the Curve448 and Curve25519 curve definitions
+ * - https://www.rfc-editor.org/rfc/rfc7748
*
- * [Curve25519] http://cr.yp.to/ecdh/curve25519-20060209.pdf
+ * [Curve25519] https://cr.yp.to/ecdh/curve25519-20060209.pdf
*
* [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
* for elliptic curve cryptosystems. In : Cryptographic Hardware and
diff --git a/library/pk.c b/library/pk.c
index 2516eed..4e2f218 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -904,6 +904,7 @@
/* import private key into PSA */
status = psa_import_key(&attributes, d, d_len, key);
+ mbedtls_platform_zeroize(d, sizeof(d));
if (status != PSA_SUCCESS) {
return PSA_PK_TO_MBEDTLS_ERR(status);
}
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 20918bc..f7e91d6 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -91,10 +91,6 @@
#define BUILTIN_ALG_ANY_HKDF 1
#endif
-/* The only two JPAKE user/peer identifiers supported for the time being. */
-static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
-static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
-
/****************************************************************/
/* Global data, support functions and library management */
/****************************************************************/
@@ -6481,6 +6477,27 @@
return status;
}
+static psa_status_t psa_key_derivation_input_integer_internal(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ uint64_t value)
+{
+ psa_status_t status;
+ psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+
+ {
+ (void) step;
+ (void) value;
+ (void) kdf_alg;
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(operation);
+ }
+ return status;
+}
+
psa_status_t psa_key_derivation_input_bytes(
psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step,
@@ -6492,6 +6509,14 @@
data, data_length);
}
+psa_status_t psa_key_derivation_input_integer(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ uint64_t value)
+{
+ return psa_key_derivation_input_integer_internal(operation, step, value);
+}
+
psa_status_t psa_key_derivation_input_key(
psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step,
@@ -7208,19 +7233,6 @@
return PSA_SUCCESS;
}
-psa_status_t psa_crypto_driver_pake_get_role(
- const psa_crypto_driver_pake_inputs_t *inputs,
- psa_pake_role_t *role)
-{
- if (inputs->role == PSA_PAKE_ROLE_NONE) {
- return PSA_ERROR_BAD_STATE;
- }
-
- *role = inputs->role;
-
- return PSA_SUCCESS;
-}
-
psa_status_t psa_crypto_driver_pake_get_user_len(
const psa_crypto_driver_pake_inputs_t *inputs,
size_t *user_len)
@@ -7415,15 +7427,6 @@
goto exit;
}
- /* Allow only "client" or "server" values (temporary restriction). */
- if ((user_id_len != sizeof(jpake_server_id) ||
- memcmp(user_id, jpake_server_id, user_id_len) != 0) &&
- (user_id_len != sizeof(jpake_client_id) ||
- memcmp(user_id, jpake_client_id, user_id_len) != 0)) {
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
-
operation->data.inputs.user = mbedtls_calloc(1, user_id_len);
if (operation->data.inputs.user == NULL) {
status = PSA_ERROR_INSUFFICIENT_MEMORY;
@@ -7461,15 +7464,6 @@
goto exit;
}
- /* Allow only "client" or "server" values (temporary restriction). */
- if ((peer_id_len != sizeof(jpake_server_id) ||
- memcmp(peer_id, jpake_server_id, peer_id_len) != 0) &&
- (peer_id_len != sizeof(jpake_client_id) ||
- memcmp(peer_id, jpake_client_id, peer_id_len) != 0)) {
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
-
operation->data.inputs.peer = mbedtls_calloc(1, peer_id_len);
if (operation->data.inputs.peer == NULL) {
status = PSA_ERROR_INSUFFICIENT_MEMORY;
@@ -7587,19 +7581,6 @@
if (inputs.user_len == 0 || inputs.peer_len == 0) {
return PSA_ERROR_BAD_STATE;
}
- if (memcmp(inputs.user, jpake_client_id, inputs.user_len) == 0 &&
- memcmp(inputs.peer, jpake_server_id, inputs.peer_len) == 0) {
- inputs.role = PSA_PAKE_ROLE_CLIENT;
- } else
- if (memcmp(inputs.user, jpake_server_id, inputs.user_len) == 0 &&
- memcmp(inputs.peer, jpake_client_id, inputs.peer_len) == 0) {
- inputs.role = PSA_PAKE_ROLE_SERVER;
- }
-
- if (inputs.role != PSA_PAKE_ROLE_CLIENT &&
- inputs.role != PSA_PAKE_ROLE_SERVER) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
}
/* Clear driver context */
diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h
index 7d672d6..cf8fe69 100644
--- a/library/psa_crypto_driver_wrappers.h
+++ b/library/psa_crypto_driver_wrappers.h
@@ -24,6 +24,10 @@
#include "psa/crypto.h"
#include "psa/crypto_driver_common.h"
+#if defined(MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED)
+#include "../3rdparty/p256-m/p256-m_driver_entrypoints.h"
+#endif /* MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED */
+
/*
* Initialization and termination functions
*/
diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index a537184..4136614 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -168,13 +168,11 @@
static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operation)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecjpake_role role = (operation->role == PSA_PAKE_ROLE_CLIENT) ?
- MBEDTLS_ECJPAKE_CLIENT : MBEDTLS_ECJPAKE_SERVER;
mbedtls_ecjpake_init(&operation->ctx.jpake);
ret = mbedtls_ecjpake_setup(&operation->ctx.jpake,
- role,
+ operation->role,
MBEDTLS_MD_SHA256,
MBEDTLS_ECP_DP_SECP256R1,
operation->password,
@@ -190,21 +188,30 @@
}
#endif
+/* The only two JPAKE user/peer identifiers supported in built-in implementation. */
+static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
+static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
+
psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
const psa_crypto_driver_pake_inputs_t *inputs)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t password_len = 0;
- psa_pake_role_t role = PSA_PAKE_ROLE_NONE;
+ size_t user_len = 0, peer_len = 0, password_len = 0;
+ uint8_t *peer = NULL, *user = NULL;
+ size_t actual_user_len = 0, actual_peer_len = 0, actual_password_len = 0;
psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
- size_t actual_password_len = 0;
status = psa_crypto_driver_pake_get_password_len(inputs, &password_len);
if (status != PSA_SUCCESS) {
return status;
}
- status = psa_crypto_driver_pake_get_role(inputs, &role);
+ psa_crypto_driver_pake_get_user_len(inputs, &user_len);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ psa_crypto_driver_pake_get_peer_len(inputs, &peer_len);
if (status != PSA_SUCCESS) {
return status;
}
@@ -216,7 +223,20 @@
operation->password = mbedtls_calloc(1, password_len);
if (operation->password == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto error;
+ }
+
+ user = mbedtls_calloc(1, user_len);
+ if (user == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto error;
+ }
+
+ peer = mbedtls_calloc(1, peer_len);
+ if (peer == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto error;
}
status = psa_crypto_driver_pake_get_password(inputs, operation->password,
@@ -225,6 +245,18 @@
goto error;
}
+ status = psa_crypto_driver_pake_get_user(inputs, user,
+ user_len, &actual_user_len);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+
+ status = psa_crypto_driver_pake_get_peer(inputs, peer,
+ peer_len, &actual_peer_len);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+
operation->password_len = actual_password_len;
operation->alg = cipher_suite.algorithm;
@@ -238,7 +270,24 @@
goto error;
}
- operation->role = role;
+ const size_t user_peer_len = sizeof(jpake_client_id); // client and server have the same length
+ if (actual_user_len != user_peer_len ||
+ actual_peer_len != user_peer_len) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto error;
+ }
+
+ if (memcmp(user, jpake_client_id, actual_user_len) == 0 &&
+ memcmp(peer, jpake_server_id, actual_peer_len) == 0) {
+ operation->role = MBEDTLS_ECJPAKE_CLIENT;
+ } else
+ if (memcmp(user, jpake_server_id, actual_user_len) == 0 &&
+ memcmp(peer, jpake_client_id, actual_peer_len) == 0) {
+ operation->role = MBEDTLS_ECJPAKE_SERVER;
+ } else {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto error;
+ }
operation->buffer_length = 0;
operation->buffer_offset = 0;
@@ -248,6 +297,9 @@
goto error;
}
+ /* Role has been set, release user/peer buffers. */
+ mbedtls_free(user); mbedtls_free(peer);
+
return PSA_SUCCESS;
} else
#else
@@ -257,6 +309,7 @@
{ status = PSA_ERROR_NOT_SUPPORTED; }
error:
+ mbedtls_free(user); mbedtls_free(peer);
/* In case of failure of the setup of a multipart operation, the PSA driver interface
* specifies that the core does not call any other driver entry point thus does not
* call mbedtls_psa_pake_abort(). Therefore call it here to do the needed clean
@@ -332,7 +385,7 @@
* information is already available.
*/
if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE &&
- operation->role == PSA_PAKE_ROLE_SERVER) {
+ operation->role == MBEDTLS_ECJPAKE_SERVER) {
/* Skip ECParameters, with is 3 bytes (RFC 8422) */
operation->buffer_offset += 3;
}
@@ -423,7 +476,7 @@
* we're a client.
*/
if (step == PSA_JPAKE_X4S_STEP_KEY_SHARE &&
- operation->role == PSA_PAKE_ROLE_CLIENT) {
+ operation->role == MBEDTLS_ECJPAKE_CLIENT) {
/* We only support secp256r1. */
/* This is the ECParameters structure defined by RFC 8422. */
unsigned char ecparameters[3] = {
@@ -541,7 +594,7 @@
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
if (operation->alg == PSA_ALG_JPAKE) {
- operation->role = PSA_PAKE_ROLE_NONE;
+ operation->role = MBEDTLS_ECJPAKE_NONE;
mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
operation->buffer_length = 0;
operation->buffer_offset = 0;
diff --git a/programs/fuzz/fuzz_client.c b/programs/fuzz/fuzz_client.c
index 56a5efe..d4e1d74 100644
--- a/programs/fuzz/fuzz_client.c
+++ b/programs/fuzz/fuzz_client.c
@@ -78,6 +78,13 @@
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
goto exit;
@@ -175,6 +182,9 @@
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_ssl_config_free(&conf);
mbedtls_ssl_free(&ssl);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#else
(void) Data;
diff --git a/programs/fuzz/fuzz_dtlsclient.c b/programs/fuzz/fuzz_dtlsclient.c
index a58f6f4..3659026 100644
--- a/programs/fuzz/fuzz_dtlsclient.c
+++ b/programs/fuzz/fuzz_dtlsclient.c
@@ -61,6 +61,13 @@
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
srand(1);
if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
@@ -119,6 +126,9 @@
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_ssl_config_free(&conf);
mbedtls_ssl_free(&ssl);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#else
(void) Data;
diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c
index cdd69c0..1632e9d 100644
--- a/programs/fuzz/fuzz_dtlsserver.c
+++ b/programs/fuzz/fuzz_dtlsserver.c
@@ -50,6 +50,20 @@
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
+ mbedtls_x509_crt_init(&srvcert);
+ mbedtls_pk_init(&pkey);
+#endif
+ mbedtls_ssl_init(&ssl);
+ mbedtls_ssl_config_init(&conf);
+ mbedtls_ssl_cookie_init(&cookie_ctx);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
@@ -58,8 +72,7 @@
if (initialized == 0) {
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
- mbedtls_x509_crt_init(&srvcert);
- mbedtls_pk_init(&pkey);
+
if (mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_srv_crt,
mbedtls_test_srv_crt_len) != 0) {
return 1;
@@ -78,9 +91,6 @@
initialized = 1;
}
- mbedtls_ssl_init(&ssl);
- mbedtls_ssl_config_init(&conf);
- mbedtls_ssl_cookie_init(&cookie_ctx);
if (mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_SERVER,
@@ -154,9 +164,16 @@
exit:
mbedtls_ssl_cookie_free(&cookie_ctx);
mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
+ mbedtls_pk_free(&pkey);
+ mbedtls_x509_crt_free(&srvcert);
+#endif
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_ssl_config_free(&conf);
mbedtls_ssl_free(&ssl);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#else
(void) Data;
diff --git a/programs/fuzz/fuzz_privkey.c b/programs/fuzz/fuzz_privkey.c
index 39c23e2..ce75624 100644
--- a/programs/fuzz/fuzz_privkey.c
+++ b/programs/fuzz/fuzz_privkey.c
@@ -30,13 +30,20 @@
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
+ mbedtls_pk_init(&pk);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
- return 1;
+ goto exit;
}
- mbedtls_pk_init(&pk);
ret = mbedtls_pk_parse_key(&pk, Data, Size, NULL, 0,
dummy_random, &ctr_drbg);
if (ret == 0) {
@@ -83,7 +90,13 @@
abort();
}
}
+exit:
+ mbedtls_entropy_free(&entropy);
+ mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_pk_free(&pk);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#else
(void) Data;
(void) Size;
diff --git a/programs/fuzz/fuzz_pubkey.c b/programs/fuzz/fuzz_pubkey.c
index 7f5e4aa..9203b4e 100644
--- a/programs/fuzz/fuzz_pubkey.c
+++ b/programs/fuzz/fuzz_pubkey.c
@@ -11,6 +11,12 @@
mbedtls_pk_context pk;
mbedtls_pk_init(&pk);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
ret = mbedtls_pk_parse_public_key(&pk, Data, Size);
if (ret == 0) {
#if defined(MBEDTLS_RSA_C)
@@ -66,6 +72,10 @@
abort();
}
}
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+exit:
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_free(&pk);
#else
(void) Data;
diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c
index cd021e1..e767859 100644
--- a/programs/fuzz/fuzz_server.c
+++ b/programs/fuzz/fuzz_server.c
@@ -58,6 +58,21 @@
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
+ mbedtls_x509_crt_init(&srvcert);
+ mbedtls_pk_init(&pkey);
+#endif
+ mbedtls_ssl_init(&ssl);
+ mbedtls_ssl_config_init(&conf);
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
+ mbedtls_ssl_ticket_init(&ticket_ctx);
+#endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
@@ -67,8 +82,6 @@
if (initialized == 0) {
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
- mbedtls_x509_crt_init(&srvcert);
- mbedtls_pk_init(&pkey);
if (mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_srv_crt,
mbedtls_test_srv_crt_len) != 0) {
return 1;
@@ -92,11 +105,6 @@
initialized = 1;
}
- mbedtls_ssl_init(&ssl);
- mbedtls_ssl_config_init(&conf);
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
- mbedtls_ssl_ticket_init(&ticket_ctx);
-#endif
if (mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_SERVER,
@@ -193,8 +201,14 @@
mbedtls_entropy_free(&entropy);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_ssl_config_free(&conf);
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
+ mbedtls_x509_crt_free(&srvcert);
+ mbedtls_pk_free(&pkey);
+#endif
mbedtls_ssl_free(&ssl);
-
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif
#else
(void) Data;
(void) Size;
diff --git a/programs/fuzz/fuzz_x509crl.c b/programs/fuzz/fuzz_x509crl.c
index 6ff0c05..313540d 100644
--- a/programs/fuzz/fuzz_x509crl.c
+++ b/programs/fuzz/fuzz_x509crl.c
@@ -11,6 +11,12 @@
unsigned char buf[4096];
mbedtls_x509_crl_init(&crl);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
ret = mbedtls_x509_crl_parse(&crl, Data, Size);
#if !defined(MBEDTLS_X509_REMOVE_INFO)
if (ret == 0) {
@@ -20,6 +26,11 @@
((void) ret);
((void) buf);
#endif /* !MBEDTLS_X509_REMOVE_INFO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+exit:
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_x509_crl_free(&crl);
#else
(void) Data;
diff --git a/programs/fuzz/fuzz_x509crt.c b/programs/fuzz/fuzz_x509crt.c
index 858c1ff..8442090 100644
--- a/programs/fuzz/fuzz_x509crt.c
+++ b/programs/fuzz/fuzz_x509crt.c
@@ -11,6 +11,12 @@
unsigned char buf[4096];
mbedtls_x509_crt_init(&crt);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
ret = mbedtls_x509_crt_parse(&crt, Data, Size);
#if !defined(MBEDTLS_X509_REMOVE_INFO)
if (ret == 0) {
@@ -20,6 +26,11 @@
((void) ret);
((void) buf);
#endif /* !MBEDTLS_X509_REMOVE_INFO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+exit:
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_x509_crt_free(&crt);
#else
(void) Data;
diff --git a/programs/fuzz/fuzz_x509csr.c b/programs/fuzz/fuzz_x509csr.c
index 39fb4cb..395d3c2 100644
--- a/programs/fuzz/fuzz_x509csr.c
+++ b/programs/fuzz/fuzz_x509csr.c
@@ -11,6 +11,12 @@
unsigned char buf[4096];
mbedtls_x509_csr_init(&csr);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
ret = mbedtls_x509_csr_parse(&csr, Data, Size);
#if !defined(MBEDTLS_X509_REMOVE_INFO)
if (ret == 0) {
@@ -20,6 +26,11 @@
((void) ret);
((void) buf);
#endif /* !MBEDTLS_X509_REMOVE_INFO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+exit:
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_x509_csr_free(&csr);
#else
(void) Data;
diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c
index 029558d..9bee275 100644
--- a/programs/pkey/gen_key.c
+++ b/programs/pkey/gen_key.c
@@ -200,6 +200,15 @@
mbedtls_ctr_drbg_init(&ctr_drbg);
memset(buf, 0, sizeof(buf));
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if (argc < 2) {
usage:
mbedtls_printf(USAGE);
@@ -407,6 +416,9 @@
mbedtls_pk_free(&key);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
diff --git a/programs/pkey/key_app.c b/programs/pkey/key_app.c
index c80dcd0..cd16e33 100644
--- a/programs/pkey/key_app.c
+++ b/programs/pkey/key_app.c
@@ -99,6 +99,15 @@
mbedtls_pk_init(&pk);
memset(buf, 0, sizeof(buf));
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto cleanup;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q);
mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&DP);
mbedtls_mpi_init(&DQ); mbedtls_mpi_init(&QP);
@@ -305,8 +314,10 @@
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
-
mbedtls_pk_free(&pk);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q);
mbedtls_mpi_free(&D); mbedtls_mpi_free(&E); mbedtls_mpi_free(&DP);
mbedtls_mpi_free(&DQ); mbedtls_mpi_free(&QP);
diff --git a/programs/pkey/key_app_writer.c b/programs/pkey/key_app_writer.c
index 862c93f..e8f3e85 100644
--- a/programs/pkey/key_app_writer.c
+++ b/programs/pkey/key_app_writer.c
@@ -216,6 +216,15 @@
memset(buf, 0, sizeof(buf));
#endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q);
mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&DP);
mbedtls_mpi_init(&DQ); mbedtls_mpi_init(&QP);
@@ -422,6 +431,9 @@
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
diff --git a/programs/pkey/pk_decrypt.c b/programs/pkey/pk_decrypt.c
index 8862636..f60c946 100644
--- a/programs/pkey/pk_decrypt.c
+++ b/programs/pkey/pk_decrypt.c
@@ -67,6 +67,15 @@
memset(result, 0, sizeof(result));
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if (argc != 2) {
mbedtls_printf("usage: mbedtls_pk_decrypt <key_file>\n");
@@ -139,6 +148,9 @@
mbedtls_pk_free(&pk);
mbedtls_entropy_free(&entropy);
mbedtls_ctr_drbg_free(&ctr_drbg);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
diff --git a/programs/pkey/pk_encrypt.c b/programs/pkey/pk_encrypt.c
index eab3f08..04e5cc7 100644
--- a/programs/pkey/pk_encrypt.c
+++ b/programs/pkey/pk_encrypt.c
@@ -63,6 +63,15 @@
mbedtls_entropy_init(&entropy);
mbedtls_pk_init(&pk);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if (argc != 3) {
mbedtls_printf("usage: mbedtls_pk_encrypt <key_file> <string of max 100 characters>\n");
@@ -140,6 +149,9 @@
mbedtls_pk_free(&pk);
mbedtls_entropy_free(&entropy);
mbedtls_ctr_drbg_free(&ctr_drbg);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c
index 82cb6a1..57bd796 100644
--- a/programs/pkey/pk_sign.c
+++ b/programs/pkey/pk_sign.c
@@ -63,6 +63,15 @@
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_pk_init(&pk);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if (argc != 3) {
mbedtls_printf("usage: mbedtls_pk_sign <key_file> <filename>\n");
@@ -140,6 +149,9 @@
mbedtls_pk_free(&pk);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
diff --git a/programs/pkey/pk_verify.c b/programs/pkey/pk_verify.c
index 0c549e0..bca985b 100644
--- a/programs/pkey/pk_verify.c
+++ b/programs/pkey/pk_verify.c
@@ -55,6 +55,15 @@
mbedtls_pk_init(&pk);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if (argc != 3) {
mbedtls_printf("usage: mbedtls_pk_verify <key_file> <filename>\n");
@@ -114,6 +123,9 @@
exit:
mbedtls_pk_free(&pk);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c
index 03882cd..999669e 100644
--- a/programs/pkey/rsa_sign_pss.c
+++ b/programs/pkey/rsa_sign_pss.c
@@ -64,6 +64,15 @@
mbedtls_pk_init(&pk);
mbedtls_ctr_drbg_init(&ctr_drbg);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if (argc != 3) {
mbedtls_printf("usage: rsa_sign_pss <key_file> <filename>\n");
@@ -153,6 +162,9 @@
mbedtls_pk_free(&pk);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
diff --git a/programs/pkey/rsa_verify_pss.c b/programs/pkey/rsa_verify_pss.c
index e21e927..8a1fb59 100644
--- a/programs/pkey/rsa_verify_pss.c
+++ b/programs/pkey/rsa_verify_pss.c
@@ -58,6 +58,15 @@
mbedtls_pk_init(&pk);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if (argc != 3) {
mbedtls_printf("usage: rsa_verify_pss <key_file> <filename>\n");
@@ -129,6 +138,9 @@
exit:
mbedtls_pk_free(&pk);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c
index 44a135f..e47715c 100644
--- a/programs/ssl/dtls_client.c
+++ b/programs/ssl/dtls_client.c
@@ -109,11 +109,21 @@
mbedtls_ssl_config_init(&conf);
mbedtls_x509_crt_init(&cacert);
mbedtls_ctr_drbg_init(&ctr_drbg);
+ mbedtls_entropy_init(&entropy);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
- mbedtls_entropy_init(&entropy);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
@@ -324,12 +334,14 @@
#endif
mbedtls_net_free(&server_fd);
-
mbedtls_x509_crt_free(&cacert);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Shell can not handle large exit numbers -> 1 for errors */
if (ret < 0) {
diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c
index 6f8c841..f218130 100644
--- a/programs/ssl/dtls_server.c
+++ b/programs/ssl/dtls_server.c
@@ -119,6 +119,16 @@
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold(DEBUG_LEVEL);
#endif
@@ -394,6 +404,9 @@
#endif
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Shell can not handle large exit numbers -> 1 for errors */
if (ret < 0) {
diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c
index 6dbbc6d..e8f4797 100644
--- a/programs/ssl/mini_client.c
+++ b/programs/ssl/mini_client.c
@@ -175,8 +175,16 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_init(&ca);
#endif
-
mbedtls_entropy_init(&entropy);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if (mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
ret = ctr_drbg_seed_failed;
@@ -262,7 +270,6 @@
exit:
mbedtls_net_free(&server_fd);
-
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
@@ -270,6 +277,9 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_free(&ca);
#endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(ret);
}
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index ea96a4d..259b8f9 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -91,11 +91,21 @@
mbedtls_ssl_config_init(&conf);
mbedtls_x509_crt_init(&cacert);
mbedtls_ctr_drbg_init(&ctr_drbg);
+ mbedtls_entropy_init(&entropy);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
- mbedtls_entropy_init(&entropy);
+
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
@@ -274,12 +284,14 @@
#endif
mbedtls_net_free(&server_fd);
-
mbedtls_x509_crt_free(&cacert);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
diff --git a/programs/ssl/ssl_context_info.c b/programs/ssl/ssl_context_info.c
index 0ba0d2c..a5f0650 100644
--- a/programs/ssl/ssl_context_info.c
+++ b/programs/ssl/ssl_context_info.c
@@ -21,6 +21,7 @@
#include "mbedtls/build_info.h"
#include "mbedtls/debug.h"
+#include "mbedtls/platform.h"
#include <stdio.h>
#include <stdlib.h>
@@ -933,6 +934,15 @@
size_t ssl_max_len = SSL_INIT_LEN;
size_t ssl_len = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
/* The 'b64_file' is opened when parsing arguments to check that the
* file name is correct */
parse_arguments(argc, argv);
@@ -1001,6 +1011,10 @@
printf("Finished. No valid base64 code found\n");
}
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
return 0;
}
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 7ee880d..4777ee0 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -105,6 +105,15 @@
mbedtls_x509_crt_init(&srvcert);
mbedtls_ctr_drbg_init(&ctr_drbg);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
signal(SIGCHLD, SIG_IGN);
/*
@@ -366,13 +375,15 @@
exit:
mbedtls_net_free(&client_fd);
mbedtls_net_free(&listen_fd);
-
mbedtls_x509_crt_free(&srvcert);
mbedtls_pk_free(&pkey);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 3b040aa..fb6f371 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -369,6 +369,16 @@
mbedtls_x509_crt_init(&clicert);
mbedtls_pk_init(&pkey);
mbedtls_ctr_drbg_init(&ctr_drbg);
+ mbedtls_entropy_init(&entropy);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc < 2) {
usage:
@@ -458,7 +468,6 @@
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
- mbedtls_entropy_init(&entropy);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
@@ -796,6 +805,9 @@
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c
index 2b3baff..9416c3c 100644
--- a/programs/ssl/ssl_pthread_server.c
+++ b/programs/ssl/ssl_pthread_server.c
@@ -332,6 +332,16 @@
*/
mbedtls_entropy_init(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
/*
* 1a. Seed the random number generator
*/
@@ -473,14 +483,14 @@
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
mbedtls_ssl_config_free(&conf);
-
mbedtls_net_free(&listen_fd);
-
mbedtls_mutex_free(&debug_mutex);
-
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_free();
#endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(ret);
}
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index 7dabda8..bb49155 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -104,6 +104,16 @@
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold(DEBUG_LEVEL);
#endif
@@ -343,7 +353,6 @@
mbedtls_net_free(&client_fd);
mbedtls_net_free(&listen_fd);
-
mbedtls_x509_crt_free(&srvcert);
mbedtls_pk_free(&pkey);
mbedtls_ssl_free(&ssl);
@@ -353,6 +362,9 @@
#endif
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(ret);
}
diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index a9656c6..51a79ec 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@@ -153,6 +153,7 @@
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_x509_crt_init(&cacert);
+ mbedtls_entropy_init(&entropy);
#if defined(MBEDTLS_X509_CRL_PARSE_C)
mbedtls_x509_crl_init(&cacrl);
#else
@@ -161,6 +162,15 @@
memset(&cacrl, 0, sizeof(mbedtls_x509_crl));
#endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if (argc < 2) {
usage:
mbedtls_printf(USAGE);
@@ -338,7 +348,6 @@
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
- mbedtls_entropy_init(&entropy);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
@@ -448,6 +457,9 @@
#endif
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index 396aaf3..1772f87 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -179,6 +179,16 @@
mbedtls_pk_init(&key);
mbedtls_ctr_drbg_init(&ctr_drbg);
memset(buf, 0, sizeof(buf));
+ mbedtls_entropy_init(&entropy);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc < 2) {
usage:
@@ -388,7 +398,6 @@
mbedtls_printf(" . Seeding the random number generator...");
fflush(stdout);
- mbedtls_entropy_init(&entropy);
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
@@ -460,6 +469,9 @@
mbedtls_pk_free(&key);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
cur = opt.san_list;
while (cur != NULL) {
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index a822684..51b09f3 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -330,6 +330,15 @@
memset(buf, 0, sizeof(buf));
memset(serial, 0, sizeof(serial));
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if (argc < 2) {
usage:
mbedtls_printf(USAGE);
@@ -885,6 +894,9 @@
mbedtls_pk_free(&loaded_issuer_key);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
diff --git a/programs/x509/crl_app.c b/programs/x509/crl_app.c
index d74a488..6c671ff 100644
--- a/programs/x509/crl_app.c
+++ b/programs/x509/crl_app.c
@@ -70,6 +70,15 @@
*/
mbedtls_x509_crl_init(&crl);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if (argc < 2) {
usage:
mbedtls_printf(USAGE);
@@ -125,6 +134,9 @@
exit:
mbedtls_x509_crl_free(&crl);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
diff --git a/programs/x509/load_roots.c b/programs/x509/load_roots.c
index 237bd7c..d024e98 100644
--- a/programs/x509/load_roots.c
+++ b/programs/x509/load_roots.c
@@ -123,6 +123,15 @@
struct mbedtls_timing_hr_time timer;
unsigned long ms;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if (argc <= 1) {
mbedtls_printf(USAGE);
goto exit;
@@ -187,6 +196,9 @@
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
#endif /* necessary configuration */
diff --git a/programs/x509/req_app.c b/programs/x509/req_app.c
index 83e2546..64b9f0b 100644
--- a/programs/x509/req_app.c
+++ b/programs/x509/req_app.c
@@ -70,6 +70,15 @@
*/
mbedtls_x509_csr_init(&csr);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
+ (int) status);
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if (argc < 2) {
usage:
mbedtls_printf(USAGE);
@@ -125,6 +134,9 @@
exit:
mbedtls_x509_csr_free(&csr);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_psa_crypto_free();
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
diff --git a/scripts/config.py b/scripts/config.py
index ac5f77c..92a4aad 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -216,6 +216,7 @@
'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers)
'MBEDTLS_X509_REMOVE_INFO', # removes a feature
'MBEDTLS_SSL_RECORD_SIZE_LIMIT', # in development, currently breaks other tests
+ 'MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED' # influences SECP256R1 KeyGen/ECDH/ECDSA
])
def is_seamless_alt(name):
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
index 32e6bfe..3ecd74d 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
@@ -316,6 +316,26 @@
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined (MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED)
+ if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) &&
+ PSA_ALG_IS_ECDSA(alg) &&
+ !PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) &&
+ PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type) == PSA_ECC_FAMILY_SECP_R1 &&
+ attributes->core.bits == 256 )
+ {
+ status = p256_transparent_sign_hash( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_size,
+ signature_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+ }
+#endif /* MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED */
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
/* Fell through, meaning no accelerator supports this operation */
return( psa_sign_hash_builtin( attributes,
@@ -400,6 +420,25 @@
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined (MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED)
+ if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) &&
+ PSA_ALG_IS_ECDSA(alg) &&
+ !PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) &&
+ PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type) == PSA_ECC_FAMILY_SECP_R1 &&
+ attributes->core.bits == 256 )
+ {
+ status = p256_transparent_verify_hash( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+ }
+#endif /* MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED */
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
return( psa_verify_hash_builtin( attributes,
@@ -814,6 +853,20 @@
if( status != PSA_ERROR_NOT_SUPPORTED )
break;
#endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined(MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED)
+ if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) &&
+ attributes->core.type == PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) &&
+ attributes->core.bits == 256 )
+ {
+ status = p256_transparent_generate_key( attributes,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ break;
+ }
+
+#endif /* MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED */
}
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
@@ -2752,6 +2805,25 @@
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined(MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED)
+ if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) &&
+ PSA_ALG_IS_ECDH(alg) &&
+ PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type) == PSA_ECC_FAMILY_SECP_R1 &&
+ attributes->core.bits == 256 )
+ {
+ status = p256_transparent_key_agreement( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ peer_key,
+ peer_key_length,
+ shared_secret,
+ shared_secret_size,
+ shared_secret_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED)
+ return( status );
+ }
+#endif /* MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED */
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
/* Software Fallback */
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 47370b4..257903c 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -935,6 +935,10 @@
$(OPENSSL) pkey -in $< -inform DER -out $@
all_final += ec_prv.pk8param.pem
+ec_pub.pem: ec_prv.sec1.der
+ $(OPENSSL) pkey -in $< -inform DER -outform PEM -pubout -out $@
+all_final += ec_pub.pem
+
ec_prv.sec1.comp.pem: ec_prv.sec1.pem
$(OPENSSL) ec -in $< -out $@ -conv_form compressed
all_final += ec_prv.sec1.comp.pem
diff --git a/tests/data_files/ec_pub.comp.pem b/tests/data_files/ec_pub.comp.pem
index a3742a3..55fac08 100644
--- a/tests/data_files/ec_pub.comp.pem
+++ b/tests/data_files/ec_pub.comp.pem
@@ -1,4 +1,4 @@
-----BEGIN PUBLIC KEY-----
-MDEwEwYHKoZIzj0CAQYIKoZIzj0DAQEDGgACvHl9s65/COw9SWtPtBGz9iClWKUB
-4CIt
+MDEwEwYHKoZIzj0CAQYIKoZIzj0DAQEDGgADUXW83zCjcPOdU5PmEnKI2AFntfS0
+t3bG
-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_pub.der b/tests/data_files/ec_pub.der
index 74c5951..e4e5915 100644
--- a/tests/data_files/ec_pub.der
+++ b/tests/data_files/ec_pub.der
Binary files differ
diff --git a/tests/data_files/ec_pub.pem b/tests/data_files/ec_pub.pem
index d677d27..d54dc94 100644
--- a/tests/data_files/ec_pub.pem
+++ b/tests/data_files/ec_pub.pem
@@ -1,4 +1,4 @@
-----BEGIN PUBLIC KEY-----
-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEvHl9s65/COw9SWtPtBGz9iClWKUB
-4CItCM/g3Irsixp78kvpKVHMW6G+uyR0kJrg
+MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEUXW83zCjcPOdU5PmEnKI2AFntfS0
+t3bGdPfG81S30iQGLB9oVLWnrw/leOryWPAn
-----END PUBLIC KEY-----
diff --git a/tests/include/test/arguments.h b/tests/include/test/arguments.h
new file mode 100644
index 0000000..74bbbd5
--- /dev/null
+++ b/tests/include/test/arguments.h
@@ -0,0 +1,38 @@
+/**
+ * \file arguments.h
+ *
+ * \brief Manipulation of test arguments.
+ *
+ * Much of the code is in host_test.function, to be migrated here later.
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef TEST_ARGUMENTS_H
+#define TEST_ARGUMENTS_H
+
+#include "mbedtls/build_info.h"
+#include <stdint.h>
+#include <stdlib.h>
+
+typedef union {
+ size_t len;
+ intmax_t sint;
+} mbedtls_test_argument_t;
+
+#endif /* TEST_ARGUMENTS_H */
diff --git a/tests/scripts/generate_test_code.py b/tests/scripts/generate_test_code.py
index f19d30b..839fccd 100755
--- a/tests/scripts/generate_test_code.py
+++ b/tests/scripts/generate_test_code.py
@@ -171,6 +171,28 @@
import argparse
+# Types recognized as signed integer arguments in test functions.
+SIGNED_INTEGER_TYPES = frozenset([
+ 'char',
+ 'short',
+ 'short int',
+ 'int',
+ 'int8_t',
+ 'int16_t',
+ 'int32_t',
+ 'int64_t',
+ 'intmax_t',
+ 'long',
+ 'long int',
+ 'long long int',
+ 'mbedtls_mpi_sint',
+ 'psa_status_t',
+])
+# Types recognized as string arguments in test functions.
+STRING_TYPES = frozenset(['char*', 'const char*', 'char const*'])
+# Types recognized as hex data arguments in test functions.
+DATA_TYPES = frozenset(['data_t*', 'const data_t*', 'data_t const*'])
+
BEGIN_HEADER_REGEX = r'/\*\s*BEGIN_HEADER\s*\*/'
END_HEADER_REGEX = r'/\*\s*END_HEADER\s*\*/'
@@ -192,9 +214,6 @@
CONDITION_OPERATOR_REGEX,
CONDITION_VALUE_REGEX)
TEST_FUNCTION_VALIDATION_REGEX = r'\s*void\s+(?P<func_name>\w+)\s*\('
-INT_CHECK_REGEX = r'int\s+.*'
-CHAR_CHECK_REGEX = r'char\s*\*\s*.*'
-DATA_T_CHECK_REGEX = r'data_t\s*\*\s*.*'
FUNCTION_ARG_LIST_END_REGEX = r'.*\)'
EXIT_LABEL_REGEX = r'^exit:'
@@ -303,7 +322,7 @@
:param name: Test function name
:param local_vars: Local variables declaration code
:param args_dispatch: List of dispatch arguments.
- Ex: ['(char *)params[0]', '*((int *)params[1])']
+ Ex: ['(char *) params[0]', '*((int *) params[1])']
:return: Test function wrapper.
"""
# Then create the wrapper
@@ -444,6 +463,49 @@
return dependencies
+ARGUMENT_DECLARATION_REGEX = re.compile(r'(.+?) ?(?:\bconst\b)? ?(\w+)\Z', re.S)
+def parse_function_argument(arg, arg_idx, args, local_vars, args_dispatch):
+ """
+ Parses one test function's argument declaration.
+
+ :param arg: argument declaration.
+ :param arg_idx: current wrapper argument index.
+ :param args: accumulator of arguments' internal types.
+ :param local_vars: accumulator of internal variable declarations.
+ :param args_dispatch: accumulator of argument usage expressions.
+ :return: the number of new wrapper arguments,
+ or None if the argument declaration is invalid.
+ """
+ # Normalize whitespace
+ arg = arg.strip()
+ arg = re.sub(r'\s*\*\s*', r'*', arg)
+ arg = re.sub(r'\s+', r' ', arg)
+ # Extract name and type
+ m = ARGUMENT_DECLARATION_REGEX.search(arg)
+ if not m:
+ # E.g. "int x[42]"
+ return None
+ typ, _ = m.groups()
+ if typ in SIGNED_INTEGER_TYPES:
+ args.append('int')
+ args_dispatch.append('((mbedtls_test_argument_t *) params[%d])->sint' % arg_idx)
+ return 1
+ if typ in STRING_TYPES:
+ args.append('char*')
+ args_dispatch.append('(char *) params[%d]' % arg_idx)
+ return 1
+ if typ in DATA_TYPES:
+ args.append('hex')
+ # create a structure
+ pointer_initializer = '(uint8_t *) params[%d]' % arg_idx
+ len_initializer = '((mbedtls_test_argument_t *) params[%d])->len' % (arg_idx+1)
+ local_vars.append(' data_t data%d = {%s, %s};\n' %
+ (arg_idx, pointer_initializer, len_initializer))
+ args_dispatch.append('&data%d' % arg_idx)
+ return 2
+ return None
+
+ARGUMENT_LIST_REGEX = re.compile(r'\((.*?)\)', re.S)
def parse_function_arguments(line):
"""
Parses test function signature for validation and generates
@@ -455,42 +517,27 @@
:return: argument list, local variables for
wrapper function and argument dispatch code.
"""
- args = []
- local_vars = ''
- args_dispatch = []
- arg_idx = 0
- # Remove characters before arguments
- line = line[line.find('(') + 1:]
# Process arguments, ex: <type> arg1, <type> arg2 )
# This script assumes that the argument list is terminated by ')'
# i.e. the test functions will not have a function pointer
# argument.
- for arg in line[:line.find(')')].split(','):
- arg = arg.strip()
- if arg == '':
- continue
- if re.search(INT_CHECK_REGEX, arg.strip()):
- args.append('int')
- args_dispatch.append('*( (int *) params[%d] )' % arg_idx)
- elif re.search(CHAR_CHECK_REGEX, arg.strip()):
- args.append('char*')
- args_dispatch.append('(char *) params[%d]' % arg_idx)
- elif re.search(DATA_T_CHECK_REGEX, arg.strip()):
- args.append('hex')
- # create a structure
- pointer_initializer = '(uint8_t *) params[%d]' % arg_idx
- len_initializer = '*( (uint32_t *) params[%d] )' % (arg_idx+1)
- local_vars += """ data_t data%d = {%s, %s};
-""" % (arg_idx, pointer_initializer, len_initializer)
-
- args_dispatch.append('&data%d' % arg_idx)
- arg_idx += 1
- else:
+ m = ARGUMENT_LIST_REGEX.search(line)
+ arg_list = m.group(1).strip()
+ if arg_list in ['', 'void']:
+ return [], '', []
+ args = []
+ local_vars = []
+ args_dispatch = []
+ arg_idx = 0
+ for arg in arg_list.split(','):
+ indexes = parse_function_argument(arg, arg_idx,
+ args, local_vars, args_dispatch)
+ if indexes is None:
raise ValueError("Test function arguments can only be 'int', "
"'char *' or 'data_t'\n%s" % line)
- arg_idx += 1
+ arg_idx += indexes
- return args, local_vars, args_dispatch
+ return args, ''.join(local_vars), args_dispatch
def generate_function_code(name, code, local_vars, args_dispatch,
@@ -705,7 +752,7 @@
execution.
:param data_f: file object of the data file.
- :return: Generator that yields test name, function name,
+ :return: Generator that yields line number, test name, function name,
dependency list and function argument list.
"""
__state_read_name = 0
@@ -748,7 +795,7 @@
parts = escaped_split(line, ':')
test_function = parts[0]
args = parts[1:]
- yield name, test_function, dependencies, args
+ yield data_f.line_no, name, test_function, dependencies, args
dependencies = []
state = __state_read_name
if state == __state_read_args:
@@ -846,6 +893,14 @@
return dep_check_code
+INT_VAL_REGEX = re.compile(r'-?(\d+|0x[0-9a-f]+)$', re.I)
+def val_is_int(val: str) -> bool:
+ """Whether val is suitable as an 'int' parameter in the .datax file."""
+ if not INT_VAL_REGEX.match(val):
+ return False
+ # Limit the range to what is guaranteed to get through strtol()
+ return abs(int(val, 0)) <= 0x7fffffff
+
def write_parameters(out_data_f, test_args, func_args, unique_expressions):
"""
Writes test parameters to the intermediate data file, replacing
@@ -864,9 +919,9 @@
typ = func_args[i]
val = test_args[i]
- # check if val is a non literal int val (i.e. an expression)
- if typ == 'int' and not re.match(r'(\d+|0x[0-9a-f]+)$',
- val, re.I):
+ # Pass small integer constants literally. This reduces the size of
+ # the C code. Register anything else as an expression.
+ if typ == 'int' and not val_is_int(val):
typ = 'exp'
if val not in unique_expressions:
unique_expressions.append(val)
@@ -909,6 +964,24 @@
return dep_check_code, expression_code
+def get_function_info(func_info, function_name, line_no):
+ """Look up information about a test function by name.
+
+ Raise an informative expression if function_name is not found.
+
+ :param func_info: dictionary mapping function names to their information.
+ :param function_name: the function name as written in the .function and
+ .data files.
+ :param line_no: line number for error messages.
+ :return Function information (id, args).
+ """
+ test_function_name = 'test_' + function_name
+ if test_function_name not in func_info:
+ raise GeneratorInputError("%d: Function %s not found!" %
+ (line_no, test_function_name))
+ return func_info[test_function_name]
+
+
def gen_from_test_data(data_f, out_data_f, func_info, suite_dependencies):
"""
This function reads test case name, dependencies and test vectors
@@ -931,7 +1004,7 @@
unique_expressions = []
dep_check_code = ''
expression_code = ''
- for test_name, function_name, test_dependencies, test_args in \
+ for line_no, test_name, function_name, test_dependencies, test_args in \
parse_test_data(data_f):
out_data_f.write(test_name + '\n')
@@ -940,18 +1013,15 @@
unique_dependencies)
# Write test function name
- test_function_name = 'test_' + function_name
- if test_function_name not in func_info:
- raise GeneratorInputError("Function %s not found!" %
- test_function_name)
- func_id, func_args = func_info[test_function_name]
+ func_id, func_args = \
+ get_function_info(func_info, function_name, line_no)
out_data_f.write(str(func_id))
# Write parameters
if len(test_args) != len(func_args):
- raise GeneratorInputError("Invalid number of arguments in test "
+ raise GeneratorInputError("%d: Invalid number of arguments in test "
"%s. See function %s signature." %
- (test_name, function_name))
+ (line_no, test_name, function_name))
expression_code += write_parameters(out_data_f, test_args, func_args,
unique_expressions)
diff --git a/tests/scripts/test_generate_test_code.py b/tests/scripts/test_generate_test_code.py
index d23d742..fe748ae 100755
--- a/tests/scripts/test_generate_test_code.py
+++ b/tests/scripts/test_generate_test_code.py
@@ -485,9 +485,10 @@
args, local, arg_dispatch = parse_function_arguments(line)
self.assertEqual(args, ['char*', 'int', 'int'])
self.assertEqual(local, '')
- self.assertEqual(arg_dispatch, ['(char *) params[0]',
- '*( (int *) params[1] )',
- '*( (int *) params[2] )'])
+ self.assertEqual(arg_dispatch,
+ ['(char *) params[0]',
+ '((mbedtls_test_argument_t *) params[1])->sint',
+ '((mbedtls_test_argument_t *) params[2])->sint'])
def test_hex_params(self):
"""
@@ -499,22 +500,22 @@
self.assertEqual(args, ['char*', 'hex', 'int'])
self.assertEqual(local,
' data_t data1 = {(uint8_t *) params[1], '
- '*( (uint32_t *) params[2] )};\n')
+ '((mbedtls_test_argument_t *) params[2])->len};\n')
self.assertEqual(arg_dispatch, ['(char *) params[0]',
'&data1',
- '*( (int *) params[3] )'])
+ '((mbedtls_test_argument_t *) params[3])->sint'])
def test_unsupported_arg(self):
"""
- Test unsupported arguments (not among int, char * and data_t)
+ Test unsupported argument type
:return:
"""
- line = 'void entropy_threshold( char * a, data_t * h, char result )'
+ line = 'void entropy_threshold( char * a, data_t * h, unknown_t result )'
self.assertRaises(ValueError, parse_function_arguments, line)
- def test_no_params(self):
+ def test_empty_params(self):
"""
- Test no parameters.
+ Test no parameters (nothing between parentheses).
:return:
"""
line = 'void entropy_threshold()'
@@ -523,6 +524,39 @@
self.assertEqual(local, '')
self.assertEqual(arg_dispatch, [])
+ def test_blank_params(self):
+ """
+ Test no parameters (space between parentheses).
+ :return:
+ """
+ line = 'void entropy_threshold( )'
+ args, local, arg_dispatch = parse_function_arguments(line)
+ self.assertEqual(args, [])
+ self.assertEqual(local, '')
+ self.assertEqual(arg_dispatch, [])
+
+ def test_void_params(self):
+ """
+ Test no parameters (void keyword).
+ :return:
+ """
+ line = 'void entropy_threshold(void)'
+ args, local, arg_dispatch = parse_function_arguments(line)
+ self.assertEqual(args, [])
+ self.assertEqual(local, '')
+ self.assertEqual(arg_dispatch, [])
+
+ def test_void_space_params(self):
+ """
+ Test no parameters (void with spaces).
+ :return:
+ """
+ line = 'void entropy_threshold( void )'
+ args, local, arg_dispatch = parse_function_arguments(line)
+ self.assertEqual(args, [])
+ self.assertEqual(local, '')
+ self.assertEqual(arg_dispatch, [])
+
class ParseFunctionCode(TestCase):
"""
@@ -1264,29 +1298,33 @@
# List of (name, function_name, dependencies, args)
tests = list(parse_test_data(stream))
test1, test2, test3, test4 = tests
- self.assertEqual(test1[0], 'Diffie-Hellman full exchange #1')
- self.assertEqual(test1[1], 'dhm_do_dhm')
- self.assertEqual(test1[2], [])
- self.assertEqual(test1[3], ['10', '"23"', '10', '"5"'])
+ self.assertEqual(test1[0], 3)
+ self.assertEqual(test1[1], 'Diffie-Hellman full exchange #1')
+ self.assertEqual(test1[2], 'dhm_do_dhm')
+ self.assertEqual(test1[3], [])
+ self.assertEqual(test1[4], ['10', '"23"', '10', '"5"'])
- self.assertEqual(test2[0], 'Diffie-Hellman full exchange #2')
- self.assertEqual(test2[1], 'dhm_do_dhm')
- self.assertEqual(test2[2], [])
- self.assertEqual(test2[3], ['10', '"93450983094850938450983409623"',
+ self.assertEqual(test2[0], 6)
+ self.assertEqual(test2[1], 'Diffie-Hellman full exchange #2')
+ self.assertEqual(test2[2], 'dhm_do_dhm')
+ self.assertEqual(test2[3], [])
+ self.assertEqual(test2[4], ['10', '"93450983094850938450983409623"',
'10', '"9345098304850938450983409622"'])
- self.assertEqual(test3[0], 'Diffie-Hellman full exchange #3')
- self.assertEqual(test3[1], 'dhm_do_dhm')
- self.assertEqual(test3[2], [])
- self.assertEqual(test3[3], ['10',
+ self.assertEqual(test3[0], 9)
+ self.assertEqual(test3[1], 'Diffie-Hellman full exchange #3')
+ self.assertEqual(test3[2], 'dhm_do_dhm')
+ self.assertEqual(test3[3], [])
+ self.assertEqual(test3[4], ['10',
'"9345098382739712938719287391879381271"',
'10',
'"9345098792137312973297123912791271"'])
- self.assertEqual(test4[0], 'Diffie-Hellman selftest')
- self.assertEqual(test4[1], 'dhm_selftest')
- self.assertEqual(test4[2], [])
+ self.assertEqual(test4[0], 12)
+ self.assertEqual(test4[1], 'Diffie-Hellman selftest')
+ self.assertEqual(test4[2], 'dhm_selftest')
self.assertEqual(test4[3], [])
+ self.assertEqual(test4[4], [])
def test_with_dependencies(self):
"""
@@ -1306,15 +1344,17 @@
# List of (name, function_name, dependencies, args)
tests = list(parse_test_data(stream))
test1, test2 = tests
- self.assertEqual(test1[0], 'Diffie-Hellman full exchange #1')
- self.assertEqual(test1[1], 'dhm_do_dhm')
- self.assertEqual(test1[2], ['YAHOO'])
- self.assertEqual(test1[3], ['10', '"23"', '10', '"5"'])
+ self.assertEqual(test1[0], 4)
+ self.assertEqual(test1[1], 'Diffie-Hellman full exchange #1')
+ self.assertEqual(test1[2], 'dhm_do_dhm')
+ self.assertEqual(test1[3], ['YAHOO'])
+ self.assertEqual(test1[4], ['10', '"23"', '10', '"5"'])
- self.assertEqual(test2[0], 'Diffie-Hellman full exchange #2')
- self.assertEqual(test2[1], 'dhm_do_dhm')
- self.assertEqual(test2[2], [])
- self.assertEqual(test2[3], ['10', '"93450983094850938450983409623"',
+ self.assertEqual(test2[0], 7)
+ self.assertEqual(test2[1], 'Diffie-Hellman full exchange #2')
+ self.assertEqual(test2[2], 'dhm_do_dhm')
+ self.assertEqual(test2[3], [])
+ self.assertEqual(test2[4], ['10', '"93450983094850938450983409623"',
'10', '"9345098304850938450983409622"'])
def test_no_args(self):
@@ -1335,7 +1375,7 @@
stream = StringIOWrapper('test_suite_ut.function', data)
err = None
try:
- for _, _, _, _ in parse_test_data(stream):
+ for _, _, _, _, _ in parse_test_data(stream):
pass
except GeneratorInputError as err:
self.assertEqual(type(err), GeneratorInputError)
@@ -1353,7 +1393,7 @@
stream = StringIOWrapper('test_suite_ut.function', data)
err = None
try:
- for _, _, _, _ in parse_test_data(stream):
+ for _, _, _, _, _ in parse_test_data(stream):
pass
except GeneratorInputError as err:
self.assertEqual(type(err), GeneratorInputError)
diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function
index 60eae9a..86ff5b4 100644
--- a/tests/suites/helpers.function
+++ b/tests/suites/helpers.function
@@ -2,13 +2,18 @@
/*----------------------------------------------------------------------------*/
/* Headers */
+#include <test/arguments.h>
#include <test/helpers.h>
#include <test/macros.h>
#include <test/random.h>
#include <test/bignum_helpers.h>
#include <test/psa_crypto_helpers.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdint.h>
#include <stdlib.h>
+#include <string.h>
#if defined(MBEDTLS_ERROR_C)
#include "mbedtls/error.h"
@@ -19,23 +24,6 @@
#include "mbedtls/memory_buffer_alloc.h"
#endif
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef UINT8 uint8_t;
-typedef INT32 int32_t;
-typedef UINT32 uint32_t;
-#define strncasecmp _strnicmp
-#define strcasecmp _stricmp
-#else
-#include <stdint.h>
-#endif
-
-#include <string.h>
-
-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__)) || defined(__MINGW32__)
-#include <strings.h>
-#endif
-
#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
#include <unistd.h>
#endif
diff --git a/tests/suites/host_test.function b/tests/suites/host_test.function
index 475a9c8..06f391f 100644
--- a/tests/suites/host_test.function
+++ b/tests/suites/host_test.function
@@ -28,50 +28,28 @@
* integer value.
*
* \param str Input string.
- * \param value Pointer to int for output value.
+ * \param p_value Pointer to output value.
*
* \return 0 if success else 1
*/
-int verify_int(char *str, int32_t *value)
+int verify_int(char *str, intmax_t *p_value)
{
- size_t i;
- int minus = 0;
- int digits = 1;
- int hex = 0;
-
- for (i = 0; i < strlen(str); i++) {
- if (i == 0 && str[i] == '-') {
- minus = 1;
- continue;
- }
-
- if (((minus && i == 2) || (!minus && i == 1)) &&
- str[i - 1] == '0' && (str[i] == 'x' || str[i] == 'X')) {
- hex = 1;
- continue;
- }
-
- if (!((str[i] >= '0' && str[i] <= '9') ||
- (hex && ((str[i] >= 'a' && str[i] <= 'f') ||
- (str[i] >= 'A' && str[i] <= 'F'))))) {
- digits = 0;
- break;
- }
+ char *end = NULL;
+ errno = 0;
+ /* Limit the range to long: for large integers, the test framework will
+ * use expressions anyway. */
+ long value = strtol(str, &end, 0);
+ if (errno == EINVAL || *end != '\0') {
+ mbedtls_fprintf(stderr,
+ "Expected integer for parameter and got: %s\n", str);
+ return KEY_VALUE_MAPPING_NOT_FOUND;
}
-
- if (digits) {
- if (hex) {
- *value = strtol(str, NULL, 16);
- } else {
- *value = strtol(str, NULL, 10);
- }
-
- return 0;
+ if (errno == ERANGE) {
+ mbedtls_fprintf(stderr, "Integer out of range: %s\n", str);
+ return KEY_VALUE_MAPPING_NOT_FOUND;
}
-
- mbedtls_fprintf(stderr,
- "Expected integer for parameter and got: %s\n", str);
- return KEY_VALUE_MAPPING_NOT_FOUND;
+ *p_value = value;
+ return 0;
}
@@ -180,24 +158,24 @@
p++;
}
- /* Replace newlines, question marks and colons in strings */
+ /* Replace backslash escapes in strings */
for (i = 0; i < cnt; i++) {
p = params[i];
q = params[i];
while (*p != '\0') {
- if (*p == '\\' && *(p + 1) == 'n') {
- p += 2;
- *(q++) = '\n';
- } else if (*p == '\\' && *(p + 1) == ':') {
- p += 2;
- *(q++) = ':';
- } else if (*p == '\\' && *(p + 1) == '?') {
- p += 2;
- *(q++) = '?';
- } else {
- *(q++) = *(p++);
+ if (*p == '\\') {
+ ++p;
+ switch (*p) {
+ case 'n':
+ *p = '\n';
+ break;
+ default:
+ // Fall through to copying *p
+ break;
+ }
}
+ *(q++) = *(p++);
}
*q = '\0';
}
@@ -223,7 +201,8 @@
*
* \return 0 for success else 1
*/
-static int convert_params(size_t cnt, char **params, int32_t *int_params_store)
+static int convert_params(size_t cnt, char **params,
+ mbedtls_test_argument_t *int_params_store)
{
char **cur = params;
char **out = params;
@@ -241,7 +220,7 @@
break;
}
} else if (strcmp(type, "int") == 0) {
- if (verify_int(val, int_params_store) == 0) {
+ if (verify_int(val, &int_params_store->sint) == 0) {
*out++ = (char *) int_params_store++;
} else {
ret = (DISPATCH_INVALID_TEST_DATA);
@@ -255,7 +234,7 @@
mbedtls_test_unhexify((unsigned char *) val, strlen(val),
val, &len) == 0);
- *int_params_store = len;
+ int_params_store->len = len;
*out++ = val;
*out++ = (char *) (int_params_store++);
} else {
@@ -264,7 +243,7 @@
}
} else if (strcmp(type, "exp") == 0) {
int exp_id = strtol(val, NULL, 10);
- if (get_expression(exp_id, int_params_store) == 0) {
+ if (get_expression(exp_id, &int_params_store->sint) == 0) {
*out++ = (char *) int_params_store++;
} else {
ret = (DISPATCH_INVALID_TEST_DATA);
@@ -483,7 +462,7 @@
char buf[5000];
char *params[50];
/* Store for processed integer params. */
- int32_t int_params[50];
+ mbedtls_test_argument_t int_params[50];
void *pointer;
#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
int stdout_fd = -1;
diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function
index 11a009a..6c8d98e 100644
--- a/tests/suites/main_test.function
+++ b/tests/suites/main_test.function
@@ -69,7 +69,7 @@
*
* \return 0 if exp_id is found. 1 otherwise.
*/
-int get_expression(int32_t exp_id, int32_t *out_value)
+int get_expression(int32_t exp_id, intmax_t *out_value)
{
int ret = KEY_VALUE_MAPPING_FOUND;
diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function
index cefbfc3..7f858e5 100644
--- a/tests/suites/test_suite_bignum.function
+++ b/tests/suites/test_suite_bignum.function
@@ -133,7 +133,7 @@
TEST_ASSERT(sign_is_valid(&X));
TEST_ASSERT(mbedtls_mpi_write_string(&X, radix_A, str, output_size, &len) == result_write);
if (result_write == 0) {
- TEST_ASSERT(strcasecmp(str, input_A) == 0);
+ TEST_ASSERT(strcmp(str, input_A) == 0);
TEST_ASSERT(str[len] == '!');
}
}
@@ -923,47 +923,16 @@
/* END_CASE */
/* BEGIN_CASE */
-void mpi_mod_int(char *input_X, char *input_Y,
- char *input_A, int mod_result)
+void mpi_mod_int(char *input_X, mbedtls_mpi_sint y,
+ mbedtls_mpi_sint a, int mod_result)
{
mbedtls_mpi X;
- mbedtls_mpi Y;
- mbedtls_mpi A;
int res;
mbedtls_mpi_uint r;
mbedtls_mpi_init(&X);
- mbedtls_mpi_init(&Y);
- mbedtls_mpi_init(&A);
- /* We use MPIs to read Y and A since the test framework limits us to
- * ints, so we can't have 64-bit values */
TEST_EQUAL(mbedtls_test_read_mpi(&X, input_X), 0);
- TEST_EQUAL(mbedtls_test_read_mpi(&Y, input_Y), 0);
- TEST_EQUAL(mbedtls_test_read_mpi(&A, input_A), 0);
-
- TEST_EQUAL(Y.n, 1);
- TEST_EQUAL(A.n, 1);
-
- /* Convert the MPIs for Y and A to (signed) mbedtls_mpi_sints */
-
- /* Since we're converting sign+magnitude to two's complement, we lose one
- * bit of value in the output. This means there are some values we can't
- * represent, e.g. (hex) -A0000000 on 32-bit systems. These are technically
- * invalid test cases, so could be considered "won't happen", but they are
- * easy to test for, and this helps guard against human error. */
-
- mbedtls_mpi_sint y = (mbedtls_mpi_sint) Y.p[0];
- TEST_ASSERT(y >= 0); /* If y < 0 here, we can't make negative y */
- if (Y.s == -1) {
- y = -y;
- }
-
- mbedtls_mpi_sint a = (mbedtls_mpi_sint) A.p[0];
- TEST_ASSERT(a >= 0); /* Same goes for a */
- if (A.s == -1) {
- a = -a;
- }
res = mbedtls_mpi_mod_int(&r, &X, y);
TEST_EQUAL(res, mod_result);
@@ -973,8 +942,6 @@
exit:
mbedtls_mpi_free(&X);
- mbedtls_mpi_free(&Y);
- mbedtls_mpi_free(&A);
}
/* END_CASE */
diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data
index 5eda4c1..9d068f1 100644
--- a/tests/suites/test_suite_bignum.misc.data
+++ b/tests/suites/test_suite_bignum.misc.data
@@ -56,10 +56,10 @@
mpi_read_write_string:16:"-23":17:"-23":4:0:MBEDTLS_ERR_MPI_BAD_INPUT_DATA
Test mpi_read_write_string #6 (Output radix of 15)
-mpi_read_write_string:10:"29":15:"1e":100:0:0
+mpi_read_write_string:10:"29":15:"1E":100:0:0
Test mpi_read_write_string #7
-mpi_read_write_string:10:"56125680981752282334141896320372489490613963693556392520816017892111350604111697682705498319512049040516698827829292076808006940873974979584527073481012636016353913462376755556720019831187364993587901952757307830896531678727717924":16:"0941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":200:0:0
+mpi_read_write_string:10:"56125680981752282334141896320372489490613963693556392520816017892111350604111697682705498319512049040516698827829292076808006940873974979584527073481012636016353913462376755556720019831187364993587901952757307830896531678727717924":16:"0941379D00FED1491FE15DF284DFDE4A142F68AA8D412023195CEE66883E6290FFE703F4EA5963BF212713CEE46B107C09182B5EDCD955ADAC418BF4918E2889AF48E1099D513830CEC85C26AC1E158B52620E33BA8692F893EFBB2F958B4424":200:0:0
Test mpi_read_write_string #8 (Empty MPI hex -> hex)
mpi_read_write_string:16:"":16:"":4:0:0
@@ -1229,45 +1229,45 @@
mpi_mod_mpi:"-":"-2a":"":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
Base test mbedtls_mpi_mod_int #1
-mpi_mod_int:"3e8":"d":"c":0
+mpi_mod_int:"3e8":0xd:0xc:0
Base test mbedtls_mpi_mod_int #2 (Divide by zero)
-mpi_mod_int:"3e8":"0":"0":MBEDTLS_ERR_MPI_DIVISION_BY_ZERO
+mpi_mod_int:"3e8":0x0:0x0:MBEDTLS_ERR_MPI_DIVISION_BY_ZERO
Base test mbedtls_mpi_mod_int #3
-mpi_mod_int:"-3e8":"d":"1":0
+mpi_mod_int:"-3e8":0xd:0x1:0
Base test mbedtls_mpi_mod_int #4 (Negative modulo)
-mpi_mod_int:"3e8":"-d":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+mpi_mod_int:"3e8":-0xd:0x0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
Base test mbedtls_mpi_mod_int #5 (Negative modulo)
-mpi_mod_int:"-3e8":"-d":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+mpi_mod_int:"-3e8":-0xd:0x0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
Base test mbedtls_mpi_mod_int #6 (By 1)
-mpi_mod_int:"3e8":"1":"0":0
+mpi_mod_int:"3e8":0x1:0x0:0
Base test mbedtls_mpi_mod_int #7 (By 2)
-mpi_mod_int:"3e9":"2":"1":0
+mpi_mod_int:"3e9":0x2:0x1:0
Base test mbedtls_mpi_mod_int #8 (By 2)
-mpi_mod_int:"3e8":"2":"0":0
+mpi_mod_int:"3e8":0x2:0x0:0
Test mbedtls_mpi_mod_int: 0 (null) % 1
-mpi_mod_int:"":"1":"0":0
+mpi_mod_int:"":0x1:0x0:0
Test mbedtls_mpi_mod_int: 0 (null) % 2
-mpi_mod_int:"":"2":"0":0
+mpi_mod_int:"":0x2:0x0:0
Test mbedtls_mpi_mod_int: 0 (null) % -1
-mpi_mod_int:"":"-1":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+mpi_mod_int:"":-0x1:0x0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
Test mbedtls_mpi_mod_int: 0 (null) % -2
-mpi_mod_int:"":"-2":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+mpi_mod_int:"":-0x2:0x0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
# CURRENTLY FAILS - SEE GITHUB ISSUE #6540
#Test mbedtls_mpi_mod_int: 230772460340063000000100500000300000010 % 5178236083361335880 -> 3386266129388798810
#depends_on:MBEDTLS_HAVE_INT64
-#mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA4847DCCA48":"2EFE6F1A7D28035A":0
+#mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980CEE30A":0x47DCCA4847DCCA48:0x2EFE6F1A7D28035A:0
Test mbedtls_mpi_mod_mpi: 230772460340063000000100500000300000010 % 5178236083361335880 -> 3386266129388798810
mpi_mod_mpi:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA4847DCCA48":"2EFE6F1A7D28035A":0
@@ -1275,7 +1275,7 @@
# CURRENTLY FAILS - SEE GITHUB ISSUE #6540
#Test mbedtls_mpi_mod_int: 230772460340062999996714233870911201200 % 5178236083361335880 -> 0
#depends_on:MBEDTLS_HAVE_INT64
-#mpi_mod_int:"AD9D28BF6C4E98FDC2584FEF03A6DFB0":"47DCCA4847DCCA48":"0":0
+#mpi_mod_int:"AD9D28BF6C4E98FDC2584FEF03A6DFB0":0x47DCCA4847DCCA48:0x0:0
Test mbedtls_mpi_mod_mpi: 230772460340062999996714233870911201200 % 5178236083361335880 -> 0
mpi_mod_mpi:"AD9D28BF6C4E98FDC2584FEF03A6DFB0":"47DCCA4847DCCA48":"0":0
@@ -1283,7 +1283,7 @@
# CURRENTLY FAILS WHEN MPIS ARE 32-BIT (ISSUE #6450): WHEN FIXED, REMOVE "depends_on" LINE
Test mbedtls_mpi_mod_int: 230772460340063000000100500000300000010 % 1205652040 -> 3644370
depends_on:MBEDTLS_HAVE_INT64
-mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA48":"379BD2":0
+mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980CEE30A":0x47DCCA48:0x379BD2:0
Test mbedtls_mpi_mod_mpi: 230772460340063000000100500000300000010 % 1205652040 -> 3644370
mpi_mod_mpi:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA48":"379BD2":0
@@ -1291,7 +1291,7 @@
# CURRENTLY FAILS WHEN MPIS ARE 32-BIT (ISSUE #6450): WHEN FIXED, REMOVE "depends_on" LINE
Test mbedtls_mpi_mod_int: 230772460340063000000100500000296355640 % 1205652040 -> 0
depends_on:MBEDTLS_HAVE_INT64
-mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980974738":"47DCCA48":"0":0
+mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980974738":0x47DCCA48:0x0:0
Test mbedtls_mpi_mod_mpi: 230772460340063000000100500000296355640 % 1205652040 -> 0
mpi_mod_mpi:"AD9D28BF6C4E98FDF156BF0980974738":"47DCCA48":"0":0
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 5a4e77f..0591029 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -216,10 +216,9 @@
size_t len;
mbedtls_pk_debug_item dbg;
- PSA_ASSERT(psa_crypto_init());
-
mbedtls_pk_init(&pk);
mbedtls_pk_init(&pk2);
+ USE_PSA_INIT();
TEST_ASSERT(psa_crypto_init() == PSA_SUCCESS);
@@ -314,9 +313,8 @@
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- PSA_ASSERT(psa_crypto_init());
-
mbedtls_pk_init(&pk);
+ USE_PSA_INIT();
if (opaque_key == 1) {
psa_set_key_usage_flags(&attributes, key_usage);
@@ -362,6 +360,7 @@
size_t buf_size = sizeof(buf);
mbedtls_pk_init(&ctx);
+ USE_PSA_INIT();
TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA,
mbedtls_pk_verify_restartable(&ctx, MBEDTLS_MD_NONE,
@@ -397,6 +396,7 @@
NULL));
exit:
mbedtls_pk_free(&ctx);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -409,6 +409,7 @@
void *options = NULL;
mbedtls_pk_init(&pk);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_pk_setup(&pk, NULL) ==
MBEDTLS_ERR_PK_BAD_INPUT_DATA);
@@ -484,6 +485,7 @@
TEST_ASSERT(mbedtls_pk_parse_public_key(&pk, NULL, 0) ==
MBEDTLS_ERR_PK_KEY_INVALID_FORMAT);
#endif /* MBEDTLS_PK_PARSE_C */
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -494,6 +496,8 @@
/* For the write tests to be effective, we need a valid key pair. */
mbedtls_pk_init(&pk);
+ USE_PSA_INIT();
+
TEST_ASSERT(mbedtls_pk_parse_key(&pk,
key_data->x, key_data->len, NULL, 0,
mbedtls_test_rnd_std_rand, NULL) == 0);
@@ -514,6 +518,7 @@
exit:
mbedtls_pk_free(&pk);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -522,8 +527,8 @@
{
mbedtls_pk_context pk;
- USE_PSA_INIT();
mbedtls_pk_init(&pk);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0);
TEST_ASSERT(pk_genkey(&pk, parameter) == 0);
@@ -545,11 +550,10 @@
{
mbedtls_pk_context pub, prv, alt;
- USE_PSA_INIT();
-
mbedtls_pk_init(&pub);
mbedtls_pk_init(&prv);
mbedtls_pk_init(&alt);
+ USE_PSA_INIT();
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* mbedtls_pk_check_pair() returns either PK or ECP error codes depending
@@ -604,10 +608,8 @@
mbedtls_ecp_set_max_ops(1);
#endif
- USE_PSA_INIT();
-
mbedtls_pk_init(&pk);
-
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
rsa = mbedtls_pk_rsa(pk);
@@ -646,8 +648,8 @@
void *options;
int ret;
- MD_OR_USE_PSA_INIT();
mbedtls_pk_init(&pk);
+ MD_OR_USE_PSA_INIT();
TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
rsa = mbedtls_pk_rsa(pk);
@@ -735,11 +737,11 @@
unsigned char sig[MBEDTLS_ECDSA_MAX_LEN];
size_t slen;
- USE_PSA_INIT();
-
mbedtls_pk_restart_init(&rs_ctx);
mbedtls_pk_init(&prv);
mbedtls_pk_init(&pub);
+ USE_PSA_INIT();
+
memset(sig, 0, sizeof(sig));
TEST_ASSERT(mbedtls_pk_setup(&prv, mbedtls_pk_info_from_type(pk_type)) == 0);
@@ -915,12 +917,11 @@
mbedtls_pk_init(&pk);
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
+ USE_PSA_INIT();
memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info));
memset(output, 0, sizeof(output));
- USE_PSA_INIT();
-
/* encryption test */
/* init pk-rsa context */
@@ -988,15 +989,13 @@
mbedtls_pk_context pk;
size_t olen;
- USE_PSA_INIT();
-
mbedtls_pk_init(&pk);
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
+ USE_PSA_INIT();
memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info));
-
/* init pk-rsa context */
TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
rsa = mbedtls_pk_rsa(pk);
@@ -1045,11 +1044,10 @@
mbedtls_svc_key_id_t key_id;
size_t olen;
- USE_PSA_INIT();
-
mbedtls_pk_init(&pk);
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
+ USE_PSA_INIT();
memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info));
@@ -1107,6 +1105,7 @@
int ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
mbedtls_pk_init(&pk);
+ USE_PSA_INIT();
memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info));
memset(output, 0, sizeof(output));
@@ -1124,6 +1123,7 @@
exit:
mbedtls_pk_free(&pk);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1131,14 +1131,15 @@
void pk_rsa_overflow()
{
mbedtls_pk_context pk;
- size_t hash_len = SIZE_MAX, sig_len = SIZE_MAX;
+ size_t hash_len = UINT_MAX + 1, sig_len = UINT_MAX + 1;
unsigned char hash[50], sig[100];
+ mbedtls_pk_init(&pk);
+ USE_PSA_INIT();
+
memset(hash, 0x2a, sizeof(hash));
memset(sig, 0, sizeof(sig));
- mbedtls_pk_init(&pk);
-
TEST_ASSERT(mbedtls_pk_setup(&pk,
mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
@@ -1158,6 +1159,7 @@
exit:
mbedtls_pk_free(&pk);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1177,10 +1179,10 @@
size_t sig_len, ciph_len, test_len;
int ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
- USE_PSA_INIT();
-
mbedtls_rsa_init(&raw);
- mbedtls_pk_init(&rsa); mbedtls_pk_init(&alt);
+ mbedtls_pk_init(&rsa);
+ mbedtls_pk_init(&alt);
+ USE_PSA_INIT();
memset(hash, 0x2a, sizeof(hash));
memset(sig, 0, sizeof(sig));
@@ -1274,12 +1276,12 @@
* - parse it to a PK context and verify the signature this way
*/
- PSA_ASSERT(psa_crypto_init());
+ mbedtls_pk_init(&pk);
+ USE_PSA_INIT();
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)
if (PSA_KEY_TYPE_IS_RSA(psa_type_arg)) {
/* Create legacy RSA public/private key in PK context. */
- mbedtls_pk_init(&pk);
TEST_ASSERT(mbedtls_pk_setup(&pk,
mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
TEST_ASSERT(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk),
@@ -1293,7 +1295,6 @@
mbedtls_ecp_group_id grpid = parameter_arg;
/* Create legacy EC public/private key in PK context. */
- mbedtls_pk_init(&pk);
TEST_ASSERT(mbedtls_pk_setup(&pk,
mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0);
TEST_ASSERT(pk_genkey(&pk, grpid) == 0);
@@ -1434,8 +1435,8 @@
TEST_ASSERT(mbedtls_pk_verify_ext(key_pk_type, options, &pk, md_alg,
hash, hash_len, sig, sig_len) == 0);
exit:
- PSA_DONE();
mbedtls_pk_free(&pk);
+ PSA_DONE();
}
/* END_CASE */
diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function
index 751482a..838a7db 100644
--- a/tests/suites/test_suite_pkparse.function
+++ b/tests/suites/test_suite_pkparse.function
@@ -17,9 +17,8 @@
int res;
char *pwd = password;
- MD_PSA_INIT();
-
mbedtls_pk_init(&ctx);
+ MD_PSA_INIT();
if (strcmp(pwd, "NULL") == 0) {
pwd = NULL;
@@ -50,9 +49,8 @@
mbedtls_pk_context ctx;
int res;
- MD_PSA_INIT();
-
mbedtls_pk_init(&ctx);
+ MD_PSA_INIT();
res = mbedtls_pk_parse_public_keyfile(&ctx, key_file);
@@ -78,6 +76,7 @@
int res;
mbedtls_pk_init(&ctx);
+ USE_PSA_INIT();
res = mbedtls_pk_parse_public_keyfile(&ctx, key_file);
@@ -92,6 +91,7 @@
exit:
mbedtls_pk_free(&ctx);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -101,8 +101,8 @@
mbedtls_pk_context ctx;
int res;
- USE_PSA_INIT();
mbedtls_pk_init(&ctx);
+ USE_PSA_INIT();
res = mbedtls_pk_parse_keyfile(&ctx, key_file, password,
mbedtls_test_rnd_std_rand, NULL);
@@ -128,11 +128,13 @@
mbedtls_pk_context pk;
mbedtls_pk_init(&pk);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_pk_parse_key(&pk, buf->x, buf->len, NULL, 0,
mbedtls_test_rnd_std_rand, NULL) == result);
exit:
mbedtls_pk_free(&pk);
+ USE_PSA_DONE();
}
/* END_CASE */
diff --git a/tests/suites/test_suite_pkwrite.data b/tests/suites/test_suite_pkwrite.data
index a339cdb..34bf0da 100644
--- a/tests/suites/test_suite_pkwrite.data
+++ b/tests/suites/test_suite_pkwrite.data
@@ -93,3 +93,23 @@
Private key write check EC Brainpool 512 bits (DER)
depends_on:MBEDTLS_ECP_LIGHT:MBEDTLS_ECP_DP_BP512R1_ENABLED
pk_write_key_check:"data_files/ec_bp512_prv.der":TEST_DER
+
+Derive public key RSA
+depends_on:MBEDTLS_RSA_C
+pk_write_public_from_private:"data_files/server1.key.der":"data_files/server1.pubkey.der"
+
+Derive public key RSA 4096
+depends_on:MBEDTLS_RSA_C
+pk_write_public_from_private:"data_files/rsa4096_prv.der":"data_files/rsa4096_pub.der"
+
+Derive public key EC 192 bits
+depends_on:MBEDTLS_ECP_LIGHT:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+pk_write_public_from_private:"data_files/ec_prv.sec1.der":"data_files/ec_pub.der"
+
+Derive public key EC 521 bits
+depends_on:MBEDTLS_ECP_LIGHT:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+pk_write_public_from_private:"data_files/ec_521_prv.der":"data_files/ec_521_pub.der"
+
+Derive public key EC Brainpool 512 bits
+depends_on:MBEDTLS_ECP_LIGHT:MBEDTLS_ECP_DP_BP512R1_ENABLED
+pk_write_public_from_private:"data_files/ec_bp512_prv.der":"data_files/ec_bp512_pub.der"
diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function
index c0c5ad0..c148c8a 100644
--- a/tests/suites/test_suite_pkwrite.function
+++ b/tests/suites/test_suite_pkwrite.function
@@ -2,6 +2,7 @@
#include "mbedtls/pk.h"
#include "mbedtls/pem.h"
#include "mbedtls/oid.h"
+#include "psa/crypto_sizes.h"
typedef enum {
TEST_PEM,
@@ -36,6 +37,9 @@
size_t buf_len, check_buf_len;
int ret;
+ mbedtls_pk_init(&key);
+ USE_PSA_INIT();
+
/* Note: if mbedtls_pk_load_file() successfully reads the file, then
it also allocates check_buf, which should be freed on exit */
TEST_EQUAL(mbedtls_pk_load_file(key_file, &check_buf, &check_buf_len), 0);
@@ -56,7 +60,6 @@
ASSERT_ALLOC(buf, check_buf_len);
- mbedtls_pk_init(&key);
if (is_public_key) {
TEST_EQUAL(mbedtls_pk_parse_public_keyfile(&key, key_file), 0);
if (is_der) {
@@ -98,6 +101,7 @@
mbedtls_free(buf);
mbedtls_free(check_buf);
mbedtls_pk_free(&key);
+ USE_PSA_DONE();
}
/* END_HEADER */
@@ -121,3 +125,57 @@
goto exit; /* make the compiler happy */
}
/* END_CASE */
+
+/* BEGIN_CASE */
+void pk_write_public_from_private(char *priv_key_file, char *pub_key_file)
+{
+ mbedtls_pk_context priv_key;
+ uint8_t *derived_key_raw = NULL;
+ size_t derived_key_len = 0;
+ uint8_t *pub_key_raw = NULL;
+ size_t pub_key_len = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ mbedtls_pk_init(&priv_key);
+ USE_PSA_INIT();
+
+ TEST_EQUAL(mbedtls_pk_parse_keyfile(&priv_key, priv_key_file, NULL,
+ mbedtls_test_rnd_std_rand, NULL), 0);
+ TEST_EQUAL(mbedtls_pk_load_file(pub_key_file, &pub_key_raw,
+ &pub_key_len), 0);
+
+ derived_key_len = pub_key_len;
+ ASSERT_ALLOC(derived_key_raw, derived_key_len);
+
+ TEST_EQUAL(mbedtls_pk_write_pubkey_der(&priv_key, derived_key_raw,
+ derived_key_len), pub_key_len);
+
+ ASSERT_COMPARE(derived_key_raw, derived_key_len,
+ pub_key_raw, pub_key_len);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_platform_zeroize(derived_key_raw, sizeof(derived_key_raw));
+
+ TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&priv_key, &opaque_key_id,
+ PSA_ALG_NONE, PSA_KEY_USAGE_EXPORT,
+ PSA_ALG_NONE), 0);
+
+ TEST_EQUAL(mbedtls_pk_write_pubkey_der(&priv_key, derived_key_raw,
+ derived_key_len), pub_key_len);
+
+ ASSERT_COMPARE(derived_key_raw, derived_key_len,
+ pub_key_raw, pub_key_len);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+exit:
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_destroy_key(opaque_key_id);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ mbedtls_free(derived_key_raw);
+ mbedtls_free(pub_key_raw);
+ mbedtls_pk_free(&priv_key);
+ USE_PSA_DONE();
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_platform.data b/tests/suites/test_suite_platform.data
index 557b586..39b423f 100644
--- a/tests/suites/test_suite_platform.data
+++ b/tests/suites/test_suite_platform.data
@@ -7,6 +7,3 @@
Time: delay milliseconds
time_delay_milliseconds:1000
-
-Time: delay seconds
-time_delay_seconds:1
diff --git a/tests/suites/test_suite_platform.function b/tests/suites/test_suite_platform.function
index 54ddd42..7453c32 100644
--- a/tests/suites/test_suite_platform.function
+++ b/tests/suites/test_suite_platform.function
@@ -38,8 +38,6 @@
/* END_DEPENDENCIES */
-
-
/* BEGIN_CASE depends_on:MBEDTLS_HAVE_TIME */
void time_get_milliseconds()
{
@@ -76,6 +74,14 @@
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_HAVE_TIME */
+
+/*
+ * WARNING: DO NOT ENABLE THIS TEST. We keep the code here to document the
+ * reason.
+ *
+ * The test often failed on the CI. See #1517. CI failures cannot be
+ * completely avoided due to out-of-sync clock sources.
+ */
void time_delay_seconds(int delay_secs)
{
mbedtls_time_t current = mbedtls_time(NULL);
@@ -84,7 +90,23 @@
sleep_ms(delay_secs * 1000);
elapsed_secs = mbedtls_time(NULL) - current;
- TEST_ASSERT(elapsed_secs >= delay_secs && elapsed_secs < 4 + delay_secs);
+
+ /*
+ * `mbedtls_time()` was defined as c99 function `time()`, returns the number
+ * of seconds since the Epoch. And it is affected by discontinuous changes
+ * from automatic drift adjustment or time setting system call. The POSIX.1
+ * specification for clock_settime says that discontinuous changes in
+ * CLOCK_REALTIME should not affect `nanosleep()`.
+ *
+ * If discontinuous changes occur during `nanosleep()`, we will get
+ * `elapsed_secs < delay_secs` for backward or `elapsed_secs > delay_secs`
+ * for forward.
+ *
+ * The following tolerance windows cannot be guaranteed.
+ * PLEASE DO NOT ENABLE IT IN CI TEST.
+ */
+ TEST_ASSERT(elapsed_secs - delay_secs >= -1 &&
+ elapsed_secs - delay_secs < 4);
/* This goto is added to avoid warnings from the generated code. */
goto exit;
}
diff --git a/tests/suites/test_suite_platform_printf.data b/tests/suites/test_suite_platform_printf.data
new file mode 100644
index 0000000..891771b
--- /dev/null
+++ b/tests/suites/test_suite_platform_printf.data
@@ -0,0 +1,114 @@
+# The test cases for printf and integers have two purposes: they exercise
+# the printf function family, and they exercise the passing of integers
+# and strings through the test framework.
+
+printf "%d", 0
+printf_int:"%d":0:"0"
+
+printf "%d", -0
+printf_int:"%d":-0:"0"
+
+printf "%d", 0x0
+printf_int:"%d":0x0:"0"
+
+printf "%d", 0x00
+printf_int:"%d":0x00:"0"
+
+printf "%d", 0x000000000000000000000000000000000000000000
+printf_int:"%d":0x000000000000000000000000000000000000000000:"0"
+
+printf "%d", -0x0
+printf_int:"%d":-0x0:"0"
+
+printf "%d", 1
+printf_int:"%d":1:"1"
+
+printf "%d", 0x1
+printf_int:"%d":0x1:"1"
+
+printf "%d", 0x0000000000000000000000000000000000000000001
+printf_int:"%d":0x0000000000000000000000000000000000000000001:"1"
+
+printf "%d", -1
+printf_int:"%d":-1:"-1"
+
+printf "%d", -0x1
+printf_int:"%d":-0x1:"-1"
+
+printf "%d", -0x0000000000000000000000000000000000000000001
+printf_int:"%d":-0x0000000000000000000000000000000000000000001:"-1"
+
+printf "%d", 2147483647
+printf_int:"%d":2147483647:"2147483647"
+
+printf "%d", 0x7fffffff
+printf_int:"%d":0x7fffffff:"2147483647"
+
+printf "%d", -2147483647
+printf_int:"%d":-2147483647:"-2147483647"
+
+printf "%d", -0x7fffffff
+printf_int:"%d":-0x7fffffff:"-2147483647"
+
+printf "%d", -2147483648
+printf_int:"%d":-2147483648:"-2147483648"
+
+printf "%d", -0x80000000
+printf_int:"%d":-0x80000000:"-2147483648"
+
+# Test that LONG_MAX is coming out untruncated through the test framework.
+printf "%lx", LONG_MAX
+printf_long_max:"%lx":LONG_MAX
+
+# The next few test cases exercise how the test framework handles special
+# characters in strings.
+printf "%c%c", SPACE, SPACE
+printf_char2:"%c%c":SPACE_CHAR:SPACE_CHAR:" "
+
+printf "%c%c", NEWLINE, SPACE
+printf_char2:"%c%c":NEWLINE_CHAR:SPACE_CHAR:"\n "
+
+printf "%c%c", DOUBLE QUOTE, SPACE
+printf_char2:"%c%c":DOUBLE_QUOTE_CHAR:SPACE_CHAR:"\" "
+
+printf "%c%c", COLON, SPACE
+printf_char2:"%c%c":COLON_CHAR:SPACE_CHAR:"\: "
+
+printf "%c%c", QUESTION, SPACE
+printf_char2:"%c%c":QUESTION_CHAR:SPACE_CHAR:"? "
+
+printf "%c%c", BACKSLASH, SPACE
+printf_char2:"%c%c":BACKSLASH_CHAR:SPACE_CHAR:"\\ "
+
+printf "%c%c", SPACE, BACKSLASH
+printf_char2:"%c%c":SPACE_CHAR:BACKSLASH_CHAR:" \\"
+
+printf "%c%c", COLON, COLON
+printf_char2:"%c%c":COLON_CHAR:COLON_CHAR:"\:\:"
+
+printf "%c%c", COLON, NEWLINE
+printf_char2:"%c%c":COLON_CHAR:NEWLINE_CHAR:"\:\n"
+
+printf "%c%c", QUESTION, QUESTION
+printf_char2:"%c%c":QUESTION_CHAR:QUESTION_CHAR:"??"
+
+printf "%c%c", QUESTION, NEWLINE
+printf_char2:"%c%c":QUESTION_CHAR:NEWLINE_CHAR:"?\n"
+
+printf "%c%c", BACKSLASH, NEWLINE
+printf_char2:"%c%c":BACKSLASH_CHAR:NEWLINE_CHAR:"\\\n"
+
+printf "%c%c", BACKSLASH, DOUBLE QUOTE
+printf_char2:"%c%c":BACKSLASH_CHAR:DOUBLE_QUOTE_CHAR:"\\\""
+
+printf "%c%c", BACKSLASH, COLON
+printf_char2:"%c%c":BACKSLASH_CHAR:COLON_CHAR:"\\\:"
+
+printf "%c%c", BACKSLASH, QUESTION
+printf_char2:"%c%c":BACKSLASH_CHAR:QUESTION_CHAR:"\\?"
+
+printf "%c%c", BACKSLASH, BACKSLASH
+printf_char2:"%c%c":BACKSLASH_CHAR:BACKSLASH_CHAR:"\\\\"
+
+printf "%c%c", BACKSLASH, n
+printf_char2:"%c%c":BACKSLASH_CHAR:LOWERCASE_N_CHAR:"\\n"
diff --git a/tests/suites/test_suite_platform_printf.function b/tests/suites/test_suite_platform_printf.function
new file mode 100644
index 0000000..3c816fe
--- /dev/null
+++ b/tests/suites/test_suite_platform_printf.function
@@ -0,0 +1,89 @@
+/* BEGIN_HEADER */
+
+/* The printf test functions take a format argument from the test data
+ * for several reasons:
+ * - For some tests, it makes sense to vary the format.
+ * - For all tests, it means we're testing the actual printf function
+ * that parses the format at runtime, and not a compiler optimization.
+ * (It may be useful to add tests that allow compiler optimizations.
+ * There aren't any yet at the time of writing.)
+ */
+
+#include "mbedtls/platform.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define NEWLINE_CHAR '\n'
+#define SPACE_CHAR ' '
+#define DOUBLE_QUOTE_CHAR '"'
+#define COLON_CHAR ':'
+#define QUESTION_CHAR '?'
+#define BACKSLASH_CHAR '\\'
+#define LOWERCASE_N_CHAR 'n'
+/* END_HEADER */
+
+/* BEGIN_CASE */
+void printf_int(char *format, /* any format expecting one int argument, e.g. "%d" */
+ int x, char *result)
+{
+ char *output = NULL;
+ const size_t n = strlen(result);
+
+ /* Nominal case: buffer just large enough */
+ ASSERT_ALLOC(output, n + 1);
+ TEST_EQUAL(n, mbedtls_snprintf(output, n + 1, format, x));
+ ASSERT_COMPARE(result, n + 1, output, n + 1);
+ mbedtls_free(output);
+ output = NULL;
+
+exit:
+ mbedtls_free(output);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void printf_long_max(const char *format, /* "%lx" or longer type */
+ long value)
+{
+ char *expected = NULL;
+ char *output = NULL;
+ /* 2 hex digits per byte */
+ const size_t n = sizeof(value) * 2;
+
+ /* We assume that long has no padding bits! */
+ ASSERT_ALLOC(expected, n + 1);
+ expected[0] = '7';
+ memset(expected + 1, 'f', sizeof(value) * 2 - 1);
+
+ ASSERT_ALLOC(output, n + 1);
+ TEST_EQUAL(n, mbedtls_snprintf(output, n + 1, format, value));
+ ASSERT_COMPARE(expected, n + 1, output, n + 1);
+ mbedtls_free(output);
+ output = NULL;
+
+exit:
+ mbedtls_free(output);
+ mbedtls_free(expected);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void printf_char2(char *format, /* "%c%c" */
+ int arg1, int arg2, char *result)
+{
+ char *output = NULL;
+ const size_t n = strlen(result);
+
+ /* Nominal case: buffer just large enough */
+ ASSERT_ALLOC(output, n + 1);
+ TEST_EQUAL(n, mbedtls_snprintf(output, n + 1, format, arg1, arg2));
+ ASSERT_COMPARE(result, n + 1, output, n + 1);
+ mbedtls_free(output);
+ output = NULL;
+
+exit:
+ mbedtls_free(output);
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 07aad73..fd35c87 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -3045,7 +3045,7 @@
aead_encrypt_decrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CTR:"000102030405060708090A0B0C0D0E0F":"":"":PSA_ERROR_INVALID_ARGUMENT
PSA AEAD encrypt/decrypt: invalid algorithm (ChaCha20)
-depends_on:MBEDTLS_CHACHA20_C
+depends_on:PSA_WANT_KEY_TYPE_CHACHA20
aead_encrypt_decrypt:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_STREAM_CIPHER:"":"":"":PSA_ERROR_INVALID_ARGUMENT
PSA Multipart AEAD encrypt: AES - CCM, 23 bytes (lengths set)
@@ -5031,6 +5031,9 @@
depends_on:PSA_WANT_ALG_SHA_256
derive_setup:PSA_ALG_CATEGORY_KEY_DERIVATION:PSA_ERROR_NOT_SUPPORTED
+Parse binary string
+parse_binary_string_test:"123456":0x123456
+
PSA key derivation: HKDF-SHA-256, good case, direct output
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_input:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_DERIVE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_TYPE_NONE:PSA_SUCCESS
@@ -5159,6 +5162,23 @@
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_input:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:PSA_KEY_TYPE_NONE:"":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_DERIVE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_INFO:PSA_KEY_TYPE_NONE:"":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+PSA key derivation: HKDF-SHA-256, reject using input integer with direct secret
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:INPUT_INTEGER:"0b0b0b0b0b0b0b0b":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_INFO:PSA_KEY_TYPE_NONE:"":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
+PSA key derivation: HKDF-SHA-256, reject input cost step using input_bytes
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:PSA_KEY_TYPE_NONE:"100000":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_INFO:PSA_KEY_TYPE_NONE:"":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
+PSA key derivation: HKDF-SHA-256, input cost using input_integer after secret
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"100000":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_INFO:PSA_KEY_TYPE_NONE:"":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
+PSA key derivation: HKDF-SHA-256, reject input cost using input_integer after secret and info
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"100000":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
+
PSA key derivation: TLS 1.2 PRF SHA-256, good case
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF
derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_DERIVE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_LABEL:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_TYPE_DERIVE:PSA_SUCCESS
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index cd8a7b5..98b1a33 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -294,6 +294,19 @@
((void) 0)
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+#define INPUT_INTEGER 0x10000 /* Out of range of psa_key_type_t */
+
+uint64_t parse_binary_string(data_t *bin_string)
+{
+ uint64_t result = 0;
+ TEST_LE_U(bin_string->len, 8);
+ for (size_t i = 0; i < bin_string->len; i++) {
+ result = result << 8 | bin_string->x[i];
+ }
+exit:
+ return result; /* returns 0 if len > 8 */
+}
+
/* An overapproximation of the amount of storage needed for a key of the
* given type and with the given content. The API doesn't make it easy
* to find a good value for the size. The current implementation doesn't
@@ -318,6 +331,7 @@
USE_GIVEN_TAG = 1,
} tag_usage_method_t;
+
/*!
* \brief Internal Function for AEAD multipart tests.
* \param key_type_arg Type of key passed in
@@ -2408,12 +2422,12 @@
/* BEGIN_CASE */
void copy_success(int source_usage_arg,
int source_alg_arg, int source_alg2_arg,
- unsigned int source_lifetime_arg,
+ int source_lifetime_arg,
int type_arg, data_t *material,
int copy_attributes,
int target_usage_arg,
int target_alg_arg, int target_alg2_arg,
- unsigned int target_lifetime_arg,
+ int target_lifetime_arg,
int expected_usage_arg,
int expected_alg_arg, int expected_alg2_arg)
{
@@ -8446,6 +8460,15 @@
/* END_CASE */
/* BEGIN_CASE */
+void parse_binary_string_test(data_t *input, int output)
+{
+ uint64_t value;
+ value = parse_binary_string(input);
+ TEST_EQUAL(value, output);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
void derive_input(int alg_arg,
int step_arg1, int key_type_arg1, data_t *input1,
int expected_status_arg1,
@@ -8457,7 +8480,7 @@
{
psa_algorithm_t alg = alg_arg;
psa_key_derivation_step_t steps[] = { step_arg1, step_arg2, step_arg3 };
- psa_key_type_t key_types[] = { key_type_arg1, key_type_arg2, key_type_arg3 };
+ uint32_t key_types[] = { key_type_arg1, key_type_arg2, key_type_arg3 };
psa_status_t expected_statuses[] = { expected_status_arg1,
expected_status_arg2,
expected_status_arg3 };
@@ -8484,12 +8507,13 @@
mbedtls_test_set_step(i);
if (steps[i] == 0) {
/* Skip this step */
- } else if (key_types[i] != PSA_KEY_TYPE_NONE) {
- psa_set_key_type(&attributes, key_types[i]);
+ } else if (((psa_key_type_t) key_types[i]) != PSA_KEY_TYPE_NONE &&
+ key_types[i] != INPUT_INTEGER) {
+ psa_set_key_type(&attributes, ((psa_key_type_t) key_types[i]));
PSA_ASSERT(psa_import_key(&attributes,
inputs[i]->x, inputs[i]->len,
&keys[i]));
- if (PSA_KEY_TYPE_IS_KEY_PAIR(key_types[i]) &&
+ if (PSA_KEY_TYPE_IS_KEY_PAIR((psa_key_type_t) key_types[i]) &&
steps[i] == PSA_KEY_DERIVATION_INPUT_SECRET) {
// When taking a private key as secret input, use key agreement
// to add the shared secret to the derivation
@@ -8502,10 +8526,17 @@
expected_statuses[i]);
}
} else {
- TEST_EQUAL(psa_key_derivation_input_bytes(
- &operation, steps[i],
- inputs[i]->x, inputs[i]->len),
- expected_statuses[i]);
+ if (key_types[i] == INPUT_INTEGER) {
+ TEST_EQUAL(psa_key_derivation_input_integer(
+ &operation, steps[i],
+ parse_binary_string(inputs[i])),
+ expected_statuses[i]);
+ } else {
+ TEST_EQUAL(psa_key_derivation_input_bytes(
+ &operation, steps[i],
+ inputs[i]->x, inputs[i]->len),
+ expected_statuses[i]);
+ }
}
}
diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data
index c467d01..b9f68e1 100644
--- a/tests/suites/test_suite_psa_crypto_pake.data
+++ b/tests/suites/test_suite_psa_crypto_pake.data
@@ -48,11 +48,11 @@
PSA PAKE: set invalid user
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"aaaa":"server":0:ERR_IN_SET_USER:PSA_ERROR_NOT_SUPPORTED
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"something":"server":0:ERR_IN_OUTPUT:PSA_ERROR_NOT_SUPPORTED
PSA PAKE: set invalid peer
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"client":"aaaa":0:ERR_IN_SET_PEER:PSA_ERROR_NOT_SUPPORTED
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"client":"something":0:ERR_IN_OUTPUT:PSA_ERROR_NOT_SUPPORTED
PSA PAKE: user already set
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
@@ -220,9 +220,6 @@
PSA PAKE: input getters: cipher suite
pake_input_getters_cipher_suite
-PSA PAKE: input getters: role
-pake_input_getters_role
-
PSA PAKE: input getters: user
pake_input_getters_user
diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function
index ecbd363..52380de 100644
--- a/tests/suites/test_suite_psa_crypto_pake.function
+++ b/tests/suites/test_suite_psa_crypto_pake.function
@@ -989,8 +989,7 @@
&buffer_len_ret),
PSA_SUCCESS);
- TEST_EQUAL(buffer_len_ret, strlen(password));
- PSA_ASSERT(memcmp(password_ret, password, buffer_len_ret));
+ ASSERT_COMPARE(password_ret, buffer_len_ret, password, strlen(password));
exit:
PSA_ASSERT(psa_destroy_key(key));
PSA_ASSERT(psa_pake_abort(&operation));
@@ -1023,7 +1022,8 @@
TEST_EQUAL(psa_crypto_driver_pake_get_cipher_suite(&operation.data.inputs, &cipher_suite_ret),
PSA_SUCCESS);
- PSA_ASSERT(memcmp(&cipher_suite_ret, &cipher_suite, sizeof(cipher_suite)));
+ ASSERT_COMPARE(&cipher_suite_ret, sizeof(cipher_suite_ret),
+ &cipher_suite, sizeof(cipher_suite));
exit:
PSA_ASSERT(psa_pake_abort(&operation));
@@ -1032,47 +1032,11 @@
/* END_CASE */
/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
-void pake_input_getters_role()
-{
- psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
- psa_pake_operation_t operation = psa_pake_operation_init();
- psa_pake_role_t role_ret = PSA_PAKE_ROLE_NONE;
-
- psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE(
- PSA_PAKE_PRIMITIVE_TYPE_ECC,
- PSA_ECC_FAMILY_SECP_R1, 256);
-
- PSA_INIT();
-
- psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE);
- psa_pake_cs_set_primitive(&cipher_suite, primitive);
- psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
-
- PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite));
-
- TEST_EQUAL(psa_crypto_driver_pake_get_role(&operation.data.inputs, &role_ret),
- PSA_ERROR_BAD_STATE);
-
- /* Role can not be set directly using psa_pake_set_role(). It is set by the core
- based on given user/peer identifiers. Simulate that Role is already set. */
- operation.data.inputs.role = PSA_PAKE_ROLE_SERVER;
- TEST_EQUAL(psa_crypto_driver_pake_get_role(&operation.data.inputs, &role_ret),
- PSA_SUCCESS);
-
- TEST_EQUAL(role_ret, PSA_PAKE_ROLE_SERVER);
-exit:
- PSA_ASSERT(psa_pake_abort(&operation));
- PSA_DONE();
-}
-/* END_CASE */
-
-/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
void pake_input_getters_user()
{
psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
psa_pake_operation_t operation = psa_pake_operation_init();
- const uint8_t user[] = { 's', 'e', 'r', 'v', 'e', 'r' };
- const size_t user_len = sizeof(user);
+ const char *users[] = { "client", "server", "other" };
uint8_t user_ret[20] = { 0 }; // max user length is 20 bytes
size_t user_len_ret = 0;
size_t buffer_len_ret = 0;
@@ -1087,37 +1051,43 @@
psa_pake_cs_set_primitive(&cipher_suite, primitive);
psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
- PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite));
+ for (size_t i = 0; i < ARRAY_LENGTH(users); i++) {
+ uint8_t *user = (uint8_t *) users[i];
+ uint8_t user_len = strlen(users[i]);
- TEST_EQUAL(psa_crypto_driver_pake_get_user(&operation.data.inputs,
- (uint8_t *) &user_ret,
- 10, &buffer_len_ret),
- PSA_ERROR_BAD_STATE);
+ PSA_ASSERT(psa_pake_abort(&operation));
- TEST_EQUAL(psa_crypto_driver_pake_get_user_len(&operation.data.inputs, &user_len_ret),
- PSA_ERROR_BAD_STATE);
+ PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite));
- PSA_ASSERT(psa_pake_set_user(&operation, user, user_len));
+ TEST_EQUAL(psa_crypto_driver_pake_get_user(&operation.data.inputs,
+ (uint8_t *) &user_ret,
+ 10, &buffer_len_ret),
+ PSA_ERROR_BAD_STATE);
- TEST_EQUAL(psa_crypto_driver_pake_get_user_len(&operation.data.inputs, &user_len_ret),
- PSA_SUCCESS);
+ TEST_EQUAL(psa_crypto_driver_pake_get_user_len(&operation.data.inputs, &user_len_ret),
+ PSA_ERROR_BAD_STATE);
- TEST_EQUAL(user_len_ret, user_len);
+ PSA_ASSERT(psa_pake_set_user(&operation, user, user_len));
- TEST_EQUAL(psa_crypto_driver_pake_get_user(&operation.data.inputs,
- (uint8_t *) &user_ret,
- user_len_ret - 1,
- &buffer_len_ret),
- PSA_ERROR_BUFFER_TOO_SMALL);
+ TEST_EQUAL(psa_crypto_driver_pake_get_user_len(&operation.data.inputs, &user_len_ret),
+ PSA_SUCCESS);
- TEST_EQUAL(psa_crypto_driver_pake_get_user(&operation.data.inputs,
- (uint8_t *) &user_ret,
- user_len_ret,
- &buffer_len_ret),
- PSA_SUCCESS);
+ TEST_EQUAL(user_len_ret, user_len);
- TEST_EQUAL(buffer_len_ret, user_len);
- PSA_ASSERT(memcmp(user_ret, user, buffer_len_ret));
+ TEST_EQUAL(psa_crypto_driver_pake_get_user(&operation.data.inputs,
+ (uint8_t *) &user_ret,
+ user_len_ret - 1,
+ &buffer_len_ret),
+ PSA_ERROR_BUFFER_TOO_SMALL);
+
+ TEST_EQUAL(psa_crypto_driver_pake_get_user(&operation.data.inputs,
+ (uint8_t *) &user_ret,
+ user_len_ret,
+ &buffer_len_ret),
+ PSA_SUCCESS);
+
+ ASSERT_COMPARE(user_ret, buffer_len_ret, user, user_len);
+ }
exit:
PSA_ASSERT(psa_pake_abort(&operation));
PSA_DONE();
@@ -1129,8 +1099,7 @@
{
psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
psa_pake_operation_t operation = psa_pake_operation_init();
- const uint8_t peer[] = { 's', 'e', 'r', 'v', 'e', 'r' };
- const size_t peer_len = sizeof(peer);
+ const char *peers[] = { "client", "server", "other" };
uint8_t peer_ret[20] = { 0 }; // max peer length is 20 bytes
size_t peer_len_ret = 0;
size_t buffer_len_ret = 0;
@@ -1145,37 +1114,43 @@
psa_pake_cs_set_primitive(&cipher_suite, primitive);
psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
- PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite));
+ for (size_t i = 0; i < ARRAY_LENGTH(peers); i++) {
+ uint8_t *peer = (uint8_t *) peers[i];
+ uint8_t peer_len = strlen(peers[i]);
- TEST_EQUAL(psa_crypto_driver_pake_get_peer(&operation.data.inputs,
- (uint8_t *) &peer_ret,
- 10, &buffer_len_ret),
- PSA_ERROR_BAD_STATE);
+ PSA_ASSERT(psa_pake_abort(&operation));
- TEST_EQUAL(psa_crypto_driver_pake_get_peer_len(&operation.data.inputs, &peer_len_ret),
- PSA_ERROR_BAD_STATE);
+ PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite));
- PSA_ASSERT(psa_pake_set_peer(&operation, peer, peer_len));
+ TEST_EQUAL(psa_crypto_driver_pake_get_peer(&operation.data.inputs,
+ (uint8_t *) &peer_ret,
+ 10, &buffer_len_ret),
+ PSA_ERROR_BAD_STATE);
- TEST_EQUAL(psa_crypto_driver_pake_get_peer_len(&operation.data.inputs, &peer_len_ret),
- PSA_SUCCESS);
+ TEST_EQUAL(psa_crypto_driver_pake_get_peer_len(&operation.data.inputs, &peer_len_ret),
+ PSA_ERROR_BAD_STATE);
- TEST_EQUAL(peer_len_ret, peer_len);
+ PSA_ASSERT(psa_pake_set_peer(&operation, peer, peer_len));
- TEST_EQUAL(psa_crypto_driver_pake_get_peer(&operation.data.inputs,
- (uint8_t *) &peer_ret,
- peer_len_ret - 1,
- &buffer_len_ret),
- PSA_ERROR_BUFFER_TOO_SMALL);
+ TEST_EQUAL(psa_crypto_driver_pake_get_peer_len(&operation.data.inputs, &peer_len_ret),
+ PSA_SUCCESS);
- TEST_EQUAL(psa_crypto_driver_pake_get_peer(&operation.data.inputs,
- (uint8_t *) &peer_ret,
- peer_len_ret,
- &buffer_len_ret),
- PSA_SUCCESS);
+ TEST_EQUAL(peer_len_ret, peer_len);
- TEST_EQUAL(buffer_len_ret, peer_len);
- PSA_ASSERT(memcmp(peer_ret, peer, buffer_len_ret));
+ TEST_EQUAL(psa_crypto_driver_pake_get_peer(&operation.data.inputs,
+ (uint8_t *) &peer_ret,
+ peer_len_ret - 1,
+ &buffer_len_ret),
+ PSA_ERROR_BUFFER_TOO_SMALL);
+
+ TEST_EQUAL(psa_crypto_driver_pake_get_peer(&operation.data.inputs,
+ (uint8_t *) &peer_ret,
+ peer_len_ret,
+ &buffer_len_ret),
+ PSA_SUCCESS);
+
+ ASSERT_COMPARE(peer_ret, buffer_len_ret, peer, peer_len);
+ }
exit:
PSA_ASSERT(psa_pake_abort(&operation));
PSA_DONE();
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 6bda6ca..6f9e544 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -12,6 +12,8 @@
#include <constant_time_internal.h>
#include <test/constant_flow.h>
+#define SSL_MESSAGE_QUEUE_INIT { NULL, 0, 0, 0 }
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -27,6 +29,7 @@
unsigned char input[MSGLEN];
unsigned char output[MSGLEN];
+ USE_PSA_INIT();
memset(input, 0, sizeof(input));
/* Make sure calling put and get on NULL buffer results in error. */
@@ -79,8 +82,8 @@
exit:
-
mbedtls_test_ssl_buffer_free(&buf);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -115,6 +118,7 @@
size_t i, j, written, read;
mbedtls_test_ssl_buffer_init(&buf);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_test_ssl_buffer_setup(&buf, size) == 0);
/* Check the sanity of input parameters and initialise local variables. That
@@ -189,10 +193,10 @@
}
exit:
-
mbedtls_free(input);
mbedtls_free(output);
mbedtls_test_ssl_buffer_free(&buf);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -210,6 +214,7 @@
mbedtls_test_mock_socket socket;
mbedtls_test_mock_socket_init(&socket);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_test_mock_tcp_send_b(&socket, message, MSGLEN) < 0);
mbedtls_test_mock_socket_close(&socket);
mbedtls_test_mock_socket_init(&socket);
@@ -224,8 +229,8 @@
mbedtls_test_mock_socket_close(&socket);
exit:
-
mbedtls_test_mock_socket_close(&socket);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -259,6 +264,7 @@
mbedtls_test_mock_socket_init(&client);
mbedtls_test_mock_socket_init(&server);
+ USE_PSA_INIT();
/* Fill up the buffer with structured data so that unwanted changes
* can be detected */
@@ -317,9 +323,9 @@
TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
exit:
-
mbedtls_test_mock_socket_close(&client);
mbedtls_test_mock_socket_close(&server);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -357,6 +363,7 @@
mbedtls_test_mock_socket_init(&client);
mbedtls_test_mock_socket_init(&server);
+ USE_PSA_INIT();
/* Fill up the buffers with structured data so that unwanted changes
* can be detected */
@@ -445,17 +452,18 @@
}
exit:
-
mbedtls_test_mock_socket_close(&client);
mbedtls_test_mock_socket_close(&server);
+ USE_PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_queue_sanity()
{
- mbedtls_test_ssl_message_queue queue;
+ mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT;
+ USE_PSA_INIT();
/* Trying to push/pull to an empty queue */
TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(NULL, 1)
== MBEDTLS_TEST_ERROR_ARG_NULL);
@@ -468,14 +476,16 @@
exit:
mbedtls_test_ssl_message_queue_free(&queue);
+ USE_PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_queue_basic()
{
- mbedtls_test_ssl_message_queue queue;
+ mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT;
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0);
/* Sanity test - 3 pushes and 3 pops with sufficient space */
@@ -495,14 +505,16 @@
exit:
mbedtls_test_ssl_message_queue_free(&queue);
+ USE_PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_queue_overflow_underflow()
{
- mbedtls_test_ssl_message_queue queue;
+ mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT;
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0);
/* 4 pushes (last one with an error), 4 pops (last one with an error) */
@@ -521,14 +533,16 @@
exit:
mbedtls_test_ssl_message_queue_free(&queue);
+ USE_PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_queue_interleaved()
{
- mbedtls_test_ssl_message_queue queue;
+ mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT;
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0);
/* Interleaved test - [2 pushes, 1 pop] twice, and then two pops
@@ -555,16 +569,18 @@
exit:
mbedtls_test_ssl_message_queue_free(&queue);
+ USE_PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_queue_insufficient_buffer()
{
- mbedtls_test_ssl_message_queue queue;
+ mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT;
size_t message_len = 10;
size_t buffer_len = 5;
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 1) == 0);
/* Popping without a sufficient buffer */
@@ -574,6 +590,7 @@
== (int) buffer_len);
exit:
mbedtls_test_ssl_message_queue_free(&queue);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -588,6 +605,7 @@
mbedtls_test_message_socket_init(&server_context);
mbedtls_test_message_socket_init(&client_context);
+ USE_PSA_INIT();
/* Send with a NULL context */
TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(NULL, message, MSGLEN)
== MBEDTLS_TEST_ERROR_CONTEXT_ERROR);
@@ -626,6 +644,7 @@
exit:
mbedtls_test_message_socket_close(&server_context);
mbedtls_test_message_socket_close(&client_context);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -638,8 +657,10 @@
unsigned i;
mbedtls_test_ssl_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
+
mbedtls_test_message_socket_init(&server_context);
mbedtls_test_message_socket_init(&client_context);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
&client_queue, 1,
@@ -685,6 +706,7 @@
exit:
mbedtls_test_message_socket_close(&server_context);
mbedtls_test_message_socket_close(&client_context);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -697,8 +719,10 @@
unsigned i;
mbedtls_test_ssl_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
+
mbedtls_test_message_socket_init(&server_context);
mbedtls_test_message_socket_init(&client_context);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
&client_queue, 2,
@@ -749,6 +773,7 @@
exit:
mbedtls_test_message_socket_close(&server_context);
mbedtls_test_message_socket_close(&client_context);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -761,8 +786,10 @@
unsigned i;
mbedtls_test_ssl_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
+
mbedtls_test_message_socket_init(&server_context);
mbedtls_test_message_socket_init(&client_context);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
&client_queue, 2,
@@ -801,6 +828,7 @@
exit:
mbedtls_test_message_socket_close(&server_context);
mbedtls_test_message_socket_close(&client_context);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -813,8 +841,10 @@
unsigned i;
mbedtls_test_ssl_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
+
mbedtls_test_message_socket_init(&server_context);
mbedtls_test_message_socket_init(&client_context);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
&client_queue, 2,
@@ -865,6 +895,7 @@
exit:
mbedtls_test_message_socket_close(&server_context);
mbedtls_test_message_socket_close(&client_context);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -877,8 +908,10 @@
unsigned i;
mbedtls_test_ssl_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
+
mbedtls_test_message_socket_init(&server_context);
mbedtls_test_message_socket_init(&client_context);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
&client_queue, 1,
@@ -923,6 +956,7 @@
exit:
mbedtls_test_message_socket_close(&server_context);
mbedtls_test_message_socket_close(&client_context);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -935,8 +969,10 @@
unsigned i;
mbedtls_test_ssl_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
+
mbedtls_test_message_socket_init(&server_context);
mbedtls_test_message_socket_init(&client_context);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
&client_queue, 3,
@@ -983,6 +1019,7 @@
exit:
mbedtls_test_message_socket_close(&server_context);
mbedtls_test_message_socket_close(&client_context);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -995,8 +1032,10 @@
unsigned i;
mbedtls_test_ssl_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
+
mbedtls_test_message_socket_init(&server_context);
mbedtls_test_message_socket_init(&client_context);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
&client_queue, 3,
@@ -1070,6 +1109,7 @@
exit:
mbedtls_test_message_socket_close(&server_context);
mbedtls_test_message_socket_close(&client_context);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1080,10 +1120,9 @@
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
- MD_OR_USE_PSA_INIT();
-
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
+ MD_OR_USE_PSA_INIT();
TEST_ASSERT(mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
@@ -1112,12 +1151,16 @@
void ssl_set_hostname_twice(char *hostname0, char *hostname1)
{
mbedtls_ssl_context ssl;
+
mbedtls_ssl_init(&ssl);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_ssl_set_hostname(&ssl, hostname0) == 0);
TEST_ASSERT(mbedtls_ssl_set_hostname(&ssl, hostname1) == 0);
+exit:
mbedtls_ssl_free(&ssl);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1141,11 +1184,11 @@
size_t const buflen = 512;
mbedtls_record rec, rec_backup;
- MD_OR_USE_PSA_INIT();
-
mbedtls_ssl_init(&ssl);
mbedtls_ssl_transform_init(&t0);
mbedtls_ssl_transform_init(&t1);
+ MD_OR_USE_PSA_INIT();
+
ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id,
etm, tag_mode, ver,
(size_t) cid0_len,
@@ -1295,11 +1338,11 @@
int seen_success; /* Indicates if in the current mode we've
* already seen a successful test. */
- MD_OR_USE_PSA_INIT();
-
mbedtls_ssl_init(&ssl);
mbedtls_ssl_transform_init(&t0);
mbedtls_ssl_transform_init(&t1);
+ MD_OR_USE_PSA_INIT();
+
ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id,
etm, tag_mode, ver,
(size_t) cid0_len,
@@ -1456,11 +1499,10 @@
int ret;
const unsigned char pad_max_len = 255; /* Per the standard */
- MD_OR_USE_PSA_INIT();
-
mbedtls_ssl_init(&ssl);
mbedtls_ssl_transform_init(&t0);
mbedtls_ssl_transform_init(&t1);
+ MD_OR_USE_PSA_INIT();
/* Set up transforms with dummy keys */
ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id,
@@ -1685,6 +1727,7 @@
ASSERT_COMPARE(dst, (size_t) desired_length,
expected->x, (size_t) expected->len);
+exit:
PSA_DONE();
}
/* END_CASE */
@@ -1738,6 +1781,7 @@
expected_server_write_iv->x,
(size_t) desired_iv_len);
+exit:
PSA_DONE();
}
/* END_CASE */
@@ -1782,6 +1826,7 @@
ASSERT_COMPARE(dst, desired_length,
expected->x, desired_length);
+exit:
PSA_DONE();
}
/* END_CASE */
@@ -1815,6 +1860,7 @@
ASSERT_COMPARE(secrets.early_exporter_master_secret, hash_len,
exporter_expected->x, exporter_expected->len);
+exit:
PSA_DONE();
}
/* END_CASE */
@@ -1848,6 +1894,7 @@
ASSERT_COMPARE(secrets.server_handshake_traffic_secret, hash_len,
server_expected->x, server_expected->len);
+exit:
PSA_DONE();
}
/* END_CASE */
@@ -1885,6 +1932,7 @@
ASSERT_COMPARE(secrets.exporter_master_secret, hash_len,
exporter_expected->x, exporter_expected->len);
+exit:
PSA_DONE();
}
/* END_CASE */
@@ -1914,6 +1962,7 @@
ASSERT_COMPARE(secrets.resumption_master_secret, hash_len,
resumption_expected->x, resumption_expected->len);
+exit:
PSA_DONE();
}
/* END_CASE */
@@ -1947,6 +1996,7 @@
ASSERT_COMPARE(binder, hash_len,
binder_expected->x, binder_expected->len);
+exit:
PSA_DONE();
}
/* END_CASE */
@@ -1971,8 +2021,6 @@
size_t buf_len;
int other_endpoint;
- MD_OR_USE_PSA_INIT();
-
TEST_ASSERT(endpoint == MBEDTLS_SSL_IS_CLIENT ||
endpoint == MBEDTLS_SSL_IS_SERVER);
@@ -2000,6 +2048,7 @@
mbedtls_ssl_transform_init(&transform_recv);
mbedtls_ssl_transform_init(&transform_send);
+ MD_OR_USE_PSA_INIT();
TEST_ASSERT(mbedtls_ssl_tls13_populate_transform(
&transform_send, endpoint,
@@ -2045,6 +2094,7 @@
ASSERT_COMPARE(rec.buf + rec.data_offset, rec.data_len,
plaintext->x, plaintext->len);
+exit:
mbedtls_free(buf);
mbedtls_ssl_transform_free(&transform_send);
mbedtls_ssl_transform_free(&transform_recv);
@@ -2071,6 +2121,7 @@
ASSERT_COMPARE(secret_new, (size_t) expected->len,
expected->x, (size_t) expected->len);
+exit:
PSA_DONE();
}
/* END_CASE */
@@ -2114,9 +2165,9 @@
/*
* Test that a save-load pair is the identity
*/
-
mbedtls_ssl_session_init(&original);
mbedtls_ssl_session_init(&restored);
+ USE_PSA_INIT();
/* Prepare a dummy session to work on */
((void) endpoint_type);
@@ -2248,6 +2299,7 @@
mbedtls_ssl_session_free(&original);
mbedtls_ssl_session_free(&restored);
mbedtls_free(buf);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -2262,8 +2314,8 @@
/*
* Test that a load-save pair is the identity
*/
-
mbedtls_ssl_session_init(&session);
+ USE_PSA_INIT();
/* Prepare a dummy session to work on */
((void) endpoint_type);
@@ -2310,6 +2362,7 @@
mbedtls_ssl_session_free(&session);
mbedtls_free(buf1);
mbedtls_free(buf2);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -2324,8 +2377,8 @@
/*
* Test that session_save() fails cleanly on small buffers
*/
-
mbedtls_ssl_session_init(&session);
+ USE_PSA_INIT();
/* Prepare dummy session and get serialized size */
((void) endpoint_type);
@@ -2357,6 +2410,7 @@
exit:
mbedtls_ssl_session_free(&session);
mbedtls_free(buf);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -2371,8 +2425,8 @@
/*
* Test that session_load() fails cleanly on small buffers
*/
-
mbedtls_ssl_session_init(&session);
+ USE_PSA_INIT();
/* Prepare serialized session data */
((void) endpoint_type);
@@ -2410,6 +2464,7 @@
mbedtls_ssl_session_free(&session);
mbedtls_free(good_buf);
mbedtls_free(bad_buf);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -2432,6 +2487,7 @@
corrupt_config == 1 };
mbedtls_ssl_session_init(&session);
+ USE_PSA_INIT();
((void) endpoint_type);
((void) tls_version);
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
@@ -2484,7 +2540,8 @@
*byte ^= corrupted_bit;
}
}
-
+exit:
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -2645,13 +2702,10 @@
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256 */
void handshake_cipher(char *cipher, int pk_alg, int dtls)
{
- MD_OR_USE_PSA_INIT();
-
test_handshake_psk_cipher(cipher, pk_alg, NULL, dtls);
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
- MD_OR_USE_PSA_DONE();
}
/* END_CASE */
@@ -2721,15 +2775,10 @@
int expected_cli_fragments,
int expected_srv_fragments)
{
- MD_OR_USE_PSA_INIT();
-
test_app_data(mfl, cli_msg_len, srv_msg_len, expected_cli_fragments,
expected_srv_fragments, 0);
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
-
-exit:
- MD_OR_USE_PSA_DONE();
}
/* END_CASE */
@@ -2738,15 +2787,10 @@
int expected_cli_fragments,
int expected_srv_fragments)
{
- MD_OR_USE_PSA_INIT();
-
test_app_data(mfl, cli_msg_len, srv_msg_len, expected_cli_fragments,
expected_srv_fragments, 1);
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
-
-exit:
- MD_OR_USE_PSA_DONE();
}
/* END_CASE */
@@ -2859,7 +2903,6 @@
{
test_resize_buffers(mfl, 0, MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION, 1, 1,
(char *) "");
-
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
}
@@ -2870,7 +2913,6 @@
char *cipher)
{
test_resize_buffers(mfl, 1, legacy_renegotiation, 0, 1, cipher);
-
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
}
@@ -2887,8 +2929,8 @@
mbedtls_ssl_config conf;
- MD_OR_USE_PSA_INIT();
mbedtls_ssl_config_init(&conf);
+ MD_OR_USE_PSA_INIT();
TEST_ASSERT(mbedtls_ssl_conf_psk(&conf,
psk0, sizeof(psk0),
@@ -2899,9 +2941,7 @@
MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
exit:
-
mbedtls_ssl_config_free(&conf);
-
MD_OR_USE_PSA_DONE();
}
/* END_CASE */
@@ -2931,8 +2971,8 @@
mbedtls_ssl_config conf;
- MD_OR_USE_PSA_INIT();
mbedtls_ssl_config_init(&conf);
+ MD_OR_USE_PSA_INIT();
switch (mode) {
case 0:
@@ -2983,7 +3023,6 @@
}
exit:
-
mbedtls_ssl_config_free(&conf);
MD_OR_USE_PSA_DONE();
@@ -2998,10 +3037,9 @@
mbedtls_ssl_config conf;
mbedtls_ssl_context ssl;
- MD_OR_USE_PSA_INIT();
-
mbedtls_ssl_config_init(&conf);
mbedtls_ssl_init(&ssl);
+ MD_OR_USE_PSA_INIT();
mbedtls_ssl_conf_endpoint(&conf, endpoint);
mbedtls_ssl_conf_transport(&conf, transport);
@@ -3042,10 +3080,10 @@
#endif
mbedtls_ssl_conf_curves(&conf, curve_list);
- MD_OR_USE_PSA_INIT();
-
mbedtls_ssl_context ssl;
mbedtls_ssl_init(&ssl);
+ MD_OR_USE_PSA_INIT();
+
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
TEST_ASSERT(ssl.handshake != NULL && ssl.handshake->group_list != NULL);
@@ -3059,7 +3097,6 @@
TEST_EQUAL(iana_tls_group_list[i], ssl.handshake->group_list[i]);
}
-
exit:
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
@@ -3083,10 +3120,10 @@
mbedtls_ssl_conf_groups(&conf, iana_tls_group_list);
- MD_OR_USE_PSA_INIT();
-
mbedtls_ssl_context ssl;
mbedtls_ssl_init(&ssl);
+ MD_OR_USE_PSA_INIT();
+
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
TEST_ASSERT(ssl.conf != NULL && ssl.conf->group_list != NULL);
@@ -3122,12 +3159,12 @@
options.srv_log_obj = &srv_pattern;
options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
- MD_OR_USE_PSA_INIT();
mbedtls_platform_zeroize(&client, sizeof(client));
mbedtls_platform_zeroize(&server, sizeof(server));
mbedtls_test_message_socket_init(&server_context);
mbedtls_test_message_socket_init(&client_context);
+ MD_OR_USE_PSA_INIT();
TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT,
&options, NULL, NULL,
@@ -3181,6 +3218,8 @@
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
+ USE_PSA_INIT();
+
TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT),
@@ -3195,8 +3234,10 @@
&len),
exp_ret);
+exit:
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -3205,9 +3246,13 @@
{
mbedtls_timing_delay_context delay_context;
+ USE_PSA_INIT();
mbedtls_timing_set_delay(&delay_context, 50, 100);
TEST_ASSERT(mbedtls_timing_get_final_delay(&delay_context) == 100);
+
+exit:
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -3224,10 +3269,9 @@
mbedtls_test_rnd_std_rand(NULL, own_cid, sizeof(own_cid));
- MD_OR_USE_PSA_INIT();
-
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
+ MD_OR_USE_PSA_INIT();
TEST_ASSERT(mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
@@ -3383,11 +3427,12 @@
/*
* Test set-up
*/
- MD_OR_USE_PSA_INIT();
mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
mbedtls_test_init_handshake_options(&client_options);
+ MD_OR_USE_PSA_INIT();
+
client_options.pk_alg = MBEDTLS_PK_ECDSA;
ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
&client_options, NULL, NULL, NULL,
@@ -3478,9 +3523,8 @@
size_t pwd_len = 0;
int ret;
- MD_OR_USE_PSA_INIT();
-
mbedtls_ssl_init(&ssl);
+ MD_OR_USE_PSA_INIT();
/* test with uninitalized SSL context */
ECJPAKE_TEST_SET_PASSWORD(MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
@@ -3617,7 +3661,8 @@
#else
TEST_UNAVAILABLE_ECC(30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448);
#endif
-
+ goto exit;
+exit:
MD_OR_USE_PSA_DONE();
}
/* END_CASE */
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index a6b001f..db2fe56 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -336,7 +336,7 @@
X509 CSR Information RSA with SHA-256, containing commas
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTS_X509_INFO
-mbedtls_x509_csr_info:"data_files/server1.req.commas.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL\, Commas, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
+mbedtls_x509_csr_info:"data_files/server1.req.commas.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL\\, Commas, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
X509 CSR Information EC with SHA1
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO
@@ -437,7 +437,7 @@
X509 Get Distinguished Name #5
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_dn_gets:"data_files/server1.commas.crt":"subject":"C=NL, O=PolarSSL\, Commas, CN=PolarSSL Server 1"
+mbedtls_x509_dn_gets:"data_files/server1.commas.crt":"subject":"C=NL, O=PolarSSL\\, Commas, CN=PolarSSL Server 1"
X509 Get Modified DN #1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
@@ -3145,7 +3145,7 @@
X509 Get time (UTC invalid character in year)
depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0\1130231212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0\\1130231212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
X509 Get time (UTC invalid character in month)
depends_on:MBEDTLS_X509_USE_C
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 905d62f..73e6803 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -429,12 +429,15 @@
int expected_result = ext_type & has_ext_type;
mbedtls_x509_crt_init(&crt);
+ USE_PSA_INIT();
crt.ext_types = ext_type;
TEST_ASSERT(mbedtls_x509_crt_has_ext_type(&crt, has_ext_type) == expected_result);
+exit:
mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -463,6 +466,7 @@
size_t n = sizeof(buf);
mbedtls_x509_crt_init(&crt);
+ USE_PSA_INIT();
memset(buf, 0, 2000);
TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), parse_result);
@@ -490,8 +494,8 @@
TEST_ASSERT(strcmp(buf, result_str) == 0);
exit:
-
mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -503,6 +507,7 @@
int res;
mbedtls_x509_crt_init(&crt);
+ USE_PSA_INIT();
memset(buf, 0, 2000);
TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0);
@@ -515,6 +520,7 @@
exit:
mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -526,6 +532,7 @@
int res;
mbedtls_x509_crl_init(&crl);
+ USE_PSA_INIT();
memset(buf, 0, 2000);
TEST_ASSERT(mbedtls_x509_crl_parse_file(&crl, crl_file) == 0);
@@ -538,6 +545,7 @@
exit:
mbedtls_x509_crl_free(&crl);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -548,12 +556,14 @@
char buf[2000];
mbedtls_x509_crl_init(&crl);
+ USE_PSA_INIT();
memset(buf, 0, 2000);
TEST_ASSERT(mbedtls_x509_crl_parse_file(&crl, crl_file) == result);
exit:
mbedtls_x509_crl_free(&crl);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -565,6 +575,7 @@
int res;
mbedtls_x509_csr_init(&csr);
+ USE_PSA_INIT();
memset(buf, 0, 2000);
TEST_ASSERT(mbedtls_x509_csr_parse_file(&csr, csr_file) == 0);
@@ -577,6 +588,7 @@
exit:
mbedtls_x509_csr_free(&csr);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -586,6 +598,7 @@
char buf[2000];
int res;
+ USE_PSA_INIT();
memset(buf, 0, sizeof(buf));
res = mbedtls_x509_crt_verify_info(buf, sizeof(buf), prefix, flags);
@@ -593,6 +606,9 @@
TEST_ASSERT(res >= 0);
TEST_ASSERT(strcmp(buf, result_str) == 0);
+
+exit:
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -616,11 +632,9 @@
* - x509_verify() for server5 -> test-ca2: ~ 18800
* - x509_verify() for server10 -> int-ca3 -> int-ca2: ~ 25500
*/
-
mbedtls_x509_crt_restart_init(&rs_ctx);
mbedtls_x509_crt_init(&crt);
mbedtls_x509_crt_init(&ca);
-
MD_OR_USE_PSA_INIT();
TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0);
@@ -673,7 +687,6 @@
mbedtls_x509_crt_init(&crt);
mbedtls_x509_crt_init(&ca);
mbedtls_x509_crl_init(&crl);
-
MD_OR_USE_PSA_INIT();
if (strcmp(cn_name_str, "NULL") != 0) {
@@ -758,6 +771,7 @@
mbedtls_x509_crt_init(&crt);
mbedtls_x509_crt_init(&ca);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0);
TEST_ASSERT(mbedtls_x509_crt_parse_file(&ca, ca_file) == 0);
@@ -775,6 +789,7 @@
exit:
mbedtls_x509_crt_free(&crt);
mbedtls_x509_crt_free(&ca);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -790,10 +805,10 @@
mbedtls_x509_crt_init(&crt);
mbedtls_x509_crt_init(&ca);
- verify_print_init(&vrfy_ctx);
-
MD_OR_USE_PSA_INIT();
+ verify_print_init(&vrfy_ctx);
+
TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0);
TEST_ASSERT(mbedtls_x509_crt_parse_file(&ca, ca_file) == 0);
@@ -827,6 +842,8 @@
int res = 0;
mbedtls_x509_crt_init(&crt);
+ USE_PSA_INIT();
+
memset(buf, 0, 2000);
TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0);
@@ -844,6 +861,7 @@
}
exit:
mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -855,6 +873,8 @@
int res = 0;
mbedtls_x509_crt_init(&crt);
+ USE_PSA_INIT();
+
memset(buf, 0, 2000);
TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0);
@@ -873,18 +893,20 @@
exit:
mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
void mbedtls_x509_get_name(char *rdn_sequence, int exp_ret)
{
- unsigned char *name;
+ unsigned char *name = NULL;
unsigned char *p;
size_t name_len;
mbedtls_x509_name head;
int ret;
+ USE_PSA_INIT();
memset(&head, 0, sizeof(head));
name = mbedtls_test_unhexify_alloc(rdn_sequence, &name_len);
@@ -897,7 +919,9 @@
TEST_EQUAL(ret, exp_ret);
+exit:
mbedtls_free(name);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -916,6 +940,7 @@
unsigned char buf[80], *out = NULL, *c;
const char *short_name;
+ USE_PSA_INIT();
memset(&parsed, 0, sizeof(parsed));
memset(buf, 0, sizeof(buf));
c = buf + sizeof(buf);
@@ -964,6 +989,7 @@
mbedtls_free(out);
mbedtls_asn1_free_named_data_list(&names);
mbedtls_asn1_free_named_data_list_shallow(parsed.next);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -973,6 +999,7 @@
mbedtls_x509_crt crt;
mbedtls_x509_crt_init(&crt);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0);
@@ -986,6 +1013,7 @@
exit:
mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -995,6 +1023,7 @@
mbedtls_x509_crt crt;
mbedtls_x509_crt_init(&crt);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0);
@@ -1008,6 +1037,7 @@
exit:
mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1017,11 +1047,13 @@
mbedtls_x509_crt crt;
mbedtls_x509_crt_init(&crt);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == result);
exit:
mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1037,6 +1069,7 @@
#endif
mbedtls_x509_crt_init(&crt);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_x509_crt_parse_der(&crt, buf->x, buf->len) == (result));
#if !defined(MBEDTLS_X509_REMOVE_INFO)
@@ -1103,6 +1136,7 @@
exit:
mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1124,6 +1158,7 @@
oid.p = (unsigned char *) MBEDTLS_OID_PKIX "\x01\x1F";
mbedtls_x509_crt_init(&crt);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_x509_crt_parse_der_with_ext_cb(&crt, buf->x, buf->len, 0, parse_crt_ext_cb,
&oid) == (result));
@@ -1157,6 +1192,7 @@
exit:
mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1168,6 +1204,8 @@
int res;
mbedtls_x509_crl_init(&crl);
+ USE_PSA_INIT();
+
memset(output, 0, 2000);
@@ -1183,6 +1221,7 @@
exit:
mbedtls_x509_crl_free(&crl);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1194,6 +1233,8 @@
int my_ret;
mbedtls_x509_csr_init(&csr);
+ USE_PSA_INIT();
+
memset(my_out, 0, sizeof(my_out));
my_ret = mbedtls_x509_csr_parse_der(&csr, csr_der->x, csr_der->len);
@@ -1207,6 +1248,7 @@
exit:
mbedtls_x509_csr_free(&csr);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1218,6 +1260,8 @@
int my_ret;
mbedtls_x509_csr_init(&csr);
+ USE_PSA_INIT();
+
memset(my_out, 0, sizeof(my_out));
my_ret = mbedtls_x509_csr_parse_file(&csr, csr_file);
@@ -1231,6 +1275,7 @@
exit:
mbedtls_x509_csr_free(&csr);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1241,6 +1286,7 @@
int i;
mbedtls_x509_crt_init(&chain);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_x509_crt_parse_path(&chain, crt_path) == ret);
@@ -1255,6 +1301,7 @@
exit:
mbedtls_x509_crt_free(&chain);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1271,10 +1318,8 @@
* We expect chain_dir to contain certificates 00.crt, 01.crt, etc.
* with NN.crt signed by NN-1.crt
*/
-
mbedtls_x509_crt_init(&trusted);
mbedtls_x509_crt_init(&chain);
-
MD_OR_USE_PSA_INIT();
/* Load trusted root */
@@ -1313,7 +1358,6 @@
mbedtls_x509_crt_init(&chain);
mbedtls_x509_crt_init(&trusted);
-
MD_OR_USE_PSA_INIT();
while ((act = mystrsep(&chain_paths, " ")) != NULL) {
@@ -1353,6 +1397,7 @@
const char *desc = NULL;
int ret;
+ USE_PSA_INIT();
oid.tag = MBEDTLS_ASN1_OID;
oid.p = buf->x;
@@ -1368,6 +1413,9 @@
TEST_ASSERT(desc != NULL);
TEST_ASSERT(strcmp(desc, ref_desc) == 0);
}
+
+exit:
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1377,6 +1425,8 @@
mbedtls_x509_buf oid;
char num_buf[100];
+ USE_PSA_INIT();
+
memset(num_buf, 0x2a, sizeof(num_buf));
oid.tag = MBEDTLS_ASN1_OID;
@@ -1391,6 +1441,9 @@
TEST_ASSERT(num_buf[ret] == 0);
TEST_ASSERT(strcmp(num_buf, numstr) == 0);
}
+
+exit:
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1400,6 +1453,7 @@
mbedtls_x509_crt crt;
mbedtls_x509_crt_init(&crt);
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0);
@@ -1407,6 +1461,7 @@
exit:
mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1417,7 +1472,7 @@
mbedtls_x509_crt crt;
mbedtls_x509_crt_init(&crt);
-
+ USE_PSA_INIT();
TEST_ASSERT(mbedtls_x509_crt_parse_file(&crt, crt_file) == 0);
@@ -1426,6 +1481,7 @@
exit:
mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1438,6 +1494,7 @@
unsigned char *start = buf;
unsigned char *end = buf;
+ USE_PSA_INIT();
memset(&time, 0x00, sizeof(time));
*end = (unsigned char) tag; end++;
*end = strlen(time_str);
@@ -1455,6 +1512,8 @@
TEST_ASSERT(min == time.min);
TEST_ASSERT(sec == time.sec);
}
+exit:
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -1468,6 +1527,8 @@
mbedtls_md_type_t my_msg_md, my_mgf_md;
int my_salt_len;
+ USE_PSA_INIT();
+
buf.p = params->x;
buf.len = params->len;
buf.tag = params_tag;
@@ -1484,6 +1545,6 @@
}
exit:
- ;;
+ USE_PSA_DONE();
}
/* END_CASE */
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index bb40029..cd1b0a3 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -163,7 +163,7 @@
x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"data_files/test-ca2.crt"
X509 String to Names #1
-mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark\, Inc., OU=PolarSSL":0
+mbedtls_x509_string_to_names:"C=NL,O=Offspark\\, Inc., OU=PolarSSL":"C=NL, O=Offspark\\, Inc., OU=PolarSSL":0
X509 String to Names #2
mbedtls_x509_string_to_names:"C=NL, O=Offspark, Inc., OU=PolarSSL":"":MBEDTLS_ERR_X509_UNKNOWN_OID
@@ -175,10 +175,10 @@
mbedtls_x509_string_to_names:"C=NL, O=1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME
X509 String to Names #5 (Escape non-allowed characters)
-mbedtls_x509_string_to_names:"C=NL, O=Offspark\a Inc., OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME
+mbedtls_x509_string_to_names:"C=NL, O=Offspark\\a Inc., OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME
X509 String to Names #6 (Escape at end)
-mbedtls_x509_string_to_names:"C=NL, O=Offspark\":"":MBEDTLS_ERR_X509_INVALID_NAME
+mbedtls_x509_string_to_names:"C=NL, O=Offspark\\":"":MBEDTLS_ERR_X509_INVALID_NAME
Check max serial length
x509_set_serial_check:
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 0e4062e..b08555c 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -176,10 +176,9 @@
memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
mbedtls_x509write_csr_init(&req);
-
+ mbedtls_pk_init(&key);
MD_OR_USE_PSA_INIT();
- mbedtls_pk_init(&key);
TEST_ASSERT(mbedtls_pk_parse_keyfile(&key, key_file, NULL,
mbedtls_test_rnd_std_rand, NULL) == 0);
@@ -266,12 +265,11 @@
const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
mbedtls_test_rnd_pseudo_info rnd_info;
- memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
-
mbedtls_x509write_csr_init(&req);
-
MD_OR_USE_PSA_INIT();
+ memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
+
md_alg_psa = mbedtls_hash_info_psa_from_md((mbedtls_md_type_t) md_type);
TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE);
@@ -315,7 +313,7 @@
mbedtls_x509write_csr_free(&req);
mbedtls_pk_free(&key);
psa_destroy_key(key_id);
- PSA_DONE();
+ MD_OR_USE_PSA_DONE();
}
/* END_CASE */
@@ -356,13 +354,11 @@
mbedtls_mpi_init(&serial_mpi);
#endif
- MD_OR_USE_PSA_INIT();
-
mbedtls_pk_init(&subject_key);
mbedtls_pk_init(&issuer_key);
mbedtls_pk_init(&issuer_key_alt);
-
mbedtls_x509write_crt_init(&crt);
+ MD_OR_USE_PSA_INIT();
TEST_ASSERT(mbedtls_pk_parse_keyfile(&subject_key, subject_key_file,
subject_pwd, mbedtls_test_rnd_std_rand, NULL) == 0);
@@ -597,6 +593,7 @@
mbedtls_x509write_cert ctx;
uint8_t invalid_serial[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN + 1];
+ USE_PSA_INIT();
memset(invalid_serial, 0x01, sizeof(invalid_serial));
#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
@@ -619,6 +616,7 @@
#else
;
#endif
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -632,6 +630,8 @@
mbedtls_x509_name parsed, *parsed_cur, *parsed_prv;
unsigned char buf[1024], out[1024], *c;
+ USE_PSA_INIT();
+
memset(&parsed, 0, sizeof(parsed));
memset(out, 0, sizeof(out));
memset(buf, 0, sizeof(buf));
@@ -665,5 +665,6 @@
parsed_cur = parsed_cur->next;
mbedtls_free(parsed_prv);
}
+ USE_PSA_DONE();
}
/* END_CASE */